BASIC INTERRUPT 1

最新推荐文章于 2024-12-01 15:33:54 发布

转载最新推荐文章于 2024-12-01 15:33:54 发布 · 735 阅读

文章标签：

#basic #descriptor #structure #struct #object #hook

本文介绍了一个简单的Windows内核模式下基本中断钩子(Basic Interrupt Hook)的实现方法。通过定义IDT表项结构和使用旁路指令(sidt)获取当前IDT信息，遍历并打印所有中断向量的地址。

// --------------------
// BASIC INTERRUPT HOOK
// --------------------

#include "ntddk.h"
#include <stdio.h>

#define MAKELONG(a, b) ((unsigned long) (((unsigned short) (a)) | ((unsigned long) ((unsigned short) (b))) << 16))

#define MAX_IDT_ENTRIES 0xFF

#define NT_INT_UNUSED_A 0x20

#define NT_INT_UNUSED_B    0x22
#define NT_INT_UNUSED_C    0x23
#define NT_INT_UNUSED_D    0x24
#define NT_INT_UNUSED_E    0x25
#define NT_INT_UNUSED_F    0x26
#define NT_INT_UNUSED_G    0x27
#define NT_INT_UNUSED_H    0x28
#define NT_INT_UNUSED_I    0x29

#define NT_INT_SYSTEMSERVICE 0x2E

///////////////////////////////////////////////////
// IDT structures
///////////////////////////////////////////////////
#pragma pack(1)

// entry in the IDT, this is sometimes called
// an "interrupt gate"
typedef struct
{
unsigned short LowOffset;
unsigned short selector;
unsigned char unused_lo;
unsigned char segment_type:4; //0x0E is an interrupt gate
unsigned char system_segment_flag:1;
unsigned char DPL:2; // descriptor privilege level
unsigned char P:1; /* present */
unsigned short HiOffset;
} IDTENTRY;

/* sidt returns idt in this format */
typedef struct
{
unsigned short IDTLimit;
unsigned short LowIDTbase;
unsigned short HiIDTbase;
} IDTINFO;

#pragma pack()

VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
DbgPrint("ROOTKIT: OnUnload called/n");
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
IDTINFO idt_info; // this structure is obtained by calling STORE IDT (sidt)
IDTENTRY* idt_entries; // and then this pointer is obtained from idt_info
unsigned long count;

theDriverObject->DriverUnload = OnUnload;

// load idt_info
__asm sidt idt_info

idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);

for(count=0;count < MAX_IDT_ENTRIES;count++)
{
  char _t[255];
  IDTENTRY *i = &idt_entries[count];
  unsigned long addr = 0;
  addr = MAKELONG(i->LowOffset, i->HiOffset);

  _snprintf(_t, 253, "Interrupt %d: ISR 0x%08X", count, addr);
  DbgPrint(_t);
}

return STATUS_SUCCESS;
}