By: izik
I had to do inline function hooking (aka detouring) to accomplish a task. When I started looking for examples in rootkit source code, it turned out that no rootkit actually uses this method. That makes sense in a way: it is much easier to hook functions in the service tables when the goal is to intercept calls from applications into the kernel, but that approach does not work for intercepting functions called from within the same module (driver). Since I couldn't find anything, I decided to write my own detouring driver, and I am now publishing it for educational purposes only.
KREMBO is a Windows driver which detours nt!RtlRandom (for no particular reason, just as a proof of concept). It is well commented and includes debug prints. I have successfully compiled it with Windows DDK 3790.1830. The zip includes both the source code and a driver already compiled in a checked build environment.
KREMBO (.zip)
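As an added, defender-side example that is not part of KREMBO or this post: a scan that recognizes the prologue rewrite an inline detour leaves behind and, unlike a plain byte-pattern match, only flags it when the jump leaves the owning image. The function address, the kernel image base and size, and all byte samples are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* What the first bytes of an x86 (32-bit) function prologue look like. */
typedef enum {
    PROLOGUE_CLEAN = 0,
    HOOK_JMP_REL32,   /* E9 rel32     : jmp near, the classic 5-byte detour */
    HOOK_JMP_IND      /* FF 25 disp32 : jmp dword ptr [addr]                */
} hook_kind;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify `len` bytes read from the function whose image address is `func_va`;
   on a hook pattern *target receives the diversion address (for the indirect
   jmp, the address of the pointer slot it reads). */
hook_kind classify_prologue(const uint8_t *code, size_t len, uint32_t func_va, uint32_t *target)
{
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {              /* rel32 is relative to the next insn */
        *target = func_va + 5 + le32(code + 1);
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        *target = le32(code + 2);
        return HOOK_JMP_IND;
    }
    return PROLOGUE_CLEAN;
}

/* A rewritten prologue is only suspicious when control leaves the owning image:
   Microsoft hot-patching also rewrites prologues, but its jumps stay in the module. */
int is_detoured(const uint8_t *code, size_t len, uint32_t func_va, uint32_t image_base, uint32_t image_size)
{
    uint32_t target;
    if (classify_prologue(code, len, func_va, &target) == PROLOGUE_CLEAN) return 0;
    return target < image_base || target - image_base >= image_size;
}

/* Constructed samples (not from the page), for a function assumed to live at
   0x80501000 inside a kernel image assumed at 0x80400000, size 0x200000:
   the hot-patchable prologue "mov edi,edi; push ebp; mov ebp,esp", a 5-byte
   detour to a driver at 0xF8A01000 (rel32 0x784FFFFB), and a jump that stays
   inside the image (target 0x80500FF9, rel32 0xFFFFFFF4). */
const uint8_t CLEAN_PROLOGUE[]    = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
const uint8_t DETOURED_PROLOGUE[] = {0xE9, 0xFB, 0xFF, 0x4F, 0x78};
const uint8_t IN_IMAGE_JUMP[]     = {0xE9, 0xF4, 0xFF, 0xFF, 0xFF};
```

The same check applies to any exported routine: read its first bytes from the mapped image, pass the routine's address and the module's bounds, and compare against the on-disk prologue when the result is not clean.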
This article describes a method for implementing inline function hooking on Windows, known as detouring. The author could not find an existing solution and therefore developed a driver named KREMBO that intercepts and modifies the behaviour of the nt!RtlRandom function. The article includes the source code and the compiled driver file.