Another way to HOOK in the kernel

最新推荐文章于 2025-10-10 02:10:10 发布

转载最新推荐文章于 2025-10-10 02:10:10 发布 · 838 阅读

文章标签：

#hook #descriptor #struct #object #system #google

windows底层核心編程专栏收录该内容

743 篇文章

订阅专栏

本文介绍了一种利用DRX寄存器进行内核级HOOK的技术，并提供了具体的代码实例。该技术通过设置硬件断点来HOOK ZwCreateFile 函数，实现了对文件创建操作的拦截。

yykingking

Rk always use HOOK important functions to hide something , and some ARK first recover these hookers ( common by harddisk files) and then call the function.
And this is another way to HOOK in the kernel by DRX register. About the DRX register ,you can google it, there should be much info. So i only post some simple code next because of my poor english, if you know chinese, you can get the comment.

These code should be run in xp, and it simply act HOOK the ZwCreateFile and print the debug information.

/* drxhook.h Written By yykingking@126.com */ #ifndef _DRX_HOOK #define _DRX_HOOK #include <ntddk.h> typedef unsigned long DWORD; typedef unsigned char BOOL; #pragma pack(push,1) typedef struct _idtr { //定义中断描述符表的限制，长度两字节； short IDTLimit; //定义中断描述服表的基址，长度四字节； unsigned int IDTBase; }IDTR,*PIDTR; typedef struct _IDTENTRY { unsigned short LowOffset; unsigned short selector; unsigned char unused_lo; unsigned char segment_type:4; //0x0E is an interrupt gate unsigned char system_segment_flag:1; unsigned char DPL:2; // descriptor privilege level unsigned char P:1; /* present */ unsigned short HiOffset; } IDTENTRY,*PIDTENTRY; #pragma pack(pop) DWORD GetDBEntry(); void HookDBInt(); void UnHookDBInt(); #endif /* drxhook.cpp Written By yykingking@126.com */ #include "drxhook.h" DWORD g_OldDBEntry; IDTR g_IDTR; DWORD g_OldCreateFile; DWORD g_HookNumber = 0; DWORD g_CR0; BOOL g_bExit; void ReLoadCR0AndSti() { __asm { push eax mov eax, g_CR0 mov cr0, eax pop eax sti } } void CliAndDisableWPBit() { __asm { cli push eax mov eax, cr0 mov g_CR0, eax and eax, 0xFFFEFFFF mov cr0, eax pop eax } } void PrintHook() { DbgPrint(" Now Get In ZwCreateFile Hook: %d...Pid: %d.../n", g_HookNumber++, (DWORD)PsGetCurrentProcessId()); } __declspec(naked) void NewZwCreateFile() { __asm { pushfd; // 仅仅适合于 XP 操作系统 call PrintHook; popfd; mov eax,0x25; jmp g_OldCreateFile; } } void SetHB() // set hardware breakpoint 设置硬件断点 { __asm { mov eax, ZwCreateFile; // 想要挂接的函数或者地址 mov dr0, eax; mov eax, dr7; or eax, 0x2703; // 也要修改 dr7:GD 位，以免DrX被操作系统或其他程序修改 and eax, 0xfff0ffff; mov dr7, eax; } } __declspec(naked) void NewDBEntry() { __asm { pushfd; push eax; mov eax, dr6; test eax, 0x2000; jz NOT_EDIT_DRX; // 以下是如果有对DRX的操作的简单处理,如有需要可以修改 // 我只是简单的跳过这些指令 and eax, 0xFFFFDFFF; mov dr6, eax; // 清除DR6的标志 cmp g_bExit, 0; jnz MY_DRV_EXIT; // 驱动 Unload mov eax, [esp+8]; // 获取堆栈中的 EIP add eax, 3; // 由于所有对 DRX 的操作全都是3个字节的 mov [esp+8], eax; // 修改 EIP ,跳过当前指令,返回时执行下条指令 jmp MY_INT_END; NOT_EDIT_DRX: mov eax, dr6; test eax, 0x1; jz SYS_INT; // 如果不是Dr0 产生的中断,则跳回原系统中断 mov eax, [esp+8]; cmp eax, ZwCreateFile; // 判断一下是不是 ZwCreateFile 的线性地址 jnz SYS_INT; mov eax, NewZwCreateFile; mov [esp+8],eax; // 修改堆栈中的 EIP ,实现返回时跳转 MY_INT_END: mov eax, dr7; or eax, 0x2000; // 恢复 GD 位 mov dr7, eax; MY_DRV_EXIT: // 整个驱动 UnLoad 时,不恢复 Dr7 pop eax; popfd; iretd; SYS_INT: pop eax; popfd; jmp g_OldDBEntry; } } DWORD GetDBEntry() { PIDTENTRY IdtEntry; DWORD Entry; __asm sidt g_IDTR; IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8); Entry = IdtEntry->HiOffset << 16; Entry |= IdtEntry->LowOffset; return Entry; } void HookDBInt() { DWORD NewEntry; PIDTENTRY IdtEntry; NewEntry = (DWORD)NewDBEntry; g_OldCreateFile = (DWORD)ZwCreateFile + 5; // 新的要跳转过去的地址 g_OldDBEntry = GetDBEntry(); IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8); CliAndDisableWPBit(); IdtEntry->LowOffset = (USHORT)NewEntry; IdtEntry->HiOffset = (USHORT)( NewEntry >> 16 ); ReLoadCR0AndSti(); SetHB(); g_bExit = FALSE; return; } void UnHookDBInt() { PIDTENTRY IdtEntry; DWORD Entry; __asm sidt g_IDTR; IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8); CliAndDisableWPBit(); g_bExit = TRUE; __asm mov eax, dr7; // 产生一次例外并且清除Dr7:GD if ( g_OldDBEntry != 0 ) { IdtEntry->LowOffset = (USHORT)g_OldDBEntry; IdtEntry->HiOffset = (USHORT)( g_OldDBEntry >> 16 ); } ReLoadCR0AndSti(); DbgPrint(" UnLoad drx hook../n"); return; } NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject) { UnHookDBInt(); return STATUS_SUCCESS; } NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { HookDBInt(); DriverObject->DriverUnload = DriverUnload; DbgPrint("Load drxhook Driver Ok.../n"); return STATUS_SUCCESS; } /***********************/