Another way to HOOK in the kernel

最新推荐文章于 2025-10-10 02:10:10 发布

原创最新推荐文章于 2025-10-10 02:10:10 发布 · 911 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#hook #descriptor #struct #object #system #google

windows底层核心編程专栏收录该内容

743 篇文章

订阅专栏

本文介绍了一种利用DRX寄存器进行HOOK的技术，通过设置硬件断点来实现内核模式下的函数HOOK，具体展示了HOOK ZwCreateFile函数的过程，并提供了相关代码实现。

Rk always use HOOK important functions to hide something , and some ARK first recover these hookers ( common by harddisk files) and then call the function.
And this is another way to HOOK in the kernel by DRX register. About the DRX register ,you can google it, there should be much info. So i only post some simple code next because of my poor english, if you know chinese, you can get the comment.

These code should be run in xp, and it simply act HOOK the ZwCreateFile and print the debug information.

/* drxhook.h Written By yykingking@126.com */ #ifndef _DRX_HOOK #define _DRX_HOOK #include <ntddk.h> typedef unsigned long DWORD; typedef unsigned char BOOL; #pragma pack(push,1) typedef struct _idtr { //å®šä¹‰ä¸æ–æè¿°ç¬¦è¡¨çš„é™åˆ¶ï¼Œé•¿åº¦ä¸¤å—èŠ‚ï¼› short IDTLimit; //å®šä¹‰ä¸æ–æè¿°æœè¡¨çš„åŸºå€ï¼Œé•¿åº¦å››å—èŠ‚ï¼› unsigned int IDTBase; }IDTR,*PIDTR; typedef struct _IDTENTRY { unsigned short LowOffset; unsigned short selector; unsigned char unused_lo; unsigned char segment_type:4; //0x0E is an interrupt gate unsigned char system_segment_flag:1; unsigned char DPL:2; // descriptor privilege level unsigned char P:1; /* present */ unsigned short HiOffset; } IDTENTRY,*PIDTENTRY; #pragma pack(pop) DWORD GetDBEntry(); void HookDBInt(); void UnHookDBInt(); #endif /* drxhook.cpp Written By yykingking@126.com */ #include "drxhook.h" DWORD g_OldDBEntry; IDTR g_IDTR; DWORD g_OldCreateFile; DWORD g_HookNumber = 0; DWORD g_CR0; BOOL g_bExit; void ReLoadCR0AndSti() { __asm { push eax mov eax, g_CR0 mov cr0, eax pop eax sti } } void CliAndDisableWPBit() { __asm { cli push eax mov eax, cr0 mov g_CR0, eax and eax, 0xFFFEFFFF mov cr0, eax pop eax } } void PrintHook() { DbgPrint(" Now Get In ZwCreateFile Hook: %d...Pid: %d.../n", g_HookNumber++, (DWORD)PsGetCurrentProcessId()); } __declspec(naked) void NewZwCreateFile() { __asm { pushfd; // ä»…ä»…é€‚åˆäºŽ XP æ“ä½œç³»ç»Ÿ call PrintHook; popfd; mov eax,0x25; jmp g_OldCreateFile; } } void SetHB() // set hardware breakpoint è®¾ç½®ç¡¬ä»¶æ–ç‚¹ { __asm { mov eax, ZwCreateFile; // æƒ³è¦æŒ‚æŽ¥çš„å‡½æ•°æˆ–è€…åœ°å€ mov dr0, eax; mov eax, dr7; or eax, 0x2703; // ä¹Ÿè¦ä¿®æ”¹ dr7:GD ä½ï¼Œä»¥å…DrXè¢«æ“ä½œç³»ç»Ÿæˆ–å…¶ä»–ç¨‹åºä¿®æ”¹ and eax, 0xfff0ffff; mov dr7, eax; } } __declspec(naked) void NewDBEntry() { __asm { pushfd; push eax; mov eax, dr6; test eax, 0x2000; jz NOT_EDIT_DRX; // ä»¥ä¸‹æ˜¯å¦‚æžœæœ‰å¯¹DRXçš„æ“ä½œçš„ç®€å•å¤„ç†,å¦‚æœ‰éœ€è¦å¯ä»¥ä¿®æ”¹ // æˆ‘åªæ˜¯ç®€å•çš„è·³è¿‡è¿™äº›æŒ‡ä»¤ and eax, 0xFFFFDFFF; mov dr6, eax; // æ¸…é™¤DR6çš„æ ‡å¿— cmp g_bExit, 0; jnz MY_DRV_EXIT; // é©±åŠ¨ Unload mov eax, [esp+8]; // èŽ·å–å †æ ˆä¸çš„ EIP add eax, 3; // ç”±äºŽæ‰€æœ‰å¯¹ DRX çš„æ“ä½œå…¨éƒ½æ˜¯3ä¸ªå—èŠ‚çš„ mov [esp+8], eax; // ä¿®æ”¹ EIP ,è·³è¿‡å½“å‰æŒ‡ä»¤,è¿”å›žæ—¶æ‰§è¡Œä¸‹æ¡æŒ‡ä»¤ jmp MY_INT_END; NOT_EDIT_DRX: mov eax, dr6; test eax, 0x1; jz SYS_INT; // å¦‚æžœä¸æ˜¯Dr0 äº§ç”Ÿçš„ä¸æ–,åˆ™è·³å›žåŽŸç³»ç»Ÿä¸æ– mov eax, [esp+8]; cmp eax, ZwCreateFile; // åˆ¤æ–ä¸€ä¸‹æ˜¯ä¸æ˜¯ ZwCreateFile çš„çº¿æ€§åœ°å€ jnz SYS_INT; mov eax, NewZwCreateFile; mov [esp+8],eax; // ä¿®æ”¹å †æ ˆä¸çš„ EIP ,å®žçŽ°è¿”å›žæ—¶è·³è½¬ MY_INT_END: mov eax, dr7; or eax, 0x2000; // æ¢å¤ GD ä½ mov dr7, eax; MY_DRV_EXIT: // æ•´ä¸ªé©±åŠ¨ UnLoad æ—¶,ä¸æ¢å¤ Dr7 pop eax; popfd; iretd; SYS_INT: pop eax; popfd; jmp g_OldDBEntry; } } DWORD GetDBEntry() { PIDTENTRY IdtEntry; DWORD Entry; __asm sidt g_IDTR; IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8); Entry = IdtEntry->HiOffset << 16; Entry |= IdtEntry->LowOffset; return Entry; } void HookDBInt() { DWORD NewEntry; PIDTENTRY IdtEntry; NewEntry = (DWORD)NewDBEntry; g_OldCreateFile = (DWORD)ZwCreateFile + 5; // æ–°çš„è¦è·³è½¬è¿‡åŽ»çš„åœ°å€ g_OldDBEntry = GetDBEntry(); IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8); CliAndDisableWPBit(); IdtEntry->LowOffset = (USHORT)NewEntry; IdtEntry->HiOffset = (USHORT)( NewEntry >> 16 ); ReLoadCR0AndSti(); SetHB(); g_bExit = FALSE; return; } void UnHookDBInt() { PIDTENTRY IdtEntry; DWORD Entry; __asm sidt g_IDTR; IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8); CliAndDisableWPBit(); g_bExit = TRUE; __asm mov eax, dr7; // äº§ç”Ÿä¸€æ¬¡ä¾‹å¤–å¹¶ä¸”æ¸…é™¤Dr7:GD if ( g_OldDBEntry != 0 ) { IdtEntry->LowOffset = (USHORT)g_OldDBEntry; IdtEntry->HiOffset = (USHORT)( g_OldDBEntry >> 16 ); } ReLoadCR0AndSti(); DbgPrint(" UnLoad drx hook../n"); return; } NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject) { UnHookDBInt(); return STATUS_SUCCESS; } NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { HookDBInt(); DriverObject->DriverUnload = DriverUnload; DbgPrint("Load drxhook Driver Ok.../n"); return STATUS_SUCCESS; } /***********************/