本文介绍了一种利用DRX寄存器进行HOOK的技术,通过设置硬件断点来实现内核模式下对ZwCreateFile函数的HOOK,进而监控文件创建行为。文章提供了具体的实现代码,展示了如何在Windows XP系统中进行HOOK操作。
Rk always use HOOK important functions to hide something , and some ARK first recover these hookers ( common by harddisk files) and then call the function.
And this is another way to HOOK in the kernel by DRX register. About the DRX register ,you can google it, there should be much info. So i only post some simple code next because of my poor english, if you know chinese, you can get the comment.
These code should be run in xp, and it simply act HOOK the ZwCreateFile and print the debug information.
And this is another way to HOOK in the kernel by DRX register. About the DRX register ,you can google it, there should be much info. So i only post some simple code next because of my poor english, if you know chinese, you can get the comment.
These code should be run in xp, and it simply act HOOK the ZwCreateFile and print the debug information.
/*
drxhook.h
Written By yykingking@126.com
*/
#ifndef _DRX_HOOK
#define _DRX_HOOK
#include <ntddk.h>
typedef unsigned long DWORD;
typedef unsigned char BOOL;
#pragma pack(push,1)
typedef struct _idtr
{
//定义ä¸æ–æ述符表的é™åˆ¶ï¼Œé•¿åº¦ä¸¤å—节;
short IDTLimit;
//定义ä¸æ–æè¿°æœè¡¨çš„基å€ï¼Œé•¿åº¦å››å—节;
unsigned int IDTBase;
}IDTR,*PIDTR;
typedef struct _IDTENTRY
{
unsigned short LowOffset;
unsigned short selector;
unsigned char unused_lo;
unsigned char segment_type:4; //0x0E is an interrupt gate
unsigned char system_segment_flag:1;
unsigned char DPL:2; // descriptor privilege level
unsigned char P:1; /* present */
unsigned short HiOffset;
} IDTENTRY,*PIDTENTRY;
#pragma pack(pop)
DWORD GetDBEntry();
void HookDBInt();
void UnHookDBInt();
#endif
/*
drxhook.cpp
Written By yykingking@126.com
*/
#include "drxhook.h"
DWORD g_OldDBEntry;
IDTR g_IDTR;
DWORD g_OldCreateFile;
DWORD g_HookNumber = 0;
DWORD g_CR0;
BOOL g_bExit;
void ReLoadCR0AndSti()
{
__asm
{
push eax
mov eax, g_CR0
mov cr0, eax
pop eax
sti
}
}
void CliAndDisableWPBit()
{
__asm
{
cli
push eax
mov eax, cr0
mov g_CR0, eax
and eax, 0xFFFEFFFF
mov cr0, eax
pop eax
}
}
void PrintHook()
{
DbgPrint(" Now Get In ZwCreateFile Hook: %d...Pid: %d.../n", g_HookNumber++, (DWORD)PsGetCurrentProcessId());
}
__declspec(naked) void NewZwCreateFile()
{
__asm
{
pushfd; // 仅仅适åˆäºŽ XP æ“作系统
call PrintHook;
popfd;
mov eax,0x25;
jmp g_OldCreateFile;
}
}
void SetHB() // set hardware breakpoint 设置硬件æ–点
{
__asm
{
mov eax, ZwCreateFile; // 想è¦æŒ‚接的函数或者地å€
mov dr0, eax;
mov eax, dr7;
or eax, 0x2703; // 也è¦ä¿®æ”¹ dr7:GD ä½ï¼Œä»¥å…DrX被æ“作系统或其他程åºä¿®æ”¹
and eax, 0xfff0ffff;
mov dr7, eax;
}
}
__declspec(naked) void NewDBEntry()
{
__asm
{
pushfd;
push eax;
mov eax, dr6;
test eax, 0x2000;
jz NOT_EDIT_DRX;
// 以下是如果有对DRXçš„æ“作的简å•å¤„ç†,如有需è¦å¯ä»¥ä¿®æ”¹
// 我åªæ˜¯ç®€å•çš„跳过这些指令
and eax, 0xFFFFDFFF;
mov dr6, eax; // 清除DR6çš„æ ‡å¿—
cmp g_bExit, 0;
jnz MY_DRV_EXIT; // 驱动 Unload
mov eax, [esp+8]; // 获å–å †æ ˆä¸çš„ EIP
add eax, 3; // 由于所有对 DRX çš„æ“作全都是3个å—节的
mov [esp+8], eax; // 修改 EIP ,跳过当å‰æŒ‡ä»¤,返回时执行下æ¡æŒ‡ä»¤
jmp MY_INT_END;
NOT_EDIT_DRX:
mov eax, dr6;
test eax, 0x1;
jz SYS_INT; // 如果ä¸æ˜¯Dr0 产生的ä¸æ–,则跳回原系统ä¸æ–
mov eax, [esp+8];
cmp eax, ZwCreateFile; // 判æ–一下是ä¸æ˜¯ ZwCreateFile 的线性地å€
jnz SYS_INT;
mov eax, NewZwCreateFile;
mov [esp+8],eax; // ä¿®æ”¹å †æ ˆä¸çš„ EIP ,实现返回时跳转
MY_INT_END:
mov eax, dr7;
or eax, 0x2000; // æ¢å¤ GD ä½
mov dr7, eax;
MY_DRV_EXIT: // 整个驱动 UnLoad æ—¶,ä¸æ¢å¤ Dr7
pop eax;
popfd;
iretd;
SYS_INT:
pop eax;
popfd;
jmp g_OldDBEntry;
}
}
DWORD GetDBEntry()
{
PIDTENTRY IdtEntry;
DWORD Entry;
__asm sidt g_IDTR;
IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);
Entry = IdtEntry->HiOffset << 16;
Entry |= IdtEntry->LowOffset;
return Entry;
}
void HookDBInt()
{
DWORD NewEntry;
PIDTENTRY IdtEntry;
NewEntry = (DWORD)NewDBEntry;
g_OldCreateFile = (DWORD)ZwCreateFile + 5; // æ–°çš„è¦è·³è½¬è¿‡åŽ»çš„地å€
g_OldDBEntry = GetDBEntry();
IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);
CliAndDisableWPBit();
IdtEntry->LowOffset = (USHORT)NewEntry;
IdtEntry->HiOffset = (USHORT)( NewEntry >> 16 );
ReLoadCR0AndSti();
SetHB();
g_bExit = FALSE;
return;
}
void UnHookDBInt()
{
PIDTENTRY IdtEntry;
DWORD Entry;
__asm sidt g_IDTR;
IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);
CliAndDisableWPBit();
g_bExit = TRUE;
__asm mov eax, dr7; // 产生一次例外并且清除Dr7:GD
if ( g_OldDBEntry != 0 )
{
IdtEntry->LowOffset = (USHORT)g_OldDBEntry;
IdtEntry->HiOffset = (USHORT)( g_OldDBEntry >> 16 );
}
ReLoadCR0AndSti();
DbgPrint(" UnLoad drx hook../n");
return;
}
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
UnHookDBInt();
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
HookDBInt();
DriverObject->DriverUnload = DriverUnload;
DbgPrint("Load drxhook Driver Ok.../n");
return STATUS_SUCCESS;
}
/***********************/
扫一扫
596
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
