inline hook

最新推荐文章于 2025-07-21 16:06:19 发布
原创 最新推荐文章于 2025-07-21 16:06:19 发布 · 1.8k 阅读 · 1 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#inline hook

Inline hook的步骤

1。获得要inline hook的函数在内存中的地址
2。实现T_MyFunc()与MyFunc函数,在该函数中将参数压栈并调用MyFunc函数处理。
3。HOOK。保存函数开头的指令到某个内存中,并在该内存末尾附加JMP指令到开头指令的后面的指令。并将开头的指令替换为JMP T_MyFunc地址。
4。在T_MyFunc执行完MyFunc之后,调用保存的指令,跳回去。


直接的jmp分3种 
Short Jump(短跳转)机器码 EB rel8 
只能跳转到256字节的范围内 
Near Jump(近跳转)机器码 E9 rel16/32 
可跳至同一个段的范围内的地址 
Far Jump(远跳转)机器码EA ptr 16:16/32 
可跳至任意地址,使用48位/32位全指针 


例子:

_declspec(naked) T_MyFunc(……)
{
	_asm
	{
		mov edi, edi
		push ebp
		mov ebp ,esp
		//参数压栈,传给MyFunc
		push [ebp+0ch]
		push [ebp+8]
		call MyFunc 
		//获得结果,并跳回原来的指令
		cmp eax,1
		jz end
		mov eax,FuncAddress 
		add eax,5 
		jmp eax
			
end:
		//恢复栈
		pop ebp
		retn 8
	}
}


Naked call
编译器不会给这种函数增加初始化和清理代码,不能用return返回返回值,只能用插入汇编返回结果。

//naked 调用约定。用户自己清理堆栈。不能进行原型声明,否则错误。
__declspec(naked) int add(int a,int b)
{
    __asm push ebp //必须加上两句修改栈帧,否则引用了错误的数据
    __asm mov ebp, esp
    __asm mov eax, a
    __asm add eax, b
    __asm pop ebp
    __asm ret
}

这个修饰是和__stdcall及cdecl结合使用的,前面是它和cdecl结合使用的代码,对于和stdcall结合的代码,则变成:
__declspec(naked) int __stdcall function(int a,int b) 
{
    __asm mov eax, a
    __asm add eax, b
    __asm ret 8 //注意后面的8
}
cdecl/fastcall/stdcall/thiscall/nakedcall
扩展阅读(重要):Calling convention: http://gccfeli.cn/tag/naked-call

例子:SwapContext inline hook 

#include <ntddk.h>
#include <ntimage.h>
#include <ntdef.h>
#include "hash.h"
#include "xde.h"
#include "main.h"

typedef struct _BYTECODE
{
	BYTE *pAddress;
	SIZE_T size;
} BYTECODE, *PBYTECODE;

typedef struct _OFFSETS
{
	BYTE threadsProcess;
	BYTE CID;
	BYTE imageFilename;
	BYTE crossThreadFlags;
	unsigned  PID;
	unsigned PPID;

	unsigned pecreatetimeoff;
	unsigned peexittimeoff;
} OFFSETS, *POFFSETS;

#define JMP_SIZE 5
#define SIG_SIZE 20
#define HASHTABLE_SIZE 256
#define MAINTAG1 'NIAM'

// NOTICE: WinDbg gives offsets in BYTEs, we use DWORDS.
OFFSETS offsets;
// The beginning of the SwapContext function is stored here.
BYTE *pSwapContext = NULL;
// The trampoline function which executes the replaced code and
// passes control to the hooked function.
BYTECODE trampoline;
// Inline assembler does not support structures, so this points
// directly to the pCode of the _BYTECODE structure.
BYTE *pTrampoline = NULL;
// The hashtable where we store the data.
PHASHTABLE pHashTable = NULL;
DWORD num = 0;

extern  USHORT  *NtBuildNumber;

const WCHAR deviceLinkBuffer[]  = L"\\DosDevices\\SwapContextDrv";
const WCHAR deviceNameBuffer[]  = L"\\Device\\SwapContextDrv";

PDEVICE_OBJECT g_HookDevice;

ULONG gNameOffset = 0x174;
PsLookupThreadByThreadId(
        IN PVOID UniqueThreadId,
        OUT PETHREAD *ppEthread
);
KIRQL			OldIrql;
KSPIN_LOCK		DpcSpinLock;

ULONG GetLocationOfProcessName(PEPROCESS CurrentProc)
{
    ULONG ul_offset;

	for(ul_offset = 0; ul_offset < PAGE_SIZE; ul_offset++) // This will fail if EPROCESS
												           // grows bigger than PAGE_SIZE
	{
		if( !strncmp( "System", (PCHAR) CurrentProc + ul_offset, strlen("System")))
		{
			return ul_offset;
		}
	}

	return (ULONG) 0;
}

// This function returns an MDL to an nonpaged virtual memory area.
// 
// IN pVirtualAddress Virtual address to the start of the memory area.
// IN length Length of the memory area in bytes.
//
// OUT PMDL Mdl to the nonpaged virtual memory area.
//
PMDL GetMdlForNonPagedMemory(PVOID pVirtualAddress, SIZE_T length)
{
	PMDL pMdl;

	if (length >= (PAGE_SIZE * (65535 - sizeof(MDL)) / sizeof(ULONG_PTR)))
	{
		DbgPrint("Size parameter passed to IoAllocateMdl is too big!\n");
		return NULL;
	}

	pMdl = IoAllocateMdl((PVOID)pVirtualAddress, length, FALSE, FALSE, NULL);
	if (NULL == pMdl)
	{
		DbgPrint("IoAllocateMdl returned NULL!\n");
		return NULL;
	}

	MmBuildMdlForNonPagedPool(pMdl);

	return pMdl;
}

// This function returns an MDL to a paged virtual memory area while
// making sure the pages are not paged out to the disk.
// 
// IN pVirtualAddress Virtual address to the start of the memory area.
// IN length Length of the memory area in bytes.
// IN operation Desired mode of operation.
//
// OUT PMDL Mdl to the locked and nonpaged memory area.
//
PMDL GetMdlForPagedMemory(PVOID pVirtualAddress, SIZE_T length, LOCK_OPERATION operation)
{
	PMDL pMdl;

	if (length >= (PAGE_SIZE * (65535 - sizeof(MDL)) / sizeof(ULONG_PTR)))
	{
		DbgPrint("Size parameter passed to IoAllocateMdl is too big!\n");
		return NULL;
	}

	pMdl = IoAllocateMdl((PVOID)pVirtualAddress, length, FALSE, FALSE, NULL);
	if (NULL == pMdl)
	{
		DbgPrint("IoAllocateMdl returned NULL!\n");
		return NULL;
	}

	// Make sure the memory is not paged on the disk.
	try
	{
		MmProbeAndLockPages(pMdl, KernelMode, operation);
	}
	except (EXCEPTION_EXECUTE_HANDLER)
	{
		DbgPrint("MmProbeAndLockPages caused an exception!\n");
		IoFreeMdl(pMdl);
		return NULL;
	}

	return pMdl;
}



// This function writes the given data to the given non-paged kernel memory location.
// It makes sure that no other instance can access it in any way until we have finished
// our job.
//
// IN pDestination Pointer to the kernel memory where we want to write.
// IN pSource Pointer to the data we want to write.
// IN length Length of data we want to write in bytes.
//
// OUT NTSTATUS return code.
//
NTSTATUS WriteKernelMemory(BYTE *pDestination, BYTE *pSource, SIZE_T length)
{
	KSPIN_LOCK spinLock;
	KLOCK_QUEUE_HANDLE lockHandle;
	PMDL pMdl;
	PVOID pAddress;

	pMdl = GetMdlForNonPagedMemory(pDestination, length);
	if (NULL == pMdl)
	{
		DbgPrint("GetMdlForSafeKernelMemoryArea returned NULL!\n");
		return STATUS_UNSUCCESSFUL;
	}

	pAddress = MmGetSystemAddressForMdlSafe(pMdl, HighPagePriority);

	if (pAddress == NULL)
	{
		IoFreeMdl(pMdl);
		DbgPrint("MmGetSystemAddressForMdlSafe returned NULL!\n");
		return STATUS_UNSUCCESSFUL;
	}

	KeInitializeSpinLock(&spinLock);
	// Only supported on XP and later. For Windows 2000 compatibility you can
	// use the older, less efficient and less reliable KeAcquireSpinLock function.
	KeAcquireInStackQueuedSpinLock (&spinLock, &lockHandle);
	// We have the spinlock, so we can safely overwrite the kernel memory.
	RtlCopyMemory(pAddress, pSource, length);
	KeReleaseInStackQueuedSpinLock(&lockHandle);

	IoFreeMdl(pMdl);

	return STATUS_SUCCESS;
}

void __stdcall ProcessData(DWORD *pEthread)
{
	DWORD	*pEprocess	= (DWORD *)*(pEthread + offsets.threadsProcess);
	DWORD	*pCid		= (DWORD *)(pEthread+offsets.CID);
	DWORD	key			= 0;
	DATA	data		= {0};
	
	data.processID = 0x0;
	data.threadID = 0x0;
	data.imageName = "NONE";

	key = (DWORD)pEthread;
	
	if (pCid != NULL)
	{
		data.processID = *pCid;
		data.threadID = *(pCid + 0x1);
	}
	
	if (pEprocess != NULL)
	{
		data.imageName = (BYTE *)(pEprocess+offsets.imageFilename);
		data.xlow = *(DWORD *)(pEprocess+offsets.peexittimeoff);
		data.xhigh = *(DWORD *)(pEprocess+offsets.peexittimeoff+4);
	}
	if (*(pEthread + offsets.crossThreadFlags) & 1)
	{
		KeAcquireSpinLock(&DpcSpinLock,&OldIrql);
		Remove(key, pHashTable);
		KeReleaseSpinLock(&DpcSpinLock,OldIrql);
	}
	else
	{
		KeAcquireSpinLock(&DpcSpinLock,&OldIrql);
		Insert(key, &data, pHashTable);
		KeReleaseSpinLock(&DpcSpinLock,OldIrql);
	}
}

void __declspec(naked) DetourFunction()
{
	__asm 
	{
		// Save parameters we will overwrite. We save all data to play it safe.
		pushad
		pushfd
		// Disable interrupts. Assume single processor machine.
		// cli
		// EDI holds the thread whose context we will switch out.
		push edi
		call ProcessData
		// ESI holds the thread whose context we will switch in.
		push esi
		call ProcessData
		// Enable interrupts.
		// sti
		// Restore the saved state.
		popfd
		popad

		// Jump to the trampoline function.
		jmp dword ptr pTrampoline
	}
}



BYTE * GetSwapAddr()
{
    BYTE		*res = 0;
    NTSTATUS	Status;
    PETHREAD	Thread;

    if (*NtBuildNumber <= 2195)
        Status = PsLookupThreadByThreadId((PVOID)4, &Thread);
    else
        Status = PsLookupThreadByThreadId((PVOID)8, &Thread);

    if (NT_SUCCESS(Status))
    {
        if (MmIsAddressValid(Thread))
            res = (BYTE *)(*(ULONG *)((BYTE *)(Thread)+0x28));
        if (MmIsAddressValid(res+8))
            res = (BYTE *)(*(ULONG *)(res+8));
        else
            res = 0;
    }

    return res;
}
ULONG GetFunctionAddr( IN PCWSTR FunctionName)
{
		UNICODE_STRING UniCodeFunctionName;
		
		RtlInitUnicodeString( &UniCodeFunctionName, FunctionName );
		return (ULONG)MmGetSystemRoutineAddress( &UniCodeFunctionName );    
		
}
VOID DoFindSwap(IN PVOID pContext)
	{
		NTSTATUS ret;
		PSYSTEM_MODULE_INFORMATION  module = NULL;
		ULONG n=0;
		void  *buf    = NULL;
		ULONG ntosknlBase;
		ULONG ntosknlEndAddr;
		ULONG curAddr;

		ULONG code1_sp1=0xc626c90a,code2_sp1=0x9c022d46,code3_sp1=0xbb830b8b,code4_sp1=0x00000994;


		ULONG code1,code2,code3,code4;
		ULONG i;
		
		NtQuerySystemInformation=(NTQUERYSYSTEMINFORMATION)GetFunctionAddr(L"NtQuerySystemInformation");
		if (!NtQuerySystemInformation) 
		{
			DbgPrint("Find NtQuerySystemInformation faild!");
			goto Ret;
		}
		ret=NtQuerySystemInformation(SystemModuleInformation,&n,0,&n);
		if (NULL==( buf=ExAllocatePoolWithTag(NonPagedPool, n, 'PAWS')))
		{
			DbgPrint("ExAllocatePool() failed\n" );
			goto Ret;
		}
		ret=NtQuerySystemInformation(SystemModuleInformation,buf,n,NULL);
		if (!NT_SUCCESS(ret))	{
			DbgPrint("NtQuerySystemInformation faild!");
			goto Ret;
		} 
		module=(PSYSTEM_MODULE_INFORMATION)((PULONG)buf+1);
		ntosknlEndAddr=(ULONG)module->Base+(ULONG)module->Size;
		ntosknlBase=(ULONG)module->Base;
		curAddr=ntosknlBase;
		ExFreePool(buf);

		code1 = code1_sp1;
		code2 = code2_sp1;
		code3 = code3_sp1;
		code4 = code4_sp1;
	
		for (i=curAddr;i<=ntosknlEndAddr;i++)
		{
			if (*((ULONG *)i)==code1) 
			{
				if (*((ULONG *)(i+4))==code2) 
				{
					if (*((ULONG *)(i+8))==code3) 
					{
						if (*((ULONG *)(i+12))==code4) 
						{
								
								pSwapContext=(BYTE *)i;
								break;
									
						}
					}
				}
			}
		}
Ret:
	PsTerminateSystemThread(STATUS_SUCCESS);
	}

void FindSwapAddr()
{
		HANDLE	hThread		= NULL;
		PVOID	objtowait	= 0;

		NTSTATUS dwStatus = 
			PsCreateSystemThread(
			&hThread,
	              0,
		       NULL,
			(HANDLE)0,
	              NULL,
		       DoFindSwap,
			NULL
			);
		if ((KeGetCurrentIrql())!=PASSIVE_LEVEL)
		{
			KfRaiseIrql(PASSIVE_LEVEL);
		
		}
		if ((KeGetCurrentIrql())!=PASSIVE_LEVEL)
		{
			return;
		}
		
		ObReferenceObjectByHandle(
			hThread,
			THREAD_ALL_ACCESS,
			NULL,
			KernelMode,
			&objtowait,
			NULL
			); 

		KeWaitForSingleObject(objtowait,Executive,KernelMode,FALSE,NULL); //NULL表示无限期等待.
		return;

}

NTSTATUS InstallSwapContextHook()
{
	NTSTATUS rc;r
	int length = 0;
	int totalLength = 0;
	struct xde_instr instr;
	BYTE *pJmpCode = NULL;
	long displacement = 0;

	__asm
    {
			push    eax
			mov        eax, CR0
			and        eax, 0FFFEFFFFh
			mov        CR0, eax
			pop        eax
    }

	// Disassemble the code to get how many bytes we have to replace.
	// We use XDE v1.01 by Z0MBie (http://z0mbie.host.sk/).
	while (totalLength < 5)
	{
		length = xde_disasm(pSwapContext + totalLength, &instr);
		if (length == 0)
		{
			DbgPrint("xde_disasm returned 0!\n");
			return STATUS_UNSUCCESSFUL;
		}
		totalLength += length;
	}
	
	DbgPrint("Hook will replace the first %d bytes.\n", totalLength);

	// Allocate the required bytes for the trampoline function.
	pTrampoline = trampoline.pAddress = ExAllocatePoolWithTag(NonPagedPool, totalLength + 5, MAINTAG1);
	if (trampoline.pAddress == NULL)
	{
		DbgPrint("ExAllocatePoolWithTag returned NULL!\n");
		return STATUS_UNSUCCESSFUL;
	} 

	DbgPrint("Trampoline is at 0x%x\n", pTrampoline);

	// This tells how many bytes we replaced from the original function.
	trampoline.size = totalLength;
	RtlCopyMemory(trampoline.pAddress, pSwapContext, totalLength);

	// We are using JMP rel32 instruction to jump to the rest of the
	// swapcontext function, so we first calculate the 32bit displacement
	// and then create the five byte JMP instruction.
	displacement = (pSwapContext + totalLength) - (trampoline.pAddress + totalLength + JMP_SIZE);
	pJmpCode = trampoline.pAddress + totalLength;

	//直接的jmp分3种 
	//Short Jump(短跳转)机器码 EB rel8 
	//只能跳转到256字节的范围内 
	//Near Jump(近跳转)机器码 E9 rel16/32 
	//可跳至同一个段的范围内的地址 
	//Far Jump(远跳转)机器码EA ptr 16:16/32 
	//可跳至任意地址,使用48位/32位全指针 
	*pJmpCode = 0xe9;
	RtlCopyMemory(pJmpCode+1, &displacement, 4);

	// Allocate the required bytes for the jmp code to the detour function.
	pJmpCode = ExAllocatePoolWithTag(NonPagedPool, totalLength, MAINTAG1);
	if (pJmpCode == NULL)
	{
		DbgPrint("ExAllocatePoolWithTag returned NULL!\n");
		return STATUS_UNSUCCESSFUL;
	}

	// Initialize the jmp-code with NOPs.
	RtlFillMemory(pJmpCode, totalLength, 0x90);
	
	// We are using JMP rel32 instruction to jump to our hook function,
	// so we first calculate the 32bit displacement and then create the
	// five byte JMP instruction.
	displacement = ((BYTE *)&DetourFunction) - (pSwapContext + JMP_SIZE);
	*pJmpCode = 0xe9;
	RtlCopyMemory(pJmpCode+1, &displacement, 4);

	rc = WriteKernelMemory(pSwapContext, pJmpCode, totalLength);
	ExFreePoolWithTag(pJmpCode, MAINTAG1);
    __asm
    {
        push    eax
			mov        eax, CR0
			or        eax, NOT 0FFFEFFFFh
			mov        CR0, eax
			pop        eax
    }
	return rc;
}

// This function removes our hook by restoring the bytes we have replaced
// from the original SwapContext function.
//
// OUT NTSTATUS return value.
//
NTSTATUS UninstallSwapContextHook()
{
	return WriteKernelMemory(pSwapContext, trampoline.pAddress, trampoline.size);
}

NTSTATUS OnUnload(IN PDRIVER_OBJECT DriverObject)
{
	NTSTATUS rc;
	UNICODE_STRING          deviceLinkUnicodeString;
	PDEVICE_OBJECT			p_NextObj;
	PPROCLIST pTemp = NULL, pt = NULL;
	PThreadData pTempT = NULL, pp = NULL;
	PDriverData pTempD = NULL, pd = NULL;
	PFileList pTempF = NULL, pf = NULL;

	DbgPrint("OnUnload called\n");

	rc = UninstallSwapContextHook();

	if (STATUS_SUCCESS == rc)
	{
		DbgPrint("UninstallSwapContextHook succeeded.\n");
	}
	else
	{
		DbgPrint("UninstallSwapContextHook failed!\n");
	}

	// Show the collected data and release all resources.
	//DumpTable(pHashTable);
	KeAcquireSpinLock(&DpcSpinLock,&OldIrql);
	DestroyTable(pHashTable);
	KeReleaseSpinLock(&DpcSpinLock,OldIrql);
	//num = 0;
	ExFreePoolWithTag(pTrampoline, MAINTAG1);

    // Delete the symbolic link for our device
	//
	RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
	IoDeleteSymbolicLink( &deviceLinkUnicodeString );
	// Delete the device object
	//
	IoDeleteDevice( DriverObject->DeviceObject );
	//return STATUS_SUCCESS;
	return rc;
}


NTSTATUS DispatchCreate (
		IN PDEVICE_OBJECT	pDevObj,
		IN PIRP				pIrp			)
{

	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;	// no bytes xfered
	IoCompleteRequest( pIrp, IO_NO_INCREMENT );
	return STATUS_SUCCESS;
}


NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	
	RTL_OSVERSIONINFOW		osvi;
	NTSTATUS                ntStatus;
	UNICODE_STRING          deviceNameUnicodeString;
    UNICODE_STRING          deviceLinkUnicodeString;   
	RTL_OSVERSIONINFOEXW	VersionInfo;
	ULONGLONG				ConditionMask = 0;

	memset(&VersionInfo,0,sizeof(VersionInfo));

	VER_SET_CONDITION (
           ConditionMask,
            VER_SERVICEPACKMAJOR,
            VER_EQUAL
            );


	DbgPrint("DriverEntry called.\n");

	RtlZeroMemory(&osvi, sizeof(RTL_OSVERSIONINFOW));
	osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);


	// Initialize the OS specific data.
// 	gNameOffset = GetLocationOfProcessName(PsGetCurrentProcess());
// 	if (!gNameOffset)
// 		return STATUS_UNSUCCESSFUL;
	if (STATUS_SUCCESS == RtlGetVersion(&osvi))
	{
		if (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1) //Windows XP
		{
			offsets.pecreatetimeoff = 0x070;
			offsets.peexittimeoff = 0x078;
			offsets.CID = 0x7b;
			offsets.threadsProcess = 0x88;
			offsets.crossThreadFlags = 0x92;
			offsets.imageFilename = 0x5d;
		}

		//VersionInfo.wServicePackMajor = 3;
		//if( STATUS_SUCCESS==RtlVerifyVersionInfo(&VersionInfo,VER_SERVICEPACKMAJOR,ConditionMask))//sp3
		//{
		//
		//}
		
		else
		{
			//更多的调试
			DbgPrint("Unsupported OS version!\n");
			return STATUS_UNSUCCESSFUL;
		}
		
	}
	else
	{
		DbgPrint("RtlGetVersion failed!\n");
		return STATUS_UNSUCCESSFUL;
	}
	
	RtlInitUnicodeString (&deviceNameUnicodeString,
	                          deviceNameBuffer );
	RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer);

	ntStatus = IoCreateDevice ( DriverObject,
	                                0, // For driver extension
	                                &deviceNameUnicodeString,
	                                FILE_DEVICE_UNKNOWN,
	                                0,
	                                TRUE,
	                                &g_HookDevice );

	if(! NT_SUCCESS(ntStatus))
	{
	        DbgPrint(("Failed to create device!\n"));
	        return ntStatus;
	}
	 
			
	ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
	                                        &deviceNameUnicodeString );
	if(! NT_SUCCESS(ntStatus)) 
	{
		 IoDeleteDevice(DriverObject->DeviceObject);
	        DbgPrint("Failed to create symbolic link!\n");
	        return ntStatus;
	}

	DriverObject->DriverUnload  = OnUnload;

	pHashTable = InitializeTable(HASHTABLE_SIZE);
	if (pHashTable == NULL)
	{
		DbgPrint("InitializeTable failed!\n");
		return STATUS_UNSUCCESSFUL;
	}
	
	//pSwapContext = GetSwapAddr();

	FindSwapAddr();

	if(NULL==pSwapContext)
	{
	 	DbgPrint("SwapContext addr not found!\n");
		return STATUS_UNSUCCESSFUL;
	}
	else
	{
		DbgPrint("SwapContext found at 0x%x\n", pSwapContext);

		ntStatus = InstallSwapContextHook();
	}
	
	if (STATUS_SUCCESS == ntStatus)
	{
		DbgPrint("InstallSwapContextHook succeeded.\n");
		DbgPrint("DetourFunction is at 0x%x\n", DetourFunction);
	}
	else
	{
		DbgPrint("InstallSwapContextHook failed!\n");
		return STATUS_UNSUCCESSFUL;
	}

	return STATUS_SUCCESS;
	
}

两份inline hook NtOpenprocess保护进程的代码:

这份没有使用中间函数:

#include "ntddk.h"

#pragma pack(1)
#define IOCTL_HOOK CTL_CODE(FILE_DEVICE_UNKNOWN,0x801 , METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)  

typedef struct ServiceDescriptorEntry {
	unsigned int *ServiceTableBase;
	unsigned int *ServiceCounterTableBase; //仅适用于checked build版本
	unsigned int NumberOfServices;
	unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

//global
ULONG   OpenprocessAddress;
ULONG   JmpOldAddress;
UCHAR	OldCode[5];
HANDLE  MyPID;
HANDLE  PID;

int *MyPIDEx;
void IninleHookOpenProcess(int *PID);

NTSTATUS __declspec(naked)(__stdcall MyNtOpenProcess)(
	                                            PHANDLE ProcessHandle,
												ACCESS_MASK DesiredAccess,
												POBJECT_ATTRIBUTES ObjectAttributes,
												PCLIENT_ID ClientId) 
{
	__asm
	{
		push eax
		mov eax,[esp+0x14]  //获取ClientId,因为是第四个参数所以【esp+10】,但上面有push eax 所以再加4
		mov eax,[eax]
		mov PID,eax          //不能在naked函数里定义局部变量,会破坏本来的局部变量
		pop eax
	}

	if(PID==MyPID)
		{
			__asm
				{
					mov [esp+4],0 //返回空句柄
					mov eax,0xC0000022L  //返回值STATUS_ACCESS_DENIED 无法发现进程
					retn 0x10   //执行保护后的返回
				}
		}

	/*__asm
	{
		push  0x0C4
		mov edx,RealNtOpenProcess
		add edx,5
		jmp edx
	}*/
	
	__asm
	{
		mov  edi,edi
		push ebp
		mov ebp,esp
		jmp JmpOldAddress
	}

}

void PageProtectOn()
{
	__asm{//恢复内存保护  
		mov  eax,cr0
		or   eax,10000h
		mov  cr0,eax
		sti
	}
}

void PageProtectOff()
{
	__asm{//去掉内存保护
		cli
		mov  eax,cr0
		and  eax,not 10000h
		mov  cr0,eax
	}
}


NTSTATUS IODispatch(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
	Irp->IoStatus.Status = STATUS_SUCCESS;
	IoCompleteRequest(Irp,IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}


NTSTATUS IOManager(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{   
	PIO_STACK_LOCATION StackLocation = IoGetCurrentIrpStackLocation(Irp);
	ULONG IRPcode = StackLocation->Parameters.DeviceIoControl.IoControlCode;  
	char outText[]="保护成功";
	ULONG  returnSize;
	UCHAR *oubuffer;
	Irp->IoStatus.Status = STATUS_SUCCESS; 

	switch(IRPcode)
	{
	case IOCTL_HOOK:
		KdPrint(("IOCTL_HOOK  \n"));
	MyPIDEx	=(int*)Irp->AssociatedIrp.SystemBuffer;//得到传入数据地址

	oubuffer = (UCHAR*)Irp->AssociatedIrp.SystemBuffer;

	strcpy((char*)oubuffer,outText);

	returnSize=strlen(outText);  

	IninleHookOpenProcess(MyPIDEx);
		break;
	}
	
	Irp->IoStatus.Information=returnSize;
	Irp->IoStatus.Status= STATUS_SUCCESS;
	
	IoCompleteRequest(Irp,IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}

void IninleHookOpenProcess(int *PID)
{
	UCHAR jmpcode[5];
	ULONG jmp_tmp_code;
	
	jmpcode[0]=0xE9;
	
	 OpenprocessAddress = KeServiceDescriptorTable.ServiceTableBase[190];

	 jmp_tmp_code = (ULONG)MyNtOpenProcess - OpenprocessAddress - 5; 

	 *(ULONG*)&jmpcode[1]=jmp_tmp_code;

	 JmpOldAddress = OpenprocessAddress + 5;
	 MyPID = (HANDLE)*PID;
	 PageProtectOff();

	 RtlCopyMemory(OldCode,(PVOID)OpenprocessAddress,5);
	 RtlCopyMemory((PVOID)OpenprocessAddress,jmpcode,5);

	 PageProtectOn();

}

void UnHookOpenprocess()
{
	 PageProtectOff();

	 RtlCopyMemory((PVOID)OpenprocessAddress,OldCode,5);

	 PageProtectOn();
}

NTSTATUS CreateDevice(PDRIVER_OBJECT pDriverObject)
{
	NTSTATUS Status;
	PDEVICE_OBJECT	pDevObj;
	UNICODE_STRING	usDevName;
	UNICODE_STRING	usSymName;

	RtlInitUnicodeString(&usDevName,L"\\Device\\MyDevice");

	Status = IoCreateDevice(pDriverObject,\
		0,\
		&usDevName,\
		FILE_DEVICE_UNKNOWN,\
		0,\
		TRUE,\
		&pDevObj);
	if (!NT_SUCCESS(Status))
	{
		return Status;
	}

	pDevObj->Flags |= DO_BUFFERED_IO;


	RtlInitUnicodeString(&usSymName,L"\\??\\MyDevice");

	Status = IoCreateSymbolicLink(&usSymName,&usDevName);
	if (!NT_SUCCESS(Status))
	{
		IoDeleteDevice(pDevObj);
		return Status;
	}

	return STATUS_SUCCESS;
}

void UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
	UNICODE_STRING usSymName;

	RtlInitUnicodeString(&usSymName,L"\\??\\MyDevice");

	if (pDriverObject->DeviceObject!=NULL)
	{
		IoDeleteSymbolicLink(&usSymName);
		IoDeleteDevice(pDriverObject->DeviceObject);
		KdPrint(("删除设备成功."));
	}
	UnHookOpenprocess();
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegString)
{
	NTSTATUS Status;
	Status = CreateDevice(pDriverObject);
	if (!NT_SUCCESS(Status))
	{
		KdPrint(("创建设备失败."));
	}else{
		KdPrint(("创建设备成功."));
	}
	
	pDriverObject->MajorFunction[IRP_MJ_CREATE] = IODispatch;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IOManager; 
	pDriverObject->DriverUnload = UnloadDriver;
	return STATUS_SUCCESS;
}


另外一份使用了中间函数 这才是真正意义上inline hook

//为什么一个是esp+0x34 一个是esp+14  原因是下面这份使用了

pushad
pushfd
保护了现场 这将栈提高了0x24字节
#include "ntddk.h"

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
	unsigned int *ServiceTableBase;
	unsigned int *ServiceCounterTableBase; //仅适用于checked build版本
	unsigned int NumberOfServices;
	unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

NTSTATUS
PsLookupProcessByProcessId(
    IN HANDLE ProcessId,
    OUT PEPROCESS *Process
    );

//global
ULONG	gfn_ntopenprocess;
ULONG	g_jmp_origfunc;
UCHAR	gs_origfunc_code[5];

void PageProtectOn()
{
	__asm{//恢复内存保护  
		mov  eax,cr0
		or   eax,10000h
		mov  cr0,eax
		sti
	}
}

void PageProtectOff()
{
	__asm{//去掉内存保护
		cli
		mov  eax,cr0
		and  eax,not 10000h
		mov  cr0,eax
	}
}

ULONG FilterNtOpenProcess(PCLIENT_ID ClientId)
{
	NTSTATUS	status;
	PEPROCESS	process_obj;
	status = PsLookupProcessByProcessId(ClientId->UniqueProcess,&process_obj);
	if (!NT_SUCCESS(status))
	{
		return 0;
	}

	if (strstr((char*)process_obj+0x16c,"VistaLKD")!=0)
	{
		return 1;
	}

	return 0;
}

__declspec(naked)
NTSTATUS NewNtOpenProcess()
{
	__asm{
		pushad
		pushfd
		push	[esp+0x34]
		call	FilterNtOpenProcess
		test	eax,eax
		je		__Exit
		popfd
		popad
		mov		eax,0
		ret		0x10
__Exit:
		popfd
		popad
		mov		edi,edi
		push	ebp
		mov		ebp,esp
		jmp		g_jmp_origfunc
	}
}

void UnHookNtOpenProcess()
{
	PageProtectOff();

	RtlCopyMemory((PVOID)gfn_ntopenprocess,gs_origfunc_code,5);

	PageProtectOn();
}

void HookNtOpenProcess()
{
	ULONG	u_jmp_address;
	UCHAR	str_jmp_code[5];
	
	gfn_ntopenprocess = KeServiceDescriptorTable.ServiceTableBase[190];
	RtlCopyMemory(gs_origfunc_code,(PVOID)gfn_ntopenprocess,5);
	
	str_jmp_code[0] = 0xE9;

	u_jmp_address = (ULONG)NewNtOpenProcess - gfn_ntopenprocess - 5;
	*(ULONG*)(&str_jmp_code[1]) = u_jmp_address;

	PageProtectOff();

	RtlCopyMemory((PVOID)gfn_ntopenprocess,str_jmp_code,5);

	PageProtectOn();

	g_jmp_origfunc = gfn_ntopenprocess + 5;
}

VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
	UnHookNtOpenProcess();
}

NTSTATUS DriverEntry(PDRIVER_OBJECT	pDriverObject,PUNICODE_STRING Reg_Path)
{
	HookNtOpenProcess();
	pDriverObject->DriverUnload = MyUnload;
	return STATUS_SUCCESS;
}


问:为什么一个esp+14 一个是esp+38


简单linux 下 x64任意地址的inlinehook
liutianheng654的博客
03-25 1634
相对主流工具frida,更加快速的inlinehook,代码简单,可以针对性进行修改
InlineHOOK
九月飞雪的博客
01-03 4556
//inline hook 实际上就是指 通过改变目标函数头部的代码来使改变后的代码跳转至我们自己设置的一个函数里,产生hook. #include &lt;windows.h&gt; #include &lt;stdio.h&gt; //定义一个与MessageBoxA类型一致的函数指针。 typedef int (WINAPI * MessageBox_type)(HWND hWnd, ...
HookInline Hook学习资料以及总结问题
it技术学习
04-03 1068
1、简介          INLINE HOOK原理:         Inline Hook通过硬编码的方式向内核API的内存空间(通常是开始的一段字节,且一般在第一个call之前,这么做是为了防止堆栈混乱)写入跳转语句,这样,该API只要被调用,程序就会跳转到我们的函数中来,我们在自己写的函数里需要完成3个任务:          1)重新调整当前堆栈。程序流程在刚刚跳转的时候
深入理解inline hook技术
最新发布
weixin_42452483的博客
07-21 686
Inline hook技术,即内联钩子技术,是一种用于软件开发中的高级技术,允许开发者在目标应用程序或系统库函数执行过程中,插入自己的代码段。通过这种技术,开发者能够监控或修改函数的行为,实现复杂的功能,比如性能分析、安全监控、功能增强等。掌握inline hook技术,对于IT从业者来说,不仅能够加深对软件执行过程的理解,还能够帮助他们在安全和性能优化等领域中实现更高级别的定制化操作。实现inline hook的过程通常包含几个核心步骤:首先,确定目标函数,即开发者希望插入代码的函数;
inlinehook_ssdt的ntopenkey函数的任意位置
02-01 927
#include"ntddk.h" #pragma pack(1) //写这个内存以一字节对齐 如果不写是以4字节的对齐的 typedef struct ServiceDescriptorEntry {//这个结构就是为了管理这个数组而来的 内核api所在的数组 才有这个结构的 这个是ssdt unsigned int *ServiceTableBase;//就是ServiceTable
[驱动开发] 手写 r0 hook(NtOpenProcess 为例)
LYSM
11-09 1828
inlineHook的原理: 为了方便好理解,一些变量名和函数名在这里使用中文命名,有些编译器不支持中文命名,在这里要注意(我的是VS2019) hook.h: #pragma once #include<ntifs.h> #include<ntddk.h> #pragma intrinsic(__readmsr) //SSDT的结构 typedef struct _SYSTEM_SERVICE_TABLE { PLONG ServiceTableBase; PVOI
HOOK ntopenprocess
qq_41071646的博客
01-06 1138
先来说一下我对SSDT的体会把   我感觉SSDT 就是一张表  这个表里面 有很多数组  然后 算是 内核层的 导入表只不过 他是整个操作系统的导入表  然后里面有很多数组  然后当我们 调用 api的时候  应用层的api 会经过封装 可能会多传出一些  参数 比如 那张表  表的 地址 那个数组  然后 进去调用就好了  听群里的大佬说   x86 的ssdt 好像是固定的   但是 ...
Inline Hook_inlinehook_x86_x64_64位HOOK_
09-28
Inline Hook是一种技术,主要用于在程序运行时修改函数的行为。它涉及到计算机编程中的底层技术,特别是逆向工程和软件调试领域。Inline Hook的核心是通过在原函数的代码中插入额外的指令来实现对函数调用的拦截,...
使用内核三步实现InlineHook的详细分析
07-06
Inlinehook.通俗的说就是对函数执行流程进行修改。达到控制函数过滤操作的目的。理论上我们可以在函数任何地方把原来指令替换成我们的跳转指令,也确实有些人在inlineHook的时候做得很深,来躲避inlineHook的检测。...
And64InlineHook:适用于Android CC ++的轻量级ARMv8-A(ARM64,AArch64,Little-Endian)内联挂钩库
04-30
And64InlineHook是一个专为Android平台设计的轻量级库,主要针对C/C++开发者,用于实现ARMv8-A架构(ARM64或AArch64,Little-Endian字节序)的内联挂钩功能。这个库允许开发人员在运行时修改已编译的二进制代码的...
代码实例分析android中inline hook
08-28
Android 中的 Inline Hook 技术详解 Android 中的 Inline Hook 技术是指在 Android 操作系统中,使用 Hook 技术来拦截和修改应用程序的行为。Inline Hook 是一种常用的 Hook 技术,通过在应用程序的代码中注入一段...
精选_实现32位和64位系统的Inline Hook API_源码打包
03-09
Inline Hook API 是一种在软件开发中用于拦截和修改程序行为的技术。它主要通过在目标函数的入口处插入自定义代码(通常称为钩子)来实现。这种方法允许开发者在不修改原始函数代码的情况下,动态地改变函数的行为。...
InlineHookOpenProcess之例子的软件源码
04-09
InlineHookOpenProcess之例子自己收藏的源码,特意贡献给大家
利用hook OpenProcess实现进程防杀的DLL源码
08-06
hook openprocess 实现进程防杀的DLL源码
SSDT inlineHook
dre4merp
05-16 457
上一篇我们介绍了最简单的SSDT,这篇来写一下inlineHook。 所谓的inlineHook就是在内存中修改所需要挂钩函数的前几个字节,让其跳转到我们的fake函数,执行完毕后再跳回去执行原函数,这样的话我们就没有修改SST表里面的内容,而是对函数本身修改。 流程摘自:看雪aniquest 1. 获取服务函数地址: (1)通过全局变量KeServiceDescriptorTable获得SSDT表的起始地址; (2)映射ntdll.dll到ring0空间,获得要Hook的函数的服务索引号; (
inline hook【002】
duhaomin的专栏
10-14 1067
inline hookhook dll中的某个函数的小例子:
浅谈inline HOOk之ring0下的进程保护
linuxheik的专栏
05-09 2395
浅谈inline HOOk之ring0下的进程保护 在上一篇中说了一下ring3下简单的inline HOOK,写函数开头的方法还是比较通用的,而Call钩子虽然有隐蔽的优点,却需要对目标函数进行反汇编,都不适合大规模使用,还有push 、ret的方法,熟习的API的压栈原理,就很简单的,这些问题以后再讨论,这次我将上一篇文章里的代码移植到了ring0下,用来实现进程保护,rin
ssdkhook之ntopenprocess_保护用户层的应用程序不被ce打开_完美版
01-31 971
#include"ntddk.h" NTSTATUS PsLookupProcessByProcessId( _In_ HANDLE ProcessId, _Out_ PEPROCESS *Process ); #pragma pack(1) //写这个内存以一字节对齐 如果不写是以4字节的对齐的 typedef struct ServiceDescriptorEntry {//这个
新手学ssdt_hook_ntopenprocess
05-09 609
#include "ntddk.h" #pragma pack(1) typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsi...
InLine Hook技术源码深入解析
根据提供的文件信息,我们需要讨论的主题是“Inline Hook”技术,这是在软件逆向工程和安全领域中常见的一种技术手段。Inline Hook技术通常用于在不修改原有二进制文件的情况下,插入代码以修改程序的行为,或者监控...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值