15,471
社区成员
发帖
与我相关
我的任务
分享想了中新的HOOK API的方法,不过仅仅用于NtXxxxxxx和XP平台:)
原理:
ZwQuerySystemInformation: ; NtQuerySystemInformation
.text:7C92E1AA mov eax, 0ADh ; RtlGetNativeSystemInformation
.text:7C92E1AF mov edx, 7FFE0300h ;7FFE0300h好象存着好东西
.text:7C92E1B4 call dword ptr [edx]
.text:7C92E1B6 retn 10h
ZwQuerySystemTime: ; NtQuerySystemTime
.text:7C92E1BF mov eax, 0AEh
.text:7C92E1C4 mov edx, 7FFE0300h ;又是这
.text:7C92E1C9 call dword ptr [edx]
.text:7C92E1CB retn 4
FT,eax肯定是功能号,7FFE0300处存着全部需要进入Ring0的都要调用的过程的地址
原来7FFE0300放着KiFastSystemCall的地址7C92EB8B:)
KiFastSystemCall:
.text:7C92EB8B mov edx, esp
.text:7C92EB8D sysenter
.text:7C92EB94 retn
然后就是找到你要HOOK的NtXxxx,把7FFE0300改掉,改成存放你的myNtXxxx入口的变量地址
BYTE GetNtApiEP(char* ntApiName)
{
HMODULE lib;
PBYTE destApiEP;
lib = GetModuleHandle("ntdll.dll");
destApiEP = (PBYTE)GetProcAddress(lib , ntApiName);
if(!destApiEP)
{
return FALSE;
}
return destApiEP;
}
BOOL MakeMemRWE(PVOID mem,int size)
{
DWORD oldProtect;
if(!VirtualProtect(mem , size,PAGE_EXECUTE_READWRITE,&oldProtect))
{
return FALSE;
}
return TRUE;
}
BOOL isNtApi(PBYTE ntApiEP)
{
if(*ntApiEP != 0xB8)
{
return FALSE;
}
return TRUE;
}
BOOL Change0x77FE3000(PBYTE ntApiEP,PVOID value)
{
if(!value) return FALSE;
ntApiEP+=6;
*(DWORD*)ntApiEP = value;
return TRUE;
}
BOOL _stdcall HookNtXxx(PVOID destApiEP,PVOID pMonitorFuncAddr)
{
MessageBox(0,"I'm Hooking!","Message",0);
if(!MakeMemRWE(destApiEP,0x1000)) return FALSE;
if(!isNtApi(destApiEP)) return FALSE;
if(!Change0x77FE3000(destApiEP,pMonitorFuncAddr)) return FALSE;
return TRUE;
}
BOOL _stdcall UnHookNtXxx(PVOID destApiEP)
{
if(!MakeMemRWE(destApiEP,0x1000)) return FALSE;
if(!isNtApi(destApiEP)) return FALSE;
if(!Change0x77FE3000(destApiEP,0x7FFE0300)) return FALSE;
return TRUE;
}
ZwQuerySystemInformation: ; NtQuerySystemInformation
.text:7C92E1AA mov eax, 0ADh ; RtlGetNativeSystemInformation
.text:7C92E1AF mov edx, 7FFE0300h ;7FFE0300h好象存着好东西
.text:7C92E1B4 call dword ptr [edx]
.text:7C92E1B6 retn 10h
ZwQuerySystemTime: ; NtQuerySystemTime
.text:7C92E1BF mov eax, 0AEh
.text:7C92E1C4 mov edx, 7FFE0300h ;又是这
.text:7C92E1C9 call dword ptr [edx]
.text:7C92E1CB retn 4
FT,eax肯定是功能号,7FFE0300处存着全部需要进入Ring0的都要调用的过程的地址
原来7FFE0300放着KiFastSystemCall的地址7C92EB8B:)
KiFastSystemCall:
.text:7C92EB8B mov edx, esp
.text:7C92EB8D sysenter
.text:7C92EB94 retn
然后就是找到你要HOOK的NtXxxx,把7FFE0300改掉,改成存放你的myNtXxxx入口的变量地址
BYTE GetNtApiEP(char* ntApiName)
{
HMODULE lib;
PBYTE destApiEP;
lib = GetModuleHandle("ntdll.dll");
destApiEP = (PBYTE)GetProcAddress(lib , ntApiName);
if(!destApiEP)
{
return FALSE;
}
return destApiEP;
}
BOOL MakeMemRWE(PVOID mem,int size)
{
DWORD oldProtect;
if(!VirtualProtect(mem , size,PAGE_EXECUTE_READWRITE,&oldProtect))
{
return FALSE;
}
return TRUE;
}
BOOL isNtApi(PBYTE ntApiEP)
{
if(*ntApiEP != 0xB8)
{
return FALSE;
}
return TRUE;
}
BOOL Change0x77FE3000(PBYTE ntApiEP,PVOID value)
{
if(!value) return FALSE;
ntApiEP+=6;
*(DWORD*)ntApiEP = value;
return TRUE;
}
BOOL _stdcall HookNtXxx(PVOID destApiEP,PVOID pMonitorFuncAddr)
{
MessageBox(0,"I'm Hooking!","Message",0);
if(!MakeMemRWE(destApiEP,0x1000)) return FALSE;
if(!isNtApi(destApiEP)) return FALSE;
if(!Change0x77FE3000(destApiEP,pMonitorFuncAddr)) return FALSE;
return TRUE;
}
BOOL _stdcall UnHookNtXxx(PVOID destApiEP)
{
if(!MakeMemRWE(destApiEP,0x1000)) return FALSE;
if(!isNtApi(destApiEP)) return FALSE;
if(!Change0x77FE3000(destApiEP,0x7FFE0300)) return FALSE;
return TRUE;
}
...全文
请发表友善的回复…
发表回复
chaircat 2005-11-24
- 打赏
- 举报
楼上...Ntxxxxxxx函数当然只有NT系统才有啊...
另外想问下楼主测试过没有啊?
另外想问下楼主测试过没有啊?
mejy 2005-11-23
- 打赏
- 举报
跨平台如何
Dizovin 2005-11-21
- 打赏
- 举报
啧啧,学习。。。
netgm 2005-11-20
- 打赏
- 举报
up mark
布学无数 2005-11-19
- 打赏
- 举报
Mark
hamham 2005-11-19
- 打赏
- 举报
收藏
LookSail 2005-11-19
- 打赏
- 举报
这样是不是要写驱动啊?
LookSail 2005-11-19
- 打赏
- 举报
收藏,日后学习
oyljerry 2005-11-19
- 打赏
- 举报
mark
bluekite 2005-11-19
- 打赏
- 举报
關注一下!
xingzhou 2005-11-18
- 打赏
- 举报
学习
--------------------------------
行舟, CSDN论坛浏览器
http://blog.csdn.net/xingzhou
--------------------------------
行舟, CSDN论坛浏览器
http://blog.csdn.net/xingzhou
aspbasicer 2005-10-16
- 打赏
- 举报
再贴个例子:
DWORD __cdecl NtCreateFileMonitor(PVOID RetToKernel32CreateFile,
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
)
{
UnHookNtXxx(oNtCreateFile);
MessageBoxW(0,ObjectAttributes->ObjectName->Buffer,L"Monitor",0);
__asm
{
push EaLength
push EaBuffer
push CreateOptions
push CreateDisposition
push ShareAccess
push FileAttributes
push AllocationSize
push IoStatusBlock
push ObjectAttributes
push DesiredAccess
push FileHandle
call oNtCreateFile
}
HookNtXxx(oNtCreateFile,&NtCreateFileMonitorAddr);
}
注意,一定要声明成__cdecl!!!!绝对不能其他的
自己写的NtXxxx必须比原来的多一个参数,我这是PVOID RetToKernel32CreateFile,这样在你的NtXxx里才能正确的使用参数。原理写起来太多,不写了
DWORD __cdecl NtCreateFileMonitor(PVOID RetToKernel32CreateFile,
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
)
{
UnHookNtXxx(oNtCreateFile);
MessageBoxW(0,ObjectAttributes->ObjectName->Buffer,L"Monitor",0);
__asm
{
push EaLength
push EaBuffer
push CreateOptions
push CreateDisposition
push ShareAccess
push FileAttributes
push AllocationSize
push IoStatusBlock
push ObjectAttributes
push DesiredAccess
push FileHandle
call oNtCreateFile
}
HookNtXxx(oNtCreateFile,&NtCreateFileMonitorAddr);
}
注意,一定要声明成__cdecl!!!!绝对不能其他的
自己写的NtXxxx必须比原来的多一个参数,我这是PVOID RetToKernel32CreateFile,这样在你的NtXxx里才能正确的使用参数。原理写起来太多,不写了
