麥洛克菲內(nèi)核開(kāi)發(fā)第五課hook

1、麥洛克菲內(nèi)核開(kāi)發(fā)第五課HOOK,麥洛克菲www.mallocfree.com,周揚(yáng)榮,麥洛克菲www.mallocfree.com,提綱,SSDTINLINEIRPSYSENTERIDTOBJECTR3等等,SSDT HOOK,API 流程,kernel.dlluser32.dll,ntdll.dll,,,,,API,,IRP,,應(yīng)用層,內(nèi)核層,數(shù)據(jù)命令,封裝,,,,disk.sys,ntfs.sys,,ntosk

2、rnl.exe,,ZW與NT函數(shù)（1）,ntdll.dllZw*與nt*函數(shù)ntoskrnl.exeZw*與nt*函數(shù),Ntdll.dll,Ntoskrnl.exe,Nt*,Zw*,Nt*,Zw*,,,ZW與NT函數(shù)（2）,區(qū)別：Ntdll.dll中：完全一樣Ntoskrnl.exe中：Zw*?nt*，即nt函數(shù)更底層Zw*函數(shù)會(huì)把PreviousMode設(shè)置為KernelMode 然后再調(diào)用Nt*函數(shù)，因此在Nt*函數(shù)

3、中就不會(huì)進(jìn)行參數(shù)檢查。而如果直接調(diào)用Nt*函數(shù)的話 , 必須自己將PreviousMode設(shè)置為KernelMode,否則PreviousMode很可能仍然是UserMode, 這樣的話 Nt*函數(shù)就會(huì)認(rèn)為對(duì)它的調(diào)用來(lái)自用戶態(tài),從而做一些檢查,這時(shí)就會(huì)產(chǎn)生問(wèn)題了.因此要自己調(diào)用Nt*的話必須先將PreviousMode設(shè)為KernelMode,SSDT表,索引1,索引2,索引3,索引4,索引5,。。。,索引N,服務(wù)1,服務(wù)2,服務(wù)3,

4、服務(wù)4,服務(wù)5,。。。,服務(wù)N,API,Kernel32.dll,Ntdll.dll,sysenter,Zw*,Nt*,,,,,,Uf nt!ZwReadFile:.text:00406508                 mov    

5、; eax, 0B7h.text:0040650D                lea      edx, [esp+FileHandle].text:00406511  

6、               pushf.text:00406512                 push

7、0;   8.text:00406514                 call    _KiSystemService.text:00406519    

8、;             retn    24h.text:00406519 _ZwReadFile@36  endp,API調(diào)用流程,Ntdll.dll 中的 API 是一個(gè)簡(jiǎn)單的包裝函數(shù)。當(dāng) Kernel32.dll 中的 API

9、 通過(guò) Ntdll.dll 時(shí)，會(huì)完成參數(shù)的檢查再調(diào)用一個(gè)中斷(int 2Eh 或者 SysEnter 指令)，從而實(shí)現(xiàn)從 Ring3 進(jìn)入 Ring0 層并且將所要調(diào)用的服務(wù)號(hào)(也就是在 SSDT 數(shù)組中的索引值)存放到寄存器 EAX 中再根據(jù)存放在 EAX 中的索引值來(lái)在 SSDT 數(shù)組中調(diào)用指定的服務(wù)即Nt*系列函數(shù),SSDT表結(jié)構(gòu),結(jié)構(gòu)：#pragma pack(1)typedef struct ServiceDes

10、criptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char *ParamTableBase;} ServiceDescriptorTableEntry_t, *PServiceDesc

11、riptorTableEntry_t;#pragma pack()導(dǎo)出：__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;引用： #define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULON

12、G)((PUCHAR)_function+1)] #define SDT SYSTEMSERVICE,要HOOK的API,typedef NTSTATUS (*ZWCREATESECTION)( OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES

13、 ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPT

14、IONAL );static ZWCREATESECTION OldZwCreateSection;NTSTATUS NTAPI HOOK_NtCreateSection(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER

15、 SectionSize, ULONG Protect, ULONG Attributes, HANDLE FileHandle) {return OldZwCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, SectionSize, Protect, Attrib

16、utes, FileHandle);},HOOK(1),void StartHook (void){ //獲取未導(dǎo)出的服務(wù)函數(shù)索引號(hào) HANDLE hFile; PCHAR pDllFile; ULONG ulSize; ULONG ulByteReaded; __asm { push eax mov

17、 eax, CR0 and eax, 0FFFEFFFFh mov CR0, eax pop eax } OldZwCreateSection = (ZWCREATESECTION)InterlockedExchange((PLONG)

18、 &SDT(ZwCreateSection), (LONG)HOOK_NtCreateSection); //關(guān)閉 __asm { push eax mov eax, CR0

19、 or eax, NOT 0FFFEFFFFh mov CR0, eax pop eax } return ;},HOOK(2),void RemoveHook (void){ __asm { push eax mov eax, CR0 and

20、 eax, 0FFFEFFFFh mov CR0, eax pop eax } InterlockedExchange( (PLONG) &SDT(ZwCreateSection) , (LONG) OldZwCreateSection); __asm { push eax m

21、ov eax, CR0 or eax, NOT 0FFFEFFFFh mov CR0, eax pop eax }},一個(gè)穩(wěn)定的基本框架,查看HOOK之后的SSDT表x nt!kes*des*table*dds addrdds addr Llength,進(jìn)程保護(hù),Hook_ZwTerminateProcess,驅(qū)動(dòng)加

22、載監(jiān)控,Hook_ZwLoadDriver,進(jìn)程創(chuàng)建監(jiān)控,Hook_ZwOpenSection,XP:CreateProcessW?CreateProcessInternalW?NtCreateProcessEx?ZwCreateSection,VISTA以上:CreateProcessW?CreateProcessInternalW??NtCreateUserProcess??ZwCreateSection,注冊(cè)表操作

23、監(jiān)控,Hook_ZwSetValueKey,Inline hook,Inline hook原理圖,Inline hook的步驟,1。獲得要inline hook的函數(shù)在內(nèi)存中的地址2。實(shí)現(xiàn)T_MyFunc()與MyFunc函數(shù)，在該函數(shù)中將參數(shù)壓棧并調(diào)用MyFunc函數(shù)處理。3。HOOK。保存函數(shù)開(kāi)頭的指令到某個(gè)內(nèi)存中，并在該內(nèi)存末尾附加JMP指令到開(kāi)頭指令的后面的指令。并將開(kāi)頭的指令替換為JMP T_MyFunc地址。4。在T_

24、MyFunc執(zhí)行完MyFunc之后，調(diào)用保存的指令，跳回去。,如何找到函數(shù)的首地址？,未導(dǎo)出函數(shù)：暴力搜索導(dǎo)出函數(shù)：直接引用或者M(jìn)mGetSystemRoutineAddress,T_MyFunc,_declspec(naked) T_MyFunc(……){_asm{mov edi, edipush ebpmov ebp ,esp//參數(shù)壓棧，傳給MyFuncpush [ebp+0ch]p

25、ush [ebp+8]call MyFunc //獲得結(jié)果，并跳回原來(lái)的指令cmp eax,1jz endmov eax,FuncAddress add eax,5 jmp eaxend://恢復(fù)棧pop ebpretn 8}},Naked call編譯器不會(huì)給這種函數(shù)增加初始化和清理代碼，不能用return返回返回值，只能用插入?yún)R編返回結(jié)果。//nake

26、d 調(diào)用約定。用戶自己清理堆棧。不能進(jìn)行原型聲明，否則錯(cuò)誤。__declspec(naked) int add(int a,int b){ __asm push ebp //必須加上兩句修改棧幀，否則引用了錯(cuò)誤的數(shù)據(jù) __asm mov ebp, esp __asm mov eax, a __asm add eax, b __asm pop ebp __asm ret}這個(gè)修飾是

27、和__stdcall及cdecl結(jié)合使用的，前面是它和cdecl結(jié)合使用的代碼，對(duì)于和stdcall結(jié)合的代碼，則變成：__declspec(naked) int __stdcall function(int a,int b) { __asm mov eax, a __asm add eax, b __asm ret 8 //注意后面的8}cdecl/fastcall/stdcall/thiscall/n

28、akedcall擴(kuò)展閱讀（重要）：Calling convention: http://gccfeli.cn/tag/naked-call,,拷貝JMP T_MyFunc,_asm{CLIMOV EAX, CR0AND EAX, NOT 10000HMOV CR0, EAX}RtlCopyMemory(…);,SwapContext inline hook,,ObReferenceObjectByHa

29、ndleHook,,PspTerminateProcessHook,,練習(xí),對(duì)這些HOOK加彈框達(dá)到允許和禁止目的,作業(yè),,IRP HOOKpDriverObject?MajorFunction[…],IRP HOOK,PFILE_OBJECT pFile_tcp = NULL;PDEVICE_OBJECT pDev_tcp = NULL;PDRIVER_OBJECT pDrv_tcpip = NULL;

30、WCHAR deviceTCPName[] = L"\\Device\\Tcp";typedef NTSTATUS (*OLDIRPMJDEVICECONTROL)(IN PDEVICE_OBJECT, IN PIRP);OLDIRPMJDEVICECONTROL OldIrpMjDeviceControl;NTSTATUS HookedDeviceControl(IN PDEVICE_OBJEC

31、T DeviceObject, IN PIRP Irp){return OldIrpMjDeviceControl(DeviceObject, Irp);}//開(kāi)始HOOKRtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCP);ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString,

32、 FILE_READ_DATA, &pFile_tcp, &pDev_tcp);if(!NT_SUCCESS(ntStatus)) {return ntStatus;}pDrv_tcpip = pDev_tcp->DriverObject;OldIrpMjDeviceControl = pDrv_tcpip>MajorFunction[IRP_MJ_DEVICE_CONTROL]; if

33、 (OldIrpMjDeviceControl){InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl);},SYSENTER HOOKrdmsr wrmsr,ULONG d_origKiFastCallEntry; // Original value

34、 of ntoskrnl!KiFastCallEntryVOID OnUnload( IN PDRIVER_OBJECT DriverObject ){ _asm { mov ecx, 0x176 xor edx,edx mov eax, d_origKiFastCallEntry // Hook function address wrmsr

35、 // Write to the IA32_SYSENTER_EIP register }}// Hook function__declspec(naked) MyKiFastCallEntry(){ __asm { jmp [d_origKiFastCallEntry] //直接跳到原來(lái)的 }}NTSTATUS DriverEntry( IN PDRIVER_OBJECT th

36、eDriverObject, IN PUNICODE_STRING theRegistryPath ){ theDriverObject->DriverUnload = OnUnload; __asm { mov ecx, 0x176 rdmsr // read the value of the IA32_SYSENTER_EIP registe

37、r mov d_origKiFastCallEntry, eax mov eax, MyKiFastCallEntry // Hook function address wrmsr // Write to the IA32_SYSENTER_EIP register } return STATUS_SUCCESS;},SYS

38、ENTER HOOK,IDT HOOK__asm sidt idt_info,IDT 表結(jié)構(gòu),///////////////////////////////////////////////////// IDT structures///////////////////////////////////////////////////#pragma pack(1)// entry in the IDT, this is so

39、metimes called// an "interrupt gate"typedef struct{ unsigned short LowOffset; unsigned short selector; unsigned char unused_lo; unsigned char segment_type:4; //0x0E is an interrupt gate unsigned c

40、har system_segment_flag:1; unsigned char DPL:2; // descriptor privilege level unsigned char P:1; /* present */ unsigned short HiOffset;} IDTENTRY;/* sidt returns idt in this format */typedef

41、 struct{ unsigned short IDTLimit; unsigned short LowIDTbase; unsigned short HiIDTbase;} IDTINFO;#pragma pack(),IDT HOOK,#define NT_INT_TIMER 0x30 //中斷向量__asm sidt idt_info //拿到IDT表idt_entries = (IDTENTRY

42、*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);//備份unsigned long old_ISR_pointer; // better save the old one!!old_ISR_pointer = MAKELONG(idt_entries[NT_INT_TIMER].LowOffset,idt_entries[NT_INT_TIMER].HiOffset);

43、//HOOK __asm cli idt_entries[NT_INT_TIMER].LowOffset = (unsigned short)my_interrupt_hook; idt_entries[NT_INT_TIMER].HiOffset = (unsigned short)((unsigned long)my_interrupt_hook >> 16); __asm sti__declspec(

44、naked) my_interrupt_hook(){ __asm {jmp old_ISR_pointer }},OBJECT HOOK,OBJECT HOOK原理,OBJECT?OBJECT_HEADER?OBJECT_TYPE?OBJECT_TYPE_INITIALIZER?: PVOID DumpProcedure; PVOID OpenProcedure; PVOID CloseProc

45、edure; PVOID DeleteProcedure; PVOID ParseProcedure; PVOID SecurityProcedure; PVOID QueryNameProcedure; PVOID OkayToCloseProcedure;,OBJECT HOOK,RtlInitUnicodeString(&Name,L"\\Device\\HarddiskVolume1\\1.

46、txt");InitializeObjectAttributes(&Attr,&Name,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE ,0,NULL);Status = ZwOpenFile(&hFile,GENERIC_ALL,&Attr,&ioStaBlock,0,FILE_NON_DIRECTORY_FILE);if (!NT_SU

47、CCESS(Status)){return Status;} Status = ObReferenceObjectByHandle(hFile,GENERIC_ALL,NULL,KernelMode,&pObject,NULL);if (!NT_SUCCESS(Status)){return Status;} addrs=OBJECT_TO_OBJECT_HEADER(pObject)

48、;//獲取對(duì)象頭pType=addrs->Type;//獲取對(duì)象類型結(jié)構(gòu) object-10hOldParseProcedure = pType->TypeInfo.ParseProcedurepType->TypeInfo.ParseProcedure = NewParseProcedure;//hook Status = ZwClose(hFile);,R3 HOOK,DLL注入,直接注入

49、DLL：AddDebugPrivilege(void)OpenProcess()VirtualAllocEx()WriteProcessMemory()CreateRemoteThread(),直接注入代碼：static DWORD WINAPI ThreadFunc (INJDATA *pData){}AddDebugPrivilege(void)OpenProcess()VirtualAllocEx

50、()WriteProcessMemory()CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) pCodeRemote,pDataRemote, 0 , &dwThreadId);,HOOK engine,可選引擎：nthookenginemhookDetour方法：本進(jìn)程HOOK，直接調(diào)用HOOK函數(shù)；否則，寫(xiě)成一個(gè)DLL，