Simple Hooking of Functions not Exported by Ntoskrnl.exe
2007-04-26 08:28
1611 查看
As many of you will know, hooking functions not exported by ntoskrnl.exe is a real pain, as you need to hard code their position in KeServiceDescriptorTable, and this will change between windows releases.
Hardcoding the positions seems a poor solution, since it means after a new service pack, the rootkit may no longer work and become discovered.
As I have found the code on this site extremely helpful, I think it is only fair that I return the favour ;-)
I have implemented the method described in previous posts, whereby I have mapped a view of ntdll.dll into the process space of whoever loads the driver initially, and then retrieve the required function positions directly from the dll.
This was relatively simple to do, and only requires knowledge of the pe file format, and a few undocumented apis.
Using the function pasted below, when hooking you simply do as follows:
and here's the function GetDllFunctionAddress:
Hardcoding the positions seems a poor solution, since it means after a new service pack, the rootkit may no longer work and become discovered.
As I have found the code on this site extremely helpful, I think it is only fair that I return the favour ;-)
I have implemented the method described in previous posts, whereby I have mapped a view of ntdll.dll into the process space of whoever loads the driver initially, and then retrieve the required function positions directly from the dll.
This was relatively simple to do, and only requires knowledge of the pe file format, and a few undocumented apis.
Using the function pasted below, when hooking you simply do as follows:
RtlInitUnicodeString(&dllName, L"//Device//HarddiskVolume1//Windows//System32//ntdll.dll"); functionAddress = GetDllFunctionAddress(functionName, &dllName); position = *((WORD*)(functionAddress+1)); g_OriginalZwCreateProcessEx = (ZWCREATEPROCESSEX)(KeServiceDescriptorTable.ServiceTableBase[position]);
and here's the function GetDllFunctionAddress:
DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName) { HANDLE hThread, hSection, hFile, hMod; SECTION_IMAGE_INFORMATION sii; IMAGE_DOS_HEADER* dosheader; IMAGE_OPTIONAL_HEADER* opthdr; IMAGE_EXPORT_DIRECTORY* pExportTable; DWORD* arrayOfFunctionAddresses; DWORD* arrayOfFunctionNames; WORD* arrayOfFunctionOrdinals; DWORD functionOrdinal; DWORD Base, x, functionAddress; char* functionName; STRING ntFunctionName, ntFunctionNameSearch; PVOID BaseAddress = NULL; SIZE_T size=0; OBJECT_ATTRIBUTES oa = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE}; IO_STATUS_BLOCK iosb; //_asm int 3; ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT); oa.ObjectName = 0; ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, SEC_IMAGE, hFile); ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE); ZwClose(hFile); hMod = BaseAddress; dosheader = (IMAGE_DOS_HEADER *)hMod; opthdr =(IMAGE_OPTIONAL_HEADER *) ((BYTE*)hMod+dosheader->e_lfanew+24); pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*) hMod + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); // now we can get the exported functions, but note we convert from RVA to address arrayOfFunctionAddresses = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfFunctions); arrayOfFunctionNames = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfNames); arrayOfFunctionOrdinals = (WORD*)( (BYTE*)hMod + pExportTable->AddressOfNameOrdinals); Base = pExportTable->Base; RtlInitString(&ntFunctionNameSearch, lpFunctionName); for(x = 0; x < pExportTable->NumberOfFunctions; x++) { functionName = (char*)( (BYTE*)hMod + arrayOfFunctionNames[x]); RtlInitString(&ntFunctionName, functionName); functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1; // always need to add base, -1 as array counts from 0 // this is the funny bit. you would expect the function pointer to simply be arrayOfFunctionAddresses[x]... // oh no... thats too simple. it is actually arrayOfFunctionAddresses[functionOrdinal]!! functionAddress = (DWORD)( (BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]); if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0) { ZwClose(hSection); return functionAddress; } } ZwClose(hSection); return 0; }
相关文章推荐
- Simple Hooking of Functions not Exported by Ntoskrnl.exe
- Simple Hooking of Functions not Exported by Ntoskrnl.exe
- 文件更新后, 编译也成功,但无法调试,exe运行后还是原来的版本not found or not built by the last incremental link; performing full link
- The encryption certificate of the relying party trust identified by thumbprint is not valid
- [Err] 1055 - Expression #1 of ORDER BY clause is not in GROUP BY clause and contains nonaggregated c
- 【406错误】 The resource identified by this request is only capable of generating responses with characteristics not acceptable according to the request "accept" headers.
- “(null)” is of a model that is not supported by this version of Xcode. Please use a different device.
- This iPhone 6 is running iOS 10.2 (14C92), which may not be supported by this version of Xcode.
- [Err] 1055 - Expression #4 of SELECT list is not in GROUP BY clause and contains nonaggregated colum
- [Err] 1055 - Expression #1 of ORDER BY clause is not in GROUP BY clause and contains nonaggregated.
- laravel 报错 mcrypt_decrypt(): Key of size 11 not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported
- MySQL异常:[Err] 1055 - Expression #1 of ORDER BY clause is not in GROUP BY clause and contains nonaggr
- Expression #1 of ORDER BY clause is not in GROUP BY clause and contains nonaggregated column 'inform
- #1055 - Expression of SELECT list is not in GROUP BY clause and contains nonaggregated column this i
- mysql5.7 报错1055:Expression #1 of SELECT list is not in GROUP BY clause and contains non
- nfs mount:reason given by server: Permission denied +refused mount request XXX (/): not exported
- [Err] 1055 - Expression #1 of ORDER BY clause is not in GROUP BY clause and contains nonaggregated..
- Caused by: java.lang.IllegalAccessException: Class ognl.OgnlRuntime can not access a member of class
- iOS This iPhone 6s等 is running iOS 10.1 (14B72), which may not be supported by this version of Xcode
- iPhone may be running a version of iOS that is not supported by this version of Xcode