Views: 2724  Replies: 7
A question about the inline hook NtDeviceIoControlFile example
```c
#include <ntddk.h>

// The naked detour body (it contains the 0xAAAAAAAA placeholder that gets
// patched below) is defined elsewhere in the same example.
void my_function_detour_ntdeviceiocontrolfile(void);

VOID DetourFunctionNtDeviceIoControlFile()
{
    char *actual_function = (char *)NtDeviceIoControlFile;
    char *non_paged_memory;
    unsigned long detour_address;
    unsigned long reentry_address;
    int i = 0;

    // assembles to jmp far 0008:11223344 where 11223344 is address of
    // our detour function, plus one NOP to align up the patch
    char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00, 0x90 };

    // reenter the hooked function at a location past the overwritten opcodes
    // alignment is, of course, very important here
    reentry_address = ((unsigned long)NtDeviceIoControlFile) + 8;

    non_paged_memory = ExAllocatePool(NonPagedPool, 256);

    // copy contents of our function into non paged memory
    // with a cap at 256 bytes (beware of possible read off end of page FIXME)
    for (i = 0; i < 256; i++)
    {
        ((unsigned char *)non_paged_memory)[i] =
            ((unsigned char *)my_function_detour_ntdeviceiocontrolfile)[i];
    }

    detour_address = (unsigned long)non_paged_memory;

    // stamp in the target address of the far jmp
    *( (unsigned long *)(&newcode[1]) ) = detour_address;

    // now, stamp in the return jmp into our detour
    // function
    for (i = 0; i < 200; i++)
    {
        if ( (0xAA == ((unsigned char *)non_paged_memory)[i])   &&
             (0xAA == ((unsigned char *)non_paged_memory)[i+1]) &&
             (0xAA == ((unsigned char *)non_paged_memory)[i+2]) &&
             (0xAA == ((unsigned char *)non_paged_memory)[i+3]) )
        {
            // we found the address 0xAAAAAAAA
            // stamp it w/ the correct address
            *( (unsigned long *)(&non_paged_memory[i]) ) = reentry_address;
            break;
        }
    }

    //TODO, raise IRQL
    //overwrite the bytes in the kernel function
    //to apply the detour jmp
    for (i = 0; i < 8; i++)
    {
        actual_function[i] = newcode[i];
    }
    //TODO, drop IRQL
}
```

In this example, the first few bytes of the function to be hooked are first changed to jmp far 0008:11223344, and then 11223344 is replaced with the address of the allocated memory, so it becomes jmp far 0008:actual address. What I don't understand is where 0008 comes from. In Windows system space, how are memory addresses translated? Is it also selector + offset? I hope a brother who is familiar with this can give me some pointers.
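The 0008 the thread asks about is the 16-bit segment selector that the 0xEA opcode (JMP ptr16:32) takes after its 32-bit offset. The following is an added example, not code from the thread or from the book the posted routine comes from: it decodes the same 8-byte patch the post uses, splits the selector into its index, table-indicator and RPL fields, and stamps a constructed stand-in address into the offset bytes the way the post's code does. The 0x80501234 value is a made-up placeholder for whatever ExAllocatePool would return.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread or the book): decode the patch
 * EA <offset32> <selector16> 90 and split the selector into its fields. */

typedef struct {
    uint32_t offset;    /* 32-bit target offset: bytes 1..4, little-endian */
    uint16_t selector;  /* 16-bit segment selector: bytes 5..6 */
    int      valid;     /* 0 if the buffer does not start with JMP ptr16:32 */
} far_jmp_t;

typedef struct {
    unsigned index;  /* descriptor index: selector >> 3 */
    unsigned ti;     /* table indicator (bit 2): 0 = GDT, 1 = LDT */
    unsigned rpl;    /* requested privilege level: bits 0..1 */
} selector_t;

/* Split a selector into its three architectural fields. */
selector_t decode_selector(uint16_t sel)
{
    selector_t s;
    s.index = sel >> 3;
    s.ti    = (sel >> 2) & 1;
    s.rpl   = sel & 3;
    return s;
}

/* Parse "jmp far selector:offset" (opcode 0xEA). valid = 0 on mismatch. */
far_jmp_t decode_far_jmp(const uint8_t *code, size_t len)
{
    far_jmp_t j;
    memset(&j, 0, sizeof j);
    if (len < 7 || code[0] != 0xEA)
        return j;
    j.offset   = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                 ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    j.selector = (uint16_t)(code[5] | (code[6] << 8));
    j.valid    = 1;
    return j;
}

/* Write the target offset into bytes 1..4 byte by byte. On x86 this is what
 * the post's "*((unsigned long *)&newcode[1]) = detour_address" does, but
 * without an unaligned pointer store. */
void stamp_offset(uint8_t *code, uint32_t target)
{
    code[1] = (uint8_t)(target);
    code[2] = (uint8_t)(target >> 8);
    code[3] = (uint8_t)(target >> 16);
    code[4] = (uint8_t)(target >> 24);
}

/* The patch bytes exactly as they appear in the post. */
far_jmp_t decode_post_patch(void)
{
    const uint8_t patch[8] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00, 0x90 };
    return decode_far_jmp(patch, sizeof patch);
}

/* Stamp a target into the post's patch and read it back. */
uint32_t roundtrip_offset(uint32_t target)
{
    uint8_t patch[8] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00, 0x90 };
    stamp_offset(patch, target);
    return decode_far_jmp(patch, sizeof patch).offset;
}

int main(void)
{
    far_jmp_t  j = decode_post_patch();
    selector_t s = decode_selector(j.selector);

    printf("jmp far %04X:%08X\n", j.selector, j.offset);
    printf("selector 0x%04X -> %s index %u (byte offset %u in the table), RPL %u\n",
           j.selector, s.ti ? "LDT" : "GDT", s.index, s.index * 8, s.rpl);

    /* constructed stand-in for the address ExAllocatePool would return */
    printf("after stamping: jmp far %04X:%08X\n",
           j.selector, roundtrip_offset(0x80501234u));
    return 0;
}
```

Running it prints jmp far 0008:11223344 and decodes 0x0008 as GDT entry 1 (byte offset 8, since each descriptor is 8 bytes) with RPL 0. On 32-bit Windows that entry is the ring-0 flat code segment (KGDT_R0_CODE), and 0x0010 is the ring-0 flat data segment, so a far jump through 0008: keeps CS unchanged. Because the flat segment has base 0, the 32-bit offset is already the linear address, and it is paging, not segmentation, that then maps it to physical memory; that is why kernel code can treat addresses as plain 32-bit offsets even though the CPU is still formally using selector:offset.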
#1
Posted: 2007-01-17 18:15
Probably the DS in the Windows kernel.
#2
Posted: 2007-01-17 18:48
Doing this kind of thing in C just feels wrong; doing it directly in assembly is more solid.
#3
Posted: 2007-01-18 08:26
Could the experts explain why the address is 0008:11223344? Where exactly does this 0008 come from?
#4
Posted: 2007-03-07 23:13
This example doesn't work.
msn:lxp8@sina.com
#5
Posted: 2007-03-12 09:17
Quoting #1 by killvxk, posted 2007-01-17 18:15: ""

Shouldn't 8 be the Windows GDT code segment, and 10 the data segment? I'm not familiar with protected mode, so forgive me :)
#6
Posted: 2007-03-12 20:58
I feel this method isn't very safe. What if the CPU suddenly jumps in here from another thread?
#7
Posted: 2007-03-12 21:59
Quoting #6 by wangjianfeng, posted 2007-03-12 20:58: ""

It would be very unpleasant~