怎么HOOK一个ntoskrnl.exe的导出函数?用户被禁言,该主题自动屏蔽! |
沙发#
发布于:2004-12-13 11:52
/*
 * Kernel-mode helpers as posted: find a loaded module by file name, then
 * redirect one of its named exports by overwriting the corresponding entry
 * of the in-memory export address table (EAT).
 *
 * Defender's view of what this leaves behind: CR0.WP is cleared for the
 * duration of the write, and afterwards one export RVA of a loaded image no
 * longer matches the image on disk.  That in-memory/on-disk mismatch is the
 * kind of discrepancy driver-integrity scanners and, on later Windows
 * versions, kernel patch protection check for.  Because only the table entry
 * is changed, presumably only consumers that resolve the export after the
 * write (e.g. drivers loaded later) are redirected; callers that already hold
 * the original address are unaffected -- TODO confirm against the loader.
 *
 * The listing was flattened onto a single line by extraction; line breaks are
 * restored below (they matter inside the __asm blocks, where ';' begins a
 * comment).
 */

/*
 * Return the load base of the module whose file name (path stripped,
 * case-insensitive) equals module_name, or NULL if it is not found, the
 * size probe fails, the pool allocation fails, or the second query does not
 * return STATUS_SUCCESS.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInformation): the buffer starts
 * with a ULONG entry count followed by SYSTEM_MODULE_INFORMATION records.
 */
PCHAR U_GetModuleBaseAddress( IN PCHAR module_name ) {
    PSYSTEM_MODULE_INFORMATION module_information;
    PCHAR module_base = NULL;
    ULONG return_length;
    PULONG buffer = NULL;
    ULONG i;
    NTSTATUS status;
    /* Size probe: a 0-byte "buffer" (the address of return_length is only a
     * placeholder); the required size is written to return_length and the
     * expected status is STATUS_INFO_LENGTH_MISMATCH. */
    status = ZwQuerySystemInformation( SystemModuleInformation, &return_length, 0, &return_length );
    if (status != STATUS_INFO_LENGTH_MISMATCH) { return NULL; }
    /* Untagged pool allocation; NonPagedPool is used although nothing here
     * runs above PASSIVE_LEVEL -- noted, not changed. */
    buffer = (PULONG) ExAllocatePool(NonPagedPool, return_length);
    if (buffer) {
        /* If the module list grew between the probe and this call the
         * status is not STATUS_SUCCESS and the function gives up (no retry). */
        status = ZwQuerySystemInformation( SystemModuleInformation, buffer, return_length, 0 );
        if (status == STATUS_SUCCESS) {
            /* buffer[0] is the record count; records start right after it. */
            module_information = (PSYSTEM_MODULE_INFORMATION) (buffer + 1);
            for (i = 0; i < *buffer; i++) {
                /* Compare only the file-name component after the last '\\'. */
                PCHAR local_module_name = strrchr(module_information->ImageName, '\\');
                if (!local_module_name) { local_module_name = module_information->ImageName; } else { local_module_name++; }
                if (0 == _stricmp(local_module_name, module_name)) {
                    module_base = (PCHAR) module_information->Base;
                    ExFreePool(buffer);
                    return module_base;
                }
                module_information++;
                /* Secondary guard against walking past the buffer; the loop
                 * bound on *buffer is the primary one.  Note it is evaluated
                 * only after the record has already been advanced past. */
                if ((ULONG) ((PCHAR) module_information - (PCHAR) buffer) > return_length) { break; }
            }
        }
        ExFreePool(buffer);
    }
    return NULL;
}

/*
 * Replace the export named function_name in the image at module_base with
 * hook_function.  Returns the original export's address, or NULL if the
 * image headers are not recognised, no ".edata" section exists, or the name
 * is not found.
 *
 * Review notes on assumptions the code makes (documented, not changed):
 *  - The export directory is located through a section literally named
 *    ".edata" rather than through the optional header's data directory, so
 *    images whose exports live in a differently named section are missed.
 *  - IMAGE_SECTION_HEADER.Name is 8 bytes and not guaranteed to be
 *    NUL-terminated, so strcmp() may read past it.
 *  - AddressOfNames and AddressOfFunctions are walked in lockstep, i.e. the
 *    j-th name is assumed to belong to the j-th function, and the walk runs
 *    to NumberOfFunctions rather than NumberOfNames -- TODO confirm this
 *    holds for the target image; where the two tables are not parallel the
 *    wrong entry is written.
 *  - IMAGE_NT_SIGNATURE1 is not a name this listing defines; presumably a
 *    project-local alias -- verify.
 *  - cli/sti only mask interrupts on the current processor.
 */
PVOID U_HookFunction( IN PCHAR module_base, IN PCHAR function_name, IN PVOID hook_function ) {
    PIMAGE_DOS_HEADER dos_header;
    PIMAGE_NT_HEADERS nt_header;
    PIMAGE_SECTION_HEADER sec_header;
    PIMAGE_EXPORT_DIRECTORY export_dir;
    SHORT i;   /* compared against NumberOfSections (a WORD) */
    ULONG j;
    PCHAR local_function_name;
    PULONG address_of_names;
    PULONG address_of_functions;
    PVOID old_function_address;
    ULONG protect_value;
    dos_header = (PIMAGE_DOS_HEADER) module_base;
    if (IMAGE_DOS_SIGNATURE == dos_header->e_magic) {
        nt_header = (PIMAGE_NT_HEADERS) (module_base + dos_header->e_lfanew);
        if ((IMAGE_NT_SIGNATURE == nt_header->Signature) || (IMAGE_NT_SIGNATURE1 == nt_header->Signature) ) {
            /* Section table immediately follows the NT headers. */
            sec_header = (PIMAGE_SECTION_HEADER) (module_base + dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS));
            for (i = 0; i < nt_header->FileHeader.NumberOfSections; i++) {
                if (!strcmp(sec_header->Name, ".edata")) {
                    /* All fields in the export directory are RVAs relative to module_base. */
                    export_dir = (PIMAGE_EXPORT_DIRECTORY) (module_base + sec_header->VirtualAddress);
                    address_of_names = (PULONG) (module_base + export_dir->AddressOfNames);
                    address_of_functions = (PULONG) (module_base + export_dir->AddressOfFunctions);
                    for (j = 0; j < export_dir->NumberOfFunctions; j++) {
                        local_function_name = module_base + *address_of_names;
                        if (!strcmp(local_function_name, function_name)) {
                            /* The EAT lives in a read-only page: clear CR0.WP,
                             * swap the RVA with interrupts masked, restore WP. */
                            U_RemoveWriteProtect(&protect_value);
                            __asm cli
                            old_function_address = module_base + *address_of_functions;
                            *address_of_functions = (PCHAR) hook_function - module_base;
                            __asm sti
                            U_RestoreWriteProtect(protect_value);
                            return old_function_address;
                        }
                        address_of_names++;
                        address_of_functions++;
                    }
                }
                sec_header++;
            }
        }
    }
    return NULL;
}

/*
 * Clear the write-protect bit (CR0.WP, bit 16: mask 0xFFFEFFFF) so that
 * supervisor-mode writes to read-only pages are no longer faulted.  The
 * previous CR0 value is stored through old_value for U_RestoreWriteProtect.
 * 32-bit MSVC inline assembly; eax is preserved around the sequence.
 */
VOID U_RemoveWriteProtect( OUT PULONG old_value ) {
    ULONG value;
    __asm {
        push eax;
        mov eax, cr0;
        mov value, eax;
        and eax, 0FFFEFFFFh;
        mov cr0, eax;
        pop eax;
    };
    *old_value = value;
}

/*
 * Write old_value (the CR0 saved by U_RemoveWriteProtect) back to CR0,
 * re-enabling write protection.  The whole register is restored, not just
 * the WP bit.
 */
VOID U_RestoreWriteProtect( IN ULONG old_value ) {
    __asm {
        push eax;
        mov eax, old_value;
        mov cr0, eax;
        pop eax;
    };
}

/* ================================================ for example: */
/* Usage sketch from the post: locate NDIS.sys and replace its
 * NdisMRegisterMiniport export, keeping the original in a global
 * (module_address, g_OldNdisMRegisterMiniport, PNDISMREGISTERMINIPORT and
 * H_NdisMRegisterMiniport are declared elsewhere). */
module_address = U_GetModuleBaseAddress("NDIS.sys");
if (module_address) {
    g_OldNdisMRegisterMiniport = (PNDISMREGISTERMINIPORT) U_HookFunction(
        module_address, "NdisMRegisterMiniport", H_NdisMRegisterMiniport
    );
}
仅供参考 :D |
板凳#
发布于:2004-12-13 13:45
用户被禁言,该主题自动屏蔽! |
地板#
发布于:2004-12-13 16:45
不是已经很清楚了???
地下室#
发布于:2004-12-14 07:20
用户被禁言,该主题自动屏蔽! |