|
阅读:2052回复:4
一个IDT hook的程序
大家好,我目前在研究api hook. 我设计的hook是放在函数开头
地址 机器码 汇编代码 :71A21AF4 55 push ebp :71A21AF5 8BEC mov ebp, esp //将被HOOK的机器码 :71A21AF7 83EC10 sub esp, 00000010 把第二条mov ebp,esp指令(机器码8BEC,2字节)替换为INT F0指令(机器码CDF0),然后在IDT里设置一个中断门,指向我们的代码。我这里给出我写的HOOK代码如下: .386 .model flat, stdcall option casemap:none include w2k\ntstatus.inc include w2k\ntddk.inc include w2k\ntoskrnl.inc includelib c:\masm32\lib\w2k\ntoskrnl.lib include c:\masm32\Macros\Strings.mac ;定义 IDTR KIDTR struct Limit dw ? ; 段界限 Base dd ? ;段基址 KIDTR ends PKIDTR typedef PTR KIDTR; KIDTENTRY STRUCT ; sizeof = 8 _Offset WORD ? ; original name Offset Selector WORD ? Access WORD ? ExtendedOffset WORD ? KIDTENTRY ENDS PKIDTENTRY typedef PTR KIDTENTRY .const CCOUNTED_UNICODE_STRING "\\Device\\devHookMessage", g_usDeviceName, 4 CCOUNTED_UNICODE_STRING "\\??\\slHookMessage", g_usSymbolicLinkName, 4 MYINT equ 0F0h .data? OldIdt KIDTENTRY <?> oldISR dd ? idtEntry PKIDTENTRY ? .code MyMessageBoxA proc lea ebp,[esp+12] pushfd pushad invoke DbgPrint,$CTA0("hello MessageBoxA\n") jmp oldISR ;恢复原来路径 popad popfd iretd MyMessageBoxA endp AddMyInt proc LOCAL idtr:KIDTR sidt idtr mov ebx,idtr.Base cld lea esi,[ebx + MYINT * 8] lea edi,OldIdt mov ecx,sizeof KIDTENTRY rep movsb cli add ebx,MYINT*8 mov idtEntry,ebx assume ebx:ptr KIDTENTRY mov ax,[ebx].ExtendedOffset shl eax,16 mov ax,[ebx]._Offset mov oldISR,eax mov eax,offset MyMessageBoxA mov [ebx]._Offset, ax shr eax,16 mov [ebx].ExtendedOffset,ax mov [ebx].Selector,8 mov [ebx].Access,0e7h assume ebx:nothing sti ret AddMyInt endp DriverUnload proc pDriverObject:PDRIVER_OBJECT LOCAL nameString:UNICODE_STRING cli mov edi,idtEntry lea esi,OldIdt mov ecx,sizeof KIDTENTRY rep movsb sti invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName mov eax, pDriverObject invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject ret DriverUnload endp DriverEntry proc pDriverObject:PDRIVER_OBJECT,pusRegistryPath:PUNICODE_STRING local status:NTSTATUS local pDeviceObject:PVOID mov status,STATUS_DEVICE_CONFIGURATION_ERROR invoke IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN, 0,FALSE,addr pDeviceObject .if eax == STATUS_SUCCESS invoke IoCreateSymbolicLink,addr g_usSymbolicLinkName,addr g_usDeviceName .if eax == STATUS_SUCCESS mov eax,pDriverObject assume eax: ptr DRIVER_OBJECT mov [eax].DriverUnload,offset DriverUnload assume eax:nothing mov status,STATUS_SUCCESS .else invoke IoDeleteDevice, pDeviceObject .endif .endif invoke AddMyInt mov eax, status ret DriverEntry endp end DriverEntry 驱动加载出现兰屏,请高手指正。 |
|
|
沙发#
发布于:2007-06-21 09:19
问题已经更正。
主要修改: AddMyInt proc LOCAL idtr:KIDTR sidt idtr mov ebx,idtr.Base add ebx,MYINT * 8 mov idtEntry,ebx invoke memcpy,addr OldIdt,ebx ,sizeof KIDTENTRY cli assume ebx:ptr KIDTENTRY mov ax,[ebx].ExtendedOffset shl eax,16 mov ax,[ebx]._Offset mov oldISR,eax mov eax,offset MyMessageBoxA mov [ebx]._Offset, ax shr eax,16 mov [ebx].ExtendedOffset,ax mov [ebx].Selector,8 mov [ebx].Access,0e7h assume ebx:nothing sti ret AddMyInt endp DriverUnload proc pDriverObject:PDRIVER_OBJECT LOCAL nameString:UNICODE_STRING cli invoke memcpy,idtEntry, addr OldIdt,sizeof KIDTENTRY sti invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName mov eax, pDriverObject invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject ret DriverUnload endp |
|
|
板凳#
发布于:2007-06-21 12:31
自己顶
|
|
|
地板#
发布于:2007-06-21 13:28
不错.感谢.
 |
|
|
|
地下室#
发布于:2007-06-21 20:29
好,终于又看到一个用KMD的。
|
|
