Views: 2063  Replies: 20
bmyyyud, please accept the points
Thanks a lot for your help. I have one more question: have you tried hooking the KeQueryTickCount function? My hook never succeeds.
Reply #1
Posted: 2005-04-20 09:32
Quote: Thanks a lot for your help. I have one more question: have you tried hooking the KeQueryTickCount function? My hook never succeeds.
You're welcome. I haven't hooked KeQueryTickCount myself, but tell me how you are doing it: are you modifying the first instruction of KeQueryTickCount?
Reply #2
Posted: 2005-04-20 15:11
Points awarded. I want to hook the KeQueryTickCount function from a driver so that a message is printed every time the system calls KeQueryTickCount; that is all I have in mind for now.
Reply #3
Posted: 2005-04-20 15:29
Quote: Points awarded. I want to hook the KeQueryTickCount function from a driver so that a message is printed every time the system calls KeQueryTickCount; that is all I have in mind for now.
The key question is how you decide to implement this hook.
Reply #4
Posted: 2005-04-20 16:42
At the moment I am using a "hook PE" method from the driver development site to hook the relevant function.
I would like to hook all of the system's time-related functions, but for functions like GetTickCount I don't know where to find them or how to hook them.
Reply #5
Posted: 2005-04-21 09:34
Quote: At the moment I am using a "hook PE" method from the driver development site to hook the relevant function.
You could use the debug symbol file approach, but then it becomes dependent on the Windows version. Which hook PE method are you using: modifying the file on disk, modifying the export table, or modifying the function's first instruction?
Reply #6
Posted: 2005-04-21 11:05
I don't know the debug symbol file method.
For the hook PE method I am using an example from the driver development site:
/******************************************************
 File name     : WssHookPE.c
 Description   : Intercepting kernel functions
 Author        : sinister
 Last modified : 2002-11-02
*******************************************************/
It should be modifying the export table. While testing this example I found that my hook on ZwCreateFile had no effect. I read an article of yours saying that a function name and its address are mismatched, and now I am rather confused. Could you explain what modifying the function's first instruction means?
Reply #7
Posted: 2005-04-21 11:22
Quote: I don't know the debug symbol file method.
About the function name and address mismatch: I only said that the start address of the ntoskrnl.exe module in memory differs between W2K and WXP; the function names in the export table and their addresses should be the same. As for modifying the function's first instruction, you first have to find the function entry, save the instruction at the entry, and replace it there with a jmp instruction.
Reply #8
Posted: 2005-04-21 11:25
I can't find this WssHookPE.c of yours.
Is it under Source Code Sharing, Download Center, Columns, or Technical Materials?
Reply #9
Posted: 2005-04-21 11:38
/*
 * The HOOK PE method is mostly used for intercepting and analysing the
 * function calls of other kernel modules. It works by replacing the
 * corresponding function entry in the PE export table. A few small tricks
 * are needed. Kernel mode does not directly provide user-mode-style
 * functions such as GetModuleHandle() and GetProcAddress() to obtain a
 * module's address, so we have to write our own; here an undocumented
 * function and structure, ZwQuerySystemInformation and
 * SYSTEM_MODULE_INFORMATION, are used to get the module's base address.
 * We can then enumerate the functions in the export table according to the
 * PE format and replace them. That raises another problem: since Windows
 * 2000 the page attributes of kernel data are read-only and cannot be
 * changed, and kernel mode provides no VirtualProtectEx()-like function to
 * modify page attributes, so we have to write that ourselves as well.
 * Because we are in kernel mode, this is done by modifying the write-protect
 * bit of the CR0 register. With that, the desired interception of
 * kernel-mode functions can be implemented. This method requires some
 * understanding of the PE format. The program below demonstrates the
 * whole process.
 */

/*****************************************************************
 File name     : WssHookPE.c
 Description   : Intercepting kernel functions
 Author        : sinister
 Last modified : 2002-11-02
*****************************************************************/

#include "ntddk.h"
#include "windef.h"

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation,
    SystemTimeOfDayInformation, SystemNotImplemented1, SystemProcessesAndThreadsInformation,
    SystemCallCounts, SystemConfigurationInformation, SystemProcessorTimes,
    SystemGlobalFlag, SystemNotImplemented2, SystemModuleInformation,      // = 11
    SystemLockInformation, SystemNotImplemented3, SystemNotImplemented4,
    SystemNotImplemented5, SystemHandleInformation, SystemObjectInformation,
    SystemPagefileInformation, SystemInstructionEmulationCounts, SystemInvalidInfoClass1,
    SystemCacheInformation, SystemPoolTagInformation, SystemProcessorStatistics,
    SystemDpcInformation, SystemNotImplemented6, SystemLoadImage,
    SystemUnloadImage, SystemTimeAdjustment, SystemNotImplemented7,
    SystemNotImplemented8, SystemNotImplemented9, SystemCrashDumpInformation,
    SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation,
    SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemLoadAndCallImage,
    SystemPrioritySeparation, SystemNotImplemented10, SystemNotImplemented11,
    SystemInvalidInfoClass2, SystemInvalidInfoClass3, SystemTimeZoneInformation,
    SystemLookasideInformation, SystemSetTimeSlipEvent, SystemCreateSession,
    SystemDeleteSession, SystemInvalidInfoClass4, SystemRangeStartInformation,
    SystemVerifierInformation, SystemAddVerifier, SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

typedef struct tagSYSTEM_MODULE_INFORMATION
{
    ULONG  Reserved[2];
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

#define IMAGE_DOS_SIGNATURE  0x5A4D      // MZ
#define IMAGE_NT_SIGNATURE   0x50450000  // "PE00" read big-endian
#define IMAGE_NT_SIGNATURE1  0x00004550  // "PE\0\0" as stored little-endian (the value winnt.h uses)

typedef struct _IMAGE_DOS_HEADER          // DOS .EXE header
{
    WORD e_magic;                         // Magic number
    WORD e_cblp;                          // Bytes on last page of file
    WORD e_cp;                            // Pages in file
    WORD e_crlc;                          // Relocations
    WORD e_cparhdr;                       // Size of header in paragraphs
    WORD e_minalloc;                      // Minimum extra paragraphs needed
    WORD e_maxalloc;                      // Maximum extra paragraphs needed
    WORD e_ss;                            // Initial (relative) SS value
    WORD e_sp;                            // Initial SP value
    WORD e_csum;                          // Checksum
    WORD e_ip;                            // Initial IP value
    WORD e_cs;                            // Initial (relative) CS value
    WORD e_lfarlc;                        // File address of relocation table
    WORD e_ovno;                          // Overlay number
    WORD e_res[4];                        // Reserved words
    WORD e_oemid;                         // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;                       // OEM information; e_oemid specific
    WORD e_res2[10];                      // Reserved words
    LONG e_lfanew;                        // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

typedef struct _IMAGE_FILE_HEADER
{
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

typedef struct _IMAGE_DATA_DIRECTORY
{
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_DIRECTORY_ENTRY_EXPORT     0   // Export Directory

//
// Optional header format.
//
typedef struct _IMAGE_OPTIONAL_HEADER
{
    //
    // Standard fields.
    //
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    //
    // NT additional fields.
    //
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

typedef struct _IMAGE_NT_HEADERS
{
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef IMAGE_NT_HEADERS32  IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;

//
// Section header format.
//
#define IMAGE_SIZEOF_SHORT_NAME 8

typedef struct _IMAGE_SECTION_HEADER
{
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
    union
    {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

#define IMAGE_SIZEOF_SECTION_HEADER 40

//
// Export Format
//
typedef struct _IMAGE_EXPORT_DIRECTORY
{
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Name;
    DWORD Base;
    DWORD NumberOfFunctions;
    DWORD NumberOfNames;
    DWORD AddressOfFunctions;       // RVA from base of image
    DWORD AddressOfNames;           // RVA from base of image
    DWORD AddressOfNameOrdinals;    // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

#define BASEADDRLEN 10

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL );

typedef NTSTATUS (*ZWCREATEFILE)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength );

ZWCREATEFILE OldZwCreateFile;

static NTSTATUS MydrvDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp );
VOID    DriverUnload( IN PDRIVER_OBJECT pDriverObject );
VOID    DisableWriteProtect( PULONG pOldAttr );
VOID    EnableWriteProtect( ULONG ulOldAttr );
FARPROC HookFunction( PCHAR pModuleBase, PCHAR pHookName, FARPROC pHookFunc );
NTSTATUS HookNtCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength );

// Find the load address of a kernel module by file name, via the
// undocumented SystemModuleInformation class.
PCHAR MyGetModuleBaseAddress( PCHAR pModuleName )
{
    PSYSTEM_MODULE_INFORMATION pSysModule;
    ULONG    uReturn = 0;
    ULONG    uCount;
    PCHAR    pBuffer = NULL;
    PCHAR    pName   = NULL;
    NTSTATUS status;
    UINT     ui;
    CHAR     szBuffer[BASEADDRLEN];
    PCHAR    pBaseAddress;

    // First call with a deliberately small buffer, only to learn the required size.
    status = ZwQuerySystemInformation( SystemModuleInformation, szBuffer, BASEADDRLEN, &uReturn );
    if ( uReturn == 0 )
        return NULL;

    pBuffer = ( PCHAR )ExAllocatePool( NonPagedPool, uReturn );
    if ( pBuffer )
    {
        status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );
        if ( status == STATUS_SUCCESS )
        {
            // The buffer starts with the module count, followed by the module array.
            uCount     = *( ( ULONG * )pBuffer );
            pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );
            for ( ui = 0; ui < uCount; ui++ )
            {
                // ImageName may be a full path; compare only the part after the last backslash.
                pName = strrchr( pSysModule->ImageName, '\\' );
                if ( !pName )
                    pName = pSysModule->ImageName;
                else
                    pName++;

                if ( !_stricmp( pName, pModuleName ) )
                {
                    pBaseAddress = ( PCHAR )pSysModule->Base;
                    ExFreePool( pBuffer );
                    return pBaseAddress;
                }
                pSysModule++;
            }
        }
        ExFreePool( pBuffer );
    }
    return NULL;
}

// Replace the export-table entry of HookFunName in the module at pModuleBase
// with HookFun and return the original address. Note that patching the export
// table only redirects imports resolved after the patch (drivers loaded later);
// callers that already hold the address, and the kernel's own internal calls,
// are not affected.
FARPROC HookFunction( PCHAR pModuleBase, PCHAR HookFunName, FARPROC HookFun )
{
    PIMAGE_DOS_HEADER       pDosHdr;
    PIMAGE_NT_HEADERS       pNtHdr;
    PIMAGE_DATA_DIRECTORY   pExpDir;
    PIMAGE_EXPORT_DIRECTORY pExtDir;
    UINT    uj;
    PCHAR   FunName;
    DWORD  *dwAddrName;
    DWORD  *dwAddrFun;
    WORD   *wOrdinal;
    ULONG   uAttrib;
    FARPROC pOldFun;

    pDosHdr = ( PIMAGE_DOS_HEADER )pModuleBase;
    if ( IMAGE_DOS_SIGNATURE != pDosHdr->e_magic )
        return NULL;

    pNtHdr = ( PIMAGE_NT_HEADERS )( pModuleBase + pDosHdr->e_lfanew );
    if ( IMAGE_NT_SIGNATURE != pNtHdr->Signature && IMAGE_NT_SIGNATURE1 != pNtHdr->Signature )
        return NULL;

    // The data directory is the authoritative pointer to the export table;
    // the PE format does not require a section named ".edata".
    pExpDir = &pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if ( pExpDir->VirtualAddress == 0 )
        return NULL;

    pExtDir    = ( PIMAGE_EXPORT_DIRECTORY )( pModuleBase + pExpDir->VirtualAddress );
    dwAddrName = ( PDWORD )( pModuleBase + pExtDir->AddressOfNames );
    wOrdinal   = ( PWORD  )( pModuleBase + pExtDir->AddressOfNameOrdinals );
    dwAddrFun  = ( PDWORD )( pModuleBase + pExtDir->AddressOfFunctions );

    // Walk the name table. Entry j of the name table maps through the ordinal
    // table to the address table; indexing the address table with j directly
    // pairs names with the wrong functions.
    for ( uj = 0; uj < pExtDir->NumberOfNames; uj++ )
    {
        FunName = pModuleBase + dwAddrName[uj];
        if ( !strcmp( FunName, HookFunName ) )
        {
            DbgPrint( "HOOK %s()\n", FunName );
            DisableWriteProtect( &uAttrib );
            pOldFun = ( FARPROC )( pModuleBase + dwAddrFun[ wOrdinal[uj] ] );
            dwAddrFun[ wOrdinal[uj] ] = ( DWORD )( ( PCHAR )HookFun - pModuleBase );
            EnableWriteProtect( uAttrib );
            return pOldFun;
        }
    }
    return NULL;
}

// Driver entry
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    UNICODE_STRING nameString, linkString;
    PDEVICE_OBJECT deviceObject;
    NTSTATUS       status;
    PCHAR          pModuleAddress;
    int            i;

    // Unload routine
    DriverObject->DriverUnload = DriverUnload;

    // Create the device object
    RtlInitUnicodeString( &nameString, L"\\Device\\WssHookPE" );
    status = IoCreateDevice( DriverObject, 0, &nameString, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject );
    if ( !NT_SUCCESS( status ) )
        return status;

    RtlInitUnicodeString( &linkString, L"\\DosDevices\\WssHookPE" );
    status = IoCreateSymbolicLink( &linkString, &nameString );
    if ( !NT_SUCCESS( status ) )
    {
        IoDeleteDevice( DriverObject->DeviceObject );
        return status;
    }

    pModuleAddress = MyGetModuleBaseAddress( "ntoskrnl.exe" );
    if ( pModuleAddress == NULL )
    {
        DbgPrint( "MyGetModuleBaseAddress() failed\n" );
        IoDeleteSymbolicLink( &linkString );
        IoDeleteDevice( DriverObject->DeviceObject );
        return STATUS_UNSUCCESSFUL;     // returning 0 here would report success to the loader
    }

    OldZwCreateFile = ( ZWCREATEFILE )HookFunction( pModuleAddress, "ZwCreateFile", ( FARPROC )HookNtCreateFile );
    if ( OldZwCreateFile == NULL )
    {
        DbgPrint( "HOOK FAILED\n" );
        IoDeleteSymbolicLink( &linkString );
        IoDeleteDevice( DriverObject->DeviceObject );
        return STATUS_UNSUCCESSFUL;
    }
    DbgPrint( "HOOK SUCCEED\n" );

    for ( i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++ )
        DriverObject->MajorFunction[i] = MydrvDispatch;

    return STATUS_SUCCESS;
}

// Handle requests to the device object
static NTSTATUS MydrvDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    Irp->IoStatus.Status      = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0L;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return Irp->IoStatus.Status;
}

VOID DriverUnload( IN PDRIVER_OBJECT pDriverObject )
{
    UNICODE_STRING nameString;
    PCHAR          pModuleAddress;

    pModuleAddress = MyGetModuleBaseAddress( "ntoskrnl.exe" );
    if ( pModuleAddress == NULL )
    {
        DbgPrint( "MyGetModuleBaseAddress() failed\n" );
        return;
    }

    // Write the saved original address back into the export table.
    OldZwCreateFile = ( ZWCREATEFILE )HookFunction( pModuleAddress, "ZwCreateFile", ( FARPROC )OldZwCreateFile );
    if ( OldZwCreateFile == NULL )
    {
        DbgPrint( "UNHOOK FAILED!\n" );
        return;
    }
    DbgPrint( "UNHOOK SUCCEED\n" );

    RtlInitUnicodeString( &nameString, L"\\DosDevices\\WssHookPE" );
    IoDeleteSymbolicLink( &nameString );
    IoDeleteDevice( pDriverObject->DeviceObject );
}

// Replacement routine: log the call, then forward it to the original function.
NTSTATUS HookNtCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength )
{
    NTSTATUS status;

    DbgPrint( "Hook ZwCreateFile()\n" );
    status = ( ( ZWCREATEFILE )( OldZwCreateFile ) )(
        FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
        AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
        CreateOptions, EaBuffer, EaLength );
    return status;
}

// CR0 is a per-processor register: the thread must stay on the same CPU
// between DisableWriteProtect() and EnableWriteProtect().
VOID DisableWriteProtect( PULONG pOldAttr )
{
    ULONG uAttr;

    _asm
    {
        push eax;
        mov  eax, cr0;
        mov  uAttr, eax;
        and  eax, 0FFFEFFFFh;       // clear CR0.WP (bit 16)
        mov  cr0, eax;
        pop  eax;
    };
    *pOldAttr = uAttr;              // save the original CR0 value
}

VOID EnableWriteProtect( ULONG uOldAttr )
{
    _asm
    {
        push eax;
        mov  eax, uOldAttr;         // restore the original CR0 value
        mov  cr0, eax;
        pop  eax;
    };
}
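Added example, not part of the thread or of sinister's WssHookPE.c: a user-mode C program that does the export lookup the posted HookFunction gets wrong (name-table index, through the ordinal table, to the address table, which is the name/address mismatch discussed in replies #6 and #7), and a check a defender can run over a loaded image to spot export entries rewritten to point outside the module, which is the residue an export-table hook leaves behind. The module image, all RVAs and the export names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                /* same field layout as IMAGE_EXPORT_DIRECTORY */
    uint32_t Characteristics, TimeDateStamp; uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;

/* Constructed fake module image; every RVA below is invented for this example. */
enum { IMG_SIZE = 0x4000, EXP_RVA = 0x80, FUN_RVA = 0xC0, NAME_RVA = 0xE0, ORD_RVA = 0xF0, STR_RVA = 0x100 };
static _Alignas(8) uint8_t g_image[IMG_SIZE];

/* Three functions, two of them named, names listed out of order: "name i belongs to function i" is wrong here. */
void build_image(void) {
    ExportDir *e = (ExportDir *)(g_image + EXP_RVA);
    uint32_t funcs[3] = {0x1000, 0x2000, 0x3000}, names[2] = {STR_RVA, STR_RVA + 8};
    uint16_t ords[2] = {2, 0};                  /* "AFun" -> funcs[2], "BFun" -> funcs[0] */
    memset(g_image, 0, IMG_SIZE);
    e->Base = 1; e->NumberOfFunctions = 3; e->NumberOfNames = 2;
    e->AddressOfFunctions = FUN_RVA; e->AddressOfNames = NAME_RVA; e->AddressOfNameOrdinals = ORD_RVA;
    memcpy(g_image + FUN_RVA, funcs, sizeof funcs);
    memcpy(g_image + NAME_RVA, names, sizeof names);
    memcpy(g_image + ORD_RVA, ords, sizeof ords);
    memcpy(g_image + STR_RVA, "AFun\0\0\0\0BFun", 13);
}

/* Correct lookup: name-table index -> ordinal table -> address table. Returns the RVA, or 0 if absent. */
uint32_t lookup_export(const uint8_t *base, const char *name) {
    const ExportDir *e = (const ExportDir *)(base + EXP_RVA);
    const uint32_t *funcs = (const uint32_t *)(base + e->AddressOfFunctions);
    const uint32_t *names = (const uint32_t *)(base + e->AddressOfNames);
    const uint16_t *ords = (const uint16_t *)(base + e->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < e->NumberOfNames; i++)
        if (strcmp((const char *)base + names[i], name) == 0) return funcs[ords[i]];
    return 0;
}

/* Integrity check: an export RVA must lie inside the image. An entry redirected to code in another
 * driver, as the thread's hook does, yields an RVA beyond SizeOfImage. Returns how many were found. */
int count_foreign_exports(const uint8_t *base, uint32_t image_size) {
    const ExportDir *e = (const ExportDir *)(base + EXP_RVA);
    const uint32_t *funcs = (const uint32_t *)(base + e->AddressOfFunctions);
    int n = 0;
    for (uint32_t i = 0; i < e->NumberOfFunctions; i++)
        if (funcs[i] != 0 && funcs[i] >= image_size) n++;
    return n;
}

int main(void) {
    build_image();
    printf("AFun -> RVA 0x%x, foreign export entries: %d\n", lookup_export(g_image, "AFun"), count_foreign_exports(g_image, IMG_SIZE));
    return 0;
}
```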
Reply #10
Posted: 2005-04-21 12:04
I'll give it a try.
Reply #11
Posted: 2005-04-21 15:37
bmyyyud, how did the test go?
Reply #12
Posted: 2005-04-21 15:49
Quote: bmyyyud, how did the test go?
Not that fast; I have to go home and use my zombie box, and I also want to try the idapro47 one.
Reply #13
Posted: 2005-04-21 16:35
:) Sorry, I misremembered.
http://www.driverdevelop.com/forum/viewthread.php?tid=87994 is a thread you once took part in, with the same question as mine. Really strange.
Reply #14
Posted: 2005-04-22 09:41
Bump.
Reply #15
Posted: 2005-04-22 09:59
Quote: Bump.
Help me, quick! I just wanted to try it out and ended up crashing my own machine. Looks like I can't be lazy and just "give it a try" any more, heh...
http://www.driverdevelop.com/forum/html_90820.html?1114134469
http://www.driverdevelop.com/forum/html_90817.html?1114134596
Reply #16
Posted: 2005-04-22 13:47
why???
Reply #17
Posted: 2005-04-22 15:29
Quote: why???
When VS 2003 is used together with DS 3.2, VS 2003 has a bug.
Reply #18
Posted: 2005-04-26 09:09
Bump.
Reply #19
Posted: 2005-04-27 17:25
The hook PE method doesn't really work, unless you modify the NTOSKRNL file itself, heh, if you aren't afraid of dying......