标题:
多核下通过修改GDT隐藏IDT HOOK
作者:
forwe
时间:
2013-8-30 21:20
标题:
多核下通过修改GDT隐藏IDT HOOK
Driver.h
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif
// Section placement helpers for #pragma code_seg / data_seg: "PAGE" is pageable,
// "INIT" is the init-time section, the empty form is the default (non-paged) one.
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
// Element count of a true array (not a pointer); unused in the visible code.
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
// Win32-style aliases used only by MAKELONG below.
#define WORD USHORT
#define DWORD ULONG
// Combine two 16-bit halves into one 32-bit value: a is the low word, b the high
// word. Used to rebuild the 32-bit base/offset values that IDTR and IDT entries
// store split in two.
#define MAKELONG(a, b) ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) | ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff))) << 16))
#pragma pack(push)
#pragma pack(1) // 1-byte packing: these structs mirror hardware descriptor layouts exactly
// IDTR as stored by SIDT: 16-bit limit followed by a 32-bit linear base. The base
// is split into two 16-bit halves that MAKELONG reassembles.
typedef struct _IDTR // image of the IDT base register
{
USHORT IDT_limit; // last valid byte offset in the table (size - 1)
USHORT IDT_LOWbase;// low half of the base; the base points at an array of _IDT_ENTRY
USHORT IDT_HIGbase;// high half of the base
}IDTR,*PIDTR;
// One 8-byte 32-bit gate. The handler is selector:offset, with the offset split
// across LowOffset / HigOffset.
typedef struct _IDT_ENTRY
{
USHORT LowOffset; // low 16 bits of the handler offset
USHORT selector; // code segment selector the CPU loads into CS on entry.
// HookInterruptFromGdt rewrites only this field (0x8 <-> 0xa8) and never the
// offset halves, which is why a tool that compares offsets alone does not see
// the hook; a checker should compare the selector too.
UCHAR reserved;
UCHAR type:4; // gate type (4 bits)
UCHAR always0:1; // 1 bit
UCHAR dpl:2; // descriptor privilege level (2 bits)
UCHAR present:1; // 1 bit
USHORT HigOffset;// high 16 bits of the handler offset
}IDTENTRY,*PIDTENTRY;// the IDT base read via SIDT is really a pointer to this type
// 8-byte GDT segment descriptor. The 32-bit segment base is scattered over
// BaseLow, BaseMid and BaseHi; HookInterruptFromGdt writes exactly those three
// fields of slot 21 to give it a non-zero base.
typedef struct _KGDTENTRY
{
USHORT LimitLow;
USHORT BaseLow;
union {
struct {
UCHAR BaseMid;
UCHAR Flags1; // Declare as bytes to avoid alignment
UCHAR Flags2; // Problems.
UCHAR BaseHi;
} Bytes;
struct {
ULONG BaseMid : 8;
ULONG Type : 5;
ULONG Dpl : 2;
ULONG Pres : 1;
ULONG LimitHi : 4;
ULONG Sys : 1;
ULONG Reserved_0 : 1;
ULONG Default_Big : 1;
ULONG Granularity : 1;
ULONG BaseHi : 8;
} Bits;
} HighWord;
} KGDTENTRY, *PKGDTENTRY;
#pragma pack(pop)
// Kernel-exported routine that is not declared by ntddk.h, hence the hand-written
// prototype; returns the image file name of Process. Used by FilterInterruptFunc3.
EXTERN_C NTKERNELAPI UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);
Driver.cpp
#include "Driver.h"
//global
// Signalled by HookIdtDpc so that HandleIdtByDpc can wait for each per-CPU DPC.
KEVENT g_Event ;
// Index of the processor the currently queued DPC targets; written by
// HandleIdtByDpc, read by HookIdtDpc (only for its log line).
ULONG g_CurrentCpuAffinity = 0;
// Offset of the original INT 3 handler, read from the IDT in DriverEntry;
// NewInterruptFun3InOrigBase tail-jumps here after the filter has run.
ULONG g_OrgInterruptFunc3;
// Base given to the extra GDT descriptor: NewInterruptFun3 - g_OrgInterruptFunc3,
// so that the UNCHANGED IDT offset, interpreted through that segment, lands on
// NewInterruptFun3. Leaving the offset untouched is what hides the hook from an
// offset-only IDT check.
ULONG g_uNewBase;
// 6-byte far pointer (32-bit offset + 16-bit selector 0x8) filled by DriverEntry
// and used by the `jmp fword ptr` in NewInterruptFun3 to get back into selector
// 0x8, the segment the hooked entry used originally.
USHORT g_FilterJmp[3];
void PageProtectOn()
{
// Restore write protection: set CR0.WP (bit 16) so ring-0 writes to read-only
// pages fault again, then re-enable interrupts on this CPU.
// NOTE(review): `sti` is unconditional; the interrupt state that PageProtectOff
// found is never saved, so interrupts are always enabled on return.
__asm
{
mov eax, cr0
or eax, 10000h   // CR0.WP
mov cr0, eax
sti
}
}
void PageProtectOff()
{
// Remove write protection: disable interrupts on this CPU, then clear CR0.WP so
// the (normally read-only) IDT/GDT pages can be written. CR0 is per-processor,
// one reason the table edits are dispatched to each CPU via a DPC.
__asm
{
cli
mov eax, cr0
and eax, not 10000h   // clear CR0.WP
mov cr0, eax
}
}
void GetIdt(ULONG uCPU)
{
// Debug helper: log the handler offset of every IDT entry of the current CPU.
// uCPU is only echoed in the log line. Not called from the visible code.
IDTR idtr;
__asm SIDT idtr
PIDTENTRY pIdtEntry = NULL;
pIdtEntry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
KdPrint(("pIdtEntry: %X\n", pIdtEntry));
// IDT_limit is the last byte offset, so limit / entry size is the last index and
// the inclusive `<=` bound is intended.
for (ULONG uIndex = 0; uIndex <= idtr.IDT_limit / sizeof(IDTENTRY); uIndex++)
{
KdPrint(("uCPU:%d---pIdtEntry[%d]: %X\n", uCPU, uIndex, MAKELONG(pIdtEntry[uIndex].LowOffset, pIdtEntry[uIndex].HigOffset)));
}
}
ULONG GetInterruptFuncAddress(ULONG InterruptIndex)
{
// Return the 32-bit offset stored in IDT entry InterruptIndex of the current
// processor (read via SIDT). Only the two offset halves are combined; the entry's
// selector is ignored, so the result equals the handler's linear address only for
// a base-0 code segment. No bounds check on InterruptIndex (callers pass 3).
IDTR idtr;
PIDTENTRY pIdtEntry;
__asm SIDT idtr;
pIdtEntry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
return MAKELONG(pIdtEntry[InterruptIndex].LowOffset, pIdtEntry[InterruptIndex].HigOffset);
}
VOID __stdcall FilterInterruptFunc3()
{
    // Filter called from the INT 3 stub (NewInterruptFun3InOrigBase) after it has
    // saved the general registers: only logs the image name of the process that
    // raised the trap. It does not touch the trap frame; the stub then continues
    // to the original handler.
    PEPROCESS current = IoGetCurrentProcess();
    UCHAR *imageName = PsGetProcessImageFileName(current);
    KdPrint(("CurrentProcess:%s\n", imageName));
}
__declspec(naked) void NewInterruptFun3InOrigBase()
{
// Second stage of the INT 3 hook, reached through the far jump in NewInterruptFun3
// once CS is back to selector 0x8. Naked: no prologue/epilogue, so the trap frame
// is still exactly as the CPU left it when the original handler is reached.
__asm
{
pushad                     // save general registers
pushfd                     // save EFLAGS
push fs                    // fs is the only segment register saved ...
push 0x30
pop fs
mov ax, 0x23
mov ds, ax                 // ... ds and es are overwritten and not restored below
mov es, ax
call FilterInterruptFunc3  // log the current process name
pop fs
popfd
popad
jmp g_OrgInterruptFunc3    // tail-jump to the original handler, frame unchanged
}
}
__declspec(naked) void NewInterruptFun3()
{
// First code executed for INT 3 while the hook is active. The IDT entry still
// holds the original handler's offset, but its selector is now 0xa8, whose base
// (g_uNewBase) was chosen so that base + offset == this function. The far jump
// through the 6-byte pointer g_FilterJmp (offset of NewInterruptFun3InOrigBase,
// selector 0x8) reloads CS with the original code segment and continues there.
// Relies on DriverEntry having filled g_FilterJmp and g_uNewBase first.
__asm
{
jmp fword ptr [g_FilterJmp]
}
}
void HookInterrupt(ULONG uCPU, ULONG InterruptIndex, ULONG NewInterruptFunc)
{
// Conventional IDT hook, kept for comparison: rewrite the two offset halves of
// entry InterruptIndex on the current CPU to NewInterruptFunc, selector untouched.
// Not called from the visible code; the post's title says the GDT variant
// (HookInterruptFromGdt) is used instead because an offset change like this one
// is what an IDT offset check detects. uCPU is only used in the log line.
IDTR idtr;
__asm SIDT idtr
PIDTENTRY pIdtEntry = NULL;
pIdtEntry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
KdPrint(("uCPU:%d---pIdtEntry: %X\n", uCPU, pIdtEntry));
PageProtectOff(); // clear CR0.WP + cli
pIdtEntry[InterruptIndex].LowOffset =(USHORT)((ULONG)NewInterruptFunc & 0xffff);
pIdtEntry[InterruptIndex].HigOffset = (USHORT)((ULONG)NewInterruptFunc >> 16);
PageProtectOn(); // set CR0.WP + sti
}
void HookInterruptFromGdt(ULONG uCPU, ULONG InterruptIndex, BOOLEAN bHook)
{
// Install (bHook) or remove the GDT-based hook of IDT entry InterruptIndex on
// the CURRENT processor; uCPU is only used for the log line. Must execute on the
// CPU whose tables are changed (HandleIdtByDpc arranges that with a targeted DPC,
// or by raising IRQL on a single-CPU machine).
//
// How it hides: instead of changing the entry's offset (as HookInterrupt does),
// it changes the entry's code selector to 0xa8 (GDT index 21) and builds
// descriptor 21 as a copy of descriptor 1 (selector 0x8) with base g_uNewBase.
// The unchanged offset, interpreted through that base, lands on NewInterruptFun3.
// A checker that compares IDT offsets only still sees the original handler; the
// observable artefacts are the non-0x8 selector in the IDT entry and a populated
// GDT slot 21 with a non-zero base, so a defender should verify IDT selectors and
// GDT descriptor bases as well as offsets.
IDTR idtr;
__asm SIDT idtr
PIDTENTRY pIdtEntry = NULL;
pIdtEntry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
ULONG uGdtAddr = 0;
// SGDT stores 6 bytes (16-bit limit, 32-bit base). Storing at [esp-2] puts the
// limit in the two bytes below esp and the base exactly over the pushed edx slot,
// so the following pop yields the GDT base alone.
__asm
{
push edx
SGDT [esp - 2]
pop edx
mov uGdtAddr, edx
}
PKGDTENTRY pGdtEntry = (PKGDTENTRY)uGdtAddr;
KdPrint(("uCPU:%d---pIdtEntry:%X---pGdtEntry:%X\n", uCPU, pIdtEntry, pGdtEntry));
PageProtectOff(); // clear CR0.WP + cli: both tables are normally read-only
if (bHook)
{
// 0xa8 = index 21 << 3, GDT, RPL 0. NOTE(review): nothing verifies that the
// GDT limit covers index 21 or that the slot is unused -- an unchecked
// assumption about the GDT layout of the machine this runs on.
pIdtEntry[InterruptIndex].selector = 0xa8;
RtlCopyMemory(&pGdtEntry[21], &pGdtEntry[1], sizeof(KGDTENTRY));
pGdtEntry[21].BaseLow = (USHORT) (g_uNewBase & 0xffff);
pGdtEntry[21].HighWord.Bytes.BaseMid = (UCHAR)((g_uNewBase >> 16) & 0xff);
pGdtEntry[21].HighWord.Bytes.BaseHi = (UCHAR)(g_uNewBase >> 24);
}
else
{
// Unhook: point the entry back at selector 0x8 and wipe descriptor 21.
pIdtEntry[InterruptIndex].selector = 0x8;
memset(&pGdtEntry[21], 0, sizeof(KGDTENTRY));
}
PageProtectOn(); // set CR0.WP + sti
}
VOID HookIdtDpc(
IN struct _KDPC *Dpc,
IN PVOID DeferredContext,
IN PVOID SystemArgument1,
IN PVOID SystemArgument2
)
{
    // DPC body run on the processor HandleIdtByDpc targeted: apply or remove the
    // GDT-based hook on this CPU's descriptor tables, then wake the waiting thread.
    // SystemArgument1 carries the interrupt index and SystemArgument2 the
    // hook/unhook flag, both passed through PVOID by KeInsertQueueDpc's caller.
    // Dpc and DeferredContext are unused.
    ULONG interruptIndex = (ULONG)SystemArgument1;
    BOOLEAN hook = (BOOLEAN)SystemArgument2;
    HookInterruptFromGdt(g_CurrentCpuAffinity, interruptIndex, hook);
    // No priority boost, and this routine does not wait afterwards.
    KeSetEvent(&g_Event, IO_NO_INCREMENT, FALSE);
}
void HandleIdtByDpc(ULONG InterruptIndex, BOOLEAN bHook)
{
// Apply (bHook) or remove the hook of IDT entry InterruptIndex on every active
// processor. Descriptor tables are per-CPU, so the work has to run on each CPU:
// on a single-CPU machine HookInterruptFromGdt is called in place at
// DISPATCH_LEVEL, otherwise one DPC per processor is queued and awaited in turn.
KAFFINITY CpuAffinity;
ULONG uCpuCount = 0;
ULONG i = 0;
KDPC Dpc; // stack-allocated: only safe because every queued DPC is awaited below
CpuAffinity = KeQueryActiveProcessors();
// Count the set bits of the active-processor mask.
// NOTE(review): sizeof(KAFFINITY) is a byte count, not a bit count, so this loop
// and the one below examine only the low sizeof(KAFFINITY) bits of the mask;
// processors beyond those bits are neither counted nor touched.
for (i = 0; i < sizeof(KAFFINITY); i++)
{
if ((CpuAffinity >> i) & 1)
{
uCpuCount++;
}
}
if (uCpuCount == 1)
{
// Single processor: no DPC needed, just prevent preemption while the
// tables are edited.
KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
HookInterruptFromGdt(0, InterruptIndex, bHook);
KeLowerIrql(OldIrql);
}
else
{
for (i = 0; i < sizeof(KAFFINITY); i++)
{
if ((CpuAffinity >> i) & 1)
{
// Publish the target CPU for HookIdtDpc's log line, re-arm the event,
// then run the DPC on that processor with (index, flag) passed through
// the two PVOID system arguments.
g_CurrentCpuAffinity = i;
KeInitializeEvent(&g_Event, NotificationEvent, FALSE);
KeInitializeDpc(&Dpc, HookIdtDpc, NULL);
KeSetTargetProcessorDpc(&Dpc, (CCHAR)i);
KeSetImportanceDpc(&Dpc, HighImportance);
KeInsertQueueDpc(&Dpc, (PVOID)InterruptIndex, (PVOID)bHook);
// Block (Executive, KernelMode, non-alertable, no timeout) until HookIdtDpc
// signals. Both outcomes lead to the next iteration, so the `continue` is
// a no-op. NOTE(review): KeInsertQueueDpc's return value is ignored and
// the wait has no timeout.
if (KeWaitForSingleObject(&g_Event, (KWAIT_REASON)0, 0, 0, 0) == STATUS_SUCCESS)
{
continue;
}
}
}
}
}
#pragma INITCODE
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
// Entry point (INIT section). Captures the original INT 3 handler offset,
// prepares the far pointer and segment base the stubs need, then installs the
// hook on every counted processor. RegistryPath is unused; always returns
// STATUS_SUCCESS.
NTSTATUS status = STATUS_SUCCESS;
// Reads entry 3 of the IDT of whichever CPU DriverEntry happens to run on.
// NOTE(review): assumes every processor's entry 3 holds the same offset -- TODO confirm.
g_OrgInterruptFunc3 = GetInterruptFuncAddress(3);
// Segment base such that base + original offset == NewInterruptFun3. The unsigned
// subtraction wraps modulo 2^32, which is the intended 32-bit base arithmetic.
g_uNewBase = (ULONG)NewInterruptFun3 - g_OrgInterruptFunc3;
// Build the 6-byte far pointer: the 32-bit offset is written over
// g_FilterJmp[0..1] through a PULONG view, then selector 0x8 into g_FilterJmp[2].
*(PULONG)g_FilterJmp = (ULONG)NewInterruptFun3InOrigBase;
g_FilterJmp[2] = 0x8;
HandleIdtByDpc(3, TRUE);
DriverObject->DriverUnload = DriverUnload;
return status;
}
#pragma PAGEDCODE
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
// Unload routine (pageable): restore IDT entry 3's selector to 0x8 and clear GDT
// slot 21 on every counted processor, then log. DriverObject is unused. The log
// text says "DriverEntry" although this is the unload path; kept verbatim.
HandleIdtByDpc(3, FALSE);
KdPrint(("DriverEntry unLoading...\n"));
}