通过Hook SwapContext 获得目标线程的 IDT GDT KPCR (fs寄存器)
// Driver.h
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
// Driver entry point; the I/O manager calls it when the driver image is loaded.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif
// Section-placement helpers, used as `#pragma PAGEDCODE` etc. before a function
// definition: code_seg("PAGE") puts the functions that follow in the pageable
// section, code_seg("INIT") in the section released after initialization, and
// code_seg() with no argument returns to the default (non-paged) section.
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
// Element count of a true array (not valid on a pointer or array parameter).
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
// Kernel routines not declared by ntddk.h, declared here so the driver links
// against them directly.  KiDispatchInterrupt is only used as the starting
// point of the byte scan in GetSwapContextAddr(); PsGetProcessImageFileName
// is used to read a process's image file name for comparison.
EXTERN_C NTKERNELAPI VOID KiDispatchInterrupt();
EXTERN_C NTKERNELAPI UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);
// Driver.cpp
#include "Driver.h"
// Globals shared by HookSwapContext(), NewSwapContext() and UnHookSwapContext().
// g_SwapContext_hookpointer: address inside SwapContext where the 5-byte jmp is
//   written; 0 (zero-initialized) until HookSwapContext() has located it.
// g_goto_origfunc: address the trampoline jumps back to (hook point + 7).
// g_szBackupSwapContext: the 5 original bytes overwritten by the jmp, kept so
//   UnHookSwapContext() can put them back on unload.
ULONG g_SwapContext_hookpointer;
ULONG g_goto_origfunc;
UCHAR g_szBackupSwapContext[5];
void PageProtectOn()
{
    // Restore write protection: set CR0.WP (bit 16) so supervisor-mode writes to
    // read-only pages fault again, then re-enable interrupts.  Paired with
    // PageProtectOff().  CR0 is per-processor, so this only affects the CPU
    // the call runs on.
    // NOTE(review): `sti` is unconditional -- it enables interrupts even if the
    // caller already had them disabled before PageProtectOff() was entered.
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
}
void PageProtectOff()
{
    // Disable write protection so a kernel code page can be patched: interrupts
    // are turned off first (presumably so no interrupt handler runs on this CPU
    // while WP is clear), then CR0.WP (bit 16) is cleared.  Paired with
    // PageProtectOn().  CR0 is per-processor, so this only affects the CPU
    // the call runs on.
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
}
ULONG GetSwapContextAddr()
{
    // Scan the first 0x200 bytes of KiDispatchInterrupt for the `call SwapContext`
    // instruction (E8 rel32) and resolve the call's absolute target.
    // The signature is: E8 at the scan position, 8B 2C five/six bytes after it,
    // and B1 two bytes before it.  Returns 0 (after a debug print) when the
    // signature is not found within the window.
    // NOTE(review): a byte signature like this matches one particular kernel build;
    // on other builds it either returns 0 or, worse, matches something else.
    // Callers must treat 0 as failure.
    PUCHAR pScan = (PUCHAR)(ULONG)KiDispatchInterrupt;
    PUCHAR pMatch = NULL;
    for (ULONG offset = 0; offset < 0x200; offset++, pScan++)
    {
        if (pScan[0] == 0xe8
            && pScan[5] == 0x8b
            && pScan[6] == 0x2c
            && pScan[-2] == 0xb1)
        {
            pMatch = pScan;
            break;
        }
    }
    if (pMatch == NULL)
    {
        KdPrint(("Find SwapContextAddr faile!\n"));
        return 0;
    }
    // rel32 is relative to the end of the 5-byte call instruction.
    ULONG rel32 = *(PULONG)(pMatch + 1);
    return (ULONG)(pMatch + 5 + rel32);
}
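ULONG SearchHookPointer(ULONG StartAddress)
{
    // Scan 0x200 bytes from StartAddress (expected to be SwapContext) for the
    // instruction bytes 89 43 18 FB 8B (mov [ebx+18h],eax ; sti ; mov eax,...)
    // preceded by 46 20, and return the address of the 89 byte.  That address
    // is where HookSwapContext() writes its 5-byte jmp.
    // Returns 0 (after a debug print) when StartAddress is 0 -- i.e. the caller's
    // GetSwapContextAddr() already failed -- or when no match is found.
    // NOTE(review): the hook actually replaces 7 bytes (g_goto_origfunc is the
    // hook point + 7) and the trampoline re-executes them as `mov eax,[edi+44h]`
    // for bytes 4-6, but only the first 5 bytes are verified here.
    PUCHAR pMatch = NULL;
    if (StartAddress != 0)
    {
        // Scanning from 0 would read the null page and fault; skip the scan instead.
        PUCHAR p = (PUCHAR)StartAddress;
        for (ULONG i = 0; i < 0x200; i++, p++)
        {
            if (p[0] == 0x89
                && p[1] == 0x43
                && p[2] == 0x18
                && p[3] == 0xfb
                && p[4] == 0x8b
                && p[-1] == 0x20
                && p[-2] == 0x46)
            {
                pMatch = p;
                break;
            }
        }
    }
    if (pMatch == NULL)
    {
        KdPrint(("Find SearchHookPointer faile!\n"));
        return 0;
    }
    return (ULONG)pMatch;
}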
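void __stdcall FilterSwapContext(PETHREAD pTargetThread, PETHREAD pCurrentThread, PKPCR pkpcr)
{
    // Called from the NewSwapContext trampoline on every context switch that
    // passes the hook point.  Per the parameter names, pTargetThread is the
    // thread being switched to, pCurrentThread the one being switched away
    // from, and pkpcr the current processor's KPCR (passed in from ebx).
    //
    // __stdcall is required: the trampoline pushes the three arguments and does
    // not pop them after the call, so this function must clean them up itself.
    // With a cdecl default the trampoline's popfd/popad would restore garbage.
    //
    // The process pointer is read from a hard-coded offset (+0x44) into the
    // thread object with no version check; the offset is specific to the
    // kernel build this was written against.
    // NOTE(review): KdPrint and _stricmp inside the scheduler's context-switch
    // path are risky; keep this routine as short as possible.
    PEPROCESS pTargetProcess = (PEPROCESS)*(PULONG)((ULONG)pTargetThread + 0x44);
    PEPROCESS pCurrentProcess = (PEPROCESS)*(PULONG)((ULONG)pCurrentThread + 0x44);
    PUCHAR pszTarget = PsGetProcessImageFileName(pTargetProcess);
    PUCHAR pszCurrent = PsGetProcessImageFileName(pCurrentProcess);
    // Only switches into the process of interest are reported.
    if (_stricmp((const char*)pszTarget, "calc.exe") != 0)
    {
        return;
    }
    KdPrint(("pIdtEntry:%X-----pGdt:%X\n", pkpcr->IDT, pkpcr->GDT));
    KdPrint(("pszTarget:%s--pszCurrent:%s\n",pszTarget, pszCurrent));
}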
__declspec(naked) void NewSwapContext()
{
    // Trampoline reached through the 5-byte jmp that HookSwapContext() writes
    // into SwapContext.  On entry the registers are SwapContext's own; judging by
    // the arguments pushed below, ebx = KPCR, edi = outgoing thread, esi = incoming
    // thread.  Naked: no prologue/epilogue, so all state is saved/restored by hand.
    __asm
    {
        pushad                      // save all general-purpose registers
        pushfd                      // save EFLAGS
        push ebx                    // arg 3: pkpcr
        push edi                    // arg 2: pCurrentThread
        push esi                    // arg 1: pTargetThread
        call FilterSwapContext      // the 12 bytes of arguments are never popped
                                    // here, so the callee must be __stdcall
        popfd
        popad
        // Re-execute the 7 bytes of SwapContext that the jmp overwrote: the scan
        // verified 89 43 18 (mov [ebx+18h],eax) and FB (sti); the trailing
        // mov eax,[edi+44h] is assumed, not verified.  Then resume at hook point + 7.
        mov [ebx + 18h], eax
        sti
        mov eax, [edi + 44h]
        jmp g_goto_origfunc
    }
}
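void UnHookSwapContext()
{
    // Put the 5 saved bytes back at the hook point and clear the hook state.
    // A no-op when nothing was patched (HookSwapContext() failed and left
    // g_SwapContext_hookpointer at 0): the original unconditional copy would
    // have written to address 0 during unload.
    if (g_SwapContext_hookpointer == 0)
    {
        return;
    }
    // Stay at DISPATCH_LEVEL and with WP cleared only for the duration of the copy.
    KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
    PageProtectOff();
    RtlCopyMemory((PVOID)g_SwapContext_hookpointer, g_szBackupSwapContext, 5);
    PageProtectOn();
    KeLowerIrql(OldIrql);
    // Clear so a repeated call is a no-op rather than a second patch.
    g_SwapContext_hookpointer = 0;
}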
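VOID HookSwapContext()
{
    // Locate the hook point inside SwapContext and replace its first 5 bytes with
    // a relative jmp to NewSwapContext, keeping the original bytes for
    // UnHookSwapContext().  If either search returns 0 nothing is written and
    // g_SwapContext_hookpointer stays 0, which DriverEntry()/UnHookSwapContext()
    // can use to tell that no patch is in place.  (The original code wrote the
    // jmp to address 0 in that case.)
    g_SwapContext_hookpointer = 0;
    g_goto_origfunc = 0;
    ULONG uSwapContextAddr = GetSwapContextAddr();
    if (uSwapContextAddr == 0)
    {
        KdPrint(("HookSwapContext: SwapContext not found, nothing patched\n"));
        return;
    }
    ULONG uHookPoint = SearchHookPointer(uSwapContextAddr);
    if (uHookPoint == 0)
    {
        KdPrint(("HookSwapContext: hook point not found, nothing patched\n"));
        return;
    }
    // The trampoline re-executes the 7 overwritten bytes, so it resumes at +7.
    // This must be set before the jmp goes live.
    g_goto_origfunc = uHookPoint + 7;
    // E9 rel32; the displacement is relative to the end of the 5-byte jmp.
    UCHAR jmp_code[5];
    jmp_code[0] = 0xE9;
    ULONG rel32 = (ULONG)NewSwapContext - uHookPoint - 5;
    RtlCopyMemory(&jmp_code[1], &rel32, sizeof(rel32));
    // Same protocol as UnHookSwapContext(): DISPATCH_LEVEL and WP cleared only
    // for the duration of the two copies.
    KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
    PageProtectOff();
    RtlCopyMemory(g_szBackupSwapContext, (PVOID)uHookPoint, 5);
    RtlCopyMemory((PVOID)uHookPoint, jmp_code, 5);
    PageProtectOn();
    KeLowerIrql(OldIrql);
    // Publish last, so the global is non-zero only once the patch is in place.
    g_SwapContext_hookpointer = uHookPoint;
}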
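#pragma INITCODE
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    // Install the SwapContext hook and register the unload routine.
    // The load is failed when the hook could not be placed (HookSwapContext()
    // leaves g_SwapContext_hookpointer at 0), instead of reporting success for
    // a driver that patched nothing.
    UNREFERENCED_PARAMETER(RegistryPath);
    HookSwapContext();
    if (g_SwapContext_hookpointer == 0)
    {
        KdPrint(("DriverEntry: hook not installed, failing load\n"));
        return STATUS_UNSUCCESSFUL;
    }
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}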
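#pragma PAGEDCODE
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    // Restore SwapContext's original bytes before the driver image -- and the
    // trampoline inside it -- is unmapped.  Placed in the PAGE section, so assert
    // the IRQL the section requires.
    UNREFERENCED_PARAMETER(DriverObject);
    PAGED_CODE();
    UnHookSwapContext();
    KdPrint(("DriverEntry unLoading...\n"));
}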