
内核级 HOOK 的几种实现与应用

创建时间: 2003-03-26    文章来源: (空)    文章提交: sinister (jiasys_at_21)
Author: sinister    Email: (空)    HomePage: (空)

实现内核级 HOOK 对于拦截、分析、跟踪系统内核起着至关重要的作用。实现的方法不同意味着应用侧重点的不同。如想要拦截 NATIVE API，那么常用的就是 HOOK SERVICE TABLE 的方法；如果要分析一些系统调用，那么可能想到用 HOOK INT 2E 中断来实现；如果想要拦截或跟踪其他内核 DRIVER 的调用，那么就要用到 HOOK PE 的方法来实现。这里我们更注重的是实现，原理方面已有不少高手在网上发表过文章，大家可以结合起来读。下面以我写的几个实例程序来讲解一下各种方法的实现，错误之处还望各位指正。

1、HOOK SERVICE TABLE 方法

这种方法对于拦截 NATIVE API 来说用得比较多。原理就是通过替换系统导出的 SERVICE TABLE 中相应 NATIVE API 的地址来达到拦截的目的。因为此方法较为简单，网上也有不少资料介绍，所以这里就不给出实例程序了。SERVICE TABLE 的结构如下：

typedef struct ServiceDescriptorEntry {
    unsigned int  *ServiceTableBase;
    unsigned int  *ServiceCounterTableBase;
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;

审阅注：本文写于 2003 年，所述手法只针对 32 位 Windows。在 x64 Windows 上 KeServiceDescriptorTable 不再导出，且内核补丁保护（PatchGuard/KPP）会把对 SSDT、IDT 以及内核导出表的修改视为内核损坏并触发蓝屏；加载驱动还需要通过驱动签名强制。文中方法只适用于当年的 32 位系统或关闭了这些保护的研究环境。

2、HOOK INT 2E 方法

这种方法对于跟踪、分析系统调用来说用得比较多。原理是通过替换 IDT 表中的 INT 2E 中断，使之指向我们自己的中断服务处理例程来实现的。掌握此方法需要你对保护模式有一定的基础。下面的程序演示了这一过程。

审阅注：（1）本页预览中 InstallNewInt2e()/UninstallNewInt2e() 以及新的中断服务例程的代码在提取时丢失，下面只剩下宏定义、DriverEntry 的后半部分、派遣例程和两个取进程名的辅助函数。（2）IDT 是每个处理器各一份，多处理器系统上必须在每个 CPU 上分别替换和恢复。（3）从 Windows XP 起 x86 系统调用主要经由 sysenter（KiFastCallEntry）进入内核，INT 2E 只作为兼容入口保留，单独挂钩 INT 2E 看不到大部分系统调用。

/*
 * 文件名: WssHookInt2e.c
 * 描述:   系统调用跟踪
 * 作者:   sinister
 * 最后修改日期: 2002-11-02
 */
#include <ntddk.h>
#include <string.h>

#define DWORD unsigned __int32
#define WORD  unsigned __int16
#define BYTE  unsigned __int8
#define BOOL  __int32
#define LOWORD(l)      ((WORD)(l))
#define HIWORD(l)      ((WORD)(((DWORD)(l) >> 16) & 0xFFFF))
#define LOBYTE(w)      ((BYTE)(w))
#define HIBYTE(w)      ((BYTE)(((WORD)(w) >> 8) & 0xFF))
#define MAKELONG(a, b) ((LONG)(((WORD)(a)) | (((DWORD)((WORD)(b))) << 16)))

/* …… 此处原文的全局变量、InstallNewInt2e/UninstallNewInt2e 和中断服务例程以及 DriverEntry 的前半部分在提取时丢失 …… */

    DriverObject->DriverUnload = DriverUnload;
    // 建立设备
    RtlInitUnicodeString(&nameString, L"\\Device\\WssHookInt2e");
    status = IoCreateDevice(DriverObject, 0, &nameString, FILE_DEVICE_UNKNOWN,
                            0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status))
        return status;
    RtlInitUnicodeString(&linkString, L"\\DosDevices\\WssHookInt2e");
    status = IoCreateSymbolicLink(&linkString, &nameString);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(DriverObject->DeviceObject);
        return status;
    }
    /* Review note: the loop bound was lost in extraction; the standard idiom is
       i < IRP_MJ_MAXIMUM_FUNCTION, giving every major function the same dispatch. */
    for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = MydrvDispatch;
    DriverObject->DriverUnload = DriverUnload;
    ProcessNameOffset = GetProcessNameOffset();
    InstallNewInt2e();
    return STATUS_SUCCESS;
}

// 处理设备对象操作
static NTSTATUS MydrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0L;
    IoCompleteRequest(Irp, 0);
    return Irp->IoStatus.Status;
}

VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING nameString;

    UninstallNewInt2e();
    RtlInitUnicodeString(&nameString, L"\\DosDevices\\WssHookInt2e");
    IoDeleteSymbolicLink(&nameString);
    IoDeleteDevice(pDriverObject->DeviceObject);
    return;
}

ULONG GetProcessNameOffset()
{
    PEPROCESS curproc;
    int       i;

    curproc = PsGetCurrentProcess();
    //
    // Scan for 12KB, hoping the KPEB never grows that big!
    //
    for (i = 0; i < 3 * PAGE_SIZE; i++) {
        if (!strncmp(SYSNAME, (PCHAR)curproc + i, strlen(SYSNAME)))
            return i;
    }
    //
    // Name not found - oh, well
    //
    return 0;
}

VOID GetProcessName(PCHAR Name)
{
    PEPROCESS curproc;
    char     *nameptr;
    ULONG     i;

    if (ProcessNameOffset) {
        curproc = PsGetCurrentProcess();
        nameptr = (PCHAR)curproc + ProcessNameOffset;
        strncpy(Name, nameptr, 16);
    } else {
        strcpy(Name, "?");
    }
}

审阅注：（1）GetProcessNameOffset() 在 DriverEntry（System 进程上下文）里按字节扫描当前 EPROCESS，寻找 SYSNAME（本页未显示其定义，推测为 "System"）来猜测映像名字段的偏移，这依赖具体内核版本的结构布局，只是一个启发式技巧。（2）EPROCESS 中的映像名字段为 16 字节且不保证以 NUL 结尾，strncpy(Name, nameptr, 16) 拷贝后 Name 同样可能没有结束符；调用方缓冲区应至少 17 字节并在拷贝后自行写入 '\0'，否则后续按字符串使用会越界读。（3）IoCreateDevice 未指定安全描述符，任何用户态进程都可以打开 \\.\WssHookInt2e；当前派遣例程对所有请求一律返回成功，暂无危害，但若日后加入控制 IOCTL，应改用 IoCreateDeviceSecure 或为设备设置限制性 SDDL。

3、HOOK PE 方法

这种方法对于拦截、分析其他内核驱动的函数调用来说用得比较多。原理是替换 PE 格式导出表中的相应函数来实现的。此方法中需要用到一些小技巧。如内核模式并没有直接提供类似应用层的 GetModuleHandle()、GetProcAddress() 等函数来获得模块的地址，那么我们就需要自己来编写，这里用到了一个未公开的函数与结构：ZwQuerySystemInformation 与 SYSTEM_MODULE_INFORMATION，用来得到模块的基地址。这样我们就可以根据 PE 格式枚举导出表中的函数来替换了。但这又引出了一个问题，那就是从 Windows 2000 起内核代码页的页属性都是只读的，不能更改；内核模式也没有提供类似应用层的 VirtualProtectEx() 等函数来修改页面属性，那么也需要我们自己来编写。因为我们是在内核模式，所以可以通过修改 cr0 寄存器的写保护位来达到目的。这样我们所期望的拦截内核模式函数的功能便得以实现。此方法需要你对 PE 格式有一定的基础。下面的程序演示了这一过程。

审阅注：（1）CR0 是每个处理器各自的寄存器，清除 WP 位只对当前 CPU 有效；从清除到恢复之间必须保证不被抢占、不迁移到其它处理器（例如先提升 IRQL 或关中断），写完后立即恢复，否则其它线程可能在写保护关闭的窗口内改写只读页，或者在另一个 CPU 上触发页保护错误。（2）ZwQuerySystemInformation 与 SYSTEM_MODULE_INFORMATION 均未公开，结构布局随版本变化；第一次调用只为取得所需长度（预期返回 STATUS_INFO_LENGTH_MISMATCH），其返回值和 uReturn 应当检查后再分配。（3）预览中的 MyGetModuleBaseAddress() 在中途被截断，分配的非分页池在可见部分没有释放，完整代码中需确认有对应的 ExFreePool。

/*
 * 文件名: WssHookPE.c
 * 描述:   拦截内核函数
 * 作者:   sinister
 * 最后修改日期: 2002-11-02
 */
#include <ntddk.h>
#include <windef.h>

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation,
    SystemTimeOfDayInformation, SystemNotImplemented1, SystemProcessesAndThreadsInformation,
    SystemCallCounts, SystemConfigurationInformation, SystemProcessorTimes, SystemGlobalFlag,
    SystemNotImplemented2, SystemModuleInformation, SystemLockInformation,
    SystemNotImplemented3, SystemNotImplemented4, SystemNotImplemented5,
    SystemHandleInformation, SystemObjectInformation, SystemPagefileInformation,
    SystemInstructionEmulationCounts, SystemInvalidInfoClass1, SystemCacheInformation,
    SystemPoolTagInformation, SystemProcessorStatistics, SystemDpcInformation,
    SystemNotImplemented6, SystemLoadImage, SystemUnloadImage, SystemTimeAdjustment,
    SystemNotImplemented7, SystemNotImplemented8, SystemNotImplemented9,
    SystemCrashDumpInformation, SystemExceptionInformation, SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation, SystemContextSwitchInformation,
    SystemRegistryQuotaInformation, SystemLoadAndCallImage, SystemPrioritySeparation,
    SystemNotImplemented10, SystemNotImplemented11, SystemInvalidInfoClass2,
    SystemInvalidInfoClass3, SystemTimeZoneInformation, SystemLookasideInformation,
    SystemSetTimeSlipEvent, SystemCreateSession, SystemDeleteSession,
    SystemInvalidInfoClass4, SystemRangeStartInformation, SystemVerifierInformation,
    SystemAddVerifier, SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

typedef struct tagSYSTEM_MODULE_INFORMATION {
    ULONG  Reserved[2];
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

#define IMAGE_DOS_SIGNATURE  0x5A4D      // MZ
/* Review note: winnt.h defines IMAGE_NT_SIGNATURE as 0x00004550 ("PE\0\0" read as a
   little-endian DWORD). 0x50450000 is the byte-swapped form and will never match a
   valid header when compared as a DWORD on x86; IMAGE_NT_SIGNATURE1 below is the
   value that actually matches. */
#define IMAGE_NT_SIGNATURE   0x50450000  // PE00
#define IMAGE_NT_SIGNATURE1  0x00004550  // 00EP

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD e_magic;                       // Magic number
    WORD e_cblp;                        // Bytes on last page of file
    WORD e_cp;                          // Pages in file
    WORD e_crlc;                        // Relocations
    WORD e_cparhdr;                     // Size of header in paragraphs
    WORD e_minalloc;                    // Minimum extra paragraphs needed
    WORD e_maxalloc;                    // Maximum extra paragraphs needed
    WORD e_ss;                          // Initial (relative) SS value
    WORD e_sp;                          // Initial SP value
    WORD e_csum;                        // Checksum
    WORD e_ip;                          // Initial IP value
    WORD e_cs;                          // Initial (relative) CS value
    WORD e_lfarlc;                      // File address of relocation table
    WORD e_ovno;                        // Overlay number
    WORD e_res[4];                      // Reserved words
    WORD e_oemid;                       // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;                     // OEM information; e_oemid specific
    WORD e_res2[10];                    // Reserved words
    LONG e_lfanew;                      // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16

//
// Optional header format.
//
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    //
    // NT additional fields.
    //
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

typedef struct _IMAGE_NT_HEADERS {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef IMAGE_NT_HEADERS32  IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;

//
// Section header format.
//
#define IMAGE_SIZEOF_SHORT_NAME 8

typedef struct _IMAGE_SECTION_HEADER {
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

#define IMAGE_SIZEOF_SECTION_HEADER 40

//
// Export Format
//
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Name;
    DWORD Base;
    DWORD NumberOfFunctions;
    DWORD NumberOfNames;
    DWORD AddressOfFunctions;     // RVA from base of image
    DWORD AddressOfNames;         // RVA from base of image
    DWORD AddressOfNameOrdinals;  // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

#define BASEADDRLEN 10

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

typedef NTSTATUS (*ZWCREATEFILE)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength);

ZWCREATEFILE OldZwCreateFile;

static NTSTATUS MydrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID     DriverUnload(IN PDRIVER_OBJECT pDriverObject);
VOID     DisableWriteProtect(PULONG pOldAttr);
VOID     EnableWriteProtect(ULONG ulOldAttr);
FARPROC  HookFunction(PCHAR pModuleBase, PCHAR pHookName, FARPROC pHookFunc);
NTSTATUS HookNtCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength);

PCHAR MyGetModuleBaseAddress(PCHAR pModuleName)
{
    PSYSTEM_MODULE_INFORMATION pSysModule;
    ULONG    uReturn;
    ULONG    uCount;
    PCHAR    pBuffer = NULL;
    PCHAR    pName   = NULL;
    NTSTATUS status;
    UINT     ui;
    CHAR     szBuffer[BASEADDRLEN];
    PCHAR    pBaseAddress;

    /* First call is only a size probe: the 10-byte buffer is too small, so the
       expected result is STATUS_INFO_LENGTH_MISMATCH with uReturn set; neither
       status nor uReturn is checked here before the allocation below. */
    status  = ZwQuerySystemInformation(SystemModuleInformation, szBuffer, BASEADDRLEN, &uReturn);
    pBuffer = (PCHAR)ExAllocatePool(NonPagedPool, uReturn);
    if (pBuffer) {
        status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, uReturn, &uReturn);
        /* Review note: the preview shows "if(status=STATUS_SUCCESS)". A single '='
           here assigns 0 and never enters the branch; "==" is what is intended. */
        if (status == STATUS_SUCCESS) {
            uCount     = (ULONG)(*(ULONG *)pBuffer);
            pSysModule = (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
            for (ui = 0; ui < uCount; ui++) {
                /* The call on this line was lost in extraction; the fallback logic
                   below (use whole ImageName, else skip one char) implies a search for
                   the last path separator, i.e. strrchr(..., '\\'). */
                pName = strrchr(pSysModule->ImageName, '\\');
                if (!pName)
                    pName = pSysModule->ImageName;
                else
                    pName++;
                if (!_stricmp(pName, pModuleName)) {
                    pBaseAddress = (PCHAR)pS

/* …… 预览到此截断，文档其余部分（导出表枚举、CR0 写保护开关、HookNtCreateFile 等）未包含在本页 …… */
