#include "KernelHookCheck.h"
#include "libdasm.h"
#include "Common.h"
#include "Reload.h"
ULONG IntHookCount; /* Global hook counter.  Nothing in this file reads it: FillInlineHookInfo
                       declares a local of the same name and advances InlineHookInfo->ulCount
                       instead. */

extern DWORD OriginalKiServiceTable;                            /* not referenced in this file */
extern PSERVICE_DESCRIPTOR_TABLE OriginalServiceDescriptorTable; /* service table used to map a Zw* stub's
                                                                   service index to its Nt* body; entries are
                                                                   rebased from ImageModuleBase to
                                                                   SystemKernelModuleBase before use */

extern ULONG_PTR SystemKernelModuleBase;  /* base and size of the running kernel image */
extern ULONG_PTR SystemKernelModuleSize;
extern ULONG_PTR ImageModuleBase;         /* base of the second ("reloaded", see Reload.h) copy of the
                                             kernel image; the live image is compared against it and
                                             addresses are translated between the two by rebasing */
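/*
 * KernelHookCheck - walk every named export of the reloaded kernel image
 * (ImageModuleBase), locate the matching code in the live kernel
 * (SystemKernelModuleBase) and record EAT hooks and inline hooks in
 * InlineHookInfo.
 *
 * InlineHookInfo : caller-owned result buffer; entries are appended through
 *                  FillInlineHookInfo(), which advances ulCount.
 *
 * Returns TRUE when the export table was walked to the end, FALSE when the
 * reloaded image has no NT header / export directory or an exception cut the
 * walk short.  (The original returned STATUS_SUCCESS, i.e. 0 == FALSE, from a
 * BOOLEAN function; a caller that tests for non-zero now gets a meaningful
 * answer, a caller that ignores the value sees no difference.)
 *
 * Depends on the globals ImageModuleBase, SystemKernelModuleBase,
 * SystemKernelModuleSize and OriginalServiceDescriptorTable having been set
 * up before the call (see Reload.h).
 */
BOOLEAN KernelHookCheck(PINLINEHOOKINFO InlineHookInfo)
{
    PIMAGE_NT_HEADERS NtHeader;
    PIMAGE_EXPORT_DIRECTORY ExportTable;
    ULONG* FunctionAddresses;
    ULONG* FunctionNames;
    USHORT* FunctionIndexs;
    ULONG ulIndex;
    ULONG i;
    CHAR* szFunctionName;
    ULONG_PTR ulFunctionAddress;
    BOOL bIsZwFunction = FALSE;
    ULONG ulOldAddress;      /* address of the export in the live kernel */
    ULONG ulReloadAddress;   /* address of the export in the reloaded copy */
    PUCHAR ulTemp;
    BOOLEAN bCompleted = FALSE;

    __try{
        NtHeader = RtlImageNtHeader((PVOID)ImageModuleBase);
        if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){
            ExportTable = (IMAGE_EXPORT_DIRECTORY*)((ULONG_PTR)ImageModuleBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
            FunctionAddresses = (ULONG*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfFunctions);
            FunctionNames = (ULONG*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfNames);
            FunctionIndexs = (USHORT*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfNameOrdinals);

            for(i = 0; i < ExportTable->NumberOfNames; i++)
            {
                szFunctionName = (LPSTR)((ULONG_PTR)ImageModuleBase + FunctionNames[i]);
                ulIndex = FunctionIndexs[i];
                ulFunctionAddress = (ULONG_PTR)((ULONG_PTR)ImageModuleBase + FunctionAddresses[ulIndex]);

                /* The same export in both images: the reloaded copy directly,
                   the live kernel by rebasing. */
                ulReloadAddress = ulFunctionAddress;
                ulOldAddress = ulReloadAddress - (ULONG)ImageModuleBase + SystemKernelModuleBase;

                if (!ulOldAddress ||
                    !MmIsAddressValid((PVOID)ulOldAddress) ||
                    !ulReloadAddress ||
                    !MmIsAddressValid((PVOID)ulReloadAddress))
                {
                    continue;
                }
                bIsZwFunction = FALSE;

                /* Zw* exports are stubs whose WORD at offset 1 is the system
                   service index; resolve it through the service table so that
                   the Nt* body is what gets compared below. */
                if (*szFunctionName == 'Z' &&
                    *(szFunctionName+1) == 'w')
                {
                    bIsZwFunction = TRUE;
                    ulIndex = *((WORD*)(ulFunctionAddress + 1));

                    /* Valid indices are 0 .. TableSize-1.  The original used
                       '<= TableSize', which read one entry past the end of
                       ServiceTable.  Index 0 is skipped as before. */
                    if (ulIndex > 0 &&
                        ulIndex < OriginalServiceDescriptorTable->TableSize)
                    {
                        ulReloadAddress = OriginalServiceDescriptorTable->ServiceTable[ulIndex];
                        ulOldAddress = ulReloadAddress - (ULONG)ImageModuleBase + SystemKernelModuleBase;
                    }
                }

                if (bIsZwFunction)
                {
                    /* The address pair was re-derived from the service table;
                       validate it again before touching it. */
                    if (!ulOldAddress ||
                        !MmIsAddressValid((PVOID)ulOldAddress) ||
                        !ulReloadAddress ||
                        !MmIsAddressValid((PVOID)ulReloadAddress))
                    {
                        continue;
                    }
                }
                else
                {
                    /* Plain export: additionally follow its first call into a
                       non-exported callee and scan that one (HookType 2). */
                    GetNextFunctionAddress(ImageModuleBase,ulOldAddress,szFunctionName,InlineHookInfo);
                }

                /* EAT hook: GetEatHook() resolves export i through the live
                   kernel's own export table and returns that address when it
                   differs from ulOldAddress, else 0. */
                ulTemp = (PUCHAR)GetEatHook(ulOldAddress,i,SystemKernelModuleBase,SystemKernelModuleSize);
                if(ulTemp)
                {
                    FillInlineHookInfo(ulTemp,InlineHookInfo,szFunctionName,ulOldAddress,1); /* HookType 1 = EAT hook */
                }

                /* Inline hook: byte-compare the live body with the reloaded one. */
                CheckFuncByOpcode((PVOID)ulReloadAddress,InlineHookInfo,szFunctionName,(PVOID)ulOldAddress);
            }
            bCompleted = TRUE;
        }
    }__except(EXCEPTION_EXECUTE_HANDLER)
    {
        /* A fault while reading kernel memory ends the scan; whatever was
           recorded up to that point stays in InlineHookInfo. */
        bCompleted = FALSE;
    }
    return bCompleted;
}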
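/*
 * FillInlineHookInfo - append one hook record to InlineHookInfo.
 *
 * ulTemp          : address the hook transfers control to (the hook target).
 * InlineHookInfo  : result buffer; InlineHook[ulCount] is written and ulCount
 *                   is advanced by one.
 * szFunctionName  : NUL-terminated name of the hooked export.
 * ulOldAddress    : address of the hooked code in the live kernel.
 * HookType        : 1 = EAT hook (KernelHookCheck), 0 = inline hook
 *                   (CheckFuncByOpcode), 2 = hook found in a non-exported
 *                   callee (GetNextFunctionAddress).
 *
 * The module owning ulTemp is looked up with IsAddressInSystem(); when the
 * address belongs to no known module the record is tagged "Unknown4" with a
 * zero module base and size.
 *
 * NOTE(review): nothing here checks that InlineHook[] still has room for
 * another entry; the capacity is part of the INLINEHOOKINFO type and has to
 * be guaranteed by whoever sizes the buffer.
 */
VOID FillInlineHookInfo(PUCHAR ulTemp,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,ULONG ulOldAddress,ULONG HookType)
{
    ULONG ulHookModuleBase;
    ULONG ulHookModuleSize;
    char lpszHookModuleImage[256];
    ULONG ulSlot = InlineHookInfo->ulCount;   /* the original named this IntHookCount, shadowing the file-scope global */
    size_t cbCopy;

    memset(lpszHookModuleImage,0,sizeof(lpszHookModuleImage));

    /* NOTE(review): IsAddressInSystem() is not told the buffer size; 256 has
       to match its own contract - confirm against its definition. */
    if (!IsAddressInSystem(
        (ULONG)ulTemp,
        &ulHookModuleBase,
        &ulHookModuleSize,
        lpszHookModuleImage))
    {
        /* Address belongs to no known module: tag it and zero the module fields. */
        memset(lpszHookModuleImage,0,sizeof(lpszHookModuleImage));
        memcpy(lpszHookModuleImage,"Unknown4",sizeof("Unknown4"));
        ulHookModuleBase = 0;
        ulHookModuleSize = 0;
    }

    InlineHookInfo->InlineHook[ulSlot].ulMemoryHookBase = (ULONG)ulTemp;
    memset(InlineHookInfo->InlineHook[ulSlot].lpszFunction,0,sizeof(InlineHookInfo->InlineHook[ulSlot].lpszFunction));
    memset(InlineHookInfo->InlineHook[ulSlot].lpszHookModuleImage,0,sizeof(InlineHookInfo->InlineHook[ulSlot].lpszHookModuleImage));

    /* Bounded copies.  The original copied strlen() bytes, which overran the
       destination whenever a name was at least as long as the field; the
       fields were just zeroed, so copying at most sizeof-1 bytes keeps them
       NUL-terminated. */
    cbCopy = strlen(szFunctionName);
    if (cbCopy > sizeof(InlineHookInfo->InlineHook[ulSlot].lpszFunction) - 1)
    {
        cbCopy = sizeof(InlineHookInfo->InlineHook[ulSlot].lpszFunction) - 1;
    }
    memcpy(InlineHookInfo->InlineHook[ulSlot].lpszFunction,szFunctionName,cbCopy);

    cbCopy = strlen(lpszHookModuleImage);
    if (cbCopy > sizeof(InlineHookInfo->InlineHook[ulSlot].lpszHookModuleImage) - 1)
    {
        cbCopy = sizeof(InlineHookInfo->InlineHook[ulSlot].lpszHookModuleImage) - 1;
    }
    memcpy(InlineHookInfo->InlineHook[ulSlot].lpszHookModuleImage,lpszHookModuleImage,cbCopy);

    InlineHookInfo->InlineHook[ulSlot].ulMemoryFunctionBase = (ULONG)ulOldAddress;
    InlineHookInfo->InlineHook[ulSlot].ulHookModuleBase = ulHookModuleBase;
    InlineHookInfo->InlineHook[ulSlot].ulHookModuleSize = ulHookModuleSize;
    InlineHookInfo->InlineHook[ulSlot].ulHookType = HookType;   /* 1 = EAT hook, 0 = inline hook, 2 = hook in a non-exported callee */

    InlineHookInfo->ulCount++;
}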
/*
 * CheckFuncByOpcode - look for an inline hook in one function by comparing the
 * live kernel body (ulOldAddress) with the reloaded copy (ulReloadAddress).
 *
 * ulReloadAddress : function body in the reloaded image (reference bytes).
 * InlineHookInfo  : result buffer, filled via FillInlineHookInfo (HookType 0).
 * szFunctionName  : name recorded with any hook found.
 * ulOldAddress    : function body in the live kernel (bytes under inspection).
 *
 * Nothing is done unless GetFunctionCodeSize() agrees for both copies and the
 * bodies differ.  The live body is then walked byte by byte; every byte that
 * decodes (libdasm, 32-bit mode) as a jmp/call/push is treated as a candidate
 * hook and its target is examined.  A target is recorded only when it lies
 * outside and above the live kernel image and its first bytes pass a few
 * pattern checks.
 *
 * No return value.  There is no __try here; the memory reads rely on the
 * caller's exception handler (KernelHookCheck calls this inside __try).
 */
VOID CheckFuncByOpcode(PVOID ulReloadAddress,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,PVOID ulOldAddress)
{
    INSTRUCTION Inst;
    INSTRUCTION Instb;
    ULONG ulHookFunctionAddress;
    size_t ulCodeSize;
    PUCHAR p;
    PUCHAR ulTemp;
    int Flagss;

    if (GetFunctionCodeSize(ulOldAddress) == GetFunctionCodeSize(ulReloadAddress) &&
        memcmp(ulReloadAddress,ulOldAddress,GetFunctionCodeSize(ulOldAddress)) != 0)
    {
        /* Bodies differ: scan the live copy for the instruction that diverts control. */
        ulCodeSize = GetFunctionCodeSize(ulOldAddress);

        for (p = (PUCHAR)ulOldAddress ;(ULONG)p < (ULONG)ulOldAddress+ulCodeSize; p++)
        {
            /* While the first half of the window still matches, widen the
               window by half and keep going.
               NOTE(review): this grows ulCodeSize past the real function size
               on every iteration where the prefix matches; the intent is unclear. */
            if (memcmp(ulReloadAddress,ulOldAddress,ulCodeSize/2) == 0)
            {
                ulCodeSize = ulCodeSize + ulCodeSize/2;
                continue;
            }
            /* 0xCC (int3 padding) or 0xC2 (ret imm16) is taken as the end of the function. */
            if (*p == 0xcc ||
                *p == 0xc2)
            {
                break;
            }
            /* Treat p as if it were a rel32 jmp/call and compute its target;
               used only as a readability gate before decoding. */
            ulHookFunctionAddress = (*(PULONG)(p + 1) + (ULONG)p + 5);
            if (!MmIsAddressValid((PVOID)ulHookFunctionAddress))
            {
                continue;
            }
            ulTemp = NULL;
            get_instruction(&Inst,p,MODE_32);
            switch (Inst.type)
            {
            case INSTRUCTION_TYPE_JMP:
                if(Inst.opcode==0xFF&&Inst.modrm==0x25)
                {
                    /* jmp [mem]: the displacement is the address of the pointer
                       slot, not the final target. */
                    ulTemp = (PUCHAR)Inst.op1.displacement;
                }
                else if (Inst.opcode==0xEB)
                {
                    /* short jmp */
                    ulTemp = (PUCHAR)(p+Inst.op1.immediate);
                }
                else if(Inst.opcode==0xE9)
                {
                    /* near relative jmp.
                       NOTE(review): a rel32 is relative to the *next* instruction;
                       p + immediate is short by the instruction length unless
                       libdasm already folds it in - confirm. */
                    ulTemp = (PUCHAR)(p+Inst.op1.immediate);
                }
                break;
            case INSTRUCTION_TYPE_CALL:
                if(Inst.opcode==0xFF&&Inst.modrm==0x15)
                {
                    /* call [mem]: displacement is the pointer slot, as above. */
                    ulTemp = (PUCHAR)Inst.op1.displacement;
                }
                else if (Inst.opcode==0x9A)
                {
                    /* far call */
                    ulTemp = (PUCHAR)(p+Inst.op1.immediate);
                }
                else if(Inst.opcode==0xE8)
                {
                    /* near relative call (same relative-offset caveat as 0xE9) */
                    ulTemp = (PUCHAR)(p+Inst.op1.immediate);
                }
                break;
            case INSTRUCTION_TYPE_PUSH:
                /* NOTE(review): this decodes the same bytes at p a second time and
                   tests for RET; since Inst.type was PUSH for the same input, the
                   condition below cannot hold unless get_instruction is
                   non-deterministic.  Looks like a leftover of a push/ret detector. */
                if(!RMmIsAddressValid((PVOID)(p)))
                {
                    break;
                }
                get_instruction(&Instb,(BYTE*)(p),MODE_32);
                if(Instb.type == INSTRUCTION_TYPE_RET)
                {
                    ulTemp = (PUCHAR)Instb.op1.displacement;
                }
                break;
            }
            /* RMmIsAddressValid is not defined in this file; presumably a
               wrapper around MmIsAddressValid (Common.h?). */
            if (ulTemp &&
                RMmIsAddressValid(ulTemp) &&
                RMmIsAddressValid(p))
            {
                /* Targets inside the live kernel image are not hooks. */
                if ((ULONG)ulTemp > SystemKernelModuleBase &&
                    (ULONG)ulTemp < SystemKernelModuleBase+SystemKernelModuleSize)
                {
                    goto Next;
                }
                /* Neither are targets below the kernel image. */
                if ((ULONG)ulTemp < SystemKernelModuleBase)
                {
                    goto Next;
                }
                /* A first dword matching one of these patterns is treated as
                   "not code"; the origin of the three values is undocumented. */
                if (*(ULONG *)ulTemp == 0x00000000 ||
                    *(ULONG *)ulTemp == 0x00000005 ||
                    *(ULONG *)ulTemp == 0xc0000012)
                {
                    goto Next;
                }
                /* Flagss becomes 1 iff the first WORD at ulTemp is non-zero
                   (two zero bytes would disassemble as 'add byte ptr [eax],al'). */
                Flagss = 0;
                __asm{
                    mov esi,ulTemp
                    mov ax,word ptr [esi]
                    cmp ax,0x0000
                    jz Cont
                    mov Flagss,1
                Cont:
                }
                if (Flagss != 1)
                    goto Next;

                /* Step past a 5-byte instruction at the target and follow one
                   more rel32 jmp/call - presumably a trampoline.  Note that
                   ulTemp+5 and the bytes after it are read without a validity check. */
                ulTemp = ulTemp+0x5;
                if (*ulTemp == 0xe9 ||
                    *ulTemp == 0xe8)
                {
                    ulTemp = (PUCHAR)(*(PULONG)(ulTemp+1)+(ULONG)(ulTemp+5));
                }
                /* Record: hook target, address of the diverting instruction, HookType 0. */
                FillInlineHookInfo(ulTemp,InlineHookInfo,szFunctionName,(ULONG)p,0);
Next:
                _asm{nop}   /* the label needs a statement to attach to */
            }
        }
    }
}
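/*
 * GetNextFunctionAddress - follow the first rel32 call (0xE8) inside an
 * exported function into its callee and scan that callee for an inline hook,
 * so that hooks placed on non-exported helpers are not missed.
 *
 * ulNtDllModuleBase : base of the reloaded image (the name is historical;
 *                     KernelHookCheck passes ImageModuleBase).
 * ulOldAddress      : address of the exported function in the live kernel.
 * functionName      : name recorded with any hook found.
 * InlineHookInfo    : result buffer, see FillInlineHookInfo (HookType 2).
 *
 * Returns 0 in every case; KernelHookCheck ignores the value.
 *
 * Fix over the original: the outer loop condition was 'i < i + ulCodeSize',
 * which is always true, so the scan only stopped at a 0xCC/0xC2 byte, at an
 * exported callee, or on an exception.  It now stops at the end of the
 * function as measured by GetFunctionCodeSize().  The inline-asm test on the
 * target's first WORD has been replaced by the equivalent C comparison.
 */
ULONG GetNextFunctionAddress(ULONG ulNtDllModuleBase,ULONG ulOldAddress,char *functionName,PINLINEHOOKINFO InlineHookInfo)
{
    ULONG ulCodeSize;
    ULONG ulNextFunCodeSize;
    ULONG ulNextFunReloadCodeSize;
    PUCHAR i;
    PUCHAR ulScanEnd;
    PUCHAR ulNextFunctionAddress = NULL;        /* callee in the live kernel */
    PUCHAR ulReloadNextFunctionAddress = NULL;  /* same callee in the reloaded copy */
    PUCHAR ulTemp;
    ULONG ulHookFunctionAddress;
    PUCHAR p;
    INSTRUCTION Inst;
    INSTRUCTION Instb;

    if (!MmIsAddressValid((PVOID)ulOldAddress))
    {
        return 0;
    }

    __try
    {
        ulCodeSize = GetFunctionCodeSize((PVOID)ulOldAddress);
        ulScanEnd = (PUCHAR)ulOldAddress + ulCodeSize;

        for (i = (PUCHAR)ulOldAddress; i < ulScanEnd; i++)
        {
            if (*i == 0xe8)
            {
                /* rel32 call: target = address of the next instruction + displacement. */
                ulNextFunctionAddress = (PUCHAR)(*(PULONG)(i+1)+(ULONG)(i+5));
                if (MmIsAddressValid((PVOID)ulNextFunctionAddress))
                {
                    /* An exported callee is presumably covered by the main
                       export walk in KernelHookCheck; stop here. */
                    if (IsFunctionInExportTable(ulNtDllModuleBase,(ULONG)ulNextFunctionAddress))
                    {
                        return 0;
                    }

                    ulReloadNextFunctionAddress = ulNextFunctionAddress - SystemKernelModuleBase + ImageModuleBase;
                    if (MmIsAddressValid(ulReloadNextFunctionAddress) &&
                        MmIsAddressValid(ulNextFunctionAddress))
                    {
                        ulNextFunCodeSize = GetFunctionCodeSize(ulNextFunctionAddress);
                        ulNextFunReloadCodeSize = GetFunctionCodeSize(ulReloadNextFunctionAddress);

                        /* Same size but different bytes: the callee was modified. */
                        if (ulNextFunCodeSize == ulNextFunReloadCodeSize &&
                            memcmp(ulReloadNextFunctionAddress,ulNextFunctionAddress,ulNextFunCodeSize) != 0)
                        {
                            for (p = (PUCHAR)ulNextFunctionAddress ;(ULONG)p < (ULONG)ulNextFunctionAddress+ulNextFunCodeSize; p++)
                            {
                                /* Widen the window while the first half still matches
                                   (same heuristic as CheckFuncByOpcode; NOTE(review): it
                                   can grow the window past the real function size). */
                                if (memcmp(ulReloadNextFunctionAddress, ulNextFunctionAddress,ulNextFunCodeSize/2) == 0)
                                {
                                    ulNextFunCodeSize = ulNextFunCodeSize + ulNextFunCodeSize/2;
                                    continue;
                                }
                                /* 0xCC (int3 padding) or 0xC2 (ret imm16): end of the callee. */
                                if (*p == 0xcc ||
                                    *p == 0xc2)
                                {
                                    break;
                                }
                                /* Readability gate: the rel32 target p would have if it were a jmp/call. */
                                ulHookFunctionAddress = (*(PULONG)(p + 1) + (ULONG)p + 5);
                                if (!RMmIsAddressValid((PVOID)ulHookFunctionAddress))
                                {
                                    continue;
                                }

                                ulTemp = NULL;
                                get_instruction(&Inst,p,MODE_32);
                                switch (Inst.type)
                                {
                                case INSTRUCTION_TYPE_JMP:
                                    if(Inst.opcode==0xFF&&Inst.modrm==0x25)
                                    {
                                        /* jmp [mem]: displacement is the pointer slot, not the final target */
                                        ulTemp = (PUCHAR)Inst.op1.displacement;
                                    }
                                    else if (Inst.opcode==0xEB)
                                    {
                                        ulTemp = (PUCHAR)(p+Inst.op1.immediate);
                                    }
                                    else if(Inst.opcode==0xE9)
                                    {
                                        /* NOTE(review): rel32 is relative to the next instruction;
                                           p + immediate is short by the instruction length unless
                                           libdasm folds it in - confirm. */
                                        ulTemp = (PUCHAR)(p+Inst.op1.immediate);
                                    }
                                    break;
                                case INSTRUCTION_TYPE_CALL:
                                    if(Inst.opcode==0xFF&&Inst.modrm==0x15)
                                    {
                                        ulTemp = (PUCHAR)Inst.op1.displacement;
                                    }
                                    else if (Inst.opcode==0x9A)
                                    {
                                        ulTemp = (PUCHAR)(p+Inst.op1.immediate);
                                    }
                                    else if(Inst.opcode==0xE8)
                                    {
                                        ulTemp = (PUCHAR)(p+Inst.op1.immediate);
                                    }
                                    break;
                                case INSTRUCTION_TYPE_PUSH:
                                    /* NOTE(review): re-decodes the same bytes and tests for RET,
                                       which cannot differ from the PUSH decode above; kept as in
                                       the original. */
                                    if(!RMmIsAddressValid((PVOID)(p)))
                                    {
                                        break;
                                    }
                                    get_instruction(&Instb,(BYTE*)(p),MODE_32);
                                    if(Instb.type == INSTRUCTION_TYPE_RET)
                                    {
                                        ulTemp = (PUCHAR)Instb.op1.displacement;
                                    }
                                    break;
                                default:
                                    break;
                                }

                                if (!ulTemp ||
                                    !MmIsAddressValid(ulTemp) ||
                                    !MmIsAddressValid(p))
                                {
                                    continue;
                                }
                                /* Targets inside or below the live kernel image are not hooks. */
                                if ((ULONG)ulTemp > SystemKernelModuleBase &&
                                    (ULONG)ulTemp < SystemKernelModuleBase+SystemKernelModuleSize)
                                {
                                    continue;
                                }
                                if ((ULONG)ulTemp < SystemKernelModuleBase)
                                {
                                    continue;
                                }
                                /* First-dword patterns the original treats as "not code"
                                   (origin undocumented), then the non-zero first-WORD test
                                   that the original did in inline assembly. */
                                if (*(ULONG *)ulTemp == 0x00000000 ||
                                    *(ULONG *)ulTemp == 0x00000005)
                                {
                                    continue;
                                }
                                if (*(WORD *)ulTemp == 0)
                                {
                                    continue;
                                }

                                /* Step past a 5-byte instruction at the target and follow one
                                   more rel32 jmp/call (presumably a trampoline).  ulTemp+5 is
                                   read without a validity check, as in the original. */
                                ulTemp = ulTemp+0x5;
                                if (*ulTemp == 0xe9 ||
                                    *ulTemp == 0xe8)
                                {
                                    ulTemp = (PUCHAR)(*(PULONG)(ulTemp+1)+(ULONG)(ulTemp+5));
                                }
                                /* NOTE(review): the original records ulTemp+0x5 here while
                                   CheckFuncByOpcode records ulTemp; kept unchanged because it
                                   is not clear which is intended. */
                                FillInlineHookInfo(ulTemp+0x5,InlineHookInfo,functionName,(ULONG)p,2);
                            }
                        }
                    }
                }
            }
            /* 0xCC / 0xC2 in the exported function itself: end of scan. */
            if (*i == 0xcc ||
                *i == 0xc2)
            {
                return 0;
            }
        }
    }__except(EXCEPTION_EXECUTE_HANDLER){
        /* A fault while reading kernel memory simply ends the scan. */
    }

    return 0;
}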
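/*
 * IsFunctionInExportTable - does ulFunctionAddress (an address in the live
 * kernel) correspond to an export of the image at ulModuleBase?
 *
 * ulModuleBase      : base of the reloaded kernel image; its export address
 *                     table is walked and each RVA is rebased onto
 *                     SystemKernelModuleBase before the comparison.
 * ulFunctionAddress : live-kernel address to look for.
 *
 * Returns TRUE on a match, FALSE otherwise (including a bad DOS/NT header, a
 * missing export directory, or an exception while reading the image).
 *
 * Changes from the original: the loop now indexes AddressOfFunctions directly
 * by x over NumberOfFunctions.  The original went through
 * AddressOfNameOrdinals[x] + Base - 1, which reads past the ordinal array when
 * NumberOfFunctions > NumberOfNames and mis-applies the ordinal base (ordinal
 * table entries are already zero-based indices); with Base == 1 and a fully
 * named export table the two are equivalent.  Unused export slots (RVA 0) are
 * skipped, and a missing export directory is rejected instead of being
 * dereferenced.
 */
BOOLEAN IsFunctionInExportTable(ULONG ulModuleBase,ULONG ulFunctionAddress)
{
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS NtDllHeader;
    DWORD* arrayOfFunctionAddresses;
    DWORD x, ulOldAddress, ulExportRva;
    IMAGE_EXPORT_DIRECTORY *pExportTable;

    __try
    {
        pDosHeader=(PIMAGE_DOS_HEADER)ulModuleBase;
        if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
        {
            KdPrint(("failed to find NtHeader\r\n"));
            return FALSE;
        }
        NtDllHeader=(PIMAGE_NT_HEADERS)((ULONG)pDosHeader+pDosHeader->e_lfanew);
        if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
        {
            KdPrint(("failed to find NtHeader\r\n"));
            return FALSE;
        }

        ulExportRva = NtDllHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        if (ulExportRva == 0)
        {
            /* No export directory: nothing can be exported from this image. */
            return FALSE;
        }
        pExportTable = (IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + ulExportRva);
        arrayOfFunctionAddresses = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfFunctions);

        for (x = 0; x < pExportTable->NumberOfFunctions; x++)
        {
            if (arrayOfFunctionAddresses[x] == 0)
            {
                continue;   /* unused ordinal slot */
            }
            /* RVA in the reloaded image -> address in the live kernel. */
            ulOldAddress = (DWORD)(SystemKernelModuleBase + arrayOfFunctionAddresses[x]);
            if (ulFunctionAddress == ulOldAddress)
            {
                return TRUE;
            }
        }
    }__except(EXCEPTION_EXECUTE_HANDLER){
        /* Unreadable image: treat as "not exported". */
    }
    return FALSE;
}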
/*
 * ReSetEatHook - restore one export-table entry of the live kernel from the
 * reloaded copy.
 *
 * lpszFunction         : name of the export to restore (compared case-insensitively).
 * ulReloadKernelModule : base of the reloaded kernel image; the RVA it holds
 *                        for lpszFunction is taken as the correct value.
 * ulKernelModule       : base of the live kernel image whose export address
 *                        table entry is overwritten.
 *
 * The store into the live table is bracketed by clearing CR0.WP (bit 16) with
 * interrupts masked (CLI) and restoring both afterwards.  Both the WP change
 * and CLI affect the current processor only.
 *
 * Returns 0 when either image has a bad DOS/NT header, TRUE otherwise - also
 * when lpszFunction was not found and nothing was written.
 *
 * NOTE(review): the index into the live table is the reloaded image's
 * AddressOfNameOrdinals[x] + Base - 1, so the two images are assumed to have
 * identical export tables, and the loop reads name/ordinal arrays with x up
 * to NumberOfFunctions rather than NumberOfNames.  Ordinal-table entries are
 * already zero-based, so "+ Base - 1" is only correct while Base == 1.
 * functionOrdinal, functionAddress, bIsEatHooked and position are unused.
 */
BOOLEAN ReSetEatHook(CHAR *lpszFunction,ULONG ulReloadKernelModule,ULONG ulKernelModule)
{
    ULONG ulModuleBase;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS NtDllHeader;
    IMAGE_OPTIONAL_HEADER opthdr;
    DWORD* arrayOfFunctionAddresses;
    DWORD* arrayOfFunctionNames;
    WORD* arrayOfFunctionOrdinals;
    DWORD functionOrdinal;
    DWORD Base,x,functionAddress;
    IMAGE_EXPORT_DIRECTORY *pExportTable;
    char *functionName = NULL;
    BOOL bIsEatHooked = FALSE;
    int position;
    ULONG ulFunctionOrdinal;   /* first the export-table index, then the RVA read from the reloaded image */

    /* Pass 1: parse the reloaded image and find lpszFunction's RVA there. */
    ulModuleBase = ulReloadKernelModule;
    pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
    if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
    {
        KdPrint(("failed to find NtHeader\r\n"));
        return 0;
    }
    NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
    if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
    {
        KdPrint(("failed to find NtHeader\r\n"));
        return 0;
    }
    opthdr = NtDllHeader->OptionalHeader;
    pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
    arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions);
    arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames);
    arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);

    Base = pExportTable->Base;

    for(x = 0; x < pExportTable->NumberOfFunctions; x++)
    {
        functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
        ulFunctionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
        ulFunctionOrdinal = arrayOfFunctionAddresses[ulFunctionOrdinal];   /* RVA of export x in the reloaded image */

        functionAddress = (DWORD)((BYTE*)ulModuleBase + ulFunctionOrdinal);

        if (_stricmp(lpszFunction,functionName) == 0)
        {
            KdPrint(("reload ulFunctionOrdinal:%08x:%s",ulFunctionOrdinal,functionName));

            /* Pass 2: parse the live image and overwrite the matching entry. */
            ulModuleBase = ulKernelModule;
            pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
            if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
            {
                KdPrint(("failed to find NtHeader\r\n"));
                return 0;
            }
            NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
            if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
            {
                KdPrint(("failed to find NtHeader\r\n"));
                return 0;
            }
            opthdr = NtDllHeader->OptionalHeader;
            pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
            arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions);
            arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames);
            arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);

            Base = pExportTable->Base;

            /* Lift write protection (CR0.WP, bit 16) for the single store below. */
            _asm
            {
                CLI
                MOV EAX, CR0
                AND EAX, NOT 10000H
                MOV CR0, EAX
            }
            arrayOfFunctionAddresses[arrayOfFunctionOrdinals[x] + Base - 1] = ulFunctionOrdinal;
            _asm
            {
                MOV EAX, CR0
                OR EAX, 10000H
                MOV CR0, EAX
                STI
            }
            break;
        }
    }

    return TRUE;
}
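/*
 * GetEatHook - resolve export number x through the live kernel's own export
 * table and report it when it no longer points where the reloaded copy says
 * it should.
 *
 * ulOldAddress             : expected live-kernel address of the export, as
 *                            computed by KernelHookCheck from the reloaded copy.
 * x                        : index into the export name table (KernelHookCheck's
 *                            loop counter over the reloaded image's names; the
 *                            two images are assumed to have identical tables).
 * ulSystemKernelModuleBase : base of the live kernel image.
 * ulSystemKernelModuleSize : not used; kept for the caller's signature.
 *
 * Zw* exports are resolved through the service table, mirroring
 * KernelHookCheck, so that an Nt body is compared with an Nt body.
 *
 * Returns the live address when it differs from ulOldAddress (an EAT hook),
 * else 0.  Also returns 0 when the live image has no valid headers, no export
 * directory, or x is out of range.
 *
 * Fixes over the original: the service-index bound was '<= TableSize', one
 * past the end of ServiceTable; the ordinal lookup added Base - 1 to an
 * ordinal-table entry that is already a zero-based index (identical while
 * Base == 1); x was not range-checked; the export directory was not checked
 * for presence.
 *
 * NOTE(review): when a Zw* entry itself has been redirected, the WORD read
 * from the redirected stub is not a service index; if it happens to fall in
 * range the comparison proceeds against an unrelated service-table entry.
 */
ULONG GetEatHook(ULONG ulOldAddress,int x,ULONG ulSystemKernelModuleBase,ULONG ulSystemKernelModuleSize)
{
    ULONG ulModuleBase;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS NtDllHeader;
    DWORD* arrayOfFunctionAddresses;
    DWORD* arrayOfFunctionNames;
    WORD* arrayOfFunctionOrdinals;
    DWORD functionAddress;
    DWORD ulExportRva;
    IMAGE_EXPORT_DIRECTORY *pExportTable;
    char *functionName = NULL;
    ULONG position = 0;
    ULONG ulFunctionOrdinal;

    (void)ulSystemKernelModuleSize;

    ulModuleBase = ulSystemKernelModuleBase;
    pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
    if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
    {
        KdPrint(("failed to find NtHeader\r\n"));
        return 0;
    }
    NtDllHeader=(PIMAGE_NT_HEADERS)((ULONG)pDosHeader+pDosHeader->e_lfanew);
    if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
    {
        KdPrint(("failed to find NtHeader\r\n"));
        return 0;
    }
    ulExportRva = NtDllHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (ulExportRva == 0)
    {
        return 0;
    }
    pExportTable = (IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + ulExportRva);
    arrayOfFunctionAddresses = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfFunctions);
    arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames);
    arrayOfFunctionOrdinals = (WORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);

    if (x < 0 || (DWORD)x >= pExportTable->NumberOfNames)
    {
        return 0;
    }

    functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
    ulFunctionOrdinal = arrayOfFunctionOrdinals[x];   /* zero-based index into the address table */
    if (ulFunctionOrdinal >= pExportTable->NumberOfFunctions)
    {
        return 0;
    }
    functionAddress = (DWORD)((BYTE*)ulModuleBase + arrayOfFunctionAddresses[ulFunctionOrdinal]);

    /* Zw* stubs carry the service index in the WORD at offset 1; swap the
       stub for the Nt body the service table points at. */
    if (*functionName == 'Z' &&
        *(functionName+1) == 'w')
    {
        position = *((WORD*)(functionAddress + 1));
        if (position > 0 &&
            position < OriginalServiceDescriptorTable->TableSize)
        {
            functionAddress = OriginalServiceDescriptorTable->ServiceTable[position] - (ULONG)ImageModuleBase + SystemKernelModuleBase;
        }
    }

    if (ulOldAddress != functionAddress)
    {
        KdPrint(("EAT HOOK %08x:%s\r\n",functionAddress,functionName));
        return functionAddress;
    }
    return 0;
}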