From: doskey on
On Apr 23, 10:07 pm, "Nicolás Genen" <nge...(a)gmail.com> wrote:
> To Don Burn:
>
> That is exactly what I'm trying to do ^^
>
> To Doskey:
>
> I'm using the following macros
>
> #define HOOK_INDEX(function2hook) *(PULONG)((PUCHAR)function2hook+1)
>
> #define HOOK(functionName, newPointer2Function, oldPointer2Function) \
>     oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) newPointer2Function)
>
> #define UNHOOK(functionName, oldPointer2Function) \
>     InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) oldPointer2Function)
>
> Thanks for everything!
>
> "Don Burn" <b...(a)stopspam.windrvr.com> wrote in message news:u0mpr7TpIHA.2188(a)TK2MSFTNGP04.phx.gbl...
>
> > Of course be aware, of the following:
>
> > 1. Using hooking will label your software MALWARE
> > 2. As stated below it will not work on x64 systems, and hopefully in the
> > future on x86 systems
> > 3. The approach below means your driver can never be unloaded since it is
> > likely to crash the world.
> > 4. If someone else is doing hooking, the approach below can mean your
> > driver might see ZwReadVirtualMemory before the other driver which might
> > get all the ZwWriteVirtualMemory calls first.
>
> > Finally, what are you trying to do that requires this? If you are trying
> > to control the calls at the level of "process A cannot access process B",
> > there are legitimate, though harder to code, ways to do this.
>
> > --
> > Don Burn (MVP, Windows DDK)
> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > Website: http://www.windrvr.com
> > Blog: http://msmvps.com/blogs/WinDrvr
> > Remove StopSpam to reply
>
> > "doskey" <doskey....(a)gmail.com> wrote in message
> > news:a6f49ed4-2261-45a9-aafd-0f6278d8cb22(a)a22g2000hsc.googlegroups.com...
> > On Apr 23, 1:09 pm, "Nicolás Genen" <nge...(a)gmail.com> wrote:
> >> I have tried to do it by "simple" ways, but when I need to link my driver with
> >> ntdll.lib it doesn't load anymore. I need to find a simple or complex way to
> >> do it.
>
> >> Thanks in advance!
>
> >> Nicolás
>
> > What are your "simple" ways?
> > My way is SSDT hooking. But this way cannot run on x64 systems such as
> > WinXP 64 and Vista 64.
> >
> > 1. Get the IDs of these functions from the export functions of ntdll.dll.
> > These IDs are the index into the SSDT service function array.
> > 2. Import KeServiceDescriptorTable in your driver.
> > 3. Get the service functions from the SSDT by ID.
> > 4. Save the address of the service function.
> > 5. Copy the address of your hook routine to the SSDT by ID.
> > Then you must call the original service function in your hook routine, or
> > return a failure to user mode.
> > Enjoy. ;^)

Don't forget to enable write-protect of memory. InterlockXXX is only
useful on multi-core systems. You must stop thread context swapping. You
must do something like this:

DWORD nOldProtect;

__asm
{
    cli                      ; clear the interrupt flag: stop thread context swapping
    push eax
    mov eax, cr0
    mov nOldProtect, eax     ; save the original CR0 so it can be restored later
    and eax, 0xFFFEFFFF      ; clear bit 16 (0x10000), the CPU write-protect (WP) bit
    mov cr0, eax
    pop eax
}

/* do your hooking */

__asm
{
    push eax
    mov eax, nOldProtect     ; restore the original CR0 (WP bit set again)
    mov cr0, eax
    pop eax
    sti                      ; set the interrupt flag again
}

I think that's all you need.


To Don Burn:
A system filter driver is the best way. But I think Windows can't filter
memory access in all versions.
Maybe you mean object callbacks? They are only available in Vista SP1 (build
6001).
Do you have a better way to filter memory access such as
NtWriteVirtualMemory, NtReadVirtualMemory, etc.?
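Added example, not code from anyone in this thread: the defender's side of the SSDT hooking steps above, the integrity scan that is behind point 1 of Don Burn's list. It flags service-table entries that no longer match a boot-time snapshot or that point outside the kernel image (the case for a hook routine living in a third-party driver). The table, the baseline and the kernel range are constructed values; in a driver the live entries would be read through KeServiceDescriptorTable, which the thread already names.

```c
#include <stddef.h>
#include <stdint.h>

/* Reason bits attached to a suspicious service-table entry. */
#define SSDT_CHANGED_FROM_BASELINE 0x1u  /* differs from the boot-time snapshot */
#define SSDT_OUTSIDE_KERNEL_IMAGE  0x2u  /* target lies outside ntoskrnl's range */

struct ssdt_finding {
    size_t    index;    /* service number (the thread uses 186 for ZwReadVirtualMemory) */
    uintptr_t current;  /* pointer found in the live table */
    uintptr_t expected; /* pointer recorded in the baseline */
    unsigned  reasons;  /* SSDT_* bits */
};

/* Compare a live copy of the service table with a trusted baseline and with the
 * [kernel_lo, kernel_hi) range of the kernel image. In a driver the live array
 * would be read from KeServiceDescriptorTable->ServiceTableBase; here the caller
 * passes plain arrays. Returns the number of findings written (<= max_findings). */
size_t ssdt_check(const uintptr_t *live, const uintptr_t *baseline, size_t count,
                  uintptr_t kernel_lo, uintptr_t kernel_hi,
                  struct ssdt_finding *out, size_t max_findings)
{
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        unsigned reasons = 0;
        if (live[i] != baseline[i])
            reasons |= SSDT_CHANGED_FROM_BASELINE;
        if (live[i] < kernel_lo || live[i] >= kernel_hi)
            reasons |= SSDT_OUTSIDE_KERNEL_IMAGE;
        if (reasons != 0 && n < max_findings) {
            out[n].index = i;              out[n].current = live[i];
            out[n].expected = baseline[i]; out[n].reasons = reasons;
            n++;
        }
    }
    return n;
}

/* Constructed sample (hypothetical addresses, not from any real system): entry 0
 * was swapped to another in-kernel routine, entry 2 was redirected into a
 * third-party driver's hook routine, which is what the HOOK macros above do. */
size_t demo_findings(struct ssdt_finding *out, size_t max_findings)
{
    const uintptr_t kernel_lo = 0x80400000u, kernel_hi = 0x80600000u;
    const uintptr_t baseline[4] = { 0x80451000u, 0x80452000u, 0x80453000u, 0x80454000u };
    const uintptr_t live[4]     = { 0x80452000u, 0x80452000u, 0xF8A12000u, 0x80454000u };
    return ssdt_check(live, baseline, 4, kernel_lo, kernel_hi, out, max_findings);
}
```

An entry that still points into the kernel image but differs from the baseline is reported too, since a hook may sit inside a kernel routine that was patched in place.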
From: Nicolás Genen on
Doskey you are amazing :)

Along the way, I solved it using these macros.

#define HOOK_ID(functionId, newPointer2Function, oldPointer2Function) \
    oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) &NewSystemCallTable[functionId], (LONG) newPointer2Function)

#define UNHOOK_ID(functionId, oldPointer2Function) \
    InterlockedExchange( (PLONG) &NewSystemCallTable[functionId], (LONG) oldPointer2Function)

then, for example, to hook ZwReadVirtualMemory,

HOOK_ID(186, NewZwReadVirtualMemory, OldZwReadVirtualMemory);

then the unhook

UNHOOK_ID(186, OldZwReadVirtualMemory);


so I can hook system calls without having them defined ^^

It works. If I need or should do something else, please let me know!

Regards,
Nico.