From: doskey on 23 Apr 2008 22:32

On Apr 23, 10:07 AM, "Nicolás Genen" <nge...(a)gmail.com> wrote:
> To Don Burn:
>
> That is exactly what I'm trying to do ^^
>
> To Doskey:
>
> I'm using the following macros
>
> #define HOOK_INDEX(function2hook) *(PULONG)((PUCHAR)function2hook+1)
>
> #define HOOK(functionName, newPointer2Function, oldPointer2Function ) \
>     oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) \
>         &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) newPointer2Function)
>
> #define UNHOOK(functionName, oldPointer2Function) \
>     InterlockedExchange( (PLONG) \
>         &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) oldPointer2Function)
>
> Thanks 4 everything!
>
> "Don Burn" <b...(a)stopspam.windrvr.com> wrote in message
> news:u0mpr7TpIHA.2188(a)TK2MSFTNGP04.phx.gbl...
> >
> > Of course, be aware of the following:
> >
> > 1. Using hooking will label your software MALWARE
> > 2. As stated below it will not work on x64 systems, and hopefully in the
> >    future on x86 systems
> > 3. The approach below means your driver can never be unloaded since it is
> >    likely to crash the world.
> > 4. If someone else is doing hooking, the approach below can mean your
> >    driver might see ZwReadVirtualMemory before the other driver which might
> >    get all the ZwWriteVirtualMemory calls first.
> >
> > Finally, what are you trying to do that requires this? If you are trying
> > to control the calls at the level of process A cannot access process B
> > there are legitimate though harder to code ways to do this.
> >
> > --
> > Don Burn (MVP, Windows DDK)
> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > Website: http://www.windrvr.com
> > Blog: http://msmvps.com/blogs/WinDrvr
> > Remove StopSpam to reply
> >
> > "doskey" <doskey....(a)gmail.com> wrote in message
> > news:a6f49ed4-2261-45a9-aafd-0f6278d8cb22(a)a22g2000hsc.googlegroups.com...
> > > On Apr 23, 1:09, "Nicolás Genen" <nge...(a)gmail.com> wrote:
> > > > I have tried to do it by "simple" ways, but when I need to link my driver with
> > > > ntdll.lib it doesn't load anymore. I need to find a simple or complex way to
> > > > do it.
> > > >
> > > > Thanks in advance!
> > > >
> > > > Nicolás
> > >
> > > What are your "simple" ways?
> > > My way is SSDT hooking. But this way cannot run on x64 systems such as
> > > WinXP 64 and Vista 64.
> > >
> > > 1. Get the IDs of these functions from the exported functions of ntdll.dll.
> > >    These IDs are the indexes into the SSDT service function array.
> > > 2. Import KeServiceDescriptorTable in your driver.
> > > 3. Get the service functions from the SSDT by ID.
> > > 4. Save the address of the service function.
> > > 5. Copy the address of your hook routine into the SSDT by ID.
> > >
> > > Then you must call the original service function in your hook routine, or
> > > return a failure to user mode.
> > > Enjoy. ;^)

Don't forget to enable write-protect of memory. InterlockedXXX is only useful on multi-core systems. You must stop thread context swaps. You must do something like this:

    DWORD nOldProtect;
    __asm {
        cli                     ; clear interrupt bit, stop the swap thread context
        push eax
        mov eax, cr0
        mov nOldProtect, eax
        and eax, 0xFFFEFFFF     ; 0x10000: this bit is the write-protect bit of the CPU
        mov cr0, eax
        pop eax
    }

    /* do your hooking */

    __asm {
        push eax
        mov eax, nOldProtect
        mov cr0, eax
        pop eax
        sti                     ; set interrupt bit
    }

I think that's all you need.

To Don Burn:
A system filter driver is the best way. But I think Windows can't filter memory access in all versions. Maybe you mean object callbacks? Those are only available in Vista SP1 (build 6001). Do you have a better way to filter memory access such as NtWriteVirtualMemory, NtReadVirtualMemory, etc.?
From: Nicolás Genen on 24 Apr 2008 00:35

Doskey you are amazing :)

By the way, I solved it using these macros.

    #define HOOK_ID(functionId, newPointer2Function, oldPointer2Function ) \
        oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) \
            &NewSystemCallTable[functionId], (LONG) newPointer2Function)

    #define UNHOOK_ID(functionId, oldPointer2Function) \
        InterlockedExchange( (PLONG) \
            &NewSystemCallTable[functionId], (LONG) oldPointer2Function)

Then, for example, to hook ZwReadVirtualMemory:

    HOOK_ID(186, NewZwReadVirtualMemory, OldZwReadVirtualMemory);

and then the unhook:

    UNHOOK_ID(186, OldZwReadVirtualMemory);

so I can hook system calls without having them defined ^^

It works. If I need or should do something else, please let me know!

Regards,
Nico.
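Added editor's example, not code posted by doskey, Nicolás Genen or Don Burn: the pattern the two posts above describe (read the service index out of the ntdll stub, InterlockedExchange the SSDT entry, have the hook either call the original or fail the call, then swap the original back) rendered as a host-runnable C simulation. The table, the stub bytes, the process IDs, the deny policy and the `dispatch` function are constructed stand-ins for KeServiceDescriptorTable, ntdll.dll and the system-call dispatcher. Two things are added over the macros in the thread: the stub's first byte is checked to be `mov eax, imm32` before the index is trusted, and an in-flight counter makes the unhook wait for callers still inside the hook, which is the unload problem Don Burn raises. CR0.WP handling is kernel-only and is not simulated.

```c
/* Host-runnable simulation of x86 SSDT hooking as discussed in the thread.
 * Everything here is a constructed stand-in: g_ssdt for the service table,
 * read_vm_stub for ntdll!NtReadVirtualMemory, dispatch() for KiSystemService. */
#include <stdatomic.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSDT_SIZE 256                    /* assumption: small stand-in table */
#define READ_VM_ID 186                   /* index the thread uses for ZwReadVirtualMemory */
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u

/* Simplified service signature: (caller pid, target pid) -> NTSTATUS. */
typedef uint32_t (*svc_fn)(uint32_t caller_pid, uint32_t target_pid);

/* Constructed bytes in the shape of an XP-era ntdll stub:
 *   B8 BA 00 00 00   mov eax, 0BAh       ; service index 186
 *   BA 00 03 FE 7F   mov edx, 7FFE0300h  ; SystemCallStub pointer
 *   FF 12            call [edx]
 *   C2 14 00         ret 14h */
static const uint8_t read_vm_stub[] = { 0xB8, 0xBA, 0x00, 0x00, 0x00, 0xBA, 0x00,
                                        0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x14, 0x00 };
/* Constructed non-stub export (hotpatch prologue: mov edi,edi; push ebp; mov ebp,esp). */
static const uint8_t bogus_stub[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* HOOK_INDEX in the thread reads *(ULONG*)(stub+1) unconditionally. This version
 * first checks for opcode B8 (mov eax, imm32), so a non-stub export or a patched
 * ntdll is rejected instead of yielding a garbage index. Returns 0 on success. */
int ssdt_index_from_stub(const uint8_t *stub, size_t len, uint32_t *index)
{
    uint32_t imm;
    if (len < 5 || stub[0] != 0xB8) return -1;
    memcpy(&imm, stub + 1, sizeof imm);    /* little-endian imm32, no misaligned load */
    if (imm >= SSDT_SIZE) return -1;
    *index = imm;
    return 0;
}

/* Convenience wrapper: index or -1. */
int index_of(const uint8_t *stub, size_t len)
{
    uint32_t i;
    return ssdt_index_from_stub(stub, len, &i) == 0 ? (int)i : -1;
}

static _Atomic(svc_fn) g_ssdt[SSDT_SIZE];  /* stand-in for ServiceTableBase */
static int g_orig_calls, g_hook_calls;
static svc_fn g_old_read_vm;               /* the macros' oldPointer2Function */
static atomic_int g_inflight;              /* hook activations still running */
static const uint32_t g_protected_pid = 4242;  /* constructed policy: nobody reads this pid */

/* Stand-in for the kernel's real NtReadVirtualMemory. */
static uint32_t orig_read_vm(uint32_t caller_pid, uint32_t target_pid)
{
    (void)caller_pid; (void)target_pid;
    g_orig_calls++;
    return STATUS_SUCCESS;
}

/* The hook: deny reads of the protected process, otherwise pass through. */
static uint32_t hook_read_vm(uint32_t caller_pid, uint32_t target_pid)
{
    uint32_t status;
    atomic_fetch_add(&g_inflight, 1);
    g_hook_calls++;
    if (target_pid == g_protected_pid && caller_pid != target_pid)
        status = STATUS_ACCESS_DENIED;                    /* "return a failure to user mode" */
    else
        status = g_old_read_vm(caller_pid, target_pid);   /* "call the original service function" */
    atomic_fetch_sub(&g_inflight, 1);
    return status;
}

/* HOOK_ID / UNHOOK_ID with atomic_exchange standing in for InterlockedExchange. */
svc_fn ssdt_hook(uint32_t index, svc_fn new_fn)
{
    return atomic_exchange(&g_ssdt[index], new_fn);
}

void ssdt_unhook(uint32_t index, svc_fn old_fn)
{
    atomic_exchange(&g_ssdt[index], old_fn);
    /* A thread that read the entry just before the exchange may still be inside
     * the hook; wait for it to leave before the hook's code could be unloaded. */
    while (atomic_load(&g_inflight) != 0) { /* spin */ }
}

/* Stand-in for the system-call dispatcher: index the table and call through. */
uint32_t dispatch(uint32_t index, uint32_t caller_pid, uint32_t target_pid)
{
    svc_fn fn = atomic_load(&g_ssdt[index]);
    return fn(caller_pid, target_pid);
}

/* Full round trip; returns 0 on success or the number of the failing step. */
int run_demo(void)
{
    uint32_t idx;
    g_orig_calls = g_hook_calls = 0;
    atomic_store(&g_inflight, 0);
    atomic_store(&g_ssdt[READ_VM_ID], orig_read_vm);        /* populate the table */
    if (ssdt_index_from_stub(bogus_stub, sizeof bogus_stub, &idx) == 0) return 1;
    if (ssdt_index_from_stub(read_vm_stub, sizeof read_vm_stub, &idx) != 0) return 2;
    if (idx != READ_VM_ID) return 3;
    g_old_read_vm = ssdt_hook(idx, hook_read_vm);
    if (dispatch(idx, 1000, 4242) != STATUS_ACCESS_DENIED) return 4;   /* blocked by hook */
    if (dispatch(idx, 1000, 1001) != STATUS_SUCCESS) return 5;         /* passed through */
    if (g_hook_calls != 2 || g_orig_calls != 1) return 6;
    ssdt_unhook(idx, g_old_read_vm);
    if (dispatch(idx, 1000, 4242) != STATUS_SUCCESS) return 7;         /* original restored */
    if (g_hook_calls != 2 || g_orig_calls != 2) return 8;
    return 0;
}
```

Call `run_demo()` to exercise the whole sequence; it returns 0 when the index check, the deny path, the pass-through path and the restore all behave as expected. On a real x86 kernel the two things that cannot be simulated here still apply: the entry is only writable with CR0.WP cleared, and the spin on `g_inflight` is what makes the "driver can never be unloaded" objection tractable, since without it a thread that fetched the hook pointer just before `ssdt_unhook` can return into freed driver code.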