Re[4]: NtCreateFile отличить путь к файлу от pipe, etc
От: sergey77666 Марс  
Дата: 02.01.18 11:36
Здравствуйте, Alexander G, Вы писали:

S>>Чем лучше?


AG>Штатностью, соответственно совместимостью.


А конкретнее?
Берём новый ноутбук с Win10 x64: будут ли работать хуки, если отключить проверку подписей?
// Install an SSDT (System Service Descriptor Table) hook for the exported
// service named `apiname`, redirecting it to `newfunc`.
//
// Returns the HOOK record on success, or 0 when any step fails (table not
// found, name not resolvable, index out of range, no code cave, Hooklib
// failure). Every failure path except the unresolved-name case writes a
// Log line.
//
// NOTE(review): the InterlockedSet at the end rewrites a service-table
// entry in place. That is precisely the class of kernel modification that
// kernel patch protection and code-integrity checks exist to catch; a
// driver doing this is a strong signal in a forensic review of a system.
HOOK SSDT::Hook(const char* apiname, void* newfunc)
{
    // Locate the SSDT descriptor; nothing can be done without it.
    SSDTStruct* SSDT = SSDTfind();
    if(!SSDT)
    {
        Log("SSDT not found...\r\n");
        return 0;
    }
    // Base of the service table. The encode/decode arithmetic below treats
    // table entries as offsets relative to this base.
    ULONG_PTR SSDTbase = (ULONG_PTR)SSDT->pServiceTable;
    if(!SSDTbase)
    {
        Log("ServiceTable not found...\r\n");
        return 0;
    }
    // Resolve the service index from the export name; -1 means the name
    // could not be resolved (this path fails silently, no Log line).
    int FunctionIndex = NTDLL::GetExportSsdtIndex(apiname);
    if(FunctionIndex == -1)
        return 0;
    // Bounds-check the index against the table size before indexing.
    if((ULONGLONG)FunctionIndex >= SSDT->NumberOfServices)
    {
        Log("nvalid API offset...\r\n");
        return 0;
    }

    HOOK hHook = 0;
    // Current table entry. As the `>> 4` / `<< 4` arithmetic below shows,
    // the upper bits hold an offset from SSDTbase and the low 4 bits are
    // carried over verbatim (presumably the stack-argument count — confirm).
    LONG oldValue = SSDT->pServiceTable[FunctionIndex];
    LONG newValue;

    /*
    x64 SSDT Hook;
    1) find API addr
    2) get code page+size
    3) find cave address
    4) hook cave address (using hooklib)
    5) change SSDT value
    */

    // Cached across calls: the code region is located only once, on the
    // first call that reaches this point, and reused afterwards.
    // NOTE(review): function-local statics with no synchronization — only
    // safe if callers serialize Hook(); confirm.
    static ULONG CodeSize = 0;
    static PVOID CodeStart = 0;
    if(!CodeStart)
    {
        ULONG_PTR Lowest = SSDTbase;
        // Highest appears to mirror the offset range representable after the
        // `<< 4` encoding below, but it is only used in the Log line that
        // follows; the upper bound is not enforced anywhere in this block.
        ULONG_PTR Highest = Lowest + 0x0FFFFFFF;
        Log("Range: 0x%p-0x%p\r\n", Lowest, Highest);
        CodeSize = 0;
        // Find the code page containing the current (unhooked) service
        // address; `(oldValue >> 4) + SSDTbase` is the decode of the entry.
        CodeStart = PE::GetPageBase(Undocumented::GetKernelBase(), &CodeSize, (PVOID)((oldValue >> 4) + SSDTbase));
        if(!CodeStart || !CodeSize)
        {
            Log("PeGetPageBase failed...\r\n");
            return 0;
        }
        Log("CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize);
        // Clamp the lower bound so every candidate cave lies at or above
        // SSDTbase (offsets are encoded relative to it).
        if((ULONG_PTR)CodeStart < Lowest)  //start of the page is out of range (impossible, but whatever)
        {
            CodeSize -= (ULONG)(Lowest - (ULONG_PTR)CodeStart);
            CodeStart = (PVOID)Lowest;
            Log("CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize);
        }
        Log("Range: 0x%p-0x%p\r\n", CodeStart, (ULONG_PTR)CodeStart + CodeSize);
    }

    // Look for unused space inside the located code range large enough to
    // hold one HOOKOPCODES stub; the stub, not the service itself, is what
    // the table will point at.
    PVOID CaveAddress = FindCaveAddress(CodeStart, CodeSize, sizeof(HOOKOPCODES));
    if(!CaveAddress)
    {
        Log("FindCaveAddress failed...\r\n");
        return 0;
    }
    Log("CaveAddress: 0x%p\r\n", CaveAddress);

    // Hooklib writes the stub into the cave and returns the HOOK record.
    hHook = Hooklib::Hook(CaveAddress, (void*)newfunc);
    if(!hHook)
        return 0;

    // Encode the new entry: cave offset from the table base in the upper
    // bits, original low nibble preserved. (`&` binds tighter than `|`,
    // so this is `(newValue << 4) | (oldValue & 0xF)` as intended.)
    newValue = (LONG)((ULONG_PTR)CaveAddress - SSDTbase);
    newValue = (newValue << 4) | oldValue & 0xF;

    //update HOOK structure
    // Record what was replaced (presumably for later unhooking — confirm);
    // SSDTaddress is the decoded original service address.
    hHook->SSDTindex = FunctionIndex;
    hHook->SSDTold = oldValue;
    hHook->SSDTnew = newValue;
    hHook->SSDTaddress = (oldValue >> 4) + SSDTbase;

    // Publish the new entry atomically. This single write is the kernel
    // modification that integrity checks would flag.
    InterlockedSet(&SSDT->pServiceTable[FunctionIndex], newValue);

    Log("SSDThook(%s:0x%p, 0x%p)\r\n", apiname, hHook->SSDTold, hHook->SSDTnew);

    return hHook;
}

Hooklib----

// Allocate a HOOK record for `addr` and overwrite the code at `addr` with a
// small absolute-jump stub to `newfunc`, keeping a copy of the bytes that
// were overwritten.
//
// Returns the record, or 0 if the code patch could not be applied (the
// record is freed in that case).
//
// NOTE(review): the RtlAllocateMemory result is dereferenced without a null
// check (`hook->addr = addr`). Presumably this wrapper never returns null on
// the pool it uses — confirm, otherwise a null check belongs here.
static HOOK hook_internal(ULONG_PTR addr, void* newfunc)
{
    //allocate structure
    HOOK hook = (HOOK)RtlAllocateMemory(true, sizeof(HOOKSTRUCT));
    //set hooking address
    hook->addr = addr;
    //set hooking opcode
    // The stub is "mov rax/eax, imm ; push rax/eax ; ret": an absolute jump
    // that clobbers rax/eax. A fixed byte pattern like this written into a
    // kernel code page is the kind of signature memory-integrity scanners
    // can look for.
#ifdef _WIN64
    hook->hook.mov = 0xB848;   // bytes 48 B8 (little-endian): REX.W mov rax, imm64
#else
    hook->hook.mov = 0xB8;     // mov eax, imm32
#endif
    hook->hook.addr = (ULONG_PTR)newfunc;
    hook->hook.push = 0x50;    // push rax (push eax on x86)
    hook->hook.ret = 0xc3;     // ret: transfers control to the pushed address
    //set original data
    // Keep the sizeof(HOOKOPCODES) bytes being replaced (presumably so the
    // patch can be undone — confirm against the unhook path).
    RtlCopyMemory(&hook->orig, (const void*)addr, sizeof(HOOKOPCODES));
    // RtlSuperCopyMemory is expected to handle writing into a code page;
    // its NTSTATUS is the only failure this function checks.
    if(!NT_SUCCESS(RtlSuperCopyMemory((void*)addr, &hook->hook, sizeof(HOOKOPCODES))))
    {
        RtlFreeMemory(hook);
        return 0;
    }
    return hook;
}
Отредактировано 02.01.2018 11:36 sergey77666 . Предыдущая версия .
 