摘要:本文介绍 C/C++ 知识点之 IDT hook(中断描述符表挂钩),通过一个完整的 Windows x86 内核驱动示例,展示如何用 sidt 读取当前 CPU 的 IDT、替换指定中断向量的处理程序地址,并在驱动卸载时恢复原处理程序,希望对大家学习 C/C++ 知识点有所帮助。
本文主要向大家介绍了C/C++知识点之IDT hook,通过具体的内容向大家展示,希望对大家学习C/C++知识点有所帮助。
#include "ntddk.h"
#include
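// Combine two 16-bit halves into one 32-bit value: `a` becomes the low word,
// `b` the high word. Both arguments are truncated to 16 bits first, and every
// operand is parenthesized so the macro is safe to use in any expression.
#define MAKELONG(a, b) (((unsigned long)((unsigned short)(a))) | (((unsigned long)((unsigned short)(b))) << 16))
// An x86 IDT holds at most 256 gate descriptors (vectors 0x00..0xFF).
// The enumeration loop uses this as a count, so it must be 0x100, not 0xFF
// (0xFF silently skipped the last vector).
#define MAX_IDT_ENTRIES 0x100
// Interrupt vector this driver hooks. The tutorial labels 0x30 as the timer
// interrupt; the actual owner of a vector depends on the HAL/platform.
#define NT_INT_TIMER 0x30
// Number of times the hook has fired. Incremented from the interrupt path
// (count_syscall) and read back in OnUnload.
unsigned long g_i_count = 0;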
///////////////////////////////////////////////////
// IDT structures
///////////////////////////////////////////////////
#pragma pack(1)
// One IDT gate descriptor (8 bytes, 32-bit x86). For an interrupt gate the
// handler (ISR) address is split across LowOffset/HiOffset; reassemble it
// with MAKELONG(LowOffset, HiOffset).
// NOTE(review): the byte of bit-fields relies on the compiler laying them out
// LSB-first so that they line up with the hardware descriptor format; this
// holds for MSVC, which is what the inline asm below already requires.
typedef struct
{
unsigned short LowOffset; // 2 bytes: low 16 bits of the ISR address
unsigned short selector; // 2 bytes: code segment selector of the ISR
unsigned char unused_lo; // 1 byte: reserved
unsigned char segment_type:4; // gate type; 0x0E is a 32-bit interrupt gate
unsigned char system_segment_flag:1; // 0 for an interrupt gate
unsigned char DPL:2; // descriptor privilege level of the gate
unsigned char P:1; // present bit: 1 if this vector has a valid handler
unsigned short HiOffset; // 2 bytes: high 16 bits of the ISR address
} IDTENTRY;
// Alternative layout of the SIDT result, kept for reference (unused):
//typedef struct _IDTR
//{
// USHORT limit; // size of the whole table in bytes, 2 bytes
// ULONG base; // linear address of the first IDT entry, 4 bytes
//}IDTR, *PIDTR;
/* sidt returns idt in this format */
// 48 bits: a 16-bit limit followed by the 32-bit linear base address of the
// table, which MAKELONG(LowIDTbase, HiIDTbase) reassembles.
typedef struct
{
unsigned short IDTLimit; // 2 bytes: byte offset of the last valid byte of the table (size - 1)
unsigned short LowIDTbase;// 2 bytes: low 16 bits of the IDT base address
unsigned short HiIDTbase; // 2 bytes: high 16 bits of the IDT base address
} IDTINFO;
#pragma pack()
// 4 bytes: the handler address that sat in the hooked IDT slot before
// DriverEntry replaced it. my_interrupt_hook jumps through it after its own
// work, and OnUnload writes it back, so it must be captured before the
// table is patched. Zero means "nothing saved yet".
unsigned long old_ISR_pointer; // better save the old one!!
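// Driver unload routine: logs how often the hook fired and puts the original
// handler address back into the hooked IDT slot.
//
// DriverObject: the driver being unloaded (unused here).
//
// NOTE(review): `cli`/`sti` mask interrupts on the current processor only, and
// on multiprocessor Windows each processor has its own IDT, so `sidt` here
// returns the table of whichever CPU OnUnload happens to run on. That need not
// be the CPU whose table DriverEntry patched; the hook may remain installed on
// another CPU after the driver image is gone.
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    IDTINFO idt_info;      // filled by SIDT: limit and base of this CPU's IDT
    IDTENTRY* idt_entries; // the table itself, reconstructed from idt_info

    (void)DriverObject;

    // load idt_info
    __asm sidt idt_info
    idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase, idt_info.HiIDTbase);

    DbgPrint("ROOTKIT: OnUnload called\n");
    // The format string is a literal and the counter is an argument. The old
    // code pre-formatted the text into a buffer and then passed that buffer as
    // DbgPrint's format string, which is the format-string anti-pattern.
    DbgPrint("called %lu times", g_i_count);
    DbgPrint("UnHooking Interrupt...");

    // Only restore what DriverEntry actually saved: writing a zero handler
    // address into the IDT would be worse than leaving the hook in place.
    if (old_ISR_pointer == 0)
    {
        DbgPrint("UnHooking Interrupt skipped: no saved handler");
        return;
    }

    // Interrupts off on this CPU while the two halves of the address are
    // written, so vector NT_INT_TIMER cannot fire between them here.
    __asm cli
    idt_entries[NT_INT_TIMER].LowOffset = (unsigned short) old_ISR_pointer;
    idt_entries[NT_INT_TIMER].HiOffset = (unsigned short)(old_ISR_pointer >> 16);
    __asm sti
    DbgPrint("UnHooking Interrupt complete.");
}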
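// Called by my_interrupt_hook for every interrupt arriving on the hooked
// vector. It runs in interrupt context, before the original ISR has built
// its trap frame, so it must stay minimal and must not block.
//
// __stdcall matters: the callee pops its own argument, which is what the
// hook's `push eax` / `call` sequence relies on to keep the stack balanced.
//
// system_call_number: the interrupted context's eax (the syscall number only
// when the hooked vector is the system-call gate); unused here.
void __stdcall count_syscall( unsigned long system_call_number )
{
    (void)system_call_number; // keep the stdcall signature the hook expects

    // Not an atomic increment. This is only safe while the hook lives in a
    // single processor's IDT and the interrupt gate keeps further interrupts
    // masked on that CPU for the duration of the call.
    // NOTE(review): if the hook were installed on every processor's IDT, this
    // would need an interlocked increment to avoid lost updates.
    g_i_count++;
}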
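// Replacement handler written into the IDT slot for NT_INT_TIMER.
//
// Naked: no prolog/epilog, so control arrives here straight from the CPU's
// interrupt dispatch with the interrupt frame on the stack and every
// register exactly as the interrupted code left it. The original ISR expects
// that state untouched, but count_syscall is ordinary compiled C and may use
// eax/ecx/edx (caller-saved under stdcall). The old version called it with
// nothing saved, handing a corrupted eax to the real handler; all general
// registers and flags are now saved around the call.
//
// Stack accounting: pushad (32) + pushfd (4) + push eax (4); the stdcall
// callee pops its 4-byte argument, popfd/popad undo the rest, so the frame
// the original ISR sees is exactly the one the CPU built.
__declspec(naked) void my_interrupt_hook(void)
{
    __asm
    {
        pushad               ; save all general-purpose registers
        pushfd               ; save flags
        push eax             ; interrupted context's eax -> count_syscall's argument
        call count_syscall   ; stdcall: callee pops the argument
        popfd
        popad
        jmp old_ISR_pointer  ; indirect jump through the saved original handler
    }
}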
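// Driver entry point: dumps the current CPU's IDT, saves the handler address
// for vector NT_INT_TIMER and replaces it with my_interrupt_hook.
//
// theDriverObject: this driver's object; its DriverUnload is set to OnUnload.
// theRegistryPath: registry key of the driver's service (unused).
// Returns STATUS_SUCCESS once the hook is installed, STATUS_UNSUCCESSFUL if
// the vector lies beyond the table the CPU reports.
//
// NOTE(review): `sidt` returns the IDT of the processor this routine runs on,
// and on multiprocessor Windows each processor has its own IDT, so only that
// one table is patched; `cli`/`sti` likewise mask interrupts on this CPU only.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    IDTINFO idt_info;        // filled by SIDT: limit and base of this CPU's IDT
    IDTENTRY* idt_entries;   // the table itself, reconstructed from idt_info
    IDTENTRY* i;
    unsigned long addr;
    unsigned long count;
    unsigned long n_entries; // descriptors actually present per the SIDT limit

    (void)theRegistryPath;

    // load idt_info
    __asm sidt idt_info
    idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase, idt_info.HiIDTbase);

    // IDTLimit is the byte offset of the last valid byte, so the table holds
    // (limit + 1) / sizeof(IDTENTRY) descriptors. Walk only what the CPU
    // reports instead of a fixed count, and never more than an IDT can hold.
    n_entries = ((unsigned long)idt_info.IDTLimit + 1) / sizeof(IDTENTRY);
    if (n_entries > MAX_IDT_ENTRIES)
        n_entries = MAX_IDT_ENTRIES;

    for (count = 0; count < n_entries; count++)
    {
        i = &idt_entries[count];
        addr = MAKELONG(i->LowOffset, i->HiOffset);
        // Literal format string with the values as arguments; the old code
        // pre-formatted into a buffer and passed the buffer as the format.
        DbgPrint("Interrupt %lu: ISR 0x%08lX", count, addr);
    }

    // Refuse to read or write a slot that is not part of the reported table.
    if (NT_INT_TIMER >= n_entries)
    {
        DbgPrint("Hooking Interrupt failed: vector is outside the IDT");
        return STATUS_UNSUCCESSFUL;
    }

    // Register the unload routine only once we are committed to hooking, so
    // OnUnload is never asked to restore a slot that was never patched.
    theDriverObject->DriverUnload = OnUnload;

    DbgPrint("Hooking Interrupt...");
    // Save the original handler first: my_interrupt_hook jumps through it and
    // OnUnload restores it.
    old_ISR_pointer = MAKELONG(idt_entries[NT_INT_TIMER].LowOffset, idt_entries[NT_INT_TIMER].HiOffset);
    // debug, use this if you want some additional info on what is going on
#if 0
    DbgPrint("old address for ISR is 0x%08lx", old_ISR_pointer);
    DbgPrint("address of my function is 0x%08lx", (unsigned long)my_interrupt_hook);
#endif

    // Interrupts off on this CPU while the two 16-bit halves are written, so
    // the vector cannot be taken through a half-updated descriptor here.
    __asm cli
    idt_entries[NT_INT_TIMER].LowOffset = (unsigned short)((unsigned long)my_interrupt_hook);
    idt_entries[NT_INT_TIMER].HiOffset = (unsigned short)((unsigned long)my_interrupt_hook >> 16);
    __asm sti

    // debug - use this if you want to check what is now placed in the interrupt vector
#if 0
    i = &idt_entries[NT_INT_TIMER];
    addr = MAKELONG(i->LowOffset, i->HiOffset);
    DbgPrint("Interrupt ISR 0x%08lX", addr);
#endif
    DbgPrint("Hooking Interrupt complete");
    return STATUS_SUCCESS;
}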