C/C++知识点之IDT hook

摘要:本文给出一段经典的 32 位 x86 Windows 内核驱动示例:用 sidt 取得当前处理器的 IDT 基址,把 0x30 号中断门中的处理程序地址改写为自己的裸函数(naked function),在跳回原始 ISR 之前对中断次数计数,并在驱动卸载时把原始地址写回。代码只适用于 32 位 x86 的实验环境,目的是理解 IDT hook 的原理。

下面的驱动代码来自经典的 IDT hook 教学示例。阅读时注意几个原始代码里容易忽略的点:sidt 只返回当前处理器的 IDT,多处理器系统上每个 CPU 各有一张表;cli/sti 只屏蔽本 CPU 的中断;裸函数在调用 C 函数之前应保存会被破坏的寄存器和标志位;卸载时应先确认表项仍指向自己的 hook,否则会破坏后来者挂上的 hook 链。


#include "ntddk.h"
#include <stdio.h>   /* _snprintf; the header name was lost from the original listing */
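// Reassemble a 32-bit value from two 16-bit halves: a = low word, b = high word.
// Used to rebuild an ISR address from an IDTENTRY's split offset fields and the
// IDT base from the two halves in IDTINFO.  Both arguments are truncated to 16
// bits first, so passing a wider value in either slot only keeps its low word.
#define MAKELONG(a, b) ((unsigned long) (((unsigned long) ((unsigned short) (a))) | (((unsigned long) ((unsigned short) (b))) << 16)))

// An x86 IDT holds at most 256 (0x100) vectors, numbered 0..255.  The table
// walk in DriverEntry uses this as `count < MAX_IDT_ENTRIES`, so the old value
// of 0xFF silently skipped vector 255.  The size of the table actually present
// comes from the IDTR limit (IDTINFO.IDTLimit); this is only the ceiling.
#define MAX_IDT_ENTRIES 0x100

// The vector this driver hooks.  0x30 is where the legacy PIC HAL on 32-bit
// Windows maps IRQ0 (the system timer); APIC HALs lay vectors out differently,
// so confirm against the IDT dump that DriverEntry prints before relying on it.
#define NT_INT_TIMER    0x30

// Number of times the hooked vector has fired since the driver loaded.
// Incremented from interrupt context by count_syscall, read in OnUnload.
unsigned long g_i_count = 0;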

///////////////////////////////////////////////////
// IDT structures
///////////////////////////////////////////////////
#pragma pack(1)

// One 8-byte 32-bit x86 IDT descriptor, laid out exactly as the CPU reads it
// (hence pack(1) and the fixed-width members).  The handler address is split
// across LowOffset and HiOffset; MAKELONG reassembles it.  The four bit-fields
// together form descriptor byte 5, in the order type, S, DPL, P from the low
// bit up -- this relies on the compiler allocating unsigned char bit-fields
// starting at the low bit, which MSVC (and GCC on x86) do.
typedef struct
{
  unsigned short LowOffset;   // bits 0..15 of the ISR address
  unsigned short selector;    // code segment selector the ISR runs in
  unsigned char unused_lo;    // reserved for interrupt/trap gates
  unsigned char segment_type:4;  // gate type; 0x0E is a 32-bit interrupt gate
  unsigned char system_segment_flag:1;    // S bit; 0 = system descriptor (gates are system descriptors)
  unsigned char DPL:2;         // descriptor privilege level: highest ring number allowed to raise this vector with a software INT
  unsigned char P:1;            // present bit; 0 means the vector is not in use
  unsigned short HiOffset;   // bits 16..31 of the ISR address
} IDTENTRY;

// Equivalent two-member form of the IDTR image, kept for reference.  IDTINFO
// below splits the base into two 16-bit halves instead so it can be
// reassembled with MAKELONG.
//typedef struct _IDTR
//{
//  USHORT    limit;   // table size in bytes minus one (2 bytes)
//  ULONG    base;    // linear address of the first entry (4 bytes)
//}IDTR, *PIDTR;
/* sidt returns idt in this format */
// 48-bit IDTR image as stored by `sidt`: a 16-bit limit followed by a 32-bit base.
typedef struct
{
  unsigned short IDTLimit;  // table size in bytes minus one; (IDTLimit + 1) / sizeof(IDTENTRY) gates are present
  unsigned short LowIDTbase;// bits 0..15 of the table's linear base address
  unsigned short HiIDTbase; // bits 16..31 of the table's linear base address
} IDTINFO;
#pragma pack()
// Original handler address for NT_INT_TIMER.  DriverEntry fills it in just
// before patching the gate; my_interrupt_hook tail-jumps through it and
// OnUnload writes it back.  Static storage, so it is 0 until the hook is installed.
unsigned long old_ISR_pointer;  // better save the old one!!

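// Driver unload: put the original handler for NT_INT_TIMER back into the IDT.
//
// DriverObject is unused.  DriverUnload cannot fail, so every problem found
// here is only reported through DbgPrint.
//
// The original listing was missing the opening brace of this function.
//
// Like DriverEntry, this works on the IDT of whichever processor the thread is
// running on when `sidt` executes.  The thread is not pinned to a processor,
// so on a multiprocessor system (where each processor has its own table) it
// may not be the table DriverEntry patched; that limitation is inherited from
// the original design and not addressed here.
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
  IDTINFO    idt_info;     // IDTR image obtained with `sidt`
  IDTENTRY*  idt_entries;  // table base reassembled from idt_info
  unsigned long current;   // handler currently installed for NT_INT_TIMER

  // my_interrupt_hook is defined further down this file; declared here so the
  // comparison below does not depend on an implicit declaration.
  extern int my_interrupt_hook();

  (void)DriverObject;

  DbgPrint("ROOTKIT: OnUnload called\n");
  DbgPrint("ROOTKIT: hooked vector fired %lu times\n", g_i_count);

  // Nothing was saved, so there is nothing to restore (DriverEntry bailed out
  // before installing the hook).  Writing 0 into the gate would be far worse.
  if (old_ISR_pointer == 0)
  {
    DbgPrint("ROOTKIT: no saved ISR, leaving the IDT untouched\n");
    return;
  }

  __asm  sidt  idt_info
  idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase, idt_info.HiIDTbase);

  // If the gate no longer points at my_interrupt_hook, someone hooked after us
  // (or this is a different processor's table).  Restoring the saved pointer
  // still beats leaving the gate pointing into an image that is about to be
  // unmapped, but the later hook is dropped and its own saved "old" pointer is
  // now stale, so say so loudly.
  current = MAKELONG(idt_entries[NT_INT_TIMER].LowOffset, idt_entries[NT_INT_TIMER].HiOffset);
  if (current != (unsigned long) my_interrupt_hook)
  {
    DbgPrint("ROOTKIT: WARNING vector 0x%02X points at 0x%08lX, not at our hook; "
             "hook chain broken, restoring 0x%08lX anyway\n",
             NT_INT_TIMER, current, old_ISR_pointer);
  }

  DbgPrint("ROOTKIT: UnHooking Interrupt...\n");

  // Mask interrupts on this processor while the two 16-bit halves are written,
  // so the vector cannot fire between them with a torn address.  pushfd/popfd
  // put the interrupt flag back the way it was instead of blindly `sti`-ing.
  __asm pushfd
  __asm cli
  idt_entries[NT_INT_TIMER].LowOffset = (unsigned short) old_ISR_pointer;
  idt_entries[NT_INT_TIMER].HiOffset = (unsigned short)((unsigned long)old_ISR_pointer >> 16);
  __asm popfd

  DbgPrint("ROOTKIT: UnHooking Interrupt complete.\n");
}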

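// Count one firing of the hooked vector.  Called from my_interrupt_hook in
// interrupt context, before the original ISR runs, so it must stay tiny, must
// not block, and must not touch pageable memory.
//
// system_call_number: the interrupted context's EAX, pushed by the naked hook.
//   On vector 0x2E that would be the system-service index; on a hardware
//   interrupt vector it is simply whatever the interrupted code held in EAX.
//   Unused here.
//
// __stdcall: the callee pops its own argument, so the hook's `push eax; call`
// sequence leaves ESP where it started with no `add esp, 4` needed.
void __stdcall count_syscall( unsigned long system_call_number )
{
  (void)system_call_number;

  // Interlocked rather than `++`: should this hook ever be installed on more
  // than one processor's IDT, a plain read-modify-write would lose counts.
  InterlockedIncrement((volatile LONG *)&g_i_count);
}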

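// Naked: the compiler emits no prologue/epilogue, so the body is exactly the
// instructions below and on entry the stack is still the CPU's interrupt
// frame.  The gate for NT_INT_TIMER is rewritten to point here; the hook calls
// count_syscall and then tail-jumps to the original handler.
//
// pushad/pushfd: count_syscall is ordinary C and is free to clobber EAX, ECX,
// EDX and the flags.  Without saving them the original ISR -- and, through its
// trap frame, the interrupted thread -- would see corrupted registers.  The
// original listing pushed only the EAX argument and preserved nothing.
//
// push eax / call: count_syscall is __stdcall, so the callee pops the argument
// and ESP is back where it was before the push.
//
// jmp old_ISR_pointer: an indirect jump through the variable (MSVC's inline
// assembler treats a data symbol used this way as a memory operand), so the
// original ISR runs on an untouched interrupt frame and its IRET returns
// straight to the interrupted code.  This function never returns to C.
__declspec(naked) my_interrupt_hook()
{
  __asm
  {
    pushad
    pushfd
    push  eax
    call  count_syscall
    popfd
    popad
    jmp   old_ISR_pointer
  }
}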

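// Driver entry point: dump the IDT, then redirect vector NT_INT_TIMER through
// my_interrupt_hook, saving the original handler in old_ISR_pointer for OnUnload.
//
// theDriverObject: receives DriverUnload = OnUnload.
// theRegistryPath: unused.
// Returns STATUS_SUCCESS once the hook is installed, or STATUS_UNSUCCESSFUL
// (IDT untouched, old_ISR_pointer left at 0) if the vector lies beyond this
// table's limit or its gate is not marked present.
//
// Scope and caveats, all inherited from the original design:
//  - 32-bit x86 only: 8-byte gates, 32-bit addresses, MSVC inline asm.
//  - `sidt` reports the IDT of the processor this thread is on right now.  On
//    a multiprocessor system each processor has its own table, the thread is
//    not pinned (no KeSetSystemAffinityThread), and only the table seen here
//    is patched; a migration between `sidt` and the writes would even patch a
//    table whose processor has interrupts enabled.
//  - cli/sti only mask interrupts on the local processor.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
  IDTINFO        idt_info;     // IDTR image obtained with `sidt`
  IDTENTRY*      idt_entries;  // table base reassembled from idt_info
  IDTENTRY*      entry;        // gate being examined or patched
  unsigned long  n_entries;    // number of gates the IDTR limit actually covers
  unsigned long  vector;
  unsigned long  hook_addr = (unsigned long) my_interrupt_hook;

  (void)theRegistryPath;
  theDriverObject->DriverUnload = OnUnload;

  __asm  sidt  idt_info
  idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase, idt_info.HiIDTbase);

  // The limit is the table size in bytes minus one.  Walk only the gates that
  // are really there, capped at the architectural maximum, instead of a fixed
  // count that could run past the end of a smaller table.
  n_entries = ((unsigned long) idt_info.IDTLimit + 1) / sizeof(IDTENTRY);
  if (n_entries > MAX_IDT_ENTRIES)
    n_entries = MAX_IDT_ENTRIES;

  DbgPrint("ROOTKIT: IDT at 0x%08lX, %lu entries\n", (unsigned long) idt_entries, n_entries);
  for (vector = 0; vector < n_entries; vector++)
  {
    entry = &idt_entries[vector];
    DbgPrint("ROOTKIT: Interrupt %lu: ISR 0x%08lX%s\n",
             vector,
             MAKELONG(entry->LowOffset, entry->HiOffset),
             entry->P ? "" : " (not present)");
  }

  // Refuse to index past the table: the write would land outside it.
  if (NT_INT_TIMER >= n_entries)
  {
    DbgPrint("ROOTKIT: vector 0x%02X is beyond this IDT (%lu entries), not hooking\n",
             NT_INT_TIMER, n_entries);
    return STATUS_UNSUCCESSFUL;
  }

  entry = &idt_entries[NT_INT_TIMER];

  // Refuse to patch a gate that is not in use: the hook would never run and
  // the "original" address saved for OnUnload would be meaningless.
  if (!entry->P)
  {
    DbgPrint("ROOTKIT: vector 0x%02X is not present, not hooking\n", NT_INT_TIMER);
    return STATUS_UNSUCCESSFUL;
  }

  old_ISR_pointer = MAKELONG(entry->LowOffset, entry->HiOffset);
  DbgPrint("ROOTKIT: Hooking Interrupt 0x%02X: 0x%08lX -> 0x%08lX\n",
           NT_INT_TIMER, old_ISR_pointer, hook_addr);

  // Mask interrupts on this processor while the two 16-bit halves are written,
  // so the vector cannot fire between them with a torn address.  pushfd/popfd
  // put the interrupt flag back the way it was instead of blindly `sti`-ing.
  __asm pushfd
  __asm cli
  entry->LowOffset = (unsigned short) hook_addr;
  entry->HiOffset  = (unsigned short)(hook_addr >> 16);
  __asm popfd

  DbgPrint("ROOTKIT: Hooking Interrupt complete\n");

  return STATUS_SUCCESS;
}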

   

本文由 @小标 发布于职坐标。未经许可,禁止转载。