硬件斷點的實現需要依賴於調試寄存器
DR0~DR7 調試寄存器
DR0~DR3-----調試地址寄存器
DR4~DR5-----保留
DR6 -----調試狀態寄存器 指示哪個調試寄存器被命中
DR7 -----調試控制寄存器
關於Dr7寄存器每個標志位的解釋:
總結如下
DR7調試控制寄存器:
R/W0~R/W3:與DR0~DR3相對應,用來指定監控地址的訪問類型,表示意義如下:
00:僅當執行對應的地址時中斷
01:僅當寫入對應的地址時中斷
10:基本不用
11:讀取對應的地址時中斷,讀取指令的指令除外
LEN0~LEN3:與DR0~DR3相對應,用來指定監控地址的長度,意義如下:
00:一個字節長
01:兩個字節長
10:未定義或者代表8字節,具體視CPU而定
11:四個字節長
L0~L3:與DR0~DR3相對應,意思表示僅對當前
接下來看看兩個Windows提供的兩個API函數,GetThreadContext和SetThreadContext來獲取或者時設置線程的上下文,什么是線程的上下文,就是線程運行時的各種寄存器的信息,比如調試寄存器,浮點寄存器,控制寄存器等等,在應用層是不能直接操作Drx寄存器的值,但可以調用這兩個api來讀寫線程的上下文,來達到設置硬件斷點的目的,如果想對某個進程設置硬件斷點,就需要對它的每個線程都調用SetThreadContext()函數,設置Drx寄存器的值。
BOOL WINAPI GetThreadContext(
__in HANDLE hThread,
__inout LPCONTEXT lpContext
);
BOOL WINAPI SetThreadContext( __in HANDLE hThread, __in const CONTEXT *lpContext );
在SSDT表中對應的NtGetContextThread和NtSetContextThread
NTSTATUS
NtGetContextThread(
__in HANDLE ThreadHandle,
__inout PCONTEXT ThreadContext
)
NTSTATUS
NtSetContextThread(
__in HANDLE ThreadHandle,
__in PCONTEXT ThreadContext
)
這兩個函數都是調用了PsSet/GetContextThread函數
NTSTATUS
PsSetContextThread(
__in PETHREAD Thread,
__in PCONTEXT ThreadContext,
__in KPROCESSOR_MODE Mode
)
NTSTATUS
PsGetContextThread(
__in PETHREAD Thread,
__inout PCONTEXT ThreadContext,
__in KPROCESSOR_MODE Mode
)
我們可以對PsGet/SetContextTread函數Hook來達到對設置硬件斷點的一個過濾,對於目標進程獲取或者設置線程的Context進行處理。
oid __stdcall FilterSetGetContextThread( PETHREAD Thread, PCONTEXT Context, KPROCESSOR_MODE AccessMode) { __try{ if (AccessMode == UserMode) { //wrk 參數校驗 ProbeForReadSmallStructure(Context,sizeof(CONTEXT),PROBE_ALIGNMENT(CONTEXT)); }else{ *Context = *Context; } if (strstr(GetProcessNameByThread(Thread),"test.exe")!=NULL) { if (strstr((char*)PsGetCurrentProcess()+0x16c,"ollydbg") != NULL) { return; } //如果是要獲得調試寄存器的值,將Flags 的獲得調試寄存器清零, if (Context->ContextFlags | CONTEXT_DEBUG_REGISTERS) { Context->ContextFlags = ~CONTEXT_DEBUG_REGISTERS; } } }__except(EXCEPTION_EXECUTE_HANDLER){ return; } }
typedef NTSTATUS (*PSGETCONTEXTTHREAD)( PETHREAD Thread, PCONTEXT Context, KPROCESSOR_MODE AccessMode); typedef NTSTATUS (*PSSETCONTEXTTHREAD)( PETHREAD Thread, PCONTEXT Context, KPROCESSOR_MODE AccessMode); //global PSGETCONTEXTTHREAD PsGetContextThread; PSSETCONTEXTTHREAD PsSetContextThread; ULONG g_JmpGetContextThread; UCHAR g_cGetContextCode[5]; BOOLEAN g_bHookGetContextSuccess; ULONG g_JmpSetContextThread; UCHAR g_cSetContextCode[5]; BOOLEAN g_bHookSetContextSuccess; char* GetProcessNameByThread(PETHREAD Thread) { ULONG ProcessObj; if (MmIsAddressValid(Thread)) { ProcessObj = *(ULONG*)((ULONG)Thread + 0x150); return (char*)(ProcessObj+0x16C); } return 0; } void PageProtectOn() { __asm{//恢復內存保護 mov eax,cr0 or eax,10000h mov cr0,eax sti } } void PageProtectOff() { __asm{//去掉內存保護 cli mov eax,cr0 and eax,not 10000h mov cr0,eax } } BOOLEAN Jmp_HookFunction( IN ULONG Destination, IN ULONG Source, IN UCHAR *Ori_Code ) { ULONG Jmp_Offest; UCHAR Jmp_Code[5] = {0xE9}; KSPIN_LOCK lock; KIRQL irql; if (Destination==0||Source==0) { DbgPrint("Params error!"); return FALSE; } RtlCopyMemory(Ori_Code,(PVOID)Destination,5); Jmp_Offest = Source - Destination-5; *(ULONG*)&Jmp_Code[1] = Jmp_Offest; KeInitializeSpinLock (&lock ); KeAcquireSpinLock(&lock,&irql); PageProtectOff(); RtlCopyMemory((PVOID)Destination,Jmp_Code,5); PageProtectOn(); KeReleaseSpinLock (&lock,irql); return TRUE; } VOID Res_HookFunction( IN ULONG Destination, IN UCHAR *Ori_Code, IN ULONG Length ) { KSPIN_LOCK lock; KIRQL irql; if (Destination==0||Ori_Code==0){ return; } KeInitializeSpinLock (&lock ); KeAcquireSpinLock(&lock,&irql); PageProtectOff(); RtlCopyMemory((PVOID)Destination,Ori_Code,Length); PageProtectOn(); KeReleaseSpinLock (&lock,irql); } FORCEINLINE VOID ProbeForReadSmallStructure ( IN PVOID Address, IN SIZE_T Size, IN ULONG Alignment ) //wrk源碼 { ASSERT((Alignment == 1) || (Alignment == 2) || (Alignment == 4) || (Alignment == 8) || (Alignment == 16)); if ((Size == 0) || (Size >= 0x10000)) { ASSERT(0); ProbeForRead(Address, Size, Alignment); } else { if (((ULONG_PTR)Address & (Alignment - 1)) != 0) { ExRaiseDatatypeMisalignment(); } if ((PUCHAR)Address >= (UCHAR * const)MM_USER_PROBE_ADDRESS) { Address = (UCHAR * const)MM_USER_PROBE_ADDRESS; } _ReadWriteBarrier(); *(volatile UCHAR *)Address; } } void __stdcall FilterSetGetContextThread( PETHREAD Thread, PCONTEXT Context, KPROCESSOR_MODE AccessMode) { __try{ if (AccessMode == UserMode) { //wrk 參數校驗 ProbeForReadSmallStructure(Context,sizeof(CONTEXT),PROBE_ALIGNMENT(CONTEXT)); }else{ *Context = *Context; } if (strstr(GetProcessNameByThread(Thread),"test.exe")!=NULL) { if (strstr((char*)PsGetCurrentProcess()+0x16c,"ollydbg") != NULL) { return; } //如果是要獲得調試寄存器的值,將Flags 的獲得調試寄存器清零, if (Context->ContextFlags | CONTEXT_DEBUG_REGISTERS) { Context->ContextFlags = ~CONTEXT_DEBUG_REGISTERS; } } }__except(EXCEPTION_EXECUTE_HANDLER){ return; } } void __declspec(naked) NewGetContextThread() { __asm{ mov edi,edi push ebp mov ebp,esp push [ebp+0x10] push [ebp+0xc] push [ebp+0x8] call FilterSetGetContextThread mov esp,ebp pop ebp mov edi,edi push ebp mov ebp,esp jmp g_JmpGetContextThread } } void __declspec(naked) NewSetContextThread() { __asm{ mov edi,edi push ebp mov ebp,esp push [ebp+0x10] push [ebp+0xc] push [ebp+0x8] call FilterSetGetContextThread mov esp,ebp pop ebp mov edi,edi push ebp mov ebp,esp jmp g_JmpSetContextThread } } void HookSetGetContextThread() { g_JmpGetContextThread = (ULONG)PsGetContextThread + 0x5; g_bHookGetContextSuccess = Jmp_HookFunction((ULONG)PsGetContextThread,(ULONG)NewGetContextThread,g_cGetContextCode); g_JmpSetContextThread = (ULONG)PsSetContextThread + 0x5; g_bHookSetContextSuccess = Jmp_HookFunction((ULONG)PsSetContextThread,(ULONG)NewSetContextThread,g_cSetContextCode); } void UnHookSetGetContextThread() { if (g_bHookGetContextSuccess) { Res_HookFunction((ULONG)PsGetContextThread,g_cGetContextCode,5); } if (g_bHookSetContextSuccess) { Res_HookFunction((ULONG)PsSetContextThread,g_cSetContextCode,5); } } void DriverUnLoad(PDRIVER_OBJECT pDriverObject) { UnHookSetGetContextThread(); } NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING usRegistPath) { UNICODE_STRING usFuncName1,usFuncName2; RtlInitUnicodeString(&usFuncName1,L"PsGetContextThread"); RtlInitUnicodeString(&usFuncName2,L"PsSetContextThread"); PsGetContextThread = (PSGETCONTEXTTHREAD)MmGetSystemRoutineAddress(&usFuncName1); PsSetContextThread = (PSSETCONTEXTTHREAD)MmGetSystemRoutineAddress(&usFuncName2); HookSetGetContextThread(); pDriverObject->DriverUnload = DriverUnLoad; return STATUS_SUCCESS; }
在ring0可以直接改變Drx寄存器的值,設置硬件斷點來達到對某個函數的hook,這里以NtOpenProcess為例。我們知道內核層產生的異常都會由RtlDispatchException函數進行分發處理,所以我們首先要InlineHook RtlDispatchException函數,在對異常進行分發時先對異常進行過濾,如果異常地址是我們設置的硬件斷點“監控”的地址,則改變EIP,達到對目標函數“hook”的目的。
先InlineHook RtlDispatchException ,RtlDispatchException未導出,在KiDispatchException中被調用,KiDispatchException也未導出,采用的方法是暴力搜索整個內核文件Ntoskrnl.exe來匹配特征碼
VOID HookRtlDispatchException() { PLDR_DATA_TABLE_ENTRY Ldr = NULL; //構建RtlDispatchException 的特征碼 // nt!KiDispatchException+0x160: // 83eff040 53 push ebx // 83eff041 ff750c push dword ptr [ebp+0Ch] // 83eff044 ff7510 push dword ptr [ebp+10h] // 83eff047 ff15bc49fb83 call dword ptr [nt!KiDebugRoutine (83fb49bc)] // 83eff04d 84c0 test al,al // 83eff04f 0f859d000000 jne nt!KiDispatchException+0x211 (83eff0f2) // 83eff055 57 push edi // 83eff056 53 push ebx // 83eff057 e8 a372ffff call nt!RtlDispatchException (83ef62ff) // kd> u 83ef62ff // nt!RtlDispatchException: // 83ef62ff 8bff mov edi,edi // 83ef6301 55 push ebp // 83ef6302 8bec mov ebp,esp // 83ef6304 83e4f8 and esp,0FFFFFFF8h // 83ef6307 83ec6c sub esp,6Ch // 83ef630a 53 push ebx // 83ef630b 56 push esi // 83ef630c 57 push edi SIGNATURE_INFO SignCode[] = {{0x84,10},{0xc0,9},{0x57,2},{0x53,1},{0xE8,0}}; #ifndef _DEBUG __asm int 3 #endif g_bHookSuccess = FALSE; Ldr = SearchDriver(g_LocalDriverObj,L"ntoskrnl.exe"); if (!Ldr) return; g_RtlDispatchExeceptionAddress = SearchAddressForSignFromPE((ULONG_PTR)(Ldr->DllBase),Ldr->SizeOfImage,SignCode); if (!MmIsAddressValid((PVOID)g_RtlDispatchExeceptionAddress)) return; //利用偏移轉成絕對地址 +5 過e8 a372ffff 這五個字節 g_RtlDispatchExeceptionAddress = g_RtlDispatchExeceptionAddress+5 + *(ULONG_PTR*)(g_RtlDispatchExeceptionAddress+1); //過被占的前5個字節,繼續執行的代碼 DbgPrint("RtlDispatchExceptionAddresss:%x",g_RtlDispatchExeceptionAddress); g_JmpOrigDispatchException = g_RtlDispatchExeceptionAddress + 5; g_bHookSuccess = Jmp_HookFunction(g_RtlDispatchExeceptionAddress,(ULONG_PTR)NewRtlDispatchException,g_cDisExceptionCode); }
然后將要“監控”的目標地址寫入Dr0寄存器,當目標地址被執行的時候,觸發異常,執行RtlDispatchException函數,
VOID SetMonitor(PVOID Address) { __asm { mov eax , Address mov DR0 , eax mov eax , 0x02 //全局的,僅當執行時產生異常 mov DR7 , eax } } VOID CancelMonitor(PVOID Address) { __asm { xor eax , eax mov DR0 , eax mov DR7 , eax } }
RtlDispatchException的過濾函數,在這里改變Eip的值,異常處理完畢以后,開始執行NewNtOpenProcess
ULONG_PTR _stdcall FilterRtlDispatchException ( IN PEXCEPTION_RECORD ExceptionRecord, IN PCONTEXT ContextRecord ) { //DbgPrint("Address:%x -- ExceptionCode:%x\r\n",ExceptionRecord->ExceptionAddress,ExceptionRecord->ExceptionCode); //如果是NtOpenProcess處的異常 if (ExceptionRecord->ExceptionAddress == (PVOID)KeServiceDescriptorTable.ServiceTableBase[190]) { KdPrint(("<Except addresss>:%X <seh callBack>:%X -- <Except code>:%X", ContextRecord->Eip,ExceptionRecord->ExceptionAddress,ExceptionRecord->ExceptionCode)); //將執行的下一條指令置為NewNtOpenProcess() 函數的地址,CPU接着去執行NewNtOpenProcess ContextRecord->Eip = (ULONG_PTR)NewNtOpenProcess; //返回TRUE,異常不再進行派發 return 1; } return 0; }
NewNtOpenProcess只是簡單地調用FilterNtOpenProcess進行簡單的調用,打印一些基本的信息。
void __declspec(naked) NewNtOpenProcess() { __asm { pushad pushfd call FilterNtOpenProcess popfd popad mov edi , edi push esp mov ebp , esp //跳過NtOpenProcess的前五個字節, //避免再次觸發異常 jmp g_JmpOrigNtOpenProcess } }
完整的工程代碼
#ifndef CXX_DRXHOOK_H #define CXX_DRXHOOK_H #include <ntifs.h> #include <devioctl.h> #endif typedef struct _SYSTEM_SERVICE_TABLE32 { ULONG_PTR* ServiceTableBase; ULONG_PTR* ServiceCounterTableBase; ULONG32 NumberOfServices; ULONG_PTR* ParamTableBase; } SYSTEM_SERVICE_TABLE32, *PSYSTEM_SERVICE_TABLE32; typedef struct _SYSTEM_SERVICE_TABLE64{ ULONG_PTR* ServiceTableBase; ULONG_PTR* ServiceCounterTableBase; ULONG64 NumberOfServices; ULONG_PTR* ParamTableBase; } SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64; #ifndef _WIN64 #define _SYSTEM_SERVICE_TABLE _SYSTEM_SERVICE_TABLE64 #define SYSTEM_SERVICE_TABLE SYSTEM_SERVICE_TABLE64 #define PSYSTEM_SERVICE_TABLE PSYSTEM_SERVICE_TABLE64 #else #define _SYSTEM_SERVICE_TABLE _SYSTEM_SERVICE_TABLE32 #define SYSTEM_SERVICE_TABLE SYSTEM_SERVICE_TABLE32 #define PSYSTEM_SERVICE_TABLE PSYSTEM_SERVICE_TABLE32 #endif __declspec(dllimport) SYSTEM_SERVICE_TABLE KeServiceDescriptorTable; //結構聲明 typedef struct _SIGNATURE_INFO{ UCHAR cSingature; int Offset; }SIGNATURE_INFO,*PSIGNATURE_INFO; typedef struct _LDR_DATA_TABLE_ENTRY // 24 elements, 0x78 bytes (sizeof) { /*0x000*/ struct _LIST_ENTRY InLoadOrderLinks; // 2 elements, 0x8 bytes (sizeof) /*0x008*/ PVOID ExceptionTable; /*0x00C*/ ULONG ExceptionTableSize; /*0x010*/ struct _LIST_ENTRY InInitializationOrderLinks; // 2 elements, 0x8 bytes (sizeof) /*0x018*/ VOID* DllBase; /*0x01C*/ VOID* EntryPoint; /*0x020*/ ULONG32 SizeOfImage; /*0x024*/ struct _UNICODE_STRING FullDllName; // 3 elements, 0x8 bytes (sizeof) /*0x02C*/ struct _UNICODE_STRING BaseDllName; // 3 elements, 0x8 bytes (sizeof) /*0x034*/ ULONG32 Flags; /*0x038*/ UINT16 LoadCount; /*0x03A*/ UINT16 TlsIndex; union // 2 elements, 0x8 bytes (sizeof) { /*0x03C*/ struct _LIST_ENTRY HashLinks; // 2 elements, 0x8 bytes (sizeof) struct // 2 elements, 0x8 bytes (sizeof) { /*0x03C*/ VOID* SectionPointer; /*0x040*/ ULONG32 CheckSum; }; }; union // 2 elements, 0x4 bytes (sizeof) { /*0x044*/ ULONG32 TimeDateStamp; /*0x044*/ VOID* LoadedImports; }; /*0x048*/ VOID* EntryPointActivationContext; /*0x04C*/ VOID* PatchInformation; /*0x050*/ struct _LIST_ENTRY ForwarderLinks; // 2 elements, 0x8 bytes (sizeof) /*0x058*/ struct _LIST_ENTRY ServiceTagLinks; // 2 elements, 0x8 bytes (sizeof) /*0x060*/ struct _LIST_ENTRY StaticLinks; // 2 elements, 0x8 bytes (sizeof) /*0x068*/ VOID* ContextInformation; /*0x06C*/ ULONG32 OriginalBase; /*0x070*/ union _LARGE_INTEGER LoadTime; // 4 elements, 0x8 bytes (sizeof) }LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; ULONG_PTR _stdcall FilterRtlDispatchException ( IN PEXCEPTION_RECORD ExceptionRecord, IN PCONTEXT ContextRecord ); VOID HookRtlDispatchException(); VOID UnloadDriver(PDRIVER_OBJECT DriverObject); PLDR_DATA_TABLE_ENTRY SearchDriver(PDRIVER_OBJECT pDriverObject,wchar_t *strDriverName); BOOLEAN Jmp_HookFunction(IN ULONG Destination,IN ULONG Source,IN UCHAR *Ori_Code); VOID ResumeHookFunction(IN ULONG Destination,IN UCHAR *Ori_Code,IN ULONG Length); ULONG_PTR SearchAddressForSignFromPE(ULONG_PTR uStartBase, ULONG_PTR uSearchLength, SIGNATURE_INFO SignatureInfo[5]); VOID WPOFF(); NTSTATUS _stdcall FilterNtOpenProcess (); VOID WPON(); VOID SetMonitor(PVOID Address); VOID CancelMonitor(PVOID Address); #ifndef CXX_DRXHOOK_H # include "DrxHook.h" #endif #include <ntimage.h> KIRQL Irql; PDRIVER_OBJECT g_LocalDriverObj; BOOLEAN g_bHookSuccess; ULONG_PTR g_RtlDispatchExeceptionAddress; ULONG_PTR g_JmpOrigDispatchException; UCHAR g_cDisExceptionCode[5]; ULONG_PTR g_JmpOrigNtOpenProcess; void __declspec(naked) NewNtOpenProcess() { __asm { pushad pushfd call FilterNtOpenProcess popfd popad mov edi , edi push esp mov ebp , esp //跳過NtOpenProcess的前五個字節, //避免再次觸發異常 jmp g_JmpOrigNtOpenProcess } } void __declspec(naked) NewRtlDispatchException() { __asm { mov edi,edi push ebp mov ebp , esp pushad //保存所有寄存器 pushfd //保存標志寄存器 push [ebp+0xc] push [ebp+0x8] call FilterRtlDispatchException //檢測返回值是否為0 test eax , eax jz __SafeExit // 若eax為0 跳轉__SafeExit popfd popad mov esp , ebp pop ebp // 將KiDispatchException中對於RtlDispatchException的返回值進行校驗, // 如果為0 則對異常進行重新派發,為1則不再做處理 mov eax ,0x01 retn 0x8 //平衡堆棧,兩個參數8字節 __SafeExit: popfd popad mov esp , ebp pop ebp //先執行RtlDispatchException原來的5個字節的內容 mov edi , edi push ebp mov ebp , esp jmp g_JmpOrigDispatchException } } NTSTATUS _stdcall FilterNtOpenProcess () { DbgPrint("FilterNtOpenProcess---%s\r\n",(ULONG_PTR)PsGetCurrentProcess()+0x16c); return STATUS_SUCCESS; } ULONG_PTR _stdcall FilterRtlDispatchException ( IN PEXCEPTION_RECORD ExceptionRecord, IN PCONTEXT ContextRecord ) { //DbgPrint("Address:%x -- ExceptionCode:%x\r\n",ExceptionRecord->ExceptionAddress,ExceptionRecord->ExceptionCode); //如果是NtOpenProcess處的異常 if (ExceptionRecord->ExceptionAddress == (PVOID)KeServiceDescriptorTable.ServiceTableBase[190]) { KdPrint(("<Except addresss>:%X <seh callBack>:%X -- <Except code>:%X", ContextRecord->Eip,ExceptionRecord->ExceptionAddress,ExceptionRecord->ExceptionCode)); //將執行的下一條指令置為NewNtOpenProcess() 函數的地址,CPU接着去執行NewNtOpenProcess ContextRecord->Eip = (ULONG_PTR)NewNtOpenProcess; //返回TRUE,異常不再進行派發 return 1; } return 0; } VOID SetMonitor(PVOID Address) { __asm { mov eax , Address mov DR0 , eax mov eax , 0x02 //全局的,僅當執行時產生異常 mov DR7 , eax } } VOID CancelMonitor(PVOID Address) { __asm { xor eax , eax mov DR0 , eax mov DR7 , eax } } NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryString) { NTSTATUS Status = STATUS_SUCCESS; g_LocalDriverObj = pDriverObject; HookRtlDispatchException(); g_JmpOrigNtOpenProcess = (ULONG_PTR)(KeServiceDescriptorTable.ServiceTableBase[190] + 0x5); //為了方便,這里寫死了,NtOpenProcess Win7 x86 SetMonitor((PVOID)KeServiceDescriptorTable.ServiceTableBase[190]); return Status; } VOID HookRtlDispatchException() { PLDR_DATA_TABLE_ENTRY Ldr = NULL; //構建RtlDispatchException 的特征碼 // nt!KiDispatchException+0x160: // 83eff040 53 push ebx // 83eff041 ff750c push dword ptr [ebp+0Ch] // 83eff044 ff7510 push dword ptr [ebp+10h] // 83eff047 ff15bc49fb83 call dword ptr [nt!KiDebugRoutine (83fb49bc)] // 83eff04d 84c0 test al,al // 83eff04f 0f859d000000 jne nt!KiDispatchException+0x211 (83eff0f2) // 83eff055 57 push edi // 83eff056 53 push ebx // 83eff057 e8 a372ffff call nt!RtlDispatchException (83ef62ff) // kd> u 83ef62ff // nt!RtlDispatchException: // 83ef62ff 8bff mov edi,edi // 83ef6301 55 push ebp // 83ef6302 8bec mov ebp,esp // 83ef6304 83e4f8 and esp,0FFFFFFF8h // 83ef6307 83ec6c sub esp,6Ch // 83ef630a 53 push ebx // 83ef630b 56 push esi // 83ef630c 57 push edi SIGNATURE_INFO SignCode[] = {{0x84,10},{0xc0,9},{0x57,2},{0x53,1},{0xE8,0}}; #ifndef _DEBUG __asm int 3 #endif g_bHookSuccess = FALSE; Ldr = SearchDriver(g_LocalDriverObj,L"ntoskrnl.exe"); if (!Ldr) return; g_RtlDispatchExeceptionAddress = SearchAddressForSignFromPE((ULONG_PTR)(Ldr->DllBase),Ldr->SizeOfImage,SignCode); if (!MmIsAddressValid((PVOID)g_RtlDispatchExeceptionAddress)) return; //利用偏移轉成絕對地址 +5 過e8 a372ffff 這五個字節 g_RtlDispatchExeceptionAddress = g_RtlDispatchExeceptionAddress+5 + *(ULONG_PTR*)(g_RtlDispatchExeceptionAddress+1); //過被占的前5個字節,繼續執行的代碼 DbgPrint("RtlDispatchExceptionAddresss:%x",g_RtlDispatchExeceptionAddress); g_JmpOrigDispatchException = g_RtlDispatchExeceptionAddress + 5; g_bHookSuccess = Jmp_HookFunction(g_RtlDispatchExeceptionAddress,(ULONG_PTR)NewRtlDispatchException,g_cDisExceptionCode); } //搜索整個PE文件的 ULONG_PTR SearchAddressForSignFromPE(ULONG_PTR uStartBase,ULONG_PTR uSearchLength,SIGNATURE_INFO SignatureInfo[5]) { UCHAR *p; ULONG_PTR u_index1,u_index2; //ULONG uIndex; PIMAGE_DOS_HEADER pimage_dos_header; PIMAGE_NT_HEADERS pimage_nt_header; PIMAGE_SECTION_HEADER pimage_section_header; if(!MmIsAddressValid((PVOID)uStartBase)) { return 0; } pimage_dos_header = (PIMAGE_DOS_HEADER)uStartBase; pimage_nt_header = (PIMAGE_NT_HEADERS)((ULONG)uStartBase+pimage_dos_header->e_lfanew); pimage_section_header = (PIMAGE_SECTION_HEADER)((ULONG)pimage_nt_header+sizeof(IMAGE_NT_HEADERS)); for (u_index1 = 0;u_index1<pimage_nt_header->FileHeader.NumberOfSections;u_index1++) { //#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable. //#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable. //#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable. //0x60000000 = IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ if (pimage_section_header[u_index1].Characteristics&0x60000000) { p = (UCHAR*)uStartBase + pimage_section_header[u_index1].VirtualAddress; for (u_index2 = 0;u_index2<pimage_section_header[u_index1].Misc.VirtualSize;u_index2++) { if (!MmIsAddressValid((p-SignatureInfo[0].Offset))|| !MmIsAddressValid((p-SignatureInfo[4].Offset))) { p++; continue; } __try{ if (*(p-SignatureInfo[0].Offset)==SignatureInfo[0].cSingature&& *(p-SignatureInfo[1].Offset)==SignatureInfo[1].cSingature&& *(p-SignatureInfo[2].Offset)==SignatureInfo[2].cSingature&& *(p-SignatureInfo[3].Offset)==SignatureInfo[3].cSingature&& *(p-SignatureInfo[4].Offset)==SignatureInfo[4].cSingature) { return (ULONG_PTR)p; } }__except(EXCEPTION_EXECUTE_HANDLER){ DbgPrint("Search error!"); } p++; } } } return 0; } BOOLEAN Jmp_HookFunction( IN ULONG Destination, IN ULONG Source, IN UCHAR *Ori_Code ) { ULONG jmp_offset; UCHAR jmp_code[5] = {0xE9}; KSPIN_LOCK lock; KIRQL irql; if (Destination==0||Source==0) { DbgPrint("Params error!"); return FALSE; } RtlCopyMemory(Ori_Code,(PVOID)Destination,5); jmp_offset = Source - (Destination+5); *(ULONG*)&jmp_code[1] = jmp_offset; //放入偏移 KeInitializeSpinLock (&lock ); KeAcquireSpinLock(&lock,&irql); WPOFF(); RtlCopyMemory((PVOID)Destination,jmp_code,5); WPON(); KeReleaseSpinLock (&lock,irql); return TRUE; } VOID WPOFF() { ULONG_PTR cr0 = 0; Irql = KeRaiseIrqlToDpcLevel(); cr0 =__readcr0(); cr0 &= 0xfffffffffffeffff; __writecr0(cr0); } VOID WPON() { ULONG_PTR cr0=__readcr0(); cr0 |= 0x10000; __writecr0(cr0); KeLowerIrql(Irql); } //簡單的通過鏈表獲得內核模塊的基本信息 PLDR_DATA_TABLE_ENTRY SearchDriver(PDRIVER_OBJECT pDriverObject,wchar_t *strDriverName) { LDR_DATA_TABLE_ENTRY *pdata_table_entry,*ptemp_data_table_entry; PLIST_ENTRY plist; UNICODE_STRING str_module_name; RtlInitUnicodeString(&str_module_name,strDriverName); pdata_table_entry = (LDR_DATA_TABLE_ENTRY*)pDriverObject->DriverSection; if (!pdata_table_entry) { return 0; } plist = pdata_table_entry->InLoadOrderLinks.Flink; while(plist!= &pdata_table_entry->InLoadOrderLinks) { ptemp_data_table_entry = (LDR_DATA_TABLE_ENTRY *)plist; //DbgPrint("%wZ",&pTempDataTableEntry->BaseDllName); if (0==RtlCompareUnicodeString(&ptemp_data_table_entry->BaseDllName,&str_module_name,FALSE)) { return ptemp_data_table_entry; } plist = plist->Flink; } return 0; } VOID UnloadDriver(PDRIVER_OBJECT DriverObject) { if (g_bHookSuccess) { ResumeHookFunction(g_RtlDispatchExeceptionAddress,g_cDisExceptionCode,0x5); } } VOID ResumeHookFunction( IN ULONG Destination, IN UCHAR *Ori_Code, IN ULONG Length ) { KSPIN_LOCK lock; KIRQL irql; if (Destination==0||Ori_Code==0) return; KeInitializeSpinLock (&lock ); KeAcquireSpinLock(&lock,&irql); WPOFF(); RtlCopyMemory((PVOID)Destination,Ori_Code,Length); WPON(); KeReleaseSpinLock (&lock,irql); }