hook_idt

hook_IDT/IDTHook/IDTHook.c

@@ -0,0 +1,195 @@
+
+#ifndef CXX_IDTHOOK_H
+#	include "IDTHook.h"
+#endif
+#include <WINDEF.H>
+
+
+ULONG_PTR g_OrigKiTrap03;
+KIRQL  Irql;
+
+
+_declspec(naked) void NewKiTrap03()
+{
+
+	__asm
+	{
+		//测试
+		//jmp g_OrigKiTrap03
+
+		//构建Trap03的异常帧
+		//保存现场环境,和原始Trap03一样
+		push    0   ;ErrorCode
+		push    ebp
+		push    ebx
+		push    esi
+		push    edi
+		push    fs
+		mov     ebx,30h
+		mov     fs,bx
+		mov     ebx,dword ptr fs:[0]
+		push    ebx
+		sub     esp,4
+		push    eax
+		push    ecx
+		push    edx
+		push    ds
+		push    es
+		push    gs
+
+		sub     esp,30h    //esp此时就指向陷阱帧
+
+		push    esp         //FilterExceptionInfo自己清理了
+
+		call   FilterExceptionInfo   //过滤函数
+
+		add     esp , 0x30
+		pop		gs
+		pop		es
+		pop		ds
+		pop		edx
+		pop		ecx
+		pop		eax
+		add		esp , 4
+		pop		ebx
+		pop		fs
+		pop		edi
+		pop		esi
+		pop		ebx
+		pop		ebp
+		add     esp , 0x4
+		jmp     g_OrigKiTrap03
+	}
+}
+
+
+
+VOID __stdcall FilterExceptionInfo(PX86_KTRAP_FRAME pTrapFrame)
+{
+
+	//eip的值减一过int3，汇编代码分析中dec， 
+	DbgPrint("Eip:%x\r\n",(pTrapFrame->Eip)-1);
+}
+
+
+NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryString)
+{
+	NTSTATUS	Status = STATUS_SUCCESS;
+	IDTR Idtr;
+	PIDTENTRY pIdtArray = NULL;
+	ULONG_PTR Index = 0;
+
+	DriverObject->DriverUnload = UnloadDriver;
+    __asm sidt Idtr
+	//虚拟机是单核的，只用一个就可以了
+	if(KeGetIdt(&pIdtArray))
+	{
+		DbgPrint("%x---%x\r\n",Idtr.base,Idtr.limit);
+		for (Index =0;Index<(Idtr.limit+1)/sizeof(IDTENTRY);Index++) 		
+		{
+			DbgPrint("TrapHandle[%d]:%x\r\n",Index,MAKELONG(pIdtArray[Index].LowOffset,pIdtArray[Index].HiOffset));
+		}
+
+		g_OrigKiTrap03 = MAKELONG(pIdtArray[3].LowOffset,pIdtArray[3].HiOffset);
+
+		WPOFF();
+		pIdtArray[3].LowOffset = (ULONG_PTR)NewKiTrap03 & 0xFFFF;  //低16位
+		pIdtArray[3].HiOffset =  (ULONG_PTR)NewKiTrap03 >> 16;     //高16位
+		WPON();
+
+	}
+
+	//limit 0x7ff (包含0)  0x800  = 2048  Entry每项大小8字节，就2048/8 = 256 成员
+	//!idt -a   0ff  = 256 
+
+	//MAKELONG
+	//#define MAKELONG(a, b)      ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) | ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff))) << 16))
+	return Status;
+}
+
+
+
+
+
+BOOLEAN KeGetIdt(PIDTENTRY *pIdtArray)
+{
+	ULONG Index,Affinity,CurrentAffinity;
+	pfnKESETAFFINITYTHREAD fnpKeSetAffinityThread;
+
+	UNICODE_STRING usFuncName;
+	PIDTENTRY pIdtEntry;
+
+	RtlInitUnicodeString(&usFuncName,L"KeSetAffinityThread");
+	fnpKeSetAffinityThread = (pfnKESETAFFINITYTHREAD)MmGetSystemRoutineAddress(&usFuncName);
+
+	if (fnpKeSetAffinityThread==0)
+	{
+		return FALSE;
+	}
+
+	Affinity = KeQueryActiveProcessors();                    
+	//KeQueryActiveProcessors获取处理器相关的位图
+	//(这里的位图可以理解为个数，比如返回1代表一个处理器，返回3表示两个处理器，返回7表示三个处理器，依此类推。
+	//也就是说从有多少个处理器，那么Affinity的值就会从低位到高位依此填充多少位)
+
+	CurrentAffinity = 1;
+	Index = 0;
+	while(Affinity)
+	{
+		//下面只是个简单的算法，使当前线程运行到不同的处理器上
+		Affinity &= ~CurrentAffinity;
+		fnpKeSetAffinityThread(PsGetCurrentThread(),(KAFFINITY)CurrentAffinity);
+		CurrentAffinity <<= 1;
+
+		__asm{
+			push        eax
+			mov         eax,fs:[0x38]
+			mov         pIdtEntry,eax
+			pop         eax
+		}
+		//得到我们要的东西
+		pIdtArray[Index] = pIdtEntry;
+		Index++;
+	}
+
+	return TRUE;
+}
+
+
+VOID WPOFF()
+{
+	ULONG_PTR cr0 = 0;
+	Irql = KeRaiseIrqlToDpcLevel();
+	cr0 =__readcr0();
+	cr0 &= 0xfffffffffffeffff;
+	__writecr0(cr0);
+
+}
+
+
+
+
+
+VOID WPON()
+{
+
+	ULONG_PTR cr0=__readcr0();
+	cr0 |= 0x10000;
+	__writecr0(cr0);
+	KeLowerIrql(Irql);
+}
+
+
+
+VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
+{
+	//恢复
+	PIDTENTRY pIdtEntry;
+	if (g_OrigKiTrap03 && KeGetIdt(&pIdtEntry))
+	{
+		WPOFF();
+		pIdtEntry[3].LowOffset = g_OrigKiTrap03 & 0xFFFF;
+		pIdtEntry[3].HiOffset = g_OrigKiTrap03 >> 16;
+		WPON();
+	}
+}

hook_IDT/IDTHook/IDTHook.h

@@ -0,0 +1,85 @@
+
+
+#ifndef CXX_IDTHOOK_H
+#define CXX_IDTHOOK_H
+
+#include <ntifs.h>
+#include <devioctl.h>
+#endif	
+
+#pragma  pack(2)  //默认是4字节对齐
+typedef struct _IDTR
+{
+	USHORT	limit;	//范围，所占内存大小
+	ULONG	base;	//IDT表项起始地址
+}IDTR,*PIDTR;
+#pragma pack()
+
+//占8字节
+typedef struct _IDTENTRY
+{
+	unsigned short LowOffset;    //LowOffset和HiOffset组成一4字节的地址就是处理例程的地址
+	unsigned short selector;
+	unsigned char retention:5;
+	unsigned char zero1:3;
+	unsigned char gate_type:1;
+	unsigned char zero2:1;
+	unsigned char interrupt_gate_size:1;
+	unsigned char zero3:1;
+	unsigned char zero4:1;
+	unsigned char DPL:2;
+	unsigned char P:1;
+	unsigned short HiOffset;
+} IDTENTRY,*PIDTENTRY;
+
+
+typedef struct _X86_KTRAP_FRAME {
+	ULONG   DbgEbp;
+	ULONG   DbgEip;
+	ULONG   DbgArgMark;
+	ULONG   DbgArgPointer;
+	ULONG   TempSegCs;
+	ULONG   TempEsp;
+	ULONG   Dr0;
+	ULONG   Dr1;
+	ULONG   Dr2;
+	ULONG   Dr3;
+	ULONG   Dr6;
+	ULONG   Dr7;
+	ULONG   SegGs;
+	ULONG   SegEs;
+	ULONG   SegDs;
+	ULONG   Edx;
+	ULONG   Ecx;
+	ULONG   Eax;
+	ULONG   PreviousPreviousMode;
+	ULONG   ExceptionList;
+	ULONG   SegFs;
+	ULONG   Edi;
+	ULONG   Esi;
+	ULONG   Ebx;
+	ULONG   Ebp;
+	ULONG   ErrCode;
+
+	ULONG   Eip;
+	ULONG   SegCs;
+	ULONG   EFlags;
+	ULONG   HardwareEsp;    // WARNING - segSS:esp are only here for stacks
+	ULONG   HardwareSegSs;  // that involve a ring transition.
+	ULONG   V86Es;          // these will be present for all transitions from
+	ULONG   V86Ds;          // V86 mode
+	ULONG   V86Fs;
+	ULONG   V86Gs;
+} X86_KTRAP_FRAME, *PX86_KTRAP_FRAME;
+
+
+
+VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
+VOID WPOFF();
+VOID WPON();
+VOID __stdcall FilterExceptionInfo(PX86_KTRAP_FRAME pTrapFrame);
+BOOLEAN KeGetIdt(PIDTENTRY *pIdtArray);
+typedef KAFFINITY (*pfnKESETAFFINITYTHREAD)(
+	__inout PKTHREAD Thread,
+	__in KAFFINITY Affinity
+	);

hook_IDT/IDTHook/IDTHook.sln

@@ -0,0 +1,16 @@
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "IDTHook", "IDTHook.vcxproj", "{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		WinDDK|Win32 = WinDDK|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.ActiveCfg = WinDDK|Win32
+		{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.Build.0 = WinDDK|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

hook_IDT/IDTHook/IDTHook.vcxproj

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="WinDDK|Win32">
+      <Configuration>WinDDK</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>"IDTHook"</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
+    <TargetExt>.sys</TargetExt>
+    <GenerateManifest>false</GenerateManifest>
+    <ExecutablePath>$(WLHBASE)\bin\x86\x86;$(WLHBASE)\bin\x86</ExecutablePath>
+    <IncludePath>$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc</IncludePath>
+    <ReferencePath />
+    <LibraryPath>$(WLHBASE)\lib\win7\i386</LibraryPath>
+    <SourcePath />
+    <ExcludePath />
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>_X86_;DBG=1</PreprocessorDefinitions>
+      <ExceptionHandling>false</ExceptionHandling>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <CallingConvention>StdCall</CallingConvention>
+      <CompileAs>CompileAsC</CompileAs>
+      <AdditionalIncludeDirectories>
+      </AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <Link>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+      <SubSystem>Native</SubSystem>
+      <Driver>Driver</Driver>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <SetChecksum>true</SetChecksum>
+      <BaseAddress>0x10000</BaseAddress>
+      <RandomizedBaseAddress>
+      </RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include=".\IDTHook.c" />
+    <ClCompile Include=".\IDTHook.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

hook_IDT/IDTHook/IDTHook.vcxproj.user

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>

hook_IDT/IDTHook/clean.bat

@@ -0,0 +1,28 @@
+rem /////////////////
+rem / Add by ChiChou
+rem / 
+rem / FileName:Clean.bat
+rem / Description:Clean
+rem /
+rem ////////////////
+rd .\bin /s /q
+rd .\WinDDK /s /q
+rd .\objchk_w2k_x86 /s /q
+rd .\objchk_wxp_x86 /s /q
+rd .\objchk_wnet_x86 /s /q
+rd .\objchk_wlh_x86 /s /q
+rd .\objfre_w2k_x86 /s /q
+rd .\objfre_wxp_x86 /s /q
+rd .\objfre_wnet_x86 /s /q
+rd .\objfre_wlh_x86 /s /q
+del .\*.log
+del .\*.err
+del .\*.xml
+rem ***** del VS2005 file *****
+del .\*.ncb
+del .\*.user
+del .\*.suo /A:H
+rem ***** del VS6.0 file *****
+del .\*.plg
+del .\*.opt
+exit