The principle of an inline hook is roughly as follows:

Overwrite the first 5 bytes of the hooked function a so that they jump to our own function b, which must have the same prototype and calling convention as a. Because control reaches b through a plain jmp rather than a normal call, b sees a's arguments and return address exactly as a's caller left them, and b's ret goes straight back to that caller. Inside b we can inspect the arguments and return directly, or we can call a copy of a. That copy is saved at the moment the hook is installed, before the 5 bytes are overwritten.

Very simple; the project is packaged below for everyone to study. Experts, feel free to skip.
/*
 * krembo.c, demonstration of inline hooking (aka. detouring) within driver/kernel.
 * - izik@tty64.org
 * Editor's note: extraction lost the pool allocation, inline-assembly blocks, hook body
 * and parts of DriverEntry/DriverUnload; those parts are rebuilt from the surviving
 * comments and marked "reconstructed" (not izik's verbatim code). 32-bit x86 only.
 */
#include <ntddk.h>
// assembly jmp opcode value
#ifndef X86_JMP
#define X86_JMP 0xE9
#endif
// number of bytes to overwrite: 1 opcode byte + 4-byte rel32 displacement
// (the page had sizeof(X86_JMP) + sizeof(int), which is 8 because sizeof(0xE9) == sizeof(int))
#ifndef JMP_LENGTH
#define JMP_LENGTH 5
#endif
// size of a page (4k)
#ifndef PAGE_SIZE
#define PAGE_SIZE 0x1000
#endif
// pointer macros (32-bit addresses)
#define PAGE_MASK(ptr) ((ptr) & 0xFFFFF000)
#define OFFSET_IN_PAGE(ptr) ((ptr) - ((ptr) & 0xFFFFF000))

// RtlRandom pointer prototype. RtlRandom is NTAPI (__stdcall); the hook is entered by a
// jmp, so it needs the same convention or its ret leaves the argument on the caller's stack.
typedef unsigned long (NTAPI *RTLRANDOM)(unsigned long *Seed);
// pointers to duplicated (original) and current versions of RtlRandom
RTLRANDOM pDupRtlRandom;
RTLRANDOM pCurRtlRandom;   // declared in the original, unused in what survived

// reconstructed: kernel code pages are write-protected, so clear CR0.WP (bit 16) with
// interrupts off on this CPU while patching, then put both back
static void DisableWriteProtect(void)
{
    _asm cli
    _asm mov eax, cr0
    _asm and eax, 0xFFFEFFFF
    _asm mov cr0, eax
}
static void EnableWriteProtect(void)
{
    _asm mov eax, cr0
    _asm or eax, 0x10000
    _asm mov cr0, eax
    _asm sti
}

/*
 * DetourFunction, detour a function (install detour)
 *   pFcnAddr, pointer to the soon-to-be-detoured function
 *   iHookAddr, address of the hook function
 *   iPoolType, pool type of allocated memory
 */
void *DetourFunction(char *pFcnAddr, int iHookAddr, int iPoolType)
{
    char *pOrigPage;
    // reconstructed: allocate the page for the copy (tag matches the free below)
    pOrigPage = (char *)ExAllocatePoolWithTag(iPoolType, PAGE_SIZE, 0xDEADBEEF);
    if (pOrigPage == NULL) return NULL;
    // duplicate the entire page the function lives in; the copy is later called as the
    // "original". What if the function is not confined to one page? Then the copy is
    // truncated; and since it sits at a different base, any rel32 call/jmp in it that
    // targets code outside this page now lands at the wrong address.
    RtlCopyMemory(pOrigPage, (char *)PAGE_MASK((int)pFcnAddr), PAGE_SIZE);
    // calculate the relocation to `iHookAddr`: jmp rel32 is relative to the end of the
    // 5-byte instruction, so iHookAddr = iHookAddr - (pFcnAddr + 5)
    iHookAddr -= ((int)pFcnAddr + 5);
    // overwrite the first `JMP_LENGTH` bytes of pFcnAddr (detour it)
    DisableWriteProtect();
    *(pFcnAddr)     = (char)X86_JMP;
    *(pFcnAddr + 1) = (char)(iHookAddr & 0xFF);
    *(pFcnAddr + 2) = (char)((iHookAddr >> 8) & 0xFF);
    *(pFcnAddr + 3) = (char)((iHookAddr >> 16) & 0xFF);
    *(pFcnAddr + 4) = (char)((iHookAddr >> 24) & 0xFF);
    EnableWriteProtect();
    // return pointer to the duplicate function (within the duplicate page)
    return (void *)((int)pOrigPage + OFFSET_IN_PAGE((int)pFcnAddr));
}

/*
 * MyRtlRandom, RtlRandom hook
 *   Seed, given seed
 */
unsigned long NTAPI MyRtlRandom(unsigned long *Seed)
{
    // reconstructed body: inspect the argument, then forward to the saved copy
    DbgPrint("RtlRandom hooked, seed = %lx\n", *Seed);
    return pDupRtlRandom(Seed);
}

/*
 * RestoreDetouredFunction, restore a detoured function (remove detour)
 *   pDupFcn, pointer to the duplicated function
 *   pOrigFcn, pointer to the original function
 */
void RestoreDetouredFunction(char *pOrigFcn, char *pDupFcn)
{
    int offset;
    // uninstall the detour, restore `JMP_LENGTH` bytes from the duplicate function.
    DisableWriteProtect();
    for (offset = 0; offset < JMP_LENGTH; offset++)
        *(pOrigFcn + offset) = *(pDupFcn + offset);
    EnableWriteProtect();
    // deallocate the duplicate page
    ExFreePoolWithTag((void *)((int)pDupFcn - OFFSET_IN_PAGE((int)pOrigFcn)), 0xDEADBEEF);
}

/*
 * DriverUnload, driver unload point
 *   DriverObject, self (driver)
 */
void DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    // reconstructed: remove the detour before the image goes away, or the next RtlRandom call jumps into unmapped memory
    RestoreDetouredFunction((char *)RtlRandom, (char *)pDupRtlRandom);
    //DbgPrint("krembo unloaded!\n");
}

/*
 * DriverEntry, driver single entry point
 *   DriverObject, self (driver)
 *   RegistryPath, given RegistryPath
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    DriverObject->DriverUnload = DriverUnload;
    // reconstructed: detour RtlRandom and keep the copy (NonPagedPool: the copy runs in whatever context RtlRandom's callers run)
    pDupRtlRandom = (RTLRANDOM)DetourFunction((char *)RtlRandom, (int)MyRtlRandom, NonPagedPool);
    // reconstructed failure path; the surviving listing shows only the `else` branch
    if (pDupRtlRandom == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    else return STATUS_SUCCESS;
}
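The same install-and-restore sequence in user mode, as an added example that is not part of krembo.c or izik's code: it hooks a local function inside its own process on Linux/x86 (32- or 64-bit), where mprotect stands in for clearing CR0.WP and the five saved bytes stand in for the duplicated page. The names target_add, hook_mul, detour_install and detour_remove, and the sample values 6 and 7, are this example's own assumptions. Build with `cc -O2 -o detour_demo detour_demo.c`.

```c
/* detour_demo.c: user-mode inline hook (jmp rel32 patch) with install/restore.
 * Added example; x86/x86-64 Linux, GCC or Clang. */
#if !defined(__x86_64__) && !defined(__i386__)
#error "this example patches x86 machine code and only runs on x86/x86-64"
#endif
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define X86_JMP    0xE9   /* jmp rel32 opcode */
#define JMP_LENGTH 5      /* 1 opcode byte + 4-byte signed displacement */

typedef struct {
    uint8_t *target;             /* entry point that was patched */
    uint8_t  saved[JMP_LENGTH];  /* original bytes, restored on removal */
} detour_t;

/* Make the page(s) covering [addr, addr+len) writable as well as executable:
 * the user-mode counterpart of clearing CR0.WP in the driver. */
static int make_writable(void *addr, size_t len)
{
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end   = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* Save the first 5 bytes of `target`, then overwrite them with `jmp hook`.
 * Returns 0 on success, -1 if hook is out of rel32 range or mprotect fails. */
static int detour_install(detour_t *d, void *target, void *hook)
{
    /* rel32 is relative to the end of the jmp itself, i.e. target + 5 */
    int64_t rel = (int64_t)(uintptr_t)hook - ((int64_t)(uintptr_t)target + JMP_LENGTH);
    int32_t rel32;
    uint8_t patch[JMP_LENGTH];

    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;                            /* hook further than +/-2 GiB away */
    if (make_writable(target, JMP_LENGTH) != 0)
        return -1;

    d->target = (uint8_t *)target;
    memcpy(d->saved, target, JMP_LENGTH);     /* the bytes we restore from later */
    rel32 = (int32_t)rel;
    patch[0] = X86_JMP;
    memcpy(patch + 1, &rel32, sizeof rel32);  /* little-endian, as x86 expects */
    memcpy(target, patch, JMP_LENGTH);
    __builtin___clear_cache((char *)target, (char *)target + JMP_LENGTH);
    return 0;
}

/* Put the saved bytes back. */
static void detour_remove(detour_t *d)
{
    memcpy(d->target, d->saved, JMP_LENGTH);
    __builtin___clear_cache((char *)d->target, (char *)d->target + JMP_LENGTH);
}

/* ---- demo: hook a local function the way krembo.c hooks RtlRandom ---- */

/* Function being hooked; `volatile` keeps its body longer than 5 bytes so the
 * patch cannot run into whatever follows it in .text. */
static __attribute__((noinline)) int target_add(int a, int b)
{
    volatile int sum = a + b;
    return sum;
}

static int hook_calls;

/* The hook: same prototype as target_add, deliberately different result. */
static __attribute__((noinline)) int hook_mul(int a, int b)
{
    hook_calls++;
    return a * b;
}

/* Call through a volatile pointer so the compiler cannot inline or fold the
 * call and must execute whatever bytes sit at target_add right now. */
static int call_target(int a, int b)
{
    int (*volatile fp)(int, int) = target_add;
    return fp(a, b);
}

/* Install, call once, remove. Returns what the call saw while hooked (a*b),
 * or -1 if the detour could not be installed. */
int result_while_hooked(int a, int b)
{
    detour_t d;
    int r;
    if (detour_install(&d, (void *)target_add, (void *)hook_mul) != 0)
        return -1;
    r = call_target(a, b);
    detour_remove(&d);
    return r;
}

/* What the call sees with no detour in place (a+b). */
int result_unhooked(int a, int b) { return call_target(a, b); }

int hook_call_count(void) { return hook_calls; }

int main(void)
{
    printf("unhooked: 6 + 7 = %d\n", result_unhooked(6, 7));
    printf("hooked:   6 ? 7 = %d\n", result_while_hooked(6, 7));
    printf("restored: 6 + 7 = %d (hook ran %d time)\n", result_unhooked(6, 7), hook_call_count());
    return 0;
}
```

The range check on rel is what a 64-bit port of DetourFunction must add: a 5-byte jmp can only reach targets within 2 GiB, which holds inside one executable but not between an arbitrary driver and the kernel image. Saving exactly the bytes that are overwritten, instead of copying the whole page, also avoids the truncated-copy and stale-rel32 problems noted in the driver's page-copy comment, at the cost of not being able to call the original through the saved bytes.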