Process hiding and process protection (implemented by SSDT Hook) (1)

Article directory:

1. Introduction-Hook Technology:

2. SSDT introduction:

3. Complete Execution Process for calling Win32 API at the application layer:

4. SSDT:

5. SSDT Hook principle:

6. Summary:

1. Introduction-Hook Technology:

The previous blog article introduced the code injection technology (Remote thread Implementation). The blog address is as follows:

Http://www.cnblogs.com/BoyXiao/archive/2011/08/11/2134367.html

Although code injection is a very old technology, it is still quite common,

Of course, it is also quite useful. For example, the remote thread injection technology is used in Spy ++,

At the same time, if you are interested in reading the Spy ++ source code, you can also read the remote thread Injection Technology in the source code.

(This blog post will be divided into two sections, but it will still be long, with a large number of contents and wide coverage,

If you are interested, please bring your tea and snacks and read the full text slowly,

PS: This is referenced by a garden friend in the garden)

(Then it will take a long night to get in a bad mood, so I wrote a blog post and just drank a bit again. So I guess there will be some omissions. Please forgive me ~)

In this blog post, we will introduce a Hook technology, which can be divided into two parts,

The first part is the Hook on the Ring3 layer, commonly known as the application layer Hook Technology,

The other part is naturally hooked on the Ring0 layer, commonly known as the kernel layer Hook Technology,

In the Ring3 layer, there are basically two types of hooks,

The first type is the Windows message Hook, and the second type is the Windows API Hook.

The following figure shows several types of hooks:

I believe many of my friends have been familiar with Windows message Hook, because a SetWindowsHookEx can complete message Hook,

Here we will briefly introduce the message Hook. The message Hook can be inserted to the front end of the Hook chain through SetWindowsHookEx,

The messages sent to the Hook window (or all windows, that is, global Hook) will be captured by our Hook processing function,

That is, we can first capture these messages in the form. Windows message Hook can be implemented as in-process message Hook and global message Hook,

For in-process message Hook, you can simply write the Hook processing function directly in this process, that is, Hook yourself,

For more widely used global message hooks, you need to write the Hook processing function in a DLL,

In this way, your processing function can be loaded by all processes (the process automatically loads the DLL containing the Hook message processing function ).

For Windows message Hook, there can be a simple and evil application, that is, recording keyboard-key messages,

So as to monitor the key-value information entered by the user. In this way, some simple users can obtain the key-value information through the keyboard,

If you do not press the next key, Windows will generate a key message (of course, there is a distinction between pressing, popping, and other messages ),

Then we can Hook the key message so that we can get the key that the user presses in the Hook message processing function.

Of course, message Hook is not the focus of this blog,

This blog post mainly introduces SSDT Hook Technology, which is one of kernel Hook technologies,

This is also an old technology. It seems that Rootkit came out when it caught fire,

However, SSDT Hook is still popular. For example, SSDT Hook Technology is also used in many anti-virus software or security software.

There are also several types of kernel hooks. The following illustration is also given:

There are many kernel-level Hook technologies mentioned above, including snow, debugman, and xfocus,

However, I am a junior who has been behind these technologies for many years. Here I just want to list my learning and some summarized experiences,

If you want to learn more about the content, you can find the information on the snow ~

2. SSDT introduction:

The following is an introduction from Baidu (PS: Baidu Library has made many blog posts, and I will copy them here ):

The full name of SSDT is System Services Descriptor Table, a System service Descriptor Table.

This table associates Ring3's Win32 API with Ring0's kernel API.

SSDT not only contains a large address index table, but also contains some useful information, such as the base address of the address index and the number of service functions.

By modifying the function address of this table, you can Hook common Windows functions and APIs to filter and monitor system actions that you are concerned about.

Some HIPS, anti-virus software, system monitoring, and registry monitoring software often use this interface to implement their own monitoring modules.

In Windows operating systems with NT 4.0 or higher, two system service description tables exist by default. These two scheduling tables correspond to two different types of system services,

The two scheduling tables are: KeServiceDescriptorTable and KeServiceDescriptorTableShadow,

Among them, KeServiceDescriptorTable is mainly used to process system calls from Kernel32.dll of ring3,

The KeServiceDescriptorTableShadow mainly handles system calls from User32.dll and GDI32.dll,

In addition, KeServiceDescriptorTable is exported in ntoskrnl.exe (Windows operating system kernel file, including kernel and execution Layer,

The KeServiceDescriptorTableShadow is not exported by the Windows operating system,

All the content about SSDT is completed through the KeServiceDescriptorTable ~

The following shows that the KeServiceDescriptorTable is exported in ntoskrnl.exe:

Then let's take a look at how KeServiceDescriptorTable is defined in the Windows operating system source code WRK ~

First, let's take a look at how KeServiceDescriptorTable was exported by the Windows operating system source code:

The following shows that the system service description table is exported from a module partition file (. def) in the wrk source code.

What is WRK? You can refer to my other blogIntroduction to Windows kernel (WRK)The blog address is as follows:

Http://www.cnblogs.com/BoyXiao/archive/2011/01/08/1930904.html

In Windows source code WRK, the Code for the System Service Descriptor Table is defined as follows (KeServiceDecriptorTable is defined by this structure ):

The above structure definition does not show any name in the name of the member variable. The structure we will use in our code is as follows:

   1:  typedef struct _KSYSTEM_SERVICE_TABLE

   2:  {

3: PULONG ServiceTableBase; // base address of SSDT (System Service Dispatch Table)

4: PULONG ServiceCounterTableBase; // used for checked builds, including the number of calls to each service in SSDT

5: ULONG NumberOfService; // number of service functions. NumberOfService * 4 indicates the size of the entire address table.

6: ULONG ParamTableBase; // base address of SSPT (System Service Parameter Table)

   7:   

   8:  } KSYSTEM_SERVICE_TABLE, *PKSYSTEM_SERVICE_TABLE;

   9:   

  10:  typedef struct _KSERVICE_TABLE_DESCRIPTOR

  11:  {

12: KSYSTEM_SERVICE_TABLE ntoskrnl; // service function of ntoskrnl.exe

13: KSYSTEM_SERVICE_TABLE win32k; // service functions of win32k. sys (Kernel support of GDI32.dll/User32.dll)

  14:      KSYSTEM_SERVICE_TABLE   notUsed1;

  15:      KSYSTEM_SERVICE_TABLE   notUsed2;

  16:   

  17:  } KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;

  18:   

19: // export the SSDT exported by ntoskrnl.exe

  20:  extern PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;

With the above introduction, we can simply regard the KeServiceDescriptor as an array (its essence is an array ),

The API in ntdll. dll at the application layer has a corresponding service in the system service description table (SSDT,

When our application calls the API in ntdll. dll, it will eventually call the corresponding system service in the kernel,

With SSDT, we only need to inform the kernel of the index in the SSDT where the service to be called is located,

Then the kernel can find the corresponding service in SSDT Based on the index value, and then the kernel calls the service to complete the application API call request.

For the basic structure, refer:

3. Complete Execution Process for calling Win32 API at the application layer:

With the SSDT Foundation above, let's take a look at the complete process of calling Win32 API at the application layer (here mainly refers to the API in ntdll. dll,

Here we mainly analyze the call process of the NtQuerySystemInformation API in ntdll. dll,

(PS: Windows task manager obtains information about system processes through this API ).

First, give an illustration (first remember that there are four similar APIs here, but be sure to distinguish them from each other. If you get confused, it will be too much trouble ):

Then, let's look at the basic calling process of these APIs (which makes everyone feel at least lost ):

First, use the PE tool to open the ntdll. dll file. You can see NtQuerySystemInformation,

In addition to NtQuerySystemInformation, you can also see ZwQuerySystemInformation,

In essence, in Windows,

The ZwQuerySystemInformation and NtQuerySystemInformation in Ntdll. dll are the same function,

We can see from the following that the entry addresses of these two functions point to the same region, and their function entry addresses are the same ~

It's strange ~ In fact, I think it's strange ~ Why do we do this ~

As we all know, APIs in Ntdll. dll are just a simple packaging function,

When the API in Kernel32.dll passes Ntdll. dll, the parameter check is completed,

Call another interrupt (int 2Eh or SysEnter command ),So as to enter the Ring0 layer from Ring3,

And store the service number to be called (that is, the index value in the SSDT array) in the register EAX,

Put the parameter address in the specified register (EDX), and then copy the parameter to the kernel address space,

Then, the specified service is called in the SSDT Array Based on the index value stored in EAX ~

After the preceding steps, the Ring3 layer enters the Ring0 layer,

We can use the PE tool to view ZwQuerySystemInformation and NtQuerySystemInformation in ntoskrnl.exe.

Let's take a look at ZwQuerySystemInformation in ntoskrnl.exe:

In the preceding figure, ZwQuerySystemInformation under Ring0 puts 0ADh into the register eax,

Then the system service distribution function KiSystemService is called, and the KiSystemService function is based on the index value in the eax register,

Then, find the SSDT item worth storing in the eax register with the index value in the SSDT array,

Finally, the system service is called Based on the address of the System Service stored in this SSDT item ~

For example, here is the system service that calls the address stored in the KeServiceDescriptorTable [0ADh ~

That is, NtQuerySystemInformation under Ring0 is called ~

So far, the entire process of calling NtQuerySystemInformation at the application layer has ended ~

Finally, the disassembly code of NtQuerySystemInformation under Ring0 is pasted:

4. SSDT:

In this section, we will look at what SSDT is ~ Here we use WinDbg to debug the XP SP2 system ~

First, let's see what the KeServiceDescriptorTable is?

The first address of the KeServiceDesciptorTable is 804e58a0,

View the analysis address. You can see that the first entry address of the system service is 80591bfb!

Let's take a look at the system service corresponding to the address 80591bfb?

From the following, we can see that the first system service in SSDT is NtAcceptConnectPort !!!

Because we know the first address of SSDT and the index number of the NtQuerySystemInformation service under Ring0,

Therefore, you can add a 4 * index number based on the Address = first Address of the SSDT system service Address + 4 * index number ",

Calculate the address of the NtQuerySystemInformation service,

Therefore, Address = 804e58a0 + 4 * 0adh = 804E5B54;

Then let's take a look at the address 804E5B54. The information is as follows:

The starting address of NtQuerySystemInformation is 80586ff1,

Next, let's verify whether the address 80586ff1 is the first address of NtQuerySystemInformation ~

It can be confirmed from the following that 80586ff1 is indeed the first address of NtQuerySystemInformation,

This is consistent with the calculation formula for the address of the service with the specified index number in SSDT !!!

From the above introduction, we can see that SSDT is actually an array used to save the Windows service address !!!

5. SSDT Hook principle:

With this part of the above, we can see the principle of ssdt hook,

In fact, the principle of SSDT Hook is very simple. From the above analysis,

We can know that the system service address is saved in the SSDT array,

For example, for the address of the System Service NtQuerySystemInformation under Ring0,

Stored in the KeServiceDescriptorTable [0ADh,

Since it is a Hook, we can replace the service address stored in this KeServiceDescriptorTable [0ADh,

Replace the original address with the address of our own Hook handler function,

In this way, each time we call KeServiceDescriptorTable [0ADh], we will call our own Hook handler function.

The following are represented by several images:

The following is after the SSDT Hook. You can see that the service address in SSDT is changed to MyHookNtQuerySystemInformation,

In this way, every time the system calls the system service NtQuerySystemInformation,

Essentially, MyHookNtQuerySystemInformation is called. To ensure system stability (at least prevent the system from crashing ),

In general, the original service in the system, that is, NtQuerySystemInformation, is called in MyHookNtQuerySystemInformation.

6. Summary:

This blog post only introduces what SSDT is, but does not provide the Implementation of SSDT Hook,

The implementation and Demo of SSDT Hook are all completed in (2), that is, this blog is not complete, To be continued ......

There are a lot of articles about SSDT in the snow, because I was suddenly interested in this thing a while ago,

So I first learned about it. Naturally, I have read a lot of articles. SSDT can search a lot on Google,

But if I want to introduce SSDT in the most detail, I 'd like to explain it in detail in this article,

Because many users on the Internet only briefly introduce the SSDT principle, and then go down a Demo on the Internet,

After you paste the code out, even the Code cannot be fully compiled,

So if you want to know something about SSDT, you can take a good look at this article ~

By the way, I also encountered a problem that suddenly came out of my mind,

However, due to time or personal status issues, I have never studied it ~ I don't know if there is wood in the garden ~

As we all know, in Windows, the PID of the System process is 4,

I want to ask: why is the PID of the System process 4?

You are welcome to discuss this issue ~Here, let's give you some ideas,

That is, you can use the Windows operating system startup process, and then combine the WRK source code for research ~

Copyright,HuanWelcome to reprint, but please note: Reprinted fromZachary. XiaoZhen-the sky of dreams