Windows kernel API hook: the inline hook

Source: Internet
Author: User
Tags: ssdt
Source: csdn, Author: daiwen

Inline hook is a good name; at first glance it sounds very advanced. The "inline" here, I think, refers to writing machine code directly into the memory of the kernel API itself. Unlike a user-mode hook or an SSDT hook, which can be written entirely in C, an inline hook needs assembly embedded in the program (inline assembly) for the instructions that manipulate the stack and that execute the displaced part of the kernel API. And of course all of this has to be done from a driver.

An API hook, in short, replaces the "position" of a system API with a function you wrote; from then on your function takes over all the "business" the hooked API used to handle. Windows is divided into user mode and kernel mode, and APIs into user-level and kernel-level ones. To do something at the lowest level, and do it thoroughly, you have to hook the kernel API (although hooking user-mode APIs also has many uses).

The SSDT hook is the common way to hook kernel APIs. In one sentence: Windows keeps the addresses of its system service routines (the Nt* functions that system calls are dispatched to) in a table, the System Service Descriptor Table (SSDT). To hook one of these kernel APIs, the simple method is to change the address stored for it in the SSDT to the address of a function you wrote. This is like tampering with Windows' "kernel API phone book": when someone looks up the hooked API, the "phone number" they find has already been replaced by ours; once they dial it, our "function boy" answers, and information filtering begins.

Unfortunately, detection tools such as IceSword can easily tell that the SSDT has been tampered with (the entry no longer points into the kernel image) and notify the user in a suitable way (for example, the font of the search result turns red).

The inline hook is more thorough than the SSDT hook. If the SSDT hook merely kidnaps "Mr. Kernel API" and puts our "double" in to take over his work, which IceSword can discover by reaching the kidnapped Mr. Kernel API through other contact channels and raising the alarm, then the inline hook operates on Mr. Kernel API himself and makes him part of our camp. An inline hook hard-codes a jump instruction into the kernel API's own memory, usually over its first bytes, before the first instruction that touches the stack (so that the stack layout on arrival at our code is known and not confused). From then on, whenever the API is called, execution jumps to our function. The function we write has three tasks:
1) Readjust the current stack. At the moment control is redirected, the kernel API has not yet run, but our function has to filter its results, so we need the kernel API to return to our function when it finishes. That requires adjusting the current stack (for example, saving the caller's return address and substituting one inside our function).
2) Execute the displaced instructions. Writing a jump instruction (jmp xxxxxxxx, 5 bytes on x86) over the start of the kernel API inevitably overwrites some of its original instructions, so we must make sure those overwritten instructions still get executed (otherwise you get a BSOD, haha, blue screen of death). This part is generally placed in our own function: our function "helps" the kernel API execute the overwritten instructions and then jumps to the address just past the overwritten bytes so the rest of the API runs. When jumping back, that address must be computed: it is the kernel API's start address plus the number of bytes we overwrote, that is, the first byte after the patch. The displaced instructions must also be ones that behave the same at a different address; a relative call or jump inside the overwritten range would have to be re-encoded.
A friend once suggested restoring the overwritten bytes of the kernel API and then calling it. I have not tested this, but I think it is not very stable: the kernel switches threads all the time, and if our function's thread is preempted while the API is restored and another thread calls the API at that moment, a "hook miss" occurs.
3) Information filtering. Nothing needs to be said here: once the kernel API has executed and returned to our function, we naturally filter some information based on its results. This part varies with the API being hooked and the purpose of the hook.

Inline hook workflow:
1) Verify the kernel API version (pattern matching on its first bytes).
2) Write your own function to complete the three tasks above.
3) Obtain the address of your function and overwrite the kernel API's entry with the jump to it.
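As an added example (my code, not code from the original article or from the posts it cites), the following C program carries out the mechanical part of the workflow above on a constructed byte buffer standing in for the first bytes of a 32-bit kernel API: it pattern-checks the expected hotpatchable prologue (mov edi,edi; push ebp; mov ebp,esp), saves the five displaced bytes into a trampoline followed by a jump back to the first byte after the patch, and encodes the 5-byte jmp written over the entry. The addresses 0x80500000, 0xF8A00000 and 0xF8A01000 and the byte sequences are assumptions for illustration. It runs in user mode, touches no kernel memory, does not lift write protection, and does not model the handler's stack adjustment or result filtering, which need assembly.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example: the mechanical steps of an inline hook (prologue pattern
 * check, trampoline of displaced bytes plus jump back, 5-byte jmp over the
 * entry) performed on a constructed in-memory copy of a kernel API's first
 * bytes. Nothing here touches real kernel memory, disables CR0 write
 * protection, or executes the patched bytes.
 */

#define PATCH_LEN 5   /* size of an x86 "jmp rel32" (E9 xx xx xx xx) */

/* Hotpatchable prologue found at the start of many 32-bit XP/2003 kernel
 * APIs: mov edi,edi / push ebp / mov ebp,esp. Exactly 5 bytes, and nothing
 * in it is address-relative, so the bytes run unchanged from a trampoline. */
static const uint8_t k_expected_prologue[PATCH_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

struct inline_hook {
    uint8_t *func;                      /* the bytes being patched */
    uint32_t func_va;                   /* their (simulated) virtual address */
    uint8_t  saved[PATCH_LEN];          /* original bytes, kept for unhooking */
    uint8_t  trampoline[PATCH_LEN + 5]; /* displaced bytes + jmp back */
    uint32_t trampoline_va;             /* (simulated) address of the trampoline */
    uint32_t resume_va;                 /* func_va + PATCH_LEN: first byte after the patch */
    int      installed;
};

/* rel32 for a jmp located at `from` that lands on `to`: the CPU adds the
 * displacement to the address of the *next* instruction, not to `from`. */
static uint32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return to - (from + PATCH_LEN);     /* wraps mod 2^32 for backward jumps */
}

static void emit_jmp(uint8_t *out, uint32_t from, uint32_t to)
{
    uint32_t rel = jmp_rel32(from, to);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);            /* little-endian displacement */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Workflow step 1: refuse to hook a function whose first bytes are not the
 * ones analysed; another build may put an instruction boundary elsewhere. */
static int prologue_matches(const uint8_t *func)
{
    return memcmp(func, k_expected_prologue, PATCH_LEN) == 0;
}

/* Steps 2-3: build the trampoline, then overwrite the entry with jmp handler. */
static int install_hook(struct inline_hook *h, uint8_t *func, uint32_t func_va,
                        uint32_t trampoline_va, uint32_t handler_va)
{
    if (!prologue_matches(func))
        return -1;
    h->func = func;
    h->func_va = func_va;
    h->trampoline_va = trampoline_va;
    h->resume_va = func_va + PATCH_LEN;
    memcpy(h->saved, func, PATCH_LEN);
    memcpy(h->trampoline, h->saved, PATCH_LEN);          /* displaced instructions */
    emit_jmp(h->trampoline + PATCH_LEN,                  /* ... then jmp resume_va */
             trampoline_va + PATCH_LEN, h->resume_va);
    /* In a driver this is the write that needs write protection lifted and
     * that must land as one 5-byte unit so no thread sees a half-written jmp. */
    emit_jmp(func, func_va, handler_va);
    h->installed = 1;
    return 0;
}

/* Constructed stand-ins (not copied from any ntoskrnl build): a hotpatchable
 * API (prologue, push 0, nop) and one with a different prologue. */
uint8_t g_fake_api[8]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x6A, 0x00, 0x90};
uint8_t g_other_api[8] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x90, 0x90};
struct inline_hook g_hook;

#define FAKE_API_VA   0x80500000u   /* assumed address inside the kernel image */
#define TRAMPOLINE_VA 0xF8A00000u   /* assumed address inside our driver */
#define HANDLER_VA    0xF8A01000u   /* assumed address of our hook function */

int demo_install(void)
{
    return install_hook(&g_hook, g_fake_api, FAKE_API_VA, TRAMPOLINE_VA, HANDLER_VA);
}

int demo_install_mismatch(void)          /* -1: version check refuses to hook */
{
    struct inline_hook h = {0};
    return install_hook(&h, g_other_api, FAKE_API_VA, TRAMPOLINE_VA, HANDLER_VA);
}

int demo_remove(void)                    /* 1 if the original bytes are back */
{
    if (g_hook.installed) {
        memcpy(g_hook.func, g_hook.saved, PATCH_LEN);
        g_hook.installed = 0;
    }
    return memcmp(g_fake_api, k_expected_prologue, PATCH_LEN) == 0;
}

static void dump(const char *name, const uint8_t *p, size_t n)
{
    printf("%-11s", name);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void)
{
    if (demo_install() != 0) { puts("prologue mismatch, not hooking"); return 1; }
    dump("entry:", g_fake_api, sizeof g_fake_api);                    /* E9 FB 0F 50 78 6A 00 90 */
    dump("trampoline:", g_hook.trampoline, sizeof g_hook.trampoline); /* 8B FF 55 8B EC E9 FB FF AF 87 */
    printf("resume at %08X\n", g_hook.resume_va);                     /* 80500005 */
    printf("other api hookable: %s\n", demo_install_mismatch() == 0 ? "yes" : "no"); /* no */
    printf("restored: %d\n", demo_remove());                          /* 1 */
    return 0;
}
```

The rel32 arithmetic is the part that is easy to get wrong: the displacement is relative to the address after the jump, so the trampoline's jump back is encoded from trampoline_va + 5, not from trampoline_va, and the resume address is the function start plus the patch length, never "the second byte of the function".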

Disadvantages of inline hook:
1) Not general enough. Across Windows versions the kernel APIs begin with different instructions, so to get started you must either write several versions or do a pattern search (since some kernel APIs are very similar across versions, add some bytes before or after the "signature" to make it unique).
2) Some detection tools already cover it. If you overwrite starting from the first byte of the kernel API, it is easy to detect; pushing the patch deeper into the function and varying its form may be able to evade them. I am not familiar with the specifics and have not tried it yet. (Separately from third-party tools, on 64-bit Windows the kernel's own Kernel Patch Protection, PatchGuard, detects patched kernel code and bugchecks the machine, so in practice this technique is limited to 32-bit systems.)

The documents referred to above are:
1) "Kernel inline hook bypasses VICE detection", an article on xfocus.
2) "A simple method to realize a kernel-mode inline function hook" (http://www.phpfav.com/?p=35), an article on 5ecur!ty.

Refer to the original articles. The code in article 1 can be optimized using article 2.
