Book note: Windows hybrid hook, part 5: hook memory space

Source: Internet
Author: User

Hook memory space

One of the problems with user-mode hooks is where to put the LoadLibrary parameters or the hook code: a hook usually has to allocate space inside the remote process. There is, however, a writable area in the kernel that is mapped into the address space of every process. The technique relies on two virtual addresses being mapped to the same physical page: the kernel address 0xFFDF0000 and the user address 0x7FFE0000 both refer to the same physical page (0xFFDF0000 is the 32-bit kernel alias; 64-bit Windows maps the kernel view elsewhere, while the user view stays at 0x7FFE0000). The kernel mapping of the shared area is writable, but the user mapping is read-only. Using the MDL method, the code can be written through the kernel address and then accessed through the user address.

The shared area is one 4 KB page. The kernel uses part of it, but roughly 3 KB remain available for code and variables. The memory region is known as KUSER_SHARED_DATA. The following is an example of writing data to the region:

DWORD d_sharedM = 0x7ffe0800; // user-mode address of the same bytes (read-only view)
DWORD d_sharedK = 0xffdf0800; // kernel-mode address (writable view)

unsigned char new_code[] = {
    0x90,                          // NOP; use INT 3 (0xCC) here to break into a debugger
    0xb8, 0xff, 0xff, 0xff, 0xff,  // mov eax, 0xffffffff (placeholder, patched below)
    0xff, 0xe0                     // jmp eax
};

// pd_IAT, index and gb_Hooked are defined elsewhere in the book's hook code
extern DWORD *pd_IAT;
extern int index;
extern BOOLEAN gb_Hooked;

if (!gb_Hooked)
{
    // write the 8-byte stub through the writable kernel alias
    RtlCopyMemory((PVOID)d_sharedK, new_code, 8);
    // overwrite the mov imm32 with the original IAT entry (the real function's address)
    RtlCopyMemory((PVOID)(d_sharedK + 2), (PVOID)&pd_IAT[index], 4);
    gb_Hooked = TRUE;
}

The first byte is an opcode; if you want to watch the behaviour under a debugger, use NOP or INT 3 (break) there. The remaining seven bytes only move a placeholder address into EAX and then jump to it. At this point the hook writer needs to place a more capable function in the shared memory to filter the output of the real function.
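From a defender's side, the useful property of this trick is also its weakness: the shared page is mapped read-only into every process at a fixed address, so any process can take a copy of it and check that nothing lives past the documented structure. The scanner below is an added example, not code from the note or from the book it summarises. It assumes a threshold offset (ASSUMED_STRUCT_END, set to the 0x800 the note's sample uses; a real check would use the structure size for the exact Windows build), builds two constructed sample pages instead of reading 0x7FFE0000, and flags both non-zero bytes beyond the threshold and the specific "mov eax, imm32 ; jmp eax" stub pattern described above. The function and type names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* KUSER_SHARED_DATA occupies one 4 KB page. */
#define SHARED_PAGE_SIZE 4096u
/* Assumed threshold: everything at or past this offset is expected to be zero.
 * 0x800 mirrors the offset the note's sample writes to; a production check
 * would use sizeof(KUSER_SHARED_DATA) for the Windows build being inspected. */
#define ASSUMED_STRUCT_END 0x800u

typedef struct {
    size_t   first_nonzero;  /* offset of first non-zero byte past the threshold, or SIZE_MAX */
    size_t   nonzero_bytes;  /* number of non-zero bytes past the threshold */
    int      has_jmp_stub;   /* 1 if a "mov eax, imm32 ; jmp eax" sequence was found */
    uint32_t stub_target;    /* imm32 of that mov, i.e. where the stub would jump */
} shared_page_report;

/* Scan a copy of the shared page. Returns 1 if suspicious, 0 if clean, -1 on
 * bad input. On Windows the copy would be taken from the read-only user alias
 * (memcpy from (const void *)0x7FFE0000); here the caller supplies it. */
int scan_shared_page(const uint8_t *page, size_t len, shared_page_report *r)
{
    memset(r, 0, sizeof *r);
    r->first_nonzero = SIZE_MAX;
    if (page == NULL || len != SHARED_PAGE_SIZE)
        return -1;

    for (size_t i = ASSUMED_STRUCT_END; i < len; i++) {
        if (page[i] != 0) {
            if (r->first_nonzero == SIZE_MAX)
                r->first_nonzero = i;
            r->nonzero_bytes++;
        }
        /* x86 encoding: B8 imm32 = mov eax, imm32 ; FF E0 = jmp eax */
        if (!r->has_jmp_stub && i + 7 <= len &&
            page[i] == 0xB8 && page[i + 5] == 0xFF && page[i + 6] == 0xE0) {
            r->has_jmp_stub = 1;
            r->stub_target = (uint32_t)page[i + 1]
                           | ((uint32_t)page[i + 2] << 8)
                           | ((uint32_t)page[i + 3] << 16)
                           | ((uint32_t)page[i + 4] << 24);
        }
    }
    return (r->nonzero_bytes != 0 || r->has_jmp_stub) ? 1 : 0;
}

/* Build a constructed sample page: a non-zero pattern stands in for the live
 * kernel-maintained fields below the threshold; optionally plant the note's
 * 8-byte stub at 0x800 with a made-up jump target of 0x12345678. */
void build_sample_page(uint8_t *page, int plant_stub)
{
    memset(page, 0, SHARED_PAGE_SIZE);
    for (size_t i = 0; i < ASSUMED_STRUCT_END; i++)
        page[i] = (uint8_t)(0x11 + (i % 7));
    if (plant_stub) {
        static const uint8_t stub[8] = { 0x90, 0xB8, 0x78, 0x56, 0x34, 0x12, 0xFF, 0xE0 };
        memcpy(page + ASSUMED_STRUCT_END, stub, sizeof stub);
    }
}

/* Scan one of the constructed samples and return the full report by value. */
shared_page_report sample_report(int plant_stub)
{
    uint8_t page[SHARED_PAGE_SIZE];
    shared_page_report r;
    build_sample_page(page, plant_stub);
    scan_shared_page(page, sizeof page, &r);
    return r;
}

int main(void)
{
    for (int plant = 0; plant <= 1; plant++) {
        shared_page_report r = sample_report(plant);
        printf("%s sample: nonzero=%zu stub=%d target=0x%08x\n",
               plant ? "planted" : "clean", r.nonzero_bytes, r.has_jmp_stub, r.stub_target);
    }
    return 0;
}
```

The clean sample reports nothing past the threshold; the planted sample reports eight non-zero bytes starting at 0x800 and recovers the jump target from the patched imm32, which is exactly the value the note's second RtlCopyMemory copies out of the IAT. Comparing that target against the loaded module ranges of the process is the natural next step for an investigator.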
