Hook memory space
One problem with user-space hooks is where to put the LoadLibrary parameters or the injected code: hooks usually have to allocate space in the remote process. There is, however, a writable area in the kernel that is mapped into the address space of every process. This alternative relies on the fact that two virtual addresses can map to the same physical address: the kernel address 0xFFDF0000 and the user address 0x7FFE0000 both point to the same physical page. The shared area is writable through its kernel address but not through its user address, so the MDL method can be used to write code at the kernel address, which is then reachable from user mode through the user address.
The shared area is 4 KB in size; the kernel occupies part of it, but about 3 KB remain usable for code and variables. The region is named KUSER_SHARED_DATA. The following example writes data to it:
DWORD d_sharedM = 0x7ffe0800; // a user-mode address inside the shared page
DWORD d_sharedK = 0xffdf0800; // the kernel-mode address of the same physical page

unsigned char new_code[] = {
    0x90,                         // NOP (replace with 0xCC, INT 3, to break into a debugger here)
    0xb8, 0xff, 0xff, 0xff, 0xff, // mov eax, 0xffffffff (placeholder operand, patched below)
    0xff, 0xe0                    // jmp eax
};

if (!gb_Hooked)
{
    RtlCopyMemory((PVOID)d_sharedK, new_code, 8);
    // overwrite the placeholder operand (bytes 2..5) with the real target address
    RtlCopyMemory((PVOID)(d_sharedK + 2), (PVOID)&pd_IAT[index], 4);
    gb_Hooked = TRUE;
}
The first byte is an opcode placeholder: a NOP, or INT 3 (a breakpoint) if you want to observe the behavior in a debugger. The next seven bytes load a dummy address into EAX and jump to it; the second RtlCopyMemory call replaces that dummy operand with the real target. To actually filter the output of the real function, the hook writer would have to place a more elaborate function in this memory rather than a plain jump.
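As an added example from the detection side (not code from the original text), the following C program scans a copy of the 4 KB shared page for the exact "mov eax, imm32; jmp eax" stub shown above in the region the hook treats as free, and counts how much of that region is non-zero at all. On a live system the copy would be read through the user-mode mapping at 0x7FFE0000; here the page is constructed in memory, and the 0x800 boundary and the target address 0x77E12345 are assumptions and constructed values.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define SHARED_PAGE_SIZE 4096
#define UNUSED_TAIL_START 0x800 /* assumption: offset where the kernel's own data ends */

/* Locate a "mov eax, imm32 ; jmp eax" stub (B8 xx xx xx xx FF E0) at or after
 * 'start'. Returns its offset or -1; the little-endian imm32 goes to *target. */
int find_trampoline(const uint8_t *page, size_t len, size_t start, uint32_t *target)
{
    for (size_t i = start; i + 7 <= len; i++) {
        if (page[i] == 0xB8 && page[i + 5] == 0xFF && page[i + 6] == 0xE0) {
            if (target)
                *target = (uint32_t)page[i + 1] | ((uint32_t)page[i + 2] << 8)
                        | ((uint32_t)page[i + 3] << 16) | ((uint32_t)page[i + 4] << 24);
            return (int)i;
        }
    }
    return -1;
}

/* Count non-zero bytes in the part of the page the hook above treats as free. */
size_t nonzero_tail_bytes(const uint8_t *page, size_t len, size_t start)
{
    size_t n = 0;
    for (size_t i = start; i < len; i++)
        n += (page[i] != 0);
    return n;
}

/* Constructed sample: zeroed page with the 8-byte stub from the text at 0x800
 * and its placeholder operand patched with a made-up target address. */
void build_sample_page(uint8_t *page, uint32_t target)
{
    const uint8_t stub[8] = { 0x90, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE0 };
    memset(page, 0, SHARED_PAGE_SIZE);
    memcpy(page + 0x800, stub, sizeof stub);
    memcpy(page + 0x802, &target, 4); /* little-endian host assumed (x86) */
}

int main(void)
{
    static uint8_t page[SHARED_PAGE_SIZE];
    uint32_t target = 0;
    build_sample_page(page, 0x77E12345u); /* constructed target, not a real address */
    int off = find_trampoline(page, SHARED_PAGE_SIZE, UNUSED_TAIL_START, &target);
    printf("stub at offset %d, target 0x%08x, non-zero tail bytes %zu\n", off,
           target, nonzero_tail_bytes(page, SHARED_PAGE_SIZE, UNUSED_TAIL_START));
    return 0;
}
```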