New to Windows Kernel 1-hook ssdt

Source: Internet
Author: User
Tags ssdt

This series records my study of the Windows kernel.

Core content of this article: hook NtOpenProcess, NtDuplicateObject, NtCreateThread, NtOpenThread and NtWriteVirtualMemory through the SSDT to filter process operations and protect the address space of a target process.

SSDT stands for System Service Descriptor Table. This table links the ring 3 Win32 API to the ring 0 kernel API. Besides the large table of service function addresses, the SSDT holds other useful information, such as the base address of that address table and the number of service functions.

The SSDT dispatches the system-related functions reached through kernel32.dll and ntdll.dll. By modifying a function address in this table you can hook common Windows APIs to filter and monitor the system actions you are interested in. HIPS, anti-virus, system monitoring and registry monitoring software often use this mechanism to implement their monitoring modules.

In the Win32 subsystem the SSDT is implemented by ntoskrnl.exe, which exports it under the name KeServiceDescriptorTable; the owning process is normally System.

SSDT structure:

    typedef struct tagSSDT {
        PULONG pSSDTBase;              // base address of the SSDT address table in memory
        PVOID  pServiceCounterTable;   // per-service call counters (used by checked builds)
        ULONG  uNumberOfServices;      // number of SSDT entries
        PUCHAR pParamTableBase;        // number of argument bytes for each service
    } SSDT, *PSSDT;                    // the SSDT

1. How to hook the SSDT

First, disable write protection by clearing the WP bit of the CR0 register, then replace the function address in the original SSDT entry with the address of the new function, and finally restore CR0 write protection.

This article hooks NtOpenProcess, NtDuplicateObject, NtCreateThread, NtOpenThread and NtWriteVirtualMemory in the SSDT to filter process operations and protect the target process space.

1.1 NtOpenProcess

In Windows, kernel32!OpenProcess calls ntdll!NtOpenProcess, which finally enters the kernel-mode nt!NtOpenProcess. Hooking NtOpenProcess therefore lets us filter and intercept attempts by one process to open another.

In the custom NtOpenProcess, first obtain the PID of the process to be opened and determine whether it is a protected process. If it is, strip the corresponding rights from the requested access (for an R3 process opening the protected process, remove the right to terminate it), and then call the real NtOpenProcess. The handle returned to R3 then cannot read or write the protected process, and a malicious program cannot terminate it.

    Get the PID of the process to be opened
    Determine whether the PID is protected
    If yes:
        Strip the relevant access rights ....
        Call the real NtOpenProcess
    If no:
        Call the real NtOpenProcess

Code 1.1 MyNtOpenProcess

1.2 NtDuplicateObject

The csrss process holds handles to all processes. By calling DuplicateHandle to copy a handle out of csrss, a program can obtain a handle to the target process indirectly, without going through OpenProcess.

In the custom NtDuplicateObject, call the real NtDuplicateObject first. If the call succeeds, check whether the returned handle refers to a protected process; if it does, close it. With this filtering, malicious programs cannot use DuplicateHandle to open protected processes.

1.3 NtCreateThread

In R3, a thread created in the current process or in another process (via CreateThread and CreateRemoteThread respectively) finally passes through ntdll!NtCreateThread to the kernel-mode nt!NtCreateThread. Filtering nt!NtCreateThread prevents malicious programs from creating remote threads (CreateRemoteThread) in protected processes. The MyNtCreateThread flow is shown in Code 1.2:

    Get the PID through the Process Handle
    Determine whether the PID is protected
    If yes:
        Return STATUS_ACCESS_DENIED
    If no:
        Call the real NtCreateThread

Code 1.2 MyNtCreateThread

1.4 NtOpenThread

In Windows, OpenThread obtains a handle to a target thread, and that handle can then be used to operate on the thread. The anti-password-theft system hooks NtOpenThread to prevent malicious programs from operating on threads of the protected process.

In the custom NtOpenThread, first obtain the PID of the process that owns the thread, then determine whether that PID is protected. If it is, return STATUS_ACCESS_DENIED directly; otherwise call the real NtOpenThread.

1.5 NtWriteVirtualMemory

In Windows, a process can call kernel32!WriteProcessMemory to write another process's memory; kernel32!WriteProcessMemory goes through ntdll!NtWriteVirtualMemory to the kernel-mode nt!NtWriteVirtualMemory. Hooking nt!NtWriteVirtualMemory prevents malicious programs from writing to protected process memory. The pseudocode is shown in Code 1.3:

    Get the PID through the Process Handle
    Determine whether the PID is protected
    If yes:
        Return STATUS_ACCESS_DENIED
    If no:
        Call the real NtWriteVirtualMemory

Code 1.3 MyNtWriteVirtualMemory
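The filtering decisions of sections 1.1 to 1.5 and the table swap of section 1, modelled in user-mode C as an added example (not the original post's driver code). The protected PID list, the access-right constants and the plain array standing in for KeServiceDescriptorTable are constructed here; a real driver reads the PID from the call's arguments and performs the swap with CR0.WP cleared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef uint32_t ACCESS_MASK;
#define PROCESS_TERMINATE     0x0001   /* process access rights, values as in winnt.h */
#define PROCESS_VM_OPERATION  0x0008
#define PROCESS_VM_READ       0x0010
#define PROCESS_VM_WRITE      0x0020
#define STATUS_SUCCESS        0x00000000u
#define STATUS_ACCESS_DENIED  0xC0000022u

/* Constructed protected-PID list; a real driver fills this from its configuration. */
static const uint32_t g_protected_pids[] = { 1234, 4321 };

static bool is_protected_pid(uint32_t pid) {
    for (size_t i = 0; i < sizeof g_protected_pids / sizeof g_protected_pids[0]; i++)
        if (g_protected_pids[i] == pid) return true;
    return false;
}

/* 1.1: NtOpenProcess proceeds, but a protected target loses terminate/read/write rights
 * (PROCESS_VM_OPERATION too, since WriteProcessMemory needs it with PROCESS_VM_WRITE). */
ACCESS_MASK filter_open_process_access(uint32_t target_pid, ACCESS_MASK desired) {
    if (!is_protected_pid(target_pid)) return desired;
    return desired & ~(ACCESS_MASK)(PROCESS_TERMINATE | PROCESS_VM_OPERATION |
                                    PROCESS_VM_READ | PROCESS_VM_WRITE);
}

/* 1.3/1.4/1.5: NtCreateThread, NtOpenThread and NtWriteVirtualMemory are denied outright. */
uint32_t filter_deny_if_protected(uint32_t target_pid) {
    return is_protected_pid(target_pid) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

/* SSDT entry swap on a plain array; in the driver this runs between clearing and
 * restoring CR0.WP, with index = the service number of the hooked call. */
typedef void (*SERVICE_FN)(void);
SERVICE_FN ssdt_swap(SERVICE_FN *table, uint32_t nservices, uint32_t index, SERVICE_FN fn) {
    if (index >= nservices) return NULL;   /* bounds check the pseudocode above omits */
    SERVICE_FN old = table[index];
    table[index] = fn;
    return old;
}
static void real_service(void) {}
static void hook_service(void) {}

/* Install the hook, then put the saved address back as the driver must do on unload. */
bool ssdt_swap_roundtrip(void) {
    SERVICE_FN table[3] = { NULL, real_service, NULL };
    SERVICE_FN saved = ssdt_swap(table, 3, 1, hook_service);
    bool installed = (saved == real_service && table[1] == hook_service);
    ssdt_swap(table, 3, 1, saved);
    return installed && table[1] == real_service && ssdt_swap(table, 3, 7, hook_service) == NULL;
}
```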

