Inline hook (ring 0)

Source: Internet
Author: User

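#include <ntddk.h>

/*
 * Inline hook of a kernel routine (x86-32 only: every address below is held in
 * a ULONG and the patch/trampoline code is 32-bit MSVC inline assembly).
 *
 * How the inline hook works, as laid out by the original author:
 *   1. Work out the definition (signature) of the function Func to hook.
 *   2. Find the address of Func.
 *      - Not exported: scan kernel memory for a byte signature of its body.
 *      - Exported: the name itself is its address (declare it with NTKERNELAPI,
 *        e.g. KeInsertQueueApc), or resolve it with MmGetSystemRoutineAddress.
 *   3. Overwrite the first five bytes of Func with `jmp T_MyFunc`
 *      (E9 rel32, rel32 = T_MyFunc - Func - 5).
 *   4. T_MyFunc pushes the caller's arguments again, calls MyFunc, and unless
 *      MyFunc asks to suppress the call, jumps to Func+5 to run the original.
 *   5. InlineHookFunc installs the patch (called from DriverEntry);
 *      DriverUnload restores the original bytes.
 *
 * Review notes:
 *   - The five bytes replaced are the hot-patch prologue
 *     `mov edi,edi / push ebp / mov ebp,esp` (8B FF 55 8B EC). On Windows 2000
 *     the prologue is only three bytes (push ebp / mov ebp,esp), so, as the
 *     original comments state, this listing targets XP and later.
 *   - An integrity check that compares the in-memory kernel text with the
 *     on-disk image sees this as an E9 at a function entry; 64-bit Windows'
 *     kernel patch protection bugchecks on such modifications, which is why
 *     the technique is confined to 32-bit kernels of this era.
 *   - Disabling interrupts only stops the *current* CPU from running Func
 *     mid-patch; on a multiprocessor system another CPU can still execute the
 *     half-written bytes. The listing does not address this.
 */

/* Signature of the function being hooked (the original author does not name it). */
typedef NTSTATUS (*FUNCDEFINE)(PEPROCESS Process, NTSTATUS ExitStatus);

/* Address of the hooked function; NULL until DriverEntry resolves it. */
FUNCDEFINE FuncAddress = NULL;

/*
 * NtQuerySystemInformation is not declared in ntddk.h, so the listing declares
 * its own pointer type. The original listing never assigned the pointer (it
 * would have been called through NULL); GetFunctionAddressFromKernelMemory now
 * resolves the kernel export on first use.
 */
typedef NTSTATUS (*NTQUERYSYSTEMINFORMATION)(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

typedef unsigned long DWORD;

NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;

/* SystemInformationClass value that returns the loaded-module list. */
#define SystemModuleInformation 11

/* One entry of the SystemModuleInformation result; a ULONG count precedes the array. */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG  Reserved[2];
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Expected first five bytes of the hooked function (mov edi,edi / push ebp / mov ebp,esp).
 * Shared by CheckFuncIsHook (verification) and DriverUnload (restore). */
static const unsigned char FUNC_PROLOGUE[5] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };

/* Length of the patch written over the prologue: E9 + rel32. */
#define HOOK_LEN 5

/*
 * Resolve an exported kernel routine by name.
 * Returns the routine's address, or 0 if MmGetSystemRoutineAddress does not know it.
 */
ULONG GetFunctionAddr(IN PCWSTR FunctionName)
{
    UNICODE_STRING UnicodeFunctionName;
    RtlInitUnicodeString(&UnicodeFunctionName, FunctionName);
    return (ULONG)MmGetSystemRoutineAddress(&UnicodeFunctionName);
}

/*
 * Locate a non-exported kernel function by scanning the kernel image for a
 * 16-byte signature of its body.
 *
 * Returns the matching address, or NULL if the module list could not be read
 * or the signature was not found. The signature constants carry an `_sp2`
 * suffix, so they were presumably taken from one specific kernel build and
 * will not match others -- confirm before use.
 */
PVOID GetFunctionAddressFromKernelMemory(VOID)
{
    ULONG size = 0;
    PULONG buf = NULL;
    ULONG i = 0;
    PSYSTEM_MODULE_INFORMATION module = NULL;
    ULONG NtosknlBase = 0;
    ULONG NtosknlEndAddr = 0;
    ULONG LastStart = 0;
    NTSTATUS status = 0;
    /* The signature of the function in memory (little-endian dwords). */
    ULONG code1_sp2 = 0x8b55ff8b, code2_sp2 = 0xa16456ec,
          code3_sp2 = 0x00000124, code4_sp2 = 0x3b08758b;

    /* The original listing never assigned this pointer; resolve the export on first use. */
    if (NtQuerySystemInformation == NULL) {
        NtQuerySystemInformation =
            (NTQUERYSYSTEMINFORMATION)GetFunctionAddr(L"NtQuerySystemInformation");
        if (NtQuerySystemInformation == NULL) {
            DbgPrint("failed query\n");
            return NULL;
        }
    }

    /* First query only obtains the required size (4-byte dummy buffer, length 0). */
    NtQuerySystemInformation(SystemModuleInformation, &size, 0, &size);
    if (size == 0) {
        DbgPrint("failed query\n");
        return NULL;
    }

    buf = (PULONG)ExAllocatePoolWithTag(PagedPool, size, 'Nlni');
    if (buf == NULL) {
        DbgPrint("Failed alloc memory failed \n");
        return NULL;
    }

    /* Second query fills the buffer. */
    status = NtQuerySystemInformation(SystemModuleInformation, buf, size, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("failed query\n");
        ExFreePool(buf); /* the original listing leaked buf on this path */
        return NULL;
    }

    /* Skip the leading count. The first entry is taken to be the kernel image
     * itself (hence the Ntosknl names) -- confirm against the target kernel. */
    module = (PSYSTEM_MODULE_INFORMATION)(buf + 1);
    NtosknlBase = (ULONG)module->Base;
    NtosknlEndAddr = NtosknlBase + module->Size;

    /* Everything needed has been copied out; release the buffer before scanning. */
    ExFreePool(buf);
    buf = NULL;
    module = NULL;

    /* Each comparison reads 16 bytes, so the last candidate start is end - 16.
     * The original loop ran `i <= end` and read up to 15 bytes past the image. */
    if (NtosknlEndAddr - NtosknlBase < 16) {
        return NULL;
    }
    LastStart = NtosknlEndAddr - 16;

    /* Brute-force search of the image.
     * NOTE(review): this assumes every page of the image is resident; a section
     * discarded after boot would fault. Guarding each 16-byte window with
     * MmIsAddressValid would avoid that -- confirm against the target kernel. */
    for (i = NtosknlBase; i <= LastStart; i++) {
        if (*(ULONG *)i == code1_sp2 &&
            *(ULONG *)(i + 4) == code2_sp2 &&
            *(ULONG *)(i + 8) == code3_sp2 &&
            *(ULONG *)(i + 12) == code4_sp2) {
            DbgPrint("Adress is:%x", i);
            return (PVOID)i;
        }
    }
    return NULL;
}

/*
 * Verify that FuncAddress points at the expected (unpatched) prologue.
 * Prints each byte examined. Returns STATUS_SUCCESS on a match and
 * STATUS_UNSUCCESSFUL otherwise, including when FuncAddress is NULL
 * (the original listing dereferenced it unconditionally).
 */
NTSTATUS CheckFuncIsHook(VOID)
{
    const unsigned char *addr = (const unsigned char *)FuncAddress;
    int i = 0;

    if (addr == NULL) {
        return STATUS_UNSUCCESSFUL;
    }
    for (i = 0; i < HOOK_LEN; i++) {
        DbgPrint("0x%02X", addr[i]);
        if (addr[i] != FUNC_PROLOGUE[i]) {
            return STATUS_UNSUCCESSFUL;
        }
    }
    return STATUS_SUCCESS;
}

/*
 * Hook body, called by T_MyFunc with the hooked function's arguments.
 * Returns 1, which T_MyFunc treats as "do not run the original"; any other
 * value lets the original run. As written it always returns 1, so while the
 * hook is installed the original function is never reached.
 * Explicitly __stdcall: T_MyFunc's hand-written `call` does not pop the
 * arguments, so this must not depend on the build's default convention (/Gz).
 */
int __stdcall MyFunc(PEPROCESS Process, NTSTATUS ExitStatus)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ExitStatus);
    DbgPrint("MyFunc hello\n");
    return 1;
}

/*
 * Trampoline that the patched prologue jumps to. Naked: the body is the
 * hand-written frame below and nothing else. It re-creates the prologue the
 * patch overwrote (mov edi,edi / push ebp / mov ebp,esp) so that jumping to
 * Func+5 lands in the original function with a valid frame.
 * When the original is skipped, the caller receives MyFunc's result in eax.
 */
__declspec(naked) NTSTATUS __stdcall T_MyFunc(PEPROCESS Process, NTSTATUS ExitStatus)
{
    __asm {
        mov edi, edi
        push ebp
        mov ebp, esp
        // re-push the caller's two arguments for MyFunc (stdcall: MyFunc pops them)
        push dword ptr [ebp+0ch]
        push dword ptr [ebp+8]
        call MyFunc
        cmp eax, 1
        jz skip_original
        // continue in the original function just past the patched bytes
        mov eax, FuncAddress
        add eax, HOOK_LEN
        jmp eax
skip_original:
        // unwind our frame and return to the caller, discarding its two arguments
        pop ebp
        retn 8
    }
}

/*
 * Install the hook: write `jmp T_MyFunc` over the first five bytes of FuncAddress.
 * Raises to DISPATCH_LEVEL and clears CR0.WP around the write (same order as
 * DriverUnload; the original installed with cli before raising IRQL).
 * Does nothing if FuncAddress was never resolved.
 */
VOID InlineHookFunc(VOID)
{
    LONG jmpoffset = 0;
    unsigned char jmpcode[HOOK_LEN] = { 0xe9, 0x00, 0x00, 0x00, 0x00 };
    KIRQL oldIrql = 0;

    if (FuncAddress == NULL) {
        DbgPrint("Func not found\n");
        return;
    }
    DbgPrint("Func is found at:0x%08x\n", (ULONG)FuncAddress);
    DbgPrint("T_myfunc is:%x\n", (ULONG)T_MyFunc);

    /* rel32 is measured from the end of the 5-byte jmp. */
    jmpoffset = (LONG)((char *)T_MyFunc - (char *)FuncAddress - HOOK_LEN);
    DbgPrint("Jmpoffset is:%x\n", jmpoffset);
    RtlCopyMemory(jmpcode + 1, &jmpoffset, sizeof jmpoffset);

    oldIrql = KeRaiseIrqlToDpcLevel();
    __asm {
        cli
        mov eax, cr0
        and eax, not 10000h   // clear CR0.WP so the kernel text page is writable
        mov cr0, eax
    }
    RtlCopyMemory((PVOID)FuncAddress, jmpcode, HOOK_LEN);
    __asm {
        mov eax, cr0
        or eax, 10000h        // restore CR0.WP
        mov cr0, eax
        sti
    }
    KeLowerIrql(oldIrql);

    DbgPrint("funcaddress is hooks now \n");
}

/*
 * Unload routine: restore the original prologue bytes over the jmp.
 * The half-second delay before restoring presumably gives calls already
 * diverted through T_MyFunc time to finish -- it is not a guarantee.
 * Same CR0.WP / IRQL sequence as InlineHookFunc.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    KIRQL oldIrql = 0;
    LARGE_INTEGER delay = { 0 };

    UNREFERENCED_PARAMETER(pDriverObject);

    if (FuncAddress == NULL) {
        /* nothing was patched */
        DbgPrint("Goodbye driver\n");
        return;
    }

    delay.QuadPart = -5000000; /* relative, 100 ns units: 0.5 s */
    KeDelayExecutionThread(KernelMode, TRUE, &delay);

    oldIrql = KeRaiseIrqlToDpcLevel();
    __asm {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    RtlCopyMemory((PVOID)FuncAddress, FUNC_PROLOGUE, HOOK_LEN);
    __asm {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
    KeLowerIrql(oldIrql);

    DbgPrint("Goodbye driver\n");
}

/*
 * Driver entry: resolve the target, verify its prologue, install the hook
 * and register DriverUnload. Returns STATUS_UNSUCCESSFUL (and leaves nothing
 * patched) if the target is not found or its first bytes are not the
 * expected prologue.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegPath)
{
    UNREFERENCED_PARAMETER(pRegPath);

    /* non-exported function: signature scan */
    FuncAddress = (FUNCDEFINE)GetFunctionAddressFromKernelMemory();
    /* exported function: resolve by name instead */
    /* FuncAddress = (FUNCDEFINE)GetFunctionAddr(L"FuncName"); */

    if (STATUS_SUCCESS != CheckFuncIsHook()) {
        DbgPrint("Func Match Failed!");
        return STATUS_UNSUCCESSFUL;
    }

    InlineHookFunc();
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}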

Inline hook (ring 0)
