Talking about hookport.sys
Author: ggdd
Date: 2011-01-09 01:26:52
Link: http://bbs.pediy.com/showthread.php?t=127820
I saw an article about the 360 HOOK framework on the forum a few days ago, and it was well written. In fact, many people use hookport.sys, and a teacher has already written a detailed series of articles about it. I am a beginner, so this is just some popular-science material for newbies like me who are still growing up. This article mainly introduces some of the sharper tricks in 360's hook; for the individual functions you can search online for the teacher's articles. hookport.sys is really just a framework.
Highlight 1: Hooking KiFastCallEntry, the fast system call (SYSENTER) entry
In other words, every system call eventually passes through KiFastCallEntry.
Let's take a look at the key code of the KiFastCallEntry function:
8054257d 8bb324010000   mov esi, dword ptr [ebx+124h]      // esi = CurrentThread (KTHREAD)
80542583 ff33           push dword ptr [ebx]
80542585 c703ffffffff   mov dword ptr [ebx], 0FFFFFFFFh
8054258b 8b6e18         mov ebp, dword ptr [esi+18h]
8054258e 6a01           push 1
80542590 83ec48         sub esp, 48h
80542593 81ed9c020000   sub ebp, 29Ch
80542599 c6864001000001 mov byte ptr [esi+140h], 1
805425a0 3bec           cmp ebp, esp
805425a2 758d           jne nt!KiFastCallEntry2+0x49 (80542531)
805425a4 83652c00       and dword ptr [ebp+2Ch], 0
805425a8 f6462cff       test byte ptr [esi+2Ch], 0FFh
805425ac 89ae34010000   mov dword ptr [esi+134h], ebp
805425b2 0f8538feffff   jne nt!Dr_FastCallDrSave (805423f0)
805425b8 8b5d60         mov ebx, dword ptr [ebp+60h]
805425bb 8b7d68         mov edi, dword ptr [ebp+68h]
805425be 89550c         mov dword ptr [ebp+0Ch], edx
805425c1 c74508000ddbba mov dword ptr [ebp+8], 0BADB0D00h
805425c8 895d00         mov dword ptr [ebp], ebx
805425cb 897d04         mov dword ptr [ebp+4], edi
805425ce fb             sti
805425cf 8bf8           mov edi, eax                       // eax = system call number (SSDT index)
805425d1 c1ef08         shr edi, 8                         // divide by 256
805425d4 83e730         and edi, 30h                       // result is 0 or 10h: selects SSDT or SSDT Shadow
805425d7 8bcf           mov ecx, edi
805425d9 03bee0000000   add edi, dword ptr [esi+0E0h]      // edi = KTHREAD->ServiceTable + selector: the descriptor of the service table used by the current thread
805425df 8bd8           mov ebx, eax                       // ebx = system call number
805425e1 25ff0f0000     and eax, 0FFFh                     // eax = index within the table
805425e6 3b4708         cmp eax, dword ptr [edi+8]         // compare against the table's Limit
805425e9 0f8333fdffff   jae nt!KiBBTUnexpectedRange (80542322)
805425ef 83f910         cmp ecx, 10h                       // SSDT or SSDT Shadow?
805425f2 751b           jne nt!KiFastCallEntry+0xcf (8054260f)
805425f4 648b0d18000000 mov ecx, dword ptr fs:[18h]
805425fb 33db           xor ebx, ebx
805425fd 0b99700f0000   or ebx, dword ptr [ecx+0F70h]
80542603 740a           je nt!KiFastCallEntry+0xcf (8054260f)
80542605 52             push edx
80542606 50             push eax
80542607 ff1548d75580   call dword ptr [nt!KeGdiFlushUserBatch (8055d748)]
8054260d 58             pop eax
8054260e 5a             pop edx
8054260f 64ff0538060000 inc dword ptr fs:[638h]            // system call counter
80542616 8bf2           mov esi, edx
80542618 8b5f0c         mov ebx, dword ptr [edi+0Ch]       // ebx = argument byte-count table
8054261b 33c9           xor ecx, ecx
8054261d 8a0c18         mov cl, byte ptr [eax+ebx]         // cl = argument bytes for this service
80542620 8b3f           mov edi, dword ptr [edi]           // edi = service table base
80542622 8b1c87         mov ebx, dword ptr [edi+eax*4]     // ebx = address of the system service routine
80542625 e9d69c8d09     jmp 89e1c300                       // This is the 360 hook; this is the highlight of 360's approach.
At this point EDI = address of the service table, EBX = address of the system service routine, and EAX = system call index. With all of these already sitting in registers, the hook saves itself a lot of trouble.
8054262a 8bfc mov edi, esp
8054262c 3b3534315680 cmp &
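To make the dispatch arithmetic in the listing above concrete, here is an added example in C. It is not code from the original post or from hookport.sys; it models the KSERVICE_TABLE_DESCRIPTOR layout that KiFastCallEntry reads (Base at +0, Count at +4, Limit at +8, Number at +0Ch), replays the selector and index computation for a given EAX, and adds the SSDT integrity check that anti-rootkit tools typically run. All table contents, routine addresses and image ranges are constructed sample values.

```c
/* Model of the service-table dispatch that KiFastCallEntry performs on
 * 32-bit Windows XP, as read off the listing above. All addresses and
 * table contents below are constructed sample values, not real kernel data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field order matches the offsets the listing reads:
 * [edi] = Base, [edi+4] = Count, [edi+8] = Limit, [edi+0Ch] = Number */
typedef struct {
    const uint32_t *Base;   /* service routine addresses, indexed by call number */
    uint32_t       *Count;  /* per-service counters (checked builds only, unused here) */
    uint32_t        Limit;  /* number of entries; eax is compared against this */
    const uint8_t  *Number; /* argument byte count per service (loaded into cl) */
} KSERVICE_TABLE_DESCRIPTOR;

/* KTHREAD->ServiceTable points at an array of descriptors, each 16 bytes:
 * selector 0 -> SSDT, selector 10h -> SSDT Shadow (win32k services). */
typedef struct {
    KSERVICE_TABLE_DESCRIPTOR ssdt;
    KSERVICE_TABLE_DESCRIPTOR shadow;
} SERVICE_TABLES;

typedef struct {
    int      table;     /* 0 = SSDT, 1 = SSDT Shadow */
    uint32_t index;     /* eax & 0FFFh */
    uint32_t routine;   /* [Base + index*4] */
    uint8_t  arg_bytes; /* Number[index] */
} DISPATCH;

/* Replays the register arithmetic from the listing for one call number. */
bool resolve_syscall(const SERVICE_TABLES *tables, uint32_t eax, DISPATCH *out)
{
    uint32_t sel = (eax >> 8) & 0x30;   /* shr edi,8 ; and edi,30h */
    uint32_t idx = eax & 0xFFF;         /* and eax,0FFFh */
    const KSERVICE_TABLE_DESCRIPTOR *t;

    if (sel == 0x00)      t = &tables->ssdt;
    else if (sel == 0x10) t = &tables->shadow;   /* cmp ecx,10h */
    else return false;  /* 20h/30h: slots this model does not populate (real kernel: Limit 0) */

    if (idx >= t->Limit)  /* cmp eax,[edi+8] ; jae KiBBTUnexpectedRange */
        return false;

    out->table     = sel ? 1 : 0;
    out->index     = idx;
    out->arg_bytes = t->Number[idx];   /* mov ebx,[edi+0Ch] ; mov cl,[eax+ebx] */
    out->routine   = t->Base[idx];     /* mov edi,[edi] ; mov ebx,[edi+eax*4] */
    return true;
}

/* The classic anti-rootkit SSDT check: count entries whose routine lies
 * outside the image that should own the table (ntoskrnl for the SSDT,
 * win32k for the shadow). Returns the number of suspicious entries. */
int count_out_of_image(const KSERVICE_TABLE_DESCRIPTOR *t, uint32_t lo, uint32_t hi)
{
    int n = 0;
    for (uint32_t i = 0; i < t->Limit; i++)
        if (t->Base[i] < lo || t->Base[i] >= hi)
            n++;
    return n;
}

/* Constructed sample tables. Entry 2 of the SSDT deliberately points
 * outside the (also constructed) ntoskrnl range to exercise the check. */
static const uint32_t ssdt_base[4]     = { 0x80501000, 0x80502000, 0x8A000000, 0x80503000 };
static const uint8_t  ssdt_number[4]   = { 0x0C, 0x20, 0x08, 0x04 };
static const uint32_t shadow_base[2]   = { 0xBF801000, 0xBF802000 };
static const uint8_t  shadow_number[2] = { 0x10, 0x18 };

const SERVICE_TABLES *sample_tables(void)
{
    static const SERVICE_TABLES t = {
        { ssdt_base,   NULL, 4, ssdt_number },
        { shadow_base, NULL, 2, shadow_number },
    };
    return &t;
}

/* Scalar helpers so the result of a dispatch can be checked directly. */
uint32_t resolved_routine(const SERVICE_TABLES *tables, uint32_t eax)
{
    DISPATCH d;
    return resolve_syscall(tables, eax, &d) ? d.routine : 0;
}

int resolved_table(const SERVICE_TABLES *tables, uint32_t eax)
{
    DISPATCH d;
    return resolve_syscall(tables, eax, &d) ? d.table : -1;
}

int main(void)
{
    const SERVICE_TABLES *t = sample_tables();
    uint32_t calls[] = { 0x0002, 0x1001, 0x0FFF, 0x2000 };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++) {
        DISPATCH d;
        if (resolve_syscall(t, calls[i], &d))
            printf("eax=%04x -> table %d idx %u routine %08x args %u bytes\n",
                   calls[i], d.table, d.index, d.routine, d.arg_bytes);
        else
            printf("eax=%04x -> rejected (KiBBTUnexpectedRange)\n", calls[i]);
    }
    printf("SSDT entries outside ntoskrnl range: %d\n",
           count_out_of_image(&t->ssdt, 0x80400000, 0x80800000));
    return 0;
}
```

Note the caveat this model makes visible: the hook described in the post lives in the jmp at the end of KiFastCallEntry and never touches the tables, so count_out_of_image reports nothing for it. A check that wants to catch this style of hook has to compare the code bytes of KiFastCallEntry itself against the on-disk ntoskrnl image, not just validate the SSDT entries.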