On the hook chain problem in host monitoring

Source: Internet
Author: User
Tags: ssdt

The operating system drives its various actions through events and message passing. To watch what is happening on a system, a monitor has to observe the behaviour an intruder produces: privilege changes, process creation and termination, network connection changes, file reads and writes, registry changes, driver loading, remote thread injection, and so on.

How are these system behaviours monitored? Before the code that performs an action runs, the monitor inserts its own code in front of it. That code checks where the request came from: if it is of no interest, the call is passed straight on to the original routine; if it is of interest, the monitor runs its own logic first and then decides whether to pass the call on to the original routine or to return directly. This process is what we usually call a hook.

Hook (钩子 in Chinese) comes in many technical varieties: IAT hook, EAT hook, SSDT hook, Shadow SSDT hook, IDT hook, IRP hook, SPI hook, TDI hook, inline hook, and so on. Hook-based monitoring is very powerful, and the same mechanism cuts both ways: a Trojan that hooks keyboard input can record your keystrokes and steal your account name and password.

For security reasons operating systems are divided into privilege levels; the common distinction is between user mode and kernel mode (as on Windows). Every request to enter the kernel from user mode is dispatched through the System Service Descriptor Table (SSDT), which is the gate to the system's highest privileges, so the SSDT hook has been the choice of many anti-virus and monitoring products. The SSDT (KeServiceDescriptorTable) is a table of function pointers: each system service number indexes the address of the kernel routine (NtCreateProcess, NtOpenFile and so on) that implements that service. Hooking it means saving the pointer found in a slot, writing the address of one's own driver routine into the slot in its place, and so gaining the right to run before the original routine. One caveat for practitioners: on 64-bit Windows, Kernel Patch Protection (PatchGuard) treats a modified SSDT as a kernel patch and bugchecks the machine, so this technique belongs to 32-bit and legacy systems; the supported kernel callbacks (PsSetCreateProcessNotifyRoutine, CmRegisterCallback, ObRegisterCallbacks, file system minifilters) are the sanctioned replacement.

How to install a hook is not the focus of this article. The focus is what happens when many hooks are hung on the same point, which creates some security problems.

The problem:

The following figure shows the call path for an operation requested by a user program. When a user program needs to create a process, the request enters the kernel as a system service; the service number indexes a slot in the SSDT, and the function pointer in that slot gives the actual location of the kernel routine that does the work.

When we want to monitor this create action, we hang a hook on the slot in that function table. If another product also wants to monitor the action, it hangs its hook on the same slot. Note that the second hook is hung in front of the first: when a hooker reads the pointer in the slot, it cannot tell whether the address is the original kernel routine or somebody else's hook, so it generally just saves whatever it finds and overwrites the slot with its own address. A third, a fourth ... and so on, until a "hook chain" forms, as shown in the diagram: each hook calls the pointer it saved at install time, and the most recently installed hook runs first.
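The following is an added example, not code from the original article, that simulates in user mode the SSDT hooking procedure described above (save the slot's pointer, overwrite it with your own) and the hook chain that results when two independent monitors, A and B, hook the same slot. The "SSDT" is a plain array of function pointers, the "kernel routine" is an ordinary C function, and all names (svc_create_process, hook_a, hook_b, install, uninstall) are invented for the illustration. It also shows what the described procedure implies when hooks are removed the same way they were installed: a hook that writes back the pointer it saved drops everyone who hooked after it, and the last one out can leave the slot pointing at code that is no longer there.

```c
#include <stdio.h>
#include <string.h>

/* Added example: user-mode simulation of an SSDT hook chain. Nothing here
 * touches a real kernel; the table, service and hooks are all stand-ins. */

#define TRACE_CAP 64
typedef int (*svc_fn)(const char *image, char *trace);

static void append(char *trace, const char *s) {
    strncat(trace, s, TRACE_CAP - strlen(trace) - 1);
}

/* Stand-in for the real service routine ntoskrnl would run (e.g. NtCreateProcess). */
static int svc_create_process(const char *image, char *trace) {
    (void)image;
    append(trace, "kernel");
    return 0;
}

#define IDX_CREATE_PROCESS 0
static svc_fn ssdt[1];            /* simulated KeServiceDescriptorTable, one slot */

/* Each hooker keeps the pointer it found in the slot and calls it afterwards.
 * It has no way to tell whether that pointer is the kernel or another hook. */
static svc_fn a_next, b_next;

static int hook_a(const char *image, char *trace) {
    append(trace, "A>");          /* A's inspection logic would run here */
    return a_next(image, trace);  /* then pass the call down the chain */
}
static int hook_b(const char *image, char *trace) {
    append(trace, "B>");
    return b_next(image, trace);
}

/* The hooking procedure from the article: remember what is in the slot,
 * then put our own address in front of it. */
static void install(svc_fn hook, svc_fn *saved) {
    *saved = ssdt[IDX_CREATE_PROCESS];
    ssdt[IDX_CREATE_PROCESS] = hook;
}

/* The matching naive unhook: write back the pointer we saved at install time. */
static void uninstall(svc_fn saved) {
    ssdt[IDX_CREATE_PROCESS] = saved;
}

static void reset(void) {
    ssdt[IDX_CREATE_PROCESS] = svc_create_process;
    a_next = b_next = NULL;
}

/* Simulated syscall: dispatch through the table and report who ran, in order. */
static const char *dispatch(void) {
    static char trace[TRACE_CAP];
    trace[0] = '\0';
    ssdt[IDX_CREATE_PROCESS]("notepad.exe", trace);
    return trace;
}

/* A hooks first, B hooks after: B sits in front of A and runs first. */
const char *demo_chain(void) {
    reset();
    install(hook_a, &a_next);
    install(hook_b, &b_next);
    return dispatch();            /* "B>A>kernel" */
}

/* A unloads and restores the pointer it saved: B is silently unhooked. */
const char *demo_a_unhooks_first(void) {
    reset();
    install(hook_a, &a_next);
    install(hook_b, &b_next);
    uninstall(a_next);            /* A writes the kernel address back */
    return dispatch();            /* "kernel": B never sees the call */
}

/* A unloads, then B unloads. B restores the pointer it saved, which is hook_a.
 * In a real system A's driver image is gone, so the slot now dangles. */
int demo_slot_dangles_after_both_unload(void) {
    reset();
    install(hook_a, &a_next);
    install(hook_b, &b_next);
    uninstall(a_next);
    uninstall(b_next);
    return ssdt[IDX_CREATE_PROCESS] == hook_a;   /* 1: slot points into unloaded A */
}

int main(void) {
    printf("chain:            %s\n", demo_chain());
    printf("A unhooks first:  %s\n", demo_a_unhooks_first());
    printf("dangling slot:    %d\n", demo_slot_dangles_after_both_unload());
    return 0;
}
```

Two properties of the chain follow directly from the install procedure and are what the simulation makes visible: whoever hooks last runs first, so a later-loaded component (including malware) sits in front of an earlier-loaded monitor; and because no hooker knows whether its saved pointer is the kernel or a neighbour, restoring it on unload either bypasses the hooks installed later or leaves the table pointing at an address whose code has been unloaded.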
