所有种类的钩子,用户层的APIHOOK,内核驱动层的SSDT-hook，IDT-hook，sysenter-hook.zip

共25个文件

h：3个

c：3个

obj：2个

版权申诉

hook

ssdt

5星 · 超过95%的资源 31 浏览量 2021-01-27 15:17:51 上传评论收藏 113KB ZIP 举报

在IT领域，"钩子"（Hook）是一种技术，它允许开发者拦截并处理特定系统事件或函数调用，以便在程序执行过程中插入自定义的行为。本压缩包包含的资源涉及了用户层API Hook、内核驱动层的SSDT（System Service Dispatch Table）Hook、IDT（Interrupt Descriptor Table）Hook以及sysenter Hook，这些都是Windows操作系统中实现系统级控制的关键技术。用户层API Hook是针对应用程序编程接口（API）的拦截。开发者可以创建一个钩子函数，替换掉原始API，当API被调用时，先执行钩子函数，然后才执行原函数。这种方式常用于调试、监控、性能分析和恶意软件中，以改变或扩展系统功能。内核层的SSDT Hook则更加深入。SSDT是Windows内核用于调度系统服务的表，当用户模式的应用程序请求服务时，这些服务会通过SSDT映射到相应的内核函数。通过挂钩SSDT，开发者可以直接修改系统服务的行为，这在驱动开发中常见，用于实现自定义的服务处理。但请注意，这种操作风险较高，可能导致系统不稳定甚至崩溃。 IDT Hook涉及到中断处理。IDT是操作系统用来管理硬件中断和软件异常的表。通过挂钩IDT，开发者可以劫持特定中断或异常的处理流程，例如，可以拦截键盘输入，改变其行为，或者对特定错误进行自定义处理。这种技术通常用于高级调试和安全防御。 sysenter Hook是x86架构中快速进入内核模式的一种机制。相比于传统的中断方式（int 2Eh），sysenter提供了一条更快的路径。对sysenter的hook可以改变系统调用的执行流程，对于性能敏感的系统或安全研究有重要意义。压缩包中的"README"文件可能包含了关于如何使用这些钩子技术的说明，"Sys"、"Exe"和"Bin"文件可能是示例代码、驱动程序或工具，帮助理解并实践这些概念。使用这些资源时，应确保了解相关风险，并在适当的环境中进行，避免对生产系统造成影响。熟悉和掌握这些钩子技术，对于深入理解Windows操作系统的底层机制以及开发高级系统应用具有重要意义。

资源推荐

资源详情

资源评论

收起资源包目录

所有种类的钩子,用户层的API HOOK,内核层的SSDT-hook，IDT-hook，sysenter-hook.zip （25个子文件）

README 3KB

Sys

buildfre.wrn 2KB

SOURCES 83B

buildfre.log 5KB

obj

_objects.mac 466B

MAKEFILE 267B

rk_interrupt.h 3KB

ioctlcmd.h 502B

objfre

i386

basic.obj 50KB

rk_interrupt.obj 53KB

i386

strace.pdb 145KB

rk_interrupt.c 5KB

basic.c 6KB

Exe

Exe.bbs 59B

Instdrv.cpp 9KB

strace.c 2KB

strace.cpp 7KB

Exe.plg 1KB

Exe.dsw 529B

Instdrv.h 191B

Exe.dsp 4KB

Exe.ncb 49KB

Exe.opt 49KB

Bin

strace.sys 5KB

strace.exe 44KB

#include "ntddk.h" #include "stdarg.h" #include "stdio.h" #include "ntiologc.h" #include "rk_interrupt.h" #include "ioctlcmd.h" void GetProcessNameOffset() { PEPROCESS curproc; int i; curproc = PsGetCurrentProcess(); for( i = 0; i < 3*PAGE_SIZE; i++ ) { if( !strncmp( "System", (PCHAR) curproc + i, strlen("System") )) { gProcessNameOffset = i; } } } NTSTATUS OnStubDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { PIO_STACK_LOCATION irpStack; PVOID inputBuffer; PVOID outputBuffer; ULONG inputBufferLength; ULONG outputBufferLength; ULONG ioControlCode; NTSTATUS ntstatus; UNICODE_STRING deviceLinkUnicodeString; DbgPrint("sTrace: OnStubDispatch called.\n"); // // Go ahead and set the request up as successful // ntstatus = Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; // // Get a pointer to the current location in the Irp. This is where // the function codes and parameters are located. // irpStack = IoGetCurrentIrpStackLocation (Irp); // // Get the pointer to the input/output buffer and its length // inputBuffer = Irp->AssociatedIrp.SystemBuffer; inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength; outputBuffer = Irp->AssociatedIrp.SystemBuffer; outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength; ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode; switch (irpStack->MajorFunction) { case IRP_MJ_CREATE: DbgPrint("sTrace: IRP_MJ_CREATE entered.\n"); break; case IRP_MJ_SHUTDOWN: DbgPrint("sTrace: IRP_MJ_SHUTDOWN entered.\n"); RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer ); IoDeleteSymbolicLink( &deviceLinkUnicodeString ); // Delete the device object // IoDeleteDevice( DeviceObject ); break; case IRP_MJ_CLOSE: DbgPrint("sTrace: IRP_MJ_CLOSE entered.\n"); break; case IRP_MJ_DEVICE_CONTROL: DbgPrint("sTrace: IRP_MJ_DEVICE_CONTROL entered.\n"); if(IOCTL_TRANSFER_TYPE(ioControlCode) == METHOD_NEITHER) { outputBuffer = Irp->UserBuffer; } // Its a request from rootkit ntstatus = sTraceDeviceControl( irpStack->FileObject, TRUE, inputBuffer, inputBufferLength, outputBuffer, outputBufferLength, ioControlCode, &Irp->IoStatus, DeviceObject ); break; } IoCompleteRequest( Irp, IO_NO_INCREMENT ); return ntstatus; } NTSTATUS sTraceDeviceControl( IN PFILE_OBJECT FileObject, IN BOOLEAN Wait, IN PVOID InputBuffer, IN ULONG InputBufferLength, OUT PVOID OutputBuffer, IN ULONG OutputBufferLength, IN ULONG IoControlCode, OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) { NTSTATUS ntStatus; // UNICODE_STRING deviceLinkUnicodeString; DbgPrint("sTrace: sTraceDeviceControl called.\n"); IoStatus->Status = STATUS_SUCCESS; IoStatus->Information = 0; switch ( IoControlCode ) { case IOCTL_STRACE_INIT: DbgPrint("sTrace: IOCTL_STRACE_INIT entered.\n"); if ((InputBufferLength < sizeof(int) * 2) || (InputBuffer == NULL)) { IoStatus->Status = STATUS_INVALID_BUFFER_SIZE; break; } gProcessID = (ULONG) (*(ULONG *)InputBuffer); gSyscallLimit = (ULONG) (*((ULONG *)InputBuffer+1)); break; case IOCTL_GET_SYSCALL_NUM: DbgPrint("sTrace: IOCTL_GET_SYSCALL_NUM entered.\n"); if ((OutputBufferLength < sizeof(DWORD)) || (OutputBuffer == NULL)) { IoStatus->Status = STATUS_INVALID_BUFFER_SIZE; break; } *(DWORD *)OutputBuffer = KeServiceDescriptorTable.NumberOfServices; IoStatus->Information = sizeof(DWORD); break; case IOCTL_REPORT_SYSCALL_NAMES: DbgPrint("sTrace: IOCTL_REPORT_SYSCALL_NAMES entered.\n"); // Table already initialized. Reboot if you just installed a service pack. if (name_array != NULL) { break; } if ((InputBufferLength < KeServiceDescriptorTable.NumberOfServices*FUNC_NAME_LEN) || (InputBuffer == NULL)) { IoStatus->Status = STATUS_INVALID_BUFFER_SIZE; break; } name_array = (char *)ExAllocatePool(NonPagedPool, KeServiceDescriptorTable.NumberOfServices*FUNC_NAME_LEN); if (name_array == NULL) { IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES; break; } RtlCopyMemory(name_array, InputBuffer, KeServiceDescriptorTable.NumberOfServices*FUNC_NAME_LEN); break; default: DbgPrint("sTrace: Default entered = INVALID_DEVICE_REQUEST.\n"); IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST; break; } return IoStatus->Status; } VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("sTrace: OnUnload called.\n"); UnhookInterrupts(); } NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { int i; NTSTATUS ntStatus; UNICODE_STRING deviceNameUnicodeString; UNICODE_STRING deviceLinkUnicodeString; DbgPrint("sTrace: Loading.\n"); GetProcessNameOffset(); // Setup our name and symbolic link. RtlInitUnicodeString (&deviceNameUnicodeString, deviceNameBuffer ); RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer ); // // Set up the device // ntStatus = IoCreateDevice ( theDriverObject, 0, // For driver extension &deviceNameUnicodeString, FILE_DEVICE_STRACE_TRAP, 0, FALSE, &g_StraceTrapDevice ); if( NT_SUCCESS(ntStatus)) { ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString, &deviceNameUnicodeString ); // Register a dispatch function for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) { theDriverObject->MajorFunction[i] = OnStubDispatch; } theDriverObject->DriverUnload = OnUnload; } HookInterrupts(); return STATUS_SUCCESS; }

评论收藏

内容反馈

版权申诉