Código de HookSSDT.c
•
1 gostou•13,595 visualizações
Código de HootSSDT.c utilizado para el artículo de "SSDT Hooking V2" de El lado del mal, escrito por Blackngel.
![-----[ hookSSDT.c ]----#include "ntddk.h"
typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef unsigned char BYTE;
typedef struct _SDE
{
DWORD *KiServiceTable;
DWORD unused;
DWORD nSystemCalls;
DWORD *KiArgumentTable;
}SDE, *PSDE;
typedef NTSTATUS (*ZwSetValueKeyPtr)(HANDLE key,
PUNICODE_STRING
valueName,
ZwSetValueKeyPtr oldZwSetValueKey;
DWORD *newSSDT = NULL;
DWORD oldSSDT;
__declspec(dllimport) SDE KeServiceDescriptorTable;
NTSTATUS newZwSetValueKey(HANDLE key,
PUNICODE_STRING valueName,
ULONG titleIndex,
ULONG type,
PVOID data,
ULONG dataSize) {
NTSTATUS ntStatus;
ANSI_STRING ansiString;
DbgPrint("[+]: Call to NtSetValueKey()
interceptedn");
ULONG titleIndex,
ULONG type,
PVOID data,
ULONG dataSize);
ntStatus =
RtlUnicodeStringToAnsiString(&ansiString, valueName,
TRUE);
if ( NT_SUCCESS(ntStatus) )
{
DbgPrint("[+]: Value Name = %sn",
ansiString.Buffer);
}
return ( oldZwSetValueKey(key, valueName,
titleIndex,
type, data, dataSize)
);
}](https://image.slidesharecdn.com/hookssdt-140302145838-phpapp01/85/Codigo-de-HookSSDT-c-1-320.jpg)
![DWORD GetSSDTIndex(BYTE *zwApi) {
DWORD *idxAddr;
DWORD idx;
idxAddr = ++zwApi;
idx = *idxAddr;
return idx; }
DWORD GetSystemCallTable() {
PSDE serviceDesc;
serviceDesc = &KeServiceDescriptorTable;
return(serviceDesc->KiServiceTable);
}
DWORD GetSSDTEntry(DWORD idx) {
DWORD *callTable = GetSystemCallTable();
return callTable[idx];
}
DWORD GetNumSystemCalls() {
PSDE serviceDesc;
serviceDesc = &KeServiceDescriptorTable;
return(serviceDesc->nSystemCalls);
}
DWORD HookSSDT(BYTE *zwApi, BYTE* newApi) {
PSDE serviceDesc;
DWORD nCalls = 0;
DWORD idx = 0;
DWORD i;
nCalls = GetNumSystemCalls();
newSSDT = ExAllocatePool(NonPagedPool, nCalls *
sizeof(DWORD));
if ( newSSDT == NULL )
return 1;
idx = GetSSDTIndex(zwApi);
for ( i = 0; i < nCalls; i++ )
{
if ( i == idx ) {
DbgPrint("[+]: Hooking
NtSetValueKey...");
newSSDT[i] = newApi;
oldZwSetValueKey = (ZwSetValueKeyPtr
*)GetSSDTEntry(i);
DbgPrint("[+]: Original ZwSetValueKey ->
0x%08xn",](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (9)
Destaque
Destaque (7)
Semelhante a Código de HookSSDT.c
Semelhante a Código de HookSSDT.c (12)
Mais de Chema Alonso
Mais de Chema Alonso (20)
Último
Último (20)
Código de HookSSDT.c
- 1. -----[ hookSSDT.c ]----#include "ntddk.h" typedef unsigned long DWORD; typedef unsigned short WORD; typedef unsigned char BYTE; typedef struct _SDE { DWORD *KiServiceTable; DWORD unused; DWORD nSystemCalls; DWORD *KiArgumentTable; }SDE, *PSDE; typedef NTSTATUS (*ZwSetValueKeyPtr)(HANDLE key, PUNICODE_STRING valueName, ZwSetValueKeyPtr oldZwSetValueKey; DWORD *newSSDT = NULL; DWORD oldSSDT; __declspec(dllimport) SDE KeServiceDescriptorTable; NTSTATUS newZwSetValueKey(HANDLE key, PUNICODE_STRING valueName, ULONG titleIndex, ULONG type, PVOID data, ULONG dataSize) { NTSTATUS ntStatus; ANSI_STRING ansiString; DbgPrint("[+]: Call to NtSetValueKey() interceptedn"); ULONG titleIndex, ULONG type, PVOID data, ULONG dataSize); ntStatus = RtlUnicodeStringToAnsiString(&ansiString, valueName, TRUE); if ( NT_SUCCESS(ntStatus) ) { DbgPrint("[+]: Value Name = %sn", ansiString.Buffer); } return ( oldZwSetValueKey(key, valueName, titleIndex, type, data, dataSize) ); }
- 2. DWORD GetSSDTIndex(BYTE *zwApi) { DWORD *idxAddr; DWORD idx; idxAddr = ++zwApi; idx = *idxAddr; return idx; } DWORD GetSystemCallTable() { PSDE serviceDesc; serviceDesc = &KeServiceDescriptorTable; return(serviceDesc->KiServiceTable); } DWORD GetSSDTEntry(DWORD idx) { DWORD *callTable = GetSystemCallTable(); return callTable[idx]; } DWORD GetNumSystemCalls() { PSDE serviceDesc; serviceDesc = &KeServiceDescriptorTable; return(serviceDesc->nSystemCalls); } DWORD HookSSDT(BYTE *zwApi, BYTE* newApi) { PSDE serviceDesc; DWORD nCalls = 0; DWORD idx = 0; DWORD i; nCalls = GetNumSystemCalls(); newSSDT = ExAllocatePool(NonPagedPool, nCalls * sizeof(DWORD)); if ( newSSDT == NULL ) return 1; idx = GetSSDTIndex(zwApi); for ( i = 0; i < nCalls; i++ ) { if ( i == idx ) { DbgPrint("[+]: Hooking NtSetValueKey..."); newSSDT[i] = newApi; oldZwSetValueKey = (ZwSetValueKeyPtr *)GetSSDTEntry(i); DbgPrint("[+]: Original ZwSetValueKey -> 0x%08xn",
- 3. oldZwSetValueKey); DbgPrint("[+]: SSDT(%d) -> Hooked -> 0x%08xn", i, newSSDT[i]); DbgPrint("[+]: Hooking was completed sucessfullyn"); } else } newSSDT[i] = GetSSDTEntry(i); oldSSDT = GetSystemCallTable(); serviceDesc = &KeServiceDescriptorTable; serviceDesc->KiServiceTable = newSSDT; return 0; } void UnhookSSDT() { PSDE serviceDesc; serviceDesc = &KeServiceDescriptorTable; serviceDesc->KiServiceTable = oldSSDT; ExFreePool(newSSDT); newSSDT = NULL; oldSSDT = 0; } VOID Unload(IN PDRIVER_OBJECT pDriverObject) { DbgPrint("[+]: SSDT Hooking V2 - Driver unloadedn"); UnhookSSDT(); return; } NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING regPath) { DbgPrint("[+]: SSDT Hooking V2 - Driver loadedn"); pDriverObject->DriverUnload = Unload; HookSSDT((BYTE *)ZwSetValueKey, (BYTE *)newZwSetValueKey); return STATUS_SUCCESS; } -----[ end hookSSDT.c ]----