Author:Sysnap
An inline hook modifies a few bytes at the start of a function so that a jump instruction transfers control to the hooker's own function.
An IDT hook modifies an entry in the IDT so that the handler address for a normal exception points to the hooker's own function instead.
Combining the two ideas gives the "one byte hook".
Look at the function prologue:
nt!NtOpenFile:
80579fd0 8bff mov edi,edi
80579fd2 55 push ebp
80579fd3 8bec mov ebp,esp
Doing an inline hook on this function is no problem. But here only one byte is modified, so it is not an inline hook in the usual sense.
The opcode of mov edi,edi is 8B FF. We change 8B to 0xCD.
When nt!NtOpenFile is then executed, the CPU sees the bytes 0xCD 0xFF, which decode as INT 0xFF. An interrupt (exception) is raised and control goes to the exception handler for INT 0xFF. We IDT-hook INT 0xFF, so our own function is executed.
Summary: this method bypasses many of the current inline hook detection tools, because only one byte at the start of the function is modified. In essence it is not an inline hook, because there is no jmp.
But the IDT is modified, so the handler that receives the exception can be found by dumping the IDT. Detecting IDT modifications is therefore important. The IDT is used by malware for more than the "one byte hook": keyboard logging, anti-debugging, and so on.
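As an added detection example (not from the original post), the C routine below inspects a copy of the first bytes of a hot-patchable NT function and classifies them as intact, a classic jmp inline hook, or the one-byte INT hook described above. The sample byte strings are constructed; the companion IDT-side check (verifying where vector 0xFF's handler points) is assumed to be done separately.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Expected hot-patch prologue shown in the post for nt!NtOpenFile:
 * 8B FF 55 8B EC = mov edi,edi / push ebp / mov ebp,esp */
static const uint8_t expected_prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
enum prologue_state {
    PROLOGUE_INTACT = 0, /* original bytes still in place */
    PROLOGUE_JMP_HOOK,   /* E9 rel32 written over the start: classic inline hook */
    PROLOGUE_INT_HOOK,   /* 8B replaced by CD: the "one byte hook" (CD FF = INT 0xFF) */
    PROLOGUE_UNKNOWN     /* some other modification, or too few bytes supplied */
};
struct prologue_report {
    enum prologue_state state;
    uint8_t int_vector; /* interrupt vector, valid for PROLOGUE_INT_HOOK */
    int32_t jmp_rel32;  /* jump displacement, valid for PROLOGUE_JMP_HOOK */
};

/* Classify a copy of the first bytes read from the function (needs len >= 5). */
struct prologue_report inspect_prologue(const uint8_t *code, size_t len)
{
    struct prologue_report r = { PROLOGUE_UNKNOWN, 0, 0 };
    if (len < sizeof expected_prologue)
        return r;
    if (memcmp(code, expected_prologue, sizeof expected_prologue) == 0) {
        r.state = PROLOGUE_INTACT;
    } else if (code[0] == 0xE9) {
        r.state = PROLOGUE_JMP_HOOK;
        memcpy(&r.jmp_rel32, code + 1, sizeof r.jmp_rel32);
    } else if (code[0] == 0xCD &&
               memcmp(code + 1, expected_prologue + 1, sizeof expected_prologue - 1) == 0) {
        /* Only the opcode byte changed; the old FF operand byte is now the INT vector. */
        r.state = PROLOGUE_INT_HOOK;
        r.int_vector = code[1];
    }
    return r;
}

/* Constructed sample byte strings (not real memory dumps). */
static const uint8_t sample_clean[5]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t sample_one_byte[5] = { 0xCD, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t sample_jmp[5]      = { 0xE9, 0x10, 0x00, 0x00, 0x00 };

int main(void)
{
    struct prologue_report r = inspect_prologue(sample_one_byte, sizeof sample_one_byte);
    printf("state=%d int_vector=0x%02X\n", r.state, r.int_vector); /* state=2 int_vector=0xFF */
    return 0;
}
```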