Tuesday, August 9, 2011

Hook Specials 2: An inline hook hits a BSOD for the first time

Author: emc
While debugging an inline hook I had written myself, a BSOD appeared. I then used WinDbg to debug the dump file. The information was:

PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details

I had already checked the PEB structure and the _PEB_LDR_DATA structure, but I do not understand what the information above means. I would appreciate an expert taking a look at it.

The inline hook is on ObReferenceObjectByHandle. This is the code:

#include <ntddk.h >
#include <string.h >

extern POBJECT_TYPE *PsProcessType;

// Clears CR0.WP (bit 16, 10000H) so that ring-0 writes to read-only kernel
// code pages - here the first bytes of ObReferenceObjectByHandle - are not
// faulted.  CLI comes first so no interrupt handler runs on this CPU while
// write protection is off.
//
// NOTE(review): CR0 is per-processor; only the CPU this driver happens to be
// running on is affected, other CPUs keep WP set and keep executing the
// routine that is about to be patched.  MSVC x86 inline assembly only.
void close_write_protected()
{
  //cancel write protected
  __asm
  {
    CLI           
    MOV eax, CR0     
    AND eax, NOT 10000H 
    MOV CR0, eax
  }
}

// Counterpart of close_write_protected(): sets CR0.WP (bit 16) again and
// re-enables interrupts with STI.  The order matters - WP is restored before
// interrupts are allowed back on this CPU.
//
// NOTE(review): must be paired with a preceding close_write_protected() on
// the same CPU; STI here unconditionally enables interrupts regardless of
// their state before CLI was executed.
void open_write_protected()
{
  __asm
  {
    MOV eax, CR0
    OR eax, 10000H
    MOV CR0, eax
    STI
  } 
}

//this routine unload current driver
//this routine unload current driver
/*
 * DriverUnload: removes the inline hook by writing the assumed original
 * prologue of ObReferenceObjectByHandle (mov edi,edi / push ebp / mov ebp,esp
 * = 8B FF 55 8B EC) back over its first five bytes, under the same
 * IRQL / CR0.WP / interrupt protection that DriverEntry used to install it.
 *
 * Parameter: DriverObject - unused.
 *
 * NOTE(review): the bytes are hard-coded rather than saved at install time,
 * so if the routine on the running build does not start with this
 * hot-patchable prologue the restore corrupts it.  Nothing checks whether
 * the hook is still present (call_failed also writes these bytes back and
 * never re-installs the jump).  Other CPUs are not synchronised with the
 * write.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
  KIRQL irql;

  // mov edi,edi / push ebp / mov ebp,esp - assumed original first five bytes
  unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec} ;

  irql = KeRaiseIrqlToDpcLevel() ;
  close_write_protected() ;
 
  //unload inline hook
  RtlCopyMemory(ObReferenceObjectByHandle,routine_head ,5);
 
  open_write_protected() ;
  KeLowerIrql(irql) ;

  DbgPrint(" inline hook success unload." );

  return;
}

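/*
 * Replacement body reached from my_routine in place of the patched
 * ObReferenceObjectByHandle.  The parameter list mirrors the hooked routine.
 *
 * What it does, as written:
 *   - For a process object (ObjectType == *PsProcessType) it writes the
 *     assumed original first five bytes back over ObReferenceObjectByHandle,
 *     calls the real routine, and returns WITHOUT re-installing the jump.
 *     The hook is therefore gone for good after the first process lookup,
 *     and it is removed on this CPU while other CPUs may be inside the
 *     routine - a classic source of instability for inline patches.
 *   - It then compares the string at offset 0x174 from `Object` with
 *     " notepad.exe" (case-insensitive).  On a match it overwrites *Object
 *     with (PVOID)-1 and returns 0; otherwise it returns 1.
 *   - For any other object type it returns 0 without calling the real
 *     routine, so *Object and *HandleInfo are left untouched and the caller
 *     receives no status.
 *
 * Review notes:
 *   - `Object` is the PVOID* output slot.  `(const char *) Object + 0x174`
 *     (cast binds tighter than +) indexes from the address of that slot,
 *     not from the object pointer the real routine stored into it.
 *   - 0x174 is a hard-coded, build-specific offset into the object
 *     (presumably EPROCESS.ImageFileName on the author's Windows build;
 *     not verifiable from this file).
 *   - The real routine takes a reference on the object it returns; when
 *     *Object is replaced with -1 that reference is leaked and the caller is
 *     handed an invalid pointer.  The NTSTATUS of the real call is never
 *     checked.
 *   - The int return value is discarded by my_routine.
 *
 * Changes from the posted listing: the missing opening brace of the function
 * body is restored, the unused jmp_code[] local is dropped, and `! =` is
 * written as `!=`.
 */
int call_failed(
        IN HANDLE Handle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_TYPE ObjectType,
        IN KPROCESSOR_MODE AccessMode,
        OUT PVOID *Object,
        OUT POBJECT_HANDLE_INFORMATION HandleInfo
        )
{
  KIRQL irql;

  /* mov edi,edi / push ebp / mov ebp,esp - assumed original first five
   * bytes of ObReferenceObjectByHandle (hard-coded, not saved at install
   * time; see DriverEntry). */
  unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec} ;

  if(ObjectType == *PsProcessType)   /* this object is a process */
  {
    irql = KeRaiseIrqlToDpcLevel() ;
    close_write_protected() ;

    /* remove the inline hook so the real routine can be called */
    RtlCopyMemory(ObReferenceObjectByHandle,routine_head ,5);

    ObReferenceObjectByHandle(
        Handle,
        DesiredAccess,
        ObjectType,
        AccessMode,
        Object,
        HandleInfo
      );

    open_write_protected() ;
    KeLowerIrql(irql) ;
    /* NOTE(review): the jump is not written back here, so the hook is
     * permanently removed from this point on. */

    if(_stricmp((const char *) Object+0x174," notepad.exe" ) !=0)  /* name does not match: leave the object alone */
    {
      return 1;
    }
    else
    {
      *Object = (PVOID) -1;   /* matched: the caller gets an invalid pointer */
      return 0;
    }
  }
  return 0;
}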

//jmp this routine
// Trampoline that the patched entry of ObReferenceObjectByHandle jumps to
// (DriverEntry writes a rel32 JMP to this address over its first five bytes).
//
// Because the routine is `naked`, the compiler emits no prologue, epilogue
// or return: everything executed here is the inline assembly below.
//
// NOTE(review): no return type is written, so this is an implicit-int
// declaration (pre-C99 style; MSVC accepts it with a warning).
//
// NOTE(review): after `call call_failed` there is no epilogue and no `ret`,
// so control simply runs off the end of this function into whatever the
// linker placed after it; the patched routine's caller is never returned to
// and call_failed's return value is discarded.  That, rather than the
// "PEB is paged out" notice from WinDbg, is the most likely origin of the
// BSOD.
//jmp this routine
__declspec(naked)  my_routine()
{
  __asm
  {
    // reproduce the three instructions that the jump overwrote
    mov edi,edi
    push ebp
    mov ebp,esp

    // re-push the six caller arguments for call_failed, last one first:
    // [ebp+8] is the first argument, [ebp+0x1c] the sixth
    push [ebp+0x1c]
    push [ebp+0x18]
    push [ebp+0x14]
    push [ebp+0x10]
    push [ebp+0xc]
    push [ebp+8]

    call call_failed
  }
}

//driver program entry routine
//rewrite ObReferenceObjectByHandle()  start 5 byte for jmp address to my_routine
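/*
 * DriverEntry: installs the inline hook.
 *
 * Overwrites the first five bytes of ObReferenceObjectByHandle with a rel32
 * JMP (0xE9 + 32-bit displacement) to my_routine, with IRQL raised to
 * DISPATCH_LEVEL, interrupts disabled and CR0.WP cleared for the duration of
 * the write.  Registers DriverUnload so the bytes can be written back on
 * unload.
 *
 * Parameters: DriverObject - this driver's object (DriverUnload is set on it)
 *             RegistryPath - unused
 * Returns: STATUS_SUCCESS unconditionally; nothing here can report failure.
 *
 * Review notes:
 *   - The original five bytes are not saved before being overwritten;
 *     DriverUnload and call_failed restore a hard-coded 8B FF 55 8B EC
 *     instead.  If the routine on the running build does not start with that
 *     hot-patchable prologue, the restore writes the wrong bytes.
 *   - jmp_offset is an int, so the displacement arithmetic assumes 32-bit
 *     code addresses (x86 only); subtracting two unrelated function pointers
 *     is defined by the platform, not by the C standard.
 *   - Other CPUs that may be executing the routine while its first bytes
 *     change are not synchronised with in any way.
 *   - From a detection standpoint the patch is easy to spot: the export's
 *     first byte becomes 0xE9 instead of the 0x8B 0xFF it started with, and
 *     comparing in-memory prologues of exported routines against the on-disk
 *     image reveals it.
 *
 * Change from the posted listing: the closing brace of the function body,
 * missing in the posted code, is restored.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
  int jmp_offset; //a jmp operation from current to my_routine
  KIRQL irql;
  unsigned char jmp_code[5] = {0xe9,0x00,0x00,0x00,0x00} ;   /* JMP rel32; displacement filled in below */

  DriverObject->DriverUnload = DriverUnload; //set this driver's unload routine

  irql = KeRaiseIrqlToDpcLevel() ;
  close_write_protected() ;

  //inline hook ObReferenceObjectByHandle()
  /* the displacement is relative to the end of the 5-byte JMP, hence the -5 */
  jmp_offset = (char *) my_routine - (char *) ObReferenceObjectByHandle - 5;
  RtlCopyMemory(jmp_code+1,&jmp_offset ,4);
  RtlCopyMemory(ObReferenceObjectByHandle,jmp_code ,5);

  open_write_protected() ;
  KeLowerIrql(irql) ;

  DbgPrint(" install inline hook success." );

  return STATUS_SUCCESS;
}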

Answer:

Refer to code:
