-----[ hookSSDT.c ]----#include "ntddk.h"
typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef unsigned char ...
/*
 * GetSSDTIndex: return the 32-bit value stored one byte past the start of
 * the Zw* stub that zwApi points to.
 *
 * The only thing the code establishes is *(DWORD *)(zwApi + 1). The byte
 * being skipped is presumably the opcode of the `mov eax, imm32` that opens
 * a 32-bit Zw* stub, and the returned value the imm32 service index — an
 * assumption about the target build's stub layout that is never validated
 * (no opcode check, no range check against the table size by the caller).
 * The BYTE* -> DWORD* conversion also makes this an unaligned read.
 *
 * zwApi: address of the exported kernel Zw* stub (caller casts it to BYTE*).
 * Returns: the DWORD read at zwApi + 1.
 */
DWORD GetSSDTIndex(BYTE *zwApi) {
    DWORD *idxAddr;
    DWORD idx;
    /* step past the first stub byte, then reinterpret the next four bytes */
    idxAddr = ++zwApi;
    idx = *idxAddr;
    return idx;
}
DWORD GetSys...
oldZwSetValueKey);
DbgPrint("[+]: SSDT(%d) -> Hooked ->
0x%08xn", i,
newSSDT[i]);
DbgPrint("[+]: Hooking was completed
suc...
Código de HookSSDT.c

11,669

Published on

Código de HookSSDT.c utilizado para el artículo de "SSDT Hooking V2" de El lado del mal, escrito por Blackngel.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
11,669
On Slideshare
0
From Embeds
0
Number of Embeds
50
Actions
Shares
0
Downloads
12
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Código de HookSSDT.c"

  /* -----[ hookSSDT.c ]---- */
/*
 * NOTE(review): this listing is a slide export. Backslashes inside string
 * literals appear to have been stripped ("...interceptedn" was presumably
 * "...intercepted\n"), and the parameter list of the ZwSetValueKeyPtr typedef
 * below is split: its second half shows up as a stray line inside the body of
 * newZwSetValueKey. The tokens are kept exactly as exported; only layout and
 * comments were added.
 */
#include "ntddk.h"
typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef unsigned char BYTE;
/*
 * Hand-declared view of the kernel's service descriptor entry. Field names
 * are the author's; the layout (table base, an unused slot, number of
 * services, argument table) is assumed to match the 32-bit kernel this was
 * written for and is not verified anywhere in the code.
 */
typedef struct _SDE {
    DWORD *KiServiceTable;   /* base of the system-call dispatch table */
    DWORD unused;
    DWORD nSystemCalls;      /* number of entries in KiServiceTable */
    DWORD *KiArgumentTable;
} SDE, *PSDE;
/* Pointer type for the original ZwSetValueKey; the typedef is cut here by the
 * export — the remaining parameters appear further down inside
 * newZwSetValueKey. */
typedef NTSTATUS (*ZwSetValueKeyPtr)(HANDLE key, PUNICODE_STRING valueName,
/* Saved original dispatch-table entry, filled in by HookSSDT. */
ZwSetValueKeyPtr oldZwSetValueKey;
/* Pool copy of the dispatch table that replaces the kernel's; NULL until
 * HookSSDT succeeds. */
DWORD *newSSDT = NULL;
/* Original KiServiceTable pointer, saved by HookSSDT for UnhookSSDT.
 * File-scope, so it is zero until HookSSDT reaches the save. */
DWORD oldSSDT;
/* Imported kernel export. On 32-bit kernels this symbol is exported; on x64 it
 * is not, and Kernel Patch Protection bugchecks on table modification. */
__declspec(dllimport) SDE KeServiceDescriptorTable;
/*
 * newZwSetValueKey: replacement dispatch-table entry for ZwSetValueKey.
 * Logs the call and the value name, then forwards to the saved original.
 *
 * key/valueName/titleIndex/type/data/dataSize: passed through unchanged.
 * Returns: whatever the original ZwSetValueKey returns.
 *
 * Defects visible here: RtlUnicodeStringToAnsiString is called with
 * AllocateDestinationString = TRUE, and the allocated ansiString buffer is
 * never released, so every intercepted call leaks it. valueName is passed in
 * from the caller and is only probed indirectly by the conversion routine.
 */
NTSTATUS newZwSetValueKey(HANDLE key, PUNICODE_STRING valueName, ULONG titleIndex, ULONG type, PVOID data, ULONG dataSize) {
    NTSTATUS ntStatus;
    ANSI_STRING ansiString;
    DbgPrint("[+]: Call to NtSetValueKey() interceptedn");
    /* NOTE(review): export artifact — this is the displaced tail of the
     * ZwSetValueKeyPtr typedef above, not a statement of this function. */
    ULONG titleIndex, ULONG type, PVOID data, ULONG dataSize);
    /* TRUE = allocate the ANSI buffer; nothing below frees it */
    ntStatus = RtlUnicodeStringToAnsiString(&ansiString, valueName, TRUE);
    if ( NT_SUCCESS(ntStatus) ) {
        DbgPrint("[+]: Value Name = %sn", ansiString.Buffer);
    }
    /* forward to the entry saved by HookSSDT */
    return ( oldZwSetValueKey(key, valueName, titleIndex, type, data, dataSize) );
}
  /* NOTE(review): slide-export layout; tokens kept as exported, comments added. */
/*
 * GetSSDTIndex: return the DWORD stored one byte past the start of the Zw*
 * stub at zwApi. Presumably the imm32 operand of the `mov eax, <index>` that
 * opens a 32-bit Zw* stub — never validated (no opcode check), and the result
 * is later used as a table index without a range check. Unaligned read via
 * the BYTE* -> DWORD* conversion.
 */
DWORD GetSSDTIndex(BYTE *zwApi) {
    DWORD *idxAddr;
    DWORD idx;
    idxAddr = ++zwApi;
    idx = *idxAddr;
    return idx;
}
/*
 * GetSystemCallTable: current KiServiceTable pointer of the descriptor.
 * Declared as returning DWORD although the member is DWORD*; callers convert
 * back, which only round-trips on a 32-bit kernel.
 */
DWORD GetSystemCallTable() {
    PSDE serviceDesc;
    serviceDesc = &KeServiceDescriptorTable;
    return(serviceDesc->KiServiceTable);
}
/*
 * GetSSDTEntry: entry idx of the current dispatch table. idx is not checked
 * against GetNumSystemCalls(); the integer-to-pointer conversion on the first
 * line mirrors GetSystemCallTable's return type.
 */
DWORD GetSSDTEntry(DWORD idx) {
    DWORD *callTable = GetSystemCallTable();
    return callTable[idx];
}
/* GetNumSystemCalls: nSystemCalls field of the descriptor. */
DWORD GetNumSystemCalls() {
    PSDE serviceDesc;
    serviceDesc = &KeServiceDescriptorTable;
    return(serviceDesc->nSystemCalls);
}
/*
 * HookSSDT: build a pool copy of the dispatch table with one entry replaced,
 * then point the descriptor at the copy.
 *
 * zwApi:  kernel Zw* stub whose index is taken from its second byte.
 * newApi: address written into that index of the copy.
 * Returns: 1 if the pool allocation failed (nothing modified), else 0.
 *
 * What a defender sees: after this runs, KeServiceDescriptorTable's table
 * base no longer lies inside the kernel image but in a NonPagedPool block,
 * and entry idx points outside ntoskrnl — both are what SSDT integrity
 * checks compare for. Reliability defects visible in the code: the table
 * pointer is swapped with no synchronisation against in-flight system calls
 * on other CPUs; a second call overwrites newSSDT without freeing the first
 * allocation; oldSSDT is only saved after the loop, so an early return on
 * allocation failure leaves it 0 (see UnhookSSDT); nCalls * sizeof(DWORD)
 * is not overflow-checked; the ZwSetValueKeyPtr* cast stores a pointer-to-
 * pointer type into a pointer variable (type mismatch, presumably a warning).
 */
DWORD HookSSDT(BYTE *zwApi, BYTE* newApi) {
    PSDE serviceDesc;
    DWORD nCalls = 0;
    DWORD idx = 0;
    DWORD i;
    nCalls = GetNumSystemCalls();
    /* copy of the whole table; the kernel's own table is left untouched */
    newSSDT = ExAllocatePool(NonPagedPool, nCalls * sizeof(DWORD));
    if ( newSSDT == NULL ) return 1;
    idx = GetSSDTIndex(zwApi);
    for ( i = 0; i < nCalls; i++ ) {
        if ( i == idx ) {
            DbgPrint("[+]: Hooking NtSetValueKey...");
            /* BYTE* stored into a DWORD slot: implicit pointer-to-integer */
            newSSDT[i] = newApi;
            oldZwSetValueKey = (ZwSetValueKeyPtr *)GetSSDTEntry(i);
            DbgPrint("[+]: Original ZwSetValueKey -> 0x%08xn",
                     oldZwSetValueKey);
            DbgPrint("[+]: SSDT(%d) -> Hooked -> 0x%08xn", i, newSSDT[i]);
            DbgPrint("[+]: Hooking was completed sucessfullyn");
        }
        /* NOTE(review): brace placement on the next two lines is garbled by
         * the export; the evident intent is an else-branch that copies the
         * original entry, closing the for loop afterwards. */
        else }
        newSSDT[i] = GetSSDTEntry(i);
    /* original table pointer, kept for UnhookSSDT (stored as an integer) */
    oldSSDT = GetSystemCallTable();
    serviceDesc = &KeServiceDescriptorTable;
    /* the actual hook: redirect dispatch to the pool copy */
    serviceDesc->KiServiceTable = newSSDT;
    return 0;
}
/*
 * UnhookSSDT: restore the saved table pointer and free the copy.
 *
 * Runs unconditionally from Unload. If HookSSDT returned early, oldSSDT is
 * still 0 and newSSDT is NULL, so this writes a null table base into the
 * descriptor and passes NULL to ExFreePool. Even on the success path the
 * copy is freed with no synchronisation, so a system call already
 * dispatching through it on another CPU would read freed pool.
 */
void UnhookSSDT() {
    PSDE serviceDesc;
    serviceDesc = &KeServiceDescriptorTable;
    serviceDesc->KiServiceTable = oldSSDT;
    ExFreePool(newSSDT);
    newSSDT = NULL;
    oldSSDT = 0;
}
/* Unload: DriverUnload callback; logs and calls UnhookSSDT. */
VOID Unload(IN PDRIVER_OBJECT pDriverObject) {
    DbgPrint("[+]: SSDT Hooking V2 - Driver unloadedn");
    UnhookSSDT();
    return;
}
/*
 * DriverEntry: registers Unload and installs the hook on ZwSetValueKey.
 * HookSSDT's return value is ignored, so an allocation failure still reports
 * STATUS_SUCCESS and leaves Unload to run UnhookSSDT against unset state.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING regPath) {
    DbgPrint("[+]: SSDT Hooking V2 - Driver loadedn");
    pDriverObject->DriverUnload = Unload;
    HookSSDT((BYTE *)ZwSetValueKey, (BYTE *)newZwSetValueKey);
    return STATUS_SUCCESS;
}
/* -----[ end hookSSDT.c ]---- */

×