Código de HookSSDT.c


Código de HookSSDT.c utilizado para el artículo de "SSDT Hooking V2" de El lado del mal, escrito por Blackngel.

Código de HookSSDT.c utilizado para el artículo de "SSDT Hooking V2" de El lado del mal, escrito por Blackngel.

Transcript

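  /* -----[ hookSSDT.c ]---- */
#include "ntddk.h"

typedef unsigned long  DWORD;
typedef unsigned short WORD;
typedef unsigned char  BYTE;

/*
 * KeServiceDescriptorTable as this driver reads it (x86, 32-bit layout):
 * KiServiceTable is the array of system-call entry points that HookSSDT()
 * replaces wholesale and nSystemCalls its length. The remaining members are
 * not used here.
 */
typedef struct _SDE {
    DWORD *KiServiceTable;
    DWORD  unused;
    DWORD  nSystemCalls;
    DWORD *KiArgumentTable;
} SDE, *PSDE;

/* Signature of the NtSetValueKey service being hooked; the hook forwards to it. */
typedef NTSTATUS (*ZwSetValueKeyPtr)(HANDLE key, PUNICODE_STRING valueName,
                                     ULONG titleIndex, ULONG type,
                                     PVOID data, ULONG dataSize);

ZwSetValueKeyPtr oldZwSetValueKey;   /* displaced original entry, saved by HookSSDT() */
DWORD *newSSDT = NULL;               /* our copy of KiServiceTable (non-paged pool) */
DWORD  oldSSDT;                      /* original KiServiceTable pointer, for UnhookSSDT() */

/* Exported by ntoskrnl on 32-bit builds; not exported on x64, where the table is
 * also guarded by Kernel Patch Protection, so this code is x86-only. */
__declspec(dllimport) SDE KeServiceDescriptorTable;

/*
 * Replacement for NtSetValueKey: logs the value name being written, then
 * forwards the call unchanged to the original service.
 *
 * Every argument arrives straight from the caller with no validation. When
 * the caller is user mode the pointers are untrusted and it is the original
 * service that probes them; this hook runs before that probe, so touching
 * valueName here must happen under SEH or a bad pointer bugchecks the box.
 * A fuller version would ProbeForRead() the UNICODE_STRING and its Buffer
 * when ExGetPreviousMode() == UserMode; here a faulting read is caught, the
 * log line skipped and the call still forwarded, so behaviour is otherwise
 * unchanged. Also fixes a pool leak: the ANSI buffer allocated by
 * RtlUnicodeStringToAnsiString(..., TRUE) was never released.
 */
NTSTATUS newZwSetValueKey(HANDLE key, PUNICODE_STRING valueName, ULONG titleIndex,
                          ULONG type, PVOID data, ULONG dataSize)
{
    NTSTATUS    ntStatus;
    ANSI_STRING ansiString;
    BOOLEAN     converted = FALSE;

    DbgPrint("[+]: Call to NtSetValueKey() intercepted\n");

    if (valueName != NULL) {
        __try {
            /* TRUE: the ANSI buffer is allocated from pool and must be
             * released with RtlFreeAnsiString() once printed. */
            ntStatus = RtlUnicodeStringToAnsiString(&ansiString, valueName, TRUE);
            if (NT_SUCCESS(ntStatus)) {
                converted = TRUE;
                DbgPrint("[+]: Value Name = %s\n", ansiString.Buffer);
            }
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            /* Unreadable caller-supplied string; let the real service reject it. */
            DbgPrint("[+]: Value Name unreadable (0x%08x)\n", GetExceptionCode());
        }
        if (converted) {
            RtlFreeAnsiString(&ansiString);
        }
    }

    return oldZwSetValueKey(key, valueName, titleIndex, type, data, dataSize);
}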
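  /* ---- SSDT helpers (x86 32-bit only: pointers are carried in DWORDs) ---- */

/* Pool tag for the table copy, so the allocation is attributable in !poolused / leak tracking. */
#define SSDT_POOL_TAG 'tdsS'

/*
 * Extracts the system-call index from a Zw* stub.
 * Assumes the x86 stub layout where the first byte is the opcode of
 * "mov eax, imm32" and the next four bytes are the index (hence the +1 and
 * the unaligned DWORD read). Any other stub layout (x64, a hot-patched or
 * otherwise instrumented stub) yields garbage; HookSSDT() range-checks the
 * result against the table length for that reason.
 */
DWORD GetSSDTIndex(BYTE *zwApi)
{
    DWORD *indexField = (DWORD *)(zwApi + 1);
    return *indexField;
}

/* Returns the currently installed KiServiceTable pointer, as a DWORD. */
DWORD GetSystemCallTable()
{
    return (DWORD)KeServiceDescriptorTable.KiServiceTable;
}

/* Returns the number of entries in KiServiceTable. */
DWORD GetNumSystemCalls()
{
    return KeServiceDescriptorTable.nSystemCalls;
}

/*
 * Returns entry idx of the currently installed service table.
 * Out-of-range indices return 0 instead of reading past the table.
 */
DWORD GetSSDTEntry(DWORD idx)
{
    DWORD *callTable = (DWORD *)GetSystemCallTable();

    if (idx >= GetNumSystemCalls()) {
        return 0;
    }
    return callTable[idx];
}

/*
 * Installs newApi in place of the service whose Zw* stub is zwApi.
 *
 * Instead of writing into the original table, the whole KiServiceTable is
 * copied into non-paged pool, the one entry replaced, and
 * KeServiceDescriptorTable.KiServiceTable repointed at the copy (presumably
 * to avoid having to lift write protection on the original). The original
 * pointer is kept in oldSSDT so UnhookSSDT() can restore it; the displaced
 * entry is kept in oldZwSetValueKey for the hook to forward to.
 *
 * Returns 0 on success and 1 on failure (index out of range or pool
 * exhausted). On failure nothing is changed and newSSDT stays NULL; the
 * original silently swapped in an unmodified copy when the index was out of
 * range and still reported success.
 */
DWORD HookSSDT(BYTE *zwApi, BYTE *newApi)
{
    DWORD nCalls = GetNumSystemCalls();
    DWORD idx    = GetSSDTIndex(zwApi);
    DWORD i;

    /* An index past the table means the stub was not laid out as expected. */
    if (idx >= nCalls) {
        DbgPrint("[-]: Service index %d out of range (%d entries)\n", idx, nCalls);
        return 1;
    }

    newSSDT = (DWORD *)ExAllocatePoolWithTag(NonPagedPool, nCalls * sizeof(DWORD), SSDT_POOL_TAG);
    if (newSSDT == NULL) {
        return 1;
    }

    for (i = 0; i < nCalls; i++) {
        newSSDT[i] = GetSSDTEntry(i);
    }

    DbgPrint("[+]: Hooking NtSetValueKey...");
    /* Cast fixed: the original cast to ZwSetValueKeyPtr* (pointer-to-pointer). */
    oldZwSetValueKey = (ZwSetValueKeyPtr)newSSDT[idx];
    newSSDT[idx]     = (DWORD)newApi;
    DbgPrint("[+]: Original ZwSetValueKey -> 0x%08x\n", oldZwSetValueKey);
    DbgPrint("[+]: SSDT(%d) -> Hooked -> 0x%08x\n", idx, newSSDT[idx]);
    DbgPrint("[+]: Hooking was completed sucessfully\n");

    /* The swap is a single aligned pointer store; the copy is fully built
     * before it, so dispatch on other CPUs presumably sees either the old
     * table or the complete new one. No further synchronisation is done. */
    oldSSDT = GetSystemCallTable();
    KeServiceDescriptorTable.KiServiceTable = newSSDT;
    return 0;
}

/*
 * Restores the original KiServiceTable pointer and releases the copy.
 * Now a no-op when HookSSDT() never succeeded (newSSDT == NULL): the
 * original would then have written 0 into KiServiceTable and passed NULL
 * to ExFreePool, which, unlike free(NULL), is a bugcheck.
 *
 * Known race, not fixed here: a thread that read KiServiceTable just before
 * the swap, or that is still inside newZwSetValueKey, keeps using the copy
 * after it is freed (and after the driver image is gone). There is no clean
 * way to wait that out from here; SSDT-hooking drivers usually either keep
 * the copy allocated or do not support unload at all.
 */
void UnhookSSDT()
{
    if (newSSDT == NULL) {
        return;
    }
    KeServiceDescriptorTable.KiServiceTable = (DWORD *)oldSSDT;
    ExFreePoolWithTag(newSSDT, SSDT_POOL_TAG);
    newSSDT = NULL;
    oldSSDT = 0;
}

/* DriverUnload callback: tear the hook down before the image goes away (see the race noted on UnhookSSDT). */
VOID Unload(IN PDRIVER_OBJECT pDriverObject)
{
    DbgPrint("[+]: SSDT Hooking V2 - Driver unloaded\n");
    UnhookSSDT();
}

/*
 * Driver entry point: registers Unload and installs the NtSetValueKey hook.
 * A failed hook now fails the load; the original returned STATUS_SUCCESS
 * regardless, leaving a resident driver that hooked nothing. DriverUnload is
 * not invoked for a failed DriverEntry, and there is nothing to undo anyway.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING regPath)
{
    DbgPrint("[+]: SSDT Hooking V2 - Driver loaded\n");
    pDriverObject->DriverUnload = Unload;

    if (HookSSDT((BYTE *)ZwSetValueKey, (BYTE *)newZwSetValueKey) != 0) {
        DbgPrint("[-]: SSDT Hooking V2 - hook not installed\n");
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_SUCCESS;
}
/* -----[ end hookSSDT.c ]---- */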