
Código de HookSSDT.c


Código de HookSSDT.c utilizado para el artículo de "SSDT Hooking V2" de El lado del mal, escrito por Blackngel.


Código de HookSSDT.c

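  /* -----[ hookSSDT.c ]---- */
#include "ntddk.h"

typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef unsigned char BYTE;

/*
 * System Service Descriptor Entry as the code expects it on 32-bit Windows:
 * the dispatch table pointer, an unused slot, the number of services and the
 * argument-size table. Field order must match the kernel's layout exactly,
 * since the struct is overlaid on the exported KeServiceDescriptorTable.
 */
typedef struct _SDE {
    DWORD *KiServiceTable;
    DWORD unused;
    DWORD nSystemCalls;
    DWORD *KiArgumentTable;
} SDE, *PSDE;

/*
 * Signature of NtSetValueKey/ZwSetValueKey. (The original listing had this
 * typedef split in two by the slide extraction; it is reassembled here.)
 */
typedef NTSTATUS (*ZwSetValueKeyPtr)(HANDLE key, PUNICODE_STRING valueName,
                                     ULONG titleIndex, ULONG type,
                                     PVOID data, ULONG dataSize);

ZwSetValueKeyPtr oldZwSetValueKey;   /* original dispatch target, called by the hook */
DWORD *newSSDT = NULL;               /* our NonPagedPool copy of the dispatch table */
DWORD oldSSDT;                       /* original KiServiceTable pointer, restored on unhook */

__declspec(dllimport) SDE KeServiceDescriptorTable;

/*
 * Replacement dispatch target for NtSetValueKey.
 *
 * Logs the value name being written and then forwards the unchanged
 * arguments to the saved original entry, so registry semantics are not
 * altered. Returns whatever the original NtSetValueKey returns.
 *
 * Caveats visible from the code itself:
 *  - valueName is the raw pointer the caller handed to the system service;
 *    it is dereferenced here in kernel mode without ProbeForRead/SEH, so a
 *    malformed user-mode argument can fault the kernel before the real
 *    service gets to validate it. TODO(review): probe/capture when the
 *    previous mode is UserMode.
 *  - RtlUnicodeStringToAnsiString(..., TRUE) allocates the ANSI buffer from
 *    pool; the original listing never freed it, leaking on every call.
 */
NTSTATUS newZwSetValueKey(HANDLE key, PUNICODE_STRING valueName,
                          ULONG titleIndex, ULONG type,
                          PVOID data, ULONG dataSize)
{
    NTSTATUS ntStatus;
    ANSI_STRING ansiString;

    DbgPrint("[+]: Call to NtSetValueKey() intercepted\n");

    /* A NULL valueName would crash the conversion; leave it to the real service. */
    if (valueName != NULL) {
        ntStatus = RtlUnicodeStringToAnsiString(&ansiString, valueName, TRUE);
        if (NT_SUCCESS(ntStatus)) {
            DbgPrint("[+]: Value Name = %s\n", ansiString.Buffer);
            RtlFreeAnsiString(&ansiString);   /* release the buffer allocated above */
        }
    }

    return oldZwSetValueKey(key, valueName, titleIndex, type, data, dataSize);
}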
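  /* --- SSDT helpers: 32-bit x86 layout is assumed throughout (DWORD holds a pointer) --- */

/*
 * Extract the service index from a Zw* stub.
 *
 * The code skips the first byte of the export and reads the following 32-bit
 * value, i.e. it relies on the 32-bit x86 stub shape "mov eax, <index>"
 * (one opcode byte followed by a 32-bit immediate). This does not hold on
 * other architectures, so the caller must not trust the result blindly.
 */
DWORD GetSSDTIndex(BYTE *zwApi)
{
    DWORD *idxAddr = (DWORD *)(zwApi + 1);   /* skip the 1-byte opcode */
    return *idxAddr;
}

/* Return the current KiServiceTable pointer, as a DWORD (32-bit only). */
DWORD GetSystemCallTable(void)
{
    PSDE serviceDesc = &KeServiceDescriptorTable;
    return (DWORD)serviceDesc->KiServiceTable;
}

/*
 * Read entry idx of the currently installed dispatch table.
 * Precondition: idx < GetNumSystemCalls(); no bounds check is done here.
 */
DWORD GetSSDTEntry(DWORD idx)
{
    DWORD *callTable = (DWORD *)GetSystemCallTable();
    return callTable[idx];
}

/* Number of services in the descriptor's dispatch table. */
DWORD GetNumSystemCalls(void)
{
    PSDE serviceDesc = &KeServiceDescriptorTable;
    return serviceDesc->nSystemCalls;
}

/*
 * Install the hook by swapping the whole dispatch table rather than writing
 * into the original one: a NonPagedPool copy of KiServiceTable is built, the
 * entry belonging to zwApi is replaced by newApi, and KeServiceDescriptorTable
 * is repointed at the copy. The original pointer is kept in oldSSDT and the
 * original entry in oldZwSetValueKey so UnhookSSDT() can restore them.
 *
 * Returns 0 on success, 1 when a hook is already installed, when the stub
 * did not yield an index inside the table, or when the pool allocation
 * fails. The original listing allocated before validating the index and
 * would happily install a copy in which nothing was hooked.
 */
DWORD HookSSDT(BYTE *zwApi, BYTE *newApi)
{
    PSDE serviceDesc;
    DWORD nCalls;
    DWORD idx;
    DWORD i;

    /* A second call would leak the first copy and overwrite oldSSDT with our own table. */
    if (newSSDT != NULL) {
        return 1;
    }

    nCalls = GetNumSystemCalls();
    idx = GetSSDTIndex(zwApi);
    if (idx >= nCalls) {
        return 1;   /* index from the stub is not a valid table slot */
    }

    newSSDT = ExAllocatePool(NonPagedPool, nCalls * sizeof(DWORD));
    if (newSSDT == NULL) {
        return 1;
    }

    for (i = 0; i < nCalls; i++) {
        if (i == idx) {
            DbgPrint("[+]: Hooking NtSetValueKey...");
            newSSDT[i] = (DWORD)newApi;
            /* The listing cast to (ZwSetValueKeyPtr *); the entry is the function pointer itself. */
            oldZwSetValueKey = (ZwSetValueKeyPtr)GetSSDTEntry(i);
            DbgPrint("[+]: Original ZwSetValueKey -> 0x%08x\n", oldZwSetValueKey);
            DbgPrint("[+]: SSDT(%d) -> Hooked -> 0x%08x\n", i, newSSDT[i]);
            DbgPrint("[+]: Hooking was completed sucessfully\n");
        } else {
            newSSDT[i] = GetSSDTEntry(i);
        }
    }

    oldSSDT = GetSystemCallTable();
    serviceDesc = &KeServiceDescriptorTable;
    serviceDesc->KiServiceTable = newSSDT;   /* one aligned pointer write switches dispatch */
    return 0;
}

/*
 * Restore the original KiServiceTable pointer and release our copy.
 *
 * Safe to call when no hook is installed: the original listing wrote oldSSDT
 * back unconditionally, which after a failed HookSSDT() would have installed
 * a NULL dispatch table.
 *
 * NOTE(review): nothing here waits for threads that may still be inside the
 * dispatcher reading newSSDT, or inside newZwSetValueKey; freeing the table
 * right after the swap leaves a use-after-free window on a busy system.
 */
void UnhookSSDT(void)
{
    PSDE serviceDesc;

    if (newSSDT == NULL) {
        return;
    }

    serviceDesc = &KeServiceDescriptorTable;
    serviceDesc->KiServiceTable = (DWORD *)oldSSDT;
    ExFreePool(newSSDT);
    newSSDT = NULL;
    oldSSDT = 0;
}

/* Driver unload routine: undo the hook before the image goes away. */
VOID Unload(IN PDRIVER_OBJECT pDriverObject)
{
    DbgPrint("[+]: SSDT Hooking V2 - Driver unloaded\n");
    UnhookSSDT();
}

/*
 * Driver entry point: registers Unload and installs the hook.
 *
 * The original listing ignored HookSSDT()'s return value and reported
 * STATUS_SUCCESS even when nothing was hooked; failing the load instead
 * keeps the driver state consistent with what Unload() expects.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING regPath)
{
    DbgPrint("[+]: SSDT Hooking V2 - Driver loaded\n");
    pDriverObject->DriverUnload = Unload;

    if (HookSSDT((BYTE *)ZwSetValueKey, (BYTE *)newZwSetValueKey) != 0) {
        DbgPrint("[-]: SSDT Hooking V2 - hook not installed\n");
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}
/* -----[ end hookSSDT.c ]---- */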
