-----[ hookSSDT.c ]----
#include "ntddk.h"
/* Win32-style fixed-width names used throughout this file.  Note that the
 * code below stores pointers in DWORD (see GetSystemCallTable / oldSSDT),
 * so it is 32-bit only. */
typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef unsigned char BYTE;
/* Layout this driver assumes for the exported KeServiceDescriptorTable.
 * Only KiServiceTable (the dispatch table pointer that HookSSDT replaces)
 * and nSystemCalls (its entry count) are read here; the other two fields
 * are never touched.  The field order must match the kernel's structure. */
typedef struct _SDE
{
DWORD *KiServiceTable;   /* pointer to the active system-call dispatch table */
DWORD unused;
DWORD nSystemCalls;      /* number of entries in KiServiceTable */
DWORD *KiArgumentTable;
}SDE, *PSDE;
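/* Prototype of ZwSetValueKey; used to call the saved original entry from the
 * hook.  (The extracted listing had the tail of this typedef displaced into
 * the body of newZwSetValueKey; it belongs here.) */
typedef NTSTATUS (*ZwSetValueKeyPtr)(HANDLE key,
                                     PUNICODE_STRING valueName,
                                     ULONG titleIndex,
                                     ULONG type,
                                     PVOID data,
                                     ULONG dataSize);

ZwSetValueKeyPtr oldZwSetValueKey;   /* original SSDT entry, saved by HookSSDT */
DWORD *newSSDT = NULL;               /* pool copy of the dispatch table, one entry replaced */
DWORD oldSSDT;                       /* original KiServiceTable pointer, kept as a DWORD (32-bit only) */
__declspec(dllimport) SDE KeServiceDescriptorTable;

/*
 * Replacement for NtSetValueKey.  Logs the value name being written, then
 * forwards the call unchanged to the saved original entry.
 *
 * Parameters mirror NtSetValueKey; the return value is whatever the original
 * returns.
 *
 * NOTE(review): valueName is the caller's pointer and is used here without
 * ProbeForRead/SEH.  When the system call originates in user mode an invalid
 * pointer bug-checks the machine, which is one reason hooks of this kind are
 * a stability hazard — confirm the dispatch path before relying on this.
 */
NTSTATUS newZwSetValueKey(HANDLE key,
                          PUNICODE_STRING valueName,
                          ULONG titleIndex,
                          ULONG type,
                          PVOID data,
                          ULONG dataSize) {
    NTSTATUS ntStatus;
    ANSI_STRING ansiString;

    DbgPrint("[+]: Call to NtSetValueKey() intercepted\n");

    /* AllocateDestinationString == TRUE: the ANSI buffer is pool memory and
     * must be released with RtlFreeAnsiString; the original leaked it on
     * every intercepted call. */
    ntStatus = RtlUnicodeStringToAnsiString(&ansiString, valueName, TRUE);
    if ( NT_SUCCESS(ntStatus) )
    {
        DbgPrint("[+]: Value Name = %s\n", ansiString.Buffer);
        RtlFreeAnsiString(&ansiString);
    }

    return ( oldZwSetValueKey(key, valueName, titleIndex, type, data, dataSize) );
}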
/*
 * Extract the system-call index from a Zw* stub.  Relies on the x86 stub
 * layout "mov eax, <index>": byte 0 is the opcode and bytes 1..4 hold the
 * 32-bit index, so the value is read from zwApi + 1.  x86 only; nothing is
 * validated, so a stub with a different prologue yields a meaningless index
 * (HookSSDT compares the result against the entry count).
 */
DWORD GetSSDTIndex(BYTE *zwApi) {
    DWORD *immediate = (DWORD *)(zwApi + 1);
    return *immediate;
}
/* Return KeServiceDescriptorTable.KiServiceTable, the pointer to the active
 * dispatch table, converted to a DWORD (32-bit only). */
DWORD GetSystemCallTable() {
    return (DWORD)KeServiceDescriptorTable.KiServiceTable;
}
/* Read entry idx of the active dispatch table.  No bounds check is done
 * here; callers keep idx below GetNumSystemCalls(). */
DWORD GetSSDTEntry(DWORD idx) {
    DWORD *table = (DWORD *)GetSystemCallTable();
    return *(table + idx);
}
/* Number of entries in the active dispatch table, read from
 * KeServiceDescriptorTable.nSystemCalls. */
DWORD GetNumSystemCalls() {
    return KeServiceDescriptorTable.nSystemCalls;
}
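/*
 * Install the hook: build a NonPagedPool copy of the dispatch table in which
 * the entry for zwApi's system call points at newApi, then repoint
 * KeServiceDescriptorTable.KiServiceTable at the copy.  The original table
 * pointer is kept in oldSSDT and the original entry in oldZwSetValueKey so
 * that UnhookSSDT and the hook itself can use them.
 *
 * Returns 0 on success, 1 on failure: hook already installed, pool
 * allocation failed, or the index read from zwApi is not below the entry
 * count (in which case the copy is freed and nothing is swapped).
 *
 * Detection note: after this returns, KiServiceTable points into pool memory
 * instead of the kernel image — the discrepancy SSDT integrity checks look
 * for.  The code is 32-bit only (pointers held in DWORD); 64-bit kernels
 * protect this table with Kernel Patch Protection.
 * NOTE(review): the pointer swap is not synchronized with system calls being
 * dispatched on other processors — confirm this is acceptable.
 */
DWORD HookSSDT(BYTE *zwApi, BYTE* newApi) {
    PSDE serviceDesc;
    DWORD nCalls;
    DWORD idx;
    DWORD i;

    /* A second call would leak the first copy and overwrite oldSSDT with the
     * address of that copy, so UnhookSSDT would restore the wrong table. */
    if ( newSSDT != NULL )
        return 1;

    nCalls = GetNumSystemCalls();
    newSSDT = ExAllocatePool(NonPagedPool, nCalls * sizeof(DWORD));
    if ( newSSDT == NULL )
        return 1;

    idx = GetSSDTIndex(zwApi);
    if ( idx >= nCalls ) {
        /* Unrecognised stub: do not swap in a table that hooks nothing. */
        DbgPrint("[-]: SSDT index %lu out of range (%lu entries)\n", idx, nCalls);
        ExFreePool(newSSDT);
        newSSDT = NULL;
        return 1;
    }

    for ( i = 0; i < nCalls; i++ )
    {
        if ( i == idx ) {
            DbgPrint("[+]: Hooking NtSetValueKey...");
            newSSDT[i] = (DWORD)newApi;
            /* The original cast to ZwSetValueKeyPtr * (pointer to function
             * pointer) was one indirection too many; the entry is the
             * function address itself. */
            oldZwSetValueKey = (ZwSetValueKeyPtr)GetSSDTEntry(i);
            DbgPrint("[+]: Original ZwSetValueKey -> 0x%08x\n", oldZwSetValueKey);
            DbgPrint("[+]: SSDT(%lu) -> Hooked -> 0x%08x\n", i, newSSDT[i]);
            DbgPrint("[+]: Hooking was completed sucessfully\n");
        } else {
            /* Every other entry is copied unchanged. */
            newSSDT[i] = GetSSDTEntry(i);
        }
    }

    oldSSDT = GetSystemCallTable();
    serviceDesc = &KeServiceDescriptorTable;
    serviceDesc->KiServiceTable = newSSDT;
    return 0;
}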
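/*
 * Restore the original KiServiceTable pointer and release the pool copy.
 * Safe to call when no hook is installed (newSSDT == NULL): without the
 * guard, a failed HookSSDT followed by driver unload would store oldSSDT
 * (still 0) into KiServiceTable and crash on the next system call.
 * NOTE(review): nothing here waits for system calls already dispatched
 * through newSSDT before the copy is freed — confirm on the target kernel.
 */
void UnhookSSDT() {
    if ( newSSDT == NULL )
        return;
    KeServiceDescriptorTable.KiServiceTable = (DWORD *)oldSSDT;
    ExFreePool(newSSDT);
    newSSDT = NULL;
    oldSSDT = 0;
}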
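/* DriverUnload routine: logs the unload and removes the hook.  pDriverObject
 * is not used. */
VOID Unload(IN PDRIVER_OBJECT pDriverObject) {
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("[+]: SSDT Hooking V2 - Driver unloaded\n");
    UnhookSSDT();
}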
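/*
 * Driver entry point: registers Unload and installs the NtSetValueKey hook.
 * Fails the load with STATUS_UNSUCCESSFUL when HookSSDT cannot install the
 * hook, so the driver never stays resident with no hook and an unset
 * oldSSDT (the original ignored HookSSDT's return value).  regPath is unused.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,
                     IN PUNICODE_STRING regPath) {
    UNREFERENCED_PARAMETER(regPath);
    DbgPrint("[+]: SSDT Hooking V2 - Driver loaded\n");
    pDriverObject->DriverUnload = Unload;
    if ( HookSSDT((BYTE *)ZwSetValueKey, (BYTE *)newZwSetValueKey) != 0 ) {
        DbgPrint("[-]: SSDT Hooking V2 - hook not installed\n");
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_SUCCESS;
}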
-----[ end hookSSDT.c ]----	
  	
  

Código de HookSSDT.c

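    -----[ hookSSDT.c ]----
    #include "ntddk.h"

    /* Win32-style fixed-width names; pointers are stored in DWORD below, so
     * this file is 32-bit only. */
    typedef unsigned long DWORD;
    typedef unsigned short WORD;
    typedef unsigned char BYTE;

    /* Layout assumed for the exported KeServiceDescriptorTable.  Only
     * KiServiceTable (the dispatch table pointer HookSSDT replaces) and
     * nSystemCalls (its entry count) are read.  Field order must match the
     * kernel's structure. */
    typedef struct _SDE
    {
        DWORD *KiServiceTable;   /* pointer to the active dispatch table */
        DWORD unused;
        DWORD nSystemCalls;      /* number of entries in KiServiceTable */
        DWORD *KiArgumentTable;
    } SDE, *PSDE;

    /* Prototype of ZwSetValueKey; the collapsed listing had the tail of this
     * typedef displaced into the body of newZwSetValueKey. */
    typedef NTSTATUS (*ZwSetValueKeyPtr)(HANDLE key,
                                         PUNICODE_STRING valueName,
                                         ULONG titleIndex,
                                         ULONG type,
                                         PVOID data,
                                         ULONG dataSize);

    ZwSetValueKeyPtr oldZwSetValueKey;   /* original SSDT entry, saved by HookSSDT */
    DWORD *newSSDT = NULL;               /* pool copy of the dispatch table, one entry replaced */
    DWORD oldSSDT;                       /* original KiServiceTable pointer as a DWORD */
    __declspec(dllimport) SDE KeServiceDescriptorTable;

    /*
     * Replacement for NtSetValueKey: logs the value name, then forwards the
     * call unchanged to the saved original entry and returns its status.
     * NOTE(review): valueName is the caller's pointer and is used without
     * ProbeForRead/SEH; an invalid pointer from a user-mode caller bug-checks
     * the machine.
     */
    NTSTATUS newZwSetValueKey(HANDLE key,
                              PUNICODE_STRING valueName,
                              ULONG titleIndex,
                              ULONG type,
                              PVOID data,
                              ULONG dataSize) {
        NTSTATUS ntStatus;
        ANSI_STRING ansiString;

        DbgPrint("[+]: Call to NtSetValueKey() intercepted\n");

        /* AllocateDestinationString == TRUE allocates from pool; the buffer
         * must be released with RtlFreeAnsiString or every call leaks. */
        ntStatus = RtlUnicodeStringToAnsiString(&ansiString, valueName, TRUE);
        if ( NT_SUCCESS(ntStatus) )
        {
            DbgPrint("[+]: Value Name = %s\n", ansiString.Buffer);
            RtlFreeAnsiString(&ansiString);
        }

        return ( oldZwSetValueKey(key, valueName, titleIndex, type, data, dataSize) );
    }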
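    /* Extract the system-call index from a Zw* stub.  Relies on the x86 stub
     * layout "mov eax, <index>": byte 0 is the opcode, bytes 1..4 the 32-bit
     * index.  x86 only; nothing is validated here. */
    DWORD GetSSDTIndex(BYTE *zwApi) {
        DWORD *immediate = (DWORD *)(zwApi + 1);
        return *immediate;
    }

    /* KeServiceDescriptorTable.KiServiceTable as a DWORD (32-bit only). */
    DWORD GetSystemCallTable() {
        return (DWORD)KeServiceDescriptorTable.KiServiceTable;
    }

    /* Entry idx of the active dispatch table; callers keep idx below
     * GetNumSystemCalls(). */
    DWORD GetSSDTEntry(DWORD idx) {
        DWORD *table = (DWORD *)GetSystemCallTable();
        return *(table + idx);
    }

    /* Number of entries in the active dispatch table. */
    DWORD GetNumSystemCalls() {
        return KeServiceDescriptorTable.nSystemCalls;
    }

    /*
     * Build a NonPagedPool copy of the dispatch table with the entry for
     * zwApi's system call replaced by newApi, then repoint KiServiceTable at
     * the copy.  Returns 0 on success, 1 if the hook is already installed,
     * the allocation fails, or the index is not below the entry count.
     *
     * Detection note: afterwards KiServiceTable points into pool memory rather
     * than the kernel image, which is what SSDT integrity checks compare.
     * 32-bit only; 64-bit kernels protect this table with Kernel Patch
     * Protection.
     * NOTE(review): the pointer swap is not synchronized with system calls
     * dispatched on other processors.
     */
    DWORD HookSSDT(BYTE *zwApi, BYTE* newApi) {
        PSDE serviceDesc;
        DWORD nCalls;
        DWORD idx;
        DWORD i;

        /* A second call would leak the first copy and make oldSSDT point at
         * it, so UnhookSSDT would restore the wrong table. */
        if ( newSSDT != NULL )
            return 1;

        nCalls = GetNumSystemCalls();
        newSSDT = ExAllocatePool(NonPagedPool, nCalls * sizeof(DWORD));
        if ( newSSDT == NULL )
            return 1;

        idx = GetSSDTIndex(zwApi);
        if ( idx >= nCalls ) {
            /* Unrecognised stub: do not swap in a table that hooks nothing. */
            DbgPrint("[-]: SSDT index %lu out of range (%lu entries)\n", idx, nCalls);
            ExFreePool(newSSDT);
            newSSDT = NULL;
            return 1;
        }

        for ( i = 0; i < nCalls; i++ )
        {
            if ( i == idx ) {
                DbgPrint("[+]: Hooking NtSetValueKey...");
                newSSDT[i] = (DWORD)newApi;
                /* The entry is the function address itself, not a pointer to
                 * a function pointer as the original cast implied. */
                oldZwSetValueKey = (ZwSetValueKeyPtr)GetSSDTEntry(i);
                DbgPrint("[+]: Original ZwSetValueKey -> 0x%08x\n", oldZwSetValueKey);
                DbgPrint("[+]: SSDT(%lu) -> Hooked -> 0x%08x\n", i, newSSDT[i]);
                DbgPrint("[+]: Hooking was completed sucessfully\n");
            } else {
                newSSDT[i] = GetSSDTEntry(i);
            }
        }

        oldSSDT = GetSystemCallTable();
        serviceDesc = &KeServiceDescriptorTable;
        serviceDesc->KiServiceTable = newSSDT;
        return 0;
    }

    /* Restore the original KiServiceTable pointer and free the copy.  The
     * guard keeps a failed HookSSDT followed by unload from storing 0 into
     * KiServiceTable.
     * NOTE(review): nothing waits for calls already dispatched through
     * newSSDT before it is freed. */
    void UnhookSSDT() {
        if ( newSSDT == NULL )
            return;
        KeServiceDescriptorTable.KiServiceTable = (DWORD *)oldSSDT;
        ExFreePool(newSSDT);
        newSSDT = NULL;
        oldSSDT = 0;
    }

    /* DriverUnload routine: logs the unload and removes the hook. */
    VOID Unload(IN PDRIVER_OBJECT pDriverObject) {
        UNREFERENCED_PARAMETER(pDriverObject);
        DbgPrint("[+]: SSDT Hooking V2 - Driver unloaded\n");
        UnhookSSDT();
    }

    /* Entry point: registers Unload and installs the hook; fails the load when
     * HookSSDT does not succeed instead of ignoring its return value. */
    NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,
                         IN PUNICODE_STRING regPath) {
        UNREFERENCED_PARAMETER(regPath);
        DbgPrint("[+]: SSDT Hooking V2 - Driver loaded\n");
        pDriverObject->DriverUnload = Unload;
        if ( HookSSDT((BYTE *)ZwSetValueKey, (BYTE *)newZwSetValueKey) != 0 ) {
            DbgPrint("[-]: SSDT Hooking V2 - hook not installed\n");
            return STATUS_UNSUCCESSFUL;
        }
        return STATUS_SUCCESS;
    }
    -----[ end hookSSDT.c ]----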