Defining a Hook Function


The basic components of a kernel hook are the function to be hooked, the replacement function, and the system call table whose entry for that function is overwritten. The preceding section gives you the macros you will need to wire these components together, but you still need to define the replacement function and the function pointer that stores the address of the original function, so that the replacement can forward calls to it. In most cases, you can find the function prototype of interest in the DDK header files. As an example, the following prototype is taken from ntddk.h and then adapted twice: once as the type of the saved original-function pointer and once as the replacement function.

Following is the original prototype from ntddk.h:

  NTSYSAPI NTSTATUS NTAPI ZwMapViewOfSection(
      IN HANDLE SectionHandle,
      IN HANDLE ProcessHandle,
      IN OUT PVOID *BaseAddress,
      IN ULONG ZeroBits,
      IN ULONG CommitSize,
      IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
      IN OUT PSIZE_T ViewSize,
      IN SECTION_INHERIT InheritDisposition,
      IN ULONG AllocationType,
      IN ULONG Protect
  );

From that prototype, the pointer type for the original function repeats the parameter list. NTAPI is included so the pointer carries the kernel's __stdcall calling convention; without it, a build whose default convention is not __stdcall would corrupt the stack on every forwarded call. (Current WDK headers declare ZeroBits as ULONG_PTR and CommitSize as SIZE_T; these have the same width as ULONG only in 32-bit builds.)

  // NTAPI (__stdcall) must match the convention of the kernel routine
  // this pointer will be made to call.
  typedef NTSTATUS (NTAPI *ZWMAPVIEWOFSECTION)(
      IN HANDLE SectionHandle,
      IN HANDLE ProcessHandle,
      IN OUT PVOID *BaseAddress,
      IN ULONG ZeroBits,
      IN ULONG CommitSize,
      IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
      IN OUT PSIZE_T ViewSize,
      IN SECTION_INHERIT InheritDisposition,
      IN ULONG AllocationType,
      IN ULONG Protect
  );

  // Filled in by the HOOK macro with the address of the original routine.
  ZWMAPVIEWOFSECTION OldZwMapViewOfSection;

The replacement function has the same signature (again with NTAPI), logs the call, and forwards to the saved original pointer. It can inspect or alter the arguments before forwarding, skip the original entirely and return a status of its own, or alter the result after the original returns:

  NTSTATUS NTAPI NewZwMapViewOfSection(
      IN HANDLE SectionHandle,
      IN HANDLE ProcessHandle,
      IN OUT PVOID *BaseAddress,
      IN ULONG ZeroBits,
      IN ULONG CommitSize,
      IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
      IN OUT PSIZE_T ViewSize,
      IN SECTION_INHERIT InheritDisposition,
      IN ULONG AllocationType,
      IN ULONG Protect )
  {
      NTSTATUS status;

      DbgPrint("comint32: NewZwMapViewOfSection called.\n");

      // we can do whatever we want with the input here
      // and return or continue to the original function
      status = OldZwMapViewOfSection( SectionHandle,
                                      ProcessHandle,
                                      BaseAddress,
                                      ZeroBits,
                                      CommitSize,
                                      SectionOffset,
                                      ViewSize,
                                      InheritDisposition,
                                      AllocationType,
                                      Protect );

      // we can do whatever we want with the output here
      // and return any value including the actual one
      return status;
  }

Once these components are defined, you can use this:

  HOOK( ZwMapViewOfSection, NewZwMapViewOfSection, OldZwMapViewOfSection ); 

If your driver supports unloading, you must also unhook in DriverUnload(), restoring the original function pointer with the matching unhook macro from the preceding section before the driver returns; once the driver image is gone, a table entry still pointing at NewZwMapViewOfSection sends the next system call into unmapped memory and crashes the machine. Before writing the saved pointer back, check that the entry still holds your function: another driver that hooked the same entry after you would otherwise be torn out along with yours.
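The whole procedure above (typed pointer to the original, replacement that filters and forwards, HOOK, then unhook before unload) as a portable C model that compiles and runs in user mode. This is an added example, not the book's comint32 code: the ServiceTable array, the HOOK/UNHOOK macros, the FakeZwMapViewOfSection stand-in, the trimmed parameter list and the "refuse writable+executable views" policy are all constructed for the demonstration, and ntddk.h is replaced by a few typedefs. Beyond the text, it shows the shape of a safe unhook: UNHOOK restores the saved pointer only if the entry still holds our function, which the second hook in the block exercises.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the DDK types and constants the page uses (constructed). */
typedef int32_t NTSTATUS;
typedef void *HANDLE, *PVOID;
#define STATUS_SUCCESS         ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED   ((NTSTATUS)0xC0000022L)
#define PAGE_READONLY          0x02
#define PAGE_EXECUTE_READWRITE 0x40

/* Typed pointer for the routine being hooked, like the page's ZWMAPVIEWOFSECTION
 * but with the parameter list trimmed to what this model uses. */
typedef NTSTATUS (*ZWMAPVIEWOFSECTION)(HANDLE SectionHandle, HANDLE ProcessHandle,
                                       PVOID *BaseAddress, size_t *ViewSize,
                                       uint32_t Protect);
typedef NTSTATUS (*SERVICE_ROUTINE)(void);   /* generic service table entry */
static unsigned OriginalCalls, HookCalls;    /* instrumentation for the demo */

/* Constructed kernel routine standing in for ntoskrnl's ZwMapViewOfSection. */
static NTSTATUS FakeZwMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle,
                                       PVOID *BaseAddress, size_t *ViewSize,
                                       uint32_t Protect)
{
    (void)SectionHandle; (void)ProcessHandle; (void)Protect;
    OriginalCalls++;
    *BaseAddress = (PVOID)(uintptr_t)0x10000000;   /* constructed view base */
    if (*ViewSize == 0) *ViewSize = 0x1000;
    return STATUS_SUCCESS;
}

/* Model of the system call table: service index -> kernel routine. */
#define IDX_ZWMAPVIEWOFSECTION 2
static SERVICE_ROUTINE ServiceTable[4] = {
    [IDX_ZWMAPVIEWOFSECTION] = (SERVICE_ROUTINE)FakeZwMapViewOfSection,
};

/* This example's own HOOK/UNHOOK, not the book's macros. HOOK saves the current
 * entry into Old before writing New so the replacement can forward. UNHOOK
 * restores only if the entry still holds New: another driver hooked on top of us
 * would otherwise be torn out. A real driver swaps the SSDT entry with
 * InterlockedExchange after lifting write protection; __typeof__ is a GNU extension. */
#define HOOK(idx, New, Old) \
    do { (Old) = (__typeof__(Old))ServiceTable[(idx)]; \
         ServiceTable[(idx)] = (SERVICE_ROUTINE)(New); } while (0)
#define UNHOOK(idx, New, Old) \
    ((ServiceTable[(idx)] == (SERVICE_ROUTINE)(New)) \
        ? (ServiceTable[(idx)] = (SERVICE_ROUTINE)(Old), 1) : 0)

static ZWMAPVIEWOFSECTION OldZwMapViewOfSection;   /* filled in by HOOK */

/* Replacement routine: inspect the input, forward or refuse, inspect the output.
 * Policy (constructed for the demo): refuse any view mapped writable+executable. */
static NTSTATUS NewZwMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle,
                                      PVOID *BaseAddress, size_t *ViewSize,
                                      uint32_t Protect)
{
    NTSTATUS status;
    HookCalls++;
    if (Protect == PAGE_EXECUTE_READWRITE)
        return STATUS_ACCESS_DENIED;            /* answered without forwarding */
    status = OldZwMapViewOfSection(SectionHandle, ProcessHandle,
                                   BaseAddress, ViewSize, Protect);
    if (status == STATUS_SUCCESS)
        printf("NewZwMapViewOfSection: view at %p, %zu bytes\n", *BaseAddress, *ViewSize);
    return status;
}

/* One mapping request dispatched through the table, as the kernel's system
 * call dispatcher would do it. */
NTSTATUS MapOnce(uint32_t Protect)
{
    PVOID base = NULL; size_t size = 0;
    ZWMAPVIEWOFSECTION fn = (ZWMAPVIEWOFSECTION)ServiceTable[IDX_ZWMAPVIEWOFSECTION];
    return fn(NULL, NULL, &base, &size, Protect);
}

void InstallHook(void) { HOOK(IDX_ZWMAPVIEWOFSECTION, NewZwMapViewOfSection, OldZwMapViewOfSection); }
int  RemoveHook(void)  { return UNHOOK(IDX_ZWMAPVIEWOFSECTION, NewZwMapViewOfSection, OldZwMapViewOfSection); }
int  TableRestored(void) { return ServiceTable[IDX_ZWMAPVIEWOFSECTION] == (SERVICE_ROUTINE)FakeZwMapViewOfSection; }
unsigned HookCallCount(void)     { return HookCalls; }
unsigned OriginalCallCount(void) { return OriginalCalls; }

/* A second driver's hook layered on top of ours, to show why UNHOOK checks. */
static ZWMAPVIEWOFSECTION OtherOld;
static NTSTATUS OtherHook(HANDLE s, HANDLE p, PVOID *b, size_t *v, uint32_t pr)
{
    return OtherOld(s, p, b, v, pr);
}
void InstallOtherHook(void) { HOOK(IDX_ZWMAPVIEWOFSECTION, OtherHook, OtherOld); }
int  RemoveOtherHook(void)  { return UNHOOK(IDX_ZWMAPVIEWOFSECTION, OtherHook, OtherOld); }

int main(void)
{
    InstallHook();
    MapOnce(PAGE_READONLY);                 /* forwarded to the original */
    MapOnce(PAGE_EXECUTE_READWRITE);        /* refused by the hook */
    InstallOtherHook();
    printf("unhook with another hook on top: %d\n", RemoveHook());
    RemoveOtherHook();
    printf("unhook once it is gone: %d, restored: %d\n", RemoveHook(), TableRestored());
    return 0;
}
```

Build with gcc or clang (the HOOK macro uses __typeof__ to stay generic over the pointer type). The ordering inside HOOK matters: the original must be saved before the table entry changes, because a call arriving between the two writes goes to the replacement, which forwards through Old.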

Tip

ZwMapViewOfSection maps a view of a section object into a process's address space; it is the call the loader uses to map a DLL image, and so its exported functions, into a process. Hooking it to alter the mapping of those functions is what this book calls Process Injection or User Mode Hooking, the subject of Chapter 4.


Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Authors: Ric Vieler