X64 HOOK IDT

发布于 2015-11-06  387 次阅读


kd> dt nt!_KIDTENTRY64 @idtr + @@(sizeof(nt!_KIDTENTRY64))
+0x000 OffsetLow : 0x44c0
+0x002 Selector : 0x10
+0x004 IstIndex : 0y000
+0x004 Reserved0 : 0y00000 (0)
+0x004 Type : 0y01110 (0xe)
+0x004 Dpl : 0y00
+0x004 Present : 0y1
+0x006 OffsetMiddle : 0x40e
+0x008 OffsetHigh : 0xfffff800
+0x00c Reserved1 : 0
+0x000 Alignment : 0x40e8e00`001044c0
kd> !idt 1

Dumping IDT:

01: fffff800040e44c0 nt!KiDebugTrapOrFault

/*
 * Memory image of the IDTR register as stored by __sidt (see HOOKIDT below):
 * a 16-bit limit followed by the 64-bit linear base address of the IDT.
 * pack(1) removes the padding between the two fields so the struct matches
 * the 10 bytes the instruction writes.
 */
#pragma pack(1)
typedef struct{
    USHORT limit;    // IDT limit as stored by sidt; HOOKIDT never checks IDTID against it
    ULONG64 BASE;    // linear address of the first KIDTENTRY64 of this processor's IDT
}IDT_INFO,*PIDT_INFO;

/*
 * One 16-byte x64 IDT gate descriptor, laid out to match the nt!_KIDTENTRY64
 * dump above (+0x000 OffsetLow ... +0x00c Reserved1). The handler address is
 * split across OffsetLow (bits 0-15), OffsetMiddle (bits 16-31) and
 * OffsetHigh (bits 32-63); HOOKIDT reassembles and rewrites exactly those
 * three fields and leaves Selector, IstIndex, Type, Dpl and Present as found.
 */
typedef union _KIDTENTRY64
{
    struct
    {
        USHORT OffsetLow;         // handler address bits 0-15
        USHORT Selector;          // code segment selector (0x10 in the dump above)
        USHORT IstIndex : 3;      // interrupt stack table index
        USHORT Reserved0 : 5;
        USHORT Type : 5;          // gate type; 0xe in the dump above
        USHORT Dpl : 2;           // descriptor privilege level
        USHORT Present : 1;
        USHORT OffsetMiddle;      // handler address bits 16-31
        ULONG OffsetHigh;         // handler address bits 32-63
        ULONG Reserved1;
    };
    // Overlays only the first 8 bytes (OffsetLow..OffsetMiddle), as the
    // +0x000 Alignment line of the dump shows; HOOKIDT does not use it.
    UINT64 Alignment;
} KIDTENTRY64, *PKIDTENTRY64;

#pragma pack()   // back to default alignment for everything that follows

/*
 * Prototype of KeSetAffinityThread. HOOKIDT does not link against it; it
 * resolves the address by name through MmGetSystemRoutineAddress at run time.
 * NOTE(review): an identifier starting with '_' plus an uppercase letter is
 * reserved for the implementation in C; a name such as KeSetAffinityThread_t
 * avoids that.
 */
typedef NTSTATUS(NTAPI *_KeSetAffinityThread)(
    IN PKTHREAD Thread,       // thread whose affinity mask is changed
    IN KAFFINITY Affinity     // processor mask the thread is restricted to
);
/*
 * HOOKIDT - point IDT vector IDTID at NewfcuncAddress on every active
 * processor and report the handler address it replaced.
 *
 * Every processor has its own IDT, so the routine pins the current thread to
 * one processor at a time (KeSetAffinityThread), reads that processor's IDTR
 * with __sidt, patches the entry in place, and finally restores the original
 * affinity mask.
 *
 * IDTID            index of the vector to patch. Not range-checked against
 *                  idtinfo.limit or the 256-entry maximum, so an out-of-range
 *                  value writes past the IDT.
 * NewfcuncAddress  replacement handler; written as-is into the three Offset
 *                  fields without any validation.
 * oldTRAP1         receives the original handler, but only when *oldTRAP1 is
 *                  NULL on entry: the slot is read before it is written, so
 *                  the annotation should be __inout and callers must zero it
 *                  first. Because the slot is non-NULL after the first write,
 *                  only the first processor's original handler is reported.
 *
 * Returns STATUS_SUCCESS, or 1 when MmIsAddressValid(oldTRAP1) fails.
 * NOTE(review): 1 has the severity bits clear, so NT_SUCCESS(1) is true and a
 * caller testing NT_SUCCESS never sees this failure; STATUS_INVALID_PARAMETER
 * is the conventional code.
 *
 * NOTE(review): on x64 the IDT is among the structures Kernel Patch
 * Protection checks, and integrity tools compare each vector's handler with
 * the kernel image (cf. the !idt output above, where vector 1 resolves to
 * nt!KiDebugTrapOrFault). A rewritten vector is therefore both a bugcheck
 * risk on protected systems and a straightforward detection artifact.
 */
NTSTATUS HOOKIDT(ULONG IDTID, PVOID NewfcuncAddress,__out PVOID * oldTRAP1){

    KIRQL oldIrql;
    ULONG lowpart;                         // low 32 bits of the new handler address
    KAFFINITY processOrs;                  // active-processor mask, restored before return
    PKTHREAD thread;
    LONG i;
    IDT_INFO idtinfo;                      // IDTR of the processor currently pinned to
    ULONG_PTR oldTrap = 0;
    ULONG_PTR newTrap;
    KIDTENTRY64 *idt_entry;                // base of the pinned processor's IDT
    UNICODE_STRING ustrKeSetAffinityThread;
    _KeSetAffinityThread KeSetAffinityThread;

    // Resolve KeSetAffinityThread by name at run time.
    // NOTE(review): the result is never NULL-checked; a failed lookup is
    // called through inside the loop.
    RtlInitUnicodeString(&ustrKeSetAffinityThread, L"KeSetAffinityThread");
    KeSetAffinityThread = (_KeSetAffinityThread)MmGetSystemRoutineAddress(&ustrKeSetAffinityThread);
    processOrs = KeQueryActiveProcessors();
    thread = KeGetCurrentThread();
    newTrap = (ULONG_PTR)NewfcuncAddress;
    // Only checks that the page holding *oldTRAP1 is resident at this instant;
    // it is not a substitute for probing a caller-supplied pointer.
    if (!MmIsAddressValid(oldTRAP1))
    { return 1; }

    // NOTE(review): `1 << i` shifts a 32-bit int, so processors 32-63 of a
    // 64-bit KAFFINITY are never visited, and i == 31 overflows the signed
    // shift; `(KAFFINITY)1 << i` over the full mask width is the intended form.
    for (i = 0; i < 32; i++){
        KAFFINITY curProc = processOrs &(1 << i);
        if (curProc != 0){

            // Pin to this processor so __sidt reads its IDTR.
            KeSetAffinityThread(thread, curProc);
            __sidt(&idtinfo);
            // NOTE(review): implicit integer-to-pointer conversion; an explicit
            // (KIDTENTRY64 *) cast is required.
            idt_entry = idtinfo.BASE;

            // Reassemble the 64-bit handler address from the three Offset fields.
            // NOTE(review): OffsetMiddle is promoted to int before `<< 16`, so a
            // middle word >= 0x8000 overflows the signed shift; the 32-bit mask
            // afterwards drops the sign extension, which is why the value comes
            // out right on a compiler that wraps, but it is still undefined in C.
            oldTrap = (ULONG_PTR)((((ULONGLONG)idt_entry[IDTID].OffsetHigh) << 32) |
                                  (ULONGLONG)(((idt_entry[IDTID].OffsetMiddle << 16) | idt_entry[IDTID].OffsetLow) & 0x00000000ffffffff));
            // Report the original handler only if the caller passed an empty slot.
            if ( *oldTRAP1 == NULL) { *oldTRAP1 = (PVOID)oldTrap; }
            // The three field writes are not atomic; HIGH_LEVEL masks interrupts
            // on this processor for the duration of the update.
            KeRaiseIrql(HIGH_LEVEL, &oldIrql);
            lowpart = (ULONG)((ULONGLONG)(newTrap));
            idt_entry[IDTID].OffsetLow = (USHORT)lowpart;
            idt_entry[IDTID].OffsetMiddle = (USHORT)(lowpart >> 16);
            idt_entry[IDTID].OffsetHigh = (ULONG)((ULONGLONG)newTrap >> 32);
            KeLowerIrql(oldIrql);
        }

    }
    // Undo the per-processor pinning.
    KeSetAffinityThread(thread, processOrs);

    return STATUS_SUCCESS;
}

本站文章基于国际协议BY-NC-SA 4.0协议共享;
如未特殊说明,本站文章皆为原创文章,请规范转载。
