//By Dayed
//
// Kernel-mode driver (x86 only: 32-bit __asm blocks and ULONG pointer
// arithmetic throughout) that inline-patches the first 5 bytes of the
// exported routine KeInsertQueueApc with a relative jmp to
// fake_KeInsertQueueApc, and uses Proxy_KeInsertQueueApc as a trampoline
// holding the displaced bytes plus a far jmp back to KeInsertQueueApc+5.
//
// NOTE(review): from a defender's point of view this is a classic inline
// hook on an ntoskrnl export: a jmp written over the routine's entry and a
// NOP-sled trampoline living in the driver image. Nothing here hides the
// patch, so kernel code-integrity / inline-hook scanners that compare the
// in-memory prologue of KeInsertQueueApc against the on-disk image will
// see it. The driver relies on WPOFF()/WPON() from Dayed.h (not shown)
// to make the kernel text writable — presumably by toggling CR0.WP; confirm
// in that header.
#include <ntddk.h>
#include <ntifs.h>
#include <windef.h>
#include <Dayed.h>
#include <LDasm.h>

// Defined but never referenced in this file; the flag clear in
// fake_KeInsertQueueApc is done with an inline `and [eax], 0xfffffffe`,
// i.e. it clears bit 0, the same bit PS_CROSS_THREAD_FLAGS_TERMINATED names.
#define PS_CLEAR_BITS(Flags, Flag) \
RtlInterlockedClearBitsDiscardReturn (Flags, Flag)
#define PS_CROSS_THREAD_FLAGS_TERMINATED 0x00000001UL
//================================================================================
// Patch bytes. g_HookCode is `jmp rel32` (0xE9); bytes 1..4 are filled in by
// HookKeInsertQueueApc. g_OrigCode receives the 5 original bytes of
// KeInsertQueueApc so UnHookKeInsertQueueApc can restore them.
BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };
BYTE g_OrigCode[5] = { 0 };
// Far jmp ptr16:32 (0xEA): bytes 1..4 = absolute target (filled in by
// HookKeInsertQueueApc), bytes 5..6 = segment selector 0x0008.
// NOTE(review): the kernel code selector is hard-coded; nothing verifies it.
BYTE jmp_orig_code[7] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00 };
//------------------------------------------------------------
// Offset of the image-file-name field inside EPROCESS, found by scanning in
// GetProcessNameOffset. Computed in DriverEntry, but its only consumer in
// this file is a commented-out line in fake_KeInsertQueueApc.
ULONG g_ProcessNameOffset = 0;
// Offset of the thread-flags DWORD inside KTHREAD, found by scanning
// PsTerminateSystemThread in GetThreadFlagsOffset.
ULONG g_ThreadFlagsOffset=0;
// Declared but never used in this file.
ULONG OldMask;
// Undocumented ntoskrnl export; declared locally because the DDK headers
// used here do not expose it.
UCHAR * PsGetProcessImageFileName( __in PEPROCESS Process );
//------------------------------------------------------------
//================================================================================
// Locate the KTHREAD flags offset by disassembling PsTerminateSystemThread
// (up to 0x100 bytes, instruction by instruction via SizeOfCode from
// LDasm.h) and looking for the first instruction whose opcode bytes are
// F6 80, i.e. `test byte ptr [eax+disp32], imm8`.
//
// Returns the displacement of that instruction, or 0 if the pattern is not
// found within 0x100 bytes or the disassembler reports a zero-length
// instruction. A genuine offset of 0 is indistinguishable from "not found".
// Only the low 16 bits of the 32-bit displacement are read (USHORT).
ULONG GetThreadFlagsOffset()
{
UCHAR *cPtr, *pOpcode;
ULONG Length;
USHORT Offset;
for (cPtr = (PUCHAR)PsTerminateSystemThread; cPtr < (PUCHAR)PsTerminateSystemThread + 0x100; cPtr += Length)
{
// SizeOfCode returns the instruction length and sets pOpcode to the
// opcode byte (past any prefixes).
Length = SizeOfCode(cPtr, &pOpcode);
if (!Length) break;
// Little-endian: bytes F6 80 read as the USHORT 0x80F6.
// e.g. f6 80 48 02 00 00 10 = test byte ptr [eax+248h],10h
if (*(USHORT *)pOpcode == 0x80F6)
{
// disp32 starts 2 bytes after the opcode; only 16 bits are taken.
Offset=*(USHORT *)((ULONG)pOpcode+2);
return Offset;
}
}
return 0;
}
//================================================================================
// Restore the 5 original bytes of KeInsertQueueApc saved in g_OrigCode.
// Must only be called after HookKeInsertQueueApc has filled g_OrigCode.
//
// NOTE(review): KeRaiseIrqlToDpcLevel only prevents preemption on the
// current CPU; other CPUs may be executing KeInsertQueueApc while the
// bytes are rewritten. No cross-CPU synchronisation is attempted.
VOID UnHookKeInsertQueueApc ()
{
KIRQL oldIrql;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory ( (BYTE*)KeInsertQueueApc, g_OrigCode, 5 );
KeLowerIrql(oldIrql);
WPON();
}
//================================================================================
// Install the hook. Order matters:
//   1. save the first 5 bytes of KeInsertQueueApc into g_OrigCode;
//   2. compute rel32 = fake - KeInsertQueueApc - 5 into g_HookCode;
//   3. overwrite KeInsertQueueApc's entry with g_HookCode;
//   4. point jmp_orig_code at KeInsertQueueApc + 5;
//   5. fill Proxy_KeInsertQueueApc's 12-byte NOP sled with the saved
//      bytes (5) followed by the far jmp (7).
//
// NOTE(review): the 5 displaced bytes are copied verbatim with no check
// that they form whole, position-independent instructions; that is an
// unverified assumption about KeInsertQueueApc's prologue. Steps 3 and 5
// are not atomic with respect to other CPUs (see UnHookKeInsertQueueApc).
// fake_KeInsertQueueApc and Proxy_KeInsertQueueApc are used here before
// their definitions below — presumably declared in Dayed.h; confirm.
VOID HookKeInsertQueueApc ()
{
KIRQL oldIrql;
RtlCopyMemory (g_OrigCode, (BYTE*)KeInsertQueueApc, 5);
// rel32 is relative to the end of the 5-byte jmp instruction.
*( (ULONG*)(g_HookCode + 1) ) = (ULONG)fake_KeInsertQueueApc - (ULONG)KeInsertQueueApc- 5;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory ( (BYTE*)KeInsertQueueApc, g_HookCode, 5 );
// Absolute target of the far jmp: the instruction after the patched jmp.
*( (ULONG*)(jmp_orig_code + 1) ) = (ULONG) ( (BYTE*)KeInsertQueueApc + 5 );
RtlCopyMemory ( (BYTE*)Proxy_KeInsertQueueApc, g_OrigCode, 5);
RtlCopyMemory ( (BYTE*)Proxy_KeInsertQueueApc + 5, jmp_orig_code, 7);
KeLowerIrql(oldIrql);
WPON();
}
//================================================================================
// Replacement for KeInsertQueueApc. Every call is forwarded to the
// original through Proxy_KeInsertQueueApc; the only intervention is when
// ALL of the following hold: the process owning Apc->Thread has the image
// name "notepad.exe", PriorityBoost == 2, and Apc == SystemArgument1.
// In that case bit 0 of the DWORD at Apc->Thread + g_ThreadFlagsOffset is
// cleared and Apc->Thread is re-targeted at the calling thread, so the APC
// is no longer delivered to the notepad.exe thread.
//
// NOTE(review): which caller the (PriorityBoost == 2, Apc == SystemArgument1)
// signature is meant to identify cannot be established from this file.
// NOTE(review): if g_ThreadFlagsOffset is 0 (pattern not found), the `and`
// below still runs and clears bit 0 of the first DWORD of the KTHREAD;
// DriverEntry does not guard against this.
// NOTE(review): the name returned by PsGetProcessImageFileName is passed to
// strcmp; whether it is always NUL-terminated is not established here.
BOOLEAN __stdcall fake_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost)
{
PEPROCESS pTargetProcess;
PUCHAR pTargetProcessName;
ULONG XXThread;
//-------------------------------------------------------------------------------------------------------
pTargetProcess=IoThreadToProcess( (PETHREAD)Apc->Thread );
// Earlier variant read the name via the scanned g_ProcessNameOffset:
// pTargetProcessName=(PUCHAR)((ULONG)pTargetProcess+g_ProcessNameOffset);
pTargetProcessName=PsGetProcessImageFileName(pTargetProcess);
//-------------------------------------------------------------------------------------------------------
// Earlier variant without the Apc == SystemArgument1 condition:
// if ((strcmp(pTargetProcessName,"notepad.exe"))||PriorityBoost!=2)
// strcmp != 0 means "not notepad.exe"; any mismatch forwards unchanged.
if ((strcmp(pTargetProcessName,"notepad.exe"))||PriorityBoost!=2||Apc!=SystemArgument1)
{
goto Call_KeInsertQueueApc;
}
else
{
DbgPrint("TargetProcessName is %s\n",pTargetProcessName);
XXThread = (ULONG)Apc->Thread + g_ThreadFlagsOffset;
// Clear bit 0 of the flags DWORD (non-atomic read-modify-write).
__asm
{
mov eax, XXThread
and [eax], 0xfffffffe
}
Apc->Thread=KeGetCurrentThread();
// Redundant: control would fall through to the label anyway.
goto Call_KeInsertQueueApc;
}
Call_KeInsertQueueApc:
return Proxy_KeInsertQueueApc(Apc,SystemArgument1,SystemArgument2,PriorityBoost);
}
//================================================================================
// Trampoline. Compiled as 12 NOP bytes and nothing else (naked: no prologue,
// no ret); HookKeInsertQueueApc overwrites bytes 0..4 with the displaced
// original bytes and bytes 5..11 with the far jmp to KeInsertQueueApc+5.
// Calling it before HookKeInsertQueueApc has run executes past the end of
// the NOPs into whatever follows in the image — undefined behavior.
__declspec (naked) BOOLEAN Proxy_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost)
{
__asm
{
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
//================================================================================
// Find the image-file-name offset inside EPROCESS by scanning the current
// process object byte-by-byte for the string "System". Assumes the current
// process at call time (DriverEntry) is the System process — TODO confirm.
//
// Returns the byte offset, or 0 if "System" is not found within 3*PAGE_SIZE.
// NOTE(review): the scan reads up to 3 pages from the EPROCESS base with no
// check that the object is that large.
ULONG GetProcessNameOffset( void )
{
PEPROCESS curproc;
int i = 0;
curproc = PsGetCurrentProcess();
for( i = 0; i < 3*PAGE_SIZE; i++ )
{
if( !strncmp( "System", (PCHAR)curproc + i, strlen("System") ))
{
DbgPrint("i=0x%x\n", i);
return i;
}
}
return 0;
}
//================================================================================
// Driver unload: restore KeInsertQueueApc. DriverObject is unused.
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
UnHookKeInsertQueueApc();
DbgPrint("My Driver UnLoad!");
}
//================================================================================
// Driver entry: register the unload routine, resolve the two structure
// offsets by scanning, then install the hook. theRegistryPath is unused.
//
// NOTE(review): neither offset is checked for 0 before HookKeInsertQueueApc
// is called; always returns STATUS_SUCCESS.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
DbgPrint("My Driver Loaded!");
theDriverObject->DriverUnload = OnUnload;
g_ProcessNameOffset = GetProcessNameOffset();
g_ThreadFlagsOffset = GetThreadFlagsOffset();
DbgPrint("ProcessNameOffset is %d\n",g_ProcessNameOffset);
DbgPrint("ThreadFlagsOffset is %d\n",g_ThreadFlagsOffset);
HookKeInsertQueueApc();
return STATUS_SUCCESS;
}
//================================================================================
GamingMasteR Posted January 9, 2009 Share Posted January 9, 2009 Hi, One can use KiInsertQueueApc instead Link to comment
0xFF Posted January 9, 2009 Share Posted January 9, 2009 So it must be hooked from kernel mode using a device driver, right? (Those who don't know how to compile it: download the DDK from Microsoft.com.) Link to comment
dayed Posted January 10, 2009 Author Share Posted January 10, 2009 Hi,One can use KiInsertQueueApc instead U R right! Link to comment