// Forum post by dayed, January 9, 2009
//By Dayed
//
// Analysis summary (review): 32-bit Windows kernel driver that installs an inline
// hook on KeInsertQueueApc. DriverEntry patches the function's first 5 bytes with
// a relative JMP (0xE9) to fake_KeInsertQueueApc and builds a trampoline in
// Proxy_KeInsertQueueApc (saved original bytes + a far JMP back). The hook inspects
// APCs aimed at threads of "notepad.exe" and, for a specific caller convention
// (PriorityBoost == 2 and Apc == SystemArgument1), clears bit 0 of a ULONG inside
// the target KTHREAD before retargeting the APC to the current thread.
//
// Indicators a defender can look for: the first 5 bytes of KeInsertQueueApc no
// longer match the on-disk ntoskrnl image; CR0.WP is toggled (WPOFF/WPON, defined
// in Dayed.h, not visible here) around writes to kernel code pages; DbgPrint
// messages "My Driver Loaded!" / "TargetProcessName is ...". The pointer-to-ULONG
// casts and the far-JMP selector 0x0008 tie the code to x86 (32-bit) kernels.
#include <ntddk.h>
#include <ntifs.h>
#include <windef.h>
#include <Dayed.h>
#include <LDasm.h>
// Unused in this file; kept as the author's name for bit 0 of the thread flags.
#define PS_CLEAR_BITS(Flags, Flag) \
RtlInterlockedClearBitsDiscardReturn (Flags, Flag)
#define PS_CROSS_THREAD_FLAGS_TERMINATED 0x00000001UL
//================================================================================================
// 5-byte relative JMP stub; the rel32 displacement at [1..4] is filled in by HookKeInsertQueueApc.
BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };
// Original first 5 bytes of KeInsertQueueApc, saved before patching and restored on unload.
BYTE g_OrigCode[5] = { 0 };
// Far JMP (0xEA) to the absolute address at [1..4] with code selector 0x0008 at [5..6];
// appended to the trampoline so execution continues at KeInsertQueueApc + 5.
BYTE jmp_orig_code[7] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00 };
//------------------------------------------------------------
// Byte offset of the image-name field inside EPROCESS (computed but only used by a
// commented-out line below).
ULONG g_ProcessNameOffset = 0;
// Byte offset of the flags ULONG inside KTHREAD whose bit 0 the hook clears.
ULONG g_ThreadFlagsOffset=0;
// Unused.
ULONG OldMask;
// Exported by the kernel but not declared in the public headers of this era.
UCHAR * PsGetProcessImageFileName( __in PEPROCESS Process );
//------------------------------------------------------------
//================================================================================================
// Locates the thread-flags offset by disassembling up to 0x100 bytes of
// PsTerminateSystemThread (SizeOfCode is the LDasm length decoder) and looking
// for the first "test byte ptr [eax+disp],imm8" (opcode bytes F6 80); the 16-bit
// value following the opcode is returned as the offset.
// Returns 0 when the pattern is not found or decoding fails. The pattern is tied
// to one kernel build; DriverEntry does not check for the 0 result, so on an
// unexpected build the hook would clear bit 0 at KTHREAD offset 0.
ULONG GetThreadFlagsOffset()
{
    UCHAR *cPtr, *pOpcode;
    ULONG Length;
    USHORT Offset;
    for (cPtr = (PUCHAR)PsTerminateSystemThread; cPtr < (PUCHAR)PsTerminateSystemThread + 0x100; cPtr += Length)
    {
        Length = SizeOfCode(cPtr, &pOpcode);
        if (!Length) break;
        if (*(USHORT *)pOpcode == 0x80F6) //f6804802000010 test byte ptr [eax+248h],10h
        {
            // Only the low 16 bits of the disp32 are read (the expected value fits).
            Offset=*(USHORT *)((ULONG)pOpcode+2);
            return Offset;
        }
    }
    return 0;
}
//================================================================================================
// Restores the saved original bytes over the inline JMP.
// WPOFF/WPON (from Dayed.h) presumably clear/set CR0.WP so the read-only code
// page can be written. Raising IRQL affects only the current processor; other
// processors may execute the function while it is being rewritten.
VOID UnHookKeInsertQueueApc ()
{
    KIRQL oldIrql;
    WPOFF();
    oldIrql = KeRaiseIrqlToDpcLevel();
    RtlCopyMemory ( (BYTE*)KeInsertQueueApc, g_OrigCode, 5 );
    KeLowerIrql(oldIrql);
    WPON();
}
//================================================================================================
// Installs the inline hook:
//   1. save KeInsertQueueApc's first 5 bytes into g_OrigCode;
//   2. compute rel32 = fake - KeInsertQueueApc - 5 and write the JMP over the entry;
//   3. write g_OrigCode + a far JMP to KeInsertQueueApc+5 into Proxy_KeInsertQueueApc,
//      whose body is a 12-byte NOP sled reserved for exactly this purpose.
// Assumes the saved 5 bytes contain only position-independent instructions; a
// relative branch inside them would be broken when relocated into the proxy.
// Same IRQL/WP caveats as UnHookKeInsertQueueApc.
VOID HookKeInsertQueueApc ()
{
    KIRQL oldIrql;
    RtlCopyMemory (g_OrigCode, (BYTE*)KeInsertQueueApc, 5);
    *( (ULONG*)(g_HookCode + 1) ) = (ULONG)fake_KeInsertQueueApc - (ULONG)KeInsertQueueApc- 5;
    WPOFF();
    oldIrql = KeRaiseIrqlToDpcLevel();
    RtlCopyMemory ( (BYTE*)KeInsertQueueApc, g_HookCode, 5 );
    *( (ULONG*)(jmp_orig_code + 1) ) = (ULONG) ( (BYTE*)KeInsertQueueApc + 5 );
    RtlCopyMemory ( (BYTE*)Proxy_KeInsertQueueApc, g_OrigCode, 5);
    RtlCopyMemory ( (BYTE*)Proxy_KeInsertQueueApc + 5, jmp_orig_code, 7);
    KeLowerIrql(oldIrql);
    WPON();
}
//================================================================================================
// Replacement for KeInsertQueueApc; every APC queued on the system passes through here.
// Passes the call straight to the trampoline unless all three hold:
//   - the APC's target thread belongs to an image named "notepad.exe",
//   - PriorityBoost == 2,
//   - Apc == SystemArgument1 (an out-of-band marker the cooperating caller sets;
//     inferred from usage, no caller is visible here).
// In that case it clears bit 0 of the ULONG at Apc->Thread + g_ThreadFlagsOffset
// (presumably the bit PS_CROSS_THREAD_FLAGS_TERMINATED names above), then points
// Apc->Thread at the current thread before forwarding.
// Returns whatever the original KeInsertQueueApc returns via the trampoline.
BOOLEAN __stdcall fake_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost)
{
    PEPROCESS pTargetProcess;
    PUCHAR pTargetProcessName;
    ULONG XXThread;
    //-------------------------------------------------------------------------------------------------------
    pTargetProcess=IoThreadToProcess( (PETHREAD)Apc->Thread );
    // pTargetProcessName=(PUCHAR)((ULONG)pTargetProcess+g_ProcessNameOffset);
    pTargetProcessName=PsGetProcessImageFileName(pTargetProcess);
    //-------------------------------------------------------------------------------------------------------
    // if ((strcmp(pTargetProcessName,"notepad.exe"))||PriorityBoost!=2)
    if ((strcmp(pTargetProcessName,"notepad.exe"))||PriorityBoost!=2||Apc!=SystemArgument1)
    {
        goto Call_KeInsertQueueApc;
    }
    else
    {
        DbgPrint("TargetProcessName is %s\n",pTargetProcessName);
        XXThread = (ULONG)Apc->Thread + g_ThreadFlagsOffset;
        // Non-atomic read-modify-write of a kernel object field: clears bit 0.
        __asm
        {
            mov eax, XXThread
            and [eax], 0xfffffffe
        }
        Apc->Thread=KeGetCurrentThread();
        goto Call_KeInsertQueueApc;
    }
Call_KeInsertQueueApc:
    return Proxy_KeInsertQueueApc(Apc,SystemArgument1,SystemArgument2,PriorityBoost);
}
//================================================================================================
// Trampoline placeholder: 12 NOP bytes that HookKeInsertQueueApc overwrites with
// the 5 saved original bytes followed by the 7-byte far JMP. Naked so the compiler
// emits no prologue/epilogue; the body must stay exactly 12 bytes.
__declspec (naked) BOOLEAN Proxy_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost)
{
    __asm
    {
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
    }
}
//================================================================================================
// Scans the current EPROCESS byte by byte for the string "System" and returns
// the matching offset, relying on DriverEntry running in the System process.
// The scan window is 3*PAGE_SIZE bytes, well beyond the size of the object, so
// it reads past the end of the EPROCESS allocation. Returns 0 if not found.
ULONG GetProcessNameOffset( void )
{
    PEPROCESS curproc;
    int i = 0;
    curproc = PsGetCurrentProcess();
    for( i = 0; i < 3*PAGE_SIZE; i++ )
    {
        if( !strncmp( "System", (PCHAR)curproc + i, strlen("System") ))
        {
            DbgPrint("i=0x%x\n", i);
            return i;
        }
    }
    return 0;
}
//================================================================================================
// Driver unload: removes the inline hook. Nothing waits for threads that are
// still executing inside fake_/Proxy_KeInsertQueueApc when the image is unmapped.
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    UnHookKeInsertQueueApc();
    DbgPrint("My Driver UnLoad!");
}
//================================================================================================
// Entry point: computes the two structure offsets, logs them, and installs the
// hook unconditionally (a 0 offset from either scan is not treated as failure).
// Always returns STATUS_SUCCESS.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    DbgPrint("My Driver Loaded!");
    theDriverObject->DriverUnload = OnUnload;
    g_ProcessNameOffset = GetProcessNameOffset();
    g_ThreadFlagsOffset = GetThreadFlagsOffset();
    DbgPrint("ProcessNameOffset is %d\n",g_ProcessNameOffset);
    DbgPrint("ThreadFlagsOffset is %d\n",g_ThreadFlagsOffset);
    HookKeInsertQueueApc();
    return STATUS_SUCCESS;
}
//================================================================================================
0xFF Posted January 9, 2009: So, it must be hooked via kernel mode using a device driver, right? (Those who don't know how to compile it can download the DDK from Microsoft.com.)
dayed (Author) Posted January 10, 2009: Hi, one can use KiInsertQueueApc instead. You are right!