Hook KeInsertQueueApc

Posted January 9, 200916 yr

//By Dayed

#include <ntddk.h>

#include <ntifs.h>

#include <windef.h>

#include <Dayed.h>

#include <LDasm.h>

#define PS_CLEAR_BITS(Flags, Flag) \

RtlInterlockedClearBitsDiscardReturn (Flags, Flag)

#define PS_CROSS_THREAD_FLAGS_TERMINATED 0x00000001UL

//================================================================================

================

BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };

BYTE g_OrigCode[5] = { 0 };

BYTE jmp_orig_code[7] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00 };

//------------------------------------------------------------

ULONG g_ProcessNameOffset = 0;

ULONG g_ThreadFlagsOffset=0;

ULONG OldMask;

UCHAR *

PsGetProcessImageFileName(

__in PEPROCESS Process

);

//------------------------------------------------------------

//================================================================================

================

ULONG GetThreadFlagsOffset()

{

UCHAR *cPtr, *pOpcode;

ULONG Length;

USHORT Offset;

for (cPtr = (PUCHAR)PsTerminateSystemThread;

cPtr < (PUCHAR)PsTerminateSystemThread + 0x100;

cPtr += Length)

{

Length = SizeOfCode(cPtr, &pOpcode);

if (!Length) break;

if (*(USHORT *)pOpcode == 0x80F6) //f6804802000010 test byte ptr [eax+248h],10h

{

Offset=*(USHORT *)((ULONG)pOpcode+2);

return Offset;

}

return 0;

}

//================================================================================

================

VOID UnHookKeInsertQueueApc ()

{

KIRQL oldIrql;

WPOFF();

oldIrql = KeRaiseIrqlToDpcLevel();

RtlCopyMemory ( (BYTE*)KeInsertQueueApc, g_OrigCode, 5 );

KeLowerIrql(oldIrql);

WPON();

}

//================================================================================

================

VOID HookKeInsertQueueApc ()

{

KIRQL oldIrql;

RtlCopyMemory (g_OrigCode, (BYTE*)KeInsertQueueApc, 5);

*( (ULONG*)(g_HookCode + 1) ) = (ULONG)fake_KeInsertQueueApc - (ULONG)KeInsertQueueApc- 5;

WPOFF();

oldIrql = KeRaiseIrqlToDpcLevel();

RtlCopyMemory ( (BYTE*)KeInsertQueueApc, g_HookCode, 5 );

*( (ULONG*)(jmp_orig_code + 1) ) = (ULONG) ( (BYTE*)KeInsertQueueApc + 5 );

RtlCopyMemory ( (BYTE*)Proxy_KeInsertQueueApc, g_OrigCode, 5);

RtlCopyMemory ( (BYTE*)Proxy_KeInsertQueueApc + 5, jmp_orig_code, 7);

KeLowerIrql(oldIrql);

WPON();

}

//================================================================================

================

BOOLEAN __stdcall

fake_KeInsertQueueApc(IN PKAPC Apc,

IN PVOID SystemArgument1,

IN PVOID SystemArgument2,

IN KPRIORITY PriorityBoost)

{

PEPROCESS pTargetProcess;

PUCHAR pTargetProcessName;

ULONG XXThread;

//-------------------------------------------------------------------------------------------------------

pTargetProcess=IoThreadToProcess( (PETHREAD)Apc->Thread );

// pTargetProcessName=(PUCHAR)((ULONG)pTargetProcess+g_ProcessNameOffset);

pTargetProcessName=PsGetProcessImageFileName(pTargetProcess);

//-------------------------------------------------------------------------------------------------------

// if ((strcmp(pTargetProcessName,"notepad.exe"))||PriorityBoost!=2)

if ((strcmp(pTargetProcessName,"notepad.exe"))||PriorityBoost!=2||Apc!=SystemArgument1)

{

goto Call_KeInsertQueueApc;

}

else

{

DbgPrint("TargetProcessName is %s\n",pTargetProcessName);

XXThread = (ULONG)Apc->Thread + g_ThreadFlagsOffset;

__asm {

mov eax, XXThread

and [eax], 0xfffffffe

}

Apc->Thread=KeGetCurrentThread();

goto Call_KeInsertQueueApc;

}

Call_KeInsertQueueApc:

return Proxy_KeInsertQueueApc(Apc,SystemArgument1,SystemArgument2,PriorityBoost);

}

//================================================================================

================

__declspec (naked)

BOOLEAN

Proxy_KeInsertQueueApc(IN PKAPC Apc,

IN PVOID SystemArgument1,

IN PVOID SystemArgument2,

IN KPRIORITY PriorityBoost)

{

__asm {

_emit 0x90

}

//================================================================================

================

ULONG GetProcessNameOffset( void )

{

PEPROCESS curproc;

int i = 0;

curproc = PsGetCurrentProcess();

for( i = 0; i < 3*PAGE_SIZE; i++ ) {

if( !strncmp( "System", (PCHAR)curproc + i, strlen("System") )) {

DbgPrint("i=0x%x\n", i);

return i;

}

return 0;

}

//================================================================================

================

VOID OnUnload( IN PDRIVER_OBJECT DriverObject )

{

UnHookKeInsertQueueApc();

DbgPrint("My Driver UnLoad!");

}

//================================================================================

================

NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )

{

DbgPrint("My Driver Loaded!");

theDriverObject->DriverUnload = OnUnload;

g_ProcessNameOffset = GetProcessNameOffset();

g_ThreadFlagsOffset = GetThreadFlagsOffset();

DbgPrint("ProcessNameOffset is %d\n",g_ProcessNameOffset);

DbgPrint("ThreadFlagsOffset is %d\n",g_ThreadFlagsOffset);

HookKeInsertQueueApc();

return STATUS_SUCCESS;

}

//================================================================================

================

:wub:

January 9, 200916 yr

Hi,

One can use KiInsertQueueApc instead

January 9, 200916 yr

So, it must be hooked via kernel mode using a device driver, right ? (Those who don't know how to compile it, download DDK from Microsoft.com).

January 10, 200916 yr

Author

Hi,
One can use KiInsertQueueApc instead

U R right!

Sign In

Hook KeInsertQueueApc

Featured Replies

Create an account or sign in to comment

Account

Navigation

Search

Configure browser push notifications

Chrome (Android)

Chrome (Desktop)

Safari (iOS 16.4+)

Safari (macOS)

Edge (Android)

Edge (Desktop)

Firefox (Android)

Firefox (Desktop)