枚举IDT表


#include <ntddk.h>

// Win32-style aliases over the kernel's fixed-width types so that MAKELONG
// can be written in its usual form.
#define WORD	USHORT
#define DWORD	ULONG

// Glues two 16-bit halves into one 32-bit value (a = low word, b = high
// word).  The result is a signed LONG, which this file then casts to a
// pointer or an address; that only works because everything here assumes
// 32-bit pointers (the file is x86-32 only: __asm, pushad, 16+16-bit offsets).
#define MAKELONG(a, b)      ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) \
								| ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff))) <<16))

// Image of the IDTR register as stored by SIDT (see GetInterruptFuncAddress):
// a 16-bit table limit followed by the 32-bit linear base, which this layout
// splits into two 16-bit halves that MAKELONG glues back together.  All
// members are USHORT, so no alignment padding is inserted.
typedef struct _IDTR{
	USHORT   IDT_limit;      // size of the IDT in bytes minus one
	USHORT   IDT_LOWbase;    // bits 0-15 of the IDT base
	USHORT   IDT_HIGbase;    // bits 16-31 of the IDT base
}IDTR,*PIDTR;

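/*
 * One 8-byte 32-bit IDT gate descriptor.  The handler offset is split into
 * LowOffset/HiOffset around the selector and attribute bits, and those two
 * halves are the only fields this file reads or writes.  The bit-field
 * layout relies on adjacent unsigned char bit-fields being packed without
 * padding; sizeof(IDTENTRY) must come out as 8.
 *
 * The width of zero1 was unreadable in the published listing and is restored
 * here so that byte 4 totals 8 bits (5 + 3).
 */
typedef struct _IDTENTRY
{
	unsigned short LowOffset;            // handler offset, bits 0-15
	unsigned short selector;             // code segment selector of the handler
	unsigned char retention:5;           // byte 4: reserved
	unsigned char zero1:3;               // byte 4: reserved (width restored)
	unsigned char gate_type:1;           // byte 5, bit 0 of the type field
	unsigned char zero2:1;
	unsigned char interrupt_gate_size:1;
	unsigned char zero3:1;
	unsigned char zero4:1;
	unsigned char DPL:2;                 // descriptor privilege level
	unsigned char P:1;                   // present bit
	unsigned short HiOffset;             // handler offset, bits 16-31
} IDTENTRY,*PIDTENTRY;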

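/*
 * 8-byte GDT segment descriptor in the layout the Windows kernel uses: the
 * 16-bit limit and base-low words first, then the upper doubleword viewable
 * either as four raw bytes or as bit-fields.  This file only reads
 * BaseLow/BaseMid/BaseHi of entry 1 for a debug print in SetInterrupt.
 *
 * Two member terminators (BaseMid, HighWord) were unreadable in the
 * published listing and are restored here.
 */
typedef struct _KGDTENTRY {
	USHORT  LimitLow;
	USHORT  BaseLow;
	union {
		struct {
			UCHAR   BaseMid;
			UCHAR   Flags1;     // Declare as bytes to avoid alignment
			UCHAR   Flags2;     // Problems.
			UCHAR   BaseHi;
		} Bytes;
		struct {
			ULONG   BaseMid : 8;
			ULONG   Type : 5;
			ULONG   Dpl : 2;
			ULONG   Pres : 1;

			ULONG   LimitHi : 4;
			ULONG   Sys : 1;
			ULONG   Reserved_0 : 1;
			ULONG   Default_Big : 1;
			ULONG   Granularity : 1;
			ULONG   BaseHi : 8;
		} Bits;
	} HighWord;
} KGDTENTRY, *PKGDTENTRY;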

//global
// Address of the original IDT vector 3 handler.  Captured in DriverEntry,
// tail-jumped to at the end of NewInterruptFunc3, and written back into the
// IDT by MyUnload.
ULONG	g_InterruptFunc3;

/*
 * Re-enables write protection (CR0.WP, bit 16 = 10000h) on the current
 * processor and then re-enables interrupts.  Counterpart of PageProtectOff.
 *
 * NOTE(review): `sti` is unconditional, so if interrupts were already
 * disabled when PageProtectOff was entered, this pair turns them back on.
 * CR0 is a per-processor register: only the calling CPU is affected.
 */
void PageProtectOn()
{
	__asm{//restore memory write protection  
		mov  eax,cr0
		or   eax,10000h     // set CR0.WP
		mov  cr0,eax
		sti                 // re-enable interrupts (unconditionally)
	}
}

/*
 * Disables interrupts and then clears write protection (CR0.WP, bit 16) on
 * the current processor so that SetInterrupt can store into read-only IDT
 * pages.  Must be paired with PageProtectOn on the same processor; the
 * interrupt state is not saved, see the note on PageProtectOn.
 */
void PageProtectOff()
{
	__asm{//remove memory write protection
		cli                 // keep this CPU from being preempted mid-update
		mov  eax,cr0
		and  eax,not 10000h // clear CR0.WP
		mov  cr0,eax
	}
}

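/*
 * C-level body of the vector 3 hook.  Entered from NewInterruptFunc3 after
 * it has saved the general registers and flags and loaded fs; logs the name
 * of the current process and the es/ds selectors that were live when the
 * interrupt arrived.  __stdcall with no parameters, so the caller has
 * nothing to clean up.
 *
 * The 0x16c offset into the EPROCESS returned by PsGetCurrentProcess() is
 * presumably the image-name field of one particular 32-bit Windows build;
 * it is undocumented and must be verified per target kernel.  "%s" further
 * assumes the name is NUL-terminated within that field.
 *
 * The cast in the first KdPrint was unreadable in the published listing and
 * is restored as (char*).
 */
void __stdcall FilterInterruptFunc3()
{
	USHORT u_es,u_ds;

	KdPrint(("CurrentProcess:%s",(char*)PsGetCurrentProcess()+0x16c));
	__asm{
		mov	u_es,es
		mov u_ds,ds
	}

	KdPrint(("%X,%X",u_es,u_ds));
}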

/*
 * Replacement entry for IDT vector 3, installed by DriverEntry.  It is
 * naked, so it runs with the stack exactly as the CPU left it at interrupt
 * delivery and before the original kernel handler has built its trap frame;
 * every push below is undone before the tail jump.
 *
 * Sequence: save registers and flags, save fs and load selector 0x30
 * (presumably the kernel's per-processor data selector — verify), run the
 * C filter, restore fs/flags/registers, then jump to the original handler
 * whose address DriverEntry stored in g_InterruptFunc3 (an indirect jump
 * through that variable).
 */
__declspec(naked)
void NewInterruptFunc3()
{
	__asm{
		pushad                        // save general registers
		pushfd                        // save flags
  
		push	fs                    // save caller's fs
		push	0x30
		pop		fs                    // fs = 0x30 for the C code below

		call	FilterInterruptFunc3  // __stdcall, no arguments

		pop		fs                    // restore caller's fs

		popfd
		popad

		jmp		g_InterruptFunc3      // chain to the original handler
	}
}

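/*
 * Returns the 32-bit handler address stored in IDT entry InterruptIndex of
 * the IDT that is loaded on the processor this code happens to run on
 * (SIDT reads only the current CPU's IDTR).
 *
 * Returns 0 when InterruptIndex lies past the table limit reported by the
 * IDTR, instead of reading beyond the table.
 *
 * The cast on the pIdtEntry assignment was unreadable in the published
 * listing and is restored as (IDTENTRY *).
 */
ULONG	GetInterruptFuncAddress(ULONG InterruptIndex)
{
	IDTR		idtr;
	IDTENTRY	*pIdtEntry;

	__asm	SIDT	idtr;

	// IDT_limit is the table size in bytes minus one, so the last valid
	// index is limit / sizeof(IDTENTRY).  Dividing first avoids overflow.
	if (InterruptIndex > idtr.IDT_limit / sizeof(IDTENTRY))
	{
		return 0;
	}

	// The 32-bit base is stored as two 16-bit halves in IDTR.
	pIdtEntry = (IDTENTRY *)MAKELONG(idtr.IDT_LOWbase,idtr.IDT_HIGbase);

	// The handler offset is likewise split across the descriptor.
	return MAKELONG(pIdtEntry[InterruptIndex].LowOffset,pIdtEntry[InterruptIndex].HiOffset);
}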

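/*
 * Points IDT vector InterruptIndex at NewInterruptFunc on every processor.
 *
 * The per-processor IDT is reached through undocumented kernel internals:
 *  - a pointer to KiProcessorBlock (the zero-terminated array of per-CPU
 *    processor-block pointers) is read from inside the code of the exported
 *    KeSetTimeIncrement at a fixed offset;
 *  - the IDT and GDT base pointers are then read at fixed negative offsets
 *    from each processor block.
 * All three offsets are presumably specific to one 32-bit Windows build and
 * have to be verified against the target kernel; on a different build these
 * dereferences read and write arbitrary memory.  Only the KeSetTimeIncrement
 * address and the KiProcessorBlock pointer are checked with MmIsAddressValid.
 *
 * NOTE(review): the two 16-bit stores update one 8-byte descriptor
 * non-atomically, and PageProtectOff masks interrupts only on the calling
 * processor, so another processor taking this vector between the two stores
 * would dispatch to a torn address.
 *
 * NOTE(review): integrity checks detect this kind of change by comparing
 * each processor's IDT entries with the handlers expected from the kernel
 * image; 64-bit Windows treats IDT modification as a kernel patch
 * protection violation.  This file is 32-bit only anyway (__asm, pushad,
 * 16+16-bit offsets).
 *
 * The three pointer casts on the dereferences were unreadable in the
 * published listing and are restored as (ULONG**), (IDTENTRY**) and
 * (PKGDTENTRY*).
 */
VOID SetInterrupt(ULONG InterruptIndex,ULONG NewInterruptFunc)
{
	ULONG			u_fnKeSetTimeIncrement;
	UNICODE_STRING	usFuncName;
	ULONG			u_index;
	ULONG			*u_KiProcessorBlock;

	IDTENTRY		*pIdtEntry;
	PKGDTENTRY		pGdt;

	/* Build-specific offsets (see above); verify per target kernel. */
	enum {
		PROCESSOR_BLOCK_PTR_OFFSET = 44,    /* into KeSetTimeIncrement's code */
		CPU_BLOCK_TO_IDT_OFFSET    = 0xE8,  /* subtracted from each block pointer */
		CPU_BLOCK_TO_GDT_OFFSET    = 0xE4,
		IDT_MAX_VECTORS            = 256    /* architectural size of a 32-bit IDT */
	};

	if (InterruptIndex >= IDT_MAX_VECTORS)
	{
		return;
	}

	RtlInitUnicodeString(&usFuncName,L"KeSetTimeIncrement");
	
	u_fnKeSetTimeIncrement = (ULONG)MmGetSystemRoutineAddress(&usFuncName);
	if (!MmIsAddressValid((PVOID)u_fnKeSetTimeIncrement))
	{
		return;
	}

	u_KiProcessorBlock = *(ULONG**)(u_fnKeSetTimeIncrement + PROCESSOR_BLOCK_PTR_OFFSET);
	if (!MmIsAddressValid(u_KiProcessorBlock))
	{
		return;
	}

	/* The array is zero-terminated; the bound guards against a full table. */
	for (u_index = 0;
		 u_index < MAXIMUM_PROCESSORS && u_KiProcessorBlock[u_index] != 0;
		 u_index++)
	{
		pIdtEntry = *(IDTENTRY**)(u_KiProcessorBlock[u_index] - CPU_BLOCK_TO_IDT_OFFSET);
		
		PageProtectOff();

		/* Only the split 32-bit handler offset is rewritten; the selector
		 * and attribute bits of the descriptor are left as they were. */
		pIdtEntry[InterruptIndex].LowOffset = (unsigned short)(NewInterruptFunc & 0xffff);
		pIdtEntry[InterruptIndex].HiOffset = (unsigned short)(NewInterruptFunc >>16);
		
		pGdt = *(PKGDTENTRY*)(u_KiProcessorBlock[u_index] - CPU_BLOCK_TO_GDT_OFFSET);
		KdPrint(("GDT:%X--%X--%X--%X",pGdt,pGdt[1].BaseLow,pGdt[1].HighWord.Bits.BaseMid,pGdt[1].HighWord.Bits.BaseHi));

		PageProtectOn();
	}
}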

/*
 * Driver unload routine: writes the saved original handler back into IDT
 * vector 3 on every processor.  pDriverObject is not used.
 *
 * NOTE(review): nothing here waits for a processor that may still be inside
 * NewInterruptFunc3/FilterInterruptFunc3 before the driver image goes away.
 */
VOID MyUnload(PDRIVER_OBJECT	pDriverObject)
{
	const ULONG originalHandler = g_InterruptFunc3;

	(void)pDriverObject;
	SetInterrupt(3, originalHandler);
}

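/*
 * Driver entry point.  Records the current handler of IDT vector 3 (the
 * breakpoint trap) in g_InterruptFunc3, registers MyUnload so it can be
 * restored, then installs NewInterruptFunc3 in its place on every
 * processor.  Reg_Path is unused.
 *
 * Fails with STATUS_UNSUCCESSFUL if no original handler address could be
 * read, because NewInterruptFunc3 ends with a jump through that value.
 *
 * The DriverUnload assignment was unreadable in the published listing and
 * is restored as MyUnload.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT	pDriverObject,PUNICODE_STRING Reg_Path)
{
	USHORT u_cs;

	(void)Reg_Path;

	g_InterruptFunc3 = GetInterruptFuncAddress(3);
	if (g_InterruptFunc3 == 0)
	{
		return STATUS_UNSUCCESSFUL;
	}
	
	__asm	mov		u_cs,cs;

	// Cast to ULONG so the argument matches the %X conversion.
	KdPrint(("%X--%X",(ULONG)NewInterruptFunc3,u_cs));

	// Register the restore path before the hook goes live.
	pDriverObject->DriverUnload = MyUnload;
	SetInterrupt(3,(ULONG)NewInterruptFunc3);
	return STATUS_SUCCESS;
}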