Shulou(Shulou.com)06/03 Report--

This article mainly explains "the introduction of the underlying principles of SSDT Hook and how to achieve process protection", interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Next let the editor to take you to learn the "introduction to the underlying principles of SSDT Hook and how to achieve process protection"!

Catalogue

SSDT Hook effect diagram

Introduction to SSDT

SSDT structure

SSDT HOOK principle

Pre-Hook preparation

How to get the address of the function in SSDT?

SSDT Hook process

SSDT Hook implements process protection

SSDT Hook effect diagram

Load the driver and successfully Hook NtTerminateProcess the function:

When you try to end the process by using the Task Manager after protecting the specified process, a "access denied" window pops up, indicating that our goal has been achieved:

Introduction to SSDT

The full name of SSDT is System Services Descriptor Table, the system service descriptor table.

This table is a connection between Ring3's Win32 API and Ring0's kernel API.

SSDT contains not only a large address index table, but also some other useful information, such as the base address of the address index, the number of service functions, and so on.

By modifying the function address of this table, we can Hook common Windows functions and API, so as to achieve the purpose of filtering and monitoring some concerned system actions.

Some HIPS, antivirus software, system monitoring, registry monitoring software often use this interface to achieve their own monitoring module.

SSDT structure

SSDT is the system service descriptor table, which is structured as follows (see Chapter 2 of "Undocument Windows 2000 Secretes"):

/ / KSYSTEM_SERVICE_TABLE and KSERVICE_TABLE_DESCRIPTOR// are used to define the base address of the SSDT structure typedef struct _ KSYSTEM_SERVICE_TABLE {PULONG ServiceTableBase; / / SSDT (System Service Dispatch Table) PULONG ServiceCounterTableBase; / / for checked builds, including the number of times each service in the SSDT is called ULONG NumberOfService / / the number of service functions. NumberOfService * 4 is the base address of the entire address table ULONG ParamTableBase; / / SSPT (System Service Parameter Table)} KSYSTEM_SERVICE_TABLE, * PKSYSTEM_SERVICE_TABLE;typedef struct _ KSERVICE_TABLE_DESCRIPTOR {KSYSTEM_SERVICE_TABLE ntoskrnl / / ntoskrnl.exe 's service function KSYSTEM_SERVICE_TABLE win32k; / / win32k.sys 's service function (supported by GDI32.dll/User32.dll kernel) KSYSTEM_SERVICE_TABLE notUsed1; KSYSTEM_SERVICE_TABLE notUsed2;} KSERVICE_TABLE_DESCRIPTOR, * PKSERVICE_TABLE_DESCRIPTOR

There are two system service descriptor tables in the kernel, one is KeServiceDescriptorTable (exported by ntoskrnl.exe) and the other is KeServieDescriptorTableShadow (not exported).

The difference between the two is that KeServiceDescriptorTable has only ntoskrnel, and KeServieDescriptorTableShadow contains ntoskrnel and win32k. In general, the service address of Native API is assigned by KeServiceDescriptorTable, and the kernel API call service address of gdi.dll/user.dll is assigned by KeServieDescriptorTableShadow. Also to be clear is that win32k.sys is only loaded in the gui thread, in general, it is not loaded, so to Hook KeServieDescriptorTableShadow, it is usually triggered by a GUI program through IoControlCode (I do not understand this, blue screen crashes N times do not understand what is going on).

SSDT HOOK principle

There are many types of kernel Hook, and an illustration is also given below:

SSDT HOOK is just one of the Hook technologies, and this article focuses on the use of SSDT Hook.

SSDT HOOK schematic diagram

Through the Kernel Detective tool, we can find that the current address of NtTerminateProcess will change before and after SSDT Hook, where the changed current address: 0xF885A110 is the address of our custom Hook function (that is, HookNtTerminateProcess). In this way, each time NtTerminateProcess is executed later, it will be based on the function pointed to by the execution of the "current address", which is the principle of SSDT Hook.

In addition, look at Xue's "fallen Genius" is well written, I directly quote:

The principle of SSDT HOOK is actually very simple. Let's actually take a look at what KeServiceDescriptorTable looks like.

Lkd > dd KeServiceDescriptorTable 8055ab80 804e3d20 00000000 0000011c 804d9f48 8055ab90 00000000 00000000 0000000000000000 8055aba0 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

As above, 80587691 805716ef 8057ab71 80581b5c these are the addresses of the system service functions. For example, when we call OpenProcess in ring3, the ID that enters sysenter is 0x7A (XP SP2), and then the system checks KeServiceDescriptorTable. It looks like this: KeServiceDescriptorTable.ntoskrnel.ServiceTableBase (804e3d20) + 0x7A * 4 = 804E3F08, and then 804E3F08-> 8057559e is where the OpenProcess system service function lies. Let's track it again:

Lkd > u 8057559e 68c4000000 push 0C4h 805755a3 6860b54e80 push offset ntOpenProcess: 8057559e ObReferenceObjectByPointercourse 0x127 (804eb560) 805755a8 e8e5e4f6ff call ntspeak InterlockedPushEntrySListopia 0x79 (804e3a92) 805755ad 33f6 xor esi,esi

It turns out that 8057559e is the starting address of the NtOpenProcess function.

Well, what if we change 8057559e to the address that points to our function? For example, MyNtOpenProcess, the system will call MyNtOpenProcess directly instead of the original NtOpenProcess. This is where the SSDT HOOK principle lies.

Pre-Hook preparation

If we want to modify the SSDT table, first of all, the table must be writable, but in the future xp system, it is read-only. There are three ways to modify the memory protection mechanism.

(1) change the registry

Restore page protection: HKLM\ SYSTEM\ CurrentControlset\ Control\ Session Manger\ Memory Management\ EnforceWriteProtection=0

Remove page protection: HKLM\ SYSTEM\ CurrentControlset\ Control\ Session Manger\ Memory Management\ DisablePagingExecutive=1

(2) change the first bit of the CR0 register

Windows allocates memory by paging management. There is a CR0 register, as shown in the following figure:

The first bit is called the protection property bit, which controls the read or write properties of the page. If 1, you can read / write / execute; if 0, you can only read / execute.

The page properties of SSDT,IDT are read-only, executable, but not writable by default.

The code is as follows:

/ / set to not writable void DisableWrite () {_ _ try {_ asm {mov eax, cr0 or eax, 10000h mov cr0, eax sti}} _ _ except (1) {DbgPrint ("DisableWrite execution failed!") ;}} / / set to writable void EnableWrite () {_ _ try {_ asm {cli mov eax,cr0 and eax,not 10000h / / and eax,0FFFEFFFFh mov cr0,eax}} _ _ except (1) {DbgPrint ("EnableWrite execution failed!") ;}}

(3) through Memory Descriptor List (MDL)

Specific methods can be done under google, but we will not introduce them here.

How do I get the address of a function in SSDT?

Two macros are mainly used here:

① gets the index number of the specified service: SYSCALL_INDEX

② gets the current address of the specified service: SYSCALL_FUNCTION

The specific definitions of these two macros are as follows:

/ / obtain the index number of the service corresponding to ZwServiceFunction in SSDT according to ZwServiceFunction # define SYSCALL_INDEX (ServiceFunction) (* (PULONG) ((PUCHAR) ServiceFunction + 1)) / / obtain the index number of service in SSDT according to ZwServiceFunction, and then obtain the address of ntServiceFunction through this index number # define SYSCALL_FUNCTION (ServiceFunction) KeServiceDescriptorTable- > ntoskrnl.ServiceTableBaseBase[ define SYSCALL_FUNCTION _ INDEX (ServiceFunction)] SSDT Hook process

In the driver entry function (DriverEntry), the SSDT table before SSDT Hook is backed up (saved with an array). When backing up, an index number corresponds to a current address, as shown in the figure above.

In this way, when you release the Hook, you can get the current address of the pre-Hook service name from the global array based on the index number, so that the original address can be written back, which is important.

When the user chooses to protect a process, an IO_INSERT_PROTECT_PROCESS control code will be sent to the driver through DeviceIoControl, and the driver will generate an IRP:IRP_MJ_DEVICE_CONTROL.

IRP_MJ_DEVICE_CONTROL specifies a dispatch function: SSDTHook_DispatchRoutine_CONTROL. In this dispatch function, we pass the pid of the process to be protected to the driver through the third parameter of DeviceIoControl if we want to protect a process by getting the control code (whether to protect the process or unprotect the process). Then read the pid from the buffer in the dispatch function SSDTHook_DispatchRoutine_CONTROL. If you want to protect the process, add the pid of the "protected process" to an array, and if you want to "unprotect the process", the process PID that you want to unprotect is removed from the array. After the Hook NtTermianteProcess function, we execute our custom function: HookNtTerminateProcess. In the HookNtTerminateProcess function, we determine whether the current process is in the process array to be protected. If the pid exists in the array, we return an exception of "insufficient permissions". If the pid does not exist in the process protection array, we directly call the NtTerminateProcess in the original SSDT to end the process. SSDT Hook implements process protection

With the above theoretical basis, we can talk about the specific implementation of SSDT Hook implementation process protection.

To implement process protection, you can either Hook NtTermianteProcess or Hook NtOpenProcess. Here, I am Hook NtTermianteProcess.

As mentioned in the SSDT Hook principles section, the essence of the SSDT Hook principle is to customize a function (HookNtTerminateProcess) so that the current address of the system service NtTermianteProcess points to our custom function address.

This step is performed in the driver entry function. When the driver loads, write the address of the custom function to the current address of the NtTermianteProcess service in the SSDT table:

/ / implement the installation of Hook, mainly replacing oldServiceNTSTATUS InstallHook (ULONG oldService, ULONG newService) {_ _ try {ULONG uOldAttr = 0; EnableWrite () with newService in SSDT; / / removing the page protection KdPrint (("forged NtTerminateProcess address:% x\ n", (int) newService)); / / KeServiceDescriptorTable- > ntoskrnl.ServiceTableBase[ Syscall _ INDEX (oldService)] = newService SYSCALL_FUNCTION (oldService) = newService;// DisableWrite (); / / restore page protection return STATUS_SUCCESS;} _ _ except (1) {KdPrint (("failed to install Hook!"));}}

It should be noted that before Hook, the page protection attribute of memory needs to be removed, and after Hook, the page protection attribute of memory needs to be restored.

The code for the HookNtTerminateProcess function is as follows:

/ / * * / function name: HookNtTerminateProcess// description: custom NtOpenProcess Used to implement Hook Kernel API// date: 2013 in_opt HANDLE ProcessHandle,__in NTSTATUS ExitStatus 06 in_opt HANDLE ProcessHandle,__in NTSTATUS ExitStatus 28 ULONG uPID / Parameter: ProcessHandle: process handle return value: / / * * NTSTATUS HookNtTerminateProcess (_ _ in_opt HANDLE ProcessHandle,__in NTSTATUS ExitStatus) {ULONG uPID NTSTATUS rtStatus; PCHAR pStrProcName; PEPROCESS pEProcess; ANSI_STRING strProcName; / / obtain the FileObject object corresponding to the process through the process handle. Since this is the process object, you naturally get the EPROCESS object rtStatus = ObReferenceObjectByHandle (ProcessHandle, FILE_READ_DATA, NULL, KernelMode, (PVOID*) & pEProcess, NULL); if (! NT_SUCCESS (rtStatus)) {return rtStatus } / / Save the original NtTerminateProcess address in SSDT pOldNtTerminateProcess = (NTTERMINATEPROCESS) oldSysServiceAdd [SYSCALL _ INDEX (ZwTerminateProcess)]; / / you can get the process name and process ID through this function, which is essentially exported in the kernel (you can see it in WRK) / / but it is not everywhere in ntddk.h, so you need to declare it yourself to use uPID = (ULONG) PsGetProcessId (pEProcess). PStrProcName = _ strupr ((TCHAR *) PsGetProcessImageFileName (pEProcess)); / / get the process name using Microsoft's unexposed PsGetProcessImageFileName function / / initialize an ASCII string RtlInitAnsiString (& strProcName, pStrProcName) through the process name If (ValidateProcessNeedProtect (uPID)! =-1) {/ / make sure that the caller process can be terminated (here mainly refers to taskmgr.exe) if (uPID! = (ULONG) PsGetProcessId (PsGetCurrentProcess () {/ / if the process is protected, you can return STATUS_ACCESS_DENIED if the process returns an exception with insufficient permissions. }} / / for unprotected processes, you can directly call the NtTerminateProcess in the original SSDT to end the process rtStatus = pOldNtTerminateProcess (ProcessHandle, ExitStatus); return rtStatus;} so far, I believe you have a deeper understanding of the "introduction of the underlying principles of SSDT Hook and how to implement process protection". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.