[m5home]

Hook SSDT in Win7x64 is easy.
But I don't think it is useful.
Because you need to disable PatchGuard(use fyyre's DISABLE_PG_DS_V3).
This is the main code:

Code: Select all

//Author: Tesla.Angela [www.m5home.com/bbs]
#include <ntddk.h>

PSYSTEM_SERVICE_TABLE KeServiceDescriptorTable;
NTTERMINATEPROCESS NtTerminateProcess=NULL;
ULONG OldTpVal;

NTSTATUS __fastcall Fake_NtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
{
        PEPROCESS Process;
        NTSTATUS st = ObReferenceObjectByHandle (ProcessHandle, 0, *PsProcessType, KernelMode, &Process, NULL);
        DbgPrint("Fake_NtTerminateProcess called!");
        if(NT_SUCCESS(st))
        {
                if(!_stricmp(PsGetProcessImageFileName(Process),"loaddrv.exe")||!_stricmp(PsGetProcessImageFileName(Process),"calc.exe"))
                        return STATUS_ACCESS_DENIED;
                else
                        return NtTerminateProcess(ProcessHandle,ExitStatus);
        }
        else
                return STATUS_ACCESS_DENIED;
}

ULONGLONG GetKeServiceDescriptorTable64() //written by a foreigner
{
        char KiSystemServiceStart_pattern[13] = "\x8B\xF8\xC1\xEF\x07\x83\xE7\x20\x25\xFF\x0F\x00\x00"; 
        ULONGLONG CodeScanStart = (ULONGLONG)&_strnicmp;
        ULONGLONG CodeScanEnd = (ULONGLONG)&KdDebuggerNotPresent;
        UNICODE_STRING Symbol;
        ULONGLONG i, tbl_address, b;
        for (i = 0; i < CodeScanEnd - CodeScanStart; i++)
        {
                if (!memcmp((char*)(ULONGLONG)CodeScanStart +i, (char*)KiSystemServiceStart_pattern,13))
                { 
                        for (b = 0; b < 50; b++)
                        {
                                tbl_address = ((ULONGLONG)CodeScanStart+i+b);
                                if (*(USHORT*) ((ULONGLONG)tbl_address ) == (USHORT)0x8d4c)
                                        return ((LONGLONG)tbl_address +7) + *(LONG*)(tbl_address +3);
                        }
                }
        }
        return 0;
}

ULONGLONG GetSSDTFuncCurAddr(ULONG id)
{
        LONG dwtmp=0;
        PULONG ServiceTableBase=NULL;
        ServiceTableBase=(PULONG)KeServiceDescriptorTable->ServiceTableBase;
        dwtmp=ServiceTableBase[id];
        dwtmp=dwtmp>>4;
        return (LONGLONG)dwtmp + (ULONGLONG)ServiceTableBase;
}

ULONG GetOffsetAddress(ULONGLONG FuncAddr)
{
        ULONG dwtmp=0;
        PULONG ServiceTableBase=NULL;
        ServiceTableBase=(PULONG)KeServiceDescriptorTable->ServiceTableBase;
        dwtmp=(ULONG)(FuncAddr-(ULONGLONG)ServiceTableBase);
        return dwtmp<<4;
}

VOID FuckKeBugCheckEx()
{
        KIRQL irql;
        ULONGLONG myfun;
        UCHAR jmp_code[]="\x48\xB8\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\xFF\xE0";
        myfun=(ULONGLONG)Fake_NtTerminateProcess;
        memcpy(jmp_code+2,&myfun,8);
        irql=WPOFFx64();
        memset(KeBugCheckEx,0x90,15);
        memcpy(KeBugCheckEx,jmp_code,12);
        WPONx64(irql);
}

/*
填写KeBugCheckEx的地址
在KeBugCheckEx填写jmp，跳到Fake_NtTerminateProcess
不能直接填写Fake_NtTerminateProcess的地址，因为它们不再同一个4GB
*/
VOID HookSSDT()
{
        KIRQL irql;
        ULONGLONG dwtmp=0;
        PULONG ServiceTableBase=NULL;
        //get old address
        NtTerminateProcess=(NTTERMINATEPROCESS)GetSSDTFuncCurAddr(41);
        dprintf("Old_NtTerminateProcess: %llx",(ULONGLONG)NtTerminateProcess);
        //set kebugcheckex
        FuckKeBugCheckEx();
        //show new address
        ServiceTableBase=(PULONG)KeServiceDescriptorTable->ServiceTableBase;
        OldTpVal=ServiceTableBase[41];        //record old offset value
        irql=WPOFFx64();
        ServiceTableBase[41]=GetOffsetAddress((ULONGLONG)KeBugCheckEx);
        WPONx64(irql);
        dprintf("KeBugCheckEx: %llx",(ULONGLONG)KeBugCheckEx);
        dprintf("New_NtTerminateProcess: %llx",GetSSDTFuncCurAddr(41));
}

VOID UnhookSSDT()
{
        KIRQL irql;
        PULONG ServiceTableBase=NULL;
        ServiceTableBase=(PULONG)KeServiceDescriptorTable->ServiceTableBase;
        //set value
        irql=WPOFFx64();
        ServiceTableBase[41]=GetOffsetAddress((ULONGLONG)NtTerminateProcess);        //OldTpVal;        //直接填写这个旧值也行
        WPONx64(irql);
        //没必要恢复KeBugCheckEx的内容了，反正执行到KeBugCheckEx时已经完蛋了。
        dprintf("NtTerminateProcess: %llx",GetSSDTFuncCurAddr(41));
}

hookssdt.jpg (258.14 KiB) Viewed 1010 times

[Vrtule]

Yes, ObRegisterCallbacks does the job much much better and the defense is less vulnerable. Personally, I do not see much interesting in this kind of hooking on 64bit systems.

[m5home]

Yes, ObRegisterCallbacks does the job much much better and the defense is less vulnerable. Personally, I do not see much interesting in this kind of hooking on 64bit systems.

I know, kernel hook is not a good way in WIN64.

But kernel hook(include SSDT HOOK and INLINE HOOK) can do many things.

ObRegisterCallbacks can monitor process/thread handle only, it means that this function can protect process/thread only.

My rule: Try to use standard method, if standard method cannot realize my need, I will use hook to realize it.

[Dmitry Varshavsky]

Yes, ObRegisterCallbacks does the job much much better and the defense is less vulnerable. Personally, I do not see much interesting in this kind of hooking on 64bit systems.

I know, kernel hook is not a good way in WIN64.

But kernel hook(include SSDT HOOK and INLINE HOOK) can do many things.

ObRegisterCallbacks can monitor process/thread handle only, it means that this function can protect process/thread only.

My rule: Try to use standard method, if standard method cannot realize my need, I will use hook to realize it.

ObRegisterCallbacks is much more flexible and useful than hooking of single NtTerminateProcess routine. It can restrict suspend/resume, vm operations, setting of context and many other things. You would require a bunch of hooked functions to achieve the whole functionality ObRegisterCallbacks provide you. Especially when we talk about x64 systems..
Think about it.

[m5home]

Yes, ObRegisterCallbacks does the job much much better and the defense is less vulnerable. Personally, I do not see much interesting in this kind of hooking on 64bit systems.

I know, kernel hook is not a good way in WIN64.

But kernel hook(include SSDT HOOK and INLINE HOOK) can do many things.

ObRegisterCallbacks can monitor process/thread handle only, it means that this function can protect process/thread only.

My rule: Try to use standard method, if standard method cannot realize my need, I will use hook to realize it.

ObRegisterCallbacks is much more flexible and useful than hooking of single NtTerminateProcess routine. It can restrict suspend/resume, vm operations, setting of context and many other things. You would require a bunch of hooked functions to achieve the whole functionality ObRegisterCallbacks provide you. Especially when we talk about x64 systems..
Think about it.

This topic is just a demo code of "HOOK SSDT IN WIN64".
I NEVER SAID "HOOK SSDT TO PROTECT PROCESS IS BETTER THEN USE ObRegisterCallbacks".

[EP_X0FF]

Capslock off please.

[m5home]

Capslock off please.

OK, next time, I will.

[m5home]

Something about kernel hook on X64:
1.Hook SSDT is illegal on WIN7 and WIN8.
2.Hook SHADOW SSDT is illegal on WIN8 but is legal on WIN7.
3.Hook Kernel Object Routine Function is illegal on WIN8 but is legal on WIN7.
4.Hook FSD dispatch function is legal on WIN7(Is it legal on WIN8? I don't know).

[gloryo]

Something about kernel hook on X64:
1.Hook SSDT is illegal on WIN7 and WIN8.
2.Hook SHADOW SSDT is illegal on WIN8 but is legal on WIN7.
3.Hook Kernel Object Routine Function is illegal on WIN8 but is legal on WIN7.
4.Hook FSD dispatch function is legal on WIN7(Is it legal on WIN8? I don't know).

i'd like to know about no 3.

u mean hook object_type_initializer function of any kernel object type is illegal on windows 8?

[xqrzd]

Object type hooks work fine for me on x86 Windows 8. I've not tested x64, but I would assume patch guard still covers it.