Hello. I was learning a lot recently, managed to hook SSDT using MDL. The hooks are wokring nicely, but when any SSDT hook is installed there is unintended problem, i cant run any exe. When i unload driver everything goes back to normal state. Do you have idea why?
There is part of code. I tested all variables, addresses with DbgPrint.
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
NTSTATUS PrepareSSDT(){
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable->ServiceTableBase, KeServiceDescriptorTable->NumberOfServices * 4);
if (!g_pmdlSystemCall) return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
DbgPrint("Mapped address %p", MappedSystemCallTable);
return STATUS_SUCCESS;
}
void HookSSDTEntry(ULONG entryId, PVOID HookFunction){
__asm cli
MappedSystemCallTable[entryId] = HookFunction;
DbgPrint("Adres po haczeniu: %p", KeServiceDescriptorTable->ServiceTableBase[entryId]);
__asm sti
}
and somewhere inside DriverEntry:
NtProtectVirtualMemory = (NTSTATUS(NTAPI*)(HANDLE, PVOID, PULONG, ULONG, PULONG)) KeServiceDescriptorTable->ServiceTableBase[0xD7];
HookSSDTEntry(0xD7, myNtProtectVirtualMemory);
I chose NtProtectVirtualMemory randomly (just to see 1 random hook in action). I see output in DbgView. myNtProtectVirtualMemory simply prints DbgPrint that hook was called and returns original call. What is worng with this simple hook then?
There is part of code. I tested all variables, addresses with DbgPrint.
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
NTSTATUS PrepareSSDT(){
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable->ServiceTableBase, KeServiceDescriptorTable->NumberOfServices * 4);
if (!g_pmdlSystemCall) return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
DbgPrint("Mapped address %p", MappedSystemCallTable);
return STATUS_SUCCESS;
}
void HookSSDTEntry(ULONG entryId, PVOID HookFunction){
__asm cli
MappedSystemCallTable[entryId] = HookFunction;
DbgPrint("Adres po haczeniu: %p", KeServiceDescriptorTable->ServiceTableBase[entryId]);
__asm sti
}
and somewhere inside DriverEntry:
NtProtectVirtualMemory = (NTSTATUS(NTAPI*)(HANDLE, PVOID, PULONG, ULONG, PULONG)) KeServiceDescriptorTable->ServiceTableBase[0xD7];
HookSSDTEntry(0xD7, myNtProtectVirtualMemory);
I chose NtProtectVirtualMemory randomly (just to see 1 random hook in action). I see output in DbgView. myNtProtectVirtualMemory simply prints DbgPrint that hook was called and returns original call. What is worng with this simple hook then?
