??? Hook - PowerPoint PPT Presentation

About This Presentation
Title:

??? Hook

Description:

4 2004 12 14 Hook SYSENTER Hook Windows IDS System Service ... – PowerPoint PPT presentation

Number of Views:67
Avg rating:3.0/5.0
Slides: 28
Provided by: DaisukeS
Category:

less

Transcript and Presenter's Notes

Title: ??? Hook


1
????????(5)
  • ??4??
  • ?? ??
  • 2004?12?14?

2
??
  • ????
  • ??? Hook
  • SYSENTER ? Hook
  • ?????

3
????
  • Windows ? IDS
  • System Service ??????
  • System Service UNIX ??System Call
  • ?????? Hook ???????

4
??
  • ????
  • ??? Hook
  • SYSENTER ? Hook
  • ?????

5
??? Hook
  • User-mode
  • Win32 ? API ? Hook 1
  • ??3?????
  • Kernel-mode
  • Native API ? Hook

6
User-mode Hooking
  • Proxy DLL
  • DLL ??????
  • Function Patching
  • ???????????
  • ?Detours 2
  • IAT Patching 2,3
  • Import Address Table ????????
  • Detours ????????

7
Function Patching (Detours)
  • ??????(detour)????????API ?????

8
Function Patching (Detours)
  • ??
  • ??????? API ? Hook ???
  • ??
  • API ?? ?jmp ???5 byte ???????? 5 byte ??? API
    ?????????
  • Win32 ? API ????? DLL ??????????

9
IAT Patching
  • IAT Import Address Table
  • Import Address Table ??????
  • Detours ????????
  • ??????????

10
Import Address Table (IAT) 4
  • ???????(?? DLL )????????????????
  • ??????????
  • Windows Loader ? DLL ???????????????
  • 1?????????1???
  • ??????0???(? ntdll.dll)
  • ????? Export Address Table

11
Using IAT for Hooking
DLL
EXE
??? ????
CreateFile
OpenFile


CreateFile
OpenFile



IAT
??? ???
12
IAT Patching
  • ??????
  • Getprocaddress ????????????????????
  • ????????Rootkit???????
  • OS ???????????????????????

13
Kernel-mode Hooking
  • Windows NT ? System Service ?hooking 5
  • ???????? 6
  • ?????????????????(?????)
  • Rootkit ??????????

14
System Service
  • Linux ? System Call ??????
  • NT Executive(ntoskrnl.exe ???) ????????
  • ?????Windows ?????
  • ?Win32 CreateFile() ? POSIX open()
    ?NTCreateFile() ??????
  • ?????????????????????!

15
System Service Hooking 5
  • System Service ????(System Service
    Table(SST))???(UNIX?? System Call Table ??????)
  • SST ? Service ?????????
  • ??????????????? ???????????

16
System Service Hooking
SSDT
ZwCreateFile
ZwDeleteFile


??????
??? ???
?????
17
???
  • OS ??????????ntoskrnl.exe ????????
    ?OS??????????
  • Hook ??????????????

18
??
  • ????
  • ??? Hook
  • SYSENTER ? Hook
  • ?????

19
SYSENTER ? Hook
  • System Service ?????? ??????????????????????????
    ??
  • User-mode ?? System Service ?????????Kernel-mode
    ???????? Windows 2000 ??? int 2e Windows XP
    ??? SYSENTER

20
SYSENTER???? 7
  • 1997???????????
  • Fast System CallSystem Call ???????????????????
  • ??????????IP??????????????
  • Linux ?? 2.5 ???(?)

21
SYSENTER ? Hook
  • SYSENTER_EIP_MSR ?? ?? IP ?????? ???????????
  • WRMSR ???????
  • RDMSR ???????

22
???(??????????)
stub pushad cmp eax, 30h / ?????
CreateProcess ???? / je log
normal popad jmp SYSENTER_EIP_MSR_L
log push eax push offset logMessage call
DbgPrint add esp, 8 jmp normal endasm
push eax push ecx push edx mov ecx, 174h /
SYSENTER_CS_MSR / rdmsr mov SYSENTER_CS_MSR_H,
edx mov SYSENTER_CS_MSR_L, eax mov ecx, 175h /
SYSENTER_ESP_MSR / rdmsr mov SYSENTER_ESP_MSR_H,
edx mov SYSENTER_ESP_MSR_L, eax mov ecx, 176h /
SYSENTER_EIP_MSR / rdmsr mov SYSENTER_EIP_MSR_H,
edx mov SYSENTER_EIP_MSR_L, eax cli mov ecx,
176h xor edx, edx mov eax, stub wrmsr sti pop
edx pop ecx pop eax jmp endasm
23
??
24
??
  • ????
  • ??? Hook
  • SYSENTER ? Hook
  • ?????

25
?????
  • UI???
  • DbgView ??????????
  • ????????????
  • SYSENTER ?? Hook ????? IDS ???
  • UNIX??? System Call ?????????

26
????(1)
  1. API Spying Techniqueshttp//www.internals.com/art
    icles/apispy/apispy.htm
  2. Detourshttp//research.microsoft.com/sn/detours/
  3. Process-wide API spying an ultimate
    hackhttp//www.codeproject.com/system/api_spying_
    hack.asp
  4. An In-Depth Look into the Win32 Portable
    Executable File Format (Part 1
    2)http//www.msdn.microsoft.com/msdnmag/issues/02
    /02/PE/default.aspxhttp//www.msdn.microsoft.com/
    msdnmag/issues/02/03/PE2/default.aspx

27
????(2)
  1. Hooking Windows NT System Serviceshttp//www.wind
    owsitlibrary.com/Content/356/06/1.html
  2. A Host Intrusion Prevention System for Windows
    Operating SystemsRoberto Battistoni, Emanuele
    Gabrielli, Luigi V. ManciniESORICS 2004
  3. IA-32 Intel Architecture Software Developers
    Manual
Write a Comment
User Comments (0)
About PowerShow.com