C/C++教程
Windows驱动开发学习记录- x86 InlineHook字节数计算(使用Hook Api lib 0.4 for C)
本文主要是介绍Windows驱动开发学习记录- x86 InlineHook字节数计算(使用Hook Api lib 0.4 for C),对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
Hook Api lib 0.4 for C原文及源代码地址链接《 [原创]Hook Api lib 0.4 for C 》
一、使用背景
最新在学习SSDT Inline Hook,一般在Hook开头进行一个JMP,例如Near Jmp,或者一个Far Jmp。
Near Jmp机器码为 E9 xx xx xx xx,一共五个字节;Far Jmp机器码为 EA xx xx xx xx 08 00,其中驱动中段址为08。
在Hook时保存原调用函数对应的字节数,然后修改其为跳转到自定义函数。
以Windows XP SP3中的 NtOpenFile为例,其反汇编如下:
1 0: kd> u nt!NtOpenFile nt!NtQueryEaFile-1 2 nt!NtOpenFile: 3 8057b1a0 8bff mov edi,edi 4 8057b1a2 55 push ebp 5 8057b1a3 8bec mov ebp,esp 6 8057b1a5 33c0 xor eax,eax 7 8057b1a7 50 push eax 8 8057b1a8 50 push eax 9 8057b1a9 50 push eax 10 8057b1aa 50 push eax 11 8057b1ab 50 push eax 12 8057b1ac ff751c push dword ptr [ebp+1Ch] 13 8057b1af 6a01 push 1 14 8057b1b1 ff7518 push dword ptr [ebp+18h] 15 8057b1b4 50 push eax 16 8057b1b5 50 push eax 17 8057b1b6 ff7514 push dword ptr [ebp+14h] 18 8057b1b9 ff7510 push dword ptr [ebp+10h] 19 8057b1bc ff750c push dword ptr [ebp+0Ch] 20 8057b1bf ff7508 push dword ptr [ebp+8] 21 8057b1c2 e873c7ffff call nt!IoCreateFile (8057793a) 22 8057b1c7 5d pop ebp 23 8057b1c8 c21800 ret 18h 24 8057b1cb cc int 3 25 8057b1cc cc int 3 26 8057b1cd cc int 3 27 8057b1ce cc int 3 28 8057b1cf cc int 3
在这种情况下进行Near Jmp的Inline Hook正好,三条指令,5个字节长度。但也有例外情况。
如Windows XP SP3中的 NtOpenEvent:
1 0: kd> u nt!NtOpenEvent L25 2 nt!NtOpenEvent: 3 806101e0 6a18 push 18h 4 806101e2 68a0df4d80 push offset nt!ExTraceAllTables+0x1b (804ddfa0) 5 806101e7 e854cbf2ff call nt!_SEH_prolog (8053cd40) 6 806101ec 64a124010000 mov eax,dword ptr fs:[00000124h] 7 806101f2 8a9840010000 mov bl,byte ptr [eax+140h] 8 806101f8 885ddc mov byte ptr [ebp-24h],bl 9 806101fb 84db test bl,bl 10 806101fd 743c je nt!NtOpenEvent+0x5b (8061023b) 11 806101ff 8365fc00 and dword ptr [ebp-4],0 12 80610203 8b7508 mov esi,dword ptr [ebp+8] 13 80610206 a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)] 14 8061020b 3bf0 cmp esi,eax 15 8061020d 7206 jb nt!NtOpenEvent+0x35 (80610215) 16 8061020f c70000000000 mov dword ptr [eax],0 17 80610215 8b06 mov eax,dword ptr [esi] 18 80610217 8906 mov dword ptr [esi],eax 19 80610219 834dfcff or dword ptr [ebp-4],0FFFFFFFFh 20 8061021d eb1f jmp nt!NtOpenEvent+0x5e (8061023e) 21 8061021f 8b45ec mov eax,dword ptr [ebp-14h] 22 80610222 8b00 mov eax,dword ptr [eax] 23 80610224 8b00 mov eax,dword ptr [eax] 24 80610226 8945e0 mov dword ptr [ebp-20h],eax 25 80610229 e8c0400000 call nt!ExSystemExceptionFilter (806142ee) 26 8061022e c3 ret 27 ......
发现第一条指令2字节,第二条指令5字节,对于使用Near Jmp的5字节来说,正好落在第2条指令中间,也就是说把一整条指令打断了,这样运行肯定会出问题。
所以需要一个计算每条指令长度的功能,来获取大于等于我们需要hook长度的最少完整指令长度,而 Hook Api lib 0.4 for C 这篇文章就提供了这个方法。
二、代码实现
直接上代码:
头文件
1 //
2 //deroko 的LDEX86的头文件定义
3 /*
4 C_MODRM for instructions that require MODRM
5 C_PREFIX for PREFIXES (SEG/REP)
6 C_2BYTE for instructions which opcode is 2 byte
7 */
8 #define C_SIZE1 0x01
9 #define C_MODRM 0x02
10 #define C_DATA8 0x04
11 #define C_DATA16 0x08
12 #define C_DATA32 0x10
13 #define C_PREFIX 0x20
14 #define C_2BYTE 0x40
15 #define C_REL 0x80 //used to don't fuck up relative jmps with 67 prefix
16 #define C_66 0x66 //operand size prefix
17 #define C_67 0x67 //address size prefix
18
19 #define C_UNKNOWN 0x00
20
21 static BYTE table_1[256]={
22 /* 00 */ C_MODRM
23 /* 01 */, C_MODRM
24 /* 02 */, C_MODRM
25 /* 03 */, C_MODRM
26 /* 04 */, C_DATA8 // add al, ax, eax + 32imm w not set imm size = 8
27 /* 05 */, C_DATA32 // add al, ax, eax + 32imm w set imm size = 32
28 /* 06 */, C_SIZE1 //push es
29 /* 07 */, C_SIZE1 //pop es
30 /* 08 */, C_MODRM //or w set
31 /* 09 */, C_MODRM //or w not set :)
32 /* 0A */, C_MODRM
33 /* 0B */, C_MODRM
34 /* 0C */, C_DATA8 // or al/ax/eax shortcut
35 /* 0D */, C_DATA32 // or al/ax/eax shortcut
36 /* 0E */, C_SIZE1 // push cs
37 /* 0F */, C_2BYTE
38 /* 10 */, C_MODRM //adc w/d set mod rm, next 4
39 /* 11 */, C_MODRM
40 /* 12 */, C_MODRM
41 /* 13 */, C_MODRM
42 /* 14 */, C_DATA8 //adc al, imm8
43 /* 15 */, C_DATA32 //adc al, imm32
44 /* 16 */, C_SIZE1 //push ss
45 /* 17 */, C_SIZE1 //pop ss
46 /* 18 */, C_MODRM //sbb w set/not set
47 /* 19 */, C_MODRM
48 /* 1A */, C_MODRM //sbb d/w combinations
49 /* 1B */, C_MODRM //sbb d/w combinations
50 /* 1C */, C_DATA8 //sbb al, imm8
51 /* 1D */, C_DATA32 //sbb eax, imm32
52 /* 1E */, C_SIZE1 //push ds
53 /* 1F */, C_SIZE1 //pop ds
54 /* 20 */, C_MODRM //and mod/rm d/w bit combinations = 4
55 /* 21 */, C_MODRM
56 /* 22 */, C_MODRM
57 /* 23 */, C_MODRM //end and mod/rm d/w bit combinations
58 /* 24 */, C_DATA8 //and al, imm8
59 /* 25 */, C_DATA32 //and al, imm32
60 /* 26 */, C_PREFIX
61 /* 27 */, C_SIZE1 //daa
62 /* 28 */, C_MODRM //sub w/d mixup
63 /* 29 */, C_MODRM
64 /* 2A */, C_MODRM
65 /* 2B */, C_MODRM //sub w/d mixup end
66 /* 2C */, C_DATA8 //sub al, ax ,eax imm8
67 /* 2D */, C_DATA32 //sub al, ax, eax imm8
68 /* 2E */, C_PREFIX
69 /* 2F */, C_SIZE1 //das
70 /* 30 */, C_MODRM //xor next 4
71 /* 31 */, C_MODRM
72 /* 32 */, C_MODRM
73 /* 33 */, C_MODRM
74 /* 34 */, C_DATA8 //xor al, ax, eax imm 8 w not set (al)
75 /* 35 */, C_DATA32 //xor al, ax, eax imm 32 w set (eax)
76 /* 36 */, C_PREFIX
77 /* 37 */, C_SIZE1 //AAA
78 /* 38 */, C_MODRM //cmp d/w set 4 combinations
79 /* 39 */, C_MODRM //cmp
80 /* 3A */, C_MODRM //cmp
81 /* 3B */, C_MODRM //cmp
82 /* 3C */, C_DATA8 //cmp al, ax, eax imm 8
83 /* 3D */, C_DATA32 //cmp al, ax, eax imm 32
84 /* 3E */, C_PREFIX
85 /* 3F */, C_SIZE1 //AAS
86 /* 40 */, C_SIZE1 //inc reg (alternate encoding)
87 /* 41 */, C_SIZE1
88 /* 42 */, C_SIZE1
89 /* 43 */, C_SIZE1
90 /* 44 */, C_SIZE1
91 /* 45 */, C_SIZE1
92 /* 46 */, C_SIZE1
93 /* 47 */, C_SIZE1
94 /* 48 */, C_SIZE1 //dec reg (alternate encoding)
95 /* 49 */, C_SIZE1
96 /* 4A */, C_SIZE1
97 /* 4B */, C_SIZE1
98 /* 4C */, C_SIZE1
99 /* 4D */, C_SIZE1
100 /* 4E */, C_SIZE1
101 /* 4F */, C_SIZE1
102 /* 50 */, C_SIZE1
103 /* 51 */, C_SIZE1
104 /* 52 */, C_SIZE1
105 /* 53 */, C_SIZE1
106 /* 54 */, C_SIZE1
107 /* 55 */, C_SIZE1
108 /* 56 */, C_SIZE1
109 /* 57 */, C_SIZE1
110 /* 58 */, C_SIZE1 //pop reg
111 /* 59 */, C_SIZE1
112 /* 5A */, C_SIZE1
113 /* 5B */, C_SIZE1
114 /* 5C */, C_SIZE1
115 /* 5D */, C_SIZE1
116 /* 5E */, C_SIZE1
117 /* 5F */, C_SIZE1 //pop reg ends
118 /* 60 */, C_SIZE1 //pushad
119 /* 61 */, C_SIZE1 //popad
120 /* 62 */, C_MODRM //bound
121 /* 63 */, C_MODRM //arpl
122 /* 64 */, C_PREFIX
123 /* 65 */, C_PREFIX
124 /* 66 */, C_PREFIX
125 /* 67 */, C_PREFIX
126 /* 68 */, C_DATA32 //push immidiate 32
127 /* 69 */, C_MODRM + C_DATA32 //imul reg/reg imm32
128 /* 6A */, C_DATA8 //push imm 8
129 /* 6B */, C_MODRM + C_DATA8 //imul reg/reg imm8
130 /* 6C */, C_SIZE1 //ins w not set
131 /* 6D */, C_SIZE1 //ins w set
132 /* 6E */, C_SIZE1 //outs w not set
133 /* 6F */, C_SIZE1 //outs w set
134 /* 70 */, C_DATA8 + C_REL //jcc 8 bit displacement start
135 /* 71 */, C_DATA8 + C_REL
136 /* 72 */, C_DATA8 + C_REL
137 /* 73 */, C_DATA8 + C_REL
138 /* 74 */, C_DATA8 + C_REL
139 /* 75 */, C_DATA8 + C_REL
140 /* 76 */, C_DATA8 + C_REL
141 /* 77 */, C_DATA8 + C_REL
142 /* 78 */, C_DATA8 + C_REL
143 /* 79 */, C_DATA8 + C_REL
144 /* 7A */, C_DATA8 + C_REL
145 /* 7B */, C_DATA8 + C_REL
146 /* 7C */, C_DATA8 + C_REL
147 /* 7D */, C_DATA8 + C_REL
148 /* 7E */, C_DATA8 + C_REL
149 /* 7F */, C_DATA8 + C_REL //jcc 8 bit displacement ends
150 /* 80 */, C_MODRM + C_DATA8 //sub immidira/reg 32bit imm, also cmp modrm/imm32, also cmp
151 /* 81 */, C_MODRM + C_DATA32 //sub imidiate/reg 32bit imm, also cmp modrm/imm32, also cmp
152 /* 82 */, C_MODRM + C_DATA8 //sub or mod rm 8imm w not set, --||-- /imm8, also cmp
153 /* 83 */, C_MODRM + C_DATA8 //sub or mod rm 8imm w set set, --||-- /imm8, also cmp
154 /* 84 */, C_MODRM //test w not set
155 /* 85 */, C_MODRM //test w set
156 /* 86 */, C_MODRM //xchg w not set
157 /* 87 */, C_MODRM //xchg w set
158 /* 88 */, C_MODRM //mov not set w
159 /* 89 */, C_MODRM //mov set w
160 /* 8A */, C_MODRM //mov d set/not
161 /* 8B */, C_MODRM
162 /* 8C */, C_MODRM //mov reg/seg
163 /* 8D */, C_MODRM //lea
164 /* 8E */, C_MODRM //mov reg/seg I guess
165 /* 8F */, C_MODRM //pop reg/memory
166 /* 90 */, C_SIZE1 //nop
167 /* 91 */, C_SIZE1 //xchg al, ax, eax reg
168 /* 92 */, C_SIZE1
169 /* 93 */, C_SIZE1
170 /* 94 */, C_SIZE1
171 /* 95 */, C_SIZE1
172 /* 96 */, C_SIZE1
173 /* 97 */, C_SIZE1 //xchg al, ax, eax, ret ends
174 /* 98 */, C_SIZE1 //cbw, cwde
175 /* 99 */, C_SIZE1 //cdq, cwd
176 /* 9A */, C_DATA32 + C_DATA16 //far call (call unsinged full offset,selector)
177 /* 9B */, C_SIZE1 //wait//fwait
178 /* 9C */, C_SIZE1 //pushfd
179 /* 9D */, C_SIZE1 //popfd
180 /* 9E */, C_SIZE1 //sahf
181 /* 9F */, C_SIZE1 //LAHF
182 /* A0 */, C_DATA32 //mov al, ax, eax,mem full_offset
183 /* A1 */, C_DATA32 //mov al, ax, eax, mem full_offset
184 /* A2 */, C_DATA32 //mov mem, al, ax, eax full_offset
185 /* A3 */, C_DATA32 //mov mem, al, ax, eax full_offset
186 /* A4 */, C_SIZE1 //movsb
187 /* A5 */, C_SIZE1 //movsd
188 /* A6 */, C_SIZE1 //cmpsb... 2 of them w bit set
189 /* A7 */, C_SIZE1
190 /* A8 */, C_DATA8 //test al/ax/eax shortcut
191 /* A9 */, C_DATA32 //test al/ax/eax shortcut
192 /* AA */, C_SIZE1 //stosb
193 /* AB */, C_SIZE1 //stosd, or stosw + PREFIX 66
194 /* AC */, C_SIZE1 //lodsb
195 /* AD */, C_SIZE1 //lodsw + PREFIX 66 or lodsd
196 /* AE */, C_SIZE1 //scasb
197 /* AF */, C_SIZE1 //scasd
198 /* B0 */, C_DATA8 //mov reg, imm 8 alterante encoding
199 /* B1 */, C_DATA8
200 /* B2 */, C_DATA8
201 /* B3 */, C_DATA8
202 /* B4 */, C_DATA8
203 /* B5 */, C_DATA8
204 /* B6 */, C_DATA8
205 /* B7 */, C_DATA8
206 /* B8 */, C_DATA32 //mov immidiate to reg (alternate encoding)
207 /* B9 */, C_DATA32
208 /* BA */, C_DATA32
209 /* BB */, C_DATA32
210 /* BC */, C_DATA32
211 /* BD */, C_DATA32
212 /* BE */, C_DATA32
213 /* BF */, C_DATA32
214 /* C0 */, C_MODRM+C_DATA8 //rcl reg/mem by imm8 also rcr depends on opcode in modr/m field, also rol/ror
215 /* C1 */, C_MODRM+C_DATA8 //-----------||-----------
216 /* C2 */, C_DATA16
217 /* C3 */, C_SIZE1 //ret no args
218 /* C4 */, C_MODRM //les
219 /* C5 */, C_MODRM //lds
220 /* C6 */, C_MODRM+C_DATA8 // mov mem/imm
221 /* C7 */, C_MODRM+C_DATA32 //litle change (mov mem/imm)
222 /* C8 */, C_DATA8 + C_DATA16 //enter 16disp, 8bit level =4 size
223 /* C9 */, C_SIZE1
224 /* CA */, C_DATA16 //retf param
225 /* CB */, C_SIZE1 //retf no param
226 /* CC */, C_SIZE1
227 /* CD */, C_DATA8 //int, 8bit interupt number
228 /* CE */, C_SIZE1 //into
229 /* CF */, C_SIZE1 //iret
230 /* D0 */, C_MODRM //rcl reg/memory by 1 , also rcr, also ror/rol
231 /* D1 */, C_MODRM //same with w bit set , -||-
232 /* D2 */, C_MODRM //rcl register by cl , -||-
233 /* D3 */, C_MODRM //same with w bit set , -||- , also rol,ror
234 /* D4 */, C_DATA8 //aam 2 byte long but C_DATA8 is processed as 2 in my algo so this is ok
235 /* D5 */, C_DATA8 //aad 2 bytes long C_DATA8 is processed as 2 byte long
236 /* D6 */, C_SIZE1 //salc
237 /* D7 */, C_SIZE1 //xlat
238 /* D8 */, C_MODRM //all FPU are C_MODRM
239 /* D9 */, C_MODRM
240 /* DA */, C_MODRM
241 /* DB */, C_MODRM
242 /* DC */, C_MODRM
243 /* DD */, C_MODRM
244 /* DE */, C_MODRM
245 /* DF */, C_MODRM //end FPU instructions
246 /* E0 */, C_DATA8 + C_REL //loonz 8bit
247 /* E1 */, C_DATA8 + C_REL //loopz 8bit
248 /* E2 */, C_DATA8 + C_REL //loop 8bit
249 /* E3 */, C_DATA8 + C_REL //jecxz 8bit Address-size prefix indicates jcxz or jecxz
250 /* E4 */, C_DATA8 //in al, port
251 /* E5 */, C_DATA8 //in eax, port
252 /* E6 */, C_DATA8 //out port w not set (out 0, al)
253 /* E7 */, C_DATA8 //out port w set (out 0, eax)
254 /* E8 */, C_DATA32 + C_REL
255 /* E9 */, C_DATA32 + C_REL //jmp full displacement
256 /* EA */, C_DATA32 + C_DATA16 //jmp far full offset, selector
257 /* EB */, C_DATA8 //jmp 8 bit displacement
258 /* EC */, C_SIZE1 //in
259 /* ED */, C_SIZE1 //in
260 /* EE */, C_SIZE1 //out
261 /* EF */, C_SIZE1 //out
262 /* F0 */, C_PREFIX
263 /* F1 */, C_SIZE1 //int1
264 /* F2 */, C_PREFIX
265 /* F3 */, C_PREFIX
266 /* F4 */, C_SIZE1 //hlt
267 /* F5 */, C_SIZE1 //cmc
268 /* F6 */, C_MODRM + C_DATA8 //not (w not set), neg depends on opcode field in modrm, it can be test imm
269 /* F7 */, C_MODRM + C_DATA32 //not (w set) , neg depends on opcode field in modrm, it can be test imm
270 /* F8 */, C_SIZE1 //clc
271 /* F9 */, C_SIZE1 //stc
272 /* FA */, C_SIZE1 //cli
273 /* FB */, C_SIZE1 //sti
274 /* FC */, C_SIZE1 //cld
275 /* FD */, C_SIZE1 //std
276 /* FE */, C_MODRM //inc/dec w not set (modrm)
277 /* FF */, C_MODRM //inc/dec w set (modrm) //call also depends on reg/opcode field
278 }; //also jmp (depends on reg/opcode) fild
279
280 static BYTE table_2[256]={
281 /* 00 */ C_MODRM //lldt
282 /* 01 */, C_MODRM //invlpg
283 /* 02 */, C_MODRM //lar
284 /* 03 */, C_MODRM //LSL
285 /* 04 */, 0
286 /* 05 */, 0
287 /* 06 */, C_SIZE1 //clts
288 /* 07 */, 0
289 /* 08 */, C_SIZE1 //invd
290 /* 09 */, C_SIZE1
291 /* 0A */, 0
292 /* 0B */, 0
293 /* 0C */, 0
294 /* 0D */, 0
295 /* 0E */, 0
296 /* 0F */, 0
297 /* 10 */, 0
298 /* 11 */, 0
299 /* 12 */, 0
300 /* 13 */, 0
301 /* 14 */, 0
302 /* 15 */, 0
303 /* 16 */, 0
304 /* 17 */, 0
305 /* 18 */, 0
306 /* 19 */, 0
307 /* 1A */, 0
308 /* 1B */, 0
309 /* 1C */, 0
310 /* 1D */, 0
311 /* 1E */, 0
312 /* 1F */, 0
313 /* 20 */, C_MODRM //mov reg/crX
314 /* 21 */, C_MODRM //mov drX/reg
315 /* 22 */, C_MODRM //mov crX/reg and it foes all the way down
316 /* 23 */, C_MODRM //mov reg/drX
317 /* 24 */, 0
318 /* 25 */, 0
319 /* 26 */, 0
320 /* 27 */, 0
321 /* 28 */, 0
322 /* 29 */, 0
323 /* 2A */, 0
324 /* 2B */, 0
325 /* 2C */, 0
326 /* 2D */, 0
327 /* 2E */, 0
328 /* 2F */, 0
329 /* 30 */, C_SIZE1
330 /* 31 */, C_SIZE1
331 /* 32 */, C_SIZE1
332 /* 33 */, C_SIZE1
333 /* 34 */, C_SIZE1
334 /* 35 */, 0
335 /* 36 */, 0
336 /* 37 */, 0
337 /* 38 */, 0
338 /* 39 */, 0
339 /* 3A */, 0
340 /* 3B */, 0
341 /* 3C */, 0
342 /* 3D */, 0
343 /* 3E */, 0
344 /* 3F */, 0
345 /* 40 */, C_MODRM //conditional move
346 /* 41 */, C_MODRM
347 /* 42 */, C_MODRM
348 /* 43 */, C_MODRM
349 /* 44 */, C_MODRM
350 /* 45 */, C_MODRM
351 /* 46 */, C_MODRM
352 /* 47 */, C_MODRM
353 /* 48 */, C_MODRM
354 /* 49 */, C_MODRM
355 /* 4A */, C_MODRM
356 /* 4B */, C_MODRM
357 /* 4C */, C_MODRM
358 /* 4D */, C_MODRM
359 /* 4E */, C_MODRM
360 /* 4F */, C_MODRM //end conditional move
361 /* 50 */, 0
362 /* 51 */, 0
363 /* 52 */, 0
364 /* 53 */, 0
365 /* 54 */, 0
366 /* 55 */, 0
367 /* 56 */, 0
368 /* 57 */, 0
369 /* 58 */, 0
370 /* 59 */, 0
371 /* 5A */, 0
372 /* 5B */, 0
373 /* 5C */, 0
374 /* 5D */, 0
375 /* 5E */, 0
376 /* 5F */, 0
377 /* 60 */, 0
378 /* 61 */, 0
379 /* 62 */, 0
380 /* 63 */, 0
381 /* 64 */, 0
382 /* 65 */, 0
383 /* 66 */, 0
384 /* 67 */, 0
385 /* 68 */, 0
386 /* 69 */, 0
387 /* 6A */, 0
388 /* 6B */, 0
389 /* 6C */, 0
390 /* 6D */, 0
391 /* 6E */, 0
392 /* 6F */, 0
393 /* 70 */, 0
394 /* 71 */, 0
395 /* 72 */, 0
396 /* 73 */, 0
397 /* 74 */, 0
398 /* 75 */, 0
399 /* 76 */, 0
400 /* 77 */, 0
401 /* 78 */, 0
402 /* 79 */, 0
403 /* 7A */, 0
404 /* 7B */, 0
405 /* 7C */, 0
406 /* 7D */, 0
407 /* 7E */, 0
408 /* 7F */, 0
409 /* 80 */, C_DATA32 //jccs 2 byte long imm32
410 /* 81 */, C_DATA32
411 /* 82 */, C_DATA32
412 /* 83 */, C_DATA32
413 /* 84 */, C_DATA32
414 /* 85 */, C_DATA32
415 /* 86 */, C_DATA32
416 /* 87 */, C_DATA32
417 /* 88 */, C_DATA32
418 /* 89 */, C_DATA32
419 /* 8A */, C_DATA32
420 /* 8B */, C_DATA32
421 /* 8C */, C_DATA32
422 /* 8D */, C_DATA32
423 /* 8E */, C_DATA32
424 /* 8F */, C_DATA32 //jccs 2byte long ends imm32
425 /* 90 */, C_MODRM
426 /* 91 */, C_MODRM
427 /* 92 */, C_MODRM
428 /* 93 */, C_MODRM
429 /* 94 */, C_MODRM
430 /* 95 */, C_MODRM
431 /* 96 */, C_MODRM
432 /* 97 */, C_MODRM
433 /* 98 */, C_MODRM
434 /* 99 */, C_MODRM
435 /* 9A */, C_MODRM
436 /* 9B */, C_MODRM
437 /* 9C */, C_MODRM
438 /* 9D */, C_MODRM
439 /* 9E */, C_MODRM
440 /* 9F */, C_MODRM
441 /* A0 */, C_SIZE1 //push fs
442 /* A1 */, C_SIZE1 //pop fs
443 /* A2 */, C_SIZE1 //cpuid
444 /* A3 */, C_MODRM //bt reg/mem
445 /* A4 */, C_MODRM + C_DATA8
446 /* A5 */, C_MODRM
447 /* A6 */, 0
448 /* A7 */, 0
449 /* A8 */, C_SIZE1 //push gs
450 /* A9 */, C_SIZE1 //pop gs
451 /* AA */, C_SIZE1
452 /* AB */, C_MODRM //bts
453 /* AC */, C_MODRM + C_DATA8
454 /* AD */, C_MODRM
455 /* AE */, 0
456 /* AF */, C_MODRM //imul reg/reg or reg/mem
457 /* B0 */, C_MODRM //cmpxchg
458 /* B1 */, C_MODRM //cmpxchg
459 /* B2 */, C_MODRM //lss
460 /* B3 */, C_MODRM //btr
461 /* B4 */, C_MODRM //lfs
462 /* B5 */, C_MODRM //lgs
463 /* B6 */, C_MODRM //movzx
464 /* B7 */, C_MODRM //movzx
465 /* B8 */, 0
466 /* B9 */, 0
467 /* BA */, C_MODRM + C_DATA8 //bt imm8
468 /* BB */, C_MODRM //btc mod/rm
469 /* BC */, C_MODRM //BSF
470 /* BD */, C_MODRM //BSR
471 /* BE */, C_MODRM //movsx
472 /* BF */, C_MODRM //movsx
473 /* C0 */, C_MODRM //xadd
474 /* C1 */, C_MODRM //xadd
475 /* C2 */, 0
476 /* C3 */, 0
477 /* C4 */, 0
478 /* C5 */, 0
479 /* C6 */, 0
480 /* C7 */, 0
481 /* C8 */, C_SIZE1 //bswap eax
482 /* C9 */, C_SIZE1
483 /* CA */, C_SIZE1
484 /* CB */, C_SIZE1
485 /* CC */, C_SIZE1
486 /* CD */, C_SIZE1
487 /* CE */, C_SIZE1
488 /* CF */, C_SIZE1 //bswap reg ends
489 /* D0 */, 0
490 /* D1 */, 0
491 /* D2 */, 0
492 /* D3 */, 0
493 /* D4 */, 0
494 /* D5 */, 0
495 /* D6 */, 0
496 /* D7 */, 0
497 /* D8 */, 0
498 /* D9 */, 0
499 /* DA */, 0
500 /* DB */, 0
501 /* DC */, 0
502 /* DD */, 0
503 /* DE */, 0
504 /* DF */, 0
505 /* E0 */, 0
506 /* E1 */, 0
507 /* E2 */, 0
508 /* E3 */, 0
509 /* E4 */, 0
510 /* E5 */, 0
511 /* E6 */, 0
512 /* E7 */, 0
513 /* E8 */, 0
514 /* E9 */, 0
515 /* EA */, 0
516 /* EB */, 0
517 /* EC */, 0
518 /* ED */, 0
519 /* EE */, 0
520 /* EF */, 0
521 /* F0 */, 0
522 /* F1 */, 0
523 /* F2 */, 0
524 /* F3 */, 0
525 /* F4 */, 0
526 /* F5 */, 0
527 /* F6 */, 0
528 /* F7 */, 0
529 /* F8 */, 0
530 /* F9 */, 0
531 /* FA */, 0
532 /* FB */, 0
533 /* FC */, 0
534 /* FD */, 0
535 /* FE */, 0
536 /* FF */, 0
537 };
CPP文件
1 int GetOpCodeSize(PVOID Start)
2 {
3 BYTE opcode, * p, /*tempopcode,*/ instruction;
4 int size;
5 int opsizeprefix = 0, addressprefix = 0;
6 size = 0;
7 p = (PBYTE)Start;
8 opcode = *p;
9 //Proces PREFIXES!!! if any...
10 prefix_loop:
11 if (table_1[opcode] == C_PREFIX) {
12 if (opcode == C_66)
13 opsizeprefix = 1;
14 if (opcode == C_67)
15 addressprefix = 1;
16 size++;
17 p++;
18 opcode = *p;
19 goto prefix_loop;
20 }
21 //check for test, stupid and fucking test
22 instruction = table_1[opcode];
23 if ((opcode == 0xF6) || (opcode == 0xF7)) {
24 opcode = p[1];
25 if ((opcode & 0x38) != 0) //test or neg/not...
26 instruction = C_MODRM;
27
28 }
29 if (opsizeprefix)
30 //where was 8 still is 8 //where was 32 now is 16
31 if (instruction & C_DATA32) {
32 instruction &= ~(C_DATA32);
33 instruction |= C_DATA16;
34 }
35 //if not relative change
36 if (addressprefix && !(instruction & C_REL)) {
37 instruction &= ~(C_DATA32);
38 instruction &= ~(C_DATA8);
39 instruction |= C_DATA16;
40 }
41 //clear relative flag
42 if (instruction & C_REL)
43 instruction &= ~(C_REL);
44 //fill instruction with flags from table_2 and decode it in right way
45 if (instruction == C_2BYTE) {
46 size += 1;
47 p++;
48 instruction = table_2[*p];
49 //if (instruction == C_DATA32)
50 // size += 5;
51 //goto check_modrm;
52 }
53 size += 1; //opcode len;
54 //check_modrm:
55 if (instruction & C_MODRM) {
56 unsigned char modrm, sib;
57 size += 1;
58 p++;
59 modrm = *p;
60 if ((modrm >> 6) == 0 && (modrm & 0x07) == 0x05) //modrm is folowed by 32disp
61 size += 4;
62
63 if ((modrm >> 6) != 3 && (modrm & 0x07) == 0x04) { //sib
64 size++;
65 p++;
66 sib = *p;
67 if ((modrm >> 6) == 1 && (modrm & 0x07) == 0x04) //8bit disp after SIB(added to index)
68 size++;
69 if ((modrm >> 6) == 2 && (modrm & 0x07) == 0x04) //32bit displacement after sib(added to index)
70 size += 4;
71 if ((modrm >> 6) == 0 && (sib & 0x07) == 0x05)
72 size += 4;
73 } //SIB processing
74 TEST CODE//
75 if (modrm >= 0x40 && modrm <= 0x7f && (modrm & 0x07) != 0x04)
76 size += 1;
77 if (modrm >= 0x80 && modrm <= 0xbf && (modrm & 0x07) != 0x04)
78 size += 4;
79 ///TEST CODE///
80 }
81 if (instruction & C_DATA32) //is this opcode opcode modrm immdata ???
82 size += 4;
83 if (instruction & C_DATA8)
84 size++;
85 if (instruction & C_DATA16)
86 size += 2;
87 if (instruction == C_UNKNOWN)
88 size += 1;
89 return size;
90 }
三、测试
测试循环打印出 NtOpenProcess 前50行指令,环境为WinXP x86 SP3.。
1.代码
1 #if DBG
2 #define KDPRINT(projectName, format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, projectName "::【" __FUNCTION__ "】" ##format, ##__VA_ARGS__ )
3 #else
4 #define KDPRINT(format, ...)
5 #endif
6
7
8 NTSTATUS DriverEntry(
9 PDRIVER_OBJECT pDriverObject,
10 PUNICODE_STRING pRegistryPath)
11 {
12 UNREFERENCED_PARAMETER(pDriverObject);
13 NTSTATUS ntStatus = STATUS_SUCCESS;
14 do
15 {
16 KDPRINT("【GetOpCodeX86】","DriverEntry! \n");
17
18 KDPRINT("【GetOpCodeX86】","Hello Kernel World! CurrentProcessId:0x%p CurrentIRQL:0x%u\n",
19 PsGetCurrentProcessId(),
20 KeGetCurrentIrql());
21
22 if (pRegistryPath != NULL)
23 {
24 KDPRINT("【GetOpCodeX86】","RegistryPath:%wZ \n", pRegistryPath);
25 }
26 pDriverObject->DriverUnload = DriverUnload;
27
28 PrintFunctionOpCode((PBYTE)NtOpenProcess);
29
30 } while (false);
31
32 return ntStatus;
33 }
34
35 VOID DriverUnload(
36 PDRIVER_OBJECT pDriverObject)
37 {
38 UNREFERENCED_PARAMETER(pDriverObject);
39 KDPRINT("【GetOpCodeX86】"," CurrentProcessId:0x%p CurrentIRQL:0x%u\n",
40 PsGetCurrentProcessId(),
41 KeGetCurrentIrql());
42 }
43
44 VOID PrintFunctionOpCode(PBYTE pAddress)
45 {
46 ULONG ulGetOpCodeSingleSize = 0;
47 ULONG ulGetOpCodeTotalSize = 0;
48 ULONG nLines = 1;
49 while (nLines <= 50)
50 {
51 ulGetOpCodeSingleSize = GetOpCodeSize(pAddress + ulGetOpCodeTotalSize);
52 KDPRINT("【GetOpCodeX86】","Line %03d, GetOpCodeSize:%d\r\n",
53 nLines, ulGetOpCodeSingleSize);
54 ulGetOpCodeTotalSize += ulGetOpCodeSingleSize;
55 nLines++;
56 }
57 }
2.输出结果(WinXP SP3):
3.Windbg反汇编结果
4.结论
通过对比可以看出前50条指令中每条指令长度都是正确计算出来的。
PS 附上库代码的下载链接:
《HookAPILib0.4.rar》
这篇关于Windows驱动开发学习记录- x86 InlineHook字节数计算(使用Hook Api lib 0.4 for C)的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
您可能喜欢
-
增量更新怎么做?-icode9专业技术文章分享11-23
-
压缩包加密方案有哪些?-icode9专业技术文章分享11-23
-
用shell怎么写一个开机时自动同步远程仓库的代码?-icode9专业技术文章分享11-23
-
webman可以同步自己的仓库吗?-icode9专业技术文章分享11-23
-
在 Webman 中怎么判断是否有某命令进程正在运行?-icode9专业技术文章分享11-23
-
如何重置new Swiper?-icode9专业技术文章分享11-23
-
oss直传有什么好处?-icode9专业技术文章分享11-23
-
如何将oss直传封装成一个组件在其他页面调用时都可以使用?-icode9专业技术文章分享11-23
-
怎么使用laravel 11在代码里获取路由列表?-icode9专业技术文章分享11-23
-
怎么实现ansible playbook 备份代码中命名包含时间戳功能?-icode9专业技术文章分享11-22
-
ansible 的archive 参数是什么意思?-icode9专业技术文章分享11-22
-
ansible 中怎么只用archive 排除某个目录?-icode9专业技术文章分享11-22
-
exclude_path参数是什么作用?-icode9专业技术文章分享11-22
-
微信开放平台第三方平台什么时候调用数据预拉取和数据周期性更新接口?-icode9专业技术文章分享11-22
-
uniapp 实现聊天消息会话的列表功能怎么实现?-icode9专业技术文章分享11-22
栏目导航
