extern "C"
{

#include "hooking.h"
#include "hooked_proc.h"
#include "debug.h"
#include "undocnt.h"

int hooking_hook(void);
int hooking_unhook(void);

__declspec(dllimport) SERVICE_DESCRIPTOR_ENTRY KeServiceDescriptorTable;
}


//global hooking flag
int hook_active=FALSE;


/*
 this function installs SDT hook and returns TRUE if succeeded
*/

int hooking_hook(void)
{
  DbgMsg("hooking.cpp: hooking_hook()");

  /*
   we need valid SDT index for ZwQueryInformationThread
  */
  if (!SDT_index_ZwQueryInformationThread)
  {
    DbgMsg("hooking.cpp: hooking_hook error: SDT_index_ZwQueryInformationThread is not valid");
    DbgMsg("hooking.cpp: hooking_hook(-):FALSE");
    return FALSE;
  }


  if (hook_active)
  {
    DbgMsg("hooking.cpp: hooking_hook error: hook is already active");
    DbgMsg("hooking.cpp: hooking_hook(-):FALSE");
    return FALSE;
  }

  /*
   now we are changing SDT
   we have to use atomic operations because of multiprocessor machines

   we also have to disable WP bit for WXP SP2 and higher
   to be able to write to SDT
  */

  _asm                                          //disable WP bit
  {
    mov eax,cr0                                 //move CR0 register into EAX
    and eax,not 000010000h                      //disable WP bit 
    mov cr0,eax                                 //write register back
  }

  OldZwOpenProcess=(ZW_OPEN_PROCESS)InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwOpenProcess),(ULONG)NewZwOpenProcess);
  OldZwOpenThread=(ZW_OPEN_THREAD)InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwOpenThread),(ULONG)NewZwOpenThread);
  OldZwTerminateProcess=(ZW_TERMINATE_PROCESS)InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwTerminateProcess),(ULONG)NewZwTerminateProcess);
  OldZwLoadDriver=(ZW_LOAD_DRIVER)InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwLoadDriver),(ULONG)NewZwLoadDriver);
  OldZwOpenSection=(ZW_OPEN_SECTION)InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwOpenSection),(ULONG)NewZwOpenSection);
  OldZwCreateFile=(ZW_CREATE_FILE)InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwCreateFile),(ULONG)NewZwCreateFile);
  OldZwOpenFile=(ZW_OPEN_FILE)InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwOpenFile),(ULONG)NewZwOpenFile);

  _asm                                          //enable WP bit
  {
    mov eax,cr0                                 //move CR0 register into EAX
    or eax,000010000h                           //enable WP bit         
    mov cr0,eax                                 //write register back           
  }

  DbgMsg("OldZwOpenProcess=0x%.8X",OldZwOpenProcess);
  DbgMsg("OldZwOpenThread=0x%.8X",OldZwOpenThread);
  DbgMsg("OldZwTerminateProcess=0x%.8X",OldZwTerminateProcess);
  DbgMsg("OldZwLoadDriver=0x%.8X",OldZwLoadDriver);
  DbgMsg("OldZwOpenSection=0x%.8X",OldZwOpenSection);
  DbgMsg("OldZwCreateFile=0x%.8X",OldZwCreateFile);
  DbgMsg("OldZwOpenFile=0x%.8X",OldZwOpenFile);
  DbgMsg("ZwOpenProcess=0x%.8X",SYSTEM_SERVICE(ZwOpenProcess));
  DbgMsg("ZwOpenThread=0x%.8X",SYSTEM_SERVICE(ZwOpenThread));
  DbgMsg("ZwTerminateProcess=0x%.8X",SYSTEM_SERVICE(ZwTerminateProcess));
  DbgMsg("ZwLoadDriver=0x%.8X",SYSTEM_SERVICE(ZwLoadDriver));
  DbgMsg("ZwOpenSection=0x%.8X",SYSTEM_SERVICE(ZwOpenSection));
  DbgMsg("ZwCreateFile=0x%.8X",SYSTEM_SERVICE(ZwCreateFile));
  DbgMsg("ZwOpenFile=0x%.8X",SYSTEM_SERVICE(ZwOpenFile));

  hook_active=TRUE;
  DbgMsg("hooking.cpp: hooking_hook(-):TRUE");
  return TRUE;
}


/*
 this function uninstalls SDT hook and returns TRUE if succeeded
*/

int hooking_unhook(void)
{
  DbgMsg("hooking.cpp: hooking_unhook()");
  if (!hook_active)
  {
    DbgMsg("hooking.cpp: hooking_unhook error: hook is not active");
    DbgMsg("hooking.cpp: hooking_unhook(-):FALSE");
    return FALSE;
  }

  DbgMsg("NewZwOpenProcess=0x%.8X",(ULONG)NewZwOpenProcess);
  DbgMsg("NewZwOpenThread=0x%.8X",(ULONG)NewZwOpenThread);
  DbgMsg("NewZwTerminateProcess=0x%.8X",(ULONG)NewZwTerminateProcess);
  DbgMsg("NewZwLoadDriver=0x%.8X",(ULONG)NewZwLoadDriver);
  DbgMsg("NewZwOpenSection=0x%.8X",(ULONG)NewZwOpenSection);
  DbgMsg("NewZwCreateFile=0x%.8X",(ULONG)NewZwCreateFile);
  DbgMsg("NewZwOpenFile=0x%.8X",(ULONG)NewZwOpenFile);

  /*
   similar actions as in hooking_hook()
  */
  _asm                                          //disable WP bit
  {
    mov eax,cr0                                 //move CR0 register into EAX
    and eax,not 000010000h                      //disable WP bit 
    mov cr0,eax                                 //write register back
  }

  InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwOpenProcess),(ULONG)OldZwOpenProcess);
  InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwOpenThread),(ULONG)OldZwOpenThread);
  InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwTerminateProcess),(ULONG)OldZwTerminateProcess);
  InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwLoadDriver),(ULONG)OldZwLoadDriver);
  InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwOpenSection),(ULONG)OldZwOpenSection);
  InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwCreateFile),(ULONG)OldZwCreateFile);
  InterlockedExchange((PLONG)&SYSTEM_SERVICE(ZwOpenFile),(ULONG)OldZwOpenFile);

  _asm                                          //enable WP bit
  {
    mov eax,cr0                                 //move CR0 register into EAX
    or eax,000010000h                           //enable WP bit         
    mov cr0,eax                                 //write register back           
  }

  DbgMsg("ZwOpenProcess=0x%.8X",SYSTEM_SERVICE(ZwOpenProcess));
  DbgMsg("ZwOpenThread=0x%.8X",SYSTEM_SERVICE(ZwOpenThread));
  DbgMsg("ZwTerminateProcess=0x%.8X",SYSTEM_SERVICE(ZwTerminateProcess));
  DbgMsg("ZwLoadDriver=0x%.8X",SYSTEM_SERVICE(ZwLoadDriver));
  DbgMsg("ZwOpenSection=0x%.8X",SYSTEM_SERVICE(ZwOpenSection));
  DbgMsg("ZwCreateFile=0x%.8X",SYSTEM_SERVICE(ZwCreateFile));
  DbgMsg("ZwOpenFile=0x%.8X",SYSTEM_SERVICE(ZwOpenFile));

  hook_active=FALSE;
  DbgMsg("hooking.cpp: hooking_unhook(-):TRUE");
  return TRUE;
}
Advertisements