SSDT Hooking mini-library/example

  1. #1 Guy (account inactive; joined Apr 2009; 919 posts)

    SSDT Hooking mini-library/example

    Code:
    #include <ntddk.h>

    typedef unsigned long DWORD, *PDWORD;
    typedef unsigned char BYTE, *PBYTE;
    typedef unsigned long ULONG_PTR;
    typedef ULONG_PTR DWORD_PTR;

    /* ZwClose is NTAPI (stdcall on x86); the saved pointer and the hook must
       use the same calling convention or the stack ends up unbalanced. */
    typedef NTSTATUS ( NTAPI *ZWCLOSE_FN )( HANDLE Handle );
    static ZWCLOSE_FN Real_ZwClose;

    /* Every Zw* stub begins with "mov eax, <service index>" on 32-bit x86;
       the index is the imm32 one byte past the stub's first byte. */
    #define _Lookup( _Call )  \
        KeServiceDescriptorTable.ServiceTable[* ( unsigned int * ) \
        ( ( unsigned char * ) _Call + 1 )]

    typedef struct _SSDT
    {
        PDWORD ServiceTable;
        PDWORD CounterTableBase;
        DWORD ServiceLimit;
        unsigned char *ArgumentTable;
    } SSDT;

    __declspec(dllimport) SSDT KeServiceDescriptorTable;

    /* Replace the table entry for _OrigCall with _Hook; returns the previous
       entry so the caller can restore it later. */
    DWORD_PTR *SSDT_Hook( DWORD_PTR *_OrigCall, DWORD_PTR *_Hook )
    {
        DWORD_PTR *returnVal = ( DWORD_PTR * ) _Lookup( _OrigCall );
        _Lookup( _OrigCall ) = ( DWORD ) _Hook;

        return( returnVal );
    }

    void DriverUnload( PDRIVER_OBJECT DriverObject )
    {
        UNREFERENCED_PARAMETER( DriverObject );

        /* Put the original entry back before the driver image goes away. */
        SSDT_Hook( ( DWORD_PTR * ) ZwClose, ( DWORD_PTR * ) Real_ZwClose );
    }

    NTSTATUS NTAPI my_ZwClose( HANDLE Handle )
    {
        DbgPrint( "ZwClose called!\n" );

        /* Hand the request off unchanged and report the real outcome. */
        return( Real_ZwClose( Handle ) );
    }

    NTSTATUS DriverEntry( PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath )
    {
        UNREFERENCED_PARAMETER( RegistryPath );

        DriverObject->DriverUnload = DriverUnload;
        Real_ZwClose = ( ZWCLOSE_FN ) SSDT_Hook( ( DWORD_PTR * ) ZwClose, ( DWORD_PTR * ) my_ZwClose );

        return( STATUS_SUCCESS );
    }
    Requires the WinDDK to compile/link. Note: you should remove your hook in the "Unload" event; otherwise a BSOD will most likely occur, depending on what function you're hooking, how often it's called, etc.

    EDIT: The above example now has a safe-unload mechanism.

    From here, you can write an anti-cheat by hooking functions known to be used for cheats; for example, hook ZwOpenProcess, and check if the PID parameter matches the process ID of the Gunz process; if so, return an error message, and do not hand off the request to the actual ZwOpenProcess call.

    Otherwise, this is just a PoC demonstrating how easy it is to hook functions in the SSDT :)

    Downloads:
    WinDDK - http://www.microsoft.com/whdc/devtools/WDK/default.mspx
    InstDrv (allows quick loading/unloading of a kernel driver) - http://nsis.sourceforge.net/InstDrv_plug-in
    Last edited by Guy; 11-08-09 at 12:47 AM.
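    As an added example (not part of Guy's post or of any real anti-rootkit tool), here is a user-mode C model of the defensive counterpart to the driver above: a dispatch table is fingerprinted at a known-good moment and later compared entry by entry against that baseline, which is how SSDT integrity checkers flag entries that have been redirected and then put them back. The table, its three handlers, the `rogue_close` target and the `simulate_hook` helper are all constructed stand-ins for this demo; they only touch an array inside this process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a service dispatch table: an array of function
 * pointers indexed by service number, like the SSDT's ServiceTable. */
typedef long (*service_fn)(long arg);

static long svc_close(long handle) { return handle > 0 ? 0 : -1; }
static long svc_open(long id)      { return id * 2; }
static long svc_read(long fd)      { return fd + 100; }

#define SERVICE_LIMIT 3

static service_fn service_table[SERVICE_LIMIT] = { svc_close, svc_open, svc_read };

/* Known-good copy of the table, taken before untrusted code could run. */
static service_fn baseline[SERVICE_LIMIT];

/* FNV-1a over the raw table bytes: a cheap fingerprint of the whole table
 * that can be logged or compared without storing every entry. */
static uint64_t table_fingerprint(const service_fn *table, size_t entries)
{
    const unsigned char *p = (const unsigned char *)table;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < entries * sizeof(service_fn); i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Record the live table as the baseline and return its fingerprint. */
static uint64_t snapshot_baseline(void)
{
    memcpy(baseline, service_table, sizeof baseline);
    return table_fingerprint(baseline, SERVICE_LIMIT);
}

/* Compare the live table against the baseline. Returns the number of entries
 * that no longer match and writes up to 'max' of their indices to 'changed'. */
static int find_hooked_entries(int *changed, int max)
{
    int count = 0;
    for (int i = 0; i < SERVICE_LIMIT; i++) {
        if (service_table[i] != baseline[i]) {
            if (count < max)
                changed[count] = i;
            count++;
        }
    }
    return count;
}

/* Put the baseline entries back; returns how many entries were repaired.
 * This is the "unhook" step a checker performs after detection. */
static int restore_baseline(void)
{
    int repaired = 0;
    for (int i = 0; i < SERVICE_LIMIT; i++) {
        if (service_table[i] != baseline[i]) {
            service_table[i] = baseline[i];
            repaired++;
        }
    }
    return repaired;
}

/* Constructed redirect target and helper used only to exercise the detector:
 * they overwrite one slot of this process's own array, nothing more. */
static long rogue_close(long handle) { (void)handle; return 0; }

static void simulate_hook(int index, service_fn replacement)
{
    service_table[index] = replacement;
}

int main(void)
{
    int changed[SERVICE_LIMIT];
    uint64_t good = snapshot_baseline();
    printf("baseline fingerprint: %016llx\n", (unsigned long long)good);

    simulate_hook(0, rogue_close);

    int n = find_hooked_entries(changed, SERVICE_LIMIT);
    printf("%d entry/entries differ from baseline\n", n);
    for (int i = 0; i < n; i++)
        printf("  service index %d has been redirected\n", changed[i]);

    printf("repaired %d entry/entries\n", restore_baseline());
    return find_hooked_entries(changed, SERVICE_LIMIT) == 0 ? 0 : 1;
}
```

    A kernel-side checker additionally verifies that every entry still points inside the kernel image's address range, since a hook necessarily lands in some other module; that range check is omitted here because a user-mode demo has no equivalent trusted region.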


  2. #2 ThePhailure772 ("Mako is insane.", True Member; joined Sep 2007; 1,132 posts)

    Re: SSDT Hooking mini-library/example

    Very nice release, CFX.

  3. #3 dacharles (GunZ Developer, True Member; joined Oct 2006; 488 posts)

    Re: SSDT Hooking mini-library/example

    Umm, do you have any page that explains what SSDT is?

    P.S.: you are hooking ZwClose? D:
    Last edited by dacharles; 11-08-09 at 05:21 AM.

  4. #4

    Re: SSDT Hooking mini-library/example

    Looks great.

    Off-topic:

    Phail, you're a moderator now? O_O
    "You’ve nothing to gain from holding on to your ideas; they may feel precious, but the more you share, the more new ideas you’ll have."

  5. #5 Phoenix (Moderator; joined Mar 2009; 6,885 posts)

    Re: SSDT Hooking mini-library/example

    Phail's a Mod? LOL! Congrats xD

  6. #6 ThePhailure772 ("Mako is insane.", True Member; joined Sep 2007; 1,132 posts)

    Re: SSDT Hooking mini-library/example

    I'll just leave this e-book here...
    http://legacygamers.net/rootkit.rar

  7. #7 cerealnp (account inactive; joined Apr 2006; location Brazil; 444 posts)

    Re: SSDT Hooking mini-library/example

    Will that work on all NT-based OSes? I don't have too much experience with hooking kernel functions =D

    Edit: Lol, it was on the WDK page:

    This topic applies to the following versions of Windows:
    Windows 7
    Windows Vista
    Windows XP
    Windows Server 2008 R2
    Windows Server 2008
    Windows Server 2003
    Thanks for sharing.
    Last edited by cerealnp; 11-08-09 at 02:36 PM.


