??? Hook

1
????????(5)

• ??4??
• ?? ??
• 2004?12?14?

2
??

• ????
• ??? Hook
• SYSENTER ? Hook
• ?????

3
????

• Windows ? IDS
• System Service ??????
• System Service UNIX ??System Call
• ?????? Hook ???????

4
??

• ????
• ??? Hook
• SYSENTER ? Hook
• ?????

5
??? Hook

• User-mode
• Win32 ? API ? Hook 1
• ??3?????
• Kernel-mode
• Native API ? Hook

6
User-mode Hooking

• Proxy DLL
• DLL ??????
• Function Patching
• ???????????
• ?Detours 2
• IAT Patching 2,3
• Import Address Table ????????
• Detours ????????

7
Function Patching (Detours)

• ??????(detour)????????API ?????

8
Function Patching (Detours)

• ??
• ??????? API ? Hook ???
• ??
• API ?? ?jmp ???5 byte ???????? 5 byte ??? API
  ?????????
• Win32 ? API ????? DLL ??????????

9
IAT Patching

• IAT Import Address Table
• Import Address Table ??????
• Detours ????????
• ??????????

10
Import Address Table (IAT) 4

• ???????(?? DLL )????????????????
• ??????????
• Windows Loader ? DLL ???????????????
• 1?????????1???
• ??????0???(? ntdll.dll)
• ????? Export Address Table

11
Using IAT for Hooking
DLL
EXE
??? ????
CreateFile
OpenFile


CreateFile
OpenFile



IAT
??? ???
12
IAT Patching

• ??????
• Getprocaddress ????????????????????
• ????????Rootkit???????
• OS ???????????????????????

13
Kernel-mode Hooking

• Windows NT ? System Service ?hooking 5
• ???????? 6
• ?????????????????(?????)
• Rootkit ??????????

14
System Service

• Linux ? System Call ??????
• NT Executive(ntoskrnl.exe ???) ????????
• ?????Windows ?????
• ?Win32 CreateFile() ? POSIX open()
  ?NTCreateFile() ??????
• ?????????????????????!

15
System Service Hooking 5

• System Service ????(System Service
  Table(SST))???(UNIX?? System Call Table ??????)
• SST ? Service ?????????
• ??????????????? ???????????

16
System Service Hooking
SSDT
ZwCreateFile
ZwDeleteFile


??????
??? ???
?????
17
???

• OS ??????????ntoskrnl.exe ????????
  ?OS??????????
• Hook ??????????????

18
??

• ????
• ??? Hook
• SYSENTER ? Hook
• ?????

19
SYSENTER ? Hook

• System Service ?????? ??????????????????????????
  ??
• User-mode ?? System Service ?????????Kernel-mode
  ???????? Windows 2000 ??? int 2e Windows XP
  ??? SYSENTER

20
SYSENTER???? 7

• 1997???????????
• Fast System CallSystem Call ???????????????????
• ??????????IP??????????????
• Linux ?? 2.5 ???(?)

21
SYSENTER ? Hook

• SYSENTER_EIP_MSR ?? ?? IP ?????? ???????????
• WRMSR ???????
• RDMSR ???????

22
???(??????????)
stub pushad cmp eax, 30h / ?????
CreateProcess ???? / je log
normal popad jmp SYSENTER_EIP_MSR_L
log push eax push offset logMessage call
DbgPrint add esp, 8 jmp normal endasm
push eax push ecx push edx mov ecx, 174h /
SYSENTER_CS_MSR / rdmsr mov SYSENTER_CS_MSR_H,
edx mov SYSENTER_CS_MSR_L, eax mov ecx, 175h /
SYSENTER_ESP_MSR / rdmsr mov SYSENTER_ESP_MSR_H,
edx mov SYSENTER_ESP_MSR_L, eax mov ecx, 176h /
SYSENTER_EIP_MSR / rdmsr mov SYSENTER_EIP_MSR_H,
edx mov SYSENTER_EIP_MSR_L, eax cli mov ecx,
176h xor edx, edx mov eax, stub wrmsr sti pop
edx pop ecx pop eax jmp endasm
23
??
24
??

• ????
• ??? Hook
• SYSENTER ? Hook
• ?????

25
?????

• UI???
• DbgView ??????????
• ????????????
• SYSENTER ?? Hook ????? IDS ???
• UNIX??? System Call ?????????

26
????(1)

1. API Spying Techniqueshttp//www.internals.com/art
   icles/apispy/apispy.htm
2. Detourshttp//research.microsoft.com/sn/detours/
3. Process-wide API spying an ultimate
   hackhttp//www.codeproject.com/system/api_spying_
   hack.asp
4. An In-Depth Look into the Win32 Portable
   Executable File Format (Part 1
   2)http//www.msdn.microsoft.com/msdnmag/issues/02
   /02/PE/default.aspxhttp//www.msdn.microsoft.com/
   msdnmag/issues/02/03/PE2/default.aspx

27
????(2)

1. Hooking Windows NT System Serviceshttp//www.wind
   owsitlibrary.com/Content/356/06/1.html
2. A Host Intrusion Prevention System for Windows
   Operating SystemsRoberto Battistoni, Emanuele
   Gabrielli, Luigi V. ManciniESORICS 2004
3. IA-32 Intel Architecture Software Developers
   Manual