在Windows 2003中HOOK ZwCreateProcessEx
创建时间:2005-03-09
文章属性:原创
文章提交:suei8423 (suei8423_at_163.com)
作者:ZwelL
工作需要,想控制进程的创建,于是HOOK了ZwCreateProcess,后来发现xp和2003中创建进程的都用NtCreateProcessEx(参见[1])。
但是ZwCreateProcessEx未被ntoskrnl.exe导出,用softice的ntcall命令也没有看到,网上也没有找到相关代码。没办法,跟踪ntoskrnl!ZwCreateProcess
>u ntoskrnl!ZwCreateProcessEx
_ZwCreateProcess
0008:804e7ae2 bb32000000 mov eax, 00000032
但是ZwCreateProcessEx有9个参数,最后一个未知,4字节,猜成HANDLE型。
原型如下:
typedef NTSTATUS (*NTCREATEPROCESSEX)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown );
最终用硬编码HOOK 成功,代码如下:
#include "ntddk.h"
#include "stdarg.h"
#include "stdio.h"
#include "ntiologc.h"
/* Win32-style aliases; ntddk.h does not provide these names. */
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
/*
 * Layout of a system service descriptor table entry as this driver assumes
 * it (32-bit x86). ServiceTableBase points at the array of service routine
 * addresses; slot 0x32 of that array is the one overwritten below.
 */
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
/*
 * SSDT exported by ntoskrnl.
 * NOTE(review): declared as a pointer rather than as the table itself; the
 * use sites cast it again, so this relies on how the linker resolves the
 * imported data symbol — confirm against the build's link output.
 */
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;
/*
 * Signature assumed for NtCreateProcessEx. The article states the ninth
 * parameter is undocumented and the HANDLE type is a guess; only its size
 * (4 bytes on x86) matters for passing it through unchanged.
 */
typedef NTSTATUS (*NTCREATEPROCESSEX)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown );
/* Original SSDT entry: saved by DriverEntry, restored by OnUnload. */
NTCREATEPROCESSEX OldNtCreateProcessEx;
// Length of process name (rounded up to next DWORD)
#define PROCNAMELEN 20
// Maximum length of NT process name
#define NT_PROCNAMELEN 16
/* Byte offset of the image name inside EPROCESS; stays 0 until GetProcessNameOffset finds it. */
ULONG gProcessNameOffset;
/*
 * Find the byte offset of the image-name field inside EPROCESS by scanning
 * the current process object for the string "System" (assumes the driver
 * loads in the System process context — not verified here). The result is
 * stored in gProcessNameOffset.
 *
 * NOTE(review): the scan covers 3*PAGE_SIZE bytes from the EPROCESS pointer
 * with no check that the memory is valid, and there is no break after a
 * hit, so the LAST match wins. The offset is build-specific: EPROCESS layout
 * differs between Windows versions.
 */
void GetProcessNameOffset()
{
PEPROCESS curproc;
int i;
curproc = PsGetCurrentProcess();
/* Compare strlen("System") bytes at every byte offset i. */
for( i = 0; i < 3*PAGE_SIZE; i++ )
{
if( !strncmp( "System", (PCHAR) curproc + i, strlen("System") ))
{
gProcessNameOffset = i;
}
}
}
/*
 * Copy the image name of the current process into theName.
 *
 * theName: caller-supplied buffer. NT_PROCNAMELEN bytes are copied and a
 *          terminator is written at index NT_PROCNAMELEN, so the buffer must
 *          hold at least NT_PROCNAMELEN + 1 bytes (PROCNAMELEN satisfies this).
 * Returns TRUE on success, FALSE when gProcessNameOffset was never found;
 * in the FALSE case theName is left untouched.
 *
 * NOTE(review): i and oldirql are unused.
 */
BOOL GetProcessName( PCHAR theName )
{
PEPROCESS curproc;
char *nameptr;
ULONG i;
KIRQL oldirql;
if( gProcessNameOffset )
{
curproc = PsGetCurrentProcess();
nameptr = (PCHAR) curproc + gProcessNameOffset;
/* strncpy does not guarantee termination; the explicit 0 below does. */
strncpy( theName, nameptr, NT_PROCNAMELEN );
theName[NT_PROCNAMELEN] = 0; /* NULL at end */
return TRUE;
}
return FALSE;
}
/*
 * Replacement routine installed in SSDT slot 0x32. Logs the name of the
 * calling process with DbgPrint, then forwards all nine arguments unchanged
 * to the saved original, so ProcessHandle and the returned status come
 * straight from the kernel.
 *
 * Unknown: the ninth, undocumented parameter (see the typedef above).
 *
 * NOTE(review): the return value of GetProcessName is ignored; when it
 * returns FALSE, aProcessName is uninitialised and is still formatted with %s.
 */
NTSTATUS NewNtCreateProcessEx(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown OPTIONAL)
{
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewNtCreateProcessEx() from %s\n", aProcessName);
/* Pass-through: no argument is inspected or altered. */
return OldNtCreateProcessEx(ProcessHandle,DesiredAccess,
ObjectAttributes,ParentProcess,InheritObjectTable,SectionHandle,DebugPort,ExceptionPort,Unknown);
}
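/*
 * Catch-all dispatch routine installed for every IRP major function.
 *
 * DeviceObject: unused; this driver creates no device object.
 * Irp:          the request, completed here with STATUS_SUCCESS.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS
OnStubDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
	UNREFERENCED_PARAMETER(DeviceObject);

	Irp->IoStatus.Status = STATUS_SUCCESS;
	/* No data is transferred; report zero bytes instead of whatever the field held. */
	Irp->IoStatus.Information = 0;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	/*
	 * The IRP may be freed as soon as IoCompleteRequest returns, so the status
	 * is returned as a constant rather than read back from Irp->IoStatus.
	 */
	return STATUS_SUCCESS;
}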
/*
 * Driver unload: put the saved NtCreateProcessEx pointer back into SSDT
 * slot 0x32. CR0.WP is cleared around the write because the service table
 * lives in read-only pages; interrupts are disabled on this CPU meanwhile.
 *
 * NOTE(review): CLI/STI only affect the current processor, so on a
 * multiprocessor system another CPU can dispatch through the table during
 * the swap, and nothing waits for calls already inside NewNtCreateProcessEx
 * before the image is unloaded. Writing the SSDT with WP cleared is exactly
 * what SSDT-integrity checks (and PatchGuard on x64) are designed to catch.
 * The cast-as-lvalue assignment below is an MSVC extension, not standard C.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
DbgPrint("ROOTKIT: OnUnload called\n");
_asm
{
CLI //disable interrupts on this CPU
MOV EAX, CR0 //move CR0 register into EAX
AND EAX, NOT 10000H //clear WP (bit 16) so read-only pages can be written
MOV CR0, EAX //write register back
}
/* Restore the original service routine. */
(NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32))=OldNtCreateProcessEx;
_asm
{
MOV EAX, CR0 //move CR0 register into EAX
OR EAX, 10000H //set WP bit again
MOV CR0, EAX //write register back
STI //re-enable interrupts
}
}
/*
 * Driver entry point: locate the EPROCESS name offset, route every IRP major
 * function to OnStubDispatch, register OnUnload, then swap SSDT slot 0x32
 * (hard-coded index of NtCreateProcessEx on this 2003 build) for
 * NewNtCreateProcessEx, saving the original pointer first.
 *
 * theRegistryPath: unused.
 * Returns STATUS_SUCCESS unconditionally.
 *
 * NOTE(review): the loop stops at IRP_MJ_MAXIMUM_FUNCTION - 1, so the last
 * MajorFunction slot keeps the I/O manager default (harmless here, as no
 * device object is created). The index 0x32 is not validated against
 * NumberOfServices, and CLI/STI only cover the current CPU — see OnUnload.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
int i;
DbgPrint("My Driver Loaded!");
GetProcessNameOffset();
// Register a dispatch function
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
theDriverObject->MajorFunction[i] = OnStubDispatch;
}
theDriverObject->DriverUnload = OnUnload;
// save old system call locations
OldNtCreateProcessEx=(NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32));
_asm
{
CLI //disable interrupts on this CPU
MOV EAX, CR0 //move CR0 register into EAX
AND EAX, NOT 10000H //clear WP (bit 16) so read-only pages can be written
MOV CR0, EAX //write register back
}
/* Install the replacement routine (cast-as-lvalue is an MSVC extension). */
(NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32))= NewNtCreateProcessEx;
_asm
{
MOV EAX, CR0 //move CR0 register into EAX
OR EAX, 10000H //set WP bit again
MOV CR0, EAX //write register back
STI //re-enable interrupts
}
return STATUS_SUCCESS;
}
这样很不爽,每次都要这样看索引号,问了SOBEIT,可以通过从NTDLL中这样获取服务索引号:
来自rootkit:
#include <windows.h>
#include <stdio.h>
/*
 * Read the system service index out of an ntdll stub.
 *
 * FuncName:   name of the Nt*/Zw* export in ntdll.dll.
 * FunctionID: receives the 32-bit immediate of the stub's first MOV EAX,
 *             or 0 when the lookup or the sanity checks fail.
 * Returns TRUE when the stub has the expected shape, FALSE otherwise.
 */
BOOL GetId( char *FuncName, ULONG *FunctionID )
{
	PBYTE stub;

	/* Default to "no id" so every FALSE path leaves *FunctionID defined. */
	*FunctionID = 0;

	/* Resolve the user-mode stub; NULL means ntdll has no such export. */
	stub = (PBYTE)GetProcAddress( GetModuleHandle( "ntdll.dll" ), FuncName );
	if ( stub == NULL )
		return FALSE;

	/*
	 * Expected stub layout (x86 ntdll of this era):
	 *   B8 xx xx xx xx   MOV EAX, _FUNCTION_ID_
	 *   BA 00 03 FE 7F   MOV EDX, 7FFE0300h
	 *   FF D2            CALL EDX
	 *   C2 xx xx         RETN xx
	 * Only the two MOV opcodes are checked: the address loaded into EDX can
	 * change between builds, and the CALL/RETN bytes are deliberately not
	 * compared.
	 */
	if ( stub[0] != 0xB8 || stub[5] != 0xBA )
		return FALSE;

	/* The immediate operand of the first MOV is the service index. */
	*FunctionID = *(PDWORD)(stub + 1);
	return TRUE;
}
/* Print the service index that ntdll's NtCreateProcessEx stub loads into EAX. */
int main(int argc, char* argv[])
{
	ULONG serviceIndex;

	(void)argc;
	(void)argv;

	printf( "function name: NtCreateProcessEx\n" );
	/* GetId zeroes serviceIndex before any early return, so it is printable either way. */
	GetId( "NtCreateProcessEx", &serviceIndex );
	printf( "function id: %08X\n", serviceIndex );
	return 0;
}
///////////////////////////////////////////////////////////////////////
这样也不爽,要从用户态传到驱动层不方便,最后,用这个代码:
#include "ntddk.h"
#include "stdarg.h"
#include "stdio.h"
#include "ntiologc.h"
#include "ntimage.h"
/* Win32-style aliases; ntddk.h does not provide these names. */
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
#define BYTE unsigned char
/* SEC_IMAGE is a user-mode (winnt.h) constant; redefined here for ZwCreateSection. */
#define SEC_IMAGE 0x01000000
/*
 * Reverse-engineered layout. Declared only as the unused local `sii` in
 * GetDllFunctionAddress; nothing in this listing reads its fields.
 */
typedef struct _SECTION_IMAGE_INFORMATION {
PVOID EntryPoint;
ULONG StackZeroBits;
ULONG StackReserved;
ULONG StackCommit;
ULONG ImageSubsystem;
WORD SubsystemVersionLow;
WORD SubsystemVersionHigh;
ULONG Unknown1;
ULONG ImageCharacteristics;
ULONG ImageMachineType;
ULONG Unknown2[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
/*
 * Map a DLL as an image section from kernel mode and walk its export table
 * to find the address of a named export inside that mapping.
 *
 * lpFunctionName: export name to look for (compared case-insensitively).
 * pDllName:       NT object path of the DLL file.
 * Returns the export's address inside the mapped view, or 0 if not found.
 *
 * NOTE(review):
 *  - None of the ZwOpenFile / ZwCreateSection / ZwMapViewOfSection statuses
 *    are checked; on any failure hFile, hSection or BaseAddress are used
 *    while uninitialised or NULL.
 *  - The view is never unmapped (no ZwUnmapViewOfSection). That is what
 *    keeps the returned address usable after the section handle is closed,
 *    but the mapping leaks for the life of the process.
 *  - The loop bound is NumberOfFunctions while x indexes the name and
 *    name-ordinal arrays, which have NumberOfNames entries.
 *  - Per the PE spec, AddressOfNameOrdinals already holds 0-based indices
 *    into AddressOfFunctions; adding Base - 1 is only harmless when Base == 1.
 *  - hThread and sii are unused; the CommitSize 1000 is a magic number.
 */
DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName)
{
HANDLE hThread, hSection, hFile, hMod;
SECTION_IMAGE_INFORMATION sii;
IMAGE_DOS_HEADER* dosheader;
IMAGE_OPTIONAL_HEADER* opthdr;
IMAGE_EXPORT_DIRECTORY* pExportTable;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base, x, functionAddress;
char* functionName;
STRING ntFunctionName, ntFunctionNameSearch;
PVOID BaseAddress = NULL;
SIZE_T size=0;
OBJECT_ATTRIBUTES oa = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE};
IO_STATUS_BLOCK iosb;
/* Open the file, back an image section with it, and map that section into the current process. */
ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
oa.ObjectName = 0;
ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, SEC_IMAGE, hFile);
ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
ZwClose(hFile);
hMod = BaseAddress;
/* e_lfanew + 24 skips the PE signature (4) and the file header (20) to reach the optional header. */
dosheader = (IMAGE_DOS_HEADER *)hMod;
opthdr =(IMAGE_OPTIONAL_HEADER *) ((BYTE*)hMod+dosheader->e_lfanew+24);
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*) hMod + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
// now we can get the exported functions, but note we convert from RVA to address
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfFunctions);
arrayOfFunctionNames = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfNames);
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)hMod + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
RtlInitString(&ntFunctionNameSearch, lpFunctionName);
for(x = 0; x < pExportTable->NumberOfFunctions; x++)
{
functionName = (char*)( (BYTE*)hMod + arrayOfFunctionNames[x]);
RtlInitString(&ntFunctionName, functionName);
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1; // always need to add base, -1 as array counts from 0
// The name-ordinal entry selects the slot in AddressOfFunctions; names and addresses are not parallel arrays.
functionAddress = (DWORD)( (BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]);
/* TRUE = case-insensitive; 0 means equal. */
if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
{
ZwClose(hSection);
return functionAddress;
}
}
ZwClose(hSection);
return 0;
}
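/*
 * Catch-all dispatch routine that completes any IRP with STATUS_SUCCESS.
 * (This listing's DriverEntry never installs it in MajorFunction, and no
 * device object is created, so it is currently unreachable.)
 *
 * DeviceObject: unused.
 * Irp:          the request, completed here.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS
OnStubDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
	UNREFERENCED_PARAMETER(DeviceObject);

	Irp->IoStatus.Status = STATUS_SUCCESS;
	/* No data is transferred; report zero bytes instead of whatever the field held. */
	Irp->IoStatus.Information = 0;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	/*
	 * The IRP may be freed as soon as IoCompleteRequest returns, so the status
	 * is returned as a constant rather than read back from Irp->IoStatus.
	 */
	return STATUS_SUCCESS;
}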
/*
 * Driver unload callback. DriverEntry in this listing installs no hook and
 * creates no device, so there is nothing to restore; only a trace is emitted.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
	UNREFERENCED_PARAMETER( DriverObject );
	DbgPrint("ROOTKIT: OnUnload called\n");
}
/*
 * Driver entry point: map ntdll.dll from kernel mode, locate the
 * ZwCreateProcessEx stub in its export table, and print the immediate
 * operand that follows the stub's leading MOV EAX (opcode B8) — i.e. the
 * service index — with DbgPrint. No hook is installed by this listing.
 *
 * theRegistryPath: unused.
 * Returns STATUS_SUCCESS unconditionally.
 *
 * NOTE(review):
 *  - functionAddress is not checked for 0 before being dereferenced.
 *  - Only a WORD is read at functionAddress+1, although the MOV EAX
 *    immediate is 32 bits wide.
 *  - The ntdll path is hard-coded to \Device\HarddiskVolume1, which is not
 *    the system volume on every machine.
 *  - i is unused and MajorFunction is never populated.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
int i;
UNICODE_STRING dllName;
DWORD functionAddress;
int position;
DbgPrint("My Driver Loaded!");
theDriverObject->DriverUnload = OnUnload;
RtlInitUnicodeString(&dllName, L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll");
functionAddress = GetDllFunctionAddress("ZwCreateProcessEx", &dllName);
/* Byte 0 is the B8 opcode; the immediate starts at byte 1. */
position = *((WORD*)(functionAddress+1));
DbgPrint("Id:%d\n", position);
return STATUS_SUCCESS;
}
上面的代码从驱动层加载NTDLL,再从输出表中找出函数地址,mov eax,[ID]对应的b8后面的字就是索引号,其实跟前一个代码作用是相似的,
只是驱动层没有LoadLibrary,只能这样解决了。将上面的代码整合起来就比较完善了,大家看着改吧。这里顺便把2003中的服务描述表发出来,希望对大家有帮助:
Service table address:0x80567980 Number of services:280=0x127
Index Address Parameters Name
-------------------------------------------------------------------------------------------------
0x0 0x8058ddce 6 NtAcceptConnectPort
0x1 0x80596b7e 8 NtAccessCheck
0x2 0x805976ce b NtAccessCheckAndAuditAlarm
0x3 0x805a8bb7 b NtAccessCheckByType
0x4 0x8059968a 10 NtAccessCheckByTypeAndAuditAlarm
0x5 0x80658705 b NtAccessCheckByTypeResultList
0x6 0x8065a9b2 10 NtAccessCheckByTypeResultListAndAuditAlarm
0x7 0x8065a9f5 11 NtAccessCheckByTypeResultListAndAuditAlarmByHandle
0x8 0x8059dc4f 3 NtAddAtom
0xb 0x806581e2 6 NtAdjustGroupsToken
0xc 0x80597836 6 NtAdjustPrivilegesToken
0xd 0x8065104b 2 NtAlertResumeThread
0xe 0x805971ea 1 NtAlertThread
0xf 0x805996cc 1 NtAllocateLocallyUniqueId
0x10 0x80647eb9 3 NtAllocateUserPhysicalPages
0x11 0x805a70dc 4 NtAllocateUuids
0x12 0x80583188 6 NtAllocateVirtualMemory
0x13 0x8058faff 2 NtApphelpCacheControl
0x14 0x805e92fb 2 NtAreMappedFilesTheSame
0x15 0x805aae6f 2 NtAssignProcessToJobObject
0x16 0x804ebbcc 3 NtCallbackReturn
0x18 0x805eb49d 2 NtCancelIoFile
0x19 0x804f7445 2 NtCancelTimer
0x1a 0x8058c43a 1 NtClearEvent
0x1b 0x805768ac 1 NtClose
0x1c 0x80596eea 3 NtCloseObjectAuditAlarm
0x1d 0x80626f6f 2 NtCompactKeys
0x1e 0x8065b8ff 3 NtCompareTokens
0x1f 0x8058dc82 1 NtCompleteConnectPort
0x20 0x806271d6 1 NtCompressKey
0x21 0x8058c55a 8 NtConnectPort
0x22 0x804eb14b 2 NtContinue
0x23 0x805b0b1e 4 NtCreateDebugObject
0x24 0x805aabaf 3 NtCreateDirectoryObject
0x25 0x80578522 5 NtCreateEvent
0x26 0x80668009 3 NtCreateEventPair
0x27 0x805790cb b NtCreateFile
0x28 0x8059f5ab 4 NtCreateIoCompletion
0x29 0x805e09eb 3 NtCreateJobObject
0x2a 0x80651805 3 NtCreateJobSet
0x2b 0x80592a39 7 NtCreateKey
0x2c 0x805f225d 8 NtCreateMailslotFile
0x2d 0x805863a1 4 NtCreateMutant
0x2e 0x8058f416 e NtCreateNamedPipeFile
0x2f 0x805c8e1e 4 NtCreatePagingFile
0x30 0x805a32a4 5 NtCreatePort
0x31 0x805bd684 8 NtCreateProcess
0x32 0x8058efe3 9 NtCreateProcessEx
0x33 0x806685b7 9 NtCreateProfile
0x34 0x80573eca 7 NtCreateSection
0x35 0x8059afa9 5 NtCreateSemaphore
0x36 0x805ab548 4 NtCreateSymbolicLinkObject
0x37 0x80588254 8 NtCreateThread
0x38 0x805a2688 4 NtCreateTimer
0x39 0x805a62a4 d NtCreateToken
0x3a 0x805bc212 5 NtCreateWaitablePort
0x3b 0x805b12c1 2 NtDebugActiveProcess
0x3c 0x805b17dc 3 NtDebugContinue
0x3d 0x80574c08 2 NtDelayExecution
0x3e 0x8059ab90 1 NtDeleteAtom
0x41 0x805b7979 1 NtDeleteFile
0x42 0x805eca87 1 NtDeleteKey
0x43 0x8065aa3a 3 NtDeleteObjectAuditAlarm
0x44 0x805a20d4 2 NtDeleteValueKey
0x45 0x80586f5e a NtDeviceIoControlFile
0x46 0x805c9f0b 1 NtDisplayString
0x47 0x8058051e 7 NtDuplicateObject
0x48 0x8059cc7c 6 NtDuplicateToken
0x4b 0x8059a085 6 NtEnumerateKey
0x4c 0x80667a42 3 NtEnumerateSystemEnvironmentValuesEx
0x4d 0x8059d849 6 NtEnumerateValueKey
0x4e 0x805ac037 2 NtExtendSection
0x4f 0x805e41d5 6 NtFilterToken
0x50 0x8059e01a 3 NtFindAtom
0x51 0x805920a7 2 NtFlushBuffersFile
0x52 0x8058a8b5 3 NtFlushInstructionCache
0x53 0x805e715b 1 NtFlushKey
0x54 0x805a130d 4 NtFlushVirtualMemory
0x55 0x80648b20 0 NtFlushWriteBuffer
0x56 0x8064852a 3 NtFreeUserPhysicalPages
0x57 0x8057b2bf 4 NtFreeVirtualMemory
0x58 0x8057f504 a NtFsControlFile
0x59 0x805e8674 2 NtGetContextThread
0x5a 0x8064de05 2 NtGetDevicePowerState
0x5b 0x805e8ccb 4 NtGetPlugPlayEvent
0x5c 0x80544ec4 7 NtGetWriteWatch
0x5d 0x805f12e2 1 NtImpersonateAnonymousToken
0x5e 0x80597fdf 2 NtImpersonateClientOfPort
0x5f 0x8059b9c8 3 NtImpersonateThread
0x60 0x805b77c8 1 NtInitializeRegistry
0x61 0x8064dc59 4 NtInitiatePowerAction
0x62 0x8058ec31 2 NtIsProcessInJob
0x63 0x8064ddf2 0 NtIsSystemResumeAutomatic
0x64 0x805bc19c 2 NtListenPort
0x65 0x805b9dfe 1 NtLoadDriver
0x66 0x805b2d8f 2 NtLoadKey
0x67 0x8062758c 3 NtLoadKey2
0x68 0x805b4a6c 4 NtLoadKeyEx
0x69 0x805a2342 a NtLockFile
0x6a 0x805e4eaa 2 NtLockProductActivationKeys
0x6b 0x805de064 1 NtLockRegistryKey
0x6c 0x805e4a65 4 NtLockVirtualMemory
0x6d 0x805ab8ba 1 NtMakePermanentObject
0x6e 0x805abb05 1 NtMakeTemporaryObject
0x6f 0x80647392 3 NtMapUserPhysicalPages
0x70 0x80647859 3 NtMapUserPhysicalPagesScatter
0x71 0x80589905 a NtMapViewOfSection
0x74 0x805ef59d 9 NtNotifyChangeDirectoryFile
0x75 0x80599f1c a NtNotifyChangeKey
0x76 0x80599d2d c NtNotifyChangeMultipleKeys
0x77 0x8058ef66 3 NtOpenDirectoryObject
0x78 0x80599615 3 NtOpenEvent
0x79 0x806680f4 3 NtOpenEventPair
0x7a 0x8057909d 6 NtOpenFile
0x7b 0x80634e03 3 NtOpenIoCompletion
0x7c 0x805af8b0 3 NtOpenJobObject
0x7d 0x80578d88 3 NtOpenKey
0x7e 0x80586508 3 NtOpenMutant
0x7f 0x805ed885 c NtOpenObjectAuditAlarm
0x80 0x80593613 4 NtOpenProcess
0x81 0x8057e110 3 NtOpenProcessToken
0x82 0x8057e816 4 NtOpenProcessTokenEx
0x83 0x8058a94b 3 NtOpenSection
0x84 0x805b3152 3 NtOpenSemaphore
0x85 0x8058ea10 3 NtOpenSymbolicLinkObject
0x86 0x805a2a8c 4 NtOpenThread
0x87 0x8057f976 4 NtOpenThreadToken
0x88 0x8057f8e5 5 NtOpenThreadTokenEx
0x89 0x805eb40f 3 NtOpenTimer
0x8a 0x805a24a2 3 NtPlugPlayControl
0x8b 0x805ae364 5 NtPowerInformation
0x8c 0x805a2c28 3 NtPrivilegeCheck
0x8d 0x805e48ce 6 NtPrivilegeObjectAuditAlarm
0x8e 0x805a7bf0 5 NtPrivilegedServiceAuditAlarm
0x8f 0x80584a67 5 NtProtectVirtualMemory
0x90 0x8059f752 2 NtPulseEvent
0x91 0x80585755 2 NtQueryAttributesFile
0x94 0x80508c75 2 NtQueryDebugFilterState
0x95 0x8057ffd5 2 NtQueryDefaultLocale
0x96 0x80587c53 1 NtQueryDefaultUILanguage
0x97 0x8058731c b NtQueryDirectoryFile
0x98 0x80595d65 7 NtQueryDirectoryObject
0x9a 0x80635410 9 NtQueryEaFile
0x9b 0x805a2d89 5 NtQueryEvent
0x9c 0x8059b735 2 NtQueryFullAttributesFile
0x9d 0x805edffe 5 NtQueryInformationAtom
0x9e 0x805852cf 5 NtQueryInformationFile
0x9f 0x805af5ab 5 NtQueryInformationJobObject
0xa0 0x80644a66 5 NtQueryInformationPort
0xa1 0x8057fdea 5 NtQueryInformationProcess
0xa2 0x80576dc6 5 NtQueryInformationThread
0xa3 0x8057e718 5 NtQueryInformationToken
0xa4 0x8059d58c 1 NtQueryInstallUILanguage
0xa5 0x80668a4e 2 NtQueryIntervalProfile
0xa6 0x80634ebc 5 NtQueryIoCompletion
0xa7 0x80580c31 5 NtQueryKey
0xa8 0x80626765 6 NtQueryMultipleValueKey
0xa9 0x80668412 5 NtQueryMutant
0xaa 0x805f1cad 5 NtQueryObject
0xab 0x80626953 2 NtQueryOpenSubKeys
0xac 0x80626b89 4 NtQueryOpenSubKeysEx
0xad 0x8057f59e 2 NtQueryPerformanceCounter
0xae 0x80635c9d 9 NtQueryQuotaInformationFile
0xaf 0x8058679a 5 NtQuerySection
0xb0 0x805997e7 5 NtQuerySecurityObject
0xb1 0x80667325 5 NtQuerySemaphore
0xb2 0x8058e816 3 NtQuerySymbolicLinkObject
0xb3 0x80667a76 4 NtQuerySystemEnvironmentValue
0xb5 0x8057cbe2 4 NtQuerySystemInformation
0xb6 0x80597e57 1 NtQuerySystemTime
0xb7 0x8058c677 5 NtQueryTimer
0xb8 0x8059e436 3 NtQueryTimerResolution
0xb9 0x80577d61 6 NtQueryValueKey
0xba 0x80582264 6 NtQueryVirtualMemory
0xbb 0x8057960d 5 NtQueryVolumeInformationFile
0xbc 0x8058c78e 5 NtQueueApcThread
0xbd 0x804eb198 3 NtRaiseException
0xbe 0x80667075 6 NtRaiseHardError
0xbf 0x8057d886 9 NtReadFile
0xc0 0x805aeb82 9 NtReadFileScatter
0xc1 0x8059859d 6 NtReadRequestData
0xc2 0x805861e0 5 NtReadVirtualMemory
0xc3 0x80588402 1 NtRegisterThreadTerminatePort
0xc4 0x80574b77 2 NtReleaseMutant
0xc5 0x80598eb5 3 NtReleaseSemaphore
0xc6 0x80577945 5 NtRemoveIoCompletion
0xc7 0x8066e462 2 NtRemoveProcessDebug
0xc8 0x80626dec 2 NtRenameKey
0xc9 0x8062748f 3 NtReplaceKey
0xca 0x80580e50 2 NtReplyPort
0xcb 0x8057b2a0 4 NtReplyWaitReceivePort
0xcc 0x8057adb0 5 NtReplyWaitReceivePortEx
0xcd 0x80644b39 2 NtReplyWaitReplyPort
0xce 0x80667a4f 1 NtModifyDriverEntry
0xcf 0x805985f2 2 NtRequestPort
0xd0 0x8058cbc3 3 NtRequestWaitReplyPort
0xd1 0x8064dc04 1 NtRequestWakeupLatency
0xd2 0x805a4751 2 NtResetEvent
0xd3 0x8054543e 3 NtResetWriteWatch
0xd4 0x80627286 3 NtRestoreKey
0xd5 0x80650ff5 1 NtResumeProcess
0xd6 0x805806fa 2 NtResumeThread
0xd7 0x80627325 2 NtSaveKey
0xd8 0x806273b2 3 NtSaveKeyEx
0xd9 0x80625f0d 3 NtSaveMergedKeys
0xda 0x8058d4b2 9 NtSecureConnectPort
0xdd 0x805b16f1 2 NtSetContextThread
0xde 0x8066e4f1 3 NtSetDebugFilterState
0xdf 0x805ca1ac 1 NtSetDefaultHardErrorPort
0xe0 0x805b748b 2 NtSetDefaultLocale
0xe1 0x805b7433 1 NtSetDefaultUILanguage
0xe2 0x80667a5c 2 NtSetBootEntryOrder
0xe3 0x8063594e 4 NtSetEaFile
0xe4 0x8057abd7 2 NtSetEvent
0xe5 0x80575690 1 NtSetEventBoostPriority
0xe6 0x806683b0 1 NtSetHighEventPair
0xe7 0x806682e6 1 NtSetHighWaitLowEventPair
0xe8 0x8066e255 5 NtSetInformationDebugObject
0xe9 0x80578747 5 NtSetInformationFile
0xea 0x805e0b5f 4 NtSetInformationJobObject
0xeb 0x80626400 4 NtSetInformationKey
0xec 0x8059223e 4 NtSetInformationObject
0xed 0x80580221 4 NtSetInformationProcess
0xee 0x80577629 4 NtSetInformationThread
0xef 0x805a6844 4 NtSetInformationToken
0xf0 0x806685a0 2 NtSetIntervalProfile
0xf1 0x8057c39a 5 NtSetIoCompletion
0xf2 0x806508db 6 NtSetLdtEntries
0xf3 0x8066834f 1 NtSetLowEventPair
0xf4 0x8066827d 1 NtSetLowWaitHighEventPair
0xf5 0x80635c7e 4 NtSetQuotaInformationFile
0xf6 0x805a5626 3 NtSetSecurityObject
0xf7 0x80667d39 2 NtSetSystemEnvironmentValue
0xf8 0x80667a35 5 NtSetSystemEnvironmentValueEx
0xf9 0x80597238 3 NtSetSystemInformation
0xfa 0x8067b325 3 NtSetSystemPowerState
0xfb 0x8066697b 2 NtSetSystemTime
0xfc 0x805abc19 2 NtSetThreadExecutionState
0xfd 0x804ee9bf 7 NtSetTimer
0xfe 0x805acb3b 3 NtSetTimerResolution
0xff 0x805bc73c 1 NtSetUuidSeed
0x100 0x80592859 6 NtSetValueKey
0x101 0x806361ed 5 NtSetVolumeInformationFile
0x102 0x8066614b 1 NtShutdownSystem
0x103 0x80546d9e 4 NtSignalAndWaitForSingleObject
0x104 0x806687ec 1 NtStartProfile
0x105 0x80668999 1 NtStopProfile
0x106 0x80650fa0 1 NtSuspendProcess
0x107 0x805b0163 2 NtSuspendThread
0x108 0x80668af2 6 NtSystemDebugControl
0x109 0x80651a9b 2 NtTerminateJobObject
0x10a 0x80590cba 2 NtTerminateProcess
0x10b 0x80576714 2 NtTerminateThread
0x10c 0x8057e4f8 0 NtTestAlert
0x10d 0x8051ed5e 4 NtTraceEvent
0x10e 0x80667a69 4 NtTranslateFilePath
0x10f 0x806383c5 1 NtUnloadDriver
0x110 0x8062747c 1 NtUnloadKey
0x111 0x80625fc6 2 NtUnloadKey2
0x112 0x806261cb 2 NtUnloadKeyEx
0x113 0x805a220b 5 NtUnlockFile
0x114 0x805ae977 4 NtUnlockVirtualMemory
0x115 0x80589e79 2 NtUnmapViewOfSection
0x116 0x805c5aa2 2 NtVdmControl
0x117 0x805b07c8 4 NtWaitForDebugEvent
0x118 0x80574d38 5 NtWaitForMultipleObjects
0x119 0x8057428d 3 NtWaitForSingleObject
0x11a 0x8066821c 1 NtWaitHighEventPair
0x11b 0x806681bb 1 NtWaitLowEventPair
0x11c 0x80578248 9 NtWriteFile
0x11d 0x805aefe1 9 NtWriteFileGather
0x11e 0x805990a6 6 NtWriteRequestData
0x11f 0x805862d7 5 NtWriteVirtualMemory
0x120 0x805091c1 0 NtYieldExecution
0x121 0x805d7d7f 4 NtCreateKeyedEvent
0x122 0x8058f5cf 3 NtOpenKeyedEvent
0x123 0x8066922f 4 NtReleaseKeyedEvent
0x124 0x806694aa 4 NtWaitForKeyedEvent
0x125 0x8064f170 0 NtQueryPortInformationProcess
0x126 0x8064f1a4 0 NtGetCurrentProcessorNumber
参考资料:
1.MSDN系列(3)--Administrator用户直接获取SYSTEM权限 scz
http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1900
2.hooking functions not exported by ntoskrnl
http://www.rootkit.com/newsread.php?newsid=151
3.Simple Hooking of Functions not Exported by Ntoskrnl.exe
http://www.rootkit.com/newsread.php?newsid=248
文章属性:原创
文章提交:suei8423 (suei8423_at_163.com)
作者:ZwelL
工作需要,想控制进程的创建,于是HOOK了ZwCreateProcess,后来发现xp和2003中创建进程的都用NtCreateProcessEx(参见[1])。
但是ZwCreateProcessEx未被ntoskrnl.exe导出,用softice的ntcall命令也没有看到,网上也没有找到相关代码。没办法,跟踪ntoskrnl!ZwCreateProcess
>u ntoskrnl!ZwCreateProcessEx
_ZwCreateProcess
0008:804e7ae2 bb32000000 mov eax, 00000032
但是ZwCreateProcessEx有9个参数,最后一个未知,4字节,猜成HANDLE型。
原型如下:
typedef NTSTATUS (*NTCREATEPROCESSEX)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown );
最终用硬编码HOOK 成功,代码如下:
#include "ntddk.h"
#include "stdarg.h"
#include "stdio.h"
#include "ntiologc.h"
/* Win32-style aliases; ntddk.h does not provide these names. */
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
/*
 * Layout of a system service descriptor table entry as this driver assumes
 * it (32-bit x86). ServiceTableBase points at the array of service routine
 * addresses; slot 0x32 of that array is the one overwritten below.
 */
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
/*
 * SSDT exported by ntoskrnl.
 * NOTE(review): declared as a pointer rather than as the table itself; the
 * use sites cast it again, so this relies on how the linker resolves the
 * imported data symbol — confirm against the build's link output.
 */
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;
/*
 * Signature assumed for NtCreateProcessEx. The article states the ninth
 * parameter is undocumented and the HANDLE type is a guess; only its size
 * (4 bytes on x86) matters for passing it through unchanged.
 */
typedef NTSTATUS (*NTCREATEPROCESSEX)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown );
/* Original SSDT entry: saved by DriverEntry, restored by OnUnload. */
NTCREATEPROCESSEX OldNtCreateProcessEx;
// Length of process name (rounded up to next DWORD)
#define PROCNAMELEN 20
// Maximum length of NT process name
#define NT_PROCNAMELEN 16
/* Byte offset of the image name inside EPROCESS; stays 0 until GetProcessNameOffset finds it. */
ULONG gProcessNameOffset;
/*
 * Find the byte offset of the image-name field inside EPROCESS by scanning
 * the current process object for the string "System" (assumes the driver
 * loads in the System process context — not verified here). The result is
 * stored in gProcessNameOffset.
 *
 * NOTE(review): the scan covers 3*PAGE_SIZE bytes from the EPROCESS pointer
 * with no check that the memory is valid, and there is no break after a
 * hit, so the LAST match wins. The offset is build-specific: EPROCESS layout
 * differs between Windows versions.
 */
void GetProcessNameOffset()
{
PEPROCESS curproc;
int i;
curproc = PsGetCurrentProcess();
/* Compare strlen("System") bytes at every byte offset i. */
for( i = 0; i < 3*PAGE_SIZE; i++ )
{
if( !strncmp( "System", (PCHAR) curproc + i, strlen("System") ))
{
gProcessNameOffset = i;
}
}
}
/*
 * Copy the image name of the current process into theName.
 *
 * theName: caller-supplied buffer. NT_PROCNAMELEN bytes are copied and a
 *          terminator is written at index NT_PROCNAMELEN, so the buffer must
 *          hold at least NT_PROCNAMELEN + 1 bytes (PROCNAMELEN satisfies this).
 * Returns TRUE on success, FALSE when gProcessNameOffset was never found;
 * in the FALSE case theName is left untouched.
 *
 * NOTE(review): i and oldirql are unused.
 */
BOOL GetProcessName( PCHAR theName )
{
PEPROCESS curproc;
char *nameptr;
ULONG i;
KIRQL oldirql;
if( gProcessNameOffset )
{
curproc = PsGetCurrentProcess();
nameptr = (PCHAR) curproc + gProcessNameOffset;
/* strncpy does not guarantee termination; the explicit 0 below does. */
strncpy( theName, nameptr, NT_PROCNAMELEN );
theName[NT_PROCNAMELEN] = 0; /* NULL at end */
return TRUE;
}
return FALSE;
}
/*
 * Replacement routine installed in SSDT slot 0x32. Logs the name of the
 * calling process with DbgPrint, then forwards all nine arguments unchanged
 * to the saved original, so ProcessHandle and the returned status come
 * straight from the kernel.
 *
 * Unknown: the ninth, undocumented parameter (see the typedef above).
 *
 * NOTE(review): the return value of GetProcessName is ignored; when it
 * returns FALSE, aProcessName is uninitialised and is still formatted with %s.
 */
NTSTATUS NewNtCreateProcessEx(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown OPTIONAL)
{
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewNtCreateProcessEx() from %s\n", aProcessName);
/* Pass-through: no argument is inspected or altered. */
return OldNtCreateProcessEx(ProcessHandle,DesiredAccess,
ObjectAttributes,ParentProcess,InheritObjectTable,SectionHandle,DebugPort,ExceptionPort,Unknown);
}
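/*
 * Catch-all dispatch routine installed for every IRP major function.
 *
 * DeviceObject: unused; this driver creates no device object.
 * Irp:          the request, completed here with STATUS_SUCCESS.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS
OnStubDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
	UNREFERENCED_PARAMETER(DeviceObject);

	Irp->IoStatus.Status = STATUS_SUCCESS;
	/* No data is transferred; report zero bytes instead of whatever the field held. */
	Irp->IoStatus.Information = 0;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	/*
	 * The IRP may be freed as soon as IoCompleteRequest returns, so the status
	 * is returned as a constant rather than read back from Irp->IoStatus.
	 */
	return STATUS_SUCCESS;
}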
/*
 * Driver unload: put the saved NtCreateProcessEx pointer back into SSDT
 * slot 0x32. CR0.WP is cleared around the write because the service table
 * lives in read-only pages; interrupts are disabled on this CPU meanwhile.
 *
 * NOTE(review): CLI/STI only affect the current processor, so on a
 * multiprocessor system another CPU can dispatch through the table during
 * the swap, and nothing waits for calls already inside NewNtCreateProcessEx
 * before the image is unloaded. Writing the SSDT with WP cleared is exactly
 * what SSDT-integrity checks (and PatchGuard on x64) are designed to catch.
 * The cast-as-lvalue assignment below is an MSVC extension, not standard C.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
DbgPrint("ROOTKIT: OnUnload called\n");
_asm
{
CLI //disable interrupts on this CPU
MOV EAX, CR0 //move CR0 register into EAX
AND EAX, NOT 10000H //clear WP (bit 16) so read-only pages can be written
MOV CR0, EAX //write register back
}
/* Restore the original service routine. */
(NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32))=OldNtCreateProcessEx;
_asm
{
MOV EAX, CR0 //move CR0 register into EAX
OR EAX, 10000H //set WP bit again
MOV CR0, EAX //write register back
STI //re-enable interrupts
}
}
/*
 * Driver entry point: locate the EPROCESS name offset, route every IRP major
 * function to OnStubDispatch, register OnUnload, then swap SSDT slot 0x32
 * (hard-coded index of NtCreateProcessEx on this 2003 build) for
 * NewNtCreateProcessEx, saving the original pointer first.
 *
 * theRegistryPath: unused.
 * Returns STATUS_SUCCESS unconditionally.
 *
 * NOTE(review): the loop stops at IRP_MJ_MAXIMUM_FUNCTION - 1, so the last
 * MajorFunction slot keeps the I/O manager default (harmless here, as no
 * device object is created). The index 0x32 is not validated against
 * NumberOfServices, and CLI/STI only cover the current CPU — see OnUnload.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
int i;
DbgPrint("My Driver Loaded!");
GetProcessNameOffset();
// Register a dispatch function
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
theDriverObject->MajorFunction[i] = OnStubDispatch;
}
theDriverObject->DriverUnload = OnUnload;
// save old system call locations
OldNtCreateProcessEx=(NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32));
_asm
{
CLI //disable interrupts on this CPU
MOV EAX, CR0 //move CR0 register into EAX
AND EAX, NOT 10000H //clear WP (bit 16) so read-only pages can be written
MOV CR0, EAX //write register back
}
/* Install the replacement routine (cast-as-lvalue is an MSVC extension). */
(NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32))= NewNtCreateProcessEx;
_asm
{
MOV EAX, CR0 //move CR0 register into EAX
OR EAX, 10000H //set WP bit again
MOV CR0, EAX //write register back
STI //re-enable interrupts
}
return STATUS_SUCCESS;
}
这样很不爽,每次都要这样看索引号,问了SOBEIT,可以通过从NTDLL中这样获取服务索引号:
来自rootkit:
#include <windows.h>
#include <stdio.h>
/*
 * Read the system service index out of an ntdll stub.
 *
 * FuncName:   name of the Nt*/Zw* export in ntdll.dll.
 * FunctionID: receives the 32-bit immediate of the stub's first MOV EAX,
 *             or 0 when the lookup or the sanity checks fail.
 * Returns TRUE when the stub has the expected shape, FALSE otherwise.
 */
BOOL GetId( char *FuncName, ULONG *FunctionID )
{
	PBYTE stub;

	/* Default to "no id" so every FALSE path leaves *FunctionID defined. */
	*FunctionID = 0;

	/* Resolve the user-mode stub; NULL means ntdll has no such export. */
	stub = (PBYTE)GetProcAddress( GetModuleHandle( "ntdll.dll" ), FuncName );
	if ( stub == NULL )
		return FALSE;

	/*
	 * Expected stub layout (x86 ntdll of this era):
	 *   B8 xx xx xx xx   MOV EAX, _FUNCTION_ID_
	 *   BA 00 03 FE 7F   MOV EDX, 7FFE0300h
	 *   FF D2            CALL EDX
	 *   C2 xx xx         RETN xx
	 * Only the two MOV opcodes are checked: the address loaded into EDX can
	 * change between builds, and the CALL/RETN bytes are deliberately not
	 * compared.
	 */
	if ( stub[0] != 0xB8 || stub[5] != 0xBA )
		return FALSE;

	/* The immediate operand of the first MOV is the service index. */
	*FunctionID = *(PDWORD)(stub + 1);
	return TRUE;
}
/* Print the service index that ntdll's NtCreateProcessEx stub loads into EAX. */
int main(int argc, char* argv[])
{
	ULONG serviceIndex;

	(void)argc;
	(void)argv;

	printf( "function name: NtCreateProcessEx\n" );
	/* GetId zeroes serviceIndex before any early return, so it is printable either way. */
	GetId( "NtCreateProcessEx", &serviceIndex );
	printf( "function id: %08X\n", serviceIndex );
	return 0;
}
///////////////////////////////////////////////////////////////////////
这样也不爽,要从用户态传到驱动层不方便,最后,用这个代码:
#include "ntddk.h"
#include "stdarg.h"
#include "stdio.h"
#include "ntiologc.h"
#include "ntimage.h"
/* Win32-style aliases; ntddk.h does not provide these names. */
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
#define BYTE unsigned char
/* SEC_IMAGE is a user-mode (winnt.h) constant; redefined here for ZwCreateSection. */
#define SEC_IMAGE 0x01000000
/*
 * Reverse-engineered layout. Declared only as the unused local `sii` in
 * GetDllFunctionAddress; nothing in this listing reads its fields.
 */
typedef struct _SECTION_IMAGE_INFORMATION {
PVOID EntryPoint;
ULONG StackZeroBits;
ULONG StackReserved;
ULONG StackCommit;
ULONG ImageSubsystem;
WORD SubsystemVersionLow;
WORD SubsystemVersionHigh;
ULONG Unknown1;
ULONG ImageCharacteristics;
ULONG ImageMachineType;
ULONG Unknown2[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
/*
 * Map a DLL as an image section from kernel mode and walk its export table
 * to find the address of a named export inside that mapping.
 *
 * lpFunctionName: export name to look for (compared case-insensitively).
 * pDllName:       NT object path of the DLL file.
 * Returns the export's address inside the mapped view, or 0 if not found.
 *
 * NOTE(review):
 *  - None of the ZwOpenFile / ZwCreateSection / ZwMapViewOfSection statuses
 *    are checked; on any failure hFile, hSection or BaseAddress are used
 *    while uninitialised or NULL.
 *  - The view is never unmapped (no ZwUnmapViewOfSection). That is what
 *    keeps the returned address usable after the section handle is closed,
 *    but the mapping leaks for the life of the process.
 *  - The loop bound is NumberOfFunctions while x indexes the name and
 *    name-ordinal arrays, which have NumberOfNames entries.
 *  - Per the PE spec, AddressOfNameOrdinals already holds 0-based indices
 *    into AddressOfFunctions; adding Base - 1 is only harmless when Base == 1.
 *  - hThread and sii are unused; the CommitSize 1000 is a magic number.
 */
DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName)
{
HANDLE hThread, hSection, hFile, hMod;
SECTION_IMAGE_INFORMATION sii;
IMAGE_DOS_HEADER* dosheader;
IMAGE_OPTIONAL_HEADER* opthdr;
IMAGE_EXPORT_DIRECTORY* pExportTable;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base, x, functionAddress;
char* functionName;
STRING ntFunctionName, ntFunctionNameSearch;
PVOID BaseAddress = NULL;
SIZE_T size=0;
OBJECT_ATTRIBUTES oa = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE};
IO_STATUS_BLOCK iosb;
/* Open the file, back an image section with it, and map that section into the current process. */
ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
oa.ObjectName = 0;
ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, SEC_IMAGE, hFile);
ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
ZwClose(hFile);
hMod = BaseAddress;
/* e_lfanew + 24 skips the PE signature (4) and the file header (20) to reach the optional header. */
dosheader = (IMAGE_DOS_HEADER *)hMod;
opthdr =(IMAGE_OPTIONAL_HEADER *) ((BYTE*)hMod+dosheader->e_lfanew+24);
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*) hMod + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
// now we can get the exported functions, but note we convert from RVA to address
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfFunctions);
arrayOfFunctionNames = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfNames);
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)hMod + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
RtlInitString(&ntFunctionNameSearch, lpFunctionName);
for(x = 0; x < pExportTable->NumberOfFunctions; x++)
{
functionName = (char*)( (BYTE*)hMod + arrayOfFunctionNames[x]);
RtlInitString(&ntFunctionName, functionName);
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1; // always need to add base, -1 as array counts from 0
// The name-ordinal entry selects the slot in AddressOfFunctions; names and addresses are not parallel arrays.
functionAddress = (DWORD)( (BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]);
/* TRUE = case-insensitive; 0 means equal. */
if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
{
ZwClose(hSection);
return functionAddress;
}
}
ZwClose(hSection);
return 0;
}
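/*
 * Catch-all dispatch routine that completes any IRP with STATUS_SUCCESS.
 * (This listing's DriverEntry never installs it in MajorFunction, and no
 * device object is created, so it is currently unreachable.)
 *
 * DeviceObject: unused.
 * Irp:          the request, completed here.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS
OnStubDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
	UNREFERENCED_PARAMETER(DeviceObject);

	Irp->IoStatus.Status = STATUS_SUCCESS;
	/* No data is transferred; report zero bytes instead of whatever the field held. */
	Irp->IoStatus.Information = 0;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	/*
	 * The IRP may be freed as soon as IoCompleteRequest returns, so the status
	 * is returned as a constant rather than read back from Irp->IoStatus.
	 */
	return STATUS_SUCCESS;
}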
/*
 * Driver unload callback. DriverEntry in this listing installs no hook and
 * creates no device, so there is nothing to restore; only a trace is emitted.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
	UNREFERENCED_PARAMETER( DriverObject );
	DbgPrint("ROOTKIT: OnUnload called\n");
}
/*
 * Driver entry point: map ntdll.dll from kernel mode, locate the
 * ZwCreateProcessEx stub in its export table, and print the immediate
 * operand that follows the stub's leading MOV EAX (opcode B8) — i.e. the
 * service index — with DbgPrint. No hook is installed by this listing.
 *
 * theRegistryPath: unused.
 * Returns STATUS_SUCCESS unconditionally.
 *
 * NOTE(review):
 *  - functionAddress is not checked for 0 before being dereferenced.
 *  - Only a WORD is read at functionAddress+1, although the MOV EAX
 *    immediate is 32 bits wide.
 *  - The ntdll path is hard-coded to \Device\HarddiskVolume1, which is not
 *    the system volume on every machine.
 *  - i is unused and MajorFunction is never populated.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
int i;
UNICODE_STRING dllName;
DWORD functionAddress;
int position;
DbgPrint("My Driver Loaded!");
theDriverObject->DriverUnload = OnUnload;
RtlInitUnicodeString(&dllName, L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll");
functionAddress = GetDllFunctionAddress("ZwCreateProcessEx", &dllName);
/* Byte 0 is the B8 opcode; the immediate starts at byte 1. */
position = *((WORD*)(functionAddress+1));
DbgPrint("Id:%d\n", position);
return STATUS_SUCCESS;
}
上面的代码从驱动层加载NTDLL,再从输出表中找出函数地址,mov eax,[ID]对应的b8后面的字就是索引号,其实跟前一个代码作用是相似的,
只是驱动层没有LoadLibrary,只能这样解决了。将上面的代码整合起来就比较完善了,大家看着改吧。这里顺便把2003中的服务描述表发出来,希望对大家有帮助:
Service table address:0x80567980 Number of services:280=0x127
Index Address Parameters Name
-------------------------------------------------------------------------------------------------
0x0 0x8058ddce 6 NtAcceptConnectPort
0x1 0x80596b7e 8 NtAccessCheck
0x2 0x805976ce b NtAccessCheckAndAuditAlarm
0x3 0x805a8bb7 b NtAccessCheckByType
0x4 0x8059968a 10 NtAccessCheckByTypeAndAuditAlarm
0x5 0x80658705 b NtAccessCheckByTypeResultList
0x6 0x8065a9b2 10 NtAccessCheckByTypeResultListAndAuditAlarm
0x7 0x8065a9f5 11 NtAccessCheckByTypeResultListAndAuditAlarmByHandle
0x8 0x8059dc4f 3 NtAddAtom
0xb 0x806581e2 6 NtAdjustGroupsToken
0xc 0x80597836 6 NtAdjustPrivilegesToken
0xd 0x8065104b 2 NtAlertResumeThread
0xe 0x805971ea 1 NtAlertThread
0xf 0x805996cc 1 NtAllocateLocallyUniqueId
0x10 0x80647eb9 3 NtAllocateUserPhysicalPages
0x11 0x805a70dc 4 NtAllocateUuids
0x12 0x80583188 6 NtAllocateVirtualMemory
0x13 0x8058faff 2 NtApphelpCacheControl
0x14 0x805e92fb 2 NtAreMappedFilesTheSame
0x15 0x805aae6f 2 NtAssignProcessToJobObject
0x16 0x804ebbcc 3 NtCallbackReturn
0x18 0x805eb49d 2 NtCancelIoFile
0x19 0x804f7445 2 NtCancelTimer
0x1a 0x8058c43a 1 NtClearEvent
0x1b 0x805768ac 1 NtClose
0x1c 0x80596eea 3 NtCloseObjectAuditAlarm
0x1d 0x80626f6f 2 NtCompactKeys
0x1e 0x8065b8ff 3 NtCompareTokens
0x1f 0x8058dc82 1 NtCompleteConnectPort
0x20 0x806271d6 1 NtCompressKey
0x21 0x8058c55a 8 NtConnectPort
0x22 0x804eb14b 2 NtContinue
0x23 0x805b0b1e 4 NtCreateDebugObject
0x24 0x805aabaf 3 NtCreateDirectoryObject
0x25 0x80578522 5 NtCreateEvent
0x26 0x80668009 3 NtCreateEventPair
0x27 0x805790cb b NtCreateFile
0x28 0x8059f5ab 4 NtCreateIoCompletion
0x29 0x805e09eb 3 NtCreateJobObject
0x2a 0x80651805 3 NtCreateJobSet
0x2b 0x80592a39 7 NtCreateKey
0x2c 0x805f225d 8 NtCreateMailslotFile
0x2d 0x805863a1 4 NtCreateMutant
0x2e 0x8058f416 e NtCreateNamedPipeFile
0x2f 0x805c8e1e 4 NtCreatePagingFile
0x30 0x805a32a4 5 NtCreatePort
0x31 0x805bd684 8 NtCreateProcess
0x32 0x8058efe3 9 NtCreateProcessEx
0x33 0x806685b7 9 NtCreateProfile
0x34 0x80573eca 7 NtCreateSection
0x35 0x8059afa9 5 NtCreateSemaphore
0x36 0x805ab548 4 NtCreateSymbolicLinkObject
0x37 0x80588254 8 NtCreateThread
0x38 0x805a2688 4 NtCreateTimer
0x39 0x805a62a4 d NtCreateToken
0x3a 0x805bc212 5 NtCreateWaitablePort
0x3b 0x805b12c1 2 NtDebugActiveProcess
0x3c 0x805b17dc 3 NtDebugContinue
0x3d 0x80574c08 2 NtDelayExecution
0x3e 0x8059ab90 1 NtDeleteAtom
0x41 0x805b7979 1 NtDeleteFile
0x42 0x805eca87 1 NtDeleteKey
0x43 0x8065aa3a 3 NtDeleteObjectAuditAlarm
0x44 0x805a20d4 2 NtDeleteValueKey
0x45 0x80586f5e a NtDeviceIoControlFile
0x46 0x805c9f0b 1 NtDisplayString
0x47 0x8058051e 7 NtDuplicateObject
0x48 0x8059cc7c 6 NtDuplicateToken
0x4b 0x8059a085 6 NtEnumerateKey
0x4c 0x80667a42 3 NtEnumerateSystemEnvironmentValuesEx
0x4d 0x8059d849 6 NtEnumerateValueKey
0x4e 0x805ac037 2 NtExtendSection
0x4f 0x805e41d5 6 NtFilterToken
0x50 0x8059e01a 3 NtFindAtom
0x51 0x805920a7 2 NtFlushBuffersFile
0x52 0x8058a8b5 3 NtFlushInstructionCache
0x53 0x805e715b 1 NtFlushKey
0x54 0x805a130d 4 NtFlushVirtualMemory
0x55 0x80648b20 0 NtFlushWriteBuffer
0x56 0x8064852a 3 NtFreeUserPhysicalPages
0x57 0x8057b2bf 4 NtFreeVirtualMemory
0x58 0x8057f504 a NtFsControlFile
0x59 0x805e8674 2 NtGetContextThread
0x5a 0x8064de05 2 NtGetDevicePowerState
0x5b 0x805e8ccb 4 NtGetPlugPlayEvent
0x5c 0x80544ec4 7 NtGetWriteWatch
0x5d 0x805f12e2 1 NtImpersonateAnonymousToken
0x5e 0x80597fdf 2 NtImpersonateClientOfPort
0x5f 0x8059b9c8 3 NtImpersonateThread
0x60 0x805b77c8 1 NtInitializeRegistry
0x61 0x8064dc59 4 NtInitiatePowerAction
0x62 0x8058ec31 2 NtIsProcessInJob
0x63 0x8064ddf2 0 NtIsSystemResumeAutomatic
0x64 0x805bc19c 2 NtListenPort
0x65 0x805b9dfe 1 NtLoadDriver
0x66 0x805b2d8f 2 NtLoadKey
0x67 0x8062758c 3 NtLoadKey2
0x68 0x805b4a6c 4 NtLoadKeyEx
0x69 0x805a2342 a NtLockFile
0x6a 0x805e4eaa 2 NtLockProductActivationKeys
0x6b 0x805de064 1 NtLockRegistryKey
0x6c 0x805e4a65 4 NtLockVirtualMemory
0x6d 0x805ab8ba 1 NtMakePermanentObject
0x6e 0x805abb05 1 NtMakeTemporaryObject
0x6f 0x80647392 3 NtMapUserPhysicalPages
0x70 0x80647859 3 NtMapUserPhysicalPagesScatter
0x71 0x80589905 a NtMapViewOfSection
0x74 0x805ef59d 9 NtNotifyChangeDirectoryFile
0x75 0x80599f1c a NtNotifyChangeKey
0x76 0x80599d2d c NtNotifyChangeMultipleKeys
0x77 0x8058ef66 3 NtOpenDirectoryObject
0x78 0x80599615 3 NtOpenEvent
0x79 0x806680f4 3 NtOpenEventPair
0x7a 0x8057909d 6 NtOpenFile
0x7b 0x80634e03 3 NtOpenIoCompletion
0x7c 0x805af8b0 3 NtOpenJobObject
0x7d 0x80578d88 3 NtOpenKey
0x7e 0x80586508 3 NtOpenMutant
0x7f 0x805ed885 c NtOpenObjectAuditAlarm
0x80 0x80593613 4 NtOpenProcess
0x81 0x8057e110 3 NtOpenProcessToken
0x82 0x8057e816 4 NtOpenProcessTokenEx
0x83 0x8058a94b 3 NtOpenSection
0x84 0x805b3152 3 NtOpenSemaphore
0x85 0x8058ea10 3 NtOpenSymbolicLinkObject
0x86 0x805a2a8c 4 NtOpenThread
0x87 0x8057f976 4 NtOpenThreadToken
0x88 0x8057f8e5 5 NtOpenThreadTokenEx
0x89 0x805eb40f 3 NtOpenTimer
0x8a 0x805a24a2 3 NtPlugPlayControl
0x8b 0x805ae364 5 NtPowerInformation
0x8c 0x805a2c28 3 NtPrivilegeCheck
0x8d 0x805e48ce 6 NtPrivilegeObjectAuditAlarm
0x8e 0x805a7bf0 5 NtPrivilegedServiceAuditAlarm
0x8f 0x80584a67 5 NtProtectVirtualMemory
0x90 0x8059f752 2 NtPulseEvent
0x91 0x80585755 2 NtQueryAttributesFile
0x94 0x80508c75 2 NtQueryDebugFilterState
0x95 0x8057ffd5 2 NtQueryDefaultLocale
0x96 0x80587c53 1 NtQueryDefaultUILanguage
0x97 0x8058731c b NtQueryDirectoryFile
0x98 0x80595d65 7 NtQueryDirectoryObject
0x9a 0x80635410 9 NtQueryEaFile
0x9b 0x805a2d89 5 NtQueryEvent
0x9c 0x8059b735 2 NtQueryFullAttributesFile
0x9d 0x805edffe 5 NtQueryInformationAtom
0x9e 0x805852cf 5 NtQueryInformationFile
0x9f 0x805af5ab 5 NtQueryInformationJobObject
0xa0 0x80644a66 5 NtQueryInformationPort
0xa1 0x8057fdea 5 NtQueryInformationProcess
0xa2 0x80576dc6 5 NtQueryInformationThread
0xa3 0x8057e718 5 NtQueryInformationToken
0xa4 0x8059d58c 1 NtQueryInstallUILanguage
0xa5 0x80668a4e 2 NtQueryIntervalProfile
0xa6 0x80634ebc 5 NtQueryIoCompletion
0xa7 0x80580c31 5 NtQueryKey
0xa8 0x80626765 6 NtQueryMultipleValueKey
0xa9 0x80668412 5 NtQueryMutant
0xaa 0x805f1cad 5 NtQueryObject
0xab 0x80626953 2 NtQueryOpenSubKeys
0xac 0x80626b89 4 NtQueryOpenSubKeysEx
0xad 0x8057f59e 2 NtQueryPerformanceCounter
0xae 0x80635c9d 9 NtQueryQuotaInformationFile
0xaf 0x8058679a 5 NtQuerySection
0xb0 0x805997e7 5 NtQuerySecurityObject
0xb1 0x80667325 5 NtQuerySemaphore
0xb2 0x8058e816 3 NtQuerySymbolicLinkObject
0xb3 0x80667a76 4 NtQuerySystemEnvironmentValue
0xb5 0x8057cbe2 4 NtQuerySystemInformation
0xb6 0x80597e57 1 NtQuerySystemTime
0xb7 0x8058c677 5 NtQueryTimer
0xb8 0x8059e436 3 NtQueryTimerResolution
0xb9 0x80577d61 6 NtQueryValueKey
0xba 0x80582264 6 NtQueryVirtualMemory
0xbb 0x8057960d 5 NtQueryVolumeInformationFile
0xbc 0x8058c78e 5 NtQueueApcThread
0xbd 0x804eb198 3 NtRaiseException
0xbe 0x80667075 6 NtRaiseHardError
0xbf 0x8057d886 9 NtReadFile
0xc0 0x805aeb82 9 NtReadFileScatter
0xc1 0x8059859d 6 NtReadRequestData
0xc2 0x805861e0 5 NtReadVirtualMemory
0xc3 0x80588402 1 NtRegisterThreadTerminatePort
0xc4 0x80574b77 2 NtReleaseMutant
0xc5 0x80598eb5 3 NtReleaseSemaphore
0xc6 0x80577945 5 NtRemoveIoCompletion
0xc7 0x8066e462 2 NtRemoveProcessDebug
0xc8 0x80626dec 2 NtRenameKey
0xc9 0x8062748f 3 NtReplaceKey
0xca 0x80580e50 2 NtReplyPort
0xcb 0x8057b2a0 4 NtReplyWaitReceivePort
0xcc 0x8057adb0 5 NtReplyWaitReceivePortEx
0xcd 0x80644b39 2 NtReplyWaitReplyPort
0xce 0x80667a4f 1 NtModifyDriverEntry
0xcf 0x805985f2 2 NtRequestPort
0xd0 0x8058cbc3 3 NtRequestWaitReplyPort
0xd1 0x8064dc04 1 NtRequestWakeupLatency
0xd2 0x805a4751 2 NtResetEvent
0xd3 0x8054543e 3 NtResetWriteWatch
0xd4 0x80627286 3 NtRestoreKey
0xd5 0x80650ff5 1 NtResumeProcess
0xd6 0x805806fa 2 NtResumeThread
0xd7 0x80627325 2 NtSaveKey
0xd8 0x806273b2 3 NtSaveKeyEx
0xd9 0x80625f0d 3 NtSaveMergedKeys
0xda 0x8058d4b2 9 NtSecureConnectPort
0xdd 0x805b16f1 2 NtSetContextThread
0xde 0x8066e4f1 3 NtSetDebugFilterState
0xdf 0x805ca1ac 1 NtSetDefaultHardErrorPort
0xe0 0x805b748b 2 NtSetDefaultLocale
0xe1 0x805b7433 1 NtSetDefaultUILanguage
0xe2 0x80667a5c 2 NtSetBootEntryOrder
0xe3 0x8063594e 4 NtSetEaFile
0xe4 0x8057abd7 2 NtSetEvent
0xe5 0x80575690 1 NtSetEventBoostPriority
0xe6 0x806683b0 1 NtSetHighEventPair
0xe7 0x806682e6 1 NtSetHighWaitLowEventPair
0xe8 0x8066e255 5 NtSetInformationDebugObject
0xe9 0x80578747 5 NtSetInformationFile
0xea 0x805e0b5f 4 NtSetInformationJobObject
0xeb 0x80626400 4 NtSetInformationKey
0xec 0x8059223e 4 NtSetInformationObject
0xed 0x80580221 4 NtSetInformationProcess
0xee 0x80577629 4 NtSetInformationThread
0xef 0x805a6844 4 NtSetInformationToken
0xf0 0x806685a0 2 NtSetIntervalProfile
0xf1 0x8057c39a 5 NtSetIoCompletion
0xf2 0x806508db 6 NtSetLdtEntries
0xf3 0x8066834f 1 NtSetLowEventPair
0xf4 0x8066827d 1 NtSetLowWaitHighEventPair
0xf5 0x80635c7e 4 NtSetQuotaInformationFile
0xf6 0x805a5626 3 NtSetSecurityObject
0xf7 0x80667d39 2 NtSetSystemEnvironmentValue
0xf8 0x80667a35 5 NtSetSystemEnvironmentValueEx
0xf9 0x80597238 3 NtSetSystemInformation
0xfa 0x8067b325 3 NtSetSystemPowerState
0xfb 0x8066697b 2 NtSetSystemTime
0xfc 0x805abc19 2 NtSetThreadExecutionState
0xfd 0x804ee9bf 7 NtSetTimer
0xfe 0x805acb3b 3 NtSetTimerResolution
0xff 0x805bc73c 1 NtSetUuidSeed
0x100 0x80592859 6 NtSetValueKey
0x101 0x806361ed 5 NtSetVolumeInformationFile
0x102 0x8066614b 1 NtShutdownSystem
0x103 0x80546d9e 4 NtSignalAndWaitForSingleObject
0x104 0x806687ec 1 NtStartProfile
0x105 0x80668999 1 NtStopProfile
0x106 0x80650fa0 1 NtSuspendProcess
0x107 0x805b0163 2 NtSuspendThread
0x108 0x80668af2 6 NtSystemDebugControl
0x109 0x80651a9b 2 NtTerminateJobObject
0x10a 0x80590cba 2 NtTerminateProcess
0x10b 0x80576714 2 NtTerminateThread
0x10c 0x8057e4f8 0 NtTestAlert
0x10d 0x8051ed5e 4 NtTraceEvent
0x10e 0x80667a69 4 NtTranslateFilePath
0x10f 0x806383c5 1 NtUnloadDriver
0x110 0x8062747c 1 NtUnloadKey
0x111 0x80625fc6 2 NtUnloadKey2
0x112 0x806261cb 2 NtUnloadKeyEx
0x113 0x805a220b 5 NtUnlockFile
0x114 0x805ae977 4 NtUnlockVirtualMemory
0x115 0x80589e79 2 NtUnmapViewOfSection
0x116 0x805c5aa2 2 NtVdmControl
0x117 0x805b07c8 4 NtWaitForDebugEvent
0x118 0x80574d38 5 NtWaitForMultipleObjects
0x119 0x8057428d 3 NtWaitForSingleObject
0x11a 0x8066821c 1 NtWaitHighEventPair
0x11b 0x806681bb 1 NtWaitLowEventPair
0x11c 0x80578248 9 NtWriteFile
0x11d 0x805aefe1 9 NtWriteFileGather
0x11e 0x805990a6 6 NtWriteRequestData
0x11f 0x805862d7 5 NtWriteVirtualMemory
0x120 0x805091c1 0 NtYieldExecution
0x121 0x805d7d7f 4 NtCreateKeyedEvent
0x122 0x8058f5cf 3 NtOpenKeyedEvent
0x123 0x8066922f 4 NtReleaseKeyedEvent
0x124 0x806694aa 4 NtWaitForKeyedEvent
0x125 0x8064f170 0 NtQueryPortInformationProcess
0x126 0x8064f1a4 0 NtGetCurrentProcessorNumber
参考资料:
1.MSDN系列(3)--Administrator用户直接获取SYSTEM权限 scz
http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1900
2.hooking functions not exported by ntoskrnl
http://www.rootkit.com/newsread.php?newsid=151
3.Simple Hooking of Functions not Exported by Ntoskrnl.exe
http://www.rootkit.com/newsread.php?newsid=248