BehaviorMon.h
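/*
 * System call table hook/unhook macros.
 *
 * Both architecture variants patch the kernel service table
 * (KeServiceTablePointers) in place and record what they did in
 * HookDescriptors[], indexed by the system call number that SYSCALL_INDEX()
 * extracts from the body of the Zw* function passed in.  Because the patch is
 * a plain write into the table, it is visible to any integrity check of that
 * table and it composes badly with other hooks (see the NOTE above
 * UNHOOK_SYSCALL).  Neither variant range-checks the extracted index against
 * the size of HookDescriptors[] or of the table, and SYSCALL_INDEX() reads raw
 * code bytes, so callers must pass only genuine Zw* entry points; anything else
 * yields an arbitrary index.
 *
 * Every macro evaluates its arguments more than once; do not pass expressions
 * with side effects.  All macro bodies use backslash continuations, so comments
 * inside them must be block comments, never '//' (a '//' would swallow the
 * rest of the macro).
 *
 * Parameters (all variants):
 *   _Function  the Zw* function whose table entry is patched
 *   _Hook      the replacement routine
 *   _Orig      lvalue that receives the value needed to call the original
 *              (a PVOID; see the per-architecture notes for what it points to)
 */
#if defined(_M_IA64)
//
// IA64 SYSTEM CALL HOOK/UNHOOK
//
// On the IA64 the Zw function has an embedded immediate that is the system
// call number.  _Function is a function descriptor, so *(PULONG_PTR)_Function
// is the code address; the index is assembled from the low two bits of the
// ULONG at code+4 (shifted left by 7) plus the ULONG at code+0 shifted right
// by 18.  The exact instruction encoding this relies on is not documented
// here - TODO confirm against the stub layout of the target build.
//
#define SYSCALL_INDEX(_Function) \
    (((*(PULONG)((PUCHAR)(*(PULONG_PTR)(_Function)+4)) & 0x3) << 7) + \
     (*(PULONG)((PUCHAR)*(PULONG_PTR)(_Function)) >> 18))

//
// HOOK_SYSCALL (IA64)
//
// Only hooks if our descriptor says the entry is not yet hooked; the first
// hook also patches the hook stub with the kernel gp (PatchStub) unless
// stubsPatched says that was already done.  The previous table entry is
// swapped out with InterlockedExchangePointer and stored as the EntryPoint of
// a function descriptor kept in HookDescriptors[].  _Orig therefore receives
// the ADDRESS of that saved descriptor, not the original entry point itself.
// The Hooked test and the exchange are separate steps: if another party
// replaces the table entry in between, the value saved as "original" is that
// other hook (the same window described in the unhook NOTE below).
//
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
    if( !HookDescriptors[ SYSCALL_INDEX(_Function) ].Hooked ) { \
        ULONG syscallIndex = SYSCALL_INDEX(_Function ); \
        if( !stubsPatched ) PatchStub( gpReg, (PVOID) *(PULONG_PTR *) Stub##_Hook ); \
        HookDescriptors[ syscallIndex ].FuncDesc.EntryPoint = \
            (ULONGLONG) InterlockedExchangePointer( (PVOID) &KeServiceTablePointers[ syscallIndex ], *(PULONG_PTR *) Stub##_Hook ); \
        HookDescriptors[ syscallIndex ].FuncDesc.GlobalPointer = ((PLABEL_DESCRIPTOR *)&_Function)->GlobalPointer; \
        _Orig = (PVOID) &HookDescriptors[ syscallIndex ].FuncDesc.EntryPoint; \
        HookDescriptors[ syscallIndex ].Hooked = TRUE; \
    }

//
// UNHOOK_SYSCALL (IA64)
//
// NOTE: We can't unhook if someone else has hooked on top of us. Note that the
// unhook code below still has a window of vulnerability where someone can hook
// between our test and unhook.  The entry is restored only when the table still
// holds _Hook, so a hook layered on top of ours is left in place rather than
// being unlinked from under it; the descriptor then stays marked Hooked.
//
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
    if( HookDescriptors[ SYSCALL_INDEX(_Function)].Hooked && KeServiceTablePointers[ SYSCALL_INDEX(_Function) ] == (PVOID) _Hook ) { \
        InterlockedExchangePointer( (PVOID) &KeServiceTablePointers[ SYSCALL_INDEX(_Function) ], (PVOID) _Orig ); \
        HookDescriptors[ SYSCALL_INDEX(_Function) ].Hooked = FALSE; \
    }
#else
//
// X86 SYSTEM CALL HOOK/UNHOOK
//
// Define this because we build with the NT4DDK for 32-bit systems, where
// ULONG_PTR isn't defined and is a ULONG anyway.  Everything in this branch
// assumes 32-bit pointers: the table entries are exchanged through
// InterlockedExchange on a LONG, so the (LONG)/(PVOID) casts below would
// truncate on a 64-bit build.
//
typedef ULONG ULONG_PTR;

//
// On X86 implementations of Zw* functions, the DWORD following the first byte
// is the system call number, so we reach into the Zw function passed as a
// parameter and pull the number out instead of hard-coding it.  This is an
// unaligned read of code bytes at _Function+1; it is only valid for a real
// Zw* stub.
//
#define SYSCALL_INDEX(_Function) (*(PULONG)((PUCHAR)(_Function)+1))

//
// HOOK_SYSCALL (x86)
//
// Only hooks if our descriptor says the entry is not yet hooked.  The previous
// table entry is swapped out with InterlockedExchange and handed back in _Orig
// as a plain PVOID (the original entry point, callable directly).  As on IA64,
// the Hooked test and the exchange are separate steps, so a hook installed by
// someone else in between would be captured as the "original".
//
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
    if( !HookDescriptors[ SYSCALL_INDEX(_Function) ].Hooked ) { \
        _Orig = (PVOID) InterlockedExchange( (PLONG) &KeServiceTablePointers[ SYSCALL_INDEX(_Function) ], (LONG) _Hook ); \
        HookDescriptors[ SYSCALL_INDEX(_Function) ].Hooked = TRUE; \
    }

//
// UNHOOK_SYSCALL (x86)
//
// NOTE: We can't unhook if someone else has hooked on top of us. Note that the
// unhook code below still has a window of vulnerability where someone can hook
// between our test and unhook.  When the table no longer holds _Hook the entry
// is left alone and the descriptor stays marked Hooked.
//
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
    if( HookDescriptors[ SYSCALL_INDEX(_Function)].Hooked && KeServiceTablePointers[ SYSCALL_INDEX(_Function) ] == (PVOID) _Hook ) { \
        InterlockedExchange( (PLONG) &KeServiceTablePointers[ SYSCALL_INDEX(_Function) ], (LONG) _Orig ); \
        HookDescriptors[ SYSCALL_INDEX(_Function) ].Hooked = FALSE; \
    }
#endif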