[計(jì)算機(jī)軟件及應(yīng)用]麥洛克菲內(nèi)核驅(qū)動(dòng)開(kāi)發(fā)第七課ppt課件

1、麥洛克菲內(nèi)核開(kāi)發(fā)第七課注冊(cè)表callback 和重定向麥洛克菲mallocfree程君程君Callback提綱nCallback 相關(guān)函數(shù)nCallback 原理nCallback 實(shí)現(xiàn)功能注冊(cè)表重定向提綱n注冊(cè)表的構(gòu)成n注冊(cè)表調(diào)用Callback 相關(guān)函數(shù)NTSTATUSCmRegisterCallback(IN PEX_CALLBACK_FUNCTION Function,IN PVOID Context,OUT PLARGE_INTEGER Cookie / 時(shí)間 ); NTSTATUSCmRegisterCallbackEx(IN PEX_CALLBACK_FUNCTION Funct

2、ion,IN PCUNICODE_STRING Altitude,IN PVOID Driver,IN PVOID Context,OUT PLARGE_INTEGER Cookie, PVOID Reserved); Vista 以后運(yùn)用,支持高度NTSTATUSCmUnRegisterCallback(IN LARGE_INTEGER Cookie); Callback 相關(guān)函數(shù)nCmSetCallbackObjectContext(IN OUT PVOID Object,IN PLARGE_INTEGER Cookie,IN PVOID NewContext,OUT OPTIONAL P

3、VOID *OldContext );n主要用來(lái)在一個(gè)對(duì)象上設(shè)置相關(guān)的數(shù)據(jù)構(gòu)造n nNTSTATUSCmCallbackGetKeyObjectID(IN PLARGE_INTEGER Cookie,IN PVOID Object,OUT OPTIONAL PULONG_PTR ObjectID,OUT OPTIONAL PCUNICODE_STRING *ObjectName); n主要用來(lái)在vista以后得到key 的名字nPVOIDCmGetBoundTransaction(in PLARGE_INTEGER Cookie,in PVOID Object); nVOID CmGetCal

4、lbackVersion(OUT OPTIONAL PULONG Major,OUT OPTIONAL PULONG Minor); Callback 相關(guān)函數(shù)nEX_CALLBACK_FUNCTION RegistryCallback;nNTSTATUS RegistryCallback(_in PVOID CallbackContext,_in_opt PVOID Argument1, / / REG_NOTIFY_CLASS _in_opt PVOID Argument2 / KEY_INFORMATION )nswitch( (REG_NOTIFY_CLASS) Argument1)n

5、ncase RegNtPreDeleteKey :nreturn HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION) Argument2);ncase RegNtPreSetValueKey:nreturn HOOK_PreNtSetValueKey(PREG_SET_VALUE_KEY_INFORMATION) Argument2);ncase RegNtPreDeleteValueKey:nreturn HOOK_PreNtDeleteValueKey(PREG_DELETE_VALUE_KEY_INFORMATION) Argument2);

6、ncase RegNtPreRenameKey:nreturn HOOK_PreNtRenameKey(PREG_RENAME_KEY_INFORMATION) Argument2);ncase RegNtPreCreateKeyEx:nreturn HOOK_PreNtCreateKeyEx(PREG_CREATE_KEY_INFORMATION) Argument2);ncase RegNtPreCreateKeyEx: / pre 操作nreturn HOOK_PreNtCreateKeyEx(PREG_CREATE_KEY_INFORMATION) Argument2);ncase R

7、egNtPostCreateKeyEx : / post 操作nreturn HOOK_PostNtCreateKeyEx(PRGG_POST_OPERATION_INFORMATION ) Argument2);nCallback 相關(guān)函數(shù)nPre 操作nREG_XXX_KEY_INFORMATIONn根據(jù)調(diào)用的各個(gè)不同REG_NOTIFY_CLASS 來(lái)決議 nPOST 操作ntypedef struct _REG_POST_OPERATION_INFORMATION PVOID Object; / pre 操作后產(chǎn)生的對(duì)象NTSTATUS Status; / pre 完成后將要前往給系統(tǒng)

8、的形狀n PVOID PreInformation; / pre 的類信息NTSTATUS ReturnStatus; / 假設(shè)要作修正,將要前往的形狀PVOID CallContext; / PVOID ObjectContext; / 可以pre 設(shè)置帶到post里面來(lái)PVOID Reserved; REG_POST_OPERATION_INFORMATION,*PREG_POST_OPERATION_INFORMATION; 整體框架NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING Regist

9、ryPath) NTSTATUS ntStatus;ntStatus = CmRegisterCallback(MyRegistryCallback, NULL, &pCookie);return ntStatus;NTSTATUS RegistryCallback(_in PVOID CallbackContext,_in_opt PVOID Argument1, / / REG_NOTIFY_CLASS _in_opt PVOID Argument2 / KEY_INFORMATION ) switch( (REG_NOTIFY_CLASS) Argument1) case Reg

10、NtPreDeleteKey :return HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION) Argument2); case RegNtPreRenameKey:return HOOK_PreNtRenameKey(PREG_RENAME_KEY_INFORMATION) Argument2); case RegNtPreCreateKeyEx: / pre 操作 return HOOK_PreNtCreateKeyEx(PREG_CREATE_KEY_INFORMATION) Argument2); case RegNtPostCreate

11、KeyEx : / post 操作return HOOK_PostNtCreateKeyEx(PRGG_POST_OPERATION_INFORMATION ) NTSTATUS HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION Data)NTSTATUS status = 0;PUNICODE_STRING keyName;UNICODE_STRING uTarget;return STATUS_SUCCESS;Callback 實(shí)現(xiàn)的功能nMonitorn主要用在系統(tǒng)工具上,procmon,regmonnBlockn防御上，維護(hù)上等等nModi

12、fynSandbox,虛擬化等等Callback 實(shí)現(xiàn)的功能nMonitornRegistryCallback routine returns STATUS_SUCCESS nBlocknRegistryCallback routine NT_SUCCESS(status) equals FALSE, 這時(shí)候直接前往形狀status 給系統(tǒng)調(diào)用,假設(shè)注冊(cè)了post 操作的話,post 操作將不會(huì)執(zhí)行n Callback 實(shí)現(xiàn)的功能nModifyn1. 修正REG_xxx_KEY_INFORMATION 構(gòu)造里面的然后 Callback 函數(shù)前往STATUS_SUCCESS n2. 修正REG_

13、POST_OPERATION_INFORMATION 構(gòu)造里的ReturnStatus,然后Callback 函數(shù)前往STATUS_CALLBACK_BYPASS Callback 設(shè)計(jì)中心思想nWindow 操作系統(tǒng)的設(shè)計(jì)中心n音訊分發(fā)：運(yùn)用層nn分層：從運(yùn)用到內(nèi)核nn回調(diào)：也相當(dāng)于分層，其實(shí)回調(diào)應(yīng)該是設(shè)計(jì)的一種接口方式Callback 設(shè)計(jì)中心分層思想Callback 設(shè)計(jì)中心思想ntOpenKey().if(isCallback() return regcalllist-preOpen();.if(isCallback() return regcalllist-postOpen();1.

14、在注冊(cè)的時(shí)候把要注冊(cè)的函數(shù)放到全局鏈表里2.在調(diào)用的時(shí)候，先判別能否注冊(cè)，假設(shè)注冊(cè)，調(diào)用函數(shù)Callback 原理nNTSTATUSnCmRegisterCallback(_in PEX_CALLBACK_FUNCTION Function, _in_opt PVOID Context,_out PLARGE_INTEGER Cookie)nn PEX_CALLBACK_ROUTINE_BLOCK RoutineBlock;n ULONG i;n PCM_CALLBACK_CONTEXT_BLOCK CmCallbackContext;n PAGED_CODE();n CmCallbackCo

15、ntext = (PCM_CALLBACK_CONTEXT_BLOCK)ExAllocatePoolWithTag (PagedPool, sizeof (CM_CALLBACK_CONTEXT_BLOCK), bcMC);n if( CmCallbackContext = NULL ) n return STATUS_INSUFFICIENT_RESOURCES;n n RoutineBlock = ExAllocateCallBack (Function,CmCallbackContext);n if( RoutineBlock = NULL ) n ExFreePool(CmCallba

16、ckContext);n return STATUS_INSUFFICIENT_RESOURCES;n n/ init the contextnKeQuerySystemTime(&(CmCallbackContext-Cookie);n *Cookie = CmCallbackContext-Cookie;n InitializeListHead(&(CmCallbackContext-ThreadListHead); nExInitializePushLock(&(CmCallbackContext-ThreadListLock);n CmCallbackConte

17、xt-CallerContext = Context;n/ find a spot where we could add this callbacknfor( i=0;iCmpCallCallBacksCallback 原理：注冊(cè)的函數(shù)什么時(shí)間調(diào)用1.NtOpenKey 和NtCreateKey CmpParseKeyNtOpenKey-ObOpenObjectByName(ObInsertObject ObReferenceObjectByName)-ObpLookupObjectName(ParseProcedure)Callback 原理：注冊(cè)的函數(shù)什么時(shí)間調(diào)用2pParseKeyPha

18、se1Initialization-Phase1InitializationDiscard-CmInitSystem1-CmpCreateObjectTypes-CmpParseKey-CmpCallCallBacks RtlZeroMemory(&ObjectTypeInitializer, sizeof(ObjectTypeInitializer); ObjectTypeInitializer.Length = sizeof(ObjectTypeInitializer); ObjectTypeInitializer.InvalidAttributes = CMP_KEY_INVAL

19、ID_ATTRIBUTES; ObjectTypeInitializer.GenericMapping = CmpKeyMapping; ObjectTypeInitializer.ValidAccessMask = KEY_ALL_ACCESS; ObjectTypeInitializer.DefaultPagedPoolCharge = sizeof(CM_KEY_BODY);. ObjectTypeInitializer.DumpProcedure = NULL; ObjectTypeInitializer.OpenProcedure = NULL; ObjectTypeInitiali

20、zer.CloseProcedure = CmpCloseKeyObject; ObjectTypeInitializer.DeleteProcedure = CmpDeleteKeyObject; ObjectTypeInitializer.ParseProcedure = CmpParseKey; ObjectTypeInitializer.SecurityProcedure = CmpSecurityMethod; ObjectTypeInitializer.QueryNameProcedure = CmpQueryKeyName;a.從上面可以看出：在創(chuàng)建key object 類型的時(shí)

21、候，注冊(cè)key對(duì)象的ParseProcedure，從而把對(duì)象類型和詳細(xì)的對(duì)象聯(lián)絡(luò)起來(lái)b.從CmpParseKey可知道，用CmAreCallbacksRegistered 判別能否注冊(cè)Callback 原理：注冊(cè)的函數(shù)什么時(shí)間調(diào)用CmpParseKeybasentosconfig if ( CmAreCallbacksRegistered() ) REG_CREATE_KEY_INFORMATION PreCreateInfo; PreCreateInfopleteName = CompleteName; PreCreateInfo.RootObject = ParseObject; if(

22、ARGUMENT_PRESENT(lcontext) ) / / NtCreateKey / status = CmpCallCallBacks(RegNtPreCreateKeyEx,&PreCreateInfo,TRUE,RegNtPostCreateKeyEx,ParseObject); else / / NtOpenKey / status = CmpCallCallBacks(RegNtPreOpenKeyEx,(PREG_OPEN_KEY_INFORMATION)(&PreCreateInfo),TRUE,RegNtPostOpenKeyEx,ParseObject); if( !NT_SUCCESS(status) ) / 前往到哪里去了 ObpLookupObjectName return status; BEGIN_LOCK_CHECKPOINT; kcb = (PCM_KEY_BODY)ParseObject)-KeyControlBlock; Callback 原理：注冊(cè)的函數(shù)什么時(shí)間調(diào)用 練習(xí)n1.regmonn2.特殊技藝n3.了解回調(diào)設(shè)計(jì)架構(gòu)n4. file 的回調(diào)分析注冊(cè)表的構(gòu)成注冊(cè)表的構(gòu)成注冊(cè)表的類型注冊(cè)表與文件對(duì)應(yīng)關(guān)系注冊(cè)表的調(diào)用關(guān)系重定向方案n1.ntdll hookn需求x64的hook 引擎