Ring0 ADetours
Being a big fan of ADetours, created by Azorbix, I ported it to ring0 a while ago and now I've enhanced it a bit to make a release. Credit: Michael87
What it does now:
ADetourKernelFunc:
- auto-detect opcode size
- lock pages in memory before accessing them (needed for detours over pageable memory like win32k.sys)
ARetourKernelFunc:
- you can now decide whether to free or redirect the trampoline.
Usage:
at the top of your .cpp/.c file:
#include "adetours.h"

// define Example1 functions and init the Org_Example1 address to 0x101010
// > 1st arg: use page locking before hooking (boolean) TRUE/FALSE
// >   set to TRUE if hooking pageable memory
// > 2nd arg: function name
// > 3rd arg: return type
// > 4th arg: arguments with "( )"
// > 5th arg: original function address
// > 6th arg: calling convention (this is optional)
ADETOUR_DEFINE_AND_INIT(TRUE, Example1, BOOLEAN, (IN LONG arg1), 0x101010, NTAPI);

// define Example2 functions and don't init Org_Example2
// > we could also add a ", NTAPI" here,
// > but as it is optional, we don't do it this time,
// > attention: the calling convention will then default to your compiler's default setting
ADETOUR_DEFINE(FALSE, Example2, VOID, (IN LONG arg1));
About hooking, in your .cpp/.c file:

void AddDetours()
{
    // set detour & auto-detect opcode size
    ADETOUR_HOOK(Example1);

    // init Org_Example2
    Org_Example2 = (Example2_Func)0x202020;

    // set detour & use 8 as opcode length (minimal value is 5)
    ADETOUR_HOOK_LEN(Example2, 8);
}

void RemoveDetours()
{
    // remove detour & don't free trampoline, redirect it to Org_Example1 instead
    ADETOUR_UNHOOK(Example1, false);

    // remove detour with given opcode length & free trampoline
    ADETOUR_UNHOOK_LEN(Example2, 8, true);
}

// replacement for Example1: pass through to the trampoline, which runs the
// original function's displaced bytes and continues in the original code
BOOLEAN NTAPI My_Example1(IN LONG arg1)
{
    return Trmp_Example1(arg1);
}

// replacement for Example2: VOID return, so the trampoline is called
// without returning its (non-existent) value, which plain C rejects
VOID NTAPI My_Example2(IN LONG arg1)
{
    Trmp_Example2(arg1);
}
- don't enable any sti/cli/cr0 asm tricks yourself before hooking/unhooking; adetours does this for you
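The defender's counterpart to the above, added here as an example and not part of the ADetours release: because the minimal opcode length is 5, a detour of this kind starts with a 5-byte rel32 jmp at the hooked function's entry, and a hook scanner can look for exactly that. The sample entry bytes and the module range are constructed; 0x101010 is reused from the Org_Example1 address in the usage above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A 5-byte detour is "jmp rel32": opcode 0xE9 followed by a little-endian
 * signed 32-bit displacement relative to the end of the instruction. */
#define JMP_REL32_OPCODE 0xE9
#define JMP_REL32_LEN    5

/* Constructed sample entry bytes (not captured from any real system). */
static const uint8_t kHookedEntry[] = { 0xE9, 0xEB, 0xEF, 0x1F, 0x00 }; /* jmp 0x300000 when placed at 0x101010 */
static const uint8_t kCleanEntry[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t kLocalJmp[]    = { 0xE9, 0xEB, 0x0F, 0x00, 0x00 }; /* jmp 0x102000 when placed at 0x101010 */

/* Resolve the target of a rel32 jmp located at func_addr; returns 0 when the
 * bytes do not start with one. */
uint64_t resolve_jmp_target(const uint8_t *code, size_t len, uint64_t func_addr)
{
    int32_t rel;
    if (len < JMP_REL32_LEN || code[0] != JMP_REL32_OPCODE)
        return 0;
    memcpy(&rel, code + 1, sizeof rel);
    return func_addr + JMP_REL32_LEN + (uint64_t)(int64_t)rel;
}

/* Flag an entry-point detour: a rel32 jmp whose target leaves the owning
 * module's image range [module_base, module_base + module_size). A jmp that
 * stays inside the module is left alone (compilers emit such tail jumps). */
int detect_entry_detour(const uint8_t *code, size_t len, uint64_t func_addr,
                        uint64_t module_base, uint64_t module_size)
{
    uint64_t target = resolve_jmp_target(code, len, func_addr);
    if (target == 0)
        return 0;
    return target < module_base || target >= module_base + module_size;
}

int main(void)
{
    /* Assumed image range for the module owning 0x101010 (constructed). */
    const uint64_t base = 0x100000, size = 0x10000, func = 0x101010;
    printf("hooked entry: %d (target 0x%llx)\n",
           detect_entry_detour(kHookedEntry, sizeof kHookedEntry, func, base, size),
           (unsigned long long)resolve_jmp_target(kHookedEntry, sizeof kHookedEntry, func));
    printf("clean entry:  %d\n", detect_entry_detour(kCleanEntry, sizeof kCleanEntry, func, base, size));
    printf("local jmp:    %d\n", detect_entry_detour(kLocalJmp, sizeof kLocalJmp, func, base, size));
    return 0;
}
```

A real scanner would read the entry bytes of each exported kernel routine and take the module range from the loaded-module list; only the byte check and target resolution are shown here.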
Hooking Win32k.sys
- make sure to use page locking
- before hooking/unhooking make sure you are in a GUI-process context:
either attach to one (check Sheppard's Ring 0 Hack for Diablo 2), or better, send an IOCTL to your driver and do it from there, because attaching sometimes causes problems during hooking
Credits
Matthew L (Azorbix)
Dom1n1k
LanceVorgin
P47R!CK
rain
Ms-Rem
Changelog
2.1
- converted to C
- better names for the function arguments
2.0
- can now choose to use page locking or not
- added cr0 / cli / sti tricks
- fixed callconvention macros
- general improvements
1.1
- rewrote page locking functions
1.0
- first release
http://www.ziddu.com/download/11766317/adetours_ring0_2.1.zip.html