[lorddoskias]

Hello,

I'm trying to hook ZwQuerySystemInformation on Windows 7 32 bits. Here's the code I have:

In DriverEntry:

.....

Code: Select all

/*  Start the hooking proess */
	WPGLOBAL state = disableWP(KeServiceDescriptorTable.KiServiceTable, KeServiceDescriptorTable.nSystemCalls);
	if((state.mdl == NULL) || (state.address == NULL)) {
		return STATUS_UNSUCCESSFUL;
	}

	RtlInitUnicodeString(&FuncName, L"ZwQuerySystemInformation");
	ZwQuerySystemInformation = (QUERY_SYS_INFO)MmGetSystemRoutineAddress(&FuncName);
	if(ZwQuerySystemInformation != NULL)
		hookSSDTEntry((BYTE *)ZwQuerySystemInformation, (BYTE *)myZwQuerySystemInformation, (DWORD *)state.address);

	enableWP(&state);

/* end hooking process */

The enable/disable WP are pretty straight forward - I'm using MDL's to disable KeServiceTable protection. Here is my custom ZwQuerySystemInformation:

Code: Select all

NTSTATUS myZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength) 
{

	DbgPrint("Hooked ZwQuerySystemInformation Invoked \n");

	return ZwQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
}

Just a single wrapper to see that it is actually working. The SSDT hooking routines:

Code: Select all

DWORD getSSDTIndex(BYTE *address) {
	BYTE *addressOfIndex;
	DWORD index;
	addressOfIndex = address + 1;

	return *((PULONG)addressOfIndex);
}

BYTE* hookSSDTEntry(BYTE *apicall, BYTE *newadd, DWORD *calltable) {

	PLONG target;
	DWORD indexValue;

	indexValue = getSSDTIndex(apicall);
	return (BYTE *)InterlockedExchange((PLONG)&calltable[indexValue], (LONG)newadd);
}

Pretty straightforward, the problem is that I can see the string "Hooked ZwQuerySystemInformation Invoked " about 10-15 times after which the system freezes. I can't even break the debugger so that I can check if a BSOD has actually occurred. Any ideas as to where I might be wrong are welcomed.

[GamingMasteR]

Hi,

Are you working on multi-core cpu ?
If yes please try this code and see if freeze still happens :

Code: Select all

KAFFINITY Affinity = 1;
KeSetAffinityThread(KeGetCurrentThread(), Affinity);

// 
// Hook SSDT Code
//

Affinity = KeQueryActiveProcessors();
KeSetAffinityThread(KeGetCurrentThread(), Affinity);

[lorddoskias]

I'm trying this inside a virtual machine which has just 1 CPU, but the host PC has multicore CPU and then agains since I'm using InterlockedExchange - multi-CPU shouldn't matter or am I mistaken?

EDIT:

Here is what my code looks now as per you requested:

In DriverEntry:

Code: Select all

        RtlInitUnicodeString(&FuncName, L"ZwQuerySystemInformation");
	ZwQuerySystemInformation = (QUERY_SYS_INFO)MmGetSystemRoutineAddress(&FuncName);
	RtlInitUnicodeString(&FuncName, L"KeSetAffinityThread");
	KeSetAffinityThread = (SET_AFFINITY)MmGetSystemRoutineAddress(&FuncName);
	if(ZwQuerySystemInformation != NULL)
	{
		KAFFINITY Affinity = 1;
		KeSetAffinityThread(KeGetCurrentThread(), Affinity);

		hookSSDTEntry((BYTE *)ZwQuerySystemInformation, (BYTE *)myZwQuerySystemInformation, (DWORD *)state.address);

		Affinity = KeQueryActiveProcessors();
		KeSetAffinityThread(KeGetCurrentThread(), Affinity);
	}
	enableWP(&state);

And I can still confirm that the same freeze occurs.

[GamingMasteR]

You are right ...
I think the mistake you made is that you are returning execution in hook function to ZwQuerySystemInformation while you should return to NtQuerySystemInformation, use the returned value from hookSSDTEntry function.

[EP_X0FF]

He coded recursive endless loop.