[原创]一个简单的栈回溯
发表于:
2009-11-1 01:09
看了大米牛的一篇调试文章,才有了这篇,本来想hook NtfsCreateFcb,不过也偷了下懒。
参考资料:
achillis牛的文章:
http://hi.baidu.com/_achillis/blog/item/629923fbef65cc19a9d311c7.html
大米牛的文章:
http://bbs.pediy.com/showthread.php?t=87741&prefixid=phpforce_38
不过他好像没放出code,所以意淫了下,失误之处请指正。
#include "ntifs.h"
unsigned char OrigCode[5];        // first 5 bytes of ExAllocatePoolWithTag, saved by inline_ExAllocatePoolWithTag before patching
ULONG OrigNtfsCreateFcb = NULL;   // address recovered by init_hook, stored as an integer (NULL is a pointer constant; 0 is the matching initializer)
/* Clears CR0.WP (bit 16) so that kernel-mode writes to read-only pages go
 * through, after disabling interrupts on the executing CPU with cli.
 * MSVC inline __asm, so x86-32 only. NOTE(review): only the CPU that runs
 * this is affected, and interrupts stay off until wpon(); nothing between the
 * two calls may fault or block. */
VOID wpoff()
{
__asm
{
cli
mov eax,cr0
and eax,not 10000h      // clear bit 16 = WP
mov cr0,eax
}
}
/* Counterpart of wpoff(): sets CR0.WP (bit 16) again and re-enables interrupts
 * on the executing CPU with sti. Unconditional — it does not restore the
 * previous interrupt state, it assumes wpoff() disabled interrupts. */
VOID wpon()
{
__asm
{
mov eax,cr0
or eax,10000h           // set bit 16 = WP
mov cr0,eax
sti
}
}
/* Placeholder replacement for NtfsCreateFcb: always reports success and never
 * forwards to the recovered original (OrigNtfsCreateFcb is an integer, not a
 * function pointer, and is not called here). Not referenced by any other code
 * on this page. */
NTSTATUS fake_NtfsCreateFcb()
{
NTSTATUS status;
status = STATUS_SUCCESS;
return status;
}
/* Called from the T_ExAllocatePoolWithTag trampoline, and only for an
 * allocation of 0x20 bytes tagged 7346744Eh (bytes 'N','t','F','s').
 * `ret` is the return address read one frame above the patched function
 * ([ebx+4] in the trampoline). Recovers the target of the CALL that ends
 * at `ret`, prints it, then writes OrigCode back so the patch is removed
 * after this first hit. */
VOID init_hook(ULONG ret)
{
ULONG pOrigNtfsCeateFcb = 0;    // unused
PULONG i = NULL;
ULONG n = 0;
i = (PULONG)(ret - 4);          // rel32 operand of a 5-byte E8 CALL ending at ret — assumed, not verified
n = *i;
n = 0xffffffff-n;               // bitwise NOT of rel32
// ret - 5 - n + 4 == ret - ~rel32 - 1 == ret + rel32 (mod 2^32): the CALL target.
OrigNtfsCreateFcb = ret - 5 - n + 4;
DbgPrint("NtfsCreateFcb = 0x%08x.\n",OrigNtfsCreateFcb);
// Restore the original 5 prologue bytes. NOTE(review): the 5-byte write is
// not atomic and nothing synchronises with other CPUs that may be executing
// ExAllocatePoolWithTag at this moment; wpoff/wpon only act on this CPU.
wpoff();
RtlCopyMemory(ExAllocatePoolWithTag,OrigCode,5);
wpon();
}
/* Detour target reached by the 5-byte JMP that inline_ExAllocatePoolWithTag
 * writes over ExAllocatePoolWithTag. Naked: no compiler prologue/epilogue.
 * The first three instructions re-execute the 5 bytes the JMP overwrote
 * (mov edi,edi / push ebp / mov ebp,esp, the hot-patch prologue); this only
 * works if ExAllocatePoolWithTag really begins with exactly that sequence —
 * the bytes saved in OrigCode are not consulted here. */
_declspec(naked)
PVOID
T_ExAllocatePoolWithTag(
IN POOL_TYPE PoolType,
IN SIZE_T NumberOfBytes,
IN ULONG Tag
)
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
mov eax,[ebp+0xc]       // NumberOfBytes
cmp eax,20h
jnz end
mov eax,[ebp+0x10]      // Tag; the bytes of 7346744Eh are 'N','t','F','s'
cmp eax,7346744Eh
jnz end
mov ebx,[ebp]           // saved ebp of the caller — assumes the caller keeps a standard ebp frame
mov eax,[ebx+4]         // the caller's own return address (one frame up)
push eax
call init_hook          // NOTE(review): ebx (callee-saved on x86) is clobbered above and not restored; the pushed argument is not popped here
end:
mov eax,ExAllocatePoolWithTag
add eax,5
jmp eax                 // resume the original body just past the patched bytes
}
}
/* Installs the detour: saves the first 5 bytes of ExAllocatePoolWithTag into
 * OrigCode, then overwrites them with `jmp rel32` (opcode E9) to
 * T_ExAllocatePoolWithTag. Only JmpCode[0] is set explicitly; the remaining
 * bytes are zero-initialised and filled in below. */
VOID inline_ExAllocatePoolWithTag()
{
unsigned char JmpCode[5] = { 0xe9 };
ULONG Jmpoffset = 0;
// rel32 is relative to the end of the 5-byte instruction, hence the -5.
Jmpoffset = (ULONG)((char*)T_ExAllocatePoolWithTag - (char*)ExAllocatePoolWithTag - 5);
RtlCopyMemory(JmpCode+1, &Jmpoffset, 4);
// NOTE(review): write protection is lifted on this CPU only (see wpoff) and the
// 5-byte write is not atomic, so another CPU can fetch a half-written instruction.
wpoff();
RtlCopyMemory(OrigCode,ExAllocatePoolWithTag,5);
RtlCopyMemory(ExAllocatePoolWithTag,JmpCode,5);
wpon();
}
/* Driver unload callback. Deliberately empty: the patch is only ever undone
 * inside init_hook, so if that path never ran the JMP into this driver's
 * image stays in place after unload (presumably a crash on the next call). */
VOID Unload(PDRIVER_OBJECT DriverObject)
{
(void)DriverObject;
}
/* Entry point: registers Unload, then installs the ExAllocatePoolWithTag
 * detour unconditionally and reports success. RegistryPath is unused. */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
(void)RegistryPath;
DriverObject->DriverUnload = Unload;
inline_ExAllocatePoolWithTag();
return STATUS_SUCCESS;
}