硬编码问题
发表于: 2010-3-2 20:37 3754

/*
 * Replacement for NtOpenProcess, installed through the SSDT.
 *
 * The function is __declspec(naked): the compiler emits no prolog/epilog, so
 * on entry the stack looks exactly as the real NtOpenProcess expects it.
 * After the debug print, the two pushes below replay the first 10 bytes of
 * the real NtOpenProcess prologue (push 0C4h / push <absolute address>, each
 * encoded as a 5-byte push imm32 since 0C4h does not fit a sign-extended
 * imm8) and then jump through JmpAddress, which presumably holds the address
 * of the real function's 11th byte -- confirm where JmpAddress is set.
 * Replaying the prologue here is what defeats an inline hook written over the
 * first bytes of the real function: those bytes are never executed in place.
 *
 * NOTE(review): 804eb0d8h is an absolute address inside one specific XP SP2
 * kernel build (presumably the SEH scope table of NtOpenProcess). Kernel
 * variants (ntoskrnl.exe / ntkrnlpa.exe / ntkrnlmp.exe) and hotfixed kernels
 * place it elsewhere; on any of them the wrong value is pushed and the system
 * crashes. That hard-coded operand is what this thread is about.
 * NOTE(review): calling DbgPrint from a naked function may clobber
 * EAX/ECX/EDX; harmless at function entry as long as nothing relies on them.
 */
__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId)
{
  DbgPrint("NtOpenProcess() called");
  __asm{
    push    0C4h
    push    804eb0d8h  // 10 bytes in total (two 5-byte push imm32)
    jmp     [JmpAddress]     
  }
}

如上,这是 SSDT Hook 用来对抗 inline hook 的其中一段代码。
我想问的是,其中的

    push    0C4h
    push    804eb0d8h

有什么办法可以让驱动程序在运行时自己获得这 10 个字节,而不需要用硬编码代替?硬编码的 804eb0d8h 只对一个特定的内核版本有效。
我的系统是 XP SP2。


最新回复 (5)
2
帮你顶起,等待高人回答
2010-3-2 21:08
3
有方法:先看这个函数是哪个模块导出的,然后自己从磁盘加载该模块的原始文件(而不是读内存里的代码——内存里的函数开头可能已经被别人 inline hook 过了),按内核实际的加载基址做重定位,再根据导出表找到 NtOpenProcess 原始代码所在的位置,读取开头的 10 个字节,放到你自己的函数里面。
注意这 10 个字节里 push 的是一个绝对地址,所以一定要先应用重定位,否则拿到的仍然是文件首选基址对应的值,和内存里真正的字节不一致。

怎么放进你的函数:可以自己申请一段(可执行的)内存,在里面生成你的函数代码,再把这 10 个字节填充到相应位置,后面接一条跳到原函数第 11 个字节的 jmp。
2010-3-2 22:01
4
看不懂~~帮你顶起来吧
2010-3-3 10:10
5
/*
 * Fragment (posted without its enclosing function): recover the first 10
 * bytes of the real NtOpenProcess from a clean, relocated copy of the kernel
 * image on disk, instead of hard-coding them. Reading the on-disk image --
 * rather than the live kernel -- is the point: the live prologue may already
 * carry someone else's inline hook.
 *
 * Steps: (1) find the running kernel's load address via
 * SystemModuleInformation, (2) open and map the kernel's image file as a
 * SEC_IMAGE section, (3) copy it into pool and apply the base relocations so
 * absolute operands match the running kernel, (4) look NtOpenProcess up in
 * the export table, (5) copy its first 10 bytes into CodeBuff and hand them
 * to MyNtProcessBorn.
 *
 * Everything other than CodeBuff (status, length, SysInfo, pSmi, kBase, kSize,
 * ob, pdte, hFile, IoStatusBlock, hSection, BaseAddress, size, mBase, ...) is
 * declared in the part that was not posted.
 */
UCHAR CodeBuff[10];
    /* First call only sizes the buffer and is expected to fail with
       STATUS_INFO_LENGTH_MISMATCH. NOTE(review): if it returns anything
       else, SysInfo is never allocated here but is still passed to the
       second call, whose status is not checked either. */
    status = ZwQuerySystemInformation(SystemModuleInformation,NULL,0,&length);
    if (status == STATUS_INFO_LENGTH_MISMATCH)
    {
        SysInfo = ExAllocatePool(NonPagedPool,length);
        if (NULL == SysInfo)
        {
            return;
        }
    }
    status = ZwQuerySystemInformation(SystemModuleInformation,SysInfo,length,&length);
    /* Skip the leading module count and take the first entry. On the XP
       systems this thread targets the first entry is normally the kernel
       image; NOTE(review): that is an assumption, not a guarantee -- better
       to match the entry by name. */
    pSmi = (PSYSTEM_MODULE_INFORMATION)((char*)SysInfo+4);
    kBase = (ULONG)(pSmi->Base);    /* address the live kernel is loaded at */
    kSize = (ULONG)(pSmi->Size);
 
 
    /* Open the kernel's image file. pdte->FullDllName must be the full path
       of the kernel file that is actually running (see the last reply). */
    InitializeObjectAttributes (
        &ob,
        &pdte->FullDllName,
        OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
        );
    /* NOTE(review): FILE_SYNCHRONOUS_IO_NONALERT requires SYNCHRONIZE in
       DesiredAccess; FILE_READ_ACCESS alone does not include it. None of the
       Zw* statuses below are checked before their results are used. */
    status = ZwOpenFile(
        &hFile,
        FILE_READ_ACCESS,
        &ob,
        &IoStatusBlock,
        FILE_SHARE_READ,
        FILE_SYNCHRONOUS_IO_NONALERT
       );
    ob.ObjectName = NULL;    /* reuse ob for an unnamed section */
    /* SEC_IMAGE: the file is mapped in PE layout (sections at their RVAs),
       so the header/RVA arithmetic below works directly on the mapping. */
    status =  ZwCreateSection(
        &hSection,
        SECTION_MAP_EXECUTE,
        &ob,
        0,
        PAGE_EXECUTE,
        SEC_IMAGE,
        hFile
        );
    size = 0;                /* ViewSize 0: map the whole image; set on return */
    /* NOTE(review): PAGE_READWRITE is requested on a section created with
       PAGE_EXECUTE; check the returned status instead of assuming BaseAddress
       is valid. 1000 is decimal here. */
    status =  ZwMapViewOfSection(
            hSection,
            NtCurrentProcess(),
            &BaseAddress,
            0,
            1000,
            0,
            &size,
            (SECTION_INHERIT)1,
            MEM_TOP_DOWN,
            PAGE_READWRITE
            );
    /* Private, writable copy of the mapped image so relocations can be
       applied without touching the mapping. NOTE(review): unchecked
       allocation of a whole kernel image (megabytes) from NonPagedPool; the
       buffer, the view and both handles are never released in this fragment. */
    mBase = ExAllocatePool (NonPagedPool, size);
 
    RtlCopyMemory (mBase, BaseAddress, size);      
         
    /* PE headers of the copy. No MZ/PE signature or e_lfanew bounds check --
       tolerable only because the input is the kernel's own image file. */
    DosHead = (PIMAGE_DOS_HEADER)mBase;
    NtHeads = (PIMAGE_NT_HEADERS)((ULONG)DosHead + DosHead->e_lfanew);
    ExportDir = (PIMAGE_EXPORT_DIRECTORY)((PUCHAR)mBase + NtHeads->OptionalHeader.DataDirectory[0].VirtualAddress);  /* [0] = export table */
    RelocDir = (PIMAGE_BASE_RELOCATION)((ULONG)mBase + NtHeads->OptionalHeader.DataDirectory[5].VirtualAddress);      /* [5] = base relocations */
    Name = mBase + ExportDir->AddressOfNames;           /* RVA table: export names */
    Ordinal = mBase + ExportDir->AddressOfNameOrdinals; /* RVA table: name -> ordinal */
    Function = mBase + ExportDir->AddressOfFunctions;   /* RVA table: ordinal -> code RVA */
 
    /* Rebase the copy from the preferred ImageBase to kBase, the address the
       live kernel runs at. This is what makes the copied prologue bytes
       (which embed an absolute address) identical to the real ones.
       NOTE(review): the != NULL test is always true (mBase + RVA); the right
       check is DataDirectory[5].VirtualAddress != 0. The walk stops only at
       an all-zero block and is not bounded by DataDirectory[5].Size. */
    if (RelocDir != NULL)
    {
        while (RelocDir->VirtualAddress != 0 || RelocDir->SizeOfBlock !=  0)
        {
            FixAddrBase = RelocDir->VirtualAddress + (ULONG)mBase;
            RelocSize = (RelocDir->SizeOfBlock - 8)/2;   /* 16-bit entries after the 8-byte block header */
            for ( i = 0; i < RelocSize; i++)
            {
                Temp = *(PUSHORT)((ULONG)RelocDir + sizeof (IMAGE_BASE_RELOCATION) + i * 2);
                if ( (Temp & 0xF000) == 0x3000)        /* IMAGE_REL_BASED_HIGHLOW only */
                {
                    Temp &= 0x0FFF;                    /* low 12 bits: offset within the page */
                    FixAddr = FixAddrBase + (ULONG)Temp;
                    *(PULONG)FixAddr = *(PULONG)FixAddr + (ULONG)kBase - (ULONG)NtHeads->OptionalHeader.ImageBase;
                }
            }
            RelocDir = (ULONG)RelocDir + RelocDir->SizeOfBlock;
        }
    }
 
 
 
    /* Export lookup by name. NOTE(review): `Base` is not defined anywhere in
       the posted code -- every other RVA here is resolved against mBase.
       `Flag` is likewise undefined, and if the name is never found, Address
       silently keeps the last export's RVA. */
    for (i = 0; i < ExportDir->NumberOfNames; i++)
    {
        SystemFunName = (PCHAR)(*(PULONG)(Name + i * 4) + (ULONG)Base);
        index = *((PUSHORT)(Ordinal + i * 2));
        Address = *((PULONG)(Function + index * 4));
        if (Flag == 0)
        {
            if (!stricmp ("NtOpenProcess", SystemFunName))
            {
                break;
            }
        }
    }
   
    /* 10 bytes = the two 5-byte push imm32 that open NtOpenProcess on this
       kernel (see MyNtOpenProcess). The length must end on an instruction
       boundary, because the trampoline appends a JMP right after these bytes.
       NOTE(review): `memcopy` is not a kernel API; memcpy/RtlCopyMemory is
       meant. */
    memcopy (CodeBuff, Address + mBase, 10);
    // At this point CodeBuff holds the original first 10 bytes of NtOpenProcess.
 
    MyNtOpenProcessAdddress = MyNtProcessBorn (CodeBuff);
 
    // Everything needed is in place; the SSDT hook can now be installed.
 
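 /*
  * Build the trampoline that replaces MyNtOpenProcess's hard-coded prologue.
  *
  * Layout of the returned buffer (15 bytes of NonPagedPool):
  *   [0..9]   the 10 prologue bytes of the real NtOpenProcess, as read from
  *            the relocated on-disk image (CodeBuff)
  *   [10]     E9                    JMP rel32
  *   [11..14] rel32 = target - (address of byte 15)
  *
  * CodeBuff: at least 10 bytes of prologue code ending on an instruction
  *           boundary.
  * Returns:  the trampoline address as ULONG (as the original did), or 0 if
  *           the pool allocation fails -- the caller must check for 0.
  *
  * Fixes relative to the posted version: the allocation result is checked,
  * the misspelled local (myntprocessaddress) and the undeclared `offset` are
  * replaced by declared locals, and the sizes are named constants.
  *
  * NOTE(review): realntopenprocessaddress is a global defined elsewhere. The
  * jump must land at the real function's entry + 10 (the byte after the
  * copied prologue), not at its entry; otherwise the two pushes execute twice
  * and the stack frame is wrong. Confirm how that global is set.
  * NOTE(review): executing from NonPagedPool relies on the pool being
  * executable, which holds on the XP x86 kernel this thread targets; newer
  * kernels mark pool NX.
  */
 ULONG  MyNtProcessBorn (PUCHAR CodeBuff)
 {
     enum { PROLOG_LEN = 10, JMP_LEN = 5 };   /* 10 copied bytes + E9 rel32 */
     PUCHAR Stub;
     PUCHAR RelPtr;
     ULONG  Offset;

     Stub = (PUCHAR)ExAllocatePool (NonPagedPool, PROLOG_LEN + JMP_LEN);
     if (Stub == NULL)
     {
         return 0;
     }

     /* Relocated prologue bytes first. */
     memcpy (Stub, CodeBuff, PROLOG_LEN);

     /* Then a JMP rel32 to the remainder of the real function. */
     Stub[PROLOG_LEN] = 0xE9;
     RelPtr = Stub + PROLOG_LEN + 1;
     /* rel32 is relative to the end of the JMP, i.e. RelPtr + 4. */
     Offset = (ULONG)realntopenprocessaddress - (ULONG)RelPtr - 4;
     *(PULONG)RelPtr = Offset;

     return (ULONG)Stub;
 }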
2010-3-4 17:10
6
哦,还少了源文件路径的定义:把 pdte->FullDllName 换成 NtOpenProcess 所在模块(也就是内核)原始文件的全路径就可以了。注意这个路径也不要写死成 ntoskrnl.exe——实际运行的内核文件可能是 ntkrnlpa.exe / ntkrnlmp.exe 等,最好从前面 SystemModuleInformation 返回的那条内核模块记录里取真实的镜像路径,否则又回到了硬编码的问题。
2010-3-4 17:16