
某某的apc主动防御逆向分析

;-----------------------------------------------------------------------
; nt!KeInitializeApc (x86 Windows kernel, stdcall) as it looks with the
; inline hook installed.  Arguments, per the stack layout given after this
; listing (4-byte slots above the saved ebp / return address):
;   [ebp+8]   Apc              [ebp+0Ch] Thread         [ebp+10h] TargetEnvironment
;   [ebp+14h] KernelRoutine    [ebp+18h] RundownRoutine [ebp+1Ch] NormalRoutine
;   [ebp+20h] Mode             [ebp+24h] Context
; Register roles while the hook runs: eax = Apc, ecx = Thread, dl = the
; value that ends up in Apc->ApcStateIndex.  The handler returns with
; ecx = KernelRoutine, which the displaced instruction would have left.
;-----------------------------------------------------------------------
nt!KeInitializeApc:                               ;
mov     edi,edi                                   ;2-byte no-op prologue
push    ebp                                       ;
mov     ebp,esp                                   ;
mov     eax,dword ptr [ebp+8]                     ;[ebp+8]: Apc
mov     edx,dword ptr [ebp+10h]                   ;[ebp+10h]: TargetEnvironment
cmp     edx,2                                     ;2 == CurrentApcEnvironment
mov     ecx,dword ptr [ebp+0Ch]                   ;[ebp+0Ch]: Thread
mov     word ptr [eax],12h                        ;Apc->Type = 0x12
mov     word ptr [eax+2],30h                      ;Apc->Size = 0x30
jne     nt!KeInitializeApc+0x24 (804fd3c2)        ;if TargetEnvironment != CurrentApcEnvironment skip the next load (dl keeps the low byte of TargetEnvironment); +0x24 is the hook's nop, so the hook fires on both paths
mov     dl,byte ptr [ecx+165h]                    ;[ecx+165h]: Thread->ApcStateIndex, the thread's current APC environment index
---------------------------------------------------
[COLOR="Blue"]nop                                               ;inline hook: these 6 bytes at +0x24 presumably replace the displaced `mov [eax+8],ecx` / `mov ecx,[ebp+14h]` (replayed inside the handler); only Apc->Thread is reworked
call    xyz12345+0x333c (ba27b33c)                ;hook handler (listed below under b2a7033c; the two addresses on this page differ, likely a transcription slip)[/COLOR]
---------------------------------------------------
mov     dword ptr [eax+14h],ecx			  ;Apc->KernelRoutine = ecx (the handler returns with ecx = KernelRoutine)
mov     ecx,dword ptr [ebp+18h]                   ;[ebp+18h]: RundownRoutine (per the stack layout)
mov     byte ptr [eax+2Ch],dl                     ;Apc->ApcStateIndex = dl
mov     dword ptr [eax+18h],ecx                   ;Apc->RundownRoutine = RundownRoutine
mov     ecx,dword ptr [ebp+1Ch]                   ;[ebp+1Ch]: NormalRoutine
xor     edx,edx                                   ;edx = 0
cmp     ecx,edx                                   ;NormalRoutine == NULL ?
mov     dword ptr [eax+1Ch],ecx                   ;Apc->NormalRoutine = NormalRoutine
je      nt!KeInitializeApc+0x50 (804fbaa6)        ;no NormalRoutine (special kernel APC): skip the mode copy; the rest of the function is outside this listing
mov     cl,byte ptr [ebp+20h]                     ;[ebp+20h]: Mode (ProcessorMode)
mov     byte ptr [eax+2Dh],cl                     ;Apc->ProcessorMode = Mode
--------------------------------------------------;
在进入处理函数之前,堆栈空间内容(高地址在上):
|Context            |
|Mode               |
|NormalRoutine      |
|RundownRoutine     |
|KernelRoutine      |
|TargetEnvironment  |
|Thread             |
|Apc                |
|KeInitializeApc.Ret|
|KeInitializeApc.Ebp|


;-----------------------------------------------------------------------
; Inline-hook handler, entered by the call at KeInitializeApc+0x25.
; It opens no frame of its own: ebp is still KeInitializeApc's, so every
; [ebp+N] below reads one of KeInitializeApc's arguments (layout above),
; [ebp+4] is KeInitializeApc's own return address, and on entry
; eax = Apc, ecx = Thread.  pusha/pushf keep the caller's registers and
; flags intact.  Both exits replay the displaced `mov [eax+8],ecx` /
; `mov ecx,[ebp+14h]`; the redirect exit substitutes Object for ecx first.
;-----------------------------------------------------------------------
b2a7033c:                                        ;handler label (the call in KeInitializeApc names ba27b33c; the two addresses on this page differ)
mov     edi, edi                                  ;
pusha                                             ;save caller registers (eax = Apc, ecx = Thread)
pushf                                             ;save flags
lock inc dword_16AC0                              ;atomic in-use counter (SMP-safe); decremented on every exit path below
mov     eax, dword_16B44                          ;dword_16B44: PsExitSpecialApc address as learned below; 0 until learned
test    eax, eax                                  ;
jnz     short loc_1338A                           ;already learned -> decision path
mov     ebx, [ebp+14h]                            ;[ebp+14h]: KernelRoutine
mov     ecx, [ebp+20h]                            ;[ebp+20h]: labelled NormalRoutine by the author, but per the stack layout and KeInitializeApc (`mov cl,[ebp+20h]` -> Apc->ProcessorMode) this slot is Mode; NormalRoutine is [ebp+1Ch] -- confirm
mov     edx, [ebp+10h]                            ;[ebp+10h]: TargetEnvironment
mov     esi, [ebp+0Ch]                            ;[ebp+0Ch]: Thread
mov     eax, Object                               ;Object: ETHREAD pointer of the process's thread (author's label; presumably the thread being protected -- confirm)
cmp     eax, esi                                  ;
jnz     short loc_133B5                           ;jump if Thread is not the thread Object refers to
test    ecx, ecx                                  ;
jnz     short loc_133B5                           ;jump if the [ebp+20h] value is non-zero (NormalRoutine != NULL per the author; Mode != KernelMode if the slot is Mode)
test    edx, edx                                  ;
jnz     short loc_133B5                           ;jump if TargetEnvironment != OriginalApcEnvironment (0)
mov     edi, dword_16A7C                          ;dword_16A7C: base of the ntoskrnl.exe image
cmp     ebx, edi                                  ;
jb      short loc_133B5                           ;jump if KernelRoutine < base (unsigned compare)
mov     eax, dword_16AA0                          ;dword_16AA0: size of the ntoskrnl.exe image
add     edi, eax                                  ;edi = base + size
cmp     ebx, edi                                  ;
jg      short loc_133B5                           ;jump if KernelRoutine > base + size; note the signed jg after the unsigned jb, and that KernelRoutine == base + size (one past the image) is not rejected
mov     dword_16B44, ebx                          ;record this KernelRoutine as PsExitSpecialApc (author's inference: the first ntoskrnl routine queued this way to Object is taken to be the exit APC)
jmp     short loc_133B5                           ;pass the APC through unchanged this time
--------------------------------------------------;
                                                  ;
.text:0001338A loc_1338A:                         ;PsExitSpecialApc address already known
mov     eax, [ebp+0Ch]                            ;[ebp+0Ch]: Thread
push    eax                                       ;
mov     eax, [ebp+14h]                            ;[ebp+14h]: KernelRoutine
push    eax                                       ;
mov     eax, [ebp+4]                              ;[ebp+4]: KeInitializeApc's return address (its caller)
push    eax                                       ;
[COLOR="Green"]call    sub_130A4                                 ;decision routine (Thread, KernelRoutine, return address) -> al; nothing here pops the three arguments, so presumably sub_130A4 is stdcall -- confirm
[/COLOR]test    al, al                                    ;
jz      short loc_133B5                           ;al == 0: leave the APC alone
popf                                              ;
popa                                              ;registers restored: eax = Apc, ecx = Thread again
[COLOR="red"]mov     ecx, Object                               ;redirect exit: substitute Object for the caller's Thread
mov     [eax+8], ecx                              ;Apc->Thread = Object (displaced instruction, with ecx swapped)
mov     ecx, [ebp+14h]                            ;ecx = KernelRoutine (second displaced instruction)[/COLOR]
lock dec dword_16AC0                              ;release in-use counter
retn                                              ;back to KeInitializeApc+0x2A
-----------------------------                     ;
.text:000133B5 loc_133B5:                         ;pass-through exit: replay the displaced instructions unchanged
popf                                              ;
popa                                              ;eax = Apc, ecx = Thread
[COLOR="red"]mov     [eax+8], ecx                              ;Apc->Thread = Thread (as the original code did)
mov     ecx, [ebp+14h]                            ;ecx = KernelRoutine[/COLOR]
lock dec dword_16AC0                              ;release in-use counter
retn                                              ;back to KeInitializeApc+0x2A


上面的仅仅是冰山一角啊
ntkrnlpa.exe:CcFastMdlReadWait:805510c0 has been inline-hooked!
ntkrnlpa.exe:CcFastReadNotPossible:805510c8 has been inline-hooked!
ntkrnlpa.exe:CcFastReadWait:805510d0 has been inline-hooked!
ntkrnlpa.exe:ExDesktopObjectType:8055c53c has been inline-hooked!
。。。。
ntkrnlpa.exe:HalPrivateDispatchTable:80546910 has been inline-hooked!
ntkrnlpa.exe:InitSafeBootMode:80552380 has been inline-hooked!
ntkrnlpa.exe:IoAdapterObjectType:80552870 has been inline-hooked!
ntkrnlpa.exe:IoDeviceHandlerObjectSize:80552854 has been inline-hooked!
ntkrnlpa.exe:IoDeviceHandlerObjectType:8055285c has been inline-hooked!
ntkrnlpa.exe:IoDeviceObjectType:80552864 has been inline-hooked!
ntkrnlpa.exe:IoDriverObjectType:80552860 has been inline-hooked!
ntkrnlpa.exe:IoFileObjectType:80552858 has been inline-hooked!
ntkrnlpa.exe:IoReadOperationCount:80552850 has been inline-hooked!
ntkrnlpa.exe:IoReadTransferCount:80552840 has been inline-hooked!
ntkrnlpa.exe:IoReportHalResourceUsage:8068a1c8 has been inline-hooked!
ntkrnlpa.exe:IoWriteOperationCount:8055284c has been inline-hooked!
ntkrnlpa.exe:IoWriteTransferCount:80552838 has been inline-hooked!
ntkrnlpa.exe:KdDebuggerEnabled:8054d541 has been inline-hooked!
ntkrnlpa.exe:KdDebuggerNotPresent:8054d540 has been inline-hooked!
ntkrnlpa.exe:KdEnteredDebugger:8054d544 has been inline-hooked!
ntkrnlpa.exe:KeDcacheFlushCount:8054d554 has been inline-hooked!
。。。。。
ntkrnlpa.exe:KeSetProfileIrql:80690b64 has been inline-hooked!
ntkrnlpa.exe:KeTickCount:8054be20 has been inline-hooked!
ntkrnlpa.exe:KiEnableTimerWatchdog:8054d578 has been inline-hooked!
ntkrnlpa.exe:LpcPortObjectType:80554a08 has been inline-hooked!
ntkrnlpa.exe:Mm64BitPhysicalAddress:805594c4 has been inline-hooked!
ntkrnlpa.exe:MmHighestUserAddress:80559a5c has been inline-hooked!
ntkrnlpa.exe:MmSectionObjectType:805597c0 has been inline-hooked!
ntkrnlpa.exe:MmSystemRangeStart:80559a58 has been inline-hooked!
ntkrnlpa.exe:MmUserProbeAddress:80559a54 has been inline-hooked!
ntkrnlpa.exe:NlsAnsiCodePage:80670df8 has been inline-hooked!
ntkrnlpa.exe:NlsMbCodePageTag:80670e10 has been inline-hooked!
ntkrnlpa.exe:NlsMbOemCodePageTag:80671028 has been inline-hooked!
ntkrnlpa.exe:NlsOemCodePage:80670dfc has been inline-hooked!
ntkrnlpa.exe:NtGlobalFlag:805522ec has been inline-hooked!
ntkrnlpa.exe:PsInitialSystemProcess:8055b2d4 has been inline-hooked!
ntkrnlpa.exe:PsJobType:8055b260 has been inline-hooked!
ntkrnlpa.exe:PsProcessType:8055b2d8 has been inline-hooked!
ntkrnlpa.exe:PsThreadType:8055b2dc has been inline-hooked!
ntkrnlpa.exe:RtlPrefetchMemoryNonTemporal:80543364 has been inline-hooked!
ntkrnlpa.exe:SeExports:80671674 has been inline-hooked!
ntkrnlpa.exe:SePublicDefaultDacl:8067156c has been inline-hooked!
ntkrnlpa.exe:SeSystemDefaultDacl:8067157c has been inline-hooked!
ntkrnlpa.exe:SeTokenObjectType:80671804 has been inline-hooked!
hal.dll:HalAllProcessorsStarted:806ee560 has been inline-hooked!
hal.dll:HalInitSystem:806ee0b8 has been inline-hooked!
hal.dll:HalReportResourceUsage:806ee5d6 has been inline-hooked!
hal.dll:KdComPortInUse:806de780 has been inline-hooked!
USBD.SYS:USBD_RegisterHcDeviceCapabilities:f8bb23f0 has been
是你的INLINE扫描程序有问题。。全部都是全局变量。。。。囧
感谢楼上发现了这个问题