能力值:
( LV2,RANK:10 )
|
-
-
3 楼
貌似你保存的10个字节的硬编码的代码有问题,压栈的两个参数肯定和你自己系统的内核上原来的不一样,想不蓝屏都难啊!
如果你的 NtOpenProcess 干净的话,你可以自己在调试器里看一下函数头。
|
能力值:
( LV5,RANK:60 )
|
-
-
4 楼
nt!RtlpBreakWithStatusInstruction:
804e4592 cc int 3
kd> g
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* *
* You are seeing this message because you pressed either *
* CTRL+C (if you run kd.exe) or, *
* CTRL+BREAK (if you run WinDBG), *
* on your debugger machine's keyboard. *
* *
* THIS IS NOT A BUG OR A SYSTEM CRASH *
* *
* If you did not intend to break into the debugger, press the "g" key, then *
* press the "Enter" key now. This message might immediately reappear. If it *
* does, press "g" and "Enter" again. *
* *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
804e4592 cc int 3
kd> bu SsdtHook!DriverEntry
kd> g
Breakpoint 1 hit
SsdtHook!DriverEntry:
fa0332e2 55 push ebp
kd> p
SsdtHook!DriverEntry+0x3:
fa0332e5 8b4508 mov eax,dword ptr [ebp+8]
kd> p
SsdtHook!DriverEntry+0xd:
fa0332ef 68d03203fa push offset SsdtHook!MyNtOpenProcess+0x39 (fa0332d0)
kd> p
**Unhooker load**SsdtHook!DriverEntry+0x1a:
fa0332fc e895000000 call SsdtHook!Hook (fa033396)
kd> t
SsdtHook!Hook:
fa033396 55 push ebp
kd> p
SsdtHook!Hook+0x4:
fa03339a a1043503fa mov eax,dword ptr [SsdtHook!KeServiceDescriptorTable (fa033504)]
kd> p
SsdtHook!Hook+0x14:
fa0333aa 8b55fc mov edx,dword ptr [ebp-4]
kd> dd KeServiceDescriptorTable
8055b220 804e36a8 00000000 0000011c 80511088
8055b230 00000000 00000000 00000000 00000000
8055b240 00000000 00000000 00000000 00000000
8055b250 00000000 00000000 00000000 00000000
8055b260 00002710 bf80c0b6 00000000 00000000
8055b270 f9f48a80 81bc8da8 81b010f0 80700f40
8055b280 00000000 00000000 00000000 00000000
8055b290 d9b348c0 01cad84c 00000000 00000000
kd> p
Address:0x804E3890SsdtHook!Hook+0x25:
fa0333bb 8b45fc mov eax,dword ptr [ebp-4]
kd> p
SsdtHook!Hook+0x30:
fa0333c6 8b15043603fa mov edx,dword ptr [SsdtHook!OldServiceAddress (fa033604)]
kd> u 805727c7
nt!NtOpenProcess:
805727c7 68c4000000 push 0C4h
805727cc 68d8b04e80 push offset nt!ObWatchHandles+0x25c (804eb0d8)
805727d1 e8650cf7ff call nt!_SEH_prolog (804e343b)
805727d6 33f6 xor esi,esi
805727d8 8975d4 mov dword ptr [ebp-2Ch],esi
805727db 33c0 xor eax,eax
805727dd 8d7dd8 lea edi,[ebp-28h]
805727e0 ab stos dword ptr es:[edi]
kd> p
OldServiceAddress:0x805727C7SsdtHook!Hook+0x44:
fa0333da 68973203fa push offset SsdtHook!MyNtOpenProcess (fa033297)
kd> p
MyNtOpenProcess:0xFA033297SsdtHook!Hook+0x56:
fa0333ec a1003503fa mov eax,dword ptr [SsdtHook!_imp__NtOpenProcess (fa033500)]
kd> p
SsdtHook!Hook+0x63:
fa0333f9 8b0d003603fa mov ecx,dword ptr [SsdtHook!JmpAddress (fa033600)]
kd> p
JmpAddress:0x805727D1SsdtHook!Hook+0x77:
fa03340d fa cli
kd> u 805727D1
nt!NtOpenProcess+0xa:
805727d1 e8650cf7ff call nt!_SEH_prolog (804e343b)
805727d6 33f6 xor esi,esi
805727d8 8975d4 mov dword ptr [ebp-2Ch],esi
805727db 33c0 xor eax,eax
805727dd 8d7dd8 lea edi,[ebp-28h]
805727e0 ab stos dword ptr es:[edi]
805727e1 64a124010000 mov eax,dword ptr fs:[00000124h]
805727e7 8a8040010000 mov al,byte ptr [eax+140h]
kd> 805727c7
^ Syntax error in '805727c7'
kd> u 805727c7
nt!NtOpenProcess:
805727c7 68c4000000 push 0C4h
805727cc 68d8b04e80 push offset nt!ObWatchHandles+0x25c (804eb0d8)
805727d1 e8650cf7ff call nt!_SEH_prolog (804e343b)
805727d6 33f6 xor esi,esi
805727d8 8975d4 mov dword ptr [ebp-2Ch],esi
805727db 33c0 xor eax,eax
805727dd 8d7dd8 lea edi,[ebp-28h]
805727e0 ab stos dword ptr es:[edi]
kd> u 805727c8
nt!NtOpenProcess+0x1:
805727c8 c400 les eax,fword ptr [eax]
805727ca 0000 add byte ptr [eax],al
805727cc 68d8b04e80 push offset nt!ObWatchHandles+0x25c (804eb0d8)
805727d1 e8650cf7ff call nt!_SEH_prolog (804e343b)
805727d6 33f6 xor esi,esi
805727d8 8975d4 mov dword ptr [ebp-2Ch],esi
805727db 33c0 xor eax,eax
805727dd 8d7dd8 lea edi,[ebp-28h]
kd> u 805727c9
nt!NtOpenProcess+0x2:
805727c9 0000 add byte ptr [eax],al
805727cb 0068d8 add byte ptr [eax-28h],ch
805727ce b04e mov al,4Eh
805727d0 80e865 sub al,65h
805727d3 0cf7 or al,0F7h
805727d5 ff33 push dword ptr [ebx]
805727d7 f6 ???
805727d8 8975d4 mov dword ptr [ebp-2Ch],esi
kd> u 805727cA
nt!NtOpenProcess+0x3:
805727ca 0000 add byte ptr [eax],al
805727cc 68d8b04e80 push offset nt!ObWatchHandles+0x25c (804eb0d8)
805727d1 e8650cf7ff call nt!_SEH_prolog (804e343b)
805727d6 33f6 xor esi,esi
805727d8 8975d4 mov dword ptr [ebp-2Ch],esi
805727db 33c0 xor eax,eax
805727dd 8d7dd8 lea edi,[ebp-28h]
805727e0 ab stos dword ptr es:[edi]
kd> u 805727D1
nt!NtOpenProcess+0xa:
805727d1 e8650cf7ff call nt!_SEH_prolog (804e343b)
805727d6 33f6 xor esi,esi
805727d8 8975d4 mov dword ptr [ebp-2Ch],esi
805727db 33c0 xor eax,eax
805727dd 8d7dd8 lea edi,[ebp-28h]
805727e0 ab stos dword ptr es:[edi]
805727e1 64a124010000 mov eax,dword ptr fs:[00000124h]
805727e7 8a8040010000 mov al,byte ptr [eax+140h]
kd> p
SsdtHook!Hook+0x78:
fa03340e 0f20c0 mov eax,cr0
kd> p
SsdtHook!Hook+0x7b:
fa033411 25fffffeff and eax,0FFFEFFFFh
kd> p
SsdtHook!Hook+0x80:
fa033416 0f22c0 mov cr0,eax
kd> p
SsdtHook!Hook+0x83:
fa033419 8b55fc mov edx,dword ptr [ebp-4]
kd> p
SsdtHook!Hook+0x8c:
fa033422 0f20c0 mov eax,cr0
kd> r edx
edx=804e3890
kd> u 804e3890
nt!KiServiceTable+0x1e8:
804e3890 97 xchg eax,edi
804e3891 3203 xor al,byte ptr [ebx]
804e3893 fa cli
804e3894 f5 cmc
804e3895 ee out dx,al
804e3896 56 push esi
804e3897 80eef0 sub dh,0F0h
804e389a 56 push esi
kd> p
SsdtHook!Hook+0x8f:
fa033425 0d00000100 or eax,10000h
kd> p
SsdtHook!Hook+0x94:
fa03342a 0f22c0 mov cr0,eax
kd> p
SsdtHook!Hook+0x97:
fa03342d fb sti
kd> p
SsdtHook!Hook+0x98:
fa03342e 8be5 mov esp,ebp
kd> p
SsdtHook!DriverEntry+0x1f:
fa033301 33c0 xor eax,eax
kd> p
SsdtHook!DriverEntry+0x21:
fa033303 5d pop ebp
kd> p
nt!IopLoadDriver+0x66d:
805a499d 3bc3 cmp eax,ebx
kd> p
nt!IopLoadDriver+0x66f:
805a499f 8b8d68ffffff mov ecx,dword ptr [ebp-98h]
kd> p
nt!IopLoadDriver+0x675:
805a49a5 8945ac mov dword ptr [ebp-54h],eax
kd> p
nt!IopLoadDriver+0x678:
805a49a8 8901 mov dword ptr [ecx],eax
kd> p
nt!IopLoadDriver+0x67a:
805a49aa 0f8c3d420400 jl nt!IopLoadDriver+0x67c (805e8bed)
kd> p
nt!IopLoadDriver+0x683:
805a49b0 895da0 mov dword ptr [ebp-60h],ebx
kd> p
nt!IopLoadDriver+0x686:
805a49b3 8b45a0 mov eax,dword ptr [ebp-60h]
kd> p
nt!IopLoadDriver+0x689:
805a49b6 8d448738 lea eax,[edi+eax*4+38h]
kd> p
nt!IopLoadDriver+0x68d:
805a49ba 3918 cmp dword ptr [eax],ebx
kd> p
nt!IopLoadDriver+0x68f:
805a49bc 0f8437420400 je nt!IopLoadDriver+0x691 (805e8bf9)
kd> p
nt!IopLoadDriver+0x697:
805a49c2 ff45a0 inc dword ptr [ebp-60h]
kd> p
nt!IopLoadDriver+0x69a:
805a49c5 837da01b cmp dword ptr [ebp-60h],1Bh
kd> p
nt!IopLoadDriver+0x69e:
805a49c9 76e8 jbe nt!IopLoadDriver+0x686 (805a49b3)
kd> p
nt!IopLoadDriver+0x686:
805a49b3 8b45a0 mov eax,dword ptr [ebp-60h]
kd> p
nt!IopLoadDriver+0x689:
805a49b6 8d448738 lea eax,[edi+eax*4+38h]
kd> p
nt!IopLoadDriver+0x68d:
805a49ba 3918 cmp dword ptr [eax],ebx
kd> p
nt!IopLoadDriver+0x68f:
805a49bc 0f8437420400 je nt!IopLoadDriver+0x691 (805e8bf9)
kd> p
nt!IopLoadDriver+0x697:
805a49c2 ff45a0 inc dword ptr [ebp-60h]
kd> p
nt!IopLoadDriver+0x69a:
805a49c5 837da01b cmp dword ptr [ebp-60h],1Bh
kd> p
nt!IopLoadDriver+0x69e:
805a49c9 76e8 jbe nt!IopLoadDriver+0x686 (805a49b3)
kd> p
nt!IopLoadDriver+0x686:
805a49b3 8b45a0 mov eax,dword ptr [ebp-60h]
kd> p
nt!IopLoadDriver+0x689:
805a49b6 8d448738 lea eax,[edi+eax*4+38h]
kd> p
nt!IopLoadDriver+0x68d:
805a49ba 3918 cmp dword ptr [eax],ebx
kd> p
nt!IopLoadDriver+0x68f:
805a49bc 0f8437420400 je nt!IopLoadDriver+0x691 (805e8bf9)
kd> p
nt!IopLoadDriver+0x697:
805a49c2 ff45a0 inc dword ptr [ebp-60h]
kd> p
nt!IopLoadDriver+0x69a:
805a49c5 837da01b cmp dword ptr [ebp-60h],1Bh
kd> p
nt!IopLoadDriver+0x69e:
805a49c9 76e8 jbe nt!IopLoadDriver+0x686 (805a49b3)
kd> p
nt!IopLoadDriver+0x686:
805a49b3 8b45a0 mov eax,dword ptr [ebp-60h]
kd> g
Breakpoint 0 hit
SsdtHook!MyNtOpenProcess:
fa033297 55 push ebp
kd> p
SsdtHook!MyNtOpenProcess+0x7:
fa03329e c745fc220000c0 mov dword ptr [ebp-4],0C0000022h
kd> p
SsdtHook!MyNtOpenProcess+0xe:
fa0332a5 60 pushad
kd> p
SsdtHook!MyNtOpenProcess+0xf:
fa0332a6 837d0800 cmp dword ptr [ebp+8],0
kd> p
SsdtHook!MyNtOpenProcess+0x15:
fa0332ac 68803203fa push offset SsdtHook!MyNtOpenProcess+0xffffffff`ffffffe9 (fa033280)
kd> p
NtOpenProcess() calledSsdtHook!MyNtOpenProcess+0x22:
fa0332b9 61 popad
kd> u MyNtOpenProcess
SsdtHook!MyNtOpenProcess [e:\vc\驱动相关\驱动hook\hooknt~2\hook.c @ 25]:
fa033297 55 push ebp
fa033298 8bec mov ebp,esp
fa03329a 51 push ecx
fa03329b 53 push ebx
fa03329c 56 push esi
fa03329d 57 push edi
fa03329e c745fc220000c0 mov dword ptr [ebp-4],0C0000022h
fa0332a5 60 pushad
kd> u MyNtOpenProcess+100
SsdtHook!Hook+0x1 [e:\vc\驱动相关\驱动hook\hooknt~2\hook.c @ 71]:
fa033397 8bec mov ebp,esp
fa033399 51 push ecx
fa03339a a1043503fa mov eax,dword ptr [SsdtHook!KeServiceDescriptorTable (fa033504)]
fa03339f 8b08 mov ecx,dword ptr [eax]
fa0333a1 81c1e8010000 add ecx,1E8h
fa0333a7 894dfc mov dword ptr [ebp-4],ecx
fa0333aa 8b55fc mov edx,dword ptr [ebp-4]
fa0333ad 52 push edx
kd> u MyNtOpenProcess+10
SsdtHook!MyNtOpenProcess+0x10 [e:\vc\驱动相关\驱动hook\hooknt~2\hook.c @ 30]:
fa0332a7 7d08 jge SsdtHook!MyNtOpenProcess+0x1a (fa0332b1)
fa0332a9 00741468 add byte ptr [esp+edx+68h],dh
fa0332ad 803203 xor byte ptr [edx],3
fa0332b0 fa cli
fa0332b1 e8e8010000 call SsdtHook!DbgPrint (fa03349e)
fa0332b6 83c404 add esp,4
fa0332b9 61 popad
fa0332ba 8b45fc mov eax,dword ptr [ebp-4]
kd> u MyNtOpenProcess*10
a0332970 ?? ???
^ Memory access error in 'u MyNtOpenProcess*10'
kd> u MyNtOpenProcess
SsdtHook!MyNtOpenProcess [e:\vc\驱动相关\驱动hook\hooknt~2\hook.c @ 25]:
fa033297 55 push ebp
fa033298 8bec mov ebp,esp
fa03329a 51 push ecx
fa03329b 53 push ebx
fa03329c 56 push esi
fa03329d 57 push edi
fa03329e c745fc220000c0 mov dword ptr [ebp-4],0C0000022h
fa0332a5 60 pushad
kd> p
SsdtHook!MyNtOpenProcess+0x23:
fa0332ba 8b45fc mov eax,dword ptr [ebp-4]
kd> p
Breakpoint 0 hit
SsdtHook!MyNtOpenProcess:
fa033297 55 push ebp
kd> p
SsdtHook!MyNtOpenProcess+0x26:
fa0332bd c21000 ret 10h
kd> p
f7fbfd64 40 inc eax
kd> p
SsdtHook!MyNtOpenProcess+0x4:
fa03329b 53 push ebx
kd> p
f7fbfd65 fecb dec bl
kd> p
f7fbfd67 00f4 add ah,dh
kd> p
SsdtHook!MyNtOpenProcess+0x6:
fa03329d 57 push edi
kd> p
SsdtHook!MyNtOpenProcess+0x7:
fa03329e c745fc220000c0 mov dword ptr [ebp-4],0C0000022h
kd> p
f7fbfd69 e492 in al,92h
kd> p
f7fbfd6b 7c00 jl f7fbfd6d
kd> p
SsdtHook!MyNtOpenProcess+0xe:
fa0332a5 60 pushad
kd> p
SsdtHook!MyNtOpenProcess+0xf:
fa0332a6 837d0800 cmp dword ptr [ebp+8],0
kd> p
f7fbfd6d 0ddbbafcfd or eax,0FDFCBADBh
kd> p
f7fbfd72 cb retf
kd> p
SsdtHook!MyNtOpenProcess+0x13:
fa0332aa 7414 je SsdtHook!MyNtOpenProcess+0x29 (fa0332c0)
kd> p
SsdtHook!MyNtOpenProcess+0x15:
fa0332ac 68803203fa push offset SsdtHook!MyNtOpenProcess+0xffffffff`ffffffe9 (fa033280)
kd> p
*** Fatal System Error: 0x0000007f
(0x0000000D,0x00000000,0x00000000,0x00000000)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.调试过程如上
|
能力值:
( LV2,RANK:10 )
|
-
-
5 楼
看过了你上面的帖子,原始的函数头为:
nt!NtOpenProcess:
805727c7 68c4000000 push 0C4h
805727cc 68d8b04e80 push offset nt!ObWatchHandles+0x25c (804eb0d8)
那段内联汇编改为:
__asm{
push 0C4h
push 804eb0d8
jmp [JmpAddress]
}
这样就解决了蓝屏的问题,但这还是硬编码 
|
能力值:
( LV2,RANK:10 )
|
-
-
8 楼
这个错了:
JmpAddress = (ULONG)NtOpenProcess + 10;
jmp [距离]
距离 = MyNtOpenProcess + { DbgPrint(...) + ... + jmp } - (NtOpenProcess + 10);
|
能力值:
( LV2,RANK:10 )
|
-
-
11 楼
楼主说的对,我搞错了!我在 Windows XP SP2 指行楼主的驱动,没有蓝屏。
jmp 有两种:
Direct jump: 0xFF 0x25 0 0 0 0
Relative jump: 0xE9 0 0 0 0
楼主的情形是 direct jump. 我指的是 relative jump.
wonderu说的对:
__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
DbgPrint("NtOpenProcess() called");
__asm{
push 0C4h
push 804eb560h // <-- 是这个的问题!
jmp [JmpAddress]
}
}
|
