[求助]Inline Hook PspTerminateThreadByPointer失败-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]Inline Hook PspTerminateThreadByPointer失败

发表于: 2010-7-16 14:56 6342

[求助]Inline Hook PspTerminateThreadByPointer失败

wujimaa

2010-7-16 14:56

6342

不知道在哪出错，ＶＭware测试蓝屏．我认为可能是T_PspTerminateThreadByPointer函数中堆栈没处理好，谁懂的帮我指出来．主要是调用InlineHookPspTerminateThreadByPointer()之后就蓝屏．谢了．

#include <ntddk.h>
#include "InlineHook.h"

typedef NTSTATUS
(*PSPTERMINATETHREADBYPOINTER)(
IN PETHREAD Thread,
IN NTSTATUS ExitStatus,
IN BOOLEAN DirectTerminate
);

PSPTERMINATETHREADBYPOINTER PspTerminateThreadByPointerAddr;

//获取PspTerminateThreadByPointer地址
PVOID GetUnDocFunAddr()
{
ULONG size,index;
PULONG buf;
ULONG i;
PSYSTEM_MODULE_INFORMATION module;
PVOID driverAddress;
ULONG ntosknlBase;
ULONG ntosknlEndAddr;
ULONG curAddr;
NTSTATUS status;
ULONG retAddr=0;

ULONG code1_2003=0x8b55ff8b,code2_2003=0x575653ec,code3_2003=0x8d087d8b,code4_2003=0x4006f600;

ZwQuerySystemInformation(SystemModuleInformation,&size,0,&size);

buf=(PULONG)ExAllocatePool(PagedPool,size);

if(buf==NULL)
{
DbgPrint("failed alloc memory failed \n");
      return 0;
}

status=ZwQuerySystemInformation(SystemModuleInformation,buf, size ,0);

if(!NT_SUCCESS(status))
{
DbgPrint("failed query\n");
return 0;
}

module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1);
ntosknlEndAddr=(ULONG)module->Base+(ULONG)module->Size;
ntosknlBase=(ULONG)module->Base;
curAddr=ntosknlBase;

ExFreePool(buf);

for( i=curAddr;i<ntosknlEndAddr;i++)
{
if ((*((ULONG *)i)==code1_2003)
&&(*((ULONG *)(i+4))==code2_2003)
&&(*((ULONG *)(i+8))==code3_2003)
&&(*((ULONG*)(i+16))==code4_2003))
{
retAddr=i;
DbgPrint("address is 0x%x\n",retAddr);
return (PVOID)retAddr;
}

}

return (PVOID)retAddr;
}

//测试PspTerminateThreadByPointer()有没有被ＨＯＯk过
NTSTATUS CheckPspTerminateThreadByPointerIsHook()
{
int i=0;
char *addr = (char *)PspTerminateThreadByPointerAddr;
char code[] = { 0x8b, 0xff, 0x55, 0x8b, 0xec};
while(i<5){

DbgPrint(" - 0x%02X ",(unsigned char)addr[i]);
if(addr[i] != code[i])
{
return STATUS_UNSUCCESSFUL;
}
i++;
}
return STATUS_SUCCESS;
}

VOID MyPspTerminateThreadByPointer(PETHREAD Thread,PEPROCESS Process, NTSTATUS ExitStatus)
{
DbgPrint("PspTerminateProcess hello\n");

}

_declspec(naked) T_PspTerminateThreadByPointer( PETHREAD Thread,
   PEPROCESS Process,
   NTSTATUS ExitStatus )
{

_asm{
      mov edi, edi
push  ebp
mov ebp ,esp
push [ebp+10h]
push [ebp+0ch]
push [ebp+8]
call MyPspTerminateThreadByPointer
mov eax,PspTerminateThreadByPointerAddr
add eax,5
jmp eax

}
}

//Inline Hook 函数
VOID InlineHookPspTerminateThreadByPointer()
{
int JmpOffSet;
unsigned char JmpCode[5]={0x9e,0x00,0x00,0x00,0x00};

KIRQL oldrql;

if(PspTerminateThreadByPointerAddr==0)
{
DbgPrint("PspTerminateThreadByPointer NOT FOUND!\n");
return;
}

DbgPrint("PspTerminateThreadByPointer is found in 0x%08x",(ULONG)PspTerminateThreadByPointerAddr);
DbgPrint("T_PspTerminateThreadByPointer is:%x\n",T_PspTerminateThreadByPointer);

JmpOffSet=(char*)T_PspTerminateThreadByPointer-(char*)PspTerminateThreadByPointerAddr-5;

DbgPrint("JmpOffSet Address is %x\n",JmpOffSet);

RtlCopyMemory(JmpCode+1,&JmpOffSet,4);

_asm{
CLI
mov EAX, CR0
and EAX, not 10000H
mov CR0, EAX
}

oldrql = KeRaiseIrqlToDpcLevel();

RtlCopyMemory(PspTerminateThreadByPointerAddr,JmpCode,5);
DbgPrint("hook now \n");
KeLowerIrql(oldrql);

_asm{
      MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}

}

VOID OnUnLoad(IN PDRIVER_OBJECT pDriverObject)
{
unsigned char Code[5]={0x8b,0xff,0x55,0x8b,0xec};

_asm
{
      CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax

pushad
mov edi, PspTerminateThreadByPointerAddr
mov eax, dword ptr Code[0]
mov [edi], eax
mov al, byte ptr Code[4]
mov [edi+4], al
popad

MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
DbgPrint("Unload called\n!");

}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegisterPath)
{
PspTerminateThreadByPointerAddr=GetUnDocFunAddr();

if(STATUS_SUCCESS != CheckPspTerminateThreadByPointerIsHook())
{
DbgPrint("PspTerminateProcess Match Failed !");
return STATUS_UNSUCCESSFUL;
}
      //Inline Hook开始

InlineHookPspTerminateThreadByPointer();
pDriverObject->DriverUnload=OnUnLoad;
return STATUS_SUCCESS;
}

[课程]Android-CTF解题方法汇总！

收藏・0

免费・0

支持

最新回复 (8)
wujimaa 雪币： 364 活跃值： (1586) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 166 粉丝 1 关注私信	wujimaa 1 2 楼蓝屏日志,不懂分析．谁懂指点一下．让我们学习一下． kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 809443a6, The address that the exception occurred at Arg3: f698ecbc, Trap Frame Arg4: 00000000 Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx" FAULTING_IP: nt!PspTerminateThreadByPointer+8 809443a6 8b7d08 mov edi,dword ptr [ebp+8] TRAP_FRAME: f698ecbc -- (.trap 0xfffffffff698ecbc) ErrCode = 00000000 eax=809446ca ebx=8ed75630 ecx=00000000 edx=0114ffa8 esi=8ea005e8 edi=00000000 eip=809443a6 esp=f698ed30 ebp=565376ec iopl=0 nv up ei pl zr ac pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010256 nt!PspTerminateThreadByPointer+0x8: 809443a6 8b7d08 mov edi,dword ptr [ebp+8] ss:0010:565376f4=???????? Resetting default scope CUSTOMER_CRASH_COUNT: 8 DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP BUGCHECK_STR: 0x8E CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from 80883908 to 809443a6 STACK_TEXT: f698ed54 80883908 00000000 00000000 0114ffb8 nt!PspTerminateThreadByPointer+0x8 f698ed54 7c9585ec 00000000 00000000 0114ffb8 nt!KiFastCallEntry+0xf8 WARNING: Frame IP not in any known module. Following frames may be wrong. 0114ff9c 7c957c2b 7c80f932 00000000 00000000 0x7c9585ec 0114ffb8 7c82482f 00000000 00000000 00000000 0x7c957c2b 0114ffec 00000000 77c4b0f5 0061f378 00000000 0x7c82482f STACK_COMMAND: kb FOLLOWUP_IP: nt!PspTerminateThreadByPointer+8 809443a6 8b7d08 mov edi,dword ptr [ebp+8] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!PspTerminateThreadByPointer+8 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrnlpa.exe DEBUG_FLR_IMAGE_TIMESTAMP: 45d69710 FAILURE_BUCKET_ID: 0x8E_nt!PspTerminateThreadByPointer+8 BUCKET_ID: 0x8E_nt!PspTerminateThreadByPointer+8 Followup: MachineOwner 2010-7-16 15:22 0
gzsmhf 雪币： 247 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 154 粉丝 0 关注私信	gzsmhf 3 楼原函数的参数是 NTSTATUS PspTerminateThreadByPointer( IN PETHREAD Thread, IN NTSTATUS ExitStatus, IN BOOLEAN DirectTerminate ) 你的过滤函数却是 MyPspTerminateThreadByPointer(PETHREAD Thread,PEPROCESS Process, NTSTATUS ExitStatus) 这个肯定呀蓝屏呀，至少参数类型要一直呀 2010-7-16 17:48 0
gzsmhf 雪币： 247 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 154 粉丝 0 关注私信	gzsmhf 4 楼你在declspec 历程中，将原函数的第一二三参数压栈，所以调用函数的参数类型一定要一致 2010-7-16 17:51 0
gzsmhf 雪币： 247 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 154 粉丝 0 关注私信	gzsmhf 5 楼 _declspec(naked) T_PspTerminateThreadByPointer( PETHREAD Thread, PEPROCESS Process, NTSTATUS ExitStatus ) 这个的参数类型也要改成一致的 2010-7-16 17:52 0
wujimaa 雪币： 364 活跃值： (1586) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 166 粉丝 1 关注私信	wujimaa 1 6 楼谢谢了.知道错在那了．调试一下午没注意看函数原型 2010-7-16 18:29 0
PEBOSS 雪币： 33 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 144 回帖 856 粉丝 0 关注私信	PEBOSS 7 楼深表同情 2010-7-17 01:48 0
金罡雪币： 1534 活跃值： (738) 能力值： ( LV8，RANK：130 ) 在线值：发帖 13 回帖 362 粉丝 88 关注私信	金罡 2 8 楼 Hook的比较深，膜拜一下 2010-7-17 17:04 0
Winker 雪币： 796 活跃值： (370) 能力值： ( LV9，RANK：380 ) 在线值：发帖 133 回帖 1127 粉丝 18 关注私信	Winker 8 9 楼搜索函数地址的函数，至少要try一下吧 2010-7-19 21:46 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

wujimaa

发帖

166

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (8)
wujimaa 雪币： 364 活跃值： (1586) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 166 粉丝 1 关注私信	wujimaa 1 2 楼蓝屏日志,不懂分析．谁懂指点一下．让我们学习一下． kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 809443a6, The address that the exception occurred at Arg3: f698ecbc, Trap Frame Arg4: 00000000 Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx" FAULTING_IP: nt!PspTerminateThreadByPointer+8 809443a6 8b7d08 mov edi,dword ptr [ebp+8] TRAP_FRAME: f698ecbc -- (.trap 0xfffffffff698ecbc) ErrCode = 00000000 eax=809446ca ebx=8ed75630 ecx=00000000 edx=0114ffa8 esi=8ea005e8 edi=00000000 eip=809443a6 esp=f698ed30 ebp=565376ec iopl=0 nv up ei pl zr ac pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010256 nt!PspTerminateThreadByPointer+0x8: 809443a6 8b7d08 mov edi,dword ptr [ebp+8] ss:0010:565376f4=???????? Resetting default scope CUSTOMER_CRASH_COUNT: 8 DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP BUGCHECK_STR: 0x8E CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from 80883908 to 809443a6 STACK_TEXT: f698ed54 80883908 00000000 00000000 0114ffb8 nt!PspTerminateThreadByPointer+0x8 f698ed54 7c9585ec 00000000 00000000 0114ffb8 nt!KiFastCallEntry+0xf8 WARNING: Frame IP not in any known module. Following frames may be wrong. 0114ff9c 7c957c2b 7c80f932 00000000 00000000 0x7c9585ec 0114ffb8 7c82482f 00000000 00000000 00000000 0x7c957c2b 0114ffec 00000000 77c4b0f5 0061f378 00000000 0x7c82482f STACK_COMMAND: kb FOLLOWUP_IP: nt!PspTerminateThreadByPointer+8 809443a6 8b7d08 mov edi,dword ptr [ebp+8] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!PspTerminateThreadByPointer+8 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrnlpa.exe DEBUG_FLR_IMAGE_TIMESTAMP: 45d69710 FAILURE_BUCKET_ID: 0x8E_nt!PspTerminateThreadByPointer+8 BUCKET_ID: 0x8E_nt!PspTerminateThreadByPointer+8 Followup: MachineOwner 2010-7-16 15:22 0
gzsmhf 雪币： 247 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 154 粉丝 0 关注私信	gzsmhf 3 楼原函数的参数是 NTSTATUS PspTerminateThreadByPointer( IN PETHREAD Thread, IN NTSTATUS ExitStatus, IN BOOLEAN DirectTerminate ) 你的过滤函数却是 MyPspTerminateThreadByPointer(PETHREAD Thread,PEPROCESS Process, NTSTATUS ExitStatus) 这个肯定呀蓝屏呀，至少参数类型要一直呀 2010-7-16 17:48 0
gzsmhf 雪币： 247 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 154 粉丝 0 关注私信	gzsmhf 4 楼你在declspec 历程中，将原函数的第一二三参数压栈，所以调用函数的参数类型一定要一致 2010-7-16 17:51 0
gzsmhf 雪币： 247 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 154 粉丝 0 关注私信	gzsmhf 5 楼 _declspec(naked) T_PspTerminateThreadByPointer( PETHREAD Thread, PEPROCESS Process, NTSTATUS ExitStatus ) 这个的参数类型也要改成一致的 2010-7-16 17:52 0
wujimaa 雪币： 364 活跃值： (1586) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 166 粉丝 1 关注私信	wujimaa 1 6 楼谢谢了.知道错在那了．调试一下午没注意看函数原型 2010-7-16 18:29 0
PEBOSS 雪币： 33 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 144 回帖 856 粉丝 0 关注私信	PEBOSS 7 楼深表同情 2010-7-17 01:48 0
金罡雪币： 1534 活跃值： (738) 能力值： ( LV8，RANK：130 ) 在线值：发帖 13 回帖 362 粉丝 88 关注私信	金罡 2 8 楼 Hook的比较深，膜拜一下 2010-7-17 17:04 0
Winker 雪币： 796 活跃值： (370) 能力值： ( LV9，RANK：380 ) 在线值：发帖 133 回帖 1127 粉丝 18 关注私信	Winker 8 9 楼搜索函数地址的函数，至少要try一下吧 2010-7-19 21:46 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复