不知道在哪出错,VMware测试蓝屏.我认为可能是T_PspTerminateThreadByPointer函数中堆栈没处理好,谁懂的帮我指出来.主要是调用InlineHookPspTerminateThreadByPointer()之后就蓝屏.谢了.
#include <ntddk.h>
#include "InlineHook.h"
typedef NTSTATUS
(*PSPTERMINATETHREADBYPOINTER)(
IN PETHREAD Thread,
IN NTSTATUS ExitStatus,
IN BOOLEAN DirectTerminate
);
PSPTERMINATETHREADBYPOINTER PspTerminateThreadByPointerAddr;
//获取PspTerminateThreadByPointer地址
PVOID GetUnDocFunAddr()
{
ULONG size,index;
PULONG buf;
ULONG i;
PSYSTEM_MODULE_INFORMATION module;
PVOID driverAddress;
ULONG ntosknlBase;
ULONG ntosknlEndAddr;
ULONG curAddr;
NTSTATUS status;
ULONG retAddr=0;
ULONG code1_2003=0x8b55ff8b,code2_2003=0x575653ec,code3_2003=0x8d087d8b,code4_2003=0x4006f600;
ZwQuerySystemInformation(SystemModuleInformation,&size,0,&size);
buf=(PULONG)ExAllocatePool(PagedPool,size);
if(buf==NULL)
{
DbgPrint("failed alloc memory failed \n");
return 0;
}
status=ZwQuerySystemInformation(SystemModuleInformation,buf, size ,0);
if(!NT_SUCCESS(status))
{
DbgPrint("failed query\n");
return 0;
}
module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1);
ntosknlEndAddr=(ULONG)module->Base+(ULONG)module->Size;
ntosknlBase=(ULONG)module->Base;
curAddr=ntosknlBase;
ExFreePool(buf);
for( i=curAddr;i<ntosknlEndAddr;i++)
{
if ((*((ULONG *)i)==code1_2003)
&&(*((ULONG *)(i+4))==code2_2003)
&&(*((ULONG *)(i+8))==code3_2003)
&&(*((ULONG*)(i+16))==code4_2003))
{
retAddr=i;
DbgPrint("address is 0x%x\n",retAddr);
return (PVOID)retAddr;
}
}
return (PVOID)retAddr;
}
//测试PspTerminateThreadByPointer()有没有被HOOk过
NTSTATUS CheckPspTerminateThreadByPointerIsHook()
{
int i=0;
char *addr = (char *)PspTerminateThreadByPointerAddr;
char code[] = { 0x8b, 0xff, 0x55, 0x8b, 0xec};
while(i<5){
DbgPrint(" - 0x%02X ",(unsigned char)addr[i]);
if(addr[i] != code[i])
{
return STATUS_UNSUCCESSFUL;
}
i++;
}
return STATUS_SUCCESS;
}
VOID MyPspTerminateThreadByPointer(PETHREAD Thread,PEPROCESS Process, NTSTATUS ExitStatus)
{
DbgPrint("PspTerminateProcess hello\n");
}
_declspec(naked) T_PspTerminateThreadByPointer( PETHREAD Thread,
PEPROCESS Process,
NTSTATUS ExitStatus )
{
_asm{
mov edi, edi
push ebp
mov ebp ,esp
push [ebp+10h]
push [ebp+0ch]
push [ebp+8]
call MyPspTerminateThreadByPointer
mov eax,PspTerminateThreadByPointerAddr
add eax,5
jmp eax
}
}
//Inline Hook 函数
VOID InlineHookPspTerminateThreadByPointer()
{
int JmpOffSet;
unsigned char JmpCode[5]={0x9e,0x00,0x00,0x00,0x00};
KIRQL oldrql;
if(PspTerminateThreadByPointerAddr==0)
{
DbgPrint("PspTerminateThreadByPointer NOT FOUND!\n");
return;
}
DbgPrint("PspTerminateThreadByPointer is found in 0x%08x",(ULONG)PspTerminateThreadByPointerAddr);
DbgPrint("T_PspTerminateThreadByPointer is:%x\n",T_PspTerminateThreadByPointer);
JmpOffSet=(char*)T_PspTerminateThreadByPointer-(char*)PspTerminateThreadByPointerAddr-5;
DbgPrint("JmpOffSet Address is %x\n",JmpOffSet);
RtlCopyMemory(JmpCode+1,&JmpOffSet,4);
_asm{
CLI
mov EAX, CR0
and EAX, not 10000H
mov CR0, EAX
}
oldrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory(PspTerminateThreadByPointerAddr,JmpCode,5);
DbgPrint("hook now \n");
KeLowerIrql(oldrql);
_asm{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
}
VOID OnUnLoad(IN PDRIVER_OBJECT pDriverObject)
{
unsigned char Code[5]={0x8b,0xff,0x55,0x8b,0xec};
_asm
{
CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax
pushad
mov edi, PspTerminateThreadByPointerAddr
mov eax, dword ptr Code[0]
mov [edi], eax
mov al, byte ptr Code[4]
mov [edi+4], al
popad
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
DbgPrint("Unload called\n!");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegisterPath)
{
PspTerminateThreadByPointerAddr=GetUnDocFunAddr();
if(STATUS_SUCCESS != CheckPspTerminateThreadByPointerIsHook())
{
DbgPrint("PspTerminateProcess Match Failed !");
return STATUS_UNSUCCESSFUL;
}
//Inline Hook开始
InlineHookPspTerminateThreadByPointer();
pDriverObject->DriverUnload=OnUnLoad;
return STATUS_SUCCESS;
}
[课程]Linux pwn 探索篇!