Cracker:KernelKiller
program:Themida Demo Release: 1.0.0.2
:)英文不会写了, 来点中文做全面介绍.
众所周知,Themida系列的软件都对内核进行了处理,以达到保护目的。这些保护
通过监听函数(注:对受保护进程的写和读...)、监听中断(注:异常和单步...)等等来实现。下面我来讲解工作在WIN2K的Themida对系统的监听函数。我提供的这一小部分分析,不能让你完全地操控Themida,但能让你明白Themida在内核中的一点点原理,让你更了解Themida。没话说了,就讲到这里:)
On Win2K, all the kernel functions Themida hooks are shown below:
NtAllocateVirtualMemory
ZwCreateThread
ZwQueryVirtualMemory
ZwReadVirtualMemory
NtRequestWaitReplyPort
ZwTerminateProcess
ZwWriteVirtualMemory
;-----------------------------------------------------------------------
; Themida_NtAllocateVirtualMemory
; Kernel hook placed in front of NtAllocateVirtualMemory (Win2K, x86,
; stdcall, 6 args -> retn 18h). Decides whether the calling process may
; touch the target process named by the ProcessHandle argument:
;   ProcessHandle == -1 (own process)                 -> real function
;   target object not found in the protected table   -> real function
;   target is protected and the caller IS the target -> real function
;   otherwise                                        -> return without
;                                                       calling it
; Register roles: edx = load base of this code (recovered by call $+5 /
;   pop), eax = referenced target process object, ebx = same value with
;   bit 31 cleared, esi = cursor over the table at 0EBABB000h. pusha/popa
;   save and restore all general registers around the body.
; Hard-coded addresses (8044D57Ah, 804C73E8h, 0EBABB000h) are specific to
;   the author's Win2K installation.
;-----------------------------------------------------------------------
Themida_NtAllocateVirtualMemory:
push ebp
mov ebp, esp
pusha                               ; 20h bytes, so [esp+28h] == [ebp+8] == 1st argument
call $+5
pop edx                             ; edx = address of this instruction
sub edx, 56C67F5h                   ; edx = load base; data below is addressed as base + offset
cmp dword ptr [esp+28h], 0FFFFFFFFh ; ProcessHandle == -1 (current-process pseudo-handle)?
jz short loc_EB98CC4E ; own process: go straight to the real function (note: the test is against -1, not NULL)
push edx ; save load base across the call (edx is caller-saved)
push 0 ; HandleInformation = NULL
lea eax, [edx+56C687Eh] ; &Object: global slot at base+56C687Eh receives the referenced object
push eax
push 0 ; AccessMode = KernelMode
xor eax, eax
push eax ; ObjectType = NULL
push 10h ; DesiredAccess = 10h
push dword ptr [ebp+8] ; Handle = ProcessHandle argument
mov eax, 8044D57Ah
call eax                            ; author identifies 8044D57Ah as ObReferenceObjectByHandle
; ObReferenceObjectByHandle(Handle=[ebp+8], DesiredAccess=10h, ObjectType=NULL,
;                           AccessMode=KernelMode, Object=&[edx+56C687Eh], HandleInformation=NULL)
; NOTE(review): the NTSTATUS returned in eax is never tested; failure is only
; detected below by the Object slot still being 0. No ObDereferenceObject is
; visible anywhere in this listing, so a reference taken here appears never to
; be released. The Object slot is one shared global, so concurrent callers
; would overwrite each other's value - presumably not reentrant; verify.
pop edx ; restore load base
cmp dword ptr [edx+56C687Eh], 0     ; did the reference succeed?
jz near ptr 0EB98C6EDh ; object still 0: jumps to 0EB98C6EDh, which the author reports is not a valid address - the system crashes (the other hooks pass through instead)
mov eax, [edx+56C687Eh]             ; eax = target process object
mov ebx, eax
and ebx, 7FFFFFFFh                  ; ebx = same address with bit 31 cleared; presumably entries may be stored either way - TODO confirm
mov esi, 0EBABB000h                 ; esi = protected-process table; the dump below shows marker at +0, one object at +4, marker at +8
loc_EB98CC17:
///////////////////////////////////////////////////////////////////////////////////// attention
add esi, 4                          ; advance first, so entry +0 is never compared
cmp dword ptr [esi], 47616420h ; end-of-table marker 47616420h (bytes 20 64 61 47, ASCII " daG")
jz short loc_EB98CC4E ; marker reached, target not protected: call the real function
cmp [esi], eax
jz short loc_EB98CC2C ; entry matches the target process object
cmp [esi], ebx
jz short loc_EB98CC2C ; entry matches the bit-31-cleared form
jmp short loc_EB98CC17 ; next entry. NOTE: the marker is the only loop bound; a table without one would be scanned past its end
/////////////////////////////////////////////////////////////////////////////////////
loc_EB98CC2C:
///////////////////////////////////////////////////////////////////////////////////// attention,is protect process
; target is a protected process: allow the call only if the caller is that same process
push fs
mov eax, 30h
mov fs, ax                          ; fs := 30h, the kernel KPCR selector on x86 NT, so fs:124h reads the current thread
mov eax, large fs:124h ; ETHREAD (current thread, per the author)
mov eax, [eax+44h] ; KPROCESS of the calling thread (Win2K offset, per the author)
pop fs
cmp eax, [edx+56C687Eh]             ; caller == target process?
jz short loc_EB98CC4E ; yes: the protected process may operate on itself
/////////////////////////////////////////////////////////////////////////////////////
; deny path: unwind and return to the caller without invoking NtAllocateVirtualMemory
popa
pop ebp
retn 18h ; 18h = 6 stdcall args; NOTE(review): popa restored eax to its entry value, so the NTSTATUS the caller sees is whatever eax held on entry, not a defined error code
/////////////////////////////////////////////////////////////////////////////////////
loc_EB98CC4E:
/////////////system function
; pass-through path: restore the caller's frame and tail-jump to the real function,
; which then performs its own retn 18h
popa
pop ebp
push 804C73E8h ; NtAllocateVirtualMemory (original entry, hard-coded)
retn
//EBABB000h data,length 20h
//47616420h address end marking
//81407D60h Themida protected process object
00000000h: 20 64 61 47 60 7D 40 81 20 64 61 47 00 00 00 00 ; daG`}@?daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
;-----------------------------------------------------------------------
; Themida_ZwCreateThread
; Kernel hook placed in front of ZwCreateThread (Win2K, x86, stdcall,
; 8 args -> retn 20h). Looks up the process named by the ProcessHandle
; argument ([ebp+14h]) in TWO tables walked in lockstep (0EBABB000h and
; 0EBABB000h+3E8h); if it is listed and the caller is not that process,
; the hook returns without calling ZwCreateThread.
; Register roles: edx = load base (call $+5 / pop), eax = referenced
;   target process object, ebx = same with bit 31 cleared, esi = cursor
;   over the first table, edi = cursor over the second table.
; Layout note: the scan loop (loc_EB98CD50) is placed after both return
;   paths and entered by the jmp below.
;-----------------------------------------------------------------------
Themida_ZwCreateThread:
push ebp
mov ebp, esp
pusha                               ; 20h bytes, so [esp+28h] == [ebp+8] == 1st argument
call $+5
pop edx
sub edx, 5676055h                   ; edx = load base
cmp dword ptr [esp+28h], 0FFFFFFFFh ; NOTE(review): this is the FIRST argument (ThreadHandle out-pointer per the NT prototype), not the ProcessHandle at [ebp+14h] used below; the -1 test looks copied from the other hooks - verify
jz short loc_EB98CD44 ; equal to -1: go straight to the real function
push edx ; save load base across the call
push 0 ; HandleInformation = NULL
lea eax, [edx+56760DAh] ; &Object: global slot at base+56760DAh
push eax
push 0 ; AccessMode = KernelMode
xor eax, eax
push eax ; ObjectType = NULL
push 10h ; DesiredAccess = 10h
push dword ptr [ebp+14h] ; Handle = ProcessHandle argument (4th parameter)
mov eax, 8044D57Ah
call eax                            ; author identifies 8044D57Ah as ObReferenceObjectByHandle
; ObReferenceObjectByHandle([ebp+14h], 10h, NULL, KernelMode, &[edx+56760DAh], NULL)
; NOTE(review): return status in eax is not checked, and no ObDereferenceObject
; is visible in this listing; the Object slot is a single shared global.
pop edx                             ; restore load base
cmp dword ptr [edx+56760DAh], 0
jz short loc_EB98CD44 ; reference failed (object still 0): pass through to the real function
mov eax, [edx+56760DAh]             ; eax = target process object
mov ebx, eax
and ebx, 7FFFFFFFh                  ; ebx = same with bit 31 cleared; presumably an alternate stored form - TODO confirm
mov esi, 0EBABB000h ; esi = first table (hard-coded)
mov edi, esi
add edi, 3E8h ; edi = second table at +3E8h, advanced together with esi
jmp short loc_EB98CD50              ; enter the scan loop (placed below)
loc_EB98CD22:
///////////////////////////////////////////////////////////////////////////////////// attention,is protect process
; target is protected: allow only if the caller is that same process
push fs
mov eax, 30h
mov fs, ax                          ; fs := 30h, the kernel KPCR selector on x86 NT
mov eax, large fs:124h ; ETHREAD (current thread, per the author)
mov eax, [eax+44h] ; KPROCESS of the caller (Win2K offset, per the author)
pop fs
cmp eax, [edx+56760DAh]
jz short loc_EB98CD44 ; caller == target: let the call through
///////////////////////////////////////////////////////////////////////////////////// attention
; deny path: return without calling ZwCreateThread
popa
pop ebp
retn 20h ; 20h = 8 stdcall args; NOTE(review): eax was restored by popa, so the returned NTSTATUS is whatever eax held on entry
/////////////////////////////////////////////////////////////////////////////////////
loc_EB98CD44:
/////////////system function
; pass-through path: tail-jump to the real function with the caller's frame intact
popa
pop ebp
push 804DF0F8h ;ZwCreateThread (original entry, hard-coded)
retn
loc_EB98CD50:
///////////////////////////////////////////////////////////////////////////////////// attention
; scan loop: both cursors advance first, so entry +0 of each table is never compared
add esi, 4
add edi, 4
cmp dword ptr [esi], 47616420h ; end-of-table marker 47616420h (" daG"); NOTE: only the first table is checked for the marker, and it is the only loop bound
jz short loc_EB98CD44 ; end of table, target not protected: call the real function
cmp [esi], eax ; first table vs. object
jz short loc_EB98CD22
cmp [edi], eax ; second table vs. object
jz short loc_EB98CD22
cmp [esi], ebx ; first table vs. bit-31-cleared form
jz short loc_EB98CD22
cmp [edi], ebx ; second table vs. bit-31-cleared form
jz short loc_EB98CD22
jmp short loc_EB98CD50 ; next entry pair
/////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////
//EBABB000+3E8h data,length 20h
//47616420h address end marking
00000000h: 20 64 61 47 00 00 00 00 20 64 61 47 00 00 00 00 ; daG.... daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
;-----------------------------------------------------------------------
; Themida_ZwQueryVirtualMemory
; Kernel hook placed in front of ZwQueryVirtualMemory (Win2K, x86,
; stdcall, 6 args). Same table lookup as the other hooks, but this one
; never returns early: when the target is protected and the caller is
; not that process, it overwrites the ProcessHandle argument slot with 0
; and then still tail-jumps to the real function.
; Register roles: edx = load base (call $+5 / pop), eax = referenced
;   target process object, ebx = same with bit 31 cleared, esi = cursor
;   over the table at 0EBAC8000h.
;-----------------------------------------------------------------------
Themida_ZwQueryVirtualMemory:
push ebp
mov ebp, esp
pusha                               ; 20h bytes, so [esp+28h] == [ebp+8] == 1st argument (ProcessHandle)
call $+5
pop edx
sub edx, 56C4980h                   ; edx = load base
cmp dword ptr [esp+28h], 0FFFFFFFFh ; ProcessHandle == -1 (current-process pseudo-handle)?
jz short loc_EB938B53 ; own process: go straight to the real function (the test is against -1, not NULL)
push edx ; save load base across the call
push 0 ; HandleInformation = NULL
lea eax, [edx+56C4A08h] ; &Object: global slot at base+56C4A08h
push eax
push 0 ; AccessMode = KernelMode
xor eax, eax
push eax ; ObjectType = NULL
push 10h ; DesiredAccess = 10h
push dword ptr [ebp+8] ; Handle = ProcessHandle argument
mov eax, 8044D57Ah
call eax                            ; author identifies 8044D57Ah as ObReferenceObjectByHandle
; ObReferenceObjectByHandle([ebp+8], 10h, NULL, KernelMode, &[edx+56C4A08h], NULL)
; NOTE(review): return status in eax is not checked, and no ObDereferenceObject
; is visible in this listing; the Object slot is a single shared global.
pop edx                             ; restore load base
cmp dword ptr [edx+56C4A08h], 0
jz short loc_EB938B53 ; reference failed (object still 0): pass through to the real function
mov eax, [edx+56C4A08h]             ; eax = target process object
mov ebx, eax
and ebx, 7FFFFFFFh                  ; ebx = same with bit 31 cleared; presumably an alternate stored form - TODO confirm
mov esi, 0EBAC8000h                 ; esi = protected-process table (hard-coded; a different address from the other hooks)
loc_EB938B19:
///////////////////////////////////////////////////////////////////////////////////// attention
add esi, 4                          ; advance first, so entry +0 is never compared
cmp dword ptr [esi], 47616420h ; end-of-table marker 47616420h (" daG"); the only loop bound
jz short loc_EB938B53 ; end of table, target not protected: call the real function
cmp [esi], eax
jz short loc_EB938B2E ; entry matches the target process object
cmp [esi], ebx
jz short loc_EB938B2E ; entry matches the bit-31-cleared form
jmp short loc_EB938B19 ; next entry
///////////////////////////////////////////////////////////////////////////////////// attention
loc_EB938B2E: ;target is a protected process
push fs
mov eax, 30h
mov fs, ax                          ; fs := 30h, the kernel KPCR selector on x86 NT
mov eax, large fs:124h ; ETHREAD (current thread, per the author)
mov eax, [eax+44h] ; KPROCESS of the caller (Win2K offset, per the author)
pop fs
cmp eax, [edx+56C4A08h]
jz short loc_EB938B53 ; caller == target: pass the arguments through unchanged
///////////////////////////////////////////////////////////////////////////////////// attention
mov dword ptr [esp+28h], 0 ; caller is another process: overwrite the ProcessHandle argument slot in place with 0, then fall into the real function, which receives a NULL handle
loc_EB938B53:
/////////////system function
; pass-through path: restore the caller's frame and tail-jump to the real function
popa
pop ebp
push 804D1DFAh ;ZwQueryVirtualMemory (original entry, hard-coded)
retn
//EBAC8000h data,length 20h
//47616420h address end marking
//813E5020h Themida protected process object
00000000h: 20 64 61 47 20 50 3E 81 20 64 61 47 00 00 00 00 ; daG P>?daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
Themida_ZwWriteVirtualMemory:
push ebp
mov ebp, esp
pusha
call $+5
pop edx