-
-
[分享]微软的Hot Patch代码
-
发表于: 2011-6-27 21:37
-
基本的方法MJ已经说了, 并给出了主要的代码. 此方法简单易用. 相当不错.
可惜偶比较菜, 到现在才来学习. 补全了MJ的代码, 增加了卸载驱动恢复原函数的代码. 跟我一样的菜鸟可以看看, 大牛飘过.
MJ的帖子: http://www.debugman.com/discussion/670#a
先用WinDbg看下原函数:
Hook示意图:
代码如下:
#include "ntddk.h"
typedef unsigned char BYTE;
BYTE OriginalBytes[2]={0};
KSPIN_LOCK SDTSpinLock;
ULONG g_uCr0 = 0;
extern POBJECT_TYPE *PsProcessType;
VOID WPOFF();
VOID WPON();
NTKERNELAPI
NTSTATUS
ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
//HOOK函数
NTSTATUS
DetourMyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
void WPOFF()
{
ULONG uAttr;
_asm
{
push eax;
mov eax, cr0;
mov uAttr, eax;
and eax, 0FFFEFFFFh; // CR0 16 BIT = 0
mov cr0, eax;
pop eax;
cli
};
g_uCr0 = uAttr;
}
VOID WPON()
{
_asm
{
sti
push eax;
mov eax, g_uCr0;
mov cr0, eax;
pop eax;
};
}
NTSTATUS InlineHookFuncXP(IN PVOID FuncAddress,
IN PVOID NewFuncAddress)
{
//FuncAddress:orignal function address
//NewFuncAddress:new function address to hook
//if function successed,the old function which the hook function will jump to
//is the FuncAddress+2
KIRQL OldIrql ;
NTSTATUS stat;
KeAcquireSpinLock( &SDTSpinLock, &OldIrql );
WPOFF();
//保存原函数的头两个字节
RtlCopyMemory(OriginalBytes,(BYTE *)ObReferenceObjectByHandle,2);
__asm
{
push eax
push ecx
lea eax,[FuncAddress]
mov eax,[eax]
cmp byte ptr[eax],0x8b
jnz failtohook
cmp byte ptr[eax+1],0xff ;判断函数开始头部是不是 "mov edi,edi"
jnz failtohook
mov ecx,0xffffffff ;-1
loopcheck:
cmp byte ptr[eax+ecx],0x90
jnz failtohook
dec ecx
cmp ecx,0xfffffffa ;循环5次, 判断函数开始上面部分是不是"nop"
jnz loopcheck
;保存函数原始的指令
mov byte ptr[eax],0xeb ; 短跳jmp
mov byte ptr[eax+1],0xf9 ; 0x00-偏移量-指令长度 = 0x00-5-2 = f9
;write the new function header:jmp short funcaddr-5(0x00-0x07)
mov byte ptr[eax-5],0xe9 ;远跳jmp
;write 1 byte :jmp xxxxx
mov ecx,[NewFuncAddress]
sub ecx,eax ;得到跳转的相对偏移
mov dword ptr[eax-4],ecx
jmp hookok
failtohook:
mov stat,0xc0000001
jmp end
hookok:
mov stat,0
end:
pop ecx
pop eax
}
WPON();
KeReleaseSpinLock( &SDTSpinLock, OldIrql );
return stat;
}
VOID UnInlineHookFuncXP(IN PVOID FuncAddress)
{
KIRQL OldIrql ;
NTSTATUS stat;
KeAcquireSpinLock( &SDTSpinLock, &OldIrql );
WPOFF();
// 恢复函数的前两个字节
RtlCopyMemory((BYTE *)FuncAddress, OriginalBytes, 2);
// 恢复函数上面的5个nop
__asm
{
push ecx
push eax
lea eax,[FuncAddress]
mov eax,[eax]
mov ecx,0xffffffff ;-1
loopcheck:
mov byte ptr[eax+ecx],0x90
dec ecx
cmp ecx,0xfffffffa
jnz loopcheck
pop eax
pop ecx
}
WPON();
KeReleaseSpinLock( &SDTSpinLock, OldIrql );
}
_declspec (naked)
NTSTATUS
OriginalObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
_asm
{
mov edi,edi // 手动写ObReferenceObjectByHandle函数开头的2个字节, 可用WinDbg查看
mov eax,ObReferenceObjectByHandle
add eax,2
jmp eax
}
}
NTSTATUS
DetourMyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
NTSTATUS status;
status = OriginalObReferenceObjectByHandle(Handle,DesiredAccess, ObjectType,AccessMode,Object,HandleInformation);
if((status==STATUS_SUCCESS)&&(DesiredAccess==1)) // 如果是关闭软件, 从DesiredAccess == 1可知
{
if(ObjectType== *PsProcessType)
{
if( _stricmp((char *)((ULONG)(*Object)+0x174),"notepad.exe")==0)
{
ObDereferenceObject(*Object);
return STATUS_INVALID_HANDLE;
}
}
}
return status;
}
VOID
DriverUnload(
IN PDRIVER_OBJECT pDriverObj
)
{
UnInlineHookFuncXP(ObReferenceObjectByHandle);
KdPrint(("[inlineHook] Unloaded Success\r\n"));
return;
}
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT pDriverObj,
IN PUNICODE_STRING pRegistryString
)
{
NTSTATUS status = STATUS_SUCCESS;
KdPrint(("Enter DriverEntry!\n"));
pDriverObj->DriverUnload = DriverUnload;
status = InlineHookFuncXP(ObReferenceObjectByHandle, DetourMyObReferenceObjectByHandle);
if (NT_SUCCESS(status))
KdPrint(("Inline Hook Success!\n"));
else
KdPrint(("Inline Hook UnSuccess!\n"));
return status;
}
可惜偶比较菜, 到现在才来学习. 补全了MJ的代码, 增加了卸载驱动恢复原函数的代码. 跟我一样的菜鸟可以看看, 大牛飘过.
MJ的帖子: http://www.debugman.com/discussion/670#a
先用WinDbg看下原函数:
Hook示意图:
代码如下:
#include "ntddk.h"
typedef unsigned char BYTE;
BYTE OriginalBytes[2]={0};
KSPIN_LOCK SDTSpinLock;
ULONG g_uCr0 = 0;
extern POBJECT_TYPE *PsProcessType;
VOID WPOFF();
VOID WPON();
NTKERNELAPI
NTSTATUS
ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
//HOOK函数
NTSTATUS
DetourMyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
void WPOFF()
{
ULONG uAttr;
_asm
{
push eax;
mov eax, cr0;
mov uAttr, eax;
and eax, 0FFFEFFFFh; // CR0 16 BIT = 0
mov cr0, eax;
pop eax;
cli
};
g_uCr0 = uAttr;
}
VOID WPON()
{
_asm
{
sti
push eax;
mov eax, g_uCr0;
mov cr0, eax;
pop eax;
};
}
NTSTATUS InlineHookFuncXP(IN PVOID FuncAddress,
IN PVOID NewFuncAddress)
{
//FuncAddress:orignal function address
//NewFuncAddress:new function address to hook
//if function successed,the old function which the hook function will jump to
//is the FuncAddress+2
KIRQL OldIrql ;
NTSTATUS stat;
KeAcquireSpinLock( &SDTSpinLock, &OldIrql );
WPOFF();
//保存原函数的头两个字节
RtlCopyMemory(OriginalBytes,(BYTE *)ObReferenceObjectByHandle,2);
__asm
{
push eax
push ecx
lea eax,[FuncAddress]
mov eax,[eax]
cmp byte ptr[eax],0x8b
jnz failtohook
cmp byte ptr[eax+1],0xff ;判断函数开始头部是不是 "mov edi,edi"
jnz failtohook
mov ecx,0xffffffff ;-1
loopcheck:
cmp byte ptr[eax+ecx],0x90
jnz failtohook
dec ecx
cmp ecx,0xfffffffa ;循环5次, 判断函数开始上面部分是不是"nop"
jnz loopcheck
;保存函数原始的指令
mov byte ptr[eax],0xeb ; 短跳jmp
mov byte ptr[eax+1],0xf9 ; 0x00-偏移量-指令长度 = 0x00-5-2 = f9
;write the new function header:jmp short funcaddr-5(0x00-0x07)
mov byte ptr[eax-5],0xe9 ;远跳jmp
;write 1 byte :jmp xxxxx
mov ecx,[NewFuncAddress]
sub ecx,eax ;得到跳转的相对偏移
mov dword ptr[eax-4],ecx
jmp hookok
failtohook:
mov stat,0xc0000001
jmp end
hookok:
mov stat,0
end:
pop ecx
pop eax
}
WPON();
KeReleaseSpinLock( &SDTSpinLock, OldIrql );
return stat;
}
VOID UnInlineHookFuncXP(IN PVOID FuncAddress)
{
KIRQL OldIrql ;
NTSTATUS stat;
KeAcquireSpinLock( &SDTSpinLock, &OldIrql );
WPOFF();
// 恢复函数的前两个字节
RtlCopyMemory((BYTE *)FuncAddress, OriginalBytes, 2);
// 恢复函数上面的5个nop
__asm
{
push ecx
push eax
lea eax,[FuncAddress]
mov eax,[eax]
mov ecx,0xffffffff ;-1
loopcheck:
mov byte ptr[eax+ecx],0x90
dec ecx
cmp ecx,0xfffffffa
jnz loopcheck
pop eax
pop ecx
}
WPON();
KeReleaseSpinLock( &SDTSpinLock, OldIrql );
}
_declspec (naked)
NTSTATUS
OriginalObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
_asm
{
mov edi,edi // 手动写ObReferenceObjectByHandle函数开头的2个字节, 可用WinDbg查看
mov eax,ObReferenceObjectByHandle
add eax,2
jmp eax
}
}
NTSTATUS
DetourMyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
NTSTATUS status;
status = OriginalObReferenceObjectByHandle(Handle,DesiredAccess, ObjectType,AccessMode,Object,HandleInformation);
if((status==STATUS_SUCCESS)&&(DesiredAccess==1)) // 如果是关闭软件, 从DesiredAccess == 1可知
{
if(ObjectType== *PsProcessType)
{
if( _stricmp((char *)((ULONG)(*Object)+0x174),"notepad.exe")==0)
{
ObDereferenceObject(*Object);
return STATUS_INVALID_HANDLE;
}
}
}
return status;
}
VOID
DriverUnload(
IN PDRIVER_OBJECT pDriverObj
)
{
UnInlineHookFuncXP(ObReferenceObjectByHandle);
KdPrint(("[inlineHook] Unloaded Success\r\n"));
return;
}
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT pDriverObj,
IN PUNICODE_STRING pRegistryString
)
{
NTSTATUS status = STATUS_SUCCESS;
KdPrint(("Enter DriverEntry!\n"));
pDriverObj->DriverUnload = DriverUnload;
status = InlineHookFuncXP(ObReferenceObjectByHandle, DetourMyObReferenceObjectByHandle);
if (NT_SUCCESS(status))
KdPrint(("Inline Hook Success!\n"));
else
KdPrint(("Inline Hook UnSuccess!\n"));
return status;
}
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
先恭喜一下莫兄荣升版主,好文章支持!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
这个自己早就做过了……没想到还能打上MS的旗号来 “招摇撞骗”
|
|
|
|
|
|
表激动……没看见那个引号?俺是支持你的
|
|
|
激动到木有.
 只是现在这个区的学习气氛不怎么好, 鼓励大家多多发帖呢. 呵呵. 兄弟也很早嘛, 你的智能主防研究的肿么样了啊, 嘿嘿~. 
|
|
|
what? 你怎么知道的……不会是我QQ里的某某吧?
|
|
|
那没有, 因为兄弟在论坛里还是很犀利了, 我老早关注你了嘛, 嘿嘿~
|
|
|
晕……! 我表示很蛋疼 =。=
哥睡了
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
