0x805CC628 | FF75 C8 | push dword ptr [ebp-38] |
0x805CC62B | FF75 DC | push dword ptr [ebp-24] |
0x805CC62E | E8 4706FFFF | call ObOpenObjectByPointer |
0x805CC633 | 8BF8 | mov edi, eax |
0x805CC635 | 8D85 48FFFFFF | lea eax, dword ptr [ebp-B8] |
0x805CC63B | 50 | push eax |
0x805CC63C | E8 47550200 | call SeDeleteAccessState |
我想从0x805CC633 开始hook,先保存 0x805CC633到0x805CC63B这三行的代码
修改后以上这几行我假想变成如下
push dword ptr [ebp-38]
push dword ptr [ebp-24]
call ObOpenObjectByPointer
jmp myntopenprocess
nop
nop
nop
nop
(余下的用nop填充)
接下来是我的函数的处理
我想一开始先call ObOpenObjectByPointer
因为TP inline hook了
0x805CC62E | E8 4706FFFF | call ObOpenObjectByPointer
这一行
于是得先call ObOpenObjectByPointer
得到函数返回值,然后后面有9个被破坏的代码,要弄回来于是用nop填充(这个时候用刚才保存的代码复制过来)最后再跳转到0x805CC63C这一行就行了,我的函数代码如下
mov eax,0x805BCC7A//我家ObOpenObjectByPointer的地址是0x805BCC7A
jmp eax
nop
nop
nop
nop
nop
nop
nop
nop
nop
mov eax,0x805CC63C
jmp eax
最后我想再在卸载驱动的时候,将保存的代码复制过去,就行了,但是我却无数次的蓝屏,各位大虾帮我看看,代码如下
#include <ntddk.h>
#include <windef.h>
#include <ntstatus.h>
BYTE JmpAddress[9]={0xE9,0,0,0,0,0x90,0x90,0x90,0x90};
ULONG hookaddress;
BYTE store[9];
void A()
{
__asm{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
}
void B()
{
__asm{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
__declspec(naked) VOID __stdcall New_NtOpenProcess()
{
_asm
{
mov eax,0x805CC633//call ObOpenObjectByPointer
call eax
nop
nop
nop
nop
nop
nop
nop
nop
nop//中间的nop用来保存被破坏的代码
mov eax,0x805CC63C//跳转到0x805CC63C
jmp eax
}
}
void Hook()
{
KIRQL Irql;
hookaddress=(ULONG)0x805CC633;
*(ULONG*)(JmpAddress+1)=(ULONG)New_NtOpenProcess-((ULONG)hookaddress+0x5);//这里是inline hook的准备大家都懂吧
A();
Irql=KeRaiseIrqlToDpcLevel();
memcpy(store,(BYTE*)hookaddress,9);//保存9字节代码
memcpy((BYTE*)New_NtOpenProcess+7,store,9);将9字节代码复制到New_NtOpenProcess的nop位置
memcpy((BYTE*)hookaddress,JmpAddress,9);//完成inline
KeLowerIrql(Irql);
B();
}
VOID Unload(IN PDRIVER_OBJECT pDriverObj)
{
KIRQL Irql;
A();
Irql=KeRaiseIrqlToDpcLevel();
memcpy((BYTE*)hookaddress,store,9);//将代码复制过去
KeLowerIrql(Irql);
B();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj,PUNICODE_STRING pRegistryString)
{
pDriverObj->DriverUnload = Unload;
Hook();
return STATUS_SUCCESS;
}
[课程]Linux pwn 探索篇!