[原创]简单分析一下HS驱动保护 - Hook篇
发表于: 2011-10-9 11:35 11647

[原创]简单分析一下HS驱动保护 - Hook篇

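/*
 * Per-function record of the driver's Shadow SSDT hook table, as recovered
 * by the author (32-bit layout; offsets in the comments are from the start
 * of the record).  Field names are the author's; the original listing used
 * a non-C "TYPE: name;" notation and lacked the closing semicolon, which is
 * all that is corrected here.
 */
struct {
	ULONG FunctionNameAddress;      /* +0x00 address of the function-name string */
	ULONG FunctionIndex;            /* +0x04 index of the function (in the hooked table) */
	ULONG ProxyAddress;             /* +0x08 address of the proxy (hook) routine */
	ULONG PreAddress;               /* +0x0C address saved before the hook was applied */
	ULONG HasBeenHooked;            /* +0x10 non-zero once the hook has been installed */
	ULONG Flag;                     /* +0x14 meaning not recovered on this page */
} shadow_ssdt_hook_info;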

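/*
 * Second hook-table record recovered by the author (32-bit layout; offsets
 * in the comments are from the start of the record).  Per the offsets given,
 * two bytes of padding follow IsHookCallInstruction at +0x0E..+0x0F so that
 * unknow1 lands at +0x10.  Field names are the author's ("unknowN" marks
 * fields whose use was not identified); only the syntax is corrected here.
 */
struct {
	ULONG FunctionName;             /* +0x00 pointer to the function-name string */
	ULONG PreAddress;               /* +0x04 address before hooking (the patched site) */
	PVOID BufferForJmpCode;         /* +0x08 address of the jump-instruction buffer (trampoline) */
	BYTE  HasBeenHooked;            /* +0x0C non-zero once the hook has been installed */
	BYTE  IsHookCallInstruction;    /* +0x0D non-zero when the hook is placed on a call instruction */
	ULONG unknow1;                  /* +0x10 not identified */
	ULONG unknow2;                  /* +0x14 not identified */
	ULONG FunctionFlag;             /* +0x18 meaning not recovered on this page */
	ULONG unknow3;                  /* +0x1C not identified */
} shadow_ssdt_hook_info2;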
;-----------------------------------------------------------------------
; BOOLEAN __stdcall Hook_InlineDo(PVOID JmpBackBufferAddress,
;                                 PVOID PreAddress,
;                                 PVOID JmpToProxyBufferAddress,
;                                 BYTE  IsHookCallInstruction,
;                                 ULONGLONG *ReturnValue)
; IDA listing (x86-32, MASM syntax) of the driver's inline-hook installer.
; The prototype above is the reviewer's reading of how each argument slot
; is used below; stdcall follows from "retn 14h" (five dword arguments).
;
; In:    [ebp+8]   trampoline ("jump back") buffer that this routine fills
;        [ebp+0Ch] address of the code to patch (may be replaced by the
;                  result of CheckFunctionWhetherBeenHooked)
;        [ebp+10h] address the patched site will jump to (proxy stub)
;        [ebp+14h] 1 = the instruction at PreAddress is a call rel32
;        [ebp+18h] receives the 64-bit value returned by the exchange
;                  (presumably the 8 bytes that were overwritten)
; Out:   al = 1 on success; 0 if any of the three pointers is NULL or
;        the instruction run covering 5 bytes exceeds 1Bh (27) bytes
; Clobb: eax, ecx, edx, flags; esi/edi are saved and restored
; Frame: 2Ch bytes of locals (slot -18h is unused in this listing);
;        the direction flag is assumed clear for the rep movs* copies
;
; Net effect: an E9 rel32 (plus 3 original bytes) is written at PreAddress
; with an 8-byte interlocked exchange, and the trampoline receives the
; displaced instructions followed by a jmp back (or, for a call / leading
; jmp, a single jmp to the original target).  Per the author's note, the
; driver's own CheckFunctionWhetherBeenHooked inspects that first byte.
;-----------------------------------------------------------------------
Hook_InlineDo proc near

; Locals
OpcodeLength			= dword ptr -2Ch	; out-parameter filled in by DisAsm
JmpCode					= dword ptr -28h	; low dword of an 8-byte scratch code buffer
JmpCode_				= dword ptr -24h	; high dword of that buffer (a rel32 stored at JmpCode+1 spills into its first byte)
temp   					= dword ptr -20h	; scratch for address / displacement arithmetic
WriteAble				= dword ptr -1Ch	; value returned by MakeSpecialAddressWriteAble, handed back later to restore the state
TotalDecodedLength		= dword ptr -14h	; bytes of original code displaced into the trampoline
PreAddressIp			= dword ptr -10h	; decode cursor into the original code
DecodedLength			= dword ptr -0Ch	; length of the instruction DisAsm just decoded
JmpCodeDump				= dword ptr -8		; low dword of the 8 bytes that will replace the original at PreAddress
JmpCodeDump_			= dword ptr -4		; high dword of those 8 bytes

; Arguments (stdcall; retn 14h pops all five)
JmpBackBufferAddress	= dword ptr  8		; trampoline ("jump back") buffer
PreAddress				= dword ptr  0Ch	; start address of the code being hooked
JmpToProxyBufferAddress	= dword ptr  10h	; address of the jump-to-proxy stub
IsHookCallInstruction	= byte ptr  14h		; 1 = the hooked instruction is a call
ReturnValue				= dword ptr  18h	; receives edx:eax from the exchange; NOTE(review): never NULL-checked

       push    ebp
       mov     ebp, esp
       sub     esp, 2Ch                           ; locals (see above)
       push    esi                                ; esi/edi are used by rep movs* below
       push    edi
       mov     byte ptr [ebp+JmpCode], 90h        ; pre-fill the 8-byte code buffer with NOPs so the
       mov     byte ptr [ebp+JmpCode+1], 90h      ; bytes not covered by a 5-byte jmp are harmless
       mov     byte ptr [ebp+JmpCode+2], 90h
       mov     byte ptr [ebp+JmpCode+3], 90h
       mov     byte ptr [ebp+JmpCode_], 90h
       mov     byte ptr [ebp+JmpCode_+1], 90h
       mov     byte ptr [ebp+JmpCode_+2], 90h
       mov     byte ptr [ebp+JmpCode_+3], 90h
       mov     [ebp+OpcodeLength], 0
       mov     [ebp+TotalDecodedLength], 0
       mov     [ebp+DecodedLength], 0
       push    0
       mov     eax, [ebp+PreAddress]
       push    eax
       call    CheckFunctionWhetherBeenHooked     ; CheckFunctionWhetherBeenHooked(PreAddress, 0): per the author, checks the first byte for an existing hook
       mov     [ebp+PreAddress], eax              ; per the author: if already hooked with an absolute jmp, the jmp target is returned and becomes the site to patch
       cmp     [ebp+JmpBackBufferAddress], 0
       jz      short loc_21ACD                    ; any of the three pointers NULL -> fail
       cmp     [ebp+JmpToProxyBufferAddress], 0
       jz      short loc_21ACD
       cmp     [ebp+PreAddress], 0
       jnz     short loc_21AD4

loc_21ACD:                                        ; failure exit: return FALSE in al
       xor     al, al
       jmp     loc_21CCE
; ---------------------------------------------------------------------------

loc_21AD4:                                        ; all three pointers are non-NULL
       movzx   ecx, [ebp+IsHookCallInstruction]
       cmp     ecx, 1                             ; hooking a call instruction takes its own path (no decoding)
       jz      loc_21BF7
       mov     edx, [ebp+PreAddress]
       mov     [ebp+PreAddressIp], edx            ; decode cursor starts at the hook site

loc_21AE7:                                        ; decode loop: eax = DisAsm(PreAddressIp, &OpcodeLength), treated as the instruction length
       lea     eax, [ebp+OpcodeLength]
       push    eax
       mov     ecx, [ebp+PreAddressIp]
       push    ecx
       call    DisAsm
       mov     [ebp+DecodedLength], eax
       mov     edx, [ebp+TotalDecodedLength]
       add     edx, [ebp+DecodedLength]
       mov     [ebp+TotalDecodedLength], edx      ; TotalDecodedLength += DecodedLength
       mov     eax, [ebp+PreAddressIp]
       add     eax, [ebp+DecodedLength]
       mov     [ebp+PreAddressIp], eax            ; PreAddressIp += DecodedLength
       cmp     [ebp+TotalDecodedLength], 5
       jb      short loc_21AE7                    ; keep taking whole instructions until at least 5 bytes (one jmp rel32) are covered
                                                  ; NOTE(review): a 0 return from DisAsm would neither advance the cursor nor the total, so the loop would not terminate
       cmp     [ebp+TotalDecodedLength], 1Bh
       jbe     short loc_21B1C
       xor     al, al                             ; more than 1Bh (27) bytes would have to be displaced: give up (presumably the trampoline's capacity)
       jmp     loc_21CCE
; ---------------------------------------------------------------------------

loc_21B1C:                                        ; ordinary (non-call) hook site
       push    1                                  ; MakeSpecialAddressWriteAble(JmpBackBufferAddress, 8, 1): make the trampoline writable
       push    8                                  ; NOTE(review): length 8 is requested here, but up to TotalDecodedLength+8 bytes are written below
       mov     ecx, [ebp+JmpBackBufferAddress]
       push    ecx
       call    MakeSpecialAddressWriteAble
       mov     [ebp+WriteAble], eax               ; previous state, handed back later to restore it
       mov     edx, [ebp+PreAddress]
       movzx   eax, byte ptr [edx]
       cmp     eax, 0E9h
       jnz     short loc_21B6A                    ; first instruction is not a jmp rel32
       mov     byte ptr [ebp+JmpCode], 0E9h       ; site already starts with jmp rel32: the trampoline becomes a single jmp to that jmp's target
       mov     ecx, [ebp+PreAddress]
       mov     edx, [ecx+1]                       ; edx = rel32 displacement of the original jmp
       mov     eax, [ebp+PreAddress]
       lea     ecx, [eax+edx+5]                   ; target = PreAddress + 5 + rel32 (absolute)
       mov     [ebp+temp], ecx
       mov     edx, [ebp+JmpBackBufferAddress]
       add     edx, 5
       mov     eax, [ebp+temp]
       sub     eax, edx                           ; new rel32 = target - (JmpBackBufferAddress + 5)
       mov     [ebp+temp], eax
       mov     ecx, [ebp+temp]
       mov     [ebp+JmpCode+1], ecx               ; store the displacement into the jmp
       mov     [ebp+TotalDecodedLength], 0        ; nothing is copied; the decoded run is discarded
       jmp     short loc_21BA0
; ---------------------------------------------------------------------------

loc_21B6A:                                        ; general case: copy the displaced instructions, then jmp back past them
       mov     byte ptr [ebp+JmpCode], 0E9h       ; jmp rel32 opcode
       mov     edx, [ebp+PreAddress]
       add     edx, [ebp+TotalDecodedLength]      ; edx = PreAddress + TotalDecodedLength (resume point in the original code)
       mov     eax, [ebp+TotalDecodedLength]
       mov     ecx, [ebp+JmpBackBufferAddress]
       lea     eax, [ecx+eax+5]                   ; eax = address just past the jmp inside the trampoline
       sub     edx, eax                           ; rel32 = resume point - (JmpBackBufferAddress + TotalDecodedLength + 5)
       mov     [ebp+temp], edx
       mov     ecx, [ebp+temp]
       mov     [ebp+JmpCode+1], ecx               ; jmp-back instruction is complete
       mov     ecx, [ebp+TotalDecodedLength]
       mov     esi, [ebp+PreAddress]
       mov     edi, [ebp+JmpBackBufferAddress]
       mov     edx, ecx
       shr     ecx, 2
       rep movsd                                  ; memcpy(JmpBackBufferAddress, PreAddress, TotalDecodedLength): dwords first ...
       mov     ecx, edx
       and     ecx, 3
       rep movsb                                  ; ... then the remaining 0-3 bytes (DF assumed clear)
                                                  ; NOTE(review): the copied bytes are not relocated; any IP-relative instruction in this
                                                  ; run (other than a leading jmp rel32, handled above) would misbehave in the trampoline

loc_21BA0:                                        ; append the 8-byte jmp-back at trampoline + TotalDecodedLength
       mov     eax, [ebp+JmpBackBufferAddress]
       add     eax, [ebp+TotalDecodedLength]
       mov     ecx, [ebp+JmpCode]
       mov     [eax], ecx
       mov     edx, [ebp+JmpCode_]
       mov     [eax+4], edx                       ; trampoline = [displaced instructions] jmp back [NOP padding]
       mov     eax, [ebp+WriteAble]
       push    eax                                ; MakeSpecialAddressWriteAble(JmpBackBufferAddress, 8, WriteAble): restore the saved state
       push    8
       mov     ecx, [ebp+JmpBackBufferAddress]
       push    ecx
       call    MakeSpecialAddressWriteAble
       mov     edx, [ebp+PreAddress]
       mov     eax, [edx]
       mov     [ebp+JmpCode], eax                 ; reload the 8 original bytes at PreAddress ...
       mov     ecx, [edx+4]
       mov     [ebp+JmpCode_], ecx
       mov     byte ptr [ebp+JmpCode], 0E9h       ; ... and overlay a jmp rel32 on the first 5 of them
       mov     edx, [ebp+PreAddress]
       add     edx, 5
       mov     eax, [ebp+JmpToProxyBufferAddress]
       sub     eax, edx                           ; rel32 = JmpToProxyBufferAddress - (PreAddress + 5)
       mov     [ebp+temp], eax
       mov     ecx, [ebp+temp]
       mov     [ebp+JmpCode+1], ecx
       mov     edx, [ebp+JmpCode]
       mov     [ebp+JmpCodeDump], edx             ; JmpCodeDump/JmpCodeDump_ = the 8 bytes to install (bytes 5..7 stay original)
       mov     eax, [ebp+JmpCode_]
       mov     [ebp+JmpCodeDump_], eax
       jmp     loc_21C94
; ---------------------------------------------------------------------------

loc_21BF7:                                        ; hook site is a 5-byte call rel32: the trampoline becomes jmp <call target>
       mov     [ebp+TotalDecodedLength], 5        ; call rel32 is exactly 5 bytes; DisAsm is not consulted
       mov     ecx, [ebp+TotalDecodedLength]
       mov     esi, [ebp+PreAddress]
       lea     edi, [ebp+JmpCode]
       mov     edx, ecx
       shr     ecx, 2
       rep movsd                                  ; memcpy(JmpCode, PreAddress, 5): the call instruction itself
       mov     ecx, edx
       and     ecx, 3
       rep movsb
       mov     byte ptr [ebp+JmpCode], 0E9h       ; opcode -> jmp; NOTE(review): the byte is not verified to be E8, the caller's flag is trusted
       mov     eax, [ebp+PreAddress]
       add     eax, [ebp+TotalDecodedLength]
       add     eax, [ebp+JmpCode+1]               ; eax = PreAddress + 5 + rel32 = absolute call target
       mov     [ebp+temp], eax
       mov     ecx, [ebp+JmpBackBufferAddress]
       add     ecx, [ebp+TotalDecodedLength]
       mov     edx, [ebp+temp]
       sub     edx, ecx                           ; rel32 = call target - (JmpBackBufferAddress + 5)
       mov     [ebp+temp], edx
       mov     eax, [ebp+temp]
       mov     [ebp+JmpCode+1], eax               ; jmp <call target> is complete
       push    1                                  ; MakeSpecialAddressWriteAble(JmpBackBufferAddress, 8, 1)
       push    8
       mov     ecx, [ebp+JmpBackBufferAddress]
       push    ecx
       call    MakeSpecialAddressWriteAble
       mov     [ebp+WriteAble], eax
       mov     edx, [ebp+JmpBackBufferAddress]
       mov     eax, [ebp+JmpCode]
       mov     [edx], eax                         ; trampoline[0..7] = jmp <call target> + NOP padding
       mov     ecx, [ebp+JmpCode_]
       mov     [edx+4], ecx
       mov     edx, [ebp+WriteAble]
       push    edx                                ; restore the trampoline's previous state
       push    8
       mov     eax, [ebp+JmpBackBufferAddress]
       push    eax
       call    MakeSpecialAddressWriteAble
       mov     ecx, [ebp+PreAddress]
       mov     edx, [ecx]
       mov     [ebp+JmpCode], edx                 ; as at loc_21BA0: original 8 bytes with a jmp-to-proxy overlaid on the first 5
       mov     eax, [ecx+4]
       mov     [ebp+JmpCode_], eax
       mov     ecx, [ebp+PreAddress]
       add     ecx, 5
       mov     edx, [ebp+JmpToProxyBufferAddress]
       sub     edx, ecx                           ; rel32 = JmpToProxyBufferAddress - (PreAddress + 5)
       mov     [ebp+temp], edx
       mov     eax, [ebp+temp]
       mov     [ebp+JmpCode+1], eax
       mov     ecx, [ebp+JmpCode]
       mov     [ebp+JmpCodeDump], ecx
       mov     edx, [ebp+JmpCode_]
       mov     [ebp+JmpCodeDump_], edx

loc_21C94:                                        ; patch the hook site itself
       push    1                                  ; MakeSpecialAddressWriteAble(PreAddress, 8, 1)
       push    8
       mov     eax, [ebp+PreAddress]
       push    eax
       call    MakeSpecialAddressWriteAble
       mov     [ebp+WriteAble], eax
       mov     ecx, [ebp+JmpCodeDump_]
       push    ecx
       mov     edx, [ebp+JmpCodeDump]
       push    edx
       mov     eax, [ebp+PreAddress]
       push    eax
       call    ExInterlockedCompareExchange64Pack ; ExInterlockedCompareExchange64Pack(PreAddress, JmpCodeDump, JmpCodeDump_): the single 8-byte write that installs the hook
       mov     ecx, [ebp+ReturnValue]
       mov     [ecx], eax
       mov     [ecx+4], edx                       ; *ReturnValue = edx:eax from the exchange (presumably the replaced bytes, for later restoration)
       mov     edx, [ebp+WriteAble]
       push    edx                                ; restore PreAddress's previous state
       push    8
       mov     eax, [ebp+PreAddress]
       push    eax
       call    MakeSpecialAddressWriteAble
       mov     al, 1                              ; success

loc_21CCE:                                        ; common exit; al already holds the result
       pop     edi
       pop     esi
       mov     esp, ebp
       pop     ebp
       retn    14h                                ; stdcall: pop the five dword arguments
Hook_InlineDo endp


最新回复 (4)
看不懂也要顶,以后肯定能看懂
2011-10-9 11:39
哇噻~好东西呢!
最近也在研究HS保护,正好可以参考学习学习o(∩_∩)o
谢谢LZ…
2011-10-9 12:07
thisis今年要火了...
2011-10-9 12:58
火啦.............
2011-10-13 13:24