[原创]简单分析一下HS驱动保护 - Hook篇
发表于: 2011-10-9 11:35 11745

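// Per-hook record recovered from the driver (the name points at its shadow-SSDT
// hook table). Layout is the one noted on each field: six 4-byte members,
// naturally aligned, 0x18 bytes in total. The original notes wrote "ULONG:" and
// omitted the closing ';'; this is the same layout as valid C.
struct{
    ULONG FunctionNameAddress;      //+0x00 pointer to the function-name string
    ULONG FunctionIndex;            //+0x04 function index
    ULONG ProxyAddress;             //+0x08 address of the proxy (replacement) routine
    ULONG PreAddress;               //+0x0C address before the hook was installed
    ULONG HasBeenHooked;            //+0x10 whether the hook has already been installed
    ULONG Flag;                     //+0x14 meaning not given in the original notes
}shadow_ssdt_hook_info;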
 
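// Second per-hook record recovered from the driver. Only offsets from +0x0C on
// were noted originally; +0x00/+0x04/+0x08 follow from them on a 32-bit build,
// and the gap between +0x0D and +0x10 is two bytes of alignment padding.
// The original notes wrote "ULONG:" and ended one field with ':' instead of ';'.
struct{
    ULONG FunctionName;             //+0x00 pointer to the function-name string
    ULONG PreAddress;               //+0x04 address before the hook was installed
    PVOID BufferForJmpCode;         //+0x08 buffer holding the jump instruction
    BYTE  HasBeenHooked;            //+0x0C flag: hook already installed
    BYTE  IsHookCallInstruction;    //+0x0D flag: the hook is placed at a call instruction
                                    //+0x0E..+0x0F alignment padding (implied by the next offset)
    ULONG unknow1;                  //+0x10 not identified
    ULONG unknow2;                  //+0x14 not identified
    ULONG FunctionFlag;             //+0x18
    ULONG unknow3;                  //+0x1C not identified
}shadow_ssdt_hook_info2;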
;-----------------------------------------------------------------------
; Hook_InlineDo -- installs an inline (detour) hook at PreAddress.
;
; IDA listing of the HS driver, x86-32. The callee pops 14h bytes of
; arguments (retn 14h), i.e. five dword slots (stdcall-like).
; Approximate C view, names taken from the stack-frame equates below:
;   BOOLEAN Hook_InlineDo(PVOID JmpBackBufferAddress,    ; trampoline buffer
;                         PVOID PreAddress,              ; hook point
;                         PVOID JmpToProxyBufferAddress, ; entry into the proxy
;                         BOOLEAN IsHookCallInstruction, ; hook point is a call
;                         ULONGLONG *ReturnValue);       ; receives edx:eax of the exchange
; Out:   al = 1 on success; al = 0 when an argument is null, when
;        CheckFunctionWhetherBeenHooked resolves PreAddress to 0, or when
;        more than 1Bh bytes would have to be relocated.
; Calls: CheckFunctionWhetherBeenHooked, DisAsm, MakeSpecialAddressWriteAble,
;        ExInterlockedCompareExchange64Pack -- all defined outside this
;        listing; what their arguments mean is inferred from how they are
;        pushed here and should be confirmed against the callees.
; Flow:  generic path: decode whole instructions until >= 5 bytes are
;        covered, copy them verbatim into the trampoline and append a jmp
;        back (if byte 0 is already an E9 jmp, the trampoline is just that
;        jmp re-targeted); call path: the 5-byte call is turned into a jmp
;        to the callee inside the trampoline. Finally the first 8 bytes at
;        PreAddress are replaced with an interlocked 8-byte exchange:
;        "jmp proxy" (5 bytes) followed by the 3 original bytes.
; Regs:  esi, edi, ebp preserved; eax, ecx, edx and flags clobbered.
;-----------------------------------------------------------------------
Hook_InlineDo proc near
 
OpcodeLength            = dword ptr -2Ch     ; written by DisAsm through a pointer; contents not used here
JmpCode                 = dword ptr -28h     ; JmpCode/JmpCode_ form one contiguous 8-byte code template
JmpCode_                = dword ptr -24h
temp                    = dword ptr -20h     ; scratch for displacement arithmetic
WriteAble               = dword ptr -1Ch     ; value returned by MakeSpecialAddressWriteAble, handed back to restore
TotalDecodedLength      = dword ptr -14h     ; bytes of whole instructions taken from the hook point
PreAddressIp            = dword ptr -10h     ; decode cursor
DecodedLength           = dword ptr -0Ch     ; length of the last decoded instruction
JmpCodeDump             = dword ptr -8       ; JmpCodeDump/JmpCodeDump_ = the 8 bytes written at PreAddress
JmpCodeDump_            = dword ptr -4
 
JmpBackBufferAddress    = dword ptr  8      ; trampoline buffer: receives the relocated bytes plus the jump back
PreAddress              = dword ptr  0Ch    ; address at which the hook is installed
JmpToProxyBufferAddress = dword ptr  10h    ; buffer holding the jump into the proxy routine
IsHookCallInstruction   = byte ptr  14h     ; non-zero: the instruction at PreAddress is a call
ReturnValue             = dword ptr  18h    ; out: pointer to 8 bytes receiving edx:eax of the exchange
 
       push    ebp
       mov     ebp, esp
       sub     esp, 2Ch                           ; locals, see equates above
       push    esi                                ; esi/edi are used by rep movs below; keep them for the caller
       push    edi
       mov     byte ptr [ebp+JmpCode], 90h        ; pre-fill the 8-byte template with NOPs so the
       mov     byte ptr [ebp+JmpCode+1], 90h      ; 3 bytes after a 5-byte jmp are harmless padding
       mov     byte ptr [ebp+JmpCode+2], 90h
       mov     byte ptr [ebp+JmpCode+3], 90h
       mov     byte ptr [ebp+JmpCode_], 90h
       mov     byte ptr [ebp+JmpCode_+1], 90h
       mov     byte ptr [ebp+JmpCode_+2], 90h
       mov     byte ptr [ebp+JmpCode_+3], 90h
       mov     [ebp+OpcodeLength], 0
       mov     [ebp+TotalDecodedLength], 0
       mov     [ebp+DecodedLength], 0
       push    0                                  ; second argument is 0; its meaning is not visible here
       mov     eax, [ebp+PreAddress]
       push    eax
       call    CheckFunctionWhetherBeenHooked     ; inspect the first bytes at PreAddress for an existing hook
       mov     [ebp+PreAddress], eax              ; per the original notes: if already hooked with an absolute jump,
                                                  ; the jump target is returned and replaces PreAddress
       cmp     [ebp+JmpBackBufferAddress], 0
       jz      short loc_21ACD                    ; any null pointer -> fail
       cmp     [ebp+JmpToProxyBufferAddress], 0
       jz      short loc_21ACD
       cmp     [ebp+PreAddress], 0
       jnz     short loc_21AD4
 
loc_21ACD:                                        ; failure exit
       xor     al, al                             ; return 0
       jmp     loc_21CCE
; ---------------------------------------------------------------------------
 
loc_21AD4:                                        ; arguments validated
       movzx   ecx, [ebp+IsHookCallInstruction]
       cmp     ecx, 1                             ; 1 -> hook a call instruction (loc_21BF7), otherwise generic path
       jz      loc_21BF7
       mov     edx, [ebp+PreAddress]
       mov     [ebp+PreAddressIp], edx            ; decode cursor starts at the hook point
 
loc_21AE7:                                        ; decode one instruction per iteration
       lea     eax, [ebp+OpcodeLength]
       push    eax                                ; DisAsm(ip, &OpcodeLength); eax = instruction length (inferred from its use)
       mov     ecx, [ebp+PreAddressIp]
       push    ecx
       call    DisAsm
       mov     [ebp+DecodedLength], eax
       mov     edx, [ebp+TotalDecodedLength]
       add     edx, [ebp+DecodedLength]
       mov     [ebp+TotalDecodedLength], edx      ; TotalDecodedLength += length
       mov     eax, [ebp+PreAddressIp]
       add     eax, [ebp+DecodedLength]
       mov     [ebp+PreAddressIp], eax            ; advance the cursor
       cmp     [ebp+TotalDecodedLength], 5
       jb      short loc_21AE7                    ; keep decoding until >= 5 bytes (one jmp rel32) of whole instructions are covered
                                                  ; NOTE(review): a zero length from DisAsm would spin here; whether DisAsm can return 0 is not visible
       cmp     [ebp+TotalDecodedLength], 1Bh
       jbe     short loc_21B1C
       xor     al, al                             ; more than 1Bh bytes would be relocated -> refuse
       jmp     loc_21CCE
; ---------------------------------------------------------------------------
 
loc_21B1C:                                        ; generic (non-call) hook point
       push    1                                  ; MakeSpecialAddressWriteAble(buffer, 8, 1); 1 presumably "enable writes"
       push    8                                  ; NOTE(review): 8 here, but up to 1Bh+8 bytes are written into the buffer below --
                                                  ; confirm what this argument denotes
       mov     ecx, [ebp+JmpBackBufferAddress]
       push    ecx
       call    MakeSpecialAddressWriteAble
       mov     [ebp+WriteAble], eax               ; previous state, handed back later to restore it
       mov     edx, [ebp+PreAddress]
       movzx   eax, byte ptr [edx]
       cmp     eax, 0E9h
       jnz     short loc_21B6A                    ; first byte is not jmp rel32 -> relocate the decoded instructions
       mov     byte ptr [ebp+JmpCode], 0E9h       ; hook point already starts with jmp rel32 (e.g. an earlier hook):
       mov     ecx, [ebp+PreAddress]              ; the trampoline becomes a single jmp to the same target
       mov     edx, [ecx+1]                       ; edx = rel32 of the existing jmp
       mov     eax, [ebp+PreAddress]
       lea     ecx, [eax+edx+5]                   ; absolute target = PreAddress + 5 + rel32
       mov     [ebp+temp], ecx
       mov     edx, [ebp+JmpBackBufferAddress]
       add     edx, 5
       mov     eax, [ebp+temp]
       sub     eax, edx                           ; new rel32 = target - (buffer + 5)
       mov     [ebp+temp], eax
       mov     ecx, [ebp+temp]
       mov     [ebp+JmpCode+1], ecx               ; displacement into the template
       mov     [ebp+TotalDecodedLength], 0        ; nothing copied: the jmp is written at buffer offset 0
       jmp     short loc_21BA0
; ---------------------------------------------------------------------------
 
loc_21B6A:                                        ; relocate the decoded instructions into the trampoline
       mov     byte ptr [ebp+JmpCode], 0E9h       ; jmp rel32 back to the first instruction not copied
       mov     edx, [ebp+PreAddress]
       add     edx, [ebp+TotalDecodedLength]      ; edx = resume address = PreAddress + copied length
       mov     eax, [ebp+TotalDecodedLength]
       mov     ecx, [ebp+JmpBackBufferAddress]
       lea     eax, [ecx+eax+5]                   ; eax = address right after the trampoline jmp (buffer + copied length + 5)
       sub     edx, eax                           ; rel32 = resume address - (jmp address + 5)
       mov     [ebp+temp], edx
       mov     ecx, [ebp+temp]
       mov     [ebp+JmpCode+1], ecx               ; jmp template complete
       mov     ecx, [ebp+TotalDecodedLength]
       mov     esi, [ebp+PreAddress]
       mov     edi, [ebp+JmpBackBufferAddress]
       mov     edx, ecx
       shr     ecx, 2
       rep movsd                                  ; copy TotalDecodedLength bytes verbatim: whole dwords ...
       mov     ecx, edx
       and     ecx, 3
       rep movsb                                  ; ... then the remaining 0-3 bytes
                                                  ; NOTE(review): bytes are copied unmodified; only a leading E9 (above) is re-targeted, so any
                                                  ; other eip-relative instruction among the copied ones would execute from the wrong address
 
loc_21BA0:                                        ; append the jump back after the copied bytes
       mov     eax, [ebp+JmpBackBufferAddress]
       add     eax, [ebp+TotalDecodedLength]      ; eax = buffer + copied length (0 in the E9 case)
       mov     ecx, [ebp+JmpCode]
       mov     [eax], ecx
       mov     [eax+4], edx                       ; 8 bytes: jmp rel32 + 3 NOPs
       mov     eax, [ebp+WriteAble]
       push    eax                                ; restore the buffer's previous protection state
       push    8
       mov     ecx, [ebp+JmpBackBufferAddress]
       push    ecx
       call    MakeSpecialAddressWriteAble
       mov     edx, [ebp+PreAddress]
       mov     eax, [edx]
       mov     [ebp+JmpCode], eax                 ; build the 8 bytes that will replace the hook point:
       mov     ecx, [edx+4]
       mov     [ebp+JmpCode_], ecx                ; start from the 8 original bytes ...
       mov     byte ptr [ebp+JmpCode], 0E9h       ; ... byte 0 becomes jmp ...
       mov     edx, [ebp+PreAddress]
       add     edx, 5
       mov     eax, [ebp+JmpToProxyBufferAddress]
       sub     eax, edx                           ; ... rel32 = proxy buffer - (PreAddress + 5)
       mov     [ebp+temp], eax
       mov     ecx, [ebp+temp]
       mov     [ebp+JmpCode+1], ecx               ; bytes 5..7 stay original, so the 8-byte exchange changes only 5 bytes
       mov     edx, [ebp+JmpCode]
       mov     [ebp+JmpCodeDump], edx             ; low dword of the new 8 bytes
       mov     eax, [ebp+JmpCode_]
       mov     [ebp+JmpCodeDump_], eax            ; high dword
       jmp     loc_21C94
; ---------------------------------------------------------------------------
 
loc_21BF7:                                        ; hook point is a 5-byte call rel32
       mov     [ebp+TotalDecodedLength], 5        ; no disassembly: exactly the 5 bytes of the call are taken
       mov     ecx, [ebp+TotalDecodedLength]
       mov     esi, [ebp+PreAddress]
       lea     edi, [ebp+JmpCode]
       mov     edx, ecx
       shr     ecx, 2
       rep movsd                                  ; copy the 5 bytes (E8 rel32) into the template
       mov     ecx, edx
       and     ecx, 3
       rep movsb
       mov     byte ptr [ebp+JmpCode], 0E9h       ; call -> jmp: the trampoline tail-jumps to the original callee
       mov     eax, [ebp+PreAddress]              ; (the return address is presumably supplied by the proxy -- not visible here)
       add     eax, [ebp+TotalDecodedLength]
       add     eax, [ebp+JmpCode+1]               ; absolute callee = PreAddress + 5 + rel32
       mov     [ebp+temp], eax
       mov     ecx, [ebp+JmpBackBufferAddress]
       add     ecx, [ebp+TotalDecodedLength]      ; ecx = buffer + 5 = address after the trampoline jmp
       mov     edx, [ebp+temp]
       sub     edx, ecx                           ; rel32 = callee - (buffer + 5)
       mov     [ebp+temp], edx
       mov     eax, [ebp+temp]
       mov     [ebp+JmpCode+1], eax               ; displacement into the template
       push    1
       push    8
       mov     ecx, [ebp+JmpBackBufferAddress]
       push    ecx
       call    MakeSpecialAddressWriteAble        ; make the trampoline writable (same arguments as the generic path)
       mov     [ebp+WriteAble], eax
       mov     edx, [ebp+JmpBackBufferAddress]
       mov     eax, [ebp+JmpCode]
       mov     [edx], eax                         ; trampoline = jmp callee + 3 NOPs
       mov     ecx, [ebp+JmpCode_]
       mov     [edx+4], ecx
       mov     edx, [ebp+WriteAble]
       push    edx
       push    8
       mov     eax, [ebp+JmpBackBufferAddress]
       push    eax
       call    MakeSpecialAddressWriteAble        ; restore the buffer's protection state
       mov     ecx, [ebp+PreAddress]
       mov     edx, [ecx]
       mov     [ebp+JmpCode], edx                 ; as in the generic path: 8 original bytes, byte 0 -> jmp,
       mov     eax, [ecx+4]
       mov     [ebp+JmpCode_], eax                ; bytes 5..7 kept
       mov     ecx, [ebp+PreAddress]
       add     ecx, 5
       mov     edx, [ebp+JmpToProxyBufferAddress]
       sub     edx, ecx                           ; rel32 = proxy buffer - (PreAddress + 5)
       mov     [ebp+temp], edx
       mov     eax, [ebp+temp]
       mov     [ebp+JmpCode+1], eax
       mov     ecx, [ebp+JmpCode]
       mov     [ebp+JmpCodeDump], ecx             ; low dword of the new 8 bytes
       mov     edx, [ebp+JmpCode_]
       mov     [ebp+JmpCodeDump_], edx            ; high dword
 
loc_21C94:                                        ; common tail: patch the hook point
       push    1
       push    8
       mov     eax, [ebp+PreAddress]
       push    eax
       call    MakeSpecialAddressWriteAble        ; make the 8 bytes at PreAddress writable
       mov     [ebp+WriteAble], eax
       mov     ecx, [ebp+JmpCodeDump_]
       push    ecx
       mov     edx, [ebp+JmpCodeDump]
       push    edx
       mov     eax, [ebp+PreAddress]
       push    eax
       call    ExInterlockedCompareExchange64Pack ; the hook proper: interlocked 8-byte exchange at PreAddress (wrapper internals not shown)
       mov     ecx, [ebp+ReturnValue]
       mov     [ecx], eax
       mov     [ecx+4], edx                       ; *ReturnValue = edx:eax, the 8 bytes the exchange returned
       mov     edx, [ebp+WriteAble]
       push    edx
       push    8
       mov     eax, [ebp+PreAddress]
       push    eax
       call    MakeSpecialAddressWriteAble        ; restore protection of the hook point
       mov     al, 1                              ; success
 
loc_21CCE:                                        ; common exit; al holds the result
       pop     edi
       pop     esi
       mov     esp, ebp
       pop     ebp
       retn    14h                                ; callee pops the five dword arguments
Hook_InlineDo endp

最新回复 (4)
看不懂也要顶,以后肯定能看懂
2011-10-9 11:39
哇噻~好东西呢!
最近也在研究HS保护,正好可以参考学习学习o(∩_∩)o
谢谢LZ…
2011-10-9 12:07
thisis今年要火了...
2011-10-9 12:58
火啦.............
2011-10-13 13:24