其中 NtOpenProcess、NtOpenThread、NtReadVirtualMemory、NtWriteVirtualMemory
都测试能够绕过TP的保护了;也查看了下KiAttachProcess的地址,已经恢复成功了,但提示还是:无法附加XXX.exe进程
是不是在应用层也进行HOOK了,所以OD无法附加?
那我应该如何去查看应用层所HOOK函数的地址?
求帮助……在这里已经困惑好久了,求大神帮忙点透一下
KiAttachProcess 函数的 HOOK 恢复代码如下:
/*
 * Pass_KiAttachProcess - overwrites the first 7 bytes of the routine that
 * KeAttachProcess calls (found by a byte-pattern scan) with a fixed prologue.
 *
 * As written, the function:
 *  1. resolves KeAttachProcess through GetNt_OldAddr (defined elsewhere in
 *     this project; its lookup semantics are not visible here),
 *  2. scans forward from that address one byte at a time for the sequence
 *     57 56 E8 <rel32> 5F 5E and decodes the call target as the address to
 *     patch,
 *  3. calls WPOFF (defined elsewhere; presumably clears CR0.WP - confirm),
 *     raises IRQL to DISPATCH_LEVEL, copies 7 bytes over the routine's entry
 *     in a byte loop, then restores IRQL and calls WPON.
 *
 * Returns 1 once the KeAttachProcess lookup succeeded, 0 if it returned NULL.
 * The return value says nothing about whether the patch target was sane.
 *
 * Review notes (risk / detection, for anyone maintaining or analysing this):
 *  - This is a direct modification of kernel code in memory - the same
 *    primitive a kernel rootkit uses. On 64-bit Windows, Kernel Patch
 *    Protection (PatchGuard) bugchecks the machine when kernel text is
 *    modified, and with HVCI the write is refused; comparing the in-memory
 *    ntoskrnl image against the on-disk file exposes it on any build.
 *  - The scan loop has no upper bound: if the pattern never matches, p walks
 *    past the end of the function until it reaches unmapped memory (bugcheck),
 *    and KiAttachProcessAddress is never assigned.
 *  - The 7 bytes are written without checking what is currently at the
 *    target, so a different kernel build, an already-clean routine or a
 *    mislocated address is overwritten just the same, corrupting kernel code.
 *  - Raising IRQL only prevents preemption on the current processor; other
 *    processors can execute the routine while the non-atomic 7-byte write is
 *    in progress.
 *  - The PULONG / ULONG pointer arithmetic assumes a 32-bit kernel.
 */
ULONG Pass_KiAttachProcess()
{
// *UX++;
unsigned char *KiAttachProcessAddress; // patch target; only assigned when the scan matches
BYTE *KeAttachProcessAddress = NULL; // address of KeAttachProcess
BYTE *p; // scan cursor
BYTE MovEaxAddress[5] = {0xB8,0,0,0,0}; // B8 imm32 (mov eax, imm32); declared but never used below
BYTE JmpEax[2] = {0xff,0xe0}; // FF E0 (jmp eax); declared but never used below
KIRQL Irql;
// signature bytes; each comment gives the offset from p actually tested in the loop
BYTE Signature1 = 0x56, // byte at p-1
Signature2 = 0x57, // byte at p-2
Signature3 = 0x5F, // byte at p+5 (the original comment said p-3; the check below reads p+5)
Signature4 = 0x5E, // byte at p+6 (the original comment said p+5; the check below reads p+6)
Signature5 = 0xE8; // first byte at p (E8 = call rel32)
KeAttachProcessAddress = (BYTE*)GetNt_OldAddr(L"KeAttachProcess");
if (KeAttachProcessAddress == NULL)
return 0;
// start the scan at the first byte of KeAttachProcess
p = KeAttachProcessAddress;
while (1)
{
if ((*(p-1) == Signature1) &&
(*(p-2) == Signature2) &&
(*(p+5) == Signature3) &&
(*(p+6) == Signature4) &&
(*p == Signature5))
{
// pattern matched: call target = rel32 stored at p+1, relative to the next instruction (p+5)
KiAttachProcessAddress = (UCHAR *)*(PULONG)(p+1)+(ULONG)(p+5);
break;
}
// advance one byte; no upper bound (see header note)
p++;
}
int i;
// 7-byte replacement; appears to be a standard x86 function prologue
// (mov edi,edi; push ebp; mov ebp,esp; push ebx; ...) hard-coded for one specific build
unsigned char newcode[] = { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x53, 0x8b};
WPOFF(); // defined elsewhere; presumably disables CR0.WP so kernel text is writable - confirm
Irql = KeRaiseIrqlToDpcLevel(); // blocks preemption on this processor only
for(i=0;i < 7;i++)
{
KiAttachProcessAddress[i] = newcode[i]; // byte-by-byte, not atomic; target contents are not verified first
}
KeLowerIrql(Irql);
WPON(); // defined elsewhere; presumably restores CR0.WP - confirm
return 1;
}