最近working比较busy,于是没时间发帖子,现在回来发一帖,关于伪装系统版本号与系统位数的~
具体什么用途,我想会有人知道了~(某些软件在x64上会不xxx那啥你懂得,比如360的安装程序)
直接上代码,思路已经ok了,其他内容都是基本的东西(主体代码复用了我以前发的TimeMachine)~
#include "stdafx.h"
#include "nameTools.h"
// Function-pointer types matching the native NtQueryInformationProcess /
// NtQuerySystemInformation prototypes.  They are used both for the saved
// original SSDT entries (OldNt*) and for the replacement handlers (OnNt*).
typedef NTSTATUS (NTAPI *T_ZwQueryInformationProcess)(
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
);
typedef NTSTATUS (NTAPI *T_ZwQuerySystemInformation) (
IN SYSTEM_INFORMATION_CLASS SystemInfoClass,
OUT PVOID SystemInfoBuffer,
IN ULONG SystemInfoBufferSize,
OUT PULONG BytesReturned OPTIONAL
);
// Hard-coded kernel-mode address of the KUSER_SHARED_DATA page.  The value
// fits in 32 bits and every pointer in this file is carried in ULONG/DWORD,
// so this driver is x86-only by construction.
#define KI_USER_SHARED_DATA 0xffdf0000
// Typed alias for that page.  NOTE(review): nothing in this file uses the
// macro; FakeOSVersion() below casts the raw constant itself.
#define SharedUserData ((KUSER_SHARED_DATA * const) KI_USER_SHARED_DATA)
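/*
 * Overwrite one entry of the kernel service table (SSDT) with Addr and
 * return the address that was there before.  Id is the system-call index,
 * Addr the replacement routine.  HookSST() uses the returned value to keep
 * the original, and UnHookSST() calls this again with that value to put
 * it back.
 *
 * x86-only: the table base is carried in a ULONG and the slot is located
 * at Id * 4 (one 32-bit pointer per entry).
 *
 * The write is bracketed by clearing and restoring CR0.WP with interrupts
 * masked.  cli/sti only affect the current processor; nothing here
 * synchronizes with other CPUs or checks the current IRQL, so on an SMP
 * machine another processor can execute through the slot while it is
 * being rewritten.  Integrity monitors that compare SSDT entries against
 * the kernel image's own routine addresses report exactly this kind of
 * modification.
 */
ULONG HookSSDT(ULONG Id,ULONG Addr)
{
    ULONG ulOldAddr;
    ULONG Address;
    // Address of the table slot for this system call; read the current
    // entry once (the original read it twice, the first store was dead).
    Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + Id * 4;
    ulOldAddr = *(ULONG*)Address;
    // hook system calls
    __asm
    {// clear CR0.WP so the read-only table page can be written
        cli
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }
    *((ULONG*)Address) = (ULONG)Addr;//HOOK SSDT
    __asm
    {// restore CR0.WP and re-enable interrupts
        mov eax,cr0
        or eax,10000h
        mov cr0,eax
        sti
    }
    return ulOldAddr;
}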
// System-call indices resolved by HookSST(); 0 means "not found" and the
// corresponding hook is skipped.
ULONG NtQuerySystemInformationId=0;
ULONG NtQueryInformationProcessId=0;
// Original SSDT entries saved by HookSSDT() in HookSST() and written back
// by UnHookSST(); NULL means that hook was never installed.
T_ZwQuerySystemInformation OldNtQuerySystemInformation=NULL;
T_ZwQueryInformationProcess OldNtQueryInformationProcess=NULL;
/*
 * Replacement NtQuerySystemInformation installed in the SSDT.
 *
 * Every call is forwarded to the saved original.  Only when that call
 * succeeded, the class is SystemProcessorInformation and the caller is the
 * process selected by IsSomeProcess() is the result touched: the
 * ProcessorArchitecture field is overwritten with 9
 * (PROCESSOR_ARCHITECTURE_AMD64).  All other calls return untouched.
 *
 * NOTE(review): SystemInfoBuffer is cast and written without re-checking
 * SystemInfoBufferSize or probing the user buffer; this relies entirely on
 * the original call having validated the length.
 */
NTSTATUS NTAPI OnNtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInfoClass,
OUT PVOID SystemInfoBuffer,
IN ULONG SystemInfoBufferSize,
OUT PULONG BytesReturned OPTIONAL
)
{
    NTSTATUS status = OldNtQuerySystemInformation(SystemInfoClass, SystemInfoBuffer, SystemInfoBufferSize, BytesReturned);
    // pass-through for failures and for every other information class
    if (!NT_SUCCESS(status) || SystemInfoClass != SystemProcessorInformation) {
        return status;
    }
    if (IsSomeProcess()) {
        PSYSTEM_PROCESSOR_INFORMATION info = (PSYSTEM_PROCESSOR_INFORMATION)SystemInfoBuffer;
        info->ProcessorArchitecture = 9; // PROCESSOR_ARCHITECTURE_AMD64
    }
    return status;
}
/*
 * Replacement NtQueryInformationProcess installed in the SSDT.
 *
 * Every call is forwarded to the saved original.  When it succeeded, the
 * class is ProcessWow64Information and the caller is the process selected
 * by IsSomeProcess(), the returned ULONG_PTR is overwritten with 1 — a
 * non-zero value, which the caller presumably interprets as "running under
 * WOW64", consistent with the x64 architecture reported by
 * OnNtQuerySystemInformation().
 *
 * NOTE(review): the write assumes ProcessInformationLength covers a
 * ULONG_PTR and that the buffer is still valid; neither is re-checked here.
 */
NTSTATUS NTAPI
OnNtQueryInformationProcess(
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
)
{
    NTSTATUS status = OldNtQueryInformationProcess(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength);
    // IsSomeProcess() is only consulted once the cheaper checks pass
    BOOLEAN patch = NT_SUCCESS(status)
        && ProcessInformationClass == ProcessWow64Information
        && IsSomeProcess();
    if (patch) {
        *(PULONG_PTR)ProcessInformation = 1;
    }
    return status;
}
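/*
 * Rewrite the OS-version fields stored in the PEB of Process so that the
 * process sees version 6.1, build 7600, CSD 0, platform 2 — the same 6.1
 * that FakeOSVersion() writes system-wide.  Called from the process-
 * creation callback for every new process.
 *
 * Steps: open a kernel handle on the EPROCESS, query its PEB address with
 * ZwQueryInformationProcess, attach to the process so its user-mode
 * address space is visible, patch, detach, close the handle.  The writes
 * sit in __try because the PEB is user memory owned by the target and may
 * fault.
 *
 * x86-only: the (DWORD) casts and the offsets 0xA4..0xB0 are the 32-bit
 * PEB layout (presumably OSMajorVersion, OSMinorVersion, OSBuildNumber,
 * OSCSDVersion, OSPlatformId).  NOTE(review): the offsets are hard-coded
 * rather than taken from a structure definition and must be re-verified
 * against any other target build.
 *
 * No return value.  An ObOpenObjectByPointer failure and an exception in
 * the patch are logged via DbgMsg(); a ZwQueryInformationProcess failure
 * is silently ignored.  The unused local bRet of the original was removed.
 */
void PatchPebVersion(PEPROCESS Process)
{
    HANDLE hProcess = NULL;
    // get handle to target process
    NTSTATUS ns = ObOpenObjectByPointer(
        Process,
        OBJ_KERNEL_HANDLE,
        NULL,
        0,
        NULL,
        KernelMode,
        &hProcess
    );
    if (NT_SUCCESS(ns))
    {
        PROCESS_BASIC_INFORMATION ProcessInfo;
        // get address of PEB
        ns = ZwQueryInformationProcess(
            hProcess,
            ProcessBasicInformation,
            &ProcessInfo,
            sizeof(ProcessInfo),
            NULL
        );
        if (NT_SUCCESS(ns))
        {
            KAPC_STATE ApcState;
            // change context to target process so its PEB is addressable
            KeStackAttachProcess(Process, &ApcState);
            __try
            {
                PUCHAR Peb = (PUCHAR)ProcessInfo.PebBaseAddress;
                if (Peb)
                {
                    *(DWORD *)((DWORD)Peb+0xA4)=6;    // major version
                    *(DWORD *)((DWORD)Peb+0xA8)=1;    // minor version
                    *(WORD *)((DWORD)Peb+0xAC)=7600;  // build number
                    *(WORD *)((DWORD)Peb+0xAE)=0;     // CSD (service pack) number
                    *(DWORD *)((DWORD)Peb+0xB0)=2;    // platform id
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                DbgMsg(__FILE__, __LINE__, __FUNCTION__"() EXCEPTION\n");
            }
            // always detach, whether or not the patch faulted
            KeUnstackDetachProcess(&ApcState);
        }
        else
        {
            // Can't query information about process, probably 'System' or rootkit activity
        }
        ZwClose(hProcess);
    }
    else
    {
        DbgMsg(__FILE__, __LINE__, "ObOpenObjectByPointer() fails; status: 0x%.8x\n", ns);
    }
}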
/*
 * Process-creation callback registered by HookSST() through
 * PsSetCreateProcessNotifyRoutine.  On creation it resolves the new
 * EPROCESS from ProcessId, patches that process's PEB version fields and
 * releases the reference PsLookupProcessByProcessId took.  Process exit
 * (Create == FALSE) and lookup failures are ignored; ParentId is unused.
 */
void ProcessNotifyRoutineTimeMachine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    PEPROCESS target = NULL;
    if (!Create) {
        return;
    }
    if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &target))) {
        return;
    }
    PatchPebVersion(target);
    // balance the reference taken by the lookup
    ObDereferenceObject(target);
}
/*
 * Set the system-wide NtMajorVersion/NtMinorVersion in KUSER_SHARED_DATA
 * to 6.1, the same version PatchPebVersion() writes into each process's
 * PEB.  The page is written between ClearWp()/SetWp() (helpers defined
 * elsewhere in the project; the meaning of their NULL argument is not
 * visible here).  The previous values are not saved, so UnHookSST() has
 * no way to restore them.
 */
void FakeOSVersion()
{
    PKUSER_SHARED_DATA shared = (PKUSER_SHARED_DATA)KI_USER_SHARED_DATA;
    ClearWp(NULL);
    shared->NtMajorVersion = 6;
    shared->NtMinorVersion = 1;
    SetWp(NULL);
}
/*
 * Install everything: resolve the two system-call indices, fake the
 * system-wide version, register the process-creation callback and hook
 * each SSDT entry whose index was found (0 is treated as "not found" and
 * that hook is skipped).  The original entries are kept in
 * OldNtQuerySystemInformation / OldNtQueryInformationProcess for
 * UnHookSST().  Always returns STATUS_SUCCESS.
 *
 * NOTE(review): the status of PsSetCreateProcessNotifyRoutine() is not
 * checked, so a failed registration goes unnoticed.  Also, the table slot
 * is live as soon as HookSSDT() writes it, but the Old* pointer is only
 * stored after HookSSDT() returns; a call arriving in that window enters
 * the handler while its Old* pointer is still NULL.
 */
NTSTATUS HookSST()
{
    NtQuerySystemInformationId = GetSyscallNumber("NtQuerySystemInformation");
    NtQueryInformationProcessId = GetSyscallNumber("NtQueryInformationProcess");
    FakeOSVersion();
    PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutineTimeMachine, FALSE);
    if (NtQuerySystemInformationId != 0) {
        ULONG saved = HookSSDT(NtQuerySystemInformationId, (ULONG)OnNtQuerySystemInformation);
        OldNtQuerySystemInformation = (T_ZwQuerySystemInformation)saved;
    }
    if (NtQueryInformationProcessId != 0) {
        ULONG saved = HookSSDT(NtQueryInformationProcessId, (ULONG)OnNtQueryInformationProcess);
        OldNtQueryInformationProcess = (T_ZwQueryInformationProcess)saved;
    }
    return STATUS_SUCCESS;
}
/*
 * Reverse HookSST(): deregister the process-creation callback, then write
 * each saved original back into its SSDT slot (a NULL Old* pointer means
 * that hook was never installed).  KernelSleep(100) afterwards presumably
 * gives calls still executing inside the replacement handlers time to
 * return before the driver image is unloaded.  Neither FakeOSVersion()'s
 * change to KUSER_SHARED_DATA nor the per-process PEB patches are undone.
 * Always returns STATUS_SUCCESS.
 */
NTSTATUS UnHookSST()
{
    PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutineTimeMachine, TRUE);
    // restore in the same order as the original: process query first
    if (OldNtQueryInformationProcess != NULL) {
        HookSSDT(NtQueryInformationProcessId, (ULONG)OldNtQueryInformationProcess);
    }
    if (OldNtQuerySystemInformation != NULL) {
        HookSSDT(NtQuerySystemInformationId, (ULONG)OldNtQuerySystemInformation);
    }
    KernelSleep(100);
    return STATUS_SUCCESS;
}
PS:
求捐助,求赞助,求投资,欢迎联系QQ:86879759
欲购买 AntiGameProtect或UltraGameProtect系列代码与产品 也欢迎联系。
qq技术扯淡群1:171797360
qq技术扯淡群2:1748876
yy技术扯淡频道:80252844