[旧帖] [求助]重构KeStackAttachProcess 0.00雪花
发表于: 2015-8-23 18:15 1795
最近在32位下发现KeStackAttachProcess被某p保护inline hook了。
所以我就把它恢复了，可是发现有检测：该函数被 unhook 后就会导致机器重启。于是我把被 hook 的地方保存下来，使用后马上恢复回去，可是这样仍有很小的几率被检测到，实践中也确实如此。
所以我就想把这个函数重构一下。下面是汇编代码，可惜小弟汇编不好，写好函数后调用，发现有些问题。
下面贴出代码，请大神帮忙看看：我不知道函数的参数应该如何传进去。
// Runtime-resolved locations of the kernel internals the inline asm below
// reads or calls. All are plain unsigned long holders; how (and on which
// kernel build) they are resolved is not shown on this page.
// NOTE(review): the asm reaches these variables in two different ways —
// `call dword ptr[_imp__KeRaiseIrqlToDpcLeveladdr]` loads through the
// variable, while `call KeBugCheckExaddr`, `call HvlNotifyLongSpinWaitaddr`
// and `call KiAttachProcessaddr` use the variable's own storage address as
// the branch target, and `test dword ptr[HvlLongSpinCountMaskaddr], ebx` /
// `test byte ptr[HvlEnlightenmentsaddr], 40h` test the variable's contents
// rather than what they point to. The two forms are not interchangeable;
// confirm which reading of each "...addr" name is intended.
unsigned long KeBugCheckExaddr;                 // KeBugCheckEx — used on the bugcheck-5 path
unsigned long _imp__KeRaiseIrqlToDpcLeveladdr;  // KeRaiseIrqlToDpcLevel — the one call made through dword ptr[]
unsigned long HvlLongSpinCountMaskaddr;         // tested directly as a dword against the spin count
unsigned long HvlEnlightenmentsaddr;            // tested directly as a byte: bit 40h gates HvlNotifyLongSpinWait
unsigned long HvlNotifyLongSpinWaitaddr;        // HvlNotifyLongSpinWait(spin count)
unsigned long KiAttachProcessaddr;              // internal attach routine: three stack args, thread passed in eax (as the asm uses it)
unsigned long KeStackAttachProcessaddr;         // declared but not referenced by the asm block on this page
// myAttachProcess — hand-transcribed body of the 32-bit kernel's
// KeStackAttachProcess (per the post), re-emitted as MSVC inline asm.
//   EProcess = [ebp+8]    target process
//   ApcState = [ebp+0Ch]  caller-supplied KAPC_STATE output block
// Every structure offset below (fs:[124h], fs:[1A54h], [esi+50h], [esi+60h],
// [esi+134h], [esi+170h], [ApcState+10h]) is hard-coded from one specific
// kernel build and nothing here checks the running build; on any other build
// the reads hit the wrong fields, which can corrupt thread state or bugcheck.
// Risk: besides that build coupling, a private copy that calls KiAttachProcess
// directly instead of the exported entry is itself an anomalous caller of a
// kernel internal from an integrity-monitoring point of view.
// NOTE(review): the asm block carries its own push ebp / mov ebp,esp frame and
// ends in `ret 8`, yet the function is declared as an ordinary C function (not
// naked, not __stdcall), so the compiler also emits a frame around the block
// and expects the caller to pop the arguments — both frames cannot be right at
// once; confirm how this is meant to be assembled before trusting the stack.
// NOTE(review): `call KeBugCheckExaddr` / `call HvlNotifyLongSpinWaitaddr` /
// `call KiAttachProcessaddr` use the variable's address as the target, while
// the IRQL call uses `call dword ptr[...]` to load through it — confirm which
// form is intended for each.
NTSTATUS myAttachProcess(void* EProcess, void* ApcState)
{
__asm
{
mov edi, edi                                   ; 2-byte no-op (presumably the hot-patch pad carried over from the original prologue)
push ebp
mov ebp, esp
push ecx                                       ; reserve one dword local: [ebp-4] = saved IRQL byte, written after KeRaiseIrqlToDpcLevel
push ebx                                       ; callee-saved; ebx = spin count
push esi                                       ; callee-saved; esi = current thread
mov esi, dword ptr fs : [124h]                 ; esi = current KTHREAD (KPCR+124h on x86 - build-specific)
mov ecx, dword ptr fs : [1A54h]                ; ecx = per-processor state word at KPCR+1A54h (presumably a DPC/attach-disallowed flag word - build-specific, confirm)
mov eax, 10001h                                ; the two bits in that word that make an attach illegal here
push edi                                       ; callee-saved; edi = address of the lock word
test eax, ecx
je myAttachProcess3f                           ; neither bit set: normal path (fall-through is the error path)
myAttachProcess20:
; illegal attach: KeBugCheckEx(5 = INVALID_PROCESS_ATTACH_ATTEMPT, EProcess, [esi+50h], [esi+134h], stateword & 10001h)
mov ecx, dword ptr fs : [1A54h]
and ecx, eax
movzx eax, byte ptr[esi + 134h]
push ecx
push eax
push dword ptr[esi + 50h]
push dword ptr[ebp + 8]
push 5
call KeBugCheckExaddr                          ; NOTE(review): `call var` form, see header
int 3                                          ; not expected to return
myAttachProcess3f:
mov eax, dword ptr[ebp + 8]                    ; eax = EProcess
cmp dword ptr[esi + 50h], eax                  ; already attached to this process? ([esi+50h] looks like ApcState.Process - confirm)
jne myAttachProcess53
myAttachProcess47 :
mov eax, dword ptr[ebp + 0Ch]                  ; eax = ApcState (output block)
mov dword ptr[eax + 10h], 1                    ; ApcState->(+10h) = 1: marker for "no attach performed" (presumably read by the detach side - confirm)
jmp myAttachProcessc5
myAttachProcess53 :
call dword ptr[_imp__KeRaiseIrqlToDpcLeveladdr] ; al = previous IRQL; now at DISPATCH_LEVEL
mov byte ptr[ebp - 4], al                      ; keep previous IRQL for KiAttachProcess
lea edi, [esi + 60h]                           ; edi = &lock word inside the thread (presumably the APC queue lock - confirm)
xor ebx, ebx                                   ; ebx = spin count
jmp myAttachProcess85                          ; attempt the lock first; spin only on contention
myAttachProcess63 :
; contention path: bump the spin count; when (count & HvlLongSpinCountMask) == 0 and enlightenment bit 40h is set, notify the hypervisor, otherwise pause
inc ebx
test dword ptr[HvlLongSpinCountMaskaddr], ebx
jne myAttachProcess7d
myAttachProcess6c :
test byte ptr[HvlEnlightenmentsaddr], 40h
je myAttachProcess7d
myAttachProcess75 :
push ebx
call HvlNotifyLongSpinWaitaddr                 ; HvlNotifyLongSpinWait(spin count) - NOTE(review): `call var` form, see header
jmp myAttachProcess7f
myAttachProcess7d :
pause
myAttachProcess7f :
mov eax, dword ptr[edi]                        ; re-read the lock word; keep spinning while it is non-zero
test eax, eax
jne myAttachProcess63
myAttachProcess85 :
xor eax, eax
mov ecx, edi
inc eax                                        ; eax = 1
xchg eax, dword ptr[ecx]                       ; atomic test-and-set; eax = previous lock value
test eax, eax
jne myAttachProcess63                          ; lock was held: go spin
myAttachProcess90 :
; lock acquired; eax == 0 here, so the cmp below is against 0
cmp byte ptr[esi + 134h], al                   ; [esi+134h] == 0 ? (presumably ApcStateIndex - confirm)
je myAttachProcessaa
myAttachProcess98 :
; thread already has a nested attach: KiAttachProcess(EProcess, prevIrql, ApcState) with eax = thread
push dword ptr[ebp + 0Ch]
mov eax, esi
push dword ptr[ebp - 4]
push dword ptr[ebp + 8]
call KiAttachProcessaddr                       ; NOTE(review): `call var` form, see header
jmp myAttachProcessc5
myAttachProcessaa :
; first attach: KiAttachProcess(EProcess, prevIrql, &thread->(+170h)) with eax = thread ([esi+170h] presumably SavedApcState - confirm)
lea eax, [esi + 170h]
push eax
push dword ptr[ebp - 4]
mov eax, esi
push dword ptr[ebp + 8]
call KiAttachProcessaddr
mov eax, dword ptr[ebp + 0Ch]
and dword ptr[eax + 10h], 0                    ; ApcState->(+10h) = 0: a real attach happened (contrast with the 1 written at myAttachProcess47)
myAttachProcessc5:
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret 8                                          ; pops the two dword args (stdcall-style) - NOTE(review): the C declaration is not __stdcall, see header
}
}