win10_arm64 驱动注入dll 到 arm32程序
思路如下:
PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
VOID LoadImageNotifyRoutine
(
__in_opt PUNICODE_STRING FullImageName,
__in HANDLE ProcessId,
__in PIMAGE_INFO ImageInfo
)
{
if ( FullImageName == L"\\SystemRoot\\SysArm32\\ntdll.dll") // arm32程序
InjectProcess(ProcessId, ImageInfo->ImageBase);
}
InjectProcess(ProcessId, NtdllImageBase)
{
GetProcAddress32(hNtdll, "NtTestAlert"); // hook NtTestAlert to shellcode,它在进程入口点前被系统调用
GetProcAddress32(hNtdll, "LdrLoadDll"); // shellcode 用 LdrLoadDll 加载 dll
shellcode_buf = AllocMem(ProcessId); // shellcode_buf 要指定在进程空间用户地址2G范围内,方便跳转
// ZwQueryVirtualMemory ZwAllocateVirtualMemory
KeStackAttachProcess(pEProcess, &ApcState);
MakeShellCode(shellcode_buf);
KeUnstackDetachProcess(&ApcState);
}
shellcode 构造:
win10_arm64 应用层代码,是 thumb & arm 混杂指令模式,
#pragma once
#include <ntddk.h>
typedef struct _D_UNICODE_STRING32 {
USHORT Length;
USHORT MaximumLength;
WCHAR * POINTER_32 Buffer;
} D_UNICODE_STRING32, *P_D_UNICODE_STRING32;
typedef
NTSTATUS (NTAPI * POINTER_32 LdrLoadDll_t)(PWCHAR PathToFile, ULONG *Flags, UNICODE_STRING *ModuleFileName, HANDLE *ModuleHandle);
#pragma pack(push, 1)
typedef struct _InjectShellCodeArm32 * POINTER_32 PInjectShellCodeArm32;
typedef struct _InjectShellCodeArm32
{
USHORT PushR0_R3; // 0F B4
USHORT PushLr; // 00 B5
USHORT MovR0Pc; // 78 46
USHORT SubR0_8; // 08 38
USHORT BlInjectFunc1; // 00 F0
USHORT BlInjectFunc2; // 18 F9
USHORT PopR0; // 01 BC
USHORT MovLrR0; // 86 46
USHORT PopR0_R3; // 0F BC
USHORT align; // 00 00
UCHAR OrigFunc[16];
PInjectLibArm32 next;
D_UNICODE_STRING32 dll; // Dst dll path
WCHAR dllBuf[260];
LdrLoadDll_t pLdrLoadDll;
UCHAR injectFunc[1];
} InjectShellCodeArm32;
#pragma pack(pop)
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2018-9-27 16:27
被囧囧编辑
,原因: