-
-
攻破 Window AMD64 平台的 PatchGuard - 让 PatchGuard Context 失效
-
发表于: 2018-11-27 22:37
-
前文说到如何找到加密的 PatchGuard Context, 先来看一下 CmpAppendDllSection (window 10 build 10.0.17763.1) 函数 :
从函数内部,很轻易的就可以分析出头部的地址的计算方法, Context + *(LONG*)(Context + 7e8h(各版本不同)), 再来看一下入口函数:
这里可以看到 14034eed 这里请了DR7 寄存器, 让硬件断点失效, 所以调试的时候硬件断点要放在这个地址之前, 再来看一下结尾部分的代码:
函数在结束的时候进入了SdbpCheckDll,
这个函数什么也没做, 就是把栈和寄存器清空了.
看过很多别出心裁的方法让
PatchGuard 失效, 我使用的方法比较简单, 直接HOOK入口点让代码正常返回, 这里有两种情况, 先看一下版本号小于 17134, 没有开启btc的情况 :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 | VOIDNTAPISetNewEntryForEncryptedContext( __inout PPATCHGUARD_BLOCK PatchGuardBlock, __in PVOID PatchGuardContext, __in ULONG64 RorKey){ ULONG64 LastRorKey = 0; ULONG RvaOfEntry = 0; ULONG64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 }; ULONG FieldIndex = 0; ULONG Index = 0; PCHAR ControlPc = NULL; // 这里先取 RVA 的偏移, 8字节对齐, 计算密钥的加密次数 FieldIndex = (PatchGuardBlock->RvaOffsetOfEntry - PatchGuardBlock->SizeOfCmpAppendDllSection) / sizeof(ULONG64); // 复制到缓存中 RtlCopyMemory( FieldBuffer, (PCHAR)PatchGuardContext + (PatchGuardBlock->RvaOffsetOfEntry & ~7), sizeof(FieldBuffer)); // 计算缓存的最后一个密钥 LastRorKey = RorKey; for (Index = 0; Index < FieldIndex; Index++) { LastRorKey = __ROL64(LastRorKey, Index); } // 解密缓存 for (Index = 0; Index < RTL_NUMBER_OF(FieldBuffer); Index++) { LastRorKey = __ROL64(LastRorKey, FieldIndex + Index); FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; } // 计算入口的地址 RvaOfEntry = *(PULONG)((PCHAR)FieldBuffer + (PatchGuardBlock->RvaOffsetOfEntry & 7)); // 计算密钥的加密次数 FieldIndex = (RvaOfEntry - PatchGuardBlock->SizeOfCmpAppendDllSection) / sizeof(ULONG64); // 复制入口的代码到缓存 这里考虑到对齐 需要最少 24 个字节 RtlCopyMemory( FieldBuffer, (PCHAR)PatchGuardContext + (RvaOfEntry & ~7), sizeof(FieldBuffer)); // 计算缓存的最后一个密钥 LastRorKey = RorKey; for (Index = 0; Index < FieldIndex; Index++) { LastRorKey = __ROL64(LastRorKey, Index); } // 解密缓存 for (Index = 0; Index < RTL_NUMBER_OF(FieldBuffer); Index++) { LastRorKey = __ROL64(LastRorKey, FieldIndex + Index); FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; } // 生成 HOOK 代码 "\xff\x25\x00\x00\x00\x00" ControlPc = (PCHAR)FieldBuffer + (RvaOfEntry & 7); BuildJumpCode( PatchGuardBlock->_ClearEncryptedContext._ShellCode, &ControlPc); // 重新加密缓存 while (Index--) { FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; LastRorKey = __ROR64(LastRorKey, FieldIndex + Index); } // 替换掉原始加密数据 RtlCopyMemory( (PCHAR)PatchGuardContext + (RvaOfEntry & ~7), FieldBuffer, sizeof(FieldBuffer));} |
在 17134 版本之后由于 RVA 被加密, 并且无法正常加密 CONTEXT, 所以我采用了另外一种方法去找入口点, 方法类似上文找Context 的方法, 由4个Field 碰撞成功已经可以确认这是一个 PatchGuard 的 Context, 继续用入口点的真实代码去碰撞这段内存, 就可以100% 命中.
下面看代码,
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 | VOIDNTAPISetNewEntryForEncryptedWithBtcContext( __inout PPATCHGUARD_BLOCK PatchGuardBlock, __in PVOID PatchGuardContext, __in SIZE_T ContextSize){ ULONG64 RorKey = 0; ULONG64 LastRorKey = 0; ULONG LastRorKeyOffset = 0; ULONG64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 }; ULONG FieldIndex = 0; ULONG AlignOffset = 0; ULONG Index = 0; PULONG64 ControlPc = NULL; PULONG64 TargetPc = NULL; ULONG CompareCount = 0; // 由于头部的第一个字节可能不对齐 所以我们最多可能需要循环 7 次 CompareCount = (ContextSize - PatchGuardBlock->SizeOfCmpAppendDllSection) / 8 - 1; for (AlignOffset = 0; AlignOffset < 8; AlignOffset++) { ControlPc = (PULONG64)((PCHAR)PatchGuardBlock->EntryPoint + AlignOffset); TargetPc = (PULONG64)((PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection); for (Index = 0; Index < CompareCount; Index++) { RorKey = TargetPc[Index + 1] ^ ControlPc[1]; LastRorKey = RorKey; RorKey = __ROR64(RorKey, Index + 1); RorKey = _btc64(RorKey, RorKey); if ((TargetPc[Index] ^ RorKey) == ControlPc[0]) { // 命中数据 goto found; } } }found: // 判断没有没命中 当然这几乎不太可能发生 if (Index != CompareCount) { // 计算对齐点 FieldIndex = Index - (0 == (AlignOffset & 7) ? 0 : 1); LastRorKeyOffset = 2 + (0 == (AlignOffset & 7) ? 0 : 1); // 复制代码到缓存 RtlCopyMemory( FieldBuffer, (PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection + FieldIndex * 8, sizeof(FieldBuffer)); // 解密缓存代码 RorKey = LastRorKey; Index = LastRorKeyOffset; while (Index--) { FieldBuffer[Index] = FieldBuffer[Index] ^ RorKey; RorKey = __ROR64(RorKey, FieldIndex + Index); RorKey = _btc64(RorKey, RorKey); } // 生成 HOOK 代码 ControlPc = (PCHAR)FieldBuffer + 8 - AlignOffset; BuildJumpCode( PatchGuardBlock->_ClearEncryptedContext._ShellCode, &ControlPc); // 重新加密代码 RorKey = LastRorKey; Index = LastRorKeyOffset; while (Index--) { FieldBuffer[Index] = FieldBuffer[Index] ^ RorKey; RorKey = __ROR64(RorKey, FieldIndex + Index); RorKey = _btc64(RorKey, RorKey); } // 写回去 RtlCopyMemory( (PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection + FieldIndex * 8, FieldBuffer, sizeof(FieldBuffer)); }} |
再来看一下HOOK后的操作 :
1 2 | add rsp, 30h ret |
讲下这里 为啥是 30h, 入口是从CmpAppendDllSection 进入的 入口代码是 :
28h + call 压入的ret 地址 刚好是30h 这样就返回了上层调用函数, 因为PatchGuard 实际上什么也没干所以直接就可以返回了, 到这里加密 Context 部分的操作要点基本就说完了, 当 Context 已经解密并且已经在执行的时候应该怎么办, 这个留到下节再说. 最后我在贴一个DPC 触发异常进入CmpAppendDllSection 的代码, 当然只是10种解密中的一个, 有兴趣可以调试看看:
1 2 | sub rsp, 28h call rax |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 | .text:00000001401CA89A ExpCenturyDpcRoutine$fin$0: ; DATA XREF: .rdata:00000001403D09AC↓o.text:00000001401CA89A ; .pdata:000000014047B220↓o.text:00000001401CA89A ; __finally // owned by 14015AABE.text:00000001401CA89A 40 53 push rbx.text:00000001401CA89C 55 push rbp.text:00000001401CA89D 48 83 EC 38 sub rsp, 38h.text:00000001401CA8A1 48 8B EA mov rbp, rdx.text:00000001401CA8A4 88 4D 50 mov [rbp+50h], cl.text:00000001401CA8A7 84 C9 test cl, cl.text:00000001401CA8A9 0F 84 0E 02 00 00 jz loc_1401CAABD.text:00000001401CA8AF E9 36 01 00 00 jmp loc_1401CA9EA.text:00000001401CA8B4 ; ---------------------------------------------------------------------------.text:00000001401CA8B4.text:00000001401CA8B4 loc_1401CA8B4: ; CODE XREF: ExpCenturyDpcRoutine+7004C↓j.text:00000001401CA8B4 45 33 D2 xor r10d, r10d.text:00000001401CA8B7 44 89 55 54 mov [rbp+54h], r10d.text:00000001401CA8BB 48 8B 5D 38 mov rbx, [rbp+38h].text:00000001401CA8BF.text:00000001401CA8BF loc_1401CA8BF: ; CODE XREF: ExpCenturyDpcRoutine+6FF1F↓j.text:00000001401CA8BF 4D 8B 01 mov r8, [r9].text:00000001401CA8C2 4C 89 85 18 01 00 00 mov [rbp+118h], r8.text:00000001401CA8C9 49 8B D0 mov rdx, r8.text:00000001401CA8CC 48 8B 05 95 AD 2F 00 mov rax, cs:KiWaitNever.text:00000001401CA8D3 48 33 D0 xor rdx, rax.text:00000001401CA8D6 8B C8 mov ecx, eax.text:00000001401CA8D8 48 D3 C2 rol rdx, cl.text:00000001401CA8DB 48 33 D3 xor rdx, rbx.text:00000001401CA8DE 48 0F CA bswap rdx.text:00000001401CA8E1 48 33 15 80 AF 2F 00 xor rdx, cs:KiWaitAlways.text:00000001401CA8E8 49 89 11 mov [r9], rdx.text:00000001401CA8EB 41 8B C2 mov eax, r10d.text:00000001401CA8EE 49 0F AF C3 imul rax, r11.text:00000001401CA8F2 48 03 C2 add rax, rdx.text:00000001401CA8F5 49 89 01 mov [r9], rax.text:00000001401CA8F8 41 8B C8 mov ecx, r8d.text:00000001401CA8FB F7 D1 not ecx.text:00000001401CA8FD 83 E1 3F and ecx, 3Fh.text:00000001401CA900 B8 C8 00 00 00 mov eax, 0C8h.text:00000001401CA905 41 2B C2 sub eax, r10d.text:00000001401CA908 41 0F AF C2 imul eax, r10d.text:00000001401CA90C 48 D3 C8 ror rax, cl.text:00000001401CA90F 48 33 D8 xor rbx, rax.text:00000001401CA912 48 89 5D 38 mov [rbp+38h], rbx.text:00000001401CA916 41 83 E0 3F and r8d, 3Fh.text:00000001401CA91A 41 8A C8 mov cl, r8b.text:00000001401CA91D 48 D3 C3 rol rbx, cl.text:00000001401CA920 48 89 5D 38 mov [rbp+38h], rbx.text:00000001401CA924 49 03 DB add rbx, r11.text:00000001401CA927 48 89 5D 38 mov [rbp+38h], rbx.text:00000001401CA92B 45 33 C0 xor r8d, r8d.text:00000001401CA92E 44 89 45 58 mov [rbp+58h], r8d.text:00000001401CA932.text:00000001401CA932 loc_1401CA932: ; CODE XREF: ExpCenturyDpcRoutine+6FF0A↓j.text:00000001401CA932 41 0F B6 01 movzx eax, byte ptr [r9].text:00000001401CA936 83 E0 0F and eax, 0Fh.text:00000001401CA939 0F B6 54 05 40 movzx edx, byte ptr [rbp+rax+40h].text:00000001401CA93E 49 83 21 F0 and qword ptr [r9], 0FFFFFFFFFFFFFFF0h.text:00000001401CA942 49 0B 11 or rdx, [r9].text:00000001401CA945 49 89 11 mov [r9], rdx.text:00000001401CA948 48 C1 CA 04 ror rdx, 4.text:00000001401CA94C 49 89 11 mov [r9], rdx.text:00000001401CA94F 41 FF C0 inc r8d.text:00000001401CA952 44 89 45 58 mov [rbp+58h], r8d.text:00000001401CA956 41 83 F8 10 cmp r8d, 10h.text:00000001401CA95A 72 D6 jb short loc_1401CA932.text:00000001401CA95C 49 83 C1 08 add r9, 8.text:00000001401CA960 4C 89 4D 60 mov [rbp+60h], r9.text:00000001401CA964 41 FF C2 inc r10d.text:00000001401CA967 44 89 55 54 mov [rbp+54h], r10d.text:00000001401CA96B 41 83 FA 19 cmp r10d, 19h.text:00000001401CA96F 0F 82 4A FF FF FF jb loc_1401CA8BF.text:00000001401CA975 48 B9 F5 6F 1B AD 5F 93 44 62 mov rcx, 6244935FAD1B6FF5h.text:00000001401CA97F 49 8B 03 mov rax, [r11].text:00000001401CA982 48 33 C1 xor rax, rcx.text:00000001401CA985 48 89 45 38 mov [rbp+38h], rax.text:00000001401CA989 48 8B 45 38 mov rax, [rbp+38h].text:00000001401CA98D 48 B9 DB 27 2A BC 17 A2 15 6A mov rcx, 6A15A217BC2A27DBh.text:00000001401CA997 48 33 C1 xor rax, rcx.text:00000001401CA99A 48 89 45 38 mov [rbp+38h], rax.text:00000001401CA99E 41 C6 03 2E mov byte ptr [r11], 2Eh ; 写入 CmpAppendDllSection 头部4字节解密数据.text:00000001401CA9A2 41 C6 43 01 48 mov byte ptr [r11+1], 48h.text:00000001401CA9A7 41 C6 43 02 31 mov byte ptr [r11+2], 31h.text:00000001401CA9AC 41 C6 43 03 11 mov byte ptr [r11+3], 11h.text:00000001401CA9B1 45 33 C9 xor r9d, r9d.text:00000001401CA9B4 45 33 C0 xor r8d, r8d.text:00000001401CA9B7 48 8B 55 38 mov rdx, [rbp+38h].text:00000001401CA9BB 49 8B CB mov rcx, r11.text:00000001401CA9BE 49 8B C3 mov rax, r11.text:00000001401CA9C1 E8 4A ED FE FF call _guard_dispatch_icall ;这里进入 CmpAppendDllSection.text:00000001401CA9C6 C7 45 5C 01 00 00 00 mov dword ptr [rbp+5Ch], 1.text:00000001401CA9CD 8B 45 30 mov eax, [rbp+30h].text:00000001401CA9D0 83 C0 02 add eax, 2.text:00000001401CA9D3 89 45 30 mov [rbp+30h], eax.text:00000001401CA9D6 48 8D 15 FD 00 F9 FF lea rdx, loc_14015AADA.text:00000001401CA9DD 48 8B 8D 38 01 00 00 mov rcx, [rbp+138h].text:00000001401CA9E4 E8 77 42 FC FF call _local_unwind.text:00000001401CA9E9 90 nop.text:00000001401CA9EA.text:00000001401CA9EA loc_1401CA9EA: ; CODE XREF: ExpCenturyDpcRoutine+6FE5F↑j.text:00000001401CA9EA 8B 45 30 mov eax, [rbp+30h].text:00000001401CA9ED 83 F8 02 cmp eax, 2.text:00000001401CA9F0 0F 85 AB 00 00 00 jnz loc_1401CAAA1.text:00000001401CA9F6 48 8B 8D CA 00 00 00 mov rcx, [rbp+0CAh].text:00000001401CA9FD 48 89 8D E8 00 00 00 mov [rbp+0E8h], rcx.text:00000001401CAA04 4C 8B 85 C2 00 00 00 mov r8, [rbp+0C2h].text:00000001401CAA0B 48 8B 85 CA 00 00 00 mov rax, [rbp+0CAh].text:00000001401CAA12 48 89 85 00 01 00 00 mov [rbp+100h], rax.text:00000001401CAA19 48 8B 55 7A mov rdx, [rbp+7Ah].text:00000001401CAA1D 49 D3 C8 ror r8, cl.text:00000001401CAA20 8B C8 mov ecx, eax.text:00000001401CAA22 48 D3 C2 rol rdx, cl.text:00000001401CAA25 4C 8B 5A 40 mov r11, [rdx+40h].text:00000001401CAA29 4C 89 5D 38 mov [rbp+38h], r11.text:00000001401CAA2D 4D 33 D8 xor r11, r8.text:00000001401CAA30 48 B8 00 00 00 00 00 80 FF FF mov rax, 0FFFF800000000000h.text:00000001401CAA3A 4C 0B D8 or r11, rax.text:00000001401CAA3D 4C 89 9D 10 01 00 00 mov [rbp+110h], r11.text:00000001401CAA44 4D 8B CB mov r9, r11.text:00000001401CAA47 4C 89 5D 60 mov [rbp+60h], r11.text:00000001401CAA4B 41 8B CB mov ecx, r11d.text:00000001401CAA4E 83 E1 3F and ecx, 3Fh.text:00000001401CAA51 49 8B C3 mov rax, r11.text:00000001401CAA54 48 D3 C8 ror rax, cl.text:00000001401CAA57 48 89 45 38 mov [rbp+38h], rax.text:00000001401CAA5B C7 45 40 09 0A 0C 01 mov dword ptr [rbp+40h], 10C0A09h.text:00000001401CAA62 C7 45 44 0F 00 05 0E mov dword ptr [rbp+44h], 0E05000Fh.text:00000001401CAA69 C7 45 48 04 03 07 0D mov dword ptr [rbp+48h], 0D070304h.text:00000001401CAA70 C7 45 4C 08 06 02 0B mov dword ptr [rbp+4Ch], 0B020608h.text:00000001401CAA77 33 D2 xor edx, edx.text:00000001401CAA79 89 55 54 mov [rbp+54h], edx.text:00000001401CAA7C 8B C2 mov eax, edx.text:00000001401CAA7E 4C 8D 45 40 lea r8, [rbp+40h].text:00000001401CAA82 4C 03 C0 add r8, rax.text:00000001401CAA85.text:00000001401CAA85 loc_1401CAA85: ; CODE XREF: ExpCenturyDpcRoutine+7004A↓j.text:00000001401CAA85 41 8A 08 mov cl, [r8].text:00000001401CAA88 83 F1 09 xor ecx, 9.text:00000001401CAA8B 88 4C 15 40 mov [rbp+rdx+40h], cl.text:00000001401CAA8F FF C2 inc edx.text:00000001401CAA91 89 55 54 mov [rbp+54h], edx.text:00000001401CAA94 49 FF C0 inc r8.text:00000001401CAA97 83 FA 10 cmp edx, 10h.text:00000001401CAA9A 72 E9 jb short loc_1401CAA85.text:00000001401CAA9C E9 13 FE FF FF jmp loc_1401CA8B4.text:00000001401CAAA1 ; ---------------------------------------------------------------------------.text:00000001401CAAA1.text:00000001401CAAA1 loc_1401CAAA1: ; CODE XREF: ExpCenturyDpcRoutine+6FFA0↑j.text:00000001401CAAA1 48 8B 85 CA 00 00 00 mov rax, [rbp+0CAh].text:00000001401CAAA8 48 89 85 40 01 00 00 mov [rbp+140h], rax.text:00000001401CAAAF 48 8B 95 C2 00 00 00 mov rdx, [rbp+0C2h].text:00000001401CAAB6 8B C8 mov ecx, eax.text:00000001401CAAB8 48 D3 CA ror rdx, cl.text:00000001401CAABB 8B 02 mov eax, [rdx].text:00000001401CAABD.text:00000001401CAABD loc_1401CAABD: ; CODE XREF: ExpCenturyDpcRoutine+6FE59↑j.text:00000001401CAABD 48 83 C4 38 add rsp, 38h.text:00000001401CAAC1 5D pop rbp.text:00000001401CAAC2 5B pop rbx.text:00000001401CAAC3 C3 retn |
源码 :Shark
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏记录
参与人
雪币
留言
时间
dx苹果的心愿
为你点赞~
2022-1-7 18:13
qsls9
为你点赞~
2019-1-22 21:41
Foodie
为你点赞~
2018-11-28 09:39
Editor
为你点赞~
2018-11-28 09:34
万剑归宗
为你点赞~
2018-11-28 08:42
sxpp
为你点赞~
2018-11-28 00:24
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
前面说了,CmpAppendDllSection本身双加密了,暴力搜索搜不到的 |
|
|
|
|
|
DeviceGuard了解一下 |
|
|
|
|
|
不止某地,拆迁6也有人用上了。 |
|
|
|
|
|
|
|
|
|
|
|
如果是乱码 看看是不是ror的计算次数搞错了 另外PatchGuardEntryPoint 这段搜索代码 是从ntos文件中获取的 |
|
|
win8.1 9600.17415上面,PatchGuardEntryPoint相对于上下文的RVA是存在上下文+0x420处,在0x424和0x428处还存了RtlLookupFunctionEntryEx和FsRtlUninitializeSmallMcb相对于上下文的RVA。我每次解密上下文,这三处的值都是固定不变的,这说明我的ROR计算次数应该没问题。PatchGuardEntryPoint的头部指令也是从ntos中重新提取的。 |
|
|
这就不太清楚了 根据RVA算下地址看看 会不会是已经被修改了 |
hzqst
