[分享github] 借用卡巴VT实现Hook ssdt
2020-8-30 12:38
[分享github] 借用卡巴VT实现Hook ssdt
hook ssdt shadow_ssdt 稳如狗
卡巴帮你初始化的VT环境,你说稳不稳
我们只要写回调函数就好了
VS2019直接编译
https://github.com/iPower/KasperskyHook
搜索卡巴VT
// Locate the klhk.sys internals this module depends on, each by byte signature
// via utils::find_pattern_km. The first signature that is not found aborts the
// whole initialisation with false; globals resolved before that point keep
// their values. The `?` bytes in the masks are 32-bit RIP-relative displacement
// fields, so a target is computed as
//   instruction address + displacement + instruction length.
bool kaspersky::initialize()
{
    // SetHvmEvent is referenced directly by its code bytes.
    set_hvm_event = reinterpret_cast< f_SetHvmEvent >( utils::find_pattern_km( L"klhk.sys", ".text", "\x48\x83\xEC\x38\x48\x83\x3D",
        "xxxxxxx" ) );
    if ( !set_hvm_event )
        return false;

    // Service table: a 7-byte instruction whose rel32 field starts at byte 3.
    auto match = utils::find_pattern_km( L"klhk.sys", "_hvmcode", "\x4C\x8D\x0D\x00\x00\x00\x00\x4D", "xxx????x" );
    if ( !match )
        return false;

    // Resolve the RIP-relative operand of the instruction at `match`;
    // `disp_off` is the byte offset of the rel32 field, `insn_len` the encoded
    // length of the instruction. Captures `match` by reference so it follows
    // the reassignments below.
    const auto rel32_target = [ &match ]( int disp_off, int insn_len )
    {
        return match + *reinterpret_cast< int* >( match + disp_off ) + insn_len;
    };

    system_dispatch_array = reinterpret_cast< void*** >( rel32_target( 0x3, 0x7 ) );

    // SSDT service count: 6-byte instruction, rel32 at byte 2.
    match = utils::find_pattern_km( L"klhk.sys", ".text", "\x3B\x1D\x00\x00\x00\x00\x73\x56", "xx????xx" );
    if ( !match )
        return false;
    ssdt_service_count = reinterpret_cast< unsigned int* >( rel32_target( 0x2, 0x6 ) );

    // Shadow SSDT service count: same encoding shape as above.
    match = utils::find_pattern_km( L"klhk.sys", ".text", "\x89\x05\x00\x00\x00\x00\x8B\xFB", "xx????xx" );
    if ( !match )
        return false;
    shadow_ssdt_service_count = reinterpret_cast< unsigned int* >( rel32_target( 0x2, 0x6 ) );

    // Provider data: same encoding shape as above.
    match = utils::find_pattern_km( L"klhk.sys", ".text", "\x39\x2D\x00\x00\x00\x00\x75", "xx????x" );
    if ( !match )
        return false;
    provider = reinterpret_cast< unsigned int* >( rel32_target( 0x2, 0x6 ) );

    return true;
}
Hook SSDT
// Replace the SSDT dispatch slot `index` in the service table located by
// initialize() with `dest`, handing the slot's previous target back through
// `poriginal`.
//
// Returns false when the table has not been located, when `dest` or
// `poriginal` is null, when the SSDT service count is zero (table not built),
// or when `index` is not below that count. No write happens in those cases.
bool kaspersky::hook_ssdt_routine( unsigned short index, void* dest, void** poriginal )
{
    const bool have_table = system_dispatch_array != nullptr;
    if ( !have_table || dest == nullptr || poriginal == nullptr )
        return false;

    const auto limit = get_svc_count_ssdt();
    // A zero count means the table is not populated; anything at or past the
    // count is not an SSDT slot.
    const bool in_range = limit != 0 && index < limit;
    if ( !in_range )
        return false;

    // Each table element is a pointer to the slot holding the target address.
    void** slot = system_dispatch_array[ index ];
    *poriginal = *slot;
    *slot = dest;
    return true;
}
Hooks shadow SSDT
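// Replace the shadow-SSDT dispatch slot for service number `index` with
// `dest`, handing the slot's previous target back through `poriginal`.
//
// As the arithmetic below shows, shadow service numbers carry a 0x1000 base
// and the shadow entries sit after the SSDT entries in one combined table:
//   slot  = (index - 0x1000) + ssdt_count
//   limit = ssdt_count + shadow_count
//
// Returns false when the table has not been located, when `dest` or
// `poriginal` is null, when either service count is zero, when `index` is
// below the 0x1000 base, or when the computed slot is not below `limit`.
// No write happens in those cases.
bool kaspersky::hook_shadow_ssdt_routine( unsigned short index, void* dest, void** poriginal )
{
    if ( !system_dispatch_array || !dest || !poriginal )
        return false;

    // Without this guard `index - 0x1000` goes negative; added to the unsigned
    // SSDT count it wraps and can land on an SSDT slot, so a non-shadow index
    // would silently overwrite the wrong entry.
    if ( index < 0x1000 )
        return false;

    const auto svc_count = get_svc_count_ssdt();
    const auto svc_count_shadow_ssdt = get_svc_count_shadow_ssdt();
    // Both counts must be known before any slot can be addressed.
    // (Was `return nullptr;` in a bool-returning function.)
    if ( !svc_count || !svc_count_shadow_ssdt )
        return false;

    const auto index_dispatch_table = ( index - 0x1000 ) + svc_count;
    const auto dispatch_table_limit = svc_count + svc_count_shadow_ssdt;
    if ( index_dispatch_table >= dispatch_table_limit )
        return false;

    // Each table element is a pointer to the slot holding the target address.
    void** slot = system_dispatch_array[ index_dispatch_table ];
    *poriginal = *slot;
    *slot = dest;
    return true;
}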