打算直接hook 函数头 前15个字节
现在已经把前15个字节替换,这里ret 过去的是自己申请的虚拟地址
这里执行一遍被破坏的指令就直接ret了 返回地址也是fffff801`2c3290ef
蓝屏错误信息是 "Virtual address for the attempted execute."
内核 inline hook 不能用虚拟地址吗?
插入代码
/**
 * Installs an inline hook over the first 15 bytes of PspUserThreadStartup
 * (address obtained from GetPspUserThreadStartup()), as the post above
 * describes.
 *
 * What the listing actually does (see the byte tables below):
 *   1. allocates one page of NonPagedPool into `cs` (not declared here —
 *      presumably a file-scope PVOID; verify) and zeroes it;
 *   2. copies the target's original first 15 bytes into cs, followed by a
 *      hand-assembled "return to target + 15" sequence;
 *   3. overwrites the target's first 15 bytes with HookCode, which
 *      transfers control to cs via `push rax; mov rax, cs; push rax; ret`.
 *
 * Review notes — defects visible in this listing, each of which can
 * explain a crash on its own:
 *   - The 8-byte stores at "JMPBackCode + 2" and "JMPBackCode2 + 4" run
 *     past the end of the 6-byte and 8-byte arrays they target (stack
 *     buffer overruns; only 4 bytes of each store fit).
 *   - The return address is hard-coded (0xFFFFF801`2C3290EF split into
 *     low/high dwords) instead of being derived from Nexaddr, which is
 *     computed and then never used. The constant is only valid for the
 *     boot on which it was observed (kernel ASLR).
 *   - ExAllocatePoolWithTag's result is used by RtlSecureZeroMemory and
 *     memcpy without a NULL check.
 *   - The original 15 bytes are copied without disassembly. If byte 15 is
 *     not an instruction boundary, or those bytes contain RIP-relative or
 *     rel32 operands, the relocated copy in cs does not execute
 *     equivalently (cannot be verified from this listing).
 *   - HookCode leaves the pushed RAX on the stack, so the relocated
 *     original bytes run with RSP shifted by 8 until the `pop rax` at
 *     cs + 15; any RSP-relative instruction among them sees the wrong frame.
 *   - The bugcheck text quoted in the post ("Virtual address for the
 *     attempted execute") is what the kernel reports when execution reaches
 *     a page that is not mapped executable, and the pool page in cs is the
 *     only new code destination this function introduces. Patching kernel
 *     code and executing from pool are exactly what kernel integrity
 *     mitigations (non-executable pool, KPP/PatchGuard, HVCI) are designed
 *     to detect and block, so the crash is the expected behaviour of a
 *     protected kernel, not a problem with "virtual addresses" as such.
 *   - Two __debugbreak() calls are left in; with no kernel debugger
 *     attached each one bugchecks by itself.
 *
 * No parameters, no return value and no error reporting: every failure
 * above surfaces as a bugcheck rather than a status code. WPOFFx64/WPONx64
 * presumably clear and restore the CR0 write-protect bit around the patch
 * (see their definitions; not shown here).
 */
VOID HOOKPspUserThreadStartup()
{
PVOID pHookaddr = (PVOID)GetPspUserThreadStartup();
DbgPrint("pHookaddr:%p\n", pHookaddr);
/*
 * 15-byte detour written over the target's prologue. The imm64 at offset 3
 * is filled in below with the address of cs; the last two bytes are NOPs.
push rax
MOV RAX, 0x9090909090909090
PUSH RAX
RET
*/
BYTE HookCode[] =
{
0x50,0x48, 0xB8, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x50, 0xC3,0x90,0x90
};
//50 48 B8 90 90 90 90 90 90 90 90 50 C3
// Return sequence placed after the relocated bytes in cs (intended layout
// per the comment below: pop rax; push low dword; store high dword at
// [rsp+4]; ret). The imm32 fields are patched at +2 and +4 below.
// NOTE(review): JMPBackCode is 6 bytes but receives an 8-byte store at +2.
BYTE JMPBackCode[] =
{
0x58,0x68, 0x90, 0x90,0x90, 0x90
};
// NOTE(review): JMPBackCode2 is 8 bytes but receives an 8-byte store at +4.
BYTE JMPBackCode2[] =
{
0xC7, 0x44, 0x24, 0x04, 0x90, 0x90, 0x90, 0x90
};
// NOP padding followed by the final ret.
BYTE JMPBackCode3[] =
{
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xC3
};
//58 68 - - - - C7 44 24 04 - - - - C3
//DbgPrint("pHookaddr -->%p\n", pHookaddr);
// cs: one page of pool that will hold the relocated prologue; not checked
// for NULL before use. Executing from this page is what the quoted
// bugcheck objects to.
cs = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, 'cs');
RtlSecureZeroMemory(cs, PAGE_SIZE);
// Address the relocated code should return to. Computed but unused: the two
// stores below use a hard-coded address instead.
PVOID Nexaddr = (PVOID)((ULONG64)pHookaddr + 15);
*(PINT64)(HookCode + 3) = (INT64)cs;
// Low dword of the hard-coded return address; writes 8 bytes into a 6-byte
// array (overrun).
*(PINT64)(JMPBackCode + 2) = 0x2C3290EF;//((INT64)Nexaddr >> 32) << 32;
// High dword of the hard-coded return address; writes 8 bytes at offset 4 of
// an 8-byte array (overrun).
* (PINT64)(JMPBackCode2 + 4) = 0xFFFFF801;//(INT)Nexaddr << 32;
//DbgPrint("Nexaddr: %p\n", (INT64)Nexaddr);
//DbgPrint("high Nexaddr>>32: %p\n", ((INT64)Nexaddr >>32)<<32);
//DbgPrint("low Nexaddr<<32: %p\n", (INT64)Nexaddr << 32);
//DbgPrint("JMPCode:-->%p\n", (INT64)&NewPspUserThreadStartup - (ULONG64)pHookaddr + 5);
//
// Breaks into the kernel debugger; bugchecks if none is attached.
__debugbreak();
// Presumably disables write protection for the code patch below — confirm
// against the helper's definition.
KIRQL irql=WPOFFx64();
memcpy(cs, pHookaddr, 15);// save the original 15 bytes (no instruction-boundary check)
memcpy((PVOID)((ULONG64)cs+15), JMPBackCode, 6);// jump back
memcpy((PVOID)((ULONG64)cs + 21), JMPBackCode2, 8);// jump back (test)
memcpy((PVOID)((ULONG64)cs + 29), JMPBackCode3, 9);// jump back (test)
// Overwrite the target prologue with the detour (&HookCode == HookCode here).
memcpy(pHookaddr, &HookCode,15);
DbgPrint("cs-->%p\n", cs);
// Second breakpoint; same caveat as above.
__debugbreak();
WPONx64(irql);
}