首页
社区
课程
招聘
[求助]inline hook编译成dll后失效
发表于: 2021-4-23 23:30 4198

[求助]inline hook编译成dll后失效

2021-4-23 23:30
4198
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#include"hook.h"
 
 
 
 
BYTE g_OldData32[5] = { 0 };
BYTE g_OldData64[12] = { 0 };
 
pfnZwQuerySystemInformation fnZwQuerySystemInformation = NULL;
 
 NTSTATUS __stdcall My_ZwQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength)
{
    DWORD dwHidePid = 42912;    //1.要隐藏的进程ID
    UnHook();
 
    // 调用原函数
    NTSTATUS status = fnZwQuerySystemInformation(SystemInformationClass, SystemInformation,
        SystemInformationLength, ReturnLength);
    // 判断
    if (NT_SUCCESS(status) && 5 == SystemInformationClass)
    {
        PSYSTEM_PROCESS_INFORMATION pCur = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
        PSYSTEM_PROCESS_INFORMATION pPrev = NULL;
        while (TRUE)
        {
            //判断进程名是否是隐藏进程
            char pc[255] = "\0";
            sprintf_s(pc, 255, "%ws", pCur->ImageName.Buffer);
            if (!strcmp(pc, "pp.exe"))
            {
                //pPrev -- 指向前一个
                //pCur  -- 指向当前
                //pNext -- 指向下一个
              //找到隐藏进程,清除进程信息,即将pPrev的NextEntryOffset字段改为pNext偏移
                if (0 == pCur->NextEntryOffset && pPrev)
                    pPrev->NextEntryOffset = 0;
                else
                    pPrev->NextEntryOffset = pPrev->NextEntryOffset + pCur->NextEntryOffset;
            }
            else
            {
                pPrev = pCur;
            }
            if (0 == pCur->NextEntryOffset)
            {
                break;
            }
            pCur = (PSYSTEM_PROCESS_INFORMATION)((BYTE*)pCur + pCur->NextEntryOffset);
        }
    }
    HookAPI();
    return status;
}
 
 
void HookAPI()
{
    // 1.获取Ntdll中的ZwQuerySystemInformation函数地址
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    fnZwQuerySystemInformation = (pfnZwQuerySystemInformation)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
    if (!fnZwQuerySystemInformation)return;
    // 2.修改地址
#ifndef _WIN64
    BYTE pData[5] = { 0xE9 };
    DWORD dwOffset = (DWORD)My_ZwQuerySystemInformation - (DWORD)fnZwQuerySystemInformation - 5;
    RtlCopyMemory(&pData[1], &dwOffset, sizeof(dwOffset));
    //保存前5字节数据
    RtlCopyMemory(g_OldData32, fnZwQuerySystemInformation, 5);
#else
    BYTE pData[12] = { 0x48,0xB8,0,0,0,0,0,0,0,0,0x50,0xC3 };
    ULONGLONG dwDestAddr = (ULONGLONG)My_ZwQuerySystemInformation;
    printf("%llx\n", dwDestAddr);
    RtlCopyMemory(&pData[2], &dwDestAddr, sizeof(dwDestAddr));
    //保存前12字节数据
    RtlCopyMemory(g_OldData64, fnZwQuerySystemInformation, 12);
#endif
    // 3.设置页面属性可读可写可执行
    DWORD dwOldProtect = 0;
    VirtualProtect(fnZwQuerySystemInformation, sizeof(pData), PAGE_EXECUTE_READWRITE, &dwOldProtect);
    RtlCopyMemory(fnZwQuerySystemInformation, pData, sizeof(pData));
    VirtualProtect(fnZwQuerySystemInformation, sizeof(pData), dwOldProtect, &dwOldProtect);
}
 
void UnHook()
{
    DWORD dwOldProtect = 0;
#ifndef _WIN64
    VirtualProtect(fnZwQuerySystemInformation, sizeof(g_OldData32), PAGE_EXECUTE_READWRITE, &dwOldProtect);
    RtlCopyMemory(fnZwQuerySystemInformation, g_OldData32, sizeof(g_OldData32));
    VirtualProtect(fnZwQuerySystemInformation, sizeof(g_OldData32), dwOldProtect, &dwOldProtect);
#else
    VirtualProtect(fnZwQuerySystemInformation, sizeof(g_OldData64), PAGE_EXECUTE_READWRITE, &dwOldProtect);
    RtlCopyMemory(fnZwQuerySystemInformation, g_OldData64, sizeof(g_OldData64));
    VirtualProtect(fnZwQuerySystemInformation, sizeof(g_OldData64), dwOldProtect, &dwOldProtect);
#endif
 
}

利用inline hook ZwQuerySystemInformation实现进程隐藏,直接编译成exe可以成功,但是编译成dll后用LoadLibrary加载程序崩溃,用X64dbg调试后应该是获取到的My_ZwQuerySystemInformation地址有问题,无法跳过去,这一步该如何处理


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2021-4-24 01:12 被999编辑 ,原因:
收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 220
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
请问您知道,c编译后的obj文件怎么加密吗
2021-4-30 20:45
0
游客
登录 | 注册 方可回帖
返回
//