发表于: 2022-11-20 02:56 3089

[讨论]卷太卷了,前几天某位大佬写的页面HOOK,已经被科学家们安排上了,大概还原了一下,科学家们已经不限于用这个玩通讯了


/*
 * HookLargePage - give the address space rooted at DirBase a private copy of
 * the 2 MB page that contains lpBaseAddress.
 *
 * Walks PML4 -> PDPT -> PDE for lpBaseAddress and, at each level, allocates a
 * fresh page, copies the table (or, at the last level, the 2 MB data page)
 * the entry points to into it, and rewrites the entry to point at the copy
 * while keeping only the entry's low 12 attribute bits (& 0xFFF). The PML4E
 * is in the CR3-rooted table and the PDPTE/PDE are read from the copies made
 * one level up, so all rewritten entries belong to this address space; later
 * writes through lpBaseAddress land in the copy rather than in the page that
 * other address spaces map.
 *
 * DirBase       - CR3 value whose paging structures are modified; flag bits
 *                 are stripped with ClearCR3Flag before use.
 * lpBaseAddress - virtual address inside the page to copy; its bits are
 *                 reinterpreted as a PMMVA to obtain the PML4T/PDPT/PDT indices.
 *
 * Returns the virtual address of the NUM_2M * 2 allocation that backs the page
 * copy (HookLargePageApi later marks its frames bad and frees it), or NULL if
 * the PDE could not be mapped.
 *
 * Defender notes: afterwards this address space's PML4E/PDPTE/PDE for the
 * kernel range differ from the kernel's shared paging structures, and the
 * code at lpBaseAddress reads differently here than at the same virtual
 * address in any other process. Comparing a process's page-table walk for
 * kernel addresses against the system's, or hashing kernel code pages per
 * address space, exposes the condition.
 */
PVOID HookLargePage(ULONG64 DirBase, PVOID lpBaseAddress)
{
// View the pointer's bits as a 4-level VA breakdown; only the PML4T/PDPT/PDT
// index fields are read below (the PMMVA layout itself is not visible here).
PMMVA AddressInfo = (PMMVA)&lpBaseAddress;

PVOID        PML4T = (PVOID)ClearCR3Flag(DirBase);   // physical base of the PML4 table

PMMPTE        PML4E = NULL;

PVOID        PDPT = NULL;

PMMPTE        PDPTE = NULL;

PVOID        PDT = NULL;

PMMPTE      PDE = NULL;


// --- Level 1: PML4E -> duplicate the PDPT it points to ----------------------
PML4E = MapPhysicalToVirtual((ULONG64)((ULONG64)PML4T + AddressInfo->PML4T * ENTRY_SIZE));
if (PML4E != NULL)
{
    ULONG64 Permission = (*(PULONG64)PML4E) & 0xFFF;   // low attribute bits only

    // NOTE(review): this level uses AllocPhysicaMemory while the two levels
    // below use AllocLargePageMemory; Page is not NULL-checked before the copy.
    PVOID   Page = AllocPhysicaMemory(0x1000);

    PVOID  PML4EVA = MapPhysicalToVirtual(ClearCR3Flag(*(PULONG64)PML4E));

    RtlCopyMemory(Page, PML4EVA, 0x1000);              // copy the PDPT

    *(ULONG64*)((ULONG64)PML4E) = MmGetPhysicalAddress(Page).QuadPart | Permission;

    // Presumably TLB/cache maintenance. The second call repeats the first;
    // the two levels below flush the original table's mapping at this point.
    UpDataLargeTLb(Page,0X1000);
    UpDataLargeTLb(Page,0X1000);

}

// NOTE(review): PML4E is dereferenced here even when the check above failed.
// --- Level 2: PDPTE (inside the PDPT copy) -> duplicate the PDT -------------
PDPT = (PVOID)ClearCR3Flag(*(PULONG64)PML4E);
PDPTE = (PMMPTE)MapPhysicalToVirtual((ULONG64)PDPT + AddressInfo->PDPT * ENTRY_SIZE);
if (PDPTE != NULL)
{
    ULONG64 Permission = (*(PULONG64)PDPTE) & 0xFFF;

    PVOID   Page = AllocLargePageMemory(0x1000);

    PVOID   PDPTEVA = MapPhysicalToVirtual(ClearCR3Flag(*(PULONG64)PDPTE));

    RtlCopyMemory((PVOID)Page, PDPTEVA, 0x1000);       // copy the PDT

    *(ULONG64*)((ULONG64)PDPTE) = MmGetPhysicalAddress((PVOID)Page).QuadPart | Permission;


    UpDataLargeTLb(Page,0X1000);
    UpDataLargeTLb(PDPTEVA, 0X1000);

}

// NOTE(review): PDPTE is dereferenced here even when the check above failed.
// --- Level 3: PDE (inside the PDT copy) -> duplicate the 2 MB page itself ---
PDT = (PVOID)ClearCR3Flag(*(PULONG64)PDPTE);
PDE = (PMMPTE)MapPhysicalToVirtual((ULONG64)PDT + AddressInfo->PDT * ENTRY_SIZE);
if (PDE != NULL)
{
    // Cleared before the attribute bits are read, so the new PDE is not global.
    PDE->Global = 0;

    ULONG64 Permission = (*(PULONG64)PDE) & 0xFFF;

    // Over-allocate 2 x 2 MB so a 2 MB-aligned window is guaranteed inside.
    PVOID   Page = AllocLargePageMemory(NUM_2M * 2);

    ULONG64 PagePhy = MmGetPhysicalAddress(Page).QuadPart;

    ULONG64 PagePhyAlign = ROUND_UP(PagePhy, NUM_2M);

    // Offset of the aligned window. Applying a physical delta to the virtual
    // base assumes the allocation is physically contiguous — TODO confirm
    // against AllocLargePageMemory.
    ULONG64 Delta = PagePhyAlign - PagePhy;

    PVOID   PDEVA = MapPhysicalToVirtual(ClearCR3Flag(*(PULONG64)PDE));

    RtlCopyMemory((PVOID)((ULONG64)Page + Delta), PDEVA, NUM_2M);   // copy the original 2 MB page into the window

    *(ULONG64*)((ULONG64)PDE) = PagePhyAlign | Permission;         // point the PDE at the copy


    UpDataLargeTLb(Page, NUM_2M * 2);
    UpDataLargeTLb(PDEVA, NUM_2M);
    UpDataLargeTLb(lpBaseAddress, NUM_2M);

    // Returns the unaligned allocation base, not the aligned window; the
    // caller frees this pointer.
    return Page;

}


// Reached only when the PDE could not be mapped.
return NULL;

}

 

/*
 * HookLargePageApi - patch ApiAddress, NtOpenProcess and NtOpenThread in the
 * kernel code as seen from Eprocess.
 *
 * Sequence:
 *  1. Attached to Eprocess: HookLargePage(__readcr3(), ApiAddress) gives the
 *     process a private copy of the 2 MB page holding ApiAddress; the PDEs of
 *     ApiAddress, NtOpenThread and NtOpenProcess get their Global bit cleared.
 *     After detaching, UpDataLargeTLb is run on the three addresses and the
 *     ClearPDEGlobal calls are repeated.
 *  2. Attached again: HookCode (`mov rax, Proxy_ApiAddress ; jmp rax`) is
 *     written over ApiAddress, and CallReturn (`mov rax, 0 ; ret` — its imm64
 *     is never filled in) over NtOpenProcess and NtOpenThread, so in this
 *     process those two calls return 0 without running their bodies.
 *  3. Detached: every 4 KB frame of the copy is marked bad and the allocation
 *     is freed while the process's PDE still points into it.
 *
 * Eprocess            - process whose view of kernel code is modified.
 * ApiAddress          - kernel function redirected to Proxy_ApiAddress.
 * Proxy_ApiAddress    - address placed in HookCode's imm64 slot (offset 2).
 * Original_ApiAddress - not used; never read or written.
 *
 * Defender notes: the kernel text at these three addresses differs between
 * this process and the rest of the system, NtOpenProcess/NtOpenThread succeed
 * trivially from this process, and physical frames are marked bad yet still
 * referenced by a PDE — each is a checkable inconsistency.
 */
VOID HookLargePageApi(PEPROCESS Eprocess, PVOID ApiAddress, PVOID Proxy_ApiAddress, PVOID * Original_ApiAddress)
{
PVOID FakerPte = NULL;   // NUM_2M * 2 allocation returned by HookLargePage
ULONG Size = 0;          // unused
KAPC_STATE ApcState;

// mov rax, imm64 ; ret   (imm64 stays 0)
BYTE CallReturn[] =
{
    0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0xC3
};

// mov rax, imm64 ; jmp rax   (imm64 patched at offset 2 below)
BYTE HookCode[12] =
{
  0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  0xFF,0xE0
};

// Attach so __readcr3() yields Eprocess's CR3 and the copy is made in its
// paging structures.
KeStackAttachProcess(Eprocess, &ApcState);

FakerPte = HookLargePage(__readcr3(), ApiAddress);

ClearPDEGlobal(ApiAddress);
ClearPDEGlobal(NtOpenThread);
ClearPDEGlobal(NtOpenProcess);

KeUnstackDetachProcess(&ApcState);


// Presumably TLB maintenance for the three code addresses.
UpDataLargeTLb(ApiAddress, 0x1000);
UpDataLargeTLb(NtOpenProcess, 0x1000);
UpDataLargeTLb(NtOpenThread, 0x1000);

// Repeated after detaching; which CR3 ClearPDEGlobal operates on is not
// visible here.
ClearPDEGlobal(ApiAddress);
ClearPDEGlobal(NtOpenThread);
ClearPDEGlobal(NtOpenProcess);
//----------------------------------------------- detach first and flush once


// NOTE(review): only the 2 MB page holding ApiAddress was copied. If
// NtOpenProcess or NtOpenThread lie outside that page, the writes below hit
// the kernel image shared by every process.
KeAttachProcess(Eprocess);
*(PULONG64)((ULONG64)HookCode + 0x02) = (ULONG64)Proxy_ApiAddress;
RtlSuperCopyMemory(ApiAddress, HookCode, sizeof(HookCode));
RtlSuperCopyMemory(NtOpenProcess, CallReturn, sizeof(CallReturn));
RtlSuperCopyMemory(NtOpenThread, CallReturn, sizeof(CallReturn));
KeDetachProcess();



// Mark every 4 KB frame of the copy bad (presumably so the memory manager
// does not hand it out again) before freeing the allocation; the process's
// PDE still references the aligned window inside it.
// NOTE(review): FakerPte is not checked for NULL, which HookLargePage returns
// when the PDE could not be mapped.
for (ULONG64 i = 0; i < NUM_2M * 2; i += 0x1000)
{
    ULONG64 BadPag = MmGetPhysicalAddress((PVOID)((ULONG64)FakerPte + i)).QuadPart;
    MarkPhysicalMemoryAsBad(BadPag);
}




MmFreeContiguousMemory(FakerPte);
return;

}

HookLargePageApi(Eprocess, PsLookupThreadByThreadId, HookShllCode, NULL);
 
 
 
                for (ULONG i = 4; i < 65535; i = i + 4)
                {
                    PETHREAD pTempThread = NULL;
 
                    if (NT_SUCCESS(PsLookupThreadByThreadId((HANDLE)i, &pTempThread)))
                    {
 
                        if ((IoThreadToProcess(pTempThread) == Eprocess && !PsIsThreadTerminating(pTempThread)))
                        {
                            KeAttachProcess(Eprocess);
                            SaveThread->g_SaveEthread[(ULONG64)PsGetThreadId(pTempThread)] = (ULONG64)pTempThread;
                            KeDetachProcess();
 
 
 
                            *(ULONG64 *)ExpLookupHandleTableEntry((PVOID)PspCid, (ULONG64)PsGetThreadId(pTempThread)) = 0;
                            continue;
                        }
                        ObDereferenceObject(pTempThread);
 
                    }

如今的大佬们都开始清空 PspCid 线程句柄来保护 DWM，其实我想表示没吊用，人家根本不是这么找 DWM 的。还原得不太像：他构造的是 4 级页表，我直接按照内核的来，构造为 2M 的页面。
外挂样本整活群(定期更新各种好玩的外挂样本):QQ群252586714

