-
-
[讨论][转帖][讨论][原创]windows Hook内核api,能过win10 22H2的pg
-
2023-12-6 17:35
-
最近一直在思考如何hook内核函数而不触发pg,于是我在看雪找到一篇文章讲解如何hook内核函数不触发pg,链接:https://bbs.kanxue.com/thread-266781.htm。 文章并没有讲解思路,直接贴上代码,在看完他的代码后,我理解了其思路,发现代码有点冗长,存在一些多余的操作,不过这也给了我过pg的思路。
windows64位系统内核中内核函数线性地址对应的物理地址是pte里面的物理地址,是不是可以修改pte里面物理地址从而改变线性地址对应的物理地址,但是内核中的函数的pte里面的物理地址是全局的,只要一修改,其他进程也会受到影响。好在我们通过进程的Cr3找到进程的内核函数地址对应的PXE,这个PXE不是全局的,如果修改了PXE里面的值,该进程内核函数对应的物理地址也就变了,但是不会影响的其他进程。于是我们可以重构页表,通过修改PXE,PDPTE,PDE,PTE来修改该进程内核函数对应的物理地址,从而可以对该内核函数进行hook而不触发pg。大致做法如下图:
我们可以通过映射物理内存到虚拟内存的方法来修改PXE,PDPTE,PDE,PTE。
这里一共两份源码,一份win7,一份win10,win10的源码针对2Mb大页的。
下面是源码:
支持win7
#include<ntifs.h>
ULONG_PTR pPhyAddr[5] = { 0 };
typedef struct _HARDWARE_PTE
{
ULONG64 Valid : 1;
ULONG64 Write : 1;
ULONG64 Owner : 1;
ULONG64 WriteThrough : 1;
ULONG64 CacheDisable : 1;
ULONG64 Accessed : 1;
ULONG64 Dirty : 1;
ULONG64 LargePage : 1;
ULONG64 Global : 1;
ULONG64 CopyOnWrite : 1;
ULONG64 Prototype : 1;
ULONG64 reserved0 : 1;
ULONG64 PageFrameNumber : 36;
ULONG64 reserved1 : 4;
ULONG64 SoftwareWsIndex : 11;
ULONG64 NoExecute : 1;
} HARDWARE_PTE, *PHARDWARE_PTE;
BOOLEAN InitHook(ULONG_PTR VirtualAddress_s, ULONG Pid, ULONG_PTR offset)
{
//1获取虚拟内存的PXE PDPTE pde,pte的索引
ULONG PxeIndex = (VirtualAddress_s >> 0x27) & 0x1FF;
UINT32 PPEIndex = (VirtualAddress_s >> 0x1E) & 0x1FF; //PPEIndex
UINT32 PDEIndex = (VirtualAddress_s >> 0x15) & 0x1FF; //PDEIndex
UINT32 PTEIndex = (VirtualAddress_s >> 0xC) & 0x1FF;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 | //DbgBreakPoint();//2 获取要hook进程的CR3PEPROCESS pEprocess = NULL;NTSTATUS status = PsLookupProcessByProcessId(Pid, &pEprocess);if (!NT_SUCCESS(status)){ return 0;}ULONG_PTR Cr3PhyAddr = *(PULONG64)((ULONG64)pEprocess + KERNEL_CR3_OFFSET);PHYSICAL_ADDRESS Cr3 = { 0 };Cr3.QuadPart = Cr3PhyAddr;ULONG_PTR VirtualAddresss = MmMapIoSpace(Cr3, PAGE_SIZE, MmNonCached);//由于Cr3是物理地址我们需要映射到虚拟内存中去if (!VirtualAddresss){ return 0;}//3 构建页表//*(PULONG64)(VirtualAddresss + PxeIndex * 8) |= 70;PHYSICAL_ADDRESS Low = { 0 };PHYSICAL_ADDRESS High = { MAXULONG64 };//ppepPhyAddr[0] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached);ULONG_PTR newPPEphy = MmGetPhysicalAddress(pPhyAddr[0]).QuadPart;ULONG_PTR PPEPhyAddr = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber) * 0x1000;PHYSICAL_ADDRESS temp = { 0 };temp.QuadPart = PPEPhyAddr;ULONG_PTR VirtualAddress_PPE= MmMapIoSpace(temp, PAGE_SIZE, MmNonCached);memcpy(pPhyAddr[0], VirtualAddress_PPE, PAGE_SIZE);//pdepPhyAddr[1] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached);ULONG_PTR newPDEphy= MmGetPhysicalAddress(pPhyAddr[1]).QuadPart;ULONG_PTR pdePhy= (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PPE + PPEIndex * 8))->PageFrameNumber) * 0x1000;temp.QuadPart = pdePhy;ULONG_PTR VirtualAddress_PDE = MmMapIoSpace(temp,PAGE_SIZE, MmNonCached);memcpy(pPhyAddr[1], VirtualAddress_PDE, PAGE_SIZE);//ptepPhyAddr[2] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached);ULONG_PTR newPTEphy = MmGetPhysicalAddress(pPhyAddr[2]).QuadPart;ULONG_PTR ptePhy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PDE + PDEIndex * 8))->PageFrameNumber) * 0x1000;temp.QuadPart = ptePhy;ULONG_PTR VirtualAddress_PTE = MmMapIoSpace(temp, PAGE_SIZE, MmNonCached);memcpy(pPhyAddr[2], VirtualAddress_PTE, PAGE_SIZE);//物理内存pPhyAddr[3] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached);ULONG_PTR newphy = MmGetPhysicalAddress(pPhyAddr[3]).QuadPart;ULONG_PTR Phy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PTE + PTEIndex * 8))->PageFrameNumber) * 0x1000;temp.QuadPart = Phy;ULONG_PTR VirtualAddress_PHY = MmMapIoSpace(temp, PAGE_SIZE, MmNonCached);memcpy(pPhyAddr[3], VirtualAddress_PHY, PAGE_SIZE);//ULONG_PTR ss3 = pPhyAddr[3];//ULONG_PTR ss1 = pPhyAddr[1];//ULONG_PTR ss2 = pPhyAddr[2];//DbgBreakPoint();//4 修改PXE PPE PDE PTE从而改变((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber = newPPEphy >> 12;((PHARDWARE_PTE)(pPhyAddr[0] + PPEIndex * 8))->PageFrameNumber = newPDEphy >> 12;((PHARDWARE_PTE)(pPhyAddr[1] + PDEIndex * 8))->PageFrameNumber = newPTEphy >> 12;((PHARDWARE_PTE)(pPhyAddr[2] + PTEIndex * 8))->PageFrameNumber = newphy >> 12;((PHARDWARE_PTE)(pPhyAddr[2] + PTEIndex * 8))->Write = 1;*(PUCHAR)(pPhyAddr[3] + offset + 0x27) = 0x90;*(PUCHAR)(pPhyAddr[3] + offset + 0x28) = 0x90;*(PUCHAR)(pPhyAddr[3] + offset + 0x29) = 0xc3;return TRUE; |
}
VOID unstallHook()
{
1 2 3 4 | MmFreeContiguousMemory(pPhyAddr[0]);MmFreeContiguousMemory(pPhyAddr[1]);MmFreeContiguousMemory(pPhyAddr[2]);MmFreeContiguousMemory(pPhyAddr[3]); |
}
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
unstallHook();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRes)
{
pDriver->DriverUnload = DriverUnload;
UNICODE_STRING ss = { 0 };
RtlInitUnicodeString(&ss, L"NtOpenProcess");
ULONG_PTR NtOpenAddr = MmGetSystemRoutineAddress(&ss);
ULONG_PTR funcVir = NtOpenAddr & ~(0xfff);
ULONG_PTR funcOffset = NtOpenAddr & 0xfff;
InitHook(funcVir, 2280, funcOffset);
//SetPTEHook(ssz);
return STATUS_SUCCESS;
}
当我附加到被我下钩子的进程,NtOpenProcess的结果在内存中是这样的:
附加到我们没有HOOK的其他进程:
在win7 64位系统中存在了5小时未发生pg。
我的这份源码纯粹是为了实验,封装的不太好,请谅解。
由于我刚学习64位系统内核没多久,可能文章会有一些错误,希望各位大佬能够指正。
对于win10,由于不能像win7用同样的方法映射页表的物理内存,我换了一种方式,且这次是2Mb的大页,细节有很多发生了变化,但思路还是一样的,我没有完善卸载函数,卸载的时候会蓝屏。
下面是源码:
ULONG_PTR pPhyAddr[5] = { 0 };
ULONG IsPdeLager = 0;
ULONG_PTR newPPEphy = 0;
//ULONG_PTR pPhyAddr[5] = { 0 };
ULONG_PTR newPDEphy = 0;
ULONG_PTR newPTEphy = 0;
ULONG_PTR newphy = 0;
typedef struct _HARDWARE_PTE
{
ULONG64 Valid : 1;
ULONG64 Write : 1;
ULONG64 Owner : 1;
ULONG64 WriteThrough : 1;
ULONG64 CacheDisable : 1;
ULONG64 Accessed : 1;
ULONG64 Dirty : 1;
ULONG64 LargePage : 1;
ULONG64 Global : 1;
ULONG64 CopyOnWrite : 1;
ULONG64 Prototype : 1;
ULONG64 reserved0 : 1;
ULONG64 PageFrameNumber : 36;
ULONG64 reserved1 : 4;
ULONG64 SoftwareWsIndex : 11;
ULONG64 NoExecute : 1;
} HARDWARE_PTE, *PHARDWARE_PTE;
BOOLEAN InitHook(ULONG_PTR VirtualAddress_s, ULONG Pid, ULONG_PTR offset)
{
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 | //1获取虚拟内存的PXE PDPTE pde,pte的索引ULONG PxeIndex = (VirtualAddress_s >> 0x27) & 0x1FF;UINT32 PPEIndex = (VirtualAddress_s >> 0x1E) & 0x1FF; //PPEIndexUINT32 PDEIndex = (VirtualAddress_s >> 0x15) & 0x1FF; //PDEIndexUINT32 PTEIndex = (VirtualAddress_s >> 0xC) & 0x1FF; //DbgBreakPoint(); //2 获取要hook进程的CR3PEPROCESS pEprocess = NULL;NTSTATUS status = PsLookupProcessByProcessId(Pid, &pEprocess);if (!NT_SUCCESS(status)){ return 0;}HANDLE hMemory = NULL;UNICODE_STRING unName = { 0 };RtlInitUnicodeString(&unName, L"\\Device\\PhysicalMemory");OBJECT_ATTRIBUTES obj;InitializeObjectAttributes(&obj, &unName, OBJ_CASE_INSENSITIVE, NULL, NULL);status = ZwOpenSection(&hMemory, SECTION_ALL_ACCESS, &obj);if (!NT_SUCCESS(status)){ return 0;}SIZE_T sizeView = PAGE_SIZE;PVOID sectionObj = NULL;status = ObReferenceObjectByHandle(hMemory, SECTION_ALL_ACCESS, NULL, KernelMode, §ionObj, NULL);if (!NT_SUCCESS(status)){ return status;}ULONG_PTR Cr3PhyAddr = *(PULONG64)((ULONG64)pEprocess + KERNEL_CR3_OFFSET)&~(0xf);PHYSICAL_ADDRESS Cr3 = { 0 };Cr3.QuadPart = Cr3PhyAddr;ULONG_PTR VirtualAddresss = NULL;status = ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddresss, 0, PAGE_SIZE, &Cr3, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE);//ULONG_PTR VirtualAddresss = MmMapIoSpace(Cr3, PAGE_SIZE, MmNonCached);//由于Cr3是物理地址我们需要映射到虚拟内存中去if (!NT_SUCCESS(status)){ return 0;}//3 构建页表//*(PULONG64)(VirtualAddresss + PxeIndex * 8) |= 70;PHYSICAL_ADDRESS Low = { 0 };PHYSICAL_ADDRESS High = { MAXULONG64 };//ppedo { pPhyAddr[0] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); newPPEphy = MmGetPhysicalAddress(pPhyAddr[0]).QuadPart; ULONG_PTR PPEPhyAddr = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber) * 0x1000; PHYSICAL_ADDRESS temp = { 0 }; temp.QuadPart = PPEPhyAddr; ULONG_PTR VirtualAddress_PPE = NULL; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PPE, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[0], VirtualAddress_PPE, PAGE_SIZE); //pde pPhyAddr[1] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); newPDEphy = MmGetPhysicalAddress(pPhyAddr[1]).QuadPart; ULONG_PTR pdePhy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PPE + PPEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = pdePhy; ULONG_PTR VirtualAddress_PDE = NULL; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PDE, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[1], VirtualAddress_PDE, PAGE_SIZE); //pte ULONG_PTR ptePhy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PDE + PDEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = ptePhy; if (((PHARDWARE_PTE)(VirtualAddress_PDE + PDEIndex * 8))->LargePage == 1) { pPhyAddr[2] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE* 1024, Low, High, Low, MmCached); memset(pPhyAddr[2], 0, PAGE_SIZE * 1024); ULONG_PTR Real = MmGetPhysicalAddress(pPhyAddr[2]).QuadPart; ULONG_PTR Real1 = Real; ULONG_PTR Realtemp = 0; if (Real == 0) { MmFreeContiguousMemory(pPhyAddr[0]); MmFreeContiguousMemory(pPhyAddr[1]); MmFreeContiguousMemory(pPhyAddr[2]); return FALSE; } ULONG i = 0; for (i = 0; i < 1024; i++) { Real += PAGE_SIZE; //Real &= 0x1fffff; Realtemp = Real & 0x1fffff; if (!Realtemp) break; } DbgBreakPoint(); pPhyAddr[2] += PAGE_SIZE * (i+1); newPTEphy = MmGetPhysicalAddress(pPhyAddr[2]).QuadPart; ULONG_PTR VirtualAddress_PTE = NULL; sizeView = PAGE_SIZE * 0x200; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PTE, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[2], VirtualAddress_s &~(0x1fffff), PAGE_SIZE*0x200); ((PHARDWARE_PTE)(pPhyAddr[0] + PPEIndex * 8))->PageFrameNumber = newPDEphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[1] + PDEIndex * 8))->PageFrameNumber = newPTEphy >> 12; //((PHARDWARE_PTE)(pPhyAddr[2] + PTEIndex * 8))->Write = 1; ULONG_PTR newOffset = (VirtualAddress_s & 0x1ff000) + offset; //((PHARDWARE_PTE)(pPhyAddr[1] + PTEIndex * 8))->Write = 1; *(PUCHAR)(pPhyAddr[2] + newOffset + 0x27) = 0x90; *(PUCHAR)(pPhyAddr[2] + newOffset + 0x28) = 0x90; *(PUCHAR)(pPhyAddr[2] + newOffset + 0x29) = 0xc3; ULONG_PTR ss = pPhyAddr[2]; ULONG_PTR ss2 = VirtualAddress_s & ~(0x1fffff); IsPdeLager = 1; break; } pPhyAddr[2] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); newPTEphy = MmGetPhysicalAddress(pPhyAddr[2]).QuadPart; ULONG_PTR VirtualAddress_PTE = NULL; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PTE, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[2], VirtualAddress_PTE, PAGE_SIZE); //物理内存 pPhyAddr[3] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); newphy = MmGetPhysicalAddress(pPhyAddr[3]).QuadPart; ULONG_PTR Phy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PTE + PTEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = Phy; ULONG_PTR VirtualAddress_PHY = NULL; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PHY, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[3], VirtualAddress_PHY, PAGE_SIZE);} while (0);//ULONG_PTR ss3 = pPhyAddr[3];//ULONG_PTR ss1 = pPhyAddr[1];//ULONG_PTR ss2 = pPhyAddr[2];//DbgBreakPoint();//4 修改PXE PPE PDE PTE从而改变if (IsPdeLager){ ((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber = newPPEphy >> 12; return TRUE;}((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber = newPPEphy >> 12;((PHARDWARE_PTE)(pPhyAddr[0] + PPEIndex * 8))->PageFrameNumber = newPDEphy >> 12;((PHARDWARE_PTE)(pPhyAddr[1] + PDEIndex * 8))->PageFrameNumber = newPTEphy >> 12;((PHARDWARE_PTE)(pPhyAddr[2] + PTEIndex * 8))->PageFrameNumber = newphy >> 12;return TRUE; |
};
VOID unstallHook()
{
if (IsPdeLager)
{
MmFreeContiguousMemory(pPhyAddr[0]);
MmFreeContiguousMemory(pPhyAddr[1]);
MmFreeContiguousMemory(pPhyAddr[2]);
return;
}
1 2 3 4 | //MmFreeContiguousMemory(pPhyAddr[0]);//MmFreeContiguousMemory(pPhyAddr[1]);//MmFreeContiguousMemory(pPhyAddr[2]);//MmFreeContiguousMemory(pPhyAddr[3]); |
}
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
unstallHook();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRes)
{
pDriver->DriverUnload = DriverUnload;
PKLDR_DATA_TABLE_ENTRY pKldr = (PKLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
pKldr->Flags |= 0x20;
//NTSTATUS status = PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutine, FALSE);
UNICODE_STRING ss = { 0 };
RtlInitUnicodeString(&ss, L"NtOpenProcess");
ULONG_PTR NtOpenAddr = MmGetSystemRoutineAddress(&ss);
ULONG_PTR funcVir = NtOpenAddr & ~(0xfff);
ULONG_PTR funcOffset = NtOpenAddr & 0xfff;
InitHook(funcVir, 8568, funcOffset);
//SetPTEHook(ssz);
return STATUS_SUCCESS;
}
附加到我们hook的进程:
附加到其他进程:
实验结果和win7是一样的,同样也没有出发PG。
下面是win10的版本:
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
|
|
|---|---|
|
|
|
|
|
|
|
|
我测试的时候没蓝屏 |
|
|
|
|
|
补了,不过失效的我没删 |
|
|
|
|
|
现在按照我的思路win10 22H2也能过pg,你说话要负责,这要靠实验来证明的,不是靠看出来的。 |
|
|
现在支持win10了 |
|
|
|
|
|
我上面给的链接的那篇文章,人家也没有事,只要不改全局应该行,现在以及过去六小时了,我win10还没蓝屏,而且已经有人用这个方法hook使用频率较高的api了,而且也没蓝屏,挺稳定的。至于你说的是不是这样我不清楚,但是我看已经有人用的好好的,而且直接搞游戏了。
最后于 2023-12-8 12:10
被mb_maiyudos编辑
,原因:
|
|
|
应该不会,各级页表是进程独立的,除非PG以你的进程上下文执行。 |
|
|
|
|
|
你直接复制粘贴吗?你调了没 |
|
|
|
|
|
你复制的是第一份还是第二份 |
|
|
|
|
|
|
|
|
|
|
|
感谢 |
|
|
|
|
|
试了 嘎嘎蓝
|
|
|
我没写hook框架,直接改了一些字节码,你仔细看
最后于 2023-12-17 21:43
被mb_maiyudos编辑
,原因:
|
|
|
你真逆天,你就不能调吗?我这个代码只是实验而已,不同的操作系统要不同的代码 |
|
|
代码只不过是参考,用于实验,适用于所有环境的windows的代码我不可能发出来的。 |
