-
-
腾讯游戏安全大赛2024决赛题解
-
发表于: 2024-4-22 00:57 11647
-
决赛打五天,是真的顶级,但是五天比一年学的东西都多...
本题解题附件自取
<!--more-->
Key 和 User 默认读 C:\card.txt
,如果找不到或者是错误,那么加载会失败,于是想到 hook NtCreateFile 获取到文件句柄,再 hook NtReadFile 找到文件内容写入的地址。
跟到后面可以找到文件内容(ReadFile第六个参数),在文件内容处下硬件读取断点,可以找到这里文件内容被被写入两个寄存器,随后又写入另外的内存(RCX所指向的内存)。
然后就直接 ret 了,这里将内存窗口转到 RCX 指向的地址,然后程序跳出来。
紧接着给末尾添 0 字节,然后将 r14 与 0x10 比较,小于跳出
这一次输出失败了,于是考虑换长度但是改一个字符,发现在另外的位置写了零字节
在跟的过程中,发现后面的一个内存就是长度
然后接着跟,会跟到一个找 - 的代码
很容易理解,因为 - 就是分隔 user 和 key 的,必然有一个遍历在找 - 的位置,那就直接跳到它找到了 - 的位置,发现有一个大跳转
随后会把 - 所处的地址存入栈中
紧接着跟,发现把User拷贝到下面的内存了
随后将key也写入下方的内存
然后开始循环 key,判断如果 -0x30 是否 >10,应该 key 只能是数字的判断。
于是我在循环这里下了一个软件断点,发现 RDI 会存储当前已遍历的十进制。
例如现在已经遍历到了 405,那么 rdi=0x195=405。
经过数次的循环,
可以发现 RDI=0xF17E203C,就是 4051574844,那么接下来就往下面跟看看跟 User 有什么样的关系。
取出ACE之后算出一个值 0x0000000020450083,最后很 0x1003F 相乘,得到 00000000F17E203D,刚好是题目所给 key 的十六进制表示。
后面通过一定的调试分析,发现一个规律
似乎它会把每一个字符加起来然后 *0x1003F
,并且一定是 int
。
先验证一遍ACE是否正确
发现果然如此,那么照样子算出 key 为 4007951923
。
根据上面的分析,不难写出 keygen 程序
运行即可获得 key 的输出。
有这么几种方法:监控内核线程,在 shellcode 执行的时候拦截,把比较是否相等的代码patch掉。监控文件读写,在读文件的时候,判断如果是目标文件,让它返回正确的结果。
最后还是选择在文件处拦截,然后趁它读文件的时候遍历驱动模块改它代码,上面分析的 imul 关键指令在 Loader.sys+0xafc1c4
的位置
再调试一遍,决出关键一步,找到了 cmp 指令
如图所示的内存分别为实际输入的数值和通过 user 计算得到的key的数值,随后取出相比较,不相等显然跳转到 Fail 分支,因此这里改成 NOP 让它不跳转任意情况下跳转成功。
此时的 sys 基地址为 0xFFFFF806F82D0000
,与该指令相减得到 0xa27e
的偏移,只需把这两个字节改成 0x90 即可达到任意的 user key 可以成功加载驱动。
我先使用了hook的方式去劫持,确保劫持的函数没错,再通过修改劫持时机和方式让方法满足要求
可以看到,先加载我写的驱动,后加载题目驱动,无论 user-key 正确与否,都加载成功
于是这里把修改的函数套到文件读取里面去拦截,达到读该文件时遍历模块,找到指定模块则写入指令。
下面是真正的代码(编译文件为XSafe2.sys)
该程序(附件中的XSafe2.sys)先加载,再加载Loader.sys同样可以任意user key加载成功并且不hook任何系统API和文件。
shellcode加载之后,会检测双机调试
但是有一定的延迟,说明是主动检测的不是被动触发的,刚好遇上这个题,猜测是检测了一个调试器标志位。
不过这里感觉是得先确定一下 shellcode 的位置的,因为它带反调,不知道它怎么反调的,突然想到之前一位神仙把蓝屏代码删了导致电脑爆炸,于是我也想效仿一下看看可不可彳亍。
这里去hook KeBugCheckEx,然后直接让它 sleep 一小时,防止它蓝我,我有更多时间可以去分析。
直接拿捏住了蓝屏。
在后面的分析中发现了 GameSec.exe 的内存一直在被读,估计是在搜索进程,然后读取进程的内存,这一部分后面没有分析太出来。
并且在运行的时候发现会读一些 exe 文件的字符串,在 shellcode 开头 + 80 的位置,这里后续没继续分析了。
随后想到去dump shellcode,这里注册回调的方式并不能成功拦截住,因此想到直接去 hook,判断线程起始位置是否在模块范围内,或者说在 Loader.sys 范围内,如果有都输出然后调试器看看内存像不像shellcode,无果,于是选择去跟一下,结果跟到一个类似shellcode的地方(很多浮点指令,看起来像垃圾指令的混淆),dump下来用 010 分析。
通过内存地址的特征可以发现,前八位可以通过 VAD 的方式去获取,后四个位每次加载似乎都是固定的,因此只需要爆破两个字节用一个特征去匹配就行了,这里。
vad.h
先加载 loader 再加载 search,成功输出 shellcode 的地址,特征码匹配前八个字节,在自己的环境只输出了一个地址,如果输出多个地址可以考虑加长特征码。
通过获取到线程结构得到它的线程上下文,输出 RIP 的值应该也行,通过PCHUNTER看到shellcode运行的线程
通过分析可知 shellcode 执行的线程具有如下特点:
与 TID=12 的线程入口相同
保持运行状态
据此可以筛选得到这个线程,通过线程结构体可以找到它的栈
多次运行发现栈中存在 GameSec.exe
这个字符串。并且在它 - 0x28 的位置有一个地址,那个地址前八位和shellcode一致,所以同样可以爆破+特征码匹配。
先运行 Loader.sys,再运行EmurateThread.sys,可以成功输出shellcode的地址。
随后我发现线程结构体中的 TrapFrame 有点东西,通过一段时间的运行之后,发现它的一些寄存器中会带上点东西
这里我选 Rdx,取前8位,暴力搜索4位(65536,可接受范围内)匹配。
先运行 Loader.sys 再运行 Search3.sys,可以直接得到 shellcode 的地址。
观察到 ETHTREAD 结构体中有个指针指向了距离shellcode比较近的位置
获取这个指针的前八位,然后爆破,匹配特征码。
先运行Loader.sys,再运行 Search4.sys,即可获得shellcode的地址。
挂起线程,此时会将线程上下文保存在栈顶中,再去遍历一遍栈,获得RIP指针,这里判断只需要拿 RSP 即可,当 [addr+0x180]-0x400==addr(+0x180是RSP相对于上下文结构体的偏移,0x400是context上下文大小)时,取出 RIP 即可。
先运行 Loader.sys,在运行search5.sys,即可输出shellcode。
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
#define MAX_BACKTRACE_DEPTH 20
#define SYMBOL L"\\??\\xia0ji2333"
#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)
UINT64
BaseAddr=NULL, DLLSize=0;
void
DeleteDevice(PDRIVER_OBJECT pDriver) {
kprintf((
"Line %d:xia0ji233: start delete device\n"
), __LINE__);
if
(pDriver->DeviceObject) {
UNICODE_STRING Sym;
RtlInitUnicodeString(&Sym, SYMBOL);
//CreateFile
kprintf((
"Line %d:xia0ji233: Delete Symbol\n"
), __LINE__);
IoDeleteSymbolicLink(&Sym);
kprintf((
"Line %d:xia0ji233: Delete Device\n"
), __LINE__);
IoDeleteDevice(pDriver->DeviceObject);
}
kprintf((
"Line %d:xia0ji233: end delete device\n"
), __LINE__);
}
HANDLE
FileHandler = NULL;
char
newcode[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
//mov rax,xxx
0xFF,0xE0
//jmp rax
};
char
oldcode[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};
char
newcode2[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
//mov rax,xxx
0xFF,0xE0
//jmp rax
};
char
oldcode2[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};
char
* target;
char
* target2;
KIRQL WPOFFx64()
{
KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64
cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return
irql;
}
void
WPONx64(KIRQL irql)
{
UINT64
cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}
NTSTATUS Unhook() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode); i++) {
target[i] = oldcode[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Unhook2() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode2); i++) {
target2[i] = oldcode2[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Hook() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode); i++) {
target[i] = newcode[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Hook2() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode2); i++) {
target2[i] = newcode2[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
PDRIVER_OBJECT g_Object = NULL;
typedef
struct
_LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID
DllBase;
PVOID
EntryPoint;
//驱动的进入点 DriverEntry
ULONG
SizeOfImage;
UNICODE_STRING FullDllName;
//驱动的满路径
UNICODE_STRING BaseDllName;
//不带路径的驱动名字
ULONG
Flags;
USHORT
LoadCount;
USHORT
TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID
SectionPointer;
ULONG
CheckSum;
};
};
union
{
struct
{
ULONG
TimeDateStamp;
};
struct
{
PVOID
LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef
NTSTATUS (* FuncPtr) (
_Out_
PHANDLE
FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_
ULONG
FileAttributes,
_In_
ULONG
ShareAccess,
_In_
ULONG
CreateDisposition,
_In_
ULONG
CreateOptions,
_In_reads_bytes_opt_(EaLength)
PVOID
EaBuffer,
_In_
ULONG
EaLength
);
typedef
NTSTATUS (* FuncPtr2 )(
_In_
HANDLE
FileHandle,
_In_opt_
HANDLE
Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_
PVOID
ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length)
PVOID
Buffer,
_In_
ULONG
Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_
PULONG
Key
);
ULONG
myCreateFile(_Out_
PHANDLE
FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_
ULONG
FileAttributes,
_In_
ULONG
ShareAccess,
_In_
ULONG
CreateDisposition,
_In_
ULONG
CreateOptions,
_In_reads_bytes_opt_(EaLength)
PVOID
EaBuffer,
_In_
ULONG
EaLength) {
Unhook();
FuncPtr func = (FuncPtr)target;
NTSTATUS s = func(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
if
(!wcscmp(ObjectAttributes->ObjectName->Buffer, L
"\\??\\C:\\card.txt"
)) {
kprintf((
"call NtCreateFile(%p,%p,%S,%p,%p,%p,%p,%p,%p,%p,%p)\n"
), FileHandle,DesiredAccess,ObjectAttributes->ObjectName->Buffer,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
DbgBreakPoint();
FileHandler = *FileHandle;
}
//DbgBreakPoint();
Hook();
return
s;
}
ULONG
myReadFile(
_In_
HANDLE
FileHandle,
_In_opt_
HANDLE
Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_
PVOID
ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length)
PVOID
Buffer,
_In_
ULONG
Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_
PULONG
Key) {
Unhook2();
FuncPtr2 func = (FuncPtr2)target2;
if
(FileHandler && FileHandler == FileHandle) {
kprintf((
"call NtReadFile(%p,%p,%p,%p,%p,%p,%p,%p,%p)\n"
), FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
DbgBreakPoint();
FileHandler = 0;
}
//DbgBreakPoint();
NTSTATUS s = func(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
Hook2();
return
s;
}
void
DriverUnload(PDRIVER_OBJECT pDriver) {
kprintf((
"Line %d:xia0ji233: start unload\n"
), __LINE__);
Unhook();
Unhook2();
DeleteDevice(pDriver);
}
NTSTATUS DriverEntry(
_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath
) {
DriverObject->DriverUnload = DriverUnload;
kprintf((
"Line %d:xia0ji233: RegistryPath = %S\n"
), __LINE__, RegistryPath->Buffer);
target = NtCreateFile;
target2 = NtReadFile;
kprintf((
"Line %d:xia0ji233: NtCreateFile=%p NtReadFile=%p\n"
), __LINE__, target,target2);
g_Object = DriverObject;
if
(target&&target2) {
for
(
int
i = 0; i <
sizeof
(oldcode); i++) {
oldcode[i] = target[i];
oldcode2[i] = target2[i];
}
*(
UINT64
*)(newcode + 2) = myCreateFile;
*(
UINT64
*)(newcode2 + 2) = myReadFile;
Hook();
Hook2();
}
else
{
kprintf((
"xia0ji233:hahaha"
));
}
return
0;
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
#define MAX_BACKTRACE_DEPTH 20
#define SYMBOL L"\\??\\xia0ji2333"
#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)
UINT64
BaseAddr=NULL, DLLSize=0;
void
DeleteDevice(PDRIVER_OBJECT pDriver) {
kprintf((
"Line %d:xia0ji233: start delete device\n"
), __LINE__);
if
(pDriver->DeviceObject) {
UNICODE_STRING Sym;
RtlInitUnicodeString(&Sym, SYMBOL);
//CreateFile
kprintf((
"Line %d:xia0ji233: Delete Symbol\n"
), __LINE__);
IoDeleteSymbolicLink(&Sym);
kprintf((
"Line %d:xia0ji233: Delete Device\n"
), __LINE__);
IoDeleteDevice(pDriver->DeviceObject);
}
kprintf((
"Line %d:xia0ji233: end delete device\n"
), __LINE__);
}
HANDLE
FileHandler = NULL;
char
newcode[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
//mov rax,xxx
0xFF,0xE0
//jmp rax
};
char
oldcode[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};
char
newcode2[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
//mov rax,xxx
0xFF,0xE0
//jmp rax
};
char
oldcode2[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};
char
* target;
char
* target2;
KIRQL WPOFFx64()
{
KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64
cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return
irql;
}
void
WPONx64(KIRQL irql)
{
UINT64
cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}
NTSTATUS Unhook() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode); i++) {
target[i] = oldcode[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Unhook2() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode2); i++) {
target2[i] = oldcode2[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Hook() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode); i++) {
target[i] = newcode[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Hook2() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode2); i++) {
target2[i] = newcode2[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
PDRIVER_OBJECT g_Object = NULL;
typedef
struct
_LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID
DllBase;
PVOID
EntryPoint;
//驱动的进入点 DriverEntry
ULONG
SizeOfImage;
UNICODE_STRING FullDllName;
//驱动的满路径
UNICODE_STRING BaseDllName;
//不带路径的驱动名字
ULONG
Flags;
USHORT
LoadCount;
USHORT
TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID
SectionPointer;
ULONG
CheckSum;
};
};
union
{
struct
{
ULONG
TimeDateStamp;
};
struct
{
PVOID
LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef
NTSTATUS (* FuncPtr) (
_Out_
PHANDLE
FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_
ULONG
FileAttributes,
_In_
ULONG
ShareAccess,
_In_
ULONG
CreateDisposition,
_In_
ULONG
CreateOptions,
_In_reads_bytes_opt_(EaLength)
PVOID
EaBuffer,
_In_
ULONG
EaLength
);
typedef
NTSTATUS (* FuncPtr2 )(
_In_
HANDLE
FileHandle,
_In_opt_
HANDLE
Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_
PVOID
ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length)
PVOID
Buffer,
_In_
ULONG
Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_
PULONG
Key
);
ULONG
myCreateFile(_Out_
PHANDLE
FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_
ULONG
FileAttributes,
_In_
ULONG
ShareAccess,
_In_
ULONG
CreateDisposition,
_In_
ULONG
CreateOptions,
_In_reads_bytes_opt_(EaLength)
PVOID
EaBuffer,
_In_
ULONG
EaLength) {
Unhook();
FuncPtr func = (FuncPtr)target;
NTSTATUS s = func(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
if
(!wcscmp(ObjectAttributes->ObjectName->Buffer, L
"\\??\\C:\\card.txt"
)) {
kprintf((
"call NtCreateFile(%p,%p,%S,%p,%p,%p,%p,%p,%p,%p,%p)\n"
), FileHandle,DesiredAccess,ObjectAttributes->ObjectName->Buffer,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
DbgBreakPoint();
FileHandler = *FileHandle;
}
//DbgBreakPoint();
Hook();
return
s;
}
ULONG
myReadFile(
_In_
HANDLE
FileHandle,
_In_opt_
HANDLE
Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_
PVOID
ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length)
PVOID
Buffer,
_In_
ULONG
Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_
PULONG
Key) {
Unhook2();
FuncPtr2 func = (FuncPtr2)target2;
if
(FileHandler && FileHandler == FileHandle) {
kprintf((
"call NtReadFile(%p,%p,%p,%p,%p,%p,%p,%p,%p)\n"
), FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
DbgBreakPoint();
FileHandler = 0;
}
//DbgBreakPoint();
NTSTATUS s = func(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
Hook2();
return
s;
}
void
DriverUnload(PDRIVER_OBJECT pDriver) {
kprintf((
"Line %d:xia0ji233: start unload\n"
), __LINE__);
Unhook();
Unhook2();
DeleteDevice(pDriver);
}
NTSTATUS DriverEntry(
_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath
) {
DriverObject->DriverUnload = DriverUnload;
kprintf((
"Line %d:xia0ji233: RegistryPath = %S\n"
), __LINE__, RegistryPath->Buffer);
target = NtCreateFile;
target2 = NtReadFile;
kprintf((
"Line %d:xia0ji233: NtCreateFile=%p NtReadFile=%p\n"
), __LINE__, target,target2);
g_Object = DriverObject;
if
(target&&target2) {
for
(
int
i = 0; i <
sizeof
(oldcode); i++) {
oldcode[i] = target[i];
oldcode2[i] = target2[i];
}
*(
UINT64
*)(newcode + 2) = myCreateFile;
*(
UINT64
*)(newcode2 + 2) = myReadFile;
Hook();
Hook2();
}
else
{
kprintf((
"xia0ji233:hahaha"
));
}
return
0;
}
#include<stdio.h>
#include<string.h>
int
main(){
char
user[]=
"xia0ji233"
;
int
n=
strlen
(user);
unsigned key=0;
for
(
int
i=0;i<n;i++){
key=(key+user[i])*0x1003F;
}
printf
(
"%u\n"
,key);
}
#include<stdio.h>
#include<string.h>
int
main(){
char
user[]=
"xia0ji233"
;
int
n=
strlen
(user);
unsigned key=0;
for
(
int
i=0;i<n;i++){
key=(key+user[i])*0x1003F;
}
printf
(
"%u\n"
,key);
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
#define MAX_BACKTRACE_DEPTH 20
#define SYMBOL L"\\??\\xia0ji2333"
#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)
UINT64
BaseAddr=NULL, DLLSize=0;
void
DeleteDevice(PDRIVER_OBJECT pDriver) {
kprintf((
"Line %d:xia0ji233: start delete device\n"
), __LINE__);
if
(pDriver->DeviceObject) {
UNICODE_STRING Sym;
RtlInitUnicodeString(&Sym, SYMBOL);
//CreateFile
kprintf((
"Line %d:xia0ji233: Delete Symbol\n"
), __LINE__);
IoDeleteSymbolicLink(&Sym);
kprintf((
"Line %d:xia0ji233: Delete Device\n"
), __LINE__);
IoDeleteDevice(pDriver->DeviceObject);
}
kprintf((
"Line %d:xia0ji233: end delete device\n"
), __LINE__);
}
HANDLE
FileHandler = NULL;
char
newcode[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
//mov rax,xxx
0xFF,0xE0
//jmp rax
};
char
oldcode[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};
char
newcode2[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
//mov rax,xxx
0xFF,0xE0
//jmp rax
};
char
oldcode2[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};
char
* target;
char
* target2;
KIRQL WPOFFx64()
{
KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64
cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return
irql;
}
void
WPONx64(KIRQL irql)
{
UINT64
cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}
NTSTATUS Unhook() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode); i++) {
target[i] = oldcode[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Unhook2() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode2); i++) {
target2[i] = oldcode2[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Hook() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode); i++) {
target[i] = newcode[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Hook2() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode2); i++) {
target2[i] = newcode2[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
PDRIVER_OBJECT g_Object = NULL;
typedef
struct
_LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID
DllBase;
PVOID
EntryPoint;
//驱动的进入点 DriverEntry
ULONG
SizeOfImage;
UNICODE_STRING FullDllName;
//驱动的满路径
UNICODE_STRING BaseDllName;
//不带路径的驱动名字
ULONG
Flags;
USHORT
LoadCount;
USHORT
TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID
SectionPointer;
ULONG
CheckSum;
};
};
union
{
struct
{
ULONG
TimeDateStamp;
};
struct
{
PVOID
LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef
NTSTATUS (* FuncPtr) (
_Out_
PHANDLE
FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_
ULONG
FileAttributes,
_In_
ULONG
ShareAccess,
_In_
ULONG
CreateDisposition,
_In_
ULONG
CreateOptions,
_In_reads_bytes_opt_(EaLength)
PVOID
EaBuffer,
_In_
ULONG
EaLength
);
typedef
NTSTATUS (* FuncPtr2 )(
_In_
HANDLE
FileHandle,
_In_opt_
HANDLE
Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_
PVOID
ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length)
PVOID
Buffer,
_In_
ULONG
Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_
PULONG
Key
);
NTSTATUS EnumerateKernelThreads();
typedef
NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
ULONG
,
PVOID
,
ULONG
,
PULONG
);
typedef
struct
_SYSTEM_PROCESS_INFORMATION {
ULONG
NextEntryOffset;
ULONG
NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
ULONG
BasePriority;
HANDLE
ProcessId;
HANDLE
InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef
struct
_SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG
WaitTime;
PVOID
StartAddress;
CLIENT_ID ClientId;
ULONG
Priority;
LONG
BasePriority;
ULONG
ContextSwitchCount;
LONG
State;
LONG
WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef
enum
_SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5
} SYSTEM_INFORMATION_CLASS;
#define SystemModuleInformation 11
ULONG
myCreateFile(_Out_
PHANDLE
FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_
ULONG
FileAttributes,
_In_
ULONG
ShareAccess,
_In_
ULONG
CreateDisposition,
_In_
ULONG
CreateOptions,
_In_reads_bytes_opt_(EaLength)
PVOID
EaBuffer,
_In_
ULONG
EaLength) {
Unhook();
FuncPtr func = (FuncPtr)target;
NTSTATUS s = func(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
if
(!wcscmp(ObjectAttributes->ObjectName->Buffer, L
"\\??\\C:\\card.txt"
)) {
kprintf((
"call NtCreateFile(%p,%p,%S,%p,%p,%p,%p,%p,%p,%p,%p)\n"
), FileHandle,DesiredAccess,ObjectAttributes->ObjectName->Buffer,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
//DbgBreakPoint();
FileHandler = *FileHandle;
}
//DbgBreakPoint();
Hook();
return
s;
}
MDLWriteMemory(
PVOID
pBaseAddress,
PVOID
pWriteData,
SIZE_T
writeDataSize)
{
PMDL pMdl = NULL;
PVOID
pNewAddress = NULL;
pMdl = MmCreateMdl(NULL, pBaseAddress, writeDataSize);
if
(NULL == pMdl)
{
return
FALSE;
}
MmBuildMdlForNonPagedPool(pMdl);
pNewAddress = MmMapLockedPages(pMdl, KernelMode);
if
(NULL == pNewAddress)
{
IoFreeMdl(pMdl);
}
RtlCopyMemory(pNewAddress, pWriteData, writeDataSize);
MmUnmapLockedPages(pNewAddress, pMdl);
IoFreeMdl(pMdl);
return
TRUE;
}
VOID
PatchInstr()
{
LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int
i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
UNICODE_STRING name;
RtlInitUnicodeString(&name,L
"Loader.sys"
);
;
while
(LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
if
(RtlEqualUnicodeString(&Tmp->BaseDllName, &name,FALSE)) {
kprintf((
"DLLname:%S DLLBase=%p nowcode=%p\n"
), Tmp->BaseDllName.Buffer,Tmp->DllBase,(
ULONG64
)(Tmp->DllBase) + 0xa27e);
char
buffer[] = { 0x90,0x90 };
MDLWriteMemory((
ULONG64
)(Tmp->DllBase) + 0xa27e, buffer, 2);
return
;
}
LinkList = LinkList->Flink;
i++;
}
}
ULONG
myReadFile(
_In_
HANDLE
FileHandle,
_In_opt_
HANDLE
Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_
PVOID
ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length)
PVOID
Buffer,
_In_
ULONG
Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_
PULONG
Key) {
Unhook2();
FuncPtr2 func = (FuncPtr2)target2;
if
(FileHandler && FileHandler == FileHandle) {
kprintf((
"call NtReadFile(%p,%p,%p,%p,%p,%p,%p,%p,%p)\n"
), FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
kprintf((
"buffer in %p\n"
), Buffer);
PatchInstr();
FileHandler = 0;
}
//DbgBreakPoint();
NTSTATUS s = func(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
Hook2();
return
s;
}
void
DriverUnload(PDRIVER_OBJECT pDriver) {
kprintf((
"Line %d:xia0ji233: start unload\n"
), __LINE__);
Unhook();
Unhook2();
DeleteDevice(pDriver);
}
NTSTATUS DriverEntry(
_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath
) {
DriverObject->DriverUnload = DriverUnload;
kprintf((
"Line %d:xia0ji233: RegistryPath = %S\n"
), __LINE__, RegistryPath->Buffer);
target = NtCreateFile;
target2 = NtReadFile;
kprintf((
"Line %d:xia0ji233: NtCreateFile=%p NtReadFile=%p\n"
), __LINE__, target,target2);
g_Object = DriverObject;
if
(target&&target2) {
for
(
int
i = 0; i <
sizeof
(oldcode); i++) {
oldcode[i] = target[i];
oldcode2[i] = target2[i];
}
*(
UINT64
*)(newcode + 2) = myCreateFile;
*(
UINT64
*)(newcode2 + 2) = myReadFile;
Hook();
Hook2();
}
else
{
kprintf((
"xia0ji233:hahaha"
));
}
return
0;
}
int
Filter(
ULONG
Start)
{
LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int
i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
while
(LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
ULONG
BASE = Tmp->DllBase;
ULONG
Size = Tmp->SizeOfImage;
if
(Start >= BASE && Start < BASE + Size) {
return
0;
}
LinkList = LinkList->Flink;
i++;
}
return
1;
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
#define MAX_BACKTRACE_DEPTH 20
#define SYMBOL L"\\??\\xia0ji2333"
#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)
UINT64
BaseAddr=NULL, DLLSize=0;
void
DeleteDevice(PDRIVER_OBJECT pDriver) {
kprintf((
"Line %d:xia0ji233: start delete device\n"
), __LINE__);
if
(pDriver->DeviceObject) {
UNICODE_STRING Sym;
RtlInitUnicodeString(&Sym, SYMBOL);
//CreateFile
kprintf((
"Line %d:xia0ji233: Delete Symbol\n"
), __LINE__);
IoDeleteSymbolicLink(&Sym);
kprintf((
"Line %d:xia0ji233: Delete Device\n"
), __LINE__);
IoDeleteDevice(pDriver->DeviceObject);
}
kprintf((
"Line %d:xia0ji233: end delete device\n"
), __LINE__);
}
HANDLE
FileHandler = NULL;
char
newcode[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
//mov rax,xxx
0xFF,0xE0
//jmp rax
};
char
oldcode[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};
char
newcode2[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
//mov rax,xxx
0xFF,0xE0
//jmp rax
};
char
oldcode2[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};
char
* target;
char
* target2;
KIRQL WPOFFx64()
{
KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64
cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return
irql;
}
void
WPONx64(KIRQL irql)
{
UINT64
cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}
NTSTATUS Unhook() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode); i++) {
target[i] = oldcode[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Unhook2() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode2); i++) {
target2[i] = oldcode2[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Hook() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode); i++) {
target[i] = newcode[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
NTSTATUS Hook2() {
KIRQL irql = WPOFFx64();
for
(
int
i = 0; i <
sizeof
(newcode2); i++) {
target2[i] = newcode2[i];
}
WPONx64(irql);
return
STATUS_SUCCESS;
}
PDRIVER_OBJECT g_Object = NULL;
typedef
struct
_LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID
DllBase;
PVOID
EntryPoint;
//驱动的进入点 DriverEntry
ULONG
SizeOfImage;
UNICODE_STRING FullDllName;
//驱动的满路径
UNICODE_STRING BaseDllName;
//不带路径的驱动名字
ULONG
Flags;
USHORT
LoadCount;
USHORT
TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID
SectionPointer;
ULONG
CheckSum;
};
};
union
{
struct
{
ULONG
TimeDateStamp;
};
struct
{
PVOID
LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef
NTSTATUS (* FuncPtr) (
_Out_
PHANDLE
FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_
ULONG
FileAttributes,
_In_
ULONG
ShareAccess,
_In_
ULONG
CreateDisposition,
_In_
ULONG
CreateOptions,
_In_reads_bytes_opt_(EaLength)
PVOID
EaBuffer,
_In_
ULONG
EaLength
);
typedef
NTSTATUS (* FuncPtr2 )(
_In_
HANDLE
FileHandle,
_In_opt_
HANDLE
Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_
PVOID
ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length)
PVOID
Buffer,
_In_
ULONG
Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_
PULONG
Key
);
NTSTATUS EnumerateKernelThreads();
typedef
NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
ULONG
,
PVOID
,
ULONG
,
PULONG
);
typedef
struct
_SYSTEM_PROCESS_INFORMATION {
ULONG
NextEntryOffset;
ULONG
NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
ULONG
BasePriority;
HANDLE
ProcessId;
HANDLE
InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef
struct
_SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG
WaitTime;
PVOID
StartAddress;
CLIENT_ID ClientId;
ULONG
Priority;
LONG
BasePriority;
ULONG
ContextSwitchCount;
LONG
State;
LONG
WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef
enum
_SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5
} SYSTEM_INFORMATION_CLASS;
#define SystemModuleInformation 11
ULONG
myCreateFile(_Out_
PHANDLE
FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_
ULONG
FileAttributes,
_In_
ULONG
ShareAccess,
_In_
ULONG
CreateDisposition,
_In_
ULONG
CreateOptions,
_In_reads_bytes_opt_(EaLength)
PVOID
EaBuffer,
_In_
ULONG
EaLength) {
Unhook();
FuncPtr func = (FuncPtr)target;
NTSTATUS s = func(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
if
(!wcscmp(ObjectAttributes->ObjectName->Buffer, L
"\\??\\C:\\card.txt"
)) {
kprintf((
"call NtCreateFile(%p,%p,%S,%p,%p,%p,%p,%p,%p,%p,%p)\n"
), FileHandle,DesiredAccess,ObjectAttributes->ObjectName->Buffer,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
//DbgBreakPoint();
FileHandler = *FileHandle;
}
//DbgBreakPoint();
Hook();
return
s;
}
MDLWriteMemory(
PVOID
pBaseAddress,
PVOID
pWriteData,
SIZE_T
writeDataSize)
{
PMDL pMdl = NULL;
PVOID
pNewAddress = NULL;
pMdl = MmCreateMdl(NULL, pBaseAddress, writeDataSize);
if
(NULL == pMdl)
{
return
FALSE;
}
MmBuildMdlForNonPagedPool(pMdl);
pNewAddress = MmMapLockedPages(pMdl, KernelMode);
if
(NULL == pNewAddress)
{
IoFreeMdl(pMdl);
}
RtlCopyMemory(pNewAddress, pWriteData, writeDataSize);
MmUnmapLockedPages(pNewAddress, pMdl);
IoFreeMdl(pMdl);
return
TRUE;
}
VOID
PatchInstr()
{
LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int
i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
UNICODE_STRING name;
RtlInitUnicodeString(&name,L
"Loader.sys"
);
;
while
(LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
if
(RtlEqualUnicodeString(&Tmp->BaseDllName, &name,FALSE)) {
kprintf((
"DLLname:%S DLLBase=%p nowcode=%p\n"
), Tmp->BaseDllName.Buffer,Tmp->DllBase,(
ULONG64
)(Tmp->DllBase) + 0xa27e);
char
buffer[] = { 0x90,0x90 };
MDLWriteMemory((
ULONG64
)(Tmp->DllBase) + 0xa27e, buffer, 2);
return
;
}
LinkList = LinkList->Flink;
i++;
}
}
ULONG
myReadFile(
_In_
HANDLE
FileHandle,
_In_opt_
HANDLE
Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_
PVOID
ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length)
PVOID
Buffer,
_In_
ULONG
Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_
PULONG
Key) {
Unhook2();
FuncPtr2 func = (FuncPtr2)target2;
if
(FileHandler && FileHandler == FileHandle) {
kprintf((
"call NtReadFile(%p,%p,%p,%p,%p,%p,%p,%p,%p)\n"
), FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
kprintf((
"buffer in %p\n"
), Buffer);
PatchInstr();
FileHandler = 0;
}
//DbgBreakPoint();
NTSTATUS s = func(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
Hook2();
return
s;
}
void
DriverUnload(PDRIVER_OBJECT pDriver) {
kprintf((
"Line %d:xia0ji233: start unload\n"
), __LINE__);
Unhook();
Unhook2();
DeleteDevice(pDriver);
}
NTSTATUS DriverEntry(
_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath
) {
DriverObject->DriverUnload = DriverUnload;
kprintf((
"Line %d:xia0ji233: RegistryPath = %S\n"
), __LINE__, RegistryPath->Buffer);
target = NtCreateFile;
target2 = NtReadFile;
kprintf((
"Line %d:xia0ji233: NtCreateFile=%p NtReadFile=%p\n"
), __LINE__, target,target2);
g_Object = DriverObject;
if
(target&&target2) {
for
(
int
i = 0; i <
sizeof
(oldcode); i++) {
oldcode[i] = target[i];
oldcode2[i] = target2[i];
}
*(
UINT64
*)(newcode + 2) = myCreateFile;
*(
UINT64
*)(newcode2 + 2) = myReadFile;
Hook();
Hook2();
}
else
{
kprintf((
"xia0ji233:hahaha"
));
}
return
0;
}
int
Filter(
ULONG
Start)
{
LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int
i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
while
(LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
ULONG
BASE = Tmp->DllBase;
ULONG
Size = Tmp->SizeOfImage;
if
(Start >= BASE && Start < BASE + Size) {
return
0;
}
LinkList = LinkList->Flink;
i++;
}
return
1;
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)
typedef
struct
_CALLBACK_ENTRY
{
LIST_ENTRY CallbackList;
OB_OPERATION Operations;
ULONG
Active;
PVOID
Handle;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
ULONG
unknown;
} CALLBACK_ENTRY, *PCALLBACK_ENTRY;
typedef
struct
_LDR_DATA
// 24 elements, 0xE0 bytes (sizeof)
{
/*0x000*/
struct
_LIST_ENTRY InLoadOrderLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x010*/
struct
_LIST_ENTRY InMemoryOrderLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x020*/
struct
_LIST_ENTRY InInitializationOrderLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x030*/
VOID
* DllBase;
/*0x038*/
VOID
* EntryPoint;
/*0x040*/
ULONG32
SizeOfImage;
/*0x044*/
UINT8 _PADDING0_[0x4];
/*0x048*/
struct
_UNICODE_STRING FullDllName;
// 3 elements, 0x10 bytes (sizeof)
/*0x058*/
struct
_UNICODE_STRING BaseDllName;
// 3 elements, 0x10 bytes (sizeof)
/*0x068*/
ULONG32
Flags;
/*0x06C*/
UINT16 LoadCount;
/*0x06E*/
UINT16 TlsIndex;
union
// 2 elements, 0x10 bytes (sizeof)
{
/*0x070*/
struct
_LIST_ENTRY HashLinks;
// 2 elements, 0x10 bytes (sizeof)
struct
// 2 elements, 0x10 bytes (sizeof)
{
/*0x070*/
VOID
* SectionPointer;
/*0x078*/
ULONG32
CheckSum;
/*0x07C*/
UINT8 _PADDING1_[0x4];
};
};
union
// 2 elements, 0x8 bytes (sizeof)
{
/*0x080*/
ULONG32
TimeDateStamp;
/*0x080*/
VOID
* LoadedImports;
};
/*0x088*/
struct
_ACTIVATION_CONTEXT* EntryPointActivationContext;
/*0x090*/
VOID
* PatchInformation;
/*0x098*/
struct
_LIST_ENTRY ForwarderLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x0A8*/
struct
_LIST_ENTRY ServiceTagLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x0B8*/
struct
_LIST_ENTRY StaticLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x0C8*/
VOID
* ContextInformation;
/*0x0D0*/
UINT64
OriginalBase;
/*0x0D8*/
union
_LARGE_INTEGER LoadTime;
// 4 elements, 0x8 bytes (sizeof)
}LDR_DATA, *PLDR_DATA;
typedef
struct
_OBJECT_TYPE_INITIALIZER
// 25 elements, 0x70 bytes (sizeof)
{
/*0x000*/
UINT16 Length;
union
// 2 elements, 0x1 bytes (sizeof)
{
/*0x002*/
UINT8 ObjectTypeFlags;
struct
// 7 elements, 0x1 bytes (sizeof)
{
/*0x002*/
UINT8 CaseInsensitive : 1;
// 0 BitPosition
/*0x002*/
UINT8 UnnamedObjectsOnly : 1;
// 1 BitPosition
/*0x002*/
UINT8 UseDefaultObject : 1;
// 2 BitPosition
/*0x002*/
UINT8 SecurityRequired : 1;
// 3 BitPosition
/*0x002*/
UINT8 MaintainHandleCount : 1;
// 4 BitPosition
/*0x002*/
UINT8 MaintainTypeList : 1;
// 5 BitPosition
/*0x002*/
UINT8 SupportsObjectCallbacks : 1;
// 6 BitPosition
};
};
/*0x004*/
ULONG32
ObjectTypeCode;
/*0x008*/
ULONG32
InvalidAttributes;
/*0x00C*/
struct
_GENERIC_MAPPING GenericMapping;
// 4 elements, 0x10 bytes (sizeof)
/*0x01C*/
ULONG32
ValidAccessMask;
/*0x020*/
ULONG32
RetainAccess;
/*0x024*/
enum
_POOL_TYPE PoolType;
/*0x028*/
ULONG32
DefaultPagedPoolCharge;
/*0x02C*/
ULONG32
DefaultNonPagedPoolCharge;
/*0x030*/
PVOID
DumpProcedure;
/*0x038*/
PVOID
OpenProcedure;
/*0x040*/
PVOID
CloseProcedure;
/*0x048*/
PVOID
DeleteProcedure;
/*0x050*/
PVOID
ParseProcedure;
/*0x058*/
PVOID
SecurityProcedure;
/*0x060*/
PVOID
QueryNameProcedure;
/*0x068*/
PVOID
OkayToCloseProcedure;
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
typedef
struct
_EX_PUSH_LOCK
// 7 elements, 0x8 bytes (sizeof)
{
union
// 3 elements, 0x8 bytes (sizeof)
{
struct
// 5 elements, 0x8 bytes (sizeof)
{
/*0x000*/
UINT64
Locked : 1;
// 0 BitPosition
/*0x000*/
UINT64
Waiting : 1;
// 1 BitPosition
/*0x000*/
UINT64
Waking : 1;
// 2 BitPosition
/*0x000*/
UINT64
MultipleShared : 1;
// 3 BitPosition
/*0x000*/
UINT64
Shared : 60;
// 4 BitPosition
};
/*0x000*/
UINT64
Value;
/*0x000*/
VOID
* Ptr;
};
};
typedef
struct
_MY_OBJECT_TYPE
// 12 elements, 0xD0 bytes (sizeof)
{
/*0x000*/
struct
_LIST_ENTRY TypeList;
// 2 elements, 0x10 bytes (sizeof)
/*0x010*/
struct
_UNICODE_STRING Name;
// 3 elements, 0x10 bytes (sizeof)
/*0x020*/
VOID
* DefaultObject;
/*0x028*/
UINT8 Index;
/*0x029*/
UINT8 _PADDING0_[0x3];
/*0x02C*/
ULONG32
TotalNumberOfObjects;
/*0x030*/
ULONG32
TotalNumberOfHandles;
/*0x034*/
ULONG32
HighWaterNumberOfObjects;
/*0x038*/
ULONG32
HighWaterNumberOfHandles;
/*0x03C*/
UINT8 _PADDING1_[0x4];
/*0x040*/
struct
_OBJECT_TYPE_INITIALIZER TypeInfo;
// 25 elements, 0x70 bytes (sizeof)
/*0x0B0*/
struct
_EX_PUSH_LOCK TypeLock;
// 7 elements, 0x8 bytes (sizeof)
/*0x0B8*/
ULONG32
Key;
/*0x0BC*/
UINT8 _PADDING2_[0x4];
/*0x0C0*/
struct
_LIST_ENTRY CallbackList;
// 2 elements, 0x10 bytes (sizeof)
}MY_OBJECT_TYPE, *PMY_OBJECT_TYPE;
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);
VOID
UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS EnumerateKernelThreads();
typedef
NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
ULONG
,
PVOID
,
ULONG
,
PULONG
);
typedef
struct
_SYSTEM_PROCESS_INFORMATION {
ULONG
NextEntryOffset;
ULONG
NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
ULONG
BasePriority;
HANDLE
ProcessId;
HANDLE
InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef
struct
_SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG
WaitTime;
PVOID
StartAddress;
CLIENT_ID ClientId;
ULONG
Priority;
LONG
BasePriority;
ULONG
ContextSwitchCount;
LONG
State;
LONG
WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef
enum
_SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5
} SYSTEM_INFORMATION_CLASS;
#define SystemModuleInformation 11
PVOID
obHandle;
DRIVER_INITIALIZE DriverEntry;
PDRIVER_OBJECT g_Object = NULL;
typedef
struct
_LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID
DllBase;
PVOID
EntryPoint;
//驱动的进入点 DriverEntry
ULONG
SizeOfImage;
UNICODE_STRING FullDllName;
//驱动的满路径
UNICODE_STRING BaseDllName;
//不带路径的驱动名字
ULONG
Flags;
USHORT
LoadCount;
USHORT
TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID
SectionPointer;
ULONG
CheckSum;
};
};
union
{
struct
{
ULONG
TimeDateStamp;
};
struct
{
PVOID
LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
MDLWriteMemory(
PVOID
pBaseAddress,
PVOID
pWriteData,
SIZE_T
writeDataSize)
{
PMDL pMdl = NULL;
PVOID
pNewAddress = NULL;
pMdl = MmCreateMdl(NULL, pBaseAddress, writeDataSize);
if
(NULL == pMdl)
{
return
FALSE;
}
MmBuildMdlForNonPagedPool(pMdl);
pNewAddress = MmMapLockedPages(pMdl, KernelMode);
if
(NULL == pNewAddress)
{
IoFreeMdl(pMdl);
}
RtlCopyMemory(pNewAddress, pWriteData, writeDataSize);
MmUnmapLockedPages(pNewAddress, pMdl);
IoFreeMdl(pMdl);
return
TRUE;
}
VOID
PatchInstr()
{
LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int
i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
UNICODE_STRING name;
RtlInitUnicodeString(&name,L
"Loader.sys"
);
;
while
(LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
if
(RtlEqualUnicodeString(&Tmp->BaseDllName, &name,FALSE)) {
kprintf((
"DLLname:%S DLLBase=%p nowcode=%p\n"
), Tmp->BaseDllName.Buffer,Tmp->DllBase,(
ULONG64
)(Tmp->DllBase) + 0xa27e);
char
buffer[] = { 0x90,0x90 };
MDLWriteMemory((
ULONG64
)(Tmp->DllBase) + 0xa27e, buffer, 2);
return
;
}
LinkList = LinkList->Flink;
i++;
}
}
// 文件回调
OB_PREOP_CALLBACK_STATUS FileObjectpreCall(
PVOID
RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
UNICODE_STRING DosName;
PFILE_OBJECT fileo = OperationInformation->Object;
HANDLE
CurrentProcessId = PsGetCurrentProcessId();
UNREFERENCED_PARAMETER(RegistrationContext);
if
(OperationInformation->ObjectType != *IoFileObjectType)
{
return
OB_PREOP_SUCCESS;
}
// 过滤无效指针
if
(fileo->FileName.Buffer == NULL ||
!MmIsAddressValid(fileo->FileName.Buffer) ||
fileo->DeviceObject == NULL ||
!MmIsAddressValid(fileo->DeviceObject))
{
return
OB_PREOP_SUCCESS;
}
// 过滤无效路径
if
(!_wcsicmp(fileo->FileName.Buffer, L
"\\Endpoint"
) ||
!_wcsicmp(fileo->FileName.Buffer, L
"?"
) ||
!_wcsicmp(fileo->FileName.Buffer, L
"\\.\\."
) ||
!_wcsicmp(fileo->FileName.Buffer, L
"\\"
))
{
return
OB_PREOP_SUCCESS;
}
// 将对象转为DOS路径
RtlVolumeDeviceToDosName(fileo->DeviceObject, &DosName);
if
(!wcscmp(fileo->FileName.Buffer, L
"\\card.txt"
)) {
PETHREAD pct=PsGetCurrentThread();
PVOID
addr=*(
ULONG64
*)((
char
*)pct + 0x450);
PatchInstr();
//EnumerateKernelThreads();
DbgBreakPoint();
}
return
OB_PREOP_SUCCESS;
}
VOID
EnableObType(POBJECT_TYPE ObjectType)
{
PMY_OBJECT_TYPE myobtype = (PMY_OBJECT_TYPE)ObjectType;
myobtype->TypeInfo.SupportsObjectCallbacks = 1;
}
VOID
UnDriver(PDRIVER_OBJECT driver)
{
UNREFERENCED_PARAMETER(driver);
ObUnRegisterCallbacks(obHandle);
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
NTSTATUS status = STATUS_SUCCESS;
PLDR_DATA ldr;
kprintf((
"hello xia0ji233\n"
));
g_Object = Driver;
OB_CALLBACK_REGISTRATION obRegFileCallBack;
OB_OPERATION_REGISTRATION opRegFileCallBack;
// enable IoFileObjectType
EnableObType(*IoFileObjectType);
// bypass MmVerifyCallbackFunction
ldr = (PLDR_DATA)Driver->DriverSection;
ldr->Flags |= 0x20;
// 初始化回调
memset
(&obRegFileCallBack, 0,
sizeof
(obRegFileCallBack));
obRegFileCallBack.Version = ObGetFilterVersion();
obRegFileCallBack.OperationRegistrationCount = 1;
obRegFileCallBack.RegistrationContext = NULL;
RtlInitUnicodeString(&obRegFileCallBack.Altitude, L
"321000"
);
obRegFileCallBack.OperationRegistration = &opRegFileCallBack;
memset
(&opRegFileCallBack, 0,
sizeof
(opRegFileCallBack));
opRegFileCallBack.ObjectType = IoFileObjectType;
opRegFileCallBack.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
opRegFileCallBack.PreOperation = (POB_PRE_OPERATION_CALLBACK)&FileObjectpreCall;
status = ObRegisterCallbacks(&obRegFileCallBack, &obHandle);
if
(!NT_SUCCESS(status))
{
kprintf((
"注册回调错误 \n"
));
status = STATUS_UNSUCCESSFUL;
}
UNREFERENCED_PARAMETER(RegistryPath);
Driver->DriverUnload = &UnDriver;
return
status;
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)
typedef
struct
_CALLBACK_ENTRY
{
LIST_ENTRY CallbackList;
OB_OPERATION Operations;
ULONG
Active;
PVOID
Handle;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
ULONG
unknown;
} CALLBACK_ENTRY, *PCALLBACK_ENTRY;
typedef
struct
_LDR_DATA
// 24 elements, 0xE0 bytes (sizeof)
{
/*0x000*/
struct
_LIST_ENTRY InLoadOrderLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x010*/
struct
_LIST_ENTRY InMemoryOrderLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x020*/
struct
_LIST_ENTRY InInitializationOrderLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x030*/
VOID
* DllBase;
/*0x038*/
VOID
* EntryPoint;
/*0x040*/
ULONG32
SizeOfImage;
/*0x044*/
UINT8 _PADDING0_[0x4];
/*0x048*/
struct
_UNICODE_STRING FullDllName;
// 3 elements, 0x10 bytes (sizeof)
/*0x058*/
struct
_UNICODE_STRING BaseDllName;
// 3 elements, 0x10 bytes (sizeof)
/*0x068*/
ULONG32
Flags;
/*0x06C*/
UINT16 LoadCount;
/*0x06E*/
UINT16 TlsIndex;
union
// 2 elements, 0x10 bytes (sizeof)
{
/*0x070*/
struct
_LIST_ENTRY HashLinks;
// 2 elements, 0x10 bytes (sizeof)
struct
// 2 elements, 0x10 bytes (sizeof)
{
/*0x070*/
VOID
* SectionPointer;
/*0x078*/
ULONG32
CheckSum;
/*0x07C*/
UINT8 _PADDING1_[0x4];
};
};
union
// 2 elements, 0x8 bytes (sizeof)
{
/*0x080*/
ULONG32
TimeDateStamp;
/*0x080*/
VOID
* LoadedImports;
};
/*0x088*/
struct
_ACTIVATION_CONTEXT* EntryPointActivationContext;
/*0x090*/
VOID
* PatchInformation;
/*0x098*/
struct
_LIST_ENTRY ForwarderLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x0A8*/
struct
_LIST_ENTRY ServiceTagLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x0B8*/
struct
_LIST_ENTRY StaticLinks;
// 2 elements, 0x10 bytes (sizeof)
/*0x0C8*/
VOID
* ContextInformation;
/*0x0D0*/
UINT64
OriginalBase;
/*0x0D8*/
union
_LARGE_INTEGER LoadTime;
// 4 elements, 0x8 bytes (sizeof)
}LDR_DATA, *PLDR_DATA;
typedef
struct
_OBJECT_TYPE_INITIALIZER
// 25 elements, 0x70 bytes (sizeof)
{
/*0x000*/
UINT16 Length;
union
// 2 elements, 0x1 bytes (sizeof)
{
/*0x002*/
UINT8 ObjectTypeFlags;
struct
// 7 elements, 0x1 bytes (sizeof)
{
/*0x002*/
UINT8 CaseInsensitive : 1;
// 0 BitPosition
/*0x002*/
UINT8 UnnamedObjectsOnly : 1;
// 1 BitPosition
/*0x002*/
UINT8 UseDefaultObject : 1;
// 2 BitPosition
/*0x002*/
UINT8 SecurityRequired : 1;
// 3 BitPosition
/*0x002*/
UINT8 MaintainHandleCount : 1;
// 4 BitPosition
/*0x002*/
UINT8 MaintainTypeList : 1;
// 5 BitPosition
/*0x002*/
UINT8 SupportsObjectCallbacks : 1;
// 6 BitPosition
};
};
/*0x004*/
ULONG32
ObjectTypeCode;
/*0x008*/
ULONG32
InvalidAttributes;
/*0x00C*/
struct
_GENERIC_MAPPING GenericMapping;
// 4 elements, 0x10 bytes (sizeof)
/*0x01C*/
ULONG32
ValidAccessMask;
/*0x020*/
ULONG32
RetainAccess;
/*0x024*/
enum
_POOL_TYPE PoolType;
/*0x028*/
ULONG32
DefaultPagedPoolCharge;
/*0x02C*/
ULONG32
DefaultNonPagedPoolCharge;
/*0x030*/
PVOID
DumpProcedure;
/*0x038*/
PVOID
OpenProcedure;
/*0x040*/
PVOID
CloseProcedure;
/*0x048*/
PVOID
DeleteProcedure;
/*0x050*/
PVOID
ParseProcedure;
/*0x058*/
PVOID
SecurityProcedure;
/*0x060*/
PVOID
QueryNameProcedure;
/*0x068*/
PVOID
OkayToCloseProcedure;
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
typedef
struct
_EX_PUSH_LOCK
// 7 elements, 0x8 bytes (sizeof)
{
union
// 3 elements, 0x8 bytes (sizeof)
{
struct
// 5 elements, 0x8 bytes (sizeof)
{
/*0x000*/
UINT64
Locked : 1;
// 0 BitPosition
/*0x000*/
UINT64
Waiting : 1;
// 1 BitPosition
/*0x000*/
UINT64
Waking : 1;
// 2 BitPosition
/*0x000*/
UINT64
MultipleShared : 1;
// 3 BitPosition
/*0x000*/
UINT64
Shared : 60;
// 4 BitPosition
};
/*0x000*/
UINT64
Value;
/*0x000*/
VOID
* Ptr;
};
};
typedef
struct
_MY_OBJECT_TYPE
// 12 elements, 0xD0 bytes (sizeof)
{
/*0x000*/
struct
_LIST_ENTRY TypeList;
// 2 elements, 0x10 bytes (sizeof)
/*0x010*/
struct
_UNICODE_STRING Name;
// 3 elements, 0x10 bytes (sizeof)
/*0x020*/
VOID
* DefaultObject;
/*0x028*/
UINT8 Index;
/*0x029*/
UINT8 _PADDING0_[0x3];
/*0x02C*/
ULONG32
TotalNumberOfObjects;
/*0x030*/
ULONG32
TotalNumberOfHandles;
/*0x034*/
ULONG32
HighWaterNumberOfObjects;
/*0x038*/
ULONG32
HighWaterNumberOfHandles;
/*0x03C*/
UINT8 _PADDING1_[0x4];
/*0x040*/
struct
_OBJECT_TYPE_INITIALIZER TypeInfo;
// 25 elements, 0x70 bytes (sizeof)
/*0x0B0*/
struct
_EX_PUSH_LOCK TypeLock;
// 7 elements, 0x8 bytes (sizeof)
/*0x0B8*/
ULONG32
Key;
/*0x0BC*/
UINT8 _PADDING2_[0x4];
/*0x0C0*/
struct
_LIST_ENTRY CallbackList;
// 2 elements, 0x10 bytes (sizeof)
}MY_OBJECT_TYPE, *PMY_OBJECT_TYPE;
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);
VOID
UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS EnumerateKernelThreads();
typedef
NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
ULONG
,
PVOID
,
ULONG
,
PULONG
);
typedef
struct
_SYSTEM_PROCESS_INFORMATION {
ULONG
NextEntryOffset;
ULONG
NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
ULONG
BasePriority;
HANDLE
ProcessId;
HANDLE
InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef
struct
_SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG
WaitTime;
PVOID
StartAddress;
CLIENT_ID ClientId;
ULONG
Priority;
LONG
BasePriority;
ULONG
ContextSwitchCount;
LONG
State;
LONG
WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef
enum
_SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5
} SYSTEM_INFORMATION_CLASS;
#define SystemModuleInformation 11
PVOID
obHandle;
DRIVER_INITIALIZE DriverEntry;
PDRIVER_OBJECT g_Object = NULL;
typedef
struct
_LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID
DllBase;
PVOID
EntryPoint;
//驱动的进入点 DriverEntry
ULONG
SizeOfImage;
UNICODE_STRING FullDllName;
//驱动的满路径
UNICODE_STRING BaseDllName;
//不带路径的驱动名字
ULONG
Flags;
USHORT
LoadCount;
USHORT
TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID
SectionPointer;
ULONG
CheckSum;
};
};
union
{
struct
{
ULONG
TimeDateStamp;
};
struct
{
PVOID
LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
MDLWriteMemory(
PVOID
pBaseAddress,
PVOID
pWriteData,
SIZE_T
writeDataSize)
{
赞赏
|
|
---|---|
|
太强了
|
|
tql
|
|
关写保护那有些不严谨,没有考虑到可能会出现CR4.CET开启的情况是不能直接把CR0.WP清除的
具体可以看intel的System Programming Guide的第二章的2.5节Control Registers |
|
cccwwdd 关写保护那有些不严谨,没有考虑到可能会出现CR4.CET开启的情况是不能直接把CR0.WP清除的 具体可以看intel的System Programming Guide的第二章的2.5节Contro ...是的,一般虚拟机是没有这个,真机测试的时候是不能这么操作的,所以得用MDL,但是因为之前用的很多的hook都这么写的,虚拟机也没啥问题就一直懒得改了 |
- [原创]强网杯S8决赛Reverse writeup 2113
- 强网杯S8决赛pwn writeup 3373
- [原创]强网杯S8初赛pwn writeup 3592
- [原创]KCTF2024 第八题 writeup 3818
- 腾讯游戏安全大赛2024决赛题解 11648