首页
社区
课程
招聘
[讨论]使用hyper的EPT功能进行R3代码段无痕HOOK没有效果
发表于: 14小时前 436

[讨论]使用hyper的EPT功能进行R3代码段无痕HOOK没有效果

14小时前
436

NTSTATUS hook_R3(
PCHAR findname,
SIZE_T bufsize,PCWSTR moudlename,
ULONG64 offset,PVOID hook2,unsigned char* hookcode,
ULONG64 hooktytpe,
ULONG64 hooklenght)
{
HANDLE pid=GetProcessId_byName(findname, bufsize);
if (pid == 0) {

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
    DbgPrintEx(77, 0, "dbg pid is zero\n");
    return 1;
}
PEPROCESS EProcess = NULL;
 
UNICODE_STRING fun_name = { 0 };
RtlInitUnicodeString(&fun_name, L"PsLookupProcessByProcessId");
myPpsLookupProcessByProcessId =(PpsLookupProcessByProcessId) MmGetSystemRoutineAddress(&fun_name);
 
if (myPpsLookupProcessByProcessId == 0) {
 
    DbgPrintEx(77, 0, "dbg myPpsLookupProcessByProcessId is zero\n");
    return 1;
}
NTSTATUS Status = myPpsLookupProcessByProcessId((HANDLE)pid, &EProcess);
if (!NT_SUCCESS(Status))
{
    DbgPrintEx(77, 0, "dbg PsLookupProcessByProcessId error 1\n");
    return 1;
}
unsigned char* hookaddress = 0;
KAPC_STATE ApcState = { 0 };
fun_name = { 0 };
RtlInitUnicodeString(&fun_name, L"KeStackAttachProcess");
mypKeStackAttachProcess = (pKeStackAttachProcess)MmGetSystemRoutineAddress(&fun_name);
 
 
fun_name = { 0 };
RtlInitUnicodeString(&fun_name, L"KeUnstackDetachProcess");
mypKeUnstackDetachProcess = (pKeUnstackDetachProcess)MmGetSystemRoutineAddress(&fun_name);
 
 
 
 
 
if (mypKeStackAttachProcess == 0 || mypKeUnstackDetachProcess == 0) {
    ObDereferenceObject(EProcess);
    DbgPrintEx(77, 0, "dbg mypKeStackAttachProcess or mypKeUnstackDetachProcess is zero\n");
 
 
    return 1;
}
 
 
 
 
 
 
 
 
 
 
 
 
 
 
if (hook2) {
 
    hookaddress = (unsigned char*)(hook2);
 
}
else {
    UNICODE_STRING string = { 0 };
    RtlInitUnicodeString(&string, moudlename);
    SIZE_T size = 0;
    mypKeStackAttachProcess((PRKPROCESS)EProcess, &ApcState);
    PVOID baseaddress = GetUserModuleQQ(EProcess, &string, 0, &size);
    mypKeUnstackDetachProcess(&ApcState);
     
    if (baseaddress == 0) {
        ObDereferenceObject(EProcess);
        DbgPrintEx(77, 0, "dbg baseaddress is zero\n");
        return 1;
    }
    hookaddress = (unsigned char*)((ULONG64)baseaddress + offset);
 
}
DbgPrintEx(77, 0, "dbg  hookaddress%p \n", hookaddress);
mypKeStackAttachProcess((PRKPROCESS)EProcess, &ApcState);
if (hooktytpe == 0)
{
    ULONG64 size2 = 0x1000;
    ULONG oldprotect = 0;
    Status=ZwProtectVirtualMemory((HANDLE)-1,(PVOID*) &hookaddress,(PULONG) &size2, 0x40, &oldprotect);
    if (!NT_SUCCESS(Status))
    {
        mypKeUnstackDetachProcess(&ApcState);
        ObDereferenceObject(EProcess);
        DbgPrintEx(77, 0, "dbg ZwProtectVirtualMemory 0x40 1\n");
        return 1;
    }
 
     
 
    hookaddress[0] = hookaddress[0];
    Status = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&hookaddress, (PULONG)&size2, oldprotect, &oldprotect);
    if (!NT_SUCCESS(Status))
    {
        mypKeUnstackDetachProcess(&ApcState);
        ObDereferenceObject(EProcess);
        DbgPrintEx(77, 0, "dbg ZwProtectVirtualMemory oldprotect 1\n");
        return 1;
    }
 
 
    PVOID exec_page = 0;
    ULONG64 size111 = 0x1000;
    ZwAllocateVirtualMemory((HANDLE)-1, &exec_page, 0, &size111, MEM_COMMIT, 0x40);
    //auto const exec_page = (uint8_t*)ExAllocatePoolWithTag(NonPagedPool, 0x1000, 'pepe');
    if (exec_page == 0 ) {
        mypKeUnstackDetachProcess(&ApcState);
        ObDereferenceObject(EProcess);
        DbgPrintEx(77, 0, "dbg mypKeStackAttachProcess or mypKeUnstackDetachProcess is zero\n");
 
 
        return 1;
    }
    // install our hook
    memcpy(exec_page, reinterpret_cast<void*>(reinterpret_cast<uint64_t>(hookaddress) & ~0xFFFull), 0x1000);
 
    memcpy((void*)((ULONG64)exec_page + ((uint64_t)g_bytepatch_addr & 0xFFF)), hookcode, hooklenght);
     
    for (size_t i = 0; i < KeQueryActiveProcessorCount(nullptr); ++i) {
        auto const orig_affinity = KeSetSystemAffinityThreadEx(1ull << i);
 
        hv::hypercall_input input;
        input.code = hv::hypercall_install_ept_hook;
        input.key = hv::hypercall_key;
        auto patch_phy = MmGetPhysicalAddress(hookaddress).QuadPart >> 12;
        DbgPrintEx(77, 0, "dbg  patch_phy%p \n", patch_phy);
        input.args[0] = patch_phy;
        auto exec_page_phy = MmGetPhysicalAddress(exec_page).QuadPart >> 12;
        DbgPrintEx(77, 0, "dbg  exec_page_phy%p \n", exec_page_phy);
         
        input.args[1] = exec_page_phy;
        hv::vmx_vmcall(input);
 
        KeRevertToUserAffinityThreadEx(orig_affinity);
    }
 
 
    mypKeUnstackDetachProcess(&ApcState);
    ObDereferenceObject(EProcess);
     
 
    return 0;
 
 
 
 
 
 
 
 
 
 
}

}


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//