[讨论]使用hyper的EPT功能进行R3代码段无痕HOOK没有效果
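// Installs an EPT shadow-page hook on one page of a user-mode (R3) process.
//
// Resolves the target process by name, locates the page to hook (either an
// explicit address in hook2, or moudlename base + offset), copies that page
// into a freshly allocated page in the target's address space, writes hookcode
// into the copy, and asks the hypervisor (per logical processor) to map the
// copy in place of the original frame.
//
// Parameters:
//   findname / bufsize   process name looked up by GetProcessId_byName
//   moudlename / offset  module + offset used only when hook2 is NULL
//   hook2                explicit hook address; takes precedence over module lookup
//   hookcode / hooklenght bytes written into the shadow page
//   hooktytpe            only 0 is implemented; any other value is rejected
// Returns 0 on success and 1 on any failure (file convention). Note that
// NT_SUCCESS(1) evaluates true, so callers must test against 0, not NT_SUCCESS.
//
// Defects fixed relative to the original: the hooktytpe != 0 path fell off the
// end of the function while still attached to the process and holding the
// EPROCESS reference (and without a return value); the ZwAllocateVirtualMemory
// status was ignored; hookcode was copied into the 0x1000-byte shadow page with
// no bounds check on hooklenght.
NTSTATUS hook_R3(
PCHAR findname,
SIZE_T bufsize, PCWSTR moudlename,
ULONG64 offset, PVOID hook2, unsigned char* hookcode,
ULONG64 hooktytpe,
ULONG64 hooklenght)
{
    HANDLE pid = GetProcessId_byName(findname, bufsize);
    if (pid == 0) {
        DbgPrintEx(77, 0, "dbg pid is zero\n");  // 77 == DPFLTR_IHVDRIVER_ID
        return 1;
    }

    PEPROCESS EProcess = NULL;
    UNICODE_STRING fun_name = { 0 };
    // Routines are resolved at runtime rather than imported (kept as in the original).
    RtlInitUnicodeString(&fun_name, L"PsLookupProcessByProcessId");
    myPpsLookupProcessByProcessId = (PpsLookupProcessByProcessId)MmGetSystemRoutineAddress(&fun_name);
    if (myPpsLookupProcessByProcessId == 0) {
        DbgPrintEx(77, 0, "dbg myPpsLookupProcessByProcessId is zero\n");
        return 1;
    }

    // Takes a reference on EProcess; every exit below must ObDereferenceObject it.
    NTSTATUS Status = myPpsLookupProcessByProcessId((HANDLE)pid, &EProcess);
    if (!NT_SUCCESS(Status)) {
        DbgPrintEx(77, 0, "dbg PsLookupProcessByProcessId error 1\n");
        return 1;
    }

    unsigned char* hookaddress = 0;
    KAPC_STATE ApcState = { 0 };
    fun_name = { 0 };
    RtlInitUnicodeString(&fun_name, L"KeStackAttachProcess");
    mypKeStackAttachProcess = (pKeStackAttachProcess)MmGetSystemRoutineAddress(&fun_name);
    fun_name = { 0 };
    RtlInitUnicodeString(&fun_name, L"KeUnstackDetachProcess");
    mypKeUnstackDetachProcess = (pKeUnstackDetachProcess)MmGetSystemRoutineAddress(&fun_name);
    if (mypKeStackAttachProcess == 0 || mypKeUnstackDetachProcess == 0) {
        ObDereferenceObject(EProcess);
        DbgPrintEx(77, 0, "dbg mypKeStackAttachProcess or mypKeUnstackDetachProcess is zero\n");
        return 1;
    }

    if (hook2) {
        hookaddress = (unsigned char*)(hook2);
    }
    else {
        UNICODE_STRING string = { 0 };
        RtlInitUnicodeString(&string, moudlename);
        SIZE_T size = 0;
        // Module lookup has to run in the target's address space, hence the attach.
        mypKeStackAttachProcess((PRKPROCESS)EProcess, &ApcState);
        PVOID baseaddress = GetUserModuleQQ(EProcess, &string, 0, &size);
        mypKeUnstackDetachProcess(&ApcState);
        if (baseaddress == 0) {
            ObDereferenceObject(EProcess);
            DbgPrintEx(77, 0, "dbg baseaddress is zero\n");
            return 1;
        }
        hookaddress = (unsigned char*)((ULONG64)baseaddress + offset);
    }
    DbgPrintEx(77, 0, "dbg hookaddress%p \n", hookaddress);

    // From here on we are attached: every exit must detach and dereference.
    mypKeStackAttachProcess((PRKPROCESS)EProcess, &ApcState);
    if (hooktytpe == 0) {
        ULONG64 size2 = 0x1000;
        ULONG oldprotect = 0;
        // 0x40 == PAGE_EXECUTE_READWRITE. (HANDLE)-1 is the current process, which
        // while attached is the target.
        // NOTE(review): BaseAddress is in/out for ZwProtectVirtualMemory and is returned
        // page-aligned, so hookaddress loses its in-page offset after this call — confirm
        // that is intended; the patch offset below comes from the global g_bytepatch_addr,
        // not from this function's arguments. The PULONG cast mismatches the PSIZE_T
        // parameter; size2 is 8 bytes wide so the write does not overflow — confirm the
        // local prototype.
        Status = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&hookaddress, (PULONG)&size2, 0x40, &oldprotect);
        if (!NT_SUCCESS(Status)) {
            mypKeUnstackDetachProcess(&ApcState);
            ObDereferenceObject(EProcess);
            DbgPrintEx(77, 0, "dbg ZwProtectVirtualMemory 0x40 1\n");
            return 1;
        }
        // Self-assignment touches the page while it is writable; presumably intended to
        // force it resident / private before the physical address is read below — verify.
        hookaddress[0] = hookaddress[0];
        Status = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&hookaddress, (PULONG)&size2, oldprotect, &oldprotect);
        if (!NT_SUCCESS(Status)) {
            mypKeUnstackDetachProcess(&ApcState);
            ObDereferenceObject(EProcess);
            DbgPrintEx(77, 0, "dbg ZwProtectVirtualMemory oldprotect 1\n");
            return 1;
        }

        // Shadow page lives in the target's user address space (pageable). The author's
        // earlier non-paged-pool variant is kept below for reference.
        PVOID exec_page = 0;
        ULONG64 size111 = 0x1000;
        Status = ZwAllocateVirtualMemory((HANDLE)-1, &exec_page, 0, &size111, MEM_COMMIT, 0x40);
        //auto const exec_page = (uint8_t*)ExAllocatePoolWithTag(NonPagedPool, 0x1000, 'pepe');
        if (!NT_SUCCESS(Status) || exec_page == 0) {
            mypKeUnstackDetachProcess(&ApcState);
            ObDereferenceObject(EProcess);
            DbgPrintEx(77, 0, "dbg ZwAllocateVirtualMemory exec_page is zero\n");
            return 1;
        }

        // hookcode must fit inside the single shadow page; an unchecked hooklenght would
        // write past the allocation while attached to the target.
        const uint64_t patch_off = (uint64_t)g_bytepatch_addr & 0xFFF;
        if (patch_off + hooklenght > 0x1000) {
            SIZE_T free_size = 0;
            ZwFreeVirtualMemory((HANDLE)-1, &exec_page, &free_size, MEM_RELEASE);
            mypKeUnstackDetachProcess(&ApcState);
            ObDereferenceObject(EProcess);
            DbgPrintEx(77, 0, "dbg hooklenght exceeds page\n");
            return 1;
        }

        // install our hook: copy the original page, then overlay the patch bytes.
        memcpy(exec_page, reinterpret_cast<void*>(reinterpret_cast<uint64_t>(hookaddress) & ~0xFFFull), 0x1000);
        memcpy((void*)((ULONG64)exec_page + patch_off), hookcode, hooklenght);

        // The hypercall is issued once per logical processor by pinning the thread to
        // each one in turn; args are page frame numbers (physical address >> 12).
        for (size_t i = 0; i < KeQueryActiveProcessorCount(nullptr); ++i) {
            auto const orig_affinity = KeSetSystemAffinityThreadEx(1ull << i);
            hv::hypercall_input input;
            input.code = hv::hypercall_install_ept_hook;
            input.key = hv::hypercall_key;
            auto patch_phy = MmGetPhysicalAddress(hookaddress).QuadPart >> 12;
            DbgPrintEx(77, 0, "dbg patch_phy%p \n", patch_phy);
            input.args[0] = patch_phy;
            auto exec_page_phy = MmGetPhysicalAddress(exec_page).QuadPart >> 12;
            DbgPrintEx(77, 0, "dbg exec_page_phy%p \n", exec_page_phy);
            input.args[1] = exec_page_phy;
            hv::vmx_vmcall(input);
            KeRevertToUserAffinityThreadEx(orig_affinity);
        }
    }
    else {
        // Original code had no path here: it returned nothing and left the thread
        // attached with the EPROCESS reference held. Reject unknown types explicitly.
        mypKeUnstackDetachProcess(&ApcState);
        ObDereferenceObject(EProcess);
        DbgPrintEx(77, 0, "dbg hooktytpe not supported\n");
        return 1;
    }

    mypKeUnstackDetachProcess(&ApcState);
    ObDereferenceObject(EProcess);
    return 0;
}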