祝各位新年快乐
一边听音乐一边写代码真的很舒服阿很舒服
先简单说以下,NP和HS都hook了以下一些SSDT
什么是SSDT?我不想说那些复杂的理论,希望以简单的事实帮助介绍
先向大S道歉,下文如有冒犯,还请大S原谅
怎么说呢,SSDT本身就是一个地址表,我们当他是个地址簿,也就是写了每个人的地址的记录表
今天,偶想给大S送新年礼物,怎么送到大S家里呢?就得查看地址簿了
上面是这样写的 大S: 游戏达人,外挂高人,破解牛人,脱壳圣人;分身有如月,堀北真希,花泽类,猪的理想;实际上是个阳光宝宝,吃的的白白胖胖的,每天都很开心;家住上海市X区X路X楼,进门左转、左转、再左转,敲门说找S.H.E就行了。
标准SSDT hook的方式就是改变这个地址,HS就是八地址改写成abnlab实验室,如果你照着走就到abnlab实验室了
他们就要检查你了,这么大一箱礼物?是不是带了炸弹阿,识别你的身份阿,但是这样怎么能行呢,经过他们一审核
我的新年礼物岂不是要过年以后才能到了?不行不行
只能先联系大S,大S说家在上海X别墅区X,偶于是就上门了,到了别墅,门卫不让偶进去阿,理由是偶没有邀请函
; MmDeleteTeb(x,x)+Ep ...
.text:004129B3
.text:004129B3 BugCheckParameter1= dword ptr 8
.text:004129B3 arg_4 = dword ptr 0Ch
.text:004129B3
.text:004129B3 ; FUNCTION CHUNK AT .text:00445DD6 SIZE 00000049 BYTES
.text:004129B3
.text:004129B3 mov edi, edi
.text:004129B5 push ebp
.text:004129B6 mov ebp, esp
.text:004129B8 push esi
.text:004129B9 push edi
.text:004129BA mov eax, large fs:124h
.text:004129C0 mov edi, [ebp+BugCheckParameter1]
.text:004129C3 mov esi, eax
.text:004129C5 cmp [esi+44h], edi
.text:004129C8 jz short loc_4129FF
.text:004129CA cmp byte ptr [esi+165h], 0
.text:004129D1 jnz loc_445DD6
.text:004129D7 mov eax, large fs:994h
.text:004129DD test eax, eax
.text:004129DF jnz loc_445DD6
.text:004129E5 call ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
.text:004129EB mov byte ptr [ebp+BugCheckParameter1], al
.text:004129EE lea eax, [esi+14Ch]
.text:004129F4 push eax
.text:004129F5 push [ebp+BugCheckParameter1]
.text:004129F8 push edi
.text:004129F9 push esi
.text:004129FA call _KiAttachProcess@16 ; KiAttachProcess(x,x,x,x)
.text:004129FF
.text:004129FF loc_4129FF: ; CODE XREF: KeAttachProcess(x)+15j
.text:004129FF pop edi
.text:00412A00 pop esi
.text:00412A01 pop ebp
.text:00412A02 retn 4
.text:00412A02 _KeAttachProcess@4 endp
.text:004189DB ; __stdcall KeStackAttachProcess(x, x)
.text:004189DB public _KeStackAttachProcess@8
.text:004189DB _KeStackAttachProcess@8 proc near ; CODE XREF: MmAttachSession(x,x)+58p
.text:004189DB ; MiAttachToSecureProcessInSession(x)+43p ...
.text:004189DB
.text:004189DB arg_0 = dword ptr 8
.text:004189DB arg_4 = dword ptr 0Ch
.text:004189DB
.text:004189DB mov edi, edi
.text:004189DD push ebp
.text:004189DE mov ebp, esp
.text:004189E0 push esi
.text:004189E1 push edi
.text:004189E2 mov eax, large fs:124h
.text:004189E8 mov esi, eax
.text:004189EA mov eax, large fs:994h
.text:004189F0 test eax, eax
.text:004189F2 jnz loc_445DF1
.text:004189F8 mov edi, [ebp+arg_0]
.text:004189FB cmp [esi+44h], edi
.text:004189FE jz short loc_418A34
.text:00418A00 call ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
.text:00418A06 cmp byte ptr [esi+165h], 0
.text:00418A0D mov byte ptr [ebp+arg_0], al
.text:00418A10 jnz loc_445E0D
.text:00418A16 lea eax, [esi+14Ch]
.text:00418A1C push eax
.text:00418A1D push [ebp+arg_0]
.text:00418A20 push edi
.text:00418A21 push esi
.text:00418A22 call _KiAttachProcess@16 ; KiAttachProcess(x,x,x,x)
.text:00418A27 mov eax, [ebp+arg_4]
.text:00418A2A and dword ptr [eax+10h], 0
.text:00418A2E
.text:00418A2E loc_418A2E: ; CODE XREF: KeStackAttachProcess(x,x)+63j
.text:00418A2E ; KeAttachProcess(x)+33467j
.text:00418A2E pop edi
.text:00418A2F pop esi
.text:00418A30 pop ebp
.text:00418A31 retn 8
我们有以下办法
1.直接执行函数+5字节处
这样可以,但是有其他问题,如果NP把函数hook改到函数中间或者末尾,我们很难定位
2.执行底层函数KiAttachProcess
KiAttachProcess(EPROCESS *Process,Irql)
.text:00412855 ; __stdcall KiAttachProcess(x, x, x, x)
.text:00412855 _KiAttachProcess@16 proc near ; CODE XREF: KeAttachProcess(x)+47p
.text:00412855 ; KeStackAttachProcess(x,x)+47p ...
.text:00412855
.text:00412855 arg_0 = dword ptr 8
.text:00412855 arg_4 = dword ptr 0Ch
.text:00412855 arg_8 = byte ptr 10h
.text:00412855 arg_C = dword ptr 14h
.text:00412855
.text:00412855 ; FUNCTION CHUNK AT .text:00445D4F SIZE 0000001E BYTES
.text:00412855 ; FUNCTION CHUNK AT .text:00445D72 SIZE 00000064 BYTES
.text:00412855
.text:00412855 mov edi, edi
.text:00412857 push ebp
.text:00412858 mov ebp, esp
.text:0041285A push ebx
.text:0041285B mov ebx, [ebp+arg_4]
.text:0041285E inc word ptr [ebx+60h]
.text:00412862 push esi
.text:00412863 mov esi, [ebp+arg_0]
.text:00412866 push edi
.text:00412867 push [ebp+arg_C]
.text:0041286A lea edi, [esi+34h]
.text:0041286D push edi
.text:0041286E call _KiMoveApcState@8 ; KiMoveApcState(x,x)
.text:00412873 mov [edi+4], edi
.text:00412876 mov [edi], edi
.text:00412878 lea eax, [esi+3Ch]
.text:0041287B mov [eax+4], eax
.text:0041287E mov [eax], eax
.text:00412880 lea eax, [esi+14Ch]
.text:00412886 cmp [ebp+arg_C], eax
.text:00412889 mov [esi+44h], ebx
.text:0041288C mov byte ptr [esi+48h], 0
.text:00412890 mov byte ptr [esi+49h], 0
.text:00412894 mov byte ptr [esi+4Ah], 0
.text:00412898 jnz short loc_4128AD
.text:0041289A mov [esi+138h], eax
.text:004128A0 mov [esi+13Ch], edi
.text:004128A6 mov byte ptr [esi+165h], 1
.text:004128AD
.text:004128AD loc_4128AD: ; CODE XREF: KiAttachProcess(x,x,x,x)+43j
.text:004128AD cmp byte ptr [ebx+65h], 0
.text:004128B1 jnz loc_445D72
.text:004128B7 lea esi, [ebx+40h]
.text:004128BA
.text:004128BA loc_4128BA: ; CODE XREF: KiAttachProcess(x,x,x,x)+33513j
.text:004128BA mov eax, [esi]
.text:004128BC cmp eax, esi
.text:004128BE jnz loc_445D4F
.text:004128C4 mov eax, [ebp+arg_C]
.text:004128C7 push dword ptr [eax+10h]
.text:004128CA push ebx
.text:004128CB call _KiSwapProcess@8 ; KiSwapProcess(x,x)
.text:004128D0 mov cl, [ebp+arg_8]
.text:004128D3 call @KiUnlockDispatcherDatabase@4 ; KiUnlockDispatcherDatabase(x)
.text:004128D8
.text:004128D8 loc_4128D8: ; CODE XREF: .text:00445D6Dj
.text:004128D8 ; KiAttachProcess(x,x,x,x)+3357Cj
.text:004128D8 pop edi
.text:004128D9 pop esi
.text:004128DA pop ebx
.text:004128DB pop ebp
.text:004128DC retn 10h
.text:004128DC _KiAttachProcess@16 endp
.text:004128DC
或者执行更加底层函数KiSwapProcess
.text:00404AC4 ; __stdcall KiSwapProcess(x, x)
.text:00404AC4 _KiSwapProcess@8 proc near ; CODE XREF: KiAttachProcess(x,x,x,x)+76p
.text:00404AC4 ; KeDetachProcess()+73p ...
.text:00404AC4
.text:00404AC4 arg_0 = dword ptr 4
.text:00404AC4
.text:00404AC4 mov edx, [esp+arg_0]
.text:00404AC8 xor eax, eax
.text:00404ACA cmp [edx+20h], ax
.text:00404ACE jz short loc_404AFF
.text:00404AD0 mov ecx, ds:0FFDFF03Ch
.text:00404AD6 mov eax, [edx+20h]
.text:00404AD9 mov [ecx+48h], eax
.text:00404ADC mov eax, [edx+24h]
.text:00404ADF mov [ecx+4Ch], eax
.text:00404AE2 mov ecx, ds:0FFDFF038h
.text:00404AE8 mov eax, [edx+28h]
.text:00404AEB mov [ecx+108h], eax
.text:00404AF1 mov eax, [edx+2Ch]
.text:00404AF4 mov [ecx+10Ch], eax
.text:00404AFA mov eax, 48h
.text:00404AFF
.text:00404AFF loc_404AFF: ; CODE XREF: KiSwapProcess(x,x)+Aj
.text:00404AFF lldt ax
.text:00404B02 mov ecx, ds:0FFDFF040h
.text:00404B08 mov edx, [esp+arg_0]
.text:00404B0C xor eax, eax
.text:00404B0E mov gs, ax
.text:00404B10 mov eax, [edx+18h]
.text:00404B13 mov [ecx+1Ch], eax
.text:00404B16 mov cr3, eax
.text:00404B19 mov ax, [edx+30h]
.text:00404B1D mov [ecx+66h], ax
.text:00404B21 retn 8
.text:00404B21 _KiSwapProcess@8 endp
.text:00404B21
我们仔细看代码,就是更改cr3
我们自己用代码完成-以下代码参考sinister
KiAttachProcess(EPROCESS *Process,Irql){
//CurThread=fs:124h
//CurProcess=CurThread->ApcState.Process;
if(CurProcess!=Process){
if(CurProcess->ApcStateIndex || KPCR->DpcRoutineActive)KeBugCheckEx...
}
//if we already in process's context
if(CurProcess==Process){KiUnlockDispatcherDatabase(Irql);return;}
Process->StackCount++;
KiMoveApcState(&CurThread->ApcState,&CurThread->SavedApcState);
// init lists
CurThread->ApcState.ApcListHead[0].Blink=&CurThread->ApcState.ApcListHead[0];
CurThread->ApcState.ApcListHead[0].Flink=&CurThread->ApcState.ApcListHead[0];
CurThread->ApcState.ApcListHead[1].Blink=&CurThread->ApcState.ApcListHead[1];
CurThread->ApcState.ApcListHead[1].Flink=&CurThread->ApcState.ApcListHead[1];;
//fill curtheads's fields
CurThread->ApcState.Process=Process;
CurThread->ApcState.KernelApcInProgress=0;
CurThread->ApcState.KernelApcPending=0;
CurThread->ApcState.UserApcPending=0;
CurThread->ApcState.ApcStatePointer.SavedApcState=&CurThread->SavedApcState;
CurThread->ApcState.ApcStatePointer.ApcState=&CurThread->ApcState;
CurThread->ApcStateIndex=1;
//if process ready, just swap it...
if(!Process->State)//state==0, ready
{
KiSwapProcess(Process,CurThread->SavedApcState.Process);
KiUnlockDispatcherDatabase(Irql);
return;
}
CurThread->State=1; //ready?
CurThread->ProcessReadyQueue=1;
//put Process in Thread's waitlist
CurThread->WaitListEntry.Flink=&Process->ReadyListHead.Flink;
CurThread->WaitListEntry.Blink=Process->ReadyListHead.Blink;
Process->ReadyListHead.Flink->Flink=&CurThread->WaitListEntry.Flink;
Process->ReadyListHead.Blink=&CurThread->WaitListEntry.Flink;
// else, move process to swap list and wait
if(Process->State==1){//idle?
Process->State=2; //trans
Process->SwapListEntry.Flink=&KiProcessInSwapListHead.Flink;
Process->SwapListEntry.Blink=KiProcessInSwapListHead.Blink;
KiProcessInSwapListHead.Blink=&Process->SwapListEntry.Flink;
KiSwapEvent.Header.SignalState=1;
if(KiSwapEvent.Header.WaitListHead.Flink!=&KiSwapEvent.Header.WaitListHead.
Flink)
KiWaitTest(&KiSwapEvent,0xa); //fastcall
}
CurThread->WaitIrql=Irql;
KiSwapThread();
return;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!