Last year, the Chinese hacker MJ0011 showed some information about her new bootkit (MJ0011.tophet), Tophet, and she gave many more details at the XCON 2008 conference (Tophet.doc). I just picked up a few techniques from it; although they are old-fashioned, they are still useful to me. Aha, how inferior and ugly I am!
Following MJ's document, I threw together a rough prototype; features will be added bit by bit. Just starting to debug ntldr, it is quite interesting, heh. The result is as follows:
-------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\pipe\com_1
Waiting to reconnect...
BD: Boot Debugger Initialized
BD: osloader.exe base address 00400000
Connected to Windows Boot Debugger 3790 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*E:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Module List address is NULL - debugger not initialized properly.
WARNING: .reload failed, module list may be incomplete
KdDebuggerData.KernBase < SystemRangeStart
Windows Boot Debugger Kernel Version 3790 UP Checked x86 compatible
Primary image base = 0x00000000 Loaded module list = 0x00000000
System Uptime: not available
The call to LoadLibrary(bootext) failed, Win32 error 0n2
"系统找不到指定的文件。"
Please check your debugger configuration and/or network access.
BD: \NTBOOTDD.SYS base address 80002000
+**************************************************+
* *
* Hello,Tophet! from sudami in osloader *
* *
+**************************************************+
BD: \WINDOWS\system32\ntoskrnl.exe base address 804EA000
BD: \WINDOWS\system32\hal.dll base address 806FF000
BD: \WINDOWS\system32\KDCOM.DLL base address 80720000
[sudami's Tophet] Path \WINDOWS\system32\ntoskrnl.exe, Address: 0x804ea000
----- Ntoskrnl.exe Address: 0x804ea000 -----
[sudami's Tophet] Path \WINDOWS\system32\hal.dll, Address: 0x806ff000
[sudami's Tophet] Path \WINDOWS\system32\KDCOM.DLL, Address: 0x80720000
BD: \WINDOWS\system32\BOOTVID.dll base address 80010000
BD: \WINDOWS\system32\DRIVERS\ACPI.sys base address 803B3000
[sudami's Tophet] Path ACPI.sys, Address: 0x803b3000
BD: \WINDOWS\system32\DRIVERS\WMILIB.SYS base address 80008000
BD: \WINDOWS\system32\DRIVERS\pci.sys base address 80062000
[sudami's Tophet] Path pci.sys, Address: 0x80062000
BD: \WINDOWS\system32\DRIVERS\isapnp.sys base address 80013000
[sudami's Tophet] Path isapnp.sys, Address: 0x80013000
BD: \WINDOWS\system32\DRIVERS\compbatt.sys base address 8000A000
[sudami's Tophet] Path compbatt.sys, Address: 0x8000a000
BD: \WINDOWS\system32\DRIVERS\BATTC.SYS base address 8001C000
BD: \WINDOWS\system32\DRIVERS\intelide.sys base address 8000D000
[sudami's Tophet] Path intelide.sys, Address: 0x8000d000
BD: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS base address 803E1000
BD: \WINDOWS\System32\Drivers\MountMgr.sys base address 803E8000
[sudami's Tophet] Path MountMgr.sys, Address: 0x803e8000
BD: \WINDOWS\system32\DRIVERS\ftdisk.sys base address 80722000
[sudami's Tophet] Path ftdisk.sys, Address: 0x80722000
BD: \WINDOWS\System32\drivers\dmload.sys base address 80073000
[sudami's Tophet] Path dmload.sys, Address: 0x80073000
BD: \WINDOWS\System32\drivers\dmio.sys base address 80741000
[sudami's Tophet] Path dmio.sys, Address: 0x80741000
BD: \WINDOWS\System32\Drivers\PartMgr.sys base address 803F3000
[sudami's Tophet] Path PartMgr.sys, Address: 0x803f3000
BD: \WINDOWS\System32\Drivers\VolSnap.sys base address 80767000
[sudami's Tophet] Path VolSnap.sys, Address: 0x80767000
BD: \WINDOWS\system32\DRIVERS\atapi.sys base address 80773000
[sudami's Tophet] Path atapi.sys, Address: 0x80773000
BD: \WINDOWS\system32\DRIVERS\vmscsi.sys base address 803F8000
[sudami's Tophet] Path vmscsi.sys, Address: 0x803f8000
BD: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS base address 8078B000
BD: \WINDOWS\system32\DRIVERS\disk.sys base address 807A3000
[sudami's Tophet] Path disk.sys, Address: 0x807a3000
BD: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS base address 807AC000
BD: \WINDOWS\system32\DRIVERS\fltMgr.sys base address 807B9000
[sudami's Tophet] Path fltMgr.sys, Address: 0x807b9000
BD: \WINDOWS\System32\Drivers\KSecDD.sys base address 807D9000
[sudami's Tophet] Path KSecDD.sys, Address: 0x807d9000
BD: \WINDOWS\System32\Drivers\Ntfs.sys base address 80A02000
[sudami's Tophet] Path Ntfs.sys, Address: 0x80a02000
BD: \WINDOWS\System32\Drivers\NDIS.sys base address 80A8F000
[sudami's Tophet] Path NDIS.sys, Address: 0x80a8f000
Start Geting ntoskrnl's EAT func...
----- DbgPrint's Address: 0x804ed5f4 -----
----- RtlImageNtHeader's Address: 0x805d56d7 -----
----- _wcsupr's Address: 0x8051f367 -----
----- ExAllocatePool's Address: 0x8053d69e -----
----- ExFreePool's Address: 0x80622e97 -----
----- PsGetCurrentProcessId's Address: 0x80595824 -----
----- KeInsertQueueApc's Address: 0x8051ccb1 -----
BlTransferToKernel Address: 0x0041317a | Patch BlTransferToKernel,Done!
Patch MmLoadSystemImage,Done!
DoPatch() Over!
Unhook BlAllocateDataTableEntry. Done!
BD: \WINDOWS\System32\Drivers\Mup.sys base address 80ABC000
BD: \WINDOWS\system32\DRIVERS\agp440.sys base address 807F0000
Hijack ntoskrnl.exe'EP, Done!
Shutdown occurred...unloading all symbol tables.
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: .sympath SRV*e:\DebugSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp_sp2_gdr.061219-0316
Kernel base = 0x804ea000 PsLoadedModuleList = 0x8056d620
System Uptime: not available
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\intelppm.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\i8042prt.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\kbdclass.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\vmmouse.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\mouclass.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\parport.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\serial.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\serenum.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\fdc.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\imapi.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\cdrom.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\redbook.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\ks.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\usbuhci.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\USBPORT.SYS
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\vmx_svga.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\vmxnet.sys
[Tophet] LoadImage: \SystemRoot\system32\drivers\es1371mp.sys
[Tophet] LoadImage: \SystemRoot\system32\drivers\portcls.sys
[Tophet] LoadImage: \SystemRoot\system32\drivers\drmk.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\CmBatt.sys
[Tophet] LoadImage: \SystemRoot\system32\DRIVERS\fsvga.sys
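As an added example (not code from this post or from Tophet itself), here is a small Python triage script for a boot-debugger transcript like the one above. It parses the loader's "BD:" module notices and the bootkit's own "[sudami's Tophet]" trace lines, lists the Patch/Hijack/Unhook notices, checks each traced module against the base address the loader itself reported, and checks the kernel base printed after the debugger reconnects against the loader's ntoskrnl base. The sample lines are constructed in the transcript's formats; the isapnp.sys trace line without a matching loader line is constructed deliberately so the cross-check has something to flag.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the boot-debugger transcript above:
# loader "BD:" module notices, the bootkit's own "[sudami's Tophet]" trace
# lines, the patch/hijack notices, and the kernel-base line printed after
# the debugger reconnects. The isapnp.sys trace line has no matching loader
# line on purpose, so that the cross-check below has something to surface.
SAMPLE_LOG = r"""
BD: \WINDOWS\system32\ntoskrnl.exe base address 804EA000
BD: \WINDOWS\system32\hal.dll base address 806FF000
[sudami's Tophet] Path \WINDOWS\system32\ntoskrnl.exe, Address: 0x804ea000
BD: \WINDOWS\system32\DRIVERS\pci.sys base address 80062000
[sudami's Tophet] Path pci.sys, Address: 0x80062000
[sudami's Tophet] Path isapnp.sys, Address: 0x80013000
BlTransferToKernel Address: 0x0041317a | Patch BlTransferToKernel,Done!
Patch MmLoadSystemImage,Done!
Unhook BlAllocateDataTableEntry. Done!
Hijack ntoskrnl.exe'EP, Done!
Kernel base = 0x804ea000 PsLoadedModuleList = 0x8056d620
"""

# Line formats taken from the transcript; the regexes themselves are ours.
BD_RE = re.compile(r"^BD: (\S+) base address ([0-9A-Fa-f]+)$")
TRACE_RE = re.compile(r"^\[sudami's Tophet\] Path (\S+), Address: 0x([0-9A-Fa-f]+)$")
EVENT_RE = re.compile(r"\b(Patch|Hijack|Unhook) (.+?)[,.]\s*Done!")
KERNEL_RE = re.compile(r"^Kernel base = 0x([0-9A-Fa-f]+)")


def basename(path):
    """Case-folded file name of a Windows path. The loader prints full paths,
    while the bootkit trace prints only the file name for most drivers."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_boot_log(text):
    loader = OrderedDict()  # file name -> base address reported by the loader
    trace = []              # (file name, address) pairs reported by the bootkit
    events = []             # (verb, target) for Patch/Hijack/Unhook notices
    kernel_base = None      # base the running kernel reports after reconnect
    for line in text.splitlines():
        line = line.strip()
        m = BD_RE.match(line)
        if m:
            loader[basename(m.group(1))] = int(m.group(2), 16)
            continue
        m = TRACE_RE.match(line)
        if m:
            trace.append((basename(m.group(1)), int(m.group(2), 16)))
            continue
        m = KERNEL_RE.match(line)
        if m:
            kernel_base = int(m.group(1), 16)
            continue
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2).strip()))
    return loader, trace, events, kernel_base


def cross_check(loader, trace):
    """Trace entries not confirmed by a loader notice: the module never
    appeared in a BD: line, or the loader reported a different base."""
    return [(name, addr) for name, addr in trace if loader.get(name) != addr]


def triage(text):
    loader, trace, events, kernel_base = parse_boot_log(text)
    return {
        "modules_seen_by_loader": len(loader),
        "modules_traced_by_bootkit": len(trace),
        "unconfirmed_trace_entries": cross_check(loader, trace),
        "patch_events": events,
        "kernel_base_consistent": kernel_base == loader.get("ntoskrnl.exe"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full transcript saved from the serial pipe; the "patch_events" list is the part worth keeping as evidence, since a clean loader run prints no Patch, Hijack or Unhook notices at all, and "unconfirmed_trace_entries" should be empty when the bootkit's trace is merely echoing the loader's own module list.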
Excerpt from the kernel's MiReloadBootLoadedDrivers (the routine that the loader hands the boot drivers to; the loop is cut off here in the original post):

VOID
MiReloadBootLoadedDrivers (
    IN PLOADER_PARAMETER_BLOCK LoaderBlock
    )

/*++

Routine Description:

    The kernel, HAL and boot drivers are relocated by the loader. All the
    boot drivers are then relocated again here.

    This function relocates osloader-loaded images into system PTEs. This
    gives these images the benefits that all other drivers already enjoy,
    including:

    1. Paging of the drivers (this is more than 500K today).
    2. Write-protection of their text sections.
    3. Automatic unload of drivers on last dereference.

--*/

    for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {

        //
        // Skip the kernel and the HAL. Note their relocation sections will
        // be automatically reclaimed.
        //

        i += 1;

        if (i <= 2) {
            continue;
        }