[旧帖] [求助][求助]老是BOSD,请各位高手指点下 0.00雪花
发表于: 2009-4-20 20:05 2725

我想拿KeInsertQueueApc练练手,学习下inline hook。。可老是BSOD,找半天没有头绪。。
请高手们指点下。。。
可能是恢复堆栈时出的问题。。。。主要是红色的代码部分。。。请高手们指点谢谢
#include <ntddk.h>
#include <windef.h>


/* Name of the kernel routine whose first bytes are overwritten by the hook. */
#define		 HOOK_FUNCTION_NAME			L"KeInsertQueueApc" 
/* Number of bytes saved from / written to the target routine.
 * NOTE(review): hook_native_api() and un_hook_native_api() mostly use the
 * literal 5 rather than this constant; the two must stay in sync with the
 * array sizes below. */
#define		 HOOK_LENGTH				5

/* First 5 original bytes of the target, filled by hook_native_api() and
 * written back by un_hook_native_api(). */
UCHAR		g_origcode [5]  = { 0x00, 0x00, 0x00, 0x00, 0x00 };  
/* 0xE9 rel32 is a near relative jump (a short jmp would be 0xEB). Bytes 1..4
 * receive the displacement to fake_my_native_api, computed in hook_native_api(). */
UCHAR		g_hook_code[5]  = { 0xe9/*near jmp rel32*/, 0x00, 0x00, 0x00, 0x00 };    
/* 0xEA ptr16:32 is a far absolute jump. Bytes 1..4 receive the 32-bit offset
 * (target + 5, set in hook_native_api()); bytes 5..6 are the 16-bit selector,
 * 0x0008 in little-endian order - presumably the kernel code segment. */
UCHAR		g_back_code[7]  = { 0xea/*far jmp ptr16:32*/, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00 };    


/* CR0 value captured by WPOFF() and written back by WPON(). */
ULONG		g_cr0;
/* Resolved address of HOOK_FUNCTION_NAME, stored as a 32-bit integer
 * (this file is x86-only: it relies on 32-bit inline asm throughout).
 * Stays 0 if the lookup fails; nothing below checks for that. */
ULONG		g_function_address;



/* Resolve an exported kernel routine by name; returns 0 when not found. */
ULONG		get_function_address( IN PCWSTR _pname );

/* Install the inline hook on HOOK_FUNCTION_NAME. */
NTSTATUS	hook_native_api( );

/* Restore the saved original bytes at HOOK_FUNCTION_NAME. */
NTSTATUS	un_hook_native_api( );

/* Hook body the target is redirected to; written as a naked function. */
void	    fake_my_native_api(PKAPC Apc, PVOID SystemArgument1, PVOID SystemArgument2, KPRIORITY Increment );

/* 12-byte NOP slot that hook_native_api() patches into "saved bytes + far jmp". */
void	    fake_proxy_my_native_api(PKAPC Apc, PVOID SystemArgument1, PVOID SystemArgument2, KPRIORITY Increment);


/*
 * WPOFF - clear CR0.WP (bit 16) so this CPU may write to read-only kernel
 *         pages, then disable interrupts. The pre-modification CR0 value is
 *         kept in g_cr0 for WPON().
 *
 * author: herso    date: 2009/04/18
 *
 * NOTE(review): `cli` is issued after CR0 has already been changed, so an
 * interrupt can run between `mov cr0, eax` and `cli` with WP cleared.
 * NOTE(review): CR0 is per-processor; only the CPU executing this is affected.
 */
void WPOFF()
{  
    ULONG uAttr;
   
    _asm
    {
        push eax;
        mov eax, cr0;
        mov uAttr, eax;      // keep the original CR0 before touching WP
        and eax, 0FFFEFFFFh; // clear bit 16 (WP) only
        mov cr0, eax;
        pop eax;
        cli
    };   
    g_cr0 = uAttr;           // published for WPON()
   
}


/*
 * WPON - re-enable interrupts and write back the CR0 value that WPOFF()
 *        saved in g_cr0 (restoring CR0.WP).
 *
 * author: herso    date: 2009/04/18
 *
 * NOTE(review): `sti` runs before CR0 is restored, the mirror image of the
 * ordering issue in WPOFF(): an interrupt here still sees WP cleared.
 * Relies on g_cr0 having been set by a matching WPOFF() call.
 */
VOID WPON()
{ 
    _asm
    {
        sti
        push eax;
        mov eax, g_cr0;      // value captured by WPOFF()
        mov cr0, eax;
        pop eax;
    };  
}



/*
 * hook_native_api - install a 5-byte inline hook on HOOK_FUNCTION_NAME.
 *
 * author: herso    date: 2009/04/18
 *
 * Steps visible below:
 *   1. resolve the target and fill in both jump displacements;
 *   2. save the target's first 5 bytes into g_origcode;
 *   3. with WP cleared and IRQL at DPC level, write the 0xE9 jump over the
 *      target and build the proxy (saved bytes + far jump back to target+5).
 *
 * Returns STATUS_SUCCESS unconditionally - even when the lookup failed.
 *
 * NOTE(review): g_function_address is never checked for 0; a failed lookup
 * makes RtlCopyMemory read from and write to address 0.
 * NOTE(review): the target is redirected (the 0xE9 write) before the proxy
 * is filled in; raising IRQL only stalls this CPU, so a call from another
 * processor in that window lands in the still-unpatched NOP proxy.
 * NOTE(review): copying the first 5 bytes blindly assumes they hold whole,
 * position-independent instructions (no relative branch, no instruction
 * straddling byte 5). Nothing here verifies that.
 * NOTE(review): this rewrites kernel text in place; the change is visible to
 * anything that compares the resident kernel image against the on-disk one,
 * and kernel patch protection on 64-bit Windows rejects this kind of edit.
 */
NTSTATUS  hook_native_api()
{
	KIRQL  oldIrql;
	

	g_function_address			= get_function_address( HOOK_FUNCTION_NAME );


	/* rel32 is measured from the end of the 5-byte jmp: target - (site + 5). */
	*((PULONG)&g_hook_code[1])  = (ULONG)fake_my_native_api - g_function_address - 5; 

	/* Far-jump offset: first byte of the target after the overwritten 5. */
	*((PULONG)&g_back_code[1])  = (ULONG) ((BYTE*)g_function_address + 5);


	RtlCopyMemory( g_origcode, (BYTE*)g_function_address, HOOK_LENGTH );

    WPOFF();
    oldIrql = KeRaiseIrqlToDpcLevel();
 

	/* Redirect the target to fake_my_native_api. */
	RtlCopyMemory( (BYTE*)g_function_address, g_hook_code, 5 );
	

	/* Turn the NOP slot in fake_proxy_my_native_api into
	 * "original 5 bytes" + "far jmp target+5". */
	RtlCopyMemory( (BYTE*)fake_proxy_my_native_api, g_origcode, 5 );
	RtlCopyMemory( (BYTE*)fake_proxy_my_native_api+5, g_back_code, 7 );


    KeLowerIrql(oldIrql);
    WPON();

	return STATUS_SUCCESS;

}



/*
 * un_hook_native_api - write the 5 saved bytes (g_origcode) back over the
 * start of the target, undoing hook_native_api().
 *
 * author: herso    date: 2009/04/18
 *
 * Returns STATUS_SUCCESS unconditionally.
 *
 * NOTE(review): there is no record of whether the hook was ever installed;
 * if g_function_address is still 0 this writes to address 0. The patched
 * proxy is left as is, which is fine only because nothing jumps to it once
 * the target is restored.
 * NOTE(review): as in hook_native_api(), the IRQL raise affects this CPU
 * only; a thread on another processor may be executing the hook path while
 * the bytes change underneath it.
 */
NTSTATUS	un_hook_native_api( )
{
    KIRQL  oldIrql;
	

    WPOFF();
    oldIrql = KeRaiseIrqlToDpcLevel();

	RtlCopyMemory( (BYTE*) g_function_address, g_origcode, 5 );
 

    KeLowerIrql(oldIrql);
    WPON();

	return STATUS_SUCCESS;
}


/*
 * fake_my_native_api - hook body reached through the 0xE9 jump that
 * hook_native_api() writes over the target.
 *
 * author: herso    date: 2009/04/18
 *
 * This is the section the original post highlighted in red.
 *
 * Intent visible in the code: if the APC is aimed at a thread whose process
 * image name is "notepad.exe" and the current process is not notepad.exe,
 * return 0 in eax without queueing; otherwise continue into the original
 * routine via fake_proxy_my_native_api.
 *
 * NOTE(review): the function is naked, so the compiler emits no prologue,
 * epilogue or stack reservation for the locals declared below, yet it still
 * addresses them at negative ebp offsets (the kd trace later in the thread
 * shows [ebp-4] and [ebp-0Ch]); they therefore overlap the registers that
 * `pushad` saved.
 * NOTE(review): `mov ebp, esp` is executed after `pushad`, so [ebp+8], where
 * the compiler reads `Apc`, lies inside the pushad save area rather than at
 * the first argument; the matching `mov esp, ebp` / `pop ebp` on the exit
 * paths then restores the wrong frame.
 * NOTE(review): the `else` belongs to the outer `if` only. When both the
 * target and the caller are notepad.exe neither asm exit runs and control
 * falls off the end of a function that has no epilogue and no `ret`.
 * NOTE(review): 0x220 (thread -> owning process) and 0x174 (process -> image
 * name), judging by the variable names, are hard-coded for one specific OS
 * build and are dereferenced without any NULL check - verify before reuse.
 */
_declspec (naked )
void fake_my_native_api(PKAPC Apc, 
						PVOID SystemArgument1, 
						PVOID SystemArgument2, 
						KPRIORITY Increment )
{

	 ULONG  ptarget_thread;
	 ULONG  ptarget_process;

	 ULONG  pcurrent_process;
 
	 PUCHAR  ptarget_process_name;
	 PUCHAR  pcurrent_process_name;

	 __asm
	 {
		  push ebp
		  pushad 
		  mov  ebp, esp      // frame base set only after pushad (see NOTE above)
	 }


	 /* Thread the APC is queued to, then the process pointer stored at a
	  * fixed offset inside that thread object. */
	 ptarget_thread   = (ULONG)(Apc->Thread);
	 ptarget_process   = *(PULONG)(ptarget_thread + 0x220);
 
	 ptarget_process_name = (PUCHAR)(ptarget_process + 0x174);


	 /* NOTE(review): this dereferences the pointer PsGetCurrentProcess()
	  * returns, i.e. it reads the first DWORD of the process object rather
	  * than using the object's address - unlike ptarget_process above. */
	 pcurrent_process  = *(PULONG)PsGetCurrentProcess(); 
	 pcurrent_process_name   = (PUCHAR)(pcurrent_process + 0x174);


	 if( _stricmp( ptarget_process_name, "notepad.exe") == 0 )
	 {
		  if( _stricmp(pcurrent_process_name, "notepad.exe") != 0 )
		  {
			   /* Reject: restore registers, return 0 (FALSE) and pop the
			    * four stdcall arguments (0x10 bytes). */
			   __asm
			   {
					popad
					mov esp, ebp
					pop ebp
					mov eax, 0x0
					ret  0x10
			   }
		  }
	 }

	 else
	 {
		  /* Not notepad: restore registers and continue into the original
		   * routine through the patched proxy. */
		  __asm
		  {
			   popad
			   mov esp, ebp
			   pop ebp
			   jmp fake_proxy_my_native_api    
		  }
	 }



}

/*
 * fake_proxy_my_native_api - 12-byte NOP slot that hook_native_api() patches
 * at run time: bytes 0..4 become the target's saved original bytes, bytes
 * 5..11 become g_back_code (far jmp to target+5). After patching, jumping
 * here executes the displaced instructions and then continues in the
 * original routine.
 *
 * author: herso    date: 2009/04/18
 *
 * The parameters are never used; they only give the proxy the same shape as
 * the hooked routine.
 *
 * NOTE(review): the slot contains no terminating instruction of its own. If
 * it is reached before hook_native_api() has filled it in, execution runs
 * off the end of the NOPs into whatever follows in the image.
 */
_declspec ( naked )
void fake_proxy_my_native_api(PKAPC Apc, 
							  PVOID SystemArgument1, 
							  PVOID SystemArgument2, 
							  KPRIORITY Increment )
{
	__asm
	{

		_emit  0x90		//	\  bytes 0..4: replaced by g_origcode
		_emit  0x90		//	|  (the 5 original bytes of the target)
		_emit  0x90		//	|  
		_emit  0x90		//	|
		_emit  0x90		//	/

		_emit  0x90		// byte 5: 0xEA far jmp opcode (from g_back_code)
		_emit  0x90		// \  bytes 6..9: 32-bit offset = target + 5
		_emit  0x90		// |   
		_emit  0x90		// |
		_emit  0x90		// /

		_emit  0x90	    // bytes 10..11: selector 0x0008, little-endian
		_emit  0x90		//
	}
}




/*
 * get_function_address - look up an exported kernel routine by name.
 *
 * author: herso    date: 2009/04/18
 *
 * @_pname: NUL-terminated wide string naming the routine
 *          (e.g. HOOK_FUNCTION_NAME).
 *
 * Returns the routine's address truncated to ULONG (this file is 32-bit
 * only), or 0 when MmGetSystemRoutineAddress() does not find the name.
 */
ULONG  get_function_address( IN PCWSTR _pname )
{
	UNICODE_STRING	routine_name;
	PVOID			routine;

	RtlInitUnicodeString( &routine_name, _pname );
	routine = MmGetSystemRoutineAddress( &routine_name );

	return (ULONG)routine;
}



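/*
 * OnUnload - DriverUnload callback. Removes the inline hook so the patched
 * kernel routine no longer jumps into this image once it is unmapped.
 *
 * author: herso    date: 2009/04/18
 *
 * @DriverObject: unused; only the global hook state is needed.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
  UNREFERENCED_PARAMETER( DriverObject );

  DbgPrint("My Driver Unloaded!");
  /* Must complete before the image goes away: the hook jump points here. */
  un_hook_native_api();
}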



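/*
 * DriverEntry - driver entry point: registers the unload routine and installs
 * the inline hook.
 *
 * author: herso    date: 2009/04/18
 *
 * @theDriverObject: driver object; its DriverUnload is set to OnUnload.
 * @theRegistryPath: unused.
 *
 * Returns the status of hook_native_api(); a failure there fails the load
 * instead of leaving a half-initialised driver resident.
 */
NTSTATUS  DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath   )
{
	NTSTATUS status;

	UNREFERENCED_PARAMETER( theRegistryPath );

	DbgPrint("My Driver Loaded!");
	theDriverObject->DriverUnload = OnUnload;

	/* Do not discard the hook result: the original ignored it. */
	status = hook_native_api();
	if( !NT_SUCCESS( status ) )
	{
		return status;
	}

	return STATUS_SUCCESS;
}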


最新回复 (2)
pushad
mov  ebp, esp
这句换个顺序试试
2009-4-20 22:17
还是不行。。
我把执行过程贴一下看看有用不?

hookKeInsertQueueApc!fake_my_native_api+0x2:
fcbc0642 55              push    ebp
kd> p
hookKeInsertQueueApc!fake_my_native_api+0x3:
fcbc0643 8bec            mov     ebp,esp
kd> p
hookKeInsertQueueApc!fake_my_native_api+0x5:
fcbc0645 60              pushad
kd> p
hookKeInsertQueueApc!fake_my_native_api+0x6:
fcbc0646 8b4508          mov     eax,dword ptr [ebp+8]
kd> p
hookKeInsertQueueApc!fake_my_native_api+0xf:
fcbc064f 8b55f4          mov     edx,dword ptr [ebp-0Ch]
kd> p
hookKeInsertQueueApc!fake_my_native_api+0x1b:
fcbc065b 8b4dfc          mov     ecx,dword ptr [ebp-4]
kd> p
hookKeInsertQueueApc!fake_my_native_api+0x27:
fcbc0667 682006bcfc      push    offset hookKeInsertQueueApc!un_hook_native_api+0x40 (fcbc0620)
kd> p
Access violation - code c0000005 (!!! second chance !!!)
nt!SeLockSubjectContext+0x1a:

80565a37 ff7030
2009-4-20 23:45