召唤wowowowock
啊摩西列~~~莫妮卡里~~~~蛮力蛮力弘
神牛啊。。。出现吧!!!帮我实现一个愿望。。。 我打算HOOK QueryValueKey,但是老是不稳定,hook是可以调用,但是会莫名其妙的挂掉,有空帮我调试下 |
沙发#
发布于:2007-09-12 11:42
等wowocock
板凳#
发布于:2007-09-12 12:24
代码很零乱,为什么用那么奇怪的HOOK 方法????
地板#
发布于:2007-09-12 13:09
引用第0楼boywhp于2007-09-12 09:52发表的 召唤wowowowock : ,你太搞笑了。。哈哈。。估计你游戏玩多了,在游戏里练召唤系的吧。。哈哈。。不过,还真灵,出现了。。这个咒语不错,下次我COPY来用用。。 |
地下室#
发布于:2007-09-12 14:13
阅读这么多代码,兄台的HOOK是小可第一次看见.好复杂
5楼#
发布于:2007-09-12 15:34
难道是传说中的DETOURS in Kernel?貌似你又是自己写的,为啥不直接移植DETOURS?
6楼#
发布于:2007-09-12 16:13
To wowocock 当然凌乱了啊,我测试代码
那个Hook NtDeviceIoControl貌似工作正常,关键是HOOK QueryValueKey不稳定,老是给我BSOD 这样写是为了躲开利用前7个字节JMP来检查inline hook的工具 |
7楼#
发布于:2007-09-13 00:11
避开前7字节检测也不用这么猥琐吧~~一点小小技巧即可~~
8楼#
发布于:2007-09-13 08:05
我不怎么相信WQXNETQIQI,不能用你的方法,貌似你是搞杀流氓软件的,用你的方法肯定会被杀的 哈哈
你是不是搞360卫士的,给小弟一条活路吧 谢谢 PS:WQXNETQIQI = 王琪兴 网络 琪琪???好怪异的字符串,期待解释ing,本人也姓王,本家啊,以后就托付给你了,哈哈 |
9楼#
发布于:2007-09-13 08:44
有些东西像从winpooch中拷贝过来的.
10楼#
发布于:2007-09-13 08:56
王琪兴是mm
11楼#
发布于:2007-09-13 10:02
12楼#
发布于:2007-09-13 10:47
你这种方法只能躲避写比较烂的检测工具,好的工具即使你修改原始代码的任何一个字节,都能检测出来。你的程序比较乱,指令和堆栈的处理上都有问题,早上浪费点时间帮你看了下,
修改后在XPSP2下测试没问题,硬编码太多了,意义不大。
//--------------------------------------------------------------------
// Test driver posted in this thread: an x86 kernel-mode inline hook of the
// SSDT entry behind ZwQueryValueKey.  The 8-byte patch (7-byte far jmp + one
// NOP) is written 15 bytes into the target rather than at its entry, and
// HOOKQueryValueKey carries a trampoline that re-executes the displaced
// instructions.  Every offset is hard-coded for one specific kernel build.
// NOTE(review): several `[i]` subscripts appear to have been eaten by the
// forum's BBCode (e.g. `0x90 == lpHookQueryValueKey`, `(unsigned char)p`,
// `p != c`); the code is kept exactly as posted.
//--------------------------------------------------------------------
#include <ntddk.h>
#include "AsmCodeLen.h"
#include "main.h"

// Saved bytes / patch bytes for the (commented-out) NtDeviceIoControlFile
// hook: EA <offset:4> 08 00 is a far jmp to selector 0x0008, padded to
// 9 bytes with two NOPs.  0x11223344 is a placeholder offset.
BYTE oldByte[9] = {0};
BYTE newcode[9] = {0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00, 0x90, 0x90};
// Same for the QueryValueKey hook: far jmp + one NOP, 8 bytes.  The offset
// field is filled in by DriverEntry before the patch is written.
BYTE oldByte2[8] = {0};
BYTE newcode2[8] = {0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00,0x90};
// Patched addresses, remembered so DriverUnload can restore the bytes.
PBYTE g_lpDeviceIoControlFile = NULL;
PBYTE g_lpQueryValueKey = NULL;

// Installs the hook:
//  1. resolve the real NtQueryValueKey through the SSDT,
//  2. point newcode2's far jmp at HOOKQueryValueKey,
//  3. fill the NOP sled inside HOOKQueryValueKey with the 23 bytes that will
//     be displaced (15 untouched bytes + the 8 the patch overwrites, copied
//     while the target is still unpatched) and a far jmp back to target+23,
//  4. clear CR0.WP, save the 8 bytes at target+15, write the patch, set WP.
// Always returns STATUS_SUCCESS; RegistryPath is unused.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    int i;
    //PBYTE lpDeviceIoControlFile = (PBYTE)NtDeviceIoControlFile;
    //PBYTE lpHookDeviceIoControlFile = (PBYTE)my_function_detour_ntdeviceiocontrolfile;
    PBYTE lpQueryValueKey = GetSSDTFunction((PBYTE)ZwQueryValueKey);
    PBYTE lpHookQueryValueKey = (PBYTE)HOOKQueryValueKey;
    //g_lpDeviceIoControlFile = lpDeviceIoControlFile;
    g_lpQueryValueKey = lpQueryValueKey;
    //NtDeviceIoControlFile disassembles as follows:
    //55 PUSH EBP
    //8BEC MOV EBP, ESP
    //6A01 PUSH 01
    //FF752C PUSH DWORD PTR [EBP + 2C]
    //ff7528 push dword ptr [ebp+0x28]
    //ff7524 push dword ptr [ebp+0x24]
    //ff7520 push dword ptr [ebp+0x20]
    //...
    //Hook it At ff7528 - ff7520
    //with write 7 bytes [far jmp 0xAAAAAAAA:0800] + 2bytes nop
    //*(PULONG)(newcode+1) = (ULONG)lpHookDeviceIoControlFile;
    //The far-jmp offset field starts 1 byte after the EA opcode.
    *(PULONG)(newcode2+1) = (ULONG)lpHookQueryValueKey;
    //*(PULONG)(newcode2+1) = (ULONG)HOOKQueryValueKey;
    //relocate the 0xAAAAAAAA placeholder inside the hook (old NtDeviceIoControlFile version)
    /*for(i=0; i<256;i++) { if ((0xAA == lpHookDeviceIoControlFile) && (0xAA == lpHookDeviceIoControlFile[i+1]) && (0xAA == lpHookDeviceIoControlFile[i+2]) && (0xAA == lpHookDeviceIoControlFile[i+3])) { *(PULONG)(lpHookDeviceIoControlFile + i) = (ULONG)lpDeviceIoControlFile + 8 + sizeof(newcode); break; } }*/
    //Scan the first 256 bytes of HOOKQueryValueKey for the NOP sled
    //(four consecutive 0x90) that marks the trampoline.
    for(i=0; i<256; i++)
    {
        //NOTE(review): as posted the first test compares the pointer itself;
        //presumably `lpHookQueryValueKey[i]` before the forum dropped `[i]`.
        if ((0x90 == lpHookQueryValueKey) && (0x90 == lpHookQueryValueKey[i+1]) && (0x90 == lpHookQueryValueKey[i+2]) && (0x90 == lpHookQueryValueKey[i+3]))
        {
            //write 15 bytes (plus the 8 the patch will replace = 23 bytes)
            //of the still-unpatched target into the sled
            RtlCopyBytes(lpHookQueryValueKey + i, lpQueryValueKey, 15+ sizeof(newcode2));
            //note: the EA opcode occupies 1 byte, so the jmp offset sits at +1;
            //resume in the target right after the 23 displaced bytes
            *(PULONG)(&lpHookQueryValueKey[i + 15+ sizeof(newcode2) + 1]) = (ULONG)(lpQueryValueKey + 15 + sizeof(newcode2));
            break;
        }
    }
    //hook: clear CR0.WP so kernel text can be written
    _asm
    {
        CLI; //dissable interrupt
        MOV EAX, CR0; //move CR0 register into EAX
        AND EAX, NOT 10000H; //disable WP bit
        MOV CR0, EAX; //write register back
    }
    //RtlCopyBytes(oldByte, lpDeviceIoControlFile+8, sizeof(newcode));
    //RtlCopyBytes(lpDeviceIoControlFile+8, newcode, sizeof(newcode));
    //HOOKQueryValueKey: save the 8 original bytes at target+15, then
    //overwrite them with the far jmp to the hook
    RtlCopyBytes(oldByte2, lpQueryValueKey+15, sizeof(newcode2));
    RtlCopyBytes(lpQueryValueKey+15, newcode2, sizeof(newcode2));
    _asm
    {
        MOV EAX, CR0;
        OR EAX, 10000H; //restore WP bit
        MOV CR0, EAX;
        STI;
    }
    //KdPrint(("Success, %08x, %08x", lpHookQueryValueKey, lpHookDeviceIoControlFile));
    KdPrint(("Success, %08x", lpHookQueryValueKey));
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

// Unhook: clear WP, put the 8 saved bytes back at target+15, restore WP.
// NOTE(review): nothing here waits for a thread that may still be executing
// inside HOOKQueryValueKey's trampoline before the image goes away.
VOID DriverUnload (IN struct _DRIVER_OBJECT *DriverObject)
{
    //back up
    _asm
    {
        CLI; //dissable interrupt
        MOV EAX, CR0; //move CR0 register into EAX
        AND EAX, NOT 10000H; //disable WP bit
        MOV CR0, EAX; //write register back
    }
    //RtlCopyBytes(g_lpDeviceIoControlFile+8, oldByte, sizeof(newcode));
    RtlCopyBytes(g_lpQueryValueKey+15, oldByte2, sizeof(newcode2));
    _asm
    {
        MOV EAX, CR0;
        OR EAX, 10000H; //restore WP bit
        MOV CR0, EAX;
        STI;
    }
    KdPrint(("Unload"));
}

/*
 * Get the actual execution address of an NT kernel function.
 * lpNtFunction is a Zw* stub; byte 1 holds the 32-bit service index of its
 * `mov eax, FunID`, which is used to index KeServiceDescriptorTable.
 * NOTE(review): the index is not checked against the table size.
 */
PBYTE GetSSDTFunction(PBYTE lpNtFunction)
{
    //return the real address of the given function so it can be inline hooked
    //Zw stub layout:
    //MOV eax, FunID
    //LEA EDX, [esp+4]
    //INT 2E
    //RET
    //
    ULONG id = *(PULONG)(lpNtFunction + 1);
    return (PBYTE)(*((PULONG)KeServiceDescriptorTable->ServiceTableBase + id));
}

// Sanity check (not called from DriverEntry in this listing): compares the
// first 8 bytes of NtDeviceIoControlFile with the expected prologue and
// returns STATUS_UNSUCCESSFUL on the first mismatch.
// NOTE(review): `(unsigned char)p` and `p != c` as posted compare the
// pointers, not p[i]/c[i]; presumably the subscripts were lost in posting.
NTSTATUS CheckFunctionBytesNtDeviceIoControlFile()
{
    int i=0;
    char *p = (char *)NtDeviceIoControlFile;
    //The beginning of the NtDeviceIoControlFile function
    //should match:
    //55 PUSH EBP
    //8BEC MOV EBP, ESP
    //6A01 PUSH 01
    //FF752C PUSH DWORD PTR [EBP + 2C]
    //
    BYTE c[] = {0x55, 0x8B, 0xEC, 0x6A, 0x01, 0xFF, 0x75, 0x2C};
    while(i<8)
    {
        DbgPrint(" - 0x%02X ", (unsigned char)p);
        DbgPrint("\n");
        if(p != c)
        {
            return STATUS_UNSUCCESSFUL;
        }
        i++;
    }
    return STATUS_SUCCESS;
}

//--------------------------------------------------------------------
// naked functions have no prolog/epilog code - they are functionally like the
// target of a goto statement
//--------------------------------------------------------------------
// Detour for the (disabled) NtDeviceIoControlFile hook.  Entered via the far
// jmp written at target+8, i.e. after the 8-byte prologue listed below has
// already run.  It re-pushes the ten arguments, `call`s a local copy of that
// prologue (bAck) which ends in a far jmp into the original at the 0xAAAAAAAA
// placeholder, and post-processes the output buffer once the call returns.
__declspec(naked) NTAPI my_function_detour_ntdeviceiocontrolfile(IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength )
{
    //first undo the stack effect of the displaced instructions
    //55 PUSH EBP
    //8BEC MOV EBP, ESP
    //6A01 PUSH 01
    //FF752C PUSH DWORD PTR [EBP + 2C]
    _asm
    {
        //drop the two dwords pushed by `push 01` / `push [ebp+2c]`;
        //presumably EBP still frames the original arguments so the
        //named parameters below resolve -- tied to this exact prologue
        add esp, 8;
        //pushad; //push the general registers in order
        //call the original NtDeviceIoControlFile
        push OutputBufferLength;
        push OutputBuffer;
        push InputBufferLength;
        push InputBuffer;
        push IoControlCode;
        push IoStatusBlock;
        push ApcContext;
        push ApcRoutine;
        push Event;
        push FileHandle;
        jmp forwArd;
    bAck:
        //re-executed copy of the displaced prologue bytes
        push ebp;
        mov ebp, esp
        push 0x01
        push dword ptr [ebp+0x2C];
        push dword ptr [ebp+0x28];
        push dword ptr [ebp+0x24];
        push dword ptr [ebp+0x20];
        //far jmp 0008:0xAAAAAAAA -- placeholder meant to be patched at load
        _emit 0xEA;
        _emit 0xAA;
        _emit 0xAA;
        _emit 0xAA;
        _emit 0xAA;
        _emit 0x08;
        _emit 0x00;
    forwArd:
        call bAck;
    }
    //ok!
    //filter IP data
    if (IOCTL_TCP_QUERY_INFORMATION_EX == IoControlCode)
    {
        //show the data in the debugger (and rewrite it; see DebugBuffer)
        DebugBuffer(InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength);
    }
    _asm
    {
        //popad;
        mov esp, ebp;
        pop ebp;
        ret;
    }
}

// Detour for NtQueryValueKey.  Entered via the far jmp written at target+15,
// so the target's first 15 bytes have already executed.  The six arguments
// are re-pushed and a local trampoline (bAck) is called; DriverEntry fills
// its 23-byte NOP sled with the displaced instructions and points the
// trailing far jmp at target+23.
__declspec(naked) NTAPI HOOKQueryValueKey(IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Lenth,
    OUT PULONG ResultLength )
{
    _asm
    {
        //first execute the overwritten 7 BYTES
        //int 3;
        //NOTE(review): assumes the 15 displaced bytes left exactly one
        //extra dword on the stack -- valid only for one kernel build
        add esp, 4;
        pushfd;
        push ResultLength;
        push Lenth;
        push KeyValueInformation;
        push KeyValueInformationClass;
        push ValueName;
        push KeyHandle;
        jmp forwArd;
    bAck:
        //.........15bytes: NOP sled, overwritten at load with the 15 + 8
        //displaced bytes of the target
        _emit 0x90;//1
        _emit 0x90;//2
        _emit 0x90;//3
        _emit 0x90;//4
        _emit 0x90;//5
        _emit 0x90;//6
        _emit 0x90;//7
        _emit 0x90;//8
        _emit 0x90;//9
        _emit 0x90;//10
        _emit 0x90;//11
        _emit 0x90;//12
        _emit 0x90;//13
        _emit 0x90;//14
        _emit 0x90;//15
        _emit 0x90;//16
        _emit 0x90;//17
        _emit 0x90;//18
        _emit 0x90;//19
        _emit 0x90;//20
        _emit 0x90;//21
        _emit 0x90;//22
        _emit 0x90;//23
        //......... far jmp 0008:<offset>; offset patched by DriverEntry to target+23
        _emit 0xEA;
        _emit 0x90;
        _emit 0x90;
        _emit 0x90;
        _emit 0x90;
        _emit 0x08;
        _emit 0x00;
    forwArd:
        call bAck;
    }
    //process the result
    //NOTE(review): C call inside a naked function with only EFLAGS saved;
    //reply #15 in this thread wraps it in pushad/popad for the checked build.
    KdPrint(("%08x, %08x, %08x, %wZ\n", KeyHandle, Lenth, ResultLength, ValueName));
    _asm
    {
        popfd;
        mov esp, ebp;
        pop ebp;
        ret;
    }
}

// Post-processes an IOCTL_TCP_QUERY_INFORMATION_EX request.  When the TDI
// object id is 0x102 (the query ipconfig uses, per the author's comment),
// every dword equal to 0x0201a8c0 in the output buffer (bytes c0 a8 01 02,
// i.e. 192.168.1.2) is rewritten to 0x0301a8c0 (192.168.1.3).
// NOTE(review): lpBuf is dereferenced without a NULL or BufLen check
// (InputBuffer is OPTIONAL at the caller); OutBufLen is unsigned, so
// OutBufLen == 0 makes `OutBufLen-1` wrap and the loop run off the buffer;
// and a 4-byte read at i <= OutBufLen-2 can cross the end by up to 3 bytes.
VOID DebugBuffer(IN PVOID lpBuf, IN ULONG BufLen, IN PVOID lpOutBuf, IN ULONG OutBufLen)
{
    ULONG i;
    TDIObjectID *TdiObj = (PTDIObjectID)lpBuf;
    //KdPrint(("%08x,%08x,%08x,%08x,%08x", TdiObj->toi_type, TdiObj->toi_class, TdiObj->toi_id, BufLen, OutBufLen));
    if (0x102 == TdiObj->toi_id)
    {
        //ipconfig use it to get ip!
        //KdPrint(("OutBuf Len [%08x]", OutBufLen));
        for(i=0; i<OutBufLen-1; i+=4)
        {
            if (0x0201a8c0 == *(PULONG)((PBYTE)lpOutBuf + i))
            {
                *(PULONG)((PBYTE)lpOutBuf + i) = 0x0301a8c0;
            }
            //KdPrint(("[%d]%08x", i>>2, *(PULONG)((PBYTE)lpOutBuf + i)));
        }
    }
}
|
13楼#
发布于:2007-09-13 11:07
谢谢!谢谢
还是大哥好,我马上去调试下。。。 |
14楼#
发布于:2007-09-13 11:16
_emit 0x90;//16
_emit 0x90;//17 _emit 0x90;//18 _emit 0x90;//18 _emit 0x90;//20 _emit 0x90;//21 _emit 0x90;//22 _emit 0x90;//23 ???这段不理解啊,为什么要加这么多的NOP指令呢???
15楼#
发布于:2007-09-13 11:20
上面的那个是FREE版本,在DBG版本下CALL KDPRINT会有问题,要先保护一下环境
// Checked-build variant of the NtQueryValueKey detour from the earlier
// listing: same entry via the far jmp at target+15, same re-push of the six
// arguments and the same 23-byte NOP sled that DriverEntry overwrites with the
// displaced instructions.  What is added is a pushfd/pushad around the C code
// so that KdPrint cannot clobber registers the interrupted target still needs,
// plus a guard on ValueName before formatting it with %wZ.
__declspec(naked) NTAPI HOOKQueryValueKey(IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Lenth,
    OUT PULONG ResultLength )
{
    _asm
    {
        //first execute the overwritten 7 BYTES
        //int 3;
        //NOTE(review): assumes the 15 displaced bytes left exactly one
        //extra dword on the stack -- valid only for one kernel build
        add esp, 4;
        pushfd;
        push ResultLength;
        push Lenth;
        push KeyValueInformation;
        push KeyValueInformationClass;
        push ValueName;
        push KeyHandle;
        jmp forwArd;
    bAck:
        //.........15bytes: NOP sled, overwritten at load with the 15 + 8
        //displaced bytes of the target
        _emit 0x90;//1
        _emit 0x90;//2
        _emit 0x90;//3
        _emit 0x90;//4
        _emit 0x90;//5
        _emit 0x90;//6
        _emit 0x90;//7
        _emit 0x90;//8
        _emit 0x90;//9
        _emit 0x90;//10
        _emit 0x90;//11
        _emit 0x90;//12
        _emit 0x90;//13
        _emit 0x90;//14
        _emit 0x90;//15
        _emit 0x90;//16
        _emit 0x90;//17
        _emit 0x90;//18
        _emit 0x90;//19
        _emit 0x90;//20
        _emit 0x90;//21
        _emit 0x90;//22
        _emit 0x90;//23
        //......... far jmp 0008:<offset>; offset patched by DriverEntry to target+23
        _emit 0xEA;
        _emit 0x90;
        _emit 0x90;
        _emit 0x90;
        _emit 0x90;
        _emit 0x08;
        _emit 0x00;
    forwArd:
        call bAck;
        //save flags and all general registers before running C code
        pushfd
        pushad
    }
    //process the result
    if (ValueName && (ValueName->Length >0))
    {
        KdPrint(("%08x, %08x, %08x, %wZ\n", KeyHandle, Lenth, ResultLength, ValueName));
    }
    _asm
    {
        popad
        popfd;
        //NOTE(review): the pushfd issued before the argument pushes has no
        //matching popfd; `mov esp, ebp` discards it with the arguments
        mov esp, ebp;
        pop ebp;
        ret;
    }
}
必须拷贝15+8条指令,前面是原有指令后面是等同于你自己PATCH 的指令. |
16楼#
发布于:2007-09-13 11:24
哦 !我明白了
17楼#
发布于:2007-09-13 11:27
关键是必须拷贝15+8条指令,前面是原有指令后面是等同于你自己PATCH 的指令
否则跳转到我的HOOKQueryValueKey, 又会继续Jmp到我的HOOKQueryValueKey,因为我把后面的API 7个字节改为JMP了 难怪有时候会死循环哦!
18楼#
发布于:2007-09-13 11:29
谢谢wowowowocock,小弟刚从VB6转行过来
19楼#
发布于:2007-09-13 11:54
流氓软件用XX和XX已经没用了
建议你至少再往下HOOK再深3层以上,,这样才能躲过新的360 scan enginer~ |