看流星社区

 找回密码
 注册账号
查看: 2171|回复: 0

内核态下基于动态感染技术的应用程序执行保护(三 获取SSDT)

[复制链接]

该用户从未签到

发表于 2017-6-1 17:26:36 | 显示全部楼层 |阅读模式
imageheaderstringdoshookfile


(转载请注明博客地址:http://blog.csdn.net/hitetoshi)

前面我们经常提到SSDT,那么什么是SSDT呢?SSDT(SystemServices Descriptor Table):系统服务描述符表。要对它有清楚的认识,我们先以用户态下调用CreateThread来举个例子。

如果你有兴趣,可以用OllyDbg在CreateThread上下断点,你会发现,经过一些简单的处理,CreateThread会调用CreateRemoteThread,按F7进入CreateRemoteThread,再经过一段跟踪,会发现CreateRemoteThread实际上又调用ZwCreateThread,再按F7跟踪进去,ZwCreateThread的代码非常简单:

7C92D1AE > B8 35000000 MOV EAX,35

7C92D1B3 BA 0003FE7F MOVEDX,7FFE0300

7C92D1B8 FF12 CALL DWORD PTR DS:[EDX]

7C92D1BA C2 2000 RETN 20

注意MOV EDX,7FFE0300/CALL DWORD PTRDS:[EDX]这两条指令,从OD上可以看到,这实际上是调用ntdll.dll中的KiFastSystemCall,KiFastSystemCall的代码也很简单:

7C92E510 > 8BD4 MOV EDX,ESP

7C92E512 0F34 SYSENTER

7C92E514 > C3 RETN

如果这时候你再用F7一步一步的跟,你会发现,到SYSENTER这条指令时,OllyDbg无法跟踪进去,而当这条指令执行完时,实际上ZwCreateThread的功能已经执行完成――用户态的一切玄机似乎都在SYSENTER这条指令上。SYSENTER指令在用户态下向内核态发起系统调用,此时代码切换到内核,因此OllyDbg这样的用户态调试器是无法调试的。和KiFastSystemCall类似,ntdll.dll中也有一个KiIntSystemCall。PII以前的处理器并不支持SYSENTER这条指令,因此KiIntSystemCall以一条INT
2E指令切换到内核。

SYSENTER进入内核的KiFastCallEntry(该函数没有被ntoskrnl.exe导出,你可能需要下载ntoskrnl.exe的Symbol才能看到它),KiFastCallEntry大致进行的工作就是按照SSDT表找到对应服务函数的地址,并转入到服务函数,即内核NtCreateThread中去。SSDT包含在一个叫SDT(服务描述表)的结构中,SDT由ntoskrnl.exe(某些系统下可能不是这个文件名,例如多核处理器下可能是ntkrnlpa.exe,但为简便起见,下文都用ntoskrnl.exe来表述)以KeServiceDescriptorTable为名称导出,SDT的定义如下:

ServiceDescriptorEntry STRUCT

pvSSDTBase dd ? ;SSDT基地址

pvServiceCounterTable dd ? ;SSDT中每个服务被调用次数的表

ulNumberOfServices dd ? ;描述的服务的数目

pvParamTableBase dd ? ;每个系统服务参数的字节数的表

ServiceDescriptorEntry ENDS

我们可以在LiveKd中用d nt!KeServiceDescriptorTable来观察内核中这个结构的数据:




可见系统中有0x11C个SSDT项,基地址为0x80505480,我们来看看SSDT表的内容,用d 80505480命令:




从0x80505480开始,存放每个系统服务项的函数地址,那么怎么确定内核NtCreateThread的地址呢?答案就在用户态下ZwCreateThread的mov eax,0x35这条指令,它指明了NtCreateThread在SSDT中是第0x35项,计算一下0x80505480+0x35*4=0x80505554,看一看:




大约NtCreateThread应该在0x805D2018这个地址,用u nt!NtCreateThread命令看一下:




正是这个地址!(大家肯定会比较奇怪NtCreateThread的第一条指令怎么会是Jmp,我也是今天写这篇稳当时才发现我的NtCreateThread居然被Inline hook了!NND!一看模块,IsDrv122.sys,原来是开着冰刃……)。

出了冰刃这个事件也好,也就是我想跟大家说的Hook SSDT,刚才大家已经看到,冰刃对SSDT的NtCreateThread做了Inline hook,我曾经说过,我极不推荐做Inline hook,除非你技术实力非常强大。原因我会在后面的文章介绍。这里我们有一个思路,如果把0x80505554这个地址的内容替换了,换成我们的函数,不是一样达到HookNtCreateThread的效果了吗?这就是SSDT Hook。在SSDT上做Hook或者是InlineHook是非常强大的,因为用户态上所有CreateThread的调用最终都会进入这个函数。很多杀毒软件会Hook
SSDT的这个位置,用来监视是否有进程试图用CreateRemoteThread向其它进程启动远程线程,这是防止远程线程的一个很有效的方法。不过我们Hook NtCreateThread的目的不是这个,我前面已经说了,我们要用它来监视进程的创建,并向进程中注入代码。

今天的这篇文章我并不会完成Hook SSDT的代码,因为在我们的内核程序中还有很多事情要做:获取NtCreateThread的服务序号、获取保存NtCreateThread地址的位置以及获取NtCreateThread的地址。

我们在上次的DynamicHook.asm的DriverEntry中加一些代码(红色部分是新加的代码):

DriverEntry proc pDriverObjectDRIVER_OBJECT,pusRegistryPathUNICODE_STRING

local status:NTSTATUS

local pDeviceObjectDEVICE_OBJECT



mov status,STATUS_DEVICE_CONFIGURATION_ERROR



invoke IoCreateDevice,pDriverObject,0,addrg_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject

.if eax==STATUS_SUCCESS

invoke IoCreateSymbolicLink,addrg_usSymbolicLinkName,addr g_usDeviceName

.if eax==STATUS_SUCCESS



mov eax,pDriverObject

assume eax:ptr DRIVER_OBJECT

mov [eax].DriverUnload,offset DriverUnload

mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offsetDispatchCreateClose

mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offsetDispatchCreateClose



invoke DbgPrint,$CTA0("Driver entry")



invoke HookNtCreateThread

NT_SUCCESS eax

.if eax

invoke DbgPrint,$CTA0("Hook success")

mov status,STATUS_SUCCESS

.else

invoke DbgPrint,$CTA0("Hook failure")

.endif



assume eax:nothing

.else

invoke IoDeleteDevice,pDeviceObject

.endif

.endif

@@:

mov eax,status

ret

DriverEntry endp



在.const节中加入:

CCOUNTED_UNICODE_STRING "NtCreateThread",g_usNtCreateThread,4

完成HookNtCreateThread函数:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

HookNtCreateThread proc

local dwNtCreateThreadIndex

local dwNtCreateThreadAddress

local status:NTSTATUS



mov status,STATUS_UNSUCCESSFUL



;获取NtCreateThread服务序号

invoke GetSysCallIndex,addrg_usNtCreateThread

.if eax

mov dwNtCreateThreadIndex,eax



;获取NtCreteThread在内核中的地址

invoke GetSSDTOrigValue,dwNtCreateThreadIndex

.if eax

mov dwNtCreateThreadAddress,eax

invoke DbgPrint,$CTA0("NtCreateThreadindex:%08X,address:%08X"),dwNtCreateThreadIndex,dwNtCreateThreadAddress

mov status,STATUS_SUCCESS

.endif

.endif



mov eax,status



ret

HookNtCreateThread endp



为了完成GetSysCallIndex和GetSSDTOrigValue这两个函数,我增加了PEFile.asm和SSDT.asm两个文件以及对应的PEFile.inc、SSDT.inc和DyanmicHook.inc,你把这些文件加入进去时,注意要向上次那样设置PEFile.asm和SSDT.asm的汇编选项,设置各个文件的依赖项(自己看include去设置,就不详述了)。先把这五个文件的内容贴出来:

EFile.asm



.386

.model flat,stdcall

option casemap:none



include ntddk.inc

include native.inc

include hal.inc

include ntoskrnl.inc

include strings.mac



include DynamicHook.inc

include PEFile.inc



.code

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetAlignedSize proc uses edx ecx dwSize,dwAlignment



xor edx,edx

mov eax,dwSize

mov ecx,dwAlignment

div ecx

.if edx==0

mov eax,dwSize

.else

inc eax

mul dwAlignment

.endif

ret

GetAlignedSize endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetTotalImageSize proc uses edi edx ecx pDosHeaderIMAGE_DOS_HEADER,pNtHeadersIMAGE_NT_HEADERS

local dwResultWORD

local dwAlignmentWORD

local dwSectionsWORD



and dwResult,0

mov edi,pNtHeaders

assume edi:ptrIMAGE_NT_HEADERS

M2M dwAlignment,[edi].OptionalHeader.SectionAlignment

xor edx,edx

mov eax,[edi].OptionalHeader.SizeOfHeaders

mov ecx,dwAlignment

div ecx

.if edx==0

mov eax,[edi].OptionalHeader.SizeOfHeaders

add dwResult,eax

.else

inc eax

mul dwAlignment

add dwResult,eax

.endif

mov edi,pNtHeaders

assume edi:ptrIMAGE_NT_HEADERS



movzx eax,[edi].FileHeader.NumberOfSections

mov dwSections,eax

add edi,sizeofIMAGE_NT_HEADERS

assume edi:ptrIMAGE_SECTION_HEADER

xor edx,edx

.while edx<dwSections

push edx

mov eax,[edi].Misc.VirtualSize

.if eax

xor edx,edx

mov ecx,dwAlignment

div ecx

.if edx==0

mov eax,[edi].Misc.VirtualSize

add dwResult,eax

.else

inc eax

mul dwAlignment

add dwResult,eax

.endif

.endif

pop edx

add edi,sizeofIMAGE_SECTION_HEADER

inc edx

.endw

assume edi:nothing

mov eax,dwResult

ret

GetTotalImageSize endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetPEInfo proc uses edi esi pBaseVOID,ppDosHeader:ptr PIMAGE_DOS_HEADER,ppNtHeaders:ptrPIMAGE_NT_HEADERS

local status:NTSTATUS



mov status,STATUS_UNSUCCESSFUL

mov edi,pBase

assume edi:ptrIMAGE_DOS_HEADER

.if [edi].e_magic!=IMAGE_DOS_SIGNATURE

jmp @F

.endif

mov esi,ppDosHeader

.if esi

mov dwordptr [esi],edi

.endif

add edi,[edi].e_lfanew

assume edi:ptrIMAGE_NT_HEADERS

.if [edi].Signature!=IMAGE_NT_SIGNATURE

jmp @F

.endif

mov esi,ppNtHeaders

.if esi

mov dwordptr [esi],edi

.endif



mov status,STATUS_SUCCESS

@@:

mov eax,status

ret

GetPEInfo endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

KLoadPEFile proc uses edi esi pBaseAddressVOID,pLoadAddressVOID

local status:NTSTATUS

local pDosHeaderIMAGE_DOS_HEADER

local pNtHeadersIMAGE_NT_HEADERS

local pPtr:PVOID

local dwSectionsWORD

local dwAlignmentWORD



mov status,STATUS_UNSUCCESSFUL

invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

mov status,STATUS_INVALID_LEVEL

jmp @F

.endif

M2M pPtr,pLoadAddress



invoke GetPEInfo,pBaseAddress,addrpDosHeader,addr pNtHeaders

.if eax==STATUS_SUCCESS

mov edi,pNtHeaders

assume edi:ptrIMAGE_NT_HEADERS

invoke memcpy,pPtr,pBaseAddress,[edi].OptionalHeader.SizeOfHeaders

M2M dwAlignment,[edi].OptionalHeader.SectionAlignment

invoke GetAlignedSize,[edi].OptionalHeader.SizeOfHeaders,dwAlignment

add pPtr,eax



movzx eax,[edi].FileHeader.NumberOfSections

mov dwSections,eax

add edi,sizeofIMAGE_NT_HEADERS

assume edi:ptrIMAGE_SECTION_HEADER

xor edx,edx

.while edx<dwSections

push edx



mov eax,[edi].SizeOfRawData

.if eax>0

.if eax>[edi].Misc.VirtualSize

mov eax,[edi].Misc.VirtualSize

.endif

mov esi,pBaseAddress

add esi,[edi].PointerToRawData

invoke memcpy,pPtr,esi,eax

invoke GetAlignedSize,[edi].Misc.VirtualSize,dwAlignment

add pPtr,eax

.endif



pop edx

add edi,sizeof IMAGE_SECTION_HEADER

inc edx

.endw

mov status,STATUS_SUCCESS

assume edi:nothing

.endif

@@:

mov eax,status

ret

KLoadPEFile endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;装载PE文件到内存并对齐

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

KLoadLibrary proc pusFileName:PUNICODE_STRING

local oa:OBJECT_ATTRIBUTES

local iosb:IO_STATUS_BLOCK

local hFile:HANDLE

local dwFileSizeWORD

local fsi:FILE_STANDARD_INFORMATION

local pFile:PVOID

local pDosHeader:PIMAGE_DOS_HEADER

local pNtHeaders:PIMAGE_NT_HEADERS

local dwImageSize

local pImage:PVOID





and pImage,0

invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

jmp @F

.endif



InitializeObjectAttributes addr oa,pusFileName,OBJ_CASE_INSENSITIVE orOBJ_KERNEL_HANDLE,NULL,NULL

invoke ZwOpenFile,addrhFile,FILE_READ_DATA or FILE_EXECUTE or SYNCHRONIZE,addr oa,addriosb,FILE_SHARE_READ,FILE_SYNCHRONOUS_IO_NONALERT

NT_SUCCESS eax

.if eax

invoke RtlZeroMemory,addrfsi,sizeof fsi

invoke ZwQueryInformationFile,hFile,addriosb,addr fsi,sizeof fsi,FileStandardInformation

NT_SUCCESS eax

.if eax

M2M dwFileSize,fsi.EndOfFile.LowPart

;分配内存

invoke ExAllocatePool,PagedPool,dwFileSize

.if eax

mov pFile,eax

invoke ZwReadFile,hFile,0,NULL,NULL,addr iosb,pFile,dwFileSize,0,NULL

NT_SUCCESS eax

.if eax

invoke GetPEInfo,pFile,addr pDosHeader,addrpNtHeaders

.if eax==STATUS_SUCCESS

invoke GetTotalImageSize,pDosHeader,pNtHeaders

.if eax

mov dwImageSize,eax

invoke ExAllocatePool,PagedPool,dwImageSize

.if eax

mov pImage,eax

invoke KLoadPEFile,pFile,pImage

.if eax!=STATUS_SUCCESS

invoke ExFreePool,pImage

and pImage,0

.endif

.endif

.endif

.endif

.endif

invoke ExFreePool,pFile

.endif

.endif



invoke ZwClose,hFile

.endif

@@:

mov eax,pImage

ret

KLoadLibrary endp



;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetPEImageBase proc uses edi pBaseAddress:PVOID

local dwReturnWORD



and dwReturn,0



mov edi,pBaseAddress

assume edi:ptrIMAGE_DOS_HEADER

.if [edi].e_magic!=IMAGE_DOS_SIGNATURE

jmp @F

.endif

add edi,[edi].e_lfanew

assume edi:ptrIMAGE_NT_HEADERS

.if [edi].Signature!=IMAGE_NT_SIGNATURE

jmp @F

.endif

M2M dwReturn,[edi].OptionalHeader.ImageBase

assume edi:nothing

@@:

mov eax,dwReturn

ret

GetPEImageBase endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetFuncInfoByName proc uses esi edi ecx pusFuncName:PUNICODE_STRING,pBaseAddress:PVOID,pOrdinal:PDWORD

local dwAddress

local lpAddressOfNames

local lpAddressOfNameOrdinals

local dwIndex

local usExportFunctionName:UNICODE_STRING

local ansExportFunctionName:ANSI_STRING



xor eax,eax

mov dwAddress,eax

mov esi,pOrdinal

.if esi

mov dwordptr [esi],0

.endif



invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

jmp _RETURN

.endif



mov esi,pBaseAddress

assume esi:ptrIMAGE_DOS_HEADER

add esi,[esi].e_lfanew

assume esi:ptrIMAGE_NT_HEADERS

mov eax,[esi].OptionalHeader.DataDirectory.VirtualAddress

.if !eax

jmp _RETURN

.endif

add eax,pBaseAddress

mov edi,eax

assume edi:ptrIMAGE_EXPORT_DIRECTORY



mov eax,[edi].AddressOfNames

add eax,pBaseAddress

mov lpAddressOfNames,eax

mov eax,[edi].AddressOfNameOrdinals

add eax,pBaseAddress

mov lpAddressOfNameOrdinals,eax

mov eax,[edi].AddressOfFunctions

add eax,pBaseAddress

mov esi,eax

mov ecx,[edi].NumberOfFunctions

mov dwIndex,0

@@:

pushad

mov eax,dwIndex

push edi

mov ecx,[edi].NumberOfNames

cld

mov edi,lpAddressOfNameOrdinals

repnz scasw

.if ZERO?

sub edi,lpAddressOfNameOrdinals

sub edi,2

shl edi,1

add edi,lpAddressOfNames

mov eax,dwordptr [edi]

add eax,pBaseAddress



invoke RtlInitAnsiString,addransExportFunctionName,eax

invoke RtlAnsiStringToUnicodeString,addrusExportFunctionName,addr ansExportFunctionName,TRUE

invoke RtlCompareUnicodeString,addrusExportFunctionName,pusFuncName,FALSE

push eax

invoke RtlFreeUnicodeString,addrusExportFunctionName

pop eax

.if eax==0

M2M dwAddress,dwordptr [esi]

pop edi

mov esi,pOrdinal

.if esi

mov ecx,dwIndex

add ecx,[edi].nBase

mov dword ptr [esi],ecx

.endif

popad

jmp _RETURN

.endif

.endif



pop edi

popad

add esi,4

inc dwIndex

loop @B



_RETURN:

assume esi:nothing

mov eax,dwAddress

ret

GetFuncInfoByName endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;获取DLL导出函数信息

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetFunctionInformation proc uses esi edi pusFuncName:PUNICODE_STRING,pusDllName:PUNICODE_STRING,pFuncInfo:PFUNCTION_INFORMATION

local status:NTSTATUS

local pBaseAddress:PVOID



xor eax,eax

mov pBaseAddress,eax

mov status,STATUS_UNSUCCESSFUL



invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

mov status,STATUS_INVALID_LEVEL

jmp @F

.endif





invoke KLoadLibrary,pusDllName

.if eax

mov pBaseAddress,eax

mov esi,pFuncInfo

assume esi:ptrFUNCTION_INFORMATION

lea edi,[esi].dwOridnal

invoke GetFuncInfoByName,pusFuncName,pBaseAddress,edi

.if eax

lea edi,[esi].dwAddress

mov dword ptr [edi],eax

lea edi,[esi].byEntryCode

mov esi,[esi].dwAddress

add esi,pBaseAddress

invoke memcpy,edi,esi,16

mov status,STATUS_SUCCESS

.else

mov status,STATUS_UNSUCCESSFUL

.endif

invoke ExFreePool,pBaseAddress

assume esi:nothing

.endif

@@:

mov eax,status

ret

GetFunctionInformation endp



end





;SSDT.asm

.386

.model flat,stdcall

option casemap:none



include ntddk.inc

include native.inc

include ntoskrnl.inc

include hal.inc

include strings.mac



includePEFile.inc

include DynamicHook.inc

include SSDT.inc



.const

CCOUNTED_UNICODE_STRING "\\Systemroot\\System32\\ntdll.dll",g_usntdllFileName,4

CCOUNTED_UNICODE_STRING "KeServiceDescriptorTable",g_usKeServiceDescriptorTable,4



.code

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;获取内核文件名

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetKernel proc uses edi pusFileName:PUNICODE_STRING

local dwLengthWORD

local dwAddressWORD

local pBuffer

local szFileName[260]:byte

local ansFileName:ANSI_STRING

local dwBaseWORD



and dwLength,0

and pBuffer,0

and dwAddress,0

invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

jmp @F

.endif



invoke ZwQuerySystemInformation,SystemModuleInformation,NULL,0,addrdwLength

.if dwLength

invoke ExAllocatePool,PagedPool,dwLength

.if eax

mov pBuffer,eax

invoke ZwQuerySystemInformation,SystemModuleInformation,pBuffer,dwLength,addrdwLength

NT_SUCCESS eax

.if eax

mov eax,pBuffer

add eax,4

assume eax:ptr SYSTEM_MODULE_INFORMATION

M2M dwBase,[eax].Base

lea edi,[eax].ImageName

movzx eax,[eax].ModuleNameOffset

add edi,eax

assume eax:nothing

invoke RtlZeroMemory,addr szFileName,260

invoke strcpy,addr szFileName,$CTA0("\\Systemroot\\System32\\")

invoke strcat,addr szFileName,edi

invoke RtlInitAnsiString,addr ansFileName,addr szFileName

.if pusFileName!=NULL

invoke RtlAnsiStringToUnicodeString,pusFileName,addransFileName,TRUE

M2M dwAddress,dwBase

.endif

.endif

invoke ExFreePool,pBuffer

.endif

.endif

@@:

mov eax,dwAddress

ret

GetKernel endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

FindKiServiceTableEx proc uses ecx edi esi edx hModule,dwKSDT

local dwReturn:DWORD

local bFirstChunk:BOOL

local dwCount:DWORD

local dwFixups:DWORD

local dwImageBase:DWORD



and dwReturn,0

and dwFixups,0



mov edi,hModule

assume edi:ptrIMAGE_DOS_HEADER

.if [edi].e_magic!=IMAGE_DOS_SIGNATURE

jmp @F

.endif

add edi,[edi].e_lfanew

assume edi:ptrIMAGE_NT_HEADERS

.if [edi].Signature!=IMAGE_NT_SIGNATURE

jmp @F

.endif

push [edi].OptionalHeader.ImageBase

pop dwImageBase

mov eax,[edi].OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC*sizeofIMAGE_DATA_DIRECTORY].VirtualAddress

movzx ecx,[edi].FileHeader.Characteristics

and ecx,IMAGE_FILE_RELOCS_STRIPPED

.if (eax)&amp;&amp; !(ecx)

mov edi,hModule

add edi,eax

assume edi:ptrIMAGE_BASE_RELOCATION

mov bFirstChunk,TRUE

.while bFirstChunk|| [edi].VirtualAddress

mov bFirstChunk,FALSE

mov esi,edi

add esi,sizeof IMAGE_BASE_RELOCATION

assume esi:ptr IMAGE_FIXUP_ENTRY

mov edx,[edi].SizeOfBlock

sub edx,sizeof IMAGE_BASE_RELOCATION

ror edx,1

mov dwCount,edx

xor edx,edx

.while edx<dwCount

push edx



mov ax,word ptr [esi]

and ax,0F000h

ror ax,12

.if ax==IMAGE_REL_BASED_HIGHLOW

inc dwFixups



mov ax,word ptr [esi]

and ax,0FFFh

movzx eax,ax

add eax,[edi].VirtualAddress

add eax,hModule

mov ecx,eax

mov eax,dword ptr [eax]

sub eax,dwImageBase

.if eax==dwKSDT

mov eax,ecx

sub eax,2

mov ax,word ptr [eax]

.if ax==5C7h

mov eax,ecx

add eax,4

mov eax,dword ptr [eax]

sub eax,dwImageBase

mov dwReturn,eax

jmp @F

.endif

.endif

.endif



pop edx

inc edx

add esi,sizeof WORD

.endw

add edi,[edi].SizeOfBlock

assume esi:nothing

.endw

.endif

assume edi:nothing

@@:

mov eax,dwReturn

ret

FindKiServiceTableEx endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;获取SSDT原始&#20540;

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetSSDTOrigValue proc uses edi dwIndex

local dwReturn:DWORD

local usKernelFileName:UNICODE_STRING

local dwKernelBase:DWORD

local pBaseAddress:PVOID

local dwImageBase:DWORD



xor eax,eax

mov dwReturn,eax

mov pBaseAddress,eax

mov dwKernelBase,eax



invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

jmp @F

.endif

invoke GetKernel,addrusKernelFileName

.if eax

mov dwKernelBase,eax

;映射PE文件



invoke KLoadLibrary,addrusKernelFileName

.if eax

mov pBaseAddress,eax

invoke GetPEImageBase,pBaseAddress

.if eax

mov dwImageBase,eax

invoke GetFuncInfoByName,addrg_usKeServiceDescriptorTable,pBaseAddress,NULL

.if eax

invoke FindKiServiceTableEx,pBaseAddress,eax

.if eax

add eax,pBaseAddress

mov edi,eax

mov eax,dwIndex

rol eax,2

add edi,eax

mov eax,dword ptr [edi]

sub eax,dwImageBase

add eax,dwKernelBase

mov dwReturn,eax

.endif

.endif

.endif

invoke ExFreePool,pBaseAddress

.endif



invoke RtlFreeUnicodeString,addrusKernelFileName

.endif



@@:

mov eax,dwReturn

ret

GetSSDTOrigValue endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;获取函数的Service Index

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetSysCallIndex proc pusFuncName:PUNICODE_STRING

local FuncInfo:FUNCTION_INFORMATION



invoke GetFunctionInformation,pusFuncName,addrg_usntdllFileName,addr FuncInfo

.if eax==STATUS_SUCCESS

lea eax,FuncInfo.byEntryCode

.if byteptr [eax]==0B8h

inc eax

mov eax,dword ptr [eax]

ret

.endif

.endif

xor eax,eax

ret

GetSysCallIndex endp



end





;SSDT.inc

IFNDEF __SSDT_INC__

__SSDT_INC__ equ <1>



ServiceDescriptorEntry STRUCT

pvSSDTBase dd ?

pvServiceCounterTable dd ?

ulNumberOfServices dd ?

pvParamTableBase dd ?

ServiceDescriptorEntry ENDS



GetSysCallIndex proto :PUNICODE_STRING

GetSSDTOrigValue proto :DWORD

GetKernel proto :PUNICODE_STRING



ENDIF



EFile.inc

IFNDEF __PEFILE_INC__

__PEFILE_INC__ equ <1>



FUNCTION_INFORMATION STRUCT

byEntryCode db 16 dup (?) ;前16字节

dwOridnal dd ?

dwAddress dd ?

FUNCTION_INFORMATION ENDS



PFUNCTION_INFORMATION typedef ptr FUNCTION_INFORMATION





IMAGE_DOS_SIGNATURE equ 5A4Dh

IMAGE_NT_SIGNATURE equ 00004550h

IMAGE_SIZEOF_SHORT_NAME equ 8

IMAGE_FILE_RELOCS_STRIPPED equ 0001h

IMAGE_REL_BASED_HIGHLOW equ 3



IMAGE_DIRECTORY_ENTRY_EXPORT equ 0

IMAGE_DIRECTORY_ENTRY_BASERELOC equ 5

IMAGE_NUMBEROF_DIRECTORY_ENTRIES equ 16



IMAGE_DOS_HEADERSTRUCT

e_magic WORD ?

e_cblp WORD ?

e_cp WORD ?

e_crlc WORD ?

e_cparhdr WORD ?

e_minalloc WORD ?

e_maxalloc WORD ?

e_ss WORD ?

e_sp WORD ?

e_csum WORD ?

e_ip WORD ?

e_cs WORD ?

e_lfarlc WORD ?

e_ovno WORD ?

e_res WORD 4 dup(?)

e_oemid WORD ?

e_oeminfo WORD ?

e_res2 WORD 10 dup(?)

e_lfanew DWORD ?

IMAGE_DOS_HEADERENDS



PIMAGE_DOS_HEADER typedef ptr IMAGE_DOS_HEADER



IMAGE_DATA_DIRECTORYSTRUCT

VirtualAddress DWORD ?

isize DWORD ?

IMAGE_DATA_DIRECTORYENDS



IMAGE_OPTIONAL_HEADER32STRUCT

Magic WORD ?

MajorLinkerVersion BYTE ?

MinorLinkerVersion BYTE ?

SizeOfCode DWORD ?

SizeOfInitializedData DWORD ?

SizeOfUninitializedData DWORD ?

AddressOfEntryPoint DWORD ?

BaseOfCode DWORD ?

BaseOfData DWORD ?

ImageBase DWORD ?

SectionAlignment DWORD ?

FileAlignment DWORD ?

MajorOperatingSystemVersion WORD ?

MinorOperatingSystemVersion WORD ?

MajorImageVersion WORD ?

MinorImageVersion WORD ?

MajorSubsystemVersion WORD ?

MinorSubsystemVersion WORD ?

Win32VersionValue DWORD ?

SizeOfImage DWORD ?

SizeOfHeaders DWORD ?

CheckSum DWORD ?

Subsystem WORD ?

DllCharacteristics WORD ?

SizeOfStackReserve DWORD ?

SizeOfStackCommit DWORD ?

SizeOfHeapReserve DWORD ?

SizeOfHeapCommit DWORD ?

LoaderFlags DWORD ?

NumberOfRvaAndSizes DWORD ?

DataDirectory IMAGE_DATA_DIRECTORYIMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)

IMAGE_OPTIONAL_HEADER32ENDS



IMAGE_OPTIONAL_HEADER equ <IMAGE_OPTIONAL_HEADER32>

PIMAGE_OPTIONAL_HEADER typedef ptr IMAGE_OPTIONAL_HEADER



IMAGE_EXPORT_DIRECTORYSTRUCT

Characteristics DWORD ?

TimeDateStamp DWORD ?

MajorVersion WORD ?

MinorVersion WORD ?

nName DWORD ?

nBase DWORD ?

NumberOfFunctions DWORD ?

NumberOfNames DWORD ?

AddressOfFunctions DWORD ?

AddressOfNames DWORD ?

AddressOfNameOrdinals DWORD ?

IMAGE_EXPORT_DIRECTORYENDS



IMAGE_FILE_HEADERSTRUCT

Machine WORD ?

NumberOfSections WORD ?

TimeDateStamp DWORD ?

PointerToSymbolTable DWORD ?

NumberOfSymbols DWORD ?

SizeOfOptionalHeader WORD ?

Characteristics WORD ?

IMAGE_FILE_HEADERENDS



IMAGE_NT_HEADERSSTRUCT

Signature DWORD ?

FileHeader IMAGE_FILE_HEADER <>

OptionalHeader IMAGE_OPTIONAL_HEADER32 <>

IMAGE_NT_HEADERSENDS



PIMAGE_NT_HEADERS typedef ptr IMAGE_NT_HEADERS



IMAGE_SECTION_HEADERSTRUCT

Name1 db IMAGE_SIZEOF_SHORT_NAME dup(?)

union Misc

PhysicalAddress dd ?

VirtualSize dd ?

ends

VirtualAddress dd ?

SizeOfRawData dd ?

PointerToRawData dd ?

PointerToRelocations dd ?

PointerToLinenumbers dd ?

NumberOfRelocations dw ?

NumberOfLinenumbers dw ?

Characteristics dd ?

IMAGE_SECTION_HEADERENDS



PIMAGE_SECTION_HEADER typedef ptr IMAGE_SECTION_HEADER



IMAGE_BASE_RELOCATIONSTRUCT

VirtualAddress dd ?

SizeOfBlock dd ?

IMAGE_BASE_RELOCATIONENDS



PIMAGE_BASE_RELOCATION typedef ptr IMAGE_BASE_RELOCATION



GetFunctionInformation proto :PUNICODE_STRING,:PUNICODE_STRING,:PFUNCTION_INFORMATION

GetFuncInfoByName proto :PUNICODE_STRING,:PVOID,:PDWORD

GetPEImageBase proto :PVOID

GetPEImageLength proto :PUNICODE_STRING

KLoadLibrary proto :PUNICODE_STRING



ENDIF



;SSDT.inc



;DyanmicHook.inc



IFNDEF __DYNAMICHOOK_INC__

__DYNAMICHOOK_INC__ equ <1>





OPEN_EXISTING equ 3

INVALID_HANDLE_VALUE equ -1

FILE_MAP_READ equ SECTION_MAP_READ

MAX_PATH equ 260



M2M macro M1,M2

push M2

pop M1

ENDM



NT_SUCCESS macro status

mov eax,status

and eax,80000000h

.if eax

mov eax,FALSE

.else

mov eax,TRUE

.endif

ENDM



ENDIF



先贴代码,再来讲原理。根据我们刚才对SSDT的认识,要顺利找到SSDT的位置,首先要确定NtCreateThread的服务序号。不幸的是我尚未找到有效准确的获取方式。我唯一的思路是在ntdll.dll中找到ZwCreateThread,判断如果它的第一字节为0xB8(汇编代码MOV EAX,XXXXXXXX)那么它第二字节开始的双字就是其服务序号。用C语言描述应该是:SysCallIndex = *( (WORD*)((DWORD)GetProcAddress(ntdll,ZwCreateThread)+
1) );

为此,专门写了PEFile.asm这个文件,这个文件提供了一些函数:

GetFunctionInformation proto :PUNICODE_STRING,:PUNICODE_STRING,:PFUNCTION_INFORMATION

GetFuncInfoByName proto :PUNICODE_STRING,:PVOID,:PDWORD

GetPEImageBase proto :PVOID

GetPEImageLength proto :PUNICODE_STRING

KLoadLibrary proto :PUNICODE_STRING

其中,KLoadLibrary将PE文件按加载到内存中(不是读取到内存中,类似PE加载器一样按照PE结构中的描述对其进行加载,以便通过导出表分析导出函数在内存中的位置),其它几个函数就顾名思义了。这些函数的意思我就不再详细解释,因为这也是我3年前的代码,我也记不得太清楚。有了这几个函数,你就能够理解SSDT.asm中的GetSysCallIndex这个函数的原理。当然,我讲了这是我唯一的思路,也希望大家不吝赐教,把你知道的方法告诉我(你别说用0x35硬编码就行)

确定了NtCreateThread的服务序号,下面我们就要在SSDT中寻找NtCreateThread的存放位置以及原始的函数地址。其实这比获取服务序号简单多了,因为一切秘密都在KeDescriptorTable这个导出符号中。需要注意的是前面我们已经说了,并不是所有系统中内核文件名都叫ntoskrnl.exe,所以先用ZwQuerySystemInformation获取一下当前系统中的内核文件名,通过对导出符号KeDescriptorTable的分析,顺利获得NtCreateThread的真实地址。具体的代码在SSDT.asm中,函数比较少,看名字就懂意思,具体我也不详细解释了,再解释又扯得很远,而且这是我3年前的代码。

好了,打开DebugView,用KmdManager加载一下我们生成的内核程序:




与前面LiveKd看到的一样,貌似一切都很顺利。
这一章就讲完了,下一章我们就完成HookSSDT、UnHookSSDT这两个函数,我们把NtCreateThread函数Hook住,监视一下进程的创建,同时我在下一章告诉大家为什么我极不推荐普通人对SSDT使用Inline Hook,虽然它的功能更加强大!顺便希望大家检查下我的代码,谢谢。




分类: 技术--汇编

imageheaderstringdoshookfile


(转载请注明博客地址:http://blog.csdn.net/hitetoshi)

前面我们经常提到SSDT,那么什么是SSDT呢?SSDT(SystemServices Descriptor Table):系统服务描述符表。要对它有清楚的认识,我们先以用户态下调用CreateThread来举个例子。

如果你有兴趣,可以用OllyDbg在CreateThread上下断点,你会发现,经过一些简单的处理,CreateThread会调用CreateRemoteThread,按F7进入CreateRemoteThread,再经过一段跟踪,会发现CreateRemoteThread实际上又调用ZwCreateThread,再按F7跟踪进去,ZwCreateThread的代码非常简单:

7C92D1AE > B8 35000000 MOV EAX,35

7C92D1B3 BA 0003FE7F MOVEDX,7FFE0300

7C92D1B8 FF12 CALL DWORD PTR DS:[EDX]

7C92D1BA C2 2000 RETN 20

注意MOV EDX,7FFE0300/CALL DWORD PTRDS:[EDX]这两条指令,从OD上可以看到,这实际上是调用ntdll.dll中的KiFastSystemCall,KiFastSystemCall的代码也很简单:

7C92E510 > 8BD4 MOV EDX,ESP

7C92E512 0F34 SYSENTER

7C92E514 > C3 RETN

如果这时候你再用F7一步一步的跟,你会发现,到SYSENTER这条指令时,OllyDbg无法跟踪进去,而当这条指令执行完时,实际上ZwCreateThread的功能已经执行完成――用户态的一切玄机似乎都在SYSENTER这条指令上。SYSENTER指令在用户态下向内核态发起系统调用,此时代码切换到内核,因此OllyDbg这样的用户态调试器是无法调试的。和KiFastSystemCall类似,ntdll.dll中也有一个KiIntSystemCall。PII以前的处理器并不支持SYSENTER这条指令,因此KiIntSystemCall以一条INT
2E指令切换到内核。

SYSENTER进入内核的KiFastCallEntry(该函数没有被ntoskrnl.exe导出,你可能需要下载ntoskrnl.exe的Symbol才能看到它),KiFastCallEntry大致进行的工作就是按照SSDT表找到对应服务函数的地址,并转入到服务函数,即内核NtCreateThread中去。SSDT包含在一个叫SDT(服务描述表)的结构中,SDT由ntoskrnl.exe(某些系统下可能不是这个文件名,例如多核处理器下可能是ntkrnlpa.exe,但为简便起见,下文都用ntoskrnl.exe来表述)以KeServiceDescriptorTable为名称导出,SDT的定义如下:

ServiceDescriptorEntry STRUCT

pvSSDTBase dd ? ;SSDT基地址

pvServiceCounterTable dd ? ;SSDT中每个服务被调用次数的表

ulNumberOfServices dd ? ;描述的服务的数目

pvParamTableBase dd ? ;每个系统服务参数的字节数的表

ServiceDescriptorEntry ENDS

我们可以在LiveKd中用d nt!KeServiceDescriptorTable来观察内核中这个结构的数据:




可见系统中有0x11C个SSDT项,基地址为0x80505480,我们来看看SSDT表的内容,用d 80505480命令:




从0x80505480开始,存放每个系统服务项的函数地址,那么怎么确定内核NtCreateThread的地址呢?答案就在用户态下ZwCreateThread的mov eax,0x35这条指令,它指明了NtCreateThread在SSDT中是第0x35项,计算一下0x80505480+0x35*4=0x80505554,看一看:




大约NtCreateThread应该在0x805D2018这个地址,用u nt!NtCreateThread命令看一下:




正是这个地址!(大家肯定会比较奇怪NtCreateThread的第一条指令怎么会是Jmp,我也是今天写这篇稳当时才发现我的NtCreateThread居然被Inline hook了!NND!一看模块,IsDrv122.sys,原来是开着冰刃……)。

出了冰刃这个事件也好,也就是我想跟大家说的Hook SSDT,刚才大家已经看到,冰刃对SSDT的NtCreateThread做了Inline hook,我曾经说过,我极不推荐做Inline hook,除非你技术实力非常强大。原因我会在后面的文章介绍。这里我们有一个思路,如果把0x80505554这个地址的内容替换了,换成我们的函数,不是一样达到HookNtCreateThread的效果了吗?这就是SSDT Hook。在SSDT上做Hook或者是InlineHook是非常强大的,因为用户态上所有CreateThread的调用最终都会进入这个函数。很多杀毒软件会Hook
SSDT的这个位置,用来监视是否有进程试图用CreateRemoteThread向其它进程启动远程线程,这是防止远程线程的一个很有效的方法。不过我们Hook NtCreateThread的目的不是这个,我前面已经说了,我们要用它来监视进程的创建,并向进程中注入代码。

今天的这篇文章我并不会完成Hook SSDT的代码,因为在我们的内核程序中还有很多事情要做:获取NtCreateThread的服务序号、获取保存NtCreateThread地址的位置以及获取NtCreateThread的地址。

我们在上次的DynamicHook.asm的DriverEntry中加一些代码(红色部分是新加的代码):

DriverEntry proc pDriverObject:PDRIVER_OBJECT,pusRegistryPath:PUNICODE_STRING

local status:NTSTATUS

local pDeviceObject:PDEVICE_OBJECT



mov status,STATUS_DEVICE_CONFIGURATION_ERROR



invoke IoCreateDevice,pDriverObject,0,addrg_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject

.if eax==STATUS_SUCCESS

invoke IoCreateSymbolicLink,addrg_usSymbolicLinkName,addr g_usDeviceName

.if eax==STATUS_SUCCESS



mov eax,pDriverObject

assume eax:ptr DRIVER_OBJECT

mov [eax].DriverUnload,offset DriverUnload

mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offsetDispatchCreateClose

mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offsetDispatchCreateClose



invoke DbgPrint,$CTA0("Driver entry")



invoke HookNtCreateThread

NT_SUCCESS eax

.if eax

invoke DbgPrint,$CTA0("Hook success")

mov status,STATUS_SUCCESS

.else

invoke DbgPrint,$CTA0("Hook failure")

.endif



assume eax:nothing

.else

invoke IoDeleteDevice,pDeviceObject

.endif

.endif

@@:

mov eax,status

ret

DriverEntry endp



在.const节中加入:

CCOUNTED_UNICODE_STRING "NtCreateThread",g_usNtCreateThread,4

完成HookNtCreateThread函数:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

HookNtCreateThread proc

local dwNtCreateThreadIndex

local dwNtCreateThreadAddress

local status:NTSTATUS



mov status,STATUS_UNSUCCESSFUL



;获取NtCreateThread服务序号

invoke GetSysCallIndex,addrg_usNtCreateThread

.if eax

mov dwNtCreateThreadIndex,eax



;获取NtCreteThread在内核中的地址

invoke GetSSDTOrigValue,dwNtCreateThreadIndex

.if eax

mov dwNtCreateThreadAddress,eax

invoke DbgPrint,$CTA0("NtCreateThreadindex:%08X,address:%08X"),dwNtCreateThreadIndex,dwNtCreateThreadAddress

mov status,STATUS_SUCCESS

.endif

.endif



mov eax,status



ret

HookNtCreateThread endp



为了完成GetSysCallIndex和GetSSDTOrigValue这两个函数,我增加了PEFile.asm和SSDT.asm两个文件以及对应的PEFile.inc、SSDT.inc和DyanmicHook.inc,你把这些文件加入进去时,注意要向上次那样设置PEFile.asm和SSDT.asm的汇编选项,设置各个文件的依赖项(自己看include去设置,就不详述了)。先把这五个文件的内容贴出来:

EFile.asm



.386

.model flat,stdcall

option casemap:none



include ntddk.inc

include native.inc

include hal.inc

include ntoskrnl.inc

include strings.mac



include DynamicHook.inc

include PEFile.inc



.code

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetAlignedSize proc uses edx ecx dwSize,dwAlignment



xor edx,edx

mov eax,dwSize

mov ecx,dwAlignment

div ecx

.if edx==0

mov eax,dwSize

.else

inc eax

mul dwAlignment

.endif

ret

GetAlignedSize endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetTotalImageSize proc uses edi edx ecx pDosHeader:PIMAGE_DOS_HEADER,pNtHeaders:PIMAGE_NT_HEADERS

local dwResult:DWORD

local dwAlignment:DWORD

local dwSections:DWORD



and dwResult,0

mov edi,pNtHeaders

assume edi:ptrIMAGE_NT_HEADERS

M2M dwAlignment,[edi].OptionalHeader.SectionAlignment

xor edx,edx

mov eax,[edi].OptionalHeader.SizeOfHeaders

mov ecx,dwAlignment

div ecx

.if edx==0

mov eax,[edi].OptionalHeader.SizeOfHeaders

add dwResult,eax

.else

inc eax

mul dwAlignment

add dwResult,eax

.endif

mov edi,pNtHeaders

assume edi:ptrIMAGE_NT_HEADERS



movzx eax,[edi].FileHeader.NumberOfSections

mov dwSections,eax

add edi,sizeofIMAGE_NT_HEADERS

assume edi:ptrIMAGE_SECTION_HEADER

xor edx,edx

.while edx<dwSections

push edx

mov eax,[edi].Misc.VirtualSize

.if eax

xor edx,edx

mov ecx,dwAlignment

div ecx

.if edx==0

mov eax,[edi].Misc.VirtualSize

add dwResult,eax

.else

inc eax

mul dwAlignment

add dwResult,eax

.endif

.endif

pop edx

add edi,sizeofIMAGE_SECTION_HEADER

inc edx

.endw

assume edi:nothing

mov eax,dwResult

ret

GetTotalImageSize endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetPEInfo proc uses edi esi pBase:PVOID,ppDosHeader:ptr PIMAGE_DOS_HEADER,ppNtHeaders:ptrPIMAGE_NT_HEADERS

local status:NTSTATUS



mov status,STATUS_UNSUCCESSFUL

mov edi,pBase

assume edi:ptrIMAGE_DOS_HEADER

.if [edi].e_magic!=IMAGE_DOS_SIGNATURE

jmp @F

.endif

mov esi,ppDosHeader

.if esi

mov dwordptr [esi],edi

.endif

add edi,[edi].e_lfanew

assume edi:ptrIMAGE_NT_HEADERS

.if [edi].Signature!=IMAGE_NT_SIGNATURE

jmp @F

.endif

mov esi,ppNtHeaders

.if esi

mov dwordptr [esi],edi

.endif



mov status,STATUS_SUCCESS

@@:

mov eax,status

ret

GetPEInfo endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

KLoadPEFile proc uses edi esi pBaseAddress:PVOID,pLoadAddress:PVOID

local status:NTSTATUS

local pDosHeader:PIMAGE_DOS_HEADER

local pNtHeaders:PIMAGE_NT_HEADERS

local pPtr:PVOID

local dwSections:DWORD

local dwAlignment:DWORD



mov status,STATUS_UNSUCCESSFUL

invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

mov status,STATUS_INVALID_LEVEL

jmp @F

.endif

M2M pPtr,pLoadAddress



invoke GetPEInfo,pBaseAddress,addrpDosHeader,addr pNtHeaders

.if eax==STATUS_SUCCESS

mov edi,pNtHeaders

assume edi:ptrIMAGE_NT_HEADERS

invoke memcpy,pPtr,pBaseAddress,[edi].OptionalHeader.SizeOfHeaders

M2M dwAlignment,[edi].OptionalHeader.SectionAlignment

invoke GetAlignedSize,[edi].OptionalHeader.SizeOfHeaders,dwAlignment

add pPtr,eax



movzx eax,[edi].FileHeader.NumberOfSections

mov dwSections,eax

add edi,sizeofIMAGE_NT_HEADERS

assume edi:ptrIMAGE_SECTION_HEADER

xor edx,edx

.while edx<dwSections

push edx



mov eax,[edi].SizeOfRawData

.if eax>0

.if eax>[edi].Misc.VirtualSize

mov eax,[edi].Misc.VirtualSize

.endif

mov esi,pBaseAddress

add esi,[edi].PointerToRawData

invoke memcpy,pPtr,esi,eax

invoke GetAlignedSize,[edi].Misc.VirtualSize,dwAlignment

add pPtr,eax

.endif



pop edx

add edi,sizeof IMAGE_SECTION_HEADER

inc edx

.endw

mov status,STATUS_SUCCESS

assume edi:nothing

.endif

@@:

mov eax,status

ret

KLoadPEFile endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;装载PE文件到内存并对齐

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

KLoadLibrary proc pusFileName:PUNICODE_STRING

local oa:OBJECT_ATTRIBUTES

local iosb:IO_STATUS_BLOCK

local hFile:HANDLE

local dwFileSize:DWORD

local fsi:FILE_STANDARD_INFORMATION

local pFile:PVOID

local pDosHeader:PIMAGE_DOS_HEADER

local pNtHeaders:PIMAGE_NT_HEADERS

local dwImageSize

local pImage:PVOID





and pImage,0

invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

jmp @F

.endif



InitializeObjectAttributes addr oa,pusFileName,OBJ_CASE_INSENSITIVE orOBJ_KERNEL_HANDLE,NULL,NULL

invoke ZwOpenFile,addrhFile,FILE_READ_DATA or FILE_EXECUTE or SYNCHRONIZE,addr oa,addriosb,FILE_SHARE_READ,FILE_SYNCHRONOUS_IO_NONALERT

NT_SUCCESS eax

.if eax

invoke RtlZeroMemory,addrfsi,sizeof fsi

invoke ZwQueryInformationFile,hFile,addriosb,addr fsi,sizeof fsi,FileStandardInformation

NT_SUCCESS eax

.if eax

M2M dwFileSize,fsi.EndOfFile.LowPart

;分配内存

invoke ExAllocatePool,PagedPool,dwFileSize

.if eax

mov pFile,eax

invoke ZwReadFile,hFile,0,NULL,NULL,addr iosb,pFile,dwFileSize,0,NULL

NT_SUCCESS eax

.if eax

invoke GetPEInfo,pFile,addr pDosHeader,addrpNtHeaders

.if eax==STATUS_SUCCESS

invoke GetTotalImageSize,pDosHeader,pNtHeaders

.if eax

mov dwImageSize,eax

invoke ExAllocatePool,PagedPool,dwImageSize

.if eax

mov pImage,eax

invoke KLoadPEFile,pFile,pImage

.if eax!=STATUS_SUCCESS

invoke ExFreePool,pImage

and pImage,0

.endif

.endif

.endif

.endif

.endif

invoke ExFreePool,pFile

.endif

.endif



invoke ZwClose,hFile

.endif

@@:

mov eax,pImage

ret

KLoadLibrary endp



;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetPEImageBase proc uses edi pBaseAddress:PVOID

local dwReturn:DWORD



and dwReturn,0



mov edi,pBaseAddress

assume edi:ptrIMAGE_DOS_HEADER

.if [edi].e_magic!=IMAGE_DOS_SIGNATURE

jmp @F

.endif

add edi,[edi].e_lfanew

assume edi:ptrIMAGE_NT_HEADERS

.if [edi].Signature!=IMAGE_NT_SIGNATURE

jmp @F

.endif

M2M dwReturn,[edi].OptionalHeader.ImageBase

assume edi:nothing

@@:

mov eax,dwReturn

ret

GetPEImageBase endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetFuncInfoByName proc uses esi edi ecx pusFuncName:PUNICODE_STRING,pBaseAddress:PVOID,pOrdinal:PDWORD

local dwAddress

local lpAddressOfNames

local lpAddressOfNameOrdinals

local dwIndex

local usExportFunctionName:UNICODE_STRING

local ansExportFunctionName:ANSI_STRING



xor eax,eax

mov dwAddress,eax

mov esi,pOrdinal

.if esi

mov dwordptr [esi],0

.endif



invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

jmp _RETURN

.endif



mov esi,pBaseAddress

assume esi:ptrIMAGE_DOS_HEADER

add esi,[esi].e_lfanew

assume esi:ptrIMAGE_NT_HEADERS

mov eax,[esi].OptionalHeader.DataDirectory.VirtualAddress

.if !eax

jmp _RETURN

.endif

add eax,pBaseAddress

mov edi,eax

assume edi:ptrIMAGE_EXPORT_DIRECTORY



mov eax,[edi].AddressOfNames

add eax,pBaseAddress

mov lpAddressOfNames,eax

mov eax,[edi].AddressOfNameOrdinals

add eax,pBaseAddress

mov lpAddressOfNameOrdinals,eax

mov eax,[edi].AddressOfFunctions

add eax,pBaseAddress

mov esi,eax

mov ecx,[edi].NumberOfFunctions

mov dwIndex,0

@@:

pushad

mov eax,dwIndex

push edi

mov ecx,[edi].NumberOfNames

cld

mov edi,lpAddressOfNameOrdinals

repnz scasw

.if ZERO?

sub edi,lpAddressOfNameOrdinals

sub edi,2

shl edi,1

add edi,lpAddressOfNames

mov eax,dwordptr [edi]

add eax,pBaseAddress



invoke RtlInitAnsiString,addransExportFunctionName,eax

invoke RtlAnsiStringToUnicodeString,addrusExportFunctionName,addr ansExportFunctionName,TRUE

invoke RtlCompareUnicodeString,addrusExportFunctionName,pusFuncName,FALSE

push eax

invoke RtlFreeUnicodeString,addrusExportFunctionName

pop eax

.if eax==0

M2M dwAddress,dwordptr [esi]

pop edi

mov esi,pOrdinal

.if esi

mov ecx,dwIndex

add ecx,[edi].nBase

mov dword ptr [esi],ecx

.endif

popad

jmp _RETURN

.endif

.endif



pop edi

popad

add esi,4

inc dwIndex

loop @B



_RETURN:

assume esi:nothing

mov eax,dwAddress

ret

GetFuncInfoByName endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;获取DLL导出函数信息

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetFunctionInformation proc uses esi edi pusFuncName:PUNICODE_STRING,pusDllName:PUNICODE_STRING,pFuncInfo:PFUNCTION_INFORMATION

local status:NTSTATUS

local pBaseAddress:PVOID



xor eax,eax

mov pBaseAddress,eax

mov status,STATUS_UNSUCCESSFUL



invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

mov status,STATUS_INVALID_LEVEL

jmp @F

.endif





invoke KLoadLibrary,pusDllName

.if eax

mov pBaseAddress,eax

mov esi,pFuncInfo

assume esi:ptrFUNCTION_INFORMATION

lea edi,[esi].dwOridnal

invoke GetFuncInfoByName,pusFuncName,pBaseAddress,edi

.if eax

lea edi,[esi].dwAddress

mov dword ptr [edi],eax

lea edi,[esi].byEntryCode

mov esi,[esi].dwAddress

add esi,pBaseAddress

invoke memcpy,edi,esi,16

mov status,STATUS_SUCCESS

.else

mov status,STATUS_UNSUCCESSFUL

.endif

invoke ExFreePool,pBaseAddress

assume esi:nothing

.endif

@@:

mov eax,status

ret

GetFunctionInformation endp



end





;SSDT.asm

.386

.model flat,stdcall

option casemap:none



include ntddk.inc

include native.inc

include ntoskrnl.inc

include hal.inc

include strings.mac



includePEFile.inc

include DynamicHook.inc

include SSDT.inc



.const

CCOUNTED_UNICODE_STRING "\\Systemroot\\System32\\ntdll.dll",g_usntdllFileName,4

CCOUNTED_UNICODE_STRING "KeServiceDescriptorTable",g_usKeServiceDescriptorTable,4



.code

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;获取内核文件名

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetKernel proc uses edi pusFileName:PUNICODE_STRING

local dwLength:DWORD

local dwAddress:DWORD

local pBuffer

local szFileName[260]:byte

local ansFileName:ANSI_STRING

local dwBase:DWORD



and dwLength,0

and pBuffer,0

and dwAddress,0

invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

jmp @F

.endif



invoke ZwQuerySystemInformation,SystemModuleInformation,NULL,0,addrdwLength

.if dwLength

invoke ExAllocatePool,PagedPool,dwLength

.if eax

mov pBuffer,eax

invoke ZwQuerySystemInformation,SystemModuleInformation,pBuffer,dwLength,addrdwLength

NT_SUCCESS eax

.if eax

mov eax,pBuffer

add eax,4

assume eax:ptr SYSTEM_MODULE_INFORMATION

M2M dwBase,[eax].Base

lea edi,[eax].ImageName

movzx eax,[eax].ModuleNameOffset

add edi,eax

assume eax:nothing

invoke RtlZeroMemory,addr szFileName,260

invoke strcpy,addr szFileName,$CTA0("\\Systemroot\\System32\\")

invoke strcat,addr szFileName,edi

invoke RtlInitAnsiString,addr ansFileName,addr szFileName

.if pusFileName!=NULL

invoke RtlAnsiStringToUnicodeString,pusFileName,addransFileName,TRUE

M2M dwAddress,dwBase

.endif

.endif

invoke ExFreePool,pBuffer

.endif

.endif

@@:

mov eax,dwAddress

ret

GetKernel endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

FindKiServiceTableEx proc uses ecx edi esi edx hModule,dwKSDT

local dwReturn:DWORD

local bFirstChunk:BOOL

local dwCount:DWORD

local dwFixups:DWORD

local dwImageBase:DWORD



and dwReturn,0

and dwFixups,0



mov edi,hModule

assume edi:ptrIMAGE_DOS_HEADER

.if [edi].e_magic!=IMAGE_DOS_SIGNATURE

jmp @F

.endif

add edi,[edi].e_lfanew

assume edi:ptrIMAGE_NT_HEADERS

.if [edi].Signature!=IMAGE_NT_SIGNATURE

jmp @F

.endif

push [edi].OptionalHeader.ImageBase

pop dwImageBase

mov eax,[edi].OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC*sizeofIMAGE_DATA_DIRECTORY].VirtualAddress

movzx ecx,[edi].FileHeader.Characteristics

and ecx,IMAGE_FILE_RELOCS_STRIPPED

.if (eax)&amp;&amp; !(ecx)

mov edi,hModule

add edi,eax

assume edi:ptrIMAGE_BASE_RELOCATION

mov bFirstChunk,TRUE

.while bFirstChunk|| [edi].VirtualAddress

mov bFirstChunk,FALSE

mov esi,edi

add esi,sizeof IMAGE_BASE_RELOCATION

assume esi:ptr IMAGE_FIXUP_ENTRY

mov edx,[edi].SizeOfBlock

sub edx,sizeof IMAGE_BASE_RELOCATION

ror edx,1

mov dwCount,edx

xor edx,edx

.while edx<dwCount

push edx



mov ax,word ptr [esi]

and ax,0F000h

ror ax,12

.if ax==IMAGE_REL_BASED_HIGHLOW

inc dwFixups



mov ax,word ptr [esi]

and ax,0FFFh

movzx eax,ax

add eax,[edi].VirtualAddress

add eax,hModule

mov ecx,eax

mov eax,dword ptr [eax]

sub eax,dwImageBase

.if eax==dwKSDT

mov eax,ecx

sub eax,2

mov ax,word ptr [eax]

.if ax==5C7h

mov eax,ecx

add eax,4

mov eax,dword ptr [eax]

sub eax,dwImageBase

mov dwReturn,eax

jmp @F

.endif

.endif

.endif



pop edx

inc edx

add esi,sizeof WORD

.endw

add edi,[edi].SizeOfBlock

assume esi:nothing

.endw

.endif

assume edi:nothing

@@:

mov eax,dwReturn

ret

FindKiServiceTableEx endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;获取SSDT原始&#20540;

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetSSDTOrigValue proc uses edi dwIndex

local dwReturn:DWORD

local usKernelFileName:UNICODE_STRING

local dwKernelBase:DWORD

local pBaseAddress:PVOID

local dwImageBase:DWORD



xor eax,eax

mov dwReturn,eax

mov pBaseAddress,eax

mov dwKernelBase,eax



invoke KeGetCurrentIrql

.if eax!=PASSIVE_LEVEL

jmp @F

.endif

invoke GetKernel,addrusKernelFileName

.if eax

mov dwKernelBase,eax

;映射PE文件



invoke KLoadLibrary,addrusKernelFileName

.if eax

mov pBaseAddress,eax

invoke GetPEImageBase,pBaseAddress

.if eax

mov dwImageBase,eax

invoke GetFuncInfoByName,addrg_usKeServiceDescriptorTable,pBaseAddress,NULL

.if eax

invoke FindKiServiceTableEx,pBaseAddress,eax

.if eax

add eax,pBaseAddress

mov edi,eax

mov eax,dwIndex

rol eax,2

add edi,eax

mov eax,dword ptr [edi]

sub eax,dwImageBase

add eax,dwKernelBase

mov dwReturn,eax

.endif

.endif

.endif

invoke ExFreePool,pBaseAddress

.endif



invoke RtlFreeUnicodeString,addrusKernelFileName

.endif



@@:

mov eax,dwReturn

ret

GetSSDTOrigValue endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;获取函数的Service Index

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

GetSysCallIndex proc pusFuncName:PUNICODE_STRING

local FuncInfo:FUNCTION_INFORMATION



invoke GetFunctionInformation,pusFuncName,addrg_usntdllFileName,addr FuncInfo

.if eax==STATUS_SUCCESS

lea eax,FuncInfo.byEntryCode

.if byteptr [eax]==0B8h

inc eax

mov eax,dword ptr [eax]

ret

.endif

.endif

xor eax,eax

ret

GetSysCallIndex endp



end





;SSDT.inc

IFNDEF __SSDT_INC__

__SSDT_INC__ equ <1>



ServiceDescriptorEntry STRUCT

pvSSDTBase dd ?

pvServiceCounterTable dd ?

ulNumberOfServices dd ?

pvParamTableBase dd ?

ServiceDescriptorEntry ENDS



GetSysCallIndex proto :PUNICODE_STRING

GetSSDTOrigValue proto :DWORD

GetKernel proto :PUNICODE_STRING



ENDIF



EFile.inc

IFNDEF __PEFILE_INC__

__PEFILE_INC__ equ <1>



FUNCTION_INFORMATION STRUCT

byEntryCode db 16 dup (?) ;前16字节

dwOridnal dd ?

dwAddress dd ?

FUNCTION_INFORMATION ENDS



PFUNCTION_INFORMATION typedef ptr FUNCTION_INFORMATION





IMAGE_DOS_SIGNATURE equ 5A4Dh

IMAGE_NT_SIGNATURE equ 00004550h

IMAGE_SIZEOF_SHORT_NAME equ 8

IMAGE_FILE_RELOCS_STRIPPED equ 0001h

IMAGE_REL_BASED_HIGHLOW equ 3



IMAGE_DIRECTORY_ENTRY_EXPORT equ 0

IMAGE_DIRECTORY_ENTRY_BASERELOC equ 5

IMAGE_NUMBEROF_DIRECTORY_ENTRIES equ 16



IMAGE_DOS_HEADERSTRUCT

e_magic WORD ?

e_cblp WORD ?

e_cp WORD ?

e_crlc WORD ?

e_cparhdr WORD ?

e_minalloc WORD ?

e_maxalloc WORD ?

e_ss WORD ?

e_sp WORD ?

e_csum WORD ?

e_ip WORD ?

e_cs WORD ?

e_lfarlc WORD ?

e_ovno WORD ?

e_res WORD 4 dup(?)

e_oemid WORD ?

e_oeminfo WORD ?

e_res2 WORD 10 dup(?)

e_lfanew DWORD ?

IMAGE_DOS_HEADERENDS



PIMAGE_DOS_HEADER typedef ptr IMAGE_DOS_HEADER



IMAGE_DATA_DIRECTORYSTRUCT

VirtualAddress DWORD ?

isize DWORD ?

IMAGE_DATA_DIRECTORYENDS



IMAGE_OPTIONAL_HEADER32STRUCT

Magic WORD ?

MajorLinkerVersion BYTE ?

MinorLinkerVersion BYTE ?

SizeOfCode DWORD ?

SizeOfInitializedData DWORD ?

SizeOfUninitializedData DWORD ?

AddressOfEntryPoint DWORD ?

BaseOfCode DWORD ?

BaseOfData DWORD ?

ImageBase DWORD ?

SectionAlignment DWORD ?

FileAlignment DWORD ?

MajorOperatingSystemVersion WORD ?

MinorOperatingSystemVersion WORD ?

MajorImageVersion WORD ?

MinorImageVersion WORD ?

MajorSubsystemVersion WORD ?

MinorSubsystemVersion WORD ?

Win32VersionValue DWORD ?

SizeOfImage DWORD ?

SizeOfHeaders DWORD ?

CheckSum DWORD ?

Subsystem WORD ?

DllCharacteristics WORD ?

SizeOfStackReserve DWORD ?

SizeOfStackCommit DWORD ?

SizeOfHeapReserve DWORD ?

SizeOfHeapCommit DWORD ?

LoaderFlags DWORD ?

NumberOfRvaAndSizes DWORD ?

DataDirectory IMAGE_DATA_DIRECTORYIMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)

IMAGE_OPTIONAL_HEADER32ENDS



IMAGE_OPTIONAL_HEADER equ <IMAGE_OPTIONAL_HEADER32>

PIMAGE_OPTIONAL_HEADER typedef ptr IMAGE_OPTIONAL_HEADER



IMAGE_EXPORT_DIRECTORYSTRUCT

Characteristics DWORD ?

TimeDateStamp DWORD ?

MajorVersion WORD ?

MinorVersion WORD ?

nName DWORD ?

nBase DWORD ?

NumberOfFunctions DWORD ?

NumberOfNames DWORD ?

AddressOfFunctions DWORD ?

AddressOfNames DWORD ?

AddressOfNameOrdinals DWORD ?

IMAGE_EXPORT_DIRECTORYENDS



IMAGE_FILE_HEADERSTRUCT

Machine WORD ?

NumberOfSections WORD ?

TimeDateStamp DWORD ?

PointerToSymbolTable DWORD ?

NumberOfSymbols DWORD ?

SizeOfOptionalHeader WORD ?

Characteristics WORD ?

IMAGE_FILE_HEADERENDS



IMAGE_NT_HEADERSSTRUCT

Signature DWORD ?

FileHeader IMAGE_FILE_HEADER <>

OptionalHeader IMAGE_OPTIONAL_HEADER32 <>

IMAGE_NT_HEADERSENDS



PIMAGE_NT_HEADERS typedef ptr IMAGE_NT_HEADERS



IMAGE_SECTION_HEADERSTRUCT

Name1 db IMAGE_SIZEOF_SHORT_NAME dup(?)

union Misc

PhysicalAddress dd ?

VirtualSize dd ?

ends

VirtualAddress dd ?

SizeOfRawData dd ?

PointerToRawData dd ?

PointerToRelocations dd ?

PointerToLinenumbers dd ?

NumberOfRelocations dw ?

NumberOfLinenumbers dw ?

Characteristics dd ?

IMAGE_SECTION_HEADERENDS



PIMAGE_SECTION_HEADER typedef ptr IMAGE_SECTION_HEADER



IMAGE_BASE_RELOCATIONSTRUCT

VirtualAddress dd ?

SizeOfBlock dd ?

IMAGE_BASE_RELOCATIONENDS



PIMAGE_BASE_RELOCATION typedef ptr IMAGE_BASE_RELOCATION



GetFunctionInformation proto :PUNICODE_STRING,:PUNICODE_STRING,:PFUNCTION_INFORMATION

GetFuncInfoByName proto :PUNICODE_STRING,:PVOID,:PDWORD

GetPEImageBase proto :PVOID

GetPEImageLength proto :PUNICODE_STRING

KLoadLibrary proto :PUNICODE_STRING



ENDIF



;SSDT.inc



;DyanmicHook.inc



IFNDEF __DYNAMICHOOK_INC__

__DYNAMICHOOK_INC__ equ <1>





OPEN_EXISTING equ 3

INVALID_HANDLE_VALUE equ -1

FILE_MAP_READ equ SECTION_MAP_READ

MAX_PATH equ 260



M2M macro M1,M2

push M2

pop M1

ENDM



NT_SUCCESS macro status

mov eax,status

and eax,80000000h

.if eax

mov eax,FALSE

.else

mov eax,TRUE

.endif

ENDM



ENDIF



先贴代码,再来讲原理。根据我们刚才对SSDT的认识,要顺利找到SSDT的位置,首先要确定NtCreateThread的服务序号。不幸的是我尚未找到有效准确的获取方式。我唯一的思路是在ntdll.dll中找到ZwCreateThread,判断如果它的第一字节为0xB8(汇编代码MOV EAX,XXXXXXXX)那么它第二字节开始的双字就是其服务序号。用C语言描述应该是:SysCallIndex = *( (WORD*)((DWORD)GetProcAddress(ntdll,ZwCreateThread)+
1) );

为此,专门写了PEFile.asm这个文件,这个文件提供了一些函数:

GetFunctionInformation proto :PUNICODE_STRING,:PUNICODE_STRING,:PFUNCTION_INFORMATION

GetFuncInfoByName proto :PUNICODE_STRING,:PVOID,:PDWORD

GetPEImageBase proto :PVOID

GetPEImageLength proto :PUNICODE_STRING

KLoadLibrary proto :PUNICODE_STRING

其中,KLoadLibrary将PE文件按加载到内存中(不是读取到内存中,类似PE加载器一样按照PE结构中的描述对其进行加载,以便通过导出表分析导出函数在内存中的位置),其它几个函数就顾名思义了。这些函数的意思我就不再详细解释,因为这也是我3年前的代码,我也记不得太清楚。有了这几个函数,你就能够理解SSDT.asm中的GetSysCallIndex这个函数的原理。当然,我讲了这是我唯一的思路,也希望大家不吝赐教,把你知道的方法告诉我(你别说用0x35硬编码就行)

确定了NtCreateThread的服务序号,下面我们就要在SSDT中寻找NtCreateThread的存放位置以及原始的函数地址。其实这比获取服务序号简单多了,因为一切秘密都在KeDescriptorTable这个导出符号中。需要注意的是前面我们已经说了,并不是所有系统中内核文件名都叫ntoskrnl.exe,所以先用ZwQuerySystemInformation获取一下当前系统中的内核文件名,通过对导出符号KeDescriptorTable的分析,顺利获得NtCreateThread的真实地址。具体的代码在SSDT.asm中,函数比较少,看名字就懂意思,具体我也不详细解释了,再解释又扯得很远,而且这是我3年前的代码。

好了,打开DebugView,用KmdManager加载一下我们生成的内核程序:




与前面LiveKd看到的一样,貌似一切都很顺利。
这一章就讲完了,下一章我们就完成HookSSDT、UnHookSSDT这两个函数,我们把NtCreateThread函数Hook住,监视一下进程的创建,同时我在下一章告诉大家为什么我极不推荐普通人对SSDT使用Inline Hook,虽然它的功能更加强大!顺便希望大家检查下我的代码,谢谢。
点击按钮快速添加回复内容: 支持 高兴 激动 给力 加油 苦寻 生气 回帖 路过 感恩
您需要登录后才可以回帖 登录 | 注册账号

本版积分规则

小黑屋|手机版|Archiver|看流星社区 |网站地图

GMT+8, 2024-3-19 12:17

Powered by Kanliuxing X3.4

© 2010-2019 kanliuxing.com

快速回复 返回顶部 返回列表