/*
 * PassHSProcessProtect - removes a detour placed on NtOpenProcess by patching kernel code.
 *
 * What the visible code does, in order:
 *   1. Resolves "NtOpenProcess" with MmGetSystemRoutineAddress and returns
 *      STATUS_UNSUCCESSFUL if the exported address differs from the NtOpenProcess symbol.
 *   2. Maps the page holding it via MapMemoryToSystemVA, reads the 32-bit value at
 *      offset 0xB of the mapping (the rel32 of the CALL in the disassembly below) and
 *      derives the detour's absolute address from it.
 *   3. Maps the page holding the detour and returns STATUS_SUCCESS. The patch block
 *      further down is unreachable as written.
 *   4. (unreachable) writes five 0x90 (NOP) bytes at HSHook, then unmaps and frees.
 *
 * Returns STATUS_SUCCESS or STATUS_UNSUCCESSFUL. Assumes 32-bit x86 (pointers held in
 * ULONG/LONG, inline __asm) and the exact instruction layout recorded in the disassembly
 * comments; any other build of the hooked routine would be misread at offset 0xB.
 * Writing to executable kernel code through an MDL mapping is precisely the behaviour
 * kernel code-integrity checks are designed to detect (the author's own comments
 * anticipate a CRC check), so a driver doing this should expect to be flagged.
 */
- NTSTATUS PassHSProcessProtect()
- {
- NTSTATUS status;
- UNICODE_STRING funtionName;
- ULONG addr;
- LONG HSHook;
// Neither pMdl nor pMyNtOP is initialised before the first MapMemoryToSystemVA call; see the note there.
- PMDL pMdl;
- PVOID pMyNtOP;
- RtlInitUnicodeString(&funtionName,L"NtOpenProcess");
- addr = (ULONG)MmGetSystemRoutineAddress(&funtionName);
- KdPrint(("NtOpenProcess的地址是%X",addr));
- //Simple check for whether it is hooked; feels rather pointless
- if (!(addr == (ULONG)NtOpenProcess))
- {
- return STATUS_UNSUCCESSFUL;
- }
// NOTE(review): the callee takes the MDL pointer by value and a PVOID* out-parameter,
// so this call cannot fill in pMdl or pMyNtOP; both locals stay uninitialised and are
// then used by the __asm block and MmUnmapLockedPages below.
- status = MapMemoryToSystemVA(pMdl, (PVOID)addr, 4096, pMyNtOP);
- if (STATUS_UNSUCCESSFUL == status)
- {
- KdPrint(("MapMemoryToSystemVA 调用失败。111"));
- return STATUS_UNSUCCESSFUL;
- }
- KdPrint(("pMyNtOP为:%X" ,(ULONG)pMyNtOP));
- //Read the address of HS's hook: the 32-bit operand at offset 0xB of the mapped page
- {
- __asm
- {
- mov ebx, pMyNtOP
- mov eax, dword ptr[ebx + 0xB]
- mov HSHook, eax
- }
- }
- MmUnmapLockedPages(pMyNtOP,pMdl);
- //Get the address of HS's detour function: the relative displacement is added to the
- //address of the byte following the 5-byte CALL at NtOpenProcess+0xA (see disassembly below)
- HSHook = (ULONG)NtOpenProcess + 0xA + 5 + HSHook;
- KdPrint(("pHSHook:%X" ,HSHook));
// NOTE(review): the last argument is the target address itself cast to PVOID*, so the
// callee stores its mapped address into memory at HSHook rather than into a local.
- status = MapMemoryToSystemVA(pMdl, (PVOID)HSHook, 4096, (PVOID*)HSHook);
- if (status == STATUS_UNSUCCESSFUL)
- {
- KdPrint(("MapMemoryToSystemVA 调用失败!"));
- return STATUS_UNSUCCESSFUL;
- }
- KdPrint(("pHSHook:%X" ,HSHook));
// The function returns here. Everything below this line is unreachable as written, and the
// mapping/MDL from the call above is neither unmapped nor freed on this path.
- return STATUS_SUCCESS;
- //NtOpenProcess with HS running
- //805cc3fc 68c4000000 push 0C4h
- //805cc401 68b8b44d80 push offset nt!ObWatchHandles+0x25c (804db4b8)
- //805cc406 e8957cc109 call 8a1e40a0 ;the hooked location
- //805cc40b 33f6 xor esi,esi
- //805cc40d 8975d4 mov dword ptr [ebp-2Ch],esi
- //805cc410 33c0 xor eax,eax
- //805cc412 8d7dd8 lea edi,[ebp-28h]
- //805cc415 ab stos dword ptr es:[edi]
- //This is HS's detour function
- //8a1e40a0 e9db009e26 jmp b0bc4180 ;reportedly HS does not CRC-check here, so NOP it out without hesitation
- //8a1e40a5 90 nop
- //8a1e40a6 90 nop
- //8a1e40a7 90 nop
- //8a1e40a8 e9d38a35f6 jmp nt!_SEH_prolog (8053cb80)
- //8a1e40ad 90 nop
- //8a1e40ae 90 nop
- //8a1e40af 90 nop
- //After unhooking, NtOpenProcess behaves as it originally did
- //HS first hooks NtOpenProcess with a detour function and then jumps into its own routine. But I have only just started learning reversing, so I'll study that later (and there may also be a CRC).
- //So I just NOP out this jump instruction myself. It works!
- //A JMP instruction takes 5 bytes, as you know.
- //Remove the hook on NtOpenProcess
// (unreachable, see above) Stores 0x90 x5 through the raw HSHook address: a dword then one byte.
- {
- __asm
- {
- mov ebx, HSHook
- mov dword ptr[ebx], 0x90909090
- mov byte ptr[ebx+4], 0x90
- }
- }
- //Did I use the following wrongly, or what? It had no effect
- //InterlockedExchange(&HSHook,0x90909090);
- //HSHook = HSHook + 1;
- //InterlockedExchange(&HSHook,0x90909090);
- MmUnmapLockedPages((PVOID)HSHook, pMdl);
- IoFreeMdl(pMdl);
- return STATUS_SUCCESS;
- }
// Helper used by PassHSProcessProtect above to obtain a system-space view of a kernel page.
- NTSTATUS MapMemoryToSystemVA
- (
- OUT MDL* pMdl,
- IN PVOID pAddr,
- IN SIZE_T pageSize,
- OUT PVOID* MappedAddr
- )
- /*++
- Function description:
- Uses an MDL and the related routines to map a block of memory into system address space.
- Parameters:
- pMdl
- Address of the MDL structure. NOTE(review): annotated OUT but declared by value (MDL*,
- not MDL**), so the MDL created below is assigned only to this local copy; the caller
- never receives it and therefore cannot unmap or free it.
- pAddr
- The address to map
- pageSize
- Size of the page to map. Unused: the MmCreateMdl call below hard-codes 4096.
- MappedAddr
- Receives the mapped address. Written through unconditionally, so it must point at valid storage.
- Return value:
- STATUS_SUCCESS on success, otherwise STATUS_UNSUCCESSFUL.
- --*/
- {
- //Create the MDL describing 4096 bytes at pAddr (pageSize is ignored)
- pMdl = MmCreateMdl(NULL,(PVOID)pAddr,4096);
- if (!pMdl)
- {
- KdPrint(("MmCreateMdl 调用失败!pMdl:%X",(ULONG)pMdl));
- return STATUS_UNSUCCESSFUL;
- }
- //Fill in the MDL's page array, treating the range as nonpaged memory
- MmBuildMdlForNonPagedPool(pMdl);
- //Set MDL_MAPPED_TO_SYSTEM_VA by hand before the map call (original comment: "map into system space")
- pMdl->MdlFlags = pMdl->MdlFlags| MDL_MAPPED_TO_SYSTEM_VA;
- //Lock the range and hand back a pointer to the mapped region
- *MappedAddr = (PVOID)MmMapLockedPages(pMdl, KernelMode);
// NOTE(review): whether MmMapLockedPages returns NULL or raises/bugchecks on a KernelMode
// mapping failure depends on the OS version; confirm against the WDK docs for the target.
// On this failure path the MDL created above is not freed.
- if (*MappedAddr == NULL)
- {
- KdPrint(("MmMapLockedPages 调用失败!"));
- return STATUS_UNSUCCESSFUL;
- }
- return STATUS_SUCCESS;
- }