网上一个仿TP挂钩内核的源码
最近研究TESSAFE.SYS的驱动,GOOGLE搜索到微点也是一样的手法HOOK call ObOpenObjectByPointe,把不完整的代码给编写实现了下。未实现检测,应该是有修改我的代码或恢复HOOK call即重启或蓝屏,我为了方便没实现,下载我改动后驱动文件,用来保护记事本不被OPENprocess。。
然后unhook call ObOpenObjectByPointe 的代码从网上摘来,在搞虚拟机里可以过掉,但主机确是老蓝屏8e代码。原来是代码根本不对,看雪上发的贴,有指出不对的代码拷贝函数,我做下修改为指令长度拷贝,终于可以了。反inline hook 深层call驱动文件,可以下载,源码都在下面了,文件里就没放。注意顺序,必须先开这个驱动才有用,因为是从内存拷贝来的,先让inline hook 深层call驱动加载了,在拷贝内存也是错误的。关闭时倒序来,否则蓝了别怪我,模拟就只是模拟罢了。
//unhok call 这是SSDT hook,在深层call ObOpenObjectByPointe驱动加载前复制NtOpenThread NtOpenProcess 两个代码到别处SSDT。原来主机蓝屏,但虚拟机也实现不蓝,反汇编下看到代码烤过来的不对,果然是拷贝函数没处理细节,做下修改BufferCode函数加了反汇编引擎判断指令长度,按长度来拷贝,再根据指令做重定位。
#include "ntddk.h"
#include <ntdef.h>
#include "LDasm.h"
#define ThreadLength 0x4f4 //要保存的 NtOpenThread 原代码的长度
#define ProcessLength 0x28a //要保存的 NtOpenProcess 原代码的长度
#define DeviceLink L"\\Device\\DNFCracker"
#define SymbolicLink L"\\DosDevices\\DNFCracker"
#define IOCTL_RESTORE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x886, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef NTSTATUS (* NTOPENTHREAD)(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN OPTIONAL PCLIENT_ID ClientId
);
typedef NTSTATUS (* NTOPENPROCESS)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PVOID ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfService;
ULONG ParamTableBase;
}
SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
VOID Hook();
VOID Unhook();
VOID BufferCode(PUCHAR pCode, ULONG TrgAddr, ULONG BufferLength);
NTOPENTHREAD OldThread;
NTOPENPROCESS OldProcess;
ULONG AddrRead, AddrWrite;
//原 NtReadVirtualMemory/NtWriteVirtualMemory 的前 16 字节代码
ULONG OrgRead[2], OrgWrite[2];
//保存 NtOpenThread/NtOpenProcess 代码
UCHAR MyThread[ThreadLength], MyProcess[ProcessLength];
NTSTATUS MyNtOpenThread(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
ACCESS_MASK oDA;
OBJECT_ATTRIBUTES oOA;
CLIENT_ID oCID;
NTSTATUS statusF, statusT;
oDA = DesiredAccess;
oOA = *ObjectAttributes;
oCID = *ClientId;
statusF = OldThread(ThreadHandle, oDA, &oOA, &oCID);
statusT = ((NTOPENTHREAD)MyThread)(ThreadHandle, DesiredAccess, ObjectAttributes, ClientId);
return statusT;
}
NTSTATUS MyNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
ACCESS_MASK oDA;
OBJECT_ATTRIBUTES oOA;
CLIENT_ID oCID;
NTSTATUS statusF, statusT;
oDA = DesiredAccess;
oOA = *ObjectAttributes;
oCID = *ClientId;
statusF = OldProcess(ProcessHandle, oDA, &oOA, &oCID);
statusT = ((NTOPENPROCESS)MyProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
return statusT;
}
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
//UNICODE_STRING usLink;
Unhook();
DbgPrint("DNF Cracker Unloaded!");
}
VOID Hook()
{
ULONG AddrProcess, AddrThread;
KIRQL Irql;
AddrRead = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0xBA * 4;
AddrWrite = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;
AddrThread = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x80 * 4;
AddrProcess = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;
OldThread = (NTOPENTHREAD)(*(PULONG)AddrThread);
OldProcess = (NTOPENPROCESS)(*(PULONG)AddrProcess);
//DbgPrint("MyThread:0xX OldThread:0xX", MyThread, OldThread);
//DbgPrint("MyProcess:0xX OldProcess:0xX", MyProcess, OldProcess);
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
Irql=KeRaiseIrqlToDpcLevel();
//记录 NtReadVirtualMemory/NtWriteVirtualMemory 前 16 字节
//保存原代码
BufferCode(MyThread, (ULONG)OldThread, ThreadLength);
BufferCode(MyProcess, (ULONG)OldProcess, ProcessLength);
//SSDT Hook
*(PULONG)AddrThread = (ULONG)MyNtOpenThread;
*(PULONG)AddrProcess = (ULONG)MyNtOpenProcess;
KeLowerIrql(Irql);
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
DbgPrint("OldThread!:X\n",(ULONG)OldThread);
DbgPrint("OldProcess!:X\n",(ULONG)OldProcess);
DbgPrint("MyThread!:X\n",(ULONG)MyThread);
DbgPrint("MyProcess!:X\n",(ULONG)MyProcess);
}
VOID Unhook()
{
ULONG AddrProcess, AddrThread;KIRQL Irql;
AddrThread = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x80 * 4;
AddrProcess = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
Irql=KeRaiseIrqlToDpcLevel();
//恢复 SSDT
*(PULONG)AddrThread = (ULONG)OldThread;
*(PULONG)AddrProcess = (ULONG)OldProcess;
KeLowerIrql(Irql);
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
DbgPrint("DNF Cracker Loaded!");
DriverObject->DriverUnload = OnUnload;
Hook();
return STATUS_SUCCESS;
}
// OrgRel 原相对跳转地址
// CurAbs 当前代码绝对地址
// MyAbs 替换代码绝对地址
// CodeLen 跳转代码占据的长度
// 返回值 到替换代码的相对地址
LONG GetRelAddr(LONG OrgRel, ULONG CurAbs, ULONG MyAbs) //, ULONG CodeLen)
{
ULONG TrgAbs;
TrgAbs = CurAbs + OrgRel; // + CodeLen; //目的地址
return TrgAbs - MyAbs;
}
// 保存原来整个函数的代码(已修改的正确拷贝指令函数)
// pCode 用来保存代码的数组的地址
// TrgAddr 要保存的函数的地址
// BufferLength 整个函数占用的大小
VOID BufferCode(PUCHAR pCode, ULONG TrgAddr, ULONG BufferLength)
{
PUCHAR cPtr, pOpcode;
ULONG cAbs, i;
LONG oRel, cRel;
ULONG Length;
memset(pCode, 0x90, BufferLength);
for (i = 0; i < BufferLength; i+= Length)
{
cAbs = TrgAddr + i;
pCode[i] = *(PUCHAR)cAbs;
Length = SizeOfCode((PUCHAR)cAbs, &pOpcode);//計算當前指令長度
if(Length)
{//不为0则考过来指令, 长度:Length
memcpy(pCode + i, (PVOID)(cAbs), Length);
}//下面对这条指令重新处理,修正定位
//if (!Length) break;
switch (*(PUCHAR)cAbs)
{
case 0x0F: //JXX NEAR X
if ((*(PUCHAR)(cAbs + 1) >= 0x80)&&(*(PUCHAR)(cAbs + 1) <= 0x8F))
{
oRel = *(PLONG)(cAbs + 2);
if ((oRel + cAbs + 6 > TrgAddr + BufferLength)||
(oRel + cAbs + 6 < TrgAddr)) //判断跳转是否在过程范围内
{
pCode[i + 1] = *(PUCHAR)(cAbs + 1);
cRel = GetRelAddr(oRel, cAbs, (ULONG)pCode + i);
memcpy(pCode + i + 2, &cRel, sizeof(LONG));
//DbgPrint("JXX: 0xX -> 0xX", cAbs, (ULONG)pCode + i);
//i += sizeof(LONG) + 1;
}
}
break;
case 0xE8: //CALL
oRel = *(PLONG)(cAbs + 1);
if ((oRel + cAbs + 5 > TrgAddr + BufferLength)||
(oRel + cAbs + 5 < TrgAddr)) //判断跳转是否在过程范围内
{
cRel = GetRelAddr(oRel, cAbs, (ULONG)pCode + i);
memcpy(pCode + i + 1, &cRel, sizeof(LONG));
//DbgPrint("CALL: 0xX -> 0xX", cAbs, (ULONG)pCode + i);
}
break;
case 0x80: //CMP BYTE PTR X
if (*(PUCHAR)(cAbs + 1) == 0x7D)
{
memcpy(pCode + i + 1, (PVOID)(cAbs + 1), 3);
//i += 3;
continue;
}
break;
case 0xC2: //RET X
if (*(PUSHORT)(cAbs +1) == 0x10)
{
memcpy(pCode + i + 1, (PVOID)(cAbs + 1), sizeof(USHORT));
//i += sizeof(USHORT);
}
break;
//default:
}
//DbgPrint("addr:X//n:X//Length!X\n",(ULONG)cAbs,*(PUCHAR)cAbs,Length);
}
}
//不过学习这些还是有好处的,不经意间注意到一个细节被我过了,哈哈。。
----------------------------------------------------
网上一个仿TP挂钩内核的源码相关推荐
- 分享一个仿就看天气应用源码
2019独角兽企业重金招聘Python工程师标准>>> 作者xcc3641,源码SeeWeather,就看天气--是一款遵循Material Design风格的只看天气的APP.无流 ...
- 最新友价T5仿虚拟交易商城网站源码+PHP内核
正文: 最新友价T5仿虚拟交易商城网站源码+PHP内核,采用最新友价版本二次开发,内含几套模板. 程序: wwtjd.lanzoum.com/i45Xm09cm84b 图片:
- 高仿红孩子网上商城服务端和客户端应用源码
非常难得的一款高仿红孩子网上商城服务端和客户端应用源码. 源码下载: 客户端源码:http://code.662p.com/view/2177.html 服务端源码:http://code.662p. ...
- Thinkphp内核高仿拼多多拼团源码 完美运营级商城系统
Thinkphp内核高仿拼多多拼团源码 完美运营级商城系统 可封装APP 多用户 完美运营级商城系统支持商家入驻,是目前来说最新微信拼团系统.完美运营版,带详细配置教程! 运行环境:php+mysql ...
- 帝国CMS仿核弹头H5小游戏模板/92game帝国CMS内核仿游戏网整站源码
帝国CMS仿核弹头H5小游戏模板/92game帝国CMS内核仿游戏网整站源码 ☑️ 编号:ym498 ☑️ 品牌:帝国CMS ☑️ 语言:php ☑️ 大小:360MB ☑️ 类型:仿核弹头H5小游戏 ...
- 五子棋服务端程序java_9网上五子棋对战(java)服务端源码
9网上五子棋对战(java)服务端源码 网上五子棋对战(java)服务端源码 /* 五子棋游戏是本人在学习java swing时写的一个程序,程序分两部分:服务器端和客户端.运行程序时先运行服务器端, ...
- 仿速度装机联盟程序源码,装机联盟程序源码 安装联盟程序源码
仿速度装机联盟程序源码,装机联盟程序源码 安装联盟程序源码 需要者联系 售价800 马腾化570-9 53077 仿速度装机联盟程序源码,装机联盟程序源码 安装联盟程序源码 需要者联系 售价800 马 ...
- JAVA JSP javaweb网上订餐系统餐厅点餐系统源码(ssm点餐系统)网上订餐系统在线订餐
JSP javaweb网上订餐系统餐厅点餐系统源码(ssm点餐系统)网上订餐系统在线订餐 大家好,很高兴和大家分享Java项目和经验.不管同学们是出于什么需求.都希望各位计算机专业的同学有一个提高. ...
- 第十期-Linux内核补丁源码分析(2)
作者:罗宇哲,中国科学院软件研究所智能软件研究中心 在上一期中,我们通过CAKE系统的实例介绍了一种对Linux内核补丁的初步分析方法,这一期我们将继续通过CAKE系统的例子介绍一种对补丁文件源码的分 ...
最新文章
- 知乎2w人关注,没有工程开发经验的人是怎么找到工作的?
- 基础篇-verilog-FPGA实现频率相位调制DDS信号
- webpack 的webpack.config文件配置css-loader,style-loader注意的问题
- 【SpringCloud】Spring cloud Alibaba Sentinel 服务降级 (阿里版本Hystrix)
- LeetCode 889. Construct Binary Tree from Preorder and Postorder Traversal
- NYOJ题目325-zb的生日
- python 扫描枪_python实现超市扫码仪计费
- Swagger注解说明
- 超定方程组最小二乘matlab,超定方程组最优解(最小二乘解)推导
- 最齐全的企业BI建设地图,附高清完整版BI知识图谱
- 内部投资回报率IRR
- SpringCloud Day05---服务网关(Gateway)
- 战神引擎传奇手游源码【诛仙玛法单职业五大陆】
- Jetpack新成员,App Startup一篇就懂
- database rough 1
- http域名跳转到https域名
- 【Python函数综合实例】
- 掉入黑洞会怎样?被拉成面条,还是前往另一个宇宙?
- 中国推出网上“防沉迷系统”
- ng-class和ng-show的使用