最近研究TESSAFE.SYS的驱动,GOOGLE搜索到微点也是一样的手法HOOK call ObOpenObjectByPointe,把不完整的代码给编写实现了下。未实现检测,应该是有修改我的代码或恢复HOOK call即重启或蓝屏,我为了方便没实现,下载我改动后驱动文件,用来保护记事本不被OPENprocess。。
然后unhook call ObOpenObjectByPointe 的代码从网上摘来,在搞虚拟机里可以过掉,但主机确是老蓝屏8e代码。原来是代码根本不对,看雪上发的贴,有指出不对的代码拷贝函数,我做下修改为指令长度拷贝,终于可以了。反inline hook 深层call驱动文件,可以下载,源码都在下面了,文件里就没放。注意顺序,必须先开这个驱动才有用,因为是从内存拷贝来的,先让inline hook 深层call驱动加载了,在拷贝内存也是错误的。关闭时倒序来,否则蓝了别怪我,模拟就只是模拟罢了。
//unhok call 这是SSDT hook,在深层call ObOpenObjectByPointe驱动加载前复制NtOpenThread NtOpenProcess 两个代码到别处SSDT。原来主机蓝屏,但虚拟机也实现不蓝,反汇编下看到代码烤过来的不对,果然是拷贝函数没处理细节,做下修改BufferCode函数加了反汇编引擎判断指令长度,按长度来拷贝,再根据指令做重定位。
#include "ntddk.h"
#include <ntdef.h>
#include "LDasm.h"
#define ThreadLength 0x4f4 //要保存的 NtOpenThread 原代码的长度
#define ProcessLength 0x28a //要保存的 NtOpenProcess 原代码的长度
#define DeviceLink L"\\Device\\DNFCracker"
#define SymbolicLink L"\\DosDevices\\DNFCracker"
#define IOCTL_RESTORE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x886, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef NTSTATUS (* NTOPENTHREAD)(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN OPTIONAL PCLIENT_ID ClientId
);
typedef NTSTATUS (* NTOPENPROCESS)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PVOID ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfService;
ULONG ParamTableBase;
}
SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
VOID Hook();
VOID Unhook();
VOID BufferCode(PUCHAR pCode, ULONG TrgAddr, ULONG BufferLength);
NTOPENTHREAD OldThread;
NTOPENPROCESS OldProcess;
ULONG AddrRead, AddrWrite;
//原 NtReadVirtualMemory/NtWriteVirtualMemory 的前 16 字节代码
ULONG OrgRead[2], OrgWrite[2];
//保存 NtOpenThread/NtOpenProcess 代码
UCHAR MyThread[ThreadLength], MyProcess[ProcessLength];
NTSTATUS MyNtOpenThread(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
ACCESS_MASK oDA;
OBJECT_ATTRIBUTES oOA;
CLIENT_ID oCID;
NTSTATUS statusF, statusT;
oDA = DesiredAccess;
oOA = *ObjectAttributes;
oCID = *ClientId;
statusF = OldThread(ThreadHandle, oDA, &oOA, &oCID);
statusT = ((NTOPENTHREAD)MyThread)(ThreadHandle, DesiredAccess, ObjectAttributes, ClientId);
return statusT;
}
NTSTATUS MyNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
ACCESS_MASK oDA;
OBJECT_ATTRIBUTES oOA;
CLIENT_ID oCID;
NTSTATUS statusF, statusT;
oDA = DesiredAccess;
oOA = *ObjectAttributes;
oCID = *ClientId;
statusF = OldProcess(ProcessHandle, oDA, &oOA, &oCID);
statusT = ((NTOPENPROCESS)MyProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
return statusT;
}
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
//UNICODE_STRING usLink;
/*ULONG i;
for (i = 0; i < ThreadLength; i += 4)
{
DbgPrint("%02x %02x %02x %02x\n", MyThread[i], MyThread[i + 1], MyThread[i + 2], MyThread[i + 3]);
DbgPrint("%02x %02x %02x %02x\n", MyProcess[i], MyProcess[i + 1], MyProcess[i + 2], MyProcess[i + 3]);
}
*/
Unhook();
DbgPrint("DNF Cracker Unloaded!");
}
VOID Hook()
{
ULONG AddrProcess, AddrThread;
KIRQL Irql;
AddrRead = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0xBA * 4;
AddrWrite = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;
AddrThread = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x80 * 4;
AddrProcess = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;
OldThread = (NTOPENTHREAD)(*(PULONG)AddrThread);
OldProcess = (NTOPENPROCESS)(*(PULONG)AddrProcess);
//DbgPrint("MyThread:0x%08X OldThread:0x%08X", MyThread, OldThread);
//DbgPrint("MyProcess:0x%08X OldProcess:0x%08X", MyProcess, OldProcess);
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
Irql=KeRaiseIrqlToDpcLevel();
//记录 NtReadVirtualMemory/NtWriteVirtualMemory 前 16 字节
/* OrgRead[0] = *(PULONG)(*(PULONG)AddrRead);
OrgRead[1] = *(PULONG)(*(PULONG)AddrRead + 4);
OrgWrite[0] = *(PULONG)(*(PULONG)AddrWrite);
OrgWrite[1] = *(PULONG)(*(PULONG)AddrWrite + 4);*/
//保存原代码
BufferCode(MyThread, (ULONG)OldThread, ThreadLength);
BufferCode(MyProcess, (ULONG)OldProcess, ProcessLength);
//SSDT Hook
*(PULONG)AddrThread = (ULONG)MyNtOpenThread;
*(PULONG)AddrProcess = (ULONG)MyNtOpenProcess;
KeLowerIrql(Irql);
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
DbgPrint("OldThread!:%08X\n",(ULONG)OldThread);
DbgPrint("OldProcess!:%08X\n",(ULONG)OldProcess);
DbgPrint("MyThread!:%08X\n",(ULONG)MyThread);
DbgPrint("MyProcess!:%08X\n",(ULONG)MyProcess);
}
VOID Unhook()
{
ULONG AddrProcess, AddrThread;KIRQL Irql;
AddrThread = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x80 * 4;
AddrProcess = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
Irql=KeRaiseIrqlToDpcLevel();
//恢复 SSDT
*(PULONG)AddrThread = (ULONG)OldThread;
*(PULONG)AddrProcess = (ULONG)OldProcess;
KeLowerIrql(Irql);
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
DbgPrint("DNF Cracker Loaded!");
DriverObject->DriverUnload = OnUnload;
Hook();
return STATUS_SUCCESS;
}
// OrgRel 原相对跳转地址
// CurAbs 当前代码绝对地址
// MyAbs 替换代码绝对地址
// CodeLen 跳转代码占据的长度
// 返回值 到替换代码的相对地址
LONG GetRelAddr(LONG OrgRel, ULONG CurAbs, ULONG MyAbs) //, ULONG CodeLen)
{
ULONG TrgAbs;
TrgAbs = CurAbs + OrgRel; // + CodeLen; //目的地址
return TrgAbs - MyAbs;
}
// 保存原来整个函数的代码(已修改的正确拷贝指令函数)
// pCode 用来保存代码的数组的地址
// TrgAddr 要保存的函数的地址
// BufferLength 整个函数占用的大小
VOID BufferCode(PUCHAR pCode, ULONG TrgAddr, ULONG BufferLength)
{
PUCHAR cPtr, pOpcode;
ULONG cAbs, i;
LONG oRel, cRel;
ULONG Length;
memset(pCode, 0x90, BufferLength);
for (i = 0; i < BufferLength; i+= Length)
{
cAbs = TrgAddr + i;
pCode[i] = *(PUCHAR)cAbs;
Length = SizeOfCode((PUCHAR)cAbs, &pOpcode);//計算當前指令長度
if(Length)
{//不为0则考过来指令, 长度:Length
memcpy(pCode + i, (PVOID)(cAbs), Length);
}//下面对这条指令重新处理,修正定位
//if (!Length) break;
switch (*(PUCHAR)cAbs)
{
case 0x0F: //JXX NEAR X
if ((*(PUCHAR)(cAbs + 1) >= 0x80)&&(*(PUCHAR)(cAbs + 1) <= 0x8F))
{
oRel = *(PLONG)(cAbs + 2);
if ((oRel + cAbs + 6 > TrgAddr + BufferLength)||
(oRel + cAbs + 6 < TrgAddr)) //判断跳转是否在过程范围内
{
pCode[i + 1] = *(PUCHAR)(cAbs + 1);
cRel = GetRelAddr(oRel, cAbs, (ULONG)pCode + i);
memcpy(pCode + i + 2, &cRel, sizeof(LONG));
//DbgPrint("JXX: 0x%08X -> 0x%08X", cAbs, (ULONG)pCode + i);
//i += sizeof(LONG) + 1;
}
}
break;
case 0xE8: //CALL
oRel = *(PLONG)(cAbs + 1);
if ((oRel + cAbs + 5 > TrgAddr + BufferLength)||
(oRel + cAbs + 5 < TrgAddr)) //判断跳转是否在过程范围内
{
cRel = GetRelAddr(oRel, cAbs, (ULONG)pCode + i);
memcpy(pCode + i + 1, &cRel, sizeof(LONG));
//DbgPrint("CALL: 0x%08X -> 0x%08X", cAbs, (ULONG)pCode + i);
}
break;
case 0x80: //CMP BYTE PTR X
if (*(PUCHAR)(cAbs + 1) == 0x7D)
{
memcpy(pCode + i + 1, (PVOID)(cAbs + 1), 3);
//i += 3;
continue;
}
break;
case 0xC2: //RET X
if (*(PUSHORT)(cAbs +1) == 0x10)
{
memcpy(pCode + i + 1, (PVOID)(cAbs + 1), sizeof(USHORT));
//i += sizeof(USHORT);
}
break;
/*case 0xE9: //JMP
oRel = *(PLONG)(cAbs + 1);
if (oRel + cAbs > TrgAddr + BufferLength)
{
cRel = GetRelAddr(oRel, cAbs, (ULONG)pCode + i);
memcpy(pCode + i + 1, &cRel, sizeof(LONG));
i += 4;
}*/
//default:
}
/*下面的处理都不必用了
if ((*(PUCHAR)cAbs == 0x39)||(*(PUCHAR)cAbs == 0x89)||(*(PUCHAR)cAbs == 0x8D))
{
memcpy(pCode + i + 1, (PVOID)(cAbs + 1), sizeof(USHORT));
i += sizeof(USHORT);
continue;
}*/
//DbgPrint("addr:%08X//n:%02X//Length!%08X\n",(ULONG)cAbs,*(PUCHAR)cAbs,Length);
/*if ((*(PUCHAR)cAbs >= 0x70)&&(*(PUCHAR)cAbs <= 0x7F)&&(*(PUCHAR)(cAbs - 1) != 0xFF))
{
oRel = (LONG)(*(PCHAR)(cAbs + 1));
cRel = GetRelAddr(oRel, cAbs, (ULONG)pCode + i);
memcpy(pCode + i + 1, &cRel, 1);
i++; continue;
}*/
}
}
//不过学习这些还是有好处的,不经意间注意到一个细节被我过了,哈哈。。
----------------------------------------------------
下面是 原来网上hook 深层call ObOpenObjectByPointe的实现代码 源自于微点