<ins id="pjuwb"></ins>

<blockquote id="pjuwb"><pre id="pjuwb"></pre></blockquote>

<noscript id="pjuwb"></noscript>

<sup id="pjuwb"><pre id="pjuwb"></pre></sup>

<dd id="pjuwb"></dd>

<abbr id="pjuwb"></abbr>

<code id="geuam"><tr id="geuam"></tr></code>

<abbr id="geuam"></abbr>

<nav id="geuam"></nav>

<center id="geuam"><acronym id="geuam"></acronym></center>

<rt id="geuam"><tr id="geuam"></tr></rt>

前世今非

前世五百次的回眸，換來今世的一次擦肩而過。

hook PsCreateSystemThread

很多RootKit在ring0下利用PsCreateSystemThread來創建系統線程做某些WS的事情，我們平時不利用ARK工具的話，是很難發現這些線程，在某些情況下，需要anti一些特定的rootkit，這里給出一個簡單的示例：

.h:

#pragma once

#include <ntddk.h>

typedef long LONG;

typedef unsigned char BOOL, *PBOOL;

typedef unsigned char BYTE, *PBYTE;

typedef unsigned long DWORD, *PDWORD;

typedef unsigned short WORD, *PWORD;

typedef void *HMODULE;

typedef long NTSTATUS, *PNTSTATUS;

typedef unsigned long DWORD;

typedef DWORD * PDWORD;

typedef unsigned long ULONG;

typedef unsigned long ULONG_PTR;

typedef ULONG *PULONG;

typedef unsigned short WORD;

typedef unsigned char BYTE;

typedef unsigned char UCHAR;

typedef unsigned short USHORT;

typedef void *PVOID;

typedef BYTE BOOLEAN;

#define SEC_IMAGE 0x01000000

NTSTATUS

PsLookupProcessByProcessId(

IN HANDLE ProcessId,

OUT PEPROCESS *Process

);

.c:

#include "HookPsThread.h"

/******************************************************************************

Hook PsCreateSystemThread

out adress

******************************************************************************/

//=============================================================================

// Version Define

//=============================================================================

#define EPROCESS_SIZE 1

#define PEB_OFFSET 2

#define FILE_NAME_OFFSET 3

#define PROCESS_LINK_OFFSET 4

#define PROCESS_ID_OFFSET 5

#define EXIT_TIME_OFFSET 6

//=============================================================================

// Logic Define

//=============================================================================

ULONG PsCreateSystemThreadAddr = 0;

char PsCreateSystemThreadData[5] = {0};

DWORD ProcessNameOffset;

//-----------------------------------------------------------------------------

// GetPlantformDependentInfo

//-----------------------------------------------------------------------------

DWORD GetPlantformDependentInfo( DWORD dwFlag )

{

DWORD current_build;

DWORD ans = 0;

PsGetVersion(NULL, NULL, &current_build, NULL);

switch ( dwFlag )

{

case EPROCESS_SIZE:

if (current_build == 2195) ans = 0 ; // 2000，當前不支持2000，下同

if (current_build == 2600) ans = 0x25C; // xp

if (current_build == 3790) ans = 0x270; // 2003

break;

case PEB_OFFSET:

if (current_build == 2195) ans = 0;

if (current_build == 2600) ans = 0x1b0;

if (current_build == 3790) ans = 0x1a0;

break;

case FILE_NAME_OFFSET:

if (current_build == 2195) ans = 0;

if (current_build == 2600) ans = 0x174;

if (current_build == 3790) ans = 0x164;

break;

case PROCESS_LINK_OFFSET:

if (current_build == 2195) ans = 0;

if (current_build == 2600) ans = 0x088;

if (current_build == 3790) ans = 0x098;

break;

case PROCESS_ID_OFFSET:

if (current_build == 2195) ans = 0;

if (current_build == 2600) ans = 0x084;

if (current_build == 3790) ans = 0x094;

break;

case EXIT_TIME_OFFSET:

if (current_build == 2195) ans = 0;

if (current_build == 2600) ans = 0x078;

if (current_build == 3790) ans = 0x088;

break;

}

return ans;

}

//-----------------------------------------------------------------------------

// GetFunctionAddr

//-----------------------------------------------------------------------------

ULONG GetFunctionAddr( IN PCWSTR FunctionName)

{

UNICODE_STRING UniCodeFunctionName;

RtlInitUnicodeString( &UniCodeFunctionName, FunctionName );

return (ULONG)MmGetSystemRoutineAddress( &UniCodeFunctionName );

}

//-----------------------------------------------------------------------------

// _PsCreateSystemThread

//-----------------------------------------------------------------------------

NTSTATUS _PsCreateSystemThread(IN PKSTART_ROUTINE StartRoutine)

{

ULONG RAddr = (ULONG)StartRoutine; //Routine Address

//Get Process Info

LPTSTR CurProc;

PEPROCESS EProcess;

PsLookupProcessByProcessId(PsGetCurrentProcessId(), &EProcess);

CurProc =(LPTSTR)EProcess;

CurProc =CurProc+ProcessNameOffset;

if (strncmp((char*)CurProc,"System",6) != 0)

{

DbgPrint("Current Process : %s, StartRoutine : %X\n", (char *)CurProc, StartRoutine);

}

return 0;

}

//-----------------------------------------------------------------------------

// MyPsCreateSystemThread

//-----------------------------------------------------------------------------

__declspec (naked)void MyPsCreateSystemThread()

{

_asm

{

pushad

push [esp+20h+18h]

call _PsCreateSystemThread

popad

mov edi,edi

push ebp

mov ebp,esp

jmp PsCreateSystemThreadAddr

}

}

//-----------------------------------------------------------------------------

// Install Hook

//-----------------------------------------------------------------------------

VOID InHook()

{

PsCreateSystemThreadAddr = GetFunctionAddr(L"PsCreateSystemThread");

__asm

{

push eax

mov eax, CR0

and eax, 0FFFEFFFFh

mov CR0, eax

pop eax

}

//Save asmCode

memcpy(PsCreateSystemThreadData, (PVOID)PsCreateSystemThreadAddr, 5);

(ULONG)PsCreateSystemThreadAddr += 5;

//Inline PsCreateSystemThread

__asm

{

mov esi, PsCreateSystemThreadAddr

sub esi, 5

mov byte ptr[esi], 0xE9

lea eax, [MyPsCreateSystemThread]

sub eax, esi

sub eax, 5

mov dword ptr [esi+1],eax

}

__asm

{

push eax

mov eax, CR0

or eax, NOT 0FFFEFFFFh

mov CR0, eax

pop eax

}

DbgPrint("Hooked OK

.\n");

return;

}

//-----------------------------------------------------------------------------

// Uninstall Hook

//-----------------------------------------------------------------------------

VOID UnHook()

{

__asm

{

push eax

mov eax, CR0

and eax, 0FFFEFFFFh

mov CR0, eax

pop eax

}

(ULONG)PsCreateSystemThreadAddr -= 5;

memcpy((PVOID)PsCreateSystemThreadAddr, PsCreateSystemThreadData, 5);

__asm

{

push eax

mov eax, CR0

or eax, NOT 0FFFEFFFFh

mov CR0, eax

pop eax

}

DbgPrint("UnHook OK

.\n");

return;

}

//-----------------------------------------------------------------------------

// Driver UnLoad

//-----------------------------------------------------------------------------

void OnUnload(PDRIVER_OBJECT pDriverObj)

{

UnHook();

DbgPrint("UnLoading Driver");

}

//-----------------------------------------------------------------------------

// Driver LoadEntry

//-----------------------------------------------------------------------------

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)

{

pDriverObj->DriverUnload = OnUnload;

DbgPrint("Loading Driver");

ProcessNameOffset = GetPlantformDependentInfo(FILE_NAME_OFFSET);

InHook();

return STATUS_SUCCESS;

}

posted on 2009-09-17 20:14 梵天閱讀(2312) 評論(0) 編輯收藏引用所屬分類: C/C++

只有注冊用戶登錄后才能發表評論。
【推薦】100%開源！大型工業跨平臺軟件C++源碼提供，建模，組態！



網站導航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

導航

2009年9月

日

一

二

三

四

五

六

30

31

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

18

19

20

21

22

23

24

25

26

27

28

29

30

1

2

3

4

5

6

7

8

9

10

統計

隨筆 - 1
文章 - 0
評論 - 0
引用 - 0

常用鏈接

留言簿

隨筆分類

C/C++(1) (rss)

隨筆檔案

2009年9月 (1)

搜索

最新評論

四虎国产精品成人免费久久| 国产精品伦理久久久久久| 区久久AAA片69亚洲| 久久天天躁狠狠躁夜夜躁2O2O| 久久久久人妻精品一区二区三区 | 国产成人精品久久综合| 久久国产成人精品国产成人亚洲| 少妇被又大又粗又爽毛片久久黑人| 亚洲精品乱码久久久久久蜜桃不卡| 浪潮AV色综合久久天堂| 99久久成人18免费网站| 欧美噜噜久久久XXX| 久久久久久国产a免费观看不卡| 日本亚洲色大成网站WWW久久 | 久久久久亚洲精品男人的天堂| 97久久婷婷五月综合色d啪蜜芽 | 性欧美丰满熟妇XXXX性久久久 | 国产99久久久国产精品小说 | 亚洲欧美日韩久久精品| 国产精品久久久久久| 欧美与黑人午夜性猛交久久久| 国产Av激情久久无码天堂| 精品久久亚洲中文无码| 亚洲国产精品综合久久网络 | 亚洲综合久久久| 国内精品久久久久久中文字幕| 国产产无码乱码精品久久鸭| 一本久久知道综合久久| 亚洲七七久久精品中文国产| 精品久久久久久久久久久久久久久 | 久久精品www| 国产精品一久久香蕉产线看 | yy6080久久| 99久久这里只精品国产免费| 开心久久婷婷综合中文字幕| 狠狠精品干练久久久无码中文字幕 | 狠狠色丁香久久婷婷综合五月| 亚洲精品无码成人片久久| 亚洲欧美成人久久综合中文网| 久久精品国产精品亜洲毛片| 国产精品熟女福利久久AV|

<nav id="csaom"><dl id="csaom"></dl></nav>

<dl id="csaom"><acronym id="csaom"></acronym></dl><rt id="csaom"></rt><tfoot id="csaom"><delect id="csaom"></delect></tfoot>

<li id="csaom"><dl id="csaom"></dl></li>

<li id="csaom"></li>