欧美网站在线,国内精品久久久久久久影视麻豆,国产精品视频网站

[轉] hook PsCreateSystemThread

Posted on 2009-09-17 21:59 S.l.e!ep.￠% 閱讀(787) 評論(0) 編輯收藏引用所屬分類: Windows WDM

hook PsCreateSystemThread

很多RootKit在ring0下利用PsCreateSystemThread來創建系統線程做某些WS的事情，我們平時不利用ARK工具的話，是很難發現這些線程，在某些情況下，需要anti一些特定的rootkit，這里給出一個簡單的示例：

.h:

#pragma?once

#include?<ntddk.h>?

typedef?long?LONG;

typedef?unsigned?char??BOOL,?*PBOOL;

typedef?unsigned?char??BYTE,?*PBYTE;

typedef?unsigned?long??DWORD,?*PDWORD;

typedef?unsigned?short?WORD,?*PWORD;

typedef?void??*HMODULE;

typedef?long?NTSTATUS,?*PNTSTATUS;

typedef?unsigned?long?DWORD;

typedef?DWORD?*?PDWORD;

typedef?unsigned?long?ULONG;

typedef?unsigned?long?ULONG_PTR;

typedef?ULONG?*PULONG;

typedef?unsigned?short?WORD;

typedef?unsigned?char?BYTE;?

typedef?unsigned?char?UCHAR;

typedef?unsigned?short?USHORT;

typedef?void?*PVOID;

typedef?BYTE?BOOLEAN;

#define?SEC_IMAGE????0x01000000

NTSTATUS

??PsLookupProcessByProcessId(

????IN?HANDLE?ProcessId,

????OUT?PEPROCESS?*Process

????);

.c:

#include?"HookPsThread.h"

/******************************************************************************

????Hook?PsCreateSystemThread

????out?adress

******************************************************************************/

//=============================================================================

//????????Version?Define

//=============================================================================

#define?EPROCESS_SIZE????????????1

#define?PEB_OFFSET????????????????2???

#define?FILE_NAME_OFFSET????????3???

#define?PROCESS_LINK_OFFSET?????4???

#define?PROCESS_ID_OFFSET???????5?

#define?EXIT_TIME_OFFSET????????6?

//=============================================================================

//????????Logic?Define

//=============================================================================

ULONG?PsCreateSystemThreadAddr?=?0;

char?PsCreateSystemThreadData[5]?=?{0};

DWORD??ProcessNameOffset;

//-----------------------------------------------------------------------------

//????????GetPlantformDependentInfo

//-----------------------------------------------------------------------------

DWORD?GetPlantformDependentInfo(?DWORD?dwFlag?)????

{?????

????DWORD?current_build;?????

????DWORD?ans?=?0;?????

???

????PsGetVersion(NULL,?NULL,?&current_build,?NULL);?????

???

????switch?(?dwFlag?)????

????{?????

????case?EPROCESS_SIZE:?????

????????if?(current_build?==?2195)?ans?=?0?;????????//?2000，當前不支持2000，下同????

????????if?(current_build?==?2600)?ans?=?0x25C;?????//?xp????

????????if?(current_build?==?3790)?ans?=?0x270;?????//?2003????

????????break;?????

????case?PEB_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x1b0;?????

????????if?(current_build?==?3790)??ans?=?0x1a0;????

????????break;?????

????case?FILE_NAME_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x174;?????

????????if?(current_build?==?3790)??ans?=?0x164;????

????????break;?????

????case?PROCESS_LINK_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x088;?????

????????if?(current_build?==?3790)??ans?=?0x098;????

????????break;?????

????case?PROCESS_ID_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x084;?????

????????if?(current_build?==?3790)??ans?=?0x094;????

????????break;?????

????case?EXIT_TIME_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x078;?????

????????if?(current_build?==?3790)??ans?=?0x088;????

????????break;?????

????}?????

????return?ans;?????

}

//-----------------------------------------------------------------------------

//????????GetFunctionAddr

//-----------------------------------------------------------------------------

ULONG?GetFunctionAddr(?IN?PCWSTR?FunctionName)

{

????UNICODE_STRING?UniCodeFunctionName;

????RtlInitUnicodeString(?&UniCodeFunctionName,?FunctionName?);

????return?(ULONG)MmGetSystemRoutineAddress(?&UniCodeFunctionName?);???

}

//-----------------------------------------------------------------------------

//????????_PsCreateSystemThread

//-----------------------------------------------------------------------------

NTSTATUS?_PsCreateSystemThread(IN?PKSTART_ROUTINE??StartRoutine)

{

????ULONG?RAddr?=?(ULONG)StartRoutine;??//Routine?Address

????//Get?Process?Info

????LPTSTR???CurProc;

????PEPROCESS?EProcess;

????PsLookupProcessByProcessId(PsGetCurrentProcessId(),?&EProcess);

????CurProc?=(LPTSTR)EProcess;

????CurProc?=CurProc+ProcessNameOffset;

????if?(strncmp((char*)CurProc,"System",6)?!=?0)

????{

????????DbgPrint("Current?Process?:?%s,?StartRoutine?:?%X\n",?(char?*)CurProc,?StartRoutine);

????}

????return?0;

}

//-----------------------------------------------------------------------------

//????????MyPsCreateSystemThread

//-----------------------------------------------------------------------------

__declspec?(naked)void?MyPsCreateSystemThread()

{

????_asm

????{

????????pushad

????????push?[esp+20h+18h]

????????call?_PsCreateSystemThread

????????popad

????????

????????mov?edi,edi

????????push?ebp

????????mov?ebp,esp

????????jmp?PsCreateSystemThreadAddr

????}

}

//-----------------------------------------------------------------------------

//????????Install?Hook

//-----------------------------------------------------------------------------

VOID?InHook()

{

????PsCreateSystemThreadAddr?=?GetFunctionAddr(L"PsCreateSystemThread");

????__asm

????{

????????push????eax

????????mov????????eax,?CR0

????????and????????eax,?0FFFEFFFFh

????????mov????????CR0,?eax

????????pop????????eax

????}

????//Save?asmCode

????memcpy(PsCreateSystemThreadData,?(PVOID)PsCreateSystemThreadAddr,?5);

????(ULONG)PsCreateSystemThreadAddr?+=?5;

????//Inline?PsCreateSystemThread

????__asm

????{

????????mov?esi,?PsCreateSystemThreadAddr

????????sub?esi,?5

????????mov?byte?ptr[esi],?0xE9

????????lea?eax,?[MyPsCreateSystemThread]

????????sub?eax,?esi

????????sub?eax,?5

????????mov?dword?ptr?[esi+1],eax

????}

????__asm

????{

????????push????eax

????????mov????????eax,?CR0

????????or????????eax,?NOT?0FFFEFFFFh

????????mov????????CR0,?eax

????????pop????????eax

????}

????DbgPrint("Hooked?OK

.\n");

????return;

}

//-----------------------------------------------------------------------------

//????????Uninstall?Hook

//-----------------------------------------------------------------------------

VOID?UnHook()

{

????__asm

????{

????????push????eax

????????mov????????eax,?CR0

????????and????????eax,?0FFFEFFFFh

????????mov????????CR0,?eax

????????pop????????eax

????}

????(ULONG)PsCreateSystemThreadAddr?-=?5;

????memcpy((PVOID)PsCreateSystemThreadAddr,?PsCreateSystemThreadData,?5);

????__asm

????{

????????push????eax

????????mov????????eax,?CR0

????????or????????eax,?NOT?0FFFEFFFFh

????????mov????????CR0,?eax

????????pop????????eax

????}

????DbgPrint("UnHook?OK

.\n");

????return;

}

//-----------------------------------------------------------------------------

//????????Driver?UnLoad

//-----------------------------------------------------------------------------

void?OnUnload(PDRIVER_OBJECT?pDriverObj)

{

????UnHook();

????DbgPrint("UnLoading?Driver");

}

//-----------------------------------------------------------------------------

//????????Driver?LoadEntry

//-----------------------------------------------------------------------------

NTSTATUS?DriverEntry(PDRIVER_OBJECT?pDriverObj,?PUNICODE_STRING?pRegistryString)

{

????pDriverObj->DriverUnload?=?OnUnload;

????DbgPrint("Loading?Driver");

????ProcessNameOffset?=?GetPlantformDependentInfo(FILE_NAME_OFFSET);

????InHook();

????return?STATUS_SUCCESS;

}

#pragma?once

#include?<ntddk.h>?

typedef?long?LONG;

typedef?unsigned?char??BOOL,?*PBOOL;

typedef?unsigned?char??BYTE,?*PBYTE;

typedef?unsigned?long??DWORD,?*PDWORD;

typedef?unsigned?short?WORD,?*PWORD;

typedef?void??*HMODULE;

typedef?long?NTSTATUS,?*PNTSTATUS;

typedef?unsigned?long?DWORD;

typedef?DWORD?*?PDWORD;

typedef?unsigned?long?ULONG;

typedef?unsigned?long?ULONG_PTR;

typedef?ULONG?*PULONG;

typedef?unsigned?short?WORD;

typedef?unsigned?char?BYTE;?

typedef?unsigned?char?UCHAR;

typedef?unsigned?short?USHORT;

typedef?void?*PVOID;

typedef?BYTE?BOOLEAN;

#define?SEC_IMAGE????0x01000000

NTSTATUS

??PsLookupProcessByProcessId(

????IN?HANDLE?ProcessId,

????OUT?PEPROCESS?*Process

????);

.c:

#include?"HookPsThread.h"

/******************************************************************************

????Hook?PsCreateSystemThread

????out?adress

******************************************************************************/

//=============================================================================

//????????Version?Define

//=============================================================================

#define?EPROCESS_SIZE????????????1

#define?PEB_OFFSET????????????????2???

#define?FILE_NAME_OFFSET????????3???

#define?PROCESS_LINK_OFFSET?????4???

#define?PROCESS_ID_OFFSET???????5?

#define?EXIT_TIME_OFFSET????????6?

//=============================================================================

//????????Logic?Define

//=============================================================================

ULONG?PsCreateSystemThreadAddr?=?0;

char?PsCreateSystemThreadData[5]?=?{0};

DWORD??ProcessNameOffset;

//-----------------------------------------------------------------------------

//????????GetPlantformDependentInfo

//-----------------------------------------------------------------------------

DWORD?GetPlantformDependentInfo(?DWORD?dwFlag?)????

{?????

????DWORD?current_build;?????

????DWORD?ans?=?0;?????

???

????PsGetVersion(NULL,?NULL,?&current_build,?NULL);?????

???

????switch?(?dwFlag?)????

????{?????

????case?EPROCESS_SIZE:?????

????????if?(current_build?==?2195)?ans?=?0?;????????//?2000，當前不支持2000，下同????

????????if?(current_build?==?2600)?ans?=?0x25C;?????//?xp????

????????if?(current_build?==?3790)?ans?=?0x270;?????//?2003????

????????break;?????

????case?PEB_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x1b0;?????

????????if?(current_build?==?3790)??ans?=?0x1a0;????

????????break;?????

????case?FILE_NAME_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x174;?????

????????if?(current_build?==?3790)??ans?=?0x164;????

????????break;?????

????case?PROCESS_LINK_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x088;?????

????????if?(current_build?==?3790)??ans?=?0x098;????

????????break;?????

????case?PROCESS_ID_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x084;?????

????????if?(current_build?==?3790)??ans?=?0x094;????

????????break;?????

????case?EXIT_TIME_OFFSET:?????

????????if?(current_build?==?2195)??ans?=?0;?????

????????if?(current_build?==?2600)??ans?=?0x078;?????

????????if?(current_build?==?3790)??ans?=?0x088;????

????????break;?????

????}?????

????return?ans;?????

}

//-----------------------------------------------------------------------------

//????????GetFunctionAddr

//-----------------------------------------------------------------------------

ULONG?GetFunctionAddr(?IN?PCWSTR?FunctionName)

{

????UNICODE_STRING?UniCodeFunctionName;

????RtlInitUnicodeString(?&UniCodeFunctionName,?FunctionName?);

????return?(ULONG)MmGetSystemRoutineAddress(?&UniCodeFunctionName?);???

}

//-----------------------------------------------------------------------------

//????????_PsCreateSystemThread

//-----------------------------------------------------------------------------

NTSTATUS?_PsCreateSystemThread(IN?PKSTART_ROUTINE??StartRoutine)

{

????ULONG?RAddr?=?(ULONG)StartRoutine;??//Routine?Address

????//Get?Process?Info

????LPTSTR???CurProc;

????PEPROCESS?EProcess;

????PsLookupProcessByProcessId(PsGetCurrentProcessId(),?&EProcess);

????CurProc?=(LPTSTR)EProcess;

????CurProc?=CurProc+ProcessNameOffset;

????if?(strncmp((char*)CurProc,"System",6)?!=?0)

????{

????????DbgPrint("Current?Process?:?%s,?StartRoutine?:?%X\n",?(char?*)CurProc,?StartRoutine);

????}

????return?0;

}

//-----------------------------------------------------------------------------

//????????MyPsCreateSystemThread

//-----------------------------------------------------------------------------

__declspec?(naked)void?MyPsCreateSystemThread()

{

????_asm

????{

????????pushad

????????push?[esp+20h+18h]

????????call?_PsCreateSystemThread

????????popad

????????

????????mov?edi,edi

????????push?ebp

????????mov?ebp,esp

????????jmp?PsCreateSystemThreadAddr

????}

}

//-----------------------------------------------------------------------------

//????????Install?Hook

//-----------------------------------------------------------------------------

VOID?InHook()

{

????PsCreateSystemThreadAddr?=?GetFunctionAddr(L"PsCreateSystemThread");

????__asm

????{

????????push????eax

????????mov????????eax,?CR0

????????and????????eax,?0FFFEFFFFh

????????mov????????CR0,?eax

????????pop????????eax

????}

????//Save?asmCode

????memcpy(PsCreateSystemThreadData,?(PVOID)PsCreateSystemThreadAddr,?5);

????(ULONG)PsCreateSystemThreadAddr?+=?5;

????//Inline?PsCreateSystemThread

????__asm

????{

????????mov?esi,?PsCreateSystemThreadAddr

????????sub?esi,?5

????????mov?byte?ptr[esi],?0xE9

????????lea?eax,?[MyPsCreateSystemThread]

????????sub?eax,?esi

????????sub?eax,?5

????????mov?dword?ptr?[esi+1],eax

????}

????__asm

????{

????????push????eax

????????mov????????eax,?CR0

????????or????????eax,?NOT?0FFFEFFFFh

????????mov????????CR0,?eax

????????pop????????eax

????}

????DbgPrint("Hooked?OK

.\n");

????return;

}

//-----------------------------------------------------------------------------

//????????Uninstall?Hook

//-----------------------------------------------------------------------------

VOID?UnHook()

{

????__asm

????{

????????push????eax

????????mov????????eax,?CR0

????????and????????eax,?0FFFEFFFFh

????????mov????????CR0,?eax

????????pop????????eax

????}

????(ULONG)PsCreateSystemThreadAddr?-=?5;

????memcpy((PVOID)PsCreateSystemThreadAddr,?PsCreateSystemThreadData,?5);

????__asm

????{

????????push????eax

????????mov????????eax,?CR0

????????or????????eax,?NOT?0FFFEFFFFh

????????mov????????CR0,?eax

????????pop????????eax

????}

????DbgPrint("UnHook?OK

.\n");

????return;

}

//-----------------------------------------------------------------------------

//????????Driver?UnLoad

//-----------------------------------------------------------------------------

void?OnUnload(PDRIVER_OBJECT?pDriverObj)

{

????UnHook();

????DbgPrint("UnLoading?Driver");

}

//-----------------------------------------------------------------------------

//????????Driver?LoadEntry

//-----------------------------------------------------------------------------

NTSTATUS?DriverEntry(PDRIVER_OBJECT?pDriverObj,?PUNICODE_STRING?pRegistryString)

{

????pDriverObj->DriverUnload?=?OnUnload;

????DbgPrint("Loading?Driver");

????ProcessNameOffset?=?GetPlantformDependentInfo(FILE_NAME_OFFSET);

????InHook();

????return?STATUS_SUCCESS;

}

只有注冊用戶登錄后才能發表評論。
【推薦】100%開源！大型工業跨平臺軟件C++源碼提供，建模，組態！

相關文章: inside windows 【轉載】WRK簡單介紹 Understanding IRQL 中斷請求級別(IRQL) 什么是中斷請求(IRQ)? 中斷請求分頁內存和非分頁內存驅動中的幾種內存分配和釋放的用法 ExInitializeResourceLite() Windows 文件過濾驅動經驗總結

網站導航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

S.l.e!ep.￠%

[轉] hook PsCreateSystemThread

hook PsCreateSystemThread

日歷

公告

常用鏈接

留言簿(5)

隨筆分類(1107)

隨筆檔案(1098)

文章檔案(1)

相冊

收藏夾(3)

DataStruct

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜