过驱动保护之TesSafe读写内存OD能附加下硬件断点 1Word文件下载.docx

过驱动保护之TesSafe读写内存OD能附加下硬件断点 1Word文件下载.docx

《过驱动保护之TesSafe读写内存OD能附加下硬件断点 1Word文件下载.docx》由会员分享，可在线阅读，更多相关《过驱动保护之TesSafe读写内存OD能附加下硬件断点 1Word文件下载.docx（28页珍藏版）》请在冰豆网上搜索。

ExternPSERVICE_DESCRIPTOR_TABLEKeServiceDescriptorTable;

//KeServiceDescriptorTable为导出函数

/////////////////////////////////////

VOIDHook（）;

VOIDUnhook（）;

VOIDOnUnload（INPDRIVER_OBJECTDriverObject）;

//////////////////////////////////////

ULONGJmpAddress;

//跳转到NtOpenProcess里的地址

ULONGJmpAddress1;

ULONGOldServiceAddress;

//原来NtOpenProcess的服务地址

ULONGOldServiceAddress1;

__declspec（naked）NTSTATUS__stdcallMyNtReadVirtualMemory（HANDLEProcessHandle,

PVOIDBaseAddress,

PVOIDBuffer,

ULONGNumberOfBytesToRead,

PULONGNumberOfBytesReaded）

//跳过去

__asm

push0x1c

push804eb560h//共十个字节

jmp[JmpAddress]

}

__declspec（naked）NTSTATUS__stdcallMyNtWriteVirtualMemory（HANDLEProcessHandle,

ULONGNumberOfBytesToWrite,

jmp[JmpAddress1]

///////////////////////////////////////////////////

NTSTATUSDriverEntry（INPDRIVER_OBJECTDriverObject,PUNICODE_STRINGRegistryPath）

DriverObject->

DriverUnload=OnUnload;

DbgPrint（"

Unhookerload"

）;

Hook（）;

returnSTATUS_SUCCESS;

/////////////////////////////////////////////////////

VOIDOnUnload（INPDRIVER_OBJECTDriverObject）

Unhookerunload!

"

Unhook（）;

VOIDHook（）

ULONGAddress,Address1;

Address=（ULONG）KeServiceDescriptorTable->

ServiceTableBase+0xBA*4;

//0x7A为NtOpenProcess服务ID

Address1=（ULONG）KeServiceDescriptorTable->

ServiceTableBase+0x115*4;

Address:

0x%08X"

Address）;

OldServiceAddress=*（ULONG*）Address;

//保存原来NtOpenProcess的地址

OldServiceAddress1=*（ULONG*）Address1;

OldServiceAddress:

OldServiceAddress）;

OldServiceAddress1:

OldServiceAddress1）;

MyNtOpenProcess:

MyNtReadVirtualMemory）;

MyNtWriteVirtualMemory）;

JmpAddress=（ULONG）0x805b528a+7;

//跳转到NtOpenProcess函数头＋10的地方，这样在其前面写的JMP都失效了

JmpAddress1=（ULONG）0x805b5394+7;

JmpAddress:

JmpAddress）;

JmpAddress1:

JmpAddress1）;

{//去掉内存保护

cli

moveax,cr0

andeax,not10000h

movcr0,eax

*（（ULONG*）Address）=（ULONG）MyNtReadVirtualMemory;

//HOOKSSDT

*（（ULONG*）Address1）=（ULONG）MyNtWriteVirtualMemory;

{//恢复内存保护

oreax,10000h

sti

//////////////////////////////////////////////////////

VOIDUnhook（）

//查找SSDT

__asm{

*（（ULONG*）Address）=（ULONG）OldServiceAddress;

//还原SSDT

*（（ULONG*）Address1）=（ULONG）OldServiceAddress1;

Unhook"

由于它不断对DebugPort清零，所以要修改调试相关函数，使得所有的访问DebugPort的地方全部访问EPROCESS中的

ExitTime字节，这样它怎么清零都无效了，也检测不到

.386

.modelflat,stdcall

optioncasemap:

none

includednf_hook.inc

.c*****t

Dspdo_1equ80643db6h

Dmpp_1equ80642d5eh

Dmpp_2equ80642d64h

Dct_1equ806445d3h

Dqm_1equ80643089h

Kde_1equ804ff5fdh

Dfe_1equ80644340h

Pcp_1equ805d1a0dh

Mcp_1equ805b0c06h

Mcp_2equ805b0d7fh

Dmvos_1equ8064497fh

Dumvos_1equ80644a45h

Pet_1equ805d32f8h

Det_1equ8064486ch

Dep_1equ806448e6h

.code

;

还原自己的Hook

DriverUnloadprocpDriverObject:

PDRIVER_OBJECT

ret

DriverUnloadendp

ModifyFuncAboutDbgprocaddrOdFunc,cmd_1,cmd_2

pushad

movebx,addrOdFunc

moveax,cmd_1

movDWORDptr[ebx],eax

moveax,cmd_2

movDWORDptr[ebx+4],eax

popad

ModifyFuncAboutDbgendp

DriverEntryprocpDriverObject:

PDRIVER_OBJECT,pusRegistryPath:

PUNICODE_STRING

cli

moveax,cr0

andeax,not10000h

movcr0,eax

invokeModifyFuncAboutDbg,Dspdo_1,90784789h,0fde89090h

invokeModifyFuncAboutDbg,Dmpp_1,90787e39h,950f9090h

invokeModifyFuncAboutDbg,Dct_1,90785e39h,840f9090h

invokeModifyFuncAboutDbg,Dqm_1,9078408bh,45899090h

invokeModifyFuncAboutDbg,Kde_1,90787839h,13749090h

invokeModifyFuncAboutDbg,Dfe_1,9078418bh,0d2329090h

invokeModifyFuncAboutDbg,Pcp_1,90784389h,45f69090h

invokeModifyFuncAboutDbg,Mcp_1,90785e39h,950f9090h

invokeModifyFuncAboutDbg,Mcp_2,90784a89h,5e399090h

invokeModifyFuncAboutDbg,Dmvos_1,9078498bh,0cb3b9090h

invokeModifyFuncAboutDbg,Dumvos_1,00787983h,74909090h

invokeModifyFuncAboutDbg,Pet_1,00787f83h,74909090h

invokeModifyFuncAboutDbg,Det_1,9078498bh,0c9859090h

invokeModifyFuncAboutDbg,Dep_1,9078498bh,0c9859090h

invokeModifyFuncAboutDbg,Dmpp_2,8bc0950fh,8b90c032h

moveax,pDriverObject

assumeeax:

ptrDRIVER_OBJECT

mov[eax].DriverUnload,offsetDriverUnload

nothing

moveax,cr0

oreax,10000h

moveax,STATUS_SUCCESS

ret

DriverEntryendp

endDriverEntry

绕过NtOpenProcess，NtOpenThread，KiAttachProcess

以及最重要的，不能让它检测到有硬件断点，所以要对CONTEXT做一些伪装，把真实的DR0～DR7的数据存放到别的地方，

OD访问的时候返回正确的数据，如果是DNF要获取上下文，就稍微做下手脚

NtOpenProcessHookAddrequ805cc626h

NtOpenProcessRetAddrequ805cc631h

NtOpenProcessNoChangeequ805cc62ch

NtOpenThreadHookAddrequ805cc8a8h

NtOpenThreadRetAddrequ805cc8b3h

NtOpenThreadNoChangeequ805cc8aeh

KiAttachProcessAddrequ804f9a08h

KiAttachProcessRetAddrequ804f9a0fh

ObOpenObjectByPointerAddrequ805bcc78h

NtGetContextThreadAddrequ805d2551h;

805c76a3h

NtGetContextThreadRetAddrequ805c76a7h;

805d2555h

.data

nameOffsetdd?

threadCxtLinkdd0

tmpLinkdd?

GetProcessNameproc

invokePsGetCurrentProcess

movebx,eax

addebx,nameOffset

invokeDbgPrint,$CTA0（"

\n"

）

pushebx

invokeDbgPrint,ebx

popebx

invokestrncmp,$CTA0（"

DNF.exe"

）,ebx,6

pusheax

popeax

GetProcessNameendp

HookCodeproc

执行被覆盖的代码

pushdwordptr[ebp-38h]

pushdwordptr[ebp-24h]

判断是否dnf的进程

invokeGetProcessName

.if!

eax;

如果是DNF自己的进程，那么跳转回去执行它的Hook代码

pushad

invokeDbgPrint,$CTA0（"

\nNotUnHook\n"

popad

moveax,NtOpenProcessNoChange;

805c13e6h

jmpeax

.else;

如果不是DNF自己的进程，那么直接调用ObOpenObjectByPointer，再返回到后面

\nUnHook\n"

moveax,ObOpenObjectByPointerAddr;

805b13f0h

calleax

movebx,NtOpenProcessRetAddr;

805c13ebh

jmpebx

.endif

HookCodeendp

获取系统名称偏移

GetNameOffsetprocepe

localtmpOffset

movebx,epe

invokestrlen,$CTA0（"

System"

xorecx,ecx

@@:

pushecx

）,ebx,eax

popecx

eax

popeax

movtmpOffset,ecx

moveax,tmpOffset

.elseif

incebx

incecx

cmpecx,4096

je@F

jmp@B

moveax,-1

GetNameOffsetendp

Hookproc

头5字节跳转

moveax,offsetHookCode

subeax,NtOpenProcessHookAddr;

805c13e0h;

805c13edh

subeax,5

movebx,NtOpenProcessHookAddr;

movcl,0E9h

movBYTEPTR[ebx],cl

movDWORDPTR[ebx+1],eax

Hookendp

HookThreadCodeproc

pushdwordptr[ebp-34h]

pushdwordptr[ebp-20h]

moveax,NtOpenThreadNoChange;

movebx,NtOpenThreadRetAddr;

HookThreadCodeendp

HookThreadproc

moveax,offsetHookThreadCode

subeax,NtOpenThreadHookAddr;

movebx,NtOpenThreadHookAddr;

HookThreadendp

HookDbgproc

movedi,edi

pushebp

movebp,esp

pushesi

movesi,KiAttachProcessRetAddr

jmpesi

HookDbgendp

Dbgproc

moveax,offsetHookDbg

subeax,KiAttachProcessAddr;

movebx,KiAttachProcessAddr;

Dbgendp

还原进程处理

moveax,0ffc875ffh

movebx,805cc656h

moveax,43e8dc75h

还原线程处理

moveax,0ffcc75ffh

movebx,805cc8d8h

moveax