Object hook的思路和实现过程  发布时间:星期二, 2008年9月16日
本来不准备写出来污染眼球的,因为最终没有完全实现.但觉得思路可行,之前也没人具体分析过,于是匆匆地写点儿文章,给大家提供些资料参考,也许有兴趣的同学能够进一步深入...
写得很菜,老鸟飘过. =.=| 今天上午在坛子看到一帖,关于"抹掉所有进程中自己的Handle",用来防止炉子的LzOpenProcess、防dump等.主要思路就是NtClose;其实那个古老的RK--FUTO_enhanced的code中已经实现得更加完善. 抽点儿时间想了想,于是就有了下面的一些分析:
lkd> u NtClose
nt!NtClose:
8056f9e9 8bff            mov edi,edi
8056f9eb 55              push ebp
8056f9ec 8bec            mov ebp,esp
8056f9ee 64a124010000    mov eax,dword ptr fs:[00000124h]      ;eax = KeGetCurrentThread()
8056f9f4 0fbe8040010000  movsx eax,byte ptr [eax+140h]         ;eax = Thread->PreviousMode
8056f9fb 6a00            push 0                                 ;比WRK中多一个参数
8056f9fd 50              push eax
8056f9fe ff7508          push dword ptr [ebp+8]
8056fa01 e85bffffff      call nt!ObpCloseHandle (8056f961)     ;ObpCloseHandle(Handle, KeGetCurrentThread()->PreviousMode, 0);
8056fa06 5d              pop ebp
8056fa07 c20400          ret 4
8056fa0a 90              nop
8056fa0b 90              nop
8056fa0c 90              nop
8056fa0d 90              nop
8056fa0e 90              nop
-------------------------------------------------------------------
lkd> u ObpCloseHandle l 20
nt!ObpCloseHandle:
8056f96c c645ff00        mov byte ptr [ebp-1],0
8056f970 64a124010000    mov eax,dword ptr fs:[00000124h]
8056f976 8b4d08          mov ecx,dword ptr [ebp+8]             ;ecx = Handle
8056f979 8bf0            mov esi,eax
8056f97b 8b5e44          mov ebx,dword ptr [esi+44h]           ;ebx = PsGetCurrentProcess();
8056f97e b800000080      mov eax,80000000h
8056f983 23c8            and ecx,eax
8056f985 3bc8            cmp ecx,eax
;/* Check if we're dealing with a kernel handle */
;#define KERNEL_HANDLE_FLAG (1 << ((sizeof(HANDLE) * 8) - 1))
; return (BOOLEAN)((ULONG_PTR)Handle & KERNEL_HANDLE_FLAG);
8056f987 0f84ccf00000    je nt!ObpCloseHandle+0x28 (8057ea59)  ; -->Is a kernel handle
8056f98d 8bbbc4000000    mov edi,dword ptr [ebx+0C4h]          ;edi = HandleTable = Process->ObjectTable; 其他的判断会跳到这里
8056f993 ff7508          push dword ptr [ebp+8]                ;
8056f996 ff8ed4000000    dec dword ptr [esi+0D4h]              ;/* Disable Kernel APCs */ Thread->KernelApcDisable--;
8056f99c 57              push edi
8056f99d e88bf6ffff      call nt!ExMapHandleToPointer (8056f02d) ;eax = HandleTableEntry = ExMapHandleToPointer(HandleTable, Handle);
8056f9a2 85c0            test eax,eax
8056f9a4 0f844e210200    je nt!ObpCloseHandle+0xbc (80591af8)  ;-->failed,很多处理...
8056f9aa ff7510          push dword ptr [ebp+10h]              ;比WRK中多一个参数
8056f9ad 6a00            push 0
8056f9af ff750c          push dword ptr [ebp+0Ch]
8056f9b2 ff7508          push dword ptr [ebp+8]
8056f9b5 50              push eax
8056f9b6 57              push edi
8056f9b7 e853000000      call nt!ObpCloseHandleTableEntry (8056fa0f)
; /* Now close the entry */
;ObpCloseHandleTableEntry( HandleTable,HandleTableEntry,Handle,
;                          AccessMode,FALSE,0 );
8056f9bc ff86d4000000    inc dword ptr [esi+0D4h]              ;/* Enable Kernel APCs */ Thread->KernelApcDisable++;
-------------------------------------------------------------------
lkd> u 8057ea59 l 20                                           ;-->Is a kernel handle
nt!ObpCloseHandle+0x28:
8057ea59 807d0c00        cmp byte ptr [ebp+0Ch],0              ;AccessMode(PreviousMode) 是否为 KernelMode
8057ea5d 0f852a0fffff    jne nt!ObpCloseHandle+0x5c (8056f98d) ;非内核态调用者传来的"内核句柄"不查内核句柄表,按普通句柄处理
8057ea63 837d08fe        cmp dword ptr [ebp+8],0FFFFFFFEh      ;-2 / -1 是 NtCurrentThread() / NtCurrentProcess() 伪句柄,同样走普通路径
8057ea67 0f84200fffff    je nt!ObpCloseHandle+0x5c (8056f98d)
8057ea6d 837d08ff        cmp dword ptr [ebp+8],0FFFFFFFFh
8057ea71 0f84160fffff    je nt!ObpCloseHandle+0x5c (8056f98d)
8057ea77 314508          xor dword ptr [ebp+8],eax
;#define ObKernelHandleToHandle(Handle) \
;   (HANDLE)((ULONG_PTR)(Handle) & ~KERNEL_HANDLE_FLAG)
;Handle = ObKernelHandleToHandle(Handle);
8057ea7a a154965680      mov eax,dword ptr [nt!PsInitialSystemProcess (80569654)]
8057ea7f 3bd8            cmp ebx,eax                           ;/* Check if we're not in the system process */
8057ea81 8b3d388c5680    mov edi,dword ptr [nt!ObpKernelHandleTable (80568c38)]
8057ea87 0f84060fffff    je nt!ObpCloseHandle+0x62 (8056f993)
8057ea8d 8d4de4          lea ecx,[ebp-1Ch]
8057ea90 51              push ecx
8057ea91 50              push eax
8057ea92 e8fe8af7ff      call nt!KeStackAttachProcess (804f7595)
8057ea97 c645ff01        mov byte ptr [ebp-1],1
8057ea9b e9f30effff      jmp nt!ObpCloseHandle+0x62 (8056f993) ;attach到system进程后跳回去
--------------------------------------------------------------
;继续进到ObpCloseHandleTableEntry函数中:
nt!ObpCloseHandleTableEntry:
8056fa17 8b7d0c          mov edi,dword ptr [ebp+0Ch]
8056fa1a 8b37            mov esi,dword ptr [edi]
8056fa1c 83e6f8          and esi,0FFFFFFF8h                    ;esi = ObjectHeader = ObpGetHandleObject(HandleEntry);
;#define ObpGetHandleObject(x) \
;   ((POBJECT_HEADER)((ULONG_PTR)x->Object & ~OBJ_HANDLE_ATTRIBUTES))
8056fa1f 8b4e08          mov ecx,dword ptr [esi+8]             ;nt!_OBJECT_HEADER +0x008 Type : Ptr32 _OBJECT_TYPE ; ecx = ObjectType = ObjectHeader->Type;
8056fa22 83b9a800000000  cmp dword ptr [ecx+0A8h],0