最新处理HS保护的NtOpenProcess Hook
/*
 * PassHSProcessProtect
 *
 * Resolves NtOpenProcess, maps its page through an MDL, reads a
 * displacement out of the mapped copy, computes the address of the
 * HS ("HackShield") detour from it, and maps the detour's page.
 * A later block overwrites the detour's first jmp with NOP bytes, but
 * the function returns STATUS_SUCCESS before that block is reached,
 * so as written only the mapping steps execute.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when the resolved
 * address differs from the linked NtOpenProcess symbol or a mapping
 * call fails.
 *
 * 32-bit x86 / MSVC only: pointers are truncated to ULONG and the
 * patching is done in inline __asm. Note the MDL and mapped-address
 * locals are passed to MapMemoryToSystemVA by value, so they are still
 * uninitialized when used below (see the per-line notes). Writing into
 * another driver's code page is exactly what kernel code-integrity and
 * anti-tamper CRC checks are built to detect.
 */
NTSTATUS PassHSProcessProtect(){
NTSTATUS status;
UNICODE_STRING funtionName;
ULONG addr;            // address of NtOpenProcess, truncated to 32 bits
LONG HSHook;           // rel32 displacement read from the mapped page, later reused as an address
PMDL pMdl;             // never assigned in this function (the callee assigns only its own copy)
PVOID pMyNtOP;         // never assigned in this function; passed uninitialized as an out-pointer
RtlInitUnicodeString(&funtionName,L"NtOpenProcess");
addr = (ULONG)MmGetSystemRoutineAddress(&funtionName);
KdPrint(("NtOpenProcess的地址是%X",addr));
// Crude check for whether the export is hooked; the author notes it feels of little use.
// Bails out when the exported address is not the linked NtOpenProcess symbol.
if (!(addr == (ULONG)NtOpenProcess))
{
return STATUS_UNSUCCESSFUL;
}
// pMdl is passed by value (not &pMdl) and pMyNtOP is an uninitialized PVOID
// used where a PVOID* is expected; the callee writes through it.
status = MapMemoryToSystemVA(pMdl, (PVOID)addr, 4096, pMyNtOP);
if (STATUS_UNSUCCESSFUL == status)
{
KdPrint(("MapMemoryToSystemVA 调用失败。111"));
return STATUS_UNSUCCESSFUL;
}
KdPrint(("pMyNtOP为:%X" ,(ULONG)pMyNtOP));
// Read the HS hook's displacement from the mapped copy.
// NOTE(review): the memory operand of `mov eax, dword ptr` is missing here
// (no `[…]` shown) — presumably lost in extraction; the intended source
// is some offset into the mapped page — confirm against the original.
{
__asm
{
mov ebx, pMyNtOP
mov eax, dword ptr
mov HSHook, eax
}
}
// pMdl is still uninitialized at this point (see the call above).
MmUnmapLockedPages(pMyNtOP,pMdl);
// Compute the address of HS's detour function: in the listing below the
// hooking `call` sits at NtOpenProcess+0xA and is 5 bytes long, so the
// target is (next instruction address) + rel32.
HSHook = (ULONG)NtOpenProcess + 0xA + 5 + HSHook;
KdPrint(("pHSHook:%X" ,HSHook));
// The out-pointer is (PVOID*)HSHook — the detour address itself — not &HSHook,
// so the local HSHook is not updated by this call.
status = MapMemoryToSystemVA(pMdl, (PVOID)HSHook, 4096, (PVOID*)HSHook);
if (status == STATUS_UNSUCCESSFUL)
{
KdPrint(("MapMemoryToSystemVA 调用失败!"));
return STATUS_UNSUCCESSFUL;
}
KdPrint(("pHSHook:%X" ,HSHook));
// Returns here; everything below is unreachable as written.
return STATUS_SUCCESS;
// NtOpenProcess after HS is running
//805cc3fc 68c4000000 push 0C4h
//805cc401 68b8b44d80 push offset nt!ObWatchHandles+0x25c (804db4b8)
//805cc406 e8957cc109 call 8a1e40a0 ;the hooked location
//805cc40b 33f6 xor esi,esi
//805cc40d 8975d4 mov dword ptr ,esi
//805cc410 33c0 xor eax,eax
//805cc412 8d7dd8 lea edi,
//805cc415 ab stos dword ptr es:
// This is HS's detour function
//8a1e40a0 e9db009e26 jmp b0bc4180 ;supposedly HS does not CRC-check this spot, so it gets NOPed out
//8a1e40a5 90 nop
//8a1e40a6 90 nop
//8a1e40a7 90 nop
//8a1e40a8 e9d38a35f6 jmp nt!_SEH_prolog (8053cb80)
//8a1e40ad 90 nop
//8a1e40ae 90 nop
//8a1e40af 90 nop
// After the NOPs, NtOpenProcess behaves as it originally did.
// HS first hooks NtOpenProcess with a detour function, which then jumps into its own routine. I have only just started learning reverse engineering, so I will study it later (and there may also be a CRC check).
// So I just NOP that jump instruction myself. Found that it works!
// A JMP instruction occupies 5 bytes, as you know.
// Undo the NtOpenProcess hook: write 4 NOP bytes, then 1 more (5-byte jmp).
// NOTE(review): the destination operands of both `mov` stores are missing
// (no `[…]` shown) — presumably lost in extraction; as shown this does not assemble.
{
__asm
{
mov ebx, HSHook
mov dword ptr, 0x90909090
mov byte ptr, 0x90
}
}
// Not sure whether the following was misused or what, but it had no effect:
//InterlockedExchange(&HSHook,0x90909090);
//HSHook = HSHook + 1;
//InterlockedExchange(&HSHook,0x90909090);
MmUnmapLockedPages((PVOID)HSHook, pMdl);
IoFreeMdl(pMdl);
return STATUS_SUCCESS;
}
NTSTATUS MapMemoryToSystemVA
(
OUT MDL* pMdl,
IN PVOID pAddr,
IN SIZE_T pageSize,
OUT PVOID* MappedAddr
)
/*++
Description:
Uses an MDL and the related Mm routines to map a block of memory into system space.
Parameters:
pMdl
Address of the MDL structure. NOTE(review): this is received by value
(OUT is a SAL macro, not a reference), so the assignment below updates
only this local copy; the caller's MDL pointer is never set.
pAddr
Address to map
pageSize
Size of the page to map. NOTE(review): unused — the MmCreateMdl call
below hard-codes 4096.
MappedAddr
Receives the mapped address (written through the pointer).
Return value:
STATUS_SUCCESS on success, otherwise STATUS_UNSUCCESSFUL.
On a mapping failure the MDL created here is not freed before returning.
--*/
{
// Create the MDL (length hard-coded to 4096, not pageSize)
pMdl = MmCreateMdl(NULL,(PVOID)pAddr,4096);
if (!pMdl)
{
KdPrint(("MmCreateMdl 调用失败!pMdl:%X",(ULONG)pMdl));
return STATUS_UNSUCCESSFUL;
}
// Fill in the MDL as if the buffer were nonpaged pool
MmBuildMdlForNonPagedPool(pMdl);
// Map into system space. NOTE(review): MDL_MAPPED_TO_SYSTEM_VA is set by
// hand here; this flag is normally maintained by Mm itself — confirm intent.
pMdl->MdlFlags = pMdl->MdlFlags| MDL_MAPPED_TO_SYSTEM_VA;
// Lock the region and hand back a pointer to the mapped region
*MappedAddr = (PVOID)MmMapLockedPages(pMdl, KernelMode);
if (*MappedAddr == NULL)
{
KdPrint(("MmMapLockedPages 调用失败!"));
return STATUS_UNSUCCESSFUL;
}
return STATUS_SUCCESS;
} // trailing page text: "Hmm, not bad, it even uses MDLs,"