簡單逆下Hs-NtReadProcessMemory
簡單逆下Hs-NtReadProcessMemory
直接用KD簡單逆的
偽代碼就不上了 歡迎找碴
[ebp-c] = ReturnLength (局部變量; 見 0xB31F7C1E 的 lea)
[ebp-?] = ProcessInformation (局部緩衝區; 左側運算元在轉貼時遺失)
[ebp-4] = ProcessHandle
[ebp-?] = 返回值(success or error code)
[ebp-8] = Pid
[ebp-?] = ???
----------保護暫存器---------------
// ---- Hook entry (0xB31F7C00): preserve caller state and build a frame ----
// Detour body installed over NtReadProcessMemory. Every GPR and EFLAGS is
// saved so the pass-through path can resume the original function unchanged.
// Locals: [ebp-4] ProcessHandle, [ebp-8] caller PID, [ebp-c] ReturnLength,
// plus a 0x18-byte PROCESS_BASIC_INFORMATION buffer (offset lost in extraction).
0xB31F7C00mov eax, esp // eax = esp at hook entry
0xB31F7C02add eax, 8 // eax = entry esp + 8; survives in the pushad image. Presumably points at an argument slot — verify against the entry stub, which is not in this listing
0xB31F7C05pushad // save eax, ecx, edx, ebx, esp, ebp, esi, edi
0xB31F7C06pushfd // save EFLAGS
0xB31F7C07push ebp
0xB31F7C08mov ebp, esp // frame pointer
0xB31F7C0Asub esp, 40 // 0x40 bytes of locals
0xB31F7C0Dmov ecx, dword ptr // memory operand lost in extraction; loads the hooked call's ProcessHandle argument (via eax above, presumably)
0xB31F7C10mov dword ptr , ecx // store to a local — [ebp-4] = ProcessHandle per the author's note at 0xB31F7C2A
// ---- Bump the in-flight counter, query the target process, test the status ----
// The author labels B3206968 "ProcessInformation", but InterlockedIncrement /
// InterlockedDecrement take a pointer to a LONG and both exit paths decrement
// it, so it reads more like a global hook-in-use counter (e.g. for safe driver
// unload). The ProcessInformation buffer is the stack local passed via ecx below.
// NOTE(review): confirm against the binary.
0xB31F7C13mov ecx, B3206968 // ecx = &global counter (fastcall argument)
0xB31F7C18call dword ptr [<&ntkrnlpa.InterlockedIncrement>] // atomic ++counter
// ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &local, 0x18, &ReturnLength)
// 0x18 == sizeof(PROCESS_BASIC_INFORMATION) on x86, so the local receives the
// target's UniqueProcessId among other fields.
0xB31F7C1Elea eax, dword ptr // eax = &ReturnLength local ([ebp-c] per the author)
0xB31F7C21push eax // ReturnLength
0xB31F7C22push 18 // ProcessInformationLength = 0x18
0xB31F7C24lea ecx, dword ptr // ecx = &PROCESS_BASIC_INFORMATION local (offset lost in extraction)
0xB31F7C27push ecx // ProcessInformation
0xB31F7C28push 0 // ProcessInformationClass = 0 = ProcessBasicInformation
0xB31F7C2Amov edx, dword ptr // edx = [ebp-4] = ProcessHandle (the hooked call's first argument)
0xB31F7C2Dpush edx // ProcessHandle
0xB31F7C2Ecall dword ptr [<&ntkrnlpa.ZwQueryInformationProcess>]
0xB31F7C34mov dword ptr , eax // local status = NTSTATUS result
// NT_SUCCESS test: setge sets al when the signed compare says status >= 0
// (SF == OF). This is not a ZF test — error codes (0xC...) are negative.
0xB31F7C37xor eax, eax // eax = 0 so the byte set below is zero-extended
0xB31F7C39cmp dword ptr , 0 // signed compare of status with 0
0xB31F7C3Dsetge al // al = (status >= 0)
0xB31F7C40cmp eax, 1 // did the query succeed?
0xB31F7C43jne B31F7D13 // query failed -> pass through to the original function (fail-open; the original call then deals with the bad handle itself)
// ---- Identify the caller and take the first policy branch ----
0xB31F7C49call B31FFB66 // thunk -> PsGetCurrentProcessId (import table entry at 0xB31FFB66): eax = caller's PID
0xB31F7C4Emov dword ptr , eax // [ebp-8] = caller PID (the author's "Pid")
0xB31F7C51push 1
0xB31F7C53mov ecx, dword ptr // ecx = Pid
0xB31F7C56push ecx // Pid
0xB31F7C57call B31FD460 // B31FD460(Pid, 1) -> bool in al. Per the author it reads KeGetCurrentIrql
// and acquires/releases a fast mutex internally — presumably a guarded lookup of a PID list.
0xB31F7C5Cmovzx edx, al // edx = result (0/1)
0xB31F7C5Fcmp edx, 1
0xB31F7C62jne short B31F7CB1 // result != 1 -> second branch at 0xB31F7CB1
// ---- Branch 1 (B31FD460 returned 1 for the caller PID) ----
// The listing shows B31F07F0(B320F3A0, Pid, 4) called twice with apparently
// identical arguments. Because the memory operands lost their brackets in
// extraction, the two loads may in fact read different locals — verify.
0xB31F7C64push 4 0xB31F7C64push 4 // (line duplicated by extraction; a single `push 4`)
0xB31F7C66mov eax, dword ptr // eax = Pid (operand lost in extraction)
0xB31F7C69push eax // Pid
0xB31F7C6Apush B320F3A0 // global address — presumably the list/table being searched; contents not visible here
0xB31F7C6Fcall B31F07F0 // B31F07F0(B320F3A0, Pid, 4) -> bool in al; the same routine is called repeatedly below
0xB31F7C74movzx ecx, al
0xB31F7C77cmp ecx, 1
0xB31F7C7Ajne short B31F7CAF // not in table -> allow (jmp to the pass-through exit)
0xB31F7C7Cpush 4
0xB31F7C7Emov edx, dword ptr // edx = Pid
0xB31F7C81push edx // Pid
0xB31F7C82push B320F3A0
0xB31F7C87call B31F07F0 // same lookup again (see note above)
0xB31F7C8Cmovzx eax, al
0xB31F7C8Fcmp eax, 1
0xB31F7C92je short B31F7C99 // found -> record the caller thread, then allow
0xB31F7C94jmp B31F7D29 // not found -> deny exit (STATUS_ACCESS_DENIED)
0xB31F7C99push 1
0xB31F7C9Bcall B31FFB6C // thunk -> PsGetCurrentThreadId: eax = caller TID
0xB31F7CA0push eax // Tid
0xB31F7CA1call B31F2680 // B31F2680(Tid, 1): per the author, acquires/releases a fast mutex — presumably records the thread
0xB31F7CA6mov edx, dword ptr // edx = Pid
0xB31F7CA9push edx // Pid
0xB31F7CAAcall B31FD3B0 // B31FD3B0(Pid): per the author, reads KeGetCurrentIrql, uses a fast mutex,
// and calls InterlockedPushEntrySList (pushes an entry onto an SList).
0xB31F7CAFjmp short B31F7D13 // allow: jump to the pass-through exit
// ---- Branch 2 (B31FD460 returned 0 for the caller PID) ----
0xB31F7CB1push 4 0xB31F7CB1push 4 // (line duplicated by extraction; a single `push 4`)
0xB31F7CB3mov eax, dword ptr // eax = Pid
0xB31F7CB6push eax // Pid
0xB31F7CB7push B320F3A0 // global table/list address (see branch 1)
0xB31F7CBCcall B31F07F0 // B31F07F0(B320F3A0, Pid, 4) -> bool in al
0xB31F7CC1movzx ecx, al
0xB31F7CC4cmp ecx, 1
0xB31F7CC7jne short B31F7D13 // not in table -> allow
0xB31F7CC9push 4
0xB31F7CCBmov edx, dword ptr // edx = Pid (the register written is edx, not eax)
0xB31F7CCEpush edx // Pid
0xB31F7CCFpush B320F3A0
0xB31F7CD4call B31F07F0 // same lookup again; see the note in branch 1 about the lost operands
0xB31F7CD9movzx eax, al
0xB31F7CDCcmp eax, 1
0xB31F7CDFje short B31F7D06 // found -> record the caller thread, then allow
0xB31F7CE1push 1
0xB31F7CE3call dword ptr [<&ntkrnlpa.IoGetCurrentProcess>] // eax = caller's PEPROCESS
0xB31F7CE9push eax // PEPROCESS
0xB31F7CEAcall B31FD596 // B31FD596(PEPROCESS, 1) -> bool; per the author an allow/deny-list check on the process object
0xB31F7CEFmovzx ecx, al
0xB31F7CF2cmp ecx, 1
0xB31F7CF5je short B31F7D04 // check passed -> allow
0xB31F7CF7push 1 0xB31F7CF7push 1 // (line duplicated by extraction; a single `push 1`)
0xB31F7CF9mov edx, dword ptr // edx = Pid
0xB31F7CFCpush edx // Pid
0xB31F7CFDcall B31FD230 // B31FD230(Pid, 1): per the author, reads KeGetCurrentIrql, uses a fast mutex,
// and calls InterlockedPushEntrySList — presumably records the rejected caller before denying
0xB31F7D02jmp short B31F7D29 // deny exit
0xB31F7D04jmp short B31F7D13 // allow exit
0xB31F7D06push 1
0xB31F7D08call B31FFB6C // thunk -> PsGetCurrentThreadId: eax = caller TID
0xB31F7D0Dpush eax // Tid
0xB31F7D0Ecall B31F2680 // B31F2680(Tid, 1); falls through into the allow exit at 0xB31F7D13
// ---- Allow / pass-through exit (B31F7D13) ----
0xB31F7D13mov ecx, B3206968 // ecx = &global counter (see the increment at 0xB31F7C13)
0xB31F7D18call dword ptr [<&ntkrnlpa.InterlockedDecrement>] // atomic --counter, pairing with the increment at entry
-------------------還原現場----------------------------
// Tear down the frame and restore flags and registers exactly as saved at
// entry, then continue into the original NtReadProcessMemory.
0xB31F7D1Eadd esp, 40 // release the 0x40 bytes of locals
0xB31F7D21pop ebp
0xB31F7D22popfd
0xB31F7D23popad
0xB31F7D24jmp B31F72E0 // tail-jump to the trampoline that holds the displaced original bytes (author: original target 8053CB90); the original function handles the arguments and the return
// ---- Deny exit (B31F7D29): fail the call with STATUS_ACCESS_DENIED ----
// The original function is never reached on this path.
0xB31F7D29mov ecx, B3206968 // ecx = &global counter
0xB31F7D2Ecall dword ptr [<&ntkrnlpa.InterlockedDecrement>] // atomic --counter
0xB31F7D34add esp, 40
0xB31F7D37pop ebp
0xB31F7D38popfd
0xB31F7D39popad // esp is now back to the hook-entry value
// Three dwords that were on the stack at hook entry (pushed by the entry stub,
// which is not in this listing) are discarded before returning; their values
// are irrelevant here because eax is overwritten with the status next.
0xB31F7D3Apop eax
0xB31F7D3Bpop eax
0xB31F7D3Cpop eax
0xB31F7D3Dmov eax,C0000022 // eax = STATUS_ACCESS_DENIED (0xC0000022)
0xB31F7D42retn 14 // stdcall return popping 0x14 = 20 bytes, i.e. NtReadProcessMemory's five DWORD arguments
// int3 filler after the hook body
0xB31F7D45CCint3
0xB31F7D46CCint3
0xB31F7D47CCint3
0xB31F7D48CCint3 ---------------Hs內核函數調用表------------------------
// ---- Import thunk table ----
// Each entry is a 6-byte `jmp dword ptr [IAT slot]` (FF25 + absolute address).
// The hook body above reaches kernel exports through these thunks: 0xB31FFB66
// (PsGetCurrentProcessId) at 0xB31F7C49 and 0xB31FFB6C (PsGetCurrentThreadId)
// at 0xB31F7C9B / 0xB31F7D08. The remaining entries are listed for reference;
// their callers are not in this listing.
0xB31FFB5A | FF25 C83620B3 | jmp dword ptr [<&ntkrnlpa.PsSetCreateProcessNotifyRoutine>
0xB31FFB60 | FF25 703620B3 | jmp dword ptr [<&ntkrnlpa.PsGetVersion>]
0xB31FFB66 | FF25 E83520B3 | jmp dword ptr [<&ntkrnlpa.PsGetCurrentProcessId>]
0xB31FFB6C | FF25 443520B3 | jmp dword ptr [<&ntkrnlpa.PsGetCurrentThreadId>]
0xB31FFB72 | FF25 503520B3 | jmp dword ptr [<&ntkrnlpa.stricmp>]
0xB31FFB78 | FF25 543520B3 | jmp dword ptr [<&ntkrnlpa.strrchr>]
0xB31FFB7E | FF25 643520B3 | jmp dword ptr [<&ntkrnlpa.except_handler3>]
0xB31FFB84 | FF25 7C3520B3 | jmp dword ptr [<&ntkrnlpa.KeGetCurrentThread>]
0xB31FFB8A | FF25 AC3520B3 | jmp dword ptr [<&ntkrnlpa.allmul>]
0xB31FFB90 | FF25 B03520B3 | jmp dword ptr [<&ntkrnlpa.alldiv>]
0xB31FFB96 | FF25 B43520B3 | jmp dword ptr [<&ntkrnlpa.wcslen>]
0xB31FFB9C | FF25 B83520B3 | jmp dword ptr [<&ntkrnlpa.wcsrchr>]
0xB31FFBA2 | FF25 C03520B3 | jmp dword ptr [<&ntkrnlpa.KeDetachProcess>]
0xB31FFBA8 | FF25 C43520B3 | jmp dword ptr [<&ntkrnlpa.KeAttachProcess>]
0xB31FFBAE | FF25 C83520B3 | jmp dword ptr [<&ntkrnlpa.PsLookupProcessByProcessId>]
0xB31FFBB4 | FF25 DC3520B3 | jmp dword ptr [<&ntkrnlpa.wcscpy>]
0xB31FFBBA | FF25 C43620B3 | jmp dword ptr [<&ntkrnlpa.ObReferenceObjectByName>]
0xB31FFBC0 | FF25 1C3620B3 | jmp dword ptr [<&ntkrnlpa.ObOpenObjectByPointer>]
0xB31FFBC6 | FF25 303620B3 | jmp dword ptr [<&ntkrnlpa.wcsnicmp>]
0xB31FFBCC | FF25 403620B3 | jmp dword ptr [<&ntkrnlpa.IoQueueWorkItem>]
0xB31FFBD2 | FF25 443620B3 | jmp dword ptr [<&ntkrnlpa.IoAllocateWorkItem>]
0xB31FFBD8 | FF25 483620B3 | jmp dword ptr [<&ntkrnlpa.IoFreeWorkItem>]
0xB31FFBDE | FF25 543620B3 | jmp dword ptr [<&ntkrnlpa.PsIsThreadTerminating>]
0xB31FFBE4 | FF25 583620B3 | jmp dword ptr [<&ntkrnlpa.PsLookupThreadByThreadId>]