技术宅的结界

 找回密码
 立即注册→加入我们

QQ登录

只需一步,快速开始

搜索
热搜: 下载 VB C 实现 编写
查看: 7452|回复: 12
收起左侧

TsSysKit深度分析

[复制链接]

266

主题

438

帖子

4597

积分

用户组: 真·技术宅

UID
2
精华
61
威望
147 点
宅币
3435 个
贡献
125 次
宅之契约
0 份
在线时间
593 小时
注册时间
2014-1-25
发表于 2015-9-20 11:20:40 | 显示全部楼层 |阅读模式

欢迎访问技术宅的结界,请注册或者登录吧。

您需要 登录 才可以下载或查看,没有帐号?立即注册→加入我们

x
本帖最后由 元始天尊 于 2015-9-27 13:07 编辑

TsSysKit.sys分析报告
        该驱动为qq管家穿透驱动,提供文件、注册表穿透,和解锁文件、驱动加载、句柄、进程等操作,导出接口给其他驱动使用,设备名\\Device\\TSSysKit,符号名\\DosDevices\\TSSysKit。加密手段:Rabbit算法、MD5算法。
目录
TsSysKit.sys分析报告        1
一、        驱动入口DriverEntry        2
1.1 检测加载者是否为Ntos        2
1.2 执行删除任务 DoDeleteJob        3
二、        驱动接口Interface        5
2.1 DeviceExtension接口        5
2.2 与WRK代码异同点        6
2.3 重置/保存注册表对象ObjectInitialzer例程        6
NtCreateKey        7
NtOpenKey        9
NtQueryValueKey        10
NtSetValueKeyEx        11
NtDeleteValueKey        12
NtDeleteKey        13
IopCreateFile        13
三、        控制码        17
0x221C00解锁文件        21
0x222004普通结束进程        21
0x22242C穿透创建服务加载驱动        22
四、        默认派遣例程        26
3.1 根据进程id结束进程        26
3.2 获取当前进程进程名        26
3.3 由进程ID获取进程设备名        27
3.4 设备名转DOS路径        28
3.5 得到EPROCESS对应ImageDosPath        29
3.6 随机化程序名机制        30
3.7 根据进程文件名获取进程信息        31
3.8 两种方式调用内核函数        31
3.9 获取对象类型        32
3.10 基础库功能——检测腾讯程序合法性        32
3.11 解锁文件        34
五、        获取ObjectInitializer        40
4.1 获取注册表OBJECT_TYPE,匹配对象类型        40
4.2获取ParseProcedure        42
4.3 获取GetCellRoutine偏移,Hook GetCellRoutine        43
4.4 Hook和UnHook GetCellRoutine        44
4.5 创建系统线程获取 Cm*函数        45
4.6 匹配结构        49
4.7 获取DeviceObject对象类型        59


一、        驱动入口DriverEntry
        获取系统版本_1
        获取EPROCESS的ObjectTypeIndex  (win7以前 0x1C  win8 0x1F  Win8.1 0x1E)
        创建\\Device\\TSSysKit设备和\\DosDevices\\TSSysKit符号链接
        设置DeviceExtension为通信接口(Interface函数指针)
        注册IRP_MJ_CREATE、IRP_MJ_CLOSE、IRP_MJ_DEVICE_CONTROL派遣例程为DefaultDispatch
        获取CmpKeyObject、DeviceObject的OBJECT_TYPE_INITIALIZER
GetCmpKeyObjectInitializerFunc        GetDeviceObjectInitializerFunc
        获取ZwQueryVirtualMemory、IoVolumeDeviceToDosName、PsGetProcessSectionBaseAddress地址和NtQueryVirtualMemory的index
        检测加载者是否为Ntos (CheckIopLoadDriver)
        执行开机删除操作(DoDeleteJob)  删除ShutdownRecord.ini指定的文件
  

1.1 检测加载者是否为Ntos
顺带保存IopLoadDriver
[C++] 纯文本查看 复制代码
int CheckIopLoadDriver()
{
	unsigned int IopLoadDriverNext; // esi@2
	PRTL_PROCESS_MODULES modules; // ebx@5
	int IopLoadDriver; // esi@8
	PVOID Base; // eax@9
	PVOID Callers[4]; // [sp+8h] [bp-18h]@1
	BOOL ret; // [sp+18h] [bp-8h]@1
	ULONG SystemInformationLength; // [sp+1Ch] [bp-4h]@1

	Callers[0] = 0;
	Callers[1] = 0;
	Callers[2] = 0;
	Callers[3] = 0;
	ret = 0;
	SystemInformationLength = 0;
	::IopLoadDriver = 0;
	if ( RtlWalkFrameChain(Callers, 4u, 0) == 4 ) 
		// [0]=RtlWalkFrameChain next
		// [1]=DriverEntry
		// [2]=IopLoadDriver
		// [3]=IopInitializeSystemDrivers
	{
		IopLoadDriverNext = Callers[3];
		if ( MmIsAddressValid(Callers[3]) )
		{
			if ( IopLoadDriverNext >= MmUserProbeAddress && *(IopLoadDriverNext - 5) == 0xE8u )// call ***
			{
				SystemInformationLength = sizeof(SYSTEM_MODULE_INFORMATION) + 3 * sizeof(RTL_PROCESS_MODULE_INFORMATION);
				modules = ExAllocatePoolWithTag(0, SystemInformationLength, '!KIT');
				if ( modules )
				{
					memset(modules, 0, SystemInformationLength);
					if ( ZwQuerySystemInformation(SystemModuleInformation,modules,SystemInformationLength,&SystemInformationLength) >= 0 )
					{
						if ( modules->NumberOfModules )
						{
							IopLoadDriver = *(IopLoadDriverNext - 4) + IopLoadDriverNext;
							if ( MmIsAddressValid(IopLoadDriver) )
							{
								Base = modules->Modules[0].ImageBase;
								if ( IopLoadDriver >= Base && IopLoadDriver <= (Base + modules->Modules[0].ImageSize) )
								{                               // 检测IopLoadDriver是否在ntos中
									::IopLoadDriver = IopLoadDriver;
									ret = 1;
								}
							}
						}
					}
					ExFreePool(modules);
				}
			}
		}
	}
	return ret;
}

1.2 执行删除任务 DoDeleteJob
如果腾讯安装目录存在ShutdownRecord.ini文件则删除该文件,解析文件列表中指定的文件并逐个删除,其中解析ini的api、文件操作都是自己实现的。删除方式采用NtSetInformationFile 置FileDispositionInformation。

ShutdownRecord.ini格式:
[DELETEFILECOUNT]
Count=3
[DELETEFILELIST]
0=0.txt
1=1.txt
2=2.txt

enum
{
        WIN2000=1,
        WINXP=2,
        WINXPSP3=3,
        WINVISTA=4,
        WIN7=5,
        WIN8=7,
        WIN8_1=8,
        WIN10=9,
        UNKNOWN=10,
};

二、        驱动接口Interface
2.1 DeviceExtension接口
DeviceObject->DeviceExtension(=Interface)  通过制定序号返回对应函数指针,穿透函数内部在ObOpenObjectByName前后会保存和恢复注册表Objectinitializer:
FARPROC Interface(intindex)
{//注意下面的函数都是自己实现的穿透函数
    switch(index)
    {
    case 1:
        return NtOpenKey;
    case 2:
        return NtQueryValueKey;
    case 3:
        return NtSetValueKeyEx;
    case 4:
        return NtDeleteValueKey;
    case 5:
        return NtDeleteKey;
    case 20:
        return IopCreateFile;
    case 21:
        return NtReadFile;
    case 22:
        return NtWriteFile;
    case 23:
        return NtSetInformationFile;
    case 24:
        return NtQueryInformationFile;
    case 25:
        return NtQueryDirectoryFile;
    }
}

函数原型:
0:NTSTATUS __stdcall NtCreateKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG TitleIndex, PUNICODE_STRING Class, ULONG CreateOptions, PULONG Disposition)
1:NTSTATUS __stdcall NtOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes)
2:NTSTATUS __stdcall NtQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength)
3:NTSTATUS __stdcall NtSetValueKeyEx(HANDLE Handle, PUNICODE_STRING ValueName, ULONG Type, PVOID Data, ULONG DataSize)
和NtSetValueKey的用法类似,只是没有TitleIndex这个参数
4:NTSTATUS __stdcall NtDeleteValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName)
5:NTSTATUS __stdcall NtDeleteKey(HANDLE KeyHandle)
20:NTSTATUS __stdcall IopCreateFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG Disposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength, CREATE_FILE_TYPE CreateFileType, PVOID ExtraCreateParameters, ULONG Options, ULONG InternalFlags, PVOID DeviceObject)
21:NTSTATUS __stdcall NtReadFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key)
22:NTSTATUS __stdcall NtWriteFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key)
23:NTSTATUS __stdcall NtSetInformationFile(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass, BOOL DelCurrentFile)
24:NTSTATUS __stdcall NtQueryInformationFile(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass, BOOL DelCurrentFile)
25:NTSTATUS __stdcall NtQueryDirectoryFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass, BOOLEAN ReturnSingleEntry, PUNICODE_STRING FileName, BOOLEAN RestartScan)

2.2 与WRK代码异同点
注册表穿透操作是使用Cm*函数实现Nt*函数,而文件穿透操作则基本和WRK代码一致,Iop*函数最大程度的实现内联。
这些实现中和WRK主要区别在于:去掉了AccessMode=UserMode分支、和ObReferenceObjectByName调用前后重置ObjectInitializer
NtReadFile实现额外处理了IoCallDriver返回文件锁定(STATUS_FILE_LOCK_CONFLICT)的处理,此时通过创建文件映射实现读取

2.3 重置/保存注册表对象ObjectInitialzer例程

enum
{
        EClose,
        EDelete,
        EParse,
        ESecurtiy,
        EQueryName,
        EOpen,
};
[C++] 纯文本查看 复制代码
BOOLEAN ReplaceObjectinitializer(int Type,FARPROC* OutFunc,BOOLEAN ResetOrRestore)
{
	FARPROC* Initailier = NULL;
	if(Type <0 || Type >= ECmMax)
	{
		if(!RegObjectInitialzer[Type] || !CmpKeyObjectType || !OutFunc)
			return 0;
	}
	if(VersionIndex >= WIN2000 && VersionIndex <= WINXPSP3)
	{
		switch(Type)
		{
			case EClose:
				Initailier = &((POBJECT_TYPE_XP)CmpKeyObjectType)->TypeInfo.CloseProcedure;
				break;
			case EDelete:
				Initailier = &((POBJECT_TYPE_XP)CmpKeyObjectType)->TypeInfo.DeleteProcedure;
				break;
			case EParse:
				Initailier = &((POBJECT_TYPE_XP)CmpKeyObjectType)->TypeInfo.ParseProcedure;
				break;
			case ESecurity:
				Initailier = &((POBJECT_TYPE_XP)CmpKeyObjectType)->TypeInfo.SecurityProcedure;
				break;
			case EQueryName:
				Initailier = &((POBJECT_TYPE_XP)CmpKeyObjectType)->TypeInfo.QueryNameProcedure;
				break;
			case EOpen:
				Initailier = &((POBJECT_TYPE_XP)CmpKeyObjectType)->TypeInfo.OpenProcedure;
				break;
		}
	}
	else if(VersionIndex >= WINVISTA && VersionIndex <= WIN10)
	{
		switch(Type)
		{
		case EClose:
			Initailier = &((POBJECT_TYPE_WIN7)CmpKeyObjectType)->TypeInfo.CloseProcedure;
			break;
		case EDelete:
			Initailier = &((POBJECT_TYPE_WIN7)CmpKeyObjectType)->TypeInfo.DeleteProcedure;
			break;
		case EParse:
			Initailier = &((POBJECT_TYPE_WIN7)CmpKeyObjectType)->TypeInfo.ParseProcedure;
			break;
		case ESecurity:
			Initailier = &((POBJECT_TYPE_WIN7)CmpKeyObjectType)->TypeInfo.SecurityProcedure;
			break;
		case EQueryName:
			Initailier = &((POBJECT_TYPE_WIN7)CmpKeyObjectType)->TypeInfo.QueryNameProcedure;
			break;
		case EOpen:
			Initailier = &((POBJECT_TYPE_WIN7)CmpKeyObjectType)->TypeInfo.OpenProcedure;
			break;
		}
	}
	if(ResetOrRestore)
	{//Get
		if(*Initailier != RegObjectInitialzer[Type])
		{
			*OutFunc = *Initailier;
			*Initailier = RegObjectInitialzer[Type];
			return TRUE;
		}
	}
	else
	{//Set
		if(*OutFunc != *Initailier)
		{
			*Initailier = *OutFunc;
			return TRUE;
		}
	}
	return FALSE;
}

NtCreateKey
NTSTATUS __stdcall NtCreateKey(PHANDLE KeyHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,
	ULONG TitleIndex,PUNICODE_STRING Class,ULONG CreateOptions,PULONG Disposition)
{
	NTSTATUS            status;
	KPROCESSOR_MODE     mode;
	CM_PARSE_CONTEXT    ParseContext;
	PCM_KEY_BODY        KeyBody = NULL;
	HANDLE              Handle = 0;
	UNICODE_STRING      CapturedObjectName = {0};
	FARPROC				SavedInitializer = NULL;
	BOOL				NeedRestore = FALSE;

	RtlZeroMemory(&ParseContext,sizeof(ParseContext));
	if (ARGUMENT_PRESENT(Class)) 
	{
		ParseContext.Class = *Class;
	}
	if ((CreateOptions & (REG_LEGAL_OPTION | REG_OPTION_PREDEF_HANDLE)) != CreateOptions) 
	{
		return STATUS_INVALID_PARAMETER;
	}
	ParseContext.TitleIndex = 1;
	ParseContext.CreateOptions = CreateOptions;
	ParseContext.Disposition = 0L;
	ParseContext.CreateLink = FALSE;
	ParseContext.PredefinedHandle = NULL;
	ParseContext.CreateOperation = TRUE;
	ParseContext.OriginatingPoint = NULL;
	if(ReplaceObjectinitializer(EParse,&SavedInitializer,1))//还原为系统默认值
		NeedRestore = TRUE;
	status = ObOpenObjectByName(ObjectAttributes,CmpKeyObjectType,mode,NULL,DesiredAccess,(PVOID)&ParseContext,&Handle);
	if(NeedRestore)
		ReplaceObjectinitializer(EParse,&SavedInitializer,0);
	if (status==STATUS_PREDEFINED_HANDLE) 
	{
		if(VersionIndex < WINVISTA)
		{
			status = ObReferenceObjectByHandle(Handle,0,CmpKeyObjectType,KernelMode,(PVOID *)(&KeyBody),NULL);
			if (NT_SUCCESS(status)) 
			{
				HANDLE TempHandle;
				TempHandle = (HANDLE)LongToHandle(KeyBody->Type);
				ObDereferenceObject(KeyBody);
				ZwClose(Handle);
				*KeyHandle = TempHandle;
				status = STATUS_SUCCESS;
			}
		}
		else
		{
			TempHandle = (HANDLE)LongToHandle(KeyBody->Type);
			ObDereferenceObject((PVOID)KeyBody);
			NtClose(Handle);
			*KeyHandle = ParseContext.OriginatingPoint;
			status = STATUS_SUCCESS;
		}
	}
	if (ARGUMENT_PRESENT(Disposition)) 
	{
		*Disposition = ParseContext.Disposition;
	}
	return status;
}


NtOpenKey
NTSTATUS __stdcall NtOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes)
{
	CM_PARSE_CONTEXT	ParseContext;
	PVOID				Context;
	HANDLE				Handle =0;
	NTSTATUS			status = STATUS_SUCCESS;
	PCM_KEY_BODY		KeyBody;
	FARPROC				SavedInitializer = NULL;
	BOOL				NeedRestore = FALSE;
	RtlZeroMemory(&ParseContext,sizeof(CM_PARSE_CONTEXT));
	Context = VersionIndex!=WIN2000?&ParseContext:NULL;
	ParseContext.CreateOperation = FALSE;
	if(ReplaceObjectinitializer(EParse,&SavedInitializer,1))//还原为系统默认值
		NeedRestore = TRUE;
	status = ObOpenObjectByName(ObjectAttributes,CmpKeyObjectType,KernelMode,NULL,DesiredAccess,(PVOID)&Context,&Handle);
	if(NeedRestore)
		ReplaceObjectinitializer(EParse,&SavedInitializer,0);
	if (status==STATUS_PREDEFINED_HANDLE) 
	{
		status = ObReferenceObjectByHandle(Handle,0,CmpKeyObjectType,KernelMode,(PVOID *)(&KeyBody),NULL);
		if (NT_SUCCESS(status)) 
		{
			*KeyHandle = (HANDLE)LongToHandle(KeyBody->Type);
			ObDereferenceObject((PVOID)KeyBody);
			if(*KeyHandle) 
			{
				status = STATUS_SUCCESS;
			} 
			else 
			{
				status = STATUS_OBJECT_NAME_NOT_FOUND;
			}
		}
		ZwClose(Handle);
	} 
	else if (NT_SUCCESS(status)) 
	{
		*KeyHandle = Handle;
	}
	return status;
}

NtQueryValueKey
NTSTATUS __stdcall NtQueryValueKey(HANDLE KeyHandle,PUNICODE_STRING ValueName,KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    PVOID KeyValueInformation,ULONG Length,PULONG ResultLength)
{
    NTSTATUS    status;
    PCM_KEY_BODY   KeyBody = NULL;
    KPROCESSOR_MODE mode;
	UNICODE_STRING LocalValueName = {0};
    if(!ValueName || (KeyValueInformationClass != KeyValueBasicInformation && KeyValueInformationClass != KeyValueFullInformation
		&& KeyValueInformationClass != KeyValuePartialInformation && KeyValueInformationClass != KeyValueFullInformationAlign64 &&
		KeyValueInformationClass != KeyValuePartialInformationAlign64))
		return STATUS_INVALID_PARAMETER;
	if(CmMatchData[VersionIndex][ECmQueryValueKey].InitFlag && CmMatchData[VersionIndex][ECmQueryValueKey].FuncAddr)
	{
		mode = KeGetPreviousMode();
		status = ObReferenceObjectByHandle(KeyHandle,KEY_QUERY_VALUE,CmpKeyObjectType,mode,(PVOID *)(&KeyBody),NULL);
		LocalValueName = *ValueName;
		if (NT_SUCCESS(status)) 
		{
			switch(VersionIndex)
			{
			case WIN2000:
			case WINXP:
			case WINXPSP3:
				CmMatchData[VersionIndex][ECmQueryValueKey].FuncAddr(KeyBody->KeyControlBlock,LocalValueName,
					KeyValueInformationClass,KeyValueInformation,Length,ResultLength);
				break;
			case WINVISTA:
			case WIN7:
			case WIN7_1:
				CmMatchData[VersionIndex][ECmQueryValueKey].FuncAddr(KeyBody,KeyValueInformationClass,KeyValueInformation
					Length,ResultLength,LocalValueName);
				break;
			case WIN8:
				CmMatchData[VersionIndex][ECmQueryValueKey].FuncAddr(KeyBody,LocalValueName,KeyValueInformationClass,
					KeyValueInformation,Length,ResultLength);
				break;
			case WIN8_1:
			case WIN10:
				CmMatchData[VersionIndex][ECmQueryValueKey].FuncAddr(KeyBody,KeyValueInformationClass,KeyValueInformation,
					Length,ResultLength,LocalValueName);
				break;
			default:
				status = STATUS_NOT_SUPPORTED;
				break;
			}
		}
	}
	else
	{
		status = STATUS_NOT_SUPPORTED;
	}
	if(KeyBody)
		ObDereferenceObject(KeyBody);
	return status;
}

NtSetValueKeyEx
NTSTATUS __stdcall NtSetValueKeyEx(HANDLE KeyHandle,PUNICODE_STRING ValueName,ULONG Type,PVOID Data,ULONG DataSize)
{
	NTSTATUS    status;
	PCM_KEY_BODY   KeyBody = NULL;
	KPROCESSOR_MODE mode;
	UNICODE_STRING LocalValueName = {0};
	PWSTR CapturedName=NULL;
	OBJECT_HANDLE_INFORMATION HandleInformation = {0};
	if(CmMatchData[VersionIndex][ECmQueryValueKey].InitFlag && CmMatchData[VersionIndex][ECmQueryValueKey].FuncAddr)
	{
		mode = KeGetPreviousMode();
		status = ObReferenceObjectByHandle(KeyHandle,KEY_SET_VALUE,CmpKeyObjectType,mode,(PVOID *)(&KeyBody),&HandleInformation);
		LocalValueName = *ValueName;
		if (NT_SUCCESS(status)) 
		{
			switch(VersionIndex)
			{
				switch(VersionIndex)
				{
				case WIN2000:
				case WINXP:
				case WINXPSP3:
					CmMatchData[VersionIndex][ECmSetValueKey].FuncAddr(KeyBody->KeyControlBlock,&LocalValueName,Type,Data,DataSize);
					break;
				case WINVISTA:
				case WIN7:
				case WIN7_1:
				case WIN8:
				case WIN8_1:
					CmMatchData[VersionIndex][ECmSetValueKey].FuncAddr(KeyBody,&LocalValueName,Type,Data,DataSize,0,
						HandleInformation.HandleAttributes & 4);
					break;
				case WIN10:
					CmMatchData[VersionIndex][ECmSetValueKey].FuncAddr(KeyBody,&LocalValueName,Type,Data,DataSize,0,
						HandleInformation.HandleAttributes & 4);
					break;
				default:
					status = STATUS_NOT_SUPPORTED;
					break;
			}
		}
	}
	else
	{
		status = STATUS_NOT_SUPPORTED;
	}
	if(KeyBody)
		ObDereferenceObject(KeyBody);
	return status;
}

NtDeleteValueKey
NTSTATUS __stdcall NtDeleteValueKey(HANDLE KeyHandle,PUNICODE_STRING ValueName)
{
	NTSTATUS    status;
	PCM_KEY_BODY   KeyBody = NULL;
	KPROCESSOR_MODE mode;
	UNICODE_STRING LocalValueName = {0};
	PWSTR CapturedName=NULL;
	OBJECT_HANDLE_INFORMATION HandleInformation = {0};
	if(CmMatchData[VersionIndex][ECmDeleteValueKey].InitFlag && CmMatchData[VersionIndex][ECmDeleteValueKey].FuncAddr)
	{
		mode = KeGetPreviousMode();
		status = ObReferenceObjectByHandle(KeyHandle,KEY_SET_VALUE,CmpKeyObjectType,mode,(PVOID *)(&KeyBody),&HandleInformation);
		LocalValueName = *ValueName;
		if (NT_SUCCESS(status)) 
		{
			switch(VersionIndex)
			{
				case WIN2000:
				case WINXP:
				case WINXPSP3:
					CmMatchData[VersionIndex][ECmDeleteValueKey].FuncAddr(KeyBody->KeyControlBlock,LocalValueName);
					break;
				case WINVISTA:
				case WIN7:
				case WIN7_1:
					CmMatchData[VersionIndex][ECmDeleteValueKey].FuncAddr(KeyBody,KeyHandle,HandleInformation.HandleAttributes & 4,LocalValueName);
					break;
				case WIN8:
					CmMatchData[VersionIndex][ECmDeleteValueKey].FuncAddr(KeyBody,LocalValueName,KeyHandle,HandleInformation.HandleAttributes & 4);
					break;
				case WIN8_1:
				case WIN10:
					CmMatchData[VersionIndex][ECmDeleteValueKey].FuncAddr(KeyBody,&LocalValueName,Type,Data,DataSize,0,
						HandleInformation.HandleAttributes & 4);
					break;
				default:
					status = STATUS_NOT_SUPPORTED;
					break;
			}
		}
	}
	else
	{
		status = STATUS_NOT_SUPPORTED;
	}
	if(KeyBody)
		ObDereferenceObject(KeyBody);
	return status;
}

NtDeleteKey
NTSTATUS __stdcall NtDeleteKey(HANDLE KeyHandle)
{
	NTSTATUS    status;
	PCM_KEY_BODY   KeyBody = NULL;
	KPROCESSOR_MODE mode;
	UNICODE_STRING LocalValueName = {0};
	PWSTR CapturedName=NULL;
	OBJECT_HANDLE_INFORMATION HandleInformation = {0};
	if(CmMatchData[VersionIndex][ECmDeleteKey].InitFlag && CmMatchData[VersionIndex][ECmDeleteKey].FuncAddr)
	{
		mode = KeGetPreviousMode();
		status = ObReferenceObjectByHandle(KeyHandle,KEY_SET_VALUE,CmpKeyObjectType,mode,(PVOID *)(&KeyBody),&HandleInformation);
		LocalValueName = *ValueName;
		if (NT_SUCCESS(status)) 
		{
			switch(VersionIndex)
			{
			case WIN2000:
			case WINXP:
			case WINXPSP3:
			case WINVISTA:
			case WIN7:
			case WIN7_1:
			case WIN8:
			case WIN8_1:
			case WIN10:
				CmMatchData[VersionIndex][ECmDeleteKey].FuncAddr(KeyBody);
				break;
			default:
				status = STATUS_NOT_SUPPORTED;
				break;
			}
		}
	}
	else
	{
		status = STATUS_NOT_SUPPORTED;
	}
	if(KeyBody)
		ObDereferenceObject(KeyBody);
	return status;
}

IopCreateFile

代码基本和WRK一致,区别在于2点:
OPEN_PACKET结构不同  
ObOpenObjectByName调用之前会将IoFileObjectType的ObjectInitailier重置为系统初始值


// WIN2000
// WINXP
// WINXPSP3
#pragma pack(push)
#pragma pack(8)
typedef struct _OPEN_PACKET_XP
{
        CSHORT Type;
        CSHORT Size;
        PFILE_OBJECT FileObject;
        NTSTATUS FinalStatus;
        ULONG_PTR Information;
        ULONG ParseCheck;
        PFILE_OBJECT RelatedFileObject;
        LARGE_INTEGER AllocationSize;
        ULONG CreateOptions;
        USHORT FileAttributes;
        USHORT ShareAccess;
        PVOID EaBuffer;
        ULONG EaLength;
        ULONG Options;
        ULONG Disposition;
        PFILE_BASIC_INFORMATION BasicInformation;
        PFILE_NETWORK_OPEN_INFORMATION NetworkInformation;
        CREATE_FILE_TYPE CreateFileType;
        PVOID ExtraCreateParameters;
        BOOLEAN Override;
        BOOLEAN QueryOnly;
        BOOLEAN DeleteOnly;
        BOOLEAN FullAttributes;
        PDUMMY_FILE_OBJECT LocalFileObject;
        BOOLEAN TraversedMountPoint;
        ULONG           InternalFlags;
        PDEVICE_OBJECT  TopDeviceObjectHint;
} OPEN_PACKET_XP, *POPEN_PACKET_XP;
#pragma pack(pop)

// WINVISTA
// WIN7
// WIN7_1
#pragma pack(push)
#pragma pack(8)
typedef struct _OPEN_PACKET_WIN7
{
        CSHORT Type;
        CSHORT Size;
        PFILE_OBJECT FileObject;
        NTSTATUS FinalStatus;
        ULONG_PTR Information;
        ULONG ParseCheck;
        PFILE_OBJECT RelatedFileObject;
        POBJECT_ATTRIBUTES OriginalAttributes;
        LARGE_INTEGER AllocationSize;
        ULONG CreateOptions;
        USHORT FileAttributes;
        USHORT ShareAccess;
        PVOID EaBuffer;
        ULONG EaLength;
        ULONG Options;
        ULONG Disposition;
        PFILE_BASIC_INFORMATION BasicInformation;
        PFILE_NETWORK_OPEN_INFORMATION NetworkInformation;
        CREATE_FILE_TYPE CreateFileType;
        PVOID MailslotOrPipeParameters;
        BOOLEAN Override;
        BOOLEAN QueryOnly;
        BOOLEAN DeleteOnly;
        BOOLEAN FullAttributes;
        PDUMMY_FILE_OBJECT LocalFileObject;
        ULONG           InternalFlags;
        IO_DRIVER_CREATE_CONTEXT  DriverCreateContext;
} OPEN_PACKET_WIN7, *POPEN_PACKET_WIN7;
#pragma pack(pop)
// WIN8
// WIN8_1
// WIN10
#pragma pack(push)
#pragma pack(8)
typedef struct _OPEN_PACKET_WIN8
{
        CSHORT Type;
        CSHORT Size;
        PFILE_OBJECT FileObject;
        NTSTATUS FinalStatus;
        ULONG_PTR Information;
        ULONG ParseCheck;
        union
        {
                PFILE_OBJECT RelatedFileObject;
                PDEVICE_OBJECT ReferencedDeviceObject;
        };
        POBJECT_ATTRIBUTES OriginalAttributes;
        LARGE_INTEGER AllocationSize;
        ULONG CreateOptions;
        USHORT FileAttributes;
        USHORT ShareAccess;
        PVOID EaBuffer;
        ULONG EaLength;
        ULONG Options;
        ULONG Disposition;
        PFILE_BASIC_INFORMATION BasicInformation;
        PFILE_NETWORK_OPEN_INFORMATION NetworkInformation;
        CREATE_FILE_TYPE CreateFileType;
        PVOID MailslotOrPipeParameters;
        BOOLEAN Override;
        BOOLEAN QueryOnly;
        BOOLEAN DeleteOnly;
        BOOLEAN FullAttributes;
        PDUMMY_FILE_OBJECT LocalFileObject;
        ULONG           InternalFlags;
        KPROCESSOR_MODE AccessMode;
        IO_DRIVER_CREATE_CONTEXT  DriverCreateContext;
} OPEN_PACKET_WIN8, *POPEN_PACKET_WIN8;
#pragma pack(pop)

266

主题

438

帖子

4597

积分

用户组: 真·技术宅

UID
2
精华
61
威望
147 点
宅币
3435 个
贡献
125 次
宅之契约
0 份
在线时间
593 小时
注册时间
2014-1-25
 楼主| 发表于 2015-9-27 13:15:36 | 显示全部楼层
附件包含完整文档及idb文件,密码为我的qq

TsSysKit.rar

521.53 KB, 下载次数: 61

266

主题

438

帖子

4597

积分

用户组: 真·技术宅

UID
2
精华
61
威望
147 点
宅币
3435 个
贡献
125 次
宅之契约
0 份
在线时间
593 小时
注册时间
2014-1-25
 楼主| 发表于 2015-9-21 08:46:04 | 显示全部楼层
本帖最后由 元始天尊 于 2015-9-27 13:10 编辑

三、        控制码
        IRP_MJ_DEVICE_CONTROL        =>        调用DeviceIoControl派遣(DeviceIoControlDispatch)
能力:
解锁文件
驱动加载
句柄操作
进程打开、结束
注册表穿透操作

TSSysKit    IoControlCode对应表:
0x221C00
    解锁文件
    buffer=     sizeof=0x804
    +00 NTSTATUS status     out
    +04 WCHAR FileName[1024]    in
0x221C04
0x221C08
0x221C0C
0x221C10
0x221C14
    尚未实现
0x222004
    普通结束进程
    buffer=     sizeof=4
    +00 DWORD ProcessId
0x222008
    穿透NtDeleteKey
    buffer=     sizeof=8
    +00 NTSTATUS status     out
    +04 HANDLE  KeyHandle   in
0x22200C
    穿透NtDeleteValueKey        成员含义见NtDeleteValueKey
    buffer=     sizeof=0xC
    +00 NTSTATUS status     out
    +04 HANDLE  KeyHandle   in
    +08 PUNICODE_STRING ValueName   in
0x222010
    通过进程id或进程对象名(只能选一)穿透打开进程NtOpenProcess   成员含义见NtOpenProcess
    buffer=     sizeof=0x18
    +00 NTSTATUS status     out
    +04 HANDLE ProcessHandle    out
    +08 ACCESS_MASK DesiredAccess in
    +0C POBJECT_ATTRIBUTES ObjectAttributes in
    +10 PCLIENT_ID ClientId
0x222404
    普通关闭句柄NtClose
    buffer=     sizeof=8
    +00 NTSTATUS status     out
    +04 HANDLE Handle   in
0x222408
    穿透创建注册表项NtCreateKey         成员含义见NtCreateKey
    buffer=     sizeof=0x20
    +00 HANDLE  KeyHandle   out
    +04 NTSTATUS status     out     注意status不是第一成员了!!
    +08 ULONG Disposition   out
    +0C ACCESS_MASK DesiredAccess   in
    +10 POBJECT_ATTRIBUTES ObjectAttributes in
    +14 ULONG TitleIndex    in
    +18 PUNICODE_STRING Class   in
    +1C ULONG CreateOptions in
0x22240C
    穿透打开注册表项NtOpenKey           成员含义见NtOpenKey
    buffer=     sizeof=0x10
    +00 HANDLE  KeyHandle   out
    +04 NTSTATUS status     out     注意status不是第一成员了!!
    +08 ACCESS_MASK DesiredAccess   in
    +0C POBJECT_ATTRIBUTES ObjectAttributes in
0x222410
    同0x222008  NtDeleteKey
0x222414
    同0x222008  NtDeleteValueKey
0x222418
    穿透设置注册表项NtSetValueKeyEx     成员含义见NtSetValueKey
    buffer=     sizeof=0x1C
    +00 NTSTATUS status     out
    +04 HANDLE  KeyHandle   in
    +08 PUNICODE_STRING ValueName        in
    +0C ULONG TitleIndex        未使用
    +10 ULONG   Type        in
    +14 PVOID   Data        in
    +18 ULONG   DataSize        in
0x22241C
    穿透设置注册表项NtQueryValueKey     成员含义见NtQueryValueKey
    buffer=     sizeof=0x1C
    +00 DWORD ResultLength  out
    +04 NTSTATUS status     out     注意status不是第一成员了!!
    +08 HANDLE  KeyHandle   in
    +0C PUNICODE_STRING ValueName
    +10 ULONG Type          out     KeyValueInformation->DataLength
    +14 PVOID Data          out     KeyValueInformation->Data
    +18 ULONG DataLength    out     KeyValueInformation->DataLength
0x222420
    穿透枚举注册表项NtEnumerateKey      成员含义见NtEnumerateKey
    buffer=     sizeof=0x1C
    +00 NTSTATUS status     out
    +04 DWORD ResultLength  out
    +08 HANDLE KeyHandle        in
    +0C ULONG Index             in
    +10 KEY_INFORMATION_CLASS KeyInformationClass   in
    +14 PVOID KeyInformation    in
    +18 ULONG Length
0x222424
    NtEnumerateValueKey     成员含义见NtEnumerateValueKey
    buffer=
    +00 NTSTATUS status     out
    +04 ULONG ResultLength  out
    +08 HANDLE KeyHandle    in
    +0C ULONG Index     in
    +10 KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass    in
    +14 PVOID KeyValueInformation   out
    +18 ULONG Length    in
0x222428
    TsSysKit驱动是否初始化
    *(DWORD*)buffer => SomeFlag
    *(DWORD*)buffer <= IsTsSysKitInit
0x22242C
    穿透创建服务加载驱动
    buffer=     sizeof=0x91C
    +000    WCHAR ImagePath[260] 驱动文件路径
    +208    DWORD Type  驱动注册表Type项
    +20C    DWORD Start 驱动注册表项Start类型
    +210    DWORD flag  (决定是否设置注册表Tag和Group信息)
    +214    ???
    +468    DWORD Tag 驱动注册表Tag项
    +46C    WCHAR DisplayName[300] 驱动注册表项DisplayName
    +6C4    WCHAR ServiceName[300] 驱动服务名
0x222430
    获取操作系统版本
    buffer=RTL_OSVERSIONINFOEXW     sizeof=0x11C
0x222800
0x222804
    2个初始化TSSysKit的通道
0x224008
        更新Q管目录
+00        DWORD Tag=0x20120502
        +04        DWORD =0
0x22400C
        穿透创建文件
        Buffer=        sizeof=0x30        具体参数含义见NtCreateFile
+00        NTSTATUS status     out
        +04        PHANDLE FileHandle
        +08        ACCESS_MASK DesiredAccess
        +0C        POBJECT_ATTRIBUTES ObjectAttributes
        +10        PIO_STATUS_BLOCK IoStatusBloc
        +14        PLARGE_INTEGER AllocationSize
        +18        ULONG FileAttributes
        +1C        ULONG ShareAccess
        +20        ULONG CreateDisposition
        +24        ULONG CreateOptions
        +28        PVOID EaBuffer
        +2C        ULONG EaLength
0x224010
        穿透打开文件
Buffer=        sizeof=0x1C         具体参数含义见NtOpenFile
+00        NTSTATUS status     out
+04        PHANDLE FileHandle
+08        PHANDLE FileHandle
+0C        POBJECT_ATTRIBUTES ObjectAttributes
+10        PIO_STATUS_BLOCK IoStatusBlock
+14        ULONG ShareAccess
+18        ULONG OpenOptions
0x224014
穿透读取文件
Buffer=        sizeof=0x28                具体参数含义见NtReadFile
+00        NTSTATUS status     out
+04        HANDLE FileHandle        in
+08        HANDLE Event                in
+0C        ApcRoutine                in
+10        ApcContext                in
+14        PIO_STATUS_BLOCK IoStatusBlock        in
+18        PVOID Buffer                out
+1C        ULONG Length                in
+20        PLARGE_INTEGER ByteOffset       
+24        PULONG Key
0x224018
穿透写入文件
Buffer=        sizeof=0x28                具体参数含义见NtWriteFile
+00        NTSTATUS status     out
+04        HANDLE FileHandle        in
+08        HANDLE Event                in
+0C        ApcRoutine                in
+10        ApcContext                in
+14        PIO_STATUS_BLOCK IoStatusBlock        in
+18        PVOID Buffer                out
+1C        ULONG Length                in
+20        PLARGE_INTEGER ByteOffset       
+24        PULONG Key
0x22401C
    普通关闭句柄NtClose
    buffer=     sizeof=8
    +00 NTSTATUS status     out
    +04 HANDLE Handle   in
0x224020
        穿透设置文件
        Buffer=        sizeof=0x1C       具体参数含义见NtSetInformationFile
        +00        NTSTATUS status;
        +04        HANDLE FileHandle                        in
        +08        PIO_STATUS_BLOCK IoStatus                out       
        +0C        PVOID FileInformation                in
        +10        ULONG Length                        in
        +14        FILE_INFORMATION_CLASS FileInformationClass        in
        +18        BOOL DelCurrentFile                in
0x224024
        穿透查询文件
        Buffer=        sizeof=0x1C       具体参数含义见NtQueryInformationFile
        +00        NTSTATUS status                                out
        +04        HANDLE FileHandle                        in
        +08        PIO_STATUS_BLOCK IoStatus                out       
        +0C        PVOID FileInformation                in
        +10        ULONG Length                        in
        +14        FILE_INFORMATION_CLASS FileInformationClass        in
        +18        BOOL DelCurrentFile                in
0x224028
尚未实现
0x22402C
        穿透查询目录
        Buffer=        sizeof=0x30        具体参数含义见NtQueryDirectoryFile
        +00        NTSTATUS status                out
        +04        HANDLE FileHandle        in
        +08        HANDLE Event                in
        +0C         PIO_APC_ROUTINE ApcRoutine        未使用
        +10        PVOID ApcContext        未使用
        +14         PIO_STATUS_BLOCK IoStatus                out
        +18        PVOID FileInformation        in
        +1C        ULONG Length                in
        +20        FILE_INFORMATION_CLASS FileInformationClass        in
        +24        BOOLEAN ReturnSingleEntry                in
        +28        PUNICODE_STRING FileName        in
        +2C        BOOLEAN RestartScan        in
0x228404
        穿透查询文件属性
        Buffer=        sizeof=0xC                具体参数含义见NtQueryAttributesFile
                        +0        NTSTATUS status                out
                        +4        POBJECT_ATTRIBUTES ObjectAttributes                in                        路径前缀匹配\??\c:
+8        FILE_NETWORK_OPEN_INFORMATION networkInformation        out

0x221C00解锁文件
见3.13 解锁文件

0x222004普通结束进程
[C++] 纯文本查看 复制代码
BOOLEAN TerminateProcessById(HANDLE ProcessId)
{
	BOOLEAN Result = FALSE;
	PEPROCESS Process = NULL;
	HANDLE ProcessHandle = NULL;
	if(NT_SUCCESS(PsLookupProcessByProcessId(ProcessId,&Process)) &&
		NT_SUCCESS(ObOpenObjectByPointer(Process,0,NULL,PROCESS_ALL_ACCESS,NULL,KernelMode,&ProcessHandle)) &&
		NT_SUCCESS(ZwTerminateProcess(ProcessHandle,0)))
	{
		Result = TRUE;
	}
	if(Process)
	{
		ObDereferenceObject(Process);
		Process = NULL;
	}
	if(ProcessHandle)
		ZwClose(ProcessHandle);
	return Result;
}


0x22242C穿透创建服务加载驱动

struct LOADDRIVERSTRUCT
{
        WCHAR ImagePath[260]; //驱动文件路径
        DWORD Type;  //驱动注册表Type项
        DWORD Start; //驱动注册表项Start类型
        WCHAR Group[300];//驱动注册表Group名
        DWORD Tag; //驱动注册表Tag项
        WCHAR DisplayName[300]; //驱动注册表项DisplayName
        WCHAR ServiceName[300]; //驱动服务名
};

#define MakeUnicodeString(X) {sizeof(X),sizeof(X)+2,X}
UNICODE_STRING UImagePath=MakeUnicodeString(L"ImagePath");
UNICODE_STRING UType=MakeUnicodeString(L"Type");
UNICODE_STRING UStart=MakeUnicodeString(L"Start");
UNICODE_STRING UGroup=MakeUnicodeString(L"Group");
UNICODE_STRING UDisplayName=MakeUnicodeString(L"DisplayName");
UNICODE_STRING UErrorControl=MakeUnicodeString(L"ErrorControl");
UNICODE_STRING UTag=MakeUnicodeString(L"Tag");
UNICODE_STRING UZwLoadDriver=MakeUnicodeString(L"ZwLoadDriver");

struct LOADDRIVERPARAM
{
        WORK_QUEUE_ITEM WorkItem;
        KEVENT Event;
        ULONG mem1;
        PUNICODE_STRING DriverServiceName;
        NTSTATUS Status;
};

[C++] 纯文本查看 复制代码
void LoadDriverWorker(LOADDRIVERPARAM* WorkItem)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL,outstatus;
	HANDLE KeyHandle = NULL;
	OBJECT_ATTRIBUTES Oa;
	if(WorkItem)
	{
		InitializeObjectAttributes(&Oa,WorkItem->DriverServiceName,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,NULL,NULL);
		status = NtOpenKey(&KeyHandle,KEY_READ,&Oa);//穿透
		if(NT_SUCCESS(status))
		{//xp win7的IopLoadDriver 为不同的调用方式
			if(VersionInfo < WINVISTA)
			{//NTSTATUS __stdcall IopLoadDriver(HANDLE KeyHandle, BOOLEAN CheckForSafeBoot, BOOLEAN IsFilter, NTSTATUS *DriverEntryStatus)
				IopLoadDriver(KeyHandle,HANDLE_FLAG_INHERIT,FALSE,&outstatus);
				if(status == STATUS_FAILED_DRIVER_ENTRY)
					status = outstatus;
				else if(status == STATUS_DRIVER_FAILED_PRIOR_UNLOAD)
					status = STATUS_OBJECT_NAME_NOT_FOUND;
			}
			else
			{//NTSTATUS __userpurge IopLoadDriver<eax>(HANDLE KeyHandle<ecx>, BOOLEAN CheckForSafeBoot, BOOLEAN IsFilter, NTSTATUS *DriverEntryStatus)  第一参用ecx传值

				status = IopLoadDriver(KeyHandle,HANDLE_FLAG_INHERIT,FALSE,&outstatus);////事先获取的函数指针,见1.1
			}
		}
	}
	WorkItem->Status = status;
	KeSetEvent(WorkItem->Event,0,FALSE);
}

NTSTATUS LoadDriverEx(PUNICODE_STRING DriverServiceName)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	LOADDRIVERPARAM LoadDriver;
	if(IopLoadDriver)//事先获取的函数指针,见1.1
	{
		LoadDriver.DriverServiceName = DriverServiceName;
		LoadDriver.mem1 = 0;
		KeInitializeEvent(&LoadDriver.Event,NotificationEvent,FALSE);
		ExInitializeWorkItem(&LoadDriver,LoadDriverWorker,&LoadDriver);
		ExQueueWorkItem(&LoadDriver.WorkItem,DelayedWorkQueue);
		KeWaitForSingleObject(&LoadDriver.Event,UserRequest,KernelMode,FALSE,NULL);
		return LoadDriver.Status;
	}
	else
	{
		FARPROC ZwLoadDriver = MmGetSystemRoutineAddress(&UZwLoadDriver);
		if(ZwLoadDriver)
			return ZwLoadDriver(DriverServiceName);
	}
	return status;
}

NTSTATUS CreateServiceAndLoadDriver(DWORD InLen,LOADDRIVERSTRUCT* Data)
{//InLen = IrpSp->Parameters.DeviceIoControl.InputBufferLength
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	UNICODE_STRING DriverServicePath;
	UNICODE_STRING ServiceName;
	OBJECT_ATTRIBUTES Oa;
	WCHAR* Buf = NULL;
	HANDLE KeyHandle = NULL;
	const int BufLen = 520;
	ULONG ErrorControl = SERVICE_ERROR_NORMAL;
	ULONG Disposition = REG_OPENED_EXISTING_KEY;
	if(!SeSinglePrivilegeCheck(SE_LOAD_DRIVER_PRIVILEGE,UserMode))
		return STATUS_PRIVILEGE_NOT_HELD;
	if(VersionInfo < WINXP)
		return STATUS_NOT_SUPPORTED;
	if((Data->Type & SERVICE_DRIVER) && Data->ServiceName && Data->ImagePath && Data->DisplayName)
	{
		RtlInitUnicodeString(&ServiceName,Data->ServiceName);
		Buf = (WCHAR*)ExAllocatePool(NonPagedPool,BufLen);
		RtlZeroMemory(Buf,BufLen);
		wcscpy(Buf,L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
		DriverServicePath.Length = 2*wcslen(Buf);
		DriverServicePath.MaximumLength = BufLen;
		DriverServicePath.Buffer = Buf;
		status = RtlAppendUnicodeStringToString(&DriverServicePath, &ServiceName);
		if(NT_SUCCESS(status))
		{
			InitializeObjectAttributes(&Oa,&DriverServicePath,OBJ_CASE_INSENSITIVE,NULL,NULL);
			status = ZwCreateKey(&KeyHandle,KEY_READ|KEY_SET_VALUE, &Oa, 0,NULL, 0, &Disposition);//穿透
		}
		if(NT_SUCCESS(status))
		{
			status = ZwSetValueKeyEx(KeyHandle,&UImagePath,REG_SZ,Data->ImagePath,2*wcslen(Data->ImagePath)+2);//穿透
		}
		if(NT_SUCCESS(status))
		{
			status = ZwSetValueKeyEx(KeyHandle,&UType,REG_DWORD,Data->Type,sizeof(DWORD));
		}
		if(NT_SUCCESS(status))
		{
			status = ZwSetValueKeyEx(KeyHandle,&UStart,REG_DWORD,Data->Start,sizeof(DWORD));
		}
		if(NT_SUCCESS(status))
		{
			status = ZwSetValueKeyEx(KeyHandle,&UDisplayName,REG_SZ,Data->DisplayName,2*wcslen(Data->DisplayName)+2);
		}
		if(NT_SUCCESS(status))
		{//此处q管源码有bug
			status = ZwSetValueKeyEx(KeyHandle,&UGroup,REG_SZ,Data->Group,2*wcslen(Data->Group)+2);
		}
		if(NT_SUCCESS(status))
		{
			status = ZwSetValueKeyEx(KeyHandle,&UTag,REG_DWORD,Data->Tag,sizeof(DWORD));
		}
		if(NT_SUCCESS(status))
		{
			status = ZwSetValueKeyEx(KeyHandle,&UErrorControl,REG_DWORD,ErrorControl,sizeof(DWORD));
		}
		if(NT_SUCCESS(status))
		{
			ZwFlushKey(KeyHandle);
			status = LoadDriverEx(&DriverServicePath);
		}
	}
	if(KeyHandle)
	{
		ZwClose(KeyHandle);
		KeyHandle = NULL;
	}
	if(Buf)
		ExFreePool(Buf);
}


四、        默认派遣例程
        IRP_MJ_CREATE
检查当前所属进程是否有腾讯标记  (CheckDriverLoaderValid)
重置驱动注册表项信息 (ResetRegServiceInfo)
随机化EPROCESS的ImageFileName(RandomImageNameToHide)

3.1 根据进程id结束进程
[C++] 纯文本查看 复制代码
void TerminateProcessById(HANDLE ProcessId)
{
	PEPROCESS Process = NULL;
	HANDLE ProcessHandle = NULL;
	NTSTATUS status = PsLookupProcessByProcessId(ProcessId,&Process);
	if(NT_SUCCESS(status))
	{
		status = ObOpenObjectByPointer(Process,0,NULL,PROCESS_ALL_ACCESS,0,NULL,&ProcessHandle);
		if(NT_SUCCESS(status))
		{
			status = ZwTerminateProcess(ProcessHandle,0);
		}
	}
	if(Process)
	{
		ObDereferenceObject(Process);
		Process = NULL;
	}
	if(ProcessHandle)
		ZwClose(ProcessHandle);


检测PE格式合法性

bool CheckNtImageValid(LPVOID ImageAddress)
{
	if(ImageAddress && MmIsAddressValid(ImageAddress))
	{
		PIMAGE_DOS_HEADER DosHeader = (IMAGE_DOS_HEADER)ImageAddress;
		if(MmIsAddressValid(&DosHeader->e_lfanew) && DosHeader->e_magic == 'ZM')
		{
			PIMAGE_NT_HEADERS NtHeader = (PIMAGE_NT_HEADERS)((BYTE*)DosHeader + DosHeader->e_lfanew);
			if(NtHeader && MmIsAddressValid(NtHeader) && NtHeader->Signature == 'EP')
				return true;
		}
	}
}

3.2 获取当前进程进程名
[C++] 纯文本查看 复制代码
typedef ULONG DWORD;
typedef struct _MEMORY_BASIC_INFORMATION 
{
	PVOID BaseAddress;
	PVOID AllocationBase;
	DWORD AllocationProtect;
	SIZE_T RegionSize;
	DWORD State;
	DWORD Protect;
	DWORD Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
typedef struct _MEMORY_SECTION_NAME
{
	UNICODE_STRING SectionFileName;
	WCHAR NameBuffer[0];
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;

extern "C" PVOID __stdcall PsGetProcessSectionBaseAddress(PEPROCESS Process);
extern "C" NTSTATUS __stdcall ZwQueryVirtualMemory(HANDLE ProcessHandle,PVOID BaseAddress,MEMORY_INFORMATION_CLASS MemoryInformationClass,
	PVOID MemoryInformation,SIZE_T MemoryInformationLength,PSIZE_T ReturnLength);
#define MEM_IMAGE 0x1000000 

bool GetCurrentProcessName(PVOID Buffer,SIZE_T Length)
 {
	 NTSTATUS status;
	if(!Buffer || !Length)
		return;
	UNICODE_STRING UIoVolumeDeviceToDosName;
	PVOID ImageBase = PsGetProcessSectionBaseAddress(IoGetCurrentProcess());
	PVOID SectionName = ExAllocatePool(NonPagedPool,Length + sizeof(MEMORY_SECTION_NAME));
	if(!SectionName)
		return;
	if(ImageBase)
	{
		MEMORY_BASIC_INFORMATION BasicInfo;
		status = ZwQueryVirtualMemory(NtCurrentProcess(),ImageBase,MemoryBasicInformation,&BasicInfo,sizeof(BasicInfo),NULL);
		if(NT_SUCCESS(status) && BasicInfo.Type == MEM_IMAGE)
		{
			status = ZwQueryVirtualMemory(NtCurrentProcess(),ImageBase,MemorySectionName,SectionName,Length + sizeof(MEMORY_SECTION_NAME),NULL);
			if(NT_SUCCESS(status))
			{
				wcsncpy((WCHAR*)Buffer,((PMEMORY_SECTION_NAME)SectionName)->SectionFileName.Buffer,Length);
				return true;
			}
		}
	}
	return false;
 }


3.3 由进程ID获取进程设备名

[C++] 纯文本查看 复制代码
bool GetProcessNameById(HANDLE ProcessId,PVOID Buffer,SIZE_T Length)
{
	NTSTATUS status;
	if(ProcessId == (HANDLE)4)
	{
		wcsncpy((WCHAR*)Buffer,L"System",Length);
	}
	else if(ProcessId == PsGetCurrentProcessId())
	{
		GetCurrentProcessName(Buffer,Length);
	}
	else
	{
		PEPROCESS Process = NULL;
		if(NT_SUCCESS(PsLookupProcessByProcessId(ProcessId,&Process)))
		{
			KAPC_STATE KApc;
			KeStackAttachProcess(Process,&KApc);
			GetCurrentProcessName(Buffer,Length);
			KeUnstackDetachProcess(&KApc);
			ObDereferenceObject(&Process);
		}
		
	}
	return true;
}

3.4 设备名转DOS路径


[C++] 纯文本查看 复制代码
NTSTATUS GetDeviceDosName(WCHAR* DeviceName,WCHAR* DosName,DWORD Len)
{
	NTSTATUS status;
	//检查设备路径
	if(!DeviceName || !DosName)
		return STATUS_INVALID_PARAMETER;
	if(wcsnicmp(DeviceName, L"\\Device\\", 8u))
		return STATUS_INVALID_PARAMETER_1;
	WCHAR* ptr = wcsstr(DeviceName + 8,L"\\");
	if(!ptr)
		return STATUS_UNSUCCESSFUL;
	int len = ptr - DeviceName;
	PVOID Buffer = ExAllocatePool(NonPagedPool,2*len+2);
	if(!Buffer)
		return;
	wcsncpy((WCHAR*)Buffer,DeviceName,len);
	//根据设备名获取设备对象
	PDEVICE_OBJECT DeviceObject;
	UNICODE_STRING UDeviceName;
	PFILE_OBJECT FileObject;
	RtlInitUnicodeString(&UDeviceName,(WCHAR*)Buffer);
	//GetDeviceObjectByName
	status = IoGetDeviceObjectPointer(&UDeviceName,0,&FileObject,&DeviceObject);
	if(NT_SUCCESS(status))
	{
		if(DeviceObject->Type == FILE_DEVICE_DISK)
		{
			UNICODE_STRING RootDeviceDosName;
			status = IoVolumeDeviceToDosName(DeviceObject,&RootDeviceDosName);
			if(NT_SUCCESS(status))
			{
				wcsncpy(DosName,RootDeviceDosName.Buffer,RootDeviceDosName.Length);
				ExFreePool(RootDeviceDosName.Buffer);
				int len2 = wcslen((WCHAR*)Buffer);//拼接全路径
				wcsncat(DosName,DeviceName+len2,Len);
			}
		}
		else if(DeviceObject->Type == FILE_DEVICE_NETWORK_FILE_SYSTEM)
		{
			wcsncpy(DosName,L"\\",Len);
			int len2 = wcslen((WCHAR*)Buffer);
			wcsncat(DosName,DeviceName+len2,Len);
		}
		else
		{
			status = STATUS_DEVICE_DATA_ERROR;
		}
		ObReferenceObject(FileObject);
		ObReferenceObject(DeviceObject);
	}
	ExFreePool(Buffer);
}


3.5 得到EPROCESS对应ImageDosPath

[C++] 纯文本查看 复制代码
void GetProcessDosPathByObject(PEPROCESS Process,LPVOID Buffer,ULONG Len)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	HANDLE ProcessHandle = NULL;
	HANDLE FileHandle = NULL;
	const int FileBufSize = 4096;
	PUNICODE_STRING pFilePath = ExAllocatePoolWithTag(NonPagedPool,FileBufSize);
	if(!pFilePath)
		return;
	status = ObOpenObjectByPointer(Process,OBJ_KERNEL_HANDLE,NULL,0,NULL,KernelMode,&ProcessHandle);
	if(NT_SUCCESS(status))
	{
		status = NtQueryInformationProcess(ProcessHandle,ProcessImageFileName,pFilePath,FileBufSize,NULL);
		if(NT_SUCCESS(status) && MmIsAddressValid(pFilePath->Buffer))
		{
			OBJECT_ATTRIBUTES oa;
			IO_STATUS_BLOCK IoStatusBlock;
			InitializeObjectAttributes(&oa,pFilePath,OBJ_CASE_INSENSITIVE |OBJ_KERNEL_HANDLE,NULL,NULL);
			status = IoCreateFile(&FileHandle,GENERIC_READ | SYNCHRONIZE,&oa,&IoStatusBlock,NULL,FILE_ATTRIBUTE_NORMAL,
				FILE_SHARE_READ,FILE_OPEN,FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,NULL,0,CreateFileTypeNone,
				NULL,IO_NO_PARAMETER_CHECKING);
			if(NT_SUCCESS(status))
			{// GetProcessDosPathByHandle
				OBJECT_HANDLE_INFORMATION HandleInformation;
				PFILE_OBJECT FileObject = NULL;
				UNICODE_STRING DriveDosName = {0};
				status = ObReferenceObjectByHandle(FileHandle,0,NULL,KernelMode,(PVOID*)&FileObject,&HandleInformation);
				if(NT_SUCCESS(status) && FileObject != NULL && MmIsAddressValid(FileObject) && MmIsAddressValid(FileObject->FileName.Buffer))
				{
					if(IoGetRelatedDeviceObject(FileObject))
					{
						status = RtlVolumeDeviceToDosName(FileObject->DeviceObject,&DriveDosName);//获取盘符
						if(NT_SUCCESS(status) && DriveDosName.Buffer && DriveDosName.Length + FileObject->FileName.Length < Len)
						{
							memcpy(Buffer,DriveDosName.Buffer,DriveDosName.Length);
							memcpy((char*)Buffer+DriveDosName.Length,FileObject->FileName.Buffer,FileObject->FileName.Length);
						}
					}
					ObDereferenceObject(FileObject);
					if(DriveDosName.Buffer)
						ExFreePool(DriveDosName.Buffer);
				}
			}
		}
	}

	if(FileHandle)
		NtClose(FileHandle);
	if(ProcessHandle)
		NtClose(ProcessHandle);
	ExFreePool(pFilePath);
}

3.6 随机化程序名机制

[C++] 纯文本查看 复制代码
Void RandomImageNameToHide()
{
ANSI_STRING QQEXEA,IMAGENAMEA;
	char* ImageName;
	RtlInitAnsiString(&QQEXEA,"QQPCRTP.EXE");
	ImageName = PsGetProcessImageFileName(IoGetCurrentProcess());
	RtlInitAnsiString(&IMAGENAMEA,ImageName);
	if(!RtlCompareString(&IMAGENAMEA,&QQEXEA,TRUE))
	{
		LARGE_INTEGER Time,LocalTime;
		TIME_FIELDS TimeFields;
		KeQuerySystemTime(&Time);
		ExSystemTimeToLocalTime(&Time,&LocalTime);
		RtlTimeToTimeFields(&LocalTime,&TimeFields);
		ImageName[TimeFields.Second % 5] = (TimeFields.Second % 26) + 'A';
	}
}


3.7 根据进程文件名获取进程信息

[C++] 纯文本查看 复制代码
Bool GetProcessInfoByFileName(char* FileName, PVOID Buffer,int Size)
{
	ULONG InfoLen;
	PVOID Modules;
	NTSTATUS status;
	BOOL Find = FALSE;
	ZwQuerySystemInformation(SystemModuleInformation,&InfoLen,0,&InfoLen);
	modules = ExAllocatePool(PagedPool,InfoLen);
	If(!modules)
		Return FALSE;
	status = ZwQuerySystemInformation(SystemModuleInformation, modules,InfoLen);
	If(NT_SUCCESS(status))
	{
		For(int i=0;i<modules-> NumberOfModules;i++)
		{
			Int offset = modules->Modules[i].OffsetToFileName;
			If(!stricmp(modules->Modules[i].FullPathName[offset],FileName)
			{
				Memcpy(Buffer, &modules->Modules[i],Size);
				Find = TRUE;
				Break;
			}
		}
}
ExFreePool(modules);
Return FALSE;
}

3.8 两种方式调用内核函数

法一:以ZwQueryVirtualMemory为例
UNICODE_STRING FuncName;
FARPROC fZwQueryVirtualMemory;
RtiInitUnicodeString(&FuncName, L”ZwQueryVirtualMemory”);
fZwQueryVirtualMemory = MmGetSystemRoutineAddress(&FuncName);

法二:
RTL_PROCESS_MODULE_INFORMATION ImageInfo;
RtlZeroMemory(&ImageInfo,sizeof(ImageInfo));
If(GetProcessInfoByFileName(“ntdll.dll”,&ImageInfo,sizeof(ImageInfo)))
NtQueryVirtualMemorySSDTIndex = GetSSDTApiIndex(ImageInfo.ImageBase,"NtQueryVirtualMemory");

用法:
ZwQueryVirtualMemoryEx(...)
{
        _asm
        {
                Push ebp
                Mov ebp,esp
                Mov eax, fZwQueryVirtualMemory
                Test eax,eax
                Jz $+3
                Pop ebp
                Jmp eax
                Cmp NtQueryVirtualMemorySSDTIndex,-1
                Jz $+6
                Pop ebp
                Jmp TAG
                Mov eax,C0000001h
                Pop ebp
                Retn 18h
TAG:
                Mov eax, NtQueryVirtualMemorySSDTIndex
                Lea edx,dword ptr [esp+4]
                Int 2Eh
                Retn 18h
        }
}

判断一段地址有效性
BOOLEAN  CheckAddressValid(PVOID VirtualAddress, int Length)
{
        int result;
        if ( VirtualAddress )
                result = MmIsAddressValid(VirtualAddress) && MmIsAddressValid(VirtualAddress + Length);
        else
                result = 0;
        return result;
}

3.9 获取对象类型
[C++] 纯文本查看 复制代码
POBJECT_TYPE GetTypeFromObject(PVOID Object)
{//从对象获取对象类型
	UNICODE_STRING UObGetObjectType;
	POBJECT_TYPE ObjectType;
	RtlInitUnicodeString(&UObGetObjectType,L"ObGetObjectType");
	PVOID ObGetObjectType = MmGetSystemRoutineAddress(&UObGetObjectType);
	if(ObGetObjectType)
	{
		ObjectType = ((POBJECT_TYPE (__stdcall*)(PVOID ))ObGetObjectType)(Object);
	}
	else//Vista以前
	{
		ObjectType = ((OBJECT_HEADER*)OBJECT_TO_OBJECT_HEADER(Object))->Type;
	}
}

3.10 基础库功能——检测腾讯程序合法性
对当加载驱动的进程进行md5校验,如果校验失败则拒绝加载
从\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TSKSP\\InstallDir获取q管安装目录

[C++] 纯文本查看 复制代码
void CheckTsFileValid(PEPROCESS Process)
{
	NTSTATUS status;
	const int BufSize = 522;
	WCHAR CurProcFileDosName[260];
	WCHAR* FileDosName = (WCHAR*)ExAllocatePool(NonPagedPool,BufSize);
	WCHAR* FileFullName = (WCHAR*)ExAllocatePool(NonPagedPool,520);
	if(FileDosName && FileFullName)
	{
		memset(FileDosName,0,BufSize);
		if(GetProcessDosPathByObject(Process,FileDosName,520))
		{
			status = GetProcessNameById(PsGetCurrentProcessId(),CurProcFileDosName,520);
			if(NT_SUCCESS(status) && !wcsicmp(CurProcFileDosName,FileDosName))
			{
				UNICODE_STRING UFileFullName;
				OBJECT_ATTRIBUTES oa;
				HANDLE FileHandle;
				IO_STATUS_BLOCK IoStatusBlock;
				RtlZeroMemory(FileFullName,520);
				wnsprintfW(FileFullName,259,L"\\??\\%ws",FileDosName);
				InitializeObjectAttributes(&oa,FileFullName,OBJ_CASE_INSENSITIVE |OBJ_KERNEL_HANDLE,NULL,NULL);
				status = IoCreateFile(&FileHandle,GENERIC_READ | SYNCHRONIZE,&oa,&IoStatusBlock,NULL,FILE_ATTRIBUTE_NORMAL,
					FILE_SHARE_READ,FILE_OPEN,FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,NULL,0,CreateFileTypeNone,
					NULL,IO_NO_PARAMETER_CHECKING);
				if(NT_SUCCESS(status))
				{
					FILE_STANDARD_INFORMATION FileInformation;
					status = ZwQueryInformationFile(FileHandle,&IoStatusBlock,&FileInformation,sizeof(FileInformation),FileStandardInformation);
					if(NT_SUCCESS(status) && FileInformation.EndOfFile.LowPart < 0xA00000)
					{
						PVOID Buffer = ExAllocatePool(NonPagedPool,FileInformation.EndOfFile.LowPart);
						if(Buffer)
						{
							status = ZwReadFile(FileHandle,NULL,NULL,NULL,&IoStatusBlock,Buffer,FileInformation.EndOfFile.LowPart,NULL,NULL);
							if(NT_SUCCESS(status) && CheckNtImageValid(Buffer))
							{
								ULONG SecretDataOffset = *(ULONG*)((PIMAGE_DOS_HEADER)Buffer)->e_res2;
								/************************************************************************/
								/* 下面将Buffer+SecretDataOffset处的128字节数据进行md5校验,原始数据如下*/
								// b8 92 77 ac 41 ee 20 b1-0d 0c ce d7 a2 95 b3 96
								// 46 3f 16 ba 72 4d b9 df-2c 2f a5 f9 d2 63 3c 35
								// 06 45 a2 dc bf 5c a7 6f-89 d5 45 e2 2b db 30 75
								// d3 76 93 84 9b fc e4 62-ed 21 d5 6a db 90 84 df
								// fc 1f ba 07 8d fd 7f 6d-f8 67 41 34 cc f3 e2 4a
								// 04 73 8b 8a f6 7c 2c d5-10 21 cf 25 80 18 fc be
								// 9f 5f c8 ea 47 c8 95 5a-79 07 be 54 9c 0d 12 36
								// 0c f6 9a e6 71 0d c1 27-29 c2 9d e8 7e f0 b7 05
								/************************************************************************/
								//.........................省略md5计算过程
							}
							ExFreePool(Buffer);
						}
					}
					ZwClose(FileHandle);
				}
			}
		}
	}
	if(FileDosName)
		ExFreePool(FileDosName);
	if(FileFullName)
		ExFreePool(FileFullName);
}

3.11 解锁文件
设置文件属性为FILE_ATTRIBUTE_NORMAL
执行IopCloseFile  IRP_MJ_LOCK_CONTROL IRP_MN_UNLOCK_ALL
从句柄表中找到所有文件对象,如果路径匹配则关闭句柄CmCloseHandle

[C++] 纯文本查看 复制代码
typedef NTSTATUS EndSetFileAttributes ( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context )
{
	Irp->UserIosb->Status = Irp->IoStatus.Status;
	Irp->UserIosb->Information = Irp->IoStatus.Information;
	KeSetEvent(Irp->UserEvent, 0, FALSE);
	IoFreeIrp(Irp);
	return STATUS_MORE_PROCESSING_REQUIRED;
}

NTSTATUS ResetFileAttributes(HANDLE FileHandle)
{
	NTSTATUS status;
	PDEVICE_OBJECT pDevObj = NULL;
	PIRP pIrp = NULL;
	KEVENT Event;
	IO_STATUS_BLOCK ios = {0};
	FILE_BASIC_INFORMATION BasicInfo;
	PIO_STACK_LOCATION IrpSp;
	status = ObReferenceObjectByHandle(FileHandle,0,*IoFileObjectType,KernelMode,&FileObject,NULL);
	if(NT_SUCCESS(status))
	{
		pDevObj = IoGetRelatedDeviceObject(FileObject);//穿透
		pIrp = IoAllocateIrp(pDevObj->StackSize,TRUE);
		if(pIrp)
		{
			KeInitializeEvent(&Event,SynchronizationEvent,FALSE);
			RtlZeroMemory(&BasicInfo,sizeof(BasicInfo));
			BasicInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL;
			pIrp->AssociatedIrp.SystemBuffer = (PVOID)&BasicInfo;
			pIrp->UserEvent = &Event;
			pIrp->UserIosb = &ios;
			pIrp->Tail.Overlay.OriginalFileObject = FileObject;
			pIrp->Tail.Overlay.Thread = KeGetCurrentThread();
			pIrp->RequestorMode = 0;
			IrpSp = IoGetNextIrpStackLocation( pIrp );
			IrpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
			IrpSp->DeviceObject = pDevObj;
			IrpSp->FileObject = FileObject;
			IrpSp->Parameters.SetFile.Length = sizeof(BasicInfo);
			IrpSp->Parameters.SetFile.FileInformationClass = FileBasicInformation;
			IrpSp->Parameters.SetFile.FileObject = FileObject;
			IrpSp->CompletionRoutine = EndSetFileAttributes;
			IrpSp->Context = NULL;
			IrpSp->Control = SL_INVOKE_ON_CANCEL|SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR;
			IoCallDriver(pDevObj,Irp);
			KeWaitForSingleObject(&Event,0,KernelMode,FALSE,NULL);
			ObDereferenceObject(FileObject);
		}
		else
		{
			status = STATUS_INSUFFICIENT_RESOURCES;
		}
	}
	if ( FileObject )
		ObDereferenceObject(FileObject);
	return status;
}

void UnlockFileThread(PVOID StartContext)
{
	CmpSetHandleProtection(&Ohfi,FALSE);
	if(StartContext)
		NtClose(StartContext);
	PsTerminateSystemThread(0);
}

void TryUnlockFile(PFILE_OBJECT FileObject)
{
	SYSTEM_HANDLE_INFORMATION HandleInformation1;
	ULONG RetLen = 0;
	PVOID Buffer;
	ZwQuerySystemInformation(SystemHandleInformation,&HandleInformation1,sizeof(HandleInformation1),&RetLen);
	if(RetLen)
	{
		POBJECT_NAME_INFORMATION ObjectNameInfo1 = (POBJECT_NAME_INFORMATION)ExAllocatePool(NonPagedPool,2056);
		POBJECT_NAME_INFORMATION ObjectNameInfo2 = (POBJECT_NAME_INFORMATION)ExAllocatePool(NonPagedPool,2056);
		ObjectNameInfo1->Name.Length = 2048;
		ObjectNameInfo2->Name.Length = 2048;
		Buffer = ExAllocatePool(PagedPool,RetLen+4096);

		status = ObQueryNameString(FileObject,ObjectNameInfo2,ObjectNameInfo2->Name.Length,&RetLen);
		if(NT_SUCCESS(status) && Buffer && ObjectNameInfo1)
		{
			status = ZwQuerySystemInformation(SystemHandleInformation,Buffer,RetLen+4096,&RetLen);
			if(NT_SUCCESS(status))
			{
				UCHAR ObjectTypeIndex = 0;
				PSYSTEM_HANDLE_INFORMATION HandleInformation2 = (PSYSTEM_HANDLE_INFORMATION)Buffer;
				for(int i=0;i<HandleInformation2->NumberOfHandles;i++)
				{
					if(HandleInformation2->Handles[i].Object == FileObject)
					{
						ObjectTypeIndex = HandleInformation2->Handles[i].ObjectTypeIndex;
						Break;
					}
				}
				if(ObjectTypeIndex)
				{
					for(int i=0;i<HandleInformation2->NumberOfHandles;i++)
					{
						if(HandleInformation2->Handles[i].ObjectTypeIndex == ObjectTypeIndex)
						{
							CLIENT_ID ClientId;
							HANDLE TargetProcessHandle = NULL;
							HANDLE CurrentProcessHandle = NULL;
							HANDLE TargetHandle = NULL;
							PVOID TargetFileObject = NULL;
							OBJECT_ATTRIBUTES oa;
							ULONG RetLen;
							InitializeObjectAttributes(&oa,NULL,OBJ_CASE_INSENSITIVE |OBJ_KERNEL_HANDLE,NULL,NULL);
							ClientId.UniqueProcess = HandleInformation2->Handles[i].UniqueProcessId;
							ClientId.UniqueThread = 0;
							status = ZwOpenProcess(&CurrentProcessHandle,PROCESS_ALL_ACCESS, &oa, &ClientId);
							if(NT_SUCCESS(status))
							{
								InitializeObjectAttributes(&oa,NULL,OBJ_CASE_INSENSITIVE |OBJ_KERNEL_HANDLE,NULL,NULL);
								ClientId.UniqueProcess = PsGetCurrentProcessId();
								ClientId.UniqueThread = 0;
								status = ZwOpenProcess(&TargetProcessHandle,PROCESS_ALL_ACCESS, &oa, &ClientId);
								if(NT_SUCCESS(status))
								{//从引用到该对象的进程复制一份句柄到当前进程
									status = ZwDuplicateObject(CurrentProcessHandle,HandleInformation2->Handles[i].HandleValue,TargetProcessHandle,&TargetHandle,0,0,DUPLICATE_SAME_ACCESS);
									if(NT_SUCCESS(status) && TargetHandle)
									{
										status = ObReferenceObjectByHandle(TargetHandle,GENERIC_READ,IoFileObjectType,0,&TargetFileObject,0);
										if(NT_SUCCESS(status) && MmIsAddressValid(TargetFileObject) && TargetFileObject->DeviceObject->DeviceType == FILE_DEVICE_DISK)
										{
											status = ObQueryNameString(TargetFileObject,ObjectNameInfo1,ObjectNameInfo1->Name.Length,&RetLen);
											if(NT_SUCCESS(status))
											{
												__try
												{
													if(RtlEqualUnicodeString(ObjectNameInfo1,ObjectNameInfo2,TRUE))
													{
														PEPROCESS Process = NULL;
														KAPC_STATE ApcState;
														HANDLE ProcessId = HandleInformation2->Handles[i].UniqueProcessId;
														HANDLE ObjectHandle = HandleInformation2->Handles[i].HandleValue;
														OBJECT_HANDLE_FLAG_INFORMATION Ohfi;
														if(ProcessId != 0 && ProcessId != 4 && ProcessId != 8)
														{
															status = PsLookupProcessByProcessId(ProcessId,&Process);
															if(NT_SUCCESS(status))
															{
																KeStackAttachProcess(Process,&ApcState);
																CmpSetHandleProtection(&Ohfi,FALSE);
																ZwClose(ObjectHandle);
																KeUnstackDetachProcess(&ApcState);
																if(Process)
																{
																	ObDereferenceObject(Process);
																	Process = NULL;
																}
															}
														}
													}
													else
													{
														HANDLE ThreadHandle = DecodeKernelHandle(HandleInformation2->Handles[i].HandleValue);
														PsCreateSystemThread(&ThreadHandle,THREAD_ALL_ACCESS,NULL,NULL,NULL,UnlockFileThread,ThreadHandle);
														ZwWaitForSingleObject(ThreadHandle,FALSE,NULL);
														ZwClose(ThreadHandle);
													}
												}
												__finally
												{
												}
											}
										}
									}
								}
							}


							if (TargetProcessHandle)
							{
								ZwClose(TargetProcessHandle);
								TargetProcessHandle = 0;
							}
							if ( CurrentProcessHandle )
							{
								ZwClose(CurrentProcessHandle);
								CurrentProcessHandle = 0;
							}
							if ( TargetHandle )
							{
								ZwClose(TargetHandle);
								TargetHandle = 0;
							}
							if ( TargetFileObject )
							{
								ObfDereferenceObject(TargetFileObject);
								TargetFileObject = 0;
							}
						}
					}
				}
			}
		}
		if(Buffer)
			ExFreePool(Buffer);
		if(ObjectNameInfo1)
			ExFreePool(ObjectNameInfo1);
		if(ObjectNameInfo2)
			ExFreePool(ObjectNameInfo2);
	}
}

NTSTATUS UnlockFile(PUNICODE_STRING FileDosPath)
{
	IO_STATUS_BLOCK IoStatusBlock = {0};
	OBJECT_ATTRIBUTES oa;
	NTSTATUS status;
	HANDLE FileHandle = NULL;
	PFILE_OBJECT FileObject = NULL;
	InitializeObjectAttributes(&oa,FileDosPath,OBJ_CASE_INSENSITIVE |OBJ_KERNEL_HANDLE,NULL,NULL);
	//穿透IopCreateFile得到FileHandle
	status = ResetFileAttributes(FileHandle);
	if(NT_SUCCESS(status) )
	{
		status = ObReferenceObjectByHandle(FileHandle,0,*IoFileObjectType,KernelMode,&FileObject,NULL);
		if(NT_SUCCESS(status))
		{
			IopDeleteFile(FileObject);
			TryUnlockFile(FileObject);
			FileHandle = NULL;
			ObDereferenceObject(FileObject);
		}
	}
	else if(status == STATUS_DELETE_PENDING)
	{
		TryUnlockFile(FileObject);
		status = STATUS_SUCCESS;
		FileHandle = NULL;
	}
	if(FileHandle)
		ZwClose(FileHandle);
	return status;
}


266

主题

438

帖子

4597

积分

用户组: 真·技术宅

UID
2
精华
61
威望
147 点
宅币
3435 个
贡献
125 次
宅之契约
0 份
在线时间
593 小时
注册时间
2014-1-25
 楼主| 发表于 2015-9-27 13:12:14 | 显示全部楼层
五、        获取ObjectInitializer
获取RegObjectInitializer:
1.        获取操作系统版本并转化为数组下标[0-9]
2.        获取\\Registry\\Machine\\SYSTEM对应KeyObject,得到其POBJECT_TYPE,判断是否为”Key”类型
3.        获取Ntos地址,获取CmpKeyObjectType的ParseProcedure,检测是否在Ntos中
4.        获取PCM_KEY_BODY->KeyControlBlock-> KeyHive的偏移,为获取GetCellRoutine
5.        Hook GetCellRoutine为NewGetCellRoutine
6.        创建线程依次执行ZwSetValueKey ZwQueryValueKey ZwEnumerateValueKey ZwEnumerateKey ZwDeleteValueKey ZwDeleteKey,触发GetCellRoutine
7.        NewGetCellRoutine中在回溯栈中查找对应Zw*匹配机器码,符合则取得相应Cm*地址
8.        解除Hook

获取DriverObjectInitializer和DeviceObjectInitializer:
1.        获取操作系统版本并转化为数组下标[0-9]
2.        获取DriverObject,得到其POBJECT_TYPE,判断是否为”Device”类型
3.        分别获取DriverObjectType和DeviceObjectType的ObjectInitializer

VersionIndex对照表
major   minor   build   out
*       *               10
5       1               1
5       2               2/3
5       *               10
6       0               4
6       1               5
6       2       8102    7
6       2       9200    8
6       2       *       10      
6       3       9600    9
6       3       *       10  

4.1 获取注册表OBJECT_TYPE,匹配对象类型
  使用\\Registry\\Machine\\SYSTEM注册表对象
[C++] 纯文本查看 复制代码
POBJECT_TYPE GetRegKeyType()
{
	UNICODE_STRING RegPath,FuncName;
	OBJECT_ATTRIBUTES Oa;
	HANDLE KeyHandle = NULL;
	ULONG Disposition;
	PCM_KEY_BODY KeyBody;
	POBJECT_TYPE ObjType = NULL;
	FARPROC ObGetObjectType;
	NTSTATUS status;
	RtlInitUnicodeString(&RegPath,L"\\Registry\\Machine\\SYSTEM");
	InitializeObjectAttributes(&Oa,&RegPath,ExGetPreviousMode() != KernelMode?OBJ_CASE_INSENSITIVE :
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);		
	status = ZwCreateKey(&KeyHandle,KEY_QUERY_VALUE,&Oa,0,NULL,REG_OPTION_NON_VOLATILE,&Disposition);
	if(NT_SUCCESS(status))
	{
		status = ObReferenceObjectByHandle(KeyHandle,GENERIC_READ,NULL,KernelMode,&KeyBody,NULL);
		if(NT_SUCCESS(status))
		{
			RtlInitUnicodeString(&FuncName,L"ObGetObjectType");
			ObGetObjectType = MmGetSystemRoutineAddress(&FuncName);
			if(ObGetObjectType)
			{
				ObjType = ((POBJECT_TYPE (__stdcall*)(PVOID))ObGetObjectType)(KeyBody);
			}
			else if(VersionIndex < 5)//win7 之前
			{
				ObjType = ((OBJECT_HEADER*)OBJECT_TO_OBJECT_HEADER(Object))->Type;
			}
			ObDereferenceObject(KeyBody);
		}
		ZwClose(KeyHandle);
	}
	return ObjType;
}

typedef struct _OBJECT_TYPE_XP
{
	ERESOURCE Mutex;
	LIST_ENTRY TypeList;
	UNICODE_STRING Name;  
	PVOID DefaultObject;
	ULONG Index;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
	OBJECT_TYPE_INITIALIZER TypeInfo;
	ERESOURCE ObjectLocks[ OBJECT_LOCK_COUNT ];
} OBJECT_TYPE_XP, *POBJECT_TYPE_XP;

typedef struct _OBJECT_TYPE_WIN7
{
	LIST_ENTRY TypeList;
	UNICODE_STRING Name;
	PVOID DefaultObject;
	ULONG Index;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
	OBJECT_TYPE_INITIALIZER TypeInfo;
	EX_PUSH_LOCK TypeLock;
	ULONG Key;
	LIST_ENTRY CallbackList;
} OBJECT_TYPE_WIN7, *POBJECT_TYPE_WIN7;

BOOLEAN CmpRegKeyType(POBJECT_TYPE ObjType)
{
	UNICODE_STRING ObjTypeName;
	RtlInitUnicodeString(&ObjTypeName,L"Key");
	PUNICODE_STRING SrcTypeName;
	if(VersionIndex >= 1 && VersionIndex <= 3)//xp 2000
	{
		POBJECT_TYPE_XP _ObjType = (POBJECT_TYPE_XP)ObjType;
		if(!IsAddressRegionValid(&_ObjType->Name,sizeof(UNICODE_STRING)))
			return FALSE;
		SrcTypeName = &ObjType->Name;
	}
	else if(VersionIndex >= 4 && VersionIndex <= 9)//vista及之后
	{
		POBJECT_TYPE_WIN7 _ObjType = (POBJECT_TYPE_WIN7)ObjType;
		if(!IsAddressRegionValid(&_ObjType->Name,sizeof(UNICODE_STRING)))
			return FALSE;
		SrcTypeName = &ObjType->Name;
	}
	else
	{
		return FALSE;
	}
	if(IsAddressRegionValid(SrcTypeName->Buffer,SrcTypeName->Length))
		return RtlCompareUnicodeString(&ObjTypeName,SrcTypeName,TRUE) == 0;
	return FALSE;
}

4.2获取ParseProcedure

[C++] 纯文本查看 复制代码
FARPROC RegObjectInitialzer[6];
FARPROC FileObjectInitialzer[6];
// 0 CloseProcedure
// 1 DeleteProcedure
// 2 ParseProcedure
// 3 SecurityProcedure
// 4 QueryNameProcedure
// 5 OpenProcedure

BOOLEAN GetParseProcedure(POBJECT_TYPE ObjectType)
{
	PVOID modules;
	ULONG InfoLen = 0;
	OB_PARSE_METHOD Proc = NULL;
	ULONG_PTR NtosBegin = 0;
	ULONG_PTR NtosEnd = 0;
	RtlZeroMemory(RegObjectInitialzer,sizeof(RegObjectInitialzer));
	if(!ObjectType)
		return FALSE;
	ZwQuerySystemInformation(SystemModuleInformation,&InfoLen,0,&InfoLen);
	if(InfoLen == 0)
		return FALSE;
	modules = ExAllocatePool(PagedPool,InfoLen);
	if(!modules)
		return FALSE;
	status = ZwQuerySystemInformation(SystemModuleInformation,modules,&InfoLen);
	if(NT_SUCCESS(status) && modules->NumberOfModules)
	{
		NtosBegin = modules->Modules[0].ImageBase;
		NtosEnd = NtosBegin + modules->Modules[0].ImageSize;
		if(VersionIndex >= 1 && VersionIndex <= 3)//xp 2000
		{
			POBJECT_TYPE_XP _ObjType = (POBJECT_TYPE_XP)ObjType;
			Proc = _ObjType->TypeInfo.ParseProcedure;
		}
		else if(VersionIndex >= 4 && VersionIndex <= 9)//vista及之后
		{
			POBJECT_TYPE_WIN7 _ObjType = (POBJECT_TYPE_WIN7)ObjType;
			Proc = _ObjType->TypeInfo.ParseProcedure;
		}
	}
	ExFreePool(Modules);
	if(Proc && Proc >= NtosBegin && Proc <= NtosEnd)
	{
		RegObjectInitialzer[2] = Proc;
		return TRUE;
	}
	else
	{
		return FALSE;
	}
}

4.3 获取GetCellRoutine偏移,Hook GetCellRoutine
[C++] 纯文本查看 复制代码
BOOLEAN GetCellRoutineOffset()
{
  ULONG result = 0;
  switch ( VersionIndex )
  {
    case WIN2000:
    case WINXP:
    case WINXPSP3:
    case WINVISTA:
    case 6:
      CellRoutineOffset = 16;
      Return true;
    case WIN7:
    case WIN8:
    case WIN8_1:
    case WIN10:
      CellRoutineOffset = 20;
	Return true;
    default:
      return result;
  }
  return result;
}



4.4 Hook和UnHook GetCellRoutine

[C++] 纯文本查看 复制代码
volatile ULONG HookCellRoutineRefCount = 0;
volatile ULONG EnterCellRoutineRefCount = 0;
ULONG_PTR OldGetCellRoutine = 0;
BOOLEAN IsGetCell = FALSE;
ULONG_PTR pGetCellRoutine = 0;

BOOLEAN HookCellRoutine(BOOLEAN Hook)
{

	OBJECT_ATTRIBUTES Oa;
	UNICODE_STRING RegPath;
	NTSTATUS status;
	HANDLE KeyHandle = NULL;
	PCM_KEY_BODY KeyBody = NULL;
	BOOLEAN success = FALSE;

	while(InterlockedCompareExchange(&HookCellRoutineRefCount,1,0))//同步
	{
		LARGE_INTEGER Interval;
		Interval.QuadPart = -10000i64 * 100;
		KeDelayExecutionThread(KernelMode,FALSE,&Interval);
	}

	if(Hook)
	{
		if((CellRoutineBit & 0x111111) == 0x111111)
		{
			RtlInitUnicodeString(&RegPath);
			InitializeObjectAttributes(&Oa,&RegPath,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
			status = ZwOpenKey(&KeyHandle,KEY_ALL_ACCESS,&Oa);
			if(NT_SUCCESS(status))
			{
				status = ObReferenceObjectByHandle(KeyHandle,KEY_SET_VALUE,*CmKeyObjectType,KernelMode,&KeyBody,NULL);
				if(NT_SUCCESS(status))
				{
					ULONG_PTR pGetCellRoutine = (ULONG_PTR)&((HHIVE*)((BYTE*)KeyBody->KeyControlBlock + CellRoutineOffset))->GetCellRoutine;
					OldGetCellRoutine = InterlockedExchange(pGetCellRoutine,NewGetCellRoutine);
					IsGetCell = TRUE;
					success = TRUE;
				}
			}
			if(KeyBody)
				ObReferenceObjectByHandle(KeyBody);
			if(KeyHandle)
				ZwClose(KeyHandle);
		}
	}
	else//UnHook
	{
		if(IsGetCell && OldGetCellRoutine && pGetCellRoutine)
		{
			int count = 0;
			InterlockedExchange(pGetCellRoutine,OldGetCellRoutine);
			do 
			{
				LARGE_INTEGER Interval;
				Interval.QuadPart = -10000i64 * 50;
				KeDelayExecutionThread(KernelMode,FALSE,&Interval);
				InterlockedExchange(&count,EnterCellRoutineRefCount);
			} while (count);
			OldGetCellRoutine = 0;
			pGetCellRoutine = 0;
			IsGetCell = FALSE;
			success = TRUE;
		}
	}
	InterlockedExchange(&HookCellRoutineRefCount,0);
	return success;
}

4.5 创建系统线程获取 Cm*函数





[C++] 纯文本查看 复制代码
int CmIndex;
/*
	CmQueryValueKey 0
	CmSetValueKey 1
	CmDeleteValueKey 2
	CmDeleteKey 3
	CmEnumerateKey 4
	CmEnumerateValueKey 5
*/
BOOLEAN SetCmTrap()
{//通过注册表操作触发已经Hook的ObjectInitializer
	WCHAR ValueName[] = L"100000";
	WCHAR KeyPath[] = L"\\Registry\\Machine\\SYSTEM\\00000";
	OBJECT_ATTRIBUTES Oa;
	UNICODE_STRING UKeyPath,UValueName;
	LARGE_INTEGER CurrentTime,LocalTime;
	HANDLE KeyHandle = NULL;;
	NTSTATUS status;
	DWORD RetLen;
	TIME_FIELDS TimeFields;
	ULONG Disposition;
	BOOLEAN result = FALSE;
	KeQuerySystemTime(&CurrentTime);
	ExSystemTimeToLocalTime(&CurrentTime,LocalTime);
	RtlTimeToTimeFields(&LocalTime,&TimeFields);
	ValueName[0] += TimeFields.Milliseconds % 9;
	ValueName[1] += TimeFields.Second % 8;
	ValueName[3] += TimeFields.Minute % 7;
	ValueName[4] += TimeFields.Milliseconds % 9;
	ValueName[5] += TimeFields.Second % 8;
	KeyPath[25] += TimeFields.Second % 9;
	KeyPath[26] += TimeFields.Milliseconds % 8;
	KeyPath[27] += TimeFields.Second % 7;
	KeyPath[28] += TimeFields.Milliseconds % 9;
	KeyPath[29] += TimeFields.Minute % 8;
	RtlInitUnicodeString(&UKeyPath,KeyPath);
	InitializeObjectAttributes(&Oa,UKeyPath,OBJ_CASE_INSENSITIVE |OBJ_KERNEL_HANDLE,NULL,NULL);
	status = ZwCreateKey(&KeyHandle,KEY_ALL_ACCESS,&Oa,0,NULL,REG_OPTION_NON_VOLATILE,&Disposition);
	if(NT_SUCCESS(status))
	{
		RtlInitUnicodeString(&UValueName,ValueName);
//和NewGetCellRoutine配合使用
		CmIndex = ECmSetValueKey;
		ZwSetValueKey(KeyHandle,&UValueName,0,REG_SZ,ValueName,wcslen(ValueName)+2);
		CmIndex = ECmQueryValueKey;
		ZwQueryValueKey(KeyHandle,&UValueName,KeyValuePartialInformation,NULL,0,&RetLen);
		CmIndex = ECmEnumerateValueKey;
		ZwEnumerateValueKey(KeyHandle,0,KeyValueBasicInformation,NULL,0,&RetLen);
		CmIndex = ECmEnumerateKey;
		ZwEnumerateKey(KeyHandle,0,KeyValueBasicInformation,NULL,0,&RetLen);
		CmIndex = ECmDeleteValueKey;
		ZwDeleteValueKey(KeyHandle,&UValueName);
		CmIndex = ECmDeleteKey;
		ZwDeleteKey(KeyHandle);
		result = TRUE;
	}
	CmIndex = ECmMax;
	if(KeyHandle)
		ZwClose(KeyHandle);
	return result;
}

BOOLEAN CheckAndGetCmInnerFunc(ULONG Address,int CmIndex)
{//通过回溯查找cm*地址
/*
对比call   nt!CmSetValueKey之前偏移0x25的机器码:
80619a1f 7c1f            jl      nt!NtSetValueKey+0x234 (80619a40)
80619a21 53              push    ebx
80619a22 ff7518          push    dword ptr [ebp+18h]
80619a25 ff7514          push    dword ptr [ebp+14h]
80619a28 8d45c4          lea     eax,[ebp-3Ch]
80619a2b 50              push    eax
80619a2c ff7704          push    dword ptr [edi+4]
80619a2f e88e0b0100      call    nt!CmSetValueKey (8062a5c2)

CmInnerFuncs
b2e4c640  00 00 00 00 00 00 00 00-7c 00 53 ff 75 00 ff 75  ........|.S.u..u
b2e4c650  00 8d 45 00 50 ff 77 00-01 00 00 00 02 00 00 00  ..
*/
	UCHAR Code[32];
	if(!Address || Address - 0x2F <= 0x7FFFFFFF || !IsAddressRegionValid(Address-0x2F,0x2F))
		return FALSE;
	if(CmMatchData[VersionIndex][CmIndex].CodeMask)
	{
		RtlCopyMemory(Code,Address-0x25,sizeof(Code));
		for(int i=31;i>=0;i--)
		{
			ULONG bit = CmMatchData[VersionIndex][CmIndex].CodeMask >> (31-i);
			if(bit & 1)
			{
				if(CmMatchData[VersionIndex][CmIndex].ByteCode[i] != Code[i])
					return FALSE;
			}
			else if(bit == 0)
			{
				break;
			}
			CmMatchData[VersionIndex][CmIndex].FuncAddr = Address+*(ULONG_PTR*)(Address-1);
			CellRoutineBit |= CmMatchData[VersionIndex][CmIndex].CmFlag;
			CmMatchData[VersionIndex][CmIndex].InitFlag = TRUE;
			return TRUE;
		}
	}

	return FALSE;
}

BOOLEAN GetCmFuncsByIndex(ULONG Esp,int CmIndex)
{
	if(!Esp)
		return FALSE;
	for(int i=0;i<100;i++)
	{
		if(!IsAddressRegionValid(Esp,4))
			break;
		if(Esp >= NtosBegin && Esp <= NtosEnd && CheckAndGetCmInnerFunc(Esp,CmIndex))
			return TRUE;
		Esp += 4;
	}
	return FALSE;
}

NTSTATUS __stdcall NewGetCellRoutine(HHIVE Hive,HCELL Cell)
{
	NTSTATUS status;
	ULONG_PTR _Esp = 0;
	_asm
	{
		mov _Esp,esp;
	}
	InterlockedExchangeAdd(&EnterCellRoutineRefCount,1);
	if(PsGetCurrentThreadId() == GetCmRegFuncsThreadId && CmIndex < 6)
	{
		if(CmMatchData[VersionIndex][CmIndex].InitFlag && CmMatchData[VersionIndex][CmIndex].FuncAddr)
		{
			if(!(CmMatchData[VersionIndex][CmIndex].CmFlag & CellRoutineBit))
				CellRoutineBit |= CmMatchData[VersionIndex][CmIndex].CmFlag;
		}
		else
		{
			switch(CmIndex)
			{
			case ECmQueryValueKey:
				GetCmFuncsByIndex();
				break;
			case ECmSetValueKey:
				GetCmFuncsByIndex();
				break;
			case ECmDeleteValueKey:
				GetCmFuncsByIndex();
				break;
			case ECmDeleteKey:
				GetCmFuncsByIndex();
				break;
			case ECmEnumerateKey:
				GetCmFuncsByIndex();
				break;
			case ECmEnumerateValueKey:
				GetCmFuncsByIndex();
				break;
			}

		}
	}
	status = OldGetCellRoutine(Hive,Cell);
	InterlockedExchangeAdd(&EnterCellRoutineRefCount,-1);
	return status;
}

4.6 匹配结构

用于匹配cm*函数调用周围的机器码
#define MaxVersion 10
enum
{
        ECmQueryValueKey=0,
        ECmSetValueKey,
        ECmDeleteValueKey,
        ECmDeleteKey,
        ECmEnumerateKey,
        ECmEnumerateValueKey,
        ECmMax,
        NCmQueryValueKey=1,
        NCmSetValueKey=0x10,
        NCmDeleteValueKey=0x100,
        NCmDeleteKey=0x1000,
        NCmEnumerateKey=0x10000,
        NCmEnumerateValueKey=0x100000,
};

struct CM_MATCH_DATA
{
        ULONG InitFlag;//是否初始化
        ULONG FuncAddr;//获取到的cm函数地址
        ULONG CmFlag;//cm函数类型,1~0x100000 对应于各个cm函数
        ULONG CodeMask;//32bit对应于BYTE ByteCode[32]的掩码,决定是否比较
        UCHAR ByteCode[32];//用于比较cm函数的机器码
        UCHAR ByteCode_1[8];//用于比较cm函数的机器码
};

CM_MATCH_DATA CmMatchData[MaxVersion][ECmMax]=
{
        {//NON
                {
                        0, NULL, NCmQueryValueKey, 0,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                        },
                        0, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                               
                        },
                        0, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
                        },
                        0, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
                        },
                        0, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
                        },
                        0, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
                        },
                        1, 0,
                },
        },
        {//WIN2000
                {
                        0, NULL , NCmQueryValueKey, 0x176DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C, 0x00, 0x57, 0xFF, 0x75,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x76, 0x00,
                        },
                        1, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0xBB6E,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x7C, 0x00, 0x53, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8D, 0x45, 0x00, 0x50, 0xFF, 0x77, 0x00,
                        },
                        1, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0x3DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x39, 0x75, 0xE4, 0x7C, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        1, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0x6DB6D,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x46, 0x00,
                                0xF6, 0x40, 0x00, 0x80, 0x75, 0x00, 0x8B, 0x40, 0x00, 0xF6, 0x40, 0x00, 0x80, 0x75, 0x00, 0x56,
                        },
                        1, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 1AEDB6h,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x5D, 0x00, 0x7C, 0x00,
                                0x56, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        1, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 1AEDB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x5D, 0x00, 0x7C, 0x00,
                                0x56, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        2, 0,
                },
        },
        {//WINXPSP1
                {
                        0, NULL , NCmQueryValueKey, 0x3B6DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8B, 0x7D, 0x00, 0xFF, 0x77, 0x00,
                        },
                        2, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0xBB6E,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x7C, 0x00, 0x53, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8D, 0x45, 0x00, 0x50, 0xFF, 0x76, 0x00,
                        },
                        2, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0x1DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x85, 0xF6, 0x7C, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        2, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0xDB6D,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0xF6, 0x40, 0x00, 0x80, 0x75, 0x00, 0x8B, 0x40, 0x00, 0xF6, 0x40, 0x00, 0x80, 0x75, 0x00, 0x56,
                        },
                        2, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0xEEDB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x85, 0xF6, 0x7C, 0x00, 0x53, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF,
                                0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00
                        },
                        2, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0xEEDB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x85, 0xF6, 0x7C, 0x00,
                                0x53, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        3, 0,
                },
        },
        {//WINXPSP3
                {
                        0, NULL , NCmQueryValueKey, 0x176DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C, 0x00, 0x56, 0xFF, 0x75,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        3, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0xBB6E,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x7C, 0x00, 0x53, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8D, 0x45, 0x00, 0x50, 0xFF, 0x76, 0x00,
                        },
                        3, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0x1DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x85, 0xF6, 0x7C, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        3, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0xDB6D, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0xF6, 0x40, 0x00, 0x80, 0x75, 0x00, 0x8B, 0x40, 0x00, 0xF6, 0x40, 0x00, 0x80, 0x75, 0x00, 0x56,
                        },
                        3, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0xEEDB6, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0xF6, 0x7C, 0x00,
                                0x53, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        3, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0xEEDB6, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0xF6, 0x7C, 0x00,
                                0x53, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x77, 0x00,
                        },
                        4, 0,
                },
        },
        {//WINVISTA
                {
                        0, NULL , NCmQueryValueKey, 0x1DB6DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x7C, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        4, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0x3BB6E,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0xFF,
                                0x75, 0x00, 0x56, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8D, 0x45, 0x00, 0x50, 0xFF, 0x75, 0x00,
                        },
                        4, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0x37FF6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x45,
                                0x00, 0xC1, 0xE8, 0x02, 0x25, 0x01, 0xFF, 0xFF, 0xFF, 0x50, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        4, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0x3FD,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBB, 0x22, 0x00, 0x00, 0xC0, 0x3B, 0xDE, 0x7C, 0x00, 0x57,
                        },
                        4, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0x16DBB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C, 0x00, 0xFF, 0x75, 0x00,
                                0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8B, 0x4D, 0x00,
                        },
                        4, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0x2DB76,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x00,
                                0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        5, 0,
                },
        },
        {//WIN7
                {
                        0, NULL , NCmQueryValueKey, 0x1DB6DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x7C, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        5, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0x7FBB6E,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x01, 0x0F, 0xB6, 0xC0, 0x50, 0xFF,
                                0x75, 0x00, 0x56, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8D, 0x45, 0x00, 0x50, 0xFF, 0x75, 0x00,
                        },
                        5, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0x7FF6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0xC1, 0xE8, 0x02, 0x24, 0x01, 0x0F, 0xB6, 0xC0, 0x50, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        5, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0x67E61,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x00,
                                0x00, 0x22, 0x00, 0x00, 0xC0, 0x39, 0x5C, 0x00, 0x00, 0x0F, 0x8C, 0x00, 0x00, 0x00, 0x00, 0x57,
                        },
                        5, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0x16DBB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C, 0x00, 0xFF, 0x75, 0x00,
                                0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x57, 0xFF, 0x75, 0x00, 0x8B, 0x4D, 0x00, 0x8B, 0x55, 0x00,
                        },
                        5, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0x2DB76,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x00,
                                0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        6, 0,
                },
        },
        {//??
                {
                        0, NULL , NCmQueryValueKey, 0x1DB6DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3B, 0xC7, 0x7C, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        6, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0x3BB6E,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0xFF,
                                0x75, 0x00, 0x56, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8D, 0x45, 0x00, 0x50, 0xFF, 0x75, 0x00,
                        },
                        6, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0x37FF6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x45,
                                0x00, 0xC1, 0xE8, 0x02, 0x25, 0x01, 0xFF, 0xFF, 0xFF, 0x50, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        6, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0x3FD,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBB, 0x22, 0x00, 0x00, 0xC0, 0x3B, 0xDE, 0x7C, 0x00, 0x57,
                        },
                        6, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0x16DBB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C, 0x00, 0xFF, 0x75, 0x00,
                                0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8B, 0x4D, 0x00,
                        },
                        6, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0x2DB76,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x00,
                                0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        7, 0,
                },
        },
        {//WIN8
                {
                        0, NULL , NCmQueryValueKey, 0x1DA7A6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x78, 0x00, 0xFF,
                                0x75, 0x00, 0xFF, 0x75, 0x00, 0x56, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        7, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0xFFFB6E,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC1, 0xE8, 0x02, 0x24, 0x01, 0x0F, 0xB6, 0xC0,
                                0x50, 0x56, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8D, 0x45, 0x00, 0x50, 0xFF, 0x75, 0x00,
                        },
                        7, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0x1FFDB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC1, 0xE8, 0x02, 0x24, 0x01,
                                0x0F, 0xB6, 0xC0, 0x50, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        7, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0x3FD,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBB, 0x22, 0x00, 0x00, 0xC0, 0x85, 0xDB, 0x78, 0x00, 0x56,
                        },
                        7, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0x7DB6DB6,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0xF0, 0x85, 0xF6, 0x78, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8B, 0x45, 0x00,
                        },
                        7, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0x36DB76,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7D, 0x00, 0x00, 0x75, 0x00,
                                0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x57, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        8, 0,
                },
        },
        {//WIN8.1
                {
                        0, NULL , NCmQueryValueKey, 0x786DBE,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x0F, 0x85, 0x00, 0x00, 0x00,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x56, 0x57, 0x53, 0xFF, 0x75, 0x00,
                        },
                        8, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0xE1F76DD,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x04, 0x0F, 0x85, 0x00, 0x00, 0x00, 0x00, 0x33, 0xC0, 0x50, 0xFF, 0x75,
                                0x00, 0x56, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x8D, 0x45, 0x00, 0x50, 0x8B, 0x5D, 0x00, 0x53,
                        },
                        8, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0x1B87FB76,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x5D, 0x00, 0x0F, 0xB6, 0x85, 0x00, 0x00, 0x00, 0x00, 0xC1, 0xE8, 0x02,
                                0x83, 0xE0, 0x01, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x50, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00,
                        },
                        8, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0xF0F879C,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x85, 0xC0, 0x0F,
                                0x84, 0x00, 0x00, 0x00, 0x00, 0x33, 0xDB, 0x8B, 0x74, 0x00, 0x00, 0x56, 0x88, 0x5C, 0x00, 0x00,
                        },
                        8, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0x37876DBB,
                        {
                                0x00, 0x00 ,0x8B, 0x75, 0x00, 0x85, 0xDB, 0x0F, 0x88, 0x00, 0x00, 0x00, 0x00, 0x57, 0xFF, 0x75,
                                0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0xFF, 0x75, 0x00, 0x56, 0x8B, 0x7D, 0x00, 0x8B, 0xC7,
                        },
                        8, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0x3F0EEDDD,
                        {
                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0xF6, 0x0F, 0x85, 0x00, 0x00, 0x00, 0x00,
                                0x57, 0xFF, 0x75, 0x00, 0x53, 0xFF, 0x75, 0x00, 0x8B, 0x5D, 0x00, 0x53, 0x8B, 0x7D, 0x00, 0x57,
                        },
                        9, 0,
                },
        },
        {//WIN10
                {
                        0, NULL , NCmQueryValueKey, 0xFFFFFFFF,
                        {
                                0x00, 0x00, 0x85, 0xF6, 0x0F, 0x85, 0x0A, 0xD7, 0x10, 0x00, 0x8B, 0x7D, 0xB8, 0xFF, 0x75, 0xCC,
                                0xFF, 0x75, 0xC8, 0xFF, 0x75, 0xB4, 0x53, 0x57, 0x8B, 0x5D, 0x10, 0x8B, 0xD3, 0x8B, 0x4D, 0xBC
                        },
                        9, 1,
                },
                {
                        0, NULL, NCmSetValueKey, 0xFFFFFFFF,
                        {
                                0x5D, 0xCB, 0x0F, 0xB6, 0x85, 0x74, 0xFF, 0xFF, 0xFF, 0xC1, 0xE8, 0x02, 0x83, 0xE0, 0x01, 0x50,
                                0xFF, 0x75, 0x88, 0x57, 0xFF, 0x75, 0xAC, 0xFF, 0x75, 0x14, 0x8D, 0x55, 0xB8, 0x8B, 0x4D, 0xB4
                        },
                        9, 2,
                },
                {
                        0, NULL, NCmDeleteValueKey, 0xFFFFFFFF,
                        {
                                0xC4, 0x0D, 0x00, 0x88, 0x5D, 0xCB, 0x0F, 0xB6, 0x85, 0x7C, 0xFF, 0xFF, 0xFF, 0xC1, 0xE8, 0x02,
                                0x83, 0xE0, 0x01, 0xFF, 0x75, 0xBC, 0xFF, 0x75, 0xB8, 0x50, 0x8B, 0x55, 0xA8, 0x8B, 0x4D, 0xB4
                        },
                        9, 3,
                },
                {
                        0, NULL, NCmDeleteKey, 0xFFFFFFFF,
                        {
                                0x01, 0x00, 0x00, 0x40, 0x66, 0x89, 0x81, 0x3C, 0x01, 0x00, 0x00, 0x66, 0x85, 0xC0, 0x0F, 0x84,
                                0x9E, 0x00, 0x00, 0x00, 0x33, 0xDB, 0x8B, 0x74, 0x24, 0x10, 0x8B, 0xCE, 0x88, 0x5C, 0x24, 0x2C
                        },
                        9, 4,
                },
                {
                        0, NULL, NCmEnumerateKey, 0xFFFFFFFF,
                        {
                                0xE8, 0x5A, 0xB1, 0xFF, 0xFF, 0x8B, 0xF0, 0x85, 0xF6, 0x78, 0x1C, 0xFF, 0x75, 0xB8, 0xFF, 0x75,
                                0x18, 0xFF, 0x75, 0xBC, 0xFF, 0x75, 0x10, 0xFF, 0x75, 0x0C, 0x8B, 0x55, 0xC4, 0x8B, 0x4D, 0xC8
                        },
                        9, 5,
                },
                {
                        0, NULL, NCmEnumerateValueKey, 0xFFFFFFFF,
                        {
                                0x8B, 0xF0, 0x85, 0xF6, 0x78, 0x21, 0x8B, 0x4D, 0xCC, 0x83, 0x7D, 0xC8, 0x00, 0x0F, 0x85, 0x84,
                                0xCA, 0x0D, 0x00, 0xFF, 0x75, 0xC0, 0xFF, 0x75, 0x18, 0xFF, 0x75, 0xC4, 0x57, 0x8B, 0x55, 0x0C
                        },
                        10, 0,
                },
        },
};

4.7 获取DeviceObject对象类型
[C++] 纯文本查看 复制代码
POBJECT_TYPE GetDeviceObjectType()
{
	UNICODE_STRING UAcpi;
	UNICODE_STRING UFilePath;
	NTSTATUS status;
	PDRIVER_OBJECT pDrvObj = NULL;
	PDEVICE_OBJECT pDevObj = NULL;
	HANDLE FileHandle = NULL;
	POBJECT_TYPE ObjectType = NULL;
	RtlInitUnicodeString(&UAcpi,L"\\Driver\\ACPI");
	status = ObReferenceObjectByName(&UAcpi,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,NULL,0,*IoDriverObjectType,KernelMode,NULL,&pDrvObj);
	if(NT_SUCCESS(status) && pDrvObj && pDrvObj->DeviceObject)
	{
		pDevObj = pDrvObj->DeviceObject;
	}
	if(pDevObj)
	{
		ObjectType = (POBJECT_TYPE)((PUCHAR)pDevObj-16);
	}
	if(pDrvObj)
	{
		ObDereferenceObject(pDrvObj);
		pDrvObj = NULL;
	}
	if(FileHandle)
	{
		ZwClose(FileHandle);
		FileHandle = NULL;
	}
	return ObjectType;
}

0

主题

13

帖子

90

积分

用户组: 小·技术宅

UID
965
精华
0
威望
0 点
宅币
77 个
贡献
0 次
宅之契约
0 份
在线时间
6 小时
注册时间
2015-7-18
发表于 2015-9-27 13:32:33 | 显示全部楼层
这个是咋分析出了的?也忒牛了吧?

34

主题

133

帖子

6946

积分

用户组: 管理员

UID
77
精华
11
威望
112 点
宅币
6405 个
贡献
129 次
宅之契约
0 份
在线时间
91 小时
注册时间
2014-2-22
发表于 2015-9-27 13:47:38 | 显示全部楼层
好帖!
回复

使用道具 举报

266

主题

438

帖子

4597

积分

用户组: 真·技术宅

UID
2
精华
61
威望
147 点
宅币
3435 个
贡献
125 次
宅之契约
0 份
在线时间
593 小时
注册时间
2014-1-25
 楼主| 发表于 2015-10-2 15:17:20 | 显示全部楼层
TsFltMgr.sys 深度分析

TsFltMgr.sys分析报告
        该驱动为qq管家函数过滤驱动,提供SSDT、SSSDT、进程和线程回调等过滤操作,导出接口给TsKsp.sys使用,2者共同做函数过滤操作,TsFltMgr提供设置函数过滤的框架,而实际拦截过程在TsKsp中。设备名\\Device\\TsFltMgr ,符号名\\DosDevices\\TsFltMgr 。加密手段:Rabbit算法、MD5算法。通过InlineHook KifastCallEntry实现挂钩。
目录
TsFltMgr.sys分析报告        1
一、        驱动入口DriverEntry        2
1.1 过滤模型        3
1.2 检查当前系统是否为默认挂钩系统        3
1.3 打开TsFltMgr日志记录        4
1.4 控制信息        4
1.5 全局表        4
1.6 Proxy*函数模型        19
二、        驱动接口Interface        22
2.1 DeviceExtension接口        22
2.2 SetEvaluateTime        22
2.3 AddDisablePrevFilter        23
2.4 SetPostFilter        23
2.5 ExecOriginFromPacket        23
2.6 AddPrevFilter        23
2.7 RemovePrevFilter        24
2.8 GetCurrentHookInfo        25
2.9 GetDProxyTable        26
三、        控制码        27
四、        默认派遣例程        28
3.1 根据进程id结束进程        28
五、        基础库        29
5.1 获取注册表键值        29
5.2 通过进程名获取进程ID        31
六、        InlineHook KiFastCallEntry        32
6.1 获取SSDT/SSSDT/Hook点        33
6.2 从KiSystemService获取KiFastCallEntry        36
6.3 获取SSSDT信息        36
6.4 初始化InlineHook KiFastCallEntry跳转表        38
6.5 获取系统服务号的2种方式        41
6.6 InlineHook过程        42
6.7 构造InlineHook跳转后的执行语句        45
6.8 强制单核互斥执行指定Procedure        48
6.9 进行SSDT hook        49
6.10 对重要回调(进程回调、线程回调、映像加载回调)的挂钩        52
6.11 Hook KeUserModeCallback        54
6.12 交换内存        55
6.13 获取函数Iat偏移        55
6.14 另一种方式获取ShadowSSDT信息        56

一、        驱动入口DriverEntry
        创建\\Device\\TSSysKit设备和\\DosDevices\\TSSysKit符号链接
        设置DeviceExtension为通信接口(Interface函数指针)
        分别注册IRP_MJ_CREATE、IRP_MJ_CLOSE、IRP_MJ_DEVICE_CONTROL、IRP_MJ_SHUTDOWN(关机回调)派遣例程为,CreateCloseDispatch、DeviceIoControlDispatch、ShutdownDispatch
        注册”Boot驱动加载结束”回调DriverReinitializationRoutine
        为注册表日志记录分配资源RegLogSpace
        检查当前系统是否为注册表version键指定的系统,如果在列表中则在挂钩KiFastCallEntry时需要做额外工作
        设置注册表键IsBsod为1,用于检测该驱动是否引起蓝屏(正常关机置0)
        获取系统BuildNumber
        分配和设置”内核Api代理”结构
        挂钩KiFastCallEntry
        挂钩重要回调
        启动注册表日志记录
        挂钩KeUserModeCallback
        记录当前配置



1.1 过滤模型
















①        Ntdll.NtCreateFile通过Sysenter调用进入nt.KiFastCallEntry
②        在nt.KiFastCallEntry 执行call ebx(原始为nt.NtCreateFile)前跳到TsFltMgr. InlineKiFastCallEntry
③        执行进入TsFltMgr.HookFilter,在这里通过ServiceMapTable表映射到对应Dproxy元素,将Dproxy->ProxyNtCreateFile设置到ebx,将其设置为ebx
④        Nt.KiFastCallEntry执行call ebx,进入ProxyNtCreateFile
⑤        构造FilterPacket结构(用于承载参数、原始api和PostFilterFunc执行的所有过滤函数都用到),依次执行Dproxy->PrevFilterSlot的16个过滤函数(PrevFilter是Tsksp事先设置好的)
⑥        依次执行单个Tsksp.PrevFilter,进行真正的过滤或对packet. PostFilterSlot进行设置
⑦        返回TsFltMgr.ProxyNtCreateFile,执行nt.NtCreateFile
⑧        执行packet. PostFilterSlot的16个过滤函数(Tsksp)
⑨        返回nt.KiFastCallEntry

1.2 检查当前系统是否为默认挂钩系统
[C++] 纯文本查看 复制代码
BOOLEAN IsUnSupportedSystem()
{
/*注:\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\TSKS	version
	存放没有预存 函数调用号ServiceIndex 的系统版本列表 格式:
BuildNumber1;BuildNumber2;...
	对于这些版本在进行SSDT Hook时,会临时取得服务号
*/
	NTSTATUS status;
	ULONG BuildNumber = 0,MajorVersion,MinorVersion;
	const int BufSize = 1024;
	ULONG Size,Type;
	WCHAR BuildNumberStr[10] = {0};
	BOOLEAN Match = FALSE;
	UNICODE_STRING UBuildNumber;
	WCHAR* Buffer = (WCHAR*)ExAllocatePool(NonPagedPool,BufSize);
	status = GetRegDataWithSizeAndType(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\TSKSP",L"version",
		Buffer,BufSize,&Size,&Type);
	if(NT_SUCCESS(status) && Type == REG_SZ && Size)
	{
		Buffer[510] = 0;
		RtlInitUnicodeString(&UBuildNumber,BuildNumberStr);
		PsGetVersion(&MajorVersion,&MinorVersion,&BuildNumber,NULL);
		RtlIntegerToUnicodeString(BuildNumber,10,&UBuildNumber);
		if(wcsstr((wchar_t*)Buffer,UBuildNumber.Buffer))
			Match = TRUE;
	}
	ExFreePool(Buffer);
	return Match;
}

1.3 打开TsFltMgr日志记录
在无保护情况下为\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TsFltMgr添加TsDbgLog键,内容设置为目标文件路径(例如\??\C:\TsDbgLog.txt),如果不存在会自动创建文件,重启生效。内容示例:
[0x00000000] 2015.09.27 20:05:24.109        TS TsFltMgr DbgHelper
[0x00000001] 2015.09.27 20:06:13.750        [Sysnap DbgLog] Block--> TableIndex 0, Process spoolsv.exe[1800]
[0x00000002] 2015.09.27 20:10:35.156        [Sysnap DbgLog] Block--> TableIndex 4, Process regedit.exe[2296]
[0x00000003] 2015.09.27 20:13:46.500        [Sysnap DbgLog] Block--> TableIndex 4, Process regedit.exe[2296]

DriverReinitializationRoutine中做初始化,此时最后一个boot驱动初始化完毕
在执行KiFastCallEntry hook时再次尝试启动打印日志线程
ExecPrevSlotFunc中,如果存在过滤函数进行了放行和拦截,都会打印日志

1.4 控制信息

禁止hook
\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TsFltMgr dws=1
\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\services\\QQSysMon\\DWS dws!=0

强制SSDT hook
\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TsFltMgr thm=1

关机回调
设置\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TsFltMgr  IsBsod=0,以便下次启动检测是否TsFltMgr引起蓝屏

1.5 全局表
系统Build号与全局表索引对应关系
BuildNumber:
Win2000
    2195    1
WinXp
    2600    2
WinServer2003
    3790    3
WinVista
    6000    4
    6001    5
    6002    6
Win7
    7600    7
    7601    8
Win8
    8102    9
    8250    10
    8400    11
    8432    12
    8441    12
    8520    13
Win8.1
    9200    14
    9600    15
Win10
    9841    16
    9860    17
    9926    18
    10041   19
    10049   20
未知  0

[C++] 纯文本查看 复制代码
enum
{
	WIN2000=1,
	WINXP,
	WINXPSP3,
	WINVISTA,
	WINVISTASP1,
	WINVISTASP2,
	WIN7,
	WIN7SP1,
	WIN8_8102,
	WIN8_8250,
	WIN8_8400,
	WIN8_8432,
	WIN8_8441=WIN8_8432,
	WIN8_8520,
	WIN81_9200,
	WIN81_9600,
	WIN10_9841,
	WIN10_9860,
	WIN10_9926,
	WIN10_10041,
	WIN10_10049,
	BUILDMAX,
};
enum
{
	SSDT=0,
	SSSDT=1,
	END=2,
	CALLBACK=3,
};

#define APINUMBER 105

struct SProxy
{
	ULONG ServiceTableType;//0:SSDT 1:Shadow SSDT 2:结束符
	PWCHAR ApiName;//函数名
	ULONG  ProxyFunc;//代理函数地址
	ULONG ServiceIndex[BUILDMAX];
	ULONG IndexInTable;//在全局表中的索引
};

struct DProxy
{
	ULONG ServiceTableType;//0:SSDT 1:Shadow SSDT 2:结束符 3:回调函数
	ULONG ServiceIndex;//服务号
	PWCHAR ApiName;//函数名
	ULONG TableIndex;//自定义序号
	BOOLEAN IsInitialized;
	ULONG PrevFilterRefCount;//引用计数
	ULONG PostFilterRefCount;//引用计数
	ULONG OriginFuncAddr;//原始函数地址
	ULONG ProxyFuncAddr;//代理函数地址
	PVOID Log;//用于记录日志
	KEVENT Lock;
	BOOLEAN DisablePrevFilter;//关闭Filter
	ULONG UsedSlotCount;// 当前使用的Slot个数
	FILTER_SLOT PrevFilterSlot[16];//过滤函数结构
};

struct FILTER_SLOT
{
	ULONG Tag;
	ULONG CallCount;
	ULONG DeleteCount;
	KTIMER Timer;
	ULONG Filter;
};

struct FilterPacket
{
	ULONG CurrentSlot;//当前Filter序号
	ULONG ParamNumber;//参数个数
	ULONG Params[12];//参数
	ULONG TagSlot[16];//标志过滤函数用,也可用于传递修改参数
	NTSTATUS Status;//执行结果
	ULONG OriginFuncAddr;//原始函数
	ULONG IndexInTable;//在DProxyTable中的索引
	ULONG Access;//访问权限
	ULONG PostFilterSlot[16];//过滤函数
	ULONG UsedSlotCount;//当前使用的Slot个数
};

TsFltMgr有3张表与函数过滤相关:
静态Api代理表SProxy        SProxyTable[APINUMBER+1]                用于初始化后面2个表
动态Api代理表DProxy*        DProxyTable[APINUMBER+1]        用于Proxy*函数中进行实际过滤操作   方便用SProxy指定的序号配置
DProxy* ServiceMapTable[2][1024]                用于InlineHook KiFastCallEntry改变ebx,映射ServiceIndex到Proxy*函数。函数前1024个用于存储SSDT函数,后1024用于存储SSSDT函数

可以用简单的python命令自动获取到g_ProxyApiTable内容
addr=0x25200
index=0
while index < 106:
if Dword(addr) == 0:
type="SSDT"
elif Dword(addr) == 1:
type="SSSDT"
else:
type="END"
ApiName=GetString(Dword(addr+4),-1,ASCSTR_UNICODE)
ProxyFunc="Proxy"+ApiName
print "{\n\t%s,L\"%s\",%s,\n\t{" %(type,ApiName,ProxyFunc)
print "\t\t%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d" %(Dword(addr+12),Dword(addr+16),Dword(addr+20),Dword(addr+24),Dword(addr+28),Dword(addr+32),Dword(addr+36),Dword(addr+40),Dword(addr+44),Dword(addr+48),Dword(addr+52),Dword(addr+56),Dword(addr+60),Dword(addr+64),Dword(addr+68),Dword(addr+72),Dword(addr+76),Dword(addr+80),Dword(addr+84),Dword(addr+88),Dword(addr+92))
print "\t},%d\n}," %(Dword(addr+96))
addr=addr+100
index=index+1

[C++] 纯文本查看 复制代码
struct SProxy	SProxyTable[APINUMBER+1] = 
{
	{
		SSDT,L"ZwCreateKey",ProxyZwCreateKey,
		{
			1023,35,41,43,64,64,64,70,70,347,351,351,350,350,350,354,355,355,356,359,359
		},0
	},
	{
		SSDT,L"ZwTerminateProcess",ProxyZwTerminateProcess,
		{
			1023,224,257,266,338,334,334,370,370,35,35,35,35,35,35,35,36,36,36,36,36
		},1
	},
	{
		SSDT,L"ZwSetInformationFile",ProxyZwSetInformationFile,
		{
			1023,194,224,233,305,301,301,329,329,78,79,79,78,78,78,81,82,82,82,82,82
		},2
	},
	{
		SSDT,L"ZwWriteFile",ProxyZwWriteFile,
		{
			1023,237,274,284,359,355,355,396,396,4,5,5,5,5,5,6,7,7,7,7,7
		},3
	},
	{
		SSDT,L"ZwSetValueKey",ProxyZwSetValueKey,
		{
			1023,215,247,256,328,324,324,358,358,48,48,48,48,48,48,49,50,50,50,50,50
		},4
	},
	{
		SSDT,L"ZwWriteVirtualMemory",ProxyZwWriteVirtualMemory,
		{
			1023,240,277,287,362,358,358,399,399,1,2,2,2,2,2,3,4,4,4,4,4
		},5
	},
	{
		SSDT,L"ZwCreateFile",ProxyZwCreateFile,
		{
			1023,32,37,39,60,60,60,66,66,351,356,356,355,355,355,360,361,361,362,365,365
		},6
	},
	{
		SSDT,L"ZwOpenProcess",ProxyZwOpenProcess,
		{
			1023,106,122,128,194,194,194,190,190,220,222,222,221,221,221,224,225,225,226,227,227
		},7
	},
	{
		SSDT,L"ZwDeleteKey",ProxyZwDeleteKey,
		{
			1023,53,63,66,123,123,123,103,103,310,314,314,313,313,313,317,318,318,319,321,321
		},8
	},
	{
		SSDT,L"ZwDeleteValueKey",ProxyZwDeleteValueKey,
		{
			1023,55,65,68,126,126,126,106,106,307,311,311,310,310,310,314,315,315,316,318,318
		},9
	},
	{
		SSDT,L"ZwRequestWaitReplyPort",ProxyZwRequestWaitReplyPort,
		{
			1023,176,200,208,275,276,276,299,299,108,110,110,109,109,109,112,113,113,114,114,114
		},10
	},
	{
		SSDT,L"ZwQueryValueKey",ProxyZwQueryValueKey,
		{
			1023,155,177,185,252,252,252,266,266,143,145,145,144,144,144,147,148,148,149,149,149
		},11
	},
	{
		SSDT,L"ZwEnumerateValueKey",ProxyZwEnumerateValueKey,
		{
			1023,61,73,77,136,136,136,119,119,292,296,296,295,295,295,299,300,300,301,303,303
		},12
	},
	{
		SSDT,L"ZwCreateThread",ProxyZwCreateThread,
		{
			1023,46,53,55,78,78,78,87,87,330,334,334,333,333,333,337,338,338,339,342,342
		},13
	},
	{
		SSDT,L"ZwDuplicateObject",ProxyZwDuplicateObject,
		{
			1023,58,68,71,129,129,129,111,111,300,304,304,303,303,303,307,308,308,309,311,311
		},14
	},
	{
		SSDT,L"ZwLoadDriver",ProxyZwLoadDriver,
		{
			1023,85,97,101,165,165,165,155,155,255,257,257,256,256,256,259,260,260,261,263,263
		},15
	},
	{
		SSDT,L"ZwDeviceIoControlFile",ProxyZwDeviceIoControlFile,
		{
			1023,56,66,69,127,127,127,107,107,304,308,308,307,307,307,311,312,312,313,315,315
		},16
	},
	{
		SSDT,L"ZwAlpcSendWaitReceivePort",ProxyZwAlpcSendWaitReceivePort,
		{
			1023,1023,1023,1023,38,38,38,39,39,381,386,386,385,385,385,390,391,391,393,396,396
		},17
	},
	{
		SSDT,L"ZwSetSystemInformation",ProxyZwSetSystemInformation,
		{
			1023,208,240,249,321,317,317,350,350,56,56,56,56,56,56,57,58,58,58,58,58
		},18
	},
	{
		SSDT,L"ZwDeleteFile",ProxyZwDeleteFile,
		{
			1023,52,62,65,122,122,122,102,102,311,315,315,314,314,314,318,319,319,320,322,322
		},19
	},
	{
		SSDT,L"ZwOpenSection",ProxyZwOpenSection,
		{
			1023,108,125,131,197,197,197,194,194,216,218,218,217,217,217,220,221,221,222,222,222
		},20
	},
	{
		SSDT,L"ZwCreateSection",ProxyZwCreateSection,
		{
			1023,43,50,52,75,75,75,84,84,333,337,337,336,336,336,340,341,341,342,345,345
		},21
	},
	{
		SSDT,L"ZwSuspendThread",ProxyZwSuspendThread,
		{
			1023,221,254,263,335,331,331,367,367,38,38,38,38,38,38,38,39,39,39,39,39
		},22
	},
	{
		SSDT,L"ZwTerminateThread",ProxyZwTerminateThread,
		{
			1023,225,258,267,339,335,335,371,371,34,34,34,34,34,34,34,35,35,35,35,35
		},23
	},
	{
		SSDT,L"ZwSystemDebugControl",ProxyZwSystemDebugControl,
		{
			1023,222,255,264,336,332,332,368,368,37,37,37,37,37,37,37,38,38,38,38,38
		},24
	},
	{
		SSDT,L"ZwProtectVirtualMemory",ProxyZwProtectVirtualMemory,
		{
			1023,1023,137,143,210,210,210,215,215,194,196,196,195,195,195,198,199,199,200,200,200
		},38
	},
	{
		SSDT,L"ZwCreateSymbolicLinkObject",ProxyZwCreateSymbolicLinkObject,
		{
			1023,45,52,54,77,77,77,86,86,331,335,335,334,334,334,338,339,339,340,343,343
		},39
	},
	{
		SSDT,L"ZwSetContextThread",ProxyZwSetContextThread,
		{
			1023,1023,213,221,293,289,289,316,316,91,92,92,91,91,91,94,95,95,95,95,95
		},40
	},
	{
		SSDT,L"ZwRenameKey",ProxyZwRenameKey,
		{
			1023,1023,192,200,267,267,267,290,290,117,119,119,118,118,118,121,122,122,123,123,123
		},41
	},
	{
		SSDT,L"ZwOpenThread",ProxyZwOpenThread,
		{
			1023,111,128,134,201,201,201,198,198,214,214,214,213,213,213,216,217,217,218,218,218
		},42
	},
	{
		SSDT,L"ZwGetNextThread",ProxyZwGetNextThread,
		{
			1023,1023,1023,1023,372,368,368,140,140,271,271,271,270,270,270,273,274,274,275,277,277
		},43
	},
	{
		SSDT,L"ZwCreateThreadEx",ProxyZwCreateThreadEx,
		{
			1023,1023,1023,1023,388,382,382,88,88,333,333,333,332,332,332,336,337,337,338,341,341
		},44
	},
	{
		SSDT,L"ZwRestoreKey",ProxyZwRestoreKey,
		{
			1023,1023,204,212,279,280,280,302,302,105,107,107,106,106,106,109,110,110,111,111,111
		},55
	},
	{
		SSDT,L"ZwReplaceKey",ProxyZwReplaceKey,
		{
			1023,1023,193,201,268,268,268,292,292,115,117,117,116,116,116,119,120,120,121,121,121
		},56
	},
	{
		SSDT,L"ZwGetNextProcess",ProxyZwGetNextProcess,
		{
			1023,1023,1023,1023,371,367,367,139,139,270,272,272,271,271,271,274,275,275,276,278,278
		},45
	},
	{
		SSDT,L"ZwUnmapViewOfSection",ProxyZwUnmapViewOfSection,
		{
			1023,231,267,277,352,348,348,385,385,19,19,19,19,19,19,19,20,20,20,20,20
		},46
	},
	{
		SSDT,L"ZwAssignProcessToJobObject",ProxyZwAssignProcessToJobObject,
		{
			1023,18,19,21,42,42,42,43,43,377,382,382,381,381,381,386,387,387,389,392,392
		},47
	},
	{
		SSDT,L"ZwAllocateVirtualMemory",ProxyZwAllocateVirtualMemory,
		{
			1023,16,17,18,18,18,18,19,19,403,407,407,406,406,406,411,412,412,415,418,418
		},57
	},
	{
		SSDT,L"ZwFreeVirtualMemory",ProxyZwFreeVirtualMemory,
		{
			1023,71,83,87,147,147,147,131,131,278,281,281,280,280,280,284,285,285,286,288,288
		},58
	},
	{
		SSSDT,L"NtUserFindWindowEx",ProxyNtUserFindWindowEx,
		{
			1023,368,378,377,391,391,391,396,396,455,457,458,459,460,459,460,462,466,466,466,467
		},25
	},
	{
		SSSDT,L"NtUserBuildHwndList",ProxyNtUserBuildHwndList,
		{
			1023,302,312,311,322,322,322,323,323,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},26
	},
	{
		SSSDT,L"NtUserQueryWindow",ProxyNtUserQueryWindow,
		{
			1023,466,483,481,504,504,504,515,515,478,480,481,482,483,482,483,485,489,489,489,490
		},27
	},
	{
		SSSDT,L"NtUserGetForegroundWindow",ProxyNtUserGetForegroundWindow,
		{
			1023,393,404,403,418,418,418,423,423,426,428,429,430,430,429,430,431,435,435,435,435
		},28
	},
	{
		SSSDT,L"NtUserWindowFromPoint",ProxyNtUserWindowFromPoint,
		{
			1023,568,592,588,617,617,617,629,629,640,643,646,648,650,649,652,658,664,665,666,667
		},29
	},
	{
		SSSDT,L"NtUserSetParent",ProxyNtUserSetParent,
		{
			1023,510,529,526,550,550,550,560,560,582,585,587,589,591,590,593,595,601,602,603,604
		},30
	},
	{
		SSSDT,L"NtUserSetWindowLong",ProxyNtUserSetWindowLong,
		{
			1023,525,544,540,566,566,566,578,578,560,562,564,566,567,566,569,571,575,576,576,577
		},31
	},
	{
		SSSDT,L"NtUserMoveWindow",ProxyNtUserMoveWindow,
		{
			1023,449,465,464,484,484,484,495,495,499,501,502,503,504,503,505,507,511,511,511,512
		},32
	},
	{
		SSSDT,L"NtUserSetWindowPos",ProxyNtUserSetWindowPos,
		{
			1023,527,546,542,568,568,568,580,580,558,560,562,564,565,564,567,569,573,574,574,575
		},33
	},
	{
		SSSDT,L"NtUserSetWindowPlacement",ProxyNtUserSetWindowPlacement,
		{
			1023,526,545,541,567,567,567,579,579,559,561,563,565,566,565,568,570,574,575,575,576
		},34
	},
	{
		SSSDT,L"NtUserShowWindow",ProxyNtUserShowWindow,
		{
			1023,536,555,551,579,579,579,591,591,547,549,551,553,554,553,556,558,562,563,563,564
		},35
	},
	{
		SSSDT,L"NtUserShowWindowAsync",ProxyNtUserShowWindowAsync,
		{
			1023,537,556,552,580,580,580,592,592,546,548,550,552,553,552,555,557,561,562,562,563
		},36
	},
	{
		SSSDT,L"NtUserSendInput",ProxyNtUserSendInput,
		{
			1023,481,502,500,525,525,525,536,536,606,609,611,613,615,614,617,619,625,626,627,628
		},37
	},
	{
		SSSDT,L"NtUserSetWinEventHook",ProxyNtUserSetWinEventHook,
		{
			1023,533,552,548,576,576,576,588,588,550,552,554,556,557,556,559,561,565,566,566,567
		},49
	},
	{
		SSSDT,L"NtUserClipCursor",ProxyNtUserClipCursor,
		{
			1023,0,330,329,343,343,343,348,348,333,334,335,335,335,335,337,338,342,342,342,342
		},48
	},
	{
		SSSDT,L"NtUserSetWindowsHookEx",ProxyNtUserSetWindowsHookEx,
		{
			1023,530,549,545,573,573,573,585,585,553,555,557,559,560,559,562,564,568,569,569,570
		},50
	},
	{
		SSDT,L"ZwMakeTemporaryObject",ProxyZwMakeTemporaryObject,
		{
			1023,1023,105,110,174,174,174,164,164,246,248,248,247,247,247,250,251,251,252,254,254
		},59
	},
	{
		SSDT,L"ZwCreateUserProcess",ProxyZwCreateUserProcess,
		{
			1023,1023,1023,1023,1023,383,383,93,93,322,326,326,325,325,325,329,330,330,331,334,334
		},60
	},
	{
		SSSDT,L"NtUserMessageCall",ProxyNtUserMessageCall,
		{
			1023,444,460,459,479,479,479,490,490,504,506,507,508,509,508,510,512,516,516,516,517
		},61
	},
	{
		SSSDT,L"NtUserPostMessage",ProxyNtUserPostMessage,
		{
			1023,459,475,474,497,497,497,508,508,486,488,489,490,491,490,492,494,498,498,498,499
		},62
	},
	{
		SSSDT,L"NtUserPostThreadMessage",ProxyNtUserPostThreadMessage,
		{
			1023,460,476,475,498,498,498,509,509,485,487,488,489,490,489,491,493,497,497,497,498
		},63
	},
	{
		SSSDT,L"NtUserBuildHwndList_WIN8",ProxyNtUserBuildHwndList_WIN8,
		{
			1023,1023,1023,1023,1023,1023,1023,1023,1023,358,359,360,360,360,360,362,363,367,367,367,367
		},64
	},
	{
		SSDT,L"ZwFsControlFile",ProxyZwFsControlFile,
		{
			1023,1023,84,1023,150,150,150,134,134,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},65
	},
	{
		SSSDT,L"NtUserSetImeInfoEx",ProxyNtUserSetImeInfoEx,
		{
			1023,1023,517,1023,1023,1023,1023,550,550,1023,1023,1023,1023,1023,600,603,605,611,612,613,1023
		},66
	},
	{
		SSDT,L"ZwCreateProcessEx",ProxyZwCreateProcessEx,
		{
			1023,1023,48,50,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},72
	},
	{
		SSSDT,L"NtUserGetRawInputData",ProxyNtUserGetRawInputData,
		{
			1023,1023,428,1023,1023,1023,1023,448,448,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},67
	},
	{
		SSSDT,L"NtUserGetRawInputBuffer",ProxyNtUserGetRawInputBuffer,
		{
			1023,1023,427,1023,1023,1023,1023,447,447,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},68
	},
	{
		SSSDT,L"NtUserGetAsyncKeyState",ProxyNtUserGetAsyncKeyState,
		{
			1023,1023,383,1023,1023,1023,1023,402,402,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},69
	},
	{
		SSSDT,L"NtUserGetKeyState",ProxyNtUserGetKeyState,
		{
			1023,1023,416,1023,1023,1023,1023,436,436,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},70
	},
	{
		SSSDT,L"NtUserGetKeyboardState",ProxyNtUserGetKeyboardState,
		{
			1023,1023,414,1023,1023,1023,1023,434,434,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},71
	},
	{
		SSDT,L"ZwQueueApcThread",ProxyZwQueueApcThread,
		{
			1023,1023,180,1023,1023,1023,1023,269,269,1023,1023,1023,1023,1023,139,142,143,143,144,144,144
		},74
	},
	{
		SSDT,L"ZwSetSecurityObject",ProxyZwSetSecurityObject,
		{
			1023,1023,237,1023,1023,1023,1023,347,347,1023,1023,1023,1023,1023,59,60,61,61,61,61,61
		},75
	},
	{
		SSDT,L"ZwOpenFile",ProxyZwOpenFile,
		{
			1023,1023,116,1023,1023,1023,1023,179,179,1023,1023,1023,1023,1023,232,235,236,236,237,238,238
		},76
	},
	{
		SSDT,L"ZwQueueApcThreadEx",ProxyZwQueueApcThreadEx,
		{
			1023,1023,1023,1023,1023,1023,1023,270,270,1023,1023,1023,1023,1023,138,141,142,142,143,143,143
		},77
	},
	{
		SSDT,L"ZwCreateMutant",ProxyZwCreateMutant,
		{
			1023,1023,43,45,67,67,67,74,74,1023,1023,1023,1023,1023,346,350,351,351,352,355,355
		},78
	},
	{
		SSDT,L"ZwQuerySystemInformation",ProxyZwQuerySystemInformation,
		{
			1023,1023,173,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},79
	},
	{
		SSDT,L"ZwQueryIntervalProfile",ProxyZwQueryIntervalProfile,
		{
			1023,1023,158,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},80
	},
	{
		SSDT,L"ZwSetInformationProcess",ProxyZwSetInformationProcess,
		{
			1023,1023,228,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},81
	},
	{
		SSSDT,L"NtGdiAddFontMemResourceEx",ProxyNtGdiAddFontMemResourceEx,
		{
			1023,1023,4,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},82
	},
	{
		SSDT,L"ZwReplyWaitReceivePortEx",ProxyZwReplyWaitReceivePortEx,
		{
			1023,1023,196,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},83
	},
	{
		END,L"KeUserModeCallback",ProxyKeUserModeCallback,
		{
			1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},51
	},
	{
		SSDT,L"ZwOpenKey",ProxyZwOpenKey,
		{
			1023,1023,119,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},84
	},
	{
		SSDT,L"ZwMapViewOfSection",ProxyZwMapViewOfSection,
		{
			1023,1023,108,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},85
	},
	{
		SSDT,L"ZwSetIntervalProfile",ProxyZwSetIntervalProfile,
		{
			1023,1023,231,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},86
	},
	{
		SSSDT,L"NtGdiAddFontResourceW",ProxyNtGdiAddFontResourceW,
		{
			1023,1023,2,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},87
	},
	{
		SSSDT,L"NtGdiAddRemoteFontToDC",ProxyNtGdiAddRemoteFontToDC,
		{
			1023,1023,3,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},88
	},
	{
		SSDT,L"ZwQueryInformationProcess",ProxyZwQueryInformationProcess,
		{
			1023,1023,154,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},89
	},
	{
		SSDT,L"ZwQueryInformationThread",ProxyZwQueryInformationThread,
		{
			1023,1023,155,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},90
	},
	{
		SSDT,L"ZwCreateProfile",ProxyZwCreateProfile,
		{
			1023,1023,49,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},91
	},
	{
		SSDT,L"ZwVdmControl",ProxyZwVdmControl,
		{
			1023,1023,268,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},92
	},
	{
		SSDT,L"ZwCreateProcess",ProxyZwCreateProcess,
		{
			1023,1023,47,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},93
	},
	{
		SSSDT,L"NtGdiAddEmbFontToDC",ProxyNtGdiAddEmbFontToDC,
		{
			1023,1023,214,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},94
	},
	{
		SSDT,L"NtDebugActiveProcess",ProxyNtDebugActiveProcess,
		{
			1023,1023,57,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},95
	},
	{
		SSDT,L"NtAlpcCreatePort",ProxyNtAlpcCreatePort,
		{
			1023,1023,1023,1023,1023,1023,1023,23,23,1023,1023,1023,1023,1023,401,406,407,407,410,413,413
		},96
	},
	{
		SSDT,L"NtCreatePort",ProxyNtCreatePort,
		{
			1023,1023,46,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},97
	},
	{
		SSDT,L"ZwAdjustPrivilegesToken",ProxyZwAdjustPrivilegesToken,
		{
			1023,1023,11,1023,1023,1023,1023,12,12,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},98
	},
	{
		SSDT,L"ZwConnectPort",ProxyZwConnectPort,
		{
			1023,1023,31,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},99
	},
	{
		SSDT,L"ZwSecureConnectPort",ProxyZwSecureConnectPort,
		{
			1023,1023,210,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},100
	},
	{
		SSDT,L"ZwQueryKey",ProxyZwQueryKey,
		{
			1023,1023,160,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},101
	},
	{
		SSDT,L"ZwEnumerateKey",ProxyZwEnumerateKey,
		{
			1023,1023,71,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},102
	},
	{
		SSDT,L"ZwClose",ProxyZwClose,
		{
			1023,1023,25,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},103
	},
	{
		SSSDT,L"NtUserSystemParametersInfo",ProxyNtUserSystemParametersInfo,
		{
			1023,1023,559,1023,1023,1023,1023,559,595,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023
		},104
	},
	{
		END,NULL,NULL,
		{
			-1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
		},105
	}
};

266

主题

438

帖子

4597

积分

用户组: 真·技术宅

UID
2
精华
61
威望
147 点
宅币
3435 个
贡献
125 次
宅之契约
0 份
在线时间
593 小时
注册时间
2014-1-25
 楼主| 发表于 2015-10-2 15:19:23 | 显示全部楼层
1.6 Proxy*函数模型
[C++] 纯文本查看 复制代码
NPAGED_LOOKASIDE_LIST FilterLookAside;
BOOLEAN g_EvaluateTime;
//Proxy*函数模型  3参数函数为例
NTSTATUS __stdcall ProxyNtFunc(int param1,int param2,int param3)
{
	NTSTATUS status = STATUS_ACCESS_DENIED;
	ULONG Result;//自定义结果
	ULONGLONG Time = 0;
	DProxy* proxydata = DProxyTable[ENtFunc];
	FilterPacket* packet = ExAllocateFromNPagedLookasideList(&FilterLookAside);
	if(g_EvaluateTime)
		Time = KeQueryInterruptTime();
	if(!packet)
	{
		if(!proxydata->OriginFuncAddr)
			return status;
		return proxydata->OriginFuncAddr(param1,param2,param3);
	}
	packet->Params[0] = param1;
	packet->Params[1] = param2;
	packet->Params[2] = param3;
	packet->ParamNumber = 3;
	packet->OriginFuncAddr = proxydata->OriginFuncAddr;
	packet->IndexInTable = ENtFunc;
	InterlockedIncrement(&proxydata->PrevFilterRefCount);
	Result = ExecPrevFilter(packet,proxydata);//Prev过滤
	InterlockedDecrement(&proxydata->PrevFilterRefCount);
	if(Result == SYSMON_UNHANDLED)
	{
		if(packet->OriginFuncAddr)
		{
			status = packet->OriginFuncAddr(param1,param2,param3);
			packet->Status = status;
			InterlockedIncrement(&proxydata->PostFilterRefCount);
			Result = ExecPostFilter(packet);//Post过滤
			InterlockedDecrement(&proxydata->PostFilterRefCount);
		}
	}
	if(Result == SYSMON_HANDLED)
	{
		status = packet->Status;
	}
	if(g_EvaluateTime)
		EvaluateTime(proxydata,Time);
	ExDeleteNPagedLookasideList(packet);
	return status;
}

ULONG ExecPrevFilter(FilterPacket* packet,DProxy* proxydata)
{
	ULONG Result;
	if(!proxydata || !packet || packet->DisablePrevFilter)
		return SYSMON_UNHANDLED;
	for(int i=0;i<16;i++)
	{
		if(!proxydata->PrevFilterSlot[i].DeleteCount && proxydata->PrevFilterSlot[i].Filter && proxydata->SlotNum != 0)
		{
			InterlockedIncrement(&proxydata->PrevFilterSlot[i].CallCount);
			packet->CurrentSlot = i;
			Result = proxydata->PrevFilterSlot[i].Filter(packet);
			InterlockedDecrement(&proxydata->PrevFilterSlot[i].CallCount);
			if(packet->Access & 0x10)//如果权限被设置为放行
			{
				TsLogSprintfOutput(SysMonLogPt,"[Sysnap DbgLog] Modify--> TableIndex %d, Process %s[%d] ",
					proxydata->TableIndex,PsGetProcessImageFileName(IoGetCurrentProcess()),PsGetCurrentProcessId());
			}
			switch(Result)
			{
			case SYSMON_FORBID:
				TsLogSprintfOutput(SysMonLogPt,"[Sysnap DbgLog] Block--> TableIndex %d, Process %s[%d] ",
					proxydata->TableIndex,PsGetProcessImageFileName(IoGetCurrentProcess()),PsGetCurrentProcessId());
				return SYSMON_FORBID;
			case SYSMON_HANDLED:
				return SYSMON_HANDLED;
			case SYSMON_PASS:
			case SYSMON_PASS1:
				return SYSMON_UNHANDLED;
			default:
				break;
			}
		}
	}
}

ULONG ExecPostFilter(FilterPacket* packet)
{
	ULONG Result;
	if(!packet)
		return SYSMON_UNHANDLED;
	FILTER_SLOT* CurrentSlot = DProxyTable[packet->IndexInTable]->PrevFilterSlot;
	for(int i=0;i<16;i++)
	{
		if(!CurrentSlot [i].DeleteCount)
		{
			InterlockedIncrement(&CurrentSlot [i].CallCount);
			packet->CurrentSlot = i;
			Result = packet->PostFilterSlot(packet);
			InterlockedDecrement(&CurrentSlot [i].CallCount);
		}
		switch(Result)
		{
		case SYSMON_HANDLED:
			return SYSMON_HANDLED;
		case SYSMON_PASS:
		case SYSMON_PASS1:
		case SYSMON_FORBID:
			return SYSMON_UNHANDLED;
		default:
			break;
		}
	}
}

二、        驱动接口Interface
2.1 DeviceExtension接口
DeviceObject->DeviceExtension结构:
+00h        TAG=’TSFL’
+14h        FARPROC Interface
FARPROC Interface(intindex)

[C++] 纯文本查看 复制代码
NTSTATUS Interface(int index,FARPROC* outfunc)
{//注意下面的函数都是自己实现的穿透函数
	If(!outfunc)
		Return STATUS_UNSUCCESSFUL;
    switch(index)
    {
    case 0:
*outfunc = SetEvaluateTime;
		Break;
    case 1:
*outfunc = AddDisablePrevFilter;
		Break;
    case 2:
*outfunc = SetPostFilter;
		Break;
    case 3:
*outfunc = ExecOriginFromPacket;
		Break;
    case 4:
*outfunc = AddPrevFilter;
		Break;
    case 5:
*outfunc = RemovePrevFilter;
		Break;
    case 6:
*outfunc = GetCurrentHookInfo;
		Break;
    case 7:
*outfunc = GetDProxyTable;
		Break;
default:
		*outfunc = NULL;
		Break;
}
Return STATUS_SUCESS;
}

2.2 SetEvaluateTime
Void __stdcall SetEvaluateTime(bool EvaluateTime)
{//设置计算过滤函数执行耗时
        g_EvaluateTime = EvaluateTime;
}

2.3 AddDisablePrevFilter
Void __stdcall AddDisablePrevFilter(ULONG Index,BOOLEAN Disable)
{//设置是否执行PrevFilter(同时也是PostFilter)
        If(Index < APINUMBER)
{
        If(DProxyTable[Index])
                DProxyTable[Index]-> DisablePrevFilter = Disable;
}
}

2.4 SetPostFilter
Void __stdcall SetPostFilter(FilterPacket* Packet,FARPROC Filter,ULONG Tag)
{//设置PostFilter函数
        If(Packet)
{
        Packet->TagSlot[Packet->CurrentSlot] = Tag;//用于修改参数或区分Filter
        Packet->PostFilterSlot[Packet->CurrentSlot] = Filter;
        Packet->SlotCount++;
}
}

2.5 ExecOriginFromPacket
NTSTATUS __stdcall ExecOriginFromPacket(FilterPacket* Packet)
{//执行Nt*原始函数
        If(!Packet || !Packet->OriginFuncAddr)
                Return STATUS_UNSUCCESSFUL;
        _asm
        {
                Mov eax, Packet->ParamNumber
                Test eax,eax
                Jbe tag1
                Lea ecx,[eax-1]
                Test ecx,ecx
                Jl tag1
                Lea edx,Packet->Params[ecx]//参数逐个压栈
Tag1:
                Mov eax,[edx]
                Push eax
                Sub ecx,1
                Sub edx,4
                Test ecx,ecx
                Jge tag2
Tag2:
                Call Packet->OriginFuncAddr
        }
}

2.6 AddPrevFilter
NTSTATUS __stdcall AddPrevFilter(ULONG Index,FARPROC Filter,ULONG Tag,ULONG PreferSlot,PULONG OutSlot)
{
        /*
                Index :Nt函数在全局表DProxyTable中的索引
                Filter:要设置的过滤函数
                Tag:标志过滤函数(可用于保存参数)
                PreferSlot:优先选用的函数槽
                OutSlot:实际选用的函数槽
*/
        if(!Filter || Index >= APINUMBER || PreferSlot >= 16)
                return STATUS_UNSUCCESSFUL;
        if(!DProxyTable[Index] || !DProxyTable[Index]->IsInitialized)
                return STATUS_UNSUCCESSFUL;
        if(DProxyTable[Index]->PrevFilterSlot[PreferSlot].Filter)
        {//若函数槽已被占用
                for(int i=0;i<16;i++)
                {
                        if(!DProxyTable[Index]->PrevFilterSlot.Filter)
                        {
                                DProxyTable[Index]->PrevFilterSlot.Tag = Tag;
                                InterlockedExchange(&DProxyTable[Index]->PrevFilterSlot.Filter,Filter);
                                InterlockedIncrement(&DProxyTable[Index]->UsedSlotCount);
                                if(OutSlot)
                                        *OutSlot = i;
                                return STATUS_SUCCESS;
                        }
                }
        }
        else
        {
                DProxyTable[Index]->PrevFilterSlot.Tag = Tag;
                InterlockedExchange(&DProxyTable[Index]->PrevFilterSlot.Filter,Filter);
                InterlockedIncrement(&DProxyTable[Index]->UsedSlotCount);
                if(OutSlot)
                        *OutSlot = i;
                return STATUS_SUCCESS;
        }
        return STATUS_UNSUCCESSFUL;
}

2.7 RemovePrevFilter
void WaitStop(FILTER_SLOT* CurrentSlot)
{
        KeInitializeTimer(&CurrentSlot->Timer);
        Li.QuadPart = 1000000;
        while(CurrentSlot->CallCount)
        {
                KeSetTimer(&CurrentSlot->Timer,&Li,NULL);
                KeWaitForSingleObject(&CurrentSlot->Timer,Executive,KernelMode,FALSE,NULL);
        }
        KeCancelTimer(&CurrentSlot->Timer);
}

NTSTATUS __fastcall RemovePrevFilter(ULONG Index,FARPROC Filter)
{//从Index对应的函数过滤中查找删除Filter
        if(!Filter || Index >= APINUMBER)
                return STATUS_UNSUCCESSFUL;
        if(!DProxyTable[Index] || !DProxyTable[Index]->IsInitialized)
                return STATUS_UNSUCCESSFUL;
        for(int i=0;i<16;i++)
        {
                if(DProxyTable[Index]->PrevFilterSlot.Filter == Filter)
                {
                        LARGE_INTEGER Li;
                        FILTER_SLOT* CurrentSlot = &DProxyTable[Index]->PrevFilterSlot;
                        CurrentSlot->DeleteCount = FALSE;
                        InterlockedIncrement(&CurrentSlot->DeleteCount);
                        WaitStop(CurrentSlot);
                        InterlockedExchange(&CurrentSlot->Filter,NULL);
                        InterlockedDecrement(&DProxyTable[Index]->UsedSlotCount);
                        WaitStop(CurrentSlot);
                        InterlockedDecrement(&CurrentSlot->DeleteCount);
                        return STATUS_UNSUCCESSFUL;
                }
        }
        return STATUS_UNSUCCESSFUL;
}

2.8 GetCurrentHookInfo
NTSTATUS __stdcall GetCurrentHookInfo(PULONG pLastErrorCode,PULONG pserHookType,PULONG pOsVer,PULONG pHookErrorIndex)
{
        if(OsVer && !LastErrorCode && HookErrorIndex == -1)
        {
                if(pLastErrorCode)
                        *pLastErrorCode = 0;//获取系统buildnumber
                if(pserHookType)
                        *pserHookType = serHookType;
                if(pOsVer)
                        *pOsVer = OsVer;
                if(pHookErrorIndex)
                        *pHookErrorIndex = HookErrorIndex;
        }
        return STATUS_UNSUCCESSFUL;
}

LastErrorCode
0x01        ZwQuerySystemInformation获取失败
0x02        KeServiceDescriptorTable获取失败
0x04        KeAddSystemServiceTable获取失败
0x08        ShadowSSDT获取失败
0x10        MmUserProbeAddress获取失败
0x20        Int2E校验失败

InitState
0x01        ZwQuerySystemInformation获取成功
0x02        KeServiceDescriptorTable获取成功
0x04        ShadowSSDT获取成功
0x08        获取Inline Hook点成功

serHookType 对KiFastCallEntry做inline hook的类型
0.        Nonhook                        HOOKTYPE_NONE
1.        Inlinehook                        HOOKTYPE_INLINE
2.        SSDTHook                        HOOKTYPE_SSDT
3.        金山共存Inlinehook        HOOKTYPE_KSINLINE

OsVer
BuildNumber:
Win2000
2195                1
WinXp
2600                2
WinServer2003
3790                3
WinVista
6000                4
6001                5
6002                6
Win7
7600                7
7601                8
Win8
8102                9
8250                10
8400                11
8432                12
8441                12
8520                13
Win8.1
9200                14
9600                15
Win10
9841                16
9860                17
9926                18
10041        19
10049        20
?? 0

HookErrorIndex
        -1

IsBsod
        记录蓝屏

2.9 GetDProxyTable
Dproxy** GetDProxyTable()
{
        Return DProxyTable;
}

五、        基础库
5.1 获取注册表键值
[C++] 纯文本查看 复制代码
NTSTATUS GetRegDataWithType(PWCHAR RegPath,PWCHAR KeyName,PVOID OutData,ULONG BufSize,PULONG OutType)
{
	NTSTATUS status;
	HANDLE KeyHandle = NULL;
	ULONG ResultLength = 0;
	OBJECT_ATTRIBUTES Oa;
	UNICODE_STRING URegPath,UKeyName;
	PVOID ValueInfo;
	const int BufSize = sizeof(PKEY_VALUE_PARTIAL_INFORMATION) + sizeof(WCHAR[260]);
	if(!RegPath || !KeyName)
		return STATUS_INVALID_PARAMETER;
	InitializeObjectAttributes(&Oa,&URegPath,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
	status = ZwOpenKey(&KeyHandle,KEY_EXECUTE,&Oa);
	ValueInfo = ExAllocatePool(NonPagedPool,BufSize);
	if(NT_SUCCESS(status) && ValueInfo)
	{
		RtlZeroMemory(ValueInfo,BufSize);
		RtlInitUnicodeString(&UKeyName,KeyName);
		status = ZwQueryValueKey(KeyHandle,&UKeyName,KeyValuePartialInformation,ValueInfo,BufSize,&ResultLength);
		if(NT_SUCCESS(status))
		{
			PKEY_VALUE_PARTIAL_INFORMATION Info = (PKEY_VALUE_PARTIAL_INFORMATION)ValueInfo;
			if(OutType)
				*OutType = Info->Type;
			if(OutData)
				RtlCopyMemory(OutData,Info->Data,BufSize<Info->DataLength?BufSize:Info->DataLength);
		}
	}
	if(KeyHandle)
		ZwClose(KeyHandle);
	if(ValueInfo)
		ExFreePool(ValueInfo);
	return status;
}

NTSTATUS GetRegDataWithSize(PWCHAR RegPath,PWCHAR KeyName,PVOID OutData,ULONG BufSize,PULONG OutSize)
{
	NTSTATUS status;
	HANDLE KeyHandle = NULL;
	ULONG ResultLength = 0;
	OBJECT_ATTRIBUTES Oa;
	UNICODE_STRING URegPath,UKeyName;
	PVOID ValueInfo;
	const int BufSize = sizeof(PKEY_VALUE_PARTIAL_INFORMATION) + sizeof(WCHAR[260]);
	if(!RegPath || !KeyName)
		return STATUS_INVALID_PARAMETER;
	InitializeObjectAttributes(&Oa,&URegPath,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
	status = ZwOpenKey(&KeyHandle,KEY_EXECUTE,&Oa);
	ValueInfo = ExAllocatePool(NonPagedPool,BufSize);
	if(NT_SUCCESS(status) && ValueInfo)
	{
		RtlZeroMemory(ValueInfo,BufSize);
		RtlInitUnicodeString(&UKeyName,KeyName);
		status = ZwQueryValueKey(KeyHandle,&UKeyName,KeyValuePartialInformation,ValueInfo,BufSize,&ResultLength);
		if(NT_SUCCESS(status))
		{
			PKEY_VALUE_PARTIAL_INFORMATION Info = (PKEY_VALUE_PARTIAL_INFORMATION)ValueInfo;
			if(OutSize)
				*OutSize = Info->DataLength;
			if(OutData)
				RtlCopyMemory(OutData,Info->Data,BufSize<Info->DataLength?BufSize:Info->DataLength);
		}
	}
	if(KeyHandle)
		ZwClose(KeyHandle);
	if(ValueInfo)
		ExFreePool(ValueInfo);
	return status;
}

NTSTATUS GetRegDataWithSizeAndType(PWCHAR RegPath,PWCHAR KeyName,PVOID OutData,ULONG BufSize,PULONG OutSize,PULONG OutType)
{
	NTSTATUS status;
	HANDLE KeyHandle = NULL;
	ULONG ResultLength = 0;
	OBJECT_ATTRIBUTES Oa;
	UNICODE_STRING URegPath,UKeyName;
	PVOID ValueInfo;
	const int BufSize = sizeof(PKEY_VALUE_PARTIAL_INFORMATION) + sizeof(WCHAR[260]);
	if(!RegPath || !KeyName)
		return STATUS_INVALID_PARAMETER;
	InitializeObjectAttributes(&Oa,&URegPath,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
	status = ZwOpenKey(&KeyHandle,KEY_EXECUTE,&Oa);
	ValueInfo = ExAllocatePool(NonPagedPool,BufSize);
	if(NT_SUCCESS(status) && ValueInfo)
	{
		RtlZeroMemory(ValueInfo,BufSize);
		RtlInitUnicodeString(&UKeyName,KeyName);
		status = ZwQueryValueKey(KeyHandle,&UKeyName,KeyValuePartialInformation,ValueInfo,BufSize,&ResultLength);
		if(NT_SUCCESS(status))
		{
			PKEY_VALUE_PARTIAL_INFORMATION Info = (PKEY_VALUE_PARTIAL_INFORMATION)ValueInfo;
			if(OutSize)
				*OutSize = Info->DataLength;
			if(OutType)
				*OutType = Info->Type;
			if(OutData)
				RtlCopyMemory(OutData,Info->Data,BufSize<Info->DataLength?BufSize:Info->DataLength);
		}
	}
	if(KeyHandle)
		ZwClose(KeyHandle);
	if(ValueInfo)
		ExFreePool(ValueInfo);
	return status;
}


5.2 通过进程名获取进程ID
[C++] 纯文本查看 复制代码
HANDLE GetProcessIdByName(PWCHAR ProcessName)
{//根据进程名获取进程ID
	HANDLE ProcessId = 0;
	NTSTATUS status = STATUS_SUCCESS;
	SIZE_T size = 512;
	UNICODE_STRING UProcessName;
	LPVOID Buffer;
	RtlInitUnicodeString(&UProcessName,ProcessName);
	while(true)
	{
		Buffer = ExAllocatePool(PagedPool,size);
		if(!Buffer)
			return 0;
		status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,Buffer,size,NULL);
		if(status != STATUS_INFO_LENGTH_MISMATCH)
			break;
		ExFreePool(Buffer);
		size *= 2;
	}
	if(!NT_SUCCESS(Buffer))
		ExFreePool(Buffer);
	PSYSTEM_PROCESS_INFORMATION ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)Buffer;
	while(ProcessInfo->NextEntryOffset)
	{
		ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((UCHAR*)ProcessInfo + ProcessInfo->NextEntryOffset);
		if(RtlEqualUnicodeString(&UProcessName,&ProcessInfo->ImageName,TRUE)
			ProcessId = ProcessInfo->UniqueProcessId;
	}
	ExFreePool(Buffer);
	return ProcessId;
}




266

主题

438

帖子

4597

积分

用户组: 真·技术宅

UID
2
精华
61
威望
147 点
宅币
3435 个
贡献
125 次
宅之契约
0 份
在线时间
593 小时
注册时间
2014-1-25
 楼主| 发表于 2015-10-2 15:21:07 | 显示全部楼层
六、        InlineHook KiFastCallEntry
①        重置蓝屏死机计数  用于检测hook造成的蓝屏
②        获取SSDT/SSSDT/ hook点
③        分配跳转表ServiceMapTable
④        改写KiFastCallEntry使跳转表生效
⑤        Hook重要回调
⑥        开启日志记录
⑦        Hook KeUserModeCallback


6.1 获取SSDT/SSSDT/Hook点
ULONG InitState = 0;
ULONG LastErrorCode = 0;


[C++] 纯文本查看 复制代码
UCHAR int2Ecode1[10] = {0x8B, 0xFC, 0x3B, 0x35, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x83};
UCHAR int2Ecode2[22] = {0x8B, 0xFC, 0xF6, 0x45, 0x72, 0x02, 0x75, 0x06, 0xF6, 0x45, 0x6C,
						0x01, 0x74, 0x0C, 0x3B, 0x35, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x83};

ULONG GetHookPoint1()
{//检测系统原始KiFastCallEntry
	*(ULONG*)(int2Ecode2 + 4) = MmUserProbeAddress;//构造cmp esi,dword ptr ds:[MmUserProbeAddress]
	if(!MmUserProbeAddress)
		return 0;
	ULONG ptr = GetKiSystemServiceAddr();//KiFastCallEntry总在KiSystemService之后
	if(ptr < NtosBase || ptr > NtosBase+NtosSize)
		return 0;
	for(int offset = 0;offset < 1024;offset++,ptr++)
	{
		/*
			mov edi,esp
			cmp esi,dword ptr ds:[MmUserProbeAddress]
			jae ??
		*/
		if(RtlCompareMemory(ptr,int2Ecode1,sizeof(int2Ecode1)) == sizeof(int2Ecode1))
			return ptr;
	}
	return 0;
}

ULONG GetHookPoint2()
{//检测是否被金山inline hook过得KiFastCallEntry
	*(ULONG*)(int2Ecode2 + 16) = MmUserProbeAddress;//构造cmp esi,dword ptr ds:[MmUserProbeAddress]
	if(!MmUserProbeAddress)
		return 0;
	ULONG ptr = GetKiSystemServiceAddr();
	if(ptr < NtosBase || ptr > NtosBase+NtosSize)
		return 0;
	for(int offset = 0;offset < 1024;offset++,ptr++)
	{
		/*
			mov edi,esp
			test byte ptr[ebp+72h],2
			jne $1
			test byte ptr[ebp+6Ch],1
			je ??
			$1:
			cmp esi,dword ptr ds:[MmUserProbeAddress]
			jae ??
		*/
		if(RtlCompareMemory(ptr,int2Ecode2,sizeof(int2Ecode2)) == sizeof(int2Ecode2))
			return ptr;
	}
	return 0;
}

ULONG InitState = 0,LastErrorCode = 0,serHookType = 0;
ULONG NtosBase,NtosSize,SSDTBase,SSDTLimit,ShadowSSDTBase,ShadowSSDTLimit,Win32kBase,Win32kSize;
ULONG dwcsrssId;
ULONG BuildIndex;
PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
ULONG MmUserProbeAddress;

struct HOOKINFO
{
	ULONG InlinePoint;
	ULONG JmpBackPoint;
	UCHAR OriginCode[8];
};

HOOKINFO HookInfo1={0},HookInfo2={0};
/*
KiFastCallEntry+0xde:
	mov     ebx,dword ptr [edi+eax*4]
	jmp     81f9e3e0
	nop												=>	InlinePoint
	nop
	nop
	jmp     TsFltMgr+0x2300 (f8517300)
	jae     nt!KiSystemCallExit2+0x9f (8053e7ec)	=>	JmpBackPoint
	rep movs dword ptr es:[edi],dword ptr [esi]
	call    ebx

	OriginCode[8];
	8bfc            mov     edi,esp
	3b35549a5580    cmp     esi,dword ptr [nt!MmUserProbeAddress]
*/
NTSTATUS PrepareHook()
{
	RTL_PROCESS_MODULE_INFORMATION Win32kInfo,NtosInfo;
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	ULONG ReturnLength = 0;
	ULONG OutData;
	LPVOID Buffer = NULL;
	RtlZeroMemory(&Win32kInfo,sizeof(Win32kInfo));
	RtlZeroMemory(&NtosInfo,sizeof(NtosInfo));
	InitState = 0;
	LastErrorCode = 0;
	status = GetRegDataWithType(L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TsFltMgr", 
		L"thm", &OutData, 4, 0)
	if(NT_SUCCESS(status) && OutData == 1)
		serHookType = HOOKTYPE_SSDT;
	ZwQuerySystemInformation(SystemModuleInformation,&ReturnLength,0,&ReturnLength);
	if(ReturnLength)
		Buffer = ExAllocatePool(PagedPool,ReturnLength);
	if(Buffer)
		status = ZwQuerySystemInformation(SystemModuleInformation,Buffer,ReturnLength,NULL);
	if(!NT_SUCCESS(status))
	{
		ExFreePool(Buffer);
		Buffer = NULL;
	}
	if(Buffer)
	{
		RtlCopyMemory(&NtosInfo,((PRTL_PROCESS_MODULES)Buffer)->Modules,sizeof(NtosInfo));
		ExFreePool(Buffer);
		NtosBase = NtosInfo.ImageBase;
		NtosSize = NtosInfo.ImageSize;
		ULONG FuncAddr = MiLocateExportName(NtosBase,"KeServiceDescriptorTable");
		if(FuncAddr && MmIsAddressValid(FuncAddr))
		{
			PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable = (PKSERVICE_TABLE_DESCRIPTOR)FuncAddr;
			SSDTBase = KeServiceDescriptorTable[0].Base;
			SSDTLimit = KeServiceDescriptorTable[0].Limit;
			InitState |= 2;
			dwcsrssId = GetProcessIdByName(L"csrss.exe");
			if(GetProcessInfoByFileName("WIN32K.SYS",&Win32kInfo))
			{
				Win32kBase = Win32kInfo.ImageBase;
				Win32kSize = Win32kInfo.ImageSize;
				if(NT_SUCCESS(GetShadowSSDTInfo()))
					InitState |= 4;
			}
			
			UNICODE_STRING UMmUserProbeAddress;
			RtlInitUnicodeString(&UMmUserProbeAddress,L"MmUserProbeAddress");
			ULONG MmUserProbeAddress = MmGetSystemRoutineAddress(&UMmUserProbeAddress);
			if(MmUserProbeAddress && MmIsAddressValid(MmUserProbeAddress))
			{
				HookInfo1.InlinePoint = GetHookPoint1();
				if(HookInfo1.InlinePoint)
					HookInfo1.JmpBackPoint = HookInfo1.InlinePoint + 8;
				else
				{
					HookInfo2.InlinePoint = GetHookPoint2();
					if(HookInfo2.InlinePoint)
						HookInfo2.JmpBackPoint = HookInfo2.InlinePoint + 6;
				}
				if(HookInfo1.InlinePoint == 0 && HookInfo2.InlinePoint == 0)
				{
					LastErrorCode |= 0x20;
					return status;
				}
				InitState |= 8;
				MmUserProbeAddress = *(ULONG*)MmUserProbeAddress;
				status = STATUS_SUCCESS;
			}
			else
			{
				LastErrorCode |= 0x10;
			}
		}
		else
		{
			LastErrorCode |= 2;
		}
	}
	else
	{
		LastErrorCode |= 1;
	}
	return status;
}

6.2 从KiSystemService获取KiFastCallEntry
struct IDTR
{
        USHORT IDTLimit;
        PKIDTENTRY IDTBase;
};
ULONG GetKiSystemServiceAddr()
{
        IDTR idt = {0};
        RTL_PROCESS_MODULE_INFORMATION NtosInfo,Win32kInfo;
        RtlZeroMemory(&NtosInfo,sizeof(NtosInfo));
        __sidt(&idt);
        if(idt.IDTBase)
        {
                KIDTENTRY int2e = idt.IDTBase[0x2E];
                if(MmIsAddressValid(int2e))
                        return MAKEULONG(int2e.ExtendedOffset,int2e.Offset);
        }
        return 0;
}

6.3 获取SSSDT信息
[C++] 纯文本查看 复制代码
NTSTATUS GetShadowSSDTInfo()
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	PVOID pt = MiLocateExportName(NtosBase, "KeAddSystemServiceTable");
	PMDL mdl = NULL;
	if(pt && !MmIsAddressValid(pt))
	{//页换出
		mdl = MmCreateMdl(NULL,pt,0x1000);
		if(mdl)
		{
			MmProbeAndLockPages(mdl,KernelMode,IoReadAccess);
		}
	}
	if(!pt || !MmIsAddressValid(pt))
	{
		LastErrorCode |= 4;
		goto END;
	}

	switch(BuildIndex)
	{
	case WIN2000:
	case WINXP:
	case WINXPSP3:
	case WINVISTA:
	case WINVISTASP1:
	case WINVISTASP2:
	case WIN7:
	case WIN7SP1:
		for(int i=0;i<256;i++)
		{
			if(MmIsAddressValid(pt) && *(USHORT*)pt == 0x888D)
			{//8d88603f5580    lea     ecx,nt!KeServiceDescriptorTableShadow 
				PKSERVICE_TABLE_DESCRIPTOR Table = *(ULONG*)(pt+2);
				ShadowSSDTBase = Table[1].Base;
				ShadowSSDTLimit = Table[1].Limit;
				status = STATUS_SUCCESS;
			}
		}
		break;
	case WIN8_8102:
	case WIN8_8250:
	case WIN81_9200:
	case WIN81_9600:
		for(int i=0;i<256;i++)
		{
			if(MmIsAddressValid(pt) && *(USHORT*)pt == 0xB983)
			{//83b9603f558083  cmp     dword ptr nt!KeServiceDescriptorTableShadow
				PKSERVICE_TABLE_DESCRIPTOR Table = *(ULONG*)(pt+2);
				if(KeServiceDescriptorTable == Table)
				{
					ShadowSSDTBase = Table[1].Base;
					ShadowSSDTLimit = Table[1].Limit;
					status = STATUS_SUCCESS;
				}
			}
		}
		break;
	case WIN10_9841:
	case WIN10_9860:
	case WIN10_9926:
	case WIN10_10041:
	case WIN10_10049:
		for(int i=0;i<256;i++)
		{
			if(MmIsAddressValid(pt) && *(USHORT*)pt == 0x3D83)
			{//833d90d28d8100  cmp     dword ptr [nt!KeServiceDescriptorTableShadow+0x10],0
				PKSERVICE_TABLE_DESCRIPTOR Table = *(ULONG*)(pt+2) - 16;
				if(KeServiceDescriptorTable == Table)
				{
					ShadowSSDTBase = Table[1].Base;
					ShadowSSDTLimit = Table[1].Limit;
					status = STATUS_SUCCESS;
				}
			}
		}
		break;
	}
	if(!ShadowSSDTBase)
		LastErrorCode |= 8;
END:
	if(mdl)
	{
		MmUnlockPages(mdl);
		IoFreeMdl(mdl);
	}
}


6.4 初始化InlineHook KiFastCallEntry跳转表
[C++] 纯文本查看 复制代码
BOOLEAN InitProxyTable()
{
	ULONG BuildIndex = GetBuildNumberAsIndex();
	for(int i = 0;i < APINUMBER;i++)
	{
		for(int j = 0;j < BUILDMAX;j++)
		{
			if(SProxyTable[i].ServiceIndex[j] == 0)
				SProxyTable[i].ServiceIndex[j] = 1023;//置为无效
		}
	}
	if(GetServiceIndex("ZwCreateKey") == -1)
	{//不能获取到服务号
		if(NtosBase)
		{
			for(int i = 0;i < APINUMBER;i++)
			{
				if(SProxyTable[i].ServiceTableType == END)
					break;
				else if(SProxyTable[i].ServiceTableType == SSDT)
				{
					if(SProxyTable[i].ApiName)
					{
						UNICODE_STRING UApiName;
						ANSI_STRING AApiName;
						RtlInitUnicodeString(&UApiName,SProxyTable[i].ApiName);
						if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&AApiName,&UApiName,TRUE)))
						{
							GetServiceIndexFromNtos(AApiName.Buffer);
							RtlFreeAnsiString(AApiName);
						}
					}				
				}
			}
		}
	}
	else
	{//能获取到服务号   由于SProxyTable已存服务号,所以下面代码本身无效
		for(int i = 0;i < APINUMBER;i++)
		{
			if(SProxyTable[i].ServiceTableType == END)
				break;
			if(SProxyTable[i].ServiceTableType == SSDT)
			{
				if(SProxyTable[i].ApiName)
				{
					UNICODE_STRING UApiName;
					ANSI_STRING AApiName;
					RtlInitUnicodeString(&UApiName,SProxyTable[i].ApiName);
					if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&AApiName,&UApiName,TRUE)))
					{
						ULONG Index = GetServiceIndexFromNtdll(AApiName.Buffer);
						if(Index != -1)
							SProxyTable[i].ServiceIndex[BuildIndex] = Index;
						RtlFreeAnsiString(AApiName);
					}
				}
			}
		}
	}
	return TRUE;
}

int AllocHookTable()
{//已知系统情况下初始化代理表,直接使用ServiceIndex
	ULONG BuildIndex = GetBuildNumberAsIndex();
	DProxy* Proxydata = NULL;
	ULONG Count = 0;//未成功布置的代理函数个数
	if(BuildIndex >= 0 && BuildIndex < BUILDMAX)
	{
		InitProxyTable();
		for(int i=0;i<APINUMBER;i++)
		{
			if(SProxyTable[i].ServiceTableType == END)
				break;
			if(SProxyTable[i].ServiceIndex[BuildIndex] != 1023)
			{
				if(SProxyTable[i].ApiName && SProxyTable[i].ProxyFunc && SProxyTable[i].IndexInTable < APINUMBER)
				{
					Proxydata = (DProxy*)ExAllocatePool(NonPagedPool,sizeof(DProxy));
					if(Proxydata)
					{
						Proxydata->IsInitialized = FALSE;
						Proxydata->ApiName = SProxyTable[i].ApiName;
						Proxydata->TableIndex = SProxyTable[i].IndexInTable;
						Proxydata->ProxyFuncAddr = SProxyTable[i].ProxyFunc;
						Proxydata->ServiceIndex = -1;
						KeInitializeEvent(Proxydata->Lock,SynchronizationEvent,FALSE);
						DProxyTable[SProxyTable[i].IndexInTable] = Proxydata;
						ULONG ServiceType = SProxyTable[i].ServiceTableType;
						ULONG ServiceIndex = SProxyTable[i].ServiceIndex[BuildIndex];
						if(ServiceType >= 2 ||  ServiceIndex== -1 || ServiceIndex >= 1024)
						{
							Count++;
						}
						else
						{
							ServiceMapTable[ServiceType][ServiceIndex] = Proxydata;
							Proxydata->ServiceTableType = ServiceType;
							Proxydata->ServiceIndex = ServiceIndex;
						}
					}
				}
			}
		}
		return Count;
	}
	return APINUMBER;//返回未成功代理的个数
}

int AllocHookTableU()
{//未知系统情况下初始化代理表,临时从Ntos模块获取ServiceIndex
	
	if(!NtosBase)
		return 0;//返回成功布置代理的个数
	for(int i=0;i<APINUMBER;i++)
	{
		if(SProxyTable[i].ServiceTableType == END)
			break;
		else if(SProxyTable[i].ServiceTableType == SSDT)
		{
			if(SProxyTable[i].ApiName)
			{
				PUNICODE_STRING UApiName;
				ANSI_STRING AApiName;
				ULONG Index = -1;
				RtlInitUnicodeString(&UApiName,SProxyTable[i].ApiName);
				if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&AApiName,&UApiName,TRUE)))
				{
					Index = GetServiceIndexFromNtos(AApiName.Buffer);
					RtlFreeAnsiString(&AApiName);
				}
				if(Index != -1)
				{
					if(SProxyTable[i].ApiName && SProxyTable[i].ProxyFunc && SProxyTable[i].IndexInTable < APINUMBER)
					{
						Proxydata = (DProxy*)ExAllocatePool(NonPagedPool,sizeof(DProxy));
						if(Proxydata)
						{
							Proxydata->IsInitialized = FALSE;
							Proxydata->ApiName = SProxyTable[i].ApiName;
							Proxydata->TableIndex = SProxyTable[i].IndexInTable;
							Proxydata->ProxyFuncAddr = SProxyTable[i].ProxyFunc;
							Proxydata->ServiceIndex = -1;
							KeInitializeEvent(Proxydata->Lock,SynchronizationEvent,FALSE);
							DProxyTable[SProxyTable[i].IndexInTable] = Proxydata;
							ULONG ServiceType = SProxyTable[i].ServiceTableType;
							ULONG ServiceIndex = SProxyTable[i].ServiceIndex[BuildIndex];
							if(ServiceType >= 2 ||  ServiceIndex== -1 || ServiceIndex >= 1024)
							{
								Count++;
								ServiceMapTable[ServiceType][ServiceIndex] = Proxydata;
								Proxydata->ServiceTableType = ServiceType;
								Proxydata->ServiceIndex = ServiceIndex;
							}
						}
					}
				}
			}
		}
	}
	return Count;
}

6.5 获取系统服务号的2种方式
[C++] 纯文本查看 复制代码
ULONG GetServiceIndexFromNtdll(PCHAR ApiName)
{
	ULONG result = -1;
	RTL_PROCESS_MODULE_INFORMATION ProcessInfo;
	ULONG Index;
	RtlZeroMemory(&ProcessInfo,sizeof(ProcessInfo));
	if(GetProcessInfoByFileName("ntdll.dll",&ProcessInfo) && ProcessInfo.ImageBase && ApiName)
	{
		Index = MiLocateExportName(ProcessInfo.ImageBase,ApiName);
		if(Index)
		{
			result = *(ULONG*)(Index+1);
		}
	}
	return result;
}

ULONG GetServiceIndexFromNtos(PCHAR ApiName)
{
	ULONG result = -1;
	ULONG Index = MiLocateExportName(ProcessInfo.ImageBase,ApiName);
	if(Index)
	{
		result = *(ULONG*)(Index+1);
	}
	if(Index & 0xFFFFC000)
	{
		result = -1;
	}
	return result;
}

6.6 InlineHook过程
[C++] 纯文本查看 复制代码
NTSTATUS DoInlineHook()
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	ULONG MajorVersion = 0,MinorVersion = 0,BuildNumber = 0;
	PsGetVersion(&MajorVersion,&MinorVersion,&BuildNumber,NULL);
	if(serHookType == HOOKTYPE_SSDT || !(InitState & 8))//外部hook或没找到hook挂载点
		return status;
	if(HookInfo1.InlinePoint)
	{//如果为默认方式hook
		if(GetBuildNumberAsIndex() >= WINVISTA)
			status = ModifyAndHook(HookInfo1.InlinePoint,InlineKiFastCallEntry1);
		else
			status = ModifyAndHook(HookInfo1.InlinePoint,InlineKiFastCallEntry2);
		if(NT_SUCCESS(status))
			serHookType = HOOKTYPE_INLINE;
	}
	else if(HookInfo2.InlinePoint)
	{//如果为金山共存方式hook
		if(GetBuildNumberAsIndex() >= WINVISTA)
			status = ModifyAndHookK(HookInfo2.InlinePoint,InlineKiFastCallEntry3);
		else
			status = ModifyAndHookK(HookInfo2.InlinePoint,InlineKiFastCallEntry4);
		if(NT_SUCCESS(status))
			serHookType = HOOKTYPE_KSINLINE;
	}
	if(NT_SUCCESS(status))
	{
		for(int i=0;i<APINUMBER;i++)
		{
			if(DProxyTable[i] != 0 && (DProxyTable[i]->ServiceTableType == SSDT || DProxyTable[i]->ServiceTableType == SSSDT))
				DProxyTable[i]->IsInitialized = TRUE;
		}
	}
}

NTSTATUS DoInlineHookU()
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	ULONG MajorVersion = 0,MinorVersion = 0,BuildNumber = 0;
	PsGetVersion(&MajorVersion,&MinorVersion,&BuildNumber,NULL);
	if(serHookType == HOOKTYPE_SSDT || !(InitState & 8))//采用外部hook或没找到hook挂载点
		return status;
	if(HookInfo1.InlinePoint)
	{//如果为默认方式hook
		if(GetBuildNumberAsIndex() >= WINVISTA)
			status = ModifyAndHook(HookInfo1.InlinePoint,InlineKiFastCallEntry1);
		else
			status = ModifyAndHook(HookInfo1.InlinePoint,InlineKiFastCallEntry2);
		if(NT_SUCCESS(status))
			serHookType = HOOKTYPE_INLINE;
	}
	else if(HookInfo2.InlinePoint)
	{//如果为金山共存方式hook
		if(GetBuildNumberAsIndex() >= WINVISTA)
			status = ModifyAndHookK(HookInfo2.InlinePoint,InlineKiFastCallEntry3);
		else
			status = ModifyAndHookK(HookInfo2.InlinePoint,InlineKiFastCallEntry4);
		if(NT_SUCCESS(status))
			serHookType = HOOKTYPE_KSINLINE;
	}
	if(NT_SUCCESS(status))
	{
		for(int i=0;i<APINUMBER;i++)
		{
			if(DProxyTable[i] != 0 && (DProxyTable[i]->ServiceTableType == SSDT || DProxyTable[i]->ServiceTableType == SSSDT))
				DProxyTable[i]->IsInitialized = TRUE;
		}
	}
}

NTSTATUS ModifyAndHook(ULONG InlinePoint,FARPROC JmpToFunc)
{//HOOKTYPE_INLINE 更改KiFastCallEntry
	NTSTATUS status;
	PVOID MappedAddress = NULL;
	if(!InlinePoint || !InlineHookFunc)
		return STATUS_UNSUCCESSFUL;
	PMDL mdl = GetWritablePage(InlinePoint,16,&MappedAddress);
	/*
		改写						为
		mov edi,esp						nop
		cmp esp,dword ptr ds:[?]		nop
										nop
										jmp ?
	*/
	if(!mdl)
		return STATUS_UNSUCCESSFUL;
	ULONG data[3] = {InlinePoint,JmpToFunc,MappedAddress};
	status = MakeJmp(data,DoHook);
	MmUnlockPages(mdl);
	IoFreeMdl(mdl);
	return status;
}

NTSTATUS ModifyAndHookK(ULONG InlinePoint,FARPROC JmpToFunc)
{//HOOKTYPE_KSINLINE 更改KiFastCallEntry
	NTSTATUS status;
	PVOID MappedAddress = NULL;
	if(!InlinePoint || !InlineHookFunc)
		return STATUS_UNSUCCESSFUL;
	PMDL mdl = GetWritablePage(InlinePoint,16,&MappedAddress);
	if(!mdl)
		return STATUS_UNSUCCESSFUL;
	ULONG data[3] = {InlinePoint,JmpToFunc,MappedAddress};
	status = MakeJmp(data,DoHookK);
	MmUnlockPages(mdl);
	IoFreeMdl(mdl);
	return status;
}

NTSTATUS DoHook(ULONG* data)
{//HOOKTYPE_INLINE
	ULONGLONG shellcode;
	if(!data)
		return STATUS_UNSUCCESSFUL;
	*(ULONGLONG*)(HookInfo1.OriginCode) = *(ULONGLONG*)data[0];//保存原始8字节
	*(ULONG*)((UCHAR*)&shellcode+4) = data[1] - data[0] - 8;//填写偏移 jmp offset
	*(ULONG*)((UCHAR*)&shellcode) = 0xE9909090;//写入新8字节
	/*
		构造
		nop
		nop
		nop
		jmp ????
	*/
	InterlockedCompareExchange64((LONGLONG*)data[2],shellcode,*(LONGLONG*)data[2]);
	return STATUS_SUCCESS;
}

NTSTATUS DoHookK(ULONG* data)
{//HOOKTYPE_KSINLINE
	ULONGLONG shellcode;
	if(!data)
		return STATUS_UNSUCCESSFUL;
	*(ULONGLONG*)(HookInfo1.OriginCode) = *(ULONGLONG*)data[0];//保存原始8字节
	*(USHORT*)((UCHAR*)&shellcode+6) = 0x0675;
	*(ULONG*)((UCHAR*)&shellcode+2) = data[1] - data[0] - 8;//填写偏移 jmp offset
	*(ULONG*)((UCHAR*)&shellcode) = 0xE990;//写入新8字节
	InterlockedCompareExchange64((LONGLONG*)data[2],shellcode,*(LONGLONG*)data[2]);
	return STATUS_SUCCESS;
}

PMDL GetWritablePage(PVOID VirtualAddress,ULONG Length,PVOID* pMappedAddress)
{
	PMDL mdl = IoAllocateMdl(VirtualAddress,Length,FALSE,TRUE,NULL);
	if(mdl)
	{
		MmProbeAndLockPages(mdl,KernelMode,IoWriteAccess);
		PVOID NewAddr = MmGetSystemAddressForMdlSafe (Mdl, NormalPagePriority);
		if(!NewAddr)
		{
			MmUnlockPages(mdl);
			IoFreeMdl(mdl);
			mdl = NULL;
		}
		if(NewAddr)
			*pMappedAddress = NewAddr;
	}
	return mdl;
}

266

主题

438

帖子

4597

积分

用户组: 真·技术宅

UID
2
精华
61
威望
147 点
宅币
3435 个
贡献
125 次
宅之契约
0 份
在线时间
593 小时
注册时间
2014-1-25
 楼主| 发表于 2015-10-2 15:22:49 | 显示全部楼层
6.7 构造InlineHook跳转后的执行语句
[C++] 纯文本查看 复制代码
ULONG Filter(ULONG ServiceIndex,ULONG OriginFunc,ULONG Base)
{
	if(ServiceIndex >= 1024)
		return OriginFunc;
	ULONG TableType;
	if(Base == SSDTBase && ServiceIndex <= SSDTLimit)
	{
		TableType = SSDT;
	}
	else if(KeServiceDescriptorTable && KeServiceDescriptorTable->Base == Base && ServiceIndex <= SSDTLimit)
	{
		TableType = SSDT;
	}
	else if(Base == ShadowSSDTBase && ServiceIndex <= ShadowSSDTLimit)
	{
		TableType = SSSDT;
	}
	else
	{
		return OriginFunc;
	}
	if(ServiceMapTable[TableType][ServiceIndex])
	{
		ULONG NewAddr = ServiceMapTable[TableType][ServiceIndex]->ProxyFuncAddr;
		if(NewAddr)
		{
			ServiceMapTable[TableType][ServiceIndex]->OriginFuncAddr = OriginFunc;
			return NewAddr;
		}
	}
	return OriginFunc;
}

void __declspec(naked) InlineKiFastCallEntry1()
{
	/*  HOOKTYPE_INLINE   >=VISTA
		输入
		eax=ServiceIndex
		edx=OriginFunc
		edi=SSDTBase
		输出
		edx=FuncAddr  最终函数调用地址
	*/
	_asm
	{
		pushf;
		pusha;
		push edi;
		push edx;
		push eax;
		call Filter;
		mov [esp+0x14],eax;//改栈中的edx
		popa;
		popf;
		mov edi,esp;
		cmp esi,MmUserProbeAddress;
		push dword ptr HookInfo1.JmpBackPoint;
		retn;//跳回JmpBackPoint
	}
}

void __declspec(naked) InlineKiFastCallEntry2()
{
	/*  HOOKTYPE_INLINE   <VISTA
		输入
		eax=ServiceIndex
		edx=OriginFunc
		edi=SSDTBase
		输出
		ebx=FuncAddr  最终函数调用地址
	*/
	_asm
	{
		pushf;
		pusha;
		push edi;
		push edx;
		push eax;
		call Filter;
		mov [esp+0x10],eax;//改栈中的ebx
		popa;
		popf;
		mov edi,esp;
		cmp esi,MmUserProbeAddress;
		push dword ptr HookInfo1.JmpBackPoint;
		retn;
	}
}

void __declspec(naked) InlineKiFastCallEntry3()
{
	/*  HOOKTYPE_KSINLINE   <VISTA
		输入
		eax=ServiceIndex
		edx=OriginFunc
		edi=SSDTBase
		输出
		edx=FuncAddr  最终函数调用地址    (KiFastCallEntry后面mov ebx,edx)
	*/
	_asm
	{
		pushf;
		pusha;
		push edi;
		push edx;
		push eax;
		call Filter;
		mov [esp+0x14],eax;//改栈中的edx
		popa;
		popf;
		mov edi,esp;
		test byte ptr [ebp+0x72],2;
		push dword ptr HookInfo2.JmpBackPoint;
		retn;//跳回JmpBackPoint
	}
}

void __declspec(naked) InlineKiFastCallEntry4()
{
	/*  HOOKTYPE_KSINLINE   <VISTA
		输入
		eax=ServiceIndex
		edx=OriginFunc
		edi=SSDTBase
		输出
		ebx=FuncAddr  最终函数调用地址
	*/
	_asm
	{
		pushf;
		pusha;
		push edi;
		push edx;
		push eax;
		call Filter;
		mov [esp+0x14],eax;//改栈中的edx
		popa;
		popf;
		mov edi,esp;
		test byte ptr [ebp+0x72],2;
		push dword ptr HookInfo2.JmpBackPoint;
		retn;//跳回JmpBackPoint
	}
}

6.8 强制单核互斥执行指定Procedure
[C++] 纯文本查看 复制代码
struct SpinData
{
	KSPIN_LOCK SpinLock;
	ULONG SpinRefCount;
}g_Spin = {0};
KDPC Dpc[32];

void DpcRoutine(PKDPC Dpc,PVOID DeferredContext,PVOID SystemArgument1,PVOID SystemArgument2)
{
	KIRQL OldIrql;
	SpinData* spin = (SpinData*)DeferredContext;zh
	_disable();
	OldIrql = KeRaiseIrqlToDpcLevel();
	InterlockedIncrement(spin->SpinRefCount);
	KeAcquireSpinLockAtDpcLevel(spin->SpinLock);
	KeReleaseSpinLockFromDpcLevel(spin->SpinLock);
	KeLowerIrql(OldIrql);
	_enable();
}

NTSTATUS MakeJmp(ULONG* data,FARPROC addr)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	ULONG ulCurrentCpu = 0;
	KIRQL OldIrql,NewIrql;
	KAFFINITY CpuAffinity;
	if(!addr)
		return status;
	CpuAffinity = KeQueryActiveProcessors();
	for(int i = 0;i < 32;i++)
	{
		if((CpuAffinity >> i) & 1)
			ulCurrentCpu++;
	}
	if(ulCurrentCpu == 1)//单核
	{
		_disable();
		OldIrql = KeRaiseIrqlToDpcLevel();
		status = addr(data);
		KeLowerIrql(OldIrql);
		_enable();
	}
	else//多核  将除当前cpu以外的cpu用自旋锁锁住
	{
		SpinData* pSpinData = &g_Spin;
		ULONG ulNumberOfActiveCpu = 0;
		KeInitializeSpinLock(&g_Spin.SpinLock);
		for(int i = 0;i < 32;i++)
		{
			KeInitializeDpc(&Dpc[i],DpcRoutine,&pSpinData);
		}
		pSpinData->SpinRefCount = 0;
		_disable();
		NewIrql = KeAcquireSpinLock(&g_Spin.SpinLock);
		ulCurrentCpu = KeGetCurrentProcessorNumber();
		for(int i = 0;i < 32;i++)
		{
			if((CpuAffinity >> i) & 1)
				ulNumberOfActiveCpu++;
			if(i != ulCurrentCpu)
			{
				KeSetTargetProcessorDpc(Dpc[i],i);
				KeSetImportanceDpc(Dpc[i],HighImportance);
				KeInsertQueueDpc(Dpc[i],NULL,NULL);
			}
			KeInitializeDpc(&Dpc[i],DpcRoutine,&pSpinData);
		}
		//此时只有一个核在工作
		for(int i = 0;i < 16;i++)//尝试16次
		{
			for(int count = 1000000;count > 0;count--);//延时
			if(g_Spin.SpinRefCount == ulNumberOfActiveCpu - 1)//等待DpcRoutine全部执行到死锁
			{
				status = addr(data);
				break;
			}
		}
		KeReleaseSpinLock(&g_Spin.SpinLock,NewIrql);//恢复多核运行
		_enable();
	}
	return status;
}

6.9 进行SSDT hook
        在注册表Services\\TsFltMgr thm=1的情况下,或者Inline hook KiFastCallEntry失败的情况下,会进行SSDT表 hook
[C++] 纯文本查看 复制代码
NTSTATUS BeginSSDTHook()
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	int result = -1;
	PVOID MappedAddress = NULL;
	PMDL mdl = NULL;
	if(serHookType == HOOKTYPE_INLINE || serHookType == HOOKTYPE_KSINLINE)//已成功inline hook
		return STATUS_UNSUCCESSFUL;
	serHookType = HOOKTYPE_SSDT;
	for(int i = 0;i <= APINUMBER;i++)
	{
		if(DProxyTable[i] && DProxyTable[i]->ServiceIndex != -1 && !DProxyTable[i]->IsInitialized)
		{
			if(DProxyTable[i]->ServiceTableType == SSDT)
			{
				int index = DProxyTable[i]->ServiceIndex;
				if(index != 1023 && DProxyTable[i]->ProxyFunc && SSDTBase)
				{
					PVOID MappedAddress = NULL;
					PMDL mdl = GetWritablePage(SSDTBase,4*SSDTLimit,&MappedAddress);
					if(mdl)
					{
						DProxyTable[i]->OriginFuncAddr = ((ULONG*)SSDTBase)[index];
						((ULONG*)MappedAddress)[index] = DProxyTable[i]->ProxyFunc;
						MmUnlockPages(mdl);
						IoFreeMdl(mdl);
						result = index;
					}
				}
			}
			else if(DProxyTable[i]->ServiceTableType == SSSDT)
			{
				int index = DProxyTable[i]->ServiceIndex;
				if(index != 1023 && DProxyTable[i]->ProxyFunc && ShadowSSDTBase)
				{
					HANDLE CurProcessId = PsGetCurrentProcessId();
					HANDLE SmssProcessId = GetProcessIdByName(L"smss.exe");
					if(!dwcsrssId)//如果没有获取到csrss.exe的id
					{
						if(CurProcessId == SmssProcessId)//使用smss.exe的SSSDT
						{
							mdl = GetWritablePage(ShadowSSDTBase,4*ShadowSSDTLimit,&MappedAddress);
							if(mdl)
							{
								DProxyTable[i]->OriginFuncAddr = ((ULONG*)ShadowSSDTBase)[index];
								((ULONG*)MappedAddress)[index] = DProxyTable[i]->ProxyFunc;
								MmUnlockPages(mdl);
								IoFreeMdl(mdl);
								result = index;
							}
						}
					}
					else
					{//附加到csrss.exe
						PVOID attachobj = AttachDriverToProcess(dwcsrssId);
						if(attachobj)
						{
							mdl = GetWritablePage(ShadowSSDTBase,4*ShadowSSDTLimit,&MappedAddress);
							if(mdl)
							{
								DProxyTable[i]->OriginFuncAddr = ((ULONG*)ShadowSSDTBase)[index];
								((ULONG*)MappedAddress)[index] = DProxyTable[i]->ProxyFunc;
								MmUnlockPages(mdl);
								IoFreeMdl(mdl);
								result = index;
							}
							DetachDriverFromProcess(attachobj);
						}
					}
				}	
			}
			if(result != -1)
				DProxyTable[i]->IsInitialized = TRUE;
		}
	}
	return STATUS_SUCCESS;
}

struct AttachData
{
	KAPC_STATE ApcState;
	PVOID Process;
};

PVOID AttachDriverToProcess(HANDLE ProcessId)
{
	PVOID Process = NULL;
	AttachData* Buffer = NULL;
	if(ProcessId == PsGetCurrentProcessId())
		return 0xEEEEDDDD;//自身标识
	if(ProcessId && NT_SUCCESS(PsLookupProcessByProcessId(ProcessId,&Process)))
	{
		Buffer = (AttachData*)ExAllocatePool(PagedPool,sizeof(AttachData));
		if(!Buffer)
		{
			ObDereferenceObject(Process);
			return NULL;
		}
		Buffer->Process = Process;
		KeStackAttachProcess(Process,&Buffer->ApcState)
	}
}

NTSTATUS DetachDriverFromProcess(PVOID Buffer)
{
	if(Buffer && (ULONG)Buffer != 0xEEEEDDDD)
	{
		AttachData* data = (AttachData*)Buffer;
		KeUnstackDetachProcess(&data->ApcState);
		ObDereferenceObject(data->Process);
		ExFreePool(Buffer);
	}
}


6.10 对重要回调(进程回调、线程回调、映像加载回调)的挂钩
[C++] 纯文本查看 复制代码
/*
	Sproxy Index:
	普通api使用index 0-0x33 0x37-0x48 0x4A-0x69
	52    CreateNotifyRoutine
	53    ThreadNofify
	54    ImageNotify
	73    CreateNotifyRoutine2
*/
enum
{
	INDEX_KECALLBACK = 51,
	INDEX_PROCESS = 52,
	INDEX_THREAD = 53,
	INDEX_IMAGE = 54,
	INDEX_PROCESSEX = 73,
};

NTSTATUS HookImportantNotify()
{
	if(!DProxyTable[INDEX_PROCESS])
	{
		DProxy* Proxydata = (DProxy*)ExAllocatePool(NonPagedPool,sizeof(DProxy));
		if(Proxydata)
		{
			Proxydata->IsInitialized = FALSE;
			Proxydata->ApiName = "ProcessNotify";
			Proxydata->TableIndex = INDEX_PROCESS;
			Proxydata->ProxyFuncAddr = CreateNotifyRoutine1;
			Proxydata->ServiceIndex = -1;
			KeInitializeEvent(&Proxydata->Lock,SynchronizationEvent,FALSE);
			DProxyTable[INDEX_PROCESS] = Proxydata;
		}
	}
	if(DProxyTable[INDEX_PROCESS] && !DProxyTable[INDEX_PROCESS]->IsInitialized)
	{
		DProxyTable[INDEX_PROCESS]->ServiceTableType = CALLBACK;
		if(NT_SUCCESS(PsSetCreateProcessNotifyRoutine(CreateProcessNotify,FALSE)))
			DProxyTable[INDEX_PROCESS]->IsInitialized = TRUE;
	}
	if(!DProxyTable[INDEX_PROCESSEX])
	{
		DProxy* Proxydata = (DProxy*)ExAllocatePool(NonPagedPool,sizeof(DProxy));
		if(Proxydata)
		{
			Proxydata->IsInitialized = FALSE;
			Proxydata->ApiName = "ProcessNotifyEx";
			Proxydata->TableIndex = INDEX_PROCESSEX;
			Proxydata->ProxyFuncAddr = CreateNotifyRoutine1Ex;
			Proxydata->ServiceIndex = -1;
			KeInitializeEvent(&Proxydata->Lock,SynchronizationEvent,FALSE);
			DProxyTable[INDEX_PROCESSEX] = Proxydata;
		}
	}
	if(DProxyTable[INDEX_PROCESSEX] && !DProxyTable[INDEX_PROCESSEX]->IsInitialized)
	{
		DProxyTable[INDEX_PROCESSEX]->ServiceTableType = CALLBACK;
		if(NT_SUCCESS(PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx,FALSE)))
			DProxyTable[INDEX_PROCESSEX]->IsInitialized = TRUE;
	}
	if(!DProxyTable[INDEX_THREAD])
	{
		DProxy* Proxydata = (DProxy*)ExAllocatePool(NonPagedPool,sizeof(DProxy));
		if(Proxydata)
		{
			Proxydata->IsInitialized = FALSE;
			Proxydata->ApiName = "ThreadNotify";
			Proxydata->TableIndex = INDEX_THREAD;
			Proxydata->ProxyFuncAddr = CreateThreadNotify;
			Proxydata->ServiceIndex = -1;
			KeInitializeEvent(&Proxydata->Lock,SynchronizationEvent,FALSE);
			DProxyTable[INDEX_THREAD] = Proxydata;
		}
	}
	if(DProxyTable[INDEX_THREAD] && !DProxyTable[INDEX_THREAD]->IsInitialized)
	{
		DProxyTable[INDEX_THREAD]->ServiceTableType = CALLBACK;
		if(NT_SUCCESS(PsSetCreateThreadNotifyRoutine(CreateThreadNotify,FALSE)))
			DProxyTable[INDEX_THREAD]->IsInitialized = TRUE;
	}
	if(!DProxyTable[INDEX_IMAGE])
	{
		DProxy* Proxydata = (DProxy*)ExAllocatePool(NonPagedPool,sizeof(DProxy));
		if(Proxydata)
		{
			Proxydata->IsInitialized = FALSE;
			Proxydata->ApiName = "ImageNotify";
			Proxydata->TableIndex = INDEX_IMAGE;
			Proxydata->ProxyFuncAddr = LoadImageNotify;
			Proxydata->ServiceIndex = -1;
			KeInitializeEvent(&Proxydata->Lock,SynchronizationEvent,FALSE);
			DProxyTable[INDEX_IMAGE] = Proxydata;
		}
	}
	if(DProxyTable[INDEX_IMAGE] && !DProxyTable[INDEX_IMAGE]->IsInitialized)
	{
		DProxyTable[INDEX_IMAGE]->ServiceTableType = CALLBACK;
		if(NT_SUCCESS(PsSetLoadImageNotifyRoutine(LoadImageNotify,FALSE)))
			DProxyTable[INDEX_IMAGE]->IsInitialized = TRUE;
	}
}

6.11 Hook KeUserModeCallback
[C++] 纯文本查看 复制代码
NTSTATUS HookKeUserModeCallback()
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	if(!Win32kBase)
		return status;
	OBJECT_ATTRIBUTES Oa;
	IO_STATUS_BLOCK IoStatusBlock;
	HANDLE SectionHandle = NULL;
	ULONG ViewSize = 0;
	HANDLE FileHandle = NULL;
	PVOID BaseAddress = 0x5000000;
	UNICODE_STRING UKeUserModeCallback;
	if(!DProxyTable[INDEX_KECALLBACK])
	{
		DProxy* Proxydata = (DProxy*)ExAllocatePool(NonPagedPool,sizeof(DProxy));
		if(Proxydata)
		{
			Proxydata->IsInitialized = FALSE;
			Proxydata->ApiName = "ImageNotify";
			Proxydata->TableIndex = INDEX_KECALLBACK;
			Proxydata->ProxyFuncAddr = ProxyKeUserModeCallback;
			Proxydata->ServiceIndex = -1;
			KeInitializeEvent(&Proxydata->Lock,SynchronizationEvent,FALSE);
			DProxyTable[INDEX_KECALLBACK] = Proxydata;
		}
	}
	RtlInitUnicodeString(&UKeUserModeCallback,L"\\SystemRoot\\System32\\Win32k.sys");
	InitializeObjectAttributes(&Oa,L"KeUserModeCallback",OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,NULL,NULL);
	status = ZwOpenFile(&FileHandle,GENERIC_READ,&Oa,&IoStatusBlock,FILE_SHARE_READ,FILE_SYNCHRONOUS_IO_NONALERT);
	if(NT_SUCCESS(status))
	{
		Oa.ObjectName = NULL;
		status = ZwCreateSection(&SectionHandle,SECTION_MAP_EXECUTE,&Oa,NULL,PAGE_WRITECOPY,SEC_IMAGE);
		if(NT_SUCCESS(status))
		{
			status = ZwMapViewOfSection(&SectionHandle,NtCurrentProcess(),&BaseAddress,0,0,NULL,&ViewSize,ViewUnmap,0,PAGE_EXECUTE);
			if(!NT_SUCCESS(status))
			{
				BaseAddress = NULL;
				ZwMapViewOfSection(&SectionHandle,NtCurrentProcess(),&BaseAddress,0,0,NULL,&ViewSize,ViewUnmap,0,PAGE_EXECUTE);
			}
		}
	}
	if(BaseAddress)
	{
		if(!DProxyTable[INDEX_KECALLBACK]->IsInitialized)
		{
			ULONG IatOffset = GetProcOffsetFromIat(BaseAddress);
			DProxyTable[INDEX_KECALLBACK]->OriginFuncAddr = ExchangeMem(IatOffset,Win32kBase,ProxyKeUserModeCallback);
			if(DProxyTable[INDEX_KECALLBACK]->OriginFuncAddr)
			{
				DProxyTable[INDEX_KECALLBACK]->IsInitialized;
				status = STATUS_SUCCESS;
			}
		}
		ZwUnmapViewOfSection(NtCurrentProcess(),BaseAddress);
	}
	return status;
}

6.12 交换内存
[C++] 纯文本查看 复制代码
ULONG ExchangeMem(ULONG Offset,ULONG BaseAddress,ULONG NewValue)
{//替换基址BaseAddress 偏移Offset 处的ULONG数据,返回原始数据
	HANDLE CurProcessId = PsGetCurrentProcessId();
	HANDLE SmssProcessId = GetProcessIdByName(L"smss.exe");
	ULONG OriginValue = 0;
	PMDL mdl = NULL;
	if(!dwcsrssId)//如果没有获取到csrss.exe的id
	{
		if(CurProcessId == SmssProcessId)//使用smss.exe的SSSDT
		{
			mdl = GetWritablePage(BaseAddress+Offset,16,&MappedAddress);
			if(mdl)
			{
				OriginValue = InterlockedExchange(MappedAddress,NewValue);
				MmUnlockPages(mdl);
				IoFreeMdl(mdl);
			}
		}
	}
	else
	{//附加到csrss.exe
		PVOID attachobj = AttachDriverToProcess(dwcsrssId);
		if(attachobj)
		{
			mdl = GetWritablePage(BaseAddress+Offset,4,&MappedAddress);
			if(mdl)
			{
				OriginValue = InterlockedExchange(MappedAddress,NewValue);
				MmUnlockPages(mdl);
				IoFreeMdl(mdl);
			}
			DetachDriverFromProcess(attachobj);
		}
	}
	return OriginValue;
}

6.13 获取函数Iat偏移
[C++] 纯文本查看 复制代码
ULONG GetProcOffsetFromIat(PVOID ImageBase,PCHAR ModuleName,PCHAR ApiName)
{//ImageBase当前进程映像基址  ModuleName导入模块映像基址  ApiName导入函数名
	ANSI_STRING AApiName;
	UNICODE_STRING UApiname;
	PIMAGE_IMPORT_DESCRIPTOR ImportModuleDirectory;
	ULONG ObjProcAddr;
	ULONG Offset = 0;
	PCHAR ImportedName;
	PIMAGE_THUNK_DATA FunctionNameList;
	RtlInitAnsiString(&AApiName,ApiName);
	if(!NT_SUCCESS(RtlAnsiStringToUnicodeString(&UApiname,&AApiName,TRUE)))
		return 0;
	ObjProcAddr = MmGetSystemRoutineAddress(&UApiname);
	RtlFreeUnicodeString(&UApiname);
	ImportModuleDirectory = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData(ImageBase,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT);
	if(!ImportModuleDirectory)
		return 0;
	for (;(ImportModuleDirectory->Name != 0) && (ImportModuleDirectory->FirstThunk != 0);ImportModuleDirectory++)
	{
		ImportedName = (PCHAR)ImageBase + ImportModuleDirectory->Name;
		if(!stricmp(ModuleName,ImportedName))
		{
			FunctionNameList = (PIMAGE_THUNK_DATA)((UCHAR*)ImageBase+ImportModuleDirectory->FirstThunk);
			while(*FunctionNameList != 0)
			{
				if((*FunctionNameList) & 0x80000000)
				{
					if(FunctionNameList->u1.Function == ObjProcAddr)
						return (UCHAR*)FunctionNameList - (UCHAR*)ImageBase;
				}
				else
				{
					IMAGE_IMPORT_BY_NAME *pe_name = (IMAGE_IMPORT_BY_NAME*)((PCHAR)ImageBase + *FunctionNameList);
					if(pe_name->Name[0] == 'K' && !stricmp(pe_name->Name,"KeUserModeCallback"))
						return (UCHAR*)FunctionNameList - (UCHAR*)ImageBase;
				}
				FunctionNameList++;
			}
		}
	}
	return 0;
}

6.14 另一种方式获取ShadowSSDT信息
当常规方式获取SSSDT失败时,会临时设置ZwSetSystemInformation的过滤函数捕获系统设置服务表(SYSTEM_INFORMATION_CLASS =SystemExtendServiceTableInformation),
[C++] 纯文本查看 复制代码
void TryAnotherWayToGetShadowSSDT()
{
	AddPrevFilter(EZwSetSystemInformation,ZwSetSystemInformationFilter1,0,0,NULL);
}

ULONG OldKeAddSystemServiceTable;

ULONG __stdcall ZwSetSystemInformationFilter1(FilterPacket* Packet)
{//改EAT以获取SSSDT
	if(!ShadowSSDTBase && Packet->Params[0] == SystemExtendServiceTableInformation && !OldKeAddSystemServiceTable)
	{
		OldKeAddSystemServiceTable = ExchangeEat(NtosBase,NewKeAddSystemServiceTable);
		if(OldKeAddSystemServiceTable)
		{
			Packet->TagSlot[Packet->CurrentSlot] = 0xABCDEEEE;//用于标记
			Packet->PostFilterSlot[Packet->CurrentSlot] = ZwSetSystemInformationFilter2;
			Packet->UsedSlotCount++;
		}
	}
	return SYSMON_PASSTONEXT;
}

ULONG __stdcall ZwSetSystemInformationFilter2(FilterPacket* Packet)
{//获取之后恢复EAT
	if(Packet->TagSlot[Packet->CurrentSlot] == 0xABCDEEEE)//检查标记
	{
		if(serHookType != 1 && serHookType != 3)//是否SSDT型Hook
		{
			BeginSSDTHook();
		}
	}
	return SYSMON_PASSTONEXT;
}

BOOLEAN __stdcall KeAddSystemServiceTable(PULONG_PTR Base,PULONG Count,ULONG Limit,PUCHAR Number,ULONG Index)
{//获取SSSDT
	RTL_PROCESS_MODULE_INFORMATION ProcessInfo;
	RtlZeroMemory(&ProcessInfo,sizeof(ProcessInfo));
	if(!ShadowSSDTBase && GetProcessInfoByFileName("win32k.sys",&ProcessInfo) &&
		Base >= ProcessInfo.ImageBase && Base <= ProcessInfo.ImageBase+ProcessInfo.ImageSize)
	{
		Win32kBase = ProcessInfo.ImageBase;
		Win32kSize = ProcessInfo.ImageSize;
		ShadowSSDTBase = Base;
		ShadowSSDTLimit = Limit;
		ExchangeEat(NtosBase,OldKeAddSystemServiceTable);
	}
	return  OldKeAddSystemServiceTable(Base,Count,Limit,Number,Index);
}

ULONG ExchangeEat(ULONG ImageBase,ULONG NewFunc)
{
	PVOID Address = MiLocateExportName(ImageBase,"KeAddSystemServiceTable");
	if(Address)
	{
		return ExchangeMem(0,Address,NewFunc);
	}
	return 0;
}

0

主题

1

帖子

11

积分

用户组: 初·技术宅

UID
2855
精华
0
威望
0 点
宅币
10 个
贡献
0 次
宅之契约
0 份
在线时间
0 小时
注册时间
2017-9-10
发表于 2017-9-10 22:42:17 | 显示全部楼层
不知道能不能用

0

主题

1

帖子

27

积分

用户组: 初·技术宅

UID
3411
精华
0
威望
2 点
宅币
22 个
贡献
0 次
宅之契约
0 份
在线时间
3 小时
注册时间
2018-1-29
发表于 2018-1-29 11:19:48 | 显示全部楼层
嗨 您好 下载了您的压缩包 但是需要您的QQ号码

0

主题

1

帖子

22

积分

用户组: 初·技术宅

UID
4151
精华
0
威望
1 点
宅币
19 个
贡献
0 次
宅之契约
0 份
在线时间
1 小时
注册时间
2018-8-10
发表于 2018-8-10 16:10:28 | 显示全部楼层
想学习一下驱动的开发,下载了您的文档。请问你的qq是多少啊

本版积分规则

QQ|申请友链|Archiver|手机版|小黑屋|技术宅的结界 ( 滇ICP备16008837号|网站地图

GMT+8, 2018-10-19 22:00 , Processed in 0.179676 second(s), 42 queries , Gzip On.

Powered by Discuz! X3.2

© 2001-2013 Comsenz Inc.

快速回复 返回顶部 返回列表