接上面的
;-----------------------------------------------------------------------
; DriverUnload (stub) — "restore own hooks".
; The body is a bare `ret`: this copy restores nothing. A second, complete
; DriverUnload with the same name appears further down in this listing, so
; assembling both as posted defines the symbol twice; this one looks like a
; paste artifact of the forum post.
; NOTE(review): the parameter is rendered as `pDriverObjectDRIVER_OBJECT`;
; the `:P` type separator of `pDriverObject:PDRIVER_OBJECT` was probably
; swallowed by the forum renderer — confirm against the original source.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObjectDRIVER_OBJECT
ret
DriverUnload endp
;-----------------------------------------------------------------------
; ModifyFuncAboutDbg(addrOdFunc, cmd_1, cmd_2)
; Overwrites 8 bytes at addrOdFunc: DWORD cmd_1 at [addrOdFunc] and
; DWORD cmd_2 at [addrOdFunc + 4]. The address is not validated and the
; bytes it held are not saved. DriverEntry calls this for each of the
; Dspdo_1 / Dmpp_1 / ... patch sites after clearing CR0.WP.
; Inline patches of this kind are exactly what kernel code-integrity
; checks exist to detect.
; All general registers are preserved via pushad/popad.
;-----------------------------------------------------------------------
ModifyFuncAboutDbg proc addrOdFunc, cmd_1, cmd_2
        pushad
        mov     edi, addrOdFunc         ; edi = patch site
        mov     ecx, cmd_1
        mov     DWORD ptr [edi], ecx    ; bytes 0..3
        mov     ecx, cmd_2
        mov     DWORD ptr [edi + 4], ecx ; bytes 4..7
        popad
        ret
ModifyFuncAboutDbg endp
DriverEntry proc pDriverObjectDRIVER_OBJECT, pusRegistryPathUNICODE_STRING
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
invoke ModifyFuncAboutDbg, Dspdo_1, 90784789h, 0fde89090h
invoke ModifyFuncAboutDbg, Dmpp_1, 90787e39h, 950f9090h
invoke ModifyFuncAboutDbg, Dct_1, 90785e39h, 840f9090h
invoke ModifyFuncAboutDbg, Dqm_1, 9078408bh, 45899090h
invoke ModifyFuncAboutDbg, Kde_1, 90787839h, 13749090h
invoke ModifyFuncAboutDbg, Dfe_1, 9078418bh, 0d2329090h
invoke ModifyFuncAboutDbg, Pcp_1, 90784389h, 45f69090h
invoke ModifyFuncAboutDbg, Mcp_1, 90785e39h, 950f9090h
invoke ModifyFuncAboutDbg, Mcp_2, 90784a89h, 5e399090h
invoke ModifyFuncAboutDbg, Dmvos_1, 9078498bh, 0cb3b9090h
invoke ModifyFuncAboutDbg, Dumvos_1, 00787983h, 74909090h
invoke ModifyFuncAboutDbg, Pet_1, 00787f83h, 74909090h
invoke ModifyFuncAboutDbg, Det_1, 9078498bh, 0c9859090h
invoke ModifyFuncAboutDbg, Dep_1, 9078498bh, 0c9859090h
;invoke ModifyFuncAboutDbg, Dmpp_2, 8bc0950fh, 8b90c032h
mov eax, pDriverObject
assume eax : ptr DRIVER_OBJECT
jmp ebx
.endif
HookCode endp
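;-----------------------------------------------------------------------
; GetNameOffset(epe) — find the offset of the "System" name string.
; Scans forward from epe one byte at a time and returns the first offset
; at which the next strlen("System") bytes compare equal to "System"
; (via strncmp).
; In:  epe = start address of the scan (the System process's EPROCESS,
;      going by the name and the original comment — TODO confirm)
; Out: eax = byte offset of the first match, or -1 if none is found in
;      the first 4096 probe positions
; Note: the last probes let strncmp read a few bytes past epe + 4096.
; All other registers are preserved via pushad/popad; the result is
; carried past popad in the local tmpOffset.
; Fix vs. the posted listing: `.elseif` with no condition is not valid
; MASM; the branch is `.else`.
;-----------------------------------------------------------------------
GetNameOffset proc epe
local tmpOffset
        pushad
        mov     ebx, epe                ; ebx = current probe address
        invoke  strlen, $CTA0("System") ; eax = compare length
        xor     ecx, ecx                ; ecx = offset of the probe from epe
@@:
        push    eax                     ; eax/ecx are caller-saved; keep
        push    ecx                     ;   them across the strncmp call
        invoke  strncmp, $CTA0("System"), ebx, eax
        pop     ecx
        .if !eax                        ; strncmp == 0: match at offset ecx
                pop     eax
                mov     tmpOffset, ecx
                popad
                mov     eax, tmpOffset
                ret
        .else
                pop     eax
                inc     ebx
                inc     ecx
                cmp     ecx, 4096       ; give up after 4096 probes
                je      @F
                jmp     @B
        .endif
@@:
        popad
        mov     eax, -1                 ; not found
        ret
GetNameOffset endp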
;-----------------------------------------------------------------------
; Hook()
; Installs a 5-byte inline patch at NtOpenProcessHookAddr:
;   E9 <rel32>      ; jmp HookCode
; with rel32 = HookCode - (site + 5).
; The page must already be writable (DriverEntry clears CR0.WP at its
; entry; whether it calls Hook is not visible in this listing). The five
; bytes being overwritten are not saved here.
; All general registers are preserved via pushad/popad.
;-----------------------------------------------------------------------
Hook proc
        pushad
        mov     ebx, NtOpenProcessHookAddr  ; ebx = patch site
        mov     eax, offset HookCode
        sub     eax, ebx                    ; eax = HookCode - site
        sub     eax, 5                      ;     - sizeof(jmp rel32) = rel32
        mov     BYTE PTR [ebx], 0E9h        ; opcode: jmp rel32
        mov     DWORD PTR [ebx + 1], eax    ; displacement
        popad
        ret
Hook endp
;-----------------------------------------------------------------------
; HookThreadCode — detour body reached through the jmp that HookThread
; writes at NtOpenThreadHookAddr. It is entered mid-function: ebp is
; expected to still be the hooked function's frame pointer. It never
; executes `ret`; both paths end in an indirect jmp back into kernel code.
;   1. re-issue the two pushes that the 5-byte patch overwrote
;   2. GetProcessName decides the path (eax == 0 vs. eax != 0)
;   3. eax == 0: jump to NtOpenThreadNoChange, i.e. continue into the
;      game's (DNF's) own hook code unchanged
;      otherwise: call ObOpenObjectByPointerAddr directly and resume at
;      NtOpenThreadRetAddr, skipping the game's hook
; DbgPrint calls are wrapped in pushad/popad so the live registers
; survive them.
; NOTE(review): the [ebp-34h]/[ebp-20h] slots and the three target
; addresses are tied to one exact kernel build; GetProcessName's return
; convention (0 = DNF process, per the original comment) is not visible
; here.
;-----------------------------------------------------------------------
HookThreadCode proc
;replay the original instructions that the jmp overwrote
push dword ptr [ebp-34h]
push dword ptr [ebp-20h]
;is this the DNF process?
invoke GetProcessName
.if !eax ;DNF's own process: jump back and let the game's hook code run
pushad
invoke DbgPrint, $CTA0("\nNotUnHook\n")
popad
mov eax, NtOpenThreadNoChange;805c13e6h
jmp eax
.else ;not DNF: call ObOpenObjectByPointer directly, then resume after the game's hook
pushad
invoke DbgPrint, $CTA0("\nUnHook\n")
popad
mov eax, ObOpenObjectByPointerAddr;805b13f0h
call eax
mov ebx, NtOpenThreadRetAddr;805c13ebh
jmp ebx
.endif
HookThreadCode endp
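;-----------------------------------------------------------------------
; HookThread()
; Installs a 5-byte inline patch at NtOpenThreadHookAddr:
;   E9 <rel32>      ; jmp HookThreadCode
; with rel32 = HookThreadCode - (site + 5).
; The page must already be writable (CR0.WP cleared by the caller); the
; five bytes being overwritten are not saved here.
; Fix vs. the posted listing: the jump target read `offset HookThreadCo`,
; which is not defined anywhere; the detour proc is HookThreadCode.
; All general registers are preserved via pushad/popad.
;-----------------------------------------------------------------------
HookThread proc
        pushad
        mov     eax, offset HookThreadCode
        sub     eax, NtOpenThreadHookAddr   ; eax = target - site ...
        sub     eax, 5                      ; ... - 5 = rel32 of the jmp
        mov     ebx, NtOpenThreadHookAddr   ; ebx = patch site
        mov     cl, 0E9h
        mov     BYTE PTR [ebx], cl          ; opcode: jmp rel32
        mov     DWORD PTR [ebx + 1], eax    ; displacement
        popad
        ret
HookThread endp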
;-----------------------------------------------------------------------
; HookDbg — detour body reached through the jmp that Dbg writes at
; KiAttachProcessAddr. It filters nothing: it only replays the standard
; function prologue that the patch covered (mov edi,edi / push ebp /
; mov ebp,esp / push ebx / push esi) and then jumps to
; KiAttachProcessRetAddr to continue in the original function. There is
; no `ret`; control never comes back here.
; NOTE(review): KiAttachProcessRetAddr is presumably the first original
; instruction after the replayed prologue — confirm; esi is left holding
; that address on arrival, which is fine only if the resume point does
; not expect esi to carry something else.
;-----------------------------------------------------------------------
HookDbg proc
mov edi, edi ; 2-byte hot-patch nop, as in the original prologue
push ebp
mov ebp, esp
push ebx
push esi
mov esi, KiAttachProcessRetAddr
jmp esi ; resume the original function body
HookDbg endp
;-----------------------------------------------------------------------
; Dbg()
; Installs a 5-byte inline patch at KiAttachProcessAddr:
;   E9 <rel32>      ; jmp HookDbg
; with rel32 = HookDbg - (site + 5).
; The page must already be writable (CR0.WP cleared by the caller); the
; bytes being overwritten are not saved here (DriverUnload writes back
; hard-coded ones).
; All general registers are preserved via pushad/popad.
;-----------------------------------------------------------------------
Dbg proc
        pushad
        mov     ebx, KiAttachProcessAddr    ; ebx = patch site
        mov     eax, offset HookDbg
        sub     eax, ebx                    ; eax = HookDbg - site
        sub     eax, 5                      ;     - 5 = rel32 of the jmp
        mov     BYTE PTR [ebx], 0E9h        ; opcode: jmp rel32
        mov     DWORD PTR [ebx + 1], eax    ; displacement
        popad
        ret
Dbg endp
;-----------------------------------------------------------------------
; DriverUnload(pDriverObject) — restore own hooks on driver unload.
; Steps: cli; clear CR0.WP (bit 16) so kernel code pages accept writes;
; write the 8 original bytes back at three patch sites; set WP again; sti.
; Sites and bytes are hard-coded for one exact kernel build, whereas the
; patch routines take their site from NtOpenProcessHookAddr /
; NtOpenThreadHookAddr / KiAttachProcessAddr. NOTE(review): confirm each
; pair is the same address; if they differ, unload writes 8 bytes to the
; wrong place.
; Cross-check: the "thread" bytes FF 75 CC FF 75 E0 E8 C1 decode to
; `push [ebp-34h] / push [ebp-20h] / call ...`, i.e. exactly what
; HookThreadCode replays, and the "debug" bytes 8B FF 55 8B EC 53 56 8B
; are the prologue HookDbg replays. Only eax/ebx are clobbered.
; NOTE(review): the parameter is rendered as `pDriverObjectDRIVER_OBJECT`;
; the `:P` of `pDriverObject:PDRIVER_OBJECT` looks eaten by the forum.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObjectDRIVER_OBJECT
cli ; no interrupts on this CPU while WP is off
mov eax, cr0
and eax, not 10000h ; CR0.WP = 0
mov cr0, eax
;restore "process handling" (the NtOpenProcess patch site, going by Hook)
mov eax, 0ffc875ffh
mov ebx, 805cc656h ; hard-coded site; 8 bytes written back
mov DWORD ptr [ebx], eax
mov eax, 43e8dc75h
mov DWORD ptr [ebx + 4], eax
;restore "thread handling" (the NtOpenThread patch site, going by HookThread)
mov eax, 0ffcc75ffh
mov ebx, 805cc8d8h ; hard-coded site; 8 bytes written back
mov DWORD ptr [ebx], eax
mov eax, 0c1e8e075h
mov DWORD ptr [ebx + 4], eax
;restore "debug handling" (the KiAttachProcess patch site, going by Dbg)
mov eax, 08b55ff8bh
mov ebx, 804f9a08h ; hard-coded site; 8 bytes written back
mov DWORD ptr [ebx], eax
mov eax, 08b5653ech
mov DWORD ptr [ebx + 4], eax
mov eax, cr0
or eax, 10000h ; CR0.WP = 1
mov cr0, eax
sti
ret
DriverUnload endp
;-----------------------------------------------------------------------
; ShowLinkTableInfo(ptrLT)
; Debug aid: prints a header line and then every field of the LinkTable
; node at ptrLT through DbgPrint, one "Name:%0X" line each, in this order:
; ThreadHandle, Dr0Seg, Dr1Seg, Dr2Seg, Dr3Seg, Dr6Seg, Dr7Seg, LinkPtr,
; NextLinkPtr. Nothing is modified. The node pointer is reloaded into esi
; before every access (the original did the same with ebx).
; All general registers are preserved via pushad/popad.
;-----------------------------------------------------------------------
ShowLinkTableInfo proc ptrLT
        pushad
        invoke  DbgPrint, $CTA0("\nThe LinkTable Info:\n")
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("ThreadHandle:%0X\n"), (LinkTable ptr [esi]).ThreadHandle
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("Dr0Seg:%0X\n"), (LinkTable ptr [esi]).Dr0Seg
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("Dr1Seg:%0X\n"), (LinkTable ptr [esi]).Dr1Seg
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("Dr2Seg:%0X\n"), (LinkTable ptr [esi]).Dr2Seg
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("Dr3Seg:%0X\n"), (LinkTable ptr [esi]).Dr3Seg
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("Dr6Seg:%0X\n"), (LinkTable ptr [esi]).Dr6Seg
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("Dr7Seg:%0X\n"), (LinkTable ptr [esi]).Dr7Seg
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("LinkPtr:%0X\n"), (LinkTable ptr [esi]).LinkPtr
        mov     esi, ptrLT
        invoke  DbgPrint, $CTA0("NextLinkPtr:%0X\n"), (LinkTable ptr [esi]).NextLinkPtr
        popad
        ret
ShowLinkTableInfo endp
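;-----------------------------------------------------------------------
; ExsitsLinkTable(pHandle) — does a node for this thread handle exist?
; Walks the singly linked list headed by threadCxtLink looking for a node
; whose ThreadHandle equals pHandle.
; Out: eax = 0    not found (list non-empty, end reached)
;      eax = 1    list is empty (threadCxtLink == 0)
;      eax = node pointer (> 1) when found; the node is also dumped with
;                 ShowLinkTableInfo
; Callers (AddLinkTable) separate the cases with `eax > 1`.
; All other registers are preserved via pushad/popad; the found pointer is
; carried past popad in tmpLink, which is not declared in this listing and
; must be a DWORD defined elsewhere — TODO confirm.
; Fixes vs. the posted listing: `xor eax, ea` -> `xor eax, eax`; the
; "not found" message started with `\p` where `\n` was meant (compare the
; "Is Exsits" message).
;-----------------------------------------------------------------------
ExsitsLinkTable proc pHandle
        pushad
        mov     eax, threadCxtLink          ; eax = current node, starting at the head
        .if !eax                            ; empty list
                pushad
                invoke  DbgPrint, $CTA0("\nLinkTable Is Null.\n")
                popad
                popad
                mov     eax, 1
                ret
        .endif
@@:
        mov     ebx, (LinkTable ptr [eax]).ThreadHandle
        cmp     ebx, pHandle                ; match -> found
        je      @F
        mov     eax, (LinkTable ptr [eax]).NextLinkPtr
        .if !eax                            ; end of list, no match
                pushad
                invoke  DbgPrint, $CTA0("\npHandle Is Not Found.\n")
                popad
                popad
                xor     eax, eax
                ret
        .endif
        jmp     @B
@@:
        pushad
        invoke  DbgPrint, $CTA0("\npHandle Is Exsits.\n")
        popad
        invoke  ShowLinkTableInfo, eax      ; eax survives: it uses pushad/popad
        ;return the node pointer
        mov     tmpLink, eax
        popad
        mov     eax, tmpLink
        ret
ExsitsLinkTable endp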
;-----------------------------------------------------------------------
; CopyContextToLinkTable(ptrContext, ptrLT)
; Copies the six DWORDs at byte offsets 4, 8, ..., 18h from ptrContext to
; the same offsets in ptrLT; offset 0 and everything past 18h are left
; untouched. Presumably these are the debug-register slots (Dr0..Dr7 in a
; CONTEXT, Dr0Seg..Dr7Seg in a LinkTable) — TODO confirm against the
; struct definitions. No null or size checks.
; All general registers are preserved via pushad/popad.
;-----------------------------------------------------------------------
CopyContextToLinkTable proc ptrContext, ptrLT
        pushad
        mov     esi, ptrContext
        mov     edi, ptrLT
        mov     edx, 4                  ; byte offset of the first DWORD
        mov     ecx, 6                  ; DWORD count: offsets 4..18h
@@:
        mov     eax, DWORD ptr [esi + edx]
        mov     DWORD ptr [edi + edx], eax
        add     edx, 4
        dec     ecx
        jnz     @B
        popad
        ret
CopyContextToLinkTable endp
;添加LinkTable表
AddLinkTable proc pHandle, ptrContext
pushad
invoke ExsitsLinkTable, pHandle
.if eax > 1
;已经存在只需要更新dr寄存器即可
invoke CopyContextToLinkTable, eax, ptrContext
.else
push eax
invoke ExAllocatePool, 1, size LinkTable
.if eax
;申请内存成功
mov ebx, eax
pop eax
;置地一个元素
mov ecx, pHandle
mov (LinkTable ptr [ebx]).ThreadHandle, ecx
;拷贝dr寄存器的值
invoke CopyContextToLinkTable, ptrContext, ebx
;置另外两个元素
mov (LinkTable ptr [ebx]).LinkPtr, ebx
mov (LinkTable ptr [ebx]).NextLinkPtr, 0
invoke ShowLinkTableInfo, ebx
;把新的链表项添加到链表中
.if eax == 1 |
|