标签:
某p在双机调试时,会检测KdEnteredDebugger是否等于1,如果等于1就重启。
我们的办法是让检测永远检测到0。经过分析,当位置为KdEnteredDebugger+0x20时值是0。我们可以修改指向。只要inline hook IoAllocateMdl 即可
PMDL MyIoAllocateMdl( __in_opt PVOID VirtualAddress, __in ULONG Length, __in BOOLEAN SecondaryBuffer, __in BOOLEAN ChargeQuota, __inout_opt PIRP Irp OPTIONAL) { PVOID pKdEnteredDebugger = (PVOID)GetKdEnteredDebuggerAddr(); if (pKdEnteredDebugger == VirtualAddress) { VirtualAddress = (PVOID)((SIZE_T)pKdEnteredDebugger + 0x20); //+0x20 是让他读到其他的位置 } return old_IoAllocateMdl(VirtualAddress, Length, SecondaryBuffer, ChargeQuota, Irp); }
具体代码实现:
#include<NTDDK.H> #include<windef.h> #include<ntstatus.h> BYTE OriginalBytes[5] = {0}; BYTE HookCode[5] = {0xe9,0,0,0,0};//跳转地址 BYTE JmpCode[7] = {0xea,0,0,0,0,0x08,0};//cs模式为1b,内核位08 ULONG CR0VALUE; #define kmalloc(_s) ExAllocatePoolWithTag(NonPagedPool, _s, ‘SYSQ‘) // 查找KdEnteredDebugger地址 extern SIZE_T KdEnteredDebugger; SIZE_T GetKdEnteredDebuggerAddr() { return KdEnteredDebugger; } // HookIoAllocMdl typedef PMDL(__stdcall *_MyIoAllocateMdl)( _In_opt_ PVOID VirtualAddress, _In_ ULONG Length, _In_ BOOLEAN SecondaryBuffer, _In_ BOOLEAN ChargeQuota, _Inout_opt_ PIRP Irp ); _MyIoAllocateMdl old_IoAllocateMdl; PMDL MyIoAllocateMdl( __in_opt PVOID VirtualAddress, __in ULONG Length, __in BOOLEAN SecondaryBuffer, __in BOOLEAN ChargeQuota, __inout_opt PIRP Irp OPTIONAL) { PVOID pKdEnteredDebugger = (PVOID)GetKdEnteredDebuggerAddr(); if (pKdEnteredDebugger == VirtualAddress) { VirtualAddress = (PVOID)((SIZE_T)pKdEnteredDebugger + 0x20); //+0x20 是让他读到其他的位置 } return old_IoAllocateMdl(VirtualAddress, Length, SecondaryBuffer, ChargeQuota, Irp); } void hookIoAllocateMdl() { KIRQL Irql; DbgPrint("NtIoAllocateMdl] :0x%x",IoAllocateMdl); DbgPrint("[MyIoAllocateMdl] :0x%x",MyIoAllocateMdl); //地址验证 RtlCopyMemory(OriginalBytes,(BYTE *)IoAllocateMdl,5); *(ULONG *)(HookCode+1) = (ULONG)MyIoAllocateMdl - ((ULONG)IoAllocateMdl+5); DbgPrint("*(ULONG *)(HookCode+1) = (ULONG)MyIoAllocateMdl - ((ULONG)IoAllocateMdl+5);"); *(ULONG *)(JmpCode+1) = (ULONG)((BYTE*)IoAllocateMdl +5); RtlCopyMemory((BYTE*)old_IoAllocateMdl,OriginalBytes,5); RtlCopyMemory((BYTE*)old_IoAllocateMdl+5,JmpCode,7); //去除写保护 _asm { push eax mov eax, cr0 mov CR0VALUE, eax and eax, 0fffeffffh mov cr0, eax pop eax } //提升IRQL中断级别 Irql = KeRaiseIrqlToDpcLevel(); DbgPrint(" Irql = KeRaiseIrqlToDpcLevel();"); RtlCopyMemory((BYTE*)IoAllocateMdl,HookCode,5); DbgPrint("RtlCopyMemory((BYTE*)IoAllocateMdl,HookCode,5);"); KeLowerIrql(Irql); //开启写保护 __asm { push eax mov eax, CR0VALUE mov cr0, eax pop eax }; DbgPrint("已经hook"); } void myDriverUnload(PDRIVER_OBJECT P) { DbgPrint("已经恢复"); } NTSTATUS DriverEntry( IN OUT PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { DbgPrint("开始hook"); DriverObject->DriverUnload = myDriverUnload; old_IoAllocateMdl = (_MyIoAllocateMdl)kmalloc(20); memset(old_IoAllocateMdl, 0x90, 20); hookIoAllocateMdl(); return STATUS_SUCCESS; }
标签:
原文地址:http://www.cnblogs.com/yufd/p/5325376.html