- 注册时间
- 2022-8-23
- 最后登录
- 2024-3-6
- 在线时间
- 2 小时
编程入门
- 天马币
- 22
|
簡單逆下Hs-NtReadProcessMemory
直接用KD簡單逆的
偽代碼就不上了 歡迎找碴
- [ebp-C] = ReturnLength
- [ebp-28] = ProcessInformation
- [ebp-4] = ProcessHandle
- [ebp-10] = 返回值(success Or error c)
- [ebp-8] = Pid
- [ebp-18] = ???
-
-
- ----------保護暫存器---------------
- 0xB31F7C00 mov eax, esp
- 0xB31F7C02 add eax, 8
- 0xB31F7C05 pushad
- 0xB31F7C06 pushfd
- 0xB31F7C07 push ebp
- 0xB31F7C08 mov ebp, esp
- 0xB31F7C0A sub esp, 40
-
-
- 0xB31F7C0D mov ecx, dword ptr [eax+8]
- 0xB31F7C10 mov dword ptr [ebp-4], ecx
- 0xB31F7C13 mov ecx, B3206968 //B3206968=ProcessInformation
- 0xB31F7C18 call dword ptr [<&ntkrnlpa.InterlockedIncrement>] //不讓多執行序共享變量(保護)
-
-
- 0xB31F7C1E lea eax, dword ptr [ebp-C] //把局部變量ebp-c的地址給eax
- 0xB31F7C21 push eax //ReturnLength
- 0xB31F7C22 push 18 //ProcessInformationLength
- 0xB31F7C24 lea ecx, dword ptr [ebp-28]
- 0xB31F7C27 push ecx //ProcessInformation
- 0xB31F7C28 push 0 //ProcessInformationClass
- 0xB31F7C2A mov edx, dword ptr [ebp-4] //保存在局部變量ebp-4=ProcessHandle
- 0xB31F7C2D push edx //ProcessHandle
- 0xB31F7C2E call dword ptr [<&ntkrnlpa.ZwQueryInformationProcess>]
-
-
- 0xB31F7C34 mov dword ptr [ebp-10], eax //返回值(success Or error)給局部變量
- 0xB31F7C37 xor eax, eax //eax=0
- 0xB31F7C39 cmp dword ptr [ebp-10], 0
- 0xB31F7C3D setge al //如果ZF=1則,al等於,否則等於
- 0xB31F7C40 cmp eax, 1 //比較eax是否為
- 0xB31F7C43 jne B31F7D13 //eax不為 ●跳到 "正確"
- 0xB31F7C49 call B31FFB66 //PsGetCurrentId 得到目前PID值
-
-
- 0xB31F7C4E mov dword ptr [ebp0xB31F7C4E mov dword ptr [ebp--8], eax //ebp8], eax //ebp--8 = Pid 8 = Pid
- 0xB31F7C51 push 1
- 0xB31F7C53 mov ecx, dword ptr [ebp-8] //ecx = Pid
- 0xB31F7C56 push ecx //Pid
- 0xB31F7C57 call B31FD460 //這個Call內部有 KeGetCurrentIrql(得到目前IRQL)
- //和建立快速互斥 and 釋放快速互斥
- 0xB31F7C5C movzx edx, al //返回值給edx
- 0xB31F7C5F cmp edx, 1 //edx和做比較
- 0xB31F7C62 jne short B31F7CB1 //繼續判斷
-
-
- 0xB31F7C64 push 4 0xB31F7C64 push 4
- 0xB31F7C66 mov eax, dword ptr [ebp-18]
- 0xB31F7C69 push eax
- 0xB31F7C6A push B320F3A0
- 0xB31F7C6F call B31F07F0 ●這個Call出現多次 把Pid當參數傳入 回傳值 Or 0
- 0xB31F7C74 movzx ecx, al //把回傳值給ecx
- 0xB31F7C77 cmp ecx, 1 //ecx和比較
- 0xB31F7C7A jne short B31F7CAF ●ecx 為"跳到正確"
-
-
- 0xB31F7C7C push 4
- 0xB31F7C7E mov edx, dword ptr [ebp-8] //edx=Pid
- 0xB31F7C81 push edx //push Pid
- 0xB31F7C82 push B320F3A0
- 0xB31F7C87 call B31F07F0 ●這個Call出現多次 把Pid當參數傳入 回傳值 Or 0
- 0xB31F7C8C movzx eax, al
- 0xB31F7C8F cmp eax, 1
- 0xB31F7C92 je short B31F7C99 //如果eax=1 正確就繼續判斷
- 0xB31F7C94 jmp B31F7D29 ●eax = 0 跳到錯誤
-
-
- 0xB31F7C99 push 1
- 0xB31F7C9B call B31FFB6C //PsGetCurrentThreadId 得到目前的Tid值
- 0xB31F7CA0 push eax //eax = Tid
- 0xB31F7CA1 call B31F2680 //這個Call內部有建立快速互斥 and 釋放快速互斥
-
-
- 0xB31F7CA6 mov edx, dword ptr [ebp-8] edx = Pid
- 0xB31F7CA9 push edx
- 0xB31F7CAA call B31FD3B0 //這個Call內部有 KeGetCurrentIrql(得到目前IRQL)
- //和建立快速互斥 and 釋放快速互斥
- //Call中又有個Call 呼叫InterlockedPushEntrySlist函數在棧頂添加一個元素
- 0xB31F7CAF jmp short B31F7D13 ●"跳到正確"
-
-
- 0xB31F7CB1 push 4 0xB31F7CB1 push 4
- 0xB31F7CB3 mov eax, dword ptr [ebp-18]
- 0xB31F7CB6 push eax
- 0xB31F7CB7 push B320F3A0
- 0xB31F7CBC call B31F07F0 ●這個Call出現多次 把Pid當參數傳入 回傳值 Or 0
- 0xB31F7CC1 movzx ecx, al
- 0xB31F7CC4 cmp ecx, 1
- 0xB31F7CC7 jne short B31F7D13 ●ecx = 0 跳到正確
-
-
- 0xB31F7CC9 push 4
- 0xB31F7CCB mov edx, dword ptr [ebp-8] //eax=Pid
- 0xB31F7CCE push edx
- 0xB31F7CCF push B320F3A0
- 0xB31F7CD4 call B31F07F0 ●這個Call出現多次 把Pid當參數傳入 回傳值 Or 0
- 0xB31F7CD9 movzx eax, al
- 0xB31F7CDC cmp eax, 1 //比較eax是否=1
- 0xB31F7CDF je short B31F7D06 ●如果eax=1 跳到正確
-
-
- 0xB31F7CE1 push 1
- 0xB31F7CE3 call dword ptr [<&ntkrnlpa.IoGetCurrentProcess>] //得到一個PEPROCESS結構
- 0xB31F7CE9 push eax eax=目前調用的PEPROCESS結構
- 0xB31F7CEA call B31FD596 //Hs的判斷CALL 可能是黑名單 or 白名單
- 0xB31F7CEF movzx ecx, al
- 0xB31F7CF2 cmp ecx, 1 //ecx和判斷
- 0xB31F7CF5 je short B31F7D04 ●如果ecx=1 跳到正確
-
-
- 0xB31F7CF7 push 1 0xB31F7CF7 push 1
- 0xB31F7CF9 mov edx, dword ptr [ebp-8] //edx=Pid
- 0xB31F7CFC push edx //push Pid
- 0xB31F7CFD call B31FD230 //這個Call內部有 KeGetCurrentIrql(得到目前TRQL)
- //和建立快速互斥 and 釋放快速互斥
- //Call中又有個Call 呼叫InterlockedPushEntrySlist函數在棧頂添加一個元素
- 0xB31F7D02 jmp short B31F7D29 ●跳到錯誤
- 0xB31F7D04 jmp short B31F7D13 ●跳到正確
-
-
- 0xB31F7D06 push 1
- 0xB31F7D08 call B31FFB6C //PsGetCurrentThreadId
- 0xB31F7D0D push eax //eax=Tid
- 0xB31F7D0E call B31F2680 //傳入Tid值的Call
- 0xB31F7D13 mov ecx, B3206968 //ecx=ProcessInformation
- 0xB31F7D18 call dword ptr [<&ntkrnlpa.InterlockedDecrement>] //在多線程中保護某個變量
- -------------------還原現場----------------------------
- 0xB31F7D1E add esp, 40
- 0xB31F7D21 pop ebp
- 0xB31F7D22 popfd
- 0xB31F7D23 popad
- 0xB31F7D24 jmp B31F72E0 //這句Jmp ●(8053CB90) ●原本被Hook前的Call地址 "正確"
-
-
- 0xB31F7D29 mov ecx, B3206968 ●ecx=ProcessInformation 下面接著返回錯誤代碼 "錯誤"
- 0xB31F7D2E call dword ptr [<&ntkrnlpa.InterlockedDecrement>] //在多線程中保護某個變量
- 0xB31F7D34 add esp, 40
- 0xB31F7D37 pop ebp
- 0xB31F7D38 popfd
- 0xB31F7D39 popad
- 0xB31F7D3A pop eax
- 0xB31F7D3B pop eax
- 0xB31F7D3C pop eax
- 0xB31F7D3D mov eax,C0000022 //返回eax = C0000022 錯誤代碼
- 0xB31F7D42 retn 14
- 0xB31F7D45 CC int3
- 0xB31F7D46 CC int3
- 0xB31F7D47 CC int3
- 0xB31F7D48 CC int3
|
- 0xB31FFB5A | FF25 C83620B3 | jmp dword ptr [<&ntkrnlpa.PsSetCreateProcessNotifyRoutine>
- 0xB31FFB60 | FF25 703620B3 | jmp dword ptr [<&ntkrnlpa.PsGetVersion>]
- 0xB31FFB66 | FF25 E83520B3 | jmp dword ptr [<&ntkrnlpa.PsGetCurrentProcessId>]
- 0xB31FFB6C | FF25 443520B3 | jmp dword ptr [<&ntkrnlpa.PsGetCurrentThreadId>]
- 0xB31FFB72 | FF25 503520B3 | jmp dword ptr [<&ntkrnlpa.stricmp>]
- 0xB31FFB78 | FF25 543520B3 | jmp dword ptr [<&ntkrnlpa.strrchr>]
- 0xB31FFB7E | FF25 643520B3 | jmp dword ptr [<&ntkrnlpa.except_handler3>]
- 0xB31FFB84 | FF25 7C3520B3 | jmp dword ptr [<&ntkrnlpa.KeGetCurrentThread>]
- 0xB31FFB8A | FF25 AC3520B3 | jmp dword ptr [<&ntkrnlpa.allmul>]
- 0xB31FFB90 | FF25 B03520B3 | jmp dword ptr [<&ntkrnlpa.alldiv>]
- 0xB31FFB96 | FF25 B43520B3 | jmp dword ptr [<&ntkrnlpa.wcslen>]
- 0xB31FFB9C | FF25 B83520B3 | jmp dword ptr [<&ntkrnlpa.wcsrchr>]
- 0xB31FFBA2 | FF25 C03520B3 | jmp dword ptr [<&ntkrnlpa.KeDetachProcess>]
- 0xB31FFBA8 | FF25 C43520B3 | jmp dword ptr [<&ntkrnlpa.KeAttachProcess>]
- 0xB31FFBAE | FF25 C83520B3 | jmp dword ptr [<&ntkrnlpa.PsLookupProcessByProcessId>]
- 0xB31FFBB4 | FF25 DC3520B3 | jmp dword ptr [<&ntkrnlpa.wcscpy>]
- 0xB31FFBBA | FF25 C43620B3 | jmp dword ptr [<&ntkrnlpa.ObReferenceObjectByName>]
- 0xB31FFBC0 | FF25 1C3620B3 | jmp dword ptr [<&ntkrnlpa.ObOpenObjectByPointer>]
- 0xB31FFBC6 | FF25 303620B3 | jmp dword ptr [<&ntkrnlpa.wcsnicmp>]
- 0xB31FFBCC | FF25 403620B3 | jmp dword ptr [<&ntkrnlpa.IoQueueWorkItem>]
- 0xB31FFBD2 | FF25 443620B3 | jmp dword ptr [<&ntkrnlpa.IoAllocateWorkItem>]
- 0xB31FFBD8 | FF25 483620B3 | jmp dword ptr [<&ntkrnlpa.IoFreeWorkItem>]
- 0xB31FFBDE | FF25 543620B3 | jmp dword ptr [<&ntkrnlpa.PsIsThreadTerminating>]
- 0xB31FFBE4 | FF25 583620B3 | jmp dword ptr [<&ntkrnlpa.PsLookupThreadByThreadId>]
|
|
发表于 2024-2-29 13:01:22