// NOTE(review): stray line -- rand() returns an int that is cast straight to a
// pointer, so p holds an arbitrary value, not a valid object address; the
// page gives no context for it.
void *p = (void *)rand();
post @ 2018-02-24

转载至: csdn链接

#pragma optimize( "gs", off )
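void calc(int nMax)
{
    /*
     * Busy loop with no observable result: nTotal is summed and discarded.
     * The surrounding #pragma optimize("gs", off) keeps MSVC from deleting
     * the dead loops, so the call burns roughly nMax*nMax iterations
     * (presumably a spin delay / load generator -- the page does not say).
     *
     * nMax <= 0 runs zero iterations.  Bounds and the accumulator are kept
     * in long long so that nMax + index and the running sum cannot overflow
     * int (signed overflow is undefined behaviour).
     */
    if (nMax <= 0)
    {
        return;
    }
    long long nTotal = 0;
    for (long long index = 0; index < nMax; index++)
    {
        nTotal = 0;
        const long long limit = (long long)nMax + index;
        for (long long subIndex = index; subIndex < limit; subIndex++)
        {
            nTotal += subIndex;
        }
    }
    (void)nTotal; /* result is intentionally unused */
}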
#pragma optimize( "gs", on )

记录。


上次说到PUBG,抹除权限的线程结束就好了。 上次链接
抽空仔细分析了一下。
代码:

/*
 * Walks csrss.exe's HandleTableList, locates the handle table whose
 * UniqueProcessId equals the hard-coded pid (2588), and rewrites
 * GrantedAccess on every entry of that table whose object type index is
 * OB_TYPE_INDEX_JOB.
 *
 * Review notes:
 *  - All structure offsets (0x200 into EPROCESS, 0x20 back from the list
 *    entry, 0x10 per table entry, 0x30 and 0x18 from the object header) are
 *    raw constants for one OS build; on any other build the reads hit the
 *    wrong fields and the final write corrupts kernel memory.
 *  - GrantedAccess is written straight into the handle-table entry, so the
 *    object manager's access check never sees the new mask.  Direct
 *    handle-table edits of this kind are what kernel integrity monitoring
 *    and anti-tamper self-checks are built to detect.
 *  - The EPROCESS reference returned by PsLookupProcessByProcessId is never
 *    released with ObDereferenceObject (reference leak).
 *  - TableCode is indexed as a flat array; its low bits encode the table
 *    level, so this is only correct for a single-level table (presumably
 *    what the HandleCount < 0xFF guard relies on).
 *  - The decoded Object pointer is handed to PsGetProcessImageFileName (as
 *    Object + 0x30) before MmIsAddressValid is consulted, and that call
 *    assumes the object body is an EPROCESS -- TODO confirm.
 *  - GetProcessId, OB_TYPE_INDEX_JOB, HANDLE_TABLE and HANDLE_TABLE_ENTRY
 *    are the driver's own definitions and are not visible on this page.
 */
void EnumHandele()
{
LIST_ENTRY le;
PEPROCESS pep = NULL;
ULONG csrss = GetProcessId("csrss.exe");
//ULONG pid = GetProcessId("CE.exe");
ULONG pid = 2588; /* target process id, hard-coded for this run */
NTSTATUS status = PsLookupProcessByProcessId(csrss, &pep);
if (NT_SUCCESS(status))
{
KdPrint(("start\n"));
/* copies the HANDLE_TABLE pointed to by the QWORD at EPROCESS + 0x200 */
HANDLE_TABLE ht = *(PHANDLE_TABLE)*(PULONG64)((PUCHAR)pep + 0x200);
PLIST_ENTRY HandleTableList = ht.HandleTableList;
PLIST_ENTRY ListEntry = NULL;
for (ListEntry = HandleTableList->Flink; ListEntry != HandleTableList; ListEntry = ListEntry->Flink)
{
if (MmIsAddressValid((PUCHAR)ListEntry - 0x20) == FALSE)
{
continue;
}
/* the list entry is assumed to sit 0x20 bytes into HANDLE_TABLE */
PHANDLE_TABLE HandleTab = (PHANDLE_TABLE)((PUCHAR)ListEntry - 0x20);
char *szName = PsGetProcessImageFileName(HandleTab->QuotaProcess);
//KdPrint(("%p %s cont[%d]\n", HandleTab, szName, HandleTab->HandleCount));
if (HandleTab->UniqueProcessId == pid && HandleTab->HandleCount < 0xFF)
{
KdPrint(("%p %s cont[%d]\n", HandleTab, szName, HandleTab->HandleCount));
for (size_t i = 0; i < HandleTab->HandleCount; i++)
{
PHANDLE_TABLE_ENTRY HTE = (PHANDLE_TABLE_ENTRY)(HandleTab->TableCode + i * 0x10);
ULONG64 Object = HTE->Object;
/* clear the low 3 flag bits of the entry's object pointer */
Object = Object >> 3;
Object = Object << 3;
char *filename = PsGetProcessImageFileName(Object + 0x30);
Object += 0x18;
if (MmIsAddressValid(Object))
{
BYTE TypeIndex = *(BYTE *)(Object);
//KdPrint(("object[%p][%x][%x]\n", HTE, HTE->GrantedAccess, TypeIndex));
if (TypeIndex == OB_TYPE_INDEX_JOB)
{
KdPrint(("object[%p][%x][%x][%s]\n", HTE, HTE->GrantedAccess, TypeIndex, filename));
/* direct overwrite of the entry's access mask, bypassing the object manager */
HTE->GrantedAccess = 0x1f1fff;
}
}
}
}
}
}
}

这样 会得到我们对应的GrantedAccess在内核的地址。
object[FFFFF8A007762A30][1f1bc5][7][TslGame.exe]
ida+gdb可直接调试BE 对地址下访问断点。

MEMORY:FFFFF88006212371 mov [rbx+8], eax //nop 完事 写入
MEMORY:FFFFF88006212374 setbe bl
MEMORY:FFFFF88006212377
MEMORY:FFFFF88006212377 loc_FFFFF88006212377: ; CODE XREF: MEMORY:loc_FFFFF88006212363j
MEMORY:FFFFF88006212377 xor al, al
MEMORY:FFFFF88006212379 cmp r14b, 0E0h ; '
MEMORY:FFFFF8800621237D movsx edi, r12w
MEMORY:FFFFF88006212381 mov rbx, [rsp+30h]
MEMORY:FFFFF88006212386 add rsp, 20h
MEMORY:FFFFF8800621238A movsxd rdi, r15d
MEMORY:FFFFF8800621238D setns dil
MEMORY:FFFFF88006212391 pop rdi
MEMORY:FFFFF88006212392 retn
MEMORY:FFFFF880062122D3 jnz loc_FFFFF88006212302
MEMORY:FFFFF880062122D9 mov eax, [rbx+8] //读取
MEMORY:FFFFF880062122DC cmp r11d, ebx
MEMORY:FFFFF880062122DF test dl, r10b
MEMORY:FFFFF880062122E2 test ecx, offset unk_7E5F0EAD
MEMORY:FFFFF880062122E8 test eax, 43Ah
MEMORY:FFFFF880062122ED jmp $+5
MEMORY:FFFFF880062122F2 ; ---------------------------------------------------------------------------
MEMORY:FFFFF880062122F2
MEMORY:FFFFF880062122F2 loc_FFFFF880062122F2: ; CODE XREF: MEMORY:FFFFF880062122EDj
MEMORY:FFFFF880062122F2 jz loc_FFFFF88006212377
MEMORY:FFFFF880062122F8 and eax, offset unk_FFFFFBC5
MEMORY:FFFFF880062122FD jmp loc_FFFFF88006212371

懒,简单粗暴 nop。

代码:

/*
 * System-thread body: every 3 s, while isinstall is set, locates BEDaisy.sys
 * and overwrites two 3-byte instructions inside it -- the read and the write
 * of [rbx+8] shown in the disassembly above, at module offsets 0x1E12D9 and
 * 0x1E1371 -- with NOPs.  Exits via PsTerminateSystemThread once StopThread
 * is set.
 *
 * Review notes:
 *  - Both offsets are module-relative constants for one build of the driver;
 *    only the first opcode byte (0x8B / 0x89) is checked before the 3-byte
 *    overwrite, so a different build that happens to have that byte at the
 *    same offset would be corrupted.
 *  - WPOFFx64/WPONx64 are external helpers that presumably clear and restore
 *    the CPU write-protect bit so the read-only code page can be written.
 *    Patching a loaded, signed driver's code in place is the kind of
 *    modification that driver self-integrity checks and kernel memory
 *    scanners are designed to detect.
 *  - besize is an integer initialised with the pointer constant NULL.
 *  - StopThread, isinstall, MySleep, GetKernelModuleHandle and Dedbg are
 *    defined elsewhere in the driver and are not visible on this page.
 */
VOID PassBeThread(IN PVOID Nothing)
{
while (!StopThread)
{
MySleep(3000);
if (!isinstall)
{
continue;
}
ULONG besize = NULL;
ULONGLONG bebase = (ULONGLONG)GetKernelModuleHandle(&besize, (PUCHAR)"BEDaisy.sys");
if (bebase)
{
/* build-specific offsets of the two instructions (see disassembly above) */
ULONGLONG writebe = bebase + 0x1E1371;
ULONGLONG readbe = bebase + 0x1E12D9;
if (MmIsAddressValid((PVOID)readbe) && MmIsAddressValid((PVOID)writebe))
{
BYTE isread = *(BYTE *)readbe;
BYTE iswrite = *(BYTE *)writebe;
if (isread == 0x8B) /* only the first opcode byte is verified */
{
Dedbg(("find be read\n"));
KIRQL irq = WPOFFx64();
BYTE data[] = { 0x90, 0x90, 0x90 };
memcpy((PVOID)readbe, data, 3);
WPONx64(irq);
}
if (iswrite == 0x89) /* only the first opcode byte is verified */
{
Dedbg(("find be write\n"));
KIRQL irq = WPOFFx64();
BYTE data[] = { 0x90, 0x90, 0x90 };
memcpy((PVOID)writebe, data, 3);
WPONx64(irq);
}
}
}
}
PsTerminateSystemThread(STATUS_SUCCESS);
}

本想去hook读取的地方 想想算了。

至此即可做任何操作。


win10下获取ServiceDescriptorTableShadow这些与win7差不多,略过。

  • hook
    FFFFF960F4B119F0 FF25 B2AB0000 jmp qword ptr [rip+ABB2]
    直接修改rip+ABB2指针的值,记得保存原来的。

NtUserBuildHwndList 这个函数在win7 下

/*
 * Win7 prototype of the win32k NtUserBuildHwndList entry (7 arguments).
 * Calling through this layout on Win10 crashes (the page reports a BSOD):
 * Win10 inserts an extra parameter, see TYPENtUserBuildHwndListWin10 below.
 */
typedef NTSTATUS(__fastcall *TYPENtUserBuildHwndList)(IN HDESK hdesk,
IN HWND hwndNext,
IN ULONG fEnumChildren,
IN DWORD idThread,
IN UINT cHwndMax,
OUT HWND *phwndFirst,
OUT ULONG* pcHwndNeeded);

最初直接套用,发现蓝屏。 ida查看伪代码发现
win7:

__int64 __fastcall NtUserBuildHwndList(__int64 a1, __int64 a2, PVOID Address, unsigned int a4, unsigned int a5, PVOID phwndFirst, unsigned __int64 pcHwndNeeded)
if ( a5 > 0x1FFFFFFF )
ExRaiseAccessViolation();
ProbeForWrite(phwndFirst, 8 * v25, 4u);
v26 = (_DWORD *)pcHwndNeeded;
v27 = (_DWORD *)pcHwndNeeded;
if ( pcHwndNeeded >= (unsigned __int64)W32UserProbeAddress )

win10:

__int64 __fastcall NtUserBuildHwndList(__int64 a1, __int64 a2, int a3, int a4, PVOID Address, __int64 a6, PVOID Addressa, unsigned __int64 a8)
ProbeForWrite(Addressa, 8i64 * (unsigned int)a6, 4u);
v13 = (_DWORD *)a8;
v20 = (_DWORD *)a8;
if ( a8 >= *(_QWORD *)W32UserProbeAddress )
v20 = *(_DWORD **)W32UserProbeAddress;
*v20 = *v20;

可以知道是在参数a7 之前加入了一个参数 也就是 phwndFirst 之前
google:
链接 好像被墙。

so
win10:

/*
 * Win10 prototype of NtUserBuildHwndList (8 arguments).  The decompiled
 * Win10 signature above probes its 7th argument with ProbeForWrite using
 * the 6th as the element count, so the new parameter sits in position 5
 * (a5 here, between idThread and cHwndMax); its meaning is not known from
 * this page.
 */
typedef NTSTATUS(__fastcall *TYPENtUserBuildHwndListWin10)(IN HDESK hdesk,
IN HWND hwndNext,
IN ULONG fEnumChildren,
IN DWORD idThread,
PVOID a5,
IN UINT cHwndMax,
OUT HWND *phwndFirst,
OUT ULONG* pcHwndNeeded);


各种问题各种坑。
记录下步骤吧,可能还有更简便的方式。

  • 开机启动win10
  • 更改UAC
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System;
    • 目录下的EnableLUA = 0;
    • 重启;
  • 复制VirtualKD目录下的target文件夹到虚拟机,运行vminstall.exe 重启;
  • F8 禁止驱动签名验证 不知为何 我bcdedit不管用。
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
  • 新建key,名字为Debug Print Filter ,然后在此key下新建一个DWORD value ,名字为DEFAULT,然后设置值为0x00000008 重启 完事。

工程要编译成x64位的。

还需要两个DLL dbghelp.dll symsrv.dll 和编译生成的EXE放在一起 (在windbg目录有这俩个DLL)

#include <Windows.h>
#include <stdio.h>
#include <string>
#include <psapi.h>
#include "dbghelp.h"
#pragma comment(lib,"dbghelp.lib")
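/*
 * dbghelp SymEnumSymbols callback.  Prints the address of the three
 * Psp*NotifyRoutine symbols (presumably the kernel's process / image-load /
 * thread notification tables) and keeps the enumeration going.
 *
 * pSymInfo    - symbol record supplied by dbghelp; Name is NUL-terminated.
 * SymbolSize  - unused.
 * UserContext - unused (SymEnumSymbols is called with 0 below).
 * Returns TRUE so that enumeration continues.
 */
BOOL CALLBACK EnumSymCallBack(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    (void)SymbolSize;
    (void)UserContext;
    static const char *const kWanted[] = {
        "PspCreateProcessNotifyRoutine",
        "PspLoadImageNotifyRoutine",
        "PspCreateThreadNotifyRoutine",
    };
    for (size_t i = 0; i < sizeof(kWanted) / sizeof(kWanted[0]); i++)
    {
        if (strcmp(pSymInfo->Name, kWanted[i]) == 0)
        {
            // Address is a ULONG64 while %p expects a pointer; convert
            // explicitly instead of passing a mismatched argument type.
            printf("%-30s :%p\n", pSymInfo->Name, (void *)(ULONG_PTR)pSymInfo->Address);
            break;
        }
    }
    return TRUE;
}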
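/*
 * Resolves the three Psp*NotifyRoutine symbols of the first loaded kernel
 * module reported by EnumDeviceDrivers (pDrvAddr[0]) by loading that
 * module's symbols through dbghelp at the module's real load address.
 *
 * Preconditions (from the page): build as x64 and ship dbghelp.dll and
 * symsrv.dll next to the executable.  The symbol path below downloads
 * from the Microsoft symbol server into C:\Windows\symbols.
 *
 * Returns 0 on success, 1 if a required step fails (the original ignored
 * every return value and leaked the file handle).
 */
int main()
{
    std::string strMod;
    PVOID dwBaseAddr = 0;
    PVOID pDrvAddr[128 * 8];
    DWORD dwcbNeeded = 0;
    // The original loop broke after its first iteration, so only the first
    // driver entry is ever used; keep that behaviour explicitly.
    if (EnumDeviceDrivers(pDrvAddr, sizeof(pDrvAddr), &dwcbNeeded) && dwcbNeeded >= sizeof(PVOID))
    {
        char chDrvName[MAX_PATH] = { 0 };
        if (GetDeviceDriverBaseNameA(pDrvAddr[0], chDrvName, MAX_PATH) == 0)
        {
            printf("GetDeviceDriverBaseNameA failed: %lu\n", GetLastError());
            return 1;
        }
        dwBaseAddr = pDrvAddr[0];
        strMod = chDrvName;
        printf("%-20s 0x%p\n", strMod.c_str(), dwBaseAddr);
    }
    if (strMod.empty())
    {
        printf("EnumDeviceDrivers returned no modules: %lu\n", GetLastError());
        return 1;
    }

    SymSetOptions(SYMOPT_DEFERRED_LOADS);
    HANDLE hProcess = GetCurrentProcess();
    if (!SymInitialize(hProcess, 0, FALSE))
    {
        printf("SymInitialize failed: %lu\n", GetLastError());
        return 1;
    }
    // NOTE(review): symbols are fetched over plain http here; current
    // symsrv builds also accept an https:// server URL in the same syntax.
    std::string strSymbolPath = "srv*C:\\Windows\\symbols*http://msdl.microsoft.com/download/symbols";
    std::string strSystemPath = "C:\\Windows\\System32\\" + strMod;
    SymSetSearchPath(hProcess, strSymbolPath.c_str());

    // The file is opened only to learn its size; dbghelp re-reads it by path.
    HANDLE hSystemFile = CreateFileA(strSystemPath.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                                     NULL, OPEN_EXISTING, 0, NULL);
    if (hSystemFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFileA(%s) failed: %lu\n", strSystemPath.c_str(), GetLastError());
        SymCleanup(hProcess);
        return 1;
    }
    DWORD dwFileSize = GetFileSize(hSystemFile, NULL);
    CloseHandle(hSystemFile);
    if (dwFileSize == INVALID_FILE_SIZE)
    {
        printf("GetFileSize failed: %lu\n", GetLastError());
        SymCleanup(hProcess);
        return 1;
    }

    DWORD64 dwBase = SymLoadModule64(hProcess, NULL, strSystemPath.c_str(), NULL, (DWORD64)dwBaseAddr, dwFileSize);
    if (dwBase == 0)
    {
        printf("SymLoadModule64 failed: %lu\n", GetLastError());
        SymCleanup(hProcess);
        return 1;
    }
    printf("正在枚举符号...\n");
    SymEnumSymbols(hProcess, dwBase, 0, EnumSymCallBack, 0);
    printf("枚举符号结束...\n");
    SymUnloadModule64(hProcess, dwBase);
    SymCleanup(hProcess);
    system("pause"); // console convenience; spawns cmd.exe -- keep for parity with the original
    return 0;
}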
post @ 2017-12-13

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

前不久刚出的。
简单明了的办法就是直接运行后删除自身。

另一种:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
运行过的程序记录。
就像pchunter你放在那没事,运行后卸载驱动、关闭pchunter,上游戏BE还是会弹提示。
so 想到应该是获取刚运行后的文件。
以下是代码 很丑

/*
 * Applies ROT13 to one character: letters are rotated 13 places within
 * their own case (a-m / A-M move forward, n-z / N-Z move back); any other
 * byte is returned unchanged.
 */
CHAR GetROT13Key(CHAR uKey)
{
    const bool firstHalf  = (uKey >= 'a' && uKey <= 'm') || (uKey >= 'A' && uKey <= 'M');
    const bool secondHalf = (uKey >= 'n' && uKey <= 'z') || (uKey >= 'N' && uKey <= 'Z');
    if (firstHalf)
    {
        return (CHAR)(uKey + 13);
    }
    if (secondHalf)
    {
        return (CHAR)(uKey - 13);
    }
    return uKey;
}
/*
 * ROT13-decodes the first inLen bytes of pKeyData in place (the caller
 * applies it to UserAssist value names).  A null buffer or a zero length is
 * a no-op; a negative length also does nothing because the loop never runs.
 */
VOID DecryptionKey(CHAR* pKeyData, INT inLen)
{
    if (pKeyData == NULL || inLen == 0)
    {
        return;
    }
    CHAR *cur = pKeyData;
    INT remaining = inLen;
    while (remaining-- > 0)
    {
        *cur = GetROT13Key(*cur);
        ++cur;
    }
}
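/*
 * Dumps the current user's UserAssist registry data: for every subkey of
 * the UserAssist key and every subkey below that, enumerates the value
 * names, ROT13-decodes them (DecryptionKey) and sends them to the debugger
 * output.  Subkey names are echoed to stdout as they are visited.
 *
 * Fixes relative to the earlier version:
 *  - printf(subKeyName) used registry-derived text as the format string;
 *    names now go through "%s".
 *  - One dwLength was shared by all three nested enumerations, so the second
 *    level's first EnumKey call received the outer key's name length as its
 *    buffer size; each level now keeps its own length and resets it per call.
 *  - Enumeration stops on the first non-success return instead of skipping
 *    entries whose name did not fit the buffer.
 *  - Keys are opened with KEY_READ only (CRegKey::Open defaults to
 *    KEY_READ | KEY_WRITE).
 *
 * Assumes a non-UNICODE (MBCS) build: char buffers are passed where CRegKey
 * expects LPTSTR -- TODO confirm against the project settings.
 */
void cRunLog::test()
{
    CRegKey Key;
    CString KeyPath = _T("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist");
    if (Key.Open(HKEY_CURRENT_USER, KeyPath, KEY_READ) != ERROR_SUCCESS)
    {
        return;
    }
    char subKeyName[MAX_PATH];
    DWORD cchName = MAX_PATH;
    for (DWORD i = 0; Key.EnumKey(i, subKeyName, &cchName) == ERROR_SUCCESS; cchName = MAX_PATH, i++)
    {
        printf("%s", subKeyName);
        CRegKey Key1;
        if (Key1.Open(HKEY_CURRENT_USER, KeyPath + "\\" + subKeyName, KEY_READ) != ERROR_SUCCESS)
        {
            continue;
        }
        char subKeyName1[MAX_PATH];
        DWORD cchName1 = MAX_PATH;
        for (DWORD ii = 0; Key1.EnumKey(ii, subKeyName1, &cchName1) == ERROR_SUCCESS; cchName1 = MAX_PATH, ii++)
        {
            printf("%s", subKeyName1);
            CRegKey Key2;
            if (Key2.Open(HKEY_CURRENT_USER, KeyPath + "\\" + subKeyName + "\\" + subKeyName1, KEY_READ) != ERROR_SUCCESS)
            {
                continue;
            }
            char valueName[MAX_PATH];
            DWORD cchValue = sizeof(valueName);
            DWORD dwType = 0;
            for (DWORD iii = 0;
                 RegEnumValue(Key2.m_hKey, iii, valueName, &cchValue, NULL, &dwType, NULL, NULL) == ERROR_SUCCESS;
                 cchValue = sizeof(valueName), iii++)
            {
                // cchValue is the name length without the terminator.
                DecryptionKey(valueName, (INT)cchValue);
                OutputDebugString(valueName);
                OutputDebugString("\n");
            }
            Key2.Close();
        }
        Key1.Close();
    }
    Key.Close();
}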

内核版:
看雪链接

撂。。。


记录使用。
转载至: csdn链接

1、pid->handle
OBJECT_ATTRIBUTES ObjectAttributes;
CLIENT_ID clientid;
InitializeObjectAttributes(&ObjectAttributes, 0 ,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
clientid.UniqueProcess = (HANDLE)pid;
clientid.UniqueThread=0;
ZwOpenProcess(&handle, PROCESS_ALL_ACCESS, &ObjectAttributes, &clientid);
handle即为所求。
2、handle->pid
PROCESS_BASIC_INFORMATION pbi;
ns = ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation, (PVOID)&pbi, sizeof(ProcessBasicInformation), NULL);
pid = pbi.UniqueProcessId;
pid即为所求。
3、pid->eprocess
PEPROCESS pEProc;
PsLookupProcessByProcessId((HANDLE)pid, &pEProc);
ObDereferenceObject(pEProc);
pEProc即为所求eprocess的指针。
4、handle->eprocess
st = ObReferenceObjectByHandle (ProcessHandle,
PROCESS_TERMINATE,
PsProcessType,
KeGetPreviousModeByThread(&Self->Tcb),
&Process,
NULL);
5、eprocess->pid
_EPROCESS.UniqueProcessId即为所求,虽然声明类型为HANDLE,但实际上是pid。
6、eprocess->handle
Status = ObOpenObjectByPointer(
Process,
Attributes,
&AccessState,
0,
PsProcessType,
PreviousMode,
&Handle
);

下面是自己想到的:
HANDLE -> EPROCESS -> PID

PEPROCESS pEProcess;
ULONG PID = NULL;
NTSTATUS Status = ObReferenceObjectByHandle(ProcessHandle, FILE_READ_DATA, NULL, KernelMode, &pEProcess, NULL);
if (NT_SUCCESS(Status))
{
PID = PsGetProcessId(pEProcess);
}


老版本可直接注册个object钩子即可全系统读写。
处理代码:

/*
 * ObRegisterCallbacks pre-operation callback.  For handle-create operations
 * on a process whose image name is "TslGame.exe" it replaces the requested
 * DesiredAccess with 0x1F1FFF (the mask the page later decodes with Process
 * Hacker); everything else passes through unchanged.
 *
 * Review notes:
 *  - PsGetProcessImageFileName yields only the first 15 characters of the
 *    image name and the comparison is case-insensitive, so any process with
 *    that image name matches, not a specific instance.
 *  - Only OB_OPERATION_HANDLE_CREATE is rewritten; duplicate operations are
 *    left alone.
 *  - Overriding DesiredAccess from a callback is what other registered
 *    callbacks (anti-cheat, EDR) also do; the page notes that after a game
 *    update the resulting handle still lacked VM read/write, i.e. this
 *    override alone no longer determined the final mask.
 */
OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
if (pOperationInformation->ObjectType != *PsProcessType)
{
return OB_PREOP_SUCCESS;
}
UNREFERENCED_PARAMETER(RegistrationContext);
if (!_stricmp("TslGame.exe", PsGetProcessImageFileName((PEPROCESS)pOperationInformation->Object)))
{
if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
{
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0x1F1FFF;//0x1F1FFF;
}
}
return OB_PREOP_SUCCESS;
}

前几日更新后发现无法读写获取等等。

Process Hacker查看句柄发现:
0x1f1fff (Query information, Set information, Set quotas, Set session ID, Create threads, Create processes, VM operation, Duplicate handles, Suspend/resume, Terminate, Synchronize, Delete, Read control, Write DAC, Write owner)

少了(VM read, VM write)

简单处理方法:
2292 0xFFFFFA8005C8FB60 0x0000000000000000 9 0xFFFFF8800604E660 BEDaisy.sys 2326 等待
内核结束掉BE驱动的线程即可。
底层基础不好,未做仔细分析。

代码如下:

/*
 * System-thread body: once per second locates BEDaisy.sys, then walks thread
 * ids 4..0x40000 in steps of 4 and, for the first thread owned by the
 * "System" process whose start address IsBeMod() attributes to that driver,
 * calls KillThread.  Terminates itself when iskillthread is set to 1.
 *
 * Review notes:
 *  - DEF_StartAddress_Offset, bebase, besize, iskillthread and the helpers
 *    GetStartAddressOffset, GetKernelBase, GetThreadStartAdr, IsBeMod,
 *    KillThread and MySleep are defined elsewhere in the driver; the thread
 *    start address is read through a build-dependent ETHREAD offset.
 *  - Only one thread is handled per scan (break), after which the whole
 *    scan repeats on the next iteration.
 *  - Thread ids above 0x40000 are never examined.
 *  - Each ETHREAD reference from PsLookupThreadByThreadId is released on
 *    both the hit and the miss path.
 *  - On a missing offset the routine returns instead of calling
 *    PsTerminateSystemThread; whether the creator handles a plain return is
 *    not visible on this page.
 *  - Forcibly terminating another driver's system threads is cross-driver
 *    tampering of the kind kernel integrity monitoring is built to flag.
 */
VOID PassBeThread(IN PVOID Nothing)
{
DEF_StartAddress_Offset = GetStartAddressOffset();
if (!DEF_StartAddress_Offset)
{
DbgPrint("Error offset\n");
return;
}
while (TRUE)
{
bebase = GetKernelBase(&besize, "BEDaisy.sys");
if (bebase)
{
KdPrint(("be mod[%p %.8x]\n", bebase, besize));
PETHREAD ethread = NULL;
/* thread ids are multiples of 4; the scan is capped at 0x40000 */
for (ULONG i = 4; i < 0x40000; i = i + 4)
{
if (!NT_SUCCESS(PsLookupThreadByThreadId((HANDLE)i, &ethread)))
{
continue;
}
if (ethread != NULL)
{
PEPROCESS eprocess = PsGetThreadProcess(ethread);
char *szName = PsGetProcessImageFileName(eprocess);
PVOID startadr = GetThreadStartAdr(ethread);
if (!_stricmp(szName, "System") && IsBeMod(startadr))
{
KdPrint(("%s %p %p\n", szName, ethread, startadr));
KillThread(ethread);
ObDereferenceObject(ethread);
break; /* one thread per scan; the outer loop rescans */
}
ObDereferenceObject(ethread);
}
}
}
MySleep(1000);
if (iskillthread == 1)
{
KdPrint(("kill my thread!\n"));
iskillthread = 2;
PsTerminateSystemThread(STATUS_SUCCESS);
}
}
}

至此即可做任何操作。

post @ 2017-11-05

项目需要,触及windows PG(PatchGuard)。windbg + VMware下PG是不会初始化及启动的。
so 选择gdb + vmware.
坑及IDAPython
IDA下载

解压,目录下里面的路径替换成你的,导入注册表。
安装目录下的python或自行下载27版本安装。
ida打开后可看见:
ida

转载自看雪:链接

下面备份一个吧!

debugStub.listen.guest64 = "TRUE"
debugStub.hideBreakpoints= "TRUE"
debugStub.listen.guest64.remote = "TRUE"

8864 or 8832

测试文章,完结撒花。
