Сообщение Re[4]: NtCreateFile отличить путь к файлу от pipe, etc от 02.01.2018 11:36
Изменено 02.01.2018 11:36 sergey77666
Re[4]: NtCreateFile отличить путь к файлу от pipe, etc
Здравствуйте, Alexander G, Вы писали:
S>>Чем лучше?
AG>Штатностью, соответственно совместимостью.
А конкретнее?
Берем новый ноут с вин10 x64, работают хуки если откл. проверку подписей?
S>>Чем лучше?
AG>Штатностью, соответственно совместимостью.
А конкретнее?
Берем новый ноут с вин10 x64, работают хуки если откл. проверку подписей?
// Redirect the System Service Descriptor Table (SSDT) entry for `apiname`
// to `newfunc`.
//
// Table entries are 32-bit LONG values that this code splits as
// (value >> 4) = offset from the table base and (value & 0xF) = a low
// nibble that is carried over unchanged (on x64 Windows that nibble is the
// stack-argument count; the code only depends on preserving it). Because
// only a 28-bit offset fits, `newfunc` is not installed directly: a code
// cave near the table base is patched with a jump stub to `newfunc`
// (Hooklib::Hook) and the table entry is pointed at the cave.
//
// @param apiname  exported name, resolved to a service index via NTDLL.
// @param newfunc  replacement routine the cave stub transfers to.
// @return HOOK record describing the patch, or 0 after logging the failure.
//
// NOTE(review): this is a kernel-code/SSDT patch of the kind that Kernel
// Patch Protection (PatchGuard) on x64 detects and bug-checks on, and the
// driver carrying it first has to get past Driver Signature Enforcement —
// which is what the thread above is asking about. Defensively, a service-
// table entry whose target lies outside the exporting module's code section,
// or altered padding bytes inside the kernel image, is the observable
// artefact of this technique.
HOOK SSDT::Hook(const char* apiname, void* newfunc)
{
    SSDTStruct* SSDT = SSDTfind();
    if(!SSDT)
    {
        Log("SSDT not found...\r\n");
        return 0;
    }
    ULONG_PTR SSDTbase = (ULONG_PTR)SSDT->pServiceTable;
    if(!SSDTbase)
    {
        Log("ServiceTable not found...\r\n");
        return 0;
    }
    int FunctionIndex = NTDLL::GetExportSsdtIndex(apiname);
    if(FunctionIndex == -1)
        return 0;
    // Bounds-check the index before it is used to read
    // pServiceTable[FunctionIndex] below. -1 was rejected above, so the
    // unsigned cast cannot smuggle a negative index past this check.
    if((ULONGLONG)FunctionIndex >= SSDT->NumberOfServices)
    {
        Log("nvalid API offset...\r\n"); // NOTE(review): message is missing its leading 'I' (runtime string, left as-is)
        return 0;
    }
    HOOK hHook = 0;
    LONG oldValue = SSDT->pServiceTable[FunctionIndex];   // current encoded entry: (offset << 4) | low nibble
    LONG newValue;
    /*
    x64 SSDT Hook;
    1) find API addr
    2) get code page+size
    3) find cave address
    4) hook cave address (using hooklib)
    5) change SSDT value
    */
    // The cave search range is resolved once and cached in function-local
    // statics: the first call derives it from the page holding the original
    // handler of the first hooked API, and every later call reuses that page.
    // NOTE(review): the statics are written with no synchronization, so two
    // first-time callers on different CPUs could race here; presumably callers
    // serialize at driver init — confirm.
    static ULONG CodeSize = 0;
    static PVOID CodeStart = 0;
    if(!CodeStart)
    {
        ULONG_PTR Lowest = SSDTbase;
        ULONG_PTR Highest = Lowest + 0x0FFFFFFF;   // largest offset the 28-bit field can express; only used by the log line below
        Log("Range: 0x%p-0x%p\r\n", Lowest, Highest);
        CodeSize = 0;
        // (oldValue >> 4) + SSDTbase is the decoded absolute address of the
        // current service routine; GetPageBase returns the page that holds it.
        CodeStart = PE::GetPageBase(Undocumented::GetKernelBase(), &CodeSize, (PVOID)((oldValue >> 4) + SSDTbase));
        if(!CodeStart || !CodeSize)
        {
            Log("PeGetPageBase failed...\r\n");
            return 0;
        }
        Log("CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize);
        // Clamp the page start to the table base so a cave offset can never be
        // negative relative to SSDTbase.
        if((ULONG_PTR)CodeStart < Lowest) //start of the page is out of range (impossible, but whatever)
        {
            CodeSize -= (ULONG)(Lowest - (ULONG_PTR)CodeStart);
            CodeStart = (PVOID)Lowest;
            Log("CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize);
        }
        Log("Range: 0x%p-0x%p\r\n", CodeStart, (ULONG_PTR)CodeStart + CodeSize);
    }
    // Locate sizeof(HOOKOPCODES) spare bytes inside the cached page for the stub.
    PVOID CaveAddress = FindCaveAddress(CodeStart, CodeSize, sizeof(HOOKOPCODES));
    if(!CaveAddress)
    {
        Log("FindCaveAddress failed...\r\n");
        return 0;
    }
    Log("CaveAddress: 0x%p\r\n", CaveAddress);
    // Write the jump stub into the cave (Hooklib's hook_internal).
    hHook = Hooklib::Hook(CaveAddress, (void*)newfunc);
    if(!hHook)
        return 0;
    // Re-encode the entry: cave offset from the table base in the upper bits,
    // original low nibble kept. `&` binds tighter than `|`, so this reads as
    // (newValue << 4) | (oldValue & 0xF), which is the intent.
    newValue = (LONG)((ULONG_PTR)CaveAddress - SSDTbase);
    newValue = (newValue << 4) | oldValue & 0xF;
    //update HOOK structure
    hHook->SSDTindex = FunctionIndex;
    hHook->SSDTold = oldValue;
    hHook->SSDTnew = newValue;
    hHook->SSDTaddress = (oldValue >> 4) + SSDTbase;   // decoded address of the original handler (presumably used when unhooking — not shown here)
    // The HOOK record is fully filled in before the table entry is switched;
    // the swap itself is a single atomic store.
    InterlockedSet(&SSDT->pServiceTable[FunctionIndex], newValue);
    // NOTE(review): SSDTold/SSDTnew are LONG but are printed with %p, which on
    // x64 consumes a pointer-sized vararg — the logged values can be garbage.
    Log("SSDThook(%s:0x%p, 0x%p)\r\n", apiname, hHook->SSDTold, hHook->SSDTnew);
    return hHook;
}
// Hooklib primitive: overwrite the code at `addr` with an absolute-jump stub
// to `newfunc`, keeping a copy of the bytes it replaces.
//
// The stub is assembled field by field into hook->hook:
//   mov  = 0xB848 (x64: REX.W + B8, `mov rax, imm64`) / 0xB8 (x86: `mov eax, imm32`)
//   addr = newfunc (the immediate operand)
//   push = 0x50    (`push rax` / `push eax`)
//   ret  = 0xC3    (`ret`, which lands on newfunc)
// Field order and packing come from HOOKOPCODES, declared elsewhere.
//
// @param addr     kernel address to patch (SSDT::Hook passes a code cave via Hooklib::Hook).
// @param newfunc  destination the stub transfers to.
// @return newly allocated HOOK record (ownership passes to the caller), or 0
//         if writing the stub failed.
static HOOK hook_internal(ULONG_PTR addr, void* newfunc)
{
    //allocate structure
    HOOK hook = (HOOK)RtlAllocateMemory(true, sizeof(HOOKSTRUCT));
    // NOTE(review): the allocation result is not checked; if RtlAllocateMemory
    // returns null, the next line dereferences it.
    //set hooking address
    hook->addr = addr;
    //set hooking opcode
#ifdef _WIN64
    hook->hook.mov = 0xB848;
#else
    hook->hook.mov = 0xB8;
#endif
    hook->hook.addr = (ULONG_PTR)newfunc;
    hook->hook.push = 0x50;
    hook->hook.ret = 0xc3;
    //set original data
    // Save the bytes about to be overwritten so the patch can be undone later.
    RtlCopyMemory(&hook->orig, (const void*)addr, sizeof(HOOKOPCODES));
    // RtlSuperCopyMemory presumably takes care of writing into read-only
    // kernel code (page protection); its implementation is not shown here.
    if(!NT_SUCCESS(RtlSuperCopyMemory((void*)addr, &hook->hook, sizeof(HOOKOPCODES))))
    {
        RtlFreeMemory(hook);   // do not leak the record on a failed patch
        return 0;
    }
    return hook;
}
Re[4]: NtCreateFile отличить путь к файлу от pipe, etc
Здравствуйте, Alexander G, Вы писали:
S>>Чем лучше?
AG>Штатностью, соответственно совместимостью.
А конкретнее?
Берем новый ноут с вин10 x64, работают хуки если откл. проверку подписей?
S>>Чем лучше?
AG>Штатностью, соответственно совместимостью.
А конкретнее?
Берем новый ноут с вин10 x64, работают хуки если откл. проверку подписей?
// Redirect the System Service Descriptor Table (SSDT) entry for `apiname`
// to `newfunc`.
//
// Table entries are 32-bit LONG values that this code splits as
// (value >> 4) = offset from the table base and (value & 0xF) = a low
// nibble that is carried over unchanged (on x64 Windows that nibble is the
// stack-argument count; the code only depends on preserving it). Because
// only a 28-bit offset fits, `newfunc` is not installed directly: a code
// cave near the table base is patched with a jump stub to `newfunc`
// (Hooklib::Hook) and the table entry is pointed at the cave.
//
// @param apiname  exported name, resolved to a service index via NTDLL.
// @param newfunc  replacement routine the cave stub transfers to.
// @return HOOK record describing the patch, or 0 after logging the failure.
//
// NOTE(review): this is a kernel-code/SSDT patch of the kind that Kernel
// Patch Protection (PatchGuard) on x64 detects and bug-checks on, and the
// driver carrying it first has to get past Driver Signature Enforcement —
// which is what the thread above is asking about. Defensively, a service-
// table entry whose target lies outside the exporting module's code section,
// or altered padding bytes inside the kernel image, is the observable
// artefact of this technique.
HOOK SSDT::Hook(const char* apiname, void* newfunc)
{
    SSDTStruct* SSDT = SSDTfind();
    if(!SSDT)
    {
        Log("SSDT not found...\r\n");
        return 0;
    }
    ULONG_PTR SSDTbase = (ULONG_PTR)SSDT->pServiceTable;
    if(!SSDTbase)
    {
        Log("ServiceTable not found...\r\n");
        return 0;
    }
    int FunctionIndex = NTDLL::GetExportSsdtIndex(apiname);
    if(FunctionIndex == -1)
        return 0;
    // Bounds-check the index before it is used to read
    // pServiceTable[FunctionIndex] below. -1 was rejected above, so the
    // unsigned cast cannot smuggle a negative index past this check.
    if((ULONGLONG)FunctionIndex >= SSDT->NumberOfServices)
    {
        Log("nvalid API offset...\r\n"); // NOTE(review): message is missing its leading 'I' (runtime string, left as-is)
        return 0;
    }
    HOOK hHook = 0;
    LONG oldValue = SSDT->pServiceTable[FunctionIndex];   // current encoded entry: (offset << 4) | low nibble
    LONG newValue;
    /*
    x64 SSDT Hook;
    1) find API addr
    2) get code page+size
    3) find cave address
    4) hook cave address (using hooklib)
    5) change SSDT value
    */
    // The cave search range is resolved once and cached in function-local
    // statics: the first call derives it from the page holding the original
    // handler of the first hooked API, and every later call reuses that page.
    // NOTE(review): the statics are written with no synchronization, so two
    // first-time callers on different CPUs could race here; presumably callers
    // serialize at driver init — confirm.
    static ULONG CodeSize = 0;
    static PVOID CodeStart = 0;
    if(!CodeStart)
    {
        ULONG_PTR Lowest = SSDTbase;
        ULONG_PTR Highest = Lowest + 0x0FFFFFFF;   // largest offset the 28-bit field can express; only used by the log line below
        Log("Range: 0x%p-0x%p\r\n", Lowest, Highest);
        CodeSize = 0;
        // (oldValue >> 4) + SSDTbase is the decoded absolute address of the
        // current service routine; GetPageBase returns the page that holds it.
        CodeStart = PE::GetPageBase(Undocumented::GetKernelBase(), &CodeSize, (PVOID)((oldValue >> 4) + SSDTbase));
        if(!CodeStart || !CodeSize)
        {
            Log("PeGetPageBase failed...\r\n");
            return 0;
        }
        Log("CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize);
        // Clamp the page start to the table base so a cave offset can never be
        // negative relative to SSDTbase.
        if((ULONG_PTR)CodeStart < Lowest) //start of the page is out of range (impossible, but whatever)
        {
            CodeSize -= (ULONG)(Lowest - (ULONG_PTR)CodeStart);
            CodeStart = (PVOID)Lowest;
            Log("CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize);
        }
        Log("Range: 0x%p-0x%p\r\n", CodeStart, (ULONG_PTR)CodeStart + CodeSize);
    }
    // Locate sizeof(HOOKOPCODES) spare bytes inside the cached page for the stub.
    PVOID CaveAddress = FindCaveAddress(CodeStart, CodeSize, sizeof(HOOKOPCODES));
    if(!CaveAddress)
    {
        Log("FindCaveAddress failed...\r\n");
        return 0;
    }
    Log("CaveAddress: 0x%p\r\n", CaveAddress);
    // Write the jump stub into the cave (Hooklib's hook_internal).
    hHook = Hooklib::Hook(CaveAddress, (void*)newfunc);
    if(!hHook)
        return 0;
    // Re-encode the entry: cave offset from the table base in the upper bits,
    // original low nibble kept. `&` binds tighter than `|`, so this reads as
    // (newValue << 4) | (oldValue & 0xF), which is the intent.
    newValue = (LONG)((ULONG_PTR)CaveAddress - SSDTbase);
    newValue = (newValue << 4) | oldValue & 0xF;
    //update HOOK structure
    hHook->SSDTindex = FunctionIndex;
    hHook->SSDTold = oldValue;
    hHook->SSDTnew = newValue;
    hHook->SSDTaddress = (oldValue >> 4) + SSDTbase;   // decoded address of the original handler (presumably used when unhooking — not shown here)
    // The HOOK record is fully filled in before the table entry is switched;
    // the swap itself is a single atomic store.
    InterlockedSet(&SSDT->pServiceTable[FunctionIndex], newValue);
    // NOTE(review): SSDTold/SSDTnew are LONG but are printed with %p, which on
    // x64 consumes a pointer-sized vararg — the logged values can be garbage.
    Log("SSDThook(%s:0x%p, 0x%p)\r\n", apiname, hHook->SSDTold, hHook->SSDTnew);
    return hHook;
}
Hooklib----
// Hooklib primitive: overwrite the code at `addr` with an absolute-jump stub
// to `newfunc`, keeping a copy of the bytes it replaces.
//
// The stub is assembled field by field into hook->hook:
//   mov  = 0xB848 (x64: REX.W + B8, `mov rax, imm64`) / 0xB8 (x86: `mov eax, imm32`)
//   addr = newfunc (the immediate operand)
//   push = 0x50    (`push rax` / `push eax`)
//   ret  = 0xC3    (`ret`, which lands on newfunc)
// Field order and packing come from HOOKOPCODES, declared elsewhere.
//
// @param addr     kernel address to patch (SSDT::Hook passes a code cave via Hooklib::Hook).
// @param newfunc  destination the stub transfers to.
// @return newly allocated HOOK record (ownership passes to the caller), or 0
//         if writing the stub failed.
static HOOK hook_internal(ULONG_PTR addr, void* newfunc)
{
    //allocate structure
    HOOK hook = (HOOK)RtlAllocateMemory(true, sizeof(HOOKSTRUCT));
    // NOTE(review): the allocation result is not checked; if RtlAllocateMemory
    // returns null, the next line dereferences it.
    //set hooking address
    hook->addr = addr;
    //set hooking opcode
#ifdef _WIN64
    hook->hook.mov = 0xB848;
#else
    hook->hook.mov = 0xB8;
#endif
    hook->hook.addr = (ULONG_PTR)newfunc;
    hook->hook.push = 0x50;
    hook->hook.ret = 0xc3;
    //set original data
    // Save the bytes about to be overwritten so the patch can be undone later.
    RtlCopyMemory(&hook->orig, (const void*)addr, sizeof(HOOKOPCODES));
    // RtlSuperCopyMemory presumably takes care of writing into read-only
    // kernel code (page protection); its implementation is not shown here.
    if(!NT_SUCCESS(RtlSuperCopyMemory((void*)addr, &hook->hook, sizeof(HOOKOPCODES))))
    {
        RtlFreeMemory(hook);   // do not leak the record on a failed patch
        return 0;
    }
    return hook;
}