[原创]fuck all the "time protected" Software(1)
文章作者:sudami [[email]xiao_rui_119@163.com[/email] ]信息来源:邪恶八进制信息安全团队([url]www.eviloctal.com[/url])
[b]置顶[/b]:在家装DDK死活装不上,装vc 6.0也出错,256的小内存跑啊跑;作罢,一个月内不能编译驱动
[b]心情[/b]:想哭...
[b]主题[/b]:
探讨修改系统时间(R0),anti所有的安全软件(eg: 360TimeProt.sys, Micropoint,antiarp.sys...)
[b]正文[/b]:
[b]<一> [/b]
关于修改系统时间不是突发奇想的,之前好多病毒木马都是把时间调到很久以前来使部分安全软件过期(eg 卡巴,微点),用的伎俩不过是调用R3的几个API,或者直接来个bat,改改注册表之类的...
所以很多安全软件意识到这点.先出手的便是360安全卫士,不过大致看来也就是HOOK SSDT中的[b]ZwSetSystemTime[/b],只要能恢复SSDT(若能顺利加载驱动,恢复就简单啦.若在R3,想获得系统高2GB的地址访问权限是越来越难咯,好多HIPS都封的死死的; 当然不排除利用重启的时间加载驱动,或者感染Win32k.sys、利用第3方软件的漏洞提升权限...晕,偏题了[s:267]),也就破除了它的屏障. 对于微点这样有个[b]KTIMER[/b]的就需要投递[b]APC[/b]了...
不过恢复SDT毕竟不是最好的办法,所以我们绕过SDT,自己实现ZwSetSystemTime,甚至[b]KeSetSyetemTime[/b],这样就可以修改时间了(但最终是系统在R0不断改变[b]SharedUserData [/b]这个区域里面的系统时间.我们也可以直接修改这个R0、R3共享区来达到修改锁定时间的目的;或者直接写进[b]CMOS[/b]).
btw:关于[b]360TimeProt.sys[/b],已有好多大牛逆出了源码,原理很简单,给个链接科普:
[url=http://www.debugman.com/read.php?tid=770]http://www.debugman.com/read.php?tid=770[/url]
------------------------------------------------------------------------------------------------
[b]<二>[/b]
关于[b]ZwSetSystemTime的执行流程[/b],偶还是简单的说下吧,虽然笔记记了一大堆,但又不能直接copy出来,还得慢慢打...
NTSTATUS
NTAPI
NtSetSystemTime(
IN PLARGE_INTEGER SystemTime, [color=#008000]// 需要设置的时间[/color]
OUT PLARGE_INTEGER PreviousTime OPTIONAL [color=#008000]// 保存以前的时间[/color]
)
/*++
调用[b]ExGetPreviousMode[/b]得到当前的PreviousMode,检查其是R0 or R3.
[b]if(PreviousMode != KernelMode) {...}[/b]但不管是哪个,目的都是把传进来的[b]SystemTime[/b]赋予给一个[b]LARGE_INTEGER [/b]局部变量 [b]NewSystemTime[/b](只不过R3下需要进一步的安全检测,保证传进来的参数在R0中可读,传出去的参数在R0中可写,用到[b]ProbeForReadLargeInteger[/b]、[b]ProbeForWriteLargeInteger[/b])-->接下来的一步很关键,调用[b]SeSinglePrivilegeCheck[/b]函数来检查当前用户是否有权限修改系统时间(参见WRK和IDA; Windbg出来的见下)--> 转化时间并set it in HAL,调用3个函数:[b]ExSystemTimeToLocalTime[/b]、[b]RtlTimeToTimeFields[/b]、[b]HalSetRealTimeClock[/b]-->最后调用[b]KeSetSystemTime[/b]来设置系统时间,若传进来的PreviousTime有效,则把旧的时间装在它里面,返回status
--*/
[color=#008000]/*
lkd> u 808a1f7e l 45
nt!SeSinglePrivilegeCheck:
808a1f7e 8bff mov edi,edi ; 偶就修改了这开头5字节的内容
808a1f80 55 push ebp ; 太容易被查出来咯; 不过可以自己再
808a1f81 8bec mov ebp,esp ; 深入深入~
808a1f83 83ec24 sub esp,24h
808a1f86 8365ec00 and dword ptr [ebp-14h],0
808a1f8a 33c0 xor eax,eax
808a1f8c 40 inc eax
808a1f8d 8945dc mov dword ptr [ebp-24h],eax
808a1f90 8945e0 mov dword ptr [ebp-20h],eax
808a1f93 8b4508 mov eax,dword ptr [ebp+8]
808a1f96 8945e4 mov dword ptr [ebp-1Ch],eax
808a1f99 8b450c mov eax,dword ptr [ebp+0Ch]
808a1f9c 8945e8 mov dword ptr [ebp-18h],eax
808a1f9f 8d45f0 lea eax,[ebp-10h]
808a1fa2 50 push eax
808a1fa3 e84cbdffff call nt!SeCaptureSubjectContext (8089dcf4)
808a1fa8 ff7510 push dword ptr [ebp+10h]
808a1fab 8d45f0 lea eax,[ebp-10h]
808a1fae 50 push eax
808a1faf 8d45dc lea eax,[ebp-24h]
808a1fb2 50 push eax
808a1fb3 e8a0bcffff call nt!SePrivilegeCheck (8089dc58)
...
*/[/color]
而我这里的思路是关注[b][color=#0000FF]SeSinglePrivilegeCheck[/color][/b],在它里面实现inline hook来拒绝其他进程修改系统时间. 注意看WRK
[color=#0000D0]BOOLEAN[/color] STDCALL
SeSinglePrivilegeCheck (
IN [color=#0000D0]LUID[/color] PrivilegeValue,
IN KPROCESSOR_MODE PreviousMode
)
全局变量[b]SeSystemtimePrivilege[/b]从LARGE_INTEGER转化为[b]LUID[/b]后作为其参数,我们只要在自己的函数中判断它就可以达到效果啦.
[attach]7161[/attach]
[attach]7160[/attach]
对于[b]KeSetSystemTime[/b],它主要是修改[b]0xffdf0000[/b]区域:
[color=#008000]/* Set the new system time */[/color]
SharedUserData->SystemTime.LowPart = NewTime->LowPart;
SharedUserData->SystemTime.High1Time = NewTime->HighPart;
SharedUserData->SystemTime.High2Time = NewTime->HighPart;
然后Update system boot time
[color=#008000]/* Calculate the difference between the new and the old time */[/color]
DeltaTime.QuadPart = NewTime->QuadPart - OldTime->QuadPart;
KeBootTime.QuadPart += DeltaTime.QuadPart;
KeBootTimeBias = KeBootTimeBias + DeltaTime.QuadPart;
[quote]
SharedUserData 是操作系统为每个进程提供的个共享数据结构,里面存放有很多重要的系统信息,如TickCount、系统时间、SystemRoot等...
其在DDK定义为:
[color=#0000D0]#define[/color] KI_USER_SHARED_DATA 0xffdf0000
[color=#0000D0]#define[/color] SharedUserData ((KUSER_SHARED_DATA * [color=#0000D0]const[/color]) KI_USER_SHARED_DATA)
它在内核中的地址是0xffdf0000,操作系统通过共享映射把这个结构以只读方式映射到每个进程的0×7ffe0000的地方。
[/quote]
当然从KeSetSystemTime下手也是可以的.这样更深一层.
--------------------------------------------------------------------------------
<三>
综上,写了个[b]inine hook SeSinglePrivilegeCheck[/b]的驱动.因为无DDK编译,所以只有代码,不过应该能编译通过,思路出来了,代码也有了,编译调试需要你自己去弄了(如果调试通过了,麻烦把sys帖出来哦,谢谢了啊[s:289])
[color=#008000]/*******************************************************************************
* Name : AntiTimeProtected.c
* Author : sudami [[email]xiao_rui_119@163.com[/email]]
* Time : 08/01/24 v 1.0
*
* Comment:
*
* ZwSetSystemTime |-->SeSinglePrivilegeCheck-->SePrivilegeCheck
* |-->KeSetSyetemTime
*
* 修改并锁定系统时间,fuck all the "time protected" Software...
*
* 1. 自己实现ZwSetSystemTime
* 2. inline hook系统的SeSinglePrivilegeCheck函数.在其内部的某个地方
* 跳转到定义的fake函数中,判断传进来的第一个参数--PrivilegeValue.若为
* SeSystemtimePrivilege,则返回FALSE,表明当前用户无权限修改系统时间;
* 否则跳转到原函数中继续执行.[如果在函数的开头5字节修改,可能不需要考
* 虑堆栈平衡.但若深入到内部再跳转,可能需要自己去平衡堆栈.所以要仔细
* 考虑. 当然可以多处inlieHOOK,eg.进到SePrivilegeCheck.
* 3. FSD强行删除保护时间的驱动,生成相同驱动占炕
* 4. 启动一个thread反复inline HOOK, 另一个thread不断检测KTIMER是否被摘除
* 5. 感染Win32k.sys,随系统启动sys.定期修改系统时间(需要在自己的inline
* hook中排除自己)
*
* btw:
* 修改系统时间最终是系统在R0不断改变SharedUserData 这个区域里面的系统时间.我们
* 也可以直接修改这个R0、R3共享区来达到修改锁定时间的目的;或者直接写进CMOS...
* 偶很菜,就写个肤浅的练练手,嘿嘿~
*
* <要解决的问题>
* 1. 得到SeSinglePrivilegeCheck、ExSystemTimeToLocalTime、RtlTimeToTimeFileds、
* HalSetRealTimeClock、KeSetSyetemTime在系统中的实际地址-->映射ntoskrnl.exe到
* 进程的虚拟地址空间,遍历EAT得到部分导出函数的RVA(或者根据重定位信息,IDA反汇编
* ntoskrnl.exe,得到和指定函数相关的2进制,在reloc中搜索之),再加上系统内核的地址
* 这样就得到这些函数的实际地址啦.
* 2. 锁定系统时间中,需要考虑可能的堆栈平衡
*
********************************************************************************/[/color]
[attach]7159[/attach]
关键部分如下:
[color=#008000]//[/color]
[color=#008000]// 开始inline hook[/color]
[color=#008000]//[/color]
[color=#0000D0]void[/color] StartHook ()
{
[color=#008000]// 保存原函数的前5字节内容[/color]
RtlCopyMemory (g_OrigCode, ([color=#0000D0]BYTE[/color]*)SeSinglePrivilegeCheck, 5);
*( ([color=#0000D0]ULONG[/color]*)(g_HookCode + 1) ) = ([color=#0000D0]ULONG[/color])fake_SeSinglePrivilegeCheck - ([color=#0000D0]ULONG[/color])SeSinglePrivilegeCheck - 5;
[color=#008000]// 禁止系统写保护,提升IRQL到DPC,然后在PspTerminateThreadByPointer中实现Inline Hook[/color]
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
[color=#008000]// 替换SeSinglePrivilegeCheck的前5字节[/color]
RtlCopyMemory ( ([color=#0000D0]BYTE[/color]*)SeSinglePrivilegeCheck, g_HookCode, 5 );
*( ([color=#0000D0]ULONG[/color]*)(jmp_orig_code + 1) ) = ([color=#0000D0]ULONG[/color]) ( ([color=#0000D0]BYTE[/color]*)SeSinglePrivilegeCheck + 5 );
RtlCopyMemory ( ([color=#0000D0]BYTE[/color]*)Proxy_SeSinglePrivilegeCheck, g_OrigCode, 5);
RtlCopyMemory ( ([color=#0000D0]BYTE[/color]*)Proxy_SeSinglePrivilegeCheck + 5, jmp_orig_code, 7);
KeLowerIrql(oldIrql);
WPON();
g_bHooked = [color=#0000D0]TRUE[/color];
}
[color=#008000]//[/color]
[color=#008000]// 停止inline hook[/color]
[color=#008000]//[/color]
[color=#0000D0]void[/color] StopHook ()
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory ( ([color=#0000D0]BYTE[/color]*)SeSinglePrivilegeCheck, g_OrigCode, 5 );
KeLowerIrql(oldIrql);
WPON();
g_bHooked = [color=#0000D0]FALSE[/color];
}
[color=#008000]//[/color]
[color=#008000]// 跳转到我们的函数里面进行预处理[/color]
[color=#008000]//[/color]
[color=#0000D0]BOOLEAN[/color]
[color=#0000D0]__stdcall[/color]
fake_SeSinglePrivilegeCheck (
IN [color=#0000D0]LUID[/color] PrivilegeValue,
IN KPROCESSOR_MODE PreviousMode
)
{
[color=#0000D0]BOOLEAN[/color] Result;
[color=#0000D0]if[/color] (PrivilegeValue == ([color=#0000D0]LUID[/color]) SeSystemtimePrivilege) {
[color=#008000]// 有进程想设置系统时间了.返回FALSE[/color]
[color=#008000]// 这个可以加个判断以排除自身进程,使自己可以修改时间[/color]
[color=#0000D0]return[/color] [color=#0000D0]FALSE[/color];
}
Result = Proxy_SeSinglePrivilegeCheck (PrivilegeValue, PreviousMode);
[color=#0000D0]return[/color] Result;
}
[color=#008000]//[/color]
[color=#008000]// 代理函数,负责跳转到原函数中继续执行[/color]
[color=#008000]//[/color]
[color=#0000D0]__declspec[/color] ([color=#0000D0]naked[/color])
[color=#0000D0]BOOLEAN[/color]
Proxy_SeSinglePrivilegeCheck(
IN [color=#0000D0]LUID[/color] PrivilegeValue,
IN KPROCESSOR_MODE PreviousMode
)
{
[color=#0000D0]__asm[/color] { [color=#008000]// 共12字节[/color]
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90 [color=#008000]// 前5字节实现原函数的头5字节功能[/color]
_emit 0x90 [color=#008000]// 这个填充jmp[/color]
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90 [color=#008000]// 这4字节保存原函数+5处的地址[/color]
_emit 0x90
_emit 0x90 [color=#008000]// 因为是长转移,所以必须是 0x0080[/color]
}
}
[color=#008000]//////////////////////////////////// √ /////////////////////////////////////////// [/color]
[color=#0000D0]void[/color]
fake_NtSetSystemTime (
IN PLARGE_INTEGER SystemTime
)
[color=#008000]/*++
Author : sudami [[email]xiao_rui_119@163.com[/email]]
Time : 08/01/24
参数 :
SystemTime - [IN] 需要设置的系统时间
返回 : NULL
功能 :
自己实现NtSetSystemTime,其实就是对真实NtSetSystemTime函数的简化.
调用几个其他函数而已并非完全自己实现.
--*/[/color]
{
[color=#008000]// 省去判断是R0还是R3调用,因为函数本身在R0中执行[/color]
LARGE_INTEGER OldSystemTime;
LARGE_INTEGER NewSystemTime;
LARGE_INTEGER LocalTime;
TIME_FIELDS TimeFields;
KPROCESSOR_MODE PreviousMode;
PreviousMode = KeGetCurrentThread()->PreviousMode;
NewSystemTime = (LARGE_INTEGER) ExAllocatePool (NonPagedPool, [color=#0000D0]sizeof[/color](LARGE_INTEGER));
OldSystemTime = (LARGE_INTEGER) ExAllocatePool (NonPagedPool, [color=#0000D0]sizeof[/color](LARGE_INTEGER));
LocalTime = (LARGE_INTEGER) ExAllocatePool (NonPagedPool, [color=#0000D0]sizeof[/color](LARGE_INTEGER));
TimeFields = (TIME_FIELDS) ExAllocatePool (NonPagedPool, [color=#0000D0]sizeof[/color](TIME_FIELDS));
NewSystemTime = *SystemTime;
[color=#008000]/* Make sure we have permission to change the time */[/color]
[color=#0000D0]if[/color] (!SeSinglePrivilegeCheck (SeSystemtimePrivilege, PreviousMode)) {
[color=#0000D0]return[/color];
}
[color=#008000]/* Convert the time and set it in HAL */[/color]
ExSystemTimeToLocalTime (&NewSystemTime, &LocalTime);
RtlTimeToTimeFields (&LocalTime, &TimeFields);
HalSetRealTimeClock (&TimeFields);
[color=#008000]/* Now set system time */[/color]
KeSetSystemTime (&NewSystemTime, &OldSystemTime, [color=#0000D0]FALSE[/color], [color=#0000D0]NULL[/color]);
ExFreePool (NewSystemTime);
ExFreePool (OldSystemTime);
ExFreePool (LocalTime);
ExFreePool (TimeFields);
} 好像ZWsetsystemtime的逆向过程有问题把,
分析下来好像是:call ExpSetSystemTime
|
|---- call KeSetSystemTime
|---- call ExSystemTimeToLocalTime
|----- call ExSystemTimeToLocalTime
|------ call RtlTimeToTimeFields
|-------call ds:HalSetRealTimeClock
|-------call PoNotifySystemTimeSet 你系统是不是XP SP2的呀?
俺用Windbg看了看, 没看出什么名堂,郁闷啊[s:225]
nt!ZwSetSystemTime:
808069a4 b8f2000000 [color=#0000D0]mov[/color] [color=#FF0000]eax[/color],0F2h
808069a9 8d542404 [color=#0000D0]lea[/color] [color=#FF0000]edx[/color],[[color=#FF0000]esp[/color]+4]
808069ad 9c [color=#0000D0]pushfd[/color]
808069ae 6a08 [color=#0000D0]push[/color] 8
808069b0 e87c0c0000 [color=#0000D0]call[/color] nt!ZwYieldExecution+0x9bd (80807631)
808069b5 c20800 [color=#0000D0]ret[/color] 8
-------------------------------------------------------
lkd> u 80807631 l 60
nt!ZwYieldExecution+0x9bd:
80807631 6a00 [color=#0000D0]push[/color] 0
80807633 55 [color=#0000D0]push[/color] [color=#FF0000]ebp[/color]
80807634 53 [color=#0000D0]push[/color] [color=#FF0000]ebx[/color]
80807635 56 [color=#0000D0]push[/color] [color=#FF0000]esi[/color]
80807636 57 [color=#0000D0]push[/color] [color=#FF0000]edi[/color]
80807637 0fa0 [color=#0000D0]push[/color] [color=#FF0000]fs[/color]
80807639 bb30000000 [color=#0000D0]mov[/color] [color=#FF0000]ebx[/color],30h [color=#008000]; 0011 0000[/color]
8080763e 8ee3 [color=#0000D0]mov[/color] [color=#FF0000]fs[/color],[color=#FF0000]bx[/color] [color=#008000]; [/color]
80807640 ff3500f0dfff [color=#0000D0]push[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [color=#FF0000]ds[/color]:[0FFDFF000h] [color=#008000]; _KPCR[/color]
80807646 c70500f0dfffffffffff [color=#0000D0]mov[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [color=#FF0000]ds[/color]:[0FFDFF000h],0FFFFFFFFh [color=#008000]; 赋值为-1 [/color]
80807650 8b3524f1dfff [color=#0000D0]mov[/color] [color=#FF0000]esi[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [color=#FF0000]ds[/color]:[0FFDFF124h] [color=#008000]; esi保存当前的ETHREAD[/color]
80807656 ffb640010000 [color=#0000D0]push[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+140h] [color=#008000]; PreviousMode[/color]
8080765c 83ec48 [color=#0000D0]sub[/color] [color=#FF0000]esp[/color],48h [color=#008000];[/color]
8080765f 8b5c246c [color=#0000D0]mov[/color] [color=#FF0000]ebx[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+6Ch] [color=#008000];第一个参数给ebx[/color]
80807663 83e301 [color=#0000D0]and[/color] [color=#FF0000]ebx[/color],1 [color=#008000]; 保留ebx的最后一位 [/color]
80807666 889e40010000 [color=#0000D0]mov[/color] [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+140h],[color=#FF0000]bl[/color]
8080766c 8bec [color=#0000D0]mov[/color] [color=#FF0000]ebp[/color],[color=#FF0000]esp[/color]
8080766e 8b9e34010000 [color=#0000D0]mov[/color] [color=#FF0000]ebx[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+134h] [color=#008000]; +0x134 TrapFrame[/color]
80807674 895d3c [color=#0000D0]mov[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ebp[/color]+3Ch],[color=#FF0000]ebx[/color]
80807677 89ae34010000 [color=#0000D0]mov[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+134h],[color=#FF0000]ebp[/color]
8080767d fc [color=#0000D0]cld[/color]
8080767e 8b5d60 [color=#0000D0]mov[/color] [color=#FF0000]ebx[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ebp[/color]+60h]
80807681 8b7d68 [color=#0000D0]mov[/color] [color=#FF0000]edi[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ebp[/color]+68h]
80807684 89550c [color=#0000D0]mov[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ebp[/color]+0Ch],[color=#FF0000]edx[/color] [color=#008000];参数一 SystemTime[/color]
80807687 c74508000ddbba [color=#0000D0]mov[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ebp[/color]+8],0BADB0D00h
8080768e 895d00 [color=#0000D0]mov[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ebp[/color]],[color=#FF0000]ebx[/color]
80807691 897d04 [color=#0000D0]mov[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ebp[/color]+4],[color=#FF0000]edi[/color]
80807694 f6462cff [color=#0000D0]test[/color] [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+2Ch],0FFh
80807698 0f858efeffff [color=#0000D0]jne[/color] nt!ZwYieldExecution+0x8b8 (8080752c)
8080769e fb [color=#0000D0]sti[/color]
8080769f e9dd000000 [color=#0000D0]jmp[/color] nt!ZwYieldExecution+0xb0d (80807781)
------------------------------------------------------------------------
lkd> u 80807781 l40
nt!ZwYieldExecution+0xb0d:
80807781 8bf8 [color=#0000D0]mov[/color] [color=#FF0000]edi[/color],[color=#FF0000]eax[/color] [color=#008000]; 服务号 0F2h[/color]
80807783 c1ef08 [color=#0000D0]shr[/color] [color=#FF0000]edi[/color],8
80807786 83e730 [color=#0000D0]and[/color] [color=#FF0000]edi[/color],30h
80807789 8bcf [color=#0000D0]mov[/color] [color=#FF0000]ecx[/color],[color=#FF0000]edi[/color]
8080778b 03bee0000000 [color=#0000D0]add[/color] [color=#FF0000]edi[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+0E0h] [color=#008000]; ServiceTable.找到索引[/color]
80807791 8bd8 [color=#0000D0]mov[/color] [color=#FF0000]ebx[/color],[color=#FF0000]eax[/color]
80807793 25ff0f0000 [color=#0000D0]and[/color] [color=#FF0000]eax[/color],0FFFh
80807798 3b4708 [color=#0000D0]cmp[/color] [color=#FF0000]eax[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]edi[/color]+8]
8080779b 0f8341fdffff [color=#0000D0]jae[/color] nt!ZwYieldExecution+0x86e (808074e2)
808077a1 83f910 [color=#0000D0]cmp[/color] [color=#FF0000]ecx[/color],10h
808077a4 751a [color=#0000D0]jne[/color] nt!ZwYieldExecution+0xb4c (808077c0)
808077a6 8b0d18f0dfff [color=#0000D0]mov[/color] [color=#FF0000]ecx[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [color=#FF0000]ds[/color]:[0FFDFF018h]
[color=#008000];0FFDFF018h即fs:[18],它是一个指向_tib(fs:[0])结构的指针[/color]
808077ac 33db [color=#0000D0]xor[/color] [color=#FF0000]ebx[/color],[color=#FF0000]ebx[/color]
808077ae 0b99700f0000 [color=#0000D0]or[/color] [color=#FF0000]ebx[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ecx[/color]+0F70h]
808077b4 740a [color=#0000D0]je[/color] nt!ZwYieldExecution+0xb4c (808077c0)
808077b6 52 [color=#0000D0]push[/color] [color=#FF0000]edx[/color]
808077b7 50 [color=#0000D0]push[/color] [color=#FF0000]eax[/color]
808077b8 ff15c4268880 [color=#0000D0]call[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [nt!KeServiceDescriptorTable+0x44 (808826c4)]
808077be 58 [color=#0000D0]pop[/color] [color=#FF0000]eax[/color]
808077bf 5a [color=#0000D0]pop[/color] [color=#FF0000]edx[/color]
808077c0 ff0538f6dfff [color=#0000D0]inc[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [color=#FF0000]ds[/color]:[0FFDFF638h] [color=#008000];+0x518 KeSystemCalls [/color]
808077c6 8bf2 [color=#0000D0]mov[/color] [color=#FF0000]esi[/color],[color=#FF0000]edx[/color]
808077c8 8b5f0c [color=#0000D0]mov[/color] [color=#FF0000]ebx[/color],[color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]edi[/color]+0Ch]
808077cb 33c9 [color=#0000D0]xor[/color] [color=#FF0000]ecx[/color],[color=#FF0000]ecx[/color] 恩,我是XP SP2的,逆向的zwsetsystemtime:,分析下来觉得进入ExpSetSystemTime才能调用KeSetSystemTime
8096f487 6a40 push 40h
8096f489 6838338580 push offset nt!abWPAStringKey+0x58 (80853338)
8096f48e e8ffc5e9ff call nt!_SEH_prolog (8080ba92)
8096f493 8b5d08 mov ebx,dword ptr [ebp+8]
8096f496 33ff xor edi,edi
8096f498 3bdf cmp ebx,edi
8096f49a 0f845f010000 je nt!NtSetSystemTime+0x15d (8096f5ff)//跳就异常
8096f4a0 64a124010000 mov eax,dword ptr fs:[00000124h]
8096f4a6 8a8040010000 mov al,byte ptr [eax+140h]
8096f4ac 8845e4 mov byte ptr [ebp-1Ch],al
8096f4af ff75e4 push dword ptr [ebp-1Ch]
8096f4b2 ff354c699b80 push dword ptr [nt!SeSystemtimePrivilege+0x4 (809b694c)]
8096f4b8 ff3548699b80 push dword ptr [nt!SeSystemtimePrivilege (809b6948)]
8096f4be e871e0f2ff call nt!SeSinglePrivilegeCheck (8089d534)
8096f4c3 84c0 test al,al
8096f4c5 750a jne nt!NtSetSystemTime+0x4a (8096f4d1) //跳
8096f4c7 b8610000c0 mov eax,0C0000061h
8096f4cc e9df010000 jmp nt!NtSetSystemTime+0x20e (8096f6b0) //跳就异常
8096f4d1 807de400 cmp byte ptr [ebp-1Ch],0 比较previousmode是否为0
8096f4d5 7476 je nt!NtSetSystemTime+0xb9 (8096f54d)
8096f4d7 897dfc mov dword ptr [ebp-4],edi
8096f4da f6c303 test bl,3
8096f4dd 7405 je nt!NtSetSystemTime+0x5d (8096f4e4)
8096f4df e8d1020000 call nt!ExRaiseDatatypeMisalignment (8096f7b5)
8096f4e4 a134858880 mov eax,dword ptr [nt!MmUserProbeAddress (80888534)]
8096f4e9 3bd8 cmp ebx,eax
8096f4eb 7207 jb nt!NtSetSystemTime+0x6d (8096f4f4)
8096f4ed 8938 mov dword ptr [eax],edi
8096f4ef a134858880 mov eax,dword ptr [nt!MmUserProbeAddress (80888534)]
8096f4f4 8b5d0c mov ebx,dword ptr [ebp+0Ch]
8096f4f7 3bdf cmp ebx,edi
8096f4f9 741e je nt!NtSetSystemTime+0x92 (8096f519)
8096f4fb 895dd8 mov dword ptr [ebp-28h],ebx
8096f4fe 3bd8 cmp ebx,eax
8096f500 7203 jb nt!NtSetSystemTime+0x7e (8096f505)
8096f502 c60000 mov byte ptr [eax],0
8096f505 f6c303 test bl,3
8096f508 7405 je nt!NtSetSystemTime+0x88 (8096f50f)
8096f50a e8a6020000 call nt!ExRaiseDatatypeMisalignment (8096f7b5)
8096f50f 8a03 mov al,byte ptr [ebx]
8096f511 8803 mov byte ptr [ebx],al
8096f513 8a4304 mov al,byte ptr [ebx+4]
8096f516 884304 mov byte ptr [ebx+4],al
8096f519 8b4508 mov eax,dword ptr [ebp+8]
8096f51c 8b08 mov ecx,dword ptr [eax]
8096f51e 894dc8 mov dword ptr [ebp-38h],ecx
8096f521 8b4004 mov eax,dword ptr [eax+4]
8096f524 8945cc mov dword ptr [ebp-34h],eax
8096f527 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
8096f52b eb2e jmp nt!NtSetSystemTime+0xc7 (8096f55b)
8096f52d 90 nop
8096f52e 90 nop
8096f52f 90 nop
8096f530 90 nop
8096f531 90 nop
8096f532 8b45ec mov eax,dword ptr [ebp-14h]
8096f535 8b00 mov eax,dword ptr [eax]
8096f537 8b00 mov eax,dword ptr [eax]
8096f539 8945e0 mov dword ptr [ebp-20h],eax
8096f53c 33c0 xor eax,eax
8096f53e 40 inc eax
8096f53f c3 ret
8096f540 90 nop
8096f541 90 nop
8096f542 90 nop
8096f543 90 nop
8096f544 90 nop
8096f545 8b45e0 mov eax,dword ptr [ebp-20h]
8096f548 e98a000000 jmp nt!NtSetSystemTime+0x135 (8096f5d7)
8096f54d 8b03 mov eax,dword ptr [ebx]
8096f54f 8945c8 mov dword ptr [ebp-38h],eax
8096f552 8b4304 mov eax,dword ptr [ebx+4]
8096f555 8945cc mov dword ptr [ebp-34h],eax
8096f558 8b5d0c mov ebx,dword ptr [ebp+0Ch]
8096f55b 3bc7 cmp eax,edi //eax还会小于0??
8096f55d 0f8c92000000 jl nt!NtSetSystemTime+0x153 (8096f5f5) //跳就异常
8096f563 3d00000020 cmp eax,20000000h
8096f568 0f8f87000000 jg nt!NtSetSystemTime+0x153 (8096f5f5) //跳就异常
8096f56e 33f6 xor esi,esi
8096f570 46 inc esi
8096f571 56 push esi
8096f572 e8915af5ff call nt!ExAcquireTimeRefreshLock (808c5008)
8096f577 8d45d0 lea eax,[ebp-30h]
8096f57a 50 push eax
8096f57b ff75cc push dword ptr [ebp-34h]
8096f57e ff75c8 push dword ptr [ebp-38h]
8096f581 57 push edi
8096f582 56 push esi
8096f583 e81f380200 call nt!ExpSetSystemTime (80992da7)
8096f588 ff75cc push dword ptr [ebp-34h]
8096f58b ff75c8 push dword ptr [ebp-38h]
8096f58e ff75d4 push dword ptr [ebp-2Ch]
8096f591 ff75d0 push dword ptr [ebp-30h]
8096f594 e8950dffff call nt!SeAuditSystemTimeChange (8096032e)
8096f599 e8415af5ff call nt!ExReleaseTimeRefreshLock (808c4fdf)
8096f59e 3bdf cmp ebx,edi
8096f5a0 744c je nt!NtSetSystemTime+0x14c (8096f5ee) //跳就异常
8096f5a2 807de400 cmp byte ptr [ebp-1Ch],0
8096f5a6 743b je nt!NtSetSystemTime+0x141 (8096f5e3) //跳就异常,看来EBP-1C不能等于0?
8096f5a8 8975fc mov dword ptr [ebp-4],esi
8096f5ab 8b45d0 mov eax,dword ptr [ebp-30h]
8096f5ae 8903 mov dword ptr [ebx],eax
8096f5b0 8b45d4 mov eax,dword ptr [ebp-2Ch]
8096f5b3 894304 mov dword ptr [ebx+4],eax
8096f5b6 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
8096f5ba eb32 jmp nt!NtSetSystemTime+0x14c (8096f5ee) //跳就异常
8096f5bc 90 nop
8096f5bd 90 nop
8096f5be 90 nop
8096f5bf 90 nop
8096f5c0 90 nop
8096f5c1 8b45ec mov eax,dword ptr [ebp-14h]
8096f5c4 8b00 mov eax,dword ptr [eax]
8096f5c6 8b00 mov eax,dword ptr [eax]
8096f5c8 8945dc mov dword ptr [ebp-24h],eax
8096f5cb 33c0 xor eax,eax
8096f5cd 40 inc eax
8096f5ce c3 ret
8096f5cf 90 nop
8096f5d0 90 nop
8096f5d1 90 nop
8096f5d2 90 nop
8096f5d3 90 nop
8096f5d4 8b45dc mov eax,dword ptr [ebp-24h]
8096f5d7 8b65e8 mov esp,dword ptr [ebp-18h]
8096f5da 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
8096f5de e9cd000000 jmp nt!NtSetSystemTime+0x20e (8096f6b0) //跳就异常
8096f5e3 8b45d0 mov eax,dword ptr [ebp-30h]
8096f5e6 8903 mov dword ptr [ebx],eax
8096f5e8 8b45d4 mov eax,dword ptr [ebp-2Ch]
8096f5eb 894304 mov dword ptr [ebx+4],eax
8096f5ee 33f6 xor esi,esi
8096f5f0 e9b9000000 jmp nt!NtSetSystemTime+0x20c (8096f6ae) //异常出错
8096f5f5 b80d0000c0 mov eax,0C000000Dh
8096f5fa e9b1000000 jmp nt!NtSetSystemTime+0x20e (8096f6b0) //异常出错
e0d0000c0 mov esi,0C000000Dh
8096f604 6a01 push 1
8096f606 e8fd59f5ff call nt!ExAcquireTimeRefreshLock (808c5008)
8096f60b 8a1da0a68780 mov bl,byte ptr [nt!ExpSystemIsInCmosMode (8087a6a0)]
8096f611 803da1a6878000 cmp byte ptr [nt!ExCmosClockIsSane (8087a6a1)],0
8096f618 0f848b000000 je nt!NtSetSystemTime+0x207 (8096f6a9) //跳就异常
8096f61e 8d45b0 lea eax,[ebp-50h]
8096f621 50 push eax
8096f622 ff1588058080 call dword ptr [nt!_imp__HalQueryRealTimeClock (80800588)]
8096f628 84c0 test al,al
8096f62a 747d je nt!NtSetSystemTime+0x207 (8096f6a9) //跳就异常
8096f62c 8d45c0 lea eax,[ebp-40h]
8096f62f 50 push eax
8096f630 8d45b0 lea eax,[ebp-50h]
8096f633 50 push eax
8096f634 e8003decff call nt!RtlTimeFieldsToTime (80833339)
8096f639 8d45c0 lea eax,[ebp-40h]
8096f63c 50 push eax
8096f63d e844bdf8ff call nt!ExpRefreshTimeZoneInformation (808fb386)
8096f642 84c0 test al,al
8096f644 7463 je nt!NtSetSystemTime+0x207 (8096f6a9) //跳就异常
8096f646 393d20f78780 cmp dword ptr [nt!ExpRealTimeIsUniversal (8087f720)],edi
8096f64c 7554 jne nt!NtSetSystemTime+0x200 (8096f6a2) //跳就异常
8096f64e 8d45d0 lea eax,[ebp-30h]
8096f651 50 push eax
8096f652 e8dadae9ff call nt!KeQuerySystemTime (8080d131)
8096f657 84db test bl,bl
8096f659 752b jne nt!NtSetSystemTime+0x1e4 (8096f686)
8096f65b 8d45c0 lea eax,[ebp-40h]
8096f65e 50 push eax
8096f65f 8d45d0 lea eax,[ebp-30h]
8096f662 50 push eax
8096f663 e8aa71ebff call nt!ExSystemTimeToLocalTime (80826812)
8096f668 8d45b0 lea eax,[ebp-50h]
8096f66b 50 push eax
8096f66c 8d45c0 lea eax,[ebp-40h]
8096f66f 50 push eax
8096f670 e86f6eecff call nt!RtlTimeToTimeFields (808364e4)
8096f675 8d45b0 lea eax,[ebp-50h]
8096f678 50 push eax
8096f679 ff15d0058080 call dword ptr [nt!_imp__HalSetRealTimeClock (808005d0)]
8096f67f a2a1a68780 mov byte ptr [nt!ExCmosClockIsSane (8087a6a1)],al
8096f684 eb1c jmp nt!NtSetSystemTime+0x200 (8096f6a2)
8096f686 8d45c8 lea eax,[ebp-38h]
8096f689 50 push eax
8096f68a 8d45c0 lea eax,[ebp-40h]
8096f68d 50 push eax
8096f68e e831cbebff call nt!ExLocalTimeToSystemTime (8082c1c4)
8096f693 57 push edi
8096f694 57 push edi
8096f695 8d45d0 lea eax,[ebp-30h]
8096f698 50 push eax
8096f699 8d45c8 lea eax,[ebp-38h]
8096f69c 50 push eax
8096f69d e817e4ecff call nt!KeSetSystemTime (8083dab9)
8096f6a2 e8cfe8ecff call nt!PoNotifySystemTimeSet (8083df76)
8096f6a7 33f6 xor esi,esi
8096f6a9 e83159f5ff call nt!ExReleaseTimeRefreshLock (808c4fdf)
8096f6ae 8bc6 mov eax,esi
8096f6b0 e81dc4e9ff call nt!_SEH_epilog (8080bad2)
8096f6b5 c20800 ret 8 [quote]引用第2楼sudami于2008-01-25 20:56发表的 :
你系统是不是XP SP2的呀?
俺用Windbg看了看, 没看出什么名堂,郁闷啊[s:225]
nt!ZwSetSystemTime:
808069a4 b8f2000000 [color=#0000D0]mov[/color] [color=#FF0000]eax[/color],0F2h
.......[/quote]
[quote]
[quote]call nt!ZwYieldExecution+0x9bd (80807631)[/quote]
。。。你的符号文件太IMBA了!!!!
偶们支持u NtSetSystemTime而不是ZwSetSystemTime[s:264][s:264][s:264]
[font=宋体][color=#000000]lkd[/color][color=#0000FF]> [/color][color=#000000]u ZwSetSystemTime
nt!ZwSetSystemTime[/color][color=#0000FF]:
[/color][color=#800080]804de9a4 [/color][color=#000000]b8f2000000 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],[/color][color=#800080]0F2h
804de9a9 8d542404 [/color][color=#0000FF]lea [/color][color=#FF8000]edx[/color][color=#0000FF],[[/color][color=#FF8000]esp[/color][color=#0000FF]+[/color][color=#800080]4[/color][color=#0000FF]]
[/color][color=#800080]804de9ad 9c [/color][color=#0000FF]pushfd
[/color][color=#800080]804de9ae 6a08 [/color][color=#0000FF]push [/color][color=#800080]8
804de9b0 [/color][color=#000000]e87c0c0000 [/color][color=#0000FF]call [/color][color=#000000]nt!KiSystemService [/color][color=#0000FF]([/color][color=#800080]804df631[/color][color=#0000FF])
[/color][color=#800080]804de9b5 [/color][color=#000000]c20800 [/color][color=#0000FF]ret [/color][color=#800080]8
[/color][color=#000000]nt!ZwSetThreadExecutionState[/color][color=#0000FF]:
[/color][color=#800080]804de9b8 [/color][color=#000000]b8f3000000 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],[/color][color=#800080]0F3h
804de9bd 8d542404 [/color][color=#0000FF]lea [/color][color=#FF8000]edx[/color][color=#0000FF],[[/color][color=#FF8000]esp[/color][color=#0000FF]+[/color][color=#800080]4[/color][color=#0000FF]]
[/color][color=#000000]lkd[/color][color=#0000FF]> [/color][color=#000000]u NtSetSystemTime
nt!NtSetSystemTime[/color][color=#0000FF]:
[/color][color=#800080]806470f7 [/color][color=#000000]?? ???
[/color][color=#0000FF]^ Memory [/color][color=#000000]access [/color][color=#0000FF]error in [/color][color=#008000]'u NtSetSystemTime'
[/color][color=#000000]lkd[/color][color=#0000FF]> [/color][color=#000000]u NtSetSystemTime
nt!NtSetSystemTime[/color][color=#0000FF]:
[/color][color=#800080]806470f7 6a40 [/color][color=#0000FF]push [/color][color=#800080]40h
806470f9 68f8ac5280 [/color][color=#0000FF]push offset [/color][color=#000000]nt!abWPAStringKey[/color][color=#0000FF]+[/color][color=#800080]0x58 [/color][color=#0000FF]([/color][color=#800080]8052acf8[/color][color=#0000FF])
[/color][color=#800080]806470fe [/color][color=#000000]e838c3e9ff [/color][color=#0000FF]call [/color][color=#000000]nt!_SEH_prolog [/color][color=#0000FF]([/color][color=#800080]804e343b[/color][color=#0000FF])
[/color][color=#800080]80647103 8b5d08 [/color][color=#0000FF]mov [/color][color=#FF8000]ebx[/color][color=#0000FF],dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]+[/color][color=#800080]8[/color][color=#0000FF]]
[/color][color=#800080]80647106 33ff [/color][color=#0000FF]xor [/color][color=#FF8000]edi[/color][color=#0000FF],[/color][color=#FF8000]edi
[/color][color=#800080]80647108 3bdf [/color][color=#0000FF]cmp [/color][color=#FF8000]ebx[/color][color=#0000FF],[/color][color=#FF8000]edi
[/color][color=#800080]8064710a 0f845f010000 [/color][color=#0000FF]je [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x15d [/color][color=#0000FF]([/color][color=#800080]8064726f[/color][color=#0000FF])
[/color][color=#800080]80647110 64a124010000 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],dword ptr [/color][color=#FF8000]fs[/color][color=#0000FF]:[[/color][color=#800080]00000124h[/color][color=#0000FF]]
[/color][color=#000000]lkd[/color][color=#0000FF]> [/color][color=#000000]u NtSetSystemTime L [/color][color=#800080]30
[/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]:
[/color][color=#800080]806470f7 6a40 [/color][color=#0000FF]push [/color][color=#800080]40h
806470f9 68f8ac5280 [/color][color=#0000FF]push offset [/color][color=#000000]nt!abWPAStringKey[/color][color=#0000FF]+[/color][color=#800080]0x58 [/color][color=#0000FF]([/color][color=#800080]8052acf8[/color][color=#0000FF])
[/color][color=#800080]806470fe [/color][color=#000000]e838c3e9ff [/color][color=#0000FF]call [/color][color=#000000]nt!_SEH_prolog [/color][color=#0000FF]([/color][color=#800080]804e343b[/color][color=#0000FF])
[/color][color=#800080]80647103 8b5d08 [/color][color=#0000FF]mov [/color][color=#FF8000]ebx[/color][color=#0000FF],dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]+[/color][color=#800080]8[/color][color=#0000FF]]
[/color][color=#800080]80647106 33ff [/color][color=#0000FF]xor [/color][color=#FF8000]edi[/color][color=#0000FF],[/color][color=#FF8000]edi
[/color][color=#800080]80647108 3bdf [/color][color=#0000FF]cmp [/color][color=#FF8000]ebx[/color][color=#0000FF],[/color][color=#FF8000]edi
[/color][color=#800080]8064710a 0f845f010000 [/color][color=#0000FF]je [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x15d [/color][color=#0000FF]([/color][color=#800080]8064726f[/color][color=#0000FF])
[/color][color=#800080]80647110 64a124010000 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],dword ptr [/color][color=#FF8000]fs[/color][color=#0000FF]:[[/color][color=#800080]00000124h[/color][color=#0000FF]]
[/color][color=#800080]80647116 8a8040010000 [/color][color=#0000FF]mov [/color][color=#FF8000]al[/color][color=#0000FF],byte ptr [[/color][color=#FF8000]eax[/color][color=#0000FF]+[/color][color=#800080]140h[/color][color=#0000FF]]
[/color][color=#800080]8064711c 8845e4 [/color][color=#0000FF]mov byte ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]-[/color][color=#800080]1Ch[/color][color=#0000FF]],[/color][color=#FF8000]al
[/color][color=#800080]8064711f [/color][color=#000000]ff75e4 [/color][color=#0000FF]push dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]-[/color][color=#800080]1Ch[/color][color=#0000FF]]
[/color][color=#800080]80647122 [/color][color=#000000]ff35cce56880 [/color][color=#0000FF]push dword ptr [[/color][color=#000000]nt!SeSystemtimePrivilege[/color][color=#0000FF]+[/color][color=#800080]0x4 [/color][color=#0000FF]([/color][color=#800080]8068e5cc[/color][color=#0000FF])]
[/color][color=#800080]80647128 [/color][color=#000000]ff35c8e56880 [/color][color=#0000FF]push dword ptr [[/color][color=#000000]nt!SeSystemtimePrivilege [/color][color=#0000FF]([/color][color=#800080]8068e5c8[/color][color=#0000FF])]
[/color][color=#800080]8064712e [/color][color=#000000]e869cbf2ff [/color][color=#0000FF]call [/color][color=#000000]nt!SeSinglePrivilegeCheck [/color][color=#0000FF]([/color][color=#800080]80573c9c[/color][color=#0000FF])
[/color][color=#800080]80647133 84c0 [/color][color=#0000FF]test [/color][color=#FF8000]al[/color][color=#0000FF],[/color][color=#FF8000]al
[/color][color=#800080]80647135 750a [/color][color=#0000FF]jne [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x4a [/color][color=#0000FF]([/color][color=#800080]80647141[/color][color=#0000FF])
[/color][color=#800080]80647137 [/color][color=#000000]b8610000c0 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],[/color][color=#800080]0C0000061h
8064713c [/color][color=#000000]e9df010000 [/color][color=#0000FF]jmp [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x20e [/color][color=#0000FF]([/color][color=#800080]80647320[/color][color=#0000FF])
[/color][color=#800080]80647141 807de400 [/color][color=#0000FF]cmp byte ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]-[/color][color=#800080]1Ch[/color][color=#0000FF]],[/color][color=#800080]0
80647145 7476 [/color][color=#0000FF]je [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0xb9 [/color][color=#0000FF]([/color][color=#800080]806471bd[/color][color=#0000FF])
[/color][color=#800080]80647147 897dfc [/color][color=#0000FF]mov dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]-[/color][color=#800080]4[/color][color=#0000FF]],[/color][color=#FF8000]edi
[/color][color=#800080]8064714a [/color][color=#000000]f6c303 [/color][color=#0000FF]test [/color][color=#FF8000]bl[/color][color=#0000FF],[/color][color=#800080]3
8064714d 7405 [/color][color=#0000FF]je [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x5d [/color][color=#0000FF]([/color][color=#800080]80647154[/color][color=#0000FF])
[/color][color=#800080]8064714f [/color][color=#000000]e8d1020000 [/color][color=#0000FF]call [/color][color=#000000]nt!ExRaiseDatatypeMisalignment [/color][color=#0000FF]([/color][color=#800080]80647425[/color][color=#0000FF])
[/color][color=#800080]80647154 [/color][color=#000000]a134005680 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],dword ptr [[/color][color=#000000]nt!MmUserProbeAddress [/color][color=#0000FF]([/color][color=#800080]80560034[/color][color=#0000FF])]
[/color][color=#800080]80647159 3bd8 [/color][color=#0000FF]cmp [/color][color=#FF8000]ebx[/color][color=#0000FF],[/color][color=#FF8000]eax
[/color][color=#800080]8064715b 7207 [/color][color=#0000FF]jb [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x6d [/color][color=#0000FF]([/color][color=#800080]80647164[/color][color=#0000FF])
[/color][color=#800080]8064715d 8938 [/color][color=#0000FF]mov dword ptr [[/color][color=#FF8000]eax[/color][color=#0000FF]],[/color][color=#FF8000]edi
[/color][color=#800080]8064715f [/color][color=#000000]a134005680 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],dword ptr [[/color][color=#000000]nt!MmUserProbeAddress [/color][color=#0000FF]([/color][color=#800080]80560034[/color][color=#0000FF])]
[/color][color=#800080]80647164 8b5d0c [/color][color=#0000FF]mov [/color][color=#FF8000]ebx[/color][color=#0000FF],dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]+[/color][color=#800080]0Ch[/color][color=#0000FF]]
[/color][color=#800080]80647167 3bdf [/color][color=#0000FF]cmp [/color][color=#FF8000]ebx[/color][color=#0000FF],[/color][color=#FF8000]edi
[/color][color=#800080]80647169 741e [/color][color=#0000FF]je [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x92 [/color][color=#0000FF]([/color][color=#800080]80647189[/color][color=#0000FF])
[/color][color=#800080]8064716b 895dd8 [/color][color=#0000FF]mov dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]-[/color][color=#800080]28h[/color][color=#0000FF]],[/color][color=#FF8000]ebx
[/color][color=#800080]8064716e 3bd8 [/color][color=#0000FF]cmp [/color][color=#FF8000]ebx[/color][color=#0000FF],[/color][color=#FF8000]eax
[/color][color=#800080]80647170 7203 [/color][color=#0000FF]jb [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x7e [/color][color=#0000FF]([/color][color=#800080]80647175[/color][color=#0000FF])
[/color][color=#800080]80647172 [/color][color=#000000]c60000 [/color][color=#0000FF]mov byte ptr [[/color][color=#FF8000]eax[/color][color=#0000FF]],[/color][color=#800080]0
80647175 [/color][color=#000000]f6c303 [/color][color=#0000FF]test [/color][color=#FF8000]bl[/color][color=#0000FF],[/color][color=#800080]3
80647178 7405 [/color][color=#0000FF]je [/color][color=#000000]nt!NtSetSystemTime[/color][color=#0000FF]+[/color][color=#800080]0x88 [/color][color=#0000FF]([/color][color=#800080]8064717f[/color][color=#0000FF])
[/color][color=#800080]8064717a [/color][color=#000000]e8a6020000 [/color][color=#0000FF]call [/color][color=#000000]nt!ExRaiseDatatypeMisalignment [/color][color=#0000FF]([/color][color=#800080]80647425[/color][color=#0000FF])
[/color][color=#800080]8064717f 8a03 [/color][color=#0000FF]mov [/color][color=#FF8000]al[/color][color=#0000FF],byte ptr [[/color][color=#FF8000]ebx[/color][color=#0000FF]]
[/color][color=#800080]80647181 8803 [/color][color=#0000FF]mov byte ptr [[/color][color=#FF8000]ebx[/color][color=#0000FF]],[/color][color=#FF8000]al
[/color][color=#800080]80647183 8a4304 [/color][color=#0000FF]mov [/color][color=#FF8000]al[/color][color=#0000FF],byte ptr [[/color][color=#FF8000]ebx[/color][color=#0000FF]+[/color][color=#800080]4[/color][color=#0000FF]]
[/color][color=#800080]80647186 884304 [/color][color=#0000FF]mov byte ptr [[/color][color=#FF8000]ebx[/color][color=#0000FF]+[/color][color=#800080]4[/color][color=#0000FF]],[/color][color=#FF8000]al
[/color][color=#800080]80647189 8b4508 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]+[/color][color=#800080]8[/color][color=#0000FF]]
[/color][color=#800080]8064718c 8b08 [/color][color=#0000FF]mov [/color][color=#FF8000]ecx[/color][color=#0000FF],dword ptr [[/color][color=#FF8000]eax[/color][color=#0000FF]]
[/color][color=#800080]8064718e 894dc8 [/color][color=#0000FF]mov dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]-[/color][color=#800080]38h[/color][color=#0000FF]],[/color][color=#FF8000]ecx
[/color][color=#800080]80647191 8b4004 [/color][color=#0000FF]mov [/color][color=#FF8000]eax[/color][color=#0000FF],dword ptr [[/color][color=#FF8000]eax[/color][color=#0000FF]+[/color][color=#800080]4[/color][color=#0000FF]]
[/color][color=#800080]80647194 8945cc [/color][color=#0000FF]mov dword ptr [[/color][color=#FF8000]ebp[/color][color=#0000FF]-[/color][color=#800080]34h[/color][color=#0000FF]],[/color][color=#FF8000]eax
[/color][/font][/quote] 汗。。quote用乱了- -!
btw:多少贴才能在这个版块发主题啊。。。偶的TerminateThread憋了好久了。。(虽然很古老 [s:266] ) void StartHook():
[quote] // 禁止系统写保护,提升IRQL到DPC,然后在PspTerminateThreadByPointer中实现Inline Hook[/quote]
哈哈 注释都没改掉 [s:270] 这个注释也是俺自己写的,写这写这写忘了..
R,
前些天Windbg 符号出问题了. 不能显示出 u Nt** 的,所以只有分析 Zw的了..
谢谢炉子牛提醒
[s:238]
页:
[1]