文章作者:zhuwg
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
粗略逆向一下fishpe的sys
大牛们别来取笑偶啊
大概标记了一下各个hook函数
如果你想简单处理 直接patch这个驱动就ok了
另外注意清除notify--这个不会检测 嘿嘿
更加简单的办法是
对下面这个函数打patch
所有的hook都会进到这个判断
直接return 0
那么hook就已经失去作用了
fishpe会检测ssdt是否被恢复 如果恢复自动hook
我们在他hook函数里面打inline patch
这样--嘿嘿 随便怎么恢复都米作用
代码:
;-----------------------------------------------------------------------
; compare - singly-linked-list lookup shared by the hook callbacks
; (see the CODE XREFs: MyZwOpenProcess, MyZwQuerySystemInformation, ...).
; C-equivalent (stdcall, two dword args; 'retn 8' pops them):
;   node *compare(node *head, DWORD key);
;   node layout as used here: +0 = next pointer, +4 = key
; In:    [ebp+arg_0] = list head (may be 0), [ebp+arg_4] = key to match
; Out:   eax = first node whose [+4] == key, or 0 when the list is empty
;        or no node matches
; Clobb: ecx, flags (ebp is saved and restored)
; NOTE(review): the callers presumably treat a nonzero result as
; "entry found" and gate their behaviour on it - confirm in each caller.
;-----------------------------------------------------------------------
.text:000110DA compare proc near ; CODE XREF: MyZwOpenProcess+12p
.text:000110DA ; MyZwQuerySystemInformation+40p ...
.text:000110DA
.text:000110DA arg_0 = dword ptr 8
.text:000110DA arg_4 = dword ptr 0Ch
.text:000110DA
.text:000110DA mov edi, edi            ; 2-byte hot-patch nop (standard MS prologue)
.text:000110DC push ebp
.text:000110DD mov ebp, esp
.text:000110DF mov eax, [ebp+arg_0]    ; eax = current node = head
.text:000110E2 jmp short loc_110EE     ; enter the loop at the null check
.text:000110E4 ; ---------------------------------------------------------------------------
.text:000110E4
.text:000110E4 loc_110E4: ; CODE XREF: compare+16j
.text:000110E4 mov ecx, [ebp+arg_4]    ; ecx = key
.text:000110E7 cmp ecx, [eax+4]        ; node->key == key ?
.text:000110EA jz short loc_110F2      ; match: return this node in eax
.text:000110EC mov eax, [eax]          ; no match: eax = node->next
.text:000110EE
.text:000110EE loc_110EE: ; CODE XREF: compare+8j
.text:000110EE test eax, eax           ; end of list?
.text:000110F0 jnz short loc_110E4     ; not yet: examine this node
.text:000110F2
.text:000110F2 loc_110F2: ; CODE XREF: compare+10j
.text:000110F2 pop ebp                 ; reached with eax = 0 on exhaustion, or eax = matching node
.text:000110F3 retn 8
.text:000110F3 compare endp
.text:000110F3
.text:000110F3 ; ---------------------------------------------------------------------------
.text:000110F6
好像作者用的一个函数多次hook
看起来不错 能够hook+unhook
不过 没有mj的hook函数好
这个关闭中断似乎不能对付多核cpu-如果你要对付要setthread到其他cpu
应该提起自旋锁更好
代码:
;-----------------------------------------------------------------------
; HookZwOpenProcess - toggles the driver's SSDT hooks on or off.
; C-equivalent: void HookZwOpenProcess(void);   (no args, plain 'retn')
; Despite the name it touches three service-table slots: the one for
; ZwOpenProcess plus the two indexed by dword_1501C and dword_1500C
; (Read/WriteVirtualMemory, judging only by the handler names - confirm).
; State machine on the global IsHook:
;   IsHook == 0 -> write MyZw* handlers into the table, set IsHook = 1
;   IsHook != 0 -> write the saved OldZw* pointers back, set IsHook = 0
; Called from DriverEntry and RemoveNotify per the XREFs, so the same
; routine installs on load and removes on unload.
; Clobb: eax, ecx, edx, flags; CR0.WP and IF are cleared then set again.
; Defender notes (grounded in what is visible here):
;  * 'cli' masks interrupts on the executing CPU only; no lock or IRQL
;    change is visible, so other CPUs can dispatch through the table
;    while the three slots are being rewritten.
;  * CR0.WP is cleared and then set unconditionally rather than restored
;    to its entry value.
;  * Once hooked, the three slots point into this driver's image instead
;    of the kernel's - the usual SSDT-integrity indicator.
;-----------------------------------------------------------------------
HookZwOpenProcess proc near ; CODE XREF: RemoveNotify+14p
.text:0001190A ; DriverEntry+ADp
.text:0001190A mov edi, edi                    ; 2-byte hot-patch nop
.text:0001190C cli                             ; mask interrupts (this CPU only)
.text:0001190D mov eax, cr0
.text:00011910 and eax, 0FFFEFFFFh             ; clear CR0.WP (bit 16): read-only pages become writable
.text:00011915 mov cr0, eax
.text:00011918 cmp IsHook, 0                   ; flags consumed by the jnz below; the movs in between do not alter flags
.text:0001191F mov ecx, ds:KeServiceDescriptorTable
.text:00011925 mov eax, ds:ZwOpenProcess       ; eax = address of the imported ZwOpenProcess stub
.text:0001192A mov ecx, [ecx]                  ; ecx = first dword of the descriptor table (service table base)
.text:0001192C mov eax, [eax+1]                ; eax = dword at stub+1; presumably the imm32 of its 'mov eax, index' - confirm
.text:0001192F jnz short loc_11969             ; IsHook != 0: take the unhook path
.text:00011931 mov dword ptr [ecx+eax*4], offset MyZwOpenProcess   ; table[index] = hook handler
.text:00011938 mov eax, ds:KeServiceDescriptorTable
.text:0001193D mov eax, [eax]
.text:0001193F mov ecx, dword_1501C            ; second slot index (global, not derived from a stub here)
.text:00011945 mov dword ptr [eax+ecx*4], offset MyZwReadVirtualMemory
.text:0001194C mov eax, ds:KeServiceDescriptorTable
.text:00011951 mov eax, [eax]
.text:00011953 mov ecx, dword_1500C            ; third slot index
.text:00011959 mov dword ptr [eax+ecx*4], offset MyZwWriteVirtualMemory
.text:00011960 mov IsHook, 1                   ; remember that hooks are installed
.text:00011967 jmp short loc_119A5
.text:00011969 ; ---------------------------------------------------------------------------
.text:00011969
.text:00011969 loc_11969: ; CODE XREF: HookZwOpenProcess+25j
.text:00011969 mov edx, OldZwOpenProcess       ; restore the saved original pointers, same three slots
.text:0001196F mov [ecx+eax*4], edx
.text:00011972 mov eax, ds:KeServiceDescriptorTable
.text:00011977 mov eax, [eax]
.text:00011979 mov ecx, dword_1501C
.text:0001197F mov edx, OldZwReadVirtualMemory
.text:00011985 mov [eax+ecx*4], edx
.text:00011988 mov eax, ds:KeServiceDescriptorTable
.text:0001198D mov eax, [eax]
.text:0001198F mov ecx, dword_1500C
.text:00011995 mov edx, OldZwWriteVirtualMemory
.text:0001199B mov [eax+ecx*4], edx
.text:0001199E mov IsHook, 0                   ; hooks removed
.text:000119A5
.text:000119A5 loc_119A5: ; CODE XREF: HookZwOpenProcess+5Dj
.text:000119A5 mov eax, cr0
.text:000119A8 or eax, 10000h                  ; set CR0.WP again
.text:000119AD mov cr0, eax
.text:000119B0 sti                             ; re-enable interrupts on this CPU
.text:000119B1 retn
.text:000119B1 HookZwOpenProcess endp
.text:000119B1
.text:000119B1 ; ----------------