零度x's blog

DebugPort清零实现反调试

零度x — Sat, 19 May 2012 03:00:22 +0000

每个进程都有一个EPROCESS结构，这个结构里面有一个DebugPort成员，在处于正常运行状态时候这个值是零。当进程处于被调试状态的时候DebugPort就是一个指针，指向一个专门用于调试的内核对象。

所以当进程处于被调试状态的时候，DebugPort是指向内核的调试对象的，在这时我们强行把DebugProt清零，会导致被调试进程和调试器无法通信，从而达到反调试的效果。

下面是代码，编译加载驱动，ring3使用DeviceIoControl传递进来进程ID后就无法调试了。


UNICODE_STRING SymbolicLinkName;

VOID Unload(PDRIVER_OBJECT pDriverObject)
{
 NTSTATUS status;
 PDEVICE_OBJECT pDevice1;
 PDEVICE_OBJECT pDevice2;

 status = IoDeleteSymbolicLink(&SymbolicLinkName);//删除符号链接
 if(STATUS_SUCCESS != status)
 {
  DbgPrint("IoDeleteSymbolicLink Error!\r\n");
 }

 pDevice1 = pDriverObject->DeviceObject;

 while(pDevice1)//删除设备链表
 {
  pDevice2 = pDevice1;
  pDevice1 = pDevice2->NextDevice;
  IoDeleteDevice(pDevice2);
 }

 DbgPrint("Unloaded!\r\n");
}

NTSTATUS MyFunction(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
 PIO_STACK_LOCATION pIoStackLocation;
 HANDLE hProcess;
 OBJECT_ATTRIBUTES ObjectAttributes;
 CLIENT_ID ClientDId;
 ULONG ulProcessId;
 NTSTATUS status;
 PEPROCESS Eprocess;
 pIoStackLocation = IoGetCurrentIrpStackLocation(pIrp);//获取irp的IO堆栈

 pIrp->IoStatus.Status = STATUS_SUCCESS;
 pIrp->IoStatus.Information = 0;

 if(IRP_MJ_CREATE == pIoStackLocation->MajorFunction)
  DbgPrint("create!\r\n");
 else if(IRP_MJ_CLOSE == pIoStackLocation->MajorFunction)
  DbgPrint("close!\r\n");
 else if(IRP_MJ_DEVICE_CONTROL == pIoStackLocation->MajorFunction)//ring3进程向驱动专递进程id
 {
  ulProcessId = *(ULONG *)pIrp->AssociatedIrp.SystemBuffer;
  DbgPrint("%d\r\n", ulProcessId);
  InitializeObjectAttributes(&ObjectAttributes, 0, 0, 0, 0);
  ClientDId.UniqueProcess = ulProcessId;
  ClientDId.UniqueThread = 0;

  status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientDId);//通过进程id获取进程句柄
  if(NT_SUCCESS(status))
  {
   status = ObReferenceObjectByHandle(hProcess, FILE_READ_DATA, 0, KernelMode, &Eprocess, 0);//通过句柄获取EPROCESS结构
   if(NT_SUCCESS(status))
   {
    *(PULONG)((ULONG)Eprocess + 0x0bc) = 0;//EPROCESS结构偏移0x0bc就是DebugPort成员
    DbgPrint("OK!\r\n");
   }
  }
 }

 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
 return pIrp->IoStatus.Status;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
 UNICODE_STRING DeviceName;
 DEVICE_OBJECT MyDevice;
 NTSTATUS status;

 pDriverObject->DriverUnload = Unload;

 RtlInitUnicodeString(&DeviceName, L"\\Device\\MyDevice");
 RtlInitUnicodeString(&SymbolicLinkName, L"\\??\\MySymbolicLink");

 pDriverObject->MajorFunction[IRP_MJ_CREATE] = MyFunction;
 pDriverObject->MajorFunction[IRP_MJ_CLOSE] = MyFunction;
 pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyFunction;//设置派遣函数

 status = IoCreateDevice(pDriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &MyDevice);//创建设备
 if(STATUS_SUCCESS != status)
 {
  DbgPrint("IoCreateDevicve Error!\r\n");
 }

 status = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);//绑定符号链接
 if(STATUS_SUCCESS != status)
 {
  DbgPrint("IoCreateSymbolicLink Error!\r\n");
 }

 return STATUS_SUCCESS;
}

SSDT HOOK ZwOpenProcess(续)

零度x — Tue, 15 May 2012 14:29:39 +0000

昨天写的改写ssdt中ZwOpenProcess地址实现了HOOK ZwOpenProcess（见连接：http://www.lingdux.com/2012/261.html）禁止了任何进程对记事本进程OpenProcess，不能得到记事本进程的句柄。这样实现了我想要的目的（其实没什么目的，就是练手），但是同业也带来了副作用，系统进程也无法获取记事本进程的句柄了，导致记事本没有XP主题的样式，任务管理器中也看不到创建记事本进程的用户名了。

由于本人喜欢完美，这样子实在是不好看，今天就看了一下记事本程序创建进程时候那些系统进程会跳用OpenProcess获取自己的进程句柄。用之前写的ssdt hook把拒绝访问的进程输出到DbgView，发现一共才两个进程，只有explorer.exe和svchost.exe。试了一下发现是允许svchost进程调用主题就没问题了，任务管理器中记事本进程的用户名也可以正常显示了。

代码就很简单了，PsGetCurrentProcess获取进程结构EPROCESS的指针，然后从该结构中读取进程名，如果是svchost就放行。修改后的MyNtOpenProcess代码如下：

NTSTATUS MyNtOpenProcess(PHANDLE pProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES pObjectAttributes, PCLIENT_ID pClientId)
{
	NTSTATUS status;
	PEPROCESS Eprocess;
	UCHAR *pProcessName;

	PEPROCESS SourEprocess;
	UCHAR *pSourProcessName;

	status = pRealZwOpenProcess(pProcessHandle, DesiredAccess, pObjectAttributes, pClientId);//获取进程句柄
	if(status == STATUS_SUCCESS)
	{
		status = ObReferenceObjectByHandle(*pProcessHandle, FILE_READ_DATA, 0, KernelMode, &Eprocess, 0);//通过句柄获取PEPROCESS
		if(status == STATUS_SUCCESS)
		{
			pProcessName = PsGetProcessImageFileName(Eprocess);//从PEPROCESS中读出进程名
			if(strcmp(pProcessName, "notepad.exe") == 0)
			{
				SourEprocess = PsGetCurrentProcess();//获取EPROCESS结构
				pSourProcessName = PsGetProcessImageFileName(SourEprocess);//从结构中获得进程名
				if(strcmp(pSourProcessName, "svchost.exe") != 0)//判断下，不是svchost调用的才返回失败
				{
					return STATUS_ACCESS_DENIED;
				}
			}

		}
		else
			DbgPrint("ObReferenceObjectByHandle Failed!\r\n");
	}
	else
		DbgPrint("pRealZwOpenProcess Failed!\r\n");

	status = pRealZwOpenProcess(pProcessHandle, DesiredAccess, pObjectAttributes, pClientId);
	return status;
}

SSDT HOOK ZwOpenProcess

零度x — Mon, 14 May 2012 14:12:46 +0000

博客好久没更新了，今天好好整理一下博客，然后重新记录学习的过程。
最近突然发现工作了以后每天和混日子一样，技术上面没有进步了。这种感觉实在是让人难以忍受，还是静下心来好好学点东西吧。

入正题，最近看了SSDT HOOK，发现没有预想那么复杂，直接替换了SSDT表的函数地址就完成了，灰常简单。
这次hook了ZwOpenProcess，为啥hook它？我也不知道，练手随便写的。ring3结束进程，读写内存，注入都需要先获取进程句柄的，hook了这个应该就都不行了吧。
SSDT的原理就不说了，百度一下好几篇，都是很易懂的，下面上代码

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
   PVOID    ServiceTableBase;
   PULONG   ServiceCounterTableBase;
   ULONG    NumberOfService;
   ULONG    ParamTableBase;
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;

extern PSERVICE_DESCRIPTOR_TABLE     KeServiceDescriptorTable;

typedef NTSTATUS (_stdcall* PRealZwOpenProcess)(
  __out     PHANDLE ProcessHandle,
  __in      ACCESS_MASK DesiredAccess,
  __in      POBJECT_ATTRIBUTES ObjectAttributes,
  __in_opt  PCLIENT_ID ClientId
);

ULONG AddressOfNtOpenProcess = 0;
ULONG OldAddress = 0;
PRealZwOpenProcess pRealZwOpenProcess = NULL;

UCHAR *PsGetProcessImageFileName(PEPROCESS EProcess);

//这个函数判断了ZwOpenProcess的目标是不是notepad，如果是的话就返回拒绝访问
NTSTATUS MyNtOpenProcess(PHANDLE pProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES pObjectAttributes, PCLIENT_ID pClientId)
{
	NTSTATUS status;
	PEPROCESS Eprocess;
	UCHAR *pProcessName;

	status = pRealZwOpenProcess(pProcessHandle, DesiredAccess, pObjectAttributes, pClientId);//获取进程句柄
	if(status == STATUS_SUCCESS)
	{
		status = ObReferenceObjectByHandle(*pProcessHandle, FILE_READ_DATA, 0, KernelMode, &Eprocess, 0);//通过句柄获取PEPROCESS
		if(status == STATUS_SUCCESS)
		{
			pProcessName = PsGetProcessImageFileName(Eprocess);//从PEPROCESS中读出进程名
			if(strcmp(pProcessName, "notepad.exe") == 0)
				return STATUS_ACCESS_DENIED;//

		}
		else
			DbgPrint("ObReferenceObjectByHandle Failed!\r\n");
	}
	else
		DbgPrint("pRealZwOpenProcess Failed!\r\n");

	status = pRealZwOpenProcess(pProcessHandle, DesiredAccess, pObjectAttributes, pClientId);
	return status;
}

VOID UnHook()
{
	*(ULONG *)AddressOfNtOpenProcess = OldAddress;//卸载时候把真是的地址写回去就好了
}

VOID Unload(PDRIVER_OBJECT DriverObject)
{
	UnHook();
}

VOID Hook()
{

	AddressOfNtOpenProcess = 0x7a * 4 + (ULONG)KeServiceDescriptorTable->ServiceTableBase;//7a是ZwOpenProcess的服务号，ring3分析OpenPorcess得到
	OldAddress = *(ULONG *)AddressOfNtOpenProcess;//保存SSDT中ZwOpenProcess函数地址，恢复的时候用

	pRealZwOpenProcess = NtOpenProcess;//取到真实的ZwOpenProcess给我们自己调用

	*(ULONG *)AddressOfNtOpenProcess = (ULONG)MyNtOpenProcess;//把SSDT中ZwOpenProcess函数的地址替换成MyOpenProcess

}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{

	pDriverObject->DriverUnload=Unload;

	Hook();

	return STATUS_SUCCESS;
}

最后上两张效果图
Hook ZwOpenProcess之后主题XP都没有了，莫非是进程注入？

获取进程数

零度x — Wed, 09 Mar 2011 14:16:17 +0000

DWORD dwProcs[1024*2]; DWORD dwNeeded; EnumProcesses( dwProcs, sizeof(dwProcs), &dwNeeded ); 阅读全文——共124字

很久没更新了。。。

零度x — Tue, 22 Feb 2011 06:53:11 +0000

很久没更新了，最近太忙，项目终于大体成型了，也搞定了360主攻防御，哇哈哈~

VC监控打印机

零度x — Sun, 02 Jan 2011 01:09:55 +0000

char temp[50];
HANDLE hPrinter = NULL;
DWORD dwNeeded = 0;
DWORD dwReturned = 0;
JOB_INFO_1 *pJobInfo = NULL;
int n = 0;
int ret = OpenPrinter(“\\\\192.168.10.13\\Canon MX310 series Printer”, &hPrinter, NULL);
if(ret == 0)
{
p->MessageBox(“打开打印机失败！”);
return 0;
}

while(p->IsListening)
{
EnumJobs(hPrinter,0,0xFFFFFFFF,1,NULL,0,&dwNeeded,&dwReturned);
if((pJobInfo = (JOB_INFO_1*)malloc(dwNeeded)) == NULL)
{
p->MessageBox(“分配空间失败！”);
ClosePrinter(hPrinter);
return 0;
}
if(!EnumJobs(hPrinter,0,0xFFFFFFFF,1,(LPBYTE)pJobInfo,dwNeeded,&dwNeeded,&dwReturned))
{
p->MessageBox(“枚举失败！”);
ClosePrinter(hPrinter);
free(pJobInfo);
return 0;
}

if(p->id != pJobInfo->JobId)
{
n = p->m_list.GetItemCount();
p->m_list.InsertItem(n, pJobInfo->pDocument);
p->m_list.SetItemText(n, 1, pJobInfo->pDatatype);
p->m_list.SetItemText(n, 2, pJobInfo->pMachineName);
p->m_list.SetItemText(n, 3, pJobInfo->pUserName);
p->m_list.SetItemText(n, 4, pJobInfo->pPrinterName);
memset(temp, 0, sizeof(temp));
itoa(pJobInfo->JobId, temp, 10);
p->m_list.SetItemText(n, 5, temp);
p->id = pJobInfo->JobId;
}
free(pJobInfo);
Sleep(1000);
}

WNET获取共享信息

零度x — Sat, 01 Jan 2011 05:04:02 +0000

char RemoteName[] = “\\\\192.168.105.9″;
DWORD ret;
NETRESOURCE nr;
memset(&nr, 0, sizeof(nr));
nr.dwScope = RESOURCE_CONNECTED;
nr.dwType = RESOURCETYPE_ANY;
nr.dwDisplayType = RESOURCEDISPLAYTYPE_GENERIC;
nr.dwUsage = RESOURCEUSAGE_CONNECTABLE;
nr.lpRemoteName = RemoteName;
ret = WNetAddConnection2(&nr, NULL, NULL, CONNECT_UPDATE_PROFILE);

if(ret != NO_ERROR)
{
MessageBox(“失败！”);
return;
}
HANDLE hEnum;
ret = WNetOpenEnum(RESOURCE_GLOBALNET, RESOURCETYPE_ANY, 0, &nr, &hEnum);
if(ret != NO_ERROR)
{
MessageBox(“失败！”);
return;
}

DWORD dwResultEnum;
BYTE buf[16384];
DWORD cbBuffer = 16384; // 16K is a good size
LPNETRESOURCE lpnrLocal = (LPNETRESOURCE)buf;
DWORD cEntries = -1;

do
{
cbBuffer = 16384;
memset(lpnrLocal, 0, 16384);
dwResultEnum = WNetEnumResource(hEnum, // resource handle
&cEntries, // defined locally as -1
lpnrLocal, // LPNETRESOURCE
&cbBuffer); // buffer size
if (dwResultEnum == NO_ERROR)
{
for (DWORD i=0; i {
//CString str_remote = lpnrLocal[i].lpRemoteName;//得到共享名称
if(lpnrLocal[i].dwType == RESOURCETYPE_PRINT)
MessageBox(lpnrLocal[i].lpRemoteName);
}
}
else if (dwResultEnum != ERROR_NO_MORE_ITEMS)
{
break;
}
}
while (dwResultEnum != ERROR_NO_MORE_ITEMS);
WNetCloseEnum(hEnum);

VC socket 实现post提交~

零度x — Thu, 02 Dec 2010 04:02:39 +0000

DWORD WINAPI Start(LPVOID lParam)
{
CPostDlg *p = (CPostDlg *)lParam;
SOCKET sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock == SOCKET_ERROR)
{
p->MessageBox(“创建套接字失败~”);
return 0;
}
SOCKADDR_IN addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(80);
char url[20] = “192.168.10.104″;

addr.sin_addr.S_un.S_addr = inet_addr(“192.168.10.104″);
int ret =connect(sock, (SOCKADDR *)&addr, sizeof(SOCKADDR_IN));
if(ret == SOCKET_ERROR)
{
p->MessageBox(“连接失败~”);
return 0;
}
char buffer[4096];
char pwd[] = “fuckhacker”;
int len = strlen(pwd) + 21;
sprintf(buffer, “POST /webshell1.php HTTP/1.1\r\n”
“Content-Type: application/x-www-form-urlencoded\r\n”
“Host: 192.168.10.104\r\n”
“Content-Length: %d\r\n”
“\r\n”
“password=%s&doing=login”,
len,
pwd);
ret = send(sock, buffer, sizeof(buffer), 0);
if(ret == SOCKET_ERROR)
{
p->MessageBox(“发送失败~”);
return 0;
}
memset(buffer, 0, sizeof(buffer));
ret = recv(sock, buffer, sizeof(buffer), 0);
if(ret == SOCKET_ERROR)
{
p->MessageBox(“接受失败~”);
return 0;
}
CString buf(buffer);
if(buf.Find(“Success”, 0) != -1)
p->MessageBox(“密码正确~”);
else
p->MessageBox(“密码错误~”);
return 0;
}

使用匿名管道实现CMD回显

零度x — Tue, 16 Nov 2010 08:55:31 +0000

DWORD WINAPI MyThread(LPVOID lParam)
{
CTestDlg *p = (CTestDlg *)lParam;

char path[1024];
char cmdline[1024];
char buffer[1024];
memset(buffer, 0, sizeof(buffer));
memset(cmdline, 0, sizeof(cmdline));
memset(path, 0, sizeof(path));
::GetSystemDirectory(path, sizeof(path));

strcpy(cmdline, “ping.exe”);
strcat(cmdline, ” 127.0.0.1″);

HANDLE hwrite,hread;
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if(!::CreatePipe(&hread, &hwrite, &sa,0))
{
p->MessageBox(“创建管道出错！”);
return 0;
}

STARTUPINFO si;
memset(&si, 0, sizeof(si));
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.hStdOutput = hwrite;
si.hStdError = hwrite;
si.wShowWindow = SW_HIDE;
PROCESS_INFORMATION pi;
memset(&pi, 0, sizeof(pi));

if(!::CreateProcess( NULL, cmdline, NULL, NULL, TRUE, 0, NULL, path, &si, &pi))
{
p->MessageBox(“打开进程出错！”);
return 0;
}
::CloseHandle(hwrite);

DWORD byte = 0;

p->m_out = “”;
while(TRUE)
{
if(!ReadFile(hread, buffer, sizeof(buffer), &byte, NULL))
break;
if(byte > 0)
{
p->m_out += buffer;
}
Sleep(1000);
}
p->UpdateData(FALSE);
return 0;
}

使用ado中的Stream对象向数据库上传图片

零度x — Tue, 26 Oct 2010 08:15:31 +0000

try
{
CoInitialize(NULL);
_ConnectionPtr pConnection(__uuidof(Connection));
_RecordsetPtr pRecordset(__uuidof(Recordset));

pConnection->ConnectionString = “Provider=SQLOLEDB.1;Persist Security Info=False;User ID = sa;Initial Catalog = CodeTest;Data Source = 164.70.6.219″;
pConnection->Open(pConnection->ConnectionString, “”, “”, -1);//连接数据库

pRecordset->Open(“SELECT * FROM ma_q_test”,_variant_t((IDispatch*)pConnection,true),adOpenStatic,adLockOptimistic,adCmdText);
//打开记录集

_StreamPtr pStream(__uuidof(Stream));
_variant_t varOptional(DISP_E_PARAMNOTFOUND,VT_ERROR);
pStream->PutType(adTypeBinary);//设置类型为二进制
pStream->Open(varOptional, adModeUnknown, adOpenStreamUnspecified, _bstr_t(), _bstr_t());//生成二进制流
pStream->LoadFromFile(_bstr_t(“D:\\1.jpg”));//读取文件
_variant_t varBLOB = pStream->Read(adReadAll);//读取到varBLOB

pRecordset->AddNew();//曾加一条记录
pRecordset->GetFields()->GetItem(“image”)->Value = varBLOB;//保存数据对象
pRecordset->PutCollect(“id”, “1″);//设置id
pRecordset->Update();//更新~

pStream->Close();
pStream.Release();
pRecordset->Close();
pRecordset.Release();
if(pConnection->State)
pConnection->Close();
pConnection.Release();
CoUninitialize();
}
catch(_com_error e)
{
MessageBox(e.ErrorMessage());
}