看雪论坛作者ID:下咯
0x0 前言
0x1 InfinityHook寻找指针方式解析
//
// Locate the slot on the current kernel stack that holds the pending
// system-call target. The scan runs downward from the stack limit read
// via gs: at OFFSET_KPCR_RSP_BASE (presumably the KPCR's RspBase field —
// confirm against the target build) to this function's own frame (the
// address of its return address), looking for two fixed magic values.
//
PVOID* StackMax = (PVOID*)__readgsqword(OFFSET_KPCR_RSP_BASE);
PVOID* StackFrame = (PVOID*)_AddressOfReturnAddress();
for (PVOID* StackCurrent = StackMax;
     StackCurrent > StackFrame;
     --StackCurrent)
{
    //
    // This is intentionally being read as 4-byte magic on an 8
    // byte aligned boundary.
    //
    PULONG AsUlong = (PULONG)StackCurrent;
    if (*AsUlong != INFINITYHOOK_MAGIC_1)
    {
        continue;
    }
    //
    // If the first magic is set, check for the second magic.
    // The 2-byte read happens one slot lower; StackCurrent stays at
    // that lower slot for the rest of this iteration, and the outer
    // loop's decrement then moves on from wherever the inner scan left it.
    //
    --StackCurrent;
    PUSHORT AsShort = (PUSHORT)StackCurrent;
    if (*AsShort != INFINITYHOOK_MAGIC_2)
    {
        continue;
    }
    //
    // Both magics matched: walk back up toward the stack limit until a
    // slot holds a pointer into the two-page window that starts at
    // SystemCallEntryPage, i.e. a return address into the system
    // service dispatcher. The fixed PAGE_SIZE * 2 window is a layout
    // assumption about where the dispatcher's code sits —
    // NOTE(review): it is the part of this scan most likely to break
    // between kernel builds.
    //
    for (;StackCurrent < StackMax;++StackCurrent)
    {
        PULONGLONG AsUlonglong = (PULONGLONG)StackCurrent;
        if (!(PAGE_ALIGN(*AsUlonglong) >= SystemCallEntryPage &&
            PAGE_ALIGN(*AsUlonglong) < (PVOID)((uintptr_t)SystemCallEntryPage + (PAGE_SIZE * 2))))
        {
            continue;
        }
        //
        // Nine 8-byte slots above the matching return address is the
        // slot holding the syscall target. The kd> dq dump later in this
        // article shows this: nt!KiSystemServiceExit+0x26a at
        // ...b88 and win32k!NtUserCallNoParam at ...bd0 (= b88 + 9*8).
        // The address of the slot, not its value, is handed to the
        // callback.
        //
        void** SystemCallFunction = &StackCurrent[9];
        if (IfhpCallback)
        {
            IfhpCallback(SystemCallIndex, SystemCallFunction);
        }
        break;
    }
    // The excerpt ends here; the outer loop's closing brace is not part
    // of this listing.
0x2 逆向HOOK系统调用事件
从调用栈分析，ntdll!NtCreateEvent+0xa 进入系统调用，然后在 nt!KiSystemServiceExit+0x26a 进入 ETW 的记录函数，那么关键就应该是 PerfInfoLogSysCallEntry 函数；通过该函数头部的二进制，在 IDA 里搜索。
.text:0000000140162A40 mov r11, rsp
.text:0000000140162A43 sub rsp, 48h
.text:0000000140162A47 lea rax, [r11+8]
.text:0000000140162A4B mov [r11+8], rcx
.text:0000000140162A4F lea rcx, [r11-18h]
.text:0000000140162A53 mov [r11-18h], rax
.text:0000000140162A57 and [rsp+48h+var_C], 0
.text:0000000140162A5C mov r9d, 0F33h
.text:0000000140162A62 mov edx, 1
.text:0000000140162A67 mov r8d, 40000040h
.text:0000000140162A6D mov [rsp+48h+var_20], 501802h
.text:0000000140162A75 and qword ptr [r11-28h], 0
.text:0000000140162A7A mov [rsp+48h+var_10], 8
.text:0000000140162A82 call EtwpTraceKernelEvent
.text:0000000140162A87 add rsp, 48h
.text:0000000140162A8B retn
// Same assignment as in the scan above, with a debugger break inserted
// right after it so the stack around StackCurrent can be dumped
// (see the kd> dq output that follows).
void** SystemCallFunction = &StackCurrent[9];
DbgBreakPoint();
kd> dq 0xfffff880`03b82b88
fffff880`03b82b88 fffff800`03ee0205 fffff960`00134164
fffff880`03b82b98 00000000`00000000 00000000`0000002a
fffff880`03b82ba8 fffff960`00133fd6 00000000`00000003
fffff880`03b82bb8 00000000`00000000 00000000`0192efb0
fffff880`03b82bc8 00000000`00000005 fffff960`00134164
fffff880`03b82bd8 fffff800`03edff93 fffffa80`31d69660
fffff880`03b82be8 fffffa80`31d63910 00000000`00000000
fffff880`03b82bf8 fffffa80`31d63910 00000000`00000000
kd> u fffff800`03ee0205
nt!KiSystemServiceExit+0x26a:
fffff800`03ee0205 488b4c2420 mov rcx,qword ptr [rsp+20h]
fffff800`03ee020a 488b542428 mov rdx,qword ptr [rsp+28h]
fffff800`03ee020f 4c8b442430 mov r8,qword ptr [rsp+30h]
fffff800`03ee0214 4c8b4c2438 mov r9,qword ptr [rsp+38h]
fffff800`03ee0219 4c8b542440 mov r10,qword ptr [rsp+40h]
fffff800`03ee021e 4883c450 add rsp,50h
fffff800`03ee0222 41ffd2 call r10
fffff800`03ee0225 488945b0 mov qword ptr [rbp-50h],rax
kd> dq 0xfffff880`03b82b88
fffff880`03b82b88 fffff800`03ee0205 fffff960`00134164
fffff880`03b82b98 00000000`00000000 00000000`0000002a
fffff880`03b82ba8 fffff960`00133fd6 00000000`00000003
fffff880`03b82bb8 00000000`00000000 00000000`0192efb0
fffff880`03b82bc8 00000000`00000005 fffff960`00134164
fffff880`03b82bd8 fffff800`03edff93 fffffa80`31d69660
fffff880`03b82be8 fffffa80`31d63910 00000000`00000000
fffff880`03b82bf8 fffffa80`31d63910 00000000`00000000
kd> u fffff960`00134164
win32k!NtUserCallNoParam:
fffff960`00134164 48895c2408 mov qword ptr [rsp+8],rbx
fffff960`00134169 57 push rdi
fffff960`0013416a 4883ec20 sub rsp,20h
fffff960`0013416e 8bf9 mov edi,ecx
fffff960`00134170 488b0da1a72000 mov rcx,qword ptr [win32k!gpresUser (fffff960`0033e918)]
fffff960`00134177 ff15f3d21c00 call qword ptr [win32k!_imp_ExEnterPriorityRegionAndAcquireResourceExclusive (fffff960`00301470)]
fffff960`0013417d c605249e200001 mov byte ptr [win32k!gbValidateHandleForIL (fffff960`0033dfa8)],1
fffff960`00134184 48890565c32000 mov qword ptr [win32k!gptiCurrent (fffff960`003404f0)],rax
MyDriver2!IfhpInternalGetCpuClock+0x15e [c:\users\hasee\documents\visual studio 2013\projects\mydriver1\mydriver1\infinityhook.cpp @ 622]
nt!EtwpReserveTraceBuffer+0xe2
nt!EtwpLogKernelEvent+0x24d
nt!EtwpTraceKernelEvent+0xa6
nt!PerfInfoLogSysCallEntry+0x47
nt!KiSystemServiceExit+0x26a
user32!NtUserCallNoParam+0xa
: Args to Child : Call Site
fffff880`03b82b40 : fffff960`00134164 : nt!PerfInfoLogSysCallEntry+0x47
kd> dq fffff880`03b82b40
fffff880`03b82b40 fffffa80`31d69660 fffff880`03b82c60
fffff880`03b82b50 00000000`0192f250 00000000`00000001
fffff880`03b82b60 00000000`00000000 fffff800`00501802
fffff880`03b82b70 fffff880`03b82b90 00000000`00000008
fffff880`03b82b80 fffff880`03b82b88 fffff800`03ee0205
fffff880`03b82b90 fffff960`00134164 00000000`00000000
kd> dq 0xfffff880`03b82b88
fffff880`03b82b88 fffff800`03ee0205 fffff960`00134164
fffff880`03b82b98 00000000`00000000 00000000`0000002a
fffff880`03b82ba8 fffff960`00133fd6 00000000`00000003
fffff880`03b82bb8 00000000`00000000 00000000`0192efb0
fffff880`03b82bc8 00000000`00000005 fffff960`00134164
fffff880`03b82bd8 fffff800`03edff93 fffffa80`31d69660
fffff880`03b82be8 fffffa80`31d63910 00000000`00000000
fffff880`03b82bf8 fffffa80`31d63910 00000000`00000000
0x3 逆向其他事件
EVENT_TRACE_FLAG_PROCESS
0x00000001
Property->EnableFlags = 0x00000001;
nt!EtwpReserveTraceBuffer+0xe2
nt!EtwpLogKernelEvent+0x122
nt!EtwpTraceKernelEvent+0xa6
nt! ?? ::NNGAKEGL::`string'+0x219f0
nt!PspExitProcess+0x4e
nt!PspExitThread+0x4e9
nt!NtTerminateProcess+0x138
nt!KiSystemServiceCopyEnd+0x13
ntdll!NtTerminateProcess+0xa
fffff800`0412de2b 8b5504 mov edx,dword ptr [rbp+4]
fffff800`0412de2e 488d8d90000000 lea rcx,[rbp+90h]
fffff800`0412de35 450fb7cd movzx r9d,r13w
fffff800`0412de39 41b801000000 mov r8d,1
fffff800`0412de3f c744242803195000 mov dword ptr [rsp+28h],501903h
fffff800`0412de47 488364242000 and qword ptr [rsp+20h],0
fffff800`0412de4d e8bedae8ff call nt!EtwpTraceKernelEvent (fffff800`03fbb910)
fffff800`0412de52 488d4d20 lea rcx,[rbp+20h]
nt!EtwpReserveTraceBuffer+0xe2
nt!EtwpLogKernelEvent+0x122
nt!EtwpTraceKernelEvent+0xa6
nt! ?? ::NNGAKEGL::`string'+0x219f0
nt!PspExitProcess+0x4e
nt!PspExitThread+0x4e9
nt!NtTerminateProcess+0x138
nt!KiSystemServiceCopyEnd+0x13
ntdll!NtTerminateProcess+0xa
nt!PspExitProcess:
fffff800`04191288 48895c2408 mov qword ptr [rsp+8],rbx
fffff800`0419128d 48896c2410 mov qword ptr [rsp+10h],rbp
fffff800`04191292 4889742418 mov qword ptr [rsp+18h],rsi
fffff800`04191297 57 push rdi
fffff800`04191298 4154 push r12
fffff800`0419129a 4155 push r13
fffff800`0419129c 4156 push r14
fffff800`0419129e 4157 push r15
fffff800`041912a0 4883ec30 sub rsp,30h
fffff800`041912a4 488bda mov rbx,rdx
fffff800`041912a7 448af9 mov r15b,cl
fffff800`041912aa f0838a4004000004 lock or dword ptr [rdx+440h],4
fffff800`041912b2 65488b3c2588010000 mov rdi,qword ptr gs:[188h]
fffff800`041912bb 4533ed xor r13d,r13d
fffff800`041912be 41be01000000 mov r14d,1
fffff800`041912c4 413acd cmp cl,r13b
fffff800`041912c7 747c je nt!PspExitProcess+0xbd (fffff800`04191345)
fffff800`041912c9 ba02030000 mov edx,302h
fffff800`041912ce 488bcb mov rcx,rbx
fffff800`041912d1 e842d6feff call nt!EtwTraceProcess (fffff800`0417e918)
fffff800`041912d6 66ff8fc4010000 dec word ptr [rdi+1C4h]
看雪ID:下咯
https://bbs.pediy.com/user-home-838741.htm