在Win7x64上加载无签名驱动以及让PatchGuard失效(Win7x64内核越狱)

x64asm · 发表于 2011-12-21 06:57:45

PAGE:00000001403F4760 SepInitializeCodeIntegrity proc near
PAGE:00000001403F4760
PAGE:00000001403F4760 arg_0          = qword ptr  8
PAGE:00000001403F4760
PAGE:00000001403F4760                mov    [rsp+arg_0], rbx
PAGE:00000001403F4765                push rdi
PAGE:00000001403F4766                sub    rsp, 20h
PAGE:00000001403F476A                xor    ebx, ebx
PAGE:00000001403F476C                cmp    cs:InitIsWinPEMode, bl
PAGE:00000001403F4772                jnz    loc_1403F480C
PAGE:00000001403F4778                xor    eax, eax
PAGE:00000001403F477A                mov    cs:g_CiEnabled, 1
PAGE:00000001403F4781                lea    edi, [rbx+6]
PAGE:00000001403F4784                mov    cs:g_CiCallbacks, rax
PAGE:00000001403F478B                mov    cs:qword_1402266A8, rax
PAGE:00000001403F4792                mov    cs:qword_1402266B0, rax
PAGE:00000001403F4799                mov    rax, cs:KeLoaderBlock_0
PAGE:00000001403F47A0                cmp    rax, rbx
PAGE:00000001403F47A3                jz    short loc_1403F47F7
PAGE:00000001403F47A5                cmp    [rax+98h], rbx
PAGE:00000001403F47AC                jz    short loc_1403F47EE
PAGE:00000001403F47AE                mov    rcx, [rax+98h]
PAGE:00000001403F47B5                lea    rdx, aDisable_integr ; "DISABLE_INTEGRITY_CHECKS"
PAGE:00000001403F47BC                call SepIsOptionPresent
PAGE:00000001403F47C1                mov    rcx, cs:KeLoaderBlock_0
PAGE:00000001403F47C8                lea    rdx, aTestsigning ; "TESTSIGNING"
PAGE:00000001403F47CF                mov    rcx, [rcx+98h]
PAGE:00000001403F47D6                cmp    eax, ebx
PAGE:00000001403F47D8                cmovnz  edi, ebx
PAGE:00000001403F47DB                call SepIsOptionPresent
PAGE:00000001403F47E0                cmp    eax, ebx
PAGE:00000001403F47E2                mov    rax, cs:KeLoaderBlock_0
PAGE:00000001403F47E9                jz    short loc_1403F47EE
PAGE:00000001403F47EB                or    edi, 8
PAGE:00000001403F47EE
PAGE:00000001403F47EE loc_1403F47EE:                         ; CODE XREF: SepInitializeCodeIntegrity+4Cj
PAGE:00000001403F47EE                                        ; SepInitializeCodeIntegrity+89j
PAGE:00000001403F47EE                cmp    rax, rbx
PAGE:00000001403F47F1                jz    short loc_1403F47F7
PAGE:00000001403F47F3                lea    rbx, [rax+30h]
PAGE:00000001403F47F7
PAGE:00000001403F47F7 loc_1403F47F7:                         ; CODE XREF: SepInitializeCodeIntegrity+43j
PAGE:00000001403F47F7                                        ; SepInitializeCodeIntegrity+91j
PAGE:00000001403F47F7                lea    r8, g_CiCallbacks
PAGE:00000001403F47FE                mov    rdx, rbx
PAGE:00000001403F4801                mov    ecx, edi
PAGE:00000001403F4803                call CiInitialize_0
PAGE:00000001403F4808                mov    ebx, eax
PAGE:00000001403F480A                jmp    short loc_1403F4812
PAGE:00000001403F480C ; ---------------------------------------------------------------------------
PAGE:00000001403F480C
PAGE:00000001403F480C loc_1403F480C:                         ; CODE XREF: SepInitializeCodeIntegrity+12j
PAGE:00000001403F480C                mov    cs:g_CiEnabled, bl
PAGE:00000001403F4812
PAGE:00000001403F4812 loc_1403F4812:                         ; CODE XREF: SepInitializeCodeIntegrity+AAj
PAGE:00000001403F4812                mov    eax, ebx
PAGE:00000001403F4814                mov    rbx, [rsp+28h+arg_0]
PAGE:00000001403F4819                add    rsp, 20h
PAGE:00000001403F481D                pop    rdi
PAGE:00000001403F481E                retn
PAGE:00000001403F481E SepInitializeCodeIntegrity endp

PAGE:00000001403F4772                jnz    loc_1403F480C

貌似他修改的就是这里吧

Tesla.Angela · 发表于 2011-12-21 12:15:47

x64asm 发表于 2011-12-21 06:57
PAGE:00000001403F4760 SepInitializeCodeIntegrity proc near
PAGE:00000001403F4760
PAGE:00000001403F ...

差不多，最近我正在研究这个工具的源码，不过修改了三个地方！

x64asm · 发表于 2011-12-23 03:32:55

NTOSKRNL.EXE后面附加的数据是PATCH GUARD的
看来在WINDOWS 7 SP1里的PATCH GUARD加强了

Tesla.Angela · 发表于 2011-12-23 11:22:42

x64asm 发表于 2011-12-23 03:32
NTOSKRNL.EXE后面附加的数据是PATCH GUARD的
看来在WINDOWS 7 SP1里的PATCH GUARD加强了

fyyre照样破解了。。。

VIPLZM · 发表于 2012-1-17 12:47:04

呵呵，终于要到隐藏的源码了！

Tesla.Angela · 发表于 2012-1-17 12:59:13

VIPLZM 发表于 2012-1-17 12:47
呵呵，终于要到隐藏的源码了！

这么快吃完饭了。

ithurricane · 发表于 2012-1-20 23:11:27

提示: 作者被禁止或删除内容自动屏蔽

brodbus · 发表于 2012-1-25 17:19:57

这个论坛很给力哦，就是积分不够啊

opq211211 · 发表于 2012-2-13 17:24:54

好东西支持下 64位的HOOK需要过patchguard 要不然要蓝屏109错误驱动有意或无意篡改内核关键代码

wenh7788 · 发表于 2012-2-21 13:48:42

我总是从某一些帖子中跳到这里来，不下10次了，没有权限啊啊啊啊啊啊啊

PS
顺便灌水，赚积分。

帐号		自动登录	找回密码
密码			加入我们