Many years ago I published an article in 《黑客防线》 titled "Implementing a RING3-level HIPS on WIN64". In fact a RING3-level HIPS cannot exist, because a RING3 INLINE HOOK is of no use at all.
First, let's look at how NTDLL32 implements the NATIVE API (NTDLL64 is similar):
WIN2003X64
==========
ntdll32!ZwOpenProcess:
00000000`7d61cb43 b823000000      mov     eax,23h
00000000`7d61cb48 33c9            xor     ecx,ecx
00000000`7d61cb4a 8d542404        lea     edx,[rsp+4]
00000000`7d61cb4e 64ff15c0000000  call    qword ptr fs:[ntdll32!NtReadFileScatter+0x12 (00000000`7d61cc15)]
00000000`7d61cb55 c21000          ret     10h
00000000`7d61cb58 8d4900          lea     ecx,[rcx]
ntdll32!NtSetInformationFile:
00000000`7d61cb5b b824000000      mov     eax,24h
00000000`7d61cb60 33c9            xor     ecx,ecx
00000000`7d61cb62 8d542404        lea     edx,[rsp+4]
00000000`7d61cb66 64ff15c0000000  call    qword ptr fs:[ntdll32!ZwOpenThreadTokenEx+0x12 (00000000`7d61cc2d)]
00000000`7d61cb6d c21400          ret     14h
00000000`7d61cb70 8d4900          lea     ecx,[rcx]

WIN7X64
=======
ntdll32!ZwOpenProcess:
00000000`7765fc10 b823000000      mov     eax,23h
00000000`7765fc15 33c9            xor     ecx,ecx
00000000`7765fc17 8d542404        lea     edx,[rsp+4]
00000000`7765fc1b 64ff15c0000000  call    qword ptr fs:[ntdll32!NtReadFileScatter+0xe (00000000`7765fce2)]
00000000`7765fc22 83c404          add     esp,4
00000000`7765fc25 c21000          ret     10h
ntdll32!ZwSetInformationFile:
00000000`7765fc28 b824000000      mov     eax,24h
00000000`7765fc2d 33c9            xor     ecx,ecx
00000000`7765fc2f 8d542404        lea     edx,[rsp+4]
00000000`7765fc33 64ff15c0000000  call    qword ptr fs:[ntdll32!ZwOpenThreadTokenEx+0xa (00000000`7765fcfa)]
00000000`7765fc3a 83c404          add     esp,4
00000000`7765fc3d c21400          ret     14h

WIN8X64
=======
ntdll!NtOpenProcess:
77aa0fbc b824000000      mov     eax,24h
77aa0fc1 64ff15c0000000  call    dword ptr fs:[0C0h]
77aa0fc8 c21000          ret     10h
77aa0fcb 90              nop
ntdll!ZwSetInformationFile:
77aa0fcc b825000000      mov     eax,25h
77aa0fd1 64ff15c0000000  call    dword ptr fs:[0C0h]
77aa0fd8 c21400          ret     14h
77aa0fdb 90              nop

WIN8.1X64
=========
ntdll!ZwOpenProcess:
7710b850 b825000000      mov     eax,25h
7710b855 64ff15c0000000  call    dword ptr fs:[0C0h]
7710b85c c21000          ret     10h
7710b85f 90              nop
ntdll!NtSetInformationFile:
7710b860 b826000000      mov     eax,26h
7710b865 64ff15c0000000  call    dword ptr fs:[0C0h]
7710b86c c21400          ret     14h
7710b86f 90              nop
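The stubs above are regular enough to recognise mechanically: `mov eax,N` carries the syscall number, and every version ends up in `call dword ptr fs:[0C0h]`, the WOW64 transition. The C program below is an added illustration, not code from the original post and not the author's method: it decodes the first bytes of a 32-bit ntdll export, extracts N, locates the fs:[0C0h] call, and flags a stub whose first byte has been turned into an E9 jmp, the shape a typical 5-byte inline hook leaves behind. The three clean byte patterns are copied from the Win7, Win8 and Win8.1 listings above; the hooked variant is constructed for the example. It only inspects the embedded bytes; reading them out of the live ntdll in your own process is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of the first bytes of a 32-bit ntdll Nt/Zw export. */
typedef struct {
    int      is_plain_stub;   /* 1: "mov eax,N ... call dword ptr fs:[0C0h]" found */
    int      starts_with_jmp; /* 1: first byte is E9 (jmp rel32), the usual inline hook */
    uint32_t syscall_number;  /* N from "mov eax,N"; only meaningful if is_plain_stub */
    size_t   call_offset;     /* offset of the fs:[0C0h] call inside the stub */
} stub_info;

/* 64 FF 15 C0 00 00 00 = call dword ptr fs:[0C0h], the WOW64 transition
 * that every stub in the listings above ends up calling. */
static const uint8_t WOW64_CALL[] = { 0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00 };

stub_info inspect_stub(const uint8_t *code, size_t len)
{
    stub_info r;
    size_t off, limit;

    memset(&r, 0, sizeof r);
    if (len == 0)
        return r;
    r.starts_with_jmp = (code[0] == 0xE9);

    /* B8 imm32 = mov eax, imm32: the syscall number. Anything else at offset 0
     * (a jmp, a push/ret pair, ...) means the stub has been rewritten. */
    if (code[0] != 0xB8 || len < 5 + sizeof WOW64_CALL)
        return r;
    r.syscall_number = (uint32_t)code[1] | ((uint32_t)code[2] << 8)
                     | ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);

    /* 2003/Win7 put "xor ecx,ecx; lea edx,[esp+4]" (6 bytes) between the mov
     * and the call; Win8/8.1 put nothing. Scan a small window for the call. */
    limit = len - sizeof WOW64_CALL;
    for (off = 5; off <= limit && off <= 5 + 8; off++) {
        if (memcmp(code + off, WOW64_CALL, sizeof WOW64_CALL) == 0) {
            r.is_plain_stub = 1;
            r.call_offset = off;
            break;
        }
    }
    return r;
}

/* Byte patterns copied from the listings above. */
const uint8_t WIN7_ZWOPENPROCESS[] = {
    0xB8, 0x23, 0x00, 0x00, 0x00,             /* mov eax,23h       */
    0x33, 0xC9,                               /* xor ecx,ecx       */
    0x8D, 0x54, 0x24, 0x04,                   /* lea edx,[esp+4]   */
    0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00, /* call fs:[0C0h]    */
    0x83, 0xC4, 0x04,                         /* add esp,4         */
    0xC2, 0x10, 0x00                          /* ret 10h           */
};
const uint8_t WIN8_NTOPENPROCESS[] = {
    0xB8, 0x24, 0x00, 0x00, 0x00,             /* mov eax,24h       */
    0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00, /* call fs:[0C0h]    */
    0xC2, 0x10, 0x00, 0x90                    /* ret 10h; nop      */
};
const uint8_t WIN81_ZWOPENPROCESS[] = {
    0xB8, 0x25, 0x00, 0x00, 0x00,             /* mov eax,25h       */
    0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00, /* call fs:[0C0h]    */
    0xC2, 0x10, 0x00, 0x90                    /* ret 10h; nop      */
};
/* Constructed, not from the page: the Win8 stub after a 5-byte inline hook
 * overwrote "mov eax,24h" with "jmp rel32" (the rel32 value is arbitrary). */
const uint8_t WIN8_NTOPENPROCESS_HOOKED[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,             /* jmp +0x1000 (hook) */
    0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00,
    0xC2, 0x10, 0x00, 0x90
};

static void report(const char *name, const uint8_t *code, size_t len)
{
    stub_info r = inspect_stub(code, len);
    if (r.is_plain_stub)
        printf("%-26s plain stub, syscall 0x%02X, fs:[0C0h] call at +%zu\n",
               name, r.syscall_number, r.call_offset);
    else
        printf("%-26s NOT a plain stub%s\n", name,
               r.starts_with_jmp ? " (starts with jmp: inline hook?)" : "");
}

int main(void)
{
    report("Win7 ZwOpenProcess", WIN7_ZWOPENPROCESS, sizeof WIN7_ZWOPENPROCESS);
    report("Win8 NtOpenProcess", WIN8_NTOPENPROCESS, sizeof WIN8_NTOPENPROCESS);
    report("Win8.1 ZwOpenProcess", WIN81_ZWOPENPROCESS, sizeof WIN81_ZWOPENPROCESS);
    report("Win8 NtOpenProcess hooked", WIN8_NTOPENPROCESS_HOOKED,
           sizeof WIN8_NTOPENPROCESS_HOOKED);
    return 0;
}
```

Note that the decoded number for the same function is 0x23, 0x24 and 0x25 across the three listed releases, which is why anything that issues the syscall itself must read N from the stub (or a per-version table) rather than hardcode it.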
Now let's talk about how to deal with RING3 INLINE HOOKs: