【紫水晶首发】VB小子玩转驱动程序(6):结束线程
本帖最后由 xiaoly99 于 2014-7-10 20:41 编辑VB小子玩转驱动程序(6):结束线程
作者:0.0
①.准备工具
WinDbg和未导出函数符号包
未下载请打开:http://www.m5home.com/bbs/thread-3442-1-1.html
1.前提
本例使用了未导出函数PspExitThread,未导出函数KiInsertQueueApc经测试容易蓝屏,所以使用导出函数KeInsertQueueApc.
系统调用列表:NtTerminateProcess -> XXX -> PspTermianteThreadByPointer ->KeInsertQueueApc ->KiINsertQueueApc -> InsertHeadList -> PspExitThread
2.获得PspExitThread地址
PspExitThread貌似不被任何一个已导出函数调用,本例中通过查找未导出函数PspTerminateThreadByPointerAddr中,而PspTerminateThreadByPointerAddr被导出函数PsTerminateSystemThread调用.
lkd> u PsTerminateSystemThread l 10
nt!PsTerminateSystemThread:
805c9f74 8bff mov edi,edi
805c9f76 55 push ebp
805c9f77 8bec mov ebp,esp
805c9f79 64a124010000 mov eax,dword ptr fs:
805c9f7f f6804802000010test byte ptr ,10h
805c9f86 7507 jne nt!PsTerminateSystemThread+0x1b (805c9f8f)
805c9f88 b80d0000c0 mov eax,0C000000Dh
805c9f8d eb09 jmp nt!PsTerminateSystemThread+0x24 (805c9f98)
805c9f8f ff7508 push dword ptr
805c9f92 50 push eax
805c9f93 e828fcffff call nt!PspTerminateThreadByPointer (805c9bc0)
注意:为什么用红色标注了两句呢?因为特征码是两句,特征码是50e8########,按照ULONG的读法就是e850########
驱动代码:
PVOID GetFunctionAddr(IN PCWSTR FunctionName){UNICODE_STRING UniCodeFunctionName;RtlInitUnicodeString(&UniCodeFunctionName,FunctionName);return MmGetSystemRoutineAddress(&UniCodeFunctionName);}
PUCHAR GetPspTerminateThreadByPointerAddr();
{
int i = 0;
PUCHAR psExitSystemThreadAddr = (PUCHAR)GetFunctionAddr(L"PsTerminateSystemThread");//获得函数地址
for ( i=0; i<= 0x50; i++)
{
psExitSystemThreadAddr ++;
if ( *(PWCHAR)psExitSystemThreadAddr == 0xe850 )//校验特征码
{
psExitSystemThreadAddr++;
return (PUCHAR)((ULONG)psExitSystemThreadAddr + 5 + *(PULONG)(psExitSystemThreadAddr + 1));//返回地址
break;
}
}
return;
}
lkd> u PspTerminateThreadByPointer l 20
nt!PspTerminateThreadByPointer:
805c9bc0 8bff mov edi,edi
805c9bc2 55 push ebp
805c9bc3 8bec mov ebp,esp
805c9bc5 83ec0c sub esp,0Ch
..............................................
805c9c0a ff750c push dword ptr
805c9c0d e87af7ffff call nt!PspExitThread (805c938c)
按照ULONG读出特征码就是0xe80C75FF
驱动代码:
PVOID GetPspExitThread()
PUCHAR PspTerminateThreadByPointerAddr = NULL;
int i = 0;
PspTerminateThreadByPointerAddr = GetPspTerminateThreadByPointerAddr();
for ( i = 0; i<= 0x50; i++)
{
PspTerminateThreadByPointerAddr ++;
if ( *(PULONG)PspTerminateThreadByPointerAddr == 0xe80C75FF)
{
PspTerminateThreadByPointerAddr++;
PspTerminateThreadByPointerAddr++;
PspTerminateThreadByPointerAddr++;
return (PSPEXITTHREAD)( (ULONG)PspTerminateThreadByPointerAddr + 5 + *(PULONG)(PspTerminateThreadByPointerAddr +1) );
break;
}
}
return;
}
3.调用(结束线程)
先声明:
NTKERNELAPI VOID KeInitializeApc (PRKAPC Apc,PKTHREAD Thread,KAPC_ENVIRONMENT Environment,PKKERNEL_ROUTINE KernelRoutine,PKRUNDOWN_ROUTINE RundownRoutine,PKNORMAL_ROUTINE NormalRoutine,KPROCESSOR_MODE ApcMode,PVOID NormalContext);
NTKERNELAPI BOOLEAN KeInsertQueueApc(IN PKAPC Apc,IN PVOID SystemArgument1,IN PVOID SystemArgument2,IN KPRIORITY PriorityBoost);
typedef VOID (*PSPEXITTHREAD)(IN NTSTATUS ExitStatus);
PSPEXITTHREAD PspExitThread = NULL;
代码和注释:
VOID KernelTerminateThreadRoutine(IN PKAPC Apc,IN OUT PKNORMAL_ROUTINE *NormalRoutine,IN OUT PVOID *NormalContext,IN OUT PVOID *SystemArgument1,IN OUT PVOID *SystemArgument2)
{
PspExitThread(0);//结束自身线程 因为已经通过Apc进行Attach到内部Exit的YY操作
}
VOID TerminateThread(PETHREAD Thread)
{
PKAPC Apc=NULL;
Apc=ExAllocatePool(NonPagedPool,sizeof(KAPC));//分配Apc内存
GetPspExitThreadAddr();//获得地址
KeInitializeApc(Apc,(PKTHREAD)Thread,OriginalApcEnvironment,KernelTerminateThreadRoutine,NULL,NULL,KernelMode,NULL); //初始化Apc
KeInsertQueueApc(Apc,0,0,0);//插Apc
ExFreePool(Apc);
} 不用这么狠吧,结束个线程就PspExitThread? 加个for循环就能结束进程了 本帖最后由 HoviDelphic 于 2010-1-25 15:53 编辑
你的前途不可估量!你才11岁啊! 狠是狠了点 对于网上某些Hook PspExitThread的YY程序.......IceFreak内部是加了恢复的 狠是狠了点 对于网上某些Hook PspExitThread的YY程序.......IceFreak内部是加了恢复的
xiaoly99 发表于 2010-1-25 15:48 http://www.m5home.com/bbs/images/common/back.gif
我还真的没见过这样的YY程序。 WP是什么? 回复 9# 本网站最菜的人
那是MP吧 又不是WeiPoint
lkd> u keterminatethread l 25
nt!KeTerminateThread:
804fce90 8bff mov edi,edi
804fce92 55 push ebp
804fce93 8bec mov ebp,esp
804fce95 83ec10 sub esp,10h
804fce98 56 push esi
804fce99 57 push edi
804fce9a 64a124010000 mov eax,dword ptr fs:
804fcea0 8bf0 mov esi,eax
804fcea2 8b7e44 mov edi,dword ptr
804fcea5 8d4f58 lea ecx,
804fcea8 8d55f0 lea edx,
804fceab ff1590864d80 call dword ptr
804fceb1 a120b25580 mov eax,dword ptr
804fceb6 8986dc010000 mov dword ptr ,eax
804fcebc 803d24b2558000 cmp byte ptr ,0
804fcec3 893520b25580 mov dword ptr ,esi
804fcec9 7518 jne nt!KeTerminateThread+0x53 (804fcee3)
804fcecb 6a00 push 0
804fcecd ba10b25580 mov edx,offset nt!PsReaperWorkItem (8055b210)
804fced2 b9b8c15580 mov ecx,offset nt!ExWorkerQueue+0x78 (8055c1b8)
804fced7 c60524b2558001 mov byte ptr ,1
804fcede e8e7f4ffff call nt!KiInsertQueue (804fc3ca)
804fcee3 8b8ee4000000 mov ecx,dword ptr
804fcee9 85c9 test ecx,ecx
804fceeb 7415 je nt!KeTerminateThread+0x72 (804fcf02)
804fceed 8d8618010000 lea eax,
804fcef3 8b10 mov edx,dword ptr
804fcef5 8b4004 mov eax,dword ptr
804fcef8 8910 mov dword ptr ,edx
804fcefa 894204 mov dword ptr ,eax
804fcefd e828f1ffff call nt!KiActivateWaiterQueue (804fc02a)
804fcf02 8d4608 lea eax,
804fcf05 3900 cmp dword ptr ,eax
804fcf07 c7460401000000 mov dword ptr ,1
804fcf0e 740a je nt!KeTerminateThread+0x8a (804fcf1a)
804fcf10 8b5508 mov edx,dword ptr
804fcf13 8bce mov ecx,esi
哪有PspExitThread? 不懂 继续学习
页:
[1]