关于过倒霉蛋儿的MiniSafe
本帖最后由 Tesla.Angela 于 2010-8-18 12:34 编辑好几天没上论坛了,今天一上,发现关于过倒霉蛋儿的MiniSafe讨论得如火如荼,其实大家换种思维,会发现过Ring3的Inline Hook十分简单。
倒霉蛋儿关于进程防杀的钩子全部钩在ntdll.dll上,如果我们不用ntdll.dll,倒霉蛋儿的钩子就无效了。
众网友:什么?不用ntdll.dll?
我:是的。
众网友:难道你自己写一个ntdll.dll不成?
我:非也。重新加载一份ntdll.dll就可以了。
#include <stdio.h>
#include <windows.h>
typedef long (*P1)(ULONG,ULONG,ULONG,PULONG);
typedef long (*P2)(PULONG,ULONG,PULONG,PULONG);
typedef long (*P3)(ULONG,ULONG);
int main()
{
CopyFileA("c:\\windows\\system32\\ntdll.dll","c:\\tadll.dll",TRUE);
HMODULE ht=LoadLibraryA("c:\\tadll.dll");
P1 p1=(P1)GetProcAddress(ht,"RtlAdjustPrivilege");
P2 p2=(P2)GetProcAddress(ht,"NtOpenProcess");
P3 p3=(P3)GetProcAddress(ht,"NtTerminateProcess");
ULONG oa={0};
ULONG cid={0};
ULONG hp=0,rv=0;
p1(20,1,0,&rv);
printf("Input PID: ");
scanf("%ld",&hp);
oa=24;
cid=hp;
p2(&hp,1,oa,cid);
hp=p3(hp,0);
CloseHandle(hp);
getchar();getchar();
FreeLibrary(ht);
DeleteFileA("c:\\tadll.dll");
return 0;
}
效果自己测试吧。。。 本帖最后由 Tesla.Angela 于 2010-8-18 08:37 编辑
想象:如果我们重新加载一份ntoskrnl.exe,会什么效果? 直接恢复自身进程的Inline Hook也可以:
Option Explicit
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32.dll" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function VirtualProtect _
Lib "kernel32.dll" (ByRef lpAddress As Any, _
ByVal dwSize As Long, _
ByVal flNewProtect As Long, _
ByRef lpflOldProtect As Long) As Long
Private Declare Function MapViewOfFile _
Lib "kernel32.dll" (ByVal hFileMappingObject As Long, _
ByVal dwDesiredAccess As Long, _
ByVal dwFileOffsetHigh As Long, _
ByVal dwFileOffsetLow As Long, _
ByVal dwNumberOfBytesToMap As Long) As Long
Private Declare Sub CopyMemory _
Lib "kernel32.dll" _
Alias "RtlMoveMemory" (ByRef Destination As Any, _
ByRef Source As Any, _
ByVal Length As Long)
Private Declare Function UnmapViewOfFile _
Lib "kernel32.dll" (ByRef lpBaseAddress As Any) As Long
Private Declare Function CloseHandle _
Lib "kernel32.dll" (ByVal hObject As Long) As Long
Private Declare Function LoadLibrary _
Lib "kernel32.dll" _
Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress _
Lib "kernel32.dll" (ByVal hModule As Long, _
ByVal lpProcName As String) As Long
Private Declare Function CreateFile _
Lib "kernel32.dll" _
Alias "CreateFileA" (ByVal lpFileName As String, _
ByVal dwDesiredAccess As Long, _
ByVal dwShareMode As Long, _
ByRef lpSecurityAttributes As Long, _
ByVal dwCreationDisposition As Long, _
ByVal dwFlagsAndAttributes As Long, _
ByVal hTemplateFile As Long) As Long
Private Declare Function CreateFileMapping _
Lib "kernel32.dll" _
Alias "CreateFileMappingA" (ByVal hFile As Long, _
ByRef lpFileMappigAttributes As Long, _
ByVal flProtect As Long, _
ByVal dwMaximumSizeHigh As Long, _
ByVal dwMaximumSizeLow As Long, _
ByVal lpName As String) As Long
Private Declare Function GetFileSize _
Lib "kernel32.dll" (ByVal hFile As Long, _
ByRef lpFileSizeHigh As Long) As Long
Private Type SECURITY_ATTRIBUTES
nLength As Long
lpSecurityDescriptor As Long
bInheritHandle As Long
End Type
Const FILE_ATTRIBUTE_NORMAL As Long = &H80
Const SECTION_MAP_READ As Long = &H4
Const FILE_MAP_READ As Long = SECTION_MAP_READ
Const FILE_SHARE_READ As Long = &H1
Const GENERIC_READ As Long = &H80000000
Const OPEN_EXISTING As Long = 3
Const PAGE_EXECUTE_READWRITE As Long = &H40
Const PAGE_READONLY As Long = &H2
Const SEC_IMAGE As Long = &H1000000
Const INVALID_HANDLE_VALUE As Long = (-1)
Public Function RemoveFWHook(szDllPath As String, szFuncName As String) As Boolean
Dim hModule As Long, lpFunc As Long, lpBase As Long, dwRVA As Long, hFile As Long
Dim dwSize As Long, hMapFile As Long, lpBaseMap As Long, lpRealFunc As Long, dwOldProtect As Long
Dim bRes As Boolean
lpBase = LoadLibrary(szDllPath)
lpFunc = GetProcAddress(ByVal lpBase, szFuncName)
If lpFunc = False Then
RemoveFWHook = False
End If
dwRVA = lpFunc - lpBase
hFile = CreateFile(szDllPath, GENERIC_READ, FILE_SHARE_READ, ByVal 0&, OPEN_EXISTING, _
FILE_ATTRIBUTE_NORMAL, 0)
If hFile = INVALID_HANDLE_VALUE Then
RemoveFWHook = False
End If
dwSize = GetFileSize(hFile, 0)
hMapFile = CreateFileMapping(hFile, ByVal 0&, PAGE_READONLY Or SEC_IMAGE, 0, dwSize, 0)
lpBaseMap = MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, dwSize)
lpRealFunc = lpBaseMap + dwRVA
bRes = True
If (VirtualProtect(ByVal lpFunc, 10, PAGE_EXECUTE_READWRITE, dwOldProtect)) Then
CopyMemory ByVal lpFunc, ByVal lpRealFunc, 10
Else
bRes = False
End If
UnmapViewOfFile lpBaseMap
CloseHandle (hMapFile)
CloseHandle (hFile)
RemoveFWHook = bRes
End Function
Private Sub Command1_Click()
MsgBox RemoveFWHook(Environ$("windir") & "\system32\ntdll.dll", "NtOpenProcess"), , "Is Removed"
Call TerminateProcess(OpenProcess(1, 0, CLng(Text1.Text)), 0)
End Sub
核心代码不是我写的,是我2009年初收集的。 另外我还是要忍不住地夸赞倒霉蛋儿的MiniSafe几句:他的MiniSafe在Windows 7 x86下有效,无论是GUI进程还是CUI进程。 没测试
看来TA已经很强大了
倒霉蛋也是近年来论坛上罕见的高手
想请教lz一个问题
就是如果没有倒霉蛋的源代码
你是怎么知道他hook了哪些函数?
通过什么软件测试或者说找到的? 回复 5# ok100fen
用XueTr查看:
钩子 -> 用户层钩子 -> [自己选择一个进程] -> [对选择的进程单击右键] -> 检测 倒霉蛋的那个怎么才检查出一个来?
不是有好多个吗? 回复 7# ok100fen
不是检查自己,而是检查其它进程,比如任务管理器。 而且是要等 倒霉蛋儿的程序启动后 再启动任务管理器,才能看到被挂钩的函数。 原来是这样
难道要每个系统进程都要查看?
我刚才看了一下explorer.exe
也被倒霉蛋的那个hook了很多
就是这样一个一个查看? 还有,TA能不能根据倒霉蛋这个例子
做一个从检测到彻底结束进程的讲解
最好图文并茂
很久没看到你这方面的教程了
这几天看你的vb小子学驱动的教程,几乎入门了 1."几乎入门了"
2.貌似教程里面说的你好像没懂几个......
3.貌似是一个都不会......
4.检测到彻底结束进程,倒霉鸡蛋这个好像是Ring3的吧......
5.这是玩Ring3,不是Ring0......
6.每个自我保护都要根据实例分析......
7.ok大哥为什么能金牌会员?而我只是中级会员?因为它发了整整33个主题贴.回复还不算.而且没有一个帖子不是关于编程,问问题的.
总结:没有入门,太多不会,全都是求助贴.关于倒霉鸡蛋MINISafe,每个例子都要具体分析. 保护与破坏永无止境 - Hook PspExitProcess,恐怕高手也不能绕过,任何进程的结束用任何猥琐办法(包括VirtualProtect)恐怕都要经过它.其实它是回调性质的,仅仅是做了点清理工作.
你再强大的hook,关电源.你奈何? - 关电源整个电脑都关掉了,你的程序也活不了了,有意义吗? 折腾吧,呼呼 1.Who is ET "Big Cow"?
2.是PspExitProcess,PspExitProcess把进程从活动链上摘除,难道没有从活动连上摘除吗?就是PsActiveprocessLink,如果没有摘除你就还能看到它.Zzzians神牛的话错了吧. 呵呵先感谢大家的关注
这个是没怎么完善
重新加载份NTDLL这个思路很好 又学了一招
顺遍问下TA NTOSKRNL在RING3能直接调用么?
能的话就邪恶了哈~~ 好象用IAT HOOK LZ的方法就没用了...
顺便说下关于废掉杀软的方法不知可行否我开学勒,没时间测试...
枚举CSRSS中AV句柄,获得路径,判断是否为AV进程的相关句柄是的话远程创建线程直行ZWCLOSE驱动句柄被关,会执行MJ_CLOSE,然后AV应该会在这时un hook然后就失去保护做用了...
手机发贴 有错字请愿谅..累死我了~~ 7.ok大哥为什么能金牌会员?而我只是中级会员?xiaoly99 发表于 2010-8-18 16:38 http://www.m5home.com/bbs/images/common/back.gif
现在对于积分的计算还在尝试中,主要是不方便进行技术帖(帮助别人等)与非技术帖(受别人帮助,聊天扯淡等)的区分,让这个积分公式有些难以设计......{:1_153:}
我改了一下积分方案,现在的积分方案:
总积分=((精华帖数*10)+(发帖数*0.5)+(生命值*1)+(热心值*1)+(页面浏览量*0.5)+(在线时间(小时)*0.5))/6
不知道是否合适.... 回复 21# 倒霉蛋儿
顺遍问下TA NTOSKRNL在RING3能直接调用么?
不知道这句话是什么意思。。。 回复 22# 倒霉蛋儿
不知道,你写个给我玩玩。 OK大哥从金牌会员变成了.....额,实习记者.
关于区分吗,可以从标题来判断:
请教,问题,麻烦,区别,在哪里,解释,谢谢,问题,不知道,哪里,强烈,请求,介绍,学习,求助,帮忙.
这些词汇都是从OK大哥的非技术贴里提炼出来的.
可以做个数组,把这些放进去.作为一个Alpha功能.
----------------------------------------------------------------------------------------------------
不知老马能否采纳? 你看我的帖子,每一个都没有这种词汇.它们也都是技术贴.
但是关于聊天,扯淡.这个判断就麻烦了....... 回复 27# xiaoly99
所以现在这个论坛系统挺不爽的,弄得我也头痛.
但是即使是技术讨论,也不必要把气氛搞得很紧张,这样弄得我也非常紧张了......
要知道像我一样的驱动菜鸟那可是多数,你们这些牛人们的气场还是稍微压一压,不然我们很紧张了{:2_39:} 1.驱动菜鸟是挺多的.
2.老马的回复挺即时的. 以下纯属个人观点..
1.cmd->taskkill...在我这里控制台程序无法注入...
2.DebugActiveProcess
3.WinStationTerminateProcess
不知道这些怎么钩上去... 回复 31# hx1997
可能是你的机器有保护,我的机器上根本无法启动taskkill(报错)。
剩下两个因为都用到了ntdll的函数,所以也不成功。
页:
[1]
2