TA, one more question about deep inline hooks
When I use a disassembly engine to look for "call + 4 bytes", there are many places from the start up to 80572902 that satisfy the condition.
For example the address 805727d1 satisfies it too; it is also e8650cf7ff.
Why not choose that one?
Last edited by ok100fen on 2010-10-17 00:30
In the code below, the ones in red all satisfy it, right?
Or have I misunderstood?
lkd> u ntopenprocess
nt!NtOpenProcess:
805727c7 68c4000000 push 0C4h
805727cc 68d8b04e80 push offset nt!ObReferenceObjectByPointer+0x127 (804eb0d8)
805727d1 e8650cf7ff call nt!CIsqrt+0x2da (804e343b)
805727d6 33f6 xor esi,esi
805727d8 8975d4 mov dword ptr ,esi
805727db 33c0 xor eax,eax
805727dd 8d7dd8 lea edi,
805727e0 ab stos dword ptr es:
lkd> u
nt!NtOpenProcess+0x1a:
805727e1 64a124010000 mov eax,dword ptr fs:
805727e7 8a8040010000 mov al,byte ptr
805727ed 8845cc mov byte ptr ,al
805727f0 84c0 test al,al
805727f2 0f84b0b10600 je nt!ObSetSecurityDescriptorInfo+0x115 (805dd9a8)
805727f8 8975fc mov dword ptr ,esi
805727fb a1d40b5680 mov eax,dword ptr
80572800 8b4d08 mov ecx,dword ptr
lkd> u
nt!NtOpenProcess+0x3c:
80572803 3bc8 cmp ecx,eax
80572805 0f83e36c0800 jae nt!IoCheckFunctionAccess+0x17987 (805f94ee)
8057280b 8b01 mov eax,dword ptr
8057280d 8901 mov dword ptr ,eax
8057280f 8b5d10 mov ebx,dword ptr
80572812 f6c303 test bl,3
80572815 0f85da6c0800 jne nt!IoCheckFunctionAccess+0x1798e (805f94f5)
8057281b a1d40b5680 mov eax,dword ptr
lkd> u
nt!NtOpenProcess+0x59:
80572820 3bd8 cmp ebx,eax
80572822 0f83d76c0800 jae nt!IoCheckFunctionAccess+0x17998 (805f94ff)
80572828 397308 cmp dword ptr ,esi
8057282b 0f9545e6 setne byte ptr
8057282f 8b4b0c mov ecx,dword ptr
80572832 894dc8 mov dword ptr ,ecx
80572835 8b4d14 mov ecx,dword ptr
80572838 3bce cmp ecx,esi
lkd> u
nt!NtOpenProcess+0x73:
8057283a 0f8446060300 je nt!FsRtlOplockFsctrl+0x522 (805a2e86)
80572840 f6c103 test cl,3
80572843 0f85c26c0800 jne nt!IoCheckFunctionAccess+0x179a4 (805f950b)
80572849 3bc8 cmp ecx,eax
8057284b 0f83cc6c0800 jae nt!IoCheckFunctionAccess+0x179b6 (805f951d)
80572851 8b01 mov eax,dword ptr
80572853 8945d4 mov dword ptr ,eax
80572856 8b4104 mov eax,dword ptr
lkd> u
nt!NtOpenProcess+0x92:
80572859 8945d8 mov dword ptr ,eax
8057285c c645e701 mov byte ptr ,1
80572860 834dfcff or dword ptr ,0FFFFFFFFh
80572864 807de600 cmp byte ptr ,0
80572868 0f85d66c0800 jne nt!IoCheckFunctionAccess+0x179dd (805f9544)
8057286e a158245680 mov eax,dword ptr
80572873 83c068 add eax,68h
80572876 50 push eax
lkd> u
nt!NtOpenProcess+0xb0:
80572877 ff750c push dword ptr
8057287a 8d852cffffff lea eax,
80572880 50 push eax
80572881 8d8548ffffff lea eax,
80572887 50 push eax
80572888 e83429ffff call nt!SeCreateAccessState (805651c1)
8057288d 3bc6 cmp eax,esi
8057288f 0f8cac000000 jl nt!NtOpenProcess+0x17a (80572941)
lkd> u
nt!NtOpenProcess+0xce:
80572895 ff75cc push dword ptr
80572898 ff357c056980 push dword ptr
8057289e ff3578056980 push dword ptr
805728a4 e8b4feffff call nt!SeSinglePrivilegeCheck (8057275d)
805728a9 84c0 test al,al
805728ab 0f85e3640100 jne nt!RtlNtStatusToDosError+0x7b (80588d94)
805728b1 807de600 cmp byte ptr ,0
805728b5 0f85a76c0800 jne nt!IoCheckFunctionAccess+0x179fb (805f9562)
lkd> u
nt!NtOpenProcess+0xf4:
805728bb 807de700 cmp byte ptr ,0
805728bf 0f84d3050300 je nt!FsRtlOplockFsctrl+0x534 (805a2e98)
805728c5 8975d0 mov dword ptr ,esi
805728c8 3975d8 cmp dword ptr ,esi
805728cb 0f8560fa0100 jne nt!ObReferenceObjectByName+0x184c (80592331)
805728d1 8d45dc lea eax,
805728d4 50 push eax
805728d5 ff75d4 push dword ptr
lkd> u
nt!NtOpenProcess+0x111:
805728d8 e871000000 call nt!PsLookupProcessByProcessId (8057294e)
805728dd 8bf8 mov edi,eax
805728df 3bfe cmp edi,esi
805728e1 0f8c8e050300 jl nt!FsRtlOplockFsctrl+0x511 (805a2e75)
805728e7 8d45e0 lea eax,
805728ea 50 push eax
805728eb ff75cc push dword ptr
805728ee ff3558245680 push dword ptr
lkd> u
nt!NtOpenProcess+0x12d:
805728f4 56 push esi
805728f5 8d8548ffffff lea eax,
805728fb 50 push eax
805728fc ff75c8 push dword ptr
805728ff ff75dc push dword ptr
80572902 e86fc1ffff call nt!ObOpenObjectByPointer (8056ea76)
80572907 8bf8 mov edi,eax
80572909 8d8548ffffff lea eax,

Why is only this line, "80572902 e86fc1ffff call nt!ObOpenObjectByPointer (8056ea76)", said to satisfy it? Because the sequence for opening a process is:
NtOpenProcess -> PsLookupProcessByProcessId -> ObOpenObjectByPointer -> ObpCreateHandle

NTSTATUS ObOpenObjectByPointer(
__in PVOID Object,
__in ULONG HandleAttributes,
__in_opt PACCESS_STATE PassedAccessState,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PHANDLE Handle
);
What it deals with is the Handle.
http://msdn.microsoft.com/en-us/library/ff550985(VS.85).aspx

Can I hook here?
80572881 8d8548ffffff lea eax,
80572887 50 push eax
80572888 e83429ffff call nt!SeCreateAccessState (805651c1)
8057288d 3bc6 cmp eax,esi

Reply to #6 ok100fen
You can, but doing that makes no sense at all.
Because SeCreateAccessState does not seem to have any parameter worth filtering on.
NTAPI
SeCreateAccessState(
PACCESS_STATE AccessState,
- PAUX_DATA AuxData,
+ PAUX_ACCESS_DATA AuxData,
ACCESS_MASK Access,
PGENERIC_MAPPING GenericMapping
);

Last edited by ok100fen on 2010-10-17 14:19
What I mean is: hook at SeCreateAccessState here,
then jump to my own function, and my own function is MyObOpenObjectByPointer.
Do you think that works?

ok100fen posted on 2010-10-17 14:17
What I mean is: hook at SeCreateAccessState here,
then jump to my own function, and my own function is MyObOpenObjectByP ...

Then just wait for the blue screen.
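The resolution step behind the reply above (pick the E8 whose target is ObOpenObjectByPointer, not just any E8), as an added example that is not code from the thread: it takes the NtOpenProcess bytes as windbg listed them and resolves each call's rel32 against the listing's own addresses (base 805727c7, ObOpenObjectByPointer at 8056ea76); every address and byte is assumed from that listing.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed input: the bytes of nt!NtOpenProcess exactly as windbg listed
 * them above (805727c7..8057290e), one quoted group per instruction. */
#define NTOPENPROCESS_BASE 0x805727c7u
static const char kNtOpenProcessHex[] =
    "68c4000000" "68d8b04e80" "e8650cf7ff" "33f6" "8975d4" "33c0" "8d7dd8" "ab"
    "64a124010000" "8a8040010000" "8845cc" "84c0" "0f84b0b10600" "8975fc"
    "a1d40b5680" "8b4d08" "3bc8" "0f83e36c0800" "8b01" "8901" "8b5d10" "f6c303"
    "0f85da6c0800" "a1d40b5680" "3bd8" "0f83d76c0800" "397308" "0f9545e6"
    "8b4b0c" "894dc8" "8b4d14" "3bce" "0f8446060300" "f6c103" "0f85c26c0800"
    "3bc8" "0f83cc6c0800" "8b01" "8945d4" "8b4104" "8945d8" "c645e701"
    "834dfcff" "807de600" "0f85d66c0800" "a158245680" "83c068" "50" "ff750c"
    "8d852cffffff" "50" "8d8548ffffff" "50" "e83429ffff" "3bc6" "0f8cac000000"
    "ff75cc" "ff357c056980" "ff3578056980" "e8b4feffff" "84c0" "0f85e3640100"
    "807de600" "0f85a76c0800" "807de700" "0f84d3050300" "8975d0" "3975d8"
    "0f8560fa0100" "8d45dc" "50" "ff75d4" "e871000000" "8bf8" "3bfe"
    "0f8c8e050300" "8d45e0" "50" "ff75cc" "ff3558245680" "56" "8d8548ffffff"
    "50" "ff75c8" "ff75dc" "e86fc1ffff" "8bf8" "8d8548ffffff";

static uint8_t g_code[512]; static size_t g_len;
static int nibble(char c) { return c <= '9' ? c - '0' : (c | 0x20) - 'a' + 10; }
/* Decode the listing into g_code; returns the byte count (328 here). */
size_t load_ntopenprocess(void) {
    const char *p = kNtOpenProcessHex;
    for (g_len = 0; p[0] && p[1]; p += 2)
        g_code[g_len++] = (uint8_t)(nibble(p[0]) << 4 | nibble(p[1]));
    return g_len;
}

/* Address of the first E8 call whose target (next_ip + rel32) is `target`, or
 * 0. Every E8 byte is taken as an opcode, which holds for this listing; a real
 * scanner walks instructions with a length disassembler first, as the thread says. */
uint32_t find_call_to(uint32_t target) {
    for (size_t i = 0; i + 5 <= g_len; i++) {
        if (g_code[i] != 0xE8) continue;
        uint32_t rel = (uint32_t)g_code[i + 1] | (uint32_t)g_code[i + 2] << 8 |
                       (uint32_t)g_code[i + 3] << 16 | (uint32_t)g_code[i + 4] << 24;
        uint32_t ip = NTOPENPROCESS_BASE + (uint32_t)i;
        if (ip + 5 + rel == target) return ip; /* unsigned wrap == CPU arithmetic */
    }
    return 0;
}

int main(void) {
    load_ntopenprocess(); /* five E8 sites match "call + 4 bytes"; one targets Ob */
    printf("ObOpenObjectByPointer call at %08x, SeCreateAccessState call at %08x\n",
           (unsigned)find_call_to(0x8056ea76u), (unsigned)find_call_to(0x805651c1u));
    return 0;
}
```

The same target resolution is what an integrity check on the defender's side runs over a live function: a call whose resolved target no longer matches the expected kernel routine has been redirected.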