Win32k(5) 相关逆向~参考文献~

这是很久前读ROS的一点笔记,最近没空搞这个,发上来备份~

百度越来越渣了,总说我 “文章内容包含不合适内容” 不让贴!———— PDF版本 115提取码 dpfi6iya

第七部分 一些相关应用

一、枚举消息钩子

二、遍历gditable/usertable查询隐藏进程

三、窗口保护

四、Hook KeUsermodeCallback防止全局钩子注入

 

KeUserModeCallback 是 win32k 从内核回调用户态的入口, 全局消息钩子的 DLL 正是通过其中的 ClientLoadLibrary 回调(下面代码中 ApiNumber 0x42)被加载到目标进程的, 所以挂钩它可以过滤很多东西, 比如防止注入。下面逆向的是一个 hookport.sys, 版本可能有点老, 其中的 ApiNumber 和缓冲区偏移都是针对特定系统版本的。


/*
 * Replacement for KeUserModeCallback installed by hookport.sys.
 *
 * ApiNumber selects the user32 callback slot (the kd "dds" notes in the
 * original listing show the slot addresses); the comparison values are
 * globals (dword_1CD8C/90/94) rather than constants, so they are
 * presumably filled in per OS version at driver load -- confirm.
 *
 *   - ClientLoadLibrary slot (0x42 on the analysed build): handed to
 *     HookClientLoadLibrary, which decides whether the original callback
 *     runs at all. This is the path a global hook DLL takes into a process.
 *   - ClientImmLoadLayout slot (0x54) and fnHkOPTINLPEVENTMSG slot (0x31,
 *     WH_JOURNALRECORD): the original callback runs first; the post-hook
 *     runs only if it succeeded (NTSTATUS >= 0).
 *   - anything else: passed straight through.
 *
 * Returns the NTSTATUS of whichever call ran last.
 */
int __stdcall MyKeUsermodeCallback(ULONG ApiNumber, PVOID InputBuffer, ULONG InputLength, PVOID *OutputBuffer, PULONG OutputLength)
{
    int status;

    /* ClientLoadLibrary: the filter alone decides; the original may never run. */
    if (ApiNumber == dword_1CD8C)
        return HookClientLoadLibrary(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);

    /* Every remaining slot calls the original first. */
    status = OriginKeUserModeCallback(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
    if (status < 0)
        return status;

    /* Post-hooks, only after a successful original call. */
    if (ApiNumber == dword_1CD90)
        status = HookClientImmLoadLayout(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
    else if (ApiNumber == dword_1CD94)
        status = HookfnHkOPTINLPEVENTMSG(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);

    return status;
}
 
/*
 * Filter for the ClientLoadLibrary callback (the kernel->user call that
 * loads a hook DLL into the target process).
 *
 * The five callback arguments are laid out contiguously and passed by
 * address to the self-protection rule table (rule id 0x4B), with a sixth
 * slot that receives the verdict -- this mirrors the stack layout of the
 * decompiled original, which the rule table presumably relies on.
 *
 * Verdict handling:
 *   - 0xC0000503: the rule blocked the load. The function then returns 0
 *     (STATUS_SUCCESS) WITHOUT calling the original, so win32k sees a
 *     successful callback while no DLL was loaded. 0xC0000503 is not a
 *     documented NTSTATUS as far as I can tell; presumably hookport's own
 *     "deny" code -- confirm.
 *   - any other failure status: returned as-is, original not called.
 *   - success: the original KeUserModeCallback is invoked and its status
 *     returned.
 */
int __stdcall HookClientLoadLibrary(ULONG ApiNumber, PVOID InputBuffer, ULONG InputLength, PVOID *OutputBuffer, PULONG OutputLength)
{
    struct {
        ULONG   ApiNumber;
        PVOID   InputBuffer;
        ULONG   InputLength;
        PVOID  *OutputBuffer;
        PULONG  OutputLength;
        int     Verdict;
    } args;
    int verdict;

    args.ApiNumber    = ApiNumber;
    args.InputBuffer  = InputBuffer;
    args.InputLength  = InputLength;
    args.OutputBuffer = OutputBuffer;
    args.OutputLength = OutputLength;

    verdict = MyCallSelfProtectionRuleTable(0x4Bu, (int)&args, 0, 0, 0);
    args.Verdict = verdict;

    /* Blocked by policy: report success to the caller, load nothing. */
    if (verdict == 0xC0000503)
        return 0;

    /* Rule-table error: propagate, do not fall through to the original. */
    if (verdict < 0)
        return verdict;

    return OriginKeUserModeCallback(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
}
/*
 * Path/identity check applied to a ClientLoadLibrary request.
 *
 * Decompiled listing: v7..v13, String1/String2, DestinationString and the
 * dword_* globals are undeclared here; offsets are those of the analysed
 * (XP-era) build.
 *
 * Policy as visible below (applies only when IsPidSafe(pid) is non-zero --
 * presumably "current process is a protected one", confirm):
 *   - DLL name ending in "msctf.dll": resolved to a full NT path, then
 *     GetFileInfo() is run and three fields of the result are compared
 *     with stored values (dword_2B190/94/98) -- presumably the recorded
 *     identity of the genuine file; mismatch => 0xC0000022
 *     (STATUS_ACCESS_DENIED).
 *   - DLL path ending in "prl_hook.dll": allowed only if the whole string
 *     equals String1 (the Parallels path in the comment) AND dword_2ADFC
 *     is set; otherwise STATUS_ACCESS_DENIED.
 *   - anything else: STATUS_ACCESS_DENIED.
 *   - returns 0 when the load is allowed (or when the process is not one
 *     IsPidSafe cares about).
 *
 * Caveats a reviewer should be aware of (all visible in the code):
 *   - Fail-open paths: InputLength == 0, or either ExAllocatePoolWithTag
 *     failing, falls through to LABEL_18 and returns 0 (allow).
 *   - The suffix tests index String2.Buffer at Length-18 / Length-24 bytes
 *     with no lower bound on Length; a name shorter than 9 (resp. 12)
 *     characters reads before the buffer.
 *   - Only 5 of the 9 trailing characters ("msctf") and 8 of the 12
 *     ("prl_hook") are compared, so e.g. "msctf.dl_" passes the first gate.
 *   - String2.Length comes from an unbounded wcslen() on a buffer whose
 *     offset (InputBuffer+28) is read from the buffer itself.
 */
int __stdcall FakeClientLoadLibrary(ULONGApiNumber, struct_InputBuffer *InputBuffer, ULONG InputLength, PVOID*OutputBuffer, PULONG OutputLength)
{
  pid =PsGetCurrentProcessId();
  result =IsPidSafe(pid);
  if (result )
  {
    if (InputBuffer->InputLength )
    {
      v7 =InputBuffer->InputBuffer;
     /* Build a UNICODE_STRING over the DLL name carried in the callback
      * buffer: MaximumLength at +26, and +28 holds the offset of the
      * wide string from the start of the buffer (XP layout). */
     String2.MaximumLength = *(v7 + 26);
     String2.Buffer = (v7 + *(v7 + 28));
     String2.Length = 2 * wcslen(String2.Buffer);
      /* Non-zero => the name does NOT end in "msctf.dll" (only the first
       * 5 of the last 9 characters are compared; -18 is in bytes). */
      if (wcsnicmp((String2.Buffer + String2.Length - 18), L"msctf.dll", 5u) )
      {
        /* Sole exception: the Parallels hook DLL, and only by its exact
         * whitelisted full path with the feature flag set. */
        if( wcsnicmp((String2.Buffer + String2.Length - 24), L"prl_hook.dll",8u)
         || !RtlEqualUnicodeString(&String1, &String2, 1u)// C:\ProgramFiles\Parallels\Parallels Tools\Services\prl_hook.dll
         || !dword_2ADFC )
         return 0xC0000022u;
       goto LABEL_18;
      }
      if (wcschr(String2.Buffer, '\\') )       // full path
      {
        /* Pool tag 0x206B6444 reads "Ddk " in little-endian ASCII.
         * Size = 8-byte prefix + name + NUL terminator. */
        v9= ExAllocatePoolWithTag(0, String2.Length + 10, 0x206B6444u);
        v8= v9;
        if( v9 )
        {
         /* First 8 bytes of the buffer are a fixed 4-wchar prefix taken
          * from dword_28948/dword_2894C (presumably L"\\??\\" -- confirm);
          * the name is appended right after it and NUL-terminated. */
         *&v9->Length = dword_28948;
         v9->Buffer = dword_2894C;
         memcpy(&v9[1], String2.Buffer, String2.Length);
         *(&v9[1].Length + String2.Length) = 0;
LABEL_9:
         /* Shared tail for both path forms: query the file and compare
          * three returned fields (v11..v13, likely one struct split by
          * the decompiler) against the stored reference values. */
         RtlInitUnicodeString(&DestinationString, v8);
         v10 = GetFileInfo(&DestinationString, &v11);
         ExFreePool(v8);
         if ( v10 < 0 )
            return v10;
         if ( v12 != dword_2B194 || v11 != dword_2B190 || v13 != dword_2B198 )
           return 0xC0000022u;
         goto LABEL_18;
        }
        /* Allocation failure falls through to LABEL_18 => allowed (fail-open). */
      }
     else                                     // not a full path: prefix the system directory
      {
        /* Size = 40-byte prefix + name + NUL terminator. */
        v8= ExAllocatePoolWithTag(0, String2.Length + 42, 0x206B6444u);
        if( v8 )
        {
         /* NOTE(review): 0x28 bytes copies exactly the 20 characters
          * "\SystemRoot\system32" with no trailing backslash, and the
          * name (which contains no backslash) is appended directly at
          * +40, giving "\SystemRoot\system32msctf.dll". Either a
          * decompilation artifact or a real defect -- if real, GetFileInfo
          * fails and the relative-name load is rejected via v10. */
         memcpy(v8, L"\\SystemRoot\\system32", 0x28u);
         memcpy(v8 + 40, String2.Buffer, String2.Length);
         *(v8 + String2.Length + 40) = 0;
          goto LABEL_9;
        }
        /* Allocation failure falls through to LABEL_18 => allowed (fail-open). */
      }
    }
LABEL_18:
    result= 0;
  }
  returnresult;
}

注入 DLL 路径在回调 buffer 中的位置: InputBuffer+28 处存放路径字符串相对于 buffer 起始的偏移, InputBuffer+26 处为 MaximumLength(XP 布局, 见上面 FakeClientLoadLibrary 中 String2 的构造), 其他系统版本的偏移可能不同, 需要重新确认。

WH_JOURNALPLAYBACK WH_JOURNALRECORD


关于图形界面的文章

 1. 枚举消息钩子(遍历user object table)

http://blog.csdn.net/yincheng01/article/details/6899305

http://hi.baidu.com/isreverse/blog/item/04f0b758ca02c383810a1856.html

http://debugman.com/forum.php?mod=viewthread&tid=1257

2. 窗口自保护(ssdt shadow hooks)

东辉主动防御相关代码可以参考

3.  Ring0to ring3(KeUserModeCallback)

    http://bbs.pediy.com/showthread.php?t=104918

4.  防止注入(KeUserModeCallback)

360保险箱反注入分析

http://bbs.pediy.com/showthread.php?t=102940

电脑管家

http://bbs.pediy.com/showthread.php?t=145687

5.  解析windows消息处理机制

http://hi.baidu.com/by__aihappy/blog/item/9f8a4e15f01d245720a4e9b5.html

6.用GDI Object Table 来找被 Rootkit 隐藏的进程

    http://debugman.com/forum.php?mod=viewthread&tid=4757&highlight=%E8%BF%9B%E7%A8%8B%2Bgdi

7.消息钩子注册解析

http://bbs.pediy.com/showthread.php?t=135702

8.探究 Windows 2003 终端服务实现内幕

http://attach3.bdwm.net/attach/0Announce/groups/GROUP_4/CPlusPlus/D79924F8B/D77E98BFF/D461E2C97/M.1054401315.A/ntrdp.pdf

9.解析Windows NT/2000窗口对象的组织

http://blog.csdn.net/freexploit/article/details/275330

 10. 钩子是怎样起作用的

         http://hi.baidu.com/uvbs/blog/item/3a538e129e0d578b6538dba6.html

