这是很久前读ROS的一点笔记,最近没空搞这个,发上来备份~
百度越来越渣了,总说我 “文章内容包含不合适内容” 不让贴!———— PDF版本 115提取码 dpfi6iya
第七部分 一些相关应用
一、枚举消息钩子
二、遍历gditable/usertable查询隐藏进程
三、窗口保护
四、Hook KeUsermodeCallback防止全局钩子注入
可以过滤很多东西,比如防止注入。这里逆向了一个hookport.sys的,版本可能有点老
/*
 * Kernel-side replacement for KeUserModeCallback (reversed from hookport.sys).
 *
 * Dispatches on ApiNumber. Three callback numbers are intercepted; every
 * other number goes straight to the original routine:
 *   dword_1CD8C (observed 0x42, USER32!__ClientLoadLibrary)
 *       HookClientLoadLibrary owns the whole decision; the original is
 *       only reached if that hook chooses to call it.
 *   dword_1CD90 (observed 0x54, USER32!__ClientImmLoadLayout)
 *       original first, HookClientImmLoadLayout only if it succeeded.
 *   dword_1CD94 (observed 0x31, USER32!__fnHkOPTINLPEVENTMSG,
 *       the WH_JOURNALRECORD path)
 *       original first, HookfnHkOPTINLPEVENTMSG only if it succeeded.
 * The "observed" values are the ones noted for the XP build the listing
 * was taken from; the code compares against the globals, not the constants.
 *
 * Returns the NTSTATUS of whichever routine ran last.
 */
int __stdcall MyKeUsermodeCallback(ULONG ApiNumber, PVOID InputBuffer, ULONG InputLength, PVOID *OutputBuffer, PULONG OutputLength)
{
    /* ClientLoadLibrary: the hook decides whether the original runs at all. */
    if (ApiNumber == dword_1CD8C) {
        return HookClientLoadLibrary(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
    }

    /* Every other number reaches the original routine first. */
    int status = OriginKeUserModeCallback(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
    if (status < 0) {
        return status;
    }

    /* Post-call hooks run only after a successful original call. */
    if (ApiNumber == dword_1CD90) {
        status = HookClientImmLoadLayout(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
    } else if (ApiNumber == dword_1CD94) {
        status = HookfnHkOPTINLPEVENTMSG(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
    }
    return status;
}
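/*
 * Filter for the ClientLoadLibrary user-mode callback (the dword_1CD8C case
 * of MyKeUsermodeCallback).
 *
 * The five callback arguments are packed, in order, into one contiguous
 * record whose address is handed to the self-protection rule table as rule
 * 0x4B. The verdict decides what happens next:
 *   0xC0000503  - swallow: return 0 (STATUS_SUCCESS) without ever calling
 *                 the original callback, so user mode never sees it. What
 *                 the rule table means by this value is not visible here.
 *   other >= 0  - forward to OriginKeUserModeCallback and return its status
 *   other <  0  - return the rule table's error unchanged
 *
 * Returns an NTSTATUS as described above.
 */
int __stdcall HookClientLoadLibrary(ULONG ApiNumber, PVOID InputBuffer, ULONG InputLength, PVOID *OutputBuffer, PULONG OutputLength)
{
    /* The original passed the address of the first of five adjacent locals
     * and relied on the compiler laying them out contiguously on the stack,
     * which C does not guarantee. A struct with the same members in the same
     * order gives the rule table the same 20 bytes (x86) by contract. */
    struct {
        ULONG   ApiNumber;
        PVOID   InputBuffer;
        ULONG   InputLength;
        PVOID  *OutputBuffer;
        PULONG  OutputLength;
    } params = { ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength };

    int status = MyCallSelfProtectionRuleTable(0x4Bu, (int)&params, 0, 0, 0);

    /* "Drop silently": report success without forwarding to user mode.
     * (int vs. unsigned literal compares after promotion, as in the original.) */
    if (status == 0xC0000503) {
        return 0;
    }
    /* Any other failure from the rule table is propagated as-is. */
    if (status < 0) {
        return status;
    }
    return OriginKeUserModeCallback(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
}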
/*
 * Rule handler for ClientLoadLibrary: decides whether the DLL named in the
 * captured callback buffer may be loaded into the current process.
 *
 * Decompiled listing. The locals (pid, result, v7..v13, String1, String2,
 * DestinationString) are declared outside the visible text and their types
 * are the decompiler's guesses, so the offsets below are "as reversed".
 *
 * Outcome (NTSTATUS):
 *   0           - allow. Also returned when IsPidSafe() returns 0, when
 *                 InputLength is 0, and when a pool allocation fails
 *                 (see the fail-open notes below).
 *   0xC0000022  - STATUS_ACCESS_DENIED: the DLL is neither the whitelisted
 *                 prl_hook.dll nor an msctf.dll whose file identity matches
 *                 the stored reference.
 *   other < 0   - error from GetFileInfo.
 *
 * NOTE(review): this routine never calls OriginKeUserModeCallback itself;
 * presumably the caller forwards to the original when this returns >= 0,
 * mirroring HookClientLoadLibrary above - confirm against the rule-table caller.
 */
int __stdcall FakeClientLoadLibrary(ULONGApiNumber, struct_InputBuffer *InputBuffer, ULONG InputLength, PVOID*OutputBuffer, PULONG OutputLength)
{
/* Only processes for which IsPidSafe() returns non-zero are filtered; for
 * any other process the checks are skipped and that 0 is returned.
 * NOTE(review): the name reads as "pid is protected" rather than "pid is
 * trusted" - confirm against IsPidSafe. */
pid =PsGetCurrentProcessId();
result =IsPidSafe(pid);
if (result )
{
if (InputBuffer->InputLength )
{
/* Raw argument block captured for __ClientLoadLibrary. Offsets 26/28 are
 * the XP layout (the notes following this listing give InputBuffer+28 as
 * the offset of the DLL name inside the block). */
v7 =InputBuffer->InputBuffer;
String2.MaximumLength = *(v7 + 26);
String2.Buffer = (v7 + *(v7 + 28));
/* Length (a USHORT; String2 is passed to RtlEqualUnicodeString, so it is a
 * UNICODE_STRING) comes from wcslen() on the captured buffer rather than
 * from InputLength/MaximumLength - the block is assumed NUL-terminated.
 * TODO confirm that every caller guarantees that. */
String2.Length = 2 * wcslen(String2.Buffer);
/* Suffix test. 18 bytes = the 9 wide chars of "msctf.dll", but only the
 * first 5 ("msctf") are compared. Nothing checks Length >= 18 first: a
 * name shorter than 9 chars makes the pointer land before String2.Buffer
 * (out-of-bounds read). The arithmetic is as the decompiler printed it
 * (byte offsets); confirm Buffer's declared type. Non-zero = not msctf. */
if (wcsnicmp((String2.Buffer + String2.Length - 18), L"msctf.dll", 5u) )
{
/* Not msctf.dll: the only other DLL allowed is prl_hook.dll, and only when
 * (a) the suffix matches (8 chars, "prl_hook"), (b) the whole path equals
 * String1 case-insensitively (String1 is the Parallels path noted below),
 * and (c) the global switch dword_2ADFC is set. Anything else is denied. */
if( wcsnicmp((String2.Buffer + String2.Length - 24), L"prl_hook.dll",8u)
|| !RtlEqualUnicodeString(&String1, &String2, 1u)// String1: C:\ProgramFiles\Parallels\Parallels Tools\Services\prl_hook.dll
|| !dword_2ADFC )
return 0xC0000022u;
goto LABEL_18;
}
/* msctf.dll: the file on disk is identified and compared with a stored
 * reference before the load is allowed. */
if (wcschr(String2.Buffer, '\\') ) // a full path was given
{
/* 8 bytes of prefix + path + 2-byte NUL = Length + 10.
 * Pool tag 0x206B6444 is "Ddk " in ASCII. */
v9= ExAllocatePoolWithTag(0, String2.Length + 10, 0x206B6444u);
v8= v9;
if( v9 )
{
/* The decompiler typed v9 as a UNICODE_STRING*, but these two stores just
 * write 8 bytes from dword_28948/dword_2894C at the start of the buffer,
 * and RtlInitUnicodeString below treats the whole buffer as one string -
 * so they are most likely a 4-wide-char path prefix (e.g. an NT-namespace
 * prefix) rather than a string header. Confirm from the data section.
 * Whether the NUL store below writes a full 2-byte wide NUL depends on
 * the declared element type - confirm. */
*&v9->Length = dword_28948;
v9->Buffer = dword_2894C;
memcpy(&v9[1], String2.Buffer, String2.Length);
*(&v9[1].Length + String2.Length) = 0;
LABEL_9:
/* Shared tail for both branches: v8 holds the NUL-terminated path. */
RtlInitUnicodeString(&DestinationString, v8);
v10 = GetFileInfo(&DestinationString, &v11);
ExFreePool(v8);
/* Cannot identify the file: propagate GetFileInfo's error (a deny). */
if ( v10 < 0 )
return v10;
/* v11 is what GetFileInfo filled in; v12/v13 are not visible here,
 * presumably adjacent output fields of the same call. They are compared
 * with dword_2B190/94/98, recorded elsewhere - presumably the identity of
 * the genuine msctf.dll. Any mismatch is denied. */
if ( v12 != dword_2B194 || v11 != dword_2B190 || v13 != dword_2B198 )
return 0xC0000022u;
goto LABEL_18;
}
/* v9 == NULL: control falls through to LABEL_18 and the load is allowed
 * without any file check (fail-open). A defensive build would return
 * STATUS_INSUFFICIENT_RESOURCES here instead. */
}
else // not a full path: prefix the system directory
{
/* 40 bytes of prefix + path + 2-byte NUL = Length + 42. */
v8= ExAllocatePoolWithTag(0, String2.Length + 42, 0x206B6444u);
if( v8 )
{
/* 0x28 = 40 bytes = exactly the 20 wide chars shown, no NUL. As printed
 * there is no '\' between "system32" and the file name; either the literal
 * lost a trailing backslash in the listing or the path really is
 * malformed - confirm. */
memcpy(v8, L"\\SystemRoot\\system32", 0x28u);
memcpy(v8 + 40, String2.Buffer, String2.Length);
*(v8 + String2.Length + 40) = 0;
goto LABEL_9;
}
/* Allocation failure is fail-open here as well (see above). */
}
}
/* Reached with InputLength == 0, after a whitelisted prl_hook.dll, after a
 * verified msctf.dll, or after a failed allocation: allow. */
LABEL_18:
result= 0;
}
returnresult;
}
注入buffer的偏移,InputBuffer+28(XP)
WH_JOURNALPLAYBACK WH_JOURNALRECORD
关于图形界面的文章
1. 枚举消息钩子(遍历user object table)
http://blog.csdn.net/yincheng01/article/details/6899305
http://hi.baidu.com/isreverse/blog/item/04f0b758ca02c383810a1856.html
http://debugman.com/forum.php?mod=viewthread&tid=1257
2. 窗口自保护(ssdt shadow hooks)
东辉主动防御相关代码可以参考
3. Ring0 to ring3 (KeUserModeCallback)
http://bbs.pediy.com/showthread.php?t=104918
4. 防止注入(KeUserModeCallback)
360保险箱反注入分析
http://bbs.pediy.com/showthread.php?t=102940
电脑管家
http://bbs.pediy.com/showthread.php?t=145687
5. 解析windows消息处理机制
http://hi.baidu.com/by__aihappy/blog/item/9f8a4e15f01d245720a4e9b5.html
6.用GDI Object Table 来找被 Rootkit 隐藏的进程
http://debugman.com/forum.php?mod=viewthread&tid=4757&highlight=%E8%BF%9B%E7%A8%8B%2Bgdi
7.消息钩子注册解析
http://bbs.pediy.com/showthread.php?t=135702
8.探究 Windows 2003 终端服务实现内幕
9.解析Windows NT/2000窗口对象的组织
http://blog.csdn.net/freexploit/article/details/275330
10. 钩子是怎样起作用的
http://hi.baidu.com/uvbs/blog/item/3a538e129e0d578b6538dba6.html