If you read the previous article carefully, you already know that as soon as the write bit (bit 1) of a PTE is set to 1, the Copy-On-Write mechanism is defeated (to spell it out: a write to that page can no longer fault, so the memory manager never gets the chance to give the process a private copy). To avoid disturbing the system, I picked the ntdll file header (7c800000) for the experiment:
kd> !process 0 0
.
.
PROCESS 811ae9e0 SessionId: 0 Cid: 015c Peb: 7ffde000 ParentCid: 036c
DirBase: 0997f000 ObjectTable: e15114b0 HandleCount: 126.
Image: svchost.exe
.
.
PROCESS ffa4fd88 SessionId: 0 Cid: 0258 Peb: 7ffd4000 ParentCid: 0104
DirBase: 0712c000 ObjectTable: e104d8e0 HandleCount: 28.
Image: EzDriverInstaller.exe
kd> !vtop 0712c000 7c800000 (pick any process; here EzDriverInstaller.exe, whose DirBase is 0712c000)
X86VtoP: Virt 7c800000, pagedir 712c000
X86VtoP: PDE 712c7c8 - 0b237867
X86VtoP: PTE b237000 - 0f7bd025
X86VtoP: Mapped phys f7bd000
Virtual address 7c800000 translates to physical address f7bd000.
kd> !ed b237000 0f7bd027 (the key step: 5 becomes 7, i.e. only bit 1, R/W, is set)
kd> !vtop 0712c000 7c800000
X86VtoP: Virt 7c800000, pagedir 712c000
X86VtoP: PDE 712c7c8 - 0b237867
X86VtoP: PTE b237000 - 0f7bd027
X86VtoP: Mapped phys f7bd000
Virtual address 7c800000 translates to physical address f7bd000.
kd> g
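The arithmetic behind the !vtop lines and the 5-to-7 edit above, as an added example that is not part of the original post. It takes the values WinDbg printed (DirBase 0712c000, VA 7c800000, PDE 0b237867, PTE 0f7bd025) as constructed input, recomputes the PDE/PTE physical addresses and the mapped frame for a 32-bit non-PAE x86 page table, applies the write-bit edit (and the 7-to-5 restore), and checks that the edit changed nothing but bit 1. The self-map base 0xC0000000 is an assumption about the target (Windows x86, no PAE); large pages (PS bit in the PDE) are not handled.

```c
/* Added example, not from the original post: replay the !vtop / !ed arithmetic
 * for a 32-bit non-PAE x86 page table. Input values are the ones WinDbg printed
 * in the transcript above (constructed input, no live memory is touched). */
#include <stdint.h>
#include <stdio.h>

#define PTE_VALID     (1u << 0)   /* P   : page present                                   */
#define PTE_WRITE     (1u << 1)   /* R/W : 0 = read-only, a write faults; COW relies on this */
#define PTE_USER      (1u << 2)   /* U/S : accessible from user mode                      */
#define PTE_ACCESSED  (1u << 5)
#define PTE_DIRTY     (1u << 6)
#define PDE_LARGEPAGE (1u << 7)   /* PS  : 4 MB page, not handled here                    */
#define PFN_MASK      0xFFFFF000u
#define SELF_MAP_BASE 0xC0000000u /* assumed: Windows x86 non-PAE page-table self-map     */

/* Physical address of the PDE for va: page directory + 4 * (va >> 22). */
uint32_t pde_phys(uint32_t dirbase, uint32_t va) {
    return (dirbase & PFN_MASK) + ((va >> 22) & 0x3FFu) * 4;
}

/* Physical address of the PTE for va: page table named by the PDE + 4 * ((va >> 12) & 0x3FF).
 * Returns 0 for a large-page PDE, which has no page table. */
uint32_t pte_phys(uint32_t pde, uint32_t va) {
    if (pde & PDE_LARGEPAGE) return 0;
    return (pde & PFN_MASK) + ((va >> 12) & 0x3FFu) * 4;
}

/* Physical address that the PTE maps va to (frame number + page offset). */
uint32_t vtop(uint32_t pte, uint32_t va) {
    return (pte & PFN_MASK) | (va & 0xFFFu);
}

/* Virtual address of that same PTE inside the process's own self-map
 * (the address you would hand to "ed" instead of "!ed" while the process is current). */
uint32_t pte_selfmap_va(uint32_t va) {
    return SELF_MAP_BASE + (va >> 12) * 4;
}

/* The "5 -> 7" edit: set R/W and touch nothing else. */
uint32_t make_writable(uint32_t pte) { return pte | PTE_WRITE; }

/* The cleanup the post recommends afterwards ("7 -> 5"). */
uint32_t make_readonly(uint32_t pte) { return pte & ~PTE_WRITE; }

/* Sanity check before poking a PTE with !ed: the original must be a valid
 * user-mode page, and the new value must differ from it in bit 1 only
 * (same frame, same other flags). Returns 1 when the edit is safe to apply. */
int edit_is_sane(uint32_t before, uint32_t after) {
    if (!(before & PTE_VALID) || !(before & PTE_USER)) return 0;
    if ((before & PFN_MASK) != (after & PFN_MASK)) return 0;
    return ((before ^ after) & ~PTE_WRITE) == 0;
}

int main(void) {
    const uint32_t dirbase = 0x0712c000u, va = 0x7c800000u;   /* from the transcript */
    const uint32_t pde = 0x0b237867u, pte = 0x0f7bd025u;      /* values WinDbg printed */
    uint32_t pte2 = make_writable(pte);

    printf("PDE at %08x, PTE at %08x, %08x maps to phys %08x\n",
           (unsigned)pde_phys(dirbase, va), (unsigned)pte_phys(pde, va),
           (unsigned)va, (unsigned)vtop(pte, va));
    printf("same PTE via self-map: %08x\n", (unsigned)pte_selfmap_va(va));
    printf("PTE %08x -> %08x (R/W set, edit sane=%d); restore -> %08x\n",
           (unsigned)pte, (unsigned)pte2, edit_is_sane(pte, pte2),
           (unsigned)make_readonly(pte2));
    return 0;
}
```

Run against the transcript values it reproduces PDE 712c7c8, PTE b237000 and frame f7bd000 exactly, which is the check to do before typing the `!ed`: if your own arithmetic and `!vtop` disagree, you are about to overwrite the wrong dword in physical memory.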
One thing to keep in mind: at this point only the 7c800000 page of EzDriverInstaller.exe has lost its Copy-On-Write property, because every process has its own PTE for that page and I only changed one of them! Next, write a small program that writes 62 ('b') to 7c800003 in EzDriverInstaller.exe.
(!! Do NOT do this write from the kernel debugger with eb 7c800003 62, because a write from KWinDBG is global to begin with and proves nothing !! Also do NOT use OD (OllyDbg) or a similar debugger, because it changes the page protection before writing, which throws away the work above !!)
kd> .process /p 811ae9e0 (pick any other process; here svchost.exe)
Implicit process is now 811ae9e0
.cache forcedecodeuser done
kd> db 7c800000
7c800000 4d 5a 61 62 03 00 00 00-04 00 00 00 ff ff 00 00 MZab............
7c800010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
7c800020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
7c800030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
7c800040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
7c800050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
7c800060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
7c800070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
As you can see, in every process there is now a 'b' at 7c800003; at this point you can verify it with OD or any other tool!!
If you are patching code in a system DLL this way, be careful, and once the modification is done it is best to restore the read-only attribute (7 back to 5). If you are unlucky enough to pick a process that is being debugged and then set a breakpoint in that code page, the debugger's breakpoint byte lands in the shared physical page and shows up in every process... !@#¥%…&* haha, that is real bad luck O(∩_∩)O~
Copy-On-Write mechanism, global hooks (part 2)