[2020]模拟整个kisystemCall64所需要的东西(win7-win10 1909) huoji kisystemCall64 2020-05-24 1412 次浏览 0 次点赞 用于msrhook ```cpp ULONGLONG GetKeServiceDescriptorTable64() { PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082); PUCHAR EndSearchAddress = StartSearchAddress + 0x500; PUCHAR i = NULL; UCHAR b1 = 0, b2 = 0, b3 = 0; ULONG templong = 0; ULONGLONG addr = 0; for (i = StartSearchAddress; i < EndSearchAddress; i++) { if (MmIsAddressValid(i) && MmIsAddressValid(i + 1) && MmIsAddressValid(i + 2)) { b1 = *i; b2 = *(i + 1); b3 = *(i + 2); if (b1 == 0x4c && b2 == 0x8d && b3 == 0x15) //4c8d15 { memcpy(&templong, i + 3, 4); addr = (ULONGLONG)templong + (ULONGLONG)i + 7; return addr; } } } return 0; } ULONGLONG GetKiSystemServiceRepeat() { ULONG_PTR StartSearchAddress = (ULONG_PTR)__readmsr(0xC0000082); ULONG_PTR EndSearchAddress = StartSearchAddress + 0x500; ULONG_PTR i; ULONGLONG addr = 0; UCHAR g_Signature[17] = { 0x4d, 0x63, 0x1c, 0x82, 0x49, 0x8b, 0xc3, 0x49, 0xc1, 0xfb, 0x04, 0x4d, 0x03, 0xd3, 0x83, 0xff, 0x20 }; for (i = StartSearchAddress; i < EndSearchAddress; ++i) { if (*(PULONG_PTR)i == *(PULONG_PTR)g_Signature) { addr = i + 17; return addr; } } return 0; } CHAR pattern[] = "\x48\x89\x45\xB0\x48\x89\x4D\xB8\x48\x89\x55\xC0\x49"; status = UtilScanSection(".text", (PCUCHAR)pattern, 0xCC, sizeof(pattern) - 1, (PVOID*)&g_KiServiceCopyEndPtr); if (!NT_SUCCESS(status)) { DebugPrint("[DebugMessAge] KiSystemServiceCopyEnd not found! :( \n"); return status; } DebugPrint("[DebugMessage] KiSystemServiceCopyEnd: 0x%08X...\r\n", g_KiServiceCopyEndPtr); g_KeServiceDescriptorTable = GetKeServiceDescriptorTable64(); if (g_KeServiceDescriptorTable == 0) { status = STATUS_UNSUCCESSFUL; DebugPrint("[DebugMessAge] g_KeServiceDescriptorTable not found! :( \n"); return status; } g_KiSystemServiceRepeatPtr = GetKiSystemServiceRepeat(); if (g_KiSystemServiceRepeatPtr == 0) { status = STATUS_UNSUCCESSFUL; DebugPrint("[DebugMessAge] g_KiSystemServiceRepeatPtr not found! 
:( \n"); return status; } CHAR pattern2[] = "\x65\x4C\x8B\x0C\x25\x18\x00\x00\x00\x0F\x21\xC0"; status = UtilScanSection(".text", (PCUCHAR)pattern2, 0xCC, sizeof(pattern2) - 1, (PVOID*)&g_KiSaveDebugRegisterState); if (!NT_SUCCESS(status)) { status = STATUS_UNSUCCESSFUL; DebugPrint("[DebugMessAge] g_KiSaveDebugRegisterState not found! :( \n"); return status; } CHAR pattern_KiUmsCallEntry[] = "\x48\x81\xEC\xA8\x01\x00\x00\x0F\x29\xB4\x24\xA0\x00\x00\x00\x0F\x29\xBC\x24\xB0\x00\x00\x00\x44\x0F\x29\x84\x24\xC0\x00\x00\x00\x44\x0F\x29\x8C\x24\xD0\x00\x00\x00\x44\x0F\x29\x94\x24\xE0\x00\x00\x00\x44\x0F\x29\x9C\x24\xF0\x00\x00\x00\x44\x0F\x29\xA4\x24\x00\x01\x00\x00\x44\x0F\x29\xAC\x24\x10\x01\x00\x00\x44\x0F\x29\xB4\x24\x20\x01\x00\x00\x44\x0F\x29\xBC\x24\x30\x01\x00\x00\x4C\x89\xA4\x24\x88\x01\x00\x00\x4C\x89\xAC\x24\x90\x01\x00\x00\x4C\x89\xB4\x24\x98\x01\x00\x00\x4C\x89\xBC\x24\xA0\x01\x00\x00\x48\x8D\x85\x10\x01\x00\x00\x48\x89\x44\x24\x20"; status = UtilScanSection(".text", (PCUCHAR)pattern_KiUmsCallEntry, 0xCC, sizeof(pattern_KiUmsCallEntry) - 1, (PVOID*)&g_KiUmsCallEntry); if (!NT_SUCCESS(status)) { status = STATUS_UNSUCCESSFUL; DebugPrint("[DebugMessAge] g_KiUmsCallEntry not found! :( \n"); return status; } DebugPrint("[DebugMessage] g_KeServiceDescriptorTable: 0x%08X...\r\n", g_KeServiceDescriptorTable); DebugPrint("[DebugMessage] g_KiSystemServiceRepeatPtr: 0x%08X...\r\n", g_KiSystemServiceRepeatPtr); DebugPrint("[DebugMessage] g_KiSaveDebugRegisterState: 0x%08X...\r\n", g_KiSaveDebugRegisterState); DebugPrint("[DebugMessage] g_KiUmsCallEntry: 0x%08X...\r\n", g_KiUmsCallEntry); ``` ```cpp win7: KeBugCheckEx .text 0000000140080640 0000011B 00000038 00000029 . . . . . T . KeSynchronizeExecution .text 000000014007BE90 0000005B 00000038 00000018 R . . . . T . g_KiSaveDebugRegisterState = KeBugCheckEx+4b0 g_KiUmsCallEntry = 000000014007BE90+0x4390 win10 -1809: KeBugCheckEx .text 0000000140080640 0000011B 00000038 00000029 . . . . . T . 
KiSaveDebugRegisterState .text 00000001401B3C80 0000017D 00000000 00000000 R . . . . . . KiUmsCallEntry .text 00000001401C5940 000000F0 000001A8 00000000 R . . . . . . KeSynchronizeExecution .text 00000001401B48B0 00000070 00000038 00000018 R . . . . T . g_KiSaveDebugRegisterState = KeBugCheckEx + 0x133640 g_KiUmsCallEntry = KeSynchronizeExecution + 0x11090 win10-1903: KiSaveDebugRegisterState .text 00000001401C28E0 0000017D 00000000 00000000 R . . . . . . KeBugCheckEx .text 00000001401C2390 0000011E 00000018 00000029 . . . . . T . KiUmsCallEntry .text 00000001401D4D40 000000F0 000001A8 00000000 R . . . . . . KeSynchronizeExecution .text 00000001401C3590 00000070 00000038 00000018 R . . . . T . 00000001401D4D40 - 00000001401C3590 KiSaveDebugRegisterState = KeBugCheckEx + 0x550 KiUmsCallEntry = KeSynchronizeExecution + 0x117B0 win10-1909: KeBugCheckEx .text 00000001401C2390 0000011E 00000018 00000029 . . . . . T . KiSaveDebugRegisterState .text 00000001401C28E0 0000017D 00000000 00000000 R . . . . . . KiUmsCallEntry .text 00000001401D4D40 000000F0 000001A8 00000000 R . . . . . . KeSynchronizeExecution .text 00000001401C3590 00000070 00000038 00000018 R . . . . T . 
KiSaveDebugRegisterState = 550 KiUmsCallEntry = 00000001401D4D40 - 00000001401C3590 ``` ```cpp extern orig_system_call:dq extern g_iNtOpenProcess:dword extern g_ProtectPID:dword extern HookEnabled:DB extern ArgTble:DB extern HookTable:DQ extern g_KiServiceCopyEndPtr:DQ extern g_CountNumCheckPtr:DQ extern g_KeServiceDescriptorTable:DQ extern g_KiSystemServiceRepeatPtr:DQ extern g_KiSaveDebugRegisterState:DQ extern g_KiUmsCallEntry:DQ extern g_isWin7:DQ MAX_SYSCALL_INDEX = 1000h USERMD_STACK_GS = 10h KERNEL_STACK_GS = 1A8h .code asm_system_call proc swapgs mov gs:[USERMD_STACK_GS], rsp cmp rax, MAX_SYSCALL_INDEX jge KiSystemCall64 lea rsp, offset HookEnabled cmp byte ptr [rsp + rax], 0 jne KiSystemCall64_Emulate asm_system_call endp KiSystemCall64 PROC mov rsp, gs:[USERMD_STACK_GS] swapgs jmp [orig_system_call] KiSystemCall64 ENDP KiSystemCall64_Emulate PROC mov rsp, gs:[KERNEL_STACK_GS] ; set kernel stack pointer push 2Bh ; push dummy SS selector push qword ptr gs:[10h] ; push user stack pointer push r11 ; push previous EFLAGS push 33h ; push dummy 64-bit CS selector push rcx ; push return address mov rcx, r10 ; set first argument value sub rsp, 8h ; allocate dummy error code push rbp ; save standard register sub rsp, 158h ; allocate fixed frame lea rbp, [rsp+80h] ; set frame pointer mov [rbp+0C0h], rbx ; save nonvolatile registers mov [rbp+0C8h], rdi ; mov [rbp+0D0h], rsi ; mov byte ptr [rbp-55h], 2h ; set service active mov rbx, gs:[188h] ; get current thread address prefetchw byte ptr [rbx+90h] ; prefetch with write intent stmxcsr dword ptr [rbp-54h] ; save current MXCSR ldmxcsr dword ptr gs:[180h] ; set default MXCSR cmp byte ptr [rbx+3], 0 ; test if debug enabled mov word ptr [rbp+80h], 0 ; assume debug not enabled jz KiSS05 ; if z, debug not enabled mov [rbp-50h], rax ; save service argument registers mov [rbp-48h], rcx ; mov [rbp-40h], rdx ; mov [rbp-38h], r8 ; mov [rbp-30h], r9 ; je a2 call [g_KiSaveDebugRegisterState] align 10h a2: test byte ptr [rbx+3],80h 
je a3 mov ecx,0C0000102h rdmsr shl rdx,20h or rax,rdx a3: cmp qword ptr [rbx+0B8h],rax je B0 cmp qword ptr [rbx+1B0h],rax je B0 mov rdx,qword ptr [rbx+1B8h] bts dword ptr [rbx+4Ch],0Bh dec word ptr [rbx+1C4h] mov qword ptr [rdx+80h],rax sti call [g_KiUmsCallEntry] jmp FA0 B0: test byte ptr [rbx+3],40h je FA0 lock bts dword ptr [rbx+100h],8 FA0: mov rax,qword ptr [rbp-50h] mov rcx,qword ptr [rbp-48h] mov rdx,qword ptr [rbp-40h] mov r8,qword ptr [rbp-38h] mov r9,qword ptr [rbp-30h] xchg ax,ax KiSS05: sti cmp byte ptr [g_isWin7], 0 jne NO_WIN7; mov [rbx+88h], rcx mov [rbx+80h], eax jmp KiSystemServiceStart_Emulate NO_WIN7: mov qword ptr [rbx+1E0h],rcx mov dword ptr [rbx+1F8h],eax KiSystemCall64_Emulate ENDP KiSystemServiceStart_Emulate PROC mov [rbx+90h], rsp mov edi, eax shr edi, 7 and edi, 20h and eax, 0FFFh KiSystemServiceStart_Emulate ENDP KiSystemServiceRepeat_Emulate PROC lea r10,[g_KeServiceDescriptorTable] movsxd r11,dword ptr [r10+rax*4] lea r10, offset HookTable mov r10, qword ptr [r10 + rax * 8h] lea r11, offset ArgTble movzx rax, byte ptr [r11 + rax] cmp edi,20h push [g_KiSystemServiceRepeatPtr] ret KiSystemServiceRepeat_Emulate ENDP end ``` 注意 win10 1803以后你仍然需要过pg,pg通过TF位检测RIP指针.你需要捕获#DB然后手动注入异常 本文由 huoji 创作,采用 知识共享署名 3.0,可自由转载、引用,但需署名作者且注明文章出处。 点赞 0