C/C++一线开发 [2022]逃离Windows注册表回调重定向与链接的地狱 如果你开发过Windows的注册表回调相关的内容,比如hips、edr.那你一定会被里面的各种由于历史造成的 软连接、重定向、wow64等等等措施折磨的无法脱身. 如WOW6432Node这个东西本来就是个WOW32兼容重定向假路径: https://learn.microsoft.com/zh-cn/windows/win32/winprog64/shared-registry-keys?redirectedfrom=MSDN 阅读全文 2022-12-05 huoji 0 条评论
C/C++一线开发 [2022] 人肉GRPC协议实现(一) tls协议实现 - client hello ### 0x0 简介 年尾了,发点存货吧.人肉实现GRPC.主要需求是windows内核实现GRPC的交互 GRPC是由三个部分组成的,继承了谷歌丧心病狂的设计.要实现GRPC,就要依次实现 > TLS 1.2 HTTP2 Protobuf payload (内核WSK我就不说了,烂大街了) 今天来介绍第一部分,TLS1.2握手 https://www.ietf.org/rfc/rfc5246.txt 阅读全文 2022-11-25 huoji 0 条评论
系统安全C/C++ [2018]一些代码片段 很早之前写的(4年了,时光飞逝). 代码风格可能不太好,而且可能有bug.凑合看.懒得改了 修改进程名字 ```cpp void FuckName(PUNICODE_STRING v1, WCHAR* ProcessName) { if (v1->Buffer != 0) { RtlZeroMemory(v1->Buffer, v1->MaximumLength); RtlCopyMemory(v1->Buffer, ProcessName, wcslen(ProcessName) * 2); v1->Length = wcslen(ProcessName) * 2; } } BOOLEAN PatchImageFileName(PEPROCESS Process, char* cName) { char szNameBuff[15] = { 0 }; UCHAR* szProcessBuff = NULL; size_t cNamelen = 0; cNamelen = strlen(cName); RtlZeroMemory(szNameBuff, sizeof(szNameBuff)); if (cNamelen > 15) RtlCopyMemory(szNameBuff, cName, sizeof(szNameBuff)); else RtlCopyMemory(szNameBuff, cName, cNamelen); szProcessBuff = PsGetProcessImageFileName(Process); RtlZeroMemory(szProcessBuff, sizeof(szNameBuff)); RtlCopyMemory(szProcessBuff, szNameBuff, sizeof(szNameBuff)); return TRUE; } void PatchPEB(PEPROCESS Process, WCHAR* ProcessName) { KeAttachProcess((PEPROCESS)Process); DWORD64 _peb = *(PDWORD64)((PUCHAR)Process + g_OsData.peb); DWORD64 peb_ProcessParameters = *(PDWORD64)((ULONG_PTR)_peb + g_OsData.peb_ProcessParameters); PUNICODE_STRING peb_ImagePathName = (PUNICODE_STRING)((ULONG_PTR)peb_ProcessParameters + g_OsData.peb_ImagePathName); PUNICODE_STRING peb_WindowTitle = (PUNICODE_STRING)((ULONG_PTR)peb_ProcessParameters + g_OsData.peb_WindowTitle); PUNICODE_STRING peb_CommandLine = (PUNICODE_STRING)((ULONG_PTR)peb_ProcessParameters + g_OsData.peb_CommandLine); FuckName(peb_ImagePathName, ProcessName); FuckName(peb_WindowTitle, ProcessName); FuckName(peb_CommandLine, ProcessName); KeDetachProcess(); } BOOLEAN PathSeAuditProcessCreationInfo(PEPROCESS Process, WCHAR* ProcessName) { PUNICODE_STRING Name; PUNICODE_STRING SelocateName; SeLocateProcessImageName(Process, &SelocateName); ExFreePool(SelocateName); Name = (PUNICODE_STRING)(*(PULONG_PTR)((ULONG_PTR)Process + g_OsData.SeAuditProcessCreationInfo));//+0x468 SeAuditProcessCreationInfo FuckName(Name, ProcessName); return TRUE; } ``` 启动的时候让processnotify/imageloadnotify暂时无效(会PG,所以要快速切换) ```cpp //参数1是启用或者关闭 treadcallbacks 参数2是启用或者关闭imageloadcallbacks ULONG64 g_PspNotifyEnableMaskAddr = 0; ULONG64 GetNotifyVarAddress() { if (g_PspNotifyEnableMaskAddr == 0) { ULONG64 i = 0; PULONG64 pAddrOfFnc = 0; UNICODE_STRING fncName; //8B 05 ?? ?? ?? ?? A8 01 75 09 F0 0F BA CHAR pattern_PspNotifyEnableMask[] = "\x8B\x05\xCC\xCC\xCC\xCC\xA8\x01\x75\x09\xF0\x0F\xBA"; NTSTATUS status = UtilScanSection(g_KernelBase, "PAGE", (PCUCHAR)pattern_PspNotifyEnableMask, 0xCC, sizeof(pattern_PspNotifyEnableMask) - 1, (PVOID*)&g_PspNotifyEnableMaskAddr); if (!NT_SUCCESS(status)) { //DebugPrint("[DebugMessAge] g_PspNotifyEnableMaskAddr not found! :( \n"); return 0; } else { //g_PspNotifyEnableMaskAddr = g_PspNotifyEnableMaskAddr + 5; LONG OffsetAddr = 0; memcpy(&OffsetAddr, (UCHAR*)(g_PspNotifyEnableMaskAddr + 2), 4); pAddrOfFnc = (ULONG64*)(OffsetAddr + g_PspNotifyEnableMaskAddr + 0x6); //DebugPrint("[DebugMessAge] g_PspNotifyEnableMaskAddr : %08X \n", pAddrOfFnc); g_PspNotifyEnableMaskAddr = (ULONG64)pAddrOfFnc; return (ULONG64)g_PspNotifyEnableMaskAddr; } } else { return (ULONG64)g_PspNotifyEnableMaskAddr; } } VOID ChangeNotifyAddress(BOOLEAN enableImage) { ULONG64 varaddress = GetNotifyVarAddress(); if (varaddress) { ULONG val = *(ULONG*)(varaddress); if (!enableImage) { g_InvalidationLoadImage = true; UNSETBIT(val, 0); } else { g_InvalidationLoadImage = false; SETBIT(val, 0); } *(ULONG*)(varaddress) = val; } } ``` 句柄降权 ```cpp BOOLEAN StripHandleCallback_win10( IN PHANDLE_TABLE HandleTable, IN PHANDLE_TABLE_ENTRY HandleTableEntry, IN HANDLE Handle, IN PVOID EnumParameter ) { BOOLEAN result = FALSE; POBJECT_TYPE ObjectType = NULL; ULONG64 Object = 0; if (g_FlagProcessPid == (HANDLE)-1) return FALSE; if (ExpIsValidObjectEntry(HandleTableEntry)) { POBJECT_TYPE ObjectType = NULL; ULONG64 Object = 0; if (Handle == (HANDLE)EnumParameter) { HandleTableEntry->GrantedAccessBits = (SYNCHRONIZE | THREAD_QUERY_LIMITED_INFORMATION); //DebugPrint("Fuck Handle: %08X \n", Handle); goto _exit; } } else { return FALSE; } _exit: // Release implicit locks _InterlockedExchangeAdd8((char*)&HandleTableEntry->VolatileLowValue, 1); // Set Unlocked flag to 1 if (HandleTable != NULL && HandleTable->HandleContentionEvent) ExfUnblockPushLock(&HandleTable->HandleContentionEvent, NULL); return FALSE; } BOOLEAN StripHandleCallback_win7(PHANDLE_TABLE_ENTRY HandleTableEntry, HANDLE Handle, PVOID EnumParameter) { POBJECT_TYPE ObjectType = NULL; ULONG64 Object = 0; if (g_FlagProcessPid == (HANDLE)-1) return FALSE; if (ExpIsValidObjectEntry(HandleTableEntry)) { if (Handle == (HANDLE)EnumParameter) { HandleTableEntry->GrantedAccessBits = (SYNCHRONIZE | THREAD_QUERY_LIMITED_INFORMATION); //DebugPrint("Fuck Handle: %08X \n", Handle); return FALSE; } } return FALSE; } VOID StripHandlePermission() { PSYSTEM_HANDLE_INFORMATION_EX HandleInfo = QueryHandleTable(); if (HandleInfo) { for (int i = 0; i < HandleInfo->NumberOfHandles; i++) { //7 是 process 属性 if (HandleInfo->Information[i].ObjectTypeNumber == 7 || HandleInfo->Information[i].ObjectTypeNumber == OB_TYPE_INDEX_PROCESS || HandleInfo->Information[i].ObjectTypeNumber == OB_TYPE_INDEX_THREAD) { if (g_FlagProcessPid == (HANDLE)-1) break; if (HandleInfo->Information[i].ProcessId == (ULONG)g_FlagProcessPid || HandleInfo->Information[i].ProcessId == 4) continue; bool bCheck = ((HandleInfo->Information[i].GrantedAccess & PROCESS_VM_READ) == PROCESS_VM_READ || (HandleInfo->Information[i].GrantedAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION || (HandleInfo->Information[i].GrantedAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE); PEPROCESS pEprocess = (PEPROCESS)HandleInfo->Information[i].Object; if (pEprocess) { HANDLE handle_pid = *(PHANDLE)((PUCHAR)pEprocess + g_OsData.UniqueProcessId); HANDLE handle_pid2 = *(PHANDLE)((PUCHAR)pEprocess + g_OsData.InheritedFromUniqueProcessId); if (bCheck && (handle_pid == g_FlagProcessPid || handle_pid2 == g_FlagProcessPid)) { pEprocess = NULL; NTSTATUS status = PsLookupProcessByProcessId((HANDLE)HandleInfo->Information[i].ProcessId, &pEprocess); if (NT_SUCCESS(status)) { //DebugPrint("Full Acess Handle! pid: %d \n", HandleInfo->Information[i].ProcessId); PHANDLE_TABLE HandleTable = *(PHANDLE_TABLE*)((PUCHAR)pEprocess + g_OsData.ObjTable); ExEnumHandleTable(HandleTable, g_isWin7 ? (DWORD64*)&StripHandleCallback_win7 : (DWORD64*)&StripHandleCallback_win10, (PVOID)HandleInfo->Information[i].Handle, NULL); ObDereferenceObject(pEprocess); } } } } } ExFreePoolWithTag(HandleInfo, POOL_TAG); } DebugPrint("StripHandlePermission Success \n"); } ``` 阅读全文 2022-11-10 huoji 0 条评论
二进制安全C/C++ [2022]人肉实现CreateProcess 人肉实现CreateProcess https://github.com/helpsystems/CreateProcess 阅读全文 2022-11-04 huoji 0 条评论
