- #pragma once
- #include "common.h"
// Number of slots in the nt!PspCreateProcessNotifyRoutine array that
// EnumProcessCallBack walks (the array entries are 4 bytes each on x86).
#define PSP_MAX_CREATE_PROCESS_NOTIFY 8
// Signature of a routine registered via PsSetCreateProcessNotifyRoutine;
// ExGetCallBackBlockRoutine returns the address of such a routine for a
// referenced callback block.
typedef
VOID
(*PCREATE_PROCESS_NOTIFY_ROUTINE)(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    );
// Function-pointer types for the unexported nt! callback-block helpers.
// Their addresses are recovered at runtime by byte-pattern scanning the
// exported PsSetCreateProcessNotifyRoutine (see EnumCallback.c); the
// signatures below are this module's assumption, not something the kernel
// headers declare.
// References one slot of the PspCreateProcessNotifyRoutine array; returns
// the callback block, or NULL when the slot is empty.
typedef PVOID
(*PFN_ExReferenceCallBackBlock) (
    IN OUT PVOID CallBack
    );
// Returns the notify-routine address stored in a referenced callback block.
typedef PVOID
(*PFN_ExGetCallBackBlockRoutine) (
    IN PVOID CallBackBlock
    );
// Drops the reference taken by ExReferenceCallBackBlock on CallBackBlock.
// NOTE(review): the real kernel routine is believed to return VOID; the PVOID
// return here is harmless for callers that ignore it — confirm before relying on it.
typedef PVOID
(*PFN_ExDereferenceCallBackBlock) (
    IN OUT PVOID CallBack,
    IN PVOID CallBackBlock
    );
// Address resolvers. Each scans PsSetCreateProcessNotifyRoutine for a
// build-specific x86 byte sequence and returns the recovered address (also
// cached in a g_* global), or NULL/0 when the pattern is not found. The
// ULONG return only holds a kernel pointer on 32-bit x86.
ULONG GetPspCreateProcessNotifyRoutineAddr();
ULONG GetExReferenceCallBackBlockAddr();
ULONG GetExGetCallBackBlockRoutineAddr();
ULONG GetExDereferenceCallBackBlockAddr();
// Walks the PSP_MAX_CREATE_PROCESS_NOTIFY callback slots and DbgPrints the
// address of every registered process-creation notify routine. Returns FALSE
// if any of the nt! addresses above could not be resolved on this kernel.
BOOLEAN EnumProcessCallBack();
#include "StdAfx.h"
- #include "EnumCallback.h"
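// Addresses of the unexported nt! data/routines used by EnumProcessCallBack,
// filled in by the Get*Addr scanners below. 0 means "not resolved": either the
// scanner has not run yet or its byte pattern did not match this kernel build.
// They are integers, not pointers, because the scan patterns are x86 opcodes
// and a 32-bit ULONG cannot hold a pointer on x64 anyway; initializing an
// integer with the pointer constant NULL (as the original did) is a type
// mismatch, so 0 is used.
ULONG g_PspCreateProcessNotifyRoutine = 0;
ULONG g_ExReferenceCallBackBlock = 0;
ULONG g_ExGetCallBackBlockRoutine = 0;
ULONG g_ExDereferenceCallBackBlock = 0;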
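//
// Recovers the address of the unexported nt!PspCreateProcessNotifyRoutine
// array from the machine code of the exported PsSetCreateProcessNotifyRoutine.
//
// The routine looks for the "je rel8 ; mov edi, imm32 ; push edi ; call rel32"
// sequence shown in the listing below and returns the imm32 of the mov. That
// sequence belongs to a specific 32-bit ntoskrnl build: on a kernel with a
// different prologue the pattern simply does not match and 0 is returned,
// which callers must treat as "callback table not available" rather than
// dereferencing anything.
//
// Returns: the array address (also cached in g_PspCreateProcessNotifyRoutine),
//          or 0 when no match is found within the 0x50-byte scan window.
//
ULONG GetPspCreateProcessNotifyRoutineAddr()
{
    //nt!PsSetCreateProcessNotifyRoutine:
    //8062e77e 8bff mov edi,edi
    //8062e780 55 push ebp
    //8062e781 8bec mov ebp,esp
    //8062e783 53 push ebx
    //8062e784 33db xor ebx,ebx
    //8062e786 385d0c cmp byte ptr [ebp+0Ch],bl
    //8062e789 56 push esi
    //8062e78a 57 push edi
    //8062e78b 7465 je nt!PsSetCreateProcessNotifyRoutine+0x74 (8062e7f2)
    //8062e78d bfe0245680 mov edi,offset nt!PspCreateProcessNotifyRoutine (805624e0)
    //8062e792 57 push edi
    //8062e793 e8487d0100 call nt!ExReferenceCallBackBlock (806464e0)
    //8062e798 8bf0 mov esi,eax
    //8062e79a 85f6 test esi,esi
    PUCHAR pStart = (PUCHAR)(ULONG)PsSetCreateProcessNotifyRoutine;
    // pTemp points at the imm32 operand candidate. The match tests bytes at
    // pTemp-3, so start 3 bytes into the function: the original scan began at
    // offset 0 and read 3 bytes before the function's first byte.
    for (ULONG i = 3; i < 0x50; i++)
    {
        PUCHAR pTemp = pStart + i;
        if (*(pTemp - 3) == 0x74 &&   // je   rel8
            *(pTemp - 1) == 0xbf &&   // mov  edi, imm32
            *(pTemp + 4) == 0x57 &&   // push edi
            *(pTemp + 5) == 0xe8)     // call rel32
        {
            //DbgPrint("PspCreateProcessNotifyRoutine Addr: 0x%x\n", pTemp);
            g_PspCreateProcessNotifyRoutine = *(PULONG)pTemp;
            return g_PspCreateProcessNotifyRoutine;
        }
    }
    return 0;
}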
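//
// Recovers the address of the unexported nt!ExReferenceCallBackBlock by
// locating the "push edi ; call rel32 ; mov esi,eax" sequence inside
// PsSetCreateProcessNotifyRoutine (listing below) and resolving the call's
// relative displacement. Build-specific: a non-matching kernel yields 0.
//
// Returns: the routine address (also cached in g_ExReferenceCallBackBlock),
//          or 0 when the pattern is not found within the scan window.
//
ULONG GetExReferenceCallBackBlockAddr()
{
    //8062e78b 7465 je nt!PsSetCreateProcessNotifyRoutine+0x74 (8062e7f2)
    //8062e78d bfe0245680 mov edi,offset nt!PspCreateProcessNotifyRoutine (805624e0)
    //8062e792 57 push edi
    //8062e793 e8487d0100 call nt!ExReferenceCallBackBlock (806464e0)
    //8062e798 8bf0 mov esi,eax
    //8062e79a 85f6 test esi,esi
    //8062e79c 741f je nt!PsSetCreateProcessNotifyRoutine+0x3f (8062e7bd)
    //8062e79e 56 push esi
    PUCHAR pStart = (PUCHAR)(ULONG)PsSetCreateProcessNotifyRoutine;
    // pTemp points at the rel32 operand candidate; the match tests pTemp-2, so
    // start at offset 2 instead of reading in front of the function.
    for (ULONG i = 2; i < 0x50; i++)
    {
        PUCHAR pTemp = pStart + i;
        if (*(pTemp - 2) == 0x57 &&   // push edi
            *(pTemp - 1) == 0xe8 &&   // call rel32
            *(pTemp + 4) == 0x8b &&   // mov  esi, eax
            *(pTemp + 5) == 0xf0)
        {
            // call target = address of the E8 opcode + 5 (instruction length) + rel32
            ULONG uAddr = *(PULONG)pTemp + (ULONG)(pTemp - 1) + 5;
            g_ExReferenceCallBackBlock = uAddr;
            DbgPrint("ExReferenceCallBackBlock Addr: 0x%x\n", uAddr);
            return uAddr;
        }
    }
    return 0;
}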
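//
// Recovers the address of the unexported nt!ExGetCallBackBlockRoutine by
// locating the "push esi ; call rel32 ; cmp eax,[ebp+8]" sequence inside
// PsSetCreateProcessNotifyRoutine (listing below). The public symbol file
// labels this call IopGetRelationsTaggedCount; the author's listing notes the
// target actually behaves as ExGetCallBackBlockRoutine. Build-specific: a
// non-matching kernel yields 0.
//
// Returns: the routine address (also cached in g_ExGetCallBackBlockRoutine),
//          or 0 when the pattern is not found within the scan window.
//
ULONG GetExGetCallBackBlockRoutineAddr()
{
    //8062e798 8bf0 mov esi,eax
    //8062e79a 85f6 test esi,esi
    //8062e79c 741f je nt!PsSetCreateProcessNotifyRoutine+0x3f (8062e7bd)
    //8062e79e 56 push esi
    //8062e79f e8ec7b0100 call nt!IopGetRelationsTaggedCount (80646390) ExGetCallBackBlockRoutine
    //8062e7a4 3b4508 cmp eax,dword ptr [ebp+8]
    //8062e7a7 750d jne nt!PsSetCreateProcessNotifyRoutine+0x38 (8062e7b6)
    //8062e7a9 56 push esi
    //8062e7aa 6a00 push 0
    //8062e7ac 57 push edi
    PUCHAR pStart = (PUCHAR)(ULONG)PsSetCreateProcessNotifyRoutine;
    // pTemp points at the rel32 operand candidate; the match tests pTemp-2, so
    // start at offset 2 instead of reading in front of the function.
    for (ULONG i = 2; i < 0x50; i++)
    {
        PUCHAR pTemp = pStart + i;
        if (*(pTemp - 2) == 0x56 &&   // push esi
            *(pTemp - 1) == 0xe8 &&   // call rel32
            *(pTemp + 4) == 0x3b &&   // cmp  eax, [ebp+8]
            *(pTemp + 5) == 0x45 &&
            *(pTemp + 6) == 0x08)
        {
            // call target = address of the E8 opcode + 5 (instruction length) + rel32
            ULONG uAddr = *(PULONG)pTemp + (ULONG)(pTemp - 1) + 5;
            g_ExGetCallBackBlockRoutine = uAddr;
            DbgPrint("ExGetCallBackBlockRoutine Addr: 0x%x\n", uAddr);
            return uAddr;
        }
    }
    return 0;
}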
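//
// Recovers the address of the unexported nt!ExDereferenceCallBackBlock by
// locating the "push eax ; call rel32 ; push esi ; call rel32" sequence inside
// PsSetCreateProcessNotifyRoutine (listing below). This sequence sits further
// into the function than the others, hence the wider 0x100-byte window.
// Build-specific: a non-matching kernel yields 0.
//
// Returns: the routine address (also cached in g_ExDereferenceCallBackBlock),
//          or 0 when the pattern is not found within the scan window.
//
ULONG GetExDereferenceCallBackBlockAddr()
{
    //8062e7cd b8ffffffff mov eax,0FFFFFFFFh
    //8062e7d2 b900255680 mov ecx,offset nt!PspCreateProcessNotifyRoutineCount (80562500)
    //8062e7d7 0fc101 xadd dword ptr [ecx],eax
    //8062e7da 56 push esi
    //8062e7db 8d049de0245680 lea eax,nt!PspCreateProcessNotifyRoutine (805624e0)[ebx*4]
    //8062e7e2 50 push eax
    //8062e7e3 e82b7e0100 call nt!ExDereferenceCallBackBlock (80646613)
    //8062e7e8 56 push esi
    //8062e7e9 e8877b0100 call nt!ExWaitForCallBacks (80646375)
    //8062e7ee 33ff xor edi,edi
    PUCHAR pStart = (PUCHAR)(ULONG)PsSetCreateProcessNotifyRoutine;
    // pTemp points at the rel32 operand candidate; the match tests pTemp-2, so
    // start at offset 2 instead of reading in front of the function.
    for (ULONG i = 2; i < 0x100; i++)
    {
        PUCHAR pTemp = pStart + i;
        if (*(pTemp - 2) == 0x50 &&   // push eax
            *(pTemp - 1) == 0xe8 &&   // call rel32
            *(pTemp + 4) == 0x56 &&   // push esi
            *(pTemp + 5) == 0xe8)     // call rel32
        {
            // call target = address of the E8 opcode + 5 (instruction length) + rel32
            ULONG uAddr = *(PULONG)pTemp + (ULONG)(pTemp - 1) + 5;
            g_ExDereferenceCallBackBlock = uAddr;
            // The original message was mislabelled "ExGetCallBackBlockRoutine".
            DbgPrint("ExDereferenceCallBackBlock Addr: 0x%x\n", uAddr);
            return uAddr;
        }
    }
    return 0;
}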
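//
// Resolves any of the four nt! addresses that are still 0. Each Get*Addr
// scanner is deterministic and caches its own result, so one that already
// succeeded is not re-run; a scanner whose pattern does not match leaves its
// global at 0, which EnumProcessCallBack checks before using the table.
//
VOID InitNtFunction()
{
    if (0 == g_PspCreateProcessNotifyRoutine)
    {
        GetPspCreateProcessNotifyRoutineAddr();
    }
    if (0 == g_ExReferenceCallBackBlock)
    {
        GetExReferenceCallBackBlockAddr();
    }
    if (0 == g_ExGetCallBackBlockRoutine)
    {
        GetExGetCallBackBlockRoutineAddr();
    }
    if (0 == g_ExDereferenceCallBackBlock)
    {
        GetExDereferenceCallBackBlockAddr();
    }
}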
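//
// Enumerates the process-creation notify routines currently registered in the
// kernel and DbgPrints the address of each. This is the classic anti-rootkit
// check for callbacks a driver did not expect to find; the printed address is
// only meaningful once mapped back to the owning driver image, which this
// routine leaves to the reader of the log.
//
// Each slot of nt!PspCreateProcessNotifyRoutine is referenced through the
// kernel's own ExReferenceCallBackBlock (an empty slot yields NULL and is
// skipped), its routine address is read with ExGetCallBackBlockRoutine, and
// the reference is dropped again with ExDereferenceCallBackBlock so the table
// is left exactly as it was found.
//
// Returns: FALSE if any of the four nt! addresses could not be resolved for
//          this kernel build (nothing is touched in that case), TRUE otherwise.
//
BOOLEAN EnumProcessCallBack()
{
    InitNtFunction();
    // Refuse to walk the table unless every helper was located: calling
    // through a 0 function pointer or indexing a 0 array is a guaranteed crash.
    if (0 == g_ExReferenceCallBackBlock ||
        0 == g_ExGetCallBackBlockRoutine ||
        0 == g_ExDereferenceCallBackBlock ||
        0 == g_PspCreateProcessNotifyRoutine)
    {
        return FALSE;
    }
    PFN_ExReferenceCallBackBlock   pfnReference   = (PFN_ExReferenceCallBackBlock)g_ExReferenceCallBackBlock;
    PFN_ExGetCallBackBlockRoutine  pfnGetRoutine  = (PFN_ExGetCallBackBlockRoutine)g_ExGetCallBackBlockRoutine;
    PFN_ExDereferenceCallBackBlock pfnDereference = (PFN_ExDereferenceCallBackBlock)g_ExDereferenceCallBackBlock;
    PULONG pSlots = (PULONG)g_PspCreateProcessNotifyRoutine;
    for (ULONG i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++)
    {
        //
        // Reference the callback so we can check its routine address.
        //
        PVOID CallBack = pfnReference(&pSlots[i]);
        if (CallBack != NULL)
        {
            PVOID NotifyRoutine = pfnGetRoutine(CallBack);
            // %p for a PVOID: the original used %x, which is the wrong specifier for a pointer.
            DbgPrint("ProcessCallBack Addr: 0x%p\n", NotifyRoutine);
            pfnDereference(&pSlots[i], CallBack);
        }
    }
    return TRUE;
}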