jz near Parser.error
mov ebx, edi ; EBX: new EIP
lea eax, [edi+EntryPoint.i3-EntryPoint]; EAX: INT3 location
mov [ebp+dClient_ESP], edi ; adjust client stack
jmp short .setup
.ring0:
lea eax, [ebp+EntryPoint.i3] ; INT3 location for ring-0 code
lea ebx, [ebp+EntryPoint] ; Get EIP
.setup:
mov [ebp+oPAGEIN_INT3], eax ; register INT3 location
mov [ebp+dClient_EIP], ebx ; set new client EIP
xor eax, eax
inc eax
mov [ebp+fPAGEIN_InProgress], eax ; set PAGEIN internal var
mov [ebp+fExecuteMoreCommands], ah ; leave ntice
popad
retn
;-------------------------------------------------------------------------------
; Check if we are allowed to tweak client execution. In case of error, it
; will NOT return to the caller.
;-------------------------------------------------------------------------------
CanResume:
; Gate for services that change client execution (EBP = ntice base).
; Three checks, each with its own message staged in EBX before the test:
;   1. IRQL must be below DISPATCH_LEVEL (2)
;   2. client EFLAGS.IF must be set
;   3. current context must be the pop-up context
; On success: returns normally. On failure: drops its own return address and
; jumps to Parser.error (presumably that routine reports the message in EBX).
; Clobbers EAX, EBX, flags.
call pGetIRQLLevel ; EAX = current IRQL (see pGetIRQLLevel)
lea ebx, [ebp+irq_err] ; EBX: message if the IRQL test fails
cmp eax, byte 2 ; IRQL >= DISPATCH_LEVEL (2) ?  (message says "must be below")
jnb .error ; unsigned: any IRQL of 2 or more is refused
lea ebx, [ebp+int_err] ; EBX: message if interrupts are disabled
test byte [ebp+dClient_EFLAGS+1], 2 ; EFLAGS.IF is bit 9 = bit 1 of the second byte
jz .error ; interrupts disabled in the client: refuse
lea ebx, [ebp+ctx_err] ; EBX: message for the context test
mov eax, [ebp+dCurrentContext]
cmp eax, [ebp+dPopupContext]
jnz .error ; only allowed from the pop-up context
retn
.error:
pop eax ; Remove return address from stack
jmp Parser.error ; and branch command parser exit
; That's it, return to NTICE,
; nothing to be done
;------------------------------------------------------------------------------------
; client EAX: service ID
; client EBX: EFLAGS having original IOPL, only for V86 mode
;
; rest is service dependent
;------------------------------------------------------------------------------------
EntryPoint:
; Stub that the client executes (presumably after being copied to user land,
; see the PAGEIN setup above which computes EntryPoint.i3-EntryPoint): it
; re-enters the extension through INT 0xFF (Icall_handler) and then breaks
; back into NTICE with INT3. The .i3 and .end labels are used as offsets
; relative to EntryPoint, so keep the layout as is.
int 0xFF ; Initiate an extension call (dispatched by Icall_handler)
.i3:
int3 ; Break back in NTICE
.end:
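;-------------------------------------------------------------------------------
; Icall_handler: INT 0xFF entry point of the extension.
;  The macro turns the hardware exception frame into a KeTrapFrame addressed
;  by EBP. The trap-frame registers carry the client arguments (EntryPoint):
;    KeTrapFrame.EAX = service ID, KeTrapFrame.EBX = EFLAGS with the original
;    IOPL (V86 clients only); the rest is service dependent.
;  The selected service runs with EBP = trap frame and finds the extension
;  base in KeTrapFrame.EAX (stored there below).
;  Fix: the service ID comes from the client and is used as an index into
;  tInternalApiTable, so it is range-checked first; an out-of-range ID is
;  ignored instead of calling through whatever happens to follow the table.
;-------------------------------------------------------------------------------
NUM_SERVICES equ 7 ; entries in tInternalApiTable (SrvVer .. SrvLoad); keep in sync
Icall_handler:
        ExceptionFrame2KeTrapFrame HW_ERROR_CODE_OFF, PRIMARY
        call    .delta
.delta:
        pop     esi
        sub     esi, .delta             ; ESI = load delta (extension base), position independent
        test    byte [ebp+KeTrapFrame.EFLAGS+2], 2 ; EFLAGS.VM (bit 17)
        jz      .PM
        mov     eax, [ebp+KeTrapFrame.EBX] ; V86 client: EBX holds EFLAGS with the original IOPL
        mov     [ebp+KeTrapFrame.EFLAGS], eax ; restore it for the iretd below
.PM:
        mov     eax, [ebp+KeTrapFrame.EAX] ; service ID requested by the client
        mov     [ebp+KeTrapFrame.EAX], esi ; hand the extension base to the service
        cmp     eax, NUM_SERVICES
        jae     .done                   ; unsigned: also rejects "negative" IDs
        add     esi, tInternalApiTable  ; ESI: ptr to extension routines table
        sti
        call    [esi+eax*4]             ; dispatch to the requested service
        cli
.done:
        KeTrapFrame2ExceptionFrame HW_ERROR_CODE_ON, PRIMARY
        iretd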
;-------------------------------------------------------------------------------
SrvVer:
; Service 0 (version): nothing to do yet, returns straight to Icall_handler.
; (help_v below carries the version text, but this stub does not use it.)
retn
;-------------------------------------------------------------------------------
SrvDump:
; Service 1 (PAGEIN D): write client memory to a file, or - without a file
; name - just touch the address so its page is brought in (old PAGEIN).
;  In:  EBP = trap frame; KeTrapFrame.EAX = extension base,
;       KeTrapFrame.ESI = ANSI filename ptr (0 = emulate old PAGEIN),
;       KeTrapFrame.EDI = buffer / address, KeTrapFrame.ECX = length.
;  Clobbers EAX, EBX, ESI, EDI; EBP is restored. Errors are only DbgPrint'ed.
;  NOTE(review): the client-supplied filename pointer, buffer and length are
;  handed to the kernel APIs as they are; only the .emulate path validates its
;  address with MmIsAddressValid. The caller is trusted here.
mov eax, ebp ; EAX : trap frame ptr
push ebp ; save trap frame ptr (becomes [ebp+52] below)
sub esp, 8+8+24+8+4 ; locals: UNICODE_STRING, ANSI_STRING, OBJECT_ATTRIBUTES, IO_STATUS_BLOCK, HANDLE
mov ebp, esp
mov esi, [eax+KeTrapFrame.EAX] ; ESI: extension base (stored there by Icall_handler)
lea edi, [esi+CallTable] ; EDI: ntoskrnl import table
cmp dword [eax+KeTrapFrame.ESI], byte 0 ; Do we have a filename ptr ?
jz near .emulate ; If no , emulate old PAGEIN
; [ebp+52] == Trap frame ptr
; [ebp+48] == FileHandle
; EBP+40 == IoStatusBlock
; EBP+16 == Object Attributes
; EBP+8 == AnsiString
; EBP == UnicodeString
lea eax, [ebp+16] ; get ptr to Object Attributes (presumably consumed by the macro via EAX)
InitializeObjectAttributes ebp , dword 0x40 , dword 0 , dword 0 ; name = UNICODE_STRING at [ebp], OBJ_CASE_INSENSITIVE, no root dir, no SD
mov eax, [ebp+52] ; EAX: ptr Trap frame
push dword [eax+KeTrapFrame.ESI] ; IN PCSZ: client's ANSI filename (unvalidated)
lea eax, [ebp+8] ; OUT PANSI_STRING
push eax
call [edi+RtlInitAnsiString]
push byte 1 ; Allocate Destination String Buffer
lea eax, [ebp+8] ; IN PANSI_STRING
push eax
push ebp ; OUT PUNICODE_STRING
call [edi+RtlAnsiStringToUnicodeString] ; NOTE(review): status not checked; .free_string below assumes it succeeded
push byte 0 ; EaLength
push byte 0 ; EaBuffer
push dword 0x850 ; CreateOptions: FILE_RANDOM_ACCESS | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_ALERT
push byte 5 ; CreateDisposition 5 = FILE_OVERWRITE_IF (FILE_SUPERSEDE would be 0)
push byte 0 ; no sharing
push dword 0x80 ; FILE_ATTRIBUTE_NORMAL
push byte 0 ; allocation size 0
lea eax, [ebp+40] ; EAX: PIO_STATUS_BLOCK
push eax
lea eax, [ebp+16] ; EAX: POBJECT_ATTRIBUTES
push eax
push dword 0x120116 ; Desired Access = FILE_GENERIC_WRITE
lea eax, [ebp+48] ; ptr File Handle
push eax
lea ebx, [esi+opn_err] ; EBX: message if the create fails
call [edi+ZwCreateFile]
test eax, eax
jl .free_string ; NTSTATUS < 0: error, nothing to close yet
push byte 0 ; No KEY
push byte 0 ; Null File Offset
mov eax, [ebp+52]
push dword [eax+KeTrapFrame.ECX] ; Length (client value)
push dword [eax+KeTrapFrame.EDI] ; buffer address (client value)
lea eax, [ebp+40] ; PIO_STATUS_BLOCK
push eax
push byte 0 ; null APC context
push byte 0 ; no APC
push byte 0 ; no completion Event
push dword [ebp+48] ; File handle
lea ebx, [esi+wrt_err] ; EBX: message if the write fails
call [edi+ZwWriteFile]
test eax, eax
jl .free_close ; error after create: close the file too
push ebp
call [edi+RtlFreeUnicodeString] ; Free temp unicode storage space
push dword [ebp+48]
call [edi+ZwClose] ; Close the file
jmp short .return
.emulate:
lea ebx, [esi+npr_err] ; EBX: message if the page is not valid
mov esi, [ebp+52] ; ESI = ptr trap frame (base no longer needed; EDI keeps the import table)
mov esi, [esi+KeTrapFrame.EDI] ; ESI: pagein address
push esi
call [edi+MmIsAddressValid] ; check if it is a valid address
test al, al
jz .error
mov eax, [esi] ; touch the page and bring it in
.return:
add esp, 8+8+24+8+4 ; drop locals
pop ebp
retn ; return to Icall_Handler
.free_close: ; write failed: close, free the name, report
push dword [ebp+48]
call [edi+ZwClose]
.free_string: ; create failed: free the unicode name, report
push ebp
call [edi+RtlFreeUnicodeString]
.error:
push ebx ; EBX: ptr to error msg
call [edi+DbgPrint] ; print error msg
pop eax ; DbgPrint follows C calling convention (caller pops the argument)
jmp short .return
;-------------------------------------------------------------------------------
SrvDumpX:
; Service 5 (extended dump): not implemented on this page, returns at once.
retn
;-------------------------------------------------------------------------------
SrvSr:
; Services 2 and 3 (suspend / resume, PAGEIN S / R) both dispatch here;
; not implemented on this page, returns at once.
retn
;-------------------------------------------------------------------------------
SrvBhr:
; Service 4 (Bhrama, PAGEIN B): not implemented on this page, returns at once.
retn
;-------------------------------------------------------------------------------
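;-------------------------------------------------------------------------------
; SrvLoad: service 6 (PAGEIN L) - read a file into client memory.
;  In:  EBP = trap frame; KeTrapFrame.EAX = extension base,
;       KeTrapFrame.ESI = ANSI filename ptr, KeTrapFrame.EDI = buffer,
;       KeTrapFrame.ECX = length.
;  Clobbers EAX, EBX, ESI, EDI; EBP is restored. Errors are only DbgPrint'ed.
;  Locals after the prologue:
;    [ebp+52] trap frame ptr, [ebp+48] FileHandle, [ebp+40] IO_STATUS_BLOCK,
;    [ebp+16] OBJECT_ATTRIBUTES, [ebp+8] ANSI_STRING, [ebp] UNICODE_STRING.
;  Fix: the desired access was 0x120109, i.e. FILE_WRITE_ATTRIBUTES (0x100)
;  instead of FILE_READ_ATTRIBUTES (0x80); that asks for a write right on a
;  file we only read and fails on read-only files. Now FILE_GENERIC_READ.
;  NOTE(review): filename, buffer and length come from the client and are
;  passed to the kernel APIs unvalidated (cf. the .emulate path in SrvDump);
;  the RtlAnsiStringToUnicodeString status is not checked either.
;-------------------------------------------------------------------------------
SrvLoad:
        mov     eax, ebp                ; EAX: trap frame ptr
        push    ebp                     ; save trap frame ptr -> [ebp+52]
        sub     esp, 8+8+24+8+4         ; locals, layout above
        mov     ebp, esp
        mov     esi, [eax+KeTrapFrame.EAX] ; ESI: extension base (set by Icall_handler)
        lea     edi, [esi+CallTable]    ; EDI: ntoskrnl import table
        lea     eax, [ebp+16]           ; EAX: ptr to OBJECT_ATTRIBUTES (for the macro)
        InitializeObjectAttributes ebp , dword 0x40 , dword 0 , dword 0 ; name = [ebp], OBJ_CASE_INSENSITIVE, no root, no SD
        mov     eax, [ebp+52]           ; EAX: trap frame
        push    dword [eax+KeTrapFrame.ESI] ; IN PCSZ: client's ANSI filename
        lea     eax, [ebp+8]            ; OUT PANSI_STRING
        push    eax
        call    [edi+RtlInitAnsiString]
        push    byte 1                  ; allocate the destination buffer
        lea     eax, [ebp+8]            ; IN PANSI_STRING
        push    eax
        push    ebp                     ; OUT PUNICODE_STRING
        call    [edi+RtlAnsiStringToUnicodeString]
        push    byte 0                  ; EaLength
        push    byte 0                  ; EaBuffer
        push    dword 0x850             ; FILE_RANDOM_ACCESS | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_ALERT
        push    byte 1                  ; FILE_OPEN
        push    byte 1                  ; FILE_SHARE_READ
        push    byte 0                  ; attributes don't apply to FILE_OPEN
        push    byte 0                  ; no allocation size
        lea     eax, [ebp+40]           ; PIO_STATUS_BLOCK
        push    eax
        lea     eax, [ebp+16]           ; POBJECT_ATTRIBUTES
        push    eax
        push    dword 0x120089          ; Desired Access = FILE_GENERIC_READ (was 0x120109)
        lea     eax, [ebp+48]           ; PHANDLE
        push    eax
        lea     ebx, [esi+opn_err]      ; EBX: message if the open fails
        call    [edi+ZwCreateFile]
        test    eax, eax
        jl      .free_string            ; NTSTATUS < 0: nothing to close yet
        push    byte 0                  ; Key
        push    byte 0                  ; ByteOffset: NULL
        mov     eax, [ebp+52]
        push    dword [eax+KeTrapFrame.ECX] ; Length (client value)
        push    dword [eax+KeTrapFrame.EDI] ; Buffer (client address)
        lea     eax, [ebp+40]           ; PIO_STATUS_BLOCK
        push    eax
        push    byte 0                  ; ApcContext
        push    byte 0                  ; ApcRoutine
        push    byte 0                  ; Event
        push    dword [ebp+48]          ; FileHandle
        lea     ebx, [esi+wrt_err]      ; EBX: message if the read fails (text says "dump": no read-specific string exists)
        call    [edi+ZwReadFile]
        test    eax, eax
        jl      .free_close
        push    ebp
        call    [edi+RtlFreeUnicodeString] ; free the temporary unicode name
        push    dword [ebp+48]
        call    [edi+ZwClose]           ; close the file
.return:
        add     esp, 8+8+24+8+4         ; drop locals
        pop     ebp
        retn                            ; back to Icall_handler
.free_close:                            ; read failed: close, free the name, report
        push    dword [ebp+48]
        call    [edi+ZwClose]
.free_string:                           ; open failed: free the unicode name, report
        push    ebp
        call    [edi+RtlFreeUnicodeString]
.error:
        push    ebx                     ; EBX: ptr to error msg
        call    [edi+DbgPrint]
        pop     eax                     ; cdecl: caller removes the argument
        jmp     short .return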
;------------------------------------------------------------------------------
; The following call will be assembled only if target NTICE version is 322,
; which does not have a pGetIRQLLevel in the form we expect. This call can be
; guaranteed as safe only in NT 4.0, since it relies on the hardcoded value of
; KPCR base
%if NTICE_VERSION = 0x322
pGetIRQLLevel:
; Fallback IRQL reader for NTICE 3.22: reads the byte KPCR.Irql through the
; fixed KPCR self pointer using pMOV_AL_EDI_safe (CF set when the read faults).
; Returns EAX = IRQL, or 3 (above DISPATCH_LEVEL, so CanResume refuses) on a
; fault. Clobbers EAX and flags; EDI is preserved.
push edi
mov edi, KPCRSelfPointer+KPCR.Irql ; absolute address, only valid on NT 4.0 (see note above)
call pMOV_AL_EDI_safe ; AL = byte at [EDI] if the page is readable
pop edi
jc .error
movzx eax, al ; zero-extend the IRQL byte
retn
.error:
mov eax, 3 ; report a high IRQL so callers bail out
retn
%endif
;-------------------------------------------------------------------------------
; ecx: amount, esi: dataptr, ebp: ntice base
;
; eax: destination or 0 on error
;-------------------------------------------------------------------------------
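CopyToUserLand:
; Stage ECX bytes from [ESI] at the base of the client's stack page, after
; saving what was there so RestoreUserLand can put it back (EBP = ntice base).
; Returns EAX = destination address, or 0 when the save buffer is still in
; use, ECX >= SAVEBUFFERSIZE, or the page is not present. Clobbers EAX, ECX,
; ESI and flags; EDI is preserved.
; Fix: like RestoreUserLand, force DF=0 around the rep movsb (restoring the
; caller's flags afterwards); with DF set the copies would run backwards.
        xor     eax,eax                 ; default result: 0 = failure
        cmp     dword [ebp+UserLandBuffer.size],byte 0
        jz      .1
        retn                            ; save buffer already in use
.1:
        cmp     ecx,SAVEBUFFERSIZE
        jb      .2
        retn                            ; too large for the save buffer (and for one page)
.2:
        push    edi
        mov     edi,[ebp+dClient_ESP]
        and     edi,0xFFFFF000          ; EDI = base of the client's stack page
        call    pMOV_AL_EDI_safe        ; is page present? (CF set if not)
        jnc     .3
        xor     eax,eax                 ; pMOV_AL_EDI_safe touched AL: re-zero the result
        pop     edi
        retn
.3:
        mov     [ebp+UserLandBuffer.size],ecx
        mov     [ebp+UserLandBuffer.userptr],edi
        mov     eax,edi                 ; return value: where the data ends up
        pushfd                          ; rep movsb needs DF=0; caller gets its flags back below
        cld
        push    ecx
        push    esi
        mov     esi,edi                 ; 1) save the original user bytes into the temp buffer
        lea     edi,[ebp+UserLandBuffer.data]
        rep movsb
        pop     esi                     ; 2) copy the caller's data onto the user stack page
        pop     ecx
        mov     edi,eax
        rep movsb
        popfd
        pop     edi
        retn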
;-------------------------------------------------------------------------------
; ebp: ntice base
;-------------------------------------------------------------------------------
RestoreUserLand:
; Undo CopyToUserLand: copy the saved bytes back to UserLandBuffer.userptr and
; mark the save buffer free (size = userptr = 0). No-op when nothing is saved.
; EBP = ntice base. Preserves ECX, ESI, EDI and the flags.
        cmp     dword [ebp+UserLandBuffer.size],byte 0
        jz      .done
        pushfd
        push    edi
        push    esi
        push    ecx
        cld                             ; forward copy regardless of the caller's DF
        mov     ecx,[ebp+UserLandBuffer.size]
        lea     esi,[ebp+UserLandBuffer.data]
        mov     edi,[ebp+UserLandBuffer.userptr]
        rep movsb
        mov     dword [ebp+UserLandBuffer.userptr],0
        mov     dword [ebp+UserLandBuffer.size],0 ; buffer is free again
        pop     ecx
        pop     esi
        pop     edi
        popfd
.done:
        retn
; Save area for CopyToUserLand / RestoreUserLand: holds the user-page bytes
; that get overwritten. Must stay smaller than 4k (x86 page size): the copy
; starts at a page base and must not cross into the next page.
; NOTE(review): written at run time, so it must live in a writable page.
SAVEBUFFERSIZE equ 512
align 4
UserLandBuffer:
.data: times SAVEBUFFERSIZE db 0 ; saved user bytes
.size: dd 0 ; byte count saved; 0 = buffer free
.userptr: dd 0 ; user address the bytes came from (restore target)
;-------------------------------------------------------------------------------
; call RestoreUserLand while cleanup after a PAGEIN like int3
;-------------------------------------------------------------------------------
HookCleanupForPAGEIN:
; Presumably installed in front of pMemcopy: recomputes the ntice base
; (position independent, via call/pop), calls RestoreUserLand so the client's
; stack page is restored while cleaning up after a PAGEIN-style INT3, then
; tail-jumps to the original routine. EBP is preserved; RestoreUserLand
; preserves the other registers it touches.
push ebp
call .delta
.delta:
pop ebp
sub ebp,.delta ; EBP = load delta = ntice base
call RestoreUserLand
pop ebp
jmp pMemcopy ; continue with the hooked routine
;-------------------------------------------------------------------------------
; resolve win32 api symbols
;-------------------------------------------------------------------------------
GetAPIs:
; Resolve the win32 API table below (API:). Each 8-byte record is
; [dword value][dword name offset]; the list ends at a record whose name
; offset is 0. Records that already hold a value are skipped; the others are
; resolved with pExpression2Integer (ESI = name string, EAX = result,
; CF = failure). Returns CF=0 on success, CF=1 as soon as one name fails.
; Preserves EAX, EBX, ECX, ESI. EBP = ntice base.
; Security note: CR0.WP (bit 16) is cleared for the whole loop so the table
; (presumably in a read-only page) can be written; the original CR0 is put
; back on both exits. While WP is clear any stray kernel write succeeds too,
; so keep the window as short as possible.
push esi
push ecx
push ebx
push eax
or ecx,byte -1 ; ECX = -1; the first inc selects record 0
mov ebx,cr0
push ebx ; keep the original CR0 for the exits
btr ebx,16 ; clear CR0.WP
mov cr0,ebx
.loop:
inc ecx
cmp dword [8*ecx+ebp+API+4],byte 0 ; name offset 0: end of table
jnz .1
pop ebx
mov cr0,ebx ; restore WP
pop eax
pop ebx
pop ecx
pop esi
clc ; must come after "mov cr0": MOV to a control register leaves the arithmetic flags undefined
retn
.1:
cmp dword [8*ecx+ebp+API],byte 0 ; already resolved?
jnz .loop
mov esi,[8*ecx+ebp+API+4]
add esi,ebp ; ESI = ptr to the API name string
call pExpression2Integer
jnb .2 ; CF clear: resolved, EAX = value
pop ebx
mov cr0,ebx ; restore WP before failing
pop eax
pop ebx
pop ecx
pop esi
stc ; set after "mov cr0", see clc above
retn
.2:
mov [8*ecx+ebp+API],eax ; store the resolved value
jmp short .loop
align 4
API:
; Records for GetAPIs: dword value (0 until resolved), dword offset of the
; name string (relative to the ntice base). Terminated by the null record.
; The .oXxx labels are what the rest of the code reads once resolved.
.oGetCurrentProcessID: dd 0, .GetCurrentProcessID
.oFindWindowA: dd 0, .FindWindowA
.oSendMessageA: dd 0, .SendMessageA
;.oOpenProcess: dd 0, .OpenProcess
;.oResumeThread: dd 0, .ResumeThread
;.oSuspendThread: dd 0, .SuspendThread
;.oExitThread: dd 0, .ExitThread
;.oExitProcess: dd 0, .ExitProcess
;.oTerminateThread: dd 0, .TerminateThread
;.oTerminateProcess: dd 0, .TerminateProcess
; null record, do not remove (GetAPIs stops at name offset 0)
dd 0, 0
; Name strings, NUL-terminated, fed to pExpression2Integer
.GetCurrentProcessID: db 'GetCurrentProcessID',0
.FindWindowA: db 'FindWindowA',0
.SendMessageA: db 'SendMessageA',0
;.OpenProcess: db 'OpenProcess',0
;.ResumeThread: db 'ResumeThread',0
;.SuspendThread: db 'SuspendThread',0
;.ExitThread: db 'ExitThread',0
;.ExitProcess: db 'ExitProcess',0
;.TerminateThread: db 'TerminateThread',0
;.TerminateProcess: db 'TerminateProcess',0
tImportNameTable:
; NUL-terminated names of the ntoskrnl exports used through CallTable
; ([edi+ZwCreateFile] etc. in SrvDump/SrvLoad; the slot offsets and the
; resolver that fills CallTable are not on this page).
db 'ZwCreateFile',0
db 'ZwReadFile',0
db 'ZwWriteFile',0
db 'ZwClose',0
db 'RtlAnsiStringToUnicodeString',0
db 'RtlInitAnsiString',0
db 'DbgPrint',0
db 'RtlFreeUnicodeString',0
db 'MmIsAddressValid',0
db 'ZwSetInformationFile',0
db 'KeAttachProcess',0
db 'KeDetachProcess',0
db 'KeInitializeDpc',0
db 'KeInsertQueueDpc',0
tKernel32NameTable: ; no kernel32 imports yet (table is empty)
align 4
CallTable: TIMES MaxImportId db 'SRVC' ; MaxImportId dword slots; 'SRVC' is the unresolved placeholder, presumably overwritten with the import addresses
tInternalApiTable:
; Service dispatch table: Icall_handler indexes it with the client-supplied
; service ID (dword slots). Keep the entry count in step with the handler.
dd SrvVer ;0 - version
dd SrvDump ;1 - dump
dd SrvSr ;2 - suspend
dd SrvSr ;3 - resume
dd SrvBhr ;4 - bhrama
dd SrvDumpX ;5 - extended dump
dd SrvLoad ;6 - load
;-------------------------------------------------------------------------------
; flag variables
;-------------------------------------------------------------------------------
;-------------------------------------------------------------------------------
; Error strings
;-------------------------------------------------------------------------------
; All messages are NUL-terminated (CRLF_0 presumably expands to CR,LF,0 for
; the DbgPrint'ed ones) and are addressed relative to the ntice base
; ([ebp+irq_err], [esi+opn_err], ...). Used on this page: int_err, irq_err,
; ctx_err (CanResume); opn_err, wrt_err, npr_err (SrvDump / SrvLoad).
int_err db 'Interrupts must be enabled to use this extension.',0
irq_err db 'IRQL must be below DISPATCH_LEVEL to use this extension.',0
stk_err db 'Cannot use this extension because current thread`s stack is not present.',0
tss_err db 'Unable to determine TSS base',0
sel_err db 'Client SS is invalid???',0
ctx_err db 'Cannot dump from this context. Revert to pop-up context.',0
arg_err db 'Arguments required.',0
evl_err db 'Cannot evaluate expression.',0
prc_err db 'Cannot attach an invalid process. Check KPEB parameter.',0
opn_err db 'Failed to create output file. Possible reason: wrong path name.',CRLF_0
wrt_err db 'Failed to dump requested data. Possible reason: invalid memory range.',CRLF_0 ; also used for ZwReadFile failures in SrvLoad
npr_err db 'Page at specified address is either Reserved or Not Committed.',CRLF_0
msg_p0 db 'Path Expert mode is now on',0
msg_p1 db 'Path Expert mode is now off',0
nim_err db 'Command currently not implemented.',0
Error_V86: db 'EFLAGS.VM=1, only win32 clients are supported.',0
Error_PM16: db 'CS.D=0, only win32 clients are supported.',0
Error_PMR0: db 'CS.DPL=0, only win32 clients are supported.',0
Error_API: db 'unable to resolve some win32 APIs, check winice.dat.',0
Error_NoID: db 'specify PID/TID.',0
Error_NoWnd: db 'specify Bhrama server window name',0
Error_NoUser: db 'could not copy to user land',0
;-------------------------------------------------------------------------------
; Help strings
;-------------------------------------------------------------------------------
; Usage lines for the PAGEIN sub-commands (D dump, S suspend, R resume,
; B Bhrama, L load) and the version banner; NUL-terminated.
help_d db 'PAGEIN D <address> [ <length> <filename> ]',0
help_d1 db 'PAGEIN D',0
help_s db 'PAGEIN S <KTEB>',0
help_r db 'PAGEIN R <KTEB>',0
help_b db 'PAGEIN B <Bhrama window name>',0
help_l db 'PAGEIN L <address> <length> <filename>',0
help_v db 'nticedump Beta 1 build 0009 http://icedump.tsx.org.',0
End: ; end of the extension image