push eax
mov eax, si_Pagein_InProgress
cmp byte ptr [eax], 0
pop eax
jz no_pagein_in_progress
call si_OnPageInProgress
push eax
mov eax, si_TraceFlag ; in trace mode
cmp byte ptr [eax], 0
pop eax
jne All_ok
no_pagein_in_progress:
cmp protect_INT3, 0
jz All_ok
cmp dword ptr [esp], NT_HIGHEST_USER_ADDRESS
ja All_ok
cmp si, 'FG'
jne not_BackDoor
cmp di, 'JM'
jne not_BackDoor
cmp cs:[OsInt3], 0FFh
jbe All_ok
jmp cs:[OsInt3]
not_BackDoor:
cmp ebp, 'BCHK'
jne All_ok
cmp cs:[OsInt3], 0FFh
jbe All_ok
jmp cs:[OsInt3]
All_ok:
jmp cs:[OldInt3] ; call ntice handler
}
}
///////////////////////////////////////////////////////////////////////
//
// Enable/Disable Unhandled Exception Filter Patching
//
///////////////////////////////////////////////////////////////////////
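// Compile-time switch for the UnhandledExceptionFilter patch support below.
// The original declaration relied on implicit 'int', which C++ does not allow;
// the explicit type keeps the value and linkage identical on compilers that
// accepted it and makes the declaration well-formed on those that do not.
const int PROT_UEF_PATCH_ENABLED = 1;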
//////////////////////////////////////////////////////////////////////////////
// pUNH_Write
//////////////////////////////////////////////////////////////////////////////
// Byte pattern handed to RabSearch() by protSetUEFPatch() to locate the
// routine inside si_CodeBase that writes SoftICE's UnhandledExceptionFilter
// patch. The _XX_ entries are presumably wildcard bytes understood by
// RabSearch (they sit where a 32-bit address / rel8 operand would be) —
// confirm against the _XX_ definition.
// PAT_UNH_Write[0] is rewritten before every search (0x8B = the original
// 'mov edi' opcode, 0xC3 = 'ret' once the routine has been disabled), so
// the array is deliberately mutable, not const.
unsigned char PAT_UNH_Write[] =
{
    0x8B, 0x3D, _XX_, _XX_, _XX_, _XX_,         // mov edi, UEF_addr
    0x0B, 0xFF,                                 // or edi, edi
    0x74, _XX_,                                 // jz short locret_57BA2
    0x0A, 0xD2,                                 // or dl, dl
    0x74, _XX_,                                 // jz short locret_57BA2
    0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00    // cmp byte_D3DA7, 0
};
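//////////////////////////////////////////////////////////////////////////////
// protSetUEFPatchDS31
//
// Variant of protSetUEFPatch() used for newer SoftICE builds (see the
// si_IceBuild check in protSetUEFPatch). Toggles the first byte of
// kernel32!UnhandledExceptionFilter in the current process between
// SoftICE's int3 (0xCC) and the original 'push imm32' opcode (0x68):
//
//   fUEFPatch != 0 -> write 0xCC, protect_UEF_Flag = 0 (SoftICE patch active)
//   fUEFPatch == 0 -> write 0x68, protect_UEF_Flag = 1 (original byte restored)
//
// Returns TRUE on success, FALSE when the symbol cannot be resolved or the
// write faults. (Previously a faulting write still reported TRUE, so callers
// could not tell that the byte had not been changed.)
//
// The address is obtained from si_Expression2Integer() on the expression
// string aKernel32UnhandledExceptionFilter (presumably "kernel32!..."); it is
// a user-mode address and is only meaningful in the process context that is
// current when this function runs.
//////////////////////////////////////////////////////////////////////////////
ULONG protSetUEFPatchDS31(ULONG fUEFPatch)
{
    BYTE *pUnhAddr = 0;
    ULONG fPatched = FALSE;

    // Ask SoftICE's expression evaluator for the address. The routine reports
    // failure through CF (jb), in which case pUnhAddr stays 0.
    __asm
    {
        mov esi, offset aKernel32UnhandledExceptionFilter
        call si_Expression2Integer
        jb unh_error
        mov pUnhAddr, eax
    unh_error:
    }
    if (!pUnhAddr)
    {
        DbgPrint("Error: unable to resolve UnhandledExceptionFilter address.\n");
        return FALSE;
    }

    InitSEH();
    __try
    {
        // The target is user-mode code; the write can fault (unmapped or
        // write-protected page), so it runs under the SEH guard and the
        // state flag is only updated once the store has completed.
        if (fUEFPatch)
        {
            *pUnhAddr = 0xCC;
            protect_UEF_Flag = 0;
        }
        else
        {
            *pUnhAddr = 0x68;
            protect_UEF_Flag = 1;
        }
        fPatched = TRUE;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        // fPatched is still FALSE here: nothing was changed.
        DbgPrint("Error: unable to patch UnhandledExceptionFilter.\n");
    }
    CleanupSEH();
    return fPatched;
}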
//////////////////////////////////////////////////////////////////////////////
// protSetCR4_DE_Patch
//
// Flips the one-byte opcode at si_Patch_DE_JZ (by its name, the 'jz' in
// SoftICE's CR4.DE handling — confirm where it is resolved):
//
//   fDisableProtection != 0 -> 0x74 (jz rel8),  protect_CR4_DE = 0
//   fDisableProtection == 0 -> 0xEB (jmp rel8), protect_CR4_DE = 1
//
// Returns FALSE (and changes nothing) if the patch site was never resolved,
// TRUE otherwise. Note that, unlike protSetUEFPatch(), the write is done
// without deactivating breakpoints or guarding against a fault.
//////////////////////////////////////////////////////////////////////////////
ULONG protSetCR4_DE_Patch(ULONG fDisableProtection)
{
    if (si_Patch_DE_JZ == 0)
        return FALSE;

    // Select the opcode first, then record the matching protection state.
    *si_Patch_DE_JZ = fDisableProtection ? 0x74 : 0xEB;
    protect_CR4_DE = fDisableProtection ? 0 : 1;
    return TRUE;
}
//////////////////////////////////////////////////////////////////////////////
// protSetUEFPatch
//
// Enables (fUEFPatch != 0) or disables (fUEFPatch == 0) SoftICE's own
// patching of UnhandledExceptionFilter by rewriting the first opcode of the
// routine that performs it:
//
//   enabled  -> 0x8B (original 'mov edi, ...'), protect_UEF_Flag = 0
//   disabled -> 0xC3 ('ret'),                   protect_UEF_Flag = 1
//
// Builds >= 1722 are handled by protSetUEFPatchDS31() instead, which patches
// the user-mode side. Returns TRUE on success, FALSE if the routine cannot be
// found in si_CodeBase (or whatever protSetUEFPatchDS31() returns).
//////////////////////////////////////////////////////////////////////////////
ULONG protSetUEFPatch(ULONG fUEFPatch)
{
    if (si_IceBuild >= 1722)
        return protSetUEFPatchDS31(fUEFPatch);

    // The search pattern must start with whatever byte is currently in place:
    // 0xC3 if the routine was already disabled by an earlier call, else 0x8B.
    PAT_UNH_Write[0] = protect_UEF_Flag ? 0xC3 : 0x8B;

    //-------------------------------------------------------------------------
    // Locate the write routine inside SoftICE's code segment.
    //-------------------------------------------------------------------------
    BYTE *pUnhWrite = (BYTE *)(RabSearch(PAT_UNH_Write, sizeof(PAT_UNH_Write),
                                         si_CodeBase, si_CodeSize) + si_CodeBase);
    // A result below si_CodeBase means RabSearch did not find the pattern.
    if ((ULONG)pUnhWrite < (ULONG)si_CodeBase)
    {
        DbgPrint("ERROR: Can't find si_UNH_Write address in memory.\n");
        return FALSE;
    }
    // DbgPrint("si_UNH_Write: %08X\n", pUnhWrite);

    // Breakpoints are lifted around the store so the patched byte is never
    // mistaken for (or overwritten by) a breakpoint opcode.
    si_DeactivateBPs();
    *pUnhWrite = fUEFPatch ? 0x8B : 0xC3;
    protect_UEF_Flag = fUEFPatch ? 0 : 1;
    si_ActivateBPs();

    return TRUE;
}
///////////////////////////////////////////////////////////////////////
//
// ProtectInit
//
// Hooks some system services.
//
///////////////////////////////////////////////////////////////////////
// Installs the protection hooks: four system-service table entries, the
// INT 3 handler, the DPL of the INT 1 / INT 41 gates and a two-byte patch in
// the INT 0E handler. Everything installed here is reverted by ProtectDone().
//
// Always returns STATUS_SUCCESS: individual steps that fail (unknown build,
// unresolved OS INT 3 handler) only log via DbgPrint and are skipped.
//
// NOTE(review): the SYSTEMSERVICE() writes are guarded only by cli/sti, which
// masks interrupts on the executing CPU alone; nothing here changes CR0.WP, so
// this relies on the service table being writable on the supported builds.
NTSTATUS ProtectInit()
{
    //-----------------------------------------------------------------------
    // Hook NtCreateFile
    //-----------------------------------------------------------------------
    // The service number is read from the dword at ZwCreateFile+1; this
    // assumes the Zw stub begins with 'mov eax, imm32' — layout-specific.
    DbgPrint("ZwCreatFile: %08X\n", ZwCreateFile);
    NtCreateFileServiceNum = *(PULONG)((PUCHAR)ZwCreateFile+1);
    DbgPrint("NtCreateFileServiceNum: %08X\n", NtCreateFileServiceNum);
    OldNtCreateFile=(NTCREATEFILE)(SYSTEMSERVICE(NtCreateFileServiceNum));
    _asm cli
    SYSTEMSERVICE(NtCreateFileServiceNum)=(ULONG)NewNtCreateFile;
    _asm sti
    //-----------------------------------------------------------------------
    // Hook NtQuerySystemInformation
    //-----------------------------------------------------------------------
    // Same stub-layout assumption as above.
    DbgPrint("ZwQuerySystemInformation: %08X\n", ZwQuerySystemInformation);
    NtQuerySystemInfoServiceNum = *(PULONG)((PUCHAR)ZwQuerySystemInformation+1);
    DbgPrint("NtQuerySystemInfoServiceNum: %08X\n", NtQuerySystemInfoServiceNum);
    OldNtQuerySystemInformation=(NTQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(NtQuerySystemInfoServiceNum));
    _asm cli
    SYSTEMSERVICE(NtQuerySystemInfoServiceNum)=(ULONG)NewNtQuerySystemInformation;
    _asm sti
    //-----------------------------------------------------------------------
    // Hook NtQueryDirectoryObject
    //-----------------------------------------------------------------------
    // Only hooked when the import resolved; OldNtQueryDirectoryObject stays
    // unset otherwise, which ProtectDone() uses to skip the unhook.
    DbgPrint("ZwQueryDirectoryObject: %08X\n", ZwQueryDirectoryObject);
    if (ZwQueryDirectoryObject)
    {
        NtQueryDirObjectServiceNum = *(PULONG)((PUCHAR)ZwQueryDirectoryObject+1);
        DbgPrint("NtQueryDirObjectServiceNum: %08X\n", NtQueryDirObjectServiceNum);
        OldNtQueryDirectoryObject=(NTQUERYDIRECTORYOBJECT)(SYSTEMSERVICE(NtQueryDirObjectServiceNum));
        _asm cli
        SYSTEMSERVICE(NtQueryDirObjectServiceNum)=(ULONG)NewNtQueryDirectoryObject;
        _asm sti
    }
    //-----------------------------------------------------------------------
    // Hook NtContinue
    //-----------------------------------------------------------------------
    // There is no Zw stub to read the number from, so it is hard-coded per OS
    // build; unknown builds leave NtContinueServiceNum at 0 and skip the hook.
    ULONG build = 0;
    NtContinueServiceNum = 0;
    PsGetVersion(NULL, NULL, &build, NULL);
    switch (build)
    {
    case 2195 : //win 2k
        NtContinueServiceNum = 0x1C;
        break;
    case 2600 : //win xp
        NtContinueServiceNum = 0x20;
        break;
    default :
        DbgPrint("Can't find NtContinue - unknown windows build !!!\n");
        break;
    }
    if (NtContinueServiceNum)
    {
        OldNtContinue=(NTCONTINUE)(SYSTEMSERVICE(NtContinueServiceNum));
        DbgPrint("OldNtContinue: %08X\n", OldNtContinue);
        DbgPrint("NtContinueServiceNum: %08X\n", NtContinueServiceNum);
        _asm cli
        SYSTEMSERVICE(NtContinueServiceNum)=(ULONG)NewNtContinue;
        _asm sti
    }
    //-----------------------------------------------------------------------
    // Install int03 handler
    //-----------------------------------------------------------------------
    // OsInt3 is the OS handler Int03Handler chains to for BackDoor requests;
    // OldInt3 is whatever was in the gate before us (SoftICE's handler).
    // 0xEE = present, DPL 3, 32-bit interrupt gate — user-mode int3 must be
    // able to reach it.
    OsInt3 = (void*)si_OldIntTable[3];
    OldInt3= SetInterruptHandler(0x03,Int03Handler, 0xee);
    // Values <= 0xFF are treated as "no handler" (the same test Int03Handler
    // makes with 'cmp cs:[OsInt3], 0FFh'). Fallback: read the operand at
    // OldInt3+1, assuming the previous handler starts with a 5-byte
    // jmp/push imm32 stub whose operand is the OS handler — confirm.
    if ((ULONG_PTR)OsInt3 <= 0x000000FF)
    {
        InitSEH();
        __try
        {
            OsInt3 = *(void**)((ULONG_PTR)OldInt3+1);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            // Leave OsInt3 at 0: Int03Handler then always falls through to
            // OldInt3 and the BackDoor filtering is simply inactive.
            OsInt3 = 0;
            DbgPrint("Error: IceExt was unable to find original OS INT3 handler.\n");
            DbgPrint("Error: INT3 BackDoor interface protection will not work.\n");
        };
        CleanupSEH();
    }
    DbgPrint("OsInt3: %08X\n", OsInt3);
    DbgPrint("OldINT3: %08X\n", OldInt3);
    //-----------------------------------------------------------------------
    // Protect int01 handler
    //-----------------------------------------------------------------------
    // 0x8E00 = present, DPL 0, 32-bit interrupt gate: a user-mode 'int 1'
    // now raises #GP instead of entering the handler.
    SetInterruptFlags(0x01, 0x8e00); // Set DPL=0 as is at system startup
    //-----------------------------------------------------------------------
    // Protect int41 handler
    //-----------------------------------------------------------------------
    SetInterruptFlags(0x41, 0x8e00); // Set DPL=0 as is at system startup
    //-----------------------------------------------------------------------
    // Patch int0E handler
    //-----------------------------------------------------------------------
    // Replaces the first two bytes (81 64) of the 8-byte 'and dword ptr
    // [esp+12], 0FFFEFFFFh' at offset 11 with EB 06 ('jmp short +6'), which
    // lands exactly on the instruction following the 'and', so that mask
    // (bit 16 of the dword at [esp+12] — presumably the frame's EFLAGS, i.e.
    // RF) is no longer applied. 'lock cmpxchg' only writes when the original
    // opcode bytes are still present, so an already-patched or unexpected
    // handler is left untouched.
    if (si_INT_0E_Handler)
    {
        __asm
        {
            ; pINT_0E:
            ; 6A 0E push 0Eh
            ; E8 2D 6E 00 00 call pGeneralProtectionFault
            ; 8D 64 24 04 lea esp, [esp+4]
            ; 81 64 24 0C FF FF FE FF and dword ptr [esp+12], 0FFFEFFFFh
            ; ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
            ; Patch this instruction
            push eax
            push ebx
            push ecx
            mov ebx, dword ptr [si_INT_0E_Handler]
            add ebx, 11                         ; ebx = &'and dword ptr [esp+12], ...'
            mov ax, 6481h                       ; expected: 81 64 (little-endian word)
            mov cx, 06EBh                       ; new:      EB 06 = jmp short +6
            lock cmpxchg word ptr [ebx], cx     ; atomic, only if still 81 64
            pop ecx
            pop ebx
            pop eax
        }
    }
    //-----------------------------------------------------------------------
    // Disable Unhandled Exception Filter Patching
    //-----------------------------------------------------------------------
    // Intentionally left disabled; ProtectDone() still calls
    // protSetUEFPatch(TRUE), which is a no-op state-wise in that case.
    /*
    protSetUEFPatch(FALSE);
    */
    return STATUS_SUCCESS;
}
///////////////////////////////////////////////////////////////////////
//
// ProtectDone
//
// Unhooks hooked services.
//
///////////////////////////////////////////////////////////////////////
// Reverts everything ProtectInit() installed, in the same order: service
// table entries, the INT 3 gate, the INT 1 / INT 41 DPLs, the INT 0E patch,
// and finally the UEF / CR4.DE patch state. Each service unhook is skipped
// when the corresponding Old* pointer was never set.
//
// NOTE(review): only OldInt3 is cleared after restoring; the OldNt* pointers
// are left as they are, so a second call would re-write the same (already
// restored) table entries. The return values of protSetUEFPatch() and
// protSetCR4_DE_Patch() are not checked.
void ProtectDone()
{
    // Delete NtCreateFile hook
    if (OldNtCreateFile)
    {
        _asm cli
        SYSTEMSERVICE(NtCreateFileServiceNum)=(ULONG)OldNtCreateFile;
        _asm sti
    }
    // Delete NtQuerySystemInformation hook
    if (OldNtQuerySystemInformation)
    {
        _asm cli
        SYSTEMSERVICE(NtQuerySystemInfoServiceNum)=(ULONG)OldNtQuerySystemInformation;
        _asm sti
    }
    // Delete NtQueryDirectoryObject hook
    if (OldNtQueryDirectoryObject)
    {
        _asm cli
        SYSTEMSERVICE(NtQueryDirObjectServiceNum)=(ULONG)OldNtQueryDirectoryObject;
        _asm sti
    }
    // Delete NtContinue hook
    if (OldNtContinue)
    {
        _asm cli
        SYSTEMSERVICE(NtContinueServiceNum)=(ULONG)OldNtContinue;
        _asm sti
    }
    // Uninstall INT3 handler (restore the previous gate with the same
    // 0xEE = present / DPL 3 / 32-bit interrupt gate attributes).
    if (OldInt3)
    {
        SetInterruptHandler(0x03,OldInt3, 0xee);
        OldInt3=0;
    }
    // Remove INT1 protection: 0xEE00 = present, DPL 3, 32-bit interrupt gate,
    // i.e. user mode may raise the interrupt again.
    SetInterruptFlags(0x01, 0xee00); // Set DPL=3
    // Remove INT41 protection
    SetInterruptFlags(0x41, 0xee00); // Set DPL=3
    //-----------------------------------------------------------------------
    // Patch int0E handler (restore original)
    //-----------------------------------------------------------------------
    // Mirror image of the ProtectInit() patch: expect EB 06 at offset 11 and
    // put the original 81 64 opcode bytes back; 'lock cmpxchg' leaves the
    // handler alone if the patch is not (or no longer) present.
    if (si_INT_0E_Handler)
    {
        __asm
        {
            ; pINT_0E:
            ; 6A 0E push 0Eh
            ; E8 2D 6E 00 00 call pGeneralProtectionFault
            ; 8D 64 24 04 lea esp, [esp+4]
            ; 81 64 24 0C FF FF FE FF and dword ptr [esp+12], 0FFFEFFFFh
            ; ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
            ; Patch this instruction
            push eax
            push ebx
            push ecx
            mov ebx, dword ptr [si_INT_0E_Handler]
            add ebx, 11                         ; ebx = patched word
            mov ax, 06EBh                       ; expected: EB 06 (our jmp short)
            mov cx, 6481h                       ; new:      81 64 (original 'and')
            lock cmpxchg word ptr [ebx], cx     ; atomic, only if still patched
            pop ecx
            pop ebx
            pop eax
        }
    }
    //-----------------------------------------------------------------------
    // Enable Unhandled Exception Filter Patching
    //-----------------------------------------------------------------------
    protSetUEFPatch(TRUE);
    //-----------------------------------------------------------------------
    // Enable CR4 DE Patching
    //-----------------------------------------------------------------------
    protSetCR4_DE_Patch(TRUE);
    return;
}