MapViewOfSection驱动注入


// Driver entry point (the definition in InjectEye.c logs "[InjectEye] Entry"
// and starts resolving the unexported Zw* routines the driver relies on).
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING str);
// Unload routine; presumably removes the NtMapViewOfSection hook before the
// driver image is discarded -- body not in this excerpt, confirm.
VOID InjectEyeUnload(IN PDRIVER_OBJECT DriverObject);
// Installs (IsHook presumably TRUE) or removes (FALSE) the hook on
// nt!NtMapViewOfSection -- body not in this excerpt, confirm both directions.
BOOLEAN HookFunc(BOOLEAN IsHook);
7.使用 XDE 反汇编引擎——尽管 UrlMon!DllMainCp3
之后版本几乎是一致
*/
#include "InjectEye.h"
extern POBJECT_TYPE* static ULONG (>=5) PZwProtectVirtualMemory PZwWriteVirtualMemory PVOID PVOID UCHAR 口函数的头部的信息(>=5)
UrlmonDllMainCRTStartupHeadInfo[13];//Urlmon.DLL 的入
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath) {
KdPrintEx((DPFLTR_IHVDRIVER_ID,DPFLTR_ERROR_LEVEL,"[InjectEye] Entry \n")); { UNICODE_STRING SystemRoutineName ; RtlInitUnicodeString(&SystemRoutineName, L"ZwYieldExecution"); ZwWriteVirtualMemory=(PZwWriteVirtualMemory)((ULONG)MmGetSystemRoutineAddress(& SystemRoutineName )-0x14);
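// Local prototype of the native allocation service (the extraction had
// collapsed this line, the divider, the comment and the typedef below into
// one line, which turned the typedef into comment text).
NTSYSAPI NTSTATUS NTAPI NtAllocateVirtualMemory(IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN OUT PULONG AllocationSize, IN ULONG AllocationType, IN ULONG Protect);
//----------------------------------------------------------------------------------------------------------------------
// ZwProtectVirtualMemory is not exported by the kernel; the original comment
// says a dedicated program is needed to obtain its address.  This typedef only
// gives that address a call type -- whatever lookup fills the pointer is
// called blindly in kernel mode, so the result deserves a validity check
// against the target build before it is used.
typedef NTSTATUS (*PZwProtectVirtualMemory)(IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PULONG ProtectSize, IN ULONG NewProtect, OUT PULONG OldProtect);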
;// Ptr32 _FILE_OBJECT
PVOID WaitingForDeletion ;// Ptr32 _EVENT_COUNTER
USHORT ModifiedWriteCount ;// Uint2B
USHORT FlushInProgressCount ;// Uint2B
ULONG WritableUserReferences ;// Uint4B
// Prototype of the native service this driver hooks (both file headers state
// "Hook NtMapViewOfSection").  DetourNtMapViewOfSection declares the identical
// parameter list so it can stand in for this routine once its prologue is
// patched; the two declarations must be kept in sync.
NTSYSAPI NTSTATUS NTAPI
NtMapViewOfSection(IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PULONG ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect);
ULONG NonExtendedPtes ;// Uint4B
ULONG Spare0
;// Uint4B
ULONG64 SizeOfSegment ;// Uint8B
ULONG64 SegmentPteTemplate ;// _MMPTE
ULONG NumberOfCommittedPages ;// Uint4B
//
//--------------------------------------------------
ULONG QuadwordPad
;// Uint4B
}CONTROL_AREA,*PCONTROL_AREA;
typedef struct _SEGMENT
{
PCONTROL_AREA ControlArea
;// Ptr32 _CONTROL_AREA
ULONG TotalNumberOfPtes ;// Uint4B
PVOID ExtendInfo
;// Ptr32 _MMEXTEND_INFO
ULONG SegmentFlags PVOID BasedAddress
;// _SEGMENT_FLAGS ;// Ptr32 Void——win7,小心
ULONG u1
;// __unnamed
ULONG u2
;// __unnamed
MmSectionObjectType; ulHeadLen1=0;//nt!NtMapViewOfSection 头部用于 Hook 的长度
ZwProtectVirtualMemory=NULL; ZwWriteVirtualMemory=NULL;
Kernel32LoadLibraryAAddr=NULL; UrlmonDllMainCRTStartupAddr=NULL ;
//ZwProtectVirtualMemory 未导出,需要编写专门的程序获取 typedef NTSTATUS (*PZwWriteVirtualMemory)(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL);
// Looks up FuncName in the DLL named DllName and returns its address (the name
// suggests the lookup goes through the KnownDLLs section objects -- body not
// in this excerpt, confirm).  FuncHeadInfo presumably receives the function's
// leading bytes, compare UrlmonDllMainCRTStartupHeadInfo[13]; verify.
PULONG
RetrieveFuncAddrFromKnownDLLs(IN WCHAR DllName[],IN CHAR
FuncName[],IN CHAR *FuncHeadInfo);
// Replacement for nt!NtMapViewOfSection, installed by overwriting the
// routine's prologue (ulHeadLen1 holds the patched length).  The parameter
// list must stay identical to the NTSYSAPI prototype above: while the hook is
// in place every section mapping in every process is routed through here, so
// a mismatch corrupts the caller's stack rather than failing cleanly.
NTSTATUS DetourNtMapViewOfSection(IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PULONG ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect);
ULONG NumberOfMappedViews ;// Uint4B
ULONG NumberOfSystemCacheViews ;// Uint4B
ULONG NumberOfUserReferences ;// Uint4B
ULONG u
;// __unnamed
PFILE_OBJECT FilePointer
typedef struct _CONTROL_AREA
{
PVOID Segment
;//Ptr32 _SEGMENT
LIST_ENTRY DereferenceList ;// _LIST_ENTRY
ULONG NumberOfSectionReferences ;// Uint4B
ULONG NumberOfPfnReferences ;// Uint4B
//---------------------------------------------------------------------------------------------------------------------
---
//win7 和 win2003 的大部分内核数据结构系统
1. 本程序在 WinXPSP3[2600.xpsp.080413-2111] 、
Win2003R2sp2[3790.srv03_sp2_gdr.090319-1204]

Win7Pro[ 7600.16385.x86fre.win7_rtm.090713-1255]测试通过;
2.本程序假设 Urlmon.dll 加载时首先执行 OEP 处的代码;
/* FileName: InjectEye.h Author : ejoyc Date : [03/05/2010]~[09/22/2010] Target : Hook NtMapViewOfSection, then watch every process being created */ #pragma once
50dll注射功能函数这部分完全是闲得慌没事多花力气asm这部分涉及大量的硬编码请慎重经过测试这份shellcode是安全的pushadpush65h
MapViewOfSection 驱动注入
这是一个这样实现的 DLL 注射驱动程序:当 UserMode 进程加载 UrlMon.dll 时,抢先加载自己的 DLL(UrlMonEye.dll):
PVOID PrototypePte ;// Ptr32 _MMPTE
PVOID ThePtes
;// [1] _MMPTE
}SEGMENT,*PSEGMENT;
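/*
 * Partial layout of the kernel's section object (nt!_SECTION_OBJECT) as this
 * driver assumes it.  The "Ptr32" annotations are the 32-bit layout; the file
 * header lists the exact XP/2003/Win7 x86 builds it was tested on, and the
 * field offsets are not guaranteed on any other build -- verify against the
 * target kernel before relying on them.  (The extraction had collapsed this
 * definition onto one line, so the first "//" swallowed the remaining fields.)
 */
typedef struct _SECTION_OBJECT {
    PVOID    StartingVa;   // Ptr32 Void
    PVOID    EndingVa;     // Ptr32 Void
    PVOID    Parent;       // Ptr32 Void
    PVOID    LeftChild;    // Ptr32 Void
    PVOID    RightChild;   // Ptr32 Void
    PSEGMENT Segment;      // Ptr32 _SEGMENT -- see struct _SEGMENT above
} SECTION_OBJECT, *PSECTION_OBJECT;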
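// One directive per line: the extraction had joined all three onto a single
// line, which leaves trailing tokens after the first #include.
#include <ntifs.h>    // kernel-mode NT headers (NTSTATUS, UNICODE_STRING, Zw*/Nt* prototypes)
#include <ntimage.h>  // PE image structures
#include "xde.h"      // XDE disassembly engine (project-local; see item 7 of the file header)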
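// Path of the DLL whose mapping triggers the injection.  It is relative to the
// volume root rather than %SystemRoot%, so on an installation whose system
// directory is not \WINDOWS the comparison never matches (the file header
// already flags the hard-coding).  URLMONPATHSIZE is the byte length of the
// string without its terminator: sizeof of a wide literal counts the L'\0',
// which is 2 bytes on Windows -- the Length convention of UNICODE_STRING.
// (The extraction had split macro names and values across two lines.)
#define URLMONPATH      L"\\WINDOWS\\SYSTEM32\\URLMON.DLL"
#define URLMONPATHSIZE  (sizeof(URLMONPATH) - 2)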


线
//-------------------------------------------------------
//
/*
FileName: InjectEye.c
Author : ejoyc
Date : [03/05/2010]~[09/22/2010]
Caution :
3.本程序涉及大量的硬编码,应该存在兼容性问题;
4.本程序参考 sudami 的《N 种内核注入 DLL 的思路及实现》——这是一篇相当不错的教程
5.本程序的部分代码相当的不安全,需要加强有效性可用性的检测;
6.感谢 L01(l01@)的帮助——没有它,我无法完成 InjectEye;