Hook示例及Syscall绕过

PSW2_PEB Peb = (PSW2_PEB)__readfsdword(0x30);  PSW2_PEB_LDR_DATA Ldr = Peb->Ldr;  PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;  PVOID DllBase = NULL;    // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second  // in the list, so it's safer to loop through the full list and find it.  PSW2_LDR_DATA_TABLE_ENTRY LdrEntry;  for (LdrEntry = (PSW2_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW2_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0])  {      DllBase = LdrEntry->DllBase;      PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase;      PIMAGE_NT_HEADERS NtHeaders = SW2_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew);      PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory;      DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;      if (VirtualAddress == 0) continue;        ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW2_RVA2VA(ULONG_PTR, DllBase, VirtualAddress);        // If this is NTDLL.dll, exit loop.      PCHAR DllName = SW2_RVA2VA(PCHAR, DllBase, ExportDirectory->Name);        if ((*(ULONG*)DllName | 0x20202020) != 'ldtn') continue;      if ((*(ULONG*)(DllName + 4) | 0x20202020) == 'ld.l') break;  }

DWORD NumberOfNames = ExportDirectory->NumberOfNames;  PDWORD Functions = SW2_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions);  PDWORD Names = SW2_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames);  PWORD Ordinals = SW2_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals);    // Populate SW2_SyscallList with unsorted Zw* entries.  DWORD i = 0;  PSW2_SYSCALL_ENTRY Entries = SW2_SyscallList.Entries;  do  {      PCHAR FunctionName = SW2_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]);        // Is this a system call?      if (*(USHORT*)FunctionName == 'wZ')      {          Entries[i].Hash = SW2_HashSyscall(FunctionName);          Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]];            i++;          if (i == SW2_MAX_ENTRIES) break;      }  } while (--NumberOfNames);

// First opcodes should be ://    MOV R10, RCX//    MOV RCX, <syscall>if (*((PBYTE)pFunctionAddress + cw) == 0x4c && *((PBYTE)pFunctionAddress + 1 + cw) == 0x8b && *((PBYTE)pFunctionAddress + 2 + cw) == 0xd1 && *((PBYTE)pFunctionAddress + 3 + cw) == 0xb8 && *((PBYTE)pFunctionAddress + 6 + cw) == 0x00 && *((PBYTE)pFunctionAddress + 7 + cw) == 0x00) { BYTE high = *((PBYTE)pFunctionAddress + 5 + cw); BYTE low = *((PBYTE)pFunctionAddress + 4 + cw); pVxTableEntry->wSystemCall = (high << 8) | low; break;}

MOV R10, RCX MOV RCX, <syscall>

// Sort the list by address in ascending order.  for (DWORD i = 0; i < SW2_SyscallList.Count - 1; i++)  {      for (DWORD j = 0; j < SW2_SyscallList.Count - i - 1; j++)      {          if (Entries[j].Address > Entries[j + 1].Address)          {              // Swap entries.              SW2_SYSCALL_ENTRY TempEntry;                TempEntry.Hash = Entries[j].Hash;              TempEntry.Address = Entries[j].Address;                Entries[j].Hash = Entries[j + 1].Hash;              Entries[j].Address = Entries[j + 1].Address;                Entries[j + 1].Hash = TempEntry.Hash;              Entries[j + 1].Address = TempEntry.Address;          }      }  }

NtProtectVirtualMemory PROC push ebp mov ebp, esp push 001911B13h        ; Load function hash into ECX. call SW2_GetSyscallNumber  ;Number -> eax lea esp, [esp+4]     mov ecx, 5h      ;参数个数push_argument: dec ecx push [ebp + 08h + ecx * 4] jnz push_argument push ret_address_epilog ;ret address call do_sysenter_interupt lea esp, [esp+4]ret_address_epilog: mov esp, ebp pop ebp retdo_sysenter_interupt: mov edx, esp sysenter  retNtProtectVirtualMemory ENDP

NtProtectVirtualMemory PROC push ebp mov ebp, esp push 001911B13h        ; Load function hash into ECX. call SW2_GetSyscallNumber    ;Number -> eax lea esp, [esp+4] mov ecx, 5h          ;参数个数push_argument: dec ecx push [ebp + 08h + ecx * 4]  ;参数入栈 jnz push_argument push ret_address_epilog     ;ret address call dword ptr internal_cleancall_wow64_gate ; call KiFastSystemCall lea esp, [esp+4]ret_address_epilog: mov esp, ebp pop ebp ret

internal_cleancall_wow64_gate = (void*)__readfsdword(0xC0);