Monday, August 29, 2011

Hook Specials 22: Some simple thoughts on recovering SSDT hooks and FSD hooks

I have been reading about recovering FSD hooks and SSDT hooks these days. The old masters have long since played this out, so don't laugh at me.

First, the FSD hook.

It is easy to find sudami's reversing of 360superkiller, but its calculation of the mapping size seems wrong.

Here is my own approach to the recovery:

1. Call ZwQuerySystemInformation with information class 11 (SystemModuleInformation) to get the list of loaded modules.
2. Attach and open the on-disk files ntfs.sys and fastfat.sys by their paths.
3. Parse the PE format to get the file's preferred mapping base address (imageBase).
4. Search the code for the instruction that sets the dispatch routine, using a byte pattern as the condition code.

Disassemble ntfs.sys (fastfat.sys) with IDA and look at the code and its opcodes. esi points to the DriverObject structure, and the opcodes are:
c7 46 XX YY YY YY YY

c7 86 XX XX XX XX YY YY YY YY (XX is the offset from esi, YY is the real function address)

These are `mov dword ptr [esi+disp8], imm32` and `mov dword ptr [esi+disp32], imm32`, so we can search the code segment for these byte patterns.
Once such an instruction is found, the offset gives the IRP major-function index in the structure above and the immediate gives the original dispatch function.
Computing the real index:
Because ntfs.sys is actually loaded at an address different from the base stored in the PE file, the address must be relocated:

At this point we have the original address of the dispatch function.

5. Use ObReferenceObjectByName to get the corresponding DriverObject.

Compare the dispatch function addresses in the DriverObject with the addresses read from the PE file; where they differ, repair them.


Next, the SSDT hook.

1. Determine whether the kernel file in use is ntoskrnl.exe or ntkrnlpa.exe.
When the machine has more than 512MB of memory, Windows enables PAE and uses ntkrnlpa.exe; otherwise it uses ntoskrnl.exe. Multi-core processors are not considered here.

So we detect whether PAE is enabled to confirm the kernel file name:
when bit 5 of CR4 (the PAE bit) is set, PAE is on.
2. Map the kernel file into memory; its base address is krnlImgBase.
3. Call ZwQuerySystemInformation with information class 11 to get the SYSTEM_MODULE_INFORMATION array, and walk it to find krnlBase, the base address of the system kernel in memory.
4. Using the PE format, locate the original SSDT in the mapped file.
The way: first get the SSDT address from the kernel's export, then subtract the kernel base address to get the RVA of the SSDT.
Search the section table of the mapped kernel file.
Find the section that contains the RVA of the SSDT.
SSDT in the memory-mapped file = SSDT RVA - RVA of the containing section + RawOffset of the containing section + krnlImgBase

5. Compare the original SSDT with the current SSDT; replace the entries that differ.
Relocation must be taken into account here: the entries in the file are linked against the PE ImageBase, while the kernel is actually loaded at krnlBase.
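As an added example (not code from the original post), here is the arithmetic of steps 4 and 5 in C: the RVA-to-file-offset mapping over section headers and the relocated SSDT comparison. The struct is a simplified stand-in for IMAGE_SECTION_HEADER, and the section layout, ImageBase, krnlBase and SSDT entries are constructed values.

```c
#include <stdint.h>

/* Stand-in for IMAGE_SECTION_HEADER with only the fields needed (constructed). */
typedef struct {
    uint32_t virtual_address;  /* section RVA */
    uint32_t virtual_size;
    uint32_t raw_offset;       /* PointerToRawData */
} section_t;
/* Step 4: find the section containing the SSDT RVA and convert the RVA to a
 * file offset; the on-disk SSDT then sits at krnlImgBase + that offset.
 * Returns UINT32_MAX when no section covers the RVA. */
uint32_t rva_to_raw(const section_t *secs, unsigned n, uint32_t rva)
{
    for (unsigned i = 0; i < n; i++) {
        uint32_t start = secs[i].virtual_address;
        if (rva >= start && rva < start + secs[i].virtual_size)
            return rva - start + secs[i].raw_offset;
    }
    return UINT32_MAX;
}
/* Step 5 with the relocation caveat: on-disk SSDT entries are absolute
 * addresses linked against the PE ImageBase, but the kernel is loaded at
 * krnl_base, so each entry is shifted by (krnl_base - image_base) before
 * comparison. Fills `expected` and returns the number of differing entries. */
int ssdt_diff(const uint32_t *file_ssdt, const uint32_t *live_ssdt,
              unsigned count, uint32_t image_base, uint32_t krnl_base,
              uint32_t *expected)
{
    uint32_t delta = krnl_base - image_base;
    int hooked = 0;
    for (unsigned i = 0; i < count; i++) {
        expected[i] = file_ssdt[i] + delta;
        if (expected[i] != live_ssdt[i]) hooked++;
    }
    return hooked;
}
/* Constructed sample: ImageBase 0x400000, kernel loaded at 0x804D7000, and a
 * live SSDT whose second entry has been redirected into another module. */
static const section_t k_secs[2] = {
    { 0x001000, 0x200000, 0x000400 },   /* .text */
    { 0x201000, 0x040000, 0x200400 },   /* .data, holds the SSDT */
};
static const uint32_t k_file_ssdt[3] = { 0x00405A10, 0x00405B20, 0x00405C30 };
static const uint32_t k_live_ssdt[3] = { 0x804DCA10, 0xF8A12340, 0x804DCC30 };
/* Runs the check on the sample; expected[3] receives the clean values. */
int demo_ssdt_check(uint32_t expected[3])
{
    return ssdt_diff(k_file_ssdt, k_live_ssdt, 3, 0x00400000u, 0x804D7000u, expected);
}
```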

