[Original] Releasing compilable, drop-in-replaceable hookport source
2012-10-19 20:31 21926

The core part was reversed by someone long ago, and countless people have done complete reversals; they just couldn't be bothered to release them. I searched, and it seems only one person ever posted an idb; nobody seems to have posted a complete one. Today I'll toss out a brick and release the one I reversed in 2010. Completeness should be above 99%; it compiles and can replace the original of that time, and it works correctly as a replacement on both XP and Win7. Posting the code should be enough; I won't post the idb.
Tried it with WDK 7600.16385.1 and it compiled; back then I believe it was still the 6000 WDK.

hookport.sys is this version:



```c
/* Filter-table population from the reversed hookport.sys (posted code, excerpt).
 * ProxySSDTServiceAddress is indexed by the native (ntoskrnl) service number.
 * ProxyShadowSSDTServiceAddress is indexed by the win32k (shadow SSDT) service
 * number with its table-selector bits stripped (& 0xFFF), since win32k service
 * numbers carry 0x1000 in bits 12-13. Each sub_xxxxx comment is the IDA routine
 * the corresponding Fake_* handler was recovered from. */
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateKeyIndex] = (PULONG)Fake_ZwCreateKey;//sub_10F5E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwQueryValueKeyIndex] = (PULONG)Fake_ZwQueryValueKey;//sub_1109E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDeleteKeyIndex] = (PULONG)Fake_ZwDeleteKey;//sub_111D4;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDeleteValueKeyIndex] = (PULONG)Fake_ZwDeleteValueKey;//sub_112DE;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwRenameKeyIndex] = (PULONG)Fake_ZwRenameKey;//sub_113F0;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwReplaceKeyIndex] = (PULONG)Fake_ZwReplaceKey;//sub_11502;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwRestoreKeyIndex] = (PULONG)Fake_ZwRestoreKey;//sub_1161E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetValueKeyIndex] = (PULONG)Fake_ZwSetValueKey;//sub_1173A;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateFileIndex] = (PULONG)Fake_ZwCreateFile;//sub_11870;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwFsControlFileIndex] = (PULONG)Fake_ZwFsControlFile;//sub_119CE;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetInformationFileIndex] = (PULONG)Fake_ZwSetInformationFile;//sub_11B28;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwWriteFileIndex] = (PULONG)Fake_ZwWriteFile;//sub_11C56;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateProcessIndex] = (PULONG)Fake_ZwCreateProcess;//sub_11D96;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateProcessExIndex] = (PULONG)Fake_ZwCreateProcessEx;//sub_11EE0;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateUserProcessIndex] = (PULONG)Fake_ZwCreateUserProcess;//sub_12032;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateThreadIndex] = (PULONG)Fake_ZwCreateThread;//sub_12196;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenThreadIndex] = (PULONG)Fake_ZwOpenThread;//sub_122E0;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDeleteFileIndex] = (PULONG)Fake_ZwDeleteFile;//sub_12404;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenFileIndex] = (PULONG)Fake_ZwOpenFile;//sub_1250E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwReadVirtualMemoryIndex] = (PULONG)Fake_ZwReadVirtualMemory;//sub_1263E;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwTerminateProcessIndex] = (PULONG)Fake_ZwTerminateProcess;//sub_128A2;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwQueueApcThreadIndex] = (PULONG)Fake_ZwQueueApcThread;//sub_129B4;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetContextThreadIndex] = (PULONG)Fake_ZwSetContextThread;//sub_12AE2;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetInformationThreadIndex] = (PULONG)Fake_ZwSetInformationThread;//sub_12BF4;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwProtectVirtualMemoryIndex] = (PULONG)Fake_ZwProtectVirtualMemory;//sub_12D18;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwWriteVirtualMemoryIndex] = (PULONG)Fake_ZwWriteVirtualMemory;//sub_12770;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwAdjustGroupsTokenIndex] = (PULONG)Fake_ZwAdjustGroupsToken;//sub_12E46;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwAdjustPrivilegesTokenIndex] = (PULONG)Fake_ZwAdjustPrivilegesToken;//sub_12F7E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwRequestWaitReplyPortIndex] = (PULONG)Fake_ZwRequestWaitReplyPort;//sub_130B6;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateSectionIndex] = (PULONG)Fake_ZwCreateSection;//sub_131D2;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenSectionIndex] = (PULONG)Fake_ZwOpenSection;//sub_13312;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateSymbolicLinkObjectIndex] = (PULONG)Fake_ZwCreateSymbolicLinkObject;//sub_1342E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenSymbolicLinkObjectIndex] = (PULONG)Fake_ZwOpenSymbolicLinkObject;//sub_13552;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwLoadDriverIndex] = (PULONG)Fake_ZwLoadDriver;//sub_1366E;//sub_1377E;
  // As posted: the ZwUnloadDriver slot also points at Fake_ZwLoadDriver.
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwUnloadDriverIndex] = (PULONG)Fake_ZwLoadDriver;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwQuerySystemInformationIndex] = (PULONG)Fake_ZwQuerySystemInformation;//sub_1388C;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetSystemInformationIndex] = (PULONG)Fake_ZwSetSystemInformation;//sub_1973E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetSystemTimeIndex] = (PULONG)Fake_ZwSetSystemTime;//sub_139B0;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSystemDebugControlIndex] = (PULONG)Fake_ZwSystemDebugControl;//sub_13AC2;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserBuildHwndListIndex & 0xFFF] = (PULONG)Fake_ZwUserBuildHwndList;//sub_13BF8;

  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserQueryWindowIndex & 0xFFF] = (PULONG)Fake_ZwUserQueryWindow;//sub_13D38;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserFindWindowExIndex & 0xFFF] = (PULONG)Fake_ZwUserFindWindowEx;//sub_13E48;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserWindowFromPointIndex & 0xFFF] = (PULONG)Fake_ZwUserWindowFromPoint;//sub_13F72;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserMessageCallIndex & 0xFFF] = (PULONG)Fake_ZwUserMessageCall;//sub_1408A;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserPostMessageIndex & 0xFFF] = (PULONG)Fake_ZwUserPostMessage;//sub_1426C;

  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowsHookExIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowsHookEx;//sub_14392;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserPostThreadMessageIndex & 0xFFF] = (PULONG)Fake_ZwUserPostThreadMessage;//sub_144C6;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenProcessIndex] = (PULONG)Fake_ZwOpenProcess;//sub_145EC;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDeviceIoControlFileIndex] = (PULONG)Fake_ZwDeviceIoControlFile;//sub_14710;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetParentIndex & 0xFFF] = (PULONG)Fake_ZwUserSetParent;//sub_14C06;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenKeyIndex] = (PULONG)Fake_ZwOpenKey;//sub_1486A;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDuplicateObjectIndex] = (PULONG)Fake_ZwDuplicateObject;//sub_14986;
  // As posted: the gather variant shares the plain ZwWriteFile handler.
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwWriteFileGatherIndex] = (PULONG)Fake_ZwWriteFile;//sub_14AC6;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwResumeThreadIndex] = (PULONG)Fake_ZwResumeThread;//sub_10E4C;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserChildWindowFromPointExIndex & 0xFFF] = (PULONG)Fake_ZwUserChildWindowFromPointEx;//sub_14D16;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserDestroyWindowIndex & 0xFFF] = (PULONG)Fake_ZwUserDestroyWindow;//sub_14E40;

  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserInternalGetWindowTextIndex & 0xFFF] = (PULONG)Fake_ZwUserInternalGetWindowText;//sub_14F4A;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserMoveWindowIndex & 0xFFF] = (PULONG)Fake_ZwUserMoveWindow;//sub_15062;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserRealChildWindowFromPointIndex & 0xFFF] = (PULONG)Fake_ZwUserRealChildWindowFromPoint;//sub_1519A;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetInformationThreadIndex & 0xFFF] = (PULONG)Fake_ZwUserSetInformationThread;//sub_152BA;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetInternalWindowPosIndex & 0xFFF] = (PULONG)Fake_ZwUserSetInternalWindowPos;//sub_153DC;

  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowLongIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowLong;//sub_15502;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowPlacementIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowPlacement;//sub_15624;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowPosIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowPos;//sub_15738;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowRgnIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowRgn;//sub_15878;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserShowWindowIndex & 0xFFF] = (PULONG)Fake_ZwUserShowWindow;//sub_15990;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserShowWindowAsyncIndex & 0xFFF] = (PULONG)Fake_ZwUserShowWindowAsync;//sub_15AA4;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwQueryAttributesFileIndex] = (PULONG)Fake_ZwQueryAttributesFile;//sub_15BB8;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateThreadExIndex] = (PULONG)Fake_ZwCreateThreadEx;//sub_15CC8;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSendInputIndex & 0xFFF] = (PULONG)Fake_ZwUserSendInput;//sub_15E16;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwAlpcSendWaitReceivePortIndex] = (PULONG)Fake_ZwAlpcSendWaitReceivePort;//sub_15F2E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwUnmapViewOfSectionIndex] = (PULONG)Fake_ZwUnmapViewOfSection;//sub_16074;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWinEventHookIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWinEventHook;//sub_16184;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetSecurityObjectIndex] = (PULONG)Fake_ZwSetSecurityObject;//sub_162CA;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserCallHwndParamLockIndex & 0xFFF] = (PULONG)Fake_ZwUserCallHwndParamLock;//sub_163E2;

  // Build 2600 is Windows XP; it gets its own RegisterUserApiHook handler.
  if ( (WORD)NtBuildNumber == 2600 )
      g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserRegisterUserApiHookIndex & 0xFFF] = (PULONG)Fake_ZwUserRegisterUserApiHookXp;//sub_164FA;
  else
      g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserRegisterUserApiHookIndex & 0xFFF] = (PULONG)Fake_ZwUserRegisterUserApiHook;//sub_165CA;

  // Entries whose target service was not identified during reversing.
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[HookportFilterFunc76 & 0xFFF] = (PULONG)Fake_HookportFilterFunc76;//sub_166A2;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[HookportFilterFunc77 & 0xFFF] = (PULONG)Fake_HookportFilterFunc77;//sub_167A8;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwAllocateVirtualMemoryIndex] = (PULONG)Fake_ZwAllocateVirtualMemory;//sub_168AE;
  g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[HookportFilterFunc79 & 0xFFF] = (PULONG)Fake_HookportFilterFunc79;//sub_169E2;

  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateMutantIndex] = (PULONG)Fake_ZwCreateMutant;//sub_16C0A;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenIoCompletionIndex] = (PULONG)Fake_ZwOpenIoCompletion;//sub_16AF2;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwVdmControlIndex] = (PULONG)Fake_ZwVdmControl;//sub_16D2E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwGetNextProcessIndex] = (PULONG)Fake_ZwGetNextProcess;//sub_16E3E;
  g_SS_Filter_Table->ProxySSDTServiceAddress[ZwGetNextThreadIndex] = (PULONG)Fake_ZwGetNextThread;//sub_16F68;
```
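To make the table above concrete, here is an added user-mode C model of the dispatch pattern it sets up; it is not code from hookport.sys, from 360, or from the OP. It mirrors the two proxy tables, picks one from the service-number table bits (bits 12-13 on 32-bit Windows: 0 = native SSDT, 1 = win32k shadow SSDT, which is why the shadow entries above are masked with & 0xFFF), calls the registered Fake_* handler when one is present and the original service otherwise. The struct layout, the service numbers, the Real_*/Fake_* handlers, the protected pid/hwnd and the allow/deny policy are all constructed for illustration and say nothing about 360's real rules.

```c
/* Added example: user-mode model of proxy-table (hookport-style) dispatch.
 * Not the driver's code. Service numbers, handler names and policy values
 * below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED          ((NTSTATUS)0xC0000022)
#define STATUS_INVALID_SYSTEM_SERVICE ((NTSTATUS)0xC000001C)

typedef NTSTATUS (*SERVICE_FN)(uint32_t arg);   /* one-argument stand-in for a syscall */
#define TABLE_SIZE 0x1000                        /* 12-bit index: at most 4096 entries */

/* Model of g_SS_Filter_Table: a NULL entry means "not filtered, call the original". */
typedef struct {
    SERVICE_FN ProxySSDTServiceAddress[TABLE_SIZE];        /* ntoskrnl table (selector 0) */
    SERVICE_FN ProxyShadowSSDTServiceAddress[TABLE_SIZE];  /* win32k table   (selector 1) */
} SS_FILTER_TABLE;

static SS_FILTER_TABLE g_SS_Filter_Table;
static SERVICE_FN g_Ssdt[TABLE_SIZE];        /* stand-in for the native service table */
static SERVICE_FN g_ShadowSsdt[TABLE_SIZE];  /* stand-in for the win32k service table */

/* Constructed service numbers (real values differ per OS build). Shadow numbers
 * carry 0x1000 in bits 12-13, hence the & 0xFFF when indexing the shadow table. */
#define ZwOpenProcessIndex       0x00BEu
#define ZwCreateFileIndex        0x0042u
#define ZwUserFindWindowExIndex  0x117Au

#define PROTECTED_PID   1234u     /* constructed: the "self-protected" process */
#define PROTECTED_HWND  0x5550u   /* constructed: a window that must not be found */

/* Stand-ins for the original services. */
static NTSTATUS Real_ZwOpenProcess(uint32_t pid)    { (void)pid;    return STATUS_SUCCESS; }
static NTSTATUS Real_ZwCreateFile(uint32_t handle)  { (void)handle; return STATUS_SUCCESS; }
static NTSTATUS Real_ZwUserFindWindowEx(uint32_t h) { (void)h;      return STATUS_SUCCESS; }

/* Filter handlers: policy check first, then forward to the original entry.
 * The filter can only veto; the original still does the real work. */
static NTSTATUS Fake_ZwOpenProcess(uint32_t pid) {
    if (pid == PROTECTED_PID) return STATUS_ACCESS_DENIED;
    return g_Ssdt[ZwOpenProcessIndex](pid);
}
static NTSTATUS Fake_ZwUserFindWindowEx(uint32_t hwnd) {
    if (hwnd == PROTECTED_HWND) return STATUS_ACCESS_DENIED;
    return g_ShadowSsdt[ZwUserFindWindowExIndex & 0xFFF](hwnd);
}

/* Dispatcher: split the service number into (table selector, index), consult the
 * proxy table first, fall through to the original when no filter is registered. */
NTSTATUS DispatchService(uint32_t serviceNumber, uint32_t arg) {
    uint32_t table = (serviceNumber >> 12) & 3;
    uint32_t index = serviceNumber & 0xFFF;
    SERVICE_FN proxy, real;
    if (table == 0) {
        proxy = g_SS_Filter_Table.ProxySSDTServiceAddress[index];
        real  = g_Ssdt[index];
    } else if (table == 1) {
        proxy = g_SS_Filter_Table.ProxyShadowSSDTServiceAddress[index];
        real  = g_ShadowSsdt[index];
    } else {
        return STATUS_INVALID_SYSTEM_SERVICE;   /* selectors 2 and 3 are unused on x86 */
    }
    if (proxy) return proxy(arg);
    if (real)  return real(arg);
    return STATUS_INVALID_SYSTEM_SERVICE;
}

/* Register originals and filters the same way the posted table does. */
void InstallFilters(void) {
    memset(&g_SS_Filter_Table, 0, sizeof g_SS_Filter_Table);
    memset(g_Ssdt, 0, sizeof g_Ssdt);
    memset(g_ShadowSsdt, 0, sizeof g_ShadowSsdt);
    g_Ssdt[ZwOpenProcessIndex] = Real_ZwOpenProcess;
    g_Ssdt[ZwCreateFileIndex]  = Real_ZwCreateFile;            /* deliberately unfiltered */
    g_ShadowSsdt[ZwUserFindWindowExIndex & 0xFFF] = Real_ZwUserFindWindowEx;
    g_SS_Filter_Table.ProxySSDTServiceAddress[ZwOpenProcessIndex] = Fake_ZwOpenProcess;
    g_SS_Filter_Table.ProxyShadowSSDTServiceAddress[ZwUserFindWindowExIndex & 0xFFF] = Fake_ZwUserFindWindowEx;
}

int main(void) {
    InstallFilters();
    printf("ZwOpenProcess(%u)        -> 0x%08x\n", PROTECTED_PID,
           (unsigned)DispatchService(ZwOpenProcessIndex, PROTECTED_PID));
    printf("ZwOpenProcess(42)          -> 0x%08x\n",
           (unsigned)DispatchService(ZwOpenProcessIndex, 42));
    printf("ZwUserFindWindowEx(0x%x) -> 0x%08x\n", PROTECTED_HWND,
           (unsigned)DispatchService(ZwUserFindWindowExIndex, PROTECTED_HWND));
    printf("ZwCreateFile(7)            -> 0x%08x\n",
           (unsigned)DispatchService(ZwCreateFileIndex, 7));
    return 0;
}
```

The point of the model is the shape, not the policy: a filter entry is a veto placed in front of the original service, a NULL entry falls straight through, and the shadow-table index is only valid after the table-selector bits are stripped. The real driver does this inside the kernel's system-call path; the model only reproduces the table layout in user mode.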


Latest replies (31)

exile  2012-10-19 20:35
First! I expect this one to take off.

goddkiller  2012-10-19 20:45
Second! I expect it will take off too. The OP's skills run seriously deep!!!

zhouws  2012-10-19 21:00
Is the OP an alt account of 教主 achillis?

I remember he posted screenshots on debugman before.

何健hj  2012-10-19 21:00
I only finished reversing it a month ago... and now you post it. Why didn't I come across you back when I posted that thread asking for hookport? By the way, have you reversed the 360SelfProtection driver? Let's compare notes: 470779368

淡定疯着  2012-10-19 21:28
OP, who on earth are you? Dropping bombshells every day. I'm going to follow you...

ruoko  2012-10-19 22:05
Every post by 冯 gets featured; waiting for this one to be featured too!

achillis  2012-10-19 22:20
Not at all, not at all; I have long since stopped following such matters...

ndayo  2012-10-19 22:46
Bowing to the master.

ruoko  2012-10-19 22:49
What is the purpose of replacing it?
To piggyback on 360 to install hooks?

天涯一鸿  2012-10-19 23:19
I started reversing it a year or two ago... mainly the proxy functions were a bit of a pain... so I kept shelving it...

何健hj  2012-10-20 10:51
Post a restored C version of SelfProtection too...

惊电  2012-10-20 13:45
Studying this, respect!
One question: what is the purpose of doing this?
Put plainly: what is it useful for?

流哥  2012-10-20 14:22
This should be quite popular.

蓝色妖女  2012-10-20 20:05
A lot of effort really went into this.

sinmon  2012-10-20 22:52
Feels really deep; something to study.

linhanshi  2012-10-21 00:54
Thanks for sharing.

exediy  2012-10-21 07:07
If it's for your own use, I'd suggest writing your own; after all, this was written by the digits company (数字公司) with all sorts of security considerations in mind, so it is heavily hard-coded and very complex.

yimingqpa  2012-10-21 08:12
Three months of reversing and then sat on it for half a year?

hackerlzc  2012-10-21 11:00
The OP's skill is truly profound.

Nermor  2012-10-21 19:04
My favorite~

mszjk  2012-10-21 23:21
Bump. 123456

YwdxY  2012-10-22 09:34
Thanks for sharing~
Downloading to study.

evilor  2012-10-22 09:39
mark, thanks for sharing

viphack  2012-10-22 09:42
mark mark