
[原创]Hide your InlineHook in Xuetr、Gmer、RKU、KD(技术解封专题)

2013-4-26 19:43
20850
隐藏inlinehook已经不是新鲜招数了,因为我们有隐藏更彻底的hook,木有ark能扫得到,so,这个老技术是时候解封了。

第一种老V已经说了,poolhack~吖把我正在用的方法给公布了,鄙视下 传送门:http://bbs.pediy.com/showthread.php?t=152884

第二种也是老v发布的http://bbs.pediy.com/showthread.php?t=154384

其实就是hook MmIsAddressValid(肯定会有N多人鄙视我了。)

//适用:gmer,rku,KD
// NewMmIsAddressValid -- replacement body installed over nt!MmIsAddressValid.
//
// What the visible code does: at PASSIVE_LEVEL, when the image file name of
// the calling process contains "123123.exe", two hard-coded kernel addresses
// (0x80511000 and 0x805c8000) are reported as invalid (FALSE), so a caller
// that gates its reads on this result skips them. Every other call, and any
// exception raised while looking the process up, is forwarded to whatever
// MmIsAddressValidHookZone points at (presumably a trampoline to the saved
// original -- not shown here).
//
// Review notes (defensive reading):
//  - Both the process name and the two addresses are constants for one
//    machine/kernel build; nothing is derived at run time.
//  - PsGetProcessImageFileName is normally declared by hand (not in public
//    WDK headers) and appears to return the short, truncated ImageFileName
//    field, so strstr only ever sees that prefix -- assumption, confirm.
//  - KdPrint's "%08x" is given a PVOID; "%p" is the matching specifier.
//  - x86-only: 32-bit addresses and __stdcall. On x64, Kernel Patch
//    Protection is expected to flag an inline patch of an exported nt routine.
//  - _FuncRet begins with '_' + upper-case letter: a reserved identifier in C.
//  - Detection angle: a tool should not trust the live MmIsAddressValid to
//    decide what it may read; comparing the routine's first bytes with the
//    on-disk image section exposes an inline patch of this shape.
BOOLEAN __stdcall NewMmIsAddressValid(
	__in PVOID VirtualAddress
	)
{
	MMISADDRESSVALID OldMmIsAddressValid;	// call-through target, resolved from MmIsAddressValidHookZone
	PEPROCESS EProcess;
	char *ProName = NULL;

	__try{
		// process lookup is only attempted at PASSIVE_LEVEL; at any higher
		// IRQL the filter is skipped and the original routine answers
		if (KeGetCurrentIrql() != PASSIVE_LEVEL){
			__leave;
		}
		EProcess = PsGetCurrentProcess();
		ProName = PsGetProcessImageFileName(EProcess);
		if (!ProName){
			__leave;
		}
		// substring match: any image name containing "123123.exe" qualifies
		if (strstr(ProName,"123123.exe") != 0)
		{
			KdPrint(("%s -> %08x\n",ProName,VirtualAddress));

			// the two hard-coded pages are reported as not valid to this
			// process only; all other addresses fall through to the original
			if (VirtualAddress == 0x80511000 ||
				VirtualAddress == 0x805c8000)
			{
				return FALSE;
			}
		}
	}
	__except(EXCEPTION_EXECUTE_HANDLER){
		// any fault while inspecting the process falls back to the original
		goto _FuncRet;
	}
_FuncRet:
	OldMmIsAddressValid = (MMISADDRESSVALID)MmIsAddressValidHookZone;
	return OldMmIsAddressValid(VirtualAddress);
}


你以为到此就完了吗?下面重点说说xuetr~~

xuetr自实现了一个MmIsxxxxxxx,难点在于怎么定位到xuetr的这个函数~~

如果你认认真真看过A盾的代码,就知道自己实现MmIsxxxxxxx会有一个特征码:
// CR4 -- reads the x86 CR4 control register by emitting the raw opcode
// bytes 0F 20 E0 ("mov eax, cr4"). There is no C return statement: the
// value is left in EAX and the caller receives it only because MSVC treats
// EAX as the ULONG return register; any other compiler would yield an
// indeterminate value. The bytes are emitted directly, presumably because
// the inline assembler in use does not accept the control-register form.
// The article's point is that this 3-byte sequence is a stable signature
// for a driver's private re-implementation of MmIsAddressValid (A盾 / XueTr).
__inline ULONG CR4()
{
	// mov eax, cr4
	__asm _emit 0x0F __asm _emit 0x20 __asm _emit 0xE0
}


mov     eax, cr4  // 机器码是 0F 20 E0,用这个特征码即可准确定位到 xuetr 自己实现的 MmIsAddressValid 函数

lkd> dt_driver_object 82256030
	nt!_DRIVER_OBJECT
	+0x000 Type             : 4
	+0x002 Size             : 168
	+0x004 DeviceObject     : 0x82464cf0 _DEVICE_OBJECT
	+0x008 Flags            : 0x12
	+0x00c DriverStart      : 0xb2142000 
	+0x010 DriverSize       : 0x70000
	+0x014 DriverSection    : 0x81f70008 
	+0x018 DriverExtension  : 0x822560d8 _DRIVER_EXTENSION
	+0x01c DriverName       : _UNICODE_STRING "\Driver\XueTr"
	+0x024 HardwareDatabase : 0x80671b60 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
	+0x028 FastIoDispatch   : (null) 
	+0x02c DriverInit       : 0xb21a203e     long  +ffffffffb21a203e     <--------定位这里
	+0x030 DriverStartIo    : (null) 
	+0x034 DriverUnload     : 0xb2190e34     void  +ffffffffb2190e34
	+0x038 MajorFunction    : [28] 0xb2190f5e     long  +ffffffffb2190f5e

	//===================================================================

	lkd> u 0xb21a203e
	b21a203e 8bff            mov     edi,edi
	b21a2040 55              push    ebp
	b21a2041 8bec            mov     ebp,esp
	b21a2043 e8bdffffff      call    b21a2005
	b21a2048 5d              pop     ebp
	b21a2049 e9f8f9feff      jmp     b2191a46     <--------定位这里
	b21a204e cc              int     3
	b21a204f cc              int     3

	//=================================================

	lkd> u b2191a46 l 100
	b2191a46 8bff            mov     edi,edi
	b2191a48 55              push    ebp
	b2191a49 8bec            mov     ebp,esp
	b2191a4b 83ec20          sub     esp,20h
	b2191a4e 53              push    ebx
	b2191a4f 56              push    esi
	b2191a50 57              push    edi
	b2191a51 50              push    eax
	b2191a52 8b4504          mov     eax,dword ptr [ebp+4]
	b2191a55 8945f4          mov     dword ptr [ebp-0Ch],eax
	b2191a58 58              pop     eax
	b2191a59 8b750c          mov     esi,dword ptr [ebp+0Ch]
	b2191a5c 8b4604          mov     eax,dword ptr [esi+4]
	b2191a5f c745fc010000c0  mov     dword ptr [ebp-4],0C0000001h
	b2191a66 85c0            test    eax,eax
	b2191a68 0f8406020000    je      b2191c74
	b2191a6e 50              push    eax
	b2191a6f ff15285019b2    call    dword ptr ds:[0B2195028h]
	b2191a75 3c01            cmp     al,1
	b2191a77 0f85f7010000    jne     b2191c74
	b2191a7d 0fb73e          movzx   edi,word ptr [esi]
	b2191a80 33c0            xor     eax,eax
	b2191a82 663bc7          cmp     ax,di
	b2191a85 0f84e9010000    je      b2191c74
	b2191a8b e860ffffff      call    b21919f0
	b2191a90 3c01            cmp     al,1
	b2191a92 0f85dc010000    jne     b2191c74
	b2191a98 6a02            push    2
	b2191a9a 5b              pop     ebx
	b2191a9b 0fb7c7          movzx   eax,di
	b2191a9e 03c3            add     eax,ebx
	b2191aa0 50              push    eax
	b2191aa1 6a01            push    1
	b2191aa3 ff15fc5019b2    call    dword ptr ds:[0B21950FCh]
	b2191aa9 8bf8            mov     edi,eax
	b2191aab 897df0          mov     dword ptr [ebp-10h],edi
	b2191aae 85ff            test    edi,edi
	b2191ab0 0f84be010000    je      b2191c74
	b2191ab6 0fb706          movzx   eax,word ptr [esi]
	b2191ab9 03c3            add     eax,ebx
	b2191abb 50              push    eax
	b2191abc 6a00            push    0
	b2191abe 57              push    edi
	b2191abf e8822e0000      call    b2194946
	b2191ac4 0fb706          movzx   eax,word ptr [esi]
	b2191ac7 50              push    eax
	b2191ac8 ff7604          push    dword ptr [esi+4]
	b2191acb 57              push    edi
	b2191acc e8692e0000      call    b219493a
	b2191ad1 6a5c            push    5Ch
	b2191ad3 57              push    edi
	b2191ad4 ff15f45019b2    call    dword ptr ds:[0B21950F4h]
	b2191ada 83c420          add     esp,20h
	b2191add 85c0            test    eax,eax
	b2191adf 740c            je      b2191aed
	b2191ae1 03c3            add     eax,ebx
	b2191ae3 33c9            xor     ecx,ecx
	b2191ae5 89450c          mov     dword ptr [ebp+0Ch],eax
	b2191ae8 663b08          cmp     cx,word ptr [eax]
	b2191aeb 7503            jne     b2191af0
	b2191aed 897d0c          mov     dword ptr [ebp+0Ch],edi
	b2191af0 e87309fdff      call    b2162468
	b2191af5 ff750c          push    dword ptr [ebp+0Ch]
	b2191af8 e84bfeffff      call    b2191948
	b2191afd 33c0            xor     eax,eax
	b2191aff 0fb788a24d19b2  movzx   ecx,word ptr [eax-4DE6B25Eh]
	b2191b06 668988a0151ab2  mov     word ptr [eax-4DE5EA60h],cx
	b2191b0d 03c3            add     eax,ebx
	b2191b0f 6685c9          test    cx,cx
	b2191b12 75eb            jne     b2191aff
	b2191b14 bea0151ab2      mov     esi,0B21A15A0h
	b2191b19 8bc6            mov     eax,esi
	b2191b1b 8d5002          lea     edx,[eax+2]
	b2191b1e 668b08          mov     cx,word ptr [eax]
	b2191b21 03c3            add     eax,ebx
	b2191b23 6685c9          test    cx,cx
	b2191b26 75f6            jne     b2191b1e
	b2191b28 8b3df05019b2    mov     edi,dword ptr ds:[0B21950F0h]
	b2191b2e 2bc2            sub     eax,edx
	b2191b30 d1f8            sar     eax,1
	b2191b32 b900010000      mov     ecx,100h
	b2191b37 2bc8            sub     ecx,eax
	b2191b39 51              push    ecx
	b2191b3a ff750c          push    dword ptr [ebp+0Ch]
	b2191b3d 56              push    esi
	b2191b3e ffd7            call    edi
	b2191b40 83c40c          add     esp,0Ch
	b2191b43 e8b802fdff      call    b2161e00
	b2191b48 ff75f4          push    dword ptr [ebp-0Ch]
	b2191b4b 8b5d08          mov     ebx,dword ptr [ebp+8]
	b2191b4e 53              push    ebx
	b2191b4f e8bc46fdff      call    b2166210
	b2191b54 e8b715fbff      call    b2143110        <--------定位这里

	//====================
	lkd> u b2143110 l 100
	b2143110 8bff            mov     edi,edi
	b2143112 55              push    ebp
	b2143113 8bec            mov     ebp,esp
	b2143115 83ec14          sub     esp,14h
	b2143118 53              push    ebx
	b2143119 6a03            push    3
	b214311b c645ff00        mov     byte ptr [ebp-1],0
	b214311f e8c4300200      call    b21661e8
	b2143124 8bd8            mov     ebx,eax
	b2143126 6a02            push    2
	b2143128 895dec          mov     dword ptr [ebp-14h],ebx
	b214312b e8b8300200      call    b21661e8
	b2143130 8945f8          mov     dword ptr [ebp-8],eax
	b2143133 85db            test    ebx,ebx
	b2143135 0f84b6020000    je      b21433f1
	b214313b 85c0            test    eax,eax
	b214313d 0f84ae020000    je      b21433f1
	b2143143 56              push    esi
	b2143144 57              push    edi
	b2143145 8b7b14          mov     edi,dword ptr [ebx+14h]
	b2143148 8b37            mov     esi,dword ptr [edi]
	b214314a 685c005300      push    53005Ch
	b214314f 6a04            push    4
	b2143151 897df0          mov     dword ptr [ebp-10h],edi
	b2143154 e875300200      call    b21661ce
	b2143159 6879007300      push    730079h
	b214315e 6a05            push    5
	b2143160 e869300200      call    b21661ce
	b2143165 6874006500      push    650074h
	b214316a 6a06            push    6
	b214316c e85d300200      call    b21661ce
	b2143171 686d005200      push    52006Dh
	b2143176 6a07            push    7
	b2143178 e851300200      call    b21661ce
	b214317d 686f006f00      push    6F006Fh
	b2143182 6a08            push    8
	b2143184 e845300200      call    b21661ce
	b2143189 6874005c00      push    5C0074h
	b214318e 6a09            push    9
	b2143190 e839300200      call    b21661ce
	b2143195 6873007900      push    790073h
	b214319a 6a0a            push    0Ah
	b214319c e82d300200      call    b21661ce
	b21431a1 6873007400      push    740073h
	b21431a6 6a0b            push    0Bh
	b21431a8 e821300200      call    b21661ce
	b21431ad 6865006d00      push    6D0065h
	b21431b2 6a0c            push    0Ch
	b21431b4 e815300200      call    b21661ce
	b21431b9 6833003200      push    320033h
	b21431be 6a0d            push    0Dh
	b21431c0 e809300200      call    b21661ce
	b21431c5 3bfe            cmp     edi,esi
	b21431c7 0f841f010000    je      b21432ec
	b21431cd 8b4e18          mov     ecx,dword ptr [esi+18h]
	b21431d0 8b150c5119b2    mov     edx,dword ptr ds:[0B219510Ch]
	b21431d6 8b4620          mov     eax,dword ptr [esi+20h]
	b21431d9 8b12            mov     edx,dword ptr [edx]
	b21431db 03c1            add     eax,ecx
	b21431dd 894df4          mov     dword ptr [ebp-0Ch],ecx
	b21431e0 3bca            cmp     ecx,edx
	b21431e2 0f86ed000000    jbe     b21432d5
	b21431e8 3bc2            cmp     eax,edx
	b21431ea 0f86e5000000    jbe     b21432d5
	b21431f0 394df8          cmp     dword ptr [ebp-8],ecx
	b21431f3 0f86dc000000    jbe     b21432d5
	b21431f9 3945f8          cmp     dword ptr [ebp-8],eax
	b21431fc 0f83d3000000    jae     b21432d5
	b2143202 8b15145119b2    mov     edx,dword ptr ds:[0B2195114h]
	b2143208 3bd1            cmp     edx,ecx
	b214320a 0f86c5000000    jbe     b21432d5
	b2143210 3bd0            cmp     edx,eax
	b2143212 0f83bd000000    jae     b21432d5
	b2143218 81f900000090    cmp     ecx,90000000h
	b214321e 0f83b1000000    jae     b21432d5
	b2143224 66837e2404      cmp     word ptr [esi+24h],4
	b2143229 0f86a6000000    jbe     b21432d5
	b214322f 8b4628          mov     eax,dword ptr [esi+28h]
	b2143232 85c0            test    eax,eax
	b2143234 0f849b000000    je      b21432d5
	b214323a 6a01            push    1
	b214323c 50              push    eax
	b214323d e872ab0300      call    b217ddb4            <--------定位这里就是xuetr自己的MmIsAddressValid


然后就和前面的做法没区别了:

//bypass xuetr
// NewXuetrMmIsAddressValid -- replacement for XueTr's private address
// validator (the routine reached by the call at b214323d in the listing
// above). Same shape as NewMmIsAddressValid but with no process or IRQL
// filter: the single hard-coded address 0x804fe000 is reported as invalid,
// everything else is forwarded unchanged through XuetrMmIsAddressValidHookZone
// (presumably the saved original; not shown here).
//
// Review notes:
//  - Type is passed straight through; the listing pushes 1 before the call,
//    but what the tool means by it is not otherwise known from this page.
//  - KdPrint runs on every call and uses "%08x" for a PVOID ("%p" matches);
//    an unconditional trace inside a hot validator is both a cost and a tell.
//  - Patching a third-party driver's internal routine at a signature hit is
//    fragile across that driver's versions; on the defending side, a tool
//    can verify the bytes of such routines against its own image at run time.
BOOLEAN __stdcall NewXuetrMmIsAddressValid(
	__in PVOID VirtualAddress,
	__in int Type
	)
{
	XUETRMMISADDRESSVALID OldXuetrMmIsAddressValid;	// call-through target

	KdPrint(("%08x\n",VirtualAddress));

	// one hard-coded page is hidden from the tool's validator
	if (VirtualAddress == 0x804fe000)
	{
		return FALSE;
	}
	OldXuetrMmIsAddressValid = (XUETRMMISADDRESSVALID)XuetrMmIsAddressValidHookZone;
	return OldXuetrMmIsAddressValid(VirtualAddress,Type);
}


最后广告PS:反游戏保护论坛,专注各种游戏保护的反向研究~:
http://www.antigameprotect.com/


最新回复 (42)
学雄 活跃值 1 2013-4-26 19:49
突然觉得,驱动什么的,不加vm,不加crc,不加动态生成代码,动态解密调用什么的,被人分析好危险啊~
goddkiller 活跃值 2013-4-26 19:53
mark ,thx for share it ~~awesome !!!
流逝时光 活跃值 2013-4-26 21:22
进来学习了!
房有亮 活跃值 3 2013-4-26 22:05
顶起 A总 学习了
crackhell 活跃值 2013-4-26 22:31
学习了。多谢A总分享
蓝色妖女 活跃值 2013-4-27 01:45
A总+V 就是厉害
NianX 活跃值 2 2013-4-27 07:44
学习了,想起A盾的代码双机调试了几遍 学到不少东西 感谢!
caolinkai 活跃值 2013-4-27 08:41
支持盾哥。。。。。。。。。。。。。。。。。
莫灰灰 活跃值 9 2013-4-27 10:07
有bin吗?懒得自己写了,想试试我的AntiSpy,嘿嘿。
莫灰灰 活跃值 9 2013-4-27 10:09
话说其实poolhack的方法,早前在AGP里就看到过了~~
xrootkit 活跃值 2013-4-27 10:20
呃 多谢 分享
hkzlq 活跃值 2013-4-27 10:21
mark一下
guobing 活跃值 2013-4-27 10:35
不加vm,就等于把源码放出来了。。
Winker 活跃值 8 2013-4-27 11:06
  那是我告诉老v的。
Winker 活跃值 8 2013-4-27 11:09
  话说你是男是女~
房有亮 活跃值 3 2013-4-27 11:15
A总又**了
linhanshi 活跃值 2013-4-27 12:16
Thanks for share.
viphack 活跃值 4 2013-4-27 13:51
AntiSpy拿出来给大伙看看
anticode 活跃值 2013-4-27 16:32
多谢楼主分享
cooop 活跃值 2013-4-27 16:36
楼主,我爱你~
qqzsxyz 活跃值 2013-4-27 21:00
好吧 学习啦
hrpirip 活跃值 1 2013-4-28 10:25
NewMmIsAddressValid 够贱啊。
ugvjewxf 活跃值 2013-4-28 10:31
跟随大神,努力顶起,
Winker 活跃值 8 2013-4-28 11:27
贱是猥琐的一个标准。不比ark贱你就干不过ark。