[Help] [Solved] Why does this inline hook of IoAllocateMdl blue-screen? (it already jumps to my proxy function)
2017-10-25 21:40  5349

The code is copied from Tesla.Angela's Win64 driver tutorial; it hooks PsLookupProcessByProcessId successfully.

But hooking IoAllocateMdl fails. Asking the experts for help. Thanks!!

I have already patched the first few bytes of IoAllocateMdl and it jumps to my relay function, but after IoAllocateMdl has executed a few more times it blue-screens.

Code below

#include <ntddk.h>

// Helpers from the Tesla.Angela tutorial that this code relies on but does not show
PVOID GetFunctionAddr(PCWSTR FunctionName);   // resolve an exported kernel routine
ULONG GetPatchSize(PUCHAR Code);              // length of whole instructions covering >= 14 bytes
PVOID kmalloc(SIZE_T Size);                   // NonPagedPool allocation
KIRQL WPOFFx64(VOID);                         // raise IRQL and clear CR0.WP
VOID  WPONx64(KIRQL Irql);                    // restore CR0.WP and IRQL

// Prototype of the original routine. The cast through ori_mdl must use exactly this
// signature: a 32-bit return type (ULONG, int) would keep only the low dword of the MDL pointer
typedef PMDL (*IOALLOCATEMDL)(PVOID VirtualAddress, ULONG Length, BOOLEAN SecondaryBuffer,
                              BOOLEAN ChargeQuota, PIRP Irp);

static PVOID pslp_head_n_byte = NULL;   // original head bytes, needed to unhook on unload
static PVOID ori_mdl          = NULL;   // trampoline: original head bytes + jmp back
static ULONG pslp_patch_size  = 0;

PVOID HookKernelApi(IN PVOID ApiAddress, IN PVOID Proxy_ApiAddress,
                    OUT PVOID *Original_ApiAddress, OUT ULONG *PatchSize);

// Proxy: same parameters and the same PMDL return type as IoAllocateMdl
PMDL newIoAllocateMdl(
    __in_opt PVOID  VirtualAddress,
    __in ULONG  Length,
    __in BOOLEAN  SecondaryBuffer,
    __in BOOLEAN  ChargeQuota,
    __inout_opt PIRP  Irp  OPTIONAL)
{
    if (VirtualAddress == (PVOID)KdEnteredDebugger)
    {
        //DbgPrint("[KdEnteredDebugger] address: %p\n", KdEnteredDebugger);
        VirtualAddress = (PUCHAR)KdEnteredDebugger + 0x30;
    }

    // Call the original through the trampoline; the result is a full 64-bit PMDL
    return ((IOALLOCATEMDL)ori_mdl)
        (VirtualAddress, Length, SecondaryBuffer, ChargeQuota, Irp);
}

// Install the hook
VOID InstallIoAllocateMdlHook(VOID)
{
    PVOID add = GetFunctionAddr(L"IoAllocateMdl");
    pslp_head_n_byte = HookKernelApi(add,
        (PVOID)newIoAllocateMdl,
        &ori_mdl,
        &pslp_patch_size);
}

// In: address of the function to hook, proxy address, pointer receiving the original
// (trampoline) address, pointer receiving the patch length; returns the original head N bytes
PVOID HookKernelApi(IN PVOID ApiAddress, IN PVOID Proxy_ApiAddress,
                    OUT PVOID *Original_ApiAddress, OUT ULONG *PatchSize)
{
    KIRQL irql;
    UINT64 tmpv;
    PVOID head_n_byte, ori_func;
    // FF 25 00 00 00 00 = jmp qword ptr [rip+0]; the 8-byte absolute target follows (14 bytes total)
    UCHAR jmp_code[]         = "\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
    UCHAR jmp_code_orifunc[] = "\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";

    DbgBreakPoint();    // debugging aid left in by the author
    // How many bytes must be patched (whole instructions covering the 14-byte jmp)
    *PatchSize = GetPatchSize((PUCHAR)ApiAddress);
    // step 1: save the current head bytes
    head_n_byte = kmalloc(*PatchSize);
    irql = WPOFFx64();
    memcpy(head_n_byte, ApiAddress, *PatchSize);
    WPONx64(irql);
    // step 2: build the trampoline that runs the original function
    ori_func = kmalloc(*PatchSize + 14);    // original machine code + jmp machine code
    RtlFillMemory(ori_func, *PatchSize + 14, 0x90);
    tmpv = (ULONG64)ApiAddress + *PatchSize;    // jump to the first byte that was not patched
    memcpy(jmp_code_orifunc + 6, &tmpv, 8);
    // note: RIP-relative instructions among the head bytes would break once relocated here
    memcpy((PUCHAR)ori_func, head_n_byte, *PatchSize);
    memcpy((PUCHAR)ori_func + *PatchSize, jmp_code_orifunc, 14);
    *Original_ApiAddress = ori_func;
    // step 3: fill in the jmp to the proxy
    tmpv = (UINT64)Proxy_ApiAddress;
    memcpy(jmp_code + 6, &tmpv, 8);
    DbgBreakPoint();
    // step 4: NOP the patched region and write the hook
    irql = WPOFFx64();
    RtlFillMemory(ApiAddress, *PatchSize, 0x90);
    memcpy(ApiAddress, jmp_code, 14);
    WPONx64(irql);
    // return the original code
    return head_n_byte;
}

Dump below

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000002bff428, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80003e67788, address which referenced memory

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING:  7601.23714.amd64fre.win7sp1_ldr.170307-1800

DUMP_TYPE:  0

BUGCHECK_P1: 2bff428

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80003e67788

READ_ADDRESS:  0000000002bff428 

CURRENT_IRQL:  2

FAULTING_IP: 
nt!IoBuildPartialMdl+58
fffff800`03e67788 418b5328                mov     edx,dword ptr [r11+28h]

CPU_COUNT: 2

CPU_MHZ: 63c

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 45

CPU_STEPPING: 1

CPU_MICROCODE: 6,45,1,0 (F,M,S,R)  SIG: 1D'00000000 (cache) 1D'00000000 (init)

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  csrss.exe

ANALYSIS_SESSION_HOST:  SU

ANALYSIS_SESSION_TIME:  10-25-2017 21:33:19.0216

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

DPC_STACK_BASE:  FFFFF80000BA0FB0

TRAP_FRAME:  fffff80000b9f8e0 -- (.trap 0xfffff80000b9f8e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000000e
rdx=fffffa8003f1b000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003e67788 rsp=fffff80000b9fa70 rbp=fffffa800510fd40
 r8=fffffa8003f1b018  r9=000000000000000e r10=fffffa8003f1c010
r11=0000000002bff400 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe cy
nt!IoBuildPartialMdl+0x58:
fffff800`03e67788 418b5328                mov     edx,dword ptr [r11+28h] ds:00000000`02bff428=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80003f7b502 to fffff80003e81270

STACK_TEXT:  
fffff800`00b9f028 fffff800`03f7b502 : 00000000`02bff428 fffffa80`04342b50 00000000`00000065 fffff800`03ec5bfc : nt!DbgBreakPointWithStatus
fffff800`00b9f030 fffff800`03f7c2ee : 00000000`00000003 00000000`00000000 fffff800`03ec6460 00000000`0000000a : nt!KiBugCheckDebugBreak+0x12
fffff800`00b9f090 fffff800`03e89544 : 00000000`00000100 fffffa80`0433a780 fffffa80`00000001 fffff800`03f05952 : nt!KeBugCheck2+0x71e
fffff800`00b9f760 fffff800`03e889e9 : 00000000`0000000a 00000000`02bff428 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx+0x104
fffff800`00b9f7a0 fffff800`03e87660 : fffffa80`03f19024 00000000`00000000 fffffa80`0510fd40 fffffa80`03f1b018 : nt!KiBugCheckDispatch+0x69
fffff800`00b9f8e0 fffff800`03e67788 : 00000000`00000000 fffffa80`0510fe70 00000000`00000000 fffffa80`0400cb30 : nt!KiPageFault+0x260
fffff800`00b9fa70 fffff880`016d121c : fffffa80`03f1b018 fffffa80`0400cb30 00000000`000000c9 fffff880`0170b600 : nt!IoBuildPartialMdl+0x58
fffff800`00b9fab0 fffff880`0161895e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!NdisAllocateCloneNetBufferList+0x23c
fffff800`00b9fbc0 fffff880`018972d5 : 00000000`00000000 00000000`00000000 00000000`0000001c fffffa80`0400ca00 : NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+0x3e
fffff800`00b9fbf0 fffff880`018858b7 : 00000000`00000000 fffffa80`0400ca00 fffffa80`0400ca00 00000000`00000001 : tcpip!WfpPreprocessInboundMcastBcastIndication+0x35
fffff800`00b9fc20 fffff880`01860188 : fffffa80`00000011 fffff800`00ba0002 fffffa80`04fb6c07 00000000`000025f0 : tcpip!WfpProcessInTransportStackIndication+0x207
fffff800`00b9fdb0 fffff880`01889cc9 : 00000000`00000018 fffffa80`02ef42f0 00000000`00000000 fffff880`0188a9b4 : tcpip!InetInspectReceiveDatagram+0x1d8
fffff800`00b9fe50 fffff880`0188a3d4 : fffffa80`04aa13d0 fffffa80`039ab160 fffffa80`048b9a00 fffffa80`030cb080 : tcpip!UdpBeginMessageIndication+0x89
fffff800`00b9ff70 fffff880`018844de : fffffa80`0357b000 00000000`00000018 fffffa80`00000000 fffff800`00ba00a0 : tcpip!UdpDeliverDatagrams+0x2f4
fffff800`00ba0050 fffff880`0185ba57 : fffffa80`032806b0 fffffa80`0395b101 00000000`00000000 fffff880`00000005 : tcpip!UdpReceiveDatagrams+0x18f
fffff800`00ba0130 fffff880`0185b56a : 00000000`00000000 fffff880`0196ea10 fffff800`00ba02f0 00000000`00000000 : tcpip!IppDeliverListToProtocol+0xf7
fffff800`00ba01f0 fffff880`0185ab21 : fffff880`0196ea10 fffffa80`0400dd40 00000000`00000011 fffff800`00ba02e0 : tcpip!IppProcessDeliverList+0x5a
fffff800`00ba0290 fffff880`018587ff : fffffa80`faffffef fffff880`0196ea10 00000000`00000000 00000000`00000000 : tcpip!IppReceiveHeaderBatch+0x232
fffff800`00ba0390 fffff880`01844c42 : fffffa80`03b1c5a0 00000000`00000000 00000000`00000001 fffff880`00000004 : tcpip!IpFlcReceivePackets+0x64f
fffff800`00ba0590 fffff880`018567d2 : fffffa80`03b1c5a0 fffffa80`032806b0 00000000`00000011 00000000`00000011 : tcpip!IpFlcReceivePreValidatedPackets+0x992
fffff800`00ba06f0 fffff800`03e95e78 : fffffa80`0400d7f0 00000000`00004800 fffffa80`04342b50 00000000`00000000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xa2
fffff800`00ba0740 fffff880`01856f02 : fffff880`01856730 00000000`00000000 00000000`00000002 fffff800`00bb8200 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff800`00ba0820 fffff880`017870eb : fffffa80`03b20010 00000000`00000000 fffffa80`0395b1a0 00000000`00026100 : tcpip!FlReceiveNetBufferListChain+0xb2
fffff800`00ba0890 fffff880`01750ad6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
fffff800`00ba0900 fffff880`016c9aa1 : fffffa80`0395b1a0 00000000`00000003 00000000`00000040 fffffa80`0400ca00 : ndis!ndisMDispatchReceiveNetBufferLists+0x1d6
fffff800`00ba0d80 fffff880`05200776 : 00000000`00000000 00000000`00000040 00000000`00000001 00000000`00000000 : ndis!NdisMIndicateReceiveNetBufferLists+0xc1
fffff800`00ba0dd0 fffff880`052003d1 : 07b407d0`07d00701 fffffa80`0401ea00 00000000`00000000 fffffa80`0363d000 : E1G6032E!RxProcessReceiveInterrupts+0x13a
fffff800`00ba0e40 fffff880`016c9986 : fffffa80`04023580 00000000`00000000 fffffa80`0395b1a0 fffff800`03ed4706 : E1G6032E!E1000HandleInterrupt+0x91
fffff800`00ba0e70 fffff800`03e948fc : fffffa80`040235a8 fffffa80`00000000 00000000`00000000 fffff800`04008e80 : ndis!ndisInterruptDpc+0x1b6
fffff800`00ba0f00 fffff800`03e8bf65 : 00000000`00000000 fffffa80`04342b50 00000000`00000000 fffff880`016c97d0 : nt!KiRetireDpcList+0x1bc
fffff800`00ba0fb0 fffff800`03e8bd7c : 00000000`00000010 00000000`00000282 fffff880`060a70c8 00000000`00000018 : nt!KyRetireDpcList+0x5
fffff880`060a70a0 fffff800`03ed54b3 : fffff800`03e859c0 fffff800`03e85a2c fffffa80`03896000 00000000`00000801 : nt!KiDispatchInterruptContinue
fffff880`060a70d0 fffff800`03e85a2c : fffffa80`03896000 00000000`00000801 00000001`0034f46f 20206f49`00310430 : nt!KiDpcInterruptBypass+0x13
fffff880`060a70e0 fffff880`05406476 : fffff880`060a7390 fffff880`052480d1 00000000`0000015e fffffa80`0465b000 : nt!KiInterruptDispatchNoLock+0x1fc
fffff880`060a7270 fffff880`0527bd54 : fffffa80`0465b000 00000000`00000000 fffff880`060a7390 00000000`00000000 : vm3dmp+0x6476
fffff880`060a72c0 fffff880`052aadb1 : fffffa80`0465b000 fffffa80`0465b000 00000000`00000b01 fffff880`060a7390 : dxgkrnl!DXGADAPTER::DdiSetPointerPosition+0x50
fffff880`060a72f0 fffff960`00670ac9 : 00000000`00000000 fffff900`c00cb020 00000000`0000023e fffff900`c00dccd8 : dxgkrnl!DxgkCddSetPointerPosition+0x151
fffff880`060a7370 fffff960`00036926 : fffff900`c00ef280 fffff960`002070e5 00000000`0001003b fffffa80`04342b50 : cdd!DrvMovePointer+0xf9
fffff880`060a73b0 fffff960`00036628 : fffffa80`041d9ef0 00000000`00000161 fffff900`c00ef280 00000000`00000000 : win32k!vMovePointer+0x76
fffff880`060a73f0 fffff960`0011e7ab : fffffa80`042d8ae0 fffffa80`04bf6a00 8fd2f78b`00000161 59cc907b`b0391094 : win32k!GreMovePointer+0x17c
fffff880`060a7480 fffff960`0011d11d : fffff900`c0196dec 00000000`00034c5a fffff900`c0196d60 00000000`00034c5a : win32k!xxxMoveEventAbsolute+0x203
fffff880`060a7510 fffff960`0011cf74 : fffff900`c0196d60 00000161`0000023e fffff880`060a7ae0 00000000`00000246 : win32k!ProcessMouseInput+0x195
fffff880`060a7580 fffff800`03e7d47d : fffffa80`042d8b10 00000000`00000000 00000000`20707249 00000000`57050884 : win32k!InputApc+0x7c
fffff880`060a75b0 fffff800`03e8e97d : fffffa80`04342c10 00000000`00000000 fffff960`0011cef8 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`060a7630 fffff800`03e8dc8a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
fffff880`060a76c0 fffff960`000bb678 : fffff900`00000002 fffffa80`0324f390 fffff900`00000001 fffff880`0000000d : nt!KeWaitForMultipleObjects+0x272
fffff880`060a7980 fffff960`000bc69b : 00000000`00000000 fffff900`c0177010 fffff960`00317780 00000000`00000004 : win32k!xxxMsgWaitForMultipleObjects+0x108
fffff880`060a7a00 fffff960`00075278 : fffffa80`00000001 fffffa80`0000000c fffffa80`04342b50 fffff6fc`400302d8 : win32k!xxxDesktopThread+0x253
fffff880`060a7a80 fffff960`000f7c9a : fffffa80`00000001 fffff960`00317780 00000000`00000020 00000000`00000000 : win32k!xxxCreateSystemThreads+0x64
fffff880`060a7ab0 fffff800`03e886d3 : fffffa80`04342b50 00000000`00000004 000007ff`fff9e000 00000000`00000000 : win32k!NtUserCallNoParam+0x36
fffff880`060a7ae0 000007fe`fcc91f1a : 000007fe`fcc93759 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0111ff28 000007fe`fcc93759 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : winsrv!ZwUserCallNoParam+0xa
00000000`0111ff30 00000000`7708241c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : winsrv!StartCreateSystemThreads+0x19
00000000`0111ff60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x25


FOLLOWUP_IP: 
NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e
fffff880`0161895e 488bd8                  mov     rbx,rax

FAULT_INSTR_CODE:  48d88b48

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  577e6d2f

STACK_COMMAND:  .thread ; .cxr ; kb

FAILURE_BUCKET_ID:  X64_0xA_NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e

BUCKET_ID:  X64_0xA_NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e

PRIMARY_PROBLEM_CLASS:  X64_0xA_NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e


Replies (7)

#2  woshidc  2017-10-26 10:50
First of all, I'm a newbie.
First, you could debug it with WinDbg: after your hook succeeds, is the assembly following the hooked location in IoAllocateMdl the same as it was before?
For example, if it started out as:
mov eax,eax
add eax,eax
and after the hook it is:
jmp  xxxxx
add eax,eax
then the hook is fine.
If it isn't like that, you accidentally modified the instructions that follow, which could cause the blue screen....
Second, I hope the OP can provide a dump file; from this alone there is too little information....
#3  woshidc  2017-10-26 10:57
If you solve it, please tell us what happened.
#4  大只狼  2017-10-26 11:58
woshidc: First of all, I'm a newbie. First, you could debug it with WinDbg: after your hook succeeds, is the assembly following the hooked location in IoAllocateMdl the same as it was before? For example, if it started out as: mov eax,eax add eax ...
The hook succeeded, there is a jmp xxx; the cause was that my proxy function's return type was defined wrong.
#5  大只狼  2017-10-26 11:58
woshidc: If you solve it, please tell us what happened.
The hook succeeded, there is a jmp xxx; the cause was that my proxy function's return type was defined wrong.
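As an added illustration (not code from this thread or from the tutorial): the wrong return type reported in reply #4 matches the trap frame in the opening post, because a 64-bit MDL pointer returned through a 32-bit type survives only as its low dword, and r11 = 0000000002bff400 is exactly such a value (Arg1 is r11+0x28, and putting back the high dword of the neighbouring pool pointer in rdx lands in the same nonpaged-pool region). The full pre-truncation address ASSUMED_MDL is constructed, since only its low dword is on the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Register and argument values copied from the trap frame in the opening post */
#define DUMP_R11    0x0000000002bff400ULL  /* base of the faulting read            */
#define DUMP_RDX    0xfffffa8003f1b000ULL  /* a healthy nonpaged-pool pointer      */
#define DUMP_ARG1   0x0000000002bff428ULL  /* bugcheck Arg1: memory referenced     */
#define READ_OFFSET 0x28                   /* mov edx, dword ptr [r11+28h]         */

/* Constructed (assumption): the MDL address before truncation. Only its low
   dword 0x02bff400 is in the dump; the high dword is borrowed from rdx. */
#define ASSUMED_MDL 0xfffffa8002bff400ULL

/* A 64-bit pointer returned through a 32-bit type (ULONG, int) survives only
   as eax; the caller sees the low dword with zeros above it. */
uint64_t through_32bit_return(uint64_t kernel_ptr)
{
    uint32_t eax = (uint32_t)kernel_ptr;   /* deliberate truncation */
    return (uint64_t)eax;
}

/* Put the high dword of a known-good sibling pointer back onto the suspect */
uint64_t repair_high_dword(uint64_t suspect, uint64_t sibling)
{
    return (sibling & 0xffffffff00000000ULL) | (suspect & 0xffffffffULL);
}

/* Trap-frame heuristic: x64 kernel pointers always carry a non-zero high
   dword. A non-zero value with a zero high dword that kernel code dereferences
   at DISPATCH_LEVEL, and that lands in the sibling's pool region once repaired,
   is almost certainly a truncated pointer rather than a user-mode address. */
int looks_truncated(uint64_t suspect, uint64_t sibling)
{
    if (suspect == 0 || (suspect >> 32) != 0) return 0;
    if ((sibling >> 32) == 0) return 0;        /* sibling is not a kernel pointer */
    /* same 256 MB window as the sibling allocation */
    return (repair_high_dword(suspect, sibling) >> 28) == (sibling >> 28);
}

int main(void)
{
    printf("r11 + 0x%x = 0x%llx, Arg1 = 0x%llx\n", READ_OFFSET,
           (unsigned long long)(DUMP_R11 + READ_OFFSET), (unsigned long long)DUMP_ARG1);
    printf("r11 looks truncated: %d, repaired: 0x%llx\n",
           looks_truncated(DUMP_R11, DUMP_RDX),
           (unsigned long long)repair_high_dword(DUMP_R11, DUMP_RDX));
    return 0;
}
```

The compiler warns when a pointer is converted to a narrower integer type; treating that warning as an error in a driver build catches this class of bug before it reaches a bugcheck.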
#6  别瞪我  2018-1-13 22:03
I also copied Tesla.Angela's code to hook IoAllocateMdl, but when unloading the driver it blue-screens during the un-inline-hook. How did you unload the driver and restore it?
#7  柒雪天尚  2018-1-13 22:31
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Have you tried adjusting the IRQL?
#8  nsyncxy  2018-5-9 23:21
How do you get the value of KdEnteredDebugger? Hardcode it directly?