首页
论坛
专栏
课程

[原创]驱动层代码隐藏执行(有码)

2019-8-9 00:54 3445

[原创]驱动层代码隐藏执行(有码)

2019-8-9 00:54
3445

原理:

使用修改页面pte的方式,在执行被隐藏代码前切换pte至隐藏页面,执行完成后切换回初始页面。

使用方法及注意事项:

此方法局限性比较大,对代码的api调用等要求较高,且只适用于代码较少的情况。
其他注意事项见HiddenExecute.h

关键代码:

添加、删除隐藏页面记录:
NTSTATUS AddHiddenPageRecord(ULONG64 CR3, PVOID pHiddenPageBase, PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;
	//prevent mulit-thread change the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//check count
	MyPrint(_TitleAndFunc"pHiddenPageRecord->Count:%16IX\n", pHiddenPageRecord->Count);
	if (pHiddenPageRecord->Count == MAX_HIDDEN_PAGE_COUNT)
		goto Lable_Error;

	//add pPTE record
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = &pHiddenPageRecord->Record[pHiddenPageRecord->Count];

	pCurrentRecord->pPTE = pGetSpecificAddresspPTEPhysical(CR3, pHiddenPageBase);
	MyPrint(_TitleAndFunc"pCurrentRecord->pPTE:%16IX\n", pCurrentRecord->pPTE);
	if (pCurrentRecord->pPTE == NULL)
		goto Lable_Error;
	
	//add hidden virtual address record
	pCurrentRecord->pHiddenBase = pHiddenPageBase;
	MyPrint(_TitleAndFunc"pCurrentRecord->pHiddenBase:%16IX\n", pCurrentRecord->pHiddenBase);

	//add original pfn record
	ContextVirtualToPhysical(&g_PhysicalOpCR3);
	pCurrentRecord->OriginalPfn = pCurrentRecord->pPTE->PageFrameNumber;
	ContextPhysicalToVirtual(&g_PhysicalOpCR3);

	MyPrint(_TitleAndFunc"pCurrentRecord->OriginalPfn:%16IX\n", pCurrentRecord->OriginalPfn);

	//add hidden pfn record 
	//allocate memory
	//record the physical address
	//then free the memory and mark it as bad
	PVOID	TemporaryVirtual = MmAllocateNonCachedMemory(PAGE_SIZE);
	if (TemporaryVirtual == NULL)
		goto Lable_Error;

	PHYSICAL_ADDRESS	TemporaryPhysical = MmGetPhysicalAddress(TemporaryVirtual);
	LARGE_INTEGER		PhysicalLength = { 0 };
	PhysicalLength.QuadPart = PAGE_SIZE;

	pCurrentRecord->HiddenPfn = pPhysicalAddresstoPTEPFN((PVOID)(TemporaryPhysical.QuadPart));
	MyPrint(_TitleAndFunc"pCurrentRecord->HiddenPfn:%16IX\n", pCurrentRecord->HiddenPfn);

	MmFreeNonCachedMemory(TemporaryVirtual, PAGE_SIZE);
	
	Status = MmMarkPhysicalMemoryAsBad(&TemporaryPhysical, &PhysicalLength);

	//copy codes to the new non-mapped physical address
	ContextVirtualToPhysical(&g_PhysicalOpCR3);
	RtlCopyMemory((PVOID)(TemporaryPhysical.QuadPart),
		pCurrentRecord->pHiddenBase,
		PAGE_SIZE
	);
	ContextPhysicalToVirtual(&g_PhysicalOpCR3);

	//check the mark state
	if (!NT_SUCCESS(Status))
		goto Lable_Error;

	//the last step:count +1
	pHiddenPageRecord->Count++;

	//release spin lock
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_UNSUCCESSFUL;
}
NTSTATUS RemoveAndRestoreAllHiddenPageRecord(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;
	//prevent mulit-thread change the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//assert we have elements
	if (pHiddenPageRecord->Count == 0)
		goto Lable_Error;

	//restore all records and mark all the hidden physical memory as good
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = NULL;
	PHYSICAL_ADDRESS				CurrentHiddenPhysical = { 0 };
	LARGE_INTEGER					PhysicalLength = { 0 };

	PhysicalLength.QuadPart = PAGE_SIZE;

	for (int i = 0; i < pHiddenPageRecord->Count; i++)
	{
		pCurrentRecord = &pHiddenPageRecord->Record[i];
		CurrentHiddenPhysical.QuadPart = (ULONG64)pPTEPFNtoPhysicalAddress(pCurrentRecord->HiddenPfn);

		//mark it as good
		MmMarkPhysicalMemoryAsGood(&CurrentHiddenPhysical, &PhysicalLength);

		//restore all page mapping relations
		ContextVirtualToPhysical(&g_PhysicalOpCR3);
		pCurrentRecord->pPTE->PageFrameNumber = pCurrentRecord->OriginalPfn;
		ContextPhysicalToVirtual(&g_PhysicalOpCR3);

		//invalid the TLB of current hidden address
		__invlpg(pCurrentRecord->pHiddenBase);
	}

	//set count to zero
	pHiddenPageRecord->Count = 0;

	//release spin lock
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_UNSUCCESSFUL;
}

彩蛋:

PhysicalMemoryOperation.h是个好玩的东西,想想还能怎么玩?

下载:



[公告]安全服务和外包项目请将项目需求发到看雪企服平台:https://qifu.kanxue.com

最新回复 (5)
niuzuoquan 2019-8-9 11:25
2
0
mark
TopC 2019-8-9 13:39
3
0
感谢分享
萌克力 2019-8-9 19:52
4
0
我也实现过,但是对于某些ac来说会造成系统很卡的情况
yirucandy 4 2019-8-13 11:41
5
0
谢谢楼主!
鬼才zxy 1 2019-8-16 02:24
6
0
萌克力 我也实现过,但是对于某些ac来说会造成系统很卡的情况
哪些?
游客
登录 | 注册 方可回帖
返回