[原创]R3 R0 窗口句柄分析 对抗GetWindow 保护窗口~
2020-9-4 22:06 2751


系统版本:Microsoft Windows [版本 10.0.18362.175]

//用户层========================
//本来以为移除就好!最后竟然无法修改内存!!!!!
// User-mode (ring-3) view of a window object, laid out by the post for
// Windows 10 build 18362 (see the version line above). Only the fields the
// code below touches are named; everything else is opaque padding.
// NOTE(review): these offsets are build-specific and were not derived from
// symbols here — re-verify them before using this on any other build.
struct tagWnd_r3
{
   __int64 h; //0x0000  presumably the window's own handle value (mirrors the kernel object's header below) — confirm
    __int64 offset; //0x0008  GetNextHwnd/GetPrveHwnd subtract this from the object address to get the base the link fields are relative to (presumably the mapped shared heap base) — confirm
    char pad_0x0010[0x38]; //0x0010
    __int64 nextOffset; //0x0048  link to the next sibling, relative to that base
    __int64 piveOffset; //0x0050  link to the previous sibling (the post's spelling of "prev"), relative to that base
    char pad_0x0058[0xF8]; //0x0058
    PWCHAR name; //0x0150  window name; not used by any code in this listing
};

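// Resolve an HWND to its user-mode window object (tagWnd_r3*) by calling
// user32's internal, unexported ValidateHwnd.
//
// The internal routine is located by signature: the first E8 (near CALL)
// opcode within the first 100 bytes of the exported GetWindowTextA is taken
// to be a call into ValidateHwnd and its rel32 target is decoded. That is
// build-specific (the author checked it only on 10.0.18362): on another
// build the first E8 byte may be an operand or a call elsewhere, so the
// decoded target is sanity-checked against user32's image bounds before it
// is called — calling through a bogus pointer is a crash at best.
//
// Returns nullptr if user32 is not loaded, the export or the CALL byte is
// not found, the decoded target lies outside user32, or the internal
// routine itself returns nullptr (invalid handle).
tagWnd_r3* ValidateHwnd(HWND hwnd)
{
   HMODULE hModule = GetModuleHandle(TEXT("user32.dll"));
   if(hModule == 0)
   {
      return nullptr;
   }

   UINT_PTR ulGetMsgFunc = (UINT_PTR)GetProcAddress(hModule,"GetWindowTextA");
   if(ulGetMsgFunc == 0)
   {
      return nullptr;
   }

   // 100 bytes is the original scan window; memchr returns NULL when no
   // E8 byte is present, which the original dereferenced unconditionally.
   const size_t kScanBytes = 100;
   UINT_PTR ptr = (UINT_PTR)memchr((PVOID)ulGetMsgFunc, 0xE8, kScanBytes);
   if(ptr == 0)
   {
      return nullptr; // signature did not match this build
   }

   // E8 rel32: target = address of the next instruction (ptr + 5) + rel32.
   UINT_PTR addr = *(PLONG)(ptr + 1) + ptr + 5;

   // Reject a target outside user32's mapped image. SizeOfImage comes from
   // the module's own PE header (winnt.h types, already pulled in with the
   // Win32 headers this file needs).
   PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)hModule;
   PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((UINT_PTR)hModule + dos->e_lfanew);
   UINT_PTR imageBase = (UINT_PTR)hModule;
   UINT_PTR imageEnd = imageBase + nt->OptionalHeader.SizeOfImage;
   if(addr < imageBase || addr >= imageEnd)
   {
      return nullptr; // not a call into user32: refuse to execute it
   }

   tagWnd_r3* (__fastcall * _ValidateHwnd)(HWND) = (tagWnd_r3* (__fastcall *)(HWND)) addr;
   return _ValidateHwnd(hwnd);
}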

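// Follow the window's "next sibling" link in the user-mode view.
//
// The link fields hold offsets, not pointers: the object's own `offset` is
// subtracted from its address to recover the base the links are relative to
// (presumably the mapped shared heap base — confirm), and `nextOffset` is
// added back to land on the next object.
//
// Returns nullptr for a null input (ValidateHwnd returns nullptr for an
// invalid handle and main() passes that straight through here) and for a
// zero link, which is taken to mean "no next sibling" — the kernel list
// below uses plain pointers for the same links, presumably NULL-terminated.
tagWnd_r3* GetNextHwnd(tagWnd_r3* hwnd)
{
   if(hwnd == nullptr || hwnd->nextOffset == 0)
   {
      return nullptr;
   }
   INT_PTR base = (INT_PTR)hwnd - hwnd->offset;
   return (tagWnd_r3*)(base + hwnd->nextOffset);
}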

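// Follow the window's "previous sibling" link in the user-mode view.
//
// Same scheme as GetNextHwnd: `offset` is subtracted from the object address
// to recover the base the links are relative to (presumably the mapped
// shared heap base — confirm), then `piveOffset` (the post's "prev") is added.
//
// Returns nullptr for a null input and for a zero link, which is taken to
// mean "no previous sibling"; the original would otherwise return the bare
// base address, which is not a window object.
tagWnd_r3* GetPrveHwnd(tagWnd_r3* hwnd)
{
   if(hwnd == nullptr || hwnd->piveOffset == 0)
   {
      return nullptr;
   }
   INT_PTR base = (INT_PTR)hwnd - hwnd->offset;
   return (tagWnd_r3*)(base + hwnd->piveOffset);
}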

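// Unlink the window from its sibling list in the user-mode view by pointing
// the previous sibling's next-link and the next sibling's prev-link past it.
//
// Each side is relinked only if that neighbour resolves; the original
// dereferenced both unconditionally, so a nullptr from ValidateHwnd or a
// list end was an access violation before the intended fault even happened.
//
// NOTE(review): as the author found (see main()), the mapping user32 reads
// these objects from is not writable from ring 3, so the two stores below
// fault — this cannot hide a window from user mode. Even where the memory is
// writable (the ring-0 variant further down), fixing only the sibling links
// leaves the window reachable through its parent's child pointer if it is
// the first child, and through the handle table.
void RemoveHwnd(tagWnd_r3* hwnd)
{
    if(hwnd == nullptr)
    {
        return;
    }

    tagWnd_r3* Next = GetNextHwnd(hwnd);
    tagWnd_r3* Prve = GetPrveHwnd(hwnd);

    if(Prve != nullptr)
    {
        Prve->nextOffset = hwnd->nextOffset;
    }
    if(Next != nullptr)
    {
        Next->piveOffset = hwnd->piveOffset;
    }
}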

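// Demo entry point: resolve one hard-coded HWND and try to unlink it from
// its sibling list. The handle value is only meaningful on the machine and
// session it was captured from; it will not resolve elsewhere.
//
// Returns 1 if the handle does not resolve to a window object, else 0.
// The author's own finding: the stores in RemoveHwnd target a shared mapping
// that is not writable from user mode, so expect a fault there rather than
// a hidden window.
int main()
{
   tagWnd_r3* h = ValidateHwnd((HWND)0x00070354);
   if(h == nullptr)
   {
      return 1; // stale handle or signature mismatch on this build
   }

   RemoveHwnd(h);
   return 0;
}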

//内核层r0===============================
//测试了下  窗口会卡死不能动  
// Kernel-mode (ring-0) window object, partial layout for build 18362 as
// given in the post. Unlike the user-mode view above, the sibling links here
// are real pointers, and the stores in RemoveWnd below do take effect (the
// author observed the target window freezing afterwards).
// NOTE(review): `pad_0x0008` is named for offset 0x08 but annotated 0x18;
// with spwndNext annotated at 0x58 and 0x40 bytes of padding, 0x18 is the
// consistent start (i.e. a 0x18-byte THRDESKHEAD). Offsets are not
// symbol-derived here — re-check against win32k symbols before relying on
// them. The bare `_tagWnd*` member type is valid because this listing is
// C++ (nullptr/auto are used); in C it would need `struct _tagWnd*`.
typedef struct _tagWnd
{
    THRDESKHEAD hwnd; //0x0000  object header
    char pad_0x0008[0x40]; //0x0018
    _tagWnd* spwndNext; //0x0058  next sibling
    _tagWnd*  spwndPrev; //0x0060  previous sibling
    _tagWnd*  spwndParent; //0x0068
    _tagWnd*  spwndChild; //0x0070  presumably the parent's first child — relevant to RemoveWnd, see note there
    _tagWnd*  spwndOwner; //0x0078
    char pad_0x0080[0x38]; //0x0080
    PWCHAR strName; //0x00B8  window name; not used by the code below
} tagWnd, *pTagWnd;

// Resolve a window handle to its kernel tagWnd by indexing win32k's handle
// table directly rather than through any win32k routine.
//
// Lookup as written: the low 16 bits of the handle are the table index; an
// entry size is read from g_gSharedInfo+0x10; the index is scaled by it,
// shifted right by 5 and multiplied by 0x18, and that byte offset is added
// to the table base read through g_gpKernelHandleTable. The first pointer
// in the resulting entry is returned as the window object. The shift-and-
// multiply looks like a transcription of compiled arithmetic rather than a
// formula derived from the structures — treat it as build-specific and
// confirm against the real entry layout before use. Both globals are left
// to the caller to locate (symbols or a byte pattern, per the comments).
//
// NOTE(review): only the low 16 bits participate. Nothing checks the
// handle's upper bits against the entry, nor that the entry is of window
// type, so — assuming the table entries carry the usual type/generation
// fields — a stale or non-window HWND resolves to an unrelated object and
// RemoveWnd then writes into it. MmIsAddressValid only says a page is
// mapped right now; it is neither a type nor an ownership check and can be
// stale by the time the pointer is dereferenced.
//
// Returns nullptr when the table base or the computed entry address fails
// MmIsAddressValid; otherwise the (unvalidated) object pointer.
pTagWnd getWindowTagWnd(ULONG hwnd)
{
    ULONG cx = hwnd & 0xffff; // handle table index

    ULONG_PTR gpKernelHandleTable = *(PULONG_PTR)g_gpKernelHandleTable; // g_gpKernelHandleTable: locate via symbols or a byte pattern

    if(!MmIsAddressValid((PVOID)gpKernelHandleTable))
    {
        return nullptr;
    }
    // g_gSharedInfo: locate via symbols or a byte pattern; +0x10 is read as the entry size
    ULONG_PTR gSharedInfo = (ULONG_PTR)g_gSharedInfo + 0x10;
    gSharedInfo =  *(PULONG_PTR)gSharedInfo;

    gSharedInfo = gSharedInfo * cx;

    // presumably mirrors the compiled scaling in user32/win32k — confirm
    gSharedInfo = gSharedInfo >> 5;
    gSharedInfo = gSharedInfo * 0x18;

    gpKernelHandleTable = gpKernelHandleTable+ gSharedInfo;
     if(!MmIsAddressValid((PVOID)gpKernelHandleTable))
    {
        return nullptr;
    }
    pTagWnd tagWnd = (pTagWnd)( *(PULONG_PTR)gpKernelHandleTable); // first field of the entry, taken to be the object pointer

    return tagWnd;
}

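// Unlink a window from its sibling list in the kernel object so list walks
// (GetWindow and friends) skip it.
//
// Returns false, touching nothing, when the handle does not resolve. Each
// side is relinked only if that neighbour is non-NULL: the original
// dereferenced the object and both neighbours unconditionally, and in
// kernel mode a NULL from getWindowTagWnd (table address failed validation)
// or a NULL link at a list end is a null dereference, i.e. a bugcheck.
//
// NOTE(review): this only fixes up spwndNext/spwndPrev. If the window is its
// parent's first child, the parent's spwndChild presumably still points at
// it, and the handle table entry is untouched, so the window stays reachable
// both ways. The list is also edited without whatever lock win32k takes
// around it; the author saw the window freeze after this call, which is
// consistent with win32k later walking an inconsistent list.
bool RemoveWnd(ULONG hwnd)
{
    pTagWnd removeWnd = getWindowTagWnd(hwnd);
    if(removeWnd == nullptr)
    {
        return false;
    }

    pTagWnd prev = removeWnd->spwndPrev;
    pTagWnd next = removeWnd->spwndNext;

    // Relink each side independently so a list end on one side does not
    // stop the other side from being fixed up.
    if(prev != nullptr)
    {
        prev->spwndNext = next;
    }
    if(next != nullptr)
    {
        next->spwndPrev = prev;
    }

    return true;
}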


最后于 2020-9-4 22:14 被~时光荏苒编辑 ,原因: 加入内核
最新回复 (4)
hhkqqs 活跃值 1 2020-9-4 22:54
ring3能直接改这种内存建议直接跟微软要钱
yy虫子yy 活跃值 2020-9-5 02:05
隐藏窗口,移除总是会出各种问题,最稳定的方式还只能hook
killpy 活跃值 2 2020-9-5 19:42
编程小白 活跃值 2020-9-7 18:32
建议看看Intel 手册。 操作系统想在cpu上跑起来,必须遵循cpu的规矩。现在家用的基本都是x86架构的,直接看Intel手册会让你学到更多