
Win7 内核重载 1 ——内核版PELoader [复制链接]

只看楼主 倒序阅读 使用道具 楼主  发表于: 2016-02-04

重载的重点,其实就是自己实现一个山寨版的 Windows PELoader;所谓重载,就是把一个模块自己重新加载一份到另一块内存中,然后运行它。

所谓内核重载,则是将内核文件(即 ntkrnlpa.exe)自己加载一份到内存并运行它。这样做的好处是可以避免一切 HOOK(如 SSDT Hook、Inline Hook 等):这些 HOOK 仍然作用于原来的内核,而 Windows 实际执行的是我们自己加载的那份内核。

废话不多说,开始干起来。首先查找内核模块,遍历内核模块的方式有很多种,这里我使用的是通过 LDR 链表:



  // Look up a loaded kernel module by its base file name.
  //
  // The walk starts at the calling driver's own loader entry (DriverSection)
  // and follows InLoadOrderLinks around the loader list until it returns to
  // the starting entry. BaseDllName is compared case-sensitively (the third
  // argument to RtlCompareUnicodeString is FALSE).
  //
  // pDriverObject - the caller's driver object; its DriverSection is the
  //                 list entry the walk begins from.
  // strDriverName - NUL-terminated base name to match, e.g. L"ntkrnlpa.exe".
  //
  // Returns the matching entry, or 0 when DriverSection is NULL or no entry
  // matches. No lock is taken around the walk, so the list can change under
  // it if a module is loaded or unloaded concurrently.
  PLDR_DATA_TABLE_ENTRY SearchDriver(PDRIVER_OBJECT pDriverObject, wchar_t *strDriverName)
  {
      UNICODE_STRING        usTarget;
      LDR_DATA_TABLE_ENTRY *pHead;
      PLIST_ENTRY           pLink;

      RtlInitUnicodeString(&usTarget, strDriverName);

      pHead = (LDR_DATA_TABLE_ENTRY *)pDriverObject->DriverSection;
      if (pHead == NULL)
      {
          return 0;
      }

      // The original cast pList straight to an entry pointer, which relies on
      // InLoadOrderLinks being the first member; CONTAINING_RECORD yields the
      // same address while stating that relationship explicitly.
      for (pLink = pHead->InLoadOrderLinks.Flink;
           pLink != &pHead->InLoadOrderLinks;
           pLink = pLink->Flink)
      {
          LDR_DATA_TABLE_ENTRY *pEntry =
              CONTAINING_RECORD(pLink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

          if (RtlCompareUnicodeString(&pEntry->BaseDllName, &usTarget, FALSE) == 0)
          {
              return pEntry;
          }
      }

      return 0;
  }
找到内核模块,就开始读文件到内存~




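  // Read exactly Length bytes from hFile at absolute offset Offset into Buffer.
  //
  // Returns the ZwReadFile status, or STATUS_END_OF_FILE when the call
  // succeeded but delivered fewer bytes than requested. Without that check a
  // short read (truncated or non-PE file) would silently leave part of the
  // image buffer as zeros while still reporting success.
  static NTSTATUS ReadFileExact(HANDLE hFile, LONGLONG Offset, PVOID Buffer, ULONG Length)
  {
      NTSTATUS        Status;
      IO_STATUS_BLOCK IoStatusBlock;
      LARGE_INTEGER   FileOffset;

      FileOffset.QuadPart = Offset;
      Status = ZwReadFile(hFile, NULL, NULL, NULL, &IoStatusBlock,
                          Buffer, Length, &FileOffset, NULL);
      if (!NT_SUCCESS(Status))
      {
          return Status;
      }
      if (IoStatusBlock.Information < Length)
      {
          return STATUS_END_OF_FILE;
      }
      return Status;
  }

  // Load a PE image file into a fresh non-paged pool allocation laid out as it
  // would be in memory (headers at offset 0, each section at its
  // VirtualAddress, uninitialized tails zero-filled), then relocate it with
  // FixRelocTable.
  //
  // lpFileName     - NT path of the image file.
  // lpVirtualPoint - receives the base of the new image on success and is set
  //                  to NULL on every failure path. The buffer is owned by the
  //                  caller afterwards and is freed with ExFreePool.
  // pOriImage      - base of the already-loaded original image; passed
  //                  through to FixRelocTable unchanged.
  //
  // Returns STATUS_SUCCESS; the failing Zw* status; STATUS_END_OF_FILE for a
  // short read; STATUS_INVALID_IMAGE_FORMAT when the headers are not a
  // well-formed PE (bad signatures, no sections, headers or a section that do
  // not fit inside SizeOfImage); STATUS_INSUFFICIENT_RESOURCES when the pool
  // allocation fails.
  NTSTATUS ReadFileToMemory(LPWSTR lpFileName, PVOID* lpVirtualPoint, PVOID pOriImage)
  {
      NTSTATUS                Status;
      HANDLE                  hFile;
      OBJECT_ATTRIBUTES       ObjAttr;
      UNICODE_STRING          usFileName;
      IO_STATUS_BLOCK         IoStatusBlock;
      PUCHAR                  pImage = NULL;
      PIMAGE_SECTION_HEADER   pSections;
      ULONG                   uSizeOfImage;
      ULONG                   uSizeOfHeaders;
      ULONG                   uSectionTableOffset;
      ULONG                   uSectionTableSize;
      ULONG                   uIndex;
      IMAGE_DOS_HEADER        DosHeader;
      IMAGE_NT_HEADERS        NtHeaders;

      *lpVirtualPoint = NULL;

      RtlInitUnicodeString(&usFileName, lpFileName);

      // OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
      // table, so user-mode code in that process cannot reach it.
      InitializeObjectAttributes(
          &ObjAttr,
          &usFileName,
          OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
          NULL,
          NULL);

      // Least privilege: the file is only ever read, so ask for read access
      // rather than FILE_ALL_ACCESS. FILE_SYNCHRONOUS_IO_NONALERT makes every
      // ZwReadFile complete before it returns; on an asynchronous handle a
      // read can return STATUS_PENDING (which NT_SUCCESS accepts) while the
      // buffer is still being filled.
      Status = ZwCreateFile(
          &hFile,
          GENERIC_READ | SYNCHRONIZE,
          &ObjAttr,
          &IoStatusBlock,
          NULL,
          FILE_ATTRIBUTE_NORMAL,
          FILE_SHARE_READ,
          FILE_OPEN,
          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
          NULL,
          0);

      if (!NT_SUCCESS(Status))
      {
          DbgPrint("ZwCreateFile faild\n");
          return Status;
      }

      // DOS header: validate e_magic before trusting e_lfanew.
      Status = ReadFileExact(hFile, 0, &DosHeader, sizeof(DosHeader));
      if (!NT_SUCCESS(Status))
      {
          DbgPrint("ZwReadFile ImageDosHeader faild\n");
          goto cleanup;
      }
      if (DosHeader.e_magic != IMAGE_DOS_SIGNATURE || DosHeader.e_lfanew < 0)
      {
          DbgPrint("Not a PE image (bad DOS header)\n");
          Status = STATUS_INVALID_IMAGE_FORMAT;
          goto cleanup;
      }

      // NT headers: validate the signature and the sizes everything below
      // depends on.
      Status = ReadFileExact(hFile, DosHeader.e_lfanew, &NtHeaders, sizeof(NtHeaders));
      if (!NT_SUCCESS(Status))
      {
          DbgPrint("ZwReadFile ImageNtHeader faild\n");
          goto cleanup;
      }
      if (NtHeaders.Signature != IMAGE_NT_SIGNATURE ||
          NtHeaders.FileHeader.NumberOfSections == 0)
      {
          DbgPrint("Not a PE image (bad NT header)\n");
          Status = STATUS_INVALID_IMAGE_FORMAT;
          goto cleanup;
      }

      uSizeOfImage   = NtHeaders.OptionalHeader.SizeOfImage;
      uSizeOfHeaders = NtHeaders.OptionalHeader.SizeOfHeaders;

      // The section table follows the optional header; use SizeOfOptionalHeader
      // rather than assuming it equals sizeof(IMAGE_OPTIONAL_HEADER).
      uSectionTableOffset = (ULONG)DosHeader.e_lfanew +
                            FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +
                            NtHeaders.FileHeader.SizeOfOptionalHeader;
      // NumberOfSections is 16-bit, so this product cannot overflow a ULONG.
      uSectionTableSize = NtHeaders.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);

      // Headers (including the whole section table) must fit inside the
      // header region, and the header region inside the image.
      if (uSizeOfHeaders > uSizeOfImage ||
          uSectionTableOffset > uSizeOfHeaders ||
          uSectionTableSize > uSizeOfHeaders - uSectionTableOffset)
      {
          DbgPrint("PE headers do not fit in SizeOfHeaders/SizeOfImage\n");
          Status = STATUS_INVALID_IMAGE_FORMAT;
          goto cleanup;
      }

      // NonPagedPool is kept from the original: the copy is meant to be
      // executed later, so it must not be moved to a no-execute pool type.
      // The tag ('rdLP') is a constant chosen for this loader.
      pImage = (PUCHAR)ExAllocatePoolWithTag(NonPagedPool, uSizeOfImage, 'rdLP');
      if (pImage == NULL)
      {
          DbgPrint("ExAllocatePool pVirtualAddress faild\n");
          Status = STATUS_INSUFFICIENT_RESOURCES;
          goto cleanup;
      }
      RtlZeroMemory(pImage, uSizeOfImage);

      // Copy the entire header region in one read instead of reassembling it
      // piecewise; the section table is then read in place.
      Status = ReadFileExact(hFile, 0, pImage, uSizeOfHeaders);
      if (!NT_SUCCESS(Status))
      {
          DbgPrint("ZwReadFile pImageSectionHeader faild\n");
          goto cleanup;
      }
      pSections = (PIMAGE_SECTION_HEADER)(pImage + uSectionTableOffset);

      for (uIndex = 0; uIndex < NtHeaders.FileHeader.NumberOfSections; uIndex++)
      {
          PIMAGE_SECTION_HEADER pSec = &pSections[uIndex];
          ULONG uCopySize = pSec->SizeOfRawData;

          // Only the initialized bytes come from the file; the buffer is
          // already zeroed, which is exactly what a VirtualSize larger than
          // SizeOfRawData asks for. Reading max(VirtualSize, SizeOfRawData)
          // as before pulled the next section's raw bytes into this one's
          // uninitialized tail.
          if (pSec->Misc.VirtualSize != 0 && pSec->Misc.VirtualSize < uCopySize)
          {
              uCopySize = pSec->Misc.VirtualSize;
          }
          if (uCopySize == 0)
          {
              continue;   // e.g. a bss-style section with no raw data
          }

          // Both ends of the destination range must lie inside the
          // allocation; written so the addition cannot wrap.
          if (pSec->VirtualAddress > uSizeOfImage ||
              uCopySize > uSizeOfImage - pSec->VirtualAddress)
          {
              DbgPrint("Section %lu does not fit in SizeOfImage\n", uIndex);
              Status = STATUS_INVALID_IMAGE_FORMAT;
              goto cleanup;
          }

          Status = ReadFileExact(hFile, pSec->PointerToRawData,
                                 pImage + pSec->VirtualAddress, uCopySize);
          if (!NT_SUCCESS(Status))
          {
              DbgPrint("ZwReadFile ImageSectionHeader faild\n");
              goto cleanup;
          }
      }

      FixRelocTable(pImage, pOriImage);

      DbgPrint("OK\n");
      *lpVirtualPoint = pImage;
      pImage = NULL;              // ownership transferred to the caller
      Status = STATUS_SUCCESS;

  cleanup:
      // ExFreePool(NULL) is a bugcheck, unlike free(NULL), so the guard is needed.
      if (pImage != NULL)
      {
          ExFreePool(pImage);
      }
      ZwClose(hFile);
      return Status;
  }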



接下来这步也是最关键一步,就是修复重定位表:



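  // Apply the base relocations of the freshly loaded copy at pNewImage.
  //
  // The delta applied is (pOriImage - ImageBase), not (pNewImage - ImageBase),
  // exactly as in the original code: every absolute address inside the copy
  // is rewritten to point into the original, already-loaded image rather than
  // into the copy itself. Keep that in mind before "correcting" the delta.
  //
  // pNewImage - base of the copy produced by ReadFileToMemory (headers at
  //             offset 0, sections at their VirtualAddress).
  // pOriImage - base of the original mapping the copy's references are
  //             aimed at.
  //
  // Only IMAGE_REL_BASED_HIGHLOW entries are applied (32-bit image);
  // IMAGE_REL_BASED_ABSOLUTE entries are alignment padding and every other
  // type is skipped as well. A malformed table — directory outside the image,
  // a block smaller than its own header (which would never advance the walk)
  // or larger than what remains, a target that does not fit inside the image —
  // ends the walk instead of looping forever or writing out of bounds.
  void FixRelocTable(PVOID pNewImage, PVOID pOriImage)
  {
      PUCHAR                  pBase = (PUCHAR)pNewImage;
      PIMAGE_DOS_HEADER       pDosHeader = (PIMAGE_DOS_HEADER)pBase;
      PIMAGE_NT_HEADERS       pNtHeaders;
      IMAGE_DATA_DIRECTORY    RelocDir;
      PIMAGE_BASE_RELOCATION  pBlock;
      ULONG                   uSizeOfImage;
      ULONG                   uRemaining;
      ULONG                   uDelta;
      // VirtualAddress + SizeOfBlock. Deliberately not sizeof(IMAGE_BASE_RELOCATION):
      // this file's struct exposes a TypeOffset member, so its sizeof may be
      // larger than the 8-byte on-disk block header.
      const ULONG             uBlockHeaderSize = 2 * sizeof(ULONG);

      pNtHeaders   = (PIMAGE_NT_HEADERS)(pBase + pDosHeader->e_lfanew);
      uSizeOfImage = pNtHeaders->OptionalHeader.SizeOfImage;
      RelocDir     = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

      // Relocate toward the original image (see the header comment).
      uDelta = (ULONG)((ULONG_PTR)pOriImage - pNtHeaders->OptionalHeader.ImageBase);

      if (RelocDir.Size == 0)
      {
          return;     // nothing to relocate
      }
      if (RelocDir.VirtualAddress > uSizeOfImage ||
          RelocDir.Size > uSizeOfImage - RelocDir.VirtualAddress)
      {
          DbgPrint("Relocation directory lies outside the image\n");
          return;
      }

      pBlock     = (PIMAGE_BASE_RELOCATION)(pBase + RelocDir.VirtualAddress);
      uRemaining = RelocDir.Size;

      while (uRemaining >= uBlockHeaderSize)
      {
          ULONG   uBlockSize = pBlock->SizeOfBlock;
          ULONG   uCount;
          ULONG   uIndex;
          USHORT *pEntries;

          if (uBlockSize < uBlockHeaderSize || uBlockSize > uRemaining)
          {
              DbgPrint("Malformed relocation block\n");
              return;
          }

          uCount   = (uBlockSize - uBlockHeaderSize) / sizeof(USHORT);
          pEntries = (USHORT *)((PUCHAR)pBlock + uBlockHeaderSize);

          for (uIndex = 0; uIndex < uCount; uIndex++)
          {
              USHORT uEntry  = pEntries[uIndex];
              ULONG  uTarget = pBlock->VirtualAddress + (uEntry & 0xfff);

              if ((uEntry >> 12) != IMAGE_REL_BASED_HIGHLOW)
              {
                  continue;   // ABSOLUTE padding, or a type this 32-bit loader does not apply
              }

              // The 4-byte patch must lie entirely inside the copy. This
              // replaces the MmIsAddressValid probe: a range check against
              // SizeOfImage is what actually keeps the write inside the buffer.
              if (uTarget > uSizeOfImage || sizeof(ULONG) > uSizeOfImage - uTarget)
              {
                  DbgPrint("Relocation target outside the image\n");
                  return;
              }

              *(PULONG)(pBase + uTarget) += uDelta;
          }

          uRemaining -= uBlockSize;
          pBlock = (PIMAGE_BASE_RELOCATION)((PUCHAR)pBlock + uBlockSize);
      }
  }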



通过上面的步骤,我们成功地将内核文件完整地复制了一遍。


之后就是如何让相关黑科技走我们的内核了,明天再继续!
善者 慈悲心常在 无怨无恨 以苦为乐
默认压缩密码www.hifyl.com
文件分享密码问题:http://www.hifyl.com/read-htm-tid-4444.html

只看该作者 沙发  发表于: 2016-04-30
用户被禁言,该主题自动屏蔽!