因自己工作,可能后面会写ark工具.所以周六周日没事就逆向了一下进程回调数组. 虽然资料很多.但是自己动手自己明白.总比别人给的好.
所以记一下自己的分析思路以及逆向结果.
内核中 PsSetCreateProcessNotifyRoutine回调函数是用来设置进程监控的.
相应的还有一个Ex函数. ex函数没有逆向.简单的看了一下.这里说一下
进程回调的逆向把.
定位反汇编代码如下:
kd> uf PsSetCreateProcessNotifyRoutine nt!PsSetCreateProcessNotifyRoutine: 83fd87de 8bff mov edi,edi 83fd87e0 55 push ebp 83fd87e1 8bec mov ebp,esp 83fd87e3 6a00 push 0 83fd87e5 ff750c push dword ptr [ebp+0Ch] 参数2 ---------> 是否删除 83fd87e8 ff7508 push dword ptr [ebp+8] 参数1 ---------> 回调函数地址 83fd87eb e809000000 call nt!PspSetCreateProcessNotifyRoutine (83fd87f9) 83fd87f0 5d pop ebp 83fd87f1 c20800 ret 8
可以看到 里面调用的函数为: PspSetCreateProcessNotifyRoutine
总共三个参数
伪代码
PspSetCreateProcessNotifyRoutine(0,你自己的回调函数地址,是否删除标记)
而逆向Ex系列的函数.发现变得仅仅是第一个函数参数. 0变为1了.
底层函数调用的它,那么就逆向它.
kd> uf PspSetCreateProcessNotifyRoutine nt!PspSetCreateProcessNotifyRoutine: 83fd87f9 8bff mov edi,edi 83fd87fb 55 push ebp 83fd87fc 8bec mov ebp,esp 83fd87fe 807d0c00 cmp byte ptr [ebp+0Ch],0 //判断是设置回调还是清除回调. 83fd8802 53 push ebx 83fd8803 56 push esi //保存寄存器环境. 83fd8804 57 push edi 83fd8805 0f84fa000000 je nt!PspSetCreateProcessNotifyRoutine+0x10a (83fd8905) 是否删除回调 == 0 跳转.也就是设置回调. 删除回调走上边. ====================> 删除回调走的位置 nt!PspSetCreateProcessNotifyRoutine+0x12: 83fd880b 648b3524010000 mov esi,dword ptr fs:[124h] 83fd8812 66ff8e84000000 dec word ptr [esi+84h] 83fd8819 33db xor ebx,ebx 83fd881b c7450ce06cf883 mov dword ptr [ebp+0Ch],offset nt!PspCreateProcessNotifyRoutine (83f86ce0) //获得回调函数数组地址. nt!PspSetCreateProcessNotifyRoutine+0x29: 83fd8822 ff750c push dword ptr [ebp+0Ch] //数组地址压栈. 83fd8825 e88ea90d00 call nt!ExReferenceCallBackBlock (840b31b8) //逆向ExReferenceCallBackBlock 83fd882a 8bf8 mov edi,eax 83fd882c 85ff test edi,edi 83fd882e 7439 je nt!PspSetCreateProcessNotifyRoutine+0x6e (83fd8869) nt!PspSetCreateProcessNotifyRoutine+0x37: 83fd8830 8b4f08 mov ecx,dword ptr [edi+8] 83fd8833 e81b3cf2ff call nt!ExGetCallBackBlockRoutine (83efc453) 83fd8838 3b4508 cmp eax,dword ptr [ebp+8] 83fd883b 7522 jne nt!PspSetCreateProcessNotifyRoutine+0x64 (83fd885f) nt!PspSetCreateProcessNotifyRoutine+0x44: 83fd883d 85c9 test ecx,ecx 83fd883f 7509 jne nt!PspSetCreateProcessNotifyRoutine+0x4f (83fd884a) nt!PspSetCreateProcessNotifyRoutine+0x48: 83fd8841 384d10 cmp byte ptr [ebp+10h],cl 83fd8844 7519 jne nt!PspSetCreateProcessNotifyRoutine+0x64 (83fd885f) nt!PspSetCreateProcessNotifyRoutine+0x4d: 83fd8846 eb08 jmp nt!PspSetCreateProcessNotifyRoutine+0x55 (83fd8850) nt!PspSetCreateProcessNotifyRoutine+0x4f: 83fd884a 807d1000 cmp byte ptr [ebp+10h],0 83fd884e 740f je nt!PspSetCreateProcessNotifyRoutine+0x64 (83fd885f) nt!PspSetCreateProcessNotifyRoutine+0x55: 83fd8850 8b450c mov eax,dword ptr [ebp+0Ch] 83fd8853 57 push edi 83fd8854 33c9 xor ecx,ecx 83fd8856 e8abfeffff call nt!ExCompareExchangeCallBack (83fd8706) 83fd885b 84c0 test al,al 83fd885d 7547 jne nt!PspSetCreateProcessNotifyRoutine+0xab (83fd88a6) nt!PspSetCreateProcessNotifyRoutine+0x64: 83fd885f 8b450c mov eax,dword ptr [ebp+0Ch] 83fd8862 8bcf mov ecx,edi 83fd8864 e883aa0d00 call nt!ExDereferenceCallBackBlock (840b32ec) nt!PspSetCreateProcessNotifyRoutine+0x6e: 83fd8869 83450c04 add dword ptr [ebp+0Ch],4 83fd886d 43 inc ebx 83fd886e 83fb40 cmp ebx,40h 83fd8871 72af jb nt!PspSetCreateProcessNotifyRoutine+0x29 (83fd8822) nt!PspSetCreateProcessNotifyRoutine+0x78: 83fd8873 66ff8684000000 inc word ptr [esi+84h] 83fd887a 0fb78684000000 movzx eax,word ptr [esi+84h] 83fd8881 6685c0 test ax,ax 83fd8884 7516 jne nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fd889c) nt!PspSetCreateProcessNotifyRoutine+0x8b: 83fd8886 8d4640 lea eax,[esi+40h] 83fd8889 3900 cmp dword ptr [eax],eax 83fd888b 740f je nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fd889c) nt!PspSetCreateProcessNotifyRoutine+0x92: 83fd888d 6683be8600000000 cmp word ptr [esi+86h],0 83fd8895 7505 jne nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fd889c) nt!PspSetCreateProcessNotifyRoutine+0x9c: 83fd8897 e8fd3be9ff call nt!KiCheckForKernelApcDelivery (83e6c499) nt!PspSetCreateProcessNotifyRoutine+0xa1: 83fd889c b87a0000c0 mov eax,0C000007Ah 83fd88a1 e9c5000000 jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fd896b) nt!PspSetCreateProcessNotifyRoutine+0xab: 83fd88a6 83c9ff or ecx,0FFFFFFFFh 83fd88a9 807d1000 cmp byte ptr [ebp+10h],0 83fd88ad b8e46df883 mov eax,offset nt!PspCreateProcessNotifyRoutineCount (83f86de4) 83fd88b2 7405 je nt!PspSetCreateProcessNotifyRoutine+0xbe (83fd88b9) nt!PspSetCreateProcessNotifyRoutine+0xb9: 83fd88b4 b8e06df883 mov eax,offset nt!PspCreateProcessNotifyRoutineExCount (83f86de0) nt!PspSetCreateProcessNotifyRoutine+0xbe: 83fd88b9 f00fc108 lock xadd dword ptr [eax],ecx 83fd88bd 8d049de06cf883 lea eax,nt!PspCreateProcessNotifyRoutine (83f86ce0)[ebx*4] 83fd88c4 8bcf mov ecx,edi 83fd88c6 e821aa0d00 call nt!ExDereferenceCallBackBlock (840b32ec) 83fd88cb 66ff8684000000 inc word ptr [esi+84h] 83fd88d2 0fb78684000000 movzx eax,word ptr [esi+84h] 83fd88d9 6685c0 test ax,ax 83fd88dc 7516 jne nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fd88f4) nt!PspSetCreateProcessNotifyRoutine+0xe3: 83fd88de 8d4640 lea eax,[esi+40h] 83fd88e1 3900 cmp dword ptr [eax],eax 83fd88e3 740f je nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fd88f4) nt!PspSetCreateProcessNotifyRoutine+0xea: 83fd88e5 6683be8600000000 cmp word ptr [esi+86h],0 83fd88ed 7505 jne nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fd88f4) nt!PspSetCreateProcessNotifyRoutine+0xf4: 83fd88ef e8a53be9ff call nt!KiCheckForKernelApcDelivery (83e6c499) nt!PspSetCreateProcessNotifyRoutine+0xf9: 83fd88f4 8bcf mov ecx,edi 83fd88f6 e890f41600 call nt!ExWaitForCallBacks (84147d8b) 83fd88fb 57 push edi 83fd88fc e814780e00 call nt!SepFreeCapturedString (840c0115) nt!PspSetCreateProcessNotifyRoutine+0x106: 83fd8901 33c0 xor eax,eax 83fd8903 eb66 jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fd896b) // 设置回调会走的路线. nt!PspSetCreateProcessNotifyRoutine+0x10a: 83fd8905 807d1000 cmp byte ptr [ebp+10h],0 //判断第三个参数是否为0 83fd8909 7413 je nt!PspSetCreateProcessNotifyRoutine+0x123 (83fd891e) nt!PspSetCreateProcessNotifyRoutine+0x110: 83fd890b ff7508 push dword ptr [ebp+8] 83fd890e e856affdff call nt!MmVerifyCallbackFunction (83fb3869) 83fd8913 85c0 test eax,eax 83fd8915 7507 jne nt!PspSetCreateProcessNotifyRoutine+0x123 (83fd891e) nt!PspSetCreateProcessNotifyRoutine+0x11c: 83fd8917 b8220000c0 mov eax,0C0000022h 83fd891c eb4d jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fd896b) //第三个参数是默认Push 0.会到这里. nt!PspSetCreateProcessNotifyRoutine+0x123: 83fd891e 33c0 xor eax,eax 83fd8920 384510 cmp byte ptr [ebp+10h],al 83fd8923 0f95c0 setne al // == 0 则设置al位. 如果比较滞后 ==0 相等.(zf=1) 则设置al位0 .如果不相等则al = 1. 83fd8926 50 push eax 0 83fd8927 ff7508 push dword ptr [ebp+8] 回调函数地址. 83fd892a e8a8fdffff call nt!ExAllocateCallBack (83fd86d7) 83fd892f 8bd8 mov ebx,eax 83fd8931 85db test ebx,ebx //判断ebx结果是否是0. 不是0 跳转. 83fd8933 7507 jne nt!PspSetCreateProcessNotifyRoutine+0x141 (83fd893c) nt!PspSetCreateProcessNotifyRoutine+0x13a: 83fd8935 b89a0000c0 mov eax,0C000009Ah 83fd893a eb2f jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fd896b) nt!PspSetCreateProcessNotifyRoutine+0x141: 83fd893c bee06cf883 mov esi,offset nt!PspCreateProcessNotifyRoutine (83f86ce0) //不是0跳转到此位置. 获取数组. 83fd8941 33ff xor edi,edi nt!PspSetCreateProcessNotifyRoutine+0x148: 83fd8943 6a00 push 0 83fd8945 8bcb mov ecx,ebx ecx = ExAllocateCallBack 返回值. 83fd8947 8bc6 mov eax,esi eax = 数组 83fd8949 e8b8fdffff call nt!ExCompareExchangeCallBack (83fd8706) //应该是遍历数组.进行比较.设置回调. 83fd894e 84c0 test al,al 83fd8950 7520 jne nt!PspSetCreateProcessNotifyRoutine+0x177 (83fd8972) nt!PspSetCreateProcessNotifyRoutine+0x157: 83fd8952 83c704 add edi,4 83fd8955 83c604 add esi,4 83fd8958 81ff00010000 cmp edi,100h 83fd895e 72e3 jb nt!PspSetCreateProcessNotifyRoutine+0x148 (83fd8943) nt!PspSetCreateProcessNotifyRoutine+0x165: 83fd8960 53 push ebx 83fd8961 e8af770e00 call nt!SepFreeCapturedString (840c0115) 83fd8966 b80d0000c0 mov eax,0C000000Dh nt!PspSetCreateProcessNotifyRoutine+0x170: 83fd896b 5f pop edi 83fd896c 5e pop esi 83fd896d 5b pop ebx 83fd896e 5d pop ebp 83fd896f c20c00 ret 0Ch nt!PspSetCreateProcessNotifyRoutine+0x177: 83fd8972 33c9 xor ecx,ecx 83fd8974 41 inc ecx 83fd8975 807d1000 cmp byte ptr [ebp+10h],0 83fd8979 7525 jne nt!PspSetCreateProcessNotifyRoutine+0x1a5 (83fd89a0) nt!PspSetCreateProcessNotifyRoutine+0x180: 83fd897b b8e46df883 mov eax,offset nt!PspCreateProcessNotifyRoutineCount (83f86de4) 83fd8980 f00fc108 lock xadd dword ptr [eax],ecx 83fd8984 a1786bf883 mov eax,dword ptr [nt!PspNotifyEnableMask (83f86b78)] 83fd8989 a802 test al,2 83fd898b 0f8570ffffff jne nt!PspSetCreateProcessNotifyRoutine+0x106 (83fd8901) nt!PspSetCreateProcessNotifyRoutine+0x196: 83fd8991 b8786bf883 mov eax,offset nt!PspNotifyEnableMask (83f86b78) 83fd8996 f00fba2801 lock bts dword ptr [eax],1 83fd899b e961ffffff jmp nt!PspSetCreateProcessNotifyRoutine+0x106 (83fd8901) nt!PspSetCreateProcessNotifyRoutine+0x1a5: 83fd89a0 b8e06df883 mov eax,offset nt!PspCreateProcessNotifyRoutineExCount (83f86de0) 83fd89a5 f00fc108 lock xadd dword ptr [eax],ecx 83fd89a9 a1786bf883 mov eax,dword ptr [nt!PspNotifyEnableMask (83f86b78)] 83fd89ae a804 test al,4 83fd89b0 0f854bffffff jne nt!PspSetCreateProcessNotifyRoutine+0x106 (83fd8901) nt!PspSetCreateProcessNotifyRoutine+0x1bb: 83fd89b6 b8786bf883 mov eax,offset nt!PspNotifyEnableMask (83f86b78) 83fd89bb f00fba2802 lock bts dword ptr [eax],2 83fd89c0 e93cffffff jmp nt!PspSetCreateProcessNotifyRoutine+0x106 (83fd8901) <===================================================================================>
通过上面可以看到 获得的回调函数数组. 并且函数数组入栈. 那么就需要逆向一下新的函数了
首先看下回调函数数组里面的内容.
83f86ce0 = 回调函数数组
找到回调函数数组会发现这个值不是回调函数地址.
下面回调 ExReferenceCallBackBlock 传入回调函数地址.所以肯定有对 其的操作
kd> uf ExReferenceCallBackBlock nt!ExReferenceCallBackBlock: 840b31b8 8bff mov edi,edi 840b31ba 55 push ebp 840b31bb 8bec mov ebp,esp 840b31bd 8b5508 mov edx,dword ptr [ebp+8] edx = 数组地址 840b31c0 8b0a mov ecx,dword ptr [edx] ecx = 数组[0] 第一项. 840b31c2 53 push ebx 840b31c3 56 push esi 840b31c4 57 push edi 840b31c5 6a07 push 7 840b31c7 5b pop ebx ebx = 7 840b31c8 84cb test bl,cl 判断bl 跟 cl 肯定不等于 0 . 840b31ca 7417 je nt!ExReferenceCallBackBlock+0x2b (840b31e3) // bl cl 不会 = 0,所以走此位置. nt!ExReferenceCallBackBlock+0x14: 840b31cc 8d41ff lea eax,[ecx-1] 不相等的情况 eax = [ecx - 1] 的地址. eax = &(数组[0]+1)的地址 例如数组内容为: 8d408c3f 现在成了 8d408c3E 840b31cf 8bf0 mov esi,eax esi = [ecx - 1] 840b31d1 8bfa mov edi,edx edi = 数组地址 840b31d3 8bc1 mov eax,ecx eax = 数组[0] 840b31d5 f00fb137 lock cmpxchg dword ptr [edi],esi 数组[0] = &([数组[0] +1] 的值. 840b31d9 3bc1 cmp eax,ecx 数组[0] == 数组[0] 840b31db 7406 je nt!ExReferenceCallBackBlock+0x2b (840b31e3) nt!ExReferenceCallBackBlock+0x25: 840b31dd 8bc8 mov ecx,eax 840b31df 84c3 test bl,al 840b31e1 75e9 jne nt!ExReferenceCallBackBlock+0x14 (840b31cc) 都相等会跳转此处. nt!ExReferenceCallBackBlock+0x2b: 840b31e3 85c9 test ecx,ecx ecx = &(数组[0] + 1) 840b31e5 7507 jne nt!ExReferenceCallBackBlock+0x36 (840b31ee) //大部分情况下会跳转.因为数组内容可能不为0 nt!ExReferenceCallBackBlock+0x2f: 840b31e7 33c0 xor eax,eax 840b31e9 e9f2000000 jmp nt!ExReferenceCallBackBlock+0x122 (840b32e0) //跳转位置. nt!ExReferenceCallBackBlock+0x36: 840b31ee 8bc1 mov eax,ecx eax = 数组[0] 840b31f0 23c3 and eax,ebx eax = 数组[0] & 7; eax = 7; 840b31f2 0f859a000000 jne nt!ExReferenceCallBackBlock+0xd4 (840b3292) nt!ExReferenceCallBackBlock+0x40: 840b31f8 648b3524010000 mov esi,dword ptr fs:[124h] 840b31ff 66ff8e86000000 dec word ptr [esi+86h] 840b3206 6a11 push 11h 840b3208 b9d807f883 mov ecx,offset nt!ExpCallBackFlush (83f807d8) 840b320d 5f pop edi 840b320e 8bd9 mov ebx,ecx 840b3210 f00fb13b lock cmpxchg dword ptr [ebx],edi 840b3214 85c0 test eax,eax 840b3216 7408 je nt!ExReferenceCallBackBlock+0x68 (840b3220) nt!ExReferenceCallBackBlock+0x60: 840b3218 e80c56e4ff call nt!ExfAcquirePushLockShared (83ef8829) 840b321d 8b5508 mov edx,dword ptr [ebp+8] nt!ExReferenceCallBackBlock+0x68: 840b3220 8b3a mov edi,dword ptr [edx] 840b3222 83e7f8 and edi,0FFFFFFF8h 840b3225 7423 je nt!ExReferenceCallBackBlock+0x92 (840b324a) nt!ExReferenceCallBackBlock+0x6f: 840b3227 8b0f mov ecx,dword ptr [edi] 840b3229 83e1fe and ecx,0FFFFFFFEh 840b322c 8d4102 lea eax,[ecx+2] 840b322f 8bd0 mov edx,eax 840b3231 8bdf mov ebx,edi 840b3233 8bc1 mov eax,ecx 840b3235 f00fb113 lock cmpxchg dword ptr [ebx],edx 840b3239 3bc1 cmp eax,ecx 840b323b 740d je nt!ExReferenceCallBackBlock+0x92 (840b324a) nt!ExReferenceCallBackBlock+0x85: 840b323d 8bcf mov ecx,edi 840b323f e806a5e2ff call nt!ExfAcquireRundownProtection (83edd74a) 840b3244 84c0 test al,al 840b3246 7502 jne nt!ExReferenceCallBackBlock+0x92 (840b324a) nt!ExReferenceCallBackBlock+0x90: 840b3248 33ff xor edi,edi nt!ExReferenceCallBackBlock+0x92: 840b324a b9d807f883 mov ecx,offset nt!ExpCallBackFlush (83f807d8) 840b324f 6a11 push 11h 840b3251 33d2 xor edx,edx 840b3253 8bd9 mov ebx,ecx 840b3255 58 pop eax 840b3256 f00fb113 lock cmpxchg dword ptr [ebx],edx 840b325a 83f811 cmp eax,11h 840b325d 7405 je nt!ExReferenceCallBackBlock+0xac (840b3264) nt!ExReferenceCallBackBlock+0xa7: 840b325f e80a54e4ff call nt!ExfReleasePushLockShared (83ef866e) nt!ExReferenceCallBackBlock+0xac: 840b3264 66ff8686000000 inc word ptr [esi+86h] 840b326b 0fb78686000000 movzx eax,word ptr [esi+86h] 840b3272 6685c0 test ax,ax 840b3275 750c jne nt!ExReferenceCallBackBlock+0xcb (840b3283) nt!ExReferenceCallBackBlock+0xbf: 840b3277 83c640 add esi,40h 840b327a 3936 cmp dword ptr [esi],esi 840b327c 7405 je nt!ExReferenceCallBackBlock+0xcb (840b3283) nt!ExReferenceCallBackBlock+0xc6: 840b327e e81692dbff call nt!KiCheckForKernelApcDelivery (83e6c499) nt!ExReferenceCallBackBlock+0xcb: 840b3283 85ff test edi,edi 840b3285 0f845cffffff je nt!ExReferenceCallBackBlock+0x2f (840b31e7) nt!ExReferenceCallBackBlock+0xd3: 840b328b eb51 jmp nt!ExReferenceCallBackBlock+0x120 (840b32de) //跳转到此位置. nt!ExReferenceCallBackBlock+0xd4: 840b3292 83e1f8 and ecx,0FFFFFFF8h ecx = 数组[0] & 0xFFFFFFF8 结果得出是一个地址. 数组里面的值已经不是以前的值了. 8d408c3f 变成了 8d408c3E 840b3295 8bf9 mov edi,ecx 结果给 edi保存 840b3297 83f801 cmp eax,1 840b329a 7542 jne nt!ExReferenceCallBackBlock+0x120 (840b32de) nt!ExReferenceCallBackBlock+0xde: 840b329c 8bd3 mov edx,ebx 840b329e e8f1c4e1ff call nt!ExAcquireRundownProtectionEx (83ecf794) 840b32a3 84c0 test al,al 840b32a5 7437 je nt!ExReferenceCallBackBlock+0x120 (840b32de) nt!ExReferenceCallBackBlock+0xe9: 840b32a7 8b4508 mov eax,dword ptr [ebp+8] 840b32aa 8b08 mov ecx,dword ptr [eax] 840b32ac 8bc1 mov eax,ecx 840b32ae eb1d jmp nt!ExReferenceCallBackBlock+0x10f (840b32cd) nt!ExReferenceCallBackBlock+0xf2: 840b32b0 8bc1 mov eax,ecx 840b32b2 83e0f8 and eax,0FFFFFFF8h 840b32b5 3bf8 cmp edi,eax 840b32b7 751c jne nt!ExReferenceCallBackBlock+0x117 (840b32d5) nt!ExReferenceCallBackBlock+0xfb: 840b32b9 8b7508 mov esi,dword ptr [ebp+8] 840b32bc 8d4107 lea eax,[ecx+7] 840b32bf 8bd0 mov edx,eax 840b32c1 8bc1 mov eax,ecx 840b32c3 f00fb116 lock cmpxchg dword ptr [esi],edx 840b32c7 3bc1 cmp eax,ecx 840b32c9 7413 je nt!ExReferenceCallBackBlock+0x120 (840b32de) nt!ExReferenceCallBackBlock+0x10d: 840b32cb 8bc8 mov ecx,eax nt!ExReferenceCallBackBlock+0x10f: 840b32cd 23c3 and eax,ebx 840b32cf 03c3 add eax,ebx 840b32d1 3bc3 cmp eax,ebx 840b32d3 76db jbe nt!ExReferenceCallBackBlock+0xf2 (840b32b0) nt!ExReferenceCallBackBlock+0x117: 840b32d5 8bd3 mov edx,ebx 840b32d7 8bcf mov ecx,edi 840b32d9 e8f96cdcff call nt!ExReleaseRundownProtectionEx (83e79fd7) //eax = 7 不是1.所以直接跳转到结束位置 nt!ExReferenceCallBackBlock+0x120: 840b32de 8bc7 mov eax,edi 结果给eax.进行返回. nt!ExReferenceCallBackBlock+0x122: 840b32e0 5f pop edi 840b32e1 5e pop esi 840b32e2 5b pop ebx 840b32e3 5d pop ebp 840b32e4 c20400 ret 4
通过逆向次函数可以得知. 函数数组[0]的内容被修改了. 修改为 -1的值. 如上面看到的数组的内容为:
现在首内容 0x8d408c3f的值会变为 0x8d408c3e
往下有很多分支没有走. 最后会进行解密操作得出函数地址.
如: 0x8d408c3e & 0xFFFFFFF8 = 函数地址表.
如下:
这个函数地址表的第二项就是我们要找的函数地址.
现在是0x83f01d35 去pchunter中查看.
但是上面会有一个问题. 0x8d408c3f的值会变为 0x8d408c3e 直接用 0x8d408c3f & 0xFFFFFFF8 的结果也是一样的.
所以可以忽略上面修改值的事情.
可以得出一个公式 函数地址 = *((数组[n] & 0xFFFFFFF8) + 4);
可以套用一下公式.进行一次计算.
使用代码可以遍历出函数地址表. 表中第二项才是函数地址. 随便找一个举例
它的第二项是8c5f89d8 说明找对了.
通过逆向可以找到数组. 那么可以进行如下操作
1.摘除数组.传入函数地址.调用 PsSetCreateProcessNotifyRoutine 第二个参数为TRUE即可摘掉.你也可以自己摘.就是相当于自己实现了一下这个函数摘除钩子的代码
2.进程回调优先级.可以找到数组.将你的回调写入到数组第一项.这样你的就会优先到来. 这个没试过.算是一个思路吧.
后面逆向下64位的.然后合并到这个帖子里面. 内容会发送到自己博客
https://www.cnblogs.com/iBinary/
http://www.w1x8.com/
谢谢支持.
最后于 3小时前 被张新琪编辑 ,原因: