2008-11-25 16:47 | Category: Personal Diary
Thoughts on defending against remote thread injection
2007-09-15 12:11
Author: churui (no@no.com)
One day I ran into a strange program (you probably don't care what it is called, so let's call it program A). This program is very overbearing: whenever it runs at the same time as my program (you certainly don't care what that is called either, so let's call it program B), it always reads some content from a data segment of B's process. This made me rather unhappy, so I decided to add a self-protection feature to B so that A could not read it so easily. It sounds a bit like ... oh well; in short, that is how this confrontation began. The original intention was very simple, but the contest itself had its twists and turns.
Before the battle started, a few things should be noted: both A and B are GUI programs, and A always starts before B. Considering how A could read B's data segment, I could think of three ways:
1. Read the image file directly.
2. Use ReadProcessMemory.
3. Inject into process B and then read the data directly.
For the first approach, as long as B is wrapped in a simple packer, A can do nothing with it. The more practical options are the latter two. By observation I found that A injects a DLL into process B while it runs, so I judged that A was probably using the third method.
There are generally three ways for A to inject a DLL into B. But whichever way it uses, I figured it must ultimately call ntdll!LdrLoadDll. So the most primitive approach is to hook the LdrLoadDll API inside process B and intercept suspicious DLLs. The implementation is not complicated, but unfortunately it was useless: in other words, the DLL A injected into B was never intercepted.
I used IceSword to monitor A's startup. I found that when A starts, it creates a remote thread in every process (except, of course, for some special system processes such as Idle, csrss and so on). So I hoped to block the creation of that remote thread. Considering that one generally obtains the process handle with kernel32!OpenProcess before creating a remote thread, I tried to intercept all OpenProcess calls with a ring3 API hook. Unfortunately my efforts failed again. The OpenProcess hook originally worked fine, but as soon as A started, the OpenProcess hook immediately stopped working. Taking into account that the earlier ntdll!LdrLoadDll hook had not worked either, I concluded that A must be using some means to defeat API hooks.
In that case, I intended to solve the problem in ring0. Since I previously only had Win32 development experience and had almost never written a driver, I spent two days cramming the KMD tutorial translated into Chinese by Luo Yunbin, found some source code and material on driverdevelop, and finally pieced together a barely working driver. Its function is pretty simple: it modifies the SSDT (System Service Dispatch Table) so that when ntdll!NtOpenProcess executes in kernel mode, I can block it.
This failed too, in exactly the same way as in ring3: originally ntdll!NtOpenProcess could be blocked, but once A started, the interception failed all at once. What I found ironic was that I wrote another simple program C, whose only function is to open B with kernel32!OpenProcess; once A had started, even C could open B successfully. A look with IceSword showed that as soon as A starts, the SSDT is automatically restored to its original contents, which really left me speechless.
After asking bmyyyud, zhaock and several other veterans on driverdevelop a few times, I reached the following conclusions: ntdll exports both NtOpenProcess and ZwOpenProcess, and the two are in fact the same thing. ntoskrnl also exports NtOpenProcess and ZwOpenProcess, but those two are completely different: ntoskrnl!NtOpenProcess is actually ... If you modify the SSDT, it is easily discovered and undone (just swapping the NtOpenProcess entry back). Is there no other way, then? Some material said you could look for the int 2e interrupt handler, but since XP uses sysenter/syscall, that trick no longer seems to work. Finally, the veteran bmyyyud suggested that I modify the entry code of ntoskrnl!NtOpenProcess itself. (The code, not the entry ~~~~)
Modifying the code of ntoskrnl!NtOpenProcess is rather more difficult than modifying its SSDT entry. First, the page containing the ntoskrnl!NtOpenProcess code is read-only; before modifying it you must first change bit 16 of the CR0 register (the write-protect bit), otherwise you will certainly get a blue screen. For a novice like me this was genuinely a bit confusing. Second, the most convenient way to modify the entry code is to use Microsoft's Detours, but unfortunately Detours references a lot of ring3 APIs and cannot be used directly. I had to take the Detours source code, cut away all the unnecessary details, remove as much of the ring3 API usage as possible or replace it with ring0 APIs, keep only the most crucial part, and then try running it. I never expected it to actually run.
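The entry-code patch the author extracted from Detours, and the kind of check IceSword runs to spot (and A runs to undo) such a patch, can both be modelled on a plain byte buffer. The following C program is an added example, not the author's driver and not Microsoft's Detours code: it writes a 5-byte `E9 rel32` JMP over a constructed function prologue (the 32-bit x86 form a Detours-style inline hook uses on the author's XP), decodes it back to prove the displacement is right, and then applies two integrity checks a defender can run: a byte comparison against a saved pristine prologue, and a heuristic that flags an entry whose first instruction jumps outside its own module. The section buffer and the addresses `FUNC_ENTRY` and `HOOK_TARGET` are constructed stand-ins, and the CR0 write-protect step is only noted in a comment because the buffer here is ordinary writable memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an image's .text section. "Addresses" are offsets
 * into this buffer, so the example runs on any host without a kernel driver. */
#define TEXT_SIZE 4096u
static uint8_t text_section[TEXT_SIZE];

/* Pristine copy of the protected function's first bytes, saved before any
 * patch is applied. An integrity checker compares against this. */
#define PROLOGUE_LEN 5
static uint8_t pristine_prologue[PROLOGUE_LEN];

/* Hypothetical layout: the function entry sits inside the section; the hook
 * routine lies outside it, as a driver's detour function would. */
#define FUNC_ENTRY  0x100u
#define HOOK_TARGET 0x20000u   /* hypothetical address outside text_section */
#define NOT_A_JMP   0xFFFFFFFFu

/* rel32 for a 5-byte E9 JMP at 'from' that lands on 'to'. The CPU adds rel32
 * to the address of the *next* instruction, hence the +5. */
int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - (from + 5));
}

/* Decode the target of an E9 JMP at 'at'; NOT_A_JMP if no JMP is there. */
uint32_t decode_jmp_target(const uint8_t *code, uint32_t at)
{
    int32_t rel;
    if (code[at] != 0xE9) return NOT_A_JMP;
    memcpy(&rel, code + at + 1, sizeof rel);   /* little-endian host assumed */
    return at + 5 + (uint32_t)rel;
}

/* Apply the detour: overwrite the first 5 bytes of the function with JMP rel32.
 * In the real driver this is the write that needs CR0.WP (bit 16) cleared
 * first; here the buffer is plain writable memory. */
void apply_detour(uint8_t *code, uint32_t entry, uint32_t target)
{
    int32_t rel = jmp_rel32(entry, target);
    code[entry] = 0xE9;
    memcpy(code + entry + 1, &rel, sizeof rel);
}

/* Put the original prologue back: what A did to the author's hook, and what a
 * driver's unload routine must do. */
void remove_detour(uint8_t *code, uint32_t entry)
{
    memcpy(code + entry, pristine_prologue, PROLOGUE_LEN);
}

/* Check 1: byte comparison against the saved pristine prologue. */
int prologue_modified(const uint8_t *code, uint32_t entry)
{
    return memcmp(code + entry, pristine_prologue, PROLOGUE_LEN) != 0;
}

/* Check 2: needs no pristine copy. A function whose very first instruction is
 * a JMP to an address outside its own module is the signature of an inline
 * hook (module_size is the extent of the section in this model). */
int entry_jumps_out_of_module(const uint8_t *code, uint32_t entry, uint32_t module_size)
{
    uint32_t target = decode_jmp_target(code, entry);
    return target != NOT_A_JMP && target >= module_size;
}

/* Fill the constructed section with NOP filler, place a typical x86 prologue
 * (mov edi,edi; push ebp; mov ebp,esp) at FUNC_ENTRY and save the pristine copy. */
void init_section(void)
{
    static const uint8_t prologue[PROLOGUE_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    memset(text_section, 0x90, TEXT_SIZE);
    memcpy(text_section + FUNC_ENTRY, prologue, PROLOGUE_LEN);
    memcpy(pristine_prologue, prologue, PROLOGUE_LEN);
}

int main(void)
{
    init_section();
    apply_detour(text_section, FUNC_ENTRY, HOOK_TARGET);
    printf("patched entry jumps to %#x, modified=%d, out-of-module=%d\n",
           decode_jmp_target(text_section, FUNC_ENTRY),
           prologue_modified(text_section, FUNC_ENTRY),
           entry_jumps_out_of_module(text_section, FUNC_ENTRY, TEXT_SIZE));
    remove_detour(text_section, FUNC_ENTRY);
    printf("after restore, modified=%d\n", prologue_modified(text_section, FUNC_ENTRY));
    return 0;
}
```

The byte-comparison check is the stronger of the two but needs a trusted copy of the prologue (IceSword compares against the image on disk for the same reason); the jump-out-of-module heuristic works without one but only catches the simplest patch shape, which is exactly why a tool that restores the original bytes, as A did here, defeats a hook that is not re-applied.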
Having done that, I found that program A's calls to ntoskrnl!NtOpenProcess were indeed intercepted by me, and I was pleased ... but I never imagined that, damn it, even when its call to ntoskrnl!NtOpenProcess fails, program A still creates a remote thread in B. This time the veteran zhaock told me that without calling NtOpenProcess one can also call PsLookupProcessByProcessId and ObOpenObjectByPointer to achieve the same purpose. It seemed I also needed to intercept ntoskrnl!NtCreateThread, and to be safe I blocked ntoskrnl!NtReadVirtualMemory as well. With all that done, I ran a test, and finally A was completely stopped; it can never read a single byte of B again ... I suddenly thought of what brother huyg used to say: "The most important ..."