Windows 回调监控 <二>

在之前的文章Windows 回调监控 <一> 总结了关于CreateProcessNotify,CreateProcessNotifyEx和LoadImageNotify一些用法,之后产生了一个思路,既然在进程创建的时候加载.exe文件会执行我们的回调函数,那么如果在我们回调函数之中对内存中的.exe文件的导入表增加一个项,这样进程会不会加载我们事先准备好的.dll文件,如果成功加载我们的dll话,就注入成功了。  

#pragma once

#include <ntifs.h>
#include <ntimage.h>
#include <WINDEF.H>

VOID WPOFF();
VOID WPON();
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
VOID LoadImageNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE  ProcessId,PIMAGE_INFO  ImageInfor);
extern CHAR*  PsGetProcessImageFileName(PEPROCESS EProcess);
VOID UnicodeToChar(PUNICODE_STRING uniSource, CHAR *szDest);

#include "LoadImage.h"


PIMAGE_IMPORT_DESCRIPTOR g_OldImportDesc;
KIRQL Irql;
PEPROCESS g_TargetProcess;
HANDLE    g_TargetProcessId;

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{

    DbgPrint("驱动加载\r\n");
    DriverObject->DriverUnload = UnloadDriver;
    PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)LoadImageNotifyRoutine);
    return STATUS_SUCCESS;
}

VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)LoadImageNotifyRoutine);
    DbgPrint("驱动卸载\r\n");
}



VOID LoadImageNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE  ProcessId,PIMAGE_INFO  ImageInfor)
{
    NTSTATUS Status;
    PVOID DriverEntryAddress = NULL;
    char szFullImageName[260]={0};
    PEPROCESS TatgetProcess = NULL;
    KAPC_STATE apcState;
    BOOLEAN       bAttached =FALSE;
    HANDLE    hProcess;
    Status  = PsLookupProcessByProcessId(ProcessId,&TatgetProcess);
    if (!NT_SUCCESS(Status))
    {
        return ;
    }
    if (strstr(PsGetProcessImageFileName(TatgetProcess),"cc.exe")) //当前进程是cc.exe
    {
        UnicodeToChar(FullImageName,szFullImageName);

        if (strstr(szFullImageName,"cc.exe"))  //加载的是cc.exe
        {
            g_TargetProcessId = ProcessId;
            Status = ObOpenObjectByPointer(TatgetProcess, 
                OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, 
                NULL, 
                GENERIC_ALL, 
                *PsProcessType, 
                KernelMode, 
                &hProcess
                );
            if (!NT_SUCCESS(Status))
            {
                ObDereferenceObject(TatgetProcess);
                return; 
            }
            g_TargetProcess = TatgetProcess;
            __try
            {
                //KeStackAttachProcess(TatgetProcess,&apcState);
                if (MmIsAddressValid(ImageInfor->ImageBase))
                {
                    PIMAGE_DOS_HEADER pDos;
                    PIMAGE_NT_HEADERS pHeader = NULL;
                    PIMAGE_IMPORT_DESCRIPTOR  pImportDesc;
                    //ZwUnmapViewOfSection(hProcess,ImageInfor->ImageBase);
                    ULONG nImportDllCount;
                    PVOID ulImageBase = ImageInfor->ImageBase;
                    ULONG nNewImportSize;
                    ULONG nNewDllNameSize = 0x20;
                    PIMAGE_IMPORT_DESCRIPTOR lpNewImportDesc = NULL;
                    PVOID lpDllName = NULL;
                    IMAGE_IMPORT_DESCRIPTOR Add_ImportDesc;
                    PIMAGE_THUNK_DATA        lpNewThunkData = NULL;
                    ULONG nNewThunkDataSize = 0x20;
                    PIMAGE_IMPORT_BY_NAME lpImportApi = NULL;
                    ULONG nNewImportApiSize  = 0x20;
                    pDos =(PIMAGE_DOS_HEADER) ulImageBase;

                    pHeader = (PIMAGE_NT_HEADERS)((ULONG)ulImageBase+(ULONG)pDos->e_lfanew);
                    pImportDesc  = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG)pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress \
                        + (ULONG)ulImageBase);
                    //导入表项个数
                    nImportDllCount = pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size / sizeof(IMAGE_IMPORT_DESCRIPTOR);

                    g_OldImportDesc = pImportDesc;//原始的导入表

                    nNewImportSize = sizeof(IMAGE_IMPORT_DESCRIPTOR)*(nImportDllCount+1);//加上自己的

                    Status = ZwAllocateVirtualMemory(NtCurrentProcess(), &lpNewImportDesc, 0, &nNewImportSize,
                        MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    if (!NT_SUCCESS(Status))
                    {
                        ObDereferenceObject(TatgetProcess);
                        ObDereferenceObject(TatgetProcess);
                        return;
                    }
                    RtlZeroMemory(lpNewImportDesc,nNewImportSize);

                    Status = ZwAllocateVirtualMemory(hProcess, &lpDllName, 0, &nNewDllNameSize,
                        MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    if (!NT_SUCCESS(Status))
                    {
                        ZwFreeVirtualMemory(hProcess,&lpNewImportDesc,0,MEM_RELEASE);
                        ObDereferenceObject(TatgetProcess);
                        ObDereferenceObject(TatgetProcess);
                        return;
                    }

                    RtlZeroMemory(lpDllName,nNewDllNameSize);

                    //ThunkData
                    Status = ZwAllocateVirtualMemory(hProcess, &lpNewThunkData, 0, &nNewThunkDataSize,
                        MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    if (!NT_SUCCESS(Status))
                    {
                        ZwFreeVirtualMemory(hProcess,&lpNewImportDesc,0,MEM_RELEASE);
                        ZwFreeVirtualMemory(hProcess,&lpDllName,0,MEM_RELEASE);
                        ObDereferenceObject(TatgetProcess);
                        ObDereferenceObject(TatgetProcess);
                        return;
                    }
                    RtlZeroMemory(lpNewThunkData,nNewThunkDataSize);                    
                    //IMAGE_IMPORT_BY_NAME
                    Status = ZwAllocateVirtualMemory(hProcess, &lpImportApi, 0, &nNewImportApiSize,
                        MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
                    if (!NT_SUCCESS(Status))
                    {
                        ZwFreeVirtualMemory(hProcess,&lpNewImportDesc,0,MEM_RELEASE);
                        ZwFreeVirtualMemory(hProcess,&lpDllName,0,MEM_RELEASE);
                        ZwFreeVirtualMemory(hProcess,&lpNewThunkData,0,MEM_RELEASE);
                        ObDereferenceObject(TatgetProcess);
                        ObDereferenceObject(TatgetProcess);
                        return;
                    }
                    RtlZeroMemory(lpImportApi,nNewImportApiSize);
                    //原始的导入表,留出一个表项
                    RtlCopyMemory(lpNewImportDesc+1,pImportDesc,sizeof(IMAGE_IMPORT_DESCRIPTOR)*nImportDllCount);
                    lpImportApi->Hint = 0;
                    RtlCopyMemory(lpImportApi->Name,"DllMain",0x20);
                    lpNewThunkData->u1.AddressOfData = (ULONG)lpImportApi-(ULONG)ulImageBase;                
                    Add_ImportDesc.OriginalFirstThunk = (ULONG)lpNewThunkData-(ULONG)ulImageBase;
                    Add_ImportDesc.TimeDateStamp = 0;
                    Add_ImportDesc.ForwarderChain = 0;
                    RtlCopyMemory(lpDllName,"test.dll",0x20);
                    Add_ImportDesc.Name = (ULONG)lpDllName-(ULONG)ulImageBase;
                    Add_ImportDesc.FirstThunk = Add_ImportDesc.OriginalFirstThunk;                    
                    RtlCopyMemory(lpNewImportDesc,&Add_ImportDesc,sizeof(IMAGE_IMPORT_DESCRIPTOR));
                    WPOFF(); //修改Descriptor
                    pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size += sizeof(IMAGE_IMPORT_DESCRIPTOR);
                    pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (ULONG_PTR)lpNewImportDesc - (ULONG_PTR)ulImageBase;
                    WPON();

                }
                //KeUnstackDetachProcess(&apcState);
            }__except(EXCEPTION_EXECUTE_HANDLER){
            }
            ObDereferenceObject(TatgetProcess);
        }
    }

    ObDereferenceObject(TatgetProcess);
}

VOID WPOFF()
{
    ULONG_PTR cr0 = 0;
    Irql = KeRaiseIrqlToDpcLevel();
    cr0 =__readcr0();
    cr0 &= 0xfffffffffffeffff;
    __writecr0(cr0);

}


VOID WPON()
{

    ULONG_PTR cr0=__readcr0();
    cr0 |= 0x10000;
    __writecr0(cr0);
    KeLowerIrql(Irql);
}

VOID UnicodeToChar(PUNICODE_STRING uniSource, CHAR *szDest)
{                                                  
    ANSI_STRING ansiTemp;                                
    RtlUnicodeStringToAnsiString(&ansiTemp,uniSource,TRUE);   

    strcpy(szDest,ansiTemp.Buffer);
    RtlFreeAnsiString(&ansiTemp);
}

 

posted on 2015-08-15 17:04  _懒人  阅读(2432)  评论(1编辑  收藏  举报

导航