[System Internals] Hooking every kernel export from a driver to analyse driver logic

Posted by smallzhong on 2025-4-27 20:34
This post was last edited by smallzhong on 2025-4-27 20:39


TL;DR

Introduction

  • Three years ago I wrote a project for doing inline hooks in the kernel, described in my earlier post 《[原创]开源一个自己写的简易的windows内核hook框架》 (open-sourcing a simple Windows kernel hook framework I wrote). My motivation was that I could not find a really usable framework for inline hooking in the Windows kernel. MiroKaku (米松) ported Detours to the kernel at https://github.com/MiroKaku/DetoursX . That framework is very usable, but Detours was developed for ring-3 hooking, and its design apparently never considered the special circumstances of kernel hooking: when it meets a 4-byte relative address, it still repairs it with ring-3 logic. In the kernel a 4-byte displacement can no longer satisfy the requirement at all, because the memory it allocates is more than 2 GB away. The project's issue tracker, https://github.com/MiroKaku/DetoursX/issues/2 , shows a failed hook of MmIsAddressValid. The cause is an E8 call whose relative address DetoursX failed to repair. The figure shows the state before the hook:

    After the hook, this E8 call was not repaired correctly, so it jumps to a non-existent address.

In fact, for this kind of relative addressing it is not enough to simply repair the 4-byte relative displacement. The kernel address space is vast; 4 bytes can only address 4 GB, and the kernel cannot obtain memory close enough to the hooked function to hold the trampoline. To solve this I wrote a hook framework that special-cases relative addressing, so that every relative reference still resolves to the correct location.

  • What I wrote three years ago was only a simple framework. Since then it has gradually been adapted to many special cases and had a number of bugs fixed, slowly improving the robustness of the whole framework.

KernelHook

Hook flow when the function contains no relative-addressing instructions

  • As in the figure, suppose the un-hooked code is the yellow block. The instructions are A B C D E in order, and suppose A, B and C together are at least 14 bytes long, enough to hold the jump ff 25 00 00 00 00 00 00 00 00 00 00 00 00 (FF 25 with a zero disp32, followed by the 8-byte absolute target). The framework automatically determines the length of those three instructions and replaces them with an FF25 jmp into a block of memory it allocates itself. After the jump, the environment is saved first: every register is pushed onto the stack. Then a callback function written in C is called, and the hook's work is done there. If the callback returns FALSE, execution jumps back to the original function; if it returns TRUE, the hook returns immediately and the original function is not executed. When the original function is to be executed, all previously saved registers are popped, the three instructions A B C are executed, and finally an FF25 jmp transfers control to the next instruction of the original function (D in this example).

When the code contains relative jumps

  • The framework handles a large number of relative-jump patterns: the one-byte short jumps 7X XX, E1 XX, E2 XX, E3 XX and EB XX; the four-byte relative jumps 0F 8X XX XX XX XX; and the four-byte E8/E9 call and jmp. All of these are handled as shown in the figure below.

    Suppose that among the three instructions A B C only B uses a relative jump. The JE jump 74 XX serves as the example.

    As in the figure, the framework automatically computes the absolute address of the jump destination, generates an FF25 unconditional jump at the very end of the shellcode, and changes the target of the 74 jump to the relative offset of that FF25 instruction. If the JE condition holds, control goes to the FF25 instruction, which then jumps to the original absolute address, so the logic stays correct. All the other 1-byte and 4-byte relative jumps are repaired using the same idea.
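To make the two steps above concrete (replacing the stolen prologue with an FF25 jump, and rebuilding the stolen instructions in a trampoline with a re-targeted 74 XX JE), here is an added example in C. It is not code from the KernelHook project: the function names, the 16-byte sample prologue and the kernel addresses (DEMO_ORIG_VA, DEMO_HOOK_VA) are constructed, the instruction lengths are passed in pre-decoded as a disassembler would supply them, and the addresses are only used for arithmetic, nothing is executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ABS_JMP_LEN 14   /* FF 25 00 00 00 00 + 8-byte absolute target */

/* Emit "jmp qword ptr [rip+0]" followed by the 8-byte target: the FF25 jump. */
static size_t emit_abs_jmp(uint8_t *out, uint64_t target)
{
    out[0] = 0xFF;
    out[1] = 0x25;
    memset(out + 2, 0, 4);          /* disp32 = 0: the qword follows the instruction */
    memcpy(out + 6, &target, 8);    /* little-endian, as x86-64 expects */
    return ABS_JMP_LEN;
}

/* A rel8 jump inside the copied prologue that must be re-targeted. */
struct fixup {
    size_t   rel8_at;   /* trampoline offset of the rel8 byte */
    uint64_t target;    /* absolute address the jump originally reached */
};

/* Copy the stolen instructions (orig, lengths in lens[], living at orig_va) into
 * tramp. A "74 rel8" JE is re-pointed at an FF25 absolute jump appended after the
 * jump-back, so its destination is reached however far away the trampoline lives.
 * Returns the trampoline size, or 0 if the prologue is unusable. */
static size_t build_trampoline(const uint8_t *orig, const size_t *lens, size_t n,
                               uint64_t orig_va, uint8_t *tramp, size_t cap)
{
    struct fixup fix[8];
    size_t nfix = 0, off = 0, stolen = 0, i;

    for (i = 0; i < n; i++) stolen += lens[i];
    if (stolen < ABS_JMP_LEN) return 0;          /* not enough room for the hook jump */

    for (i = 0; i < n; i++) {
        if (off + lens[i] > cap) return 0;
        memcpy(tramp + off, orig + off, lens[i]);
        if (orig[off] == 0x74 && lens[i] == 2) {  /* JE rel8 */
            int8_t rel = (int8_t)orig[off + 1];
            if (nfix == 8) return 0;
            fix[nfix].rel8_at = off + 1;
            fix[nfix].target  = orig_va + off + 2 + (int64_t)rel; /* rel8 is from the end of the JE */
            nfix++;
        }
        off += lens[i];
    }

    /* After the stolen instructions, jump back to the next original instruction (D). */
    if (off + ABS_JMP_LEN > cap) return 0;
    off += emit_abs_jmp(tramp + off, orig_va + stolen);

    /* One FF25 per re-targeted jump, placed at the end of the shellcode. */
    for (i = 0; i < nfix; i++) {
        int64_t delta = (int64_t)off - (int64_t)(fix[i].rel8_at + 1);
        if (delta < -128 || delta > 127 || off + ABS_JMP_LEN > cap) return 0;
        tramp[fix[i].rel8_at] = (uint8_t)(int8_t)delta;
        off += emit_abs_jmp(tramp + off, fix[i].target);
    }
    return off;
}

/* Overwrite the stolen prologue with the FF25 jump to the hook stub. Leftover
 * stolen bytes become int3 so a stray jump into them traps instead of executing garbage. */
static void patch_prologue(uint8_t *code, size_t stolen, uint64_t hook_va)
{
    size_t n = emit_abs_jmp(code, hook_va);
    memset(code + n, 0xCC, stolen - n);
}

/* Constructed sample prologue (16 bytes) with a JE as its third instruction:
 *   48 89 5C 24 08   mov [rsp+8], rbx
 *   48 83 EC 28      sub rsp, 0x28
 *   74 10            je  +0x10
 *   48 8B 4C 24 30   mov rcx, [rsp+0x30]                                      */
static const uint8_t DEMO_CODE[16] = {
    0x48,0x89,0x5C,0x24,0x08, 0x48,0x83,0xEC,0x28, 0x74,0x10, 0x48,0x8B,0x4C,0x24,0x30 };
static const size_t DEMO_LENS[4] = { 5, 4, 2, 5 };
#define DEMO_ORIG_VA 0xFFFFF80445E00000ULL   /* constructed address of the hooked function */
#define DEMO_HOOK_VA 0xFFFFD38400001000ULL   /* constructed pool address of the hook stub */
static uint8_t g_tramp[64];
static uint8_t g_patched[16];

static uint64_t read_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

static size_t demo_build(void)
{
    return build_trampoline(DEMO_CODE, DEMO_LENS, 4, DEMO_ORIG_VA, g_tramp, sizeof g_tramp);
}

/* Returns the number of int3 padding bytes written after the 14-byte jump. */
static int demo_patch(void)
{
    memcpy(g_patched, DEMO_CODE, sizeof g_patched);
    patch_prologue(g_patched, sizeof g_patched, DEMO_HOOK_VA);
    return (int)(sizeof g_patched - ABS_JMP_LEN);
}

int main(void)
{
    size_t n = demo_build(), i;
    printf("trampoline (%zu bytes):", n);
    for (i = 0; i < n; i++) printf(" %02X", g_tramp[i]);
    printf("\n");
    return n == 0;
}
```

In the sample the JE sits at trampoline offset 9 and is rewritten to jump 0x13 bytes forward, past the 14-byte jump-back, onto its own FF25 that carries the original absolute destination; a rel8 that could not reach the appended FF25 is reported as failure rather than silently truncated.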

When the code uses 4-byte RIP-relative addressing in test, lea, mov and similar instructions

  • This case is more complex, because these instructions cannot simply use an FF25 as a trampoline back to the real absolute address the way jump instructions can, and there is no absolute-addressing encoding of these instructions to rewrite them into. The framework handles it as follows: search the hooked module, at 16-byte alignment, for an all-zero region, and copy the RIP-relative code there. Because that address lies inside the module itself, the relative addressing still resolves correctly when executed. The logic is shown in the figure.

Special handling of the 48 8D 05 LEA

  • The kernel contains a great deal of 48 8D 05 RIP-relative code, mostly in the Zw functions. If every such function used the approach of finding blank addresses inside the module, the module's blank space would be exhausted and hooking would fail, so this case is special-cased: the LEA is rewritten into a 48 B8 MOV RAX, IMM64.

  • As shown in the figure below
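The following added example in C (not code from the KernelHook project) shows the two treatments of RIP-relative memory operands described above: the 16-byte-aligned search for a zero region inside the module plus the displacement recalculation that a relocated mov/test needs, and the rewrite of lea reg,[rip+disp32] into mov reg,imm64. It generalises the page's 48 8D 05 (RAX) case to the other destination registers, including R8-R15 via REX.R. The function names, the sample instruction bytes, the 64-byte fake module image and the address DEMO_VA are all constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int32_t  read_i32(const uint8_t *p) { int32_t v;  memcpy(&v, p, 4); return v; }
static uint64_t read_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Find a 16-byte-aligned run of `need` zero bytes inside a module image.
 * Only aligned offsets are probed, as in the framework's aligned search.
 * Returns the offset, or -1 if no such region exists. */
static int64_t find_zero_cave(const uint8_t *image, size_t size, size_t need)
{
    size_t off, k;
    for (off = 0; off + need <= size; off += 16) {
        k = 0;
        while (k < need && image[off + k] == 0) k++;
        if (k == need) return (int64_t)off;
    }
    return -1;
}

/* Re-encode a RIP-relative instruction (disp32 at byte offset disp_off, total
 * length len) so that when executed at new_va instead of old_va it still refers
 * to the same absolute address. Returns 0 if the new displacement does not fit
 * in 32 bits, which is exactly why the copy must stay inside the module. */
static int relocate_rip_relative(const uint8_t *instr, size_t len, size_t disp_off,
                                 uint64_t old_va, uint64_t new_va, uint8_t *out)
{
    uint64_t target   = old_va + len + (int64_t)read_i32(instr + disp_off);
    int64_t  new_disp = (int64_t)(target - (new_va + len));
    int32_t  d32;
    if (new_disp < INT32_MIN || new_disp > INT32_MAX) return 0;
    d32 = (int32_t)new_disp;
    memcpy(out, instr, len);
    memcpy(out + disp_off, &d32, 4);
    return 1;
}

/* Rewrite "lea reg,[rip+disp32]" (REX.W 8D /r, mod=00 rm=101) into
 * "mov reg,imm64" (REX.W B8+r). 48 8D 05 (RAX) becomes 48 B8 imm64.
 * Returns the 10-byte length, or 0 if the bytes are not such a LEA. */
static size_t lea_rip_to_mov_imm64(const uint8_t *lea, uint64_t lea_va, uint8_t *out)
{
    uint8_t rex = lea[0], modrm = lea[2], reg;
    uint64_t abs;
    if ((rex != 0x48 && rex != 0x4C) || lea[1] != 0x8D || (modrm & 0xC7) != 0x05)
        return 0;
    reg = (modrm >> 3) & 7;
    abs = lea_va + 7 + (int64_t)read_i32(lea + 3);   /* RIP = address of the next instruction */
    out[0] = (rex == 0x4C) ? 0x49 : 0x48;            /* REX.W, plus REX.B when reg was R8-R15 */
    out[1] = 0xB8 + reg;
    memcpy(out + 2, &abs, 8);
    return 10;
}

/* Constructed samples. */
#define DEMO_VA 0xFFFFF80445E01000ULL                                  /* address of both instructions */
static const uint8_t DEMO_LEA[7] = { 0x48,0x8D,0x05, 0x10,0x20,0x00,0x00 };  /* lea rax,[rip+0x2010] */
static const uint8_t DEMO_MOV[7] = { 0x48,0x8B,0x05, 0x00,0x10,0x00,0x00 };  /* mov rax,[rip+0x1000] */
static uint8_t g_mov_imm[10], g_reloc[7];

static size_t demo_lea(void) { return lea_rip_to_mov_imm64(DEMO_LEA, DEMO_VA, g_mov_imm); }

/* Relocate the mov into a cave 0x500 bytes further into the same module. */
static int demo_reloc_near(void)
{ return relocate_rip_relative(DEMO_MOV, 7, 3, DEMO_VA, DEMO_VA + 0x500, g_reloc); }

/* The same relocation into pool memory 4 GB away cannot be encoded. */
static int demo_reloc_far(void)
{ return relocate_rip_relative(DEMO_MOV, 7, 3, DEMO_VA, DEMO_VA + 0x100000000ULL, g_reloc); }

static int64_t demo_cave(void)
{
    uint8_t image[64];
    memset(image, 0xCC, sizeof image);
    memset(image + 20, 0, 8);    /* 8 zero bytes at an unaligned offset: must be skipped */
    memset(image + 32, 0, 16);   /* aligned 16-byte hole: the expected answer */
    return find_zero_cave(image, sizeof image, 7);
}

int main(void)
{
    printf("lea -> mov rax, 0x%llX\n", (unsigned long long)(demo_lea() ? read_u64(g_mov_imm + 2) : 0));
    printf("near relocation ok=%d, far relocation ok=%d, cave at %lld\n",
           demo_reloc_near(), demo_reloc_far(), (long long)demo_cave());
    return 0;
}
```

The far case is the 2 GB problem from the introduction made explicit: the same instruction copied into pool memory fails the INT32 range check, while the copy 0x500 bytes away inside the module just needs its displacement reduced from 0x1000 to 0xB00. The LEA rewrite grows the instruction from 7 to 10 bytes, which is fine inside the trampoline but must be accounted for when computing offsets after it.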

Hooking most exported functions for detailed kernel monitoring

Handling special cases

  • With the hook framework above, we can consider hooking kernel functions to analyse the system-function call flow of a particular driver. First, one special case needs dedicated handling, because in it a function cannot be hooked directly: if other code jumps into the middle of the instructions that the hook would overwrite at the function start, the function cannot be hooked directly. That sounds convoluted, but an example makes it clear:

  • Take the function RtlUnalignedStringCchLengthW, where you can see that

    at the 12th byte from the start there is a basic block, and code elsewhere jumps to it. If the 14-byte FF25 were written directly, this location would be overwritten, while the later jnz could still jump to this address, landing in corrupted memory with uncontrollable consequences.

  • The solution is an IDA script that special-cases this situation: if any basic block within the first 14 bytes of a function can be jumped to from another basic block, the function is marked False and skipped. The check function is:

    import idc
    import idautils


    def has_xrefs_to_middle(start_ea, end_ea):
        """Return True if any instruction in [start_ea, end_ea) other than the
        first is the target of a code cross-reference, i.e. some other code
        jumps into the middle of the bytes the hook would overwrite."""
        # Skip the first instruction: references to the function entry are expected.
        ea = start_ea + idc.get_item_size(start_ea)
        while ea < end_ea:
            # CodeRefsTo(ea, False) excludes ordinary fall-through from the previous instruction
            if next(idautils.CodeRefsTo(ea, False), None) is not None:
                return True
            ea += idc.get_item_size(ea)
        return False

Filtering by caller address

  • The kernel's exported functions are called extremely frequently; drivers call them constantly. Recording every call is completely unrealistic and would freeze the system. So the call origin must be filtered selectively by return address, printing only calls from a specific source. The monitoring framework wraps a singleton that maintains the set of monitored addresses. The following three macros

    #define ADD_MONITOR_RANGE(start, end) smallzhong::MonitorAddressManager::GetInstance().AddMonitorRange((start), (end))
    #define DEL_FROM_MONITOR_LIST(addr) smallzhong::MonitorAddressManager::GetInstance().DelFromMonitorList((addr))
    #define FILTER_RET_ADDR(ret_addr) smallzhong::MonitorAddressManager::GetInstance().FilterRetAddr((ret_addr))

    add and delete monitored ranges, and test whether an address is currently being monitored.

  • Below is a handler auto-generated by the IDA script. It uses FILTER_RET_ADDR to check the call origin; only when the return address comes from the specified source are the four arguments and the return address logged.

    BOOLEAN handler_c4a77d9f(PGuestContext context)
    {
      ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
      if (FILTER_RET_ADDR(origin_ret_addr))
      {
          LOG_INFO("Function: ExAllocatePoolWithTag\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n", 
              context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
      }
      return FALSE;
    }
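As an added example, not the page's MonitorAddressManager, here is a plain-C equivalent of the three macros plus the one extra step a log reader always performs: turning a monitored return address into module+offset. The function names are hypothetical, DEL_FROM_MONITOR_LIST is assumed to remove every range containing the given address (the page only shows that the macro takes a single address), and the sample base, size and return address are the values printed in the page's first log.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_RANGES 16

struct monitor_range { uint64_t start, end; const char *name; };   /* [start, end) */

struct monitor_set {
    struct monitor_range r[MAX_RANGES];   /* fixed size: handlers must not allocate */
    size_t n;
};

static struct monitor_set g_monitor;   /* stands in for the page's singleton */

/* ADD_MONITOR_RANGE: register [start, end) with a label used in log output. */
static int monitor_add(struct monitor_set *s, uint64_t start, uint64_t end, const char *name)
{
    if (s->n == MAX_RANGES || start >= end) return 0;
    s->r[s->n].start = start;
    s->r[s->n].end   = end;
    s->r[s->n].name  = name;
    s->n++;
    return 1;
}

/* DEL_FROM_MONITOR_LIST (assumed semantics): drop every range containing addr.
 * Returns how many ranges were removed. */
static size_t monitor_del(struct monitor_set *s, uint64_t addr)
{
    size_t i = 0, removed = 0;
    while (i < s->n) {
        if (addr >= s->r[i].start && addr < s->r[i].end) {
            s->r[i] = s->r[s->n - 1];   /* swap-remove; order does not matter */
            s->n--;
            removed++;
        } else {
            i++;
        }
    }
    return removed;
}

static const struct monitor_range *monitor_find(const struct monitor_set *s, uint64_t addr)
{
    size_t i;
    for (i = 0; i < s->n; i++)
        if (addr >= s->r[i].start && addr < s->r[i].end) return &s->r[i];
    return NULL;
}

/* FILTER_RET_ADDR: is addr inside any monitored range? */
static int monitor_filter(const struct monitor_set *s, uint64_t addr)
{
    return monitor_find(s, addr) != NULL;
}

/* Resolve a monitored return address to "name+0xRVA", the form needed to look the
 * call site up in a dump of the image. Returns 0 when addr is not monitored. */
static int monitor_describe(const struct monitor_set *s, uint64_t addr, char *buf, size_t cap)
{
    const struct monitor_range *r = monitor_find(s, addr);
    if (!r) return 0;
    snprintf(buf, cap, "%s+0x%llX", r->name, (unsigned long long)(addr - r->start));
    return 1;
}

/* Values from the page's first log: ImageLoadCallback reported this base and size,
 * and this return address appeared on the KdRefreshDebuggerNotPresent call. */
#define DEMO_BASE 0xFFFFF8044C9C0000ULL
#define DEMO_SIZE 0x12ce000ULL
#define DEMO_RET  0xfffff8044d121634ULL
static char g_desc[64];

static int demo_setup(void)
{
    g_monitor.n = 0;
    return monitor_add(&g_monitor, DEMO_BASE, DEMO_BASE + DEMO_SIZE, "ACEDriver.sys");
}

/* What a generated handler does with the return address it read from [rsp]. */
static int demo_handler(uint64_t ret_addr)
{
    return monitor_describe(&g_monitor, ret_addr, g_desc, sizeof g_desc);
}

int main(void)
{
    demo_setup();
    if (demo_handler(DEMO_RET)) printf("call site: %s\n", g_desc);
    printf("address outside the range monitored? %d\n",
           monitor_filter(&g_monitor, DEMO_BASE - 1));
    return 0;
}
```

Two practical points the structure encodes: the set is a fixed-size array because a handler may be running inside the very allocator being hooked (ExAllocatePoolWithTag appears in the page's log), so it must not allocate; and because handlers execute on whatever thread called the export, any real implementation has to guard additions and removals with synchronisation appropriate to the IRQL of the hooked functions.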

Usage

  • Import MiroKaku's Musa.Runtime package via NuGet and start happily writing C++ in the kernel.

  • Open the driver to be monitored in IDA, open scripts\AutoGen.py, use Ctrl+H to globally replace the hard-coded save path inside it, then run AutoGen.py. This produces three auto-generated files, available_funcs.inc, handlers.h and handlers.c; import them into the VS project.

  • In DriverMain, hook the specific functions you are interested in.

  • Load the driver and read the log.

Analysing a driver with this framework: the 2025 Tencent Game Security final challenge as an example

Setting up the analysis environment

  • Set the image callback in DriverMain

    EXTERN_C NTSTATUS DriverMain(const PDRIVER_OBJECT DriverObject, const PUNICODE_STRING Registry)
    {
          LOG_INFO("entry\r\n");
    
          NTSTATUS status = STATUS_SUCCESS;
          status = PsSetLoadImageNotifyRoutine(ImageLoadCallback);
          ...
    }

    In the callback, check whether ACEDriver.sys is the image being loaded and, if so, add the corresponding monitor range.

    VOID ImageLoadCallback(
          PUNICODE_STRING FullImageName,
          HANDLE ProcessId,
          PIMAGE_INFO ImageInfo)
    {
    
          if (ProcessId == 0 && FullImageName != NULL)
          {
    
                   // check whether the image being loaded is ACEDriver.sys
                  if (wcsstr(FullImageName->Buffer, L"\\ACEDriver.sys"))
                  {
                          LOG_INFO("ACEDriver.sys" " has been loaded!\n");
                          LOG_INFO("Image Base: %p\n", ImageInfo->ImageBase);
                          LOG_INFO("Image Size: %llx\n", ImageInfo->ImageSize);
    
                          ADD_MONITOR_RANGE((ULONG64)ImageInfo->ImageBase, (ULONG64)ImageInfo->ImageBase + ImageInfo->ImageSize);
                  }
          }
    }

  • Start the virtual machine and load the analysis framework.

    Every hookable function among the exports is hooked automatically.

Loading ACEDriver.sys

  • The full log after loading is as follows

    [smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!
    [smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044C9C0000
    [smallzhong][ImageLoadCallback():24] Image Size: 12ce000
    Function: ExAllocatePool
    RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35e7768
    Return Address: fffff8044d9eac91
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
    Return Address: fffff8044d7b062a
    
    Function: ExAllocatePool
    RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
    Return Address: fffff8044d796230
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
    Return Address: fffff8044d1259a8
    
    Function: ExFreePoolWithTag
    RCX: ffffd384236e6000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
    Return Address: fffff8044d7ace2a
    
    Function: IoAllocateMdl
    RCX: fffff8044c9c0000, RDX: 762537, R8: 0, R9: 0
    Return Address: fffff8044da92507
    
    Function: MmProbeAndLockPages
    RCX: ffffd384269f0000, RDX: 0, R8: 1, R9: ffffbc84b35e7760
    Return Address: fffff8044dae65ef
    
    Function: MmMapLockedPagesSpecifyCache
    RCX: ffffd384269f0000, RDX: 0, R8: 1, R9: 0
    Return Address: fffff8044db35827
    
    Function: ExAllocatePool
    RCX: 200, RDX: 3e6c, R8: ffffbc84b35e7768, R9: fffffff86df59f7a
    Return Address: fffff8044d97b359
    
    Function: ExFreePoolWithTag
    RCX: ffffd3842325f000, RDX: 0, R8: ffffbc84b35e7768, R9: 2
    Return Address: fffff8044d7dd486
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
    Return Address: fffff8044d7b062a
    
    Function: ExAllocatePool
    RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
    Return Address: fffff8044d796230
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
    Return Address: fffff8044d1259a8
    
    Function: ExFreePoolWithTag
    RCX: ffffd384236e6000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
    Return Address: fffff8044d7ace2a
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
    Return Address: fffff8044d7b062a
    
    Function: ExAllocatePool
    RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
    Return Address: fffff8044d796230
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
    Return Address: fffff8044d1259a8
    
    Function: ExFreePoolWithTag
    RCX: ffffd384236e6000, RDX: 0, R8: ffffbc84b35e766b, R9: ffffd384236e74d8
    Return Address: fffff8044d7ace2a
    
    Function: KeSetSystemAffinityThread
    RCX: 1, RDX: 8, R8: 0, R9: ffffbc84b35e7770
    Return Address: fffff8044d8c2bc1
    
    Function: KeSetSystemAffinityThread
    RCX: 2, RDX: 8, R8: 0, R9: ffffbc84b35e7770
    Return Address: fffff8044d8c2bc1
    
    Function: KeSetSystemAffinityThread
    RCX: 4, RDX: 8, R8: 0, R9: ffffbc84b35e7770
    Return Address: fffff8044d8c2bc1
    
    Function: KeSetSystemAffinityThread
    RCX: 8, RDX: 8, R8: 0, R9: ffffbc84b35e7770
    Return Address: fffff8044d8c2bc1
    
    Function: KeRevertToUserAffinityThread
    RCX: 0, RDX: 0, R8: ffffbc84b35e7778, R9: ffffffffe12f6b55
    Return Address: fffff8044d981c67
    
    Function: MmUnlockPages
    RCX: ffffd384269f0000, RDX: 8, R8: 0, R9: ffffbc84b35e7660
    Return Address: fffff8044d9a16ea
    
    Function: IoFreeMdl
    RCX: ffffd384269f0000, RDX: 8, R8: 542b35c7, R9: ffffbc84b35e7660
    Return Address: fffff8044d9d0743
    
    Function: RtlCopyUnicodeString
    RCX: fffff8044ca2b518, RDX: ffffd38427abf000, R8: ffffbc84b35e6f60, R9: 10
    Return Address: fffff8044c9cde8c
    
    Function: ExIsProcessorFeaturePresent
    RCX: a, RDX: ffffd38427abf000, R8: ffffbe8a8e013084, R9: fffff8044c9d3210
    Return Address: fffff8044c9ce70b
    
    Function: RtlGetVersion
    RCX: ffffbc84b35e76f0, RDX: 7, R8: 2, R9: 1
    Return Address: fffff8044c9ce4d7
    
    Function: MmGetSystemRoutineAddress
    RCX: ffffbc84b35e76d8, RDX: 7, R8: 2, R9: 1
    Return Address: fffff8044c9ce4f7
    
    Function: NtQuerySystemInformation
    RCX: e3, RDX: ffffbc84b35e76d0, R8: 1, R9: 0
    Return Address: fffff8044c9ce516
    
    Function: ZwOpenSection
    RCX: ffffbc84b35e7800, RDX: 5, R8: ffffbc84b35e7770, R9: 0
    Return Address: fffff8044c9cdbf0
    
    Function: ZwQuerySection
    RCX: ffffffff80002114, RDX: 1, R8: ffffbc84b35e77a0, R9: 40
    Return Address: fffff8044c9cdc27
    
    Function: ObReferenceObjectByHandle
    RCX: ffffffff80002114, RDX: 5, R8: ffffd3841d2cfbc0, R9: 0
    Return Address: fffff8044c9cdc57
    
    Function: MmMapViewInSystemSpace
    RCX: ffffbe8a81ea2350, RDX: ffffbc84b35e7768, R8: ffffbc84b35e7760, R9: fffff80445e00000
    Return Address: fffff8044c9cdc6f
    
    Function: MmUnmapViewInSystemSpace
    RCX: fffff80442c00000, RDX: be8a80ec7f880400, R8: ffffbc84b35e74e0, R9: ffffbc84b35e7748
    Return Address: fffff8044c9cdc92
    
    Function: ObfDereferenceObject
    RCX: ffffbe8a81ea2350, RDX: 4b, R8: ffffd38420124134, R9: 4
    Return Address: fffff8044c9cdca1
    
    Function: ZwClose
    RCX: ffffffff80002114, RDX: 4b, R8: ffffd38420124134, R9: 4
    Return Address: fffff8044c9cdcb0
    
    Function: ExInitializeResourceLite
    RCX: fffff8044ca2b6e0, RDX: fffff8044ca2b6e0, R8: ffffffff, R9: 7fffbe8a81ea2330
    Return Address: fffff8044c9cebae
    
    Function: ExInitializeNPagedLookasideList
    RCX: fffff8044ca2b100, RDX: 0, R8: 0, R9: 200
    Return Address: fffff8044c9cb60c
    
    Function: RtlInitializeGenericTableAvl
    RCX: fffff8044ca2b180, RDX: fffff8044c9cb460, R8: fffff8044c9cb450, R9: fffff8044c9cb480
    Return Address: fffff8044c9cb640
    
    Function: PsGetCurrentThreadId
    RCX: ffffbc84b35e77e0, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044c9cb658
    
    Function: RtlInsertElementGenericTableAvl
    RCX: fffff8044ca2b180, RDX: ffffbc84b35e7760, R8: 90, R9: ffffbc84b35e7728
    Return Address: fffff8044c9cb4ba
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: b0, R8: 74726375, R9: ffffbc84b35e7728
    Return Address: fffff8044c9cb3ae
    
    Function: ExInitializeResourceLite
    RCX: fffff8044ca2b5a0, RDX: fffff8044ca2b5a0, R8: 0, R9: 0
    Return Address: fffff8044c9ceafe
    
    Function: ExInitializeResourceLite
    RCX: fffff8044ca2b608, RDX: fffff8044ca2b5a0, R8: 8, R9: 0
    Return Address: fffff8044c9ceafe
    
    Function: ExInitializeResourceLite
    RCX: fffff8044ca2b670, RDX: fffff8044ca2b5a0, R8: 0, R9: 0
    Return Address: fffff8044c9ceafe
    
    Function: ExInitializeNPagedLookasideList
    RCX: fffff8044ca2b200, RDX: 0, R8: 0, R9: 200
    Return Address: fffff8044c9cda88
    
    Function: RtlInitializeGenericTableAvl
    RCX: fffff8044ca2b280, RDX: fffff8044c9cd8c0, R8: fffff8044c9cd8b0, R9: fffff8044c9cd8e0
    Return Address: fffff8044c9cdabc
    
    Function: PsGetCurrentThreadId
    RCX: ffffbc84b35e77e8, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044c9cdad2
    
    Function: RtlInsertElementGenericTableAvl
    RCX: fffff8044ca2b280, RDX: ffffbc84b35e77a0, R8: 48, R9: ffffbc84b35e7768
    Return Address: fffff8044c9cd946
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: 68, R8: 74726375, R9: ffffbc84b35e7768
    Return Address: fffff8044c9cb3ae
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: 1c0, R8: 74726375, R9: 0
    Return Address: fffff8044c9cd45f
    
    Function: RtlGetVersion
    RCX: ffffd3842409a84c, RDX: 11c, R8: 0, R9: fff
    Return Address: fffff8044c9c8cc7
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35e77d8
    Return Address: fffff8044d122066
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b35e73c0
    Return Address: fffff8044d12206c
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b35e77d8
    Return Address: fffff8044d122074
    
    Function: ExFreePoolWithTag
    RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b35e7300, R9: ffffbc84b35e73c0
    Return Address: fffff8044d122091
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35e77d8
    Return Address: fffff8044d1220b9
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b35e73c0
    Return Address: fffff8044d1220bf
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b35e77d8
    Return Address: fffff8044d1220c5
    
    Function: ExFreePoolWithTag
    RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b35e7300, R9: ffffbc84b35e73c0
    Return Address: fffff8044d1220d2
    
    Function: ExAllocatePoolWithTag
    RCX: 1, RDX: 1000, R8: 35384245, R9: 0
    Return Address: fffff8044d122252
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: 20, R8: 44533143, R9: 0
    Return Address: fffff8044d121f98
    
    Function: ExQueueWorkItem
    RCX: ffffd384233ee550, RDX: 1, R8: ffffd384233ee550, R9: fff
    Return Address: fffff8044d121fef
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b28cab38, R9: 0
    Return Address: fffff8044d1209b1
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b35e7808, R9: 2f
    Return Address: fffff8044d1209b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28cab38
    Return Address: fffff8044d1209e2
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b28ca720
    Return Address: fffff8044d1209f4
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b28cab38
    Return Address: fffff8044d1209fa
    
    Function: ExFreePoolWithTag
    RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b28ca600, R9: ffffbc84b28ca720
    Return Address: fffff8044d120a3f
    
    Function: KdRefreshDebuggerNotPresent
    RCX: fffff80446796028, RDX: 3bd, R8: fffff80446796000, R9: 188b5e66ecc8b28
    Return Address: fffff8044d121634
    
    KDTARGET: Refreshing KD connection
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28caaa8
    Return Address: fffff8044d120bc2
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b28ca690
    Return Address: fffff8044d120bdc
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b28caaa8
    Return Address: fffff8044d120be2
    
    Function: ExFreePoolWithTag
    RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b28ca600, R9: ffffbc84b28ca690
    Return Address: fffff8044d120bfb
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: 40, R8: 41434520, R9: 882b074c4af83a16
    Return Address: fffff8044d121195
    
    Function: KeInitializeDpc
    RCX: ffffd3841cd025d0, RDX: fffff8044c9c78c0, R8: fffff80445fc14e0, R9: fff
    Return Address: fffff8044d1211d7
    
    Function: KeInsertQueueDpc
    RCX: ffffd3841cd025d0, RDX: 0, R8: 0, R9: fff
    Return Address: fffff8044d121205
    
    KDTARGET: Refreshing KD connection
    
    *** Fatal System Error: 0x00414345
                         (0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)
    
    Break instruction exception - code 80000003 (first chance)
    
    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.
    
    A fatal system error has occurred.
    
    For analysis of this file, run !analyze -v
    nt!DbgBreakPointWithStatus:
    fffff804`45fc9370 cc              int     3
    

    A KDTARGET: Refreshing KD connection message appears in the middle; looking further up, KdRefreshDebuggerNotPresent has just been called, which means the driver uses this function for anti-debugging. The return address is fffff8044d121634 and the image base is FFFFF8044C9C0000, so the call site works out to ACEDriver.sys + 0x761634. Going straight to that location in the dumped code shows it is a thread started via ExQueueWorkItem, and the log indeed shows ExQueueWorkItem being called. The conclusion of the analysis: the two functions KdDisableDebugger and KdRefreshDebuggerNotPresent need to be hooked with manually set return values. The implementation follows:

    if (func.function_name == "KdDisableDebugger")
    {
      auto lambda = [](GuestContext* context) -> BOOLEAN {
          ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
          if (FILTER_RET_ADDR(origin_ret_addr))
          {
              LOG_INFO("Function: KdDisableDebugger\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
                  context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
          }
          context->mRax = STATUS_SUCCESS;
          return TRUE;
          };
    
      try {
          GLOBAL_HOOK_MANAGER.add_hook(func.address, reinterpret_cast<ULONG64>(+lambda));
          LOG_INFO("Successfully hooked %s at %llx\r\n", func.function_name.c_str(), func.address);
      }
      catch (const std::exception& e) {
          LOG_INFO("Failed to hook %s: %s\r\n", func.function_name.c_str(), e.what());
      }
    
    }
    else if (func.function_name == "KdRefreshDebuggerNotPresent")
    {
      //DbgBreakPoint();
    
      auto lambda = [](GuestContext* context) -> BOOLEAN {
          ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
          if (FILTER_RET_ADDR(origin_ret_addr))
          {
              LOG_INFO("Function: KdRefreshDebuggerNotPresent\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
                  context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
          }
          context->mRax = 1;
          return TRUE;
          };
      try {
          GLOBAL_HOOK_MANAGER.add_hook(func.address, reinterpret_cast<ULONG64>(+lambda));
          LOG_INFO("Successfully hooked %s at %llx\r\n", func.function_name.c_str(), func.address);
      }
      catch (const std::exception& e) {
          LOG_INFO("Failed to hook %s: %s\r\n", func.function_name.c_str(), e.what());
      }
    
    }

    The handler directly modifies the mRax return value and returns TRUE. In this framework, return TRUE means the original function is not called: after setting the registers, the hook returns directly. The effect is that calling KdDisableDebugger returns STATUS_SUCCESS immediately without invoking the original, and calling KdRefreshDebuggerNotPresent returns 1, the value that indicates no debugger is attached. With these two hooks added, reload the driver.

Loading ACEDriver.sys again with the hooks in place

  • After adding the hooks described above and loading again, there is no blue screen this time. The full log is as follows

    [smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!
    [smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044CFA0000
    [smallzhong][ImageLoadCallback():24] Image Size: 12ce000
    Function: ExAllocatePool
    RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35d2768
    Return Address: fffff8044dfcac91
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
    Return Address: fffff8044dd9062a
    
    Function: ExAllocatePool
    RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
    Return Address: fffff8044dd76230
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
    Return Address: fffff8044d7059a8
    
    Function: ExFreePoolWithTag
    RCX: ffffd384234c5000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
    Return Address: fffff8044dd8ce2a
    
    Function: IoAllocateMdl
    RCX: fffff8044cfa0000, RDX: 762537, R8: 0, R9: 0
    Return Address: fffff8044e072507
    
    Function: MmProbeAndLockPages
    RCX: ffffd384233e2000, RDX: 0, R8: 1, R9: ffffbc84b35d2760
    Return Address: fffff8044e0c65ef
    
    Function: MmMapLockedPagesSpecifyCache
    RCX: ffffd384233e2000, RDX: 0, R8: 1, R9: 0
    Return Address: fffff8044e115827
    
    Function: ExAllocatePool
    RCX: 200, RDX: 3e6c, R8: ffffbc84b35d2768, R9: fffffff86df59f7a
    Return Address: fffff8044df5b359
    
    Function: ExFreePoolWithTag
    RCX: ffffd38422dc8000, RDX: 0, R8: ffffbc84b35d2768, R9: 2
    Return Address: fffff8044ddbd486
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
    Return Address: fffff8044dd9062a
    
    Function: ExAllocatePool
    RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
    Return Address: fffff8044dd76230
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
    Return Address: fffff8044d7059a8
    
    Function: ExFreePoolWithTag
    RCX: ffffd384234c5000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
    Return Address: fffff8044dd8ce2a
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
    Return Address: fffff8044dd9062a
    
    Function: ExAllocatePool
    RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
    Return Address: fffff8044dd76230
    
    Function: NtQuerySystemInformation
    RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
    Return Address: fffff8044d7059a8
    
    Function: ExFreePoolWithTag
    RCX: ffffd384234c5000, RDX: 0, R8: ffffbc84b35d266b, R9: ffffd384234c64d8
    Return Address: fffff8044dd8ce2a
    
    Function: KeSetSystemAffinityThread
    RCX: 1, RDX: 8, R8: 0, R9: ffffbc84b35d2770
    Return Address: fffff8044dea2bc1
    
    Function: KeSetSystemAffinityThread
    RCX: 2, RDX: 8, R8: 0, R9: ffffbc84b35d2770
    Return Address: fffff8044dea2bc1
    
    Function: KeSetSystemAffinityThread
    RCX: 4, RDX: 8, R8: 0, R9: ffffbc84b35d2770
    Return Address: fffff8044dea2bc1
    
    Function: KeSetSystemAffinityThread
    RCX: 8, RDX: 8, R8: 0, R9: ffffbc84b35d2770
    Return Address: fffff8044dea2bc1
    
    Function: KeRevertToUserAffinityThread
    RCX: 0, RDX: 0, R8: ffffbc84b35d2778, R9: ffffffffe12f6b55
    Return Address: fffff8044df61c67
    
    Function: MmUnlockPages
    RCX: ffffd384233e2000, RDX: 8, R8: 0, R9: ffffbc84b35d2660
    Return Address: fffff8044df816ea
    
    Function: IoFreeMdl
    RCX: ffffd384233e2000, RDX: 8, R8: 542b35c7, R9: ffffbc84b35d2660
    Return Address: fffff8044dfb0743
    
    Function: RtlCopyUnicodeString
    RCX: fffff8044d00b518, RDX: ffffd38423134000, R8: ffffbc84b35d1f60, R9: 10
    Return Address: fffff8044cfade8c
    
    Function: ExIsProcessorFeaturePresent
    RCX: a, RDX: ffffd38423134000, R8: ffffffffffff3fff, R9: fffff8044cfb3210
    Return Address: fffff8044cfae70b
    
    Function: RtlGetVersion
    RCX: ffffbc84b35d26f0, RDX: 7, R8: 2, R9: 1
    Return Address: fffff8044cfae4d7
    
    Function: MmGetSystemRoutineAddress
    RCX: ffffbc84b35d26d8, RDX: 7, R8: 2, R9: 1
    Return Address: fffff8044cfae4f7
    
    Function: NtQuerySystemInformation
    RCX: e3, RDX: ffffbc84b35d26d0, R8: 1, R9: 0
    Return Address: fffff8044cfae516
    
    Function: ZwOpenSection
    RCX: ffffbc84b35d2800, RDX: 5, R8: ffffbc84b35d2770, R9: 0
    Return Address: fffff8044cfadbf0
    
    Function: ZwQuerySection
    RCX: ffffffff80002b70, RDX: 1, R8: ffffbc84b35d27a0, R9: 40
    Return Address: fffff8044cfadc27
    
    Function: ObReferenceObjectByHandle
    RCX: ffffffff80002b70, RDX: 5, R8: ffffd3841d2cfbc0, R9: 0
    Return Address: fffff8044cfadc57
    
    Function: MmMapViewInSystemSpace
    RCX: ffffbe8a81ea2350, RDX: ffffbc84b35d2768, R8: ffffbc84b35d2760, R9: fffff80445e00000
    Return Address: fffff8044cfadc6f
    
    Function: MmUnmapViewInSystemSpace
    RCX: fffff80442c00000, RDX: be8a80ec7f880400, R8: ffffbc84b35d24e0, R9: ffffbc84b35d2748
    Return Address: fffff8044cfadc92
    
    Function: ObfDereferenceObject
    RCX: ffffbe8a81ea2350, RDX: ac, R8: ffffd3842323415a, R9: 2a
    Return Address: fffff8044cfadca1
    
    Function: ZwClose
    RCX: ffffffff80002b70, RDX: ac, R8: ffffd3842323415a, R9: 2a
    Return Address: fffff8044cfadcb0
    
    Function: ExInitializeResourceLite
    RCX: fffff8044d00b6e0, RDX: fffff8044d00b6e0, R8: ffffffff, R9: 7fffbe8a81ea2330
    Return Address: fffff8044cfaebae
    
    Function: ExInitializeNPagedLookasideList
    RCX: fffff8044d00b100, RDX: 0, R8: 0, R9: 200
    Return Address: fffff8044cfab60c
    
    Function: RtlInitializeGenericTableAvl
    RCX: fffff8044d00b180, RDX: fffff8044cfab460, R8: fffff8044cfab450, R9: fffff8044cfab480
    Return Address: fffff8044cfab640
    
    Function: PsGetCurrentThreadId
    RCX: ffffbc84b35d27e0, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044cfab658
    
    Function: RtlInsertElementGenericTableAvl
    RCX: fffff8044d00b180, RDX: ffffbc84b35d2760, R8: 90, R9: ffffbc84b35d2728
    Return Address: fffff8044cfab4ba
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: b0, R8: 74726375, R9: ffffbc84b35d2728
    Return Address: fffff8044cfab3ae
    
    Function: ExInitializeResourceLite
    RCX: fffff8044d00b5a0, RDX: fffff8044d00b5a0, R8: 0, R9: 0
    Return Address: fffff8044cfaeafe
    
    Function: ExInitializeResourceLite
    RCX: fffff8044d00b608, RDX: fffff8044d00b5a0, R8: 8, R9: 0
    Return Address: fffff8044cfaeafe
    
    Function: ExInitializeResourceLite
    RCX: fffff8044d00b670, RDX: fffff8044d00b5a0, R8: 0, R9: 0
    Return Address: fffff8044cfaeafe
    
    Function: ExInitializeNPagedLookasideList
    RCX: fffff8044d00b200, RDX: 0, R8: 0, R9: 200
    Return Address: fffff8044cfada88
    
    Function: RtlInitializeGenericTableAvl
    RCX: fffff8044d00b280, RDX: fffff8044cfad8c0, R8: fffff8044cfad8b0, R9: fffff8044cfad8e0
    Return Address: fffff8044cfadabc
    
    Function: PsGetCurrentThreadId
    RCX: ffffbc84b35d27e8, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044cfadad2
    
    Function: RtlInsertElementGenericTableAvl
    RCX: fffff8044d00b280, RDX: ffffbc84b35d27a0, R8: 48, R9: ffffbc84b35d2768
    Return Address: fffff8044cfad946
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: 68, R8: 74726375, R9: ffffbc84b35d2768
    Return Address: fffff8044cfab3ae
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: 1c0, R8: 74726375, R9: 0
    Return Address: fffff8044cfad45f
    
    Function: RtlGetVersion
    RCX: ffffd3841de7b2bc, RDX: 11c, R8: 0, R9: fff
    Return Address: fffff8044cfa8cc7
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35d27d8
    Return Address: fffff8044d702066
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35d23c0
    Return Address: fffff8044d70206c
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35d27d8
    Return Address: fffff8044d702074
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35d2300, R9: ffffbc84b35d23c0
    Return Address: fffff8044d702091
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35d27d8
    Return Address: fffff8044d7020b9
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35d23c0
    Return Address: fffff8044d7020bf
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35d27d8
    Return Address: fffff8044d7020c5
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35d2300, R9: ffffbc84b35d23c0
    Return Address: fffff8044d7020d2
    
    Function: ExAllocatePoolWithTag
    RCX: 1, RDX: 1000, R8: 35384245, R9: 0
    Return Address: fffff8044d702252
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: 20, R8: 44533143, R9: 0
    Return Address: fffff8044d701f98
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fff
    Return Address: fffff8044d701fef
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b35d2808, R9: 2f
    Return Address: fffff8044d7009b1
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0b38
    Return Address: fffff8044d7009e2
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f0720
    Return Address: fffff8044d7009f4
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0b38
    Return Address: fffff8044d7009fa
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f0720
    Return Address: fffff8044d700a3f
    
    [smallzhong][DriverMain::<lambda_2>::operator ()():111] Function: KdRefreshDebuggerNotPresent
    RCX: fffff80446796028, RDX: 3bd, R8: fffff80446796000, R9: 188b5e66ecc8b28
    Return Address: fffff8044d701634
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 188b5e66ecc8b28
    Return Address: fffff8044d7016c0
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b28c3af8, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28c3af8
    Return Address: fffff8044d700a81
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b28c36e0
    Return Address: fffff8044d700a87
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b28c3af8
    Return Address: fffff8044d700a8d
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b28c3600, R9: ffffbc84b28c36e0
    Return Address: fffff8044d700b02
    
    [smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
    RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
    Return Address: fffff8044d7018fd
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28c3af8
    Return Address: fffff8044d700b37
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b28c36e0
    Return Address: fffff8044d700b3d
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b28c3af8
    Return Address: fffff8044d700b43
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b28c3600, R9: ffffbc84b28c36e0
    Return Address: fffff8044d700b87
    
    Function: ZwProtectVirtualMemory
    RCX: ffffffffffffffff, RDX: ffffbc84b28c3b80, R8: ffffbc84b28c3b78, R9: 40
    Return Address: fffff8044d701b36
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
    Return Address: fffff8044d701c02
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
    Return Address: fffff8044d701e86
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a81
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700a87
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a8d
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b02
    
    [smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
    RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
    Return Address: fffff8044d7018fd
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b37
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b3d
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b43
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b87
    
    Function: ZwProtectVirtualMemory
    RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
    Return Address: fffff8044d701b36
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
    Return Address: fffff8044d701c02
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b350eb38, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
    Return Address: fffff8044d701e86
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a81
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700a87
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a8d
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b02
    
    [smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
    RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
    Return Address: fffff8044d7018fd
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b37
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b3d
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b43
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b87
    
    Function: ZwProtectVirtualMemory
    RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
    Return Address: fffff8044d701b36
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
    Return Address: fffff8044d701c02
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b350eb38, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
    Return Address: fffff8044d701e86
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a81
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700a87
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a8d
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b02
    
    [smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
    RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
    Return Address: fffff8044d7018fd
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b37
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b3d
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b43
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b87
    
    Function: ZwProtectVirtualMemory
    RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
    Return Address: fffff8044d701b36
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
    Return Address: fffff8044d701c02
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
    Return Address: fffff8044d701e86
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a81
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700a87
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a8d
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b02
    
    [smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
    RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
    Return Address: fffff8044d7018fd
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b37
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b3d
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b43
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b87
    
    Function: ZwProtectVirtualMemory
    RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
    Return Address: fffff8044d701b36
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
    Return Address: fffff8044d701c02
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b28c3b38, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
    Return Address: fffff8044d701e86
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a81
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700a87
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700a8d
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b02
    
    [smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
    RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
    Return Address: fffff8044d7018fd
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b37
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b3d
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
    Return Address: fffff8044d700b43
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
    Return Address: fffff8044d700b87
    
    Function: ZwProtectVirtualMemory
    RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
    Return Address: fffff8044d701b36
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
    Return Address: fffff8044d701c02
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b28c3b38, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
    Return Address: fffff8044d701e86
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b27f0af8, R9: 0
    Return Address: fffff8044d7009b1
    
    Function: KeQueryActiveProcessorCount
    RCX: 0, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044d6ff80f
    
    Function: ExAllocatePoolWithTag
    RCX: 200, RDX: 9d4000, R8: 41316333, R9: 0
    Return Address: fffff8044d6ff85c
    
    Function: KeDelayExecutionThread
    RCX: 0, RDX: 0, R8: ffffbc84b35d2808, R9: 689
    Return Address: fffff8044d7009b1
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0af8
    Return Address: fffff8044d700a81
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f06e0
    Return Address: fffff8044d700a87
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0af8
    Return Address: fffff8044d700a8d
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f06e0
    Return Address: fffff8044d700b02
    
    [smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
    RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
    Return Address: fffff8044d7018fd
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0af8
    Return Address: fffff8044d700b37
    
    Function: ExAllocatePoolWithTag
    RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f06e0
    Return Address: fffff8044d700b3d
    
    Function: ZwQuerySystemInformation
    RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0af8
    Return Address: fffff8044d700b43
    
    Function: ExFreePoolWithTag
    RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f06e0
    Return Address: fffff8044d700b87
    
    Function: ZwProtectVirtualMemory
    RCX: ffffffffffffffff, RDX: ffffbc84b27f0b80, R8: ffffbc84b27f0b78, R9: 40
    Return Address: fffff8044d701b36
    
    Function: ExQueueWorkItem
    RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
    Return Address: fffff8044d701c02
    
    Function: ExFreePoolWithTag
    RCX: ffffd38420034940, RDX: 44533143, R8: 20, R9: 0
    Return Address: fffff8044d701e86
    
    Function: ExFreePoolWithTag
    RCX: ffffbe8a89381000, RDX: 35384245, R8: ffffd3841d269040, R9: fffff80445e00000
    Return Address: fffff8044d701f3d
    
    Function: ExFreePoolWithTag
    RCX: ffffd3841de7b290, RDX: 74726375, R8: ffffbc84b35d26b8, R9: ffffffff
    Return Address: fffff8044cfad885
    
    Function: ExEnterCriticalRegionAndAcquireResourceExclusive
    RCX: fffff8044d00b5a0, RDX: ffffbc84b35d2840, R8: ffffbc84b35d2848, R9: ffffbc84b35d2878
    Return Address: fffff8044cfae5ac
    
    Function: ExEnterCriticalRegionAndAcquireResourceExclusive
    RCX: fffff8044d00b5a0, RDX: ffffbc84b35d27c8, R8: ffffbc84b35d2790, R9: ffffbc84b35d27c0
    Return Address: fffff8044cfae895
    
    Function: ExReleaseResourceAndLeaveCriticalRegion
    RCX: fffff8044d00b5a0, RDX: fffff8044d00b568, R8: 641e7b808835, R9: ffffbc84b35d27c0
    Return Address: fffff8044cfae9c2
    
    Function: ExReleaseResourceAndLeaveCriticalRegion
    RCX: fffff8044d00b5a0, RDX: fffff8044cfb0240, R8: ffffbc84b35d26d0, R9: ffffbc84b35d27c0
    Return Address: fffff8044cfae5bd
    
    Function: RtlGetElementGenericTableAvl
    RCX: fffff8044d00b280, RDX: 0, R8: ffffbc84b35d27c0, R9: ffffbc84b35d27c0
    Return Address: fffff8044cfadb45
    
    Function: RtlDeleteElementGenericTableAvl
    RCX: fffff8044d00b280, RDX: ffffd384232486b0, R8: 0, R9: 0
    Return Address: fffff8044cfadb36
    
    Function: RtlGetElementGenericTableAvl
    RCX: fffff8044d00b280, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044cfadb45
    
    Function: ExDeleteNPagedLookasideList
    RCX: fffff8044d00b200, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044cfadb57
    
    Function: ExDeleteResourceLite
    RCX: fffff8044d00b670, RDX: 8f, R8: ffffd3842323415a, R9: 2a
    Return Address: fffff8044cfaeb66
    
    Function: ExDeleteResourceLite
    RCX: fffff8044d00b608, RDX: 0, R8: ffffd3842323415a, R9: 2a
    Return Address: fffff8044cfaeb66
    
    Function: ExDeleteResourceLite
    RCX: fffff8044d00b5a0, RDX: 0, R8: ffffd3842323415a, R9: 2a
    Return Address: fffff8044cfaeb66
    
    Function: RtlGetElementGenericTableAvl
    RCX: fffff8044d00b180, RDX: 0, R8: ffffd3842323415a, R9: 2a
    Return Address: fffff8044cfab6c9
    
    Function: RtlDeleteElementGenericTableAvl
    RCX: fffff8044d00b180, RDX: ffffd38422954f40, R8: 0, R9: 0
    Return Address: fffff8044cfab6ba
    
    Function: RtlGetElementGenericTableAvl
    RCX: fffff8044d00b180, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044cfab6c9
    
    Function: ExDeleteNPagedLookasideList
    RCX: fffff8044d00b100, RDX: 0, R8: 0, R9: 0
    Return Address: fffff8044cfab6db
    
    Function: ExDeleteResourceLite
    RCX: fffff8044d00b6e0, RDX: 27, R8: ffffd384229431ac, R9: 24
    Return Address: fffff8044cfaebf6
    
    Function: DbgPrintEx
    RCX: 4d, RDX: 0, R8: fffff8044cfb0840, R9: c0000001
    Return Address: fffff8044cfadf0c
    
    DriverEntry failed 0xc0000001 for driver \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ACEDriver
    Function: ExFreePoolWithTag
    RCX: ffffd38422ef9e00, RDX: 0, R8: 140d712a4, R9: 2
    Return Address: fffff8044e053193
    

As the log shows, the two work items call each other; what follows should be the allocation and saving of the HV's EPT-related data, and the call sites of these functions can likewise be used to trace back to the key functions. I will not write up the rest of the analysis: once the location of the key algorithm has been found, what remains is the dizzying reverse-engineering phase. This framework can only be used to quickly locate the key logic points of the whole driver; the reversing itself still has to be done by hand, tracing back from the printed return addresses.
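To make that tracing back less manual, here is an added Python helper (not part of the author's framework) that parses the three-line records the hook callback prints, counts calls per (function, return address) so the hot call sites stand out, decodes pool tags, and nets ExAllocatePoolWithTag against ExFreePoolWithTag per tag. It assumes the record format exactly as shown in the log above and works on a constructed sample modelled on it.

```python
# Added example, not the framework's own code: post-process the callback log
# whose records look like the three lines 'Function: ...' / 'RCX: ..., RDX: ...,
# R8: ..., R9: ...' / 'Return Address: ...' (a '[smallzhong][...]' prefix on the
# Function line is skipped).
import re
from collections import Counter, defaultdict

# Constructed sample in the log's format (values modelled on the post's output).
SAMPLE_LOG = """\
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b28c36e0
Return Address: fffff8044d700a87

Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b28c3600, R9: ffffbc84b28c36e0
Return Address: fffff8044d700b02

[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd

Function: ExAllocatePoolWithTag
RCX: 200, RDX: 9d4000, R8: 41316333, R9: 0
Return Address: fffff8044d6ff85c
"""

RECORD_RE = re.compile(
    r"Function: (?P<fn>\w+)\s*\n"
    r"RCX: (?P<rcx>[0-9a-f]+), RDX: (?P<rdx>[0-9a-f]+), "
    r"R8: (?P<r8>[0-9a-f]+), R9: (?P<r9>[0-9a-f]+)\s*\n"
    r"Return Address: (?P<ret>[0-9a-f]+)")

def parse_log(text):
    """Return one dict per hooked call, register values as ints."""
    recs = []
    for m in RECORD_RE.finditer(text):
        d = m.groupdict()
        recs.append({"fn": d["fn"],
                     **{k: int(d[k], 16) for k in ("rcx", "rdx", "r8", "r9", "ret")}})
    return recs

def decode_pool_tag(tag):
    """A pool tag is a ULONG whose bytes read as ASCII in little-endian order."""
    return tag.to_bytes(4, "little").decode("ascii", errors="replace")

def call_sites(records):
    """Count (function, return address) pairs; the return addresses are where
    to start tracing back into the driver, as the post recommends."""
    return Counter((r["fn"], r["ret"]) for r in records)

def pool_balance(records):
    """Net allocations per tag: ExAllocatePoolWithTag carries the tag in R8,
    ExFreePoolWithTag in RDX.  A positive balance is pool the driver kept."""
    bal = defaultdict(int)
    for r in records:
        if r["fn"] == "ExAllocatePoolWithTag":
            bal[decode_pool_tag(r["r8"])] += 1
        elif r["fn"] == "ExFreePoolWithTag":
            bal[decode_pool_tag(r["rdx"])] -= 1
    return dict(bal)
```

Feed the full DbgView capture to `parse_log` and sort `call_sites(...)` by count; the return addresses of the top entries, minus the driver's load base, are the offsets to open in the disassembler.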

2#
489496 posted on 2025-4-27 22:46
Learning, thanks
3#
amwquhwqas128 posted on 2025-4-27 23:30
4#
laozhang4201 posted on 2025-4-28 05:06
5#
nihao3312 posted on 2025-4-28 05:13
The OP is really impressive, managing to pull this off
6#
52soft posted on 2025-4-28 06:50
Good method, learning
7#
ltgb posted on 2025-4-28 07:26
Thumbs up for the TL;DR at the start
8#
walykyy posted on 2025-4-28 07:43
I can't follow it, but still have to show support
9#
ybss posted on 2025-4-28 09:40
Thanks for sharing
10#
younger4862 posted on 2025-4-28 10:45
Educational, but a bit hard to follow