
Erro bobo


caion90

Pergunta

pessoal, ainda estou na tentativa de fazer o PoC. Seria mais ou menos o seguinte: o programa chama a função URLDownloadToFile da URLMON.DLL, isso é normal e é bem conhecido; o que quero é redirecionar a função que abre as bibliotecas para que, quando ele tentar abrir uma biblioteca, ex. NOMLRU.DLL (que é urlmon), eu redirecione para a URLMON verdadeira. Aqui está o source, mas tem alguns erros; estão na comparação, porque no hook que faço alguns parâmetros são opcionais e não consigo verificar se eles estão setados. Aqui vai o código:

#include <ntddk.h>

/*
 * Index into the kernel service table for a Zw* export: reads the DWORD at
 * byte offset 1 of the function, i.e. the immediate of the `mov eax, <index>`
 * instruction that the x86 Zw* stubs begin with. Any other layout at that
 * address (a different stub shape, a 64-bit kernel, a patched entry) yields a
 * bogus index and the hook below would then overwrite the wrong entry.
 */
#define SYSTEMSERVICE(_name)  KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]

#define DEBUG /* not referenced anywhere in this file */
typedef unsigned long DWORD, *PDWORD;   /* ntddk.h provides ULONG/UCHAR, not the Win32 DWORD/BYTE names */
typedef unsigned char BYTE, *PBYTE;

void hooking(void);   /* NOTE(review): the definition further down is spelled `Hooking`; this prototype declares a function that is never defined */
void Unhooking();
NTSTATUS DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING); // driver entry point (the driver's main())
void Unload_driver(IN PDRIVER_OBJECT);

/*
 * Local mirror of the kernel's service descriptor table layout, packed so the
 * field offsets match the exported object. Only ServiceTable is used in this
 * file; the meaning of the other three fields is taken from the usual layout
 * and is not validated anywhere here.
 */
#pragma pack(1)
typedef struct ServiceDescriptorEntry 
{
    PDWORD ServiceTable;        /* array of service routine addresses, indexed by service number */
    PDWORD CounterTableBase;    /* presumably per-service call counters; unused here */
    DWORD  ServiceLimit;        /* presumably the number of entries in ServiceTable; unused here */
    PBYTE  ArgumentTable;       /* presumably per-service argument sizes; unused here */
} SDT;
#pragma pack()

/* Resolved against the kernel's export at load time; 64-bit kernels do not export this symbol. */
__declspec(dllimport) SDT KeServiceDescriptorTable;

/*typedef NTSYSAPI NTSTATUS (*ZWCREATEFILE)
(

    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
    
);

typedef NTSYSAPI NTSTATUS (*ZWOPENFILE)
(
  OUT  PHANDLE FileHandle,
  IN   ACCESS_MASK DesiredAccess,
  IN   POBJECT_ATTRIBUTES ObjectAttributes,
  OUT  PIO_STATUS_BLOCK IoStatusBlock,
  IN   ULONG ShareAccess,
  IN   ULONG OpenOptions
);
*/

/*
 * Pointer type used both for the saved original entry and for the call-through
 * in FakeZwCreateSection. NOTE(review): no calling convention is spelled out;
 * the kernel's Nt/Zw services are NTAPI (stdcall on x86), so this only matches
 * if the build defaults to stdcall. NTSYSAPI on a function-pointer typedef is
 * unusual - confirm the compiler accepts it rather than silently ignoring it.
 */
typedef NTSYSAPI NTSTATUS (*ZWCREATESECTION)
(
  OUT     PHANDLE SectionHandle,
  IN      ACCESS_MASK DesiredAccess,
  IN      POBJECT_ATTRIBUTES ObjectAttributes,
  IN      PLARGE_INTEGER MaximumSize,
  IN      ULONG SectionPageProtection,
  IN      ULONG AllocationAttributes,
  IN      HANDLE FileHandle
);

/*ZWCREATEFILE OrigZwCreateFile;
extern ZWCREATEFILE OrigZwCreateFile;

ZWOPENFILE OrigZwOpenFile;
extern ZWOPENFILE OrigZwOpenFile;
*/

/* Original service table entry, saved by Hooking() and restored by Unhooking();
 * FakeZwCreateSection forwards every call to it. The `extern` on the next line
 * re-declares the same object in the same translation unit and is redundant. */
ZWCREATESECTION OrigZwCreateSection;
extern ZWCREATESECTION OrigZwCreateSection;

/*
NTSTATUS RtlEqualUnicodeString(      

        IN PUNICODE_STRING String1, 
        IN PUNICODE_STRING String2, 
        IN BOOLEAN  CaseInSensitive  
    ); 
    
typedef struct _OBJECT_ATTRIBUTES {
    ULONG  Length;
    HANDLE  RootDirectory;
    PUNICODE_STRING  ObjectName;    
    ULONG  Attributes;
    PVOID  SecurityDescriptor;
    PVOID  SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;

NTSTATUS ZwCreateSection(
  __out     PHANDLE SectionHandle,
  __in      ACCESS_MASK DesiredAccess,
  __in_opt  POBJECT_ATTRIBUTES ObjectAttributes,
  __in_opt  PLARGE_INTEGER MaximumSize,
  __in      ULONG SectionPageProtection,
  __in      ULONG AllocationAttributes,
  __in_opt  HANDLE FileHandle
);
*/

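NTSTATUS FakeZwCreateSection(
  OUT     PHANDLE SectionHandle,
  IN      ACCESS_MASK DesiredAccess,
  IN      POBJECT_ATTRIBUTES ObjectAttributes,
  IN      PLARGE_INTEGER MaximumSize,
  IN      ULONG SectionPageProtection,
  IN      ULONG AllocationAttributes,
  IN      HANDLE FileHandle
)
{
    /*
     * Replacement for the ZwCreateSection service table entry (installed by
     * Hooking()). It looks at the object name the caller supplied, prints a
     * DbgPrint line when it equals one of the two hard-coded paths, and in
     * every case forwards the unmodified arguments to OrigZwCreateSection and
     * returns its status. The name-replacement statements from the original
     * are kept commented out, so the hook is currently log-only.
     *
     * Parameters and return value are those of ZwCreateSection; the status
     * returned is whatever OrigZwCreateSection returns.
     *
     * ObjectAttributes and ObjectAttributes->ObjectName are both optional for
     * this service (the commented-out prototype above marks ObjectAttributes
     * `__in_opt`), so each is tested for NULL before being dereferenced; the
     * original only tested the outer pointer.
     *
     * NOTE(review): the pointers arrive straight from the system call
     * dispatcher and have not been probed or captured. For a user-mode
     * caller, an invalid or concurrently modified ObjectAttributes would
     * fault here in kernel mode instead of being rejected with a status.
     * A name given relative to RootDirectory also never matches the absolute
     * paths compared below.
     */
    UNICODE_STRING KernelName;
    UNICODE_STRING UrlmonName;
    UNICODE_STRING RKernelName;   /* only referenced by the commented-out replacement below */
    UNICODE_STRING RUrlmonName;   /* only referenced by the commented-out replacement below */

    RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll");
    RtlInitUnicodeString(&KernelName,  L"\\??\\C:\\windows\\system32\\lld.23lenrek");
    RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL");
    RtlInitUnicodeString(&UrlmonName,  L"\\??\\C:\\windows\\system32\\LLD.NOMLRU");

    if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL) {
        if (RtlEqualUnicodeString(ObjectAttributes->ObjectName, &KernelName, TRUE)) {
            DbgPrint("ZWCREATESECTION redirect acionado - KERNEL32\n");
            /* Kept disabled as in the original: it would write into the
             * caller-owned OBJECT_ATTRIBUTES and point it at a stack local. */
//          ObjectAttributes->ObjectName = &RKernelName;
        } else if (RtlEqualUnicodeString(ObjectAttributes->ObjectName, &UrlmonName, TRUE)) {
            DbgPrint("ZWCREATESECTION redirect acionado - URLMON\n");
//          ObjectAttributes->ObjectName = &RUrlmonName;
        }
    }

    /* One forwarding call replaces the four identical copies of the original;
     * OrigZwCreateSection already has type ZWCREATESECTION, so no cast. */
    return OrigZwCreateSection(SectionHandle,
                               DesiredAccess,
                               ObjectAttributes,
                               MaximumSize,
                               SectionPageProtection,
                               AllocationAttributes,
                               FileHandle);
}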


/*
NTSTATUS FakeZwOpenFile(
  OUT  PHANDLE FileHandle,
  IN   ACCESS_MASK DesiredAccess,
  IN   POBJECT_ATTRIBUTES ObjectAttributes,
  OUT  PIO_STATUS_BLOCK IoStatusBlock,
  IN   ULONG ShareAccess,
  IN   ULONG OpenOptions
)
{                        
                        UNICODE_STRING KernelName;
                        UNICODE_STRING UrlmonName;
                        UNICODE_STRING RKernelName;
                        UNICODE_STRING RUrlmonName;                       
                        RtlInitUnicodeString(&KernelName, L"\\??\\C:\\windows\\system32\\lld.23lenrek");
                        RtlInitUnicodeString(&UrlmonName, L"\\??\\C:\\windows\\system32\\LLD.NOMLRU");                    
                        RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll");
                        RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL");                     
                        
                        if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)){
                        DbgPrint("ZWOPENFILE redirect acionado - KERNEL32\n");
                        ObjectAttributes->ObjectName = &RKernelName;
                        return(((ZWOPENFILE)(OrigZwOpenFile)) (
                                                            FileHandle,
                                                            DesiredAccess,
                                                            ObjectAttributes,
                                                            IoStatusBlock,
                                                            ShareAccess,
                                                            OpenOptions));                                                                                          
                        }
                        else
                        if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&UrlmonName, TRUE)){
                        DbgPrint("ZWOPENFILE redirect acionado - URLMON\n");
                        ObjectAttributes->ObjectName = &RUrlmonName;
                        return(((ZWOPENFILE)(OrigZwOpenFile)) (
                                                            FileHandle,
                                                            DesiredAccess,
                                                            ObjectAttributes,
                                                            IoStatusBlock,
                                                            ShareAccess,
                                                            OpenOptions));                                                                                                                                                                                  
                        }
                        else
                        return(((ZWOPENFILE)(OrigZwOpenFile)) (
                                                            FileHandle,
                                                            DesiredAccess,
                                                            ObjectAttributes,
                                                            IoStatusBlock,
                                                            ShareAccess,
                                                            OpenOptions));                                                                                                                                                                                  
}
*/


void Hooking(void) {
    /*
     * Installs the hook: saves the current ZwCreateSection entry of the
     * service table in OrigZwCreateSection, then overwrites that entry with
     * FakeZwCreateSection. The prototype at the top of the file spells this
     * function `hooking`, so that declaration matches nothing.
     *
     * `cli`/`sti` mask interrupts on the current processor only; other
     * processors can still dispatch the system call while the entry is being
     * swapped. Assigning through a cast, `(ZWCREATESECTION)(...) = ...`,
     * relies on a compiler extension - a cast expression is not an lvalue in
     * ISO C.
     *
     * NOTE(review): a service table entry that points outside the kernel
     * image is precisely the artifact SSDT-integrity checks in anti-rootkit
     * tools and kernel patch protection compare against the on-disk kernel.
     */
    _asm{cli}
    OrigZwCreateSection = (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection));
    (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = FakeZwCreateSection;
    _asm{sti}
    
}

/*
 * Restores the original ZwCreateSection entry saved by Hooking(). Called from
 * Unload_driver. Same caveats as Hooking(): `cli`/`sti` only affect this
 * processor, and the cast-as-lvalue assignment is a compiler extension.
 * The empty parameter list is an old-style declaration; `void` would make it
 * a prototype.
 */
void Unhooking() 
{

    _asm{cli}
    (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = OrigZwCreateSection;
    _asm{sti}
}

void Unload_driver(IN PDRIVER_OBJECT DriverObject) {
    /*
     * DriverUnload routine registered by DriverEntry: prints one debug line
     * and puts the original service table entry back via Unhooking() before
     * the driver image is discarded. DriverObject is not used.
     */
    (void)DriverObject;
    DbgPrint("And now, unhooking API :] \n");
    Unhooking();
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath) {
    /*
     * Driver entry point. Registers Unload_driver as the unload routine,
     * prints a debug line, installs the hook with Hooking() and reports
     * success. RegistryPath is not used. Always returns STATUS_SUCCESS.
     */
    (void)RegistryPath;
    driverObject->DriverUnload = Unload_driver;
    DbgPrint("Hooking API!\n");
    Hooking();
    return STATUS_SUCCESS;
}

/*
BUILD: Compile and Link for x86
BUILD: Loading c:\winddk\7600.16385.1\build.dat...
BUILD: Computing Include file dependencies:
BUILD: Start time: Sun Jan 08 17:22:49 2012
BUILD: Examining c:\zwcfhook(api) directory for files to compile.
    c:\zwcfhook(api) Invalidating OACR warning log for 'root:x86chk'
BUILD: Saving c:\winddk\7600.16385.1\build.dat...
BUILD: Compiling and Linking c:\zwcfhook(api) directory
Configuring OACR for 'root:x86chk' - <OACR on>
1>errors in directory c:\zwcfhook(api)
1>c:\winddk\7600.16385.1\bin\makefile.new(449) : error U1023: syntax error in ex
pression
1>nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKE
DIR_RELATIVE_TO_BASEDIR= failed - rc = 2

BUILD: Finish time: Sun Jan 08 17:22:53 2012
BUILD: Done

    0 files compiled - 2 Errors
*/

http://pastebin.com/LJ7gQajZ

O erro que está no source já foi resolvido; agora o erro está na linha 125, a estrutura (125) mostra os parâmetros opcionais.

ficaria muito feliz se alguém me ajudasse, obrigado.


0 respostas a esta questão


Até agora não há respostas para essa pergunta
