pessoal, ainda estou na tentativa de fazer o PoC. seria mais ou menos o seguinte, o programa chama a função URLDownloadToFile da URLMON.DLL, isso é normal, e é bem conhecido, o que quero é redirecionar a função que abre as bibliotecas para quando ele tentar abrir uma biblioteca, ex. NOMLRU.DLL (que é urlmon) vou redirecionar para URLMON verdadeira. aqui esta o source, mas tem alguns erros, estão na comparação porque o hook que faço alguns parametros são opcionais e não consigo verificar se eles estão setados, aqui vai o codigo
#include <ntddk.h>
#define SYSTEMSERVICE(_name) KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]
#define DEBUG
typedef unsigned long DWORD, *PDWORD;
typedef unsigned char BYTE, *PBYTE;
void hooking(void);
void Unhooking();
NTSTATUS DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING); // main() du driver
void Unload_driver(IN PDRIVER_OBJECT);
#pragma pack(1)
typedef struct ServiceDescriptorEntry
{
PDWORD ServiceTable;
PDWORD CounterTableBase;
DWORD ServiceLimit;
PBYTE ArgumentTable;
} SDT;
#pragma pack()
__declspec(dllimport) SDT KeServiceDescriptorTable;
/*typedef NTSYSAPI NTSTATUS (*ZWCREATEFILE)
(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength
);
typedef NTSYSAPI NTSTATUS (*ZWOPENFILE)
(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
);
*/
typedef NTSYSAPI NTSTATUS (*ZWCREATESECTION)
(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PLARGE_INTEGER MaximumSize,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle
);
/*ZWCREATEFILE OrigZwCreateFile;
extern ZWCREATEFILE OrigZwCreateFile;
ZWOPENFILE OrigZwOpenFile;
extern ZWOPENFILE OrigZwOpenFile;
*/
ZWCREATESECTION OrigZwCreateSection;
extern ZWCREATESECTION OrigZwCreateSection;
/*
NTSTATUS RtlEqualUnicodeString(
IN PUNICODE_STRING String1,
IN PUNICODE_STRING String2,
IN BOOLEAN CaseInSensitive
);
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
NTSTATUS ZwCreateSection(
__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PLARGE_INTEGER MaximumSize,
__in ULONG SectionPageProtection,
__in ULONG AllocationAttributes,
__in_opt HANDLE FileHandle
);
*/
NTSTATUS FakeZwCreateSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PLARGE_INTEGER MaximumSize,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle
)
{
UNICODE_STRING KernelName;
UNICODE_STRING UrlmonName;
UNICODE_STRING RKernelName;
UNICODE_STRING RUrlmonName;
RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll");
RtlInitUnicodeString(&KernelName, L"\\??\\C:\\windows\\system32\\lld.23lenrek");
RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL");
RtlInitUnicodeString(&UrlmonName, L"\\??\\C:\\windows\\system32\\LLD.NOMLRU");
if (ObjectAttributes) {
if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)){
DbgPrint("ZWCREATESECTION redirect acionado - KERNEL32\n");
// ObjectAttributes->ObjectName = &RKernelName;
return(((ZWCREATESECTION)(OrigZwCreateSection)) (
SectionHandle,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
FileHandle));
}
else
if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&UrlmonName, TRUE)){
DbgPrint("ZWCREATESECTION redirect acionado - URLMON\n");
// ObjectAttributes->ObjectName = &RUrlmonName;
return(((ZWCREATESECTION)(OrigZwCreateSection)) (
SectionHandle,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
FileHandle));
}
else
return(((ZWCREATESECTION)(OrigZwCreateSection)) (
SectionHandle,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
FileHandle));
}
else
return(((ZWCREATESECTION)(OrigZwCreateSection)) (
SectionHandle,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
FileHandle));
}
/*
NTSTATUS FakeZwOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
)
{
UNICODE_STRING KernelName;
UNICODE_STRING UrlmonName;
UNICODE_STRING RKernelName;
UNICODE_STRING RUrlmonName;
RtlInitUnicodeString(&KernelName, L"\\??\\C:\\windows\\system32\\lld.23lenrek");
RtlInitUnicodeString(&UrlmonName, L"\\??\\C:\\windows\\system32\\LLD.NOMLRU");
RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll");
RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL");
if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)){
DbgPrint("ZWOPENFILE redirect acionado - KERNEL32\n");
ObjectAttributes->ObjectName = &RKernelName;
return(((ZWOPENFILE)(OrigZwOpenFile)) (
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
ShareAccess,
OpenOptions));
}
else
if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&UrlmonName, TRUE)){
DbgPrint("ZWOPENFILE redirect acionado - URLMON\n");
ObjectAttributes->ObjectName = &RUrlmonName;
return(((ZWOPENFILE)(OrigZwOpenFile)) (
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
ShareAccess,
OpenOptions));
}
else
return(((ZWOPENFILE)(OrigZwOpenFile)) (
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
ShareAccess,
OpenOptions));
}
*/
void Hooking(void) {
_asm{cli}
OrigZwCreateSection = (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection));
(ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = FakeZwCreateSection;
_asm{sti}
}
void Unhooking()
{
_asm{cli}
(ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = OrigZwCreateSection;
_asm{sti}
}
void Unload_driver(IN PDRIVER_OBJECT DriverObject) {
DbgPrint("And now, unhooking API :] \n");
Unhooking();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath) {
driverObject->DriverUnload = Unload_driver;
DbgPrint("Hooking API!\n");
Hooking();
return(STATUS_SUCCESS);
}
/*
BUILD: Compile and Link for x86
BUILD: Loading c:\winddk\7600.16385.1\build.dat...
BUILD: Computing Include file dependencies:
BUILD: Start time: Sun Jan 08 17:22:49 2012
BUILD: Examining c:\zwcfhook(api) directory for files to compile.
c:\zwcfhook(api) Invalidating OACR warning log for 'root:x86chk'
BUILD: Saving c:\winddk\7600.16385.1\build.dat...
BUILD: Compiling and Linking c:\zwcfhook(api) directory
Configuring OACR for 'root:x86chk' - <OACR on>
1>errors in directory c:\zwcfhook(api)
1>c:\winddk\7600.16385.1\bin\makefile.new(449) : error U1023: syntax error in ex
pression
1>nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKE
DIR_RELATIVE_TO_BASEDIR= failed - rc = 2
BUILD: Finish time: Sun Jan 08 17:22:53 2012
BUILD: Done
0 files compiled - 2 Errors
*/
Question
caion90
pessoal, ainda estou na tentativa de fazer o PoC. seria mais ou menos o seguinte, o programa chama a função URLDownloadToFile da URLMON.DLL, isso é normal, e é bem conhecido, o que quero é redirecionar a função que abre as bibliotecas para quando ele tentar abrir uma biblioteca, ex. NOMLRU.DLL (que é urlmon) vou redirecionar para URLMON verdadeira. aqui esta o source, mas tem alguns erros, estão na comparação porque o hook que faço alguns parametros são opcionais e não consigo verificar se eles estão setados, aqui vai o codigo
http://pastebin.com/LJ7gQajZ
o erro que esta no source já foi resolvido, agora o erro esta na linha 125, a estrutura (125) mostra os parametros opcionais.
ficaria muito feliz se alguém me ajudasse, obrigado.
Link to comment
Share on other sites
0 answers to this question
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.