pessoal, ainda estou na tentativa de fazer o PoC. seria mais ou menos o seguinte, o programa chama a função URLDownloadToFile da URLMON.DLL, isso é normal, e é bem conhecido, o que quero é redirecionar a função que abre as bibliotecas para quando ele tentar abrir uma biblioteca, ex. NOMLRU.DLL (que é urlmon) vou redirecionar para URLMON verdadeira. aqui esta o source, mas tem alguns erros, estão na comparação porque o hook que faço alguns parametros são opcionais e não consigo verificar se eles estão setados, aqui vai o codigo
#include <ntddk.h>
#define SYSTEMSERVICE(_name) KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]
#define DEBUG
typedef unsigned long DWORD, *PDWORD;
typedef unsigned char BYTE, *PBYTE;
void hooking(void);
void Unhooking();
NTSTATUS DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING); // main() du driver
void Unload_driver(IN PDRIVER_OBJECT);
#pragma pack(1)
typedef struct ServiceDescriptorEntry
{
PDWORD ServiceTable;
PDWORD CounterTableBase;
DWORD ServiceLimit;
PBYTE ArgumentTable;
} SDT;
#pragma pack()
__declspec(dllimport) SDT KeServiceDescriptorTable;
/*typedef NTSYSAPI NTSTATUS (*ZWCREATEFILE)
(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength
);
typedef NTSYSAPI NTSTATUS (*ZWOPENFILE)
(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
);
*/
typedef NTSYSAPI NTSTATUS (*ZWCREATESECTION)
(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PLARGE_INTEGER MaximumSize,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle
);
/*ZWCREATEFILE OrigZwCreateFile;
extern ZWCREATEFILE OrigZwCreateFile;
ZWOPENFILE OrigZwOpenFile;
extern ZWOPENFILE OrigZwOpenFile;
*/
ZWCREATESECTION OrigZwCreateSection;
extern ZWCREATESECTION OrigZwCreateSection;
/*
NTSTATUS RtlEqualUnicodeString(
IN PUNICODE_STRING String1,
IN PUNICODE_STRING String2,
IN BOOLEAN CaseInSensitive
);
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
NTSTATUS ZwCreateSection(
__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PLARGE_INTEGER MaximumSize,
__in ULONG SectionPageProtection,
__in ULONG AllocationAttributes,
__in_opt HANDLE FileHandle
);
*/
NTSTATUS FakeZwCreateSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PLARGE_INTEGER MaximumSize,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle
)
{
UNICODE_STRING KernelName;
UNICODE_STRING UrlmonName;
UNICODE_STRING RKernelName;
UNICODE_STRING RUrlmonName;
RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll");
RtlInitUnicodeString(&KernelName, L"\\??\\C:\\windows\\system32\\lld.23lenrek");
RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL");
RtlInitUnicodeString(&UrlmonName, L"\\??\\C:\\windows\\system32\\LLD.NOMLRU");
if (ObjectAttributes) {
if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)){
DbgPrint("ZWCREATESECTION redirect acionado - KERNEL32\n");
// ObjectAttributes->ObjectName = &RKernelName;
return(((ZWCREATESECTION)(OrigZwCreateSection)) (
SectionHandle,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
FileHandle));
}
else
if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&UrlmonName, TRUE)){
DbgPrint("ZWCREATESECTION redirect acionado - URLMON\n");
// ObjectAttributes->ObjectName = &RUrlmonName;
return(((ZWCREATESECTION)(OrigZwCreateSection)) (
SectionHandle,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
FileHandle));
}
else
return(((ZWCREATESECTION)(OrigZwCreateSection)) (
SectionHandle,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
FileHandle));
}
else
return(((ZWCREATESECTION)(OrigZwCreateSection)) (
SectionHandle,
DesiredAccess,
ObjectAttributes,
MaximumSize,
SectionPageProtection,
AllocationAttributes,
FileHandle));
}
/*
NTSTATUS FakeZwOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
)
{
UNICODE_STRING KernelName;
UNICODE_STRING UrlmonName;
UNICODE_STRING RKernelName;
UNICODE_STRING RUrlmonName;
RtlInitUnicodeString(&KernelName, L"\\??\\C:\\windows\\system32\\lld.23lenrek");
RtlInitUnicodeString(&UrlmonName, L"\\??\\C:\\windows\\system32\\LLD.NOMLRU");
RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll");
RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL");
if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)){
DbgPrint("ZWOPENFILE redirect acionado - KERNEL32\n");
ObjectAttributes->ObjectName = &RKernelName;
return(((ZWOPENFILE)(OrigZwOpenFile)) (
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
ShareAccess,
OpenOptions));
}
else
if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&UrlmonName, TRUE)){
DbgPrint("ZWOPENFILE redirect acionado - URLMON\n");
ObjectAttributes->ObjectName = &RUrlmonName;
return(((ZWOPENFILE)(OrigZwOpenFile)) (
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
ShareAccess,
OpenOptions));
}
else
return(((ZWOPENFILE)(OrigZwOpenFile)) (
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
ShareAccess,
OpenOptions));
}
*/
void Hooking(void) {
_asm{cli}
OrigZwCreateSection = (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection));
(ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = FakeZwCreateSection;
_asm{sti}
}
void Unhooking()
{
_asm{cli}
(ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = OrigZwCreateSection;
_asm{sti}
}
void Unload_driver(IN PDRIVER_OBJECT DriverObject) {
DbgPrint("And now, unhooking API :] \n");
Unhooking();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath) {
driverObject->DriverUnload = Unload_driver;
DbgPrint("Hooking API!\n");
Hooking();
return(STATUS_SUCCESS);
}
/*
BUILD: Compile and Link for x86
BUILD: Loading c:\winddk\7600.16385.1\build.dat...
BUILD: Computing Include file dependencies:
BUILD: Start time: Sun Jan 08 17:22:49 2012
BUILD: Examining c:\zwcfhook(api) directory for files to compile.
c:\zwcfhook(api) Invalidating OACR warning log for 'root:x86chk'
BUILD: Saving c:\winddk\7600.16385.1\build.dat...
BUILD: Compiling and Linking c:\zwcfhook(api) directory
Configuring OACR for 'root:x86chk' - <OACR on>
1>errors in directory c:\zwcfhook(api)
1>c:\winddk\7600.16385.1\bin\makefile.new(449) : error U1023: syntax error in ex
pression
1>nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKE
DIR_RELATIVE_TO_BASEDIR= failed - rc = 2
BUILD: Finish time: Sun Jan 08 17:22:53 2012
BUILD: Done
0 files compiled - 2 Errors
*/
Pergunta
caion90
pessoal, ainda estou na tentativa de fazer o PoC. seria mais ou menos o seguinte, o programa chama a função URLDownloadToFile da URLMON.DLL, isso é normal, e é bem conhecido, o que quero é redirecionar a função que abre as bibliotecas para quando ele tentar abrir uma biblioteca, ex. NOMLRU.DLL (que é urlmon) vou redirecionar para URLMON verdadeira. aqui esta o source, mas tem alguns erros, estão na comparação porque o hook que faço alguns parametros são opcionais e não consigo verificar se eles estão setados, aqui vai o codigo
#include <ntddk.h> #define SYSTEMSERVICE(_name) KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)] #define DEBUG typedef unsigned long DWORD, *PDWORD; typedef unsigned char BYTE, *PBYTE; void hooking(void); void Unhooking(); NTSTATUS DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING); // main() du driver void Unload_driver(IN PDRIVER_OBJECT); #pragma pack(1) typedef struct ServiceDescriptorEntry { PDWORD ServiceTable; PDWORD CounterTableBase; DWORD ServiceLimit; PBYTE ArgumentTable; } SDT; #pragma pack() __declspec(dllimport) SDT KeServiceDescriptorTable; /*typedef NTSYSAPI NTSTATUS (*ZWCREATEFILE) ( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength ); typedef NTSYSAPI NTSTATUS (*ZWOPENFILE) ( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions ); */ typedef NTSYSAPI NTSTATUS (*ZWCREATESECTION) ( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PLARGE_INTEGER MaximumSize, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle ); /*ZWCREATEFILE OrigZwCreateFile; extern ZWCREATEFILE OrigZwCreateFile; ZWOPENFILE OrigZwOpenFile; extern ZWOPENFILE OrigZwOpenFile; */ ZWCREATESECTION OrigZwCreateSection; extern ZWCREATESECTION OrigZwCreateSection; /* NTSTATUS RtlEqualUnicodeString( IN PUNICODE_STRING String1, IN PUNICODE_STRING String2, IN BOOLEAN CaseInSensitive ); typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; NTSTATUS ZwCreateSection( __out PHANDLE SectionHandle, __in ACCESS_MASK DesiredAccess, __in_opt POBJECT_ATTRIBUTES ObjectAttributes, __in_opt PLARGE_INTEGER MaximumSize, __in ULONG SectionPageProtection, __in ULONG AllocationAttributes, __in_opt HANDLE FileHandle ); */ NTSTATUS FakeZwCreateSection( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PLARGE_INTEGER MaximumSize, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle ) { UNICODE_STRING KernelName; UNICODE_STRING UrlmonName; UNICODE_STRING RKernelName; UNICODE_STRING RUrlmonName; RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll"); RtlInitUnicodeString(&KernelName, L"\\??\\C:\\windows\\system32\\lld.23lenrek"); RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL"); RtlInitUnicodeString(&UrlmonName, L"\\??\\C:\\windows\\system32\\LLD.NOMLRU"); if (ObjectAttributes) { if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)){ DbgPrint("ZWCREATESECTION redirect acionado - KERNEL32\n"); // ObjectAttributes->ObjectName = &RKernelName; return(((ZWCREATESECTION)(OrigZwCreateSection)) ( SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle)); } else if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&UrlmonName, TRUE)){ DbgPrint("ZWCREATESECTION redirect acionado - URLMON\n"); // ObjectAttributes->ObjectName = &RUrlmonName; return(((ZWCREATESECTION)(OrigZwCreateSection)) ( SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle)); } else return(((ZWCREATESECTION)(OrigZwCreateSection)) ( SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle)); } else return(((ZWCREATESECTION)(OrigZwCreateSection)) ( SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle)); } /* NTSTATUS FakeZwOpenFile( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions ) { UNICODE_STRING KernelName; UNICODE_STRING UrlmonName; UNICODE_STRING RKernelName; UNICODE_STRING RUrlmonName; RtlInitUnicodeString(&KernelName, L"\\??\\C:\\windows\\system32\\lld.23lenrek"); RtlInitUnicodeString(&UrlmonName, L"\\??\\C:\\windows\\system32\\LLD.NOMLRU"); RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll"); RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL"); if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)){ DbgPrint("ZWOPENFILE redirect acionado - KERNEL32\n"); ObjectAttributes->ObjectName = &RKernelName; return(((ZWOPENFILE)(OrigZwOpenFile)) ( FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions)); } else if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&UrlmonName, TRUE)){ DbgPrint("ZWOPENFILE redirect acionado - URLMON\n"); ObjectAttributes->ObjectName = &RUrlmonName; return(((ZWOPENFILE)(OrigZwOpenFile)) ( FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions)); } else return(((ZWOPENFILE)(OrigZwOpenFile)) ( FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions)); } */ void Hooking(void) { _asm{cli} OrigZwCreateSection = (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)); (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = FakeZwCreateSection; _asm{sti} } void Unhooking() { _asm{cli} (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = OrigZwCreateSection; _asm{sti} } void Unload_driver(IN PDRIVER_OBJECT DriverObject) { DbgPrint("And now, unhooking API :] \n"); Unhooking(); } NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath) { driverObject->DriverUnload = Unload_driver; DbgPrint("Hooking API!\n"); Hooking(); return(STATUS_SUCCESS); } /* BUILD: Compile and Link for x86 BUILD: Loading c:\winddk\7600.16385.1\build.dat... BUILD: Computing Include file dependencies: BUILD: Start time: Sun Jan 08 17:22:49 2012 BUILD: Examining c:\zwcfhook(api) directory for files to compile. c:\zwcfhook(api) Invalidating OACR warning log for 'root:x86chk' BUILD: Saving c:\winddk\7600.16385.1\build.dat... BUILD: Compiling and Linking c:\zwcfhook(api) directory Configuring OACR for 'root:x86chk' - <OACR on> 1>errors in directory c:\zwcfhook(api) 1>c:\winddk\7600.16385.1\bin\makefile.new(449) : error U1023: syntax error in ex pression 1>nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKE DIR_RELATIVE_TO_BASEDIR= failed - rc = 2 BUILD: Finish time: Sun Jan 08 17:22:53 2012 BUILD: Done 0 files compiled - 2 Errors */http://pastebin.com/LJ7gQajZ
o erro que esta no source já foi resolvido, agora o erro esta na linha 125, a estrutura (125) mostra os parametros opcionais.
ficaria muito feliz se alguém me ajudasse, obrigado.
Link para o comentário
Compartilhar em outros sites
0 respostass a esta questão
Posts Recomendados
Participe da discussão
Você pode postar agora e se registrar depois. Se você já tem uma conta, acesse agora para postar com sua conta.