稳定性挂钩失败 #1

july0426 · 2020-11-19T02:12:53Z

我尝试了一下稳定性挂钩的代码,执行一个新的线程,有些时候成功了,可以执行,但是好像并没有修改主进程的运行,还是像原来一样很快的就退出了,甚至没有执行新线程就退出了

monoxgas · 2020-11-19T02:48:36Z

Appoligies for any miscommunication, I don't speak chinese and resorted to google translate. I hope I understand.

Testing of any entry point hooks has been limited. However, I'd be happy to look into any specific examples if you could provide a PoC/more info. It might be some edge case I hadn't considered.

july0426 · 2020-11-19T06:43:26Z

https://github.com/july0426/tags_count_pngtree/raw/master/set.7z这是我测试的2个例子,都没有成功,我只是弹出一个提示框,有一个弹出了但是很快就退出,另外一个没有弹出

july0426 · 2020-11-19T06:43:48Z

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"

#include <Windows.h>
#include <intrin.h>
#include
#include <TlHelp32.h>
#include <psapi.h>
#include

DWORD WINAPI Thread(LPVOID lpParam) {
// Insert evil stuff
MessageBoxA(NULL, "jj", "kkk", MB_OK);

ExitProcess(0);
return 1;

}

void DoNothing() {
while (true) Sleep(1000000 * 1000000);
}

void InstallHook(PVOID address, PVOID jump) {
BYTE Jump[12] = { 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xe0 };

DWORD old;
VirtualProtect(address, sizeof(Jump), 0x40, &old);

RtlCopyMemory(address, Jump, 12);
RtlCopyMemory(((PBYTE)address + 2), &jump, 8);

VirtualProtect(address, sizeof(Jump), old, &old);

}

BOOL HookTheStack() {

// Get primary module info

PBYTE baseAddress = NULL;
DWORD baseSize = 0;

WCHAR fileName[MAX_PATH];
GetProcessImageFileName((HANDLE)-1, fileName, MAX_PATH);
std::wstring pathString = std::wstring(fileName);

HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());

MODULEENTRY32 pEntry;
pEntry.dwSize = sizeof(pEntry);
BOOL hRes = Module32Next(hSnapShot, &pEntry);
while (hRes)
{
	if (pathString.find(pEntry.szModule) != std::wstring::npos) {
		baseAddress = pEntry.modBaseAddr;
		baseSize = pEntry.modBaseSize;
		break;
	}
	hRes = Module32Next(hSnapShot, &pEntry);
}
CloseHandle(hSnapShot);

if (!baseAddress || !baseSize)
	return FALSE;

// Hunt the stack

PBYTE ldrLoadDll = (PBYTE)GetProcAddress(GetModuleHandle(L"ntdll"), "LdrLoadDll");
PBYTE * stack = (PBYTE *)_AddressOfReturnAddress();
BOOL foundLoadDll = FALSE;

ULONG_PTR lowLimit, highLimit;
GetCurrentThreadStackLimits(&lowLimit, &highLimit);

for (; (ULONG_PTR)stack < highLimit; stack++) {
	if (*stack < (PBYTE)0x1000)
		continue;

	if (*stack > ldrLoadDll && *stack < ldrLoadDll + 0x1000) {
		// LdrLoadDll is in the stack, let's start looking for our module
		foundLoadDll = TRUE;
	}

	if (foundLoadDll && *stack > baseAddress && *stack < (baseAddress + baseSize)) {
		MEMORY_BASIC_INFORMATION mInfo = { 0 };
		VirtualQuery(*stack, &mInfo, sizeof(mInfo));

		if (!(mInfo.Protect & PAGE_EXECUTE_READ))
			continue;

		// Primary module is in the stack, let's hook there
		InstallHook(*stack, DoNothing);

		return TRUE;
	}
}

// No references found, let's just hook the entry point

PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress;
PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(baseAddress + dosHeader->e_lfanew);
PBYTE entryPoint = baseAddress + ntHeader->OptionalHeader.AddressOfEntryPoint;

InstallHook(entryPoint, &DoNothing);

return TRUE;

}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{

if (ul_reason_for_call != DLL_PROCESS_ATTACH)
	return TRUE;

if (!HookTheStack())
	return TRUE;

DWORD dwThread;
HANDLE hThread = CreateThread(NULL, 0, Thread, NULL, 0, &dwThread);

return TRUE;

}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

稳定性挂钩失败 #1

稳定性挂钩失败 #1

july0426 commented Nov 19, 2020

monoxgas commented Nov 19, 2020

july0426 commented Nov 19, 2020

july0426 commented Nov 19, 2020

稳定性挂钩失败 #1

稳定性挂钩失败 #1

Comments

july0426 commented Nov 19, 2020

monoxgas commented Nov 19, 2020

july0426 commented Nov 19, 2020

july0426 commented Nov 19, 2020