
Why keep it hidden: VB6 calling Ring0 functions directly from Ring3, defeating every R3 API hook (solution approach)

2012-05-27 

Every hobbyist likes playing with those Nt***/Rtl*** functions in ntdll, but those can be hooked too, and most hooks are placed exactly there. This time I'll show you a new trick: call straight from Ring3 into Ring0, so that any R3 hook on the "final entry point" of those ntdll R3 functions cannot catch our call, unless the function is hooked in R0. (Of course, from the principle below I expect some people can also work out how to build a universal hook.)
My skills are poor and the code inevitably goes around in circles; nothing below is new either, it's just a bit of bragging rights for VB6... Experts, please don't laugh at me...

Add a Form1, one Text1 and one Command1.

VB code
Private Declare Function TabbedTextOut& Lib "user32" Alias "TabbedTextOutA" (ByVal DC As Long, ByVal X As Long, ByVal Y As Long, ByVal Text As String, ByVal Size As Long, Optional ByVal TabPositions As Long, Optional TabStopPositions As Long, Optional ByVal Origin As Long)
Private Declare Function RtlAdjustPrivilege& Lib "ntdll" (ByVal Privileges As Long, Optional ByVal NewValue As Long = 1, Optional ByVal Thread As Long, Optional Value As Long)
Private Declare Function CallWindowProc& Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long)
Private Declare Function GetModuleHandleA& Lib "kernel32" (ByVal n$)
Private Declare Function GetProcAddress& Lib "kernel32" (ByVal m&, ByVal n$)
Private Declare Function CloseHandle& Lib "kernel32" (ByVal h&)
Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Dst&, ByVal Src&, ByVal Size&)
Private Declare Sub GetMem4 Lib "msvbvm60" (ByVal Ptr As Long, ByVal RetVal As Long)

Private KiFastSystemCall&   'address of ntdll!KiFastSystemCall, resolved in Form_Load

Private Sub Command1_Click()
    Dim handle&
    'Text1 holds the target PID; 2035711 = &H1F0FFF = PROCESS_ALL_ACCESS
    handle = OpenProcess(Text1.Text, 2035711)
    TerminateProcess handle, 0
    CloseHandle handle
    MsgBox "Handle:" & handle & ",Have tried killed."
End Sub

Private Sub Form_Load()
    RtlAdjustPrivilege 20   'privilege 20 = SeDebugPrivilege
    KiFastSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiFastSystemCall")
End Sub

'Read the system service index out of an exported stub: the stub starts with
'"mov eax, imm32" (B8 xx xx xx xx), so the index is the 4 bytes after the opcode.
Private Function ReadFunctionIndex&(ByVal Name$, Optional ByVal DllFile$ = "ntdll.dll")
    Dim pEntry&, dwIndex&
    pEntry = GetProcAddress(GetModuleHandleA(DllFile), Name)
    GetMem4 pEntry + 1, VarPtr(dwIndex)
    ReadFunctionIndex = dwIndex
End Function

'ZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId) issued
'through KiFastSystemCall from a hand-built stub (arguments pushed right to left,
'then a dummy return-address slot, since the kernel reads arguments at esp+8).
Private Function OpenProcess&(ByVal dwPID&, ByVal dwAccess&)
    Dim hProcess&, ret&
    Dim objAttr&(5), cid&(1)   'zeroed OBJECT_ATTRIBUTES and CLIENT_ID {UniqueProcess, UniqueThread}
    cid(0) = dwPID
    Dim dwIndex&
    dwIndex = ReadFunctionIndex("ZwOpenProcess")
    Dim ASMCode(42) As Byte
    ASMCode(0) = &H68 'push CLIENT_ID struct
    RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(VarPtr(cid(0))), 4
    ASMCode(5) = &H68 'push OBJ_ATTR struct
    RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(VarPtr(objAttr(0))), 4
    ASMCode(10) = &H68 'push dwAccess
    RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(dwAccess), 4
    ASMCode(15) = &H68 'push hProcess
    RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(VarPtr(hProcess)), 4
    ASMCode(20) = &H68 'push Return Address
    RtlMoveMemory VarPtr(ASMCode(21)), VarPtr(VarPtr(ret)), 4
    ASMCode(25) = &HBA 'mov edx,KiFastSystemCall Address
    RtlMoveMemory VarPtr(ASMCode(26)), VarPtr(KiFastSystemCall), 4
    ASMCode(30) = &HB8 'mov eax,Kernel Function Index
    RtlMoveMemory VarPtr(ASMCode(31)), VarPtr(dwIndex), 4
    ASMCode(35) = &HFF 'call edx
    ASMCode(36) = &HD2
    ASMCode(37) = &H59 'pop ecx (dummy return address)
    ASMCode(38) = &H59 'pop ecx (4 arguments follow)
    ASMCode(39) = &H59 'pop
    ASMCode(40) = &H59 'pop
    ASMCode(41) = &H59 'pop
    ASMCode(42) = &HC3 'ret
    CallWindowProc VarPtr(ASMCode(0)), 0, 0, 0, 0
    OpenProcess = hProcess
End Function

'ZwTerminateProcess(ProcessHandle, ExitStatus), same stub layout with two arguments
Private Function TerminateProcess&(ByVal hProcess&, ByVal ExitStatus&)
    Dim ret&
    Dim dwIndex&
    dwIndex = ReadFunctionIndex("ZwTerminateProcess")
    Dim ASMCode(30) As Byte
    ASMCode(0) = &H68 'push ExitStatus
    RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(ExitStatus), 4
    ASMCode(5) = &H68 'push hProcess
    RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(hProcess), 4
    ASMCode(10) = &H68 'push Return Address
    RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(VarPtr(ret)), 4
    ASMCode(15) = &HBA 'mov edx,KiFastSystemCall Address
    RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(KiFastSystemCall), 4
    ASMCode(20) = &HB8 'mov eax,Kernel Function Index
    RtlMoveMemory VarPtr(ASMCode(21)), VarPtr(dwIndex), 4
    ASMCode(25) = &HFF 'call edx
    ASMCode(26) = &HD2
    ASMCode(27) = &H59 'pop ecx (dummy return address)
    ASMCode(28) = &H59 'pop
    ASMCode(29) = &H59 'pop
    ASMCode(30) = &HC3 'ret
    TerminateProcess = CallWindowProc(VarPtr(ASMCode(0)), 0, 0, 0, 0)   'NTSTATUS comes back in eax
End Function

'The same trick against a win32k service: the index is read from user32!GetDC
Private Function GetDC&(ByVal hWnd&)
    Dim ret&
    Dim dwIndex&
    dwIndex = ReadFunctionIndex("GetDC", "user32.dll")
    Dim ASMCode(24) As Byte
    ASMCode(0) = &H68 'push hWnd
    RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(hWnd), 4
    ASMCode(5) = &H68 'push Return Address
    RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(VarPtr(ret)), 4
    ASMCode(10) = &HBA 'mov edx,KiFastSystemCall Address
    RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(KiFastSystemCall), 4
    ASMCode(15) = &HB8 'mov eax,Kernel Function Index
    RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(dwIndex), 4
    ASMCode(20) = &HFF 'call edx
    ASMCode(21) = &HD2
    ASMCode(22) = &H59 'pop ecx (dummy return address)
    ASMCode(23) = &H59 'pop
    ASMCode(24) = &HC3 'ret
    GetDC = CallWindowProc(VarPtr(ASMCode(0)), 0, 0, 0, 0)   'HDC comes back in eax
End Function

Private Sub Form_Paint()
    Form_Resize
End Sub

Private Sub Form_Resize()
    'Draws "123" with a DC obtained through the direct call (the DC is never released here)
    TabbedTextOut GetDC(Me.hWnd), 0, 0, "123", -1
End Sub
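From the defender's side, the interesting property of the post is that the stub it assembles has a fixed, recognisable shape: a run of push imm32, then mov edx/mov eax with immediates, call edx, a matching run of pop ecx and ret. The scanner below is an added example, not code from the original post or its author: it decodes that shape in a byte buffer and reports the service index loaded into eax, the dispatch address loaded into edx and the pushed arguments, which is the kind of check a memory-scanning or sandbox component could run over executable heap or stack regions. The sample buffer, the dispatch address and the service index in it are constructed test values, not real ones.

```python
# Added example (not the original post's code): recognise the hand-assembled
# syscall stub shape described above in an arbitrary byte buffer:
#     push imm32 * n ; mov edx, imm32 ; mov eax, imm32 ; call edx ; pop ecx * n ; ret
import struct

PUSH_IMM32 = 0x68
MOV_EDX_IMM32 = 0xBA
MOV_EAX_IMM32 = 0xB8
CALL_EDX = b"\xFF\xD2"
POP_ECX = 0x59
RET = 0xC3


def parse_stub(buf: bytes, off: int):
    """Decode a stub starting at buf[off]; return a hit dict, or None if the shape does not match."""
    i, pushes = off, []
    while i + 5 <= len(buf) and buf[i] == PUSH_IMM32:
        pushes.append(struct.unpack_from("<I", buf, i + 1)[0])
        i += 5
    if not pushes or i + 10 > len(buf):
        return None
    if buf[i] != MOV_EDX_IMM32 or buf[i + 5] != MOV_EAX_IMM32:
        return None
    edx = struct.unpack_from("<I", buf, i + 1)[0]
    eax = struct.unpack_from("<I", buf, i + 6)[0]
    i += 10
    if buf[i:i + 2] != CALL_EDX:
        return None
    i += 2
    pops = 0
    while i < len(buf) and buf[i] == POP_ECX:
        pops += 1
        i += 1
    if i >= len(buf) or buf[i] != RET:
        return None
    # The post's stubs push the real arguments plus one dummy return-address slot
    # and pop exactly that many slots before ret, so the stack must balance.
    if pops != len(pushes):
        return None
    return {
        "offset": off,
        "length": i + 1 - off,
        "service_index": eax,          # value the stub loads into eax
        "dispatch_address": edx,       # value the stub loads into edx and calls
        "argc": len(pushes) - 1,       # last push is the dummy return slot
        "args": list(reversed(pushes[:-1])),  # pushed right to left, so reverse back
    }


def scan(buf: bytes):
    """Return every stub hit in buf; skip past each hit so its tail is not re-reported."""
    hits, off = [], 0
    while off < len(buf):
        hit = parse_stub(buf, off)
        if hit:
            hits.append(hit)
            off += hit["length"]
        else:
            off += 1
    return hits


def build_sample_stub(args, dispatch, index):
    """Constructed test fixture: the same byte layout the VB6 code emits, for a stub with len(args) arguments."""
    code = bytearray()
    for v in reversed(args):
        code += bytes([PUSH_IMM32]) + struct.pack("<I", v)
    code += bytes([PUSH_IMM32]) + struct.pack("<I", 0xDEADBEEF)   # dummy return-address slot
    code += bytes([MOV_EDX_IMM32]) + struct.pack("<I", dispatch)
    code += bytes([MOV_EAX_IMM32]) + struct.pack("<I", index)
    code += CALL_EDX
    code += bytes([POP_ECX]) * (len(args) + 1)
    code += bytes([RET])
    return bytes(code)


def demo():
    # Constructed sample: a four-argument stub (the ZwOpenProcess shape above) surrounded
    # by noise, with a made-up dispatch address 0x7C90A000 and a made-up service index 0x7A.
    stub = build_sample_stub([0x00120000, 0x1F0FFF, 0x00130000, 0x00140000], 0x7C90A000, 0x7A)
    noise = b"\x90" * 16 + b"\x68\x01\x00\x00\x00\xC3"   # "push 1 ; ret" must not match
    return scan(noise + stub + b"\xCC" * 8)


if __name__ == "__main__":
    for h in demo():
        print(h)
```

The balance check (pops equal to pushes) is what keeps the matcher from firing on ordinary compiler output that happens to push a few immediates before a call; a scanner would typically also confirm that the dispatch address falls inside a loaded module's export table before raising an alert.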



[Reply]
OP is a real expert, I couldn't do this :(
[Reply]
mobaizhong^^^^^^^^^^
[Reply]
Run-time error, type mismatch...
[Reply]
Looks really impressive
[Reply]
Heh, the walking API dictionary shows up to demonstrate in person?

Bumping the thread!
[Reply]
Thanks for sharing.
[Reply]
Looks really impressive. A poor guy still working overtime stops by to bump the thread...
[Reply]
May I ask which operating system versions this works on?
[Reply]
He's just executing ntdll's code himself.


From Uncle Lenin
[Reply]
Seems really impressive
[Reply]
Not bad...
[Reply]
Bump and support!!
[Reply]
An expert, truly an expert
[Reply]
Great, great, great
[Reply]
Expert, I don't understand it; could you give an example of a practical application?
[Reply]
Bump and support!!
[Reply]
Great article, I'm impressed
[Reply]
Good stuff!!
[Reply]
Replying again to see how the URL changes
