上次说到PUBG,抹除权限的线程结束就好了。 上次链接
抽空仔细分析了一下。
代码:

/*
 * EnumHandele: starting from csrss.exe's handle table, walks the kernel's
 * linked list of handle tables, picks out the table owned by a hard-coded
 * PID, and rewrites the GrantedAccess mask of every entry whose object
 * header carries OB_TYPE_INDEX_JOB (constant defined elsewhere in the
 * project). The log line quoted after the function shows the hit on a
 * TslGame.exe object, so this is how the handle's access bits are put back
 * from kernel mode once the game/anti-cheat has stripped them.
 *
 * Everything here rests on undocumented, build-specific layouts (the 0x200,
 * 0x20, 0x10, 0x18 and 0x30 offsets) and on raw pointer arithmetic with no
 * locking and no version check, so on any other kernel build it reads and
 * writes the wrong memory. Writing GrantedAccess directly bypasses the
 * access check that produced the mask; a handle-table integrity monitor that
 * compares the stored mask with the one granted at handle creation would
 * flag exactly this write. The misspelling "Handele" is the function's
 * real name and is kept as is.
 */
void EnumHandele()
{
LIST_ENTRY le;                       // unused
PEPROCESS pep = NULL;
ULONG csrss = GetProcessId("csrss.exe");   // helper not shown; presumably returns the PID, or 0 when not found
//ULONG pid = GetProcessId("CE.exe");
ULONG pid = 2588;                    // hard-coded target PID: valid only for one boot of one machine

// PsLookupProcessByProcessId takes a HANDLE (a ULONG is passed and widened)
// and takes a reference on the EPROCESS; nothing in this function releases
// it (no ObDereferenceObject), so every call leaks one reference.
NTSTATUS status = PsLookupProcessByProcessId(csrss, &pep);
if (NT_SUCCESS(status))
{
KdPrint(("start\n"));
// Reads the handle-table pointer at hard-coded EPROCESS offset 0x200 and
// copies the whole HANDLE_TABLE by value. The offset is specific to the
// kernel build this was written against, which the page does not name.
HANDLE_TABLE ht = *(PHANDLE_TABLE)*(PULONG64)((PUCHAR)pep + 0x200);
PLIST_ENTRY HandleTableList = ht.HandleTableList;
PLIST_ENTRY ListEntry = NULL;

// Walks the global list of handle tables with no lock held; tables can be
// created or torn down on another CPU while this loop runs.
for (ListEntry = HandleTableList->Flink; ListEntry != HandleTableList; ListEntry = ListEntry->Flink)
{
// MmIsAddressValid only reports whether the page is currently resident;
// it is not a safety check, and the answer can change before the access.
if (MmIsAddressValid((PUCHAR)ListEntry - 0x20) == FALSE)
{
continue;
}
// CONTAINING_RECORD by hand, with the list-entry field offset hard-coded as 0x20.
PHANDLE_TABLE HandleTab = (PHANDLE_TABLE)((PUCHAR)ListEntry - 0x20);
char *szName = PsGetProcessImageFileName(HandleTab->QuotaProcess);
//KdPrint(("%p %s cont[%d]\n", HandleTab, szName, HandleTab->HandleCount));
// Only the target PID's table is touched, and only when it holds fewer than
// 255 handles. The loop below treats TableCode as a flat array of 0x10-byte
// entries, which is presumably why larger tables are skipped — TODO confirm
// the table layout this was written against.
if (HandleTab->UniqueProcessId == pid && HandleTab->HandleCount < 0xFF)
{
KdPrint(("%p %s cont[%d]\n", HandleTab, szName, HandleTab->HandleCount));
for (size_t i = 0; i < HandleTab->HandleCount; i++)
{
PHANDLE_TABLE_ENTRY HTE = (PHANDLE_TABLE_ENTRY)(HandleTab->TableCode + i * 0x10);

// Clears the low three bits of the encoded Object field; what remains is
// assumed to be the address of the object header — TODO confirm.
ULONG64 Object = HTE->Object;
Object = Object >> 3;
Object = Object << 3;

// Called before the header is validated and regardless of object type:
// an integer is converted to a PEPROCESS, and for a non-process object
// this reads whatever sits at the image-name offset of some other
// structure. Object + 0x30 is presumably the object body after the header.
char *filename = PsGetProcessImageFileName(Object + 0x30);
Object += 0x18;                  // assumed offset of TypeIndex within the object header


if (MmIsAddressValid(Object))    // ULONG64 passed where a PVOID is expected
{
BYTE TypeIndex = *(BYTE *)(Object);
//KdPrint(("object[%p][%x][%x]\n", HTE, HTE->GrantedAccess, TypeIndex));
if (TypeIndex == OB_TYPE_INDEX_JOB)
{
KdPrint(("object[%p][%x][%x][%s]\n", HTE, HTE->GrantedAccess, TypeIndex, filename));

// Direct overwrite of the entry's access mask with 0x1f1fff: the object
// manager is not involved, so the check that originally limited the
// handle (the 0x1f1bc5 seen in the log) is bypassed. This is the write
// that kernel-side handle-table integrity checks are meant to catch.
HTE->GrantedAccess = 0x1f1fff;
}
}


}


}

}
}

}

这样 会得到我们对应的GrantedAccess在内核的地址。
object[FFFFF8A007762A30][1f1bc5][7][TslGame.exe]
ida+gdb可直接调试BE 对地址下访问断点。


MEMORY:FFFFF88006212371 mov [rbx+8], eax //nop 完事 写入
MEMORY:FFFFF88006212374 setbe bl
MEMORY:FFFFF88006212377
MEMORY:FFFFF88006212377 loc_FFFFF88006212377: ; CODE XREF: MEMORY:loc_FFFFF88006212363j
MEMORY:FFFFF88006212377 xor al, al
MEMORY:FFFFF88006212379 cmp r14b, 0E0h ; '
MEMORY:FFFFF8800621237D movsx edi, r12w
MEMORY:FFFFF88006212381 mov rbx, [rsp+30h]
MEMORY:FFFFF88006212386 add rsp, 20h
MEMORY:FFFFF8800621238A movsxd rdi, r15d
MEMORY:FFFFF8800621238D setns dil
MEMORY:FFFFF88006212391 pop rdi
MEMORY:FFFFF88006212392 retn


MEMORY:FFFFF880062122D3 jnz loc_FFFFF88006212302
MEMORY:FFFFF880062122D9 mov eax, [rbx+8] //读取
MEMORY:FFFFF880062122DC cmp r11d, ebx
MEMORY:FFFFF880062122DF test dl, r10b
MEMORY:FFFFF880062122E2 test ecx, offset unk_7E5F0EAD
MEMORY:FFFFF880062122E8 test eax, 43Ah
MEMORY:FFFFF880062122ED jmp $+5
MEMORY:FFFFF880062122F2 ; ---------------------------------------------------------------------------
MEMORY:FFFFF880062122F2
MEMORY:FFFFF880062122F2 loc_FFFFF880062122F2: ; CODE XREF: MEMORY:FFFFF880062122EDj
MEMORY:FFFFF880062122F2 jz loc_FFFFF88006212377
MEMORY:FFFFF880062122F8 and eax, offset unk_FFFFFBC5
MEMORY:FFFFF880062122FD jmp loc_FFFFF88006212371

懒,简单粗暴 nop。

代码:

/*
 * PassBeThread: system-thread body that polls, once per MySleep(3000)
 * tick, for the anti-cheat driver BEDaisy.sys and, once it is loaded,
 * overwrites two instructions inside it with NOPs: the read at image
 * offset 0x1E12D9 and the write at 0x1E1371 (the `mov eax,[rbx+8]` /
 * `mov [rbx+8],eax` pair in the disassembly above; the listing's addresses
 * show both instructions are 3 bytes long, which is why 3 NOPs are written).
 *
 * The offsets are valid only for the exact driver build they were taken
 * from. The single-byte check (0x8B / 0x89) confirms just the first opcode
 * byte, not the rest of the instruction or the build, so a different build
 * with a matching byte at either offset is silently corrupted. The code is
 * rewritten in place with write protection lifted and with no provision
 * for another CPU executing those bytes at the same time; in-place
 * modification of a loaded driver's code is exactly what code-integrity
 * and driver self-check mechanisms exist to detect.
 *
 * StopThread, isinstall, MySleep, GetKernelModuleHandle, Dedbg, WPOFFx64
 * and WPONx64 are all defined elsewhere in the project and are not visible
 * here; comments about them are inferred from their names and types.
 */
VOID PassBeThread(IN PVOID Nothing)      // Nothing: thread start context, unused
{
while (!StopThread)                      // global stop flag; no atomic/volatile qualifier visible — TODO confirm
{
MySleep(3000);                           // unit presumably milliseconds — TODO confirm
if (!isinstall)                          // global gate flag set elsewhere; nothing is patched until it is set
{
continue;
}
ULONG besize = NULL;                     // NULL (a pointer constant) used to initialise an integer; 0 is meant
ULONGLONG bebase = (ULONGLONG)GetKernelModuleHandle(&besize, (PUCHAR)"BEDaisy.sys");   // presumably returns the module base, size via besize
if (bebase)
{
// Hard-coded image offsets of the two target instructions (see header).
ULONGLONG writebe = bebase + 0x1E1371;
ULONGLONG readbe = bebase + 0x1E12D9;
// MmIsAddressValid only reports current residency; it is not a guarantee
// the bytes belong to the expected instruction.
if (MmIsAddressValid((PVOID)readbe) && MmIsAddressValid((PVOID)writebe))
{
BYTE isread = *(BYTE *)readbe;           // first opcode byte only
BYTE iswrite = *(BYTE *)writebe;
// Once patched the byte is 0x90, so each site is written at most once.
if (isread == 0x8B)
{
Dedbg(("find be read\n"));
KIRQL irq = WPOFFx64();                  // by its name, lifts write protection; returns a KIRQL to restore
BYTE data[] = { 0x90, 0x90, 0x90 };      // three 1-byte NOPs covering one 3-byte instruction
memcpy((PVOID)readbe, data, 3);          // non-atomic write into executable code
WPONx64(irq);
}
if (iswrite == 0x89)
{
Dedbg(("find be write\n"));
KIRQL irq = WPOFFx64();
BYTE data[] = { 0x90, 0x90, 0x90 };
memcpy((PVOID)writebe, data, 3);
WPONx64(irq);
}
}
}

}

// Reached only after StopThread is set; the thread never returns normally.
PsTerminateSystemThread(STATUS_SUCCESS);
}

本想去hook读取的地方 想想算了。

至此即可做任何操作。


2018-01-10
