8_InlineHook

1. Shellcode placement warning: the low 2 GB is unsafe; use the high 2 GB, which is stable:

In-kernel hook:

Because the low 2 GB of every process is different (it is per-process user space), the code for a kernel hook must be placed in the high 2 GB, which is the same in every process.

Method 1 (allocate memory):

For example, as before, call ExAllocatePool(0, size) (pool type 0 = NonPagedPool) to allocate non-paged memory, then copy the shellcode into it.

Method 2 (stealing memory):

Note: when stealing memory, check the page attributes first: whether the page is readable, writable and executable.

Put the shellcode somewhere the kernel does not use; for example, the empty (unused) entries in the GDT, the table GDTR points to.


Initially none of the entries shown in the screenshot (omitted) are in use, so they can be occupied.

Naked function note:

A naked function has no automatic prologue or epilogue (no push ebp / mov ebp, esp, no stack-frame setup), so using local variables is forbidden; of course, if you manage the stack yourself you can use local variables just fine.

Hook KiFastCallEntry

Key conclusions (be careful here):

Target address:

If target address > current address, the jmp offset is target - current - 5.

The case target address < current address is the same (the result is simply negative); the base address for the jmp offset is the end of the current instruction.

jmp reg and call reg need no offset calculation at all; they just jump to whatever the register holds.

push 0xAddr; ret also needs no offset calculation, but it takes 6 bytes, whereas the 5-byte relative jmp requires computing the offset.

Calculating the offset is the most important part.

Note the steps:

  1. Calculate the offset to the target code (or use a register directly).

  2. Change the opcode at the current position to the jump instruction: char [] = {0xe9, 0x….. 0x..}

  3. After the target code has run, it is best to hand control back to the original execution flow; so calculate the offset (or use a register) and jump back.
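The offset arithmetic from the steps above, as an added example that is not part of the original notes: the rel32 is measured from the end of the 5-byte E9 instruction (hence the -5), a backward jump needs no special case, and push/ret trades the offset calculation for one extra byte. The addresses in main are constructed sample values, not real ones.

```c
#include <stdint.h>
#include <stdio.h>
#define JMP_REL32_LEN 5   /* E9 rel32 */
#define PUSH_RET_LEN  6   /* 68 imm32 C3 */

/* rel32 for a jmp at `cur` landing on `target`, measured from the END of the
 * 5-byte instruction. For target < cur the subtraction simply wraps negative. */
static int32_t jmp_rel32(uint32_t cur, uint32_t target)
{
    return (int32_t)(target - cur - JMP_REL32_LEN);
}

/* Emit E9 + little-endian rel32 into out[5]. */
static void encode_jmp_rel32(uint32_t cur, uint32_t target, uint8_t out[JMP_REL32_LEN])
{
    uint32_t rel = (uint32_t)jmp_rel32(cur, target);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Emit "push imm32; ret": no offset maths, but one byte longer (6). */
static void encode_push_ret(uint32_t target, uint8_t out[PUSH_RET_LEN])
{
    out[0] = 0x68;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(target >> (8 * i));
    out[5] = 0xC3;
}

/* Inverse: where does an E9 at `cur` with bytes b land? Useful for checking an encoding. */
static uint32_t decode_jmp_rel32(uint32_t cur, const uint8_t b[JMP_REL32_LEN])
{
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)b[1 + i] << (8 * i);
    return cur + JMP_REL32_LEN + rel;
}

int main(void)
{
    /* Constructed sample addresses (hook point in the kernel image, handler in pool); not from any real system. */
    uint32_t hook_at = 0x8053D6F0u, handler = 0xF9A2B000u, handler_end = 0xF9A2B020u;
    uint8_t go[JMP_REL32_LEN], back[JMP_REL32_LEN];
    encode_jmp_rel32(hook_at, handler, go);            /* step 2: forward jump to handler */
    encode_jmp_rel32(handler_end, hook_at + 5, back);  /* step 3: jump back past the 5 patched bytes */
    printf("in: %08X out: %08X\n", decode_jmp_rel32(hook_at, go), decode_jmp_rel32(handler_end, back));
    return 0;
}
```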

F7 single-step debugging triggers the first handler in the IDT (vector 1).

Use PCHunter to look up the address of IDT vector 1, then debug and inspect it in IDA.

The hook, roughly as follows:

Program 1: hook the GDT memory address to the target function (screenshot omitted).

Program 2: the hook logic code (screenshot omitted).
