当前位置：网站首页>Win64 driver kernel programming -31 Enumerating and deleting image callbacks

Win64 driver kernel programming -31 Enumerating and deleting image callbacks

2022-07-21 14:38:00 【51CTO】

Enumerate and delete image callback

Image callback can intercept RING3 and RING0 Image loading for . Some game protection will use this to block driver loading in the blacklist , such as XUETR、WIN64AST The driver . Empathy , In the process of anti game protection , You can also block the loading of game drivers .

Follow the process / Thread callback is similar , The image callback is also stored in the array . This array of “ Symbol name ” yes PspLoadImageNotifyRoutine. We can do it in PsSetLoadImageNotifyRoutine Found it in ：

Win64 Driver kernel programming -31. Enumerate and delete image callback _ Array

The code for the implementation is as follows ：

       
       ULONG64 
       
       FindPspLoadImageNotifyRoutine()
       
{
       
       ULONG64  
       
       i
       
       =
       
       0,
       
       pCheckArea
       
       =
       
       0;
       
       UNICODE_STRING  
       
       unstrFunc;
       
       RtlInitUnicodeString(
       
       &
       
       unstrFunc, 
       
       L
       
       "PsSetLoadImageNotifyRoutine");
       
       pCheckArea 
       
       = (
       
       ULONG64)
       
       MmGetSystemRoutineAddress (
       
       &
       
       unstrFunc);
       
       DbgPrint(
       
       "PsSetLoadImageNotifyRoutine: %llx",
       
       pCheckArea);
       
       for(
       
       i
       
       =
       
       pCheckArea;
       
       i
       
       <
       
       pCheckArea
       
       +
       
       0xff;
       
       i
       
       ++)
       
{
       
       if(
       
       *(
       
       PUCHAR)
       
       i
       
       ==
       
       0x48 
       
       && 
       
       *(
       
       PUCHAR)(
       
       i
       
       +
       
       1)
       
       ==
       
       0x8d 
       
       && 
       
       *(
       
       PUCHAR)(
       
       i
       
       +
       
       2)
       
       ==
       
       0x0d)  
       
       //lea rcx,xxxx
       
{
       
       LONG 
       
       OffsetAddr
       
       =
       
       0;
       
       memcpy(
       
       &
       
       OffsetAddr,(
       
       PUCHAR)(
       
       i
       
       +
       
       3),
       
       4);
       
       return 
       
       OffsetAddr
       
       +
       
       7
       
       +
       
       i;
       
}
       
}
       
       return 
       
       0;
       
}
       
       void 
       
       EnumLoadImageNotify()
       
{
       
       int 
       
       i
       
       =
       
       0;
       
       BOOLEAN 
       
       b;
       
       ULONG64  
       
       NotifyAddr
       
       =
       
       0,
       
       MagicPtr
       
       =
       
       0;
       
       ULONG64  
       
       PspLoadImageNotifyRoutine
       
       =
       
       FindPspLoadImageNotifyRoutine();
       
       DbgPrint(
       
       "PspLoadImageNotifyRoutine: %llx",
       
       PspLoadImageNotifyRoutine);
       
       if(
       
       !
       
       PspLoadImageNotifyRoutine)
       
       return;
       
       for(
       
       i
       
       =
       
       0;
       
       i
       
       <
       
       8;
       
       i
       
       ++)
       
{
       
       MagicPtr
       
       =
       
       PspLoadImageNotifyRoutine
       
       +
       
       i
       
       *
       
       8;
       
       NotifyAddr
       
       =*(
       
       PULONG64)(
       
       MagicPtr);
       
       if(
       
       MmIsAddressValid((
       
       PVOID)
       
       NotifyAddr) 
       
       && 
       
       NotifyAddr
       
       !=
       
       0)
       
{
       
       NotifyAddr
       
       =*(
       
       PULONG64)(
       
       NotifyAddr 
       
       & 
       
       0xfffffffffffffff8);
       
       DbgPrint(
       
       "[LoadImage]%llx",
       
       NotifyAddr);
       
}
       
}
       
}
      
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.

The results are as follows ：

Win64 Driver kernel programming -31. Enumerate and delete image callback _ Array _02

Use these three callbacks （CreateProcess、CreateThread、LoadImage） Monitoring is not very reliable , Because there is a switch in the system , be called PspNotifyEnableMask, If its value is set to 0, Then all related operations will not go through callback . let me put it another way , If PspNotifyEnableMask be equal to 0, Then all the processes 、 Threads 、 Image callbacks will fail . However, this variable does not appear directly in the exported function , So it's a little difficult to find it .

Song Bijian ,13

原网站

版权声明
本文为[51CTO]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/202/202207201959533881.html

当前位置：网站首页>Win64 driver kernel programming -31 Enumerating and deleting image callbacks

Win64 driver kernel programming -31 Enumerating and deleting image callbacks

Enumerate and delete image callback

边栏推荐

猜你喜欢

随机推荐