Logo

菜单

根据特征码搜索函数

selph
selph
发布于 2021-05-16 / 610 阅读
0
0

根据特征码搜索函数

分段特征码搜索

以搜索MiProcessLoaderEntry函数地址为例,搜索到两段该函数的特征码,然后记下它们之间的间隔

遍历这个函数所在的地址,暴力遍历即可。

typedef VOID(*FunMiProcessLoaderEntry)(ULONG ulEntry, LOGICAL lflag);

NTSTATUS GetMiProcessLoaderEntryAddr(ULONG ulStartAddress,ULONG ulEndAddress,ULONG * retFunAddr) {
    // 特征码
    CHAR szCodeFlag1[] = { 0xB1,0x1B,0x88,0x45,0x0b };
	CHAR szCodeFiag2[] = { 0x8B,0xCE,0xF0,0x0F,0xBA,0x29,0x1F };
	// 遍历
    for (size_t i = ulStartAddress; i < ulEndAddress; i++) {
		if (memcmp(i, szCodeFlag1, 5) == 0) {
			if (memcmp(i + 0x23, szCodeFiag2, 7) == 0) {
				*retFunAddr = i;
				return STATUS_SUCCESS;
			}
		}
	}
	return -1;
}

长特征码搜索

以搜索PspTerminateThreadByPointer函数地址为例,从该函数开头找到足够长的一段特征码,然后去范围内遍历即可。

获取特征码:

1: kd> U PspTerminateThreadByPointer
nt!PspTerminateThreadByPointer:
840a4fe7 8bff            mov     edi,edi
840a4fe9 55              push    ebp
840a4fea 8bec            mov     ebp,esp
840a4fec 83e4f8          and     esp,0FFFFFFF8h
840a4fef 51              push    ecx
840a4ff0 53              push    ebx
840a4ff1 56              push    esi
840a4ff2 8b7508          mov     esi,dword ptr [ebp+8]
1: kd> dd PspTerminateThreadByPointer L8
840a4fe7  8b55ff8b f8e483ec 8b565351 8d570875
840a4ff7  000280be 4007f600 868d2874 00000150

遍历寻找函数地址:

typedef NTSTATUS(*FunPspTerminateThreadByPointer)(PETHREAD pEThread,NTSTATUS ExitStatus,BOOLEAN DirectTerminate);

NTSTATUS GetPspTerminateThreadByPointerAddr(ULONG ulStartAddress, ULONG ulEndAddress, ULONG* retFunAddr) {
	// 8b55ff8b f8e483ec 8b565351 8d570875
	// 000280be 4007f600 868d2874 00000150
	ULONG ulCodeFlag0 = 0x8b55ff8b;
	ULONG ulCodeFlag1 = 0xf8e483ec;
	ULONG ulCodeFlag2 = 0x8b565351;
	ULONG ulCodeFlag3 = 0x8d570875;
	ULONG ulCodeFlag4 = 0x000280be;
	ULONG ulCodeFlag5 = 0x4007f600;
	ULONG ulCodeFlag6 = 0x868d2874;
	ULONG ulCodeFlag7 = 0x00000150;
	for (size_t i = ulStartAddress; i < ulEndAddress; i++)
	{
		if ((*(ULONG*)i == ulCodeFlag0) &&
			(*(ULONG*)(i + 4 * 1) == ulCodeFlag1) &&
			(*(ULONG*)(i + 4 * 2) == ulCodeFlag2) &&
			(*(ULONG*)(i + 4 * 3) == ulCodeFlag3) &&
			(*(ULONG*)(i + 4 * 4) == ulCodeFlag4) &&
			(*(ULONG*)(i + 4 * 5) == ulCodeFlag5) &&
			(*(ULONG*)(i + 4 * 6) == ulCodeFlag6) &&
			(*(ULONG*)(i + 4 * 7) == ulCodeFlag7)) {
			*retFunAddr = (PVOID*)i;
			return STATUS_SUCCESS;
		}
	}
	return -1;
}
探究security_cookie...
CrackMe[简单]-练习用CM-1

评论