According to MJ0011 chivalrous person's logic, examines CallStack upwardly from Rootkit Detector Hook. But inside CallStack is DWORDs, how judges where is the parameter, where is the return address?
My Goo two…Is the way which generally recalls with EBP.
Considers majority of __stdcall the form:
mov edi edi
push ebp
mov ebp esp
…
…
We may obtain the return address which from dword ptr [EBP] on inside call EBP, dword ptr [EBP+4] obtains needs to examine, then EBP = dword ptr [EBP], continues to look. Found up to the stack base address.
Each time obtains the return address, judges it whether in a legitimate module.
But, < the compilation bypasses Caba according to the gyzy chivalrous person the active defense a Shellcode> article enlightenment, we may know that the following one way, may cause such detection mode expiration.
1. in the legitimate system module (e.g ntoskrnl.exe), found one ' C3'(ret Opcode) the byte, its indicator was K.
2. use following way Hook function
HookedZwXxx (...)
{
//
// some parameter processing operation
//
jmp __pushrealretaddr
__trickstage:
push Arg[N]
push Arg[N-1]
…
push Arg[0]
push K
jmp ZwXxx; // transfers the primitive function
__pushrealretaddr:
call __trickstage
realretaddr:
//
// another some result reduction operation
//
}
Thus, in the ZwXxx deep place inspection transfer stack, dword ptr [EBP+4] is one is in the legitimate module address K.
I have written a following ring3 demonstration procedure.
Defines the following some functions:
int __stdcall Call_C (int a, int b)
{
check_callstack();
return a+b;
}
int __stdcall Call_B (int a, int b)
{
return Call_C(a, b);
}
int __stdcall Call_A (int a, int b)
{
return Call_B(a, b);
}
The transfer order is A->B->C, inside C carries out check_callstack() to examine whether to have the illegal return address.
void
__stdcall
check_callstack (void)
{
int saved_ebp;
int retaddr;
printf (“Check Call Stack Methord 1: \ n”);
__asm
{
mov eax, dword ptr [ebp+4]
mov retaddr, eax
mov eax, dword ptr [ebp]
mov saved_ebp, eax
}
printf (“retaddr = 0x%08X \ n”, retaddr);
while (saved_ebp < StackBase && saved_ebp > 0)
{
if (saved_ebp! = 0)
{
retaddr = * (int*)(saved_ebp+4);
printf (“retaddr = 0x%08X \ n”, retaddr);
saved_ebp = * (int*)saved_ebp;
}
}
}
In does not have in the Hook situation, we carry out Call_A(1,2), obtains the normal returns is 3.
check_callstack output:
retaddr = 0x00401008
retaddr = 0x00401030
retaddr = 0x00401050
retaddr = 0x00401126
retaddr = 0x0040149D
retaddr = 0x7C816FD7
We use function Hooked_Call_B to come now in Call_A to fall Call_B to Hook.
Hook falls Call_B does is only the returns value alters to 4.
__declspec (naked)
int Hooked_Call_B (int a, int b)
{
__asm
{
push ebp
mov ebp, esp
Other pages: : 1 * 2 * Next>>
|
You are here: hacking technology
> invades the examination
> Content
Category: Home
> invades the examination