Closed ashyerv closed 1 year ago
系统版本 win10 18362.30 (1903 专业版) (根据issues来说似乎目前支持的最高系统是 这个版本.) 直接下载最新源码,编译,扔到虚拟机测试, 跑了shark后提示 success,加载成功, 自写了个测试inline hook ntopenprocess ,初期工作正常,一段时间后蓝了(5-10分钟?) 代码 109 PG,驱动只写了一个测试hook,没有其他的功能.
/*
 * Test detour installed on NtOpenProcess.
 *
 * Emits a single debug marker and then forwards all four arguments, unchanged,
 * to the saved original entry point, so the caller sees the same result as an
 * unhooked call.
 *
 * NOTE(review): mydbg, fn_NtOpenProcess and ori_NtOpenProcess are declared
 * elsewhere in the test driver; ori_NtOpenProcess is presumed to hold the
 * original/trampoline address captured when the hook was installed -- confirm.
 */
NTSTATUS NTAPI Hooked_NtOpenProcess(
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId)
{
    mydbg("use here \r\n"); /* reported to print correctly */

    /* Pass-through: nothing is inspected or modified before forwarding. */
    fn_NtOpenProcess forward = (fn_NtOpenProcess)ori_NtOpenProcess;
    return forward(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
reload /i Shark.sys=FFFF858BBA535000 < FFFF858BBA535000 - 00020000 > [SHARK] < 00000000000047BA > BuildNumber [SHARK] < FFFF858BBAA7C380 > PsInitialSystemProcess [SHARK] < 0000000000000002 > NumberProcessors [SHARK] < FFFFF80405AECC80 > KeEnterCriticalRegion [SHARK] < FFFFF80405AE78F0 > KeLeaveCriticalRegion [SHARK] < FFFFF80405AEDDF0 > ExAcquireSpinLockShared [SHARK] < FFFFF80405BC1760 > ExReleaseSpinLockShared [SHARK] < FFFFF80405BDDF30 > DbgPrint [SHARK] < FFFFF80405AE94A0 > KeWaitForSingleObject [SHARK] < FFFFF80405C7DE00 > RtlCompareMemory [SHARK] < FFFFF80405C7D9D0 > RtlRestoreContext [SHARK] < FFFFF80405B69060 > ExQueueWorkItem [SHARK] < FFFFF80405E230A0 > ExFreePoolWithTag [SHARK] < FFFFF80405C75810 > KeBugCheckEx [SHARK] < FFFFF80405BC8790 > ExInterlockedRemoveHeadList [SHARK] < FFFFF80405BBBE30 > ExAcquireRundownProtection [SHARK] < FFFFF80405BC3D50 > ExReleaseRundownProtection [SHARK] < FFFFF80405B0D550 > ExWaitForRundownProtectionRelease [SHARK] < FFFF858BBA5515C0 > Block [SHARK] < 00000000000000C0 > SizeCmpAppendDllSection [SHARK] < 0000000000000001 > BtcEnable [SHARK] < FFFF858BBA551F48 > OriginalCmpAppendDllSection [SHARK] < 00000000000007E8 > OffsetEntryPoint [SHARK] < 0000000000019000 > SizeINITKDBG [SHARK] < FFFF858BBA555000 > INITKDBG [SHARK] < FFFFF80405E230A0 > ntoskrnl.exe!ExGetPreviousMode [SHARK] < FFFFF804060E29E0 > ntoskrnl.exe!ObDereferenceSecurityDescriptor + 140 [SHARK] < FFFFF80405B69060 > ntoskrnl.exe!ExReInitializeRundownProtectionCacheAware [SHARK] < FFFFF80405AE52A0 > ntoskrnl.exe!ExReleaseSpinLockSharedFromDpcLevel [SHARK] < FFFFF80405BB9E90 > MmAllocateIndependentPages [SHARK] < FFFFF80405BD34A0 > MmFreeIndependentPages [SHARK] < FFFFF80405BE58F0 > MmSetPageProtection [SHARK] < FFFFC44E00E74D20 > test independent page < FFFF9C01CE9A4000 - 00001000 > [SHARK] < FFFFF80405C5E770 > KiScbQueueScanWorker [SHARK] < FFFFF80405C5E7C0 > KiScbQueueScanWorker end [SHARK] < FFFFF8040603F010 > PsInvertedFunctionTable [SHARK] < 0000000059006860 
> BranchKey[10] [SHARK] < 00000000E0006CF1 > BranchKey[0] [SHARK] < 0000000020006B15 > BranchKey[1] [SHARK] < 0000000060006938 > BranchKey[2] [SHARK] < 00000000160068D0 > BranchKey[3] [SHARK] < 000000007E006894 > BranchKey[4] [SHARK] < 0000000000007730 > BranchKey[5] [SHARK] < 0000000000000000 > BranchKey[6] [SHARK] < 0000000080007376 > BranchKey[7] [SHARK] < 00000000280069EB > BranchKey[8] [SHARK] < 0000000000006FBD > BranchKey[9] [SHARK] < 0000000000095486 > BranchKey[11] [SHARK] < FFFFF80405C7CD3E > KiStartSystemThread [SHARK] < FFFFF80405BE98D0 > PspSystemThreadStartup [SHARK] < FFFFF804060286F8 > KiWaitNever [SHARK] < FFFFF804060288E0 > KiWaitAlways [SHARK] < FFFFF80405D7B310 > MmIsNonPagedSystemAddressValid [SHARK] < FFFFF80405EE5410 > PoolBigPageTable [SHARK] < FFFFF80405EE7C28 > PoolBigPageTableSize [SHARK] < 0000000000E95000 > NumberOfPtes [SHARK] < FFFFC44E00000000 > BasePte [SHARK] < FFFFF80405D7B2F0 > MmIsAddressValid [SHARK] < FFFFF80405B70450 > RtlLookupFunctionEntry [SHARK] < FFFFF80405BEEB20 > RtlVirtualUnwind [SHARK] < FFFFF80405B69060 > ExQueueWorkItem [SHARK] < FFFF858BBA547B10 > CaptureContext [SHARK] < FFFF858BBA53D0B0 > FreeWorker [SHARK] < FFFF858BBA53AEA0 > ClearCallback [SHARK] < 00000000000006E4 > OffsetSameThreadPassive [SHARK] < 0000000000000001 > BigPool < FFFF858BBC010000 - 00008000 > [SHARK] < 0000000000000001 > scan < FFFF858BBA555000 - 00019000 > < CCCCCCCCCCCCCCCC, CCCCCCCCCCCCCCCC, 56535508244C8948, 4156415541544157...> [SHARK] < 0000000000000001 > SystemPtes < FFFFC44E00000000 - FFFFC44E074A8000 > [SHARK] < FFFF858BBA534000 > shark load success
dump: 022823-13078-01.zip
系统版本 win10 18362.30 (1903 专业版) (根据issues来说似乎目前支持的最高系统是 这个版本.) 直接下载最新源码,编译,扔到虚拟机测试, 跑了shark后提示 success,加载成功, 自写了个测试inline hook ntopenprocess ,初期工作正常,一段时间后蓝了(5-10分钟?) 代码 109 PG,驱动只写了一个测试hook,没有其他的功能.
/*
 * Test detour installed on NtOpenProcess.
 *
 * Emits a single debug marker and then forwards all four arguments, unchanged,
 * to the saved original entry point, so the caller sees the same result as an
 * unhooked call.
 *
 * NOTE(review): mydbg, fn_NtOpenProcess and ori_NtOpenProcess are declared
 * elsewhere in the test driver; ori_NtOpenProcess is presumed to hold the
 * original/trampoline address captured when the hook was installed -- confirm.
 */
NTSTATUS NTAPI Hooked_NtOpenProcess(
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId)
{
    mydbg("use here \r\n"); /* reported to print correctly */

    /* Pass-through: nothing is inspected or modified before forwarding. */
    fn_NtOpenProcess forward = (fn_NtOpenProcess)ori_NtOpenProcess;
    return forward(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
reload /i Shark.sys=FFFF858BBA535000 < FFFF858BBA535000 - 00020000 > [SHARK] < 00000000000047BA > BuildNumber [SHARK] < FFFF858BBAA7C380 > PsInitialSystemProcess [SHARK] < 0000000000000002 > NumberProcessors [SHARK] < FFFFF80405AECC80 > KeEnterCriticalRegion [SHARK] < FFFFF80405AE78F0 > KeLeaveCriticalRegion [SHARK] < FFFFF80405AEDDF0 > ExAcquireSpinLockShared [SHARK] < FFFFF80405BC1760 > ExReleaseSpinLockShared [SHARK] < FFFFF80405BDDF30 > DbgPrint [SHARK] < FFFFF80405AE94A0 > KeWaitForSingleObject [SHARK] < FFFFF80405C7DE00 > RtlCompareMemory [SHARK] < FFFFF80405C7D9D0 > RtlRestoreContext [SHARK] < FFFFF80405B69060 > ExQueueWorkItem [SHARK] < FFFFF80405E230A0 > ExFreePoolWithTag [SHARK] < FFFFF80405C75810 > KeBugCheckEx [SHARK] < FFFFF80405BC8790 > ExInterlockedRemoveHeadList [SHARK] < FFFFF80405BBBE30 > ExAcquireRundownProtection [SHARK] < FFFFF80405BC3D50 > ExReleaseRundownProtection [SHARK] < FFFFF80405B0D550 > ExWaitForRundownProtectionRelease [SHARK] < FFFF858BBA5515C0 > Block [SHARK] < 00000000000000C0 > SizeCmpAppendDllSection [SHARK] < 0000000000000001 > BtcEnable [SHARK] < FFFF858BBA551F48 > OriginalCmpAppendDllSection [SHARK] < 00000000000007E8 > OffsetEntryPoint [SHARK] < 0000000000019000 > SizeINITKDBG [SHARK] < FFFF858BBA555000 > INITKDBG [SHARK] < FFFFF80405E230A0 > ntoskrnl.exe!ExGetPreviousMode [SHARK] < FFFFF804060E29E0 > ntoskrnl.exe!ObDereferenceSecurityDescriptor + 140 [SHARK] < FFFFF80405B69060 > ntoskrnl.exe!ExReInitializeRundownProtectionCacheAware [SHARK] < FFFFF80405AE52A0 > ntoskrnl.exe!ExReleaseSpinLockSharedFromDpcLevel [SHARK] < FFFFF80405BB9E90 > MmAllocateIndependentPages [SHARK] < FFFFF80405BD34A0 > MmFreeIndependentPages [SHARK] < FFFFF80405BE58F0 > MmSetPageProtection [SHARK] < FFFFC44E00E74D20 > test independent page < FFFF9C01CE9A4000 - 00001000 > [SHARK] < FFFFF80405C5E770 > KiScbQueueScanWorker [SHARK] < FFFFF80405C5E7C0 > KiScbQueueScanWorker end [SHARK] < FFFFF8040603F010 > PsInvertedFunctionTable [SHARK] < 0000000059006860 
> BranchKey[10] [SHARK] < 00000000E0006CF1 > BranchKey[0] [SHARK] < 0000000020006B15 > BranchKey[1] [SHARK] < 0000000060006938 > BranchKey[2] [SHARK] < 00000000160068D0 > BranchKey[3] [SHARK] < 000000007E006894 > BranchKey[4] [SHARK] < 0000000000007730 > BranchKey[5] [SHARK] < 0000000000000000 > BranchKey[6] [SHARK] < 0000000080007376 > BranchKey[7] [SHARK] < 00000000280069EB > BranchKey[8] [SHARK] < 0000000000006FBD > BranchKey[9] [SHARK] < 0000000000095486 > BranchKey[11] [SHARK] < FFFFF80405C7CD3E > KiStartSystemThread [SHARK] < FFFFF80405BE98D0 > PspSystemThreadStartup [SHARK] < FFFFF804060286F8 > KiWaitNever [SHARK] < FFFFF804060288E0 > KiWaitAlways [SHARK] < FFFFF80405D7B310 > MmIsNonPagedSystemAddressValid [SHARK] < FFFFF80405EE5410 > PoolBigPageTable [SHARK] < FFFFF80405EE7C28 > PoolBigPageTableSize [SHARK] < 0000000000E95000 > NumberOfPtes [SHARK] < FFFFC44E00000000 > BasePte [SHARK] < FFFFF80405D7B2F0 > MmIsAddressValid [SHARK] < FFFFF80405B70450 > RtlLookupFunctionEntry [SHARK] < FFFFF80405BEEB20 > RtlVirtualUnwind [SHARK] < FFFFF80405B69060 > ExQueueWorkItem [SHARK] < FFFF858BBA547B10 > CaptureContext [SHARK] < FFFF858BBA53D0B0 > FreeWorker [SHARK] < FFFF858BBA53AEA0 > ClearCallback [SHARK] < 00000000000006E4 > OffsetSameThreadPassive [SHARK] < 0000000000000001 > BigPool < FFFF858BBC010000 - 00008000 > [SHARK] < 0000000000000001 > scan < FFFF858BBA555000 - 00019000 > < CCCCCCCCCCCCCCCC, CCCCCCCCCCCCCCCC, 56535508244C8948, 4156415541544157...> [SHARK] < 0000000000000001 > SystemPtes < FFFFC44E00000000 - FFFFC44E074A8000 > [SHARK] < FFFF858BBA534000 > shark load success
dump: 022823-13078-01.zip