Usermode api hook removal

最新推荐文章于 2015-08-19 00:18:46 发布

转载最新推荐文章于 2015-08-19 00:18:46 发布 · 1.6k 阅读

文章标签：

#hook #api #module #header #null #function

windows底层核心編程专栏收录该内容

743 篇文章

订阅专栏

本文介绍了一种方法来修复被恶意修改的防火墙用户模式钩子，防止病毒或恶意软件通过修改导出表或扩展代码覆盖来绕过安全检测。

By: akcom

Firewall's implementing usermode hooks to detect (shock) viral/malicious hooks is both idiotic and easy to bypass, the code to do it follows. This protected against Export Table Patching & extended/simple code overwrite (inline hooking).


#define makeptr( Base, Increment, Typecast ) ((Typecast)( (ULONG)(Base) + (ULONG)(Increment) ))
#define incptr( Base, Increment, Typecast ) ((Typecast)RVAToVA( (ULONG)(Base), (ULONG)(Increment) ))

ULONG RVAToVA( ULONG Base, ULONG Increment );

void Unhook( HMODULE Module, LPSTR Function )
{
char MFileName[MAX_PATH];
GetModuleFileName( Module, MFileName, sizeof(MFileName) );

HANDLE hFile = CreateFile( MFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL );
SetFilePointer( hFile, 0, NULL, FILE_BEGIN );

ULONG dwTemp;

dwTemp = GetFileSize( hFile, NULL );
BYTE *Base = new BYTE[dwTemp];
ReadFile( hFile, Base, dwTemp, &dwTemp, NULL );
CloseHandle( hFile );

PIMAGE_NT_HEADERS  Nt = makeptr( Base, ((PIMAGE_DOS_HEADER)Base)->e_lfanew, PIMAGE_NT_HEADERS );
PIMAGE_EXPORT_DIRECTORY Exports =
incptr( Base, Nt->OptionalHeader.DataDirectory[0].VirtualAddress, PIMAGE_EXPORT_DIRECTORY );

PBYTE FuncHooked = (PBYTE)GetProcAddress( Module, Function );
PBYTE FuncOriginal = NULL;

char **Names = incptr( Base, Exports->AddressOfNames, char ** );
ULONG *Functions = incptr( Base, Exports->AddressOfFunctions, ULONG * );

ULONG RVA;
ULONG VA;
for ( ULONG i = 0; i < Exports->NumberOfNames;i++ )
{
if ( _stricmp( incptr( Base, Names[i], char * ), Function ) == 0 )
{
  //protection against export table patching
  RVA = Functions[i];
  VA = (ULONG)GetProcAddress( Module, Function ) - (ULONG)Module;
  if ( VA != RVA )
  {
   ULONG *EATFunc =
    makeptr(
     Module,
     makeptr(
      Module,
      makeptr( Module, ((PIMAGE_DOS_HEADER)Module)->e_lfanew, PIMAGE_NT_HEADERS )->OptionalHeader.DataDirectory[0].VirtualAddress,
      PIMAGE_EXPORT_DIRECTORY )->AddressOfFunctions,
     PULONG
     );
   EATFunc[i] = RVA;
  }
  FuncOriginal = incptr( Base, Functions[i], PBYTE );

  break;
}
}

//protection against extended code overwriting
MEMORY_BASIC_INFORMATION Info;
VirtualQuery( FuncHooked, &Info, sizeof(Info) );
ULONG OldProtection;
VirtualProtect( FuncHooked, Info.RegionSize, PAGE_EXECUTE_READWRITE, &OldProtection );

i = 0;
while ( FuncHooked[i] != FuncOriginal[i] )
{
FuncHooked[i] = FuncOriginal[i];
i++;
}
delete []Base;
VirtualProtect( FuncHooked, Info.RegionSize, OldProtection, NULL );

}

ULONG RVAToVA( ULONG Base, ULONG Increment )
{
PIMAGE_NT_HEADERS  Nt = makeptr( Base, ((PIMAGE_DOS_HEADER)Base)->e_lfanew, PIMAGE_NT_HEADERS );
USHORT     SCount = Nt->FileHeader.NumberOfSections;
PIMAGE_SECTION_HEADER Sections = makeptr( Nt, sizeof(*Nt), PIMAGE_SECTION_HEADER );

for ( USHORT i = 0; i < SCount; i++ )
{
if ( (Increment >= Sections[i].VirtualAddress ) && (Increment <= (Sections[i].VirtualAddress + Sections[i].SizeOfRawData)) )
{
  return ( (Increment - Sections[i].VirtualAddress) + Sections[i].PointerToRawData + Base);
}
}
return Base + Increment;
}