Nourishment for Humble Development

So Win32K.sys is what handles the GDI-related processing...

Looking through KeServiceDescriptorTableShadow,
kd> dds KeServiceDescriptorTableShadow
80552140  80501030 nt!KiServiceTable
80552144  00000000
80552148  0000011c
8055214c  805014a4 nt!KiArgumentTable
80552150  bf997600 win32k!W32pServiceTable
80552154  00000000
80552158  0000029b
8055215c  bf998310 win32k!W32pArgumentTable


win32k!W32pServiceTable shows up~ let's check its contents.
kd> dds win32k!W32pServiceTable
bf997600  ????????
bf997604  ????????
bf997608  ????????
bf99760c  ????????



orz;;; damn.. nothing goes right these days anyway, and now there's no content either...
Is it a paging problem...

First, let's create a GDI-related process and attach to it.

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
...
PROCESS 81d45bd0  SessionId: 0  Cid: 0430    Peb: 7ffdb000  ParentCid: 05a8
    DirBase: 072c0260  ObjectTable: e10e1d18  HandleCount:  13.
    Image: S****ge2.exe

kd> .process /i 81d45bd0 
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80526da8 cc              int     3


Checking the contents of win32k!W32pServiceTable again,

kd> dds win32k!W32pServiceTable
bf997600  bf934ffe win32k!NtGdiAbortDoc
bf997604  bf946a92 win32k!NtGdiAbortPath
bf997608  bf8bf295 win32k!NtGdiAddFontResourceW
bf99760c  bf93e718 win32k!NtGdiAddRemoteFontToDC
bf997610  bf9480a9 win32k!NtGdiAddFontMemResourceEx
bf997614  bf935262 win32k!NtGdiRemoveMergeFont
bf997618  bf935307 win32k!NtGdiAddRemoteMMInstanceToDC
bf99761c  bf839cb5 win32k!NtGdiAlphaBlend
bf997620  bf9479d0 win32k!NtGdiAngleArc
bf997624  bf933a9d win32k!NtGdiAnyLinkedFonts
bf997628  bf947fc8 win32k!NtGdiFontIsLinked
bf99762c  bf90e7e0 win32k!NtGdiArcInternal
bf997630  bf88e5fe win32k!NtGdiBeginPath

there they are. Heh heh...
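
As an added example, not code from the original post: this parses the `dds KeServiceDescriptorTableShadow` dump above into its two descriptors using the well-known x86 layout (ServiceTable, CounterTable, ServiceLimit, ArgumentTable, 4 bytes each) and resolves a service number the way the x86 dispatcher does (bits 12-13 pick the descriptor, the low 12 bits index the handler array and are checked against ServiceLimit). It also handles the `????????` case seen above: win32k.sys is mapped in session space, so its pages only resolve while the debugger sits in the context of a process that belongs to a session, which is why the `.process /i` switch made the table readable. The dump lines are copied from the post; the service number 0x1002 used in the demo is my own choice.

```python
"""Parse WinDbg `dds` dumps of the shadow service descriptor table and
resolve a system service number to its handler slot (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ServiceTable:
    """One 16-byte x86 service descriptor entry."""
    service_table: int    # address of the handler pointer array
    counter_table: int    # per-service call counters, 0 when absent
    service_limit: int    # number of valid entries
    argument_table: int   # bytes of stack arguments per service


# Dump lines copied from the post.
SHADOW_DUMP = """\
80552140  80501030 nt!KiServiceTable
80552144  00000000
80552148  0000011c
8055214c  805014a4 nt!KiArgumentTable
80552150  bf997600 win32k!W32pServiceTable
80552154  00000000
80552158  0000029b
8055215c  bf998310 win32k!W32pArgumentTable
"""
W32P_DUMP = """\
bf997600  bf934ffe win32k!NtGdiAbortDoc
bf997604  bf946a92 win32k!NtGdiAbortPath
bf997608  bf8bf295 win32k!NtGdiAddFontResourceW
bf99760c  bf93e718 win32k!NtGdiAddRemoteFontToDC
"""
UNMAPPED_DUMP = """\
bf997600  ????????
bf997604  ????????
"""

DDS_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8}|\?{8})(?:\s+(\S+))?", re.I)


def parse_dds(text):
    """Return {address: (value or None if unmapped, symbol or None)}."""
    out = {}
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            value = None if m[2].startswith("?") else int(m[2], 16)
            out[int(m[1], 16)] = (value, m[3])
    return out


def parse_shadow(text):
    """Split a dds dump of the descriptor array into ServiceTable records;
    stops at the first descriptor whose ServiceTable pointer is 0."""
    words = parse_dds(text)
    base = min(words)
    tables = []
    for off in range(0, len(words) * 4, 16):
        fields = [words.get(base + off + i, (None,))[0] for i in (0, 4, 8, 12)]
        if None in fields or fields[0] == 0:
            break
        tables.append(ServiceTable(*fields))
    return tables


def resolve(tables, service_number):
    """Mirror the x86 dispatcher: bits 12-13 select the descriptor
    ((eax >> 8) & 0x30 is the byte offset into the array), the low 12 bits
    index the handler array and must be below ServiceLimit."""
    table_idx = (service_number >> 12) & 3
    index = service_number & 0xFFF
    if table_idx >= len(tables):
        raise ValueError(f"no descriptor {table_idx} in this table")
    t = tables[table_idx]
    if index >= t.service_limit:
        raise ValueError(f"index {index:#x} >= ServiceLimit {t.service_limit:#x}")
    return table_idx, t.service_table + 4 * index


def handler_symbol(tables, service_number, table_dump):
    """Look the resolved slot up in a dds dump of the matching handler array."""
    _, slot = resolve(tables, service_number)
    value, symbol = parse_dds(table_dump)[slot]
    if value is None:
        # win32k lives in session space: switch to a GUI process first
        # (`.process /i <EPROCESS>` followed by `g`, as in the post).
        raise LookupError(f"{slot:#x} not mapped in the current process context")
    return value, symbol


if __name__ == "__main__":
    shadow = parse_shadow(SHADOW_DUMP)
    for i, t in enumerate(shadow):
        print(f"table {i}: {t.service_table:#010x} limit {t.service_limit:#x}")
    print(handler_symbol(shadow, 0x1002, W32P_DUMP))
```

Only GUI threads are switched to the shadow table, so a thread that never touched GDI or USER still dispatches through the nt-only KeServiceDescriptorTable; that is consistent with the thread the post was originally stopped in not resolving win32k at all.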

It seems the thread we were stopped in earlier doesn't use GDI. Checking would be a hassle, so I'll skip it...
As we did with the nt module, looking up the W32pServiceTable variable in the file,

.data:BF999B80 _W32pServiceTable dd offset _NtGdiAbortDoc@4
.data:BF999B80                                         ; DATA XREF: DriverEntry(x,x)+F6o
.data:BF999B80                                         ; NtGdiAbortDoc(x)
.data:BF999B84                 dd offset _NtGdiAbortPath@4 ; NtGdiAbortPath(x)
.data:BF999B88                 dd offset _NtGdiAddFontResourceW@24 ; NtGdiAddFontResourceW(x,x,x,x,x,x)
.data:BF999B8C                 dd offset _NtGdiAddRemoteFontToDC@16 ; NtGdiAddRemoteFontToDC(x,x,x,x)
.data:BF999B90                 dd offset _NtGdiAddFontMemResourceEx@20 ; NtGdiAddFontMemResourceEx(x,x,x,x,x)
.data:BF999B94                 dd offset _NtGdiRemoveMergeFont@8 ; NtGdiRemoveMergeFont(x,x)
.data:BF999B98                 dd offset _NtGdiAddRemoteMMInstanceToDC@12 ; NtGdiAddRemoteMMInstanceToDC(x,x,x)
.data:BF999B9C                 dd offset _NtGdiAlphaBlend@48 ; NtGdiAlphaBlend(x,x,x,x,x,x,x,x,x,x,x,x)
.data:BF999BA0                 dd offset _NtGdiAngleArc@24 ; NtGdiAngleArc(x,x,x,x,x,x)
.data:BF999BA4                 dd offset _NtGdiAnyLinkedFonts@0 ; NtGdiAnyLinkedFonts()
.data:BF999BA8                 dd offset _NtGdiFontIsLinked@4 ; NtGdiFontIsLinked(x)
.data:BF999BAC                 dd offset _NtGdiArcInternal@40 ; NtGdiArcInternal(x,x,x,x,x,x,x,x,x,x)
.data:BF999BB0                 dd offset _NtGdiBeginPath@4 ; NtGdiBeginPath(x)
.data:BF999BB4                 dd offset _NtGdiBitBlt@44 ; NtGdiBitBlt(x,x,x,x,x,x,x,x,x,x,x)
.data:BF999BB8                 dd offset _NtGdiCancelDC@4 ; NtGdiCancelDC(x)
.data:BF999BBC                 dd offset _NtGdiCheckBitmapBits@32 ; NtGdiCheckBitmapBits(x,x,x,x,x,x,x,x)
.data:BF999BC0                 dd offset _NtGdiCloseFigure@4 ; NtGdiCloseFigure(x)
.data:BF999BC4                 dd offset _NtGdiClearBitmapAttributes@8 ; NtGdiClearBitmapAttributes(x,x)
.data:BF999BC8                 dd offset _NtGdiClearBrushAttributes@8 ; NtGdiClearBrushAttributes(x,x)


Wow, nice~
It looks like it gets set up in DriverEntry.

INIT:BF9AFD0F ; __stdcall DriverEntry(x, x)
INIT:BF9AFD0F _DriverEntry@8  proc near               ; DATA XREF: DriverEntry(x,x)+1CEo
INIT:BF9AFD0F
....
INIT:BF9AFDF2                 push    edi
INIT:BF9AFDF3                 push    offset _W32pArgumentTable
INIT:BF9AFDF8                 push    _W32pServiceLimit
INIT:BF9AFDFE                 mov     _countTable, esi
INIT:BF9AFE04                 push    esi
INIT:BF9AFE05                 push    offset _W32pServiceTable
INIT:BF9AFE0A                 call    ds:__imp__KeAddSystemServiceTable@20 ; KeAddSystemServiceTable(x,x,x,x,x)


Looking at the code, it calls KeAddSystemServiceTable with the W32pServiceTable variable as an argument
to register the SST.

Well... that's it, then...
I just need to write source code that, starting from win32k.sys's DriverEntry,
finds the CALL instruction that calls the address of KeAddSystemServiceTable.

orz;;;
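
An added example (not the post's own code) of the scan the last paragraph proposes: a linear-sweep decoder for the handful of x86 instruction forms the DriverEntry tail above uses, which finds the `call ds:__imp__KeAddSystemServiceTable` through its IAT slot and recovers the five stdcall arguments from the pushes before it (the last push is the first argument, the ServiceTable pointer). The input bytes are constructed to reproduce the IDA listing starting at INIT:BF9AFDF2; only _W32pServiceTable's address (BF999B80) comes from the post, the other operand addresses and the IAT slot address are assumed placeholders. On a real driver you would feed it the mapped .text bytes, the section's VA and the import slot's VA from the import directory.

```python
"""Locate the KeAddSystemServiceTable call in a DriverEntry and recover its
arguments from the preceding pushes (added example, not the post's code)."""
import struct

# Constructed input reproducing the IDA listing at INIT:BF9AFDF2.  Only
# _W32pServiceTable (BF999B80) comes from the post; the other operand
# addresses and the IAT slot are assumed placeholders.
BASE = 0xBF9AFDF2
W32P_SERVICE_TABLE = 0xBF999B80
W32P_ARGUMENT_TABLE = 0xBF99A300   # assumed
W32P_SERVICE_LIMIT = 0xBF99A2F0    # assumed
COUNT_TABLE = 0xBF99A2F4           # assumed
IMP_KEADDSST = 0xBF9A0010          # assumed IAT slot of __imp__KeAddSystemServiceTable


def le32(v):
    return struct.pack("<I", v)


CODE = (
    b"\x57"                                   # push    edi
    + b"\x68" + le32(W32P_ARGUMENT_TABLE)     # push    offset _W32pArgumentTable
    + b"\xff\x35" + le32(W32P_SERVICE_LIMIT)  # push    _W32pServiceLimit
    + b"\x89\x35" + le32(COUNT_TABLE)         # mov     _countTable, esi
    + b"\x56"                                 # push    esi
    + b"\x68" + le32(W32P_SERVICE_TABLE)      # push    offset _W32pServiceTable
    + b"\xff\x15" + le32(IMP_KEADDSST)        # call    ds:__imp__KeAddSystemServiceTable
)

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# KeAddSystemServiceTable(ServiceTable, CounterTable, ServiceLimit,
#                         ArgumentTable, TableIndex): stdcall, 5 * 4 = @20
ARG_NAMES = ["ServiceTable", "CounterTable", "ServiceLimit", "ArgumentTable", "TableIndex"]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def decode(code, base):
    """Linear sweep over the x86 forms this DriverEntry tail uses: push r32,
    push imm8/imm32, and push/call/mov through an absolute disp32 memory
    operand (modrm mod=00 rm=101).  Stops at the first unknown byte."""
    i = 0
    while i < len(code):
        va, op = base + i, code[i]
        if 0x50 <= op <= 0x57:
            yield va, "push", ("reg", REGS[op - 0x50])
            i += 1
        elif op == 0x68 and i + 5 <= len(code):
            yield va, "push", ("imm", u32(code, i + 1))
            i += 5
        elif op == 0x6A and i + 2 <= len(code):
            yield va, "push", ("imm", code[i + 1])
            i += 2
        elif op in (0x89, 0xFF) and i + 6 <= len(code) and (code[i + 1] & 0xC7) == 0x05:
            reg, disp = (code[i + 1] >> 3) & 7, u32(code, i + 2)
            if op == 0x89:
                yield va, "mov", ("mem", disp, REGS[reg])   # mov [disp32], r32
            elif reg == 6:
                yield va, "push", ("mem", disp)             # push [disp32]
            elif reg == 2:
                yield va, "call", ("mem", disp)             # call [disp32]
            else:
                return
            i += 6
        else:
            return


def find_registration(code, base, imp_slot):
    """Return the call VA and the five arguments, or None if no call through
    the given IAT slot is found.  Pushes are tracked in order; the five most
    recent before the call are the stdcall arguments, last push first."""
    pushes = []
    for va, mnem, opnd in decode(code, base):
        if mnem == "push":
            pushes.append(opnd)
        elif mnem == "call" and opnd == ("mem", imp_slot):
            if len(pushes) < 5:
                raise ValueError("call reached with fewer than 5 pushes")
            return {"call_va": va, **dict(zip(ARG_NAMES, reversed(pushes[-5:])))}
    return None


if __name__ == "__main__":
    r = find_registration(CODE, BASE, IMP_KEADDSST)
    print(f"call at {r['call_va']:#010x}, ServiceTable = {r['ServiceTable']}")
```

Arguments that arrive in a register (CounterTable in esi, TableIndex in edi here) are reported as the register name rather than a value; resolving those would need a small register-tracking pass, which the listing above does not call for. The decoder deliberately stops at any instruction form it does not know, so on a real image it should be started at DriverEntry and extended as needed rather than trusted to sweep arbitrary bytes.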