
zjjmj2002 - 2007-3-12 16:19:00
icesword是一个比较酷的软件,用任务管理器看不见它的用户名,而且任务管理器也无法结束它的进程,ntsd也无法结束它的进程。特别是在使用了icesword.exe /c参数后,想要结束icesword变得十分困难!
但事实上icesword防止自身进程被结束并没有用什么太变态的办法,只是inline Hook了NtOpenProcess和NtTerminateProcess两个函数而已(注意是inline Hook,不是修改SSDT)。所以要破掉也很简单,只需要把ntoskrnl.exe模块中被改写的那几个字节,从磁盘上的原始文件恢复回去就行了!不过由于ntoskrnl可不是阿猫阿狗都能改的,还是得进内核,呵呵。需要注意:下面代码里的函数偏移(FunOpen/FunClose)和内核基址(0804d8000h)都是针对作者自己那一个ntoskrnl版本写死的,换一个内核版本(不同SP、不同补丁)这两处各16个字节就会写到内核的其他位置,轻则蓝屏,重则静默破坏内核;代码里按文件大小做的检查只能挡住最明显的不匹配。
使用方法:使用icesword.exe /c命令运行icesword,再以管理员身份运行本软件(sys.sys需放在当前目录下)。然后就可以打开任务管理器结束icesword进程了!注意:sys.sys会在系统里安装一个ring 3可以直接调用的调用门,而本程序只删除了服务项、并没有停止驱动,所以工具退出后这个调用门很可能仍然留在GDT里——这意味着本机任何普通进程都能借它进入ring 0。请只在测试机上使用,用完重启。
附件地址:http://b.py99.net/zip/f?v=20073/121610106.zip
源代码:
.386p
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include    advapi32.inc
include    macros.asm
include masm32.inc
include debug.inc
includelib debug.lib
includelib masm32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib    advapi32.lib

.data

; ---- runtime state, filled in by start: ----
hFile    dd     0                ; handle to the on-disk ntoskrnl.exe (0 until CreateFile succeeds)
hMemory    dd    0               ; HGLOBAL of the buffer the file is read into
pMemory    dd    0               ; locked pointer to that buffer

; ---- patch sites ----
; Raw offsets of the two functions whose first 16 bytes are restored from disk.
; start: adds each value both to pMemory (file buffer) and to the kernel load
; address 0804d8000h, i.e. file offset and virtual offset are assumed equal.
; NOTE(review): that only holds for this one ntoskrnl.exe build; the values are
; hard-coded and not derived from the image. The post names the functions as
; NtOpenProcess / NtTerminateProcess; the code itself does not say.
FunOpen    dd    09cc96h          ; presumably NtOpenProcess (per the post) - confirm against the target build
FunClose    dd    0abc2bh         ; presumably NtTerminateProcess (per the post) - confirm against the target build


szExceptionCaused db 'Exception Caused - could not switch to ring 0',0  ; shown by ExceptCallBack
szError    db 'Error',0                                                  ; caption for the above
MsgCaption      db 'Test',0       ; not referenced anywhere in this listing
MsgBoxText      db "cr3=%8x",0    ; not referenced anywhere in this listing (leftover debug format string)
tmp db 50 dup(90)                 ; not referenced; 50 bytes of decimal 90 (5Ah) - possibly 90h (NOP) was intended
; 48-bit far pointer used by `call fword ptr [Callgt]` in start:.
; For a call gate the CPU ignores the offset part and takes the target from
; the gate descriptor, so only the selector matters.
Callgt dd 0                       ; offset (ignored for a call-gate transfer)
      dw 353h                     ; selector 353h = GDT index 6Ah, RPL 3; must match the gate that sys.sys installs

.data?


.code
;-----------------------------------------------------------------------
; ExceptCallBack - unhandled-exception filter installed by start: through
; SetUnhandledExceptionFilter.
; The expected way to get here is the far call through the call gate
; faulting (e.g. sys.sys did not install a gate at selector 353h).
; Shows szExceptionCaused and terminates the process with exit code -1.
; ExitProcess never returns, so the trailing ret (which would need to
; be `ret 4` for the filter's one stdcall argument) is never reached.
;-----------------------------------------------------------------------
ExceptCallBack PROC
    ; MessageBoxA(NULL, szExceptionCaused, szError, MB_OK), stdcall: push right-to-left
    push    MB_OK
    push    offset szError
    push    offset szExceptionCaused
    push    NULL
    call    MessageBoxA
    ; ExitProcess(-1)
    push    -1
    call    ExitProcess
    ret
ExceptCallBack ENDP

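;-----------------------------------------------------------------------
; OpenSys - load the helper driver sys.sys (looked up in the current dir).
; Registers it with the SCM as a demand-start kernel driver named "sys",
; starts it, then deletes the SCM entry again so nothing persists in the
; registry. The driver itself is NOT stopped: stopping it here would take
; the call gate away before start: uses it, so the driver stays loaded
; after this tool exits (see the review note in start:).
; In:   nothing
; Out:  eax != 0 if the driver is running (started now or already running),
;       0 on any failure (a message box has been shown). The caller in
;       start: ignores the result, exactly as it did before.
; Clobbers: eax, ecx, edx (as any stdcall Win32 call does).
;-----------------------------------------------------------------------
OpenSys    proc

local hSCManager:HANDLE
local hService:HANDLE
local acDriverPath[MAX_PATH]:CHAR
local fStarted:DWORD

    ; Connect to the SCM with the right to create a service (requires admin).
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
    .if eax == NULL
        invoke MessageBox, NULL, CTXT("Can't connect to Service Control Manager."), \
                            NULL, MB_ICONSTOP
        xor eax, eax
        ret
    .endif
    mov hSCManager, eax

    ; Resolve "sys.sys" against the current directory. A scratch dword is
    ; pushed so that esp can serve as the (unused) lpFilePart out-pointer:
    ; it is the last argument, so it is pushed first, while esp still
    ; points at the scratch slot.
    push eax
    invoke GetFullPathName, CTXT("sys.sys",0), sizeof acDriverPath, addr acDriverPath, esp
    pop eax

    ; Register the driver in the SCM database.
    invoke CreateService, hSCManager, CTXT("sys"), CTXT("System"), \
            SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
            SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
    .if eax == NULL
        ; A previous run that died before DeleteService leaves a stale "sys"
        ; entry (ERROR_SERVICE_EXISTS); reuse it instead of giving up.
        invoke GetLastError
        .if eax == ERROR_SERVICE_EXISTS
            invoke OpenService, hSCManager, CTXT("sys"), SERVICE_START + DELETE
        .else
            xor eax, eax
        .endif
    .endif
    .if eax == NULL
        invoke MessageBox, NULL, CTXT("Can't register driver."), NULL, MB_ICONSTOP
        invoke CloseServiceHandle, hSCManager
        xor eax, eax
        ret
    .endif
    mov hService, eax

    ; Load the driver. The original ignored this result, so a failed load
    ; only showed up later as a ring-0 fault in start:.
    ; ERROR_SERVICE_ALREADY_RUNNING means the gate is already in place and
    ; is treated as success.
    invoke StartService, hService, 0, NULL
    mov fStarted, eax
    .if eax == 0
        invoke GetLastError
        .if eax == ERROR_SERVICE_ALREADY_RUNNING
            mov fStarted, 1
        .else
            invoke MessageBox, NULL, CTXT("Can't start driver."), NULL, MB_ICONSTOP
        .endif
    .endif

    ; Remove the registry entry (takes effect once the driver is gone) and
    ; release both SCM handles.
    invoke DeleteService, hService
    invoke CloseServiceHandle, hService
    invoke CloseServiceHandle, hSCManager
    mov eax, fStarted
    ret

OpenSys endp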

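start:
; -----------------------------------------------------------------------
; Entry point. Flow:
;   1. install an unhandled-exception filter - a faulting far call below is
;      the most likely failure (see ExceptCallBack);
;   2. load sys.sys through the SCM (OpenSys); the driver is expected to
;      install a call gate at selector 353h (see Callgt);
;   3. read <system dir>\ntoskrnl.exe from disk into a buffer;
;   4. enter ring 0 through the gate and copy HOOK_LEN bytes at FunOpen and
;      FunClose from the on-disk image over the loaded kernel image, undoing
;      the inline hooks the post attributes to IceSword;
;   5. far-return to ring 3 at Exit and clean up.
;
; NOTE(review): step 4 is tied to one machine and one kernel build:
;   - FunOpen/FunClose are raw file offsets and NTOSKRNL_BASE is the kernel's
;     load address, all hard-coded. On any other build the 16-byte writes land
;     in unrelated kernel code. The file-size check below rejects the obvious
;     mismatch but cannot prove the build matches.
;   - if either 16-byte window contains an absolute address, the on-disk bytes
;     are unrelocated and differ from the correct in-memory bytes; confirm
;     against a disassembly of the target build.
;   - no CR0.WP handling: the write only succeeds where the kernel's code
;     pages happen to be writable from ring 0; otherwise it faults in ring 0
;     and the machine crashes.
;   - cli/sti masks interrupts on this CPU only; on a multiprocessor system
;     another CPU can execute the patched function mid-copy.
;   - the copy source (pMemory) is pageable user memory read from ring 0;
;     presumably resident because ReadFile just filled it, but nothing locks it.
;   - sys.sys is started but never stopped (OpenSys only deletes the SCM
;     entry), so its gate presumably stays in the GDT after this tool exits,
;     giving any local process a path to ring 0.
; -----------------------------------------------------------------------
NTOSKRNL_BASE     equ 0804d8000h     ; load address of the running kernel that FunOpen/FunClose were taken against
KERNEL_IMAGE_SIZE equ 2178944        ; buffer size of the original; appears to be the exact size of that ntoskrnl.exe build
HOOK_LEN          equ 010h           ; bytes restored at each hook site
SYSDIR_MAX        equ MAX_PATH - 14  ; longest system dir that still leaves room for "\ntoskrnl.exe" + NUL

    push    offset ExceptCallBack
    call    SetUnhandledExceptionFilter

    invoke  OpenSys                  ; result ignored as before; a missing gate is caught by the filter

    ; Buffer for the on-disk kernel image.
    invoke  GlobalAlloc, GMEM_MOVEABLE or GMEM_ZEROINIT, KERNEL_IMAGE_SIZE
    .if eax == NULL
        invoke MessageBox, NULL, CTXT("内存分配失败!",0), CTXT("失败!",0), MB_OK or MB_ICONHAND
        jmp Cleanup
    .endif
    mov     hMemory, eax
    invoke  GlobalLock, hMemory
    .if eax == NULL
        invoke MessageBox, NULL, CTXT("内存锁定失败!",0), CTXT("失败!",0), MB_OK or MB_ICONHAND
        jmp Cleanup
    .endif
    mov     pMemory, eax

    ; Build "<system dir>\ntoskrnl.exe" in a stack buffer instead of assuming
    ; C:\WINDOWS\system32. Read-only access is all that is needed.
    sub     esp, MAX_PATH
    mov     ebx, esp                 ; ebx -> path buffer (preserved across Win32 calls)
    invoke  GetSystemDirectory, ebx, MAX_PATH
    .if eax == 0 || eax > SYSDIR_MAX
        mov     eax, INVALID_HANDLE_VALUE   ; take the open-failure path below
    .else
        invoke  lstrcat, ebx, CTXT("\ntoskrnl.exe",0)
        invoke  CreateFile, ebx, GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
    .endif
    add     esp, MAX_PATH            ; does not touch eax
    .if eax == INVALID_HANDLE_VALUE
        invoke MessageBox, NULL, CTXT("打开 ntoskrnl.exe 失败!",0), CTXT("失败!",0), MB_OK or MB_ICONHAND
        jmp Cleanup
    .endif
    mov     hFile, eax

    ; Build check: a kernel file of another size is certainly not the build
    ; the hard-coded offsets belong to. Abort rather than corrupt the kernel.
    invoke  GetFileSize, hFile, NULL
    .if eax != KERNEL_IMAGE_SIZE
        invoke MessageBox, NULL, CTXT("ntoskrnl.exe 的大小与预期不符,内核版本与本程序内置的偏移不匹配,已中止以免损坏内核!",0), CTXT("失败!",0), MB_OK or MB_ICONHAND
        jmp Cleanup
    .endif

    ; Read the whole image. A real scratch dword receives the byte count
    ; (the original passed esp, which pointed at the already-pushed
    ; lpOverlapped slot, and never checked the result).
    sub     esp, 4
    mov     edx, esp                 ; edx -> scratch dword for lpNumberOfBytesRead
    invoke  ReadFile, hFile, pMemory, KERNEL_IMAGE_SIZE, edx, NULL
    pop     ecx                      ; ecx = bytes actually read
    .if eax == 0 || ecx != KERNEL_IMAGE_SIZE
        invoke MessageBox, NULL, CTXT("读取 ntoskrnl.exe 失败!",0), CTXT("失败!",0), MB_OK or MB_ICONHAND
        jmp Cleanup
    .endif

    ; ---- ring 0 from the far call to the retf ----
    ; Assumed gate mechanics (not visible here, lives in sys.sys): the gate's
    ; kernel-side target pops the user return EIP and continues at the next
    ; instruction (e.g. a bare `ret`), so the ring-0 stack holds
    ; [CS3][ESP3][SS3] - which is what the esp juggling and the final retf
    ; rely on. The selector comes from Callgt; the offset dword is ignored.
    call    fword ptr [Callgt]

    mov     eax, esp                 ; eax = ring-0 esp (points at CS3)
    mov     esp, [esp+4]             ; continue on the ring-3 stack (ESP3)
    push    eax                      ; keep the ring-0 esp for the way back

    cli                              ; this CPU only; see NOTE above
    mov     edi, NTOSKRNL_BASE
    add     edi, FunOpen             ; edi -> hooked function in the loaded kernel
    mov     esi, pMemory
    add     esi, FunOpen             ; esi -> same offset in the on-disk image
    mov     ecx, HOOK_LEN
    cld
    rep movsb                        ; overwrite the inline hook with the original bytes

    mov     edi, NTOSKRNL_BASE
    add     edi, FunClose
    mov     esi, pMemory
    add     esi, FunClose
    mov     ecx, HOOK_LEN
    cld
    rep movsb
    sti

    pop     esp                      ; back on the ring-0 stack: [CS3][ESP3][SS3]
    push    offset Exit              ; EIP for the far return
    retf                             ; pops EIP/CS, then ESP/SS -> ring 3 at Exit

Exit:
    invoke MessageBox, NULL, CTXT("已成功恢复ntoskrnl模块,现在可以结束icesword了!",0), CTXT("Success",0), MB_OK

Cleanup:
    ; Failure paths jump here directly so they never show the success box.
    .if hFile != 0
        invoke CloseHandle, hFile
    .endif
    .if pMemory != 0
        invoke GlobalUnlock, hMemory ; takes the HGLOBAL, not the locked pointer
    .endif
    .if hMemory != 0
        invoke GlobalFree, hMemory
    .endif
    invoke ExitProcess, NULL
end start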