自己实现读写内存API和OpenProcess躲过Ring3层的HOOK(win10 1903)

想躲过ring3层的某些API的HOOK,不想恢复钩子,自己写,百度一搜半天都找不到,只能自己动手了...

OpenProcess和ReadProcessMemory和WriteProcessMemory都在KernelBase.dll里

NtOpenProcess、NtReadVirtualMemory 和 NtWriteVirtualMemory 在 ntdll.dll 里(注意是 NtWriteVirtualMemory,没有 "NtWriteProcessMemory" 这个函数,下面代码里用的也是 NtWriteVirtualMemory)

用IDA进行逆向即可得到它们的汇编代码,嫌麻烦的话可以不用去逆向KernelBase.dll里的,自己用Nt式的API和用KernelBase.dll的差不多:KernelBase.dll里的封装除了对参数做些检查,主要就是调用ntdll.dll的函数,然后把返回的NTSTATUS转换成Win32语义(失败时返回NULL/FALSE并SetLastError)。直接用Nt式API的话,NT_SUCCESS这一步检查要自己做,否则调用方无法区分成功和失败。

 

(WriteProcessMemory代码太长了,所以直接搞NtWriteVirtualMemory了;SetLastError可以省掉,不返回Win32错误代码也无所谓,但对NTSTATUS的NT_SUCCESS检查不能省:不检查的话OpenProcess失败时返回的是栈上遗留的垃圾值而不是NULL,ReadProcessMemory失败时也会返回TRUE。另外下面写死的系统调用号(26h/3Fh/3Ah)是按标题说的Win10 1903来的,其他Windows版本的调用号可能不同,换版本要重新核对。asm文件咋用,自己百度)

.asm文件:

.CODE
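;==============================================================================
; Direct-syscall replacements for OpenProcess / ReadProcessMemory /
; NtWriteVirtualMemory (MASM, x64, Microsoft x64 calling convention).
;
; Purpose: reach the kernel without going through ntdll's exported stubs, so
; user-mode (ring-3) inline hooks on those exports are not executed.
;
; Caveats for anyone reusing this:
;   * The syscall numbers below are the ones this file was written against
;     (Windows 10 1903, per the title). They are build-specific; verify them
;     against the target ntdll before use on any other release.
;   * Only user-mode hooks are avoided. A SYSCALL issued from a non-ntdll
;     image is itself a well-known detection indicator (the return address
;     into user mode is not inside ntdll).
;   * NOTE(review): the real ntdll stubs also carry an "int 2Eh" fallback
;     selected through SharedUserData; it is omitted here — confirm the
;     plain SYSCALL path is what the target configuration uses.
;==============================================================================

; Syscall numbers (Windows 10 1903 x64).
SYSCALL_NT_OPEN_PROCESS         EQU 26h
SYSCALL_NT_WRITE_VIRTUAL_MEMORY EQU 3Ah
SYSCALL_NT_READ_VIRTUAL_MEMORY  EQU 3Fh

; Values used when building OBJECT_ATTRIBUTES for NtOpenProcess.
OBJECT_ATTRIBUTES_SIZE          EQU 30h        ; sizeof(OBJECT_ATTRIBUTES) on x64
OBJ_INHERIT                     EQU 2

;------------------------------------------------------------------------------
; NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
;                          POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
; Mirrors the ntdll stub. SYSCALL overwrites rcx with the return address, so
; the kernel takes the first argument from r10.
; In:   rcx, rdx, r8, r9 = the four NtOpenProcess arguments
; Out:  eax = NTSTATUS
; Clobbers: rcx, r10, r11 (all volatile under the ABI). Leaf: no stack use.
;------------------------------------------------------------------------------
MyNtOpenProcess PROC
        mov     r10, rcx
        mov     eax, SYSCALL_NT_OPEN_PROCESS
        syscall
        ret
MyNtOpenProcess ENDP

;------------------------------------------------------------------------------
; HANDLE MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
; Builds CLIENT_ID and OBJECT_ATTRIBUTES on the stack and calls MyNtOpenProcess.
; Returns the opened handle on NT_SUCCESS, otherwise NULL (0). Unlike
; KernelBase!OpenProcess it does not translate the status into GetLastError().
;
; Frame (r11 = rsp at entry; r11+8..r11+28h is the caller-provided home area):
;   [r11+20h]             HANDLE out-slot handed to NtOpenProcess (r9 home slot)
;   [r11-38h]..[r11-09h]  OBJECT_ATTRIBUTES (30h bytes)
;   [r11-48h]..[r11-39h]  CLIENT_ID { UniqueProcess = pid, UniqueThread = NULL }
;   [rsp]..[rsp+1Fh]      shadow space for the callee
; 68h ≡ 8 (mod 16) and entry rsp ≡ 8, so rsp is 16-aligned at the call.
;
; Fixes vs. the first version: r12 (callee-saved in the Microsoft x64 ABI) is
; no longer clobbered to store the Length field, and a failing NTSTATUS now
; yields NULL instead of whatever the caller left in its r9 home slot.
;------------------------------------------------------------------------------
MyOpenProcess PROC
        mov     r11, rsp
        sub     rsp, 68h

        ; CLIENT_ID: UniqueProcess = (HANDLE)(LONG_PTR)(LONG)dwProcessId, UniqueThread = NULL
        movsxd  rax, r8d
        mov     [r11-48h], rax
        and     qword ptr [r11-40h], 0
        lea     r9, [r11-48h]                       ; arg4: ClientId

        ; OBJECT_ATTRIBUTES
        mov     qword ptr [r11-38h], OBJECT_ATTRIBUTES_SIZE   ; Length (+ zeroed padding)
        and     qword ptr [r11-30h], 0              ; RootDirectory = NULL
        and     qword ptr [r11-28h], 0              ; ObjectName = NULL
        xorps   xmm0, xmm0
        movdqu  xmmword ptr [r11-18h], xmm0         ; SecurityDescriptor = SecurityQualityOfService = NULL
        ; Attributes = bInheritHandle ? OBJ_INHERIT : 0, branch-free:
        ; neg sets CF iff edx != 0, sbb turns CF into 0/-1, and masks it to OBJ_INHERIT.
        neg     edx
        sbb     eax, eax
        and     eax, OBJ_INHERIT
        mov     [r11-20h], eax                      ; Attributes
        lea     r8, [r11-38h]                       ; arg3: ObjectAttributes

        mov     edx, ecx                            ; arg2: DesiredAccess
        lea     rcx, [r11+20h]                      ; arg1: ProcessHandle out-slot
        call    MyNtOpenProcess
        ; r11 is clobbered by SYSCALL; address the frame through rsp from here on.

        test    eax, eax                            ; NT_SUCCESS(status) <=> status >= 0
        js      short open_failed
        mov     rax, [rsp+68h+20h]                  ; handle written by the kernel
        add     rsp, 68h
        ret

open_failed:
        xor     eax, eax                            ; NULL — the out-slot was never written
        add     rsp, 68h
        ret
MyOpenProcess ENDP

;------------------------------------------------------------------------------
; NTSTATUS MyZwReadVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress,
;                                PVOID Buffer, SIZE_T NumberOfBytesToRead,
;                                PSIZE_T NumberOfBytesRead)
; Mirrors the ntdll stub for NtReadVirtualMemory (Zw and Nt share the number).
; In:   rcx, rdx, r8, r9, [rsp+28h] = the five arguments
; Out:  eax = NTSTATUS
; Clobbers: rcx, r10, r11. Leaf: no stack use.
;------------------------------------------------------------------------------
MyZwReadVirtualMemory PROC
        mov     r10, rcx
        mov     eax, SYSCALL_NT_READ_VIRTUAL_MEMORY
        syscall
        ret
MyZwReadVirtualMemory ENDP

;------------------------------------------------------------------------------
; BOOL MyReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer,
;                          SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
; Forwards rcx..r9 unchanged to MyZwReadVirtualMemory and supplies a local
; SIZE_T as its fifth argument. Returns TRUE (1) when the status is
; NT_SUCCESS and FALSE (0) for any status with the sign bit set (this includes
; STATUS_PARTIAL_COPY). On success the byte count is stored through
; lpNumberOfBytesRead when that pointer is non-NULL. Last-error is not set.
;
; Frame after "sub rsp,48h": [rsp..rsp+1Fh] shadow, [rsp+20h] 5th argument
; for the callee (&bytesRead), [rsp+30h] bytesRead. The caller's own 5th
; argument is at [rsp+48h+28h]. 48h ≡ 8 (mod 16) keeps the call aligned.
;
; Fix vs. the first version: the result was TRUE unconditionally, so a
; failed or partial read was indistinguishable from success.
;------------------------------------------------------------------------------
MyReadProcessMemory PROC
        sub     rsp, 48h
        lea     rax, [rsp+30h]
        mov     [rsp+20h], rax                      ; arg5: NumberOfBytesRead -> local
        call    MyZwReadVirtualMemory

        test    eax, eax                            ; NT_SUCCESS(status) <=> status >= 0
        js      short read_failed

        mov     rdx, [rsp+48h+28h]                  ; caller's lpNumberOfBytesRead
        test    rdx, rdx
        jz      short read_done
        mov     rcx, [rsp+30h]
        mov     [rdx], rcx                          ; *lpNumberOfBytesRead = bytesRead
read_done:
        mov     eax, 1                              ; TRUE
        add     rsp, 48h
        ret

read_failed:
        xor     eax, eax                            ; FALSE
        add     rsp, 48h
        ret
MyReadProcessMemory ENDP

;------------------------------------------------------------------------------
; NTSTATUS MyNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress,
;                                 PVOID Buffer, SIZE_T NumberOfBytesToWrite,
;                                 PSIZE_T NumberOfBytesWritten)
; Mirrors the ntdll stub. No Win32-style wrapper is provided; callers must
; check NT_SUCCESS on the returned status themselves.
; In:   rcx, rdx, r8, r9, [rsp+28h] = the five arguments
; Out:  eax = NTSTATUS
; Clobbers: rcx, r10, r11. Leaf: no stack use.
;------------------------------------------------------------------------------
MyNtWriteVirtualMemory PROC
        mov     r10, rcx
        mov     eax, SYSCALL_NT_WRITE_VIRTUAL_MEMORY
        syscall
        ret
MyNtWriteVirtualMemory ENDP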
END

 

自己实现读写内存API和OpenProcess躲过Ring3层的HOOK(win10 1903)

想躲过ring3层的某些API的HOOK,不想恢复钩子,自己写,百度一搜半天都找不到,只能自己动手了...

OpenProcess和ReadProcessMemory和WriteProcessMemory都在KernelBase.dll里

NtOpenProcess、NtReadVirtualMemory 和 NtWriteVirtualMemory 在 ntdll.dll 里(注意是 NtWriteVirtualMemory,没有 "NtWriteProcessMemory" 这个函数,下面代码里用的也是 NtWriteVirtualMemory)

用IDA进行逆向即可得到它们的汇编代码,嫌麻烦的话可以不用去逆向KernelBase.dll里的,自己用Nt式的API和用KernelBase.dll的差不多:KernelBase.dll里的封装除了对参数做些检查,主要就是调用ntdll.dll的函数,然后把返回的NTSTATUS转换成Win32语义(失败时返回NULL/FALSE并SetLastError)。直接用Nt式API的话,NT_SUCCESS这一步检查要自己做,否则调用方无法区分成功和失败。

 

(WriteProcessMemory代码太长了,所以直接搞NtWriteVirtualMemory了;SetLastError可以省掉,不返回Win32错误代码也无所谓,但对NTSTATUS的NT_SUCCESS检查不能省:不检查的话OpenProcess失败时返回的是栈上遗留的垃圾值而不是NULL,ReadProcessMemory失败时也会返回TRUE。另外下面写死的系统调用号(26h/3Fh/3Ah)是按标题说的Win10 1903来的,其他Windows版本的调用号可能不同,换版本要重新核对。asm文件咋用,自己百度)

.asm文件:

.CODE
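;==============================================================================
; Direct-syscall replacements for OpenProcess / ReadProcessMemory /
; NtWriteVirtualMemory (MASM, x64, Microsoft x64 calling convention).
;
; Purpose: reach the kernel without going through ntdll's exported stubs, so
; user-mode (ring-3) inline hooks on those exports are not executed.
;
; Caveats for anyone reusing this:
;   * The syscall numbers below are the ones this file was written against
;     (Windows 10 1903, per the title). They are build-specific; verify them
;     against the target ntdll before use on any other release.
;   * Only user-mode hooks are avoided. A SYSCALL issued from a non-ntdll
;     image is itself a well-known detection indicator (the return address
;     into user mode is not inside ntdll).
;   * NOTE(review): the real ntdll stubs also carry an "int 2Eh" fallback
;     selected through SharedUserData; it is omitted here — confirm the
;     plain SYSCALL path is what the target configuration uses.
;==============================================================================

; Syscall numbers (Windows 10 1903 x64).
SYSCALL_NT_OPEN_PROCESS         EQU 26h
SYSCALL_NT_WRITE_VIRTUAL_MEMORY EQU 3Ah
SYSCALL_NT_READ_VIRTUAL_MEMORY  EQU 3Fh

; Values used when building OBJECT_ATTRIBUTES for NtOpenProcess.
OBJECT_ATTRIBUTES_SIZE          EQU 30h        ; sizeof(OBJECT_ATTRIBUTES) on x64
OBJ_INHERIT                     EQU 2

;------------------------------------------------------------------------------
; NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
;                          POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
; Mirrors the ntdll stub. SYSCALL overwrites rcx with the return address, so
; the kernel takes the first argument from r10.
; In:   rcx, rdx, r8, r9 = the four NtOpenProcess arguments
; Out:  eax = NTSTATUS
; Clobbers: rcx, r10, r11 (all volatile under the ABI). Leaf: no stack use.
;------------------------------------------------------------------------------
MyNtOpenProcess PROC
        mov     r10, rcx
        mov     eax, SYSCALL_NT_OPEN_PROCESS
        syscall
        ret
MyNtOpenProcess ENDP

;------------------------------------------------------------------------------
; HANDLE MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
; Builds CLIENT_ID and OBJECT_ATTRIBUTES on the stack and calls MyNtOpenProcess.
; Returns the opened handle on NT_SUCCESS, otherwise NULL (0). Unlike
; KernelBase!OpenProcess it does not translate the status into GetLastError().
;
; Frame (r11 = rsp at entry; r11+8..r11+28h is the caller-provided home area):
;   [r11+20h]             HANDLE out-slot handed to NtOpenProcess (r9 home slot)
;   [r11-38h]..[r11-09h]  OBJECT_ATTRIBUTES (30h bytes)
;   [r11-48h]..[r11-39h]  CLIENT_ID { UniqueProcess = pid, UniqueThread = NULL }
;   [rsp]..[rsp+1Fh]      shadow space for the callee
; 68h ≡ 8 (mod 16) and entry rsp ≡ 8, so rsp is 16-aligned at the call.
;
; Fixes vs. the first version: r12 (callee-saved in the Microsoft x64 ABI) is
; no longer clobbered to store the Length field, and a failing NTSTATUS now
; yields NULL instead of whatever the caller left in its r9 home slot.
;------------------------------------------------------------------------------
MyOpenProcess PROC
        mov     r11, rsp
        sub     rsp, 68h

        ; CLIENT_ID: UniqueProcess = (HANDLE)(LONG_PTR)(LONG)dwProcessId, UniqueThread = NULL
        movsxd  rax, r8d
        mov     [r11-48h], rax
        and     qword ptr [r11-40h], 0
        lea     r9, [r11-48h]                       ; arg4: ClientId

        ; OBJECT_ATTRIBUTES
        mov     qword ptr [r11-38h], OBJECT_ATTRIBUTES_SIZE   ; Length (+ zeroed padding)
        and     qword ptr [r11-30h], 0              ; RootDirectory = NULL
        and     qword ptr [r11-28h], 0              ; ObjectName = NULL
        xorps   xmm0, xmm0
        movdqu  xmmword ptr [r11-18h], xmm0         ; SecurityDescriptor = SecurityQualityOfService = NULL
        ; Attributes = bInheritHandle ? OBJ_INHERIT : 0, branch-free:
        ; neg sets CF iff edx != 0, sbb turns CF into 0/-1, and masks it to OBJ_INHERIT.
        neg     edx
        sbb     eax, eax
        and     eax, OBJ_INHERIT
        mov     [r11-20h], eax                      ; Attributes
        lea     r8, [r11-38h]                       ; arg3: ObjectAttributes

        mov     edx, ecx                            ; arg2: DesiredAccess
        lea     rcx, [r11+20h]                      ; arg1: ProcessHandle out-slot
        call    MyNtOpenProcess
        ; r11 is clobbered by SYSCALL; address the frame through rsp from here on.

        test    eax, eax                            ; NT_SUCCESS(status) <=> status >= 0
        js      short open_failed
        mov     rax, [rsp+68h+20h]                  ; handle written by the kernel
        add     rsp, 68h
        ret

open_failed:
        xor     eax, eax                            ; NULL — the out-slot was never written
        add     rsp, 68h
        ret
MyOpenProcess ENDP

;------------------------------------------------------------------------------
; NTSTATUS MyZwReadVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress,
;                                PVOID Buffer, SIZE_T NumberOfBytesToRead,
;                                PSIZE_T NumberOfBytesRead)
; Mirrors the ntdll stub for NtReadVirtualMemory (Zw and Nt share the number).
; In:   rcx, rdx, r8, r9, [rsp+28h] = the five arguments
; Out:  eax = NTSTATUS
; Clobbers: rcx, r10, r11. Leaf: no stack use.
;------------------------------------------------------------------------------
MyZwReadVirtualMemory PROC
        mov     r10, rcx
        mov     eax, SYSCALL_NT_READ_VIRTUAL_MEMORY
        syscall
        ret
MyZwReadVirtualMemory ENDP

;------------------------------------------------------------------------------
; BOOL MyReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer,
;                          SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
; Forwards rcx..r9 unchanged to MyZwReadVirtualMemory and supplies a local
; SIZE_T as its fifth argument. Returns TRUE (1) when the status is
; NT_SUCCESS and FALSE (0) for any status with the sign bit set (this includes
; STATUS_PARTIAL_COPY). On success the byte count is stored through
; lpNumberOfBytesRead when that pointer is non-NULL. Last-error is not set.
;
; Frame after "sub rsp,48h": [rsp..rsp+1Fh] shadow, [rsp+20h] 5th argument
; for the callee (&bytesRead), [rsp+30h] bytesRead. The caller's own 5th
; argument is at [rsp+48h+28h]. 48h ≡ 8 (mod 16) keeps the call aligned.
;
; Fix vs. the first version: the result was TRUE unconditionally, so a
; failed or partial read was indistinguishable from success.
;------------------------------------------------------------------------------
MyReadProcessMemory PROC
        sub     rsp, 48h
        lea     rax, [rsp+30h]
        mov     [rsp+20h], rax                      ; arg5: NumberOfBytesRead -> local
        call    MyZwReadVirtualMemory

        test    eax, eax                            ; NT_SUCCESS(status) <=> status >= 0
        js      short read_failed

        mov     rdx, [rsp+48h+28h]                  ; caller's lpNumberOfBytesRead
        test    rdx, rdx
        jz      short read_done
        mov     rcx, [rsp+30h]
        mov     [rdx], rcx                          ; *lpNumberOfBytesRead = bytesRead
read_done:
        mov     eax, 1                              ; TRUE
        add     rsp, 48h
        ret

read_failed:
        xor     eax, eax                            ; FALSE
        add     rsp, 48h
        ret
MyReadProcessMemory ENDP

;------------------------------------------------------------------------------
; NTSTATUS MyNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress,
;                                 PVOID Buffer, SIZE_T NumberOfBytesToWrite,
;                                 PSIZE_T NumberOfBytesWritten)
; Mirrors the ntdll stub. No Win32-style wrapper is provided; callers must
; check NT_SUCCESS on the returned status themselves.
; In:   rcx, rdx, r8, r9, [rsp+28h] = the five arguments
; Out:  eax = NTSTATUS
; Clobbers: rcx, r10, r11. Leaf: no stack use.
;------------------------------------------------------------------------------
MyNtWriteVirtualMemory PROC
        mov     r10, rcx
        mov     eax, SYSCALL_NT_WRITE_VIRTUAL_MEMORY
        syscall
        ret
MyNtWriteVirtualMemory ENDP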
END