不知道我理解的對否,關於SuperBpm...的 (10千字)

comment /*
你知道SuperBpm的erase和monitor的區別嗎?如果不知道,可以往下看.
最近看了一點老掉牙的VxD,才看明白superBpm的工作原理,我用masm改寫了一下,未經充分測試,只是比EliCZ這win32 ASM Pioneer更煩瑣了寫可能好理解點,有興趣的看看.Loader部分十分簡單,主要是根據使用者選擇用deviceIoControl向驅動VxD發出命令,VxD則執行相應動作.

對於VxD部分,則是透過攔截_VWIN32_Set_Thread_Context服務(即所謂的hook)來實現對程式擦除或改變Drx暫存器的監視和恢復,Erase模式僅僅是禁止應用程式用context改寫Drx暫存器,這樣Seh或者用SetThreadContext等把戲就不好用了,因為VxD工作在最地層,這種攔截是有效的.Monitor模式是為了阻止那些比如直接修改中斷等進入ring0修改暫存器的把戲的(我想是這樣的...可能錯誤).
但是這個版本明顯對Cr4沒有進行處理,因為BPIO指令是否有效與CR4的DE位有關,如果你聰明應該知道如何利用這一點.而且在monitor模式下對Dr7為0才恢復這一判斷也是有問題的,等你的改進了.EliCZ源程式中用到的從VWIN32服務函式表來直接查詢_VWIN32_Set_Thread_Context地址的方法我也沒有找到詳細資料,反正VxD快死了,我想知道也就足夠了.

VxD部分我改寫了一下,沒有處理TERMINATE_THREAD訊息,但有問題,如果不怕當機,可以試試.僅供理解關鍵點參考.

錯誤難免,如有發現,請指出:QQ:8709369(經常線上)

*/
;===============================Rc檔案
#include <d:\masm32\include\resource.h>

100 DIALOG DISCARDABLE 0, 0, 113, 17
STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU |DS_CENTER
CAPTION "SuperBPM,Rewrite in Masm32,hume"
FONT 9, "System"
BEGIN
CONTROL "擦除恢復",101,"Button",BS_AUTORADIOBUTTON | WS_GROUP,
2,3,45,10
CONTROL "監視恢復",102,"Button",BS_AUTORADIOBUTTON,58,3,50,10
END

;===============================superBpm.exe.asm
.586
.model flat, stdcall
option casemap :none ; case sensitive
include c:\hd\hd.h
include c:\hd\mac.h
DlgP       proto :DWORD,:DWORD,:DWORD,:DWORD
CallDriver proto :DWORD
;;--------------
  .DATA
DrxUnHook equ 800h
DrxHook equ 801h
DrxMonitor equ 802h

SuperbpmDevice db "\\.\superbpm.vxd",0
Traceflg dd 0
.DATA?
hVxD dd ?
hResume dd ?
hStop dd ?
;;-----------------------------------------
  .CODE
__Start:
hTemplate EQU 0
  invoke   CreateFile,addr SuperbpmDevice,GENERIC_READ+GENERIC_WRITE,\
FILE_SHARE_READ+FILE_SHARE_WRITE,\
0,\
OPEN_EXISTING,FILE_FLAG_DELETE_ON_CLOSE,\
hTemplate
inc eax
jne CrSuccess
;開啟驅動(.vxd)失敗,出錯
invoke   MessageBox,0,CTEXT("Can't Load superbpm.vxd"),CTEXT("Err report:"),30h+1000h
jmp __Quit
  ;-----------------------------------------

CrSuccess:
dec eax
mov hVxD,eax ;儲存控制程式碼
invoke   GetModuleHandle,0
invoke   DialogBoxParam,eax,100,0,offset DlgP,0
invoke   CloseHandle,hVxD ;要關閉

;-----------------------------------------
__Quit:
invoke   ExitProcess,0
;################################################################################
DlgP   proc uses esi edi ebx hWnd:DWORD,wMsg:DWORD,wParam:DWORD,lParam:DWORD
mov eax,wMsg
.IF eax==WM_INITDIALOG
invoke   GetDlgItem,hWnd,101
mov hResume,eax
invoke   SendMessage,eax,BM_SETCHECK,BST_CHECKED,0
invoke   SendMessage,hResume,WM_COMMAND,101,0
invoke   GetDlgItem,hWnd,102
mov hStop,eax

invoke   SetWindowPos,hWnd,HWND_TOPMOST,0,0,0,0,SWP_NOMOVE or SWP_NOSIZE
;以上是初始化

.ELSEIF eax==WM_CLOSE
invoke   EndDialog,hWnd,0
invoke   CallDriver,DrxUnHook

.ELSEIF eax==WM_COMMAND
mov edx,wParam
.if dx==101
test Traceflg,1
jnz @f
mov Traceflg,1
invoke   CallDriver,DrxHook ;擦除及恢復drx功能開啟

@@:
.elseif dx==102
cmp Traceflg,0
je @f
mov Traceflg,0
invoke   CallDriver,DrxMonitor ;監視及恢復Drx 功能
@@:
.endif

.ELSE
sub eax,eax
ret
.ENDIF
mov eax,1
  ret
DlgP   endp
;;------------------------------------------------_
CallDriver PROC DrvFunc:DWORD ;DeviceIoControl包裝
mov edx,DrvFunc
sub eax,eax
invoke   DeviceIoControl, hVxD, edx, eax, eax, eax,eax,eax,eax
ret
CallDriver ENDP
END   __Start
;==========================superbpm.vxd.asm僅供參考,執行當機別找我
.586p
include C:\98DDK\inc\win98\vmm.inc
include C:\98DDK\inc\win98\vwin32.inc

DrxUnHook equ 800h
DrxErase equ 801h
DrxMonitor equ 802h

CmdUnhook EQU 0
CmdErase EQU 1
CmdMonit EQU 2

;------------------------------------
VxD_LOCKED_DATA_SEG
orgEntry dd 0
orgSTC dd 0
TheThread DWORD 0
SavedDRx DWORD 6 DUP (?)
PreserveMode BYTE CmdErase
Saved BYTE 0
installed db 0
VxD_LOCKED_DATA_ENDS

VxD_LOCKED_CODE_SEG

DECLARE_VIRTUAL_DEVICE SUPERBPM,1,0, MESSAGE_Control, UNDEFINED_DEVICE_ID, UNDEFINED_INIT_ORDER

Begin_Control_Dispatch MESSAGE
  Control_Dispatch W32_DEVICEIOCONTROL , OnDeviceIoControl ;處理相應發來的訊息
End_Control_Dispatch MESSAGE
;-----------------------------------------DeviceIoControl
BeginProc OnDeviceIoControl
Assume esi:ptr DIOCParams
.IF [esi].dwIoControlCode==DIOC_OPEN
sub eax,eax
clc
.ELSEIF [esi].dwIoControlCode==DrxUnHook ;退出解除安裝恢復原來的入口
mov ecx,orgEntry
mov dword ptr [ecx],OFFSET32 HookedSTC
@@:
and TheThread,0
and Saved,0
sub eax,eax
clc

.ELSEIF [esi].dwIoControlCode==DrxErase

cmp installed,1
je @f
mov eax, VWIN32_DEVICE_ID
VMMCall Get_DDB ;VWIn32的DDB

mov ecx, [ecx+38H] ;得到引出服務表的地址
add ecx, 8+8*15H ;第16項?我沒找到詳細資料,但確實是
cmp byte ptr [ecx+4],2 ;後面儲存的引數個數為2?
jnz @f
mov eax,[ecx]
mov orgSTC,eax
mov dword ptr [ecx],OFFSET32 HookedSTC
mov orgEntry,ecx ;替換入口,實現hook功能
mov installed,1
@@:
mov PreserveMode, CmdErase ;模式是CmdErase
;-----------------------------------------
xor eax,eax
clc
.ELSEIF [esi].dwIoControlCode==DrxMonitor
mov PreserveMode, CmdMonit
@@:
xor eax,eax
clc
.ENDIF

ret
EndProc OnDeviceIoControl

HookedSTC PROC
PUSHFD
PUSH EAX
PUSH ECX
PUSH ESI
PUSH EDI
MOV ECX, [ESP+5*4 +4 +3*4] ;ecx->CONTEXT
CMP PreserveMode, CmdErase
JE HackContext

@@:
VMMCall Get_Cur_Thread_Handle ;如果是Monitor模式就得到當前有非法企圖的Thread控制程式碼
;看看dr7,dr7是第7項
CMP BYTE PTR [ECX+4*5+4], 0 ;dr7=0?看看Seh資料的Context結構
JE Restore ;就恢復?

CMP Saved, 1
JE Done

MOV TheThread, EDI ;儲存控制程式碼

CLD
MOV EDI, OFFSET SavedDRx ;儲存Drx
MOV EAX, DR0
STOSD
MOV EAX, DR1
STOSD
MOV EAX, DR2
STOSD
MOV EAX, DR3
STOSD
MOV EAX, DR6
STOSD
MOV EAX, DR7
STOSD
MOV Saved, 1
JMP Done

Restore:
CMP EDI, TheThread
JNE Done

CMP Saved, 1
JE HackContext

CLD
MOV ESI, OFFSET SavedDRx ;恢復Drx....
LODSD
MOV DR0, EAX
LODSD
MOV DR1, EAX
LODSD
MOV DR2, EAX
LODSD
MOV DR3, EAX
LODSD
MOV DR6, EAX
LODSD
MOV DR7, EAX
MOV Saved, 1

HackContext:
AND BYTE PTR [ECX], NOT 10H ;這個標誌是不更新除Drx系列暫存器外
;恢復所有的暫存器,以此有些Seh把戲就無效了
Done:
POP EDI
POP ESI
POP ECX
POP EAX
POPFD
JMP orgSTC
HookedSTC ENDP
VxD_LOCKED_CODE_ENDS

end
;-----------------Over-------------------
; Hume 2002.3

不知道我理解的對否,關於SuperBpm...的 (10千字)

相關文章