admin/DuckMemoryScan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

VirtualQueryEx改为底层API ZwQueryVirtualMemoryEx

Browse Source
This commit is contained in:
Huoji's
2021-02-25 16:26:53 +08:00
parent b5dd8f4ba1
commit 0fbbe988f6
2 changed files with 35 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
DuckMemoryScan/CdigitalSig.h
View File

@@ -10,6 +10,13 @@
#include <mscat.h> #include <mscat.h>
#pragma comment (lib, "wintrust") #pragma comment (lib, "wintrust")
#pragma comment (lib, "crypt32.lib") #pragma comment (lib, "crypt32.lib")
typedef enum _MEMORY_INFORMATION_CLASS {
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName,
MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;
typedef NTSTATUS(WINAPI* _ZwQueryVirtualMemory) (HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, SIZE_T MemoryInformationLength, PSIZE_T ReturnLength);
static GUID WINTRUST_ACTION_GENERIC_VERIFY_V2 = {0xaac56b, 0xcd44, 0x11d0, 0x8c, 0xc2, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee}; static GUID WINTRUST_ACTION_GENERIC_VERIFY_V2 = {0xaac56b, 0xcd44, 0x11d0, 0x8c, 0xc2, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee};
enum SignState enum SignState

54
DuckMemoryScan/main.cpp
View File

@@ -11,6 +11,8 @@
#pragma comment(lib,"dbghelp.lib") #pragma comment(lib,"dbghelp.lib")
#include "tlhelp32.h" #include "tlhelp32.h"
#include "CdigitalSig.h" #include "CdigitalSig.h"
_ZwQueryVirtualMemory fnZwQueryVirtualMemory = NULL;
BOOL Is64BitPorcess(HANDLE hProcess) BOOL Is64BitPorcess(HANDLE hProcess)
{ {
BOOL bIsWow64 = false; BOOL bIsWow64 = false;
@@ -107,19 +109,16 @@ DWORD64 GetProcessMoudleHandle(DWORD pid) {
} while (Module32Next(handle, &moduleEntry)); } while (Module32Next(handle, &moduleEntry));
return 0; return 0;
} }
bool CheckThreadAddressIsExcute(DWORD64 pAddress,HANDLE pHandle, HANDLE pID, HANDLE Tid) {
bool CheckThreadAddressIsExcute(DWORD64 pAddress,HANDLE pHandle, HANDLE pID, HANDLE Tid, BOOL isRipBackTrack) {
DWORD64 ReadNum = 0; DWORD64 ReadNum = 0;
MEMORY_BASIC_INFORMATION mbi = { 0 }; MEMORY_BASIC_INFORMATION mbi = { 0 };
if (fnZwQueryVirtualMemory(pHandle, (PVOID)pAddress, MemoryBasicInformation, &mbi, sizeof(mbi), &ReadNum) >= 0) {
if (VirtualQueryEx(pHandle, (LPCVOID)pAddress, &mbi, sizeof(mbi)))
{
if (mbi.AllocationBase) { if (mbi.AllocationBase) {
if (mbi.Type != MEM_IMAGE) { if (mbi.Type != MEM_IMAGE) {
if (mbi.AllocationProtect & PAGE_EXECUTE || BOOL CheckExcuteFlag = mbi.AllocationProtect & PAGE_EXECUTE || mbi.AllocationProtect & PAGE_EXECUTE_READ || mbi.AllocationProtect & PAGE_EXECUTE_READWRITE || mbi.AllocationProtect & PAGE_EXECUTE_WRITECOPY;
mbi.AllocationProtect & PAGE_EXECUTE_READ || if (CheckExcuteFlag)
mbi.AllocationProtect & PAGE_EXECUTE_READWRITE ||
mbi.AllocationProtect & PAGE_EXECUTE_WRITECOPY)
{ {
printf("\t => [<5B>̶߳<DFB3>ջ<EFBFBD><D5BB><EFBFBD><EFBFBD>] <20><><EFBFBD>⵽δ֪<CEB4>ڴ<EFBFBD><DAB4><EFBFBD><EFBFBD><EFBFBD>[VirtualAlloc<6F><63>ɱ?] <20><>ַ %p PID %d TID %d \n", pAddress, pID, Tid); printf("\t => [<5B>̶߳<DFB3>ջ<EFBFBD><D5BB><EFBFBD><EFBFBD>] <20><><EFBFBD>⵽δ֪<CEB4>ڴ<EFBFBD><DAB4><EFBFBD><EFBFBD><EFBFBD>[VirtualAlloc<6F><63>ɱ?] <20><>ַ %p PID %d TID %d \n", pAddress, pID, Tid);
char PEStack[0x2]; char PEStack[0x2];
@@ -130,6 +129,10 @@ bool CheckThreadAddressIsExcute(DWORD64 pAddress,HANDLE pHandle, HANDLE pID, HAN
} }
return true; return true;
} }
else if (isRipBackTrack && mbi.AllocationProtect & PAGE_READONLY && mbi.AllocationProtect & PAGE_NOACCESS) {
printf("\t => [<5B>̶߳<DFB3>ջ<EFBFBD><D5BB><EFBFBD><EFBFBD>] <20><><EFBFBD><EFBFBD>߳<EFBFBD><DFB3><EFBFBD><EFBFBD>ڲ<EFBFBD><DAB2><EFBFBD>ִ<EFBFBD>еĴ<D0B5><C4B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ִ<EFBFBD>й<EFBFBD>[<5B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD>Rootkit<69><74><EFBFBD>ڻ<EFBFBD><DABB><EFBFBD><EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD>Hook] <20><>ַ %p PID %d TID %d \n", pAddress, pID, Tid);
return true;
}
} }
} }
} }
@@ -169,7 +172,7 @@ void ThreadStackWalk() {
//hwbp hook //hwbp hook
printf("\t => [<5B>̶߳<DFB3>ջ<EFBFBD><D5BB><EFBFBD><EFBFBD>] <20><><EFBFBD>⵽HWBP Hook PID %d TID %d \n", te32.th32OwnerProcessID, te32.th32ThreadID); printf("\t => [<5B>̶߳<DFB3>ջ<EFBFBD><D5BB><EFBFBD><EFBFBD>] <20><><EFBFBD>⵽HWBP Hook PID %d TID %d \n", te32.th32OwnerProcessID, te32.th32ThreadID);
} }
CheckThreadAddressIsExcute(context.Rip, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID); CheckThreadAddressIsExcute(context.Rip, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID, TRUE);
StackFarmeEx.AddrPC.Offset = context.Rip; StackFarmeEx.AddrPC.Offset = context.Rip;
StackFarmeEx.AddrPC.Mode = AddrModeFlat; StackFarmeEx.AddrPC.Mode = AddrModeFlat;
StackFarmeEx.AddrStack.Offset = context.Rsp; StackFarmeEx.AddrStack.Offset = context.Rsp;
@@ -183,7 +186,9 @@ void ThreadStackWalk() {
break; break;
if (StackFarmeEx.AddrFrame.Offset == 0) if (StackFarmeEx.AddrFrame.Offset == 0)
break; break;
CheckThreadAddressIsExcute(StackFarmeEx.AddrPC.Offset, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID); CheckThreadAddressIsExcute(StackFarmeEx.AddrPC.Offset, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID, TRUE);
CheckThreadAddressIsExcute(StackFarmeEx.AddrReturn.Offset, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID, FALSE);
CheckThreadAddressIsExcute(StackFarmeEx.AddrStack.Offset, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID, FALSE);
} }
} }
} else { } else {
@@ -197,7 +202,7 @@ void ThreadStackWalk() {
printf("\t => [<5B>̶߳<DFB3>ջ<EFBFBD><D5BB><EFBFBD><EFBFBD>] <20><><EFBFBD>⵽HWBP Hook PID %d TID %d \n", te32.th32OwnerProcessID, te32.th32ThreadID); printf("\t => [<5B>̶߳<DFB3>ջ<EFBFBD><D5BB><EFBFBD><EFBFBD>] <20><><EFBFBD>⵽HWBP Hook PID %d TID %d \n", te32.th32OwnerProcessID, te32.th32ThreadID);
} }
CheckThreadAddressIsExcute(context.Eip, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID); CheckThreadAddressIsExcute(context.Eip, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID, TRUE);
StackFarmeEx.AddrPC.Offset = context.Eip; StackFarmeEx.AddrPC.Offset = context.Eip;
StackFarmeEx.AddrPC.Mode = AddrModeFlat; StackFarmeEx.AddrPC.Mode = AddrModeFlat;
StackFarmeEx.AddrStack.Offset = context.Esp; StackFarmeEx.AddrStack.Offset = context.Esp;
@@ -211,7 +216,9 @@ void ThreadStackWalk() {
break; break;
if (StackFarmeEx.AddrFrame.Offset == 0) if (StackFarmeEx.AddrFrame.Offset == 0)
break; break;
CheckThreadAddressIsExcute(StackFarmeEx.AddrPC.Offset, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID); CheckThreadAddressIsExcute(StackFarmeEx.AddrPC.Offset, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID, TRUE);
CheckThreadAddressIsExcute(StackFarmeEx.AddrReturn.Offset, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID, FALSE);
CheckThreadAddressIsExcute(StackFarmeEx.AddrStack.Offset, hProcess, (HANDLE)te32.th32OwnerProcessID, (HANDLE)te32.th32ThreadID, FALSE);
} }
} }
} }
@@ -244,20 +251,6 @@ void WalkProcessMoudle(DWORD pID,HANDLE pHandle,WCHAR* pMoudleName) {
if (AllocBuff[0] == 'M' && AllocBuff[1] == 'Z') { if (AllocBuff[0] == 'M' && AllocBuff[1] == 'Z') {
PIMAGE_DOS_HEADER CopyDosHead = (PIMAGE_DOS_HEADER)AllocBuff; PIMAGE_DOS_HEADER CopyDosHead = (PIMAGE_DOS_HEADER)AllocBuff;
PIMAGE_NT_HEADERS CopyNthead = (PIMAGE_NT_HEADERS)((LPBYTE)AllocBuff + CopyDosHead->e_lfanew); PIMAGE_NT_HEADERS CopyNthead = (PIMAGE_NT_HEADERS)((LPBYTE)AllocBuff + CopyDosHead->e_lfanew);
/*
DWORD64 BaseOfCode = 0;
DWORD64 SizeOfCode = 0;
if (CopyNthead->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) {
PIMAGE_NT_HEADERS64 CopyNthead64 = (PIMAGE_NT_HEADERS64)CopyNthead;
BaseOfCode = CopyNthead64->OptionalHeader.BaseOfCode;
SizeOfCode = CopyNthead64->OptionalHeader.SizeOfCode;
}
else {
PIMAGE_NT_HEADERS32 CopyNthead32 = (PIMAGE_NT_HEADERS32)CopyNthead;
BaseOfCode = CopyNthead32->OptionalHeader.BaseOfCode;
SizeOfCode = CopyNthead32->OptionalHeader.SizeOfCode;
}
*/
PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((PUCHAR)CopyNthead + sizeof(CopyNthead->Signature) + sizeof(CopyNthead->FileHeader) + CopyNthead->FileHeader.SizeOfOptionalHeader); PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((PUCHAR)CopyNthead + sizeof(CopyNthead->Signature) + sizeof(CopyNthead->FileHeader) + CopyNthead->FileHeader.SizeOfOptionalHeader);
int FoundNum = 0; int FoundNum = 0;
for (WORD i = 0; i < CopyNthead->FileHeader.NumberOfSections; i++) for (WORD i = 0; i < CopyNthead->FileHeader.NumberOfSections; i++)
@@ -368,6 +361,15 @@ int main()
system("pause"); system("pause");
return 0; return 0;
} }
if (fnZwQueryVirtualMemory == NULL) {
fnZwQueryVirtualMemory = (_ZwQueryVirtualMemory)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryVirtualMemory");
if (fnZwQueryVirtualMemory == NULL)
{
printf("û<EFBFBD><EFBFBD><EFBFBD>ҵ<EFBFBD>ZwQueryVirtualMemory<EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD>޸<EFBFBD>Դ<EFBFBD><D4B4>ZwQueryVirtualMemory => VirtualQueryEx \n");
system("pause");
return 0;
}
}
printf("<EFBFBD>̶߳<EFBFBD>ջ<EFBFBD><EFBFBD><EFBFBD>ݼ<EFBFBD><EFBFBD><EFBFBD> ... \n"); printf("<EFBFBD>̶߳<EFBFBD>ջ<EFBFBD><EFBFBD><EFBFBD>ݼ<EFBFBD><EFBFBD><EFBFBD> ... \n");
ThreadStackWalk(); ThreadStackWalk();
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>... \n"); printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>... \n");