Windows X64 Patch Guard
First, a brief introduction to PatchGuard, taken from Baidu Baike:
//Disable PatchGuard - the easy/lazy way.
//for Vista SP2 & Windows 7 (X64)
//
//by Fyyre (thank you Roxaz for helping me to test)
//http://fyyre.l2-fashion.de/
//http://twitter.com/Fyyre
//last update:

This txt file provides a general overview/outline for bypassing signature validation of critical system files (ntoskrnl, mainly) during the Vista/Win boot phase. It is documentation of the steps taken from start to finish, to reach the desired goal of removing kernel patch protection "PatchGuard" without use of a driver. We will call this the 'lazy/easy' way to kill PatchGuard.

We cannot modify ntoskrnl without winload taking up issue... winload.exe is the Windows loader for Vista & Windows. Along with this, he makes some verification of digital signatures and checking to make sure the files have not been modified. If modification of ntoskrnl is detected, the result is winload *refusing* to boot Windows and launching a WinPE looking "Recovery Mode".

PART I { additional }: new way for patch of winload.exe

Function ImgpValidateImageHash - signature we locate: 8B C3 8B 5B 8B 8B 7B 4D 8B -- you may play with this one to make him smaller. As for this patching, use dUP2... size is not a concern. First bytes replaced with xor eax, eax (STATUS_SUCCESS) .. all validations successful.

PART I: disassembly and modification of winload.exe

Starting from OslpMain, after loading the System registry hives (registry)... occurs a call to OslInitializeCodeIntegrity:

.text:00000000004016C3 call OslpLoadSystemHive
.text:00000000004016C3
.text:00000000004016C8 cmp eax, ebx
.text:00000000004016CA mov edi, eax
.text:00000000004016CC jl loc_401A08
.text:00000000004016CC
.text:00000000004016D2 mov ecx, ebp
.text:00000000004016D4 call OslInitializeCodeIntegrity <<-- =(

.text:00000000004057E8 OslInitializeCodeIntegrity proc near

original code -->> We will replace four bytes here: 8B C4
.text:00000000004057E8 mov rax, rsp
.text:00000000004057EB push rbx
.text:00000000004057EC push rbp

with: 0B0h, 01h, 0C3h, 090h ... which produces:

mov al,
ret
nop

Save winload.exe as osloader.exe (or whatever..) & correct PE checksum (LordPE and/or CFF_Explorer will do). Copy osloader.exe to \Windows\System32

PART II - new BCD entry:

bcdedit /copy {current} /d "PatchGuard Disabled"
"The entry was successfully copied to {01234567-89ab-cdef-00ff-fff000ffffff}" <<-- GUID of new entry. each is different!
bcdedit /timeout <<-- number of seconds to show boot menu.
bcdedit /set {-89ab-cdef-00ff-fff000ffffff} nointegritychecks <<-- no validation of winload
bcdedit /set {-89ab-cdef-00ff-fff000ffffff} recoveryenabled <<-- optional... i dislike this feature, therefore disable.
bcdedit /set {-89ab-cdef-00ff-fff000ffffff} path \Windows\system32\osloader.exe
bcdedit /set {-89ab-cdef-00ff-fff000ffffff} kernel ntkrnlmp.exe (name of modified ntos... =))

Part III: Skip Initialization of PatchGuard - - (driver not required)

As for this .txt, and PatchGuard... we are concerned with one function, KiInitializePatchGuard(*), which is called by KiFilterFiberContext.
KiInitializePatchGuard is a very large function located in the INIT section of ntoskrnl; you can easily locate him via two calls from KiFilterFiberContext, by examining xrefs to exported dword InitSafeBootMode, searching for db 20h dup(90h) + db 044h ... or EC 0F to name a few... PatchGuard does not initialize if we boot into safe mode. So to disable we just patch one conditional jxx in KiInitializePatchGuard:

original code -->>
INIT:000000014055D359 sub rsp, 0F58h
INIT:000000014055D360 xor edi, edi
INIT:000000014055D362 cmp cs:InitSafeBootMode, edi
INIT:000000014055D368 jz short loc_14055D371
INIT:000000014055D368
INIT:000000014055D36A mov al,
INIT:000000014055D36C jmp loc_1405600D9

modified code -->>
INIT:000000014055D359 sub rsp, 0F58h
INIT:000000014055D360 xor edi, edi
INIT:000000014055D362 cmp cs:InitSafeBootMode, edi
INIT:000000014055D368 nop
INIT:000000014055D369 nop
INIT:000000014055D36A mov al,
INIT:000000014055D36C jmp loc_1405600D9 <<-- to end of KiInitializePatchGuard and back to KiFilterFiberContext...

An important detail: The first jxx in KiInitializePatchGuard must not be taken & al == . When we return to KiFilterFiberContext, the jxx must be taken, and EBX must not be xor'd ... (unless you enjoy BSOD).

INIT: loc_140567110:
INIT: test al, al
INIT: jnz short loc_140567116
INIT:
INIT:
INIT: loc_140567114:
INIT: xor ebx, ebx <<-- bad
INIT:

Anyways... nop the first jxx in KiInitializePatchGuard... save modified ntoskrnl.exe with a different name (i.e. ntkrnlmp.exe) ... fix checksum (PE header). Then copy your modified kernel to \Windows\system32 -- with bcdedit -->>

bcdedit /set {guid-of-new-entry} kernel ntkrnlmp.exe

When you reboot the system, loading your modified kernel should be a success... He will load without PatchGuard initializing, which will allow you to once again play in kernel mode without receiving BSOD as result... This could be worked into mbr bootkit code as well... this is beyond the scope of our intention.

-Fyyre

references:
*: Bypassing PatchGuard on Windows x64, by Skywing //
Following the article, we first load winload.exe into IDA and, as the article describes, locate the OslpMain function (here I have already imported the symbol table for winload.exe):
.text:00000000004016BE 4C 8B C6 mov r8, rsi
.text:00000000004016C1 8B CD mov ecx, ebp
.text:00000000004016C3 E8 call OslpLoadSystemHive // load the registry hives
.text:00000000004016C8 3B C3 cmp eax, ebx
.text:00000000004016CA 8B F8 mov edi, eax
.text:00000000004016CC 0F 8C jl loc_401A08
.text:00000000004016D2 8B CD mov ecx, ebp
.text:00000000004016D4 E8 call OslInitializeCodeIntegrity
We find that, after the registry hives are loaded, the OslInitializeCodeIntegrity function is called, so we keep following it.
Original code:
.text:00000000004057DC OslInitializeCodeIntegrity proc near
.text:00000000004057DC 8B C4 mov rax, rsp
.text:00000000004057DF push rbx
.text:00000000004057E0 push rbp
.text:00000000004057E1 push rdi
.text:00000000004057E2 push r12
What we need to do is replace the bytes at the very start of the function so that it does not continue executing, because it goes on to call BlImgQueryCodeIntegrityBootOptions, which checks the validity of the digital signature of Ntoskrnl.exe and refuses to load Ntoskrnl.exe if the signature is invalid; this is the function we need to bypass:
.text:00000000004057FB 8D lea rdx, [rax+10h]
.text:00000000004057FF 4C mov [rax+20h], r13
.text: 8B FD mov rdi, r13
.text: 4C C8 mov [rax-38h], r13
.text:000000000040580A E8 B6 call BlImgQueryCodeIntegrityBootOptions
So we return right at the start of the OslInitializeCodeIntegrity function, skipping BlImgQueryCodeIntegrityBootOptions.
Replace 8B C4 mov rax, rsp with:
B0 01 mov al,
C3 ret
Next is Ntoskrnl.exe.
Following the article, locate the KiFilterFiberContext function, where we find the call to KiInitializePatchGuard:
INIT: 8B D1 mov edx, ecx
INIT: 8B C9 mov ecx, r9d
INIT:000000014057710B E8 FF FF call KiInitializePatchGuard // I renamed this myself; originally it was just an address, since it is not in the symbol table
INIT:000000014056D360 FF xor edi, edi
INIT:000000014056D362 3D D1 FF cmp cs:InitSafeBootMode, edi // check whether we booted in safe mode; when booting in safe mode PatchGuard is not initialized
INIT:000000014056D368 jz short loc_14056D371 // this jump is the one that goes on to initialize PatchGuard, so we nop it out
INIT:000000014056D36A B0 mov al, 1
INIT:000000014056D36C E9 68 2D 00 00 jmp loc_1405700D9 // jump straight to the end of KiInitializePatchGuard without initializing it
Then save, and add our own "kernel" as an entry in the boot menu.
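The BCD entry built in Part II leaves a durable, inspectable trace on the machine. As an added defender-side example (not part of the original article or Fyyre's text), the script below parses the text that `bcdedit /enum all` prints and flags loader entries carrying the elements this page sets: `nointegritychecks`, an explicit `kernel`, a `path` other than winload.exe, or recovery disabled. The bcdedit output is a constructed sample; the element names are the ones used on this page.

```python
import re

DEFAULT_LOADER = r"\windows\system32\winload.exe"  # stock `path` of a Windows Boot Loader entry

# Constructed sample of `bcdedit /enum all` output: a stock entry and one set up as the walkthrough above describes (GUID is the page's placeholder).
SAMPLE = """\
Windows Boot Loader
-------------------
identifier              {current}
path                    \\Windows\\system32\\winload.exe
recoveryenabled         Yes

Windows Boot Loader
-------------------
identifier              {01234567-89ab-cdef-00ff-fff000ffffff}
path                    \\Windows\\system32\\osloader.exe
recoveryenabled         No
nointegritychecks       Yes
kernel                  ntkrnlmp.exe
"""

def parse_bcd_enum(text):
    """Split bcdedit's listing into dicts (element -> value); each section is a
    title line, a dashed rule, then `name<2+ spaces>value` lines."""
    entries, current, prev = [], None, ""
    for line in text.splitlines():
        if re.fullmatch(r"-{5,}\s*", line):
            current = {"_type": prev.strip()}
            entries.append(current)
        else:
            m = re.fullmatch(r"(\w+)\s{2,}(.+?)\s*", line)
            if m and current is not None:
                current[m.group(1).lower()] = m.group(2)
        prev = line
    return entries

def audit_entry(entry):
    """Findings for one entry; an empty list means nothing unusual was seen."""
    findings = []
    if entry.get("nointegritychecks", "").lower() in ("yes", "on", "true", "1"):
        findings.append("nointegritychecks set: loader image signature checks are off")
    if "kernel" in entry:  # the stock kernel is implicit; an explicit name means a swapped file
        findings.append("explicit kernel element: " + entry["kernel"])
    path = entry.get("path", "").lower()
    if entry["_type"] == "Windows Boot Loader" and path and path != DEFAULT_LOADER:
        findings.append("non-default loader path: " + entry["path"])
    if entry.get("recoveryenabled", "").lower() == "no":
        findings.append("recovery disabled on this entry")
    return findings
```

On a live system run `bcdedit /enum all` from an elevated prompt and feed its output to `parse_bcd_enum`; any entry with a non-empty finding list deserves a look at the files its `path` and `kernel` elements name.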