论坛 › 技巧探讨 › 关于360 hookport.sys模块名加密

元始天尊 发表于 2015-10-6 15:11:29

关于360 hookport.sys模块名加密

hookport用于hook nt*，其中会获取竞品模块地址。在ZwQuerySystemInformation => SystemModuleInformation得到模块文件名后，HookPort会将文件名经过加密与预先存储在程序中的加密过的模块名(一个4字节整数)作对比

以下程序可以根据整数求出文件名：
0x07848DA1        knbdrv.sys                猎豹安全浏览器
0x42503C81        bd0001.sys                百度安全
0x4D71E020        tsfltmgr.sys                qq管家
0xB8178767        kisknl.sys                金山毒霸


unsigned int __declspec(naked) encode(char* str)
{
        _asm
        {
                mov   esi,
                mov   ebx,
                mov   edi,
                xor   al, al
loc_17E37:
                scasb
                jnz   short loc_17E37
                sub   edi, ebx
                cld
                xor   ecx, ecx
                dec   ecx
                mov   edx, ecx
loc_17E42:
                xor   eax, eax
                xor   ebx, ebx
                lodsb
                xor   al, cl
                mov   cl, ch
                mov   ch, dl
                mov   dl, dh
                mov   dh, 8
loc_17E51:
                shr   bx, 1
                rcr   ax, 1
                jnb   short loc_17E62
                xor   ax, 0xC6B4
                xor   bx, 0xCE96
loc_17E62:
                dec   dh
                jnz   short loc_17E51
                xor   ecx, eax
                xor   edx, ebx
                dec   edi
                jnz   short loc_17E42
                not   edx
                not   ecx
                mov   eax, edx
                rol   eax, 10h
                mov   ax, cx
                ret
        }
}

#include <stdio.h>

void main(int argc, char* argv[])
{
        char n={0};
        n='s';
        n='y';
        n='s';
        n='.';
        for(int len=1;len<=7;len++)
        {
                int cf=0;
                for(int j=0;j<len;j++)
                {
                        n='a';
                }
                while(!cf)
                {
                        unsigned int obj=encode(n+11-len);
                        if(obj == 0x42503C81)
                        {
                                printf("%s\n",n+11-len);
                                break;
                        }
                        n++;
                        for(int j=0;j<len;j++)
                        {
                                if(n > 'z')
                                {
                                        n='0';
                                }
                                if(n > '9' && n < 'a')
                                {
                                        n = 'a';
                                        if(j!=len-1)
                                                n++;
                                        else
                                                cf=1;
                                }
                        }
                }
        }

        getchar();
}

元始天尊 发表于 2015-10-15 21:06:40

调用他人函数的模板：

#include <Ntddk.h>
#include "DriverMonitor.h"
extern "C"
{
        int __security_cookie;
        extern POBJECT_TYPE *IoDriverObjectType;
        NTSTATUS __stdcall ObReferenceObjectByName(PUNICODE_STRING,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PVOID,PVOID);
        NTSTATUS __stdcall NtQuerySystemInformation (SYSTEM_INFORMATION_CLASS,PVOID,ULONG,PULONG);

};


VOID __stdcall unload(PDRIVER_OBJECT)
{

}

ULONG GetModuleBase(PCHAR modulename);


PWCHAR str[]=
{


};

extern "C"
{
        NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
        {               

                int ret=0;
                pdr->DriverUnload=unload;
                ULONG Base=GetModuleBase("tsksp.sys");
                if(Base)
                {
                        for(int i=0;i<sizeof(str)/sizeof(str);i++)
                        {
                                ret=((int (__stdcall*)(PWCHAR))(Base+0xecba))(str);
                                if(ret)
                                {
                                        __debugbreak();
                                }
                        }
                        ret=0;
                }
                __debugbreak();


                return STATUS_SUCCESS;
        }
};

ULONG GetModuleBase(PCHAR modulename)
{
        PVOID Buffer = NULL;
        ULONG ReturnLength = 0;
        NTSTATUS status;
        PRTL_PROCESS_MODULES modules = NULL;
        ULONG BaseAddr = NULL;
        NtQuerySystemInformation(SystemModuleInformation,&ReturnLength,0,&ReturnLength);
        if(ReturnLength)
                Buffer = ExAllocatePool(PagedPool,ReturnLength);
        if(Buffer)
                status = NtQuerySystemInformation(SystemModuleInformation,Buffer,ReturnLength,NULL);
        modules = (PRTL_PROCESS_MODULES)Buffer;
        if(NT_SUCCESS(status))
        {
                for(int i=0;i<modules->NumberOfModules;i++)
                {
                        int offset = modules->Modules.OffsetToFileName;
                        if(!_stricmp((const char*)(modules->Modules.FullPathName+offset),modulename))
                        {
                                BaseAddr = (ULONG)modules->Modules.ImageBase;
                        }
                }
        }
        if(Buffer)
                ExFreePool(Buffer);
        return BaseAddr;
}

元始天尊 发表于 2015-10-16 01:28:57

        NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
        {
                int ret=0;
                pdr->DriverUnload=unload;
                ULONG Base=GetModuleBase("tsksp.sys");
                __debugbreak();
                if(Base)
                {
                        WCHAR n={0};
                        n='l';
                        n='l';
                        n='d';
                        n='.';
                        for(int len=1;len<=7;len++)
                        {
                                int cf=0;
                                for(int j=0;j<len;j++)
                                {
                                        n='0';
                                }
                                n='\\';
                                while(!cf)
                                {
                                        ret=((int (__stdcall*)(PWCHAR))(Base+0xecba))(n+10-len);
                                        if(ret)
                                        {
                                                __debugbreak();
                                        }
                                        n++;
                                        for(int j=0;j<len;j++)
                                        {
                                                if(n > 'z')
                                                {
                                                        n='0';
                                                        if(j!=len-1)
                                                                n++;
                                                        else
                                                                cf=1;
                                                }
                                                else if(n == '\\')
                                                        n = '\\'+1;
                                        }
                                }
                        }
                }
                __debugbreak();
                return STATUS_SUCCESS;
        }

元始天尊 发表于 2015-10-28 09:05:21

#include <windows.h>
#include <stdio.h>


void func(wchar_t* path)
{
        unsigned char data1[]={
                0x83,0x60,0x14,0x0,0x83,0x60,0x10,0x0,0xc7,0x0,0x1,0x23,0x45,0x67,0xc7,0x40,0x4,0x89,0xab,0xcd,
                0xef,0xc7,0x40,0x8,0xfe,0xdc,0xba,0x98,0xc7,0x40,0xc,0x76,0x54,0x32,0x10,0xc3,0x55,0x8b,0xec,0x51,
                0x53,0x56,0x8b,0xf1,0x8b,0x4e,0x10,0x8b,0xd8,0x8b,0xc1,0xc1,0xe8,0x3,0x8b,0xd3,0x8d,0xc,0xd9,0xc1,
                0xe2,0x3,0x83,0xe0,0x3f,0x3b,0xca,0x57,0x89,0x4e,0x10,0x73,0x3,0xff,0x46,0x14,0x6a,0x40,0x8b,0xcb,
                0xc1,0xe9,0x1d,0x1,0x4e,0x14,0x5f,0x2b,0xf8,0x3b,0xdf,0x72,0x4b,0x33,0xc9,0x85,0xff,0x76,0x12,0x8d,
                0x44,0x30,0x18,0x8b,0x55,0x8,0x8a,0x14,0x11,0x88,0x14,0x8,0x41,0x3b,0xcf,0x72,0xf2,0x8d,0x4e,0x18,
                0x56,0xe8,0xb0,0x0,0x0,0x0,0x8d,0x47,0x3f,0x3b,0xc3,0x73,0x1f,0x89,0x45,0xfc,0x8b,0x45,0x8,0x8b,
                0x4d,0xfc,0x8d,0x4c,0x8,0xc1,0x56,0xe8,0x96,0x0,0x0,0x0,0x83,0x45,0xfc,0x40,0x83,0xc7,0x40,0x39,
                0x5d,0xfc,0x72,0xe4,0x33,0xc0,0xeb,0x2,0x33,0xff,0x33,0xc9,0x2b,0xdf,0x74,0x14,0x8b,0x55,0x8,0x3,
                0xd7,0x8d,0x74,0x30,0x18,0x8a,0x4,0xa,0x88,0x4,0xe,0x41,0x3b,0xcb,0x72,0xf5,0x5f,0x5e,0x5b,0xc9,
                0xc2,0x4,0x0,0x55,0x8b,0xec,0x51,0x51,0x56,0x6a,0x8,0x8d,0x77,0x10,0x5a,0x8b,0xc6,0x8d,0x4d,0xf8,
                0xe8,0xe3,0x6,0x0,0x0,0x8b,0xe,0xc1,0xe9,0x3,0x6a,0x38,0x58,0x83,0xe1,0x3f,0x3b,0xc8,0x5e,0x72,
                0x3,0x6a,0x78,0x58,0x2b,0xc1,0x68,0xf8,0x5b,0x3,0x0,0x8b,0xcf,0xe8,0x22,0xff,0xff,0xff,0x8d,0x45,
                0xf8,0x50,0x6a,0x8,0x58,0x8b,0xcf,0xe8,0x14,0xff,0xff,0xff,0x8b,0x4d,0x8,0x6a,0x10,0x5a,0x8b,0xc7,
                0xe8,0xa7,0x6,0x0,0x0,0x6a,0x58,0x6a,0x0,0x57,0xe8,0x61,0x28,0x1,0x0,0x83,0xc4,0xc,0xc9,0xc2,
                0x4,0x0,0x55,0x8b,0xec,0x8b,0x45,0x8,0x83,0xec,0x48,0x53,0x56,0x57,0x6a,0x10,0x83,0xc1,0x2,0x8d,
                0x75,0xb8,0x5f,0xf,0xb6,0x59,0xff,0x33,0xd2,0x8a,0x71,0x1,0x8a,0x11,0x83,0xc1,0x4,0xc1,0xe2,0x8,
                0xb,0xd3,0xf,0xb6,0x59,0xfa,0xc1,0xe2,0x8,0xb,0xd3,0x89,0x16,0x83,0xc6,0x4,0x4f,0x75,0xdc,0x8b,
                0x70,0x4,0x8b,0x50,0x8,0x8b,0x48,0xc,0x8b,0x0,0x8b,0xfe,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xde,
                0xb,0xfb,0x3,0x7d,0xb8,0x8b,0xde,0x8d,0x84,0x7,0x78,0xa4,0x6a,0xd7,0xc1,0xc0,0x7,0x3,0xc6,0x23,
                0xd8,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,0xbc,0x8d,0x8c,0xf,0x56,0xb7,0xc7,0xe8,0xc1,
                0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xc0,0x8b,
                0xd9,0x8d,0x94,0x17,0xdb,0x70,0x20,0x24,0xc1,0xca,0xf,0x3,0xd1,0x23,0xda,0x8b,0xfa,0xf7,0xd7,0x23,
                0xf8,0xb,0xfb,0x3,0x7d,0xc4,0x8d,0xb4,0x37,0xee,0xce,0xbd,0xc1,0xc1,0xce,0xa,0x3,0xf2,0x89,0x75,
                0xfc,0x8b,0xfa,0x23,0x7d,0xfc,0xf7,0xd6,0x23,0xf1,0xb,0xf7,0x3,0x75,0xc8,0x8d,0x84,0x6,0xaf,0xf,
                0x7c,0xf5,0x8b,0x75,0xfc,0xc1,0xc0,0x7,0x3,0xc6,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0x8b,0xde,0x23,0xd8,
                0xb,0xfb,0x3,0x7d,0xcc,0x8d,0x8c,0xf,0x2a,0xc6,0x87,0x47,0xc1,0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,
                0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xd0,0x8b,0xd9,0x8d,0x94,0x17,0x13,0x46,0x30,
                0xa8,0xc1,0xca,0xf,0x3,0xd1,0x8b,0xfa,0xf7,0xd7,0x23,0xf8,0x23,0xda,0xb,0xfb,0x3,0x7d,0xd4,0x8d,
                0xb4,0x37,0x1,0x95,0x46,0xfd,0xc1,0xce,0xa,0x3,0xf2,0x89,0x75,0xfc,0xf7,0xd6,0x23,0xf1,0x8b,0xfa,
                0x23,0x7d,0xfc,0xb,0xf7,0x3,0x75,0xd8,0x8d,0x84,0x6,0xd8,0x98,0x80,0x69,0x8b,0x75,0xfc,0x8b,0xde,
                0xc1,0xc0,0x7,0x3,0xc6,0x23,0xd8,0x8b,0xf8,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,0xdc,0x8d,0x8c,
                0xf,0xaf,0xf7,0x44,0x8b,0xc1,0xc1,0xc,0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x23,0xfe,0x8b,0xd9,0x23,0xd8,
                0xb,0xfb,0x3,0x7d,0xe0,0x8b,0xd9,0x8d,0x94,0x17,0xb1,0x5b,0xff,0xff,0xc1,0xca,0xf,0x3,0xd1,0x23,
                0xda,0x8b,0xfa,0xf7,0xd7,0x23,0xf8,0xb,0xfb,0x3,0x7d,0xe4,0x8d,0xb4,0x37,0xbe,0xd7,0x5c,0x89,0xc1,
                0xce,0xa,0x3,0xf2,0x89,0x75,0xfc,0xf7,0xd6,0x23,0xf1,0x8b,0xfa,0x23,0x7d,0xfc,0xb,0xf7,0x3,0x75,
                0xe8,0x8b,0x7d,0xfc,0x8d,0x84,0x6,0x22,0x11,0x90,0x6b,0xc1,0xc0,0x7,0x3,0x45,0xfc,0x23,0xf8,0x8b,
                0xf0,0xf7,0xd6,0x23,0xf2,0xb,0xf7,0x3,0x75,0xec,0x8d,0x8c,0xe,0x93,0x71,0x98,0xfd,0xc1,0xc1,0xc,
                0x3,0xc8,0x8b,0xf9,0xf7,0xd7,0x8b,0xf7,0x23,0x75,0xfc,0x8b,0xd9,0x23,0xd8,0xb,0xf3,0x3,0x75,0xf0,
                0x8b,0xd9,0x8d,0x94,0x16,0x8e,0x43,0x79,0xa6,0xc1,0xca,0xf,0x3,0xd1,0x89,0x55,0xf8,0xf7,0x55,0xf8,
                0x8b,0x75,0xf8,0x23,0xf0,0x23,0xfa,0x23,0xda,0xb,0xf3,0x3,0x75,0xf4,0x8b,0x5d,0xfc,0x8d,0xb4,0x1e,
                0x21,0x8,0xb4,0x49,0xc1,0xce,0xa,0x3,0xf2,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xbc,0x8b,0xda,
                0x8d,0x84,0x7,0x62,0x25,0x1e,0xf6,0x8b,0x7d,0xf8,0x23,0xfe,0xc1,0xc0,0x5,0x3,0xc6,0x23,0xd8,0xb,
                0xfb,0x3,0x7d,0xd0,0x8d,0x8c,0xf,0x40,0xb3,0x40,0xc0,0xc1,0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,
                0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xe4,0x8d,0x94,0x17,0x51,0x5a,0x5e,0x26,0xc1,0xc2,
                0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xb8,0x8b,0xd9,
                0x8d,0xb4,0x37,0xaa,0xc7,0xb6,0xe9,0xc1,0xce,0xc,0x3,0xf2,0x23,0xde,0x8b,0xf9,0xf7,0xd7,0x23,0xfa,
                0xb,0xfb,0x3,0x7d,0xcc,0x8b,0xda,0x8d,0x84,0x7,0x5d,0x10,0x2f,0xd6,0xc1,0xc0,0x5,0x3,0xc6,0x8b,
                0xfa,0xf7,0xd7,0x23,0xfe,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xe0,0x8d,0x8c,0xf,0x53,0x14,0x44,0x2,0xc1,
                0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xf4,0x8d,
                0x94,0x17,0x81,0xe6,0xa1,0xd8,0xc1,0xc2,0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x8b,0xda,0x23,0xf9,0x23,
                0xd8,0xb,0xfb,0x3,0x7d,0xc8,0x8d,0xb4,0x37,0xc8,0xfb,0xd3,0xe7,0xc1,0xce,0xc,0x3,0xf2,0x8b,0xf9,
                0xf7,0xd7,0x23,0xfa,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xdc,0x8b,0xda,0x8d,0x84,0x7,0xe6,0xcd,
                0xe1,0x21,0xc1,0xc0,0x5,0x3,0xc6,0x23,0xd8,0x8b,0xfa,0xf7,0xd7,0x23,0xfe,0xb,0xfb,0x3,0x7d,0xf0,
                0x8d,0x8c,0xf,0xd6,0x7,0x37,0xc3,0xc1,0xc1,0x9,0x3,0xc8,0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,
                0x23,0xde,0xb,0xfb,0x3,0x7d,0xc4,0x8d,0x94,0x17,0x87,0xd,0xd5,0xf4,0xc1,0xc2,0xe,0x3,0xd1,0x8b,
                0xf8,0xf7,0xd7,0x23,0xf9,0x8b,0xda,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xd8,0x8b,0xd9,0x8d,0xb4,0x37,0xed,
                0x14,0x5a,0x45,0xc1,0xce,0xc,0x3,0xf2,0x23,0xde,0x8b,0xf9,0xf7,0xd7,0x23,0xfa,0xb,0xfb,0x3,0x7d,
                0xec,0x8b,0xda,0x8d,0x84,0x7,0x5,0xe9,0xe3,0xa9,0xc1,0xc0,0x5,0x3,0xc6,0x8b,0xfa,0xf7,0xd7,0x23,
                0xfe,0x23,0xd8,0xb,0xfb,0x3,0x7d,0xc0,0x8d,0x8c,0xf,0xf8,0xa3,0xef,0xfc,0xc1,0xc1,0x9,0x3,0xc8,
                0x8b,0xfe,0xf7,0xd7,0x23,0xf8,0x8b,0xd9,0x23,0xde,0xb,0xfb,0x3,0x7d,0xd4,0x8d,0x94,0x17,0xd9,0x2,
                0x6f,0x67,0xc1,0xc2,0xe,0x3,0xd1,0x8b,0xf8,0xf7,0xd7,0x8b,0xda,0x23,0xf9,0x23,0xd8,0xb,0xfb,0x3,
                0x7d,0xe8,0x8d,0xb4,0x37,0x8a,0x4c,0x2a,0x8d,0xc1,0xce,0xc,0x3,0xf2,0x8b,0xf9,0x33,0xfa,0x33,0xfe,
                0x3,0x7d,0xcc,0x8d,0x84,0x7,0x42,0x39,0xfa,0xff,0xc1,0xc0,0x4,0x3,0xc6,0x8b,0xfa,0x33,0xfe,0x33,
                0xf8,0x3,0x7d,0xd8,0x8d,0x8c,0xf,0x81,0xf6,0x71,0x87,0xc1,0xc1,0xb,0x3,0xc8,0x8b,0xf9,0x33,0xfe,
                0x33,0xf8,0x3,0x7d,0xe4,0x8d,0x94,0x17,0x22,0x61,0x9d,0x6d,0xc1,0xc2,0x10,0x3,0xd1,0x8b,0xf9,0x33,
                0xfa,0x8b,0xdf,0x33,0xd8,0x3,0x5d,0xf0,0x8d,0xb4,0x33,0xc,0x38,0xe5,0xfd,0xc1,0xce,0x9,0x3,0xf2,
                0x33,0xfe,0x3,0x7d,0xbc,0x8d,0x84,0x7,0x44,0xea,0xbe,0xa4,0xc1,0xc0,0x4,0x3,0xc6,0x8b,0xfa,0x33,
                0xfe,0x33,0xf8,0x3,0x7d,0xc8,0x8d,0xbc,0xf,0xa9,0xcf,0xde,0x4b,0xc1,0xc7,0xb,0x3,0xf8,0x8b,0xcf,
                0x33,0xce,0x33,0xc8,0x3,0x4d,0xd4,0x8b,0xdf,0x8d,0x94,0x11,0x60,0x4b,0xbb,0xf6,0xc1,0xc2,0x10,0x3,
                0xd7,0x33,0xda,0x8b,0xcb,0x33,0xc8,0x3,0x4d,0xe0,0x8d,0x8c,0x31,0x70,0xbc,0xbf,0xbe,0xc1,0xc9,0x9,
                0x3,0xca,0x33,0xd9,0x3,0x5d,0xec,0x8b,0xf2,0x8d,0x84,0x3,0xc6,0x7e,0x9b,0x28,0x33,0xf1,0xc1,0xc0,
                0x4,0x3,0xc1,0x33,0xf0,0x3,0x75,0xb8,0x8d,0xb4,0x3e,0xfa,0x27,0xa1,0xea,0xc1,0xc6,0xb,0x3,0xf0,
                0x8b,0xfe,0x33,0xf9,0x33,0xf8,0x3,0x7d,0xc4,0x8d,0xbc,0x17,0x85,0x30,0xef,0xd4,0xc1,0xc7,0x10,0x3,
                0xfe,0x8b,0xd6,0x33,0xd7,0x8b,0xda,0x33,0xd8,0x3,0x5d,0xd0,0x8d,0x8c,0xb,0x5,0x1d,0x88,0x4,0xc1,
                0xc9,0x9,0x3,0xcf,0x33,0xd1,0x3,0x55,0xdc,0x8d,0x84,0x2,0x39,0xd0,0xd4,0xd9,0x8b,0xd7,0x33,0xd1,
                0xc1,0xc0,0x4,0x3,0xc1,0x33,0xd0,0x3,0x55,0xe8,0x8d,0x94,0x32,0xe5,0x99,0xdb,0xe6,0xc1,0xc2,0xb,
                0x3,0xd0,0x8b,0xf2,0x33,0xf1,0x33,0xf0,0x3,0x75,0xf4,0x8d,0xb4,0x3e,0xf8,0x7c,0xa2,0x1f,0xc1,0xc6,
                0x10,0x3,0xf2,0x8b,0xfa,0x33,0xfe,0x33,0xf8,0x3,0x7d,0xc0,0x8d,0x8c,0xf,0x65,0x56,0xac,0xc4,0xc1,
                0xc9,0x9,0x3,0xce,0x8b,0xfa,0xf7,0xd7,0xb,0xf9,0x33,0xfe,0x3,0x7d,0xb8,0x8d,0x84,0x7,0x44,0x22,
                0x29,0xf4,0xc1,0xc0,0x6,0x3,0xc1,0x8b,0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,0x7d,0xd4,0x8d,0x94,
                0x17,0x97,0xff,0x2a,0x43,0xc1,0xc2,0xa,0x3,0xd0,0x8b,0xf9,0xf7,0xd7,0xb,0xfa,0x33,0xf8,0x3,0x7d,
                0xf0,0x8d,0xb4,0x37,0xa7,0x23,0x94,0xab,0xc1,0xc6,0xf,0x3,0xf2,0x8b,0xf8,0xf7,0xd7,0xb,0xfe,0x33,
                0xfa,0x3,0x7d,0xcc,0x8d,0x8c,0xf,0x39,0xa0,0x93,0xfc,0xc1,0xc9,0xb,0x3,0xce,0x8b,0xfa,0xf7,0xd7,
                0xb,0xf9,0x33,0xfe,0x3,0x7d,0xe8,0x8d,0x84,0x7,0xc3,0x59,0x5b,0x65,0xc1,0xc0,0x6,0x3,0xc1,0x8b,
                0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,0x7d,0xc4,0x8d,0x94,0x17,0x92,0xcc,0xc,0x8f,0xc1,0xc2,0xa,
                0x8b,0xf9,0x3,0xd0,0xf7,0xd7,0xb,0xfa,0x33,0xf8,0x3,0x7d,0xe0,0x8d,0xb4,0x37,0x7d,0xf4,0xef,0xff,
                0xc1,0xc6,0xf,0x3,0xf2,0x8b,0xf8,0xf7,0xd7,0xb,0xfe,0x33,0xfa,0x3,0x7d,0xbc,0x8d,0x8c,0xf,0xd1,
                0x5d,0x84,0x85,0xc1,0xc9,0xb,0x3,0xce,0x8b,0xfa,0xf7,0xd7,0xb,0xf9,0x33,0xfe,0x3,0x7d,0xd8,0x8d,
                0x84,0x7,0x4f,0x7e,0xa8,0x6f,0xc1,0xc0,0x6,0x3,0xc1,0x8b,0xfe,0xf7,0xd7,0xb,0xf8,0x33,0xf9,0x3,
                0x7d,0xf4,0x8d,0x94,0x17,0xe0,0xe6,0x2c,0xfe,0x8b,0xf9,0xc1,0xc2,0xa,0x3,0xd0,0xf7,0xd7,0xb,0xfa,
                0x33,0xf8,0x3,0x7d,0xd0,0x8d,0xb4,0x37,0x14,0x43,0x1,0xa3,0x8b,0xf8,0xc1,0xc6,0xf,0x3,0xf2,0xf7,
                0xd7,0xb,0xfe,0x33,0xfa,0x3,0x7d,0xec,0x8d,0xbc,0xf,0xa1,0x11,0x8,0x4e,0xc1,0xcf,0xb,0x3,0xfe,
                0x8b,0xca,0xf7,0xd1,0xb,0xcf,0x33,0xce,0x3,0x4d,0xc8,0x8d,0x84,0x1,0x82,0x7e,0x53,0xf7,0xc1,0xc0,
                0x6,0x3,0xc7,0x8b,0xce,0xf7,0xd1,0xb,0xc8,0x33,0xcf,0x3,0x4d,0xe4,0x8d,0x94,0x11,0x35,0xf2,0x3a,
                0xbd,0xc1,0xc2,0xa,0x3,0xd0,0x8b,0xcf,0xf7,0xd1,0xb,0xca,0x33,0xc8,0x3,0x4d,0xc0,0x8d,0xb4,0x31,
                0xbb,0xd2,0xd7,0x2a,0x8b,0x4d,0x8,0x8b,0x19,0x3,0xd8,0xf7,0xd0,0xc1,0xc6,0xf,0x3,0xf2,0xb,0xc6,
                0x33,0xc2,0x3,0x45,0xdc,0x89,0x19,0x8d,0x84,0x38,0x91,0xd3,0x86,0xeb,0xc1,0xc8,0xb,0x3,0x41,0x4,
                0x3,0xc6,0x89,0x41,0x4,0x8b,0x41,0x8,0x3,0xc6,0x89,0x41,0x8,0x8b,0x41,0xc,0x5f,0x3,0xc2,0x5e,
                0x89,0x41,0xc,0x5b,0xc9,0xc2,0x4,0x0,0x85,0xd2,0x76,0x2c,0x56,0x8d,0x72,0xff,0xc1,0xee,0x2,0x41,
                0x83,0xc0,0x2,0x46,0x8a,0x50,0xfe,0x88,0x51,0xff,0x8a,0x50,0xff,0x88,0x11,0x8a,0x10,0x88,0x51,0x1,
                0x8a,0x50,0x1,0x88,0x51,0x2,0x83,0xc0,0x4,0x83,0xc1,0x4,0x4e,0x75,0xe1,0x5e,0xc3
        };//0x19d18~0x1A50D
        unsigned char* md5_encrypt_20=data1;
        unsigned char* md5_encrypt_21=data1+0x24;
        unsigned char* md5_encrypt_22=data1+0xcb;

        unsigned char data2={0x80,0};
        *(long*)(data1+0xf7)=(long)data2;
        *(long*)(data1+0x123)=(long)memset-(long)(data1+0x127);

        unsigned char md5_data[]={
                {0x15,0xd1,0x26,0xd0,0xa5,0xa3,0x64,0xe3,0x1b,0x58,0x4,0xe5,0x8,0x5f,0x3,0x9,          },
                {0x61,0xf7,0xd,0x82,0x48,0x54,0xe8,0x77,0xc2,0x38,0x84,0x50,0xfe,0x3a,0xe3,0xd2,},
                {0x88,0x9b,0xa2,0x4e,0x4a,0xfb,0xd6,0x9b,0x32,0x73,0xfe,0xda,0x3a,0x4e,0x4d,0xe8, },
                {0x74,0x8a,0xc3,0x52,0x68,0x3e,0x1e,0x7,0x0,0x53,0xe9,0x9b,0xb9,0xc1,0x3f,0x28,          },
                {0xd9,0xab,0xea,0xfe,0x1f,0x7f,0x4b,0x5c,0x63,0x94,0x8e,0x5d,0x13,0xf2,0x53,0xbf, },
                {0xc9,0xae,0xea,0x20,0x18,0xe8,0x3d,0x49,0xa6,0x11,0x7c,0xb1,0xd8,0xac,0x31,0x94, },
                {0xa4,0x56,0x73,0xf7,0x14,0xb4,0xf6,0x58,0x25,0x85,0x5c,0x32,0xee,0x9c,0x82,0x27, },
                {0x31,0x26,0x22,0x9a,0xd6,0xfc,0x81,0x4e,0x8e,0x9e,0xaf,0x9,0xaf,0x4b,0x94,0x9e,},
                {0xcc,0xba,0xc4,0x42,0xfc,0x59,0xe5,0x32,0x40,0x21,0xd2,0x6b,0x30,0xb4,0x52,0xe3, },
                {0x20,0x77,0xbb,0xcd,0x70,0x80,0xde,0xf0,0x2b,0x5c,0x78,0x3c,0x47,0xcf,0xc3,0xf9, },
                {0x3,0xe,0xd0,0xc9,0xaa,0x3d,0xb,0xc6,0x57,0x9f,0x75,0x94,0x72,0xfc,0x53,0x15,          },
                {0x90,0x6c,0xb1,0xc1,0x13,0xef,0x25,0xeb,0x4,0x0,0x26,0xa1,0x4,0xba,0xc8,0xda,          },
                {0x1b,0x66,0x98,0xcf,0xbe,0x9d,0xf1,0x89,0xe4,0x5a,0xa5,0xd8,0x1f,0xda,0xd7,0x97, },
        };
        const int max=sizeof(md5_data)/sizeof(md5_data);

        unsigned char key1={0};
        unsigned char key2={0};
        int len=2*wcslen(path);
        _asm
        {
                lea eax,key1;
                call md5_encrypt_20;
                mov eax,len;
                lea ecx,key1;
                mov esi,path;
                push esi;
                call md5_encrypt_21;
                lea eax,key2;
                push eax;
                lea edi,key1;
                call md5_encrypt_22;
        }
        for(int i=0;i<max;i++)
        {
                if(!memcmp(md5_data,key2,16))
                {
                        printf("%d touched :%ws\n",i,path);
                }
        }
}



void main()
{
        wchar_t n={0};
        for(int len=1;len<=7;len++)
        {
                int cf=0;
                for(int j=0;j<len;j++)
                {
                        n='0';
                }
                while(!cf)
                {
                        n='l';
                        n='l';
                        n='d';
                        n='.';
                        func(n+11-len);
                        n='e';
                        n='x';
                        n='e';
                        n='.';
                        func(n+11-len);
                        n++;
                        for(int j=0;j<len;j++)
                        {
                                if(n > 'z')
                                {
                                        n='0';
                                        if(j!=len-1)
                                                n++;
                                        else
                                                cf=1;
                                }
                                else if(n == '\\')
                                        n = '\\'+1;
                        }
                }
        }
}

7KY6 发表于 2018-1-14 15:25:41

可以可以!!

查看完整版本: 关于360 hookport.sys模块名加密