360 safemon模塊 監控CreateProcess函數的方法
一、CreateProcess函數
; CreateProcessW: thin stdcall forwarder. Its 10 documented args sit at [ebp+8]..[ebp+2C];
; it wraps them between two literal zeros and calls CreateProcessInternalW with 12 args (0x30 bytes).
7C802332 > 8BFF mov edi, edi ; CreateProcessW — 2-byte no-op at entry (hot-patch slot); this is NOT where 360 hooks
7C802334 55 push ebp
7C802335 8BEC mov ebp, esp
7C802337 6A 00 push 0 ; 12th (last) arg of CreateProcessInternalW — literal 0, not a CreateProcessW parameter (presumably the undocumented token parameter — not visible here)
7C802339 FF75 2C push dword ptr [ebp+2C] ; lpProcessInformation (10th arg) — the callee zeroes this 16-byte buffer at 7C81970A
7C80233C FF75 28 push dword ptr [ebp+28] ; lpStartupInfo
7C80233F FF75 24 push dword ptr [ebp+24] ; lpCurrentDirectory
7C802342 FF75 20 push dword ptr [ebp+20] ; lpEnvironment
7C802345 FF75 1C push dword ptr [ebp+1C] ; dwCreationFlags
7C802348 FF75 18 push dword ptr [ebp+18] ; bInheritHandles
7C80234B FF75 14 push dword ptr [ebp+14] ; lpThreadAttributes
7C80234E FF75 10 push dword ptr [ebp+10] ; lpProcessAttributes
7C802351 FF75 0C push dword ptr [ebp+C] ; lpCommandLine -> [ebp+10] inside CreateProcessInternalW (what HookProcess inspects)
7C802354 FF75 08 push dword ptr [ebp+8] ; lpApplicationName -> [ebp+C] inside CreateProcessInternalW (what HookProcess inspects)
7C802357 6A 00 push 0 ; 1st arg of CreateProcessInternalW — literal 0
7C802359 E8 C9710100 call CreateProcessInternalW ; rel32: 7C80235E+171C9 = 7C819527 — the very instruction 360 overwrites with its jmp, so the detour runs on every CreateProcessW
7C80235E 5D pop ebp
7C80235F C2 2800 retn 28 ; stdcall: pop CreateProcessW's own 10 args (0x28 bytes); the callee already popped the 12 it received
二、CreateProcessInternalW函數
7C819527 >- E9 2C017F93 jmp safemon.10009658 ; first instruction of CreateProcessInternalW (call target from 7C802359): 5-byte jmp rel32, 7C81952C+937F012C = 10009658 (HookProcess). Control arrives with the caller's return address and 12 args still on the stack — nothing has been pushed yet
該處指令已被360作了修改，原指令應該爲 push 0A08（機器碼 68 08 0A 00 00，恰好 5 字節，與 jmp rel32 等長，因此改寫不會截斷後面的指令）。7C819527 正是 CreateProcessInternalW 的入口（7C802359 處 call 的目標），也就是說 hook 位於函數的第一條指令上，此時堆棧上只有調用者的返回地址和 12 個參數。
從這裏跳轉到safemon模塊中（10009658，即下文的 HookProcess）。
7C81952C 68 F897817C push 7C8197F8 ; execution resumes here from the 10008D4D stub, after it re-executed the displaced push 0A08
7C819531 E8 908FFEFF call 7C8024C6 ; push size / push table / call: looks like the SEH frame-setup helper (_SEH_prolog) — confirm
7C819536 A1 CC46887C mov eax, dword ptr [7C8846CC]
7C81953B 8945 E4 mov dword ptr [ebp-1C], eax
7C81953E 8B45 08 mov eax, dword ptr [ebp+8] ; args 1..12 are copied into locals; [ebp+8] is the leading 0 pushed by CreateProcessW
7C819541 8985 C4F7FFFF mov dword ptr [ebp-83C], eax
7C819547 8B45 0C mov eax, dword ptr [ebp+C] ; lpApplicationName
7C81954A 8985 E4F8FFFF mov dword ptr [ebp-71C], eax
7C819550 8B45 10 mov eax, dword ptr [ebp+10] ; lpCommandLine
7C819553 8985 E0F8FFFF mov dword ptr [ebp-720], eax
7C819559 8B45 14 mov eax, dword ptr [ebp+14] ; lpProcessAttributes
7C81955C 8985 4CF7FFFF mov dword ptr [ebp-8B4], eax
7C819562 8B45 18 mov eax, dword ptr [ebp+18] ; lpThreadAttributes
7C819565 8985 38F7FFFF mov dword ptr [ebp-8C8], eax
7C81956B 8B45 24 mov eax, dword ptr [ebp+24] ; lpEnvironment -> [ebp-750], scanned at 7C8197CD below
7C81956E 8985 B0F8FFFF mov dword ptr [ebp-750], eax
7C819574 8B45 28 mov eax, dword ptr [ebp+28] ; lpCurrentDirectory
7C819577 8985 A4F7FFFF mov dword ptr [ebp-85C], eax
7C81957D 8B45 2C mov eax, dword ptr [ebp+2C] ; lpStartupInfo
7C819580 8985 ECF6FFFF mov dword ptr [ebp-914], eax
7C819586 8B75 30 mov esi, dword ptr [ebp+30] ; lpProcessInformation (caller's buffer); zeroed at 7C81970A
7C819589 89B5 40F7FFFF mov dword ptr [ebp-8C0], esi
7C81958F 8B55 34 mov edx, dword ptr [ebp+34] ; 12th arg (the trailing 0 from CreateProcessW); tested at 7C819710
7C819592 8995 FCF6FFFF mov dword ptr [ebp-904], edx
7C819598 33DB xor ebx, ebx ; ebx = 0 for the rest of this excerpt; used to clear locals and as a compare constant
7C81959A 899D 8CF9FFFF mov dword ptr [ebp-674], ebx
7C8195A0 899D 24F8FFFF mov dword ptr [ebp-7DC], ebx
7C8195A6 899D 80F9FFFF mov dword ptr [ebp-680], ebx
7C8195AC 899D ACF8FFFF mov dword ptr [ebp-754], ebx
7C8195B2 899D 30F8FFFF mov dword ptr [ebp-7D0], ebx
7C8195B8 899D 28F7FFFF mov dword ptr [ebp-8D8], ebx
7C8195BE 8B45 20 mov eax, dword ptr [ebp+20] ; dwCreationFlags
7C8195C1 25 00000008 and eax, 8000000 ; isolate bit 0x08000000 (CREATE_NO_WINDOW per winbase.h) into [ebp-90C]
7C8195C6 8985 F4F6FFFF mov dword ptr [ebp-90C], eax
7C8195CC 889D B7F8FFFF mov byte ptr [ebp-749], bl
7C8195D2 899D 30F7FFFF mov dword ptr [ebp-8D0], ebx
7C8195D8 899D 74F9FFFF mov dword ptr [ebp-68C], ebx
7C8195DE 899D 6CF9FFFF mov dword ptr [ebp-694], ebx
7C8195E4 889D EBF8FFFF mov byte ptr [ebp-715], bl
7C8195EA 899D 78F9FFFF mov dword ptr [ebp-688], ebx
7C8195F0 899D 68F9FFFF mov dword ptr [ebp-698], ebx
7C8195F6 899D 70F9FFFF mov dword ptr [ebp-690], ebx
7C8195FC 899D B4F7FFFF mov dword ptr [ebp-84C], ebx
7C819602 8D85 4CFDFFFF lea eax, dword ptr [ebp-2B4] ; pointers to several local buffers are stored into a pointer table at [ebp-930]..[ebp-920]
7C819608 8985 D0F6FFFF mov dword ptr [ebp-930], eax
7C81960E 8D85 94FDFFFF lea eax, dword ptr [ebp-26C]
7C819614 8985 D4F6FFFF mov dword ptr [ebp-92C], eax
7C81961A 8D85 B8FDFFFF lea eax, dword ptr [ebp-248]
7C819620 8985 D8F6FFFF mov dword ptr [ebp-928], eax
7C819626 8D85 28FDFFFF lea eax, dword ptr [ebp-2D8]
7C81962C 8985 DCF6FFFF mov dword ptr [ebp-924], eax
7C819632 8D85 70FDFFFF lea eax, dword ptr [ebp-290]
7C819638 8985 E0F6FFFF mov dword ptr [ebp-920], eax
7C81963E 899D 9CF8FFFF mov dword ptr [ebp-764], ebx
7C819644 33C0 xor eax, eax
7C819646 8DBD A0F8FFFF lea edi, dword ptr [ebp-760]
7C81964C AB stos dword ptr es:[edi] ; three dword stores: clear 12 bytes at [ebp-760]
7C81964D AB stos dword ptr es:[edi]
7C81964E AB stos dword ptr es:[edi]
7C81964F 899D 7CF8FFFF mov dword ptr [ebp-784], ebx
7C819655 33C0 xor eax, eax
7C819657 8DBD 80F8FFFF lea edi, dword ptr [ebp-780]
7C81965D AB stos dword ptr es:[edi] ; clear 12 bytes at [ebp-780]
7C81965E AB stos dword ptr es:[edi]
7C81965F AB stos dword ptr es:[edi]
7C819660 8D85 38F9FFFF lea eax, dword ptr [ebp-6C8]
7C819666 8985 08F9FFFF mov dword ptr [ebp-6F8], eax
7C81966C 8D85 10F9FFFF lea eax, dword ptr [ebp-6F0]
7C819672 8985 0CF9FFFF mov dword ptr [ebp-6F4], eax
7C819678 8D85 4CFDFFFF lea eax, dword ptr [ebp-2B4] ; same buffers again, second pointer table at [ebp-708]..[ebp-6FC]
7C81967E 8985 F8F8FFFF mov dword ptr [ebp-708], eax
7C819684 8D85 28FDFFFF lea eax, dword ptr [ebp-2D8]
7C81968A 8985 FCF8FFFF mov dword ptr [ebp-704], eax
7C819690 8D85 94FDFFFF lea eax, dword ptr [ebp-26C]
7C819696 8985 00F9FFFF mov dword ptr [ebp-700], eax
7C81969C 8D85 70FDFFFF lea eax, dword ptr [ebp-290]
7C8196A2 8985 04F9FFFF mov dword ptr [ebp-6FC], eax
7C8196A8 899D 6CF8FFFF mov dword ptr [ebp-794], ebx
7C8196AE 33C0 xor eax, eax
7C8196B0 8DBD 70F8FFFF lea edi, dword ptr [ebp-790]
7C8196B6 AB stos dword ptr es:[edi] ; clear 12 bytes at [ebp-790]
7C8196B7 AB stos dword ptr es:[edi]
7C8196B8 AB stos dword ptr es:[edi]
7C8196B9 899D 04F8FFFF mov dword ptr [ebp-7FC], ebx
7C8196BF 899D 1CF7FFFF mov dword ptr [ebp-8E4], ebx
7C8196C5 899D C0F7FFFF mov dword ptr [ebp-840], ebx
7C8196CB 899D BCF7FFFF mov dword ptr [ebp-844], ebx
7C8196D1 899D 34F7FFFF mov dword ptr [ebp-8CC], ebx
7C8196D7 899D D4F8FFFF mov dword ptr [ebp-72C], ebx
7C8196DD 33C0 xor eax, eax
7C8196DF 8DBD D8F8FFFF lea edi, dword ptr [ebp-728]
7C8196E5 AB stos dword ptr es:[edi] ; clear 8 bytes at [ebp-728]
7C8196E6 AB stos dword ptr es:[edi]
7C8196E7 899D C8F8FFFF mov dword ptr [ebp-738], ebx
7C8196ED 33C0 xor eax, eax
7C8196EF 8DBD CCF8FFFF lea edi, dword ptr [ebp-734]
7C8196F5 AB stos dword ptr es:[edi] ; clear 8 bytes at [ebp-734]
7C8196F6 AB stos dword ptr es:[edi]
7C8196F7 889D 67F8FFFF mov byte ptr [ebp-799], bl
7C8196FD 6A 18 push 18
7C8196FF 59 pop ecx ; ecx = 0x18 dwords
7C819700 33C0 xor eax, eax
7C819702 8DBD B8FCFFFF lea edi, dword ptr [ebp-348]
7C819708 F3:AB rep stos dword ptr es:[edi] ; zero 0x60 bytes of locals at [ebp-348]
7C81970A 8BFE mov edi, esi ; edi = lpProcessInformation (from [ebp+30])
7C81970C AB stos dword ptr es:[edi] ; four dword stores: the caller's 16-byte PROCESS_INFORMATION is cleared here, before any NULL check on the pointer
7C81970D AB stos dword ptr es:[edi]
7C81970E AB stos dword ptr es:[edi]
7C81970F AB stos dword ptr es:[edi]
7C819710 3BD3 cmp edx, ebx ; 12th arg non-zero -> out-of-line path
7C819712 0F85 174E0100 jnz 7C82E52F
7C819718 8B45 20 mov eax, dword ptr [ebp+20]
7C81971B 25 FFFFFFF7 and eax, F7FFFFFF ; strip the 0x08000000 bit (it was saved separately at 7C8195C6)
7C819720 8945 20 mov dword ptr [ebp+20], eax
7C819723 8BC8 mov ecx, eax
7C819725 83E1 18 and ecx, 18
7C819728 80F9 18 cmp cl, 18 ; flags 0x08 and 0x10 both set -> out-of-line path
7C81972B 0F84 3D8F0200 je 7C84266E
7C819731 899D 2CF9FFFF mov dword ptr [ebp-6D4], ebx
7C819737 899D 24F9FFFF mov dword ptr [ebp-6DC], ebx
7C81973D A8 40 test al, 40 ; the following tests dispatch on individual dwCreationFlags bits (0x40, 0x4000, 0x20, 0x8000, 0x80, 0x100); the targets are outside this excerpt
7C81973F 0F85 358F0200 jnz 7C84267A
7C819745 F6C4 40 test ah, 40
7C819748 0F85 388F0200 jnz 7C842686
7C81974E A8 20 test al, 20
7C819750 0F85 4B320100 jnz 7C82C9A1
7C819756 84E4 test ah, ah
7C819758 0F88 348F0200 js 7C842692
7C81975E 84C0 test al, al
7C819760 0F88 388F0200 js 7C84269E
7C819766 F6C4 01 test ah, 1
7C819769 0F85 3B8F0200 jnz 7C8426AA
7C81976F 889D 99F9FFFF mov byte ptr [ebp-667], bl
7C819775 889D 98F9FFFF mov byte ptr [ebp-668], bl
7C81977B 66:8165 20 1F3E and word ptr [ebp+20], 3E1F ; keep only the low flag bits 0x3E1F of dwCreationFlags
7C819781 BF 00080000 mov edi, 800
7C819786 BE 00100000 mov esi, 1000 ; edi/esi = flag masks 0x800 / 0x1000 from here on (esi no longer holds lpProcessInformation)
7C81978B 857D 20 test dword ptr [ebp+20], edi
7C81978E 0F85 2E8F0200 jnz 7C8426C2
7C819794 8575 20 test dword ptr [ebp+20], esi
7C819797 75 11 jnz short 7C8197AA
7C819799 A1 3C40887C mov eax, dword ptr [7C88403C] ; global structure pointer; byte at +19F4 consulted when 0x1000 is clear
7C81979E 3898 F4190000 cmp byte ptr [eax+19F4], bl
7C8197A4 0F85 228F0200 jnz 7C8426CC
7C8197AA 857D 20 test dword ptr [ebp+20], edi
7C8197AD 75 1E jnz short 7C8197CD ; 0x800 set -> skip the job-object probe
7C8197AF 53 push ebx ; NtQueryInformationJobObject(hJob=0, class=4, &local, len=4, ReturnLength=0) — probes the current job's restrictions
7C8197B0 6A 04 push 4
7C8197B2 8D85 08F6FFFF lea eax, dword ptr [ebp-9F8]
7C8197B8 50 push eax
7C8197B9 6A 04 push 4
7C8197BB 53 push ebx
7C8197BC FF15 5814807C call dword ptr [<&ntdll.NtQueryInform>; ntdll.ZwQueryInformationJobObject
7C8197C2 3D 220000C0 cmp eax, C0000022 ; 0xC0000022 = STATUS_ACCESS_DENIED -> fall through; any other status -> out-of-line path
7C8197C7 0F85 078F0200 jnz 7C8426D4
7C8197CD 8B8D B0F8FFFF mov ecx, dword ptr [ebp-750] ; lpEnvironment
7C8197D3 3BCB cmp ecx, ebx
7C8197D5 ^ 0F84 ACF5FFFF je 7C818D87 ; no environment block -> skip the scan
7C8197DB F645 21 04 test byte ptr [ebp+21], 4 ; dwCreationFlags & 0x400 (CREATE_UNICODE_ENVIRONMENT per winbase.h) -> skip the byte-wise scan
7C8197DF ^ 0F85 A2F5FFFF jnz 7C818D87
7C8197E5 8BC1 mov eax, ecx
7C8197E7 898D 18F7FFFF mov dword ptr [ebp-8E8], ecx
7C8197ED 3818 cmp byte ptr [eax], bl ; ANSI environment: scan forward for the first NUL byte (unbounded — relies on a well-formed block from the caller)
7C8197EF ^ 0F84 05F5FFFF je 7C818CFA
7C8197F5 40 inc eax
7C8197F6 ^ EB F5 jmp short 7C8197ED
三、safemon中的HookProcess函數
; HookProcess (safemon): detour for CreateProcessInternalW. Entered via the jmp at kernel32!7C819527,
; not via call, so after the prologue [ebp+4] is the original return address (into CreateProcessW) and
; [ebp+8]..[ebp+34] are CreateProcessInternalW's 12 stdcall args exactly as the caller pushed them.
; Returns the original BOOL result, or 0 (FALSE) when the process creation is blocked.
10009658 55 push ebp
10009659 8BEC mov ebp, esp
1000965B 51 push ecx ; one dword local at [ebp-4]
1000965C 56 push esi
1000965D 33F6 xor esi, esi ; esi = 0: default return value (FALSE) and the SetLastError argument on the blocked path
1000965F 8D4D FC lea ecx, dword ptr [ebp-4]
10009662 8975 FC mov dword ptr [ebp-4], esi
10009665 E8 87F7FFFF call 10008DF1 ; ecx = &local: presumably a guard/lock object init whose result gates the check — confirm
1000966A 85C0 test eax, eax
1000966C 74 25 je short 10009693 ; 0 -> no check, pass straight through to the original
1000966E 6A 01 push 1
10009670 8D45 08 lea eax, dword ptr [ebp+8]
10009673 FF75 10 push dword ptr [ebp+10] ; lpCommandLine
10009676 83E8 04 sub eax, 4 ; eax = ebp+4 -> slot holding the caller's return address
10009679 FF75 0C push dword ptr [ebp+C] ; lpApplicationName
1000967C FF30 push dword ptr [eax] ; return address (where CreateProcessInternalW was called from)
1000967E E8 19D5FFFF call 10006B9C ; cdecl decision routine(retaddr, lpApplicationName, lpCommandLine, 1); non-zero = block
10009683 83C4 10 add esp, 10
10009686 85C0 test eax, eax
10009688 74 09 je short 10009693
1000968A 56 push esi ; blocked: SetLastError(0) ...
1000968B FF15 6C620310 call dword ptr [<&KERNEL32.SetLastErr>; ntdll.RtlSetLastWin32Error ; ... so the caller sees FALSE with GetLastError()==0 (ERROR_SUCCESS) rather than e.g. ERROR_ACCESS_DENIED — ambiguous for callers that branch on the error code
10009691 EB 2B jmp short 100096BE ; return esi (0)
10009693 FF75 34 push dword ptr [ebp+34] ; allowed: re-push all 12 args (0x30 bytes) for the original function, same order as the caller
10009696 FF75 30 push dword ptr [ebp+30]
10009699 FF75 2C push dword ptr [ebp+2C]
1000969C FF75 28 push dword ptr [ebp+28]
1000969F FF75 24 push dword ptr [ebp+24]
100096A2 FF75 20 push dword ptr [ebp+20]
100096A5 FF75 1C push dword ptr [ebp+1C]
100096A8 FF75 18 push dword ptr [ebp+18]
100096AB FF75 14 push dword ptr [ebp+14]
100096AE FF75 10 push dword ptr [ebp+10]
100096B1 FF75 0C push dword ptr [ebp+C]
100096B4 FF75 08 push dword ptr [ebp+8]
100096B7 E8 91F6FFFF call 10008D4D ; stub (push 0A08; jmp 7C81952C) runs the real CreateProcessInternalW; its retn 30 pops these 12 copies and returns here
100096BC 8BF0 mov esi, eax ; keep the original's BOOL result
100096BE 8D4D FC lea ecx, dword ptr [ebp-4]
100096C1 E8 64F7FFFF call 10008E2A ; ecx = &local: presumably the cleanup counterpart of 10008DF1 — confirm
100096C6 8BC6 mov eax, esi
100096C8 5E pop esi
100096C9 C9 leave
100096CA C2 3000 retn 30 ; pop the caller's original 12 args — exactly what CreateProcessInternalW's own retn 30 would have done
四、call 10008D4D
10008D4D 68 080A0000 push 0A08 這裏就是被替換掉的指令。 ; trampoline: re-executes the 5 bytes (68 08 0A 00 00) that the jmp at 7C819527 overwrote
10008D52 - E9 D507816C jmp kernel32.7C81952C ; 10008D57+6C8107D5 = 7C81952C, the instruction right after the hook; the return address pushed by HookProcess's call stays on the stack for the original's retn 30
五、注意
要順利完成這項工作，需要注意堆棧平衡：HookProcess 是被 jmp 而不是 call 進入的，因此其 [ebp+8]..[ebp+34] 正是 CreateProcessInternalW 原本的 12 個參數；它把這 12 個參數再壓一份後 call 10008D4D，原函數最終以 retn 30 彈掉這 12 份複製並返回到 100096BC，HookProcess 自己再以 retn 30 彈掉調用者原先壓入的 12 個參數（0x30 = 12 × 4 字節），兩層都要與 CreateProcessW 中的 12 次 push 一致，否則返回後堆棧就會錯位。另外要留意，這是在被監控進程自身地址空間內對 kernel32 代碼的內聯修改（inline hook），進程本身可以把被改寫的 5 個字節恢復，或繞過 kernel32 直接調用 ntdll 的 Nt* 系統調用，因此它只能視爲監控手段而非安全邊界。被攔截時 HookProcess 以 SetLastError(0) 並返回 0，調用者會看到 CreateProcess 失敗但 GetLastError() 爲 0（ERROR_SUCCESS），分析日誌或依賴錯誤碼的調用者時要特別注意。
六、加料不加價
Safemon 中實現 hook recv 函數（Hook_WSOCK32_Recv，對應 WSOCK32 的 recv）的模塊：
.text:10013A91 ;=============== S U B R O U T I N E ================
.text:10013A91
.text:10013A91 ; Attributes: bp-based frame. Hook_WSOCK32_Recv: stdcall replacement for recv(s, buf, len, flags) (4 args, retn 10h). dword_10047BC4 presumably holds the saved original recv — confirm. Calls it, then passes the received bytes to sub_10013ADF for inspection.
.text:10013A91
.text:10013A91 Hook_WSOCK32_Recv proc near ; DATA XREF: sub_10013704+150o
.text:10013A91 ; sub_100138E3+62o
.text:10013A91
.text:10013A91 arg_0 = dword ptr 8 ; s
.text:10013A91 arg_4 = dword ptr 0Ch ; buf
.text:10013A91 arg_8 = dword ptr 10h ; len
.text:10013A91 arg_C = dword ptr 14h ; flags
.text:10013A91
.text:10013A91 55 push ebp
.text:10013A92 8B EC mov ebp, esp
.text:10013A94 A1 C4 7B 04+ mov eax, dword_10047BC4 ; presumably the saved original recv pointer — confirm
.text:10013A99 85 C0 test eax, eax
.text:10013A9B 74 3B jz short loc_10013AD8 ; not installed -> return SOCKET_ERROR
.text:10013A9D 6A 01 push 1 ; ucb
.text:10013A9F 50 push eax ; lp
.text:10013AA0 FF 15 BC 60+ call ds:IsBadReadPtr ; NOTE(review): IsBadReadPtr is unreliable as a validity check (racy, swallows guard-page faults); a NULL check plus a trusted install path is the usual replacement
.text:10013AA6 85 C0 test eax, eax
.text:10013AA8 75 2E jnz short loc_10013AD8 ; "bad" pointer -> return SOCKET_ERROR
.text:10013AAA 56 push esi
.text:10013AAB FF 75 14 push [ebp+arg_C] ; flags
.text:10013AAE FF 75 10 push [ebp+arg_8] ; len
.text:10013AB1 FF 75 0C push [ebp+arg_4] ; buf
.text:10013AB4 FF 75 08 push [ebp+arg_0] ; s
.text:10013AB7 FF 15 C4 7B+ call dword_10047BC4 ; original recv(s, buf, len, flags). NOTE(review): re-reads the pointer checked above — a write to dword_10047BC4 in between is not caught
.text:10013ABD 8B F0 mov esi, eax ; esi = bytes received (or SOCKET_ERROR)
.text:10013ABF 83 FE FF cmp esi, 0FFFFFFFFh ; SOCKET_ERROR -> skip inspection
.text:10013AC2 74 0F jz short loc_10013AD3
.text:10013AC4 56 push esi
.text:10013AC5 FF 75 0C push [ebp+arg_4]
.text:10013AC8 FF 75 08 push [ebp+arg_0]
.text:10013ACB E8 0F 00 00+ call sub_10013ADF ; cdecl inspect(s, buf, bytes_received) — runs after the data is already in the caller's buffer; its result is ignored
.text:10013AD0 83 C4 0C add esp, 0Ch
.text:10013AD3
.text:10013AD3 loc_10013AD3: ; CODE XREF: Hook_WSOCK32_Recv+31j
.text:10013AD3 8B C6 mov eax, esi ; return recv's own result unchanged
.text:10013AD5 5E pop esi
.text:10013AD6 EB 03 jmp short loc_10013ADB
.text:10013AD8 ; ---------------------------------------------------------------------------
.text:10013AD8
.text:10013AD8 loc_10013AD8: ; CODE XREF: Hook_WSOCK32_Recv+Aj
.text:10013AD8 ; Hook_WSOCK32_Recv+17j
.text:10013AD8 83 C8 FF or eax, 0FFFFFFFFh ; return SOCKET_ERROR without calling WSASetLastError — WSAGetLastError() is stale on this path
.text:10013ADB
.text:10013ADB loc_10013ADB: ; CODE XREF: Hook_WSOCK32_Recv+45j
.text:10013ADB 5D pop ebp
.text:10013ADC C2 10 00 retn 10h ; stdcall: pop the 4 recv args
.text:10013ADC Hook_WSOCK32_Recv endp
.text:10013ADC
第四節的 10008D4D 存根先補執行被覆蓋的 push 0A08，再 jmp 7C81952C，由此回到 CreateProcessInternalW 中繼續執行原函數；上面的 Hook_WSOCK32_Recv 與此無關，它是 safemon 對 recv 的另一個 hook。