|
|
Posted on 2009-04-05 17:31 besterChen 閱讀(951) 評(píng)論(0) 編輯 收藏 引用 所屬分類: 軟件安全中的JJXX
本人收集與網(wǎng)絡(luò),不知原作者是誰…… 一:序言
下列情況不在討論之中(沒進(jìn)程)
1 通過CreateRemoteThread Inject代碼到另一個(gè)進(jìn)程(有種病毒就用這種方法,實(shí)現(xiàn)內(nèi)存感染的;其實(shí)還有更多應(yīng)用)
2 通過CreateRemoteThread LoadLibray一dll到另一個(gè)進(jìn)程(屏蔽Ctrl+Alt+Del,就是通過這種方法和SetWindowLog實(shí)現(xiàn))
二:進(jìn)程隱藏
1 Hook/InlineHook Api NtQuerySystemInformation(taskmgr.exe就是用這個(gè)函數(shù)得到Process list)
2 Hook/InlineHook Api Process32Next
3 把要隱藏的進(jìn)程的EPROCESS從LIST_ENTRY中摘除
a)ring0下驅(qū)動(dòng)實(shí)現(xiàn),注意:Nt/2000/xp/2003中PID和FLINK在EPROCESS中的offset不盡相同
b)ring3下利用call gate結(jié)合\Device\PhysicalMemory內(nèi)核對(duì)象實(shí)現(xiàn)
三:檢測(cè)進(jìn)程隱藏
我們重要討論一下殺毒軟件Kaspersky和rootkit檢測(cè)工具Icesword的兩種方法:
1 kaspersky的方法:kaspersky從6.0中加入了主動(dòng)防御功能,它detour了SwapContext.
lkd> u KiSwapThread L20
nt!KiSwapThread:
804dd66e 8bff mov edi,edi
804dd670 56 push esi
804dd671 57 push edi
804dd672 3ea120f0dfff mov eax,ds:[ffdff020]
804dd678 8bf0 mov esi,eax
804dd67a 8b4608 mov eax,[esi+0x8]
804dd67d 85c0 test eax,eax
804dd67f 8b7e04 mov edi,[esi+0x4]
804dd682 0f8557ba0000 jne nt!KiSwapThread+0x16 (804e90df)
804dd688 53 push ebx
804dd689 0fbe5e10 movsx ebx,byte ptr [esi+0x10]
804dd68d 33d2 xor edx,edx
804dd68f 8bcb mov ecx,ebx
804dd691 e86bffffff call nt!KiFindReadyThread (804dd601)
804dd696 85c0 test eax,eax
804dd698 0f843e990000 je nt!KiSwapThread+0x2e (804e6fdc)
804dd69e 5b pop ebx
804dd69f 8bc8 mov ecx,eax
804dd6a1 e80cf7ffff call nt!KiSwapContext (804dcdb2)
804dd6a6 84c0 test al,al
804dd6a8 8a4f58 mov cl,[edi+0x58]
804dd6ab 8b7f54 mov edi,[edi+0x54]
804dd6ae 8b3570864d80 mov esi,[nt!_imp_KfLowerIrql (804d8670)]
804dd6b4 0f85d10a0100 jne nt!KiSwapThread+0x56 (804ee18b)
804dd6ba ffd6 call esi
804dd6bc 8bc7 mov eax,edi
804dd6be 5f pop edi
804dd6bf 5e pop esi
804dd6c0 c3 ret
lkd> u KiSwapContext L20
nt!KiSwapContext:
804dcdb2 83ec10 sub esp,0x10
804dcdb5 895c240c mov [esp+0xc],ebx
804dcdb9 89742408 mov [esp+0x8],esi
804dcdbd 897c2404 mov [esp+0x4],edi
804dcdc1 892c24 mov [esp],ebp
804dcdc4 8b1d1cf0dfff mov ebx,[ffdff01c]
804dcdca 8bf1 mov esi,ecx
804dcdcc 8bbb24010000 mov edi,[ebx+0x124]
804dcdd2 89b324010000 mov [ebx+0x124],esi
804dcdd8 8a4f58 mov cl,[edi+0x58]
804dcddb e8d9000000 call nt!SwapContext (804dceb9)
804dcde0 8b2c24 mov ebp,[esp]
804dcde3 8b7c2404 mov edi,[esp+0x4]
804dcde7 8b742408 mov esi,[esp+0x8]
804dcdeb 8b5c240c mov ebx,[esp+0xc]
804dcdef 83c410 add esp,0x10
804dcdf2 c3 ret
lkd> u SwapContext L10
nt!SwapContext:
804dceb9 0ac9 or cl,cl
804dcebb 26c6462d02 mov byte ptr es:[esi+0x2d],0x2
804dcec0 9c pushfd
804dcec1 8b0b mov ecx,[ebx]
804dcec3 e948cfa077 jmp f7ee9e10(注意:這個(gè)地址不在NTOSKRNL.EXE范圍中,落在klif.sys范圍中,<它用了相對(duì)轉(zhuǎn)跳,這樣可以節(jié)約兩個(gè)字節(jié),cs:08>)
804dcec8 90 nop
804dcec9 90 nop
804dceca 51 push ecx
804dcecb 0f8534010000 jne nt!SwapContext+0x14d (804dd005)
804dced1 833d8c29568000 cmp dword ptr [nt!PPerfGlobalGroupMask (8056298c)],0x0
804dced8 0f85fe000000 jne nt!SwapContext+0x124 (804dcfdc)
804dcede 0f20c5 mov ebp,cr0
804dcee1 8bd5 mov edx,ebp
804dcee3 8a4e2c mov cl,[esi+0x2c]
804dcee6 884b50 mov [ebx+0x50],cl
804dcee9 fa cli
考慮到機(jī)器的效率,SwapContext是用匯編代碼實(shí)現(xiàn)的,看看它具體功能(實(shí)現(xiàn)自己看代碼吧:)):
;++
;
; Routine Description:
;
; This routine is called to swap context from one thread to the next.
; It swaps context, flushes the data, instruction, and translation
; buffer caches, restores nonvolatile integer registers, and returns
; to its caller.
;
; N.B. It is assumed that the caller (only caller's are within this
; module) saved the nonvolatile registers, ebx, esi, edi, and
; ebp. This enables the caller to have more registers available.
;
; Arguments:
;
; cl - APC interrupt bypass disable (zero enable, nonzero disable).
; edi - Address of previous thread.
; esi - Address of next thread.
; ebx - Address of PCR.
;
; Return value:
;
; al - Kernel APC pending.
; ebx - Address of PCR.
; esi - Address of current thread object.
;
;--
(雖然懸掛或等待的線程,不會(huì)獲得cpu時(shí)間,但在SwapContext的時(shí)候仍然要檢測(cè),知道Thread了,得到對(duì)應(yīng)Process也就容易了)
注:這個(gè)方法最初是J. Butler提出的,參見:http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1232409
2 IceSword的方法:以前的方法是檢測(cè)EPRCOESS,后來改成了PspCidTable
a)全局變量PspCidTable是一個(gè)HANDLE_TABLE的指針,這個(gè)變量并沒有被NTOSKRNL導(dǎo)出,這個(gè)HANDLE_TABLE的表保存著所有進(jìn)程和線程對(duì)象的指針.
b)PID(進(jìn)程ID)和 ThreadID(線程ID)就是在這個(gè)句柄表中的索引,這個(gè)HANDLE_TABLE不屬于任何進(jìn)程,也沒有鏈在HANDLE_TABLE鏈上.
c)PspCidTable在PsLookupProcessByProcessId中被用到,所以可以在此函數(shù)中搜索PspCidTalbe變量以定位其地址.
d)得到PspCidTable這個(gè)句柄表地址后,IceSword調(diào)用ExEnumHandleTable.
這個(gè)函數(shù)的函數(shù)原形是:
BOOLEAN ExEnumHandleTable(
IN PHANDLE_TABLE HandleTable,
IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
IN PVOID EnumParameter,
OUT PHANDLE Handle OPTIONAL)
參數(shù)說明:
HandleTable : 句柄表,可以用PspCidTable做參數(shù).
EnumHandleProcedure: 類型為BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(HANDLE_TALBE_ENTRY*,DWORD PID,PVOID Param)函數(shù)指針.
EnumParameter : 傳送給EnumHandleProcedure函數(shù)的參數(shù).
Handle : 此函數(shù)返回True時(shí)此參數(shù)才有效,為停止枚舉前所枚舉的句柄(可選).
功能說明:
調(diào)用ExEnumHandleTable函數(shù)的時(shí),在每次枚舉到表中的一個(gè)句柄時(shí)都會(huì)調(diào)用一次回調(diào)函數(shù);
回調(diào)函數(shù)返回值為FALSE時(shí)繼續(xù)枚舉句柄表,返回TRUE時(shí)則停止枚舉.
我們來看看他的具體實(shí)現(xiàn)吧!
BOOLEAN
ExEnumHandleTable(
IN PHANDLE_TABLE HandleTable,
IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
IN PVOID EnumParameter,
OUT PHANDLE Handle OPTIONAL
)
/*++
Routine Description:
This function enumerates all the valid handles in a handle table.
For each valid handle in the handle table, the specified eumeration
function is called. If the enumeration function returns TRUE, then
the enumeration is stopped, the current handle is returned to the
caller via the optional Handle parameter, and this function returns
TRUE to indicated that the enumeration stopped at a specific handle.
Arguments:
HandleTable - Supplies a pointer to a handle table.
EnumHandleProcedure - Supplies a pointer to a fucntion to call for
each valid handle in the enumerated handle table.
EnumParameter - Supplies an uninterpreted 32-bit value that is passed
to the EnumHandleProcedure each time it is called.
Handle - Supplies an optional pointer a variable that receives the
Handle value that the enumeration stopped at. Contents of the
variable only valid if this function returns TRUE.
Return Value:
If the enumeration stopped at a specific handle, then a value of TRUE
is returned. Otherwise, a value of FALSE is returned.
--*/
{
PHANDLE_ENTRY HandleEntry;
BOOLEAN ResultValue;
PHANDLE_ENTRY TableEntries;
PHANDLE_ENTRY TableBound;
ULONG TableIndex;
PAGED_CODE();
ASSERT(HandleTable != NULL);
//
// Lock the handle table exclusive and enumerate the handle entries.
//
ResultValue = FALSE;
ExLockHandleTableShared(HandleTable);
TableBound = HandleTable->TableBound;
TableEntries = HandleTable->TableEntries;
HandleEntry = &TableEntries[1];
while (HandleEntry < TableBound) {
if (ExIsEntryUsed(TableEntries, TableBound, HandleEntry)) {
TableIndex = HandleEntry - TableEntries;
if ((*EnumHandleProcedure)(HandleEntry,
INDEX_TO_HANDLE(TableIndex),
EnumParameter)) {
if (ARGUMENT_PRESENT(Handle)) {
*Handle = INDEX_TO_HANDLE(TableIndex);
}
ResultValue = TRUE;
break;
}
}
HandleEntry += 1;
}
ExUnlockHandleTableShared(HandleTable);
return ResultValue;
}
(PS:IceSword的檢測(cè)方法部分參見匿名用戶的文章,非常感謝!)
|