Rootkit 1: Detection Hide Process 收藏
Rootkit 1: Detection Hide Process
什么叫rootkit?
? 它是由有用的小型程序組成的工具包,使得攻擊者能夠保持訪問計(jì)算機(jī)上具有最高權(quán)限的用戶“root”.rootkit是能夠持久或可靠地、無法檢測(cè)地存在于計(jì)算機(jī)上的一組程序和代碼.
rootkit主要分為下列大類:
1 進(jìn)程隱藏
2 文件隱藏
3 端口隱藏
4 注冊(cè)表隱藏
5 驅(qū)動(dòng)服務(wù)隱藏
Part I: 進(jìn)程隱藏
一:序言
? 下列情況不在討論之中(沒進(jìn)程)
? 1 通過CreateRemoteThread Inject代碼到另一個(gè)進(jìn)程(有種病毒就用這種方法,實(shí)現(xiàn)內(nèi)存感染的;其實(shí)還有更多應(yīng)用)
? 2 通過CreateRemoteThread LoadLibray一dll到另一個(gè)進(jìn)程(屏蔽Ctrl+Alt+Del,就是通過這種方法和SetWindowLog實(shí)現(xiàn))
二:進(jìn)程隱藏
? 1 Hook/InlineHook Api NtQuerySystemInformation(taskmgr.exe就是用這個(gè)函數(shù)得到Process list)
? 2 Hook/InlineHook Api Process32Next
? 3 把要隱藏的進(jìn)程的EPROCESS從LIST_ENTRY中摘除
??? a)ring0下驅(qū)動(dòng)實(shí)現(xiàn),注意:Nt/2000/xp/2003中PID和FLINK在EPROCESS中的offset不盡相同
??? b)ring3下利用call gate結(jié)合\Device\PhysicalMemory內(nèi)核對(duì)象實(shí)現(xiàn)
?
二:檢測(cè)進(jìn)程隱藏
? 我們重要討論一下殺毒軟件Kaspersky和rootkit檢測(cè)工具Icesword的兩種方法:
?
? 1 kaspersky的方法:kaspersky從6.0中加入了主動(dòng)防御功能,它detour了SwapContext.
lkd> u KiSwapThread L20
nt!KiSwapThread:
804dd66e 8bff???????????? mov???? edi,edi
804dd670 56?????????????? push??? esi
804dd671 57?????????????? push??? edi
804dd672 3ea120f0dfff???? mov???? eax,ds:[ffdff020]
804dd678 8bf0???????????? mov???? esi,eax
804dd67a 8b4608?????????? mov???? eax,[esi+0x8]
804dd67d 85c0???????????? test??? eax,eax
804dd67f 8b7e04?????????? mov???? edi,[esi+0x4]
804dd682 0f8557ba0000???? jne???? nt!KiSwapThread+0x16 (804e90df)
804dd688 53?????????????? push??? ebx
804dd689 0fbe5e10???????? movsx?? ebx,byte ptr [esi+0x10]
804dd68d 33d2???????????? xor???? edx,edx
804dd68f 8bcb???????????? mov???? ecx,ebx
804dd691 e86bffffff?????? call??? nt!KiFindReadyThread (804dd601)
804dd696 85c0???????????? test??? eax,eax
804dd698 0f843e990000???? je????? nt!KiSwapThread+0x2e (804e6fdc)
804dd69e 5b?????????????? pop???? ebx
804dd69f 8bc8???????????? mov???? ecx,eax
804dd6a1 e80cf7ffff?????? call??? nt!KiSwapContext (804dcdb2)
804dd6a6 84c0???????????? test??? al,al
804dd6a8 8a4f58?????????? mov???? cl,[edi+0x58]
804dd6ab 8b7f54?????????? mov???? edi,[edi+0x54]
804dd6ae 8b3570864d80???? mov???? esi,[nt!_imp_KfLowerIrql (804d8670)]
804dd6b4 0f85d10a0100???? jne???? nt!KiSwapThread+0x56 (804ee18b)
804dd6ba ffd6???????????? call??? esi
804dd6bc 8bc7???????????? mov???? eax,edi
804dd6be 5f?????????????? pop???? edi
804dd6bf 5e?????????????? pop???? esi
804dd6c0 c3?????????????? ret
lkd> u KiSwapContext L20
nt!KiSwapContext:
804dcdb2 83ec10?????????? sub???? esp,0x10
804dcdb5 895c240c???????? mov???? [esp+0xc],ebx
804dcdb9 89742408???????? mov???? [esp+0x8],esi
804dcdbd 897c2404???????? mov???? [esp+0x4],edi
804dcdc1 892c24?????????? mov???? [esp],ebp
804dcdc4 8b1d1cf0dfff???? mov???? ebx,[ffdff01c]
804dcdca 8bf1???????????? mov???? esi,ecx
804dcdcc 8bbb24010000???? mov???? edi,[ebx+0x124]
804dcdd2 89b324010000???? mov???? [ebx+0x124],esi
804dcdd8 8a4f58?????????? mov???? cl,[edi+0x58]
804dcddb e8d9000000?????? call??? nt!SwapContext (804dceb9)
804dcde0 8b2c24?????????? mov???? ebp,[esp]
804dcde3 8b7c2404???????? mov???? edi,[esp+0x4]
804dcde7 8b742408???????? mov???? esi,[esp+0x8]
804dcdeb 8b5c240c???????? mov???? ebx,[esp+0xc]
804dcdef 83c410?????????? add???? esp,0x10
804dcdf2 c3?????????????? ret
lkd> u SwapContext L10
nt!SwapContext:
804dceb9 0ac9???????????? or????? cl,cl
804dcebb 26c6462d02?????? mov???? byte ptr es:[esi+0x2d],0x2
804dcec0 9c?????????????? pushfd
804dcec1 8b0b???????????? mov???? ecx,[ebx]
804dcec3 e948cfa077?????? jmp???? f7ee9e10(注意:這個(gè)地址不在NTOSKRNL.EXE范圍中,落在klif.sys范圍中,<它用了相對(duì)轉(zhuǎn)跳,這樣可以節(jié)約兩個(gè)字節(jié),cs:08>)
804dcec8 90?????????????? nop
804dcec9 90?????????????? nop
804dceca 51?????????????? push??? ecx
804dcecb 0f8534010000???? jne???? nt!SwapContext+0x14d (804dd005)
804dced1 833d8c29568000 cmp dword ptr [nt!PPerfGlobalGroupMask (8056298c)],0x0
804dced8 0f85fe000000???? jne???? nt!SwapContext+0x124 (804dcfdc)
804dcede 0f20c5?????????? mov???? ebp,cr0
804dcee1 8bd5???????????? mov???? edx,ebp
804dcee3 8a4e2c?????????? mov???? cl,[esi+0x2c]
804dcee6 884b50?????????? mov???? [ebx+0x50],cl
804dcee9 fa?????????????? cli
考慮到機(jī)器的效率,SwapContext是用匯編代碼實(shí)現(xiàn)的,看看它具體功能(實(shí)現(xiàn)自己看代碼吧:)):
;++
;
; Routine Description:
;
;??? This routine is called to swap context from one thread to the next.
;??? It swaps context, flushes the data, instruction, and translation
;??? buffer caches, restores nonvolatile integer registers, and returns
;??? to its caller.
;
;??? N.B. It is assumed that the caller (only caller's are within this
;???????? module) saved the nonvolatile registers, ebx, esi, edi, and
;???????? ebp. This enables the caller to have more registers available.
;
; Arguments:
;
;??? cl - APC interrupt bypass disable (zero enable, nonzero disable).
;??? edi - Address of previous thread.
;??? esi - Address of next thread.
;??? ebx - Address of PCR.
;
; Return value:
;
;??? al - Kernel APC pending.
;??? ebx - Address of PCR.
;??? esi - Address of current thread object.
;
;--
(雖然懸掛或等待的線程,不會(huì)獲得cpu時(shí)間,但在SwapContext的時(shí)候仍然要檢測(cè),知道Thread了,得到對(duì)應(yīng)Process也就容易了)
注:這個(gè)方法最初是J. Butler提出的,參見:http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1232409
?
? 2 IceSword的方法:以前的方法是檢測(cè)EPRCOESS,后來改成了PspCidTable
?
? a)全局變量PspCidTable是一個(gè)HANDLE_TABLE的指針,這個(gè)變量并沒有被NTOSKRNL導(dǎo)出,這個(gè)HANDLE_TABLE的表保存著所有進(jìn)程和線程對(duì)象的指針.
? b)PID(進(jìn)程ID)和 ThreadID(線程ID)就是在這個(gè)句柄表中的索引,這個(gè)HANDLE_TABLE不屬于任何進(jìn)程,也沒有鏈在HANDLE_TABLE鏈上.
? c)PspCidTable在PsLookupProcessByProcessId中被用到,所以可以在此函數(shù)中搜索PspCidTalbe變量以定位其地址.
? d)得到PspCidTable這個(gè)句柄表地址后,IceSword調(diào)用ExEnumHandleTable.
這個(gè)函數(shù)的函數(shù)原形是:
BOOLEAN ExEnumHandleTable(
IN PHANDLE_TABLE HandleTable,
IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
IN PVOID EnumParameter,
OUT PHANDLE Handle OPTIONAL)
參數(shù)說明:
HandleTable??????? : 句柄表,可以用PspCidTable做參數(shù).
EnumHandleProcedure: 類型為BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(HANDLE_TALBE_ENTRY*,DWORD PID,PVOID Param)函數(shù)指針.
EnumParameter????? : 傳送給EnumHandleProcedure函數(shù)的參數(shù).
Handle???????????? : 此函數(shù)返回True時(shí)此參數(shù)才有效,為停止枚舉前所枚舉的句柄(可選).
功能說明:
調(diào)用ExEnumHandleTable函數(shù)的時(shí),在每次枚舉到表中的一個(gè)句柄時(shí)都會(huì)調(diào)用一次回調(diào)函數(shù);
回調(diào)函數(shù)返回值為FALSE時(shí)繼續(xù)枚舉句柄表,返回TRUE時(shí)則停止枚舉.
我們來看看他的具體實(shí)現(xiàn)吧!
BOOLEAN
ExEnumHandleTable(
??? IN PHANDLE_TABLE HandleTable,
??? IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
??? IN PVOID EnumParameter,
??? OUT PHANDLE Handle OPTIONAL
??? )
/*++
Routine Description:
??? This function enumerates all the valid handles in a handle table.
??? For each valid handle in the handle table, the specified eumeration
??? function is called. If the enumeration function returns TRUE, then
??? the enumeration is stopped, the current handle is returned to the
??? caller via the optional Handle parameter, and this function returns
??? TRUE to indicated that the enumeration stopped at a specific handle.
Arguments:
??? HandleTable - Supplies a pointer to a handle table.
??? EnumHandleProcedure - Supplies a pointer to a fucntion to call for
??????? each valid handle in the enumerated handle table.
??? EnumParameter - Supplies an uninterpreted 32-bit value that is passed
??????? to the EnumHandleProcedure each time it is called.
??? Handle - Supplies an optional pointer a variable that receives the
??????? Handle value that the enumeration stopped at. Contents of the
??????? variable only valid if this function returns TRUE.
Return Value:
??? If the enumeration stopped at a specific handle, then a value of TRUE
??? is returned. Otherwise, a value of FALSE is returned.
--*/
{
??? PHANDLE_ENTRY HandleEntry;
??? BOOLEAN ResultValue;
??? PHANDLE_ENTRY TableEntries;
??? PHANDLE_ENTRY TableBound;
??? ULONG TableIndex;
??? PAGED_CODE();
??? ASSERT(HandleTable != NULL);
??? //
??? // Lock the handle table exclusive and enumerate the handle entries.
??? //
??? ResultValue = FALSE;
??? ExLockHandleTableShared(HandleTable);
??? TableBound = HandleTable->TableBound;
??? TableEntries = HandleTable->TableEntries;
??? HandleEntry = &TableEntries[1];
??? while (HandleEntry < TableBound) {
??????? if (ExIsEntryUsed(TableEntries, TableBound, HandleEntry)) {
??????????? TableIndex = HandleEntry - TableEntries;
??????????? if ((*EnumHandleProcedure)(HandleEntry,
??????????????????????????????????????? INDEX_TO_HANDLE(TableIndex),
??????????????????????????????????????? EnumParameter)) {
??????????????? if (ARGUMENT_PRESENT(Handle)) {
??????????????????? *Handle = INDEX_TO_HANDLE(TableIndex);
??????????????? }
??????????????? ResultValue = TRUE;
??????????????? break;
??????????? }
??????? }
??????? HandleEntry += 1;
??? }
??? ExUnlockHandleTableShared(HandleTable);
??? return ResultValue;
}
(PS:IceSword的檢測(cè)方法部分參見匿名用戶的文章,非常感謝!)
原文: http://blog.vckbase.com/windowssky/archive/2007/07/16/27457.aspx
本文來自CSDN博客,轉(zhuǎn)載請(qǐng)標(biāo)明出處:http://blog.csdn.net/syf442/archive/2009/07/13/4345216.aspx