Rootkit 1: Detection Hide Process 收藏
Rootkit 1: Detection Hide Process
什么叫rootkit?
? 它是由有用的小型程序組成的工具包,使得攻擊者能夠保持訪問計算機上具有最高權限的用戶“root”.rootkit是能夠持久或可靠地、無法檢測地存在于計算機上的一組程序和代碼.

rootkit主要分為下列大類：
1 進程隱藏
2 文件隱藏
3 端口隱藏
4 注冊表隱藏
5 驅動服務隱藏

Part I： 進程隱藏
一：序言
? 下列情況不在討論之中(沒進程)
? 1 通過CreateRemoteThread Inject代碼到另一個進程(有種病毒就用這種方法,實現內存感染的;其實還有更多應用)
? 2 通過CreateRemoteThread LoadLibray一dll到另一個進程(屏蔽Ctrl+Alt+Del,就是通過這種方法和SetWindowLog實現)

二：進程隱藏
? 1 Hook/InlineHook Api NtQuerySystemInformation(taskmgr.exe就是用這個函數得到Process list)
? 2 Hook/InlineHook Api Process32Next
? 3 把要隱藏的進程的EPROCESS從LIST_ENTRY中摘除
??? a)ring0下驅動實現,注意:Nt/2000/xp/2003中PID和FLINK在EPROCESS中的offset不盡相同
??? b)ring3下利用call gate結合\Device\PhysicalMemory內核對象實現
?

二：檢測進程隱藏
? 我們重要討論一下殺毒軟件Kaspersky和rootkit檢測工具Icesword的兩種方法：
?
? 1 kaspersky的方法：kaspersky從6.0中加入了主動防御功能,它detour了SwapContext.

lkd> u KiSwapThread L20
nt!KiSwapThread:
804dd66e 8bff???????????? mov???? edi,edi
804dd670 56?????????????? push??? esi
804dd671 57?????????????? push??? edi
804dd672 3ea120f0dfff???? mov???? eax,ds:[ffdff020]
804dd678 8bf0???????????? mov???? esi,eax
804dd67a 8b4608?????????? mov???? eax,[esi+0x8]
804dd67d 85c0???????????? test??? eax,eax
804dd67f 8b7e04?????????? mov???? edi,[esi+0x4]
804dd682 0f8557ba0000???? jne???? nt!KiSwapThread+0x16 (804e90df)
804dd688 53?????????????? push??? ebx
804dd689 0fbe5e10???????? movsx?? ebx,byte ptr [esi+0x10]
804dd68d 33d2???????????? xor???? edx,edx
804dd68f 8bcb???????????? mov???? ecx,ebx
804dd691 e86bffffff?????? call??? nt!KiFindReadyThread (804dd601)
804dd696 85c0???????????? test??? eax,eax
804dd698 0f843e990000???? je????? nt!KiSwapThread+0x2e (804e6fdc)
804dd69e 5b?????????????? pop???? ebx
804dd69f 8bc8???????????? mov???? ecx,eax
804dd6a1 e80cf7ffff?????? call??? nt!KiSwapContext (804dcdb2)
804dd6a6 84c0???????????? test??? al,al
804dd6a8 8a4f58?????????? mov???? cl,[edi+0x58]
804dd6ab 8b7f54?????????? mov???? edi,[edi+0x54]
804dd6ae 8b3570864d80???? mov???? esi,[nt!_imp_KfLowerIrql (804d8670)]
804dd6b4 0f85d10a0100???? jne???? nt!KiSwapThread+0x56 (804ee18b)
804dd6ba ffd6???????????? call??? esi
804dd6bc 8bc7???????????? mov???? eax,edi
804dd6be 5f?????????????? pop???? edi
804dd6bf 5e?????????????? pop???? esi
804dd6c0 c3?????????????? ret

lkd> u KiSwapContext L20
nt!KiSwapContext:
804dcdb2 83ec10?????????? sub???? esp,0x10
804dcdb5 895c240c???????? mov???? [esp+0xc],ebx
804dcdb9 89742408???????? mov???? [esp+0x8],esi
804dcdbd 897c2404???????? mov???? [esp+0x4],edi
804dcdc1 892c24?????????? mov???? [esp],ebp
804dcdc4 8b1d1cf0dfff???? mov???? ebx,[ffdff01c]
804dcdca 8bf1???????????? mov???? esi,ecx
804dcdcc 8bbb24010000???? mov???? edi,[ebx+0x124]
804dcdd2 89b324010000???? mov???? [ebx+0x124],esi
804dcdd8 8a4f58?????????? mov???? cl,[edi+0x58]
804dcddb e8d9000000?????? call??? nt!SwapContext (804dceb9)
804dcde0 8b2c24?????????? mov???? ebp,[esp]
804dcde3 8b7c2404???????? mov???? edi,[esp+0x4]
804dcde7 8b742408???????? mov???? esi,[esp+0x8]
804dcdeb 8b5c240c???????? mov???? ebx,[esp+0xc]
804dcdef 83c410?????????? add???? esp,0x10
804dcdf2 c3?????????????? ret

lkd> u SwapContext L10
nt!SwapContext:
804dceb9 0ac9???????????? or????? cl,cl
804dcebb 26c6462d02?????? mov???? byte ptr es:[esi+0x2d],0x2
804dcec0 9c?????????????? pushfd
804dcec1 8b0b???????????? mov???? ecx,[ebx]
804dcec3 e948cfa077?????? jmp???? f7ee9e10（注意：這個地址不在NTOSKRNL.EXE范圍中,落在klif.sys范圍中,<它用了相對轉跳,這樣可以節約兩個字節,cs:08>）
804dcec8 90?????????????? nop
804dcec9 90?????????????? nop
804dceca 51?????????????? push??? ecx
804dcecb 0f8534010000???? jne???? nt!SwapContext+0x14d (804dd005)
804dced1 833d8c29568000 cmp dword ptr [nt!PPerfGlobalGroupMask (8056298c)],0x0
804dced8 0f85fe000000???? jne???? nt!SwapContext+0x124 (804dcfdc)
804dcede 0f20c5?????????? mov???? ebp,cr0
804dcee1 8bd5???????????? mov???? edx,ebp
804dcee3 8a4e2c?????????? mov???? cl,[esi+0x2c]
804dcee6 884b50?????????? mov???? [ebx+0x50],cl
804dcee9 fa?????????????? cli

考慮到機器的效率,SwapContext是用匯編代碼實現的,看看它具體功能(實現自己看代碼吧:))：
;++
;
; Routine Description:
;
;??? This routine is called to swap context from one thread to the next.
;??? It swaps context, flushes the data, instruction, and translation
;??? buffer caches, restores nonvolatile integer registers, and returns
;??? to its caller.
;
;??? N.B. It is assumed that the caller (only caller's are within this
;???????? module) saved the nonvolatile registers, ebx, esi, edi, and
;???????? ebp. This enables the caller to have more registers available.
;
; Arguments:
;
;??? cl - APC interrupt bypass disable (zero enable, nonzero disable).
;??? edi - Address of previous thread.
;??? esi - Address of next thread.
;??? ebx - Address of PCR.
;
; Return value:
;
;??? al - Kernel APC pending.
;??? ebx - Address of PCR.
;??? esi - Address of current thread object.
;
;--

(雖然懸掛或等待的線程,不會獲得cpu時間,但在SwapContext的時候仍然要檢測,知道Thread了,得到對應Process也就容易了)
注：這個方法最初是J. Butler提出的,參見：http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1232409

?
? 2 IceSword的方法：以前的方法是檢測EPRCOESS,后來改成了PspCidTable
?
? a)全局變量PspCidTable是一個HANDLE_TABLE的指針,這個變量并沒有被NTOSKRNL導出,這個HANDLE_TABLE的表保存著所有進程和線程對象的指針.

? b)PID（進程ID）和 ThreadID（線程ID）就是在這個句柄表中的索引,這個HANDLE_TABLE不屬于任何進程,也沒有鏈在HANDLE_TABLE鏈上.

? c)PspCidTable在PsLookupProcessByProcessId中被用到,所以可以在此函數中搜索PspCidTalbe變量以定位其地址.

? d)得到PspCidTable這個句柄表地址后,IceSword調用ExEnumHandleTable.

這個函數的函數原形是:
BOOLEAN ExEnumHandleTable(
IN PHANDLE_TABLE HandleTable,
IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
IN PVOID EnumParameter,
OUT PHANDLE Handle OPTIONAL)

參數說明:
HandleTable??????? : 句柄表,可以用PspCidTable做參數.
EnumHandleProcedure: 類型為BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(HANDLE_TALBE_ENTRY*,DWORD PID,PVOID Param)函數指針.
EnumParameter????? : 傳送給EnumHandleProcedure函數的參數.
Handle???????????? : 此函數返回True時此參數才有效,為停止枚舉前所枚舉的句柄(可選).

功能說明:
調用ExEnumHandleTable函數的時,在每次枚舉到表中的一個句柄時都會調用一次回調函數;
回調函數返回值為FALSE時繼續枚舉句柄表,返回TRUE時則停止枚舉.

我們來看看他的具體實現吧！

BOOLEAN
ExEnumHandleTable(
??? IN PHANDLE_TABLE HandleTable,
??? IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
??? IN PVOID EnumParameter,
??? OUT PHANDLE Handle OPTIONAL
??? )

/*++

Routine Description:

??? This function enumerates all the valid handles in a handle table.
??? For each valid handle in the handle table, the specified eumeration
??? function is called. If the enumeration function returns TRUE, then
??? the enumeration is stopped, the current handle is returned to the
??? caller via the optional Handle parameter, and this function returns
??? TRUE to indicated that the enumeration stopped at a specific handle.

Arguments:

??? HandleTable - Supplies a pointer to a handle table.

??? EnumHandleProcedure - Supplies a pointer to a fucntion to call for
??????? each valid handle in the enumerated handle table.

??? EnumParameter - Supplies an uninterpreted 32-bit value that is passed
??????? to the EnumHandleProcedure each time it is called.

??? Handle - Supplies an optional pointer a variable that receives the
??????? Handle value that the enumeration stopped at. Contents of the
??????? variable only valid if this function returns TRUE.

Return Value:

??? If the enumeration stopped at a specific handle, then a value of TRUE
??? is returned. Otherwise, a value of FALSE is returned.

--*/

{

??? PHANDLE_ENTRY HandleEntry;
??? BOOLEAN ResultValue;
??? PHANDLE_ENTRY TableEntries;
??? PHANDLE_ENTRY TableBound;
??? ULONG TableIndex;

??? PAGED_CODE();

??? ASSERT(HandleTable != NULL);

??? //
??? // Lock the handle table exclusive and enumerate the handle entries.
??? //

??? ResultValue = FALSE;
??? ExLockHandleTableShared(HandleTable);
??? TableBound = HandleTable->TableBound;
??? TableEntries = HandleTable->TableEntries;
??? HandleEntry = &TableEntries[1];
??? while (HandleEntry < TableBound) {
??????? if (ExIsEntryUsed(TableEntries, TableBound, HandleEntry)) {
??????????? TableIndex = HandleEntry - TableEntries;
??????????? if ((*EnumHandleProcedure)(HandleEntry,
??????????????????????????????????????? INDEX_TO_HANDLE(TableIndex),
??????????????????????????????????????? EnumParameter)) {

??????????????? if (ARGUMENT_PRESENT(Handle)) {
??????????????????? *Handle = INDEX_TO_HANDLE(TableIndex);
??????????????? }

??????????????? ResultValue = TRUE;
??????????????? break;
??????????? }
??????? }

??????? HandleEntry += 1;
??? }

??? ExUnlockHandleTableShared(HandleTable);
??? return ResultValue;
}

(PS:IceSword的檢測方法部分參見匿名用戶的文章,非常感謝！)

原文： http://blog.vckbase.com/windowssky/archive/2007/07/16/27457.aspx

本文來自CSDN博客，轉載請標明出處：http://blog.csdn.net/syf442/archive/2009/07/13/4345216.aspx