Posted on 2010-02-06 04:38
S.l.e!ep.¢% 閱讀(1744)
評論(2) 編輯 收藏 引用 所屬分類:
RootKit
Injection 的主要流程
1. 進程啟動
2. 如果在 vista 以上的系統,確保
ShutdownBlockReasonCreate &&
ShutdownBlockReasonDestroy (詳見 ShutdownBlockReasonCreate Function )
3.調用? SetProcessShutdownParameters (詳見 SetProcessShutdownParameters Function )確保系統關機先詢問本程序 (這里似乎有漏洞,如果其它程序調用了 SetProcessShutdownParameters 就可以搶在 ShutdownGuard 前面接收到 WM_QUERYENDSESSION 消息)
4.??PatchApps(0);
5.??開啟定時器,定時檢查并inject DLL?SetTimer(hwnd, PATCHTIMER, PATCHINTERVAL, NULL);
PatchApps() 函數主要流程 (傳0表示 inject dll, 傳1表示 unload dll)
1. 確保 LoadLibraryA 和 FreeLibrary 這兩個函數存在
2.?獲取 SeDebugPrivilege?(詳見SeDebugPrivilege 特權 ) 確保能夠訪問到所有進程(調用了函數 OpenProcessToken和????
??? AdjustTokenPrivileges)? (這里為了提升權限,如果這里沒有提升權限,那么下面調用 VirtualAllocEx 分配內存 或
?? WriteProcessMemory 寫入內存將返回失敗)
3. 調用 EnumProcesses? 枚舉所有進程
4. 采用 OpenProcess 函數打開進程,權限為 PROCESS_QUERY_INFORMATION 和 PROCESS_VM_READ
5. 獲取 打開進程的全路徑 GetModuleFileNameEx
??? 注入csrss.exe會藍屏 / smss.exe 是注入不了的 / ShutdownGuard.exe 這個是我們的程序不需要注入
6. 檢查下目標進程是否已經被注入過,如果是的話,忽略它 (它這里的判斷好像有BUG,是根據 GetModuleFileNameEx 全路徑的結果進行判斷的, 如果寫一個關機程序,啟動兩次,第二次啟動的那個進程可以成功關閉?)
7. 判斷下系統是不是? 64 位的系統,如果是, 加載DLL也需要加載 64位的 (使用 IsWow64Process 來判斷)
8. 使用 EnumProcessModules 函數來獲取目標進程已經加載的模塊
9. 判斷下我們的 injection dll 是不是已經被目標進程加載,如果是,就忽略它(這個判斷是否是多余的?)
10. 判斷下傳進來的參數, 決定是否 inject dll 還是 unload dll
11.?屏蔽 SeDebugPrivilege 權限(使用 AdjustTokenPrivileges 函數)
InjectDLL() 的主要流程
1. 打開進程 OpenProcess(),權限為 ?PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ
PROCESS_CREATE_THREAD 為了 CreateRemoteThread
PROCESS_VM_OPERATION?? 為了 VirtualAllocEx
PROCESS_VM_WRITE|PROCESS_VM_READ 為了可以讀寫對方的內存
2. VirtualAllocEx 分配內存
3. WriteProcessMemory 寫入內存
4. CreateRemoteThread 創建遠程線程 (線程函數是 pfnLoadLibrary, injection dll)
加載injection dll 的主要流程
1. 修改目標進程 IAT 表中的?user32.dll? 中的 ExitWindowsEx 函數, 將其代替為 ShutdownBlocked()
ShutdownBlocked() 的主要流程
1. 找到 ShutdownGuard 的窗口
2. 并發送 WM_SHUTDOWNBLOCKED 消息(通過 PostMessage() )
當收到? WM_QUERYENDSESSION 消息時
1. 如果是 vista 以上系統,需要調用 ShutdownBlockReasonCreate 和 ShutdownBlockReasonDestroy
作了下實驗,直接寫個程序調用 ExitWindowsEx ,居然可以成功 Shut down,寒!!!
似乎只能阻止到 Explorer.exe
基本流程已經出來,收工
給我一個DLL,給我一個進程ID,我插,我插,我插插插。。。
bool?InjectDLLToOtherProcess(DWORD?dwProcessID,?const?char*?pszDLLPath)
{
????HANDLE?TokenHandle?=?NULL;
????//?
????if?(?FALSE?==?::OpenProcessToken(?GetCurrentProcess(),?TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,?&TokenHandle)?)
????{
????????return?false;
????}
????
????TOKEN_PRIVILEGES?tkp;
????
????//?Get?LUID?for?SeDebugPrivilege
????if(?FALSE?==?::LookupPrivilegeValue(NULL,?SE_DEBUG_NAME,?&tkp.Privileges[0].Luid)?)
????{
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????tkp.PrivilegeCount?=?1;
????tkp.Privileges[0].Attributes?=?SE_PRIVILEGE_ENABLED;
????
????if?(?FALSE?==?AdjustTokenPrivileges(TokenHandle,?FALSE,?&tkp,?0,?NULL,?NULL)?)?
????{
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????HANDLE?process?=?::OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ,?TRUE,?dwProcessID);
????if?(?process?==?NULL?)
????{
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????typedef?HMODULE?(WINAPI?*LoadLibraryPointor)(LPCTSTR);
????LoadLibraryPointor?pfnLoadLibrary?=?NULL;
????HMODULE?kernel32?=?NULL;
????
????//Get?address?to?LoadLibrary?and?FreeLibrary
????if?(pfnLoadLibrary?==?NULL)?
????{
????????kernel32?=?::GetModuleHandle("kernel32.dll");
????????
????????if?(?kernel32?==?NULL?)
????????{
????????????::CloseHandle(process);
????????????::CloseHandle(TokenHandle);
????????????return?false;????????????
????????}
????????
????????pfnLoadLibrary?=?(LoadLibraryPointor)GetProcAddress(kernel32,?"LoadLibraryA");
????????
????????if?(pfnLoadLibrary?==?NULL)
????????{
????????????::FreeLibrary(kernel32);
????????????::CloseHandle(process);
????????????::CloseHandle(TokenHandle);
????????????return?false;
????????}
????}
????PVOID?memory?=?::VirtualAllocEx(process,?NULL,?strlen(pszDLLPath)+1,?MEM_COMMIT,?PAGE_READWRITE);
????
????if?(?memory?==?NULL?)
????{
????????::FreeLibrary(kernel32);
????????::CloseHandle(process);
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????if?(?FALSE?==?::WriteProcessMemory(process,?memory,?(void*)pszDLLPath,?strlen(pszDLLPath)+1,?NULL)?)
????{
????????::VirtualFreeEx(process,?memory,?strlen(pszDLLPath)+1,?MEM_RELEASE);
????????::FreeLibrary(kernel32);
????????::CloseHandle(process);
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????//?Inject?dll
????DWORD?dwThreadID?=?0;
????HANDLE?hRemoteHandle?=?::CreateRemoteThread(process,?NULL,?0,?(LPTHREAD_START_ROUTINE)pfnLoadLibrary,?memory,?0,?&dwThreadID);
????if?(?hRemoteHandle?==?NULL?)?
????{
????????::VirtualFreeEx(process,?memory,?strlen(pszDLLPath)+1,?MEM_RELEASE);
????????::FreeLibrary(kernel32);
????????::CloseHandle(process);
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????::WaitForSingleObject(hRemoteHandle,?INFINITE);
????DWORD?dwReturn?=?0;
????if(?FALSE?==?::GetExitCodeThread(hRemoteHandle,?&dwReturn)?)
????{
????????::CloseHandle(hRemoteHandle);
????????::VirtualFreeEx(process,?memory,?strlen(pszDLLPath)+1,?MEM_RELEASE);
????????::FreeLibrary(kernel32);
????????::CloseHandle(process);
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????::CloseHandle(hRemoteHandle);
????::VirtualFreeEx(process,?memory,?strlen(pszDLLPath)+1,?MEM_RELEASE);
????::FreeLibrary(kernel32);
????::CloseHandle(process);
????::CloseHandle(TokenHandle);
????return?true;
}
目前存在的已知問題:1. 未考慮 64 位機器
2. 未考慮 DLL 加載失敗的處理 (2010.02.05-23:38 已經 Fixed)
3. 提權后沒有恢復
一天就這么過去了~