• <ins id="pjuwb"></ins>
    <blockquote id="pjuwb"><pre id="pjuwb"></pre></blockquote>
    <noscript id="pjuwb"></noscript>
          <sup id="pjuwb"><pre id="pjuwb"></pre></sup>
            <dd id="pjuwb"></dd>
            <abbr id="pjuwb"></abbr>

            S.l.e!ep.¢%

            像打了激速一樣,以四倍的速度運轉,開心的工作
            簡單、開放、平等的公司文化;尊重個性、自由與個人價值;
            posts - 1098, comments - 335, trackbacks - 0, articles - 1
              C++博客 :: 首頁 :: 新隨筆 :: 聯系 :: 聚合  :: 管理

            Rootkit 1: Detection Hide Process

            Posted on 2009-10-24 20:50 S.l.e!ep.¢% 閱讀(274) 評論(0)  編輯 收藏 引用 所屬分類: RootKit

            Rootkit 1: Detection Hide Process 收藏
            Rootkit 1: Detection Hide Process
            什么叫rootkit?
            ? 它是由有用的小型程序組成的工具包,使得攻擊者能夠保持訪問計算機上具有最高權限的用戶“root”.rootkit是能夠持久或可靠地、無法檢測地存在于計算機上的一組程序和代碼.

            rootkit主要分為下列大類:
            1 進程隱藏
            2 文件隱藏
            3 端口隱藏
            4 注冊表隱藏
            5 驅動服務隱藏


            Part I: 進程隱藏
            一:序言
            ? 下列情況不在討論之中(沒進程)
            ? 1 通過CreateRemoteThread Inject代碼到另一個進程(有種病毒就用這種方法,實現內存感染的;其實還有更多應用)
            ? 2 通過CreateRemoteThread LoadLibray一dll到另一個進程(屏蔽Ctrl+Alt+Del,就是通過這種方法和SetWindowLog實現)


            二:進程隱藏
            ? 1 Hook/InlineHook Api NtQuerySystemInformation(taskmgr.exe就是用這個函數得到Process list)
            ? 2 Hook/InlineHook Api Process32Next
            ? 3 把要隱藏的進程的EPROCESS從LIST_ENTRY中摘除
            ??? a)ring0下驅動實現,注意:Nt/2000/xp/2003中PID和FLINK在EPROCESS中的offset不盡相同
            ??? b)ring3下利用call gate結合\Device\PhysicalMemory內核對象實現
            ?

            二:檢測進程隱藏
            ? 我們重要討論一下殺毒軟件Kaspersky和rootkit檢測工具Icesword的兩種方法:
            ?
            ? 1 kaspersky的方法:kaspersky從6.0中加入了主動防御功能,它detour了SwapContext.

            lkd> u KiSwapThread L20
            nt!KiSwapThread:
            804dd66e 8bff???????????? mov???? edi,edi
            804dd670 56?????????????? push??? esi
            804dd671 57?????????????? push??? edi
            804dd672 3ea120f0dfff???? mov???? eax,ds:[ffdff020]
            804dd678 8bf0???????????? mov???? esi,eax
            804dd67a 8b4608?????????? mov???? eax,[esi+0x8]
            804dd67d 85c0???????????? test??? eax,eax
            804dd67f 8b7e04?????????? mov???? edi,[esi+0x4]
            804dd682 0f8557ba0000???? jne???? nt!KiSwapThread+0x16 (804e90df)
            804dd688 53?????????????? push??? ebx
            804dd689 0fbe5e10???????? movsx?? ebx,byte ptr [esi+0x10]
            804dd68d 33d2???????????? xor???? edx,edx
            804dd68f 8bcb???????????? mov???? ecx,ebx
            804dd691 e86bffffff?????? call??? nt!KiFindReadyThread (804dd601)
            804dd696 85c0???????????? test??? eax,eax
            804dd698 0f843e990000???? je????? nt!KiSwapThread+0x2e (804e6fdc)
            804dd69e 5b?????????????? pop???? ebx
            804dd69f 8bc8???????????? mov???? ecx,eax
            804dd6a1 e80cf7ffff?????? call??? nt!KiSwapContext (804dcdb2)
            804dd6a6 84c0???????????? test??? al,al
            804dd6a8 8a4f58?????????? mov???? cl,[edi+0x58]
            804dd6ab 8b7f54?????????? mov???? edi,[edi+0x54]
            804dd6ae 8b3570864d80???? mov???? esi,[nt!_imp_KfLowerIrql (804d8670)]
            804dd6b4 0f85d10a0100???? jne???? nt!KiSwapThread+0x56 (804ee18b)
            804dd6ba ffd6???????????? call??? esi
            804dd6bc 8bc7???????????? mov???? eax,edi
            804dd6be 5f?????????????? pop???? edi
            804dd6bf 5e?????????????? pop???? esi
            804dd6c0 c3?????????????? ret

            lkd> u KiSwapContext L20
            nt!KiSwapContext:
            804dcdb2 83ec10?????????? sub???? esp,0x10
            804dcdb5 895c240c???????? mov???? [esp+0xc],ebx
            804dcdb9 89742408???????? mov???? [esp+0x8],esi
            804dcdbd 897c2404???????? mov???? [esp+0x4],edi
            804dcdc1 892c24?????????? mov???? [esp],ebp
            804dcdc4 8b1d1cf0dfff???? mov???? ebx,[ffdff01c]
            804dcdca 8bf1???????????? mov???? esi,ecx
            804dcdcc 8bbb24010000???? mov???? edi,[ebx+0x124]
            804dcdd2 89b324010000???? mov???? [ebx+0x124],esi
            804dcdd8 8a4f58?????????? mov???? cl,[edi+0x58]
            804dcddb e8d9000000?????? call??? nt!SwapContext (804dceb9)
            804dcde0 8b2c24?????????? mov???? ebp,[esp]
            804dcde3 8b7c2404???????? mov???? edi,[esp+0x4]
            804dcde7 8b742408???????? mov???? esi,[esp+0x8]
            804dcdeb 8b5c240c???????? mov???? ebx,[esp+0xc]
            804dcdef 83c410?????????? add???? esp,0x10
            804dcdf2 c3?????????????? ret


            lkd> u SwapContext L10
            nt!SwapContext:
            804dceb9 0ac9???????????? or????? cl,cl
            804dcebb 26c6462d02?????? mov???? byte ptr es:[esi+0x2d],0x2
            804dcec0 9c?????????????? pushfd
            804dcec1 8b0b???????????? mov???? ecx,[ebx]
            804dcec3 e948cfa077?????? jmp???? f7ee9e10(注意:這個地址不在NTOSKRNL.EXE范圍中,落在klif.sys范圍中,<它用了相對轉跳,這樣可以節約兩個字節,cs:08>)
            804dcec8 90?????????????? nop
            804dcec9 90?????????????? nop
            804dceca 51?????????????? push??? ecx
            804dcecb 0f8534010000???? jne???? nt!SwapContext+0x14d (804dd005)
            804dced1 833d8c29568000 cmp dword ptr [nt!PPerfGlobalGroupMask (8056298c)],0x0
            804dced8 0f85fe000000???? jne???? nt!SwapContext+0x124 (804dcfdc)
            804dcede 0f20c5?????????? mov???? ebp,cr0
            804dcee1 8bd5???????????? mov???? edx,ebp
            804dcee3 8a4e2c?????????? mov???? cl,[esi+0x2c]
            804dcee6 884b50?????????? mov???? [ebx+0x50],cl
            804dcee9 fa?????????????? cli

            考慮到機器的效率,SwapContext是用匯編代碼實現的,看看它具體功能(實現自己看代碼吧:)):
            ;++
            ;
            ; Routine Description:
            ;
            ;??? This routine is called to swap context from one thread to the next.
            ;??? It swaps context, flushes the data, instruction, and translation
            ;??? buffer caches, restores nonvolatile integer registers, and returns
            ;??? to its caller.
            ;
            ;??? N.B. It is assumed that the caller (only caller's are within this
            ;???????? module) saved the nonvolatile registers, ebx, esi, edi, and
            ;???????? ebp. This enables the caller to have more registers available.
            ;
            ; Arguments:
            ;
            ;??? cl - APC interrupt bypass disable (zero enable, nonzero disable).
            ;??? edi - Address of previous thread.
            ;??? esi - Address of next thread.
            ;??? ebx - Address of PCR.
            ;
            ; Return value:
            ;
            ;??? al - Kernel APC pending.
            ;??? ebx - Address of PCR.
            ;??? esi - Address of current thread object.
            ;
            ;--

            (雖然懸掛或等待的線程,不會獲得cpu時間,但在SwapContext的時候仍然要檢測,知道Thread了,得到對應Process也就容易了)
            注:這個方法最初是J. Butler提出的,參見:http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1232409

            ?
            ? 2 IceSword的方法:以前的方法是檢測EPRCOESS,后來改成了PspCidTable
            ?
            ? a)全局變量PspCidTable是一個HANDLE_TABLE的指針,這個變量并沒有被NTOSKRNL導出,這個HANDLE_TABLE的表保存著所有進程和線程對象的指針.

            ? b)PID(進程ID)和 ThreadID(線程ID)就是在這個句柄表中的索引,這個HANDLE_TABLE不屬于任何進程,也沒有鏈在HANDLE_TABLE鏈上.

            ? c)PspCidTable在PsLookupProcessByProcessId中被用到,所以可以在此函數中搜索PspCidTalbe變量以定位其地址.

            ? d)得到PspCidTable這個句柄表地址后,IceSword調用ExEnumHandleTable.

            這個函數的函數原形是:
            BOOLEAN ExEnumHandleTable(
            IN PHANDLE_TABLE HandleTable,
            IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
            IN PVOID EnumParameter,
            OUT PHANDLE Handle OPTIONAL)

            參數說明:
            HandleTable??????? : 句柄表,可以用PspCidTable做參數.
            EnumHandleProcedure: 類型為BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(HANDLE_TALBE_ENTRY*,DWORD PID,PVOID Param)函數指針.
            EnumParameter????? : 傳送給EnumHandleProcedure函數的參數.
            Handle???????????? : 此函數返回True時此參數才有效,為停止枚舉前所枚舉的句柄(可選).

            功能說明:
            調用ExEnumHandleTable函數的時,在每次枚舉到表中的一個句柄時都會調用一次回調函數;
            回調函數返回值為FALSE時繼續枚舉句柄表,返回TRUE時則停止枚舉.

            我們來看看他的具體實現吧!

            BOOLEAN
            ExEnumHandleTable(
            ??? IN PHANDLE_TABLE HandleTable,
            ??? IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
            ??? IN PVOID EnumParameter,
            ??? OUT PHANDLE Handle OPTIONAL
            ??? )

            /*++

            Routine Description:

            ??? This function enumerates all the valid handles in a handle table.
            ??? For each valid handle in the handle table, the specified eumeration
            ??? function is called. If the enumeration function returns TRUE, then
            ??? the enumeration is stopped, the current handle is returned to the
            ??? caller via the optional Handle parameter, and this function returns
            ??? TRUE to indicated that the enumeration stopped at a specific handle.

            Arguments:

            ??? HandleTable - Supplies a pointer to a handle table.

            ??? EnumHandleProcedure - Supplies a pointer to a fucntion to call for
            ??????? each valid handle in the enumerated handle table.

            ??? EnumParameter - Supplies an uninterpreted 32-bit value that is passed
            ??????? to the EnumHandleProcedure each time it is called.

            ??? Handle - Supplies an optional pointer a variable that receives the
            ??????? Handle value that the enumeration stopped at. Contents of the
            ??????? variable only valid if this function returns TRUE.

            Return Value:

            ??? If the enumeration stopped at a specific handle, then a value of TRUE
            ??? is returned. Otherwise, a value of FALSE is returned.

            --*/

            {

            ??? PHANDLE_ENTRY HandleEntry;
            ??? BOOLEAN ResultValue;
            ??? PHANDLE_ENTRY TableEntries;
            ??? PHANDLE_ENTRY TableBound;
            ??? ULONG TableIndex;

            ??? PAGED_CODE();

            ??? ASSERT(HandleTable != NULL);

            ??? //
            ??? // Lock the handle table exclusive and enumerate the handle entries.
            ??? //

            ??? ResultValue = FALSE;
            ??? ExLockHandleTableShared(HandleTable);
            ??? TableBound = HandleTable->TableBound;
            ??? TableEntries = HandleTable->TableEntries;
            ??? HandleEntry = &TableEntries[1];
            ??? while (HandleEntry < TableBound) {
            ??????? if (ExIsEntryUsed(TableEntries, TableBound, HandleEntry)) {
            ??????????? TableIndex = HandleEntry - TableEntries;
            ??????????? if ((*EnumHandleProcedure)(HandleEntry,
            ??????????????????????????????????????? INDEX_TO_HANDLE(TableIndex),
            ??????????????????????????????????????? EnumParameter)) {

            ??????????????? if (ARGUMENT_PRESENT(Handle)) {
            ??????????????????? *Handle = INDEX_TO_HANDLE(TableIndex);
            ??????????????? }

            ??????????????? ResultValue = TRUE;
            ??????????????? break;
            ??????????? }
            ??????? }

            ??????? HandleEntry += 1;
            ??? }

            ??? ExUnlockHandleTableShared(HandleTable);
            ??? return ResultValue;
            }

            (PS:IceSword的檢測方法部分參見匿名用戶的文章,非常感謝!)


            原文: http://blog.vckbase.com/windowssky/archive/2007/07/16/27457.aspx


            本文來自CSDN博客,轉載請標明出處:http://blog.csdn.net/syf442/archive/2009/07/13/4345216.aspx

            久久精品国产亚洲沈樵| 99久久婷婷国产一区二区| 亚洲人成无码久久电影网站| a级毛片无码兔费真人久久| 国产精品日韩欧美久久综合| 日批日出水久久亚洲精品tv| 思思久久99热免费精品6| 亚洲国产精品无码久久SM| 日本精品久久久久中文字幕| 久久亚洲中文字幕精品一区| 久久精品亚洲精品国产色婷| 国产香蕉97碰碰久久人人| 狠狠色丁香久久婷婷综合| 国产叼嘿久久精品久久| 蜜臀av性久久久久蜜臀aⅴ| 国产一区二区精品久久凹凸| 亚洲va久久久噜噜噜久久 | 狠狠色丁香婷婷久久综合不卡| 久久久91精品国产一区二区三区| 久久精品成人欧美大片| 久久久无码人妻精品无码| 香港aa三级久久三级老师2021国产三级精品三级在 | 国产精品久久久久天天影视| 超级碰碰碰碰97久久久久| 久久精品毛片免费观看| 777午夜精品久久av蜜臀| 婷婷久久精品国产| 精品久久国产一区二区三区香蕉 | 奇米影视7777久久精品| 天天综合久久一二三区| 国内精品久久久久久久coent| 久久国产精品成人片免费| 一本一本久久a久久综合精品蜜桃| 亚洲国产成人久久综合一| 国产成人久久精品一区二区三区| 国产精品久久久香蕉| 久久久亚洲裙底偷窥综合 | 国产成人综合久久综合| 久久久噜噜噜久久熟女AA片| 久久亚洲美女精品国产精品| 伊人久久大香线焦AV综合影院|