Posted on 2010-02-06 04:38
S.l.e!ep.¢% 閱讀(1740)
評(píng)論(2) 編輯 收藏 引用 所屬分類:
RootKit
Injection 的主要流程
1. 進(jìn)程啟動(dòng)
2. 如果在 vista 以上的系統(tǒng),確保
ShutdownBlockReasonCreate &&
ShutdownBlockReasonDestroy (詳見 ShutdownBlockReasonCreate Function )
3.調(diào)用? SetProcessShutdownParameters (詳見 SetProcessShutdownParameters Function )確保系統(tǒng)關(guān)機(jī)先詢問本程序 (這里似乎有漏洞,如果其它程序調(diào)用了 SetProcessShutdownParameters 就可以搶在 ShutdownGuard 前面接收到 WM_QUERYENDSESSION 消息)
4.??PatchApps(0);
5.??開啟定時(shí)器,定時(shí)檢查并inject DLL?SetTimer(hwnd, PATCHTIMER, PATCHINTERVAL, NULL);
PatchApps() 函數(shù)主要流程 (傳0表示 inject dll, 傳1表示 unload dll)
1. 確保 LoadLibraryA 和 FreeLibrary 這兩個(gè)函數(shù)存在
2.?獲取 SeDebugPrivilege?(詳見SeDebugPrivilege 特權(quán) ) 確保能夠訪問到所有進(jìn)程(調(diào)用了函數(shù) OpenProcessToken和????
??? AdjustTokenPrivileges)? (這里為了提升權(quán)限,如果這里沒有提升權(quán)限,那么下面調(diào)用 VirtualAllocEx 分配內(nèi)存 或
?? WriteProcessMemory 寫入內(nèi)存將返回失敗)
3. 調(diào)用 EnumProcesses? 枚舉所有進(jìn)程
4. 采用 OpenProcess 函數(shù)打開進(jìn)程,權(quán)限為 PROCESS_QUERY_INFORMATION 和 PROCESS_VM_READ
5. 獲取 打開進(jìn)程的全路徑 GetModuleFileNameEx
??? 注入csrss.exe會(huì)藍(lán)屏 / smss.exe 是注入不了的 / ShutdownGuard.exe 這個(gè)是我們的程序不需要注入
6. 檢查下目標(biāo)進(jìn)程是否已經(jīng)被注入過(guò),如果是的話,忽略它 (它這里的判斷好像有BUG,是根據(jù) GetModuleFileNameEx 全路徑的結(jié)果進(jìn)行判斷的, 如果寫一個(gè)關(guān)機(jī)程序,啟動(dòng)兩次,第二次啟動(dòng)的那個(gè)進(jìn)程可以成功關(guān)閉?)
7. 判斷下系統(tǒng)是不是? 64 位的系統(tǒng),如果是, 加載DLL也需要加載 64位的 (使用 IsWow64Process 來(lái)判斷)
8. 使用 EnumProcessModules 函數(shù)來(lái)獲取目標(biāo)進(jìn)程已經(jīng)加載的模塊
9. 判斷下我們的 injection dll 是不是已經(jīng)被目標(biāo)進(jìn)程加載,如果是,就忽略它(這個(gè)判斷是否是多余的?)
10. 判斷下傳進(jìn)來(lái)的參數(shù), 決定是否 inject dll 還是 unload dll
11.?屏蔽 SeDebugPrivilege 權(quán)限(使用 AdjustTokenPrivileges 函數(shù))
InjectDLL() 的主要流程
1. 打開進(jìn)程 OpenProcess(),權(quán)限為 ?PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ
PROCESS_CREATE_THREAD 為了 CreateRemoteThread
PROCESS_VM_OPERATION?? 為了 VirtualAllocEx
PROCESS_VM_WRITE|PROCESS_VM_READ 為了可以讀寫對(duì)方的內(nèi)存
2. VirtualAllocEx 分配內(nèi)存
3. WriteProcessMemory 寫入內(nèi)存
4. CreateRemoteThread 創(chuàng)建遠(yuǎn)程線程 (線程函數(shù)是 pfnLoadLibrary, injection dll)
加載injection dll 的主要流程
1. 修改目標(biāo)進(jìn)程 IAT 表中的?user32.dll? 中的 ExitWindowsEx 函數(shù), 將其代替為 ShutdownBlocked()
ShutdownBlocked() 的主要流程
1. 找到 ShutdownGuard 的窗口
2. 并發(fā)送 WM_SHUTDOWNBLOCKED 消息(通過(guò) PostMessage() )
當(dāng)收到? WM_QUERYENDSESSION 消息時(shí)
1. 如果是 vista 以上系統(tǒng),需要調(diào)用 ShutdownBlockReasonCreate 和 ShutdownBlockReasonDestroy
作了下實(shí)驗(yàn),直接寫個(gè)程序調(diào)用 ExitWindowsEx ,居然可以成功 Shut down,寒!!!
似乎只能阻止到 Explorer.exe
基本流程已經(jīng)出來(lái),收工
給我一個(gè)DLL,給我一個(gè)進(jìn)程ID,我插,我插,我插插插。。。
bool?InjectDLLToOtherProcess(DWORD?dwProcessID,?const?char*?pszDLLPath)
{
????HANDLE?TokenHandle?=?NULL;
????//?
????if?(?FALSE?==?::OpenProcessToken(?GetCurrentProcess(),?TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,?&TokenHandle)?)
????{
????????return?false;
????}
????
????TOKEN_PRIVILEGES?tkp;
????
????//?Get?LUID?for?SeDebugPrivilege
????if(?FALSE?==?::LookupPrivilegeValue(NULL,?SE_DEBUG_NAME,?&tkp.Privileges[0].Luid)?)
????{
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????tkp.PrivilegeCount?=?1;
????tkp.Privileges[0].Attributes?=?SE_PRIVILEGE_ENABLED;
????
????if?(?FALSE?==?AdjustTokenPrivileges(TokenHandle,?FALSE,?&tkp,?0,?NULL,?NULL)?)?
????{
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????HANDLE?process?=?::OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ,?TRUE,?dwProcessID);
????if?(?process?==?NULL?)
????{
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????typedef?HMODULE?(WINAPI?*LoadLibraryPointor)(LPCTSTR);
????LoadLibraryPointor?pfnLoadLibrary?=?NULL;
????HMODULE?kernel32?=?NULL;
????
????//Get?address?to?LoadLibrary?and?FreeLibrary
????if?(pfnLoadLibrary?==?NULL)?
????{
????????kernel32?=?::GetModuleHandle("kernel32.dll");
????????
????????if?(?kernel32?==?NULL?)
????????{
????????????::CloseHandle(process);
????????????::CloseHandle(TokenHandle);
????????????return?false;????????????
????????}
????????
????????pfnLoadLibrary?=?(LoadLibraryPointor)GetProcAddress(kernel32,?"LoadLibraryA");
????????
????????if?(pfnLoadLibrary?==?NULL)
????????{
????????????::FreeLibrary(kernel32);
????????????::CloseHandle(process);
????????????::CloseHandle(TokenHandle);
????????????return?false;
????????}
????}
????PVOID?memory?=?::VirtualAllocEx(process,?NULL,?strlen(pszDLLPath)+1,?MEM_COMMIT,?PAGE_READWRITE);
????
????if?(?memory?==?NULL?)
????{
????????::FreeLibrary(kernel32);
????????::CloseHandle(process);
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????if?(?FALSE?==?::WriteProcessMemory(process,?memory,?(void*)pszDLLPath,?strlen(pszDLLPath)+1,?NULL)?)
????{
????????::VirtualFreeEx(process,?memory,?strlen(pszDLLPath)+1,?MEM_RELEASE);
????????::FreeLibrary(kernel32);
????????::CloseHandle(process);
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????//?Inject?dll
????DWORD?dwThreadID?=?0;
????HANDLE?hRemoteHandle?=?::CreateRemoteThread(process,?NULL,?0,?(LPTHREAD_START_ROUTINE)pfnLoadLibrary,?memory,?0,?&dwThreadID);
????if?(?hRemoteHandle?==?NULL?)?
????{
????????::VirtualFreeEx(process,?memory,?strlen(pszDLLPath)+1,?MEM_RELEASE);
????????::FreeLibrary(kernel32);
????????::CloseHandle(process);
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????::WaitForSingleObject(hRemoteHandle,?INFINITE);
????DWORD?dwReturn?=?0;
????if(?FALSE?==?::GetExitCodeThread(hRemoteHandle,?&dwReturn)?)
????{
????????::CloseHandle(hRemoteHandle);
????????::VirtualFreeEx(process,?memory,?strlen(pszDLLPath)+1,?MEM_RELEASE);
????????::FreeLibrary(kernel32);
????????::CloseHandle(process);
????????::CloseHandle(TokenHandle);
????????return?false;
????}
????::CloseHandle(hRemoteHandle);
????::VirtualFreeEx(process,?memory,?strlen(pszDLLPath)+1,?MEM_RELEASE);
????::FreeLibrary(kernel32);
????::CloseHandle(process);
????::CloseHandle(TokenHandle);
????return?true;
}
目前存在的已知問題:1. 未考慮 64 位機(jī)器
2. 未考慮 DLL 加載失敗的處理 (2010.02.05-23:38 已經(jīng) Fixed)
3. 提權(quán)后沒有恢復(fù)
一天就這么過(guò)去了~