HRSword_v5.0.1.1 sysdiag.sys
HRSword_v5.0.1.1 sysdiag.sys
sysdiag.sys 通过rsa 验证验证用户层程序
__int64 __fastcall check_file_140031E40(
_UNICODE_STRING *path,
unsigned __int64 *fsize,
_QWORD *a3,
_DWORD *a4,
void *p_index,
__int64 sha1_digest)
{
_DWORD *p_index_1; // r14
WCHAR *v11; // rcx
unsigned int v13; // ebx
struct _IO_STATUS_BLOCK IoStatusBlock; // [rsp+60h] [rbp-48h] BYREF
struct _OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+70h] [rbp-38h] BYREF
p_index_1 = p_index;
*fsize = 0i64;
*a3 = 0i64;
*a4 = 0;
*p_index_1 = 0xFFFFFFFF;
if ( path->Length > 8u )
{
v11 = &path->Buffer[(unsigned __int64)path->Length >> 1];
if ( v11[-4u] == '.' && (v11[-3u] | 0x20) == 'e' && (v11[-2u] | 0x20) == 'x' && (v11[-1u] | 0x20) == 'e' )
*a4 |= 0x10u;
}
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Length = 0x30;
ObjectAttributes.Attributes = 0x200;
ObjectAttributes.ObjectName = path;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
if ( ZwCreateFile(&p_index, 0x80100000, &ObjectAttributes, &IoStatusBlock, 0i64, 0x80u, 3u, 1u, 0x60u, 0i64, 0) < 0 )
return 0xFFFFFFF3i64;
v13 = check_140031810(p_index, fsize, a3, a4, (__int64)p_index_1, sha1_digest);
ZwClose(p_index);
return v13;
}
__int64 __fastcall check_140031810(
HANDLE Handle,
unsigned __int64 *fsize,
_QWORD *a3,
_DWORD *a4,
__int64 big_numb_index,
__int64 sha1_digest)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v8 = 0xFFFFFFEA;
if ( ZwQueryInformationFile(Handle, &IoStatusBlock, &FileInformation, 0x28u, FileBasicInformation) >= 0 )
{
FileAttributes = FileInformation.FileAttributes;
if ( (FileInformation.FileAttributes & 4) != 0 )
*a4 |= 1u;
if ( (FileAttributes & 2) != 0 )
*a4 |= 2u;
}
if ( ZwQueryInformationFile(Handle, &IoStatusBlock, &FileInformation_, 0x18u, FileStandardInformation) < 0 )
return 0xFFFFFFF2i64;
Length = FileInformation_.EndOfFile;
*fsize = FileInformation_.EndOfFile.QuadPart;
if ( Length.QuadPart < 0x40ui64 )
return 0xFFFFFFF8i64;
if ( Length.QuadPart > 0x4000000ui64 )
Length.QuadPart = 0x4000000i64;
v13 = 0;
sec = 0i64;
sec_end = 0;
filedata = (__int64)xalloc_140009B80(NonPagedPool, Length.QuadPart, 0);
filedata_1 = (void *)filedata;
if ( filedata )
{
if ( ZwReadFile(Handle, 0i64, 0i64, 0i64, &IoStatusBlock, (PVOID)filedata, Length.LowPart, 0i64, 0i64) >= 0 )
{
ZwWaitForSingleObject(Handle, 0, 0i64);
if ( Length.QuadPart <= 0x1000000ui64 )
{
sha1_init_140008E40(&Dst);
sha1_update_1400090C0(&Dst, (void *)filedata, Length.QuadPart);
sha1_final_140008D50(&Dst, sha1_digest);
}
if ( *(_WORD *)filedata == 0x5A4D
&& (nt_header = (_IMAGE_NT_HEADERS64 *)*(unsigned int *)(filedata + 0x3C),
(unsigned int)nt_header < Length.LowPart)
&& (nt_header_1 = (unsigned int)nt_header,
(unsigned __int64)&nt_header->OptionalHeader.DataDirectory[0xE] <= Length.LowPart)
&& *(_DWORD *)((unsigned int)nt_header + filedata) == 0x4550
&& ((n0x20B = *(_WORD *)((unsigned int)nt_header + filedata + offsetof(_IMAGE_NT_HEADERS64, OptionalHeader)),
n0x20B != 0x20B)
|| (unsigned __int64)(unsigned int)nt_header + 0x108 <= Length.LowPart) )
{
// DWORD CheckSum
*(_DWORD *)((unsigned int)nt_header + filedata + 0x58) = 0;
if ( n0x20B == 0x20B )
{
// x64
if ( *(_DWORD *)((unsigned int)nt_header + filedata + 0x98)
&& *(_DWORD *)((unsigned int)nt_header + filedata + 0x9C) )
{
*a4 |= 8u;
}
if ( *(_DWORD *)((unsigned int)nt_header + filedata + 0xA8)
&& *(_DWORD *)((unsigned int)nt_header + filedata + 0xAC) )
{
*a4 |= 4u;
}
if ( *(_DWORD *)((unsigned int)nt_header + filedata + 0xF8)
&& *(_DWORD *)((unsigned int)nt_header + filedata + 0xFC) )
{
*a4 |= 0x20u;
}
else if ( *(_DWORD *)((unsigned int)nt_header + filedata + 8) == 0x2A425E19 )
{
*a4 |= 0x40u;
}
else if ( *(_DWORD *)(filedata + 0x3C) == 0x80 && *(_BYTE *)((unsigned int)nt_header + filedata + 0x1A) == 2 )
{
*a4 |= 0x100u;
}
// struct IMAGE_DATA_DIRECTORY Security
*(_QWORD *)((unsigned int)nt_header + filedata + 0xA8) = 0i64;
}
else
{
// x86
if ( *(_DWORD *)((unsigned int)nt_header + filedata + 0x88)
&& *(_DWORD *)((unsigned int)nt_header + filedata + 0x8C) )
{
*a4 |= 8u;
}
if ( *(_DWORD *)((unsigned int)nt_header + filedata + 0x98)
&& *(_DWORD *)((unsigned int)nt_header + filedata + 0x9C) )
{
*a4 |= 4u;
}
// struct IMAGE_DATA_DIRECTORY COMRuntimedescriptor
if ( *(_DWORD *)((unsigned int)nt_header + filedata + 0xE8)
&& *(_DWORD *)((unsigned int)nt_header + filedata + 0xEC) )
{
*a4 |= 0x20u;
// struct IMAGE_DATA_DIRECTORY Security
*(_QWORD *)((unsigned int)nt_header + filedata + 0x98) = 0i64;
}
// time_t TimeDateStamp
else if ( *(_DWORD *)((unsigned int)nt_header + filedata + 8) == 0x2A425E19 )
{
*a4 |= 0x40u;
// struct IMAGE_DATA_DIRECTORY Security
*(_QWORD *)((unsigned int)nt_header + filedata + 0x98) = 0i64;
}
else
{
if ( *(_DWORD *)(filedata + 0x3C) == 0x80 && *(_BYTE *)((unsigned int)nt_header + filedata + 0x1A) == 2 )
*a4 |= 0x100u;
// struct IMAGE_DATA_DIRECTORY Security
*(_QWORD *)((unsigned int)nt_header + filedata + 0x98) = 0i64;
}
}
// WORD SizeOfOptionalHeader
hd_size = (unsigned int)*(unsigned __int16 *)((unsigned int)nt_header + filedata + 0x14)
+ *(_DWORD *)(filedata + 0x3C)
+ 0x18;
if ( (unsigned int)hd_size < Length.LowPart )
{
// WORD NumberOfSections
NumberOfSections = *(unsigned __int16 *)((unsigned int)nt_header + filedata + 6);
v22 = 0x28 * NumberOfSections;
LowPart = hd_size + 0x28 * NumberOfSections;
if ( LowPart < Length.LowPart )
{
sec_1 = filedata + hd_size;
if ( (unsigned int)NumberOfSections <= 3
&& LowPart + 0x1D < Length.LowPart
// MSVBVM60.DLL
&& *(_QWORD *)(v22 + sec_1 + 0x10) == '06MVBVSM'
&& *(_DWORD *)(v22 + sec_1 + 0x18) == 'LLD.'
&& !*(_BYTE *)(v22 + sec_1 + 0x1C) )
{
*a4 |= 0x80u;
}
v8 = 0;
if ( *(_WORD *)(nt_header_1 + filedata + 6) )
{
ptr = (DWORD *__shifted(_IMAGE_SECTION_HEADER,0x10))(sec_1 + 0x10);
sec_count = *(unsigned __int16 *)(nt_header_1 + filedata + 6);
do
{
if ( ADJ(ptr)->SizeOfRawData + ADJ(ptr)->PointerToRawData > sec_end )
{
sec_end = ADJ(ptr)->SizeOfRawData + ADJ(ptr)->PointerToRawData;
sec = sec_1;
}
sec_1 += 0x28i64;
ptr += 0xA;
--sec_count;
}
while ( sec_count );
if ( sec )
{
*a3 = sec_end;
if ( sec_end > Length.LowPart || *(_DWORD *)(sec + 0x10) < 0x94u )
goto LABEL_90;
n0x20 = 0;
// 0D 90 0D 90 0D 90 0D 90 0D 90 0D 90 0D 90 0D 90
si128 = _mm_load_si128(&stru_140042EA0);
exdata = (const __m128i *)(sec_end + filedata - 0x84);
exdata_1 = exdata;
do
{
v31 = _mm_loadu_si128(exdata_1);
exdata_1 += 2;
n0x20 += 8;
exdata_1[-2] = _mm_xor_si128(v31, si128);
exdata_1[-1] = _mm_xor_si128(si128, _mm_loadu_si128(exdata_1 + 0xFFFFFFFF));
}
while ( n0x20 < 0x20 );
if ( n0x20 < 0x21 )
{
v32 = &exdata->m128i_i32[n0x20];
do
{
*v32++ ^= 0x900D900D;
++n0x20;
}
while ( n0x20 < 0x21 );
}
if ( RtlCompareMemory(exdata, "HRBR", 4ui64) != 4 )
goto LABEL_90;
n4 = 0;
v34 = exdata + 0xFFFFFFFF;
do
{
v35 = _mm_loadu_si128(v34++);
n4 += 4;
v34[0xFFFFFFFFi64] = _mm_xor_si128(si128, v35);
}
while ( n4 < 4 );
// -0x10
// 48 52 4F 48 00 00 00 00 E6 D2 E2 5E 00 00 00 00
// 48 52 42 52
if ( RtlCompareMemory(&exdata[0xFFFFFFFF], "HROH", 4ui64) == 4 )
{
n4_1 = 0;
v37 = exdata + 0xFFFFFFFF;
do
{
v38 = _mm_loadu_si128(v37);
n4_1 += 4;
++v37;
v37[0xFFFFFFFFi64] = _mm_xor_si128(v38, si128);
}
while ( n4_1 < 4 );
sha1_init_140008E40(&Dst);
filedata_1 = (void *)filedata;
sha1_update_1400090C0(&Dst, (void *)filedata, sec_end - 0x84i64);
sha1_final_140008D50(&Dst, sha1_digest_1);// 23AD3786BF864607C38AE4903F4156075A7EE351
if ( big_number_14004FC88[0] )
{
v39 = 0i64;
N_big_number_14004FC88 = big_number_14004FC88;
while ( 1 )
{
v8 = rsa_140006F20(
Source2,
&v42,
(__int64)exdata->m128i_i64 + 4,
((unsigned int)(unsigned __int16)**N_big_number_14004FC88 + 7) >> 3,
(__int64)*N_big_number_14004FC88);
if ( v8 >= 0 && RtlCompareMemory(sha1_digest_1, Source2, 0x14ui64) == 0x14 )
break;
++v39;
++v13;
N_big_number_14004FC88 = &big_number_14004FC88[v39];
if ( !*N_big_number_14004FC88 )
goto LABEL_91;
}
*(_DWORD *)big_numb_index = v13;
}
}
else
{
LABEL_90:
filedata_1 = (void *)filedata;
}
}
}
}
}
}
else
{
v8 = 0xFFFFFFF8;
}
}
else
{
v8 = 0xFFFFFFF2;
}
LABEL_91:
memset(filedata_1, 0, Length.LowPart);
x_free_withtag_140009A60(filedata_1, 0);
}
else
{
return 0xFFFFFFF4;
}
return (unsigned int)v8;
}
py
from datetime import datetime
import hashlib
import os
from Crypto.Util.number import long_to_bytes,bytes_to_long
import lief
def parse_pe(filepath):
if not os.path.exists(filepath):
print(f'[!]{filepath} not exists!')
return None,None
print('[#]',filepath)
# Using filepath
pe: lief.PE.Binary = lief.PE.parse(filepath)
sec_end=0
for sec in pe.sections:
end=sec.pointerto_raw_data+sec.sizeof_raw_data
if end>sec_end:
sec_end=end
if pe.optional_header.magic==lief.PE.PE_TYPE.PE32_PLUS:
# x64
t:lief.PE.DataDirectory=pe.data_directories[lief.PE.DataDirectory.TYPES.CERTIFICATE_TABLE]
if t.has_section:
t.rva=0
t.size=0
else:
t:lief.PE.DataDirectory=pe.data_directories[lief.PE.DataDirectory.TYPES.CLR_RUNTIME_HEADER]
if t.has_section:
t.rva=0
t.size=0
t:lief.PE.DataDirectory=pe.data_directories[lief.PE.DataDirectory.TYPES.CERTIFICATE_TABLE]
if t.has_section :
t.rva=0
t.size=0
pe.dos_header.copy()
print('[-]sec_end:',hex(sec_end))
pe.optional_header.checksum=0
builder_config = lief.PE.Builder.config_t()
builder_config.imports = False
builder_config.exports=False
builder_config.debug=False
builder_config.relocations=False
builder_config.resources=False
builder_config.load_configuration=False
builder_config.overlay=True
out=pe.write_to_bytes(builder_config)
magic1=out[sec_end-0x84:sec_end-0x80]
if magic1!=bytes.fromhex('45 C2 4F C2'):# xor(0d 90) =='HRBR'
print('[!]no HRBR !')
return None,None
magic2=out[sec_end-0x84-0x10:sec_end-0x84]
if magic2[:4]!=bytes.fromhex('45 C2 42 D8'):#xor(0d 90) =='HROH'
print('[!]no HROH !')
return None,None
xkey=b'\x0d\x90'
temp=bytearray(magic2[8:0xc])
for i in range(len(temp)):
temp[i]^=xkey[i%2]
time_t=int.from_bytes(temp,'little')
dt_local = datetime.fromtimestamp(time_t)
print(f'[+]??compile time:{dt_local}')
fhash=hashlib.sha1(out[:sec_end-0x84]).digest()
print('[+]original_file sha1:',fhash.hex())
return out[sec_end-0x84:sec_end],fhash
def rsa_pubk_check(n:int,sigdata:bytes,e=65537):
out=pow(bytes_to_long(sigdata),e,n)
# bs=out.to_bytes(0x80,'little')
bs=long_to_bytes(out)
print('[-]rsa pubkey_enc:',bs.hex())
print('[-]rsa verify:',bs[-0x14:].hex())
return bs[-0x14:]
def test():
# filepath=r'D:\work\HRSword_v5.0.1.1\HRSword.exe'
filepath=r'D:\work\HRSword_v5.0.1.1\Drivers\x64\usysdiag.exe'
exdata,fsha1=parse_pe(filepath)
if not exdata or not fsha1:
print('[!]file error!')
return
#exdata=exdata[-0x84:]
sigdata=bytearray(exdata[4:])
xkey=b'\x0d\x90'
for i in range(len(sigdata)):
sigdata[i]^=xkey[i%2]
'''
.data:000000014004FC88 big_number_14004FC88 dq offset word_14004F960
.data:000000014004FC88 ; DATA XREF: check_140031810+54F↑r
.data:000000014004FC88 ; check_140031810+55C↑o
.data:000000014004FC90 dq offset word_14004FA70
.data:000000014004FC98 dq offset word_14004FB80
.data:000000014004F960 word_14004F960 dw 400h ; DATA XREF: .data:big_number_14004FC88↓o
.data:000000014004F962 dd 8C9F28B4h, 199F8348h, 83C1A539h, 0E0D8A4FDh, 261E4FAFh
.data:000000014004F962 dd 464E7C9Bh, 376478BDh, 4D0CB7F7h, 0E184097Dh, 76AD71A2h
.data:000000014004F962 dd 46AC9AEAh, 0CF88B884h, 0E8B311D8h, 8F04CD7Fh, 0C3ED34C2h
.data:000000014004F962 dd 0EE311D10h, 0D10C6F11h, 0A2857C20h, 2AD2E3A0h, 2E461CA1h
.data:000000014004F962 dd 1F27DD65h, 681BAE86h, 32583D14h, 0EA7132A3h, 7AD342A4h
.data:000000014004F962 dd 0B44FDF62h, 60CDEF6Bh, 68444DD0h, 72242F40h, 0C7940BBCh
.data:000000014004F962 dd 21628254h, 0B980C5A0h
.data:000000014004F9E2 dd 1Fh dup(0), 1000100h
.data:000000014004FA70 word_14004FA70 dw 400h ; DATA XREF: .data:000000014004FC90↓o
.data:000000014004FA72 dd 35B0A0ACh, 0A24D575Ch, 4509F3AFh, 88205D44h, 7FC2194Dh
.data:000000014004FA72 dd 0EA49EF2Ah, 56788ADDh, 663F907Eh, 5A3F34E9h, 0C1123ED8h
.data:000000014004FA72 dd 58F331FFh, 65859D7Ch, 0AA09D08Ch, 29B49931h, 357766Bh
.data:000000014004FA72 dd 9FE04EB4h, 59E42792h, 0CC65FCC9h, 47AEAFDDh, 0A40D090Bh
.data:000000014004FA72 dd 3CBB17D3h, 85757830h, 3F526905h, 3B9ED70Ch, 0D02C50DAh
.data:000000014004FA72 dd 3814A6B8h, 5DBA0B63h, 0EF7AEFD9h, 0D1AD9DF6h, 2270BC16h
.data:000000014004FA72 dd 156C8EB9h, 3589E2FFh
.data:000000014004FAF2 dd 1Fh dup(0), 1000100h
.data:000000014004FB80 word_14004FB80 dw 400h ; DATA XREF: .data:000000014004FC98↓o
.data:000000014004FB82 dd 0EFC0EEAFh, 19B7CB09h, 1E26527Ah, 9C9A1D72h, 0FB4D76FEh
.data:000000014004FB82 dd 9FB11476h, 0B6F67B1Ah, 4EB74E28h, 63B5ED3Dh, 0FAFDFD49h
.data:000000014004FB82 dd 0B0B73BB9h, 0E32F3A01h, 0BBE367A8h, 136B78CCh, 0B64D4D3Bh
.data:000000014004FB82 dd 0DD3FCAA8h, 274E8CE5h, 8B8657B0h, 0F45A4F4Fh, 25B83359h
.data:000000014004FB82 dd 2B3A299Bh, 5FDC8311h, 0FD226D59h, 7959C75Ah, 0ACCB1B3h
.data:000000014004FB82 dd 0FAD1FAACh, 0D062B4ADh, 908CF9Fh, 0F211729Ah, 0A61485h
.data:000000014004FB82 dd 8FE2B384h, 0FB88F57Bh
.data:000000014004FC02 dd 1Fh dup(0), 1000100h
'''
n1=bytes_to_long(bytes.fromhex('B4289F8C48839F1939A5C183FDA4D8E0AF4F1E269B7C4E46BD786437F7B70C4D7D0984E1A271AD76EA9AAC4684B888CFD811B3E87FCD048FC234EDC3101D31EE116F0CD1207C85A2A0E3D22AA11C462E65DD271F86AE1B68143D5832A33271EAA442D37A62DF4FB46BEFCD60D04D4468402F2472BC0B94C754826221A0C580B9'))
# print(n1)
n2=bytes_to_long(bytes.fromhex('ACA0B0355C574DA2AFF30945445D20884D19C27F2AEF49EADD8A78567E903F66E9343F5AD83E12C1FF31F3587C9D85658CD009AA3199B4296B765703B44EE09F9227E459C9FC65CCDDAFAE470B090DA4D317BB3C307875850569523F0CD79E3BDA502CD0B8A61438630BBA5DD9EF7AEFF69DADD116BC7022B98E6C15FFE28935'))
# print(n2)
n3=bytes_to_long(bytes.fromhex('AFEEC0EF09CBB7197A52261E721D9A9CFE764DFB7614B19F1A7BF6B6284EB74E3DEDB56349FDFDFAB93BB7B0013A2FE3A867E3BBCC786B133B4D4DB6A8CA3FDDE58C4E27B057868B4F4F5AF45933B8259B293A2B1183DC5F596D22FD5AC75979B3B1CC0AACFAD1FAADB462D09FCF08099A7211F28514A60084B3E28F7BF588FB'))
# print(n3)
n=[n1,n2,n3]
for i, x in enumerate(n) :
out=rsa_pubk_check(x,sigdata)
if out==fsha1:
print(f'[{i}]####ok####')
break
pass
if __name__=='__main__':
test()
pass
'''
[#] D:\work\HRSword_v5.0.1.1\Drivers\x64\usysdiag.exe
[-]sec_end: 0x71000
[+]??compile time:2020-05-15 14:18:59
[+]original_file sha1: be4dfc886e42105a3039513d9dcf664c9451dc78
[-]rsa pubkey_enc: 01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00be4dfc886e42105a3039513d9dcf664c9451dc78
[-]rsa verify: be4dfc886e42105a3039513d9dcf664c9451dc78
[0]####ok####
'''
killprocess
device L"\??\HR::ActMon"
//NTSTATUS __stdcall ActMon_control_14000BC30(void *a1, _DEVICE_OBJECT *DeviceObject, _IRP *Irp)
case 0x2200B8u:
if ( !SystemBuffer || (unsigned int)InputBufferLength < 0x10 || OutputBufferLength < 0x10 )
return Complete_14000A990(Irp, v7, OutputBufferLength_1);
*(_DWORD *)(SystemBuffer + 8) = j_kill_process_140025A70(*(void **)SystemBuffer);
__int64 __fastcall kill_process_140025A70(void *pid)
{
NTSTATUS v1; // ebx
BOOL v3; // ebx
PEPROCESS Process; // [rsp+58h] [rbp+10h] BYREF
HANDLE ProcessHandle; // [rsp+60h] [rbp+18h] BYREF
if ( PsLookupProcessByProcessId(pid, &Process) < 0 || !Process )
return 0xFFFFFFF2i64;
v1 = ObOpenObjectByPointer(Process, 0x200u, 0i64, 0, (POBJECT_TYPE)PsProcessType, 0, &ProcessHandle);
ObfDereferenceObject(Process);
if ( v1 < 0 )
return 0xFFFFFFF2i64;
v3 = ZwTerminateProcess(ProcessHandle, 0) >= 0;
ZwClose(ProcessHandle);
return (unsigned int)(v3 - 1);
}
ps
利用思路:
- 1、创建调试进程,目标为可通过验证的huorong程序,(如:HRSword.exe、usysdiag.exe)
- 2、远程分配内存,写入shellcode
- 3、线程劫持,(GetThreadContext、SetThreadContext)
- 4、在目标进程下执行DeviceIoControl
仅作演示
浙公网安备 33010602011771号