对抗杀毒软件Kick the Heuristic Anti-virus out of the Rootkit
新客网 XKER.COM 2006-04-27 来源: 收藏本文
Recently, Some friend complained to me that their rootkit driver had been killed by anti-virus software like McAfee and Nod32.So I began to find why.
I found that these "heuristic anti-virus" based on the export function mentioned in one of Jonna's article(BTW:Give my respect to Jonna).
First I take a look at McAfee, It has a strange heuristic strategy. if it found an export symbol "KeServiceDescriptorTable" ,while it didn`t found some normal driver function like "IoCreateDevice", It report the virus. So I think the first method is to find the KeServiceDescriptorTable dynamically.
With 90210's article "A more stable way to locate real KiServiceTable"(http://www.rootkit.com/newsread.php?newsid=176) and his help, I can find the KeServiceDescriptorTable's ServiceTableBase, it is enough.(Thank you 90210).
But I find NOD32 is more restrice, it will detect ZW* function and reported your driver as virus. So I must find a more common ways to locate export functions and symbols. Fortunately I found some pieces in from SVEN B. SCHREIBER. This book is cool!! The code is here:
PVOID SpyMemoryCreate (DWORD dSize)
{
return ExAllocatePoolWithTag (PagedPool, max (dSize, 1),
SPY_TAG);
}
// -----------------------------------------------------------------
PVOID SpyMemoryDestroy (PVOID pData)
{
if (pData != NULL) ExFreePool (pData);
return NULL;
}
// ==============================================================
// MODULE INFO MANAGEMENT
// =================================================================
PMODULE_LIST SpyModuleList (PDWORD pdData,
PNTSTATUS pns)
{
DWORD dSize;
DWORD dData = 0;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PMODULE_LIST pml = NULL;
for (dSize = PAGE_SIZE; (pml == NULL) && dSize; dSize <<= 1)
{
if ((pml = SpyMemoryCreate (dSize)) == NULL)
{
ns = STATUS_NO_MEMORY;
break;
}
ns = ZwQuerySystemInformation (SystemModuleInformation,
pml, dSize, &dData);
if (ns != STATUS_SUCCESS)
{
pml = SpyMemoryDestroy (pml);
dData = 0;
if (ns != STATUS_INFO_LENGTH_MISMATCH) break;
}
}
if (pdData != NULL) *pdData = dData;
if (pns != NULL) *pns = ns;
return pml;
}
// -----------------------------------------------------------------
PMODULE_LIST SpyModuleFind (PBYTE pbModule,
PDWORD pdIndex,
PNTSTATUS pns)
{
DWORD i;
DWORD dIndex = -1;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PMODULE_LIST pml = NULL;
if ((pml = SpyModuleList (NULL, &ns)) != NULL)
{
for (i = 0; i < pml->dModules; i++)
{
if (!_stricmp (pml->aModules [i].abPath +
pml->aModules [i].wNameOffset,
pbModule))
{
dIndex = i;
break;
}
}
if (dIndex == -1)
{
pml = SpyMemoryDestroy (pml);
ns = STATUS_NO_SUCH_FILE;
}
}
if (pdIndex != NULL) *pdIndex = dIndex;
if (pns != NULL) *pns = ns;
return pml;
}
// -----------------------------------------------------------------
PVOID SpyModuleBase (PBYTE pbModule,
PNTSTATUS pns)
{
PMODULE_LIST pml;
DWORD dIndex;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PVOID pBase = NULL;
if ((pml = SpyModuleFind (pbModule, &dIndex, &ns)) != NULL)
{
pBase = pml->aModules [dIndex].pBase;
SpyMemoryDestroy (pml);
}
if (pns != NULL) *pns = ns;
return pBase;
}
// -----------------------------------------------------------------
PIMAGE_NT_HEADERS SpyModuleHeader (PBYTE pbModule,
PVOID *ppBase,
PNTSTATUS pns)
{
PVOID pBase = NULL;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PIMAGE_NT_HEADERS pinh = NULL;
if (((pBase = SpyModuleBase (pbModule, &ns)) != NULL) &&
((pinh = RtlImageNtHeader (pBase)) == NULL))
{
ns = STATUS_INVALID_IMAGE_FORMAT;
}
if (ppBase != NULL) *ppBase = pBase;
if (pns != NULL) *pns = ns;
return pinh;
}
// -----------------------------------------------------------------
PIMAGE_EXPORT_DIRECTORY SpyModuleExport (PBYTE pbModule,
PVOID *ppBase,
PNTSTATUS pns)
{
PIMAGE_NT_HEADERS pinh;
PIMAGE_DATA_DIRECTORY pidd;
PVOID pBase = NULL;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PIMAGE_EXPORT_DIRECTORY pied = NULL;
if ((pinh = SpyModuleHeader (pbModule, &pBase, &ns)) != NULL)
{
pidd = pinh->OptionalHeader.DataDirectory
+ IMAGE_DIRECTORY_ENTRY_EXPORT;
if (pidd->VirtualAddress &&
(pidd->Size >= IMAGE_EXPORT_DIRECTORY_))
{
pied = PTR_ADD (pBase, pidd->VirtualAddress);
}
else
{
ns = STATUS_DATA_ERROR;
}
}
if (ppBase != NULL) *ppBase = pBase;
if (pns != NULL) *pns = ns;
return pied;
}
// -----------------------------------------------------------------
PVOID SpyModuleSymbol (PBYTE pbModule,
PBYTE pbName,
PVOID *ppBase,
PNTSTATUS pns)
{
PIMAGE_EXPORT_DIRECTORY pied;
PDWORD pdNames, pdFunctions;
WORD *pwOrdinals;
DWORD i, j;
PVOID pBase = NULL;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PVOID pAddress = NULL;
if ((pied = SpyModuleExport (pbModule, &pBase, &ns)) != NULL)
{
pdNames = PTR_ADD (pBase, pied->AddressOfNames);
pdFunctions = PTR_ADD (pBase, pied->AddressOfFunctions);
pwOrdinals = PTR_ADD (pBase, pied->AddressOfNameOrdinals);
for (i = 0; i < pied->NumberOfNames; i++)
{
j = pwOrdinals [i];
if (!strcmp (PTR_ADD (pBase, pdNames [i]), pbName))
{
if (j < pied->NumberOfFunctions)
{
pAddress = PTR_ADD (pBase, pdFunctions [j]);
}
break;
}
}
if (pAddress == NULL)
{
ns = STATUS_PROCEDURE_NOT_FOUND;
}
}
if (ppBase != NULL) *ppBase = pBase;
if (pns != NULL) *pns = ns;
return pAddress;
}
// -----------------------------------------------------------------
PVOID SpyModuleSymbolEx (PBYTE pbSymbol,
PVOID *ppBase,
PNTSTATUS pns)
{
DWORD i;
BYTE abModule [MAXIMUM_FILENAME_LENGTH] = "ntoskrnl.exe";
PBYTE pbName = pbSymbol;
PVOID pBase = NULL;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PVOID pAddress = NULL;
for (i = 0; pbSymbol [i] && (pbSymbol [i] != '!'); i++);
if (pbSymbol [i++])
{
if (i <= MAXIMUM_FILENAME_LENGTH)
{
memcpy (abModule, pbSymbol, i);
pbName = pbSymbol + i;
}
else
{
pbName = NULL;
}
}
if (pbName != NULL)
{
pAddress = SpyModuleSymbol (abModule, pbName, &pBase, &ns);
}
if (ppBase != NULL) *ppBase = pBase;
if (pns != NULL) *pns = ns;
return pAddress;
}
So Now we can get symbol like this:
pKeServiceDescriptorTable = SpyModuleSymbolEx("KeServiceDescriptorTable", NULL, &ns);
cool!
I found that these "heuristic anti-virus" based on the export function mentioned in one of Jonna's article(BTW:Give my respect to Jonna).
First I take a look at McAfee, It has a strange heuristic strategy. if it found an export symbol "KeServiceDescriptorTable" ,while it didn`t found some normal driver function like "IoCreateDevice", It report the virus. So I think the first method is to find the KeServiceDescriptorTable dynamically.
With 90210's article "A more stable way to locate real KiServiceTable"(http://www.rootkit.com/newsread.php?newsid=176) and his help, I can find the KeServiceDescriptorTable's ServiceTableBase, it is enough.(Thank you 90210).
But I find NOD32 is more restrice, it will detect ZW* function and reported your driver as virus. So I must find a more common ways to locate export functions and symbols. Fortunately I found some pieces in from SVEN B. SCHREIBER. This book is cool!! The code is here:
PVOID SpyMemoryCreate (DWORD dSize)
{
return ExAllocatePoolWithTag (PagedPool, max (dSize, 1),
SPY_TAG);
}
// -----------------------------------------------------------------
PVOID SpyMemoryDestroy (PVOID pData)
{
if (pData != NULL) ExFreePool (pData);
return NULL;
}
// ==============================================================
// MODULE INFO MANAGEMENT
// =================================================================
PMODULE_LIST SpyModuleList (PDWORD pdData,
PNTSTATUS pns)
{
DWORD dSize;
DWORD dData = 0;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PMODULE_LIST pml = NULL;
for (dSize = PAGE_SIZE; (pml == NULL) && dSize; dSize <<= 1)
{
if ((pml = SpyMemoryCreate (dSize)) == NULL)
{
ns = STATUS_NO_MEMORY;
break;
}
ns = ZwQuerySystemInformation (SystemModuleInformation,
pml, dSize, &dData);
if (ns != STATUS_SUCCESS)
{
pml = SpyMemoryDestroy (pml);
dData = 0;
if (ns != STATUS_INFO_LENGTH_MISMATCH) break;
}
}
if (pdData != NULL) *pdData = dData;
if (pns != NULL) *pns = ns;
return pml;
}
// -----------------------------------------------------------------
PMODULE_LIST SpyModuleFind (PBYTE pbModule,
PDWORD pdIndex,
PNTSTATUS pns)
{
DWORD i;
DWORD dIndex = -1;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PMODULE_LIST pml = NULL;
if ((pml = SpyModuleList (NULL, &ns)) != NULL)
{
for (i = 0; i < pml->dModules; i++)
{
if (!_stricmp (pml->aModules [i].abPath +
pml->aModules [i].wNameOffset,
pbModule))
{
dIndex = i;
break;
}
}
if (dIndex == -1)
{
pml = SpyMemoryDestroy (pml);
ns = STATUS_NO_SUCH_FILE;
}
}
if (pdIndex != NULL) *pdIndex = dIndex;
if (pns != NULL) *pns = ns;
return pml;
}
// -----------------------------------------------------------------
PVOID SpyModuleBase (PBYTE pbModule,
PNTSTATUS pns)
{
PMODULE_LIST pml;
DWORD dIndex;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PVOID pBase = NULL;
if ((pml = SpyModuleFind (pbModule, &dIndex, &ns)) != NULL)
{
pBase = pml->aModules [dIndex].pBase;
SpyMemoryDestroy (pml);
}
if (pns != NULL) *pns = ns;
return pBase;
}
// -----------------------------------------------------------------
PIMAGE_NT_HEADERS SpyModuleHeader (PBYTE pbModule,
PVOID *ppBase,
PNTSTATUS pns)
{
PVOID pBase = NULL;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PIMAGE_NT_HEADERS pinh = NULL;
if (((pBase = SpyModuleBase (pbModule, &ns)) != NULL) &&
((pinh = RtlImageNtHeader (pBase)) == NULL))
{
ns = STATUS_INVALID_IMAGE_FORMAT;
}
if (ppBase != NULL) *ppBase = pBase;
if (pns != NULL) *pns = ns;
return pinh;
}
// -----------------------------------------------------------------
PIMAGE_EXPORT_DIRECTORY SpyModuleExport (PBYTE pbModule,
PVOID *ppBase,
PNTSTATUS pns)
{
PIMAGE_NT_HEADERS pinh;
PIMAGE_DATA_DIRECTORY pidd;
PVOID pBase = NULL;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PIMAGE_EXPORT_DIRECTORY pied = NULL;
if ((pinh = SpyModuleHeader (pbModule, &pBase, &ns)) != NULL)
{
pidd = pinh->OptionalHeader.DataDirectory
+ IMAGE_DIRECTORY_ENTRY_EXPORT;
if (pidd->VirtualAddress &&
(pidd->Size >= IMAGE_EXPORT_DIRECTORY_))
{
pied = PTR_ADD (pBase, pidd->VirtualAddress);
}
else
{
ns = STATUS_DATA_ERROR;
}
}
if (ppBase != NULL) *ppBase = pBase;
if (pns != NULL) *pns = ns;
return pied;
}
// -----------------------------------------------------------------
PVOID SpyModuleSymbol (PBYTE pbModule,
PBYTE pbName,
PVOID *ppBase,
PNTSTATUS pns)
{
PIMAGE_EXPORT_DIRECTORY pied;
PDWORD pdNames, pdFunctions;
WORD *pwOrdinals;
DWORD i, j;
PVOID pBase = NULL;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PVOID pAddress = NULL;
if ((pied = SpyModuleExport (pbModule, &pBase, &ns)) != NULL)
{
pdNames = PTR_ADD (pBase, pied->AddressOfNames);
pdFunctions = PTR_ADD (pBase, pied->AddressOfFunctions);
pwOrdinals = PTR_ADD (pBase, pied->AddressOfNameOrdinals);
for (i = 0; i < pied->NumberOfNames; i++)
{
j = pwOrdinals [i];
if (!strcmp (PTR_ADD (pBase, pdNames [i]), pbName))
{
if (j < pied->NumberOfFunctions)
{
pAddress = PTR_ADD (pBase, pdFunctions [j]);
}
break;
}
}
if (pAddress == NULL)
{
ns = STATUS_PROCEDURE_NOT_FOUND;
}
}
if (ppBase != NULL) *ppBase = pBase;
if (pns != NULL) *pns = ns;
return pAddress;
}
// -----------------------------------------------------------------
PVOID SpyModuleSymbolEx (PBYTE pbSymbol,
PVOID *ppBase,
PNTSTATUS pns)
{
DWORD i;
BYTE abModule [MAXIMUM_FILENAME_LENGTH] = "ntoskrnl.exe";
PBYTE pbName = pbSymbol;
PVOID pBase = NULL;
NTSTATUS ns = STATUS_INVALID_PARAMETER;
PVOID pAddress = NULL;
for (i = 0; pbSymbol [i] && (pbSymbol [i] != '!'); i++);
if (pbSymbol [i++])
{
if (i <= MAXIMUM_FILENAME_LENGTH)
{
memcpy (abModule, pbSymbol, i);
pbName = pbSymbol + i;
}
else
{
pbName = NULL;
}
}
if (pbName != NULL)
{
pAddress = SpyModuleSymbol (abModule, pbName, &pBase, &ns);
}
if (ppBase != NULL) *ppBase = pBase;
if (pns != NULL) *pns = ns;
return pAddress;
}
So Now we can get symbol like this:
pKeServiceDescriptorTable = SpyModuleSymbolEx("KeServiceDescriptorTable", NULL, &ns);
cool!
最新相关文章- ·身份证函数 查看身份证地区信息
- ·VS2008 第一次安装心得及使用
- ·ASP.NET 2.0跨网页提交的三法
- ·编程实例 WebGroupBox(Aspx控件)
- ·asp.net mvc脚手架代码生成工具
- ·用独立的DLL来存储图片(资源文件)
- ·ASP.NET中多国语言的实现方法
- ·实例 .net生成静态页方法总结
- ·ASP.NET控件学习笔记之ViewState
- ·用递归在TreeView价节点
- ·经验总结 关于.NET 中的Event机制
- ·.NET应用程序开发标准化(z)
- ·在DataTable中查询应该注意的问题
- ·LINQ 中调用存储过程自动绑定列名
- ·如何用.NET技术在线生成网站LOGO
- ·对于访问IIS元数据库失败的解决
发表评论
评论内容:不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
阅读排行
- Asp.net Ajax 中的脚本错误: Sys未定义 的解决方
- 身份证号码15位升18位(C#)
- asp.net ajax学习系列功能强大的UpdatePanel控件
- Web Service描述语言 WSDL 详解(1)--为什么使用WS
- Asp.Net Unleashed 2nd Edition 学习笔记 第三部
- UpdatePanel与UrlRewrite
- DataGridView 的分页处理
- 从资源文件里加载文件(C#)
- Javascript与asp.net 实现Ajax多文件无刷新上传
- 关于ASP.NET调用JavaScript的实现
- asp.net面试试题收集
- 基于ASP.NET AJAX的WebPart开发与部署
- 在VC++应用程序中读取文本数据
- Huffman 编码简介(讲解的更好一些,有C的分析)
- 技巧 .NET如何访问MySQL数据库
随机推荐
- Visual Basic .NET中的语言创新
- XML和数据库之间相互的映射
- ADO.NET 基础教程(一)
- Common ASP.NET Code Techniques (DPC&DWC Re
- ASP.NET中利用存储过程实现模糊查询
- 利用ASP.NET服务器端自定义控件实现XML文件中还原
- ASP.NET发送ICQ消息DIY
- 使用ADO.NET下的SqlBulkCopy类执行批量复制操作
- ASP.NET 2.0的异步页面刷新
- 实战 .Net 数据访问层 - 6
- 轻松加密ASP.NET 2.0 Web程序配置信息
- VB是如何做到无所不能的
- 可用来显示空值的时间选择控件3
- 解读ASP.NET TimeTracker Starter Kit(1)——数
- 整理一下运算符资料
实用信息推荐