对抗杀毒软件Kick the Heuristic Anti-virus out of the Rootkit

王朝other·作者佚名  2006-04-26
窄屏简体版  字體: |||超大  

By: drizt

Recently, Some friend complained to me that their rootkit driver had been killed by anti-virus software like McAfee and Nod32.So I began to find why.

I found that these "heuristic anti-virus" based on the export function mentioned in one of Jonna's article(BTW:Give my respect to Jonna).

First I take a look at McAfee, It has a strange heuristic strategy. if it found an export symbol "KeServiceDescriptorTable" ,while it didn`t found some normal driver function like "IoCreateDevice", It report the virus. So I think the first method is to find the KeServiceDescriptorTable dynamically.

With 90210's article "A more stable way to locate real KiServiceTable"(http://www.rootkit.com/newsread.php?newsid=176) and his help, I can find the KeServiceDescriptorTable's ServiceTableBase, it is enough.(Thank you 90210).

But I find NOD32 is more restrice, it will detect ZW* function and reported your driver as virus. So I must find a more common ways to locate export functions and symbols. Fortunately I found some pieces in from SVEN B. SCHREIBER. This book is cool!! The code is here:

PVOID SpyMemoryCreate (DWORD dSize)

{

return ExAllocatePoolWithTag (PagedPool, max (dSize, 1),

SPY_TAG);

}

// -----------------------------------------------------------------

PVOID SpyMemoryDestroy (PVOID pData)

{

if (pData != NULL) ExFreePool (pData);

return NULL;

}

// ==============================================================

// MODULE INFO MANAGEMENT

// =================================================================

PMODULE_LIST SpyModuleList (PDWORD pdData,

PNTSTATUS pns)

{

DWORD dSize;

DWORD dData = 0;

NTSTATUS ns = STATUS_INVALID_PARAMETER;

PMODULE_LIST pml = NULL;

for (dSize = PAGE_SIZE; (pml == NULL) && dSize; dSize <<= 1)

{

if ((pml = SpyMemoryCreate (dSize)) == NULL)

{

ns = STATUS_NO_MEMORY;

break;

}

ns = ZwQuerySystemInformation (SystemModuleInformation,

pml, dSize, &dData);

if (ns != STATUS_SUCCESS)

{

pml = SpyMemoryDestroy (pml);

dData = 0;

if (ns != STATUS_INFO_LENGTH_MISMATCH) break;

}

}

if (pdData != NULL) *pdData = dData;

if (pns != NULL) *pns = ns;

return pml;

}

// -----------------------------------------------------------------

PMODULE_LIST SpyModuleFind (PBYTE pbModule,

PDWORD pdIndex,

PNTSTATUS pns)

{

DWORD i;

DWORD dIndex = -1;

NTSTATUS ns = STATUS_INVALID_PARAMETER;

PMODULE_LIST pml = NULL;

if ((pml = SpyModuleList (NULL, &ns)) != NULL)

{

for (i = 0; i < pml->dModules; i++)

{

if (!_stricmp (pml->aModules [i].abPath +

pml->aModules [i].wNameOffset,

pbModule))

{

dIndex = i;

break;

}

}

if (dIndex == -1)

{

pml = SpyMemoryDestroy (pml);

ns = STATUS_NO_SUCH_FILE;

}

}

if (pdIndex != NULL) *pdIndex = dIndex;

if (pns != NULL) *pns = ns;

return pml;

}

// -----------------------------------------------------------------

PVOID SpyModuleBase (PBYTE pbModule,

PNTSTATUS pns)

{

PMODULE_LIST pml;

DWORD dIndex;

NTSTATUS ns = STATUS_INVALID_PARAMETER;

PVOID pBase = NULL;

if ((pml = SpyModuleFind (pbModule, &dIndex, &ns)) != NULL)

{

pBase = pml->aModules [dIndex].pBase;

SpyMemoryDestroy (pml);

}

if (pns != NULL) *pns = ns;

return pBase;

}

// -----------------------------------------------------------------

PIMAGE_NT_HEADERS SpyModuleHeader (PBYTE pbModule,

PVOID *ppBase,

PNTSTATUS pns)

{

PVOID pBase = NULL;

NTSTATUS ns = STATUS_INVALID_PARAMETER;

PIMAGE_NT_HEADERS pinh = NULL;

if (((pBase = SpyModuleBase (pbModule, &ns)) != NULL) &&

((pinh = RtlImageNtHeader (pBase)) == NULL))

{

ns = STATUS_INVALID_IMAGE_FORMAT;

}

if (ppBase != NULL) *ppBase = pBase;

if (pns != NULL) *pns = ns;

return pinh;

}

// -----------------------------------------------------------------

PIMAGE_EXPORT_DIRECTORY SpyModuleExport (PBYTE pbModule,

PVOID *ppBase,

PNTSTATUS pns)

{

PIMAGE_NT_HEADERS pinh;

PIMAGE_DATA_DIRECTORY pidd;

PVOID pBase = NULL;

NTSTATUS ns = STATUS_INVALID_PARAMETER;

PIMAGE_EXPORT_DIRECTORY pied = NULL;

if ((pinh = SpyModuleHeader (pbModule, &pBase, &ns)) != NULL)

{

pidd = pinh->OptionalHeader.DataDirectory

+ IMAGE_DIRECTORY_ENTRY_EXPORT;

if (pidd->VirtualAddress &&

(pidd->Size >= IMAGE_EXPORT_DIRECTORY_))

{

pied = PTR_ADD (pBase, pidd->VirtualAddress);

}

else

{

ns = STATUS_DATA_ERROR;

}

}

if (ppBase != NULL) *ppBase = pBase;

if (pns != NULL) *pns = ns;

return pied;

}

// -----------------------------------------------------------------

PVOID SpyModuleSymbol (PBYTE pbModule,

PBYTE pbName,

PVOID *ppBase,

PNTSTATUS pns)

{

PIMAGE_EXPORT_DIRECTORY pied;

PDWORD pdNames, pdFunctions;

WORD *pwOrdinals;

DWORD i, j;

PVOID pBase = NULL;

NTSTATUS ns = STATUS_INVALID_PARAMETER;

PVOID pAddress = NULL;

if ((pied = SpyModuleExport (pbModule, &pBase, &ns)) != NULL)

{

pdNames = PTR_ADD (pBase, pied->AddressOfNames);

pdFunctions = PTR_ADD (pBase, pied->AddressOfFunctions);

pwOrdinals = PTR_ADD (pBase, pied->AddressOfNameOrdinals);

for (i = 0; i < pied->NumberOfNames; i++)

{

j = pwOrdinals [i];

if (!strcmp (PTR_ADD (pBase, pdNames [i]), pbName))

{

if (j < pied->NumberOfFunctions)

{

pAddress = PTR_ADD (pBase, pdFunctions [j]);

}

break;

}

}

if (pAddress == NULL)

{

ns = STATUS_PROCEDURE_NOT_FOUND;

}

}

if (ppBase != NULL) *ppBase = pBase;

if (pns != NULL) *pns = ns;

return pAddress;

}

// -----------------------------------------------------------------

PVOID SpyModuleSymbolEx (PBYTE pbSymbol,

PVOID *ppBase,

PNTSTATUS pns)

{

DWORD i;

BYTE abModule [MAXIMUM_FILENAME_LENGTH] = "ntoskrnl.exe";

PBYTE pbName = pbSymbol;

PVOID pBase = NULL;

NTSTATUS ns = STATUS_INVALID_PARAMETER;

PVOID pAddress = NULL;

for (i = 0; pbSymbol [i] && (pbSymbol [i] != '!'); i++);

if (pbSymbol [i++])

{

if (i <= MAXIMUM_FILENAME_LENGTH)

{

memcpy (abModule, pbSymbol, i);

pbName = pbSymbol + i;

}

else

{

pbName = NULL;

}

}

if (pbName != NULL)

{

pAddress = SpyModuleSymbol (abModule, pbName, &pBase, &ns);

}

if (ppBase != NULL) *ppBase = pBase;

if (pns != NULL) *pns = ns;

return pAddress;

}

So Now we can get symbol like this:

pKeServiceDescriptorTable = SpyModuleSymbolEx("KeServiceDescriptorTable", NULL, &ns);

cool!

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航