No proactive-defense (HIPS) product can do without hooks of all kinds.
Recently I heard that Micropoint (微点) is fairly good,
so I took a look at it myself.
Version analyzed:
mp.090212.1.2.10580.0171.r1.zip    3b8b0b715a69dec10798e70c00d79d91
mp.090212.1.2.10580.0171.r1.exe    ea1c667ec4ca4d1480959971a895cf27
and then updated to today's latest version.
1. Micropoint does not hook the SSDT,
and likewise does not hook the shadow SSDT;
it uses inline hooks instead, which makes bypassing harder (though not impossible).
The following is only a subset of the hooks, the ones most easily discovered:
ntfs.sys-->ntoskrnl.exe-->MmFlushImageSection, Type: IAT modification 0xF98B6CD0 [mp110003.sys]
ntfs.sys-->ntoskrnl.exe-->IoCheckShareAccess, Type: IAT modification 0xF98B6D10 [mp110003.sys]
ntoskrnl.exe-->IoRegisterDriverReinitialization, Type: EAT modification 0x80684964 [mp110003.sys]
ntoskrnl.exe-->IofCallDriver, Type: EAT modification 0x8068434C [mp110003.sys]
ntoskrnl.exe-->KeInsertQueueApc, Type: EAT modification 0x80684B78 [mp110003.sys]
ntoskrnl.exe-->MmGetSystemRoutineAddress, Type: EAT modification 0x80684D48 [mp110003.sys]
ntoskrnl.exe-->MmUnmapViewOfSection, Type: EAT modification 0x80684E0C [mp110003.sys]
ntoskrnl.exe-->ObReferenceObjectByName, Type: EAT modification 0x80684F68 [mp110003.sys]
ntoskrnl.exe-->PsCreateSystemThread, Type: EAT modification 0x80684FEC [mp110003.sys]
ntoskrnl.exe-->PsSetCreateProcessNotifyRoutine, Type: EAT modification 0x806850EC [mp110003.sys]
ntoskrnl.exe-->PsSetCreateThreadNotifyRoutine, Type: EAT modification 0x806850F0 [mp110003.sys]
ntoskrnl.exe-->PsSetLoadImageNotifyRoutine, Type: EAT modification 0x806850FC [mp110003.sys]
2. Micropoint adds an object-hook component:
Key object-->CloseProcedure, Type: Kernel Object [mp110009.sys]
3. In user mode it hooks:
[728]lsass.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802378 [kernel32.dll]
[728]lsass.exe-->advapi32.dll-->OpenServiceW, Type: Inline - DirectCall 0x77DB6FDD [unknown_code_page]
[728]lsass.exe-->advapi32.dll-->OpenServiceA, Type: Inline - DirectCall 0x77DC4C36 [unknown_code_page]
Now for the more interesting part of Micropoint's hooks: for a function, it places an inline hook deep inside the function body, replacing the target address of a call.
Here only yas's anti-rootkit is able to identify the original function that was hooked;
IceSword can show the hook, but cannot determine the corresponding function.
Take NtSuspendThread as an arbitrary example and look at it:
805e145e 6a20 push 20h
805e1460 6850925180 push offset nt!ObWatchHandles+0x79c (80519250)
805e1465 e8d11ff0ff call nt!_SEH_prolog (804e343b)
805e146a 33db xor ebx,ebx
805e146c 895dfc mov dword ptr [ebp-4],ebx
805e146f 64a124010000 mov eax,dword ptr fs:[00000124h]
805e1475 8945d0 mov dword ptr [ebp-30h],eax
805e1478 8a8040010000 mov al,byte ptr [eax+140h]
805e147e 8845e0 mov byte ptr [ebp-20h],al
805e1481 8b750c mov esi,dword ptr [ebp+0Ch]
805e1484 3ac3 cmp al,bl
805e1486 7415 je nt!NtSuspendThread+0x3d (805e149d)
805e1488 3bf3 cmp esi,ebx
805e148a 7411 je nt!NtSuspendThread+0x3d (805e149d)
805e148c a1d40b5680 mov eax,dword ptr [nt!MmUserProbeAddress (80560bd4)]
805e1491 3bf0 cmp esi,eax
805e1493 0f83e7ad0100 jae nt!NtSuspendThread+0x37 (805fc280)
805e1499 8b06 mov eax,dword ptr [esi]
805e149b 8906 mov dword ptr [esi],eax
805e149d 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
805e14a1 53 push ebx
805e14a2 8d45e4 lea eax,[ebp-1Ch]
805e14a5 50 push eax
805e14a6 ff75e0 push dword ptr [ebp-20h]
805e14a9 ff355c245680 push dword ptr [nt!PsThreadType (8056245c)]
805e14af 6a02 push 2
805e14b1 ff7508 push dword ptr [ebp+8]
805e14b4 e8933d0501 call 8163524c
805e14b9 3bc3 cmp eax,ebx
805e14bb 7c2c jl nt!NtSuspendThread+0xb9 (805e14e9)
805e14bd 8d45dc lea eax,[ebp-24h]
805e14c0 50 push eax
805e14c1 ff75e4 push dword ptr [ebp-1Ch]
805e14c4 e82d000000 call nt!PsSuspendThread (805e14f6)
805e14c9 8bf8 mov edi,eax
805e14cb 8b4de4 mov ecx,dword ptr [ebp-1Ch]
805e14ce e87d8befff call nt!ObfDereferenceObject (804da050)
805e14d3 c745fc01000000 mov dword ptr [ebp-4],1
805e14da 3bf3 cmp esi,ebx
805e14dc 7405 je nt!NtSuspendThread+0x99 (805e14e3)
805e14de 8b45dc mov eax,dword ptr [ebp-24h]
805e14e1 8906 mov dword ptr [esi],eax
805e14e3 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
805e14e7 8bc7 mov eax,edi
805e14e9 e8881ff0ff call nt!_SEH_epilog (804e3476)
805e14ee c20800 ret 8
805e14f1 90 nop
805e14f2 90 nop
805e14b4 e8933d0501 call 8163524c
This is the hook.
Looking at it:
8163524c 55 push ebp
8163524d 8bec mov ebp,esp
8163524f 83ec10 sub esp,10h
81635252 bdc4c496f9 mov ebp,0F996C4C4h
81635257 892c24 mov dword ptr [esp],ebp
8163525a 8b6c2410 mov ebp,dword ptr [esp+10h]
8163525e c21000 ret 10h
81635261 55 push ebp
81635262 8bec mov ebp,esp
81635264 83ec10 sub esp,10h
81635267 bd24c496f9 mov ebp,0F996C424h
8163526c 892c24 mov dword ptr [esp],ebp
8163526f 8b6c2410 mov ebp,dword ptr [esp+10h]
81635273 c21000 ret 10h
81635276 55 push ebp
81635277 8bec mov ebp,esp
81635279 83ec10 sub esp,10h
8163527c bdc4c496f9 mov ebp,0F996C4C4h
81635281 892c24 mov dword ptr [esp],ebp
81635284 8b6c2410 mov ebp,dword ptr [esp+10h]
81635288 c21000 ret 10h
8163528b 55 push ebp
8163528c 8bec mov ebp,esp
8163528e 83ec10 sub esp,10h
81635291 bd10c596f9 mov ebp,0F996C510h
81635296 892c24 mov dword ptr [esp],ebp
81635299 8b6c2410 mov ebp,dword ptr [esp+10h]
8163529d c21000 ret 10h
816352a0 55 push ebp
816352a1 8bec mov ebp,esp
816352a3 83ec10 sub esp,10h
816352a6 bd80c596f9 mov ebp,0F996C580h
816352ab 892c24 mov dword ptr [esp],ebp
816352ae 8b6c2410 mov ebp,dword ptr [esp+10h]
816352b2 c21000 ret 10h
816352b5 55 push ebp
816352b6 8bec mov ebp,esp
816352b8 83ec10 sub esp,10h
816352bb bd80c596f9 mov ebp,0F996C580h
816352c0 892c24 mov dword ptr [esp],ebp
816352c3 8b6c2410 mov ebp,dword ptr [esp+10h]
816352c7 c21000 ret 10h
816352ca 55 push ebp
816352cb 8bec mov ebp,esp
816352cd 83ec10 sub esp,10h
816352d0 bd80c596f9 mov ebp,0F996C580h
816352d5 892c24 mov dword ptr [esp],ebp
816352d8 8b6c2410 mov ebp,dword ptr [esp+10h]
816352dc c21000 ret 10h
816352df 55 push ebp
816352e0 8bec mov ebp,esp
816352e2 83ec10 sub esp,10h
816352e5 bd80c596f9 mov ebp,0F996C580h
816352ea 892c24 mov dword ptr [esp],ebp
816352ed 8b6c2410 mov ebp,dword ptr [esp+10h]
816352f1 c21000 ret 10h
816352f4 55 push ebp
816352f5 8bec mov ebp,esp
816352f7 83ec10 sub esp,10h
816352fa bda2c696f9 mov ebp,0F996C6A2h
816352ff 892c24 mov dword ptr [esp],ebp
81635302 8b6c2410 mov ebp,dword ptr [esp+10h]
81635306 c21000 ret 10h
81635309 55 push ebp
8163530a 8bec mov ebp,esp
8163530c 83ec10 sub esp,10h
8163530f bd788e96f9 mov ebp,0F9968E78h
81635314 892c24 mov dword ptr [esp],ebp
81635317 8b6c2410 mov ebp,dword ptr [esp+10h]
8163531b c21000 ret 10h
As you can see, it is a neatly laid-out hook forwarding table.
Micropoint also has an interesting feature: if your driver imports any of the following functions, it points your driver's
IAT entries at Micropoint's hooks:
IoRegisterDriverReinitialization,
IofCallDriver,
KeInsertQueueApc,
MmGetSystemRoutineAddress,
MmUnmapViewOfSection,
ObReferenceObjectByName,
PsCreateSystemThread,
PsSetCreateProcessNotifyRoutine,
PsSetCreateThreadNotifyRoutine,
Overall, Micropoint's hooking is done fairly well, though it cannot be called flawless.
It has started doing object hooks, which seems fairly leading-edge?
Still, I can't say absolutely that inline hooks are better than the table approach;
of course, they do demand considerably more programming skill..
Almost forgot. There is one odd thing: Micropoint attaches to IceSword's device?
Attaching to the disk device isn't strange.. but why attach to isdrv122?
Evidently every IRP dispatch routine that the original driver did not leave as NULL goes through Micropoint.
Speechless; I have no idea what monitoring those IRPs is for.
File system and network, plus keyboard:
AttachedDevice \FileSystem\Ntfs \Ntfs mp110010.sys (mp110010/Micropoint Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip mp110006.sys (mp110006/Micropoint Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mp110006.sys (mp110006/Micropoint Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp mp110006.sys (mp110006/Micropoint Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp mp110006.sys (mp110006/Micropoint Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mp110003.sys (mp110003/Micropoint Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 mp110003.sys (mp110003/Micropoint Corporation)
[ This post was last edited by zhuwg on 2009-2-18 12:38 ]
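As an added example (not from the post and not Micropoint's own code), here is a small Python script for the forwarding table shown in the disassembly above: it parses the seven-instruction stub pattern to recover each stub's target the way an anti-rootkit tool would, and emulates one stub's stack effect to show that the sequence is just a register-preserving `jmp <target>`. The sample bytes are re-assembled from the first two stubs in the listing (8163524c and 81635261); the addresses and targets are the ones shown there.

```python
import struct

# One Micropoint forwarding stub, byte for byte as in the post's disassembly:
#   55 | 8b ec | 83 ec 10 | bd <imm32> | 89 2c 24 | 8b 6c 24 10 | c2 10 00
#   push ebp; mov ebp,esp; sub esp,10h; mov ebp,<target>; mov [esp],ebp;
#   mov ebp,[esp+10h]; ret 10h
STUB_PREFIX = bytes.fromhex("558bec83ec10bd")
STUB_SUFFIX = bytes.fromhex("892c248b6c2410c21000")
STUB_LEN = len(STUB_PREFIX) + 4 + len(STUB_SUFFIX)  # 21 bytes, the 0x15 stride seen above

# Constructed sample: the first two stubs (8163524c, 81635261) re-assembled from the listing.
SAMPLE_BASE = 0x8163524C
SAMPLE = bytes.fromhex(
    "558bec83ec10bdc4c496f9892c248b6c2410c21000"   # target 0xF996C4C4
    "558bec83ec10bd24c496f9892c248b6c2410c21000"   # target 0xF996C424
)

def parse_forwarding_table(code: bytes, base: int):
    """Walk a dump starting at `base`; return (stub_address, target) for each
    consecutive stub matching the pattern, stopping at the first mismatch."""
    entries, off = [], 0
    while off + STUB_LEN <= len(code):
        chunk = code[off:off + STUB_LEN]
        if not (chunk.startswith(STUB_PREFIX) and chunk.endswith(STUB_SUFFIX)):
            break
        (target,) = struct.unpack_from("<I", chunk, len(STUB_PREFIX))
        entries.append((base + off, target))
        off += STUB_LEN
    return entries

def simulate_stub(target: int, ebp: int = 0x11223344, ret_addr: int = 0x805E14B9):
    """Emulate the stub on a tiny 32-bit stack model to show it behaves like `jmp target`:
    control reaches `target` with ebp preserved, esp unchanged and the hooked function's
    return address still on top of the stack. Returns (eip, esp_delta, ebp, top_of_stack)."""
    stack, esp = {}, 0x1000
    stack[esp] = ret_addr            # return address pushed by `call 8163524c`
    esp -= 4; stack[esp] = ebp       # push ebp
    ebp = esp                        # mov ebp, esp
    esp -= 0x10                      # sub esp, 10h
    ebp = target                     # mov ebp, <target>
    stack[esp] = ebp                 # mov [esp], ebp
    ebp = stack[esp + 0x10]          # mov ebp, [esp+10h]  (reloads the saved ebp)
    eip = stack[esp]; esp += 4       # ret: pop target into eip ...
    esp += 0x10                      # ... and discard 10h bytes
    return eip, esp - 0x1000, ebp, stack[esp]
```

Because the stub contains no jmp/call opcode, scanners that only look for direct jumps at hooked call sites miss it; matching the byte pattern and reading the imm32 recovers the real handler, which is what the post credits yas's anti-rootkit with doing.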