This post was last edited by lifan88 on 2019-9-7 21:13
OP, please pin this!
Key to the operation names:
REG_openkey: open a registry key
REG_getval: read a registry value
FILE_open: open a file
FILE_touch: create a file
FILE_truncate: truncate a file
FILE_write: write to a file
SYS_load_kmod: load a kernel module
NET_connect: open a network connection
NET_send: send a packet
NET_http: HTTP request
REG_mkkey: create a registry key
REG_setval: set a registry value
Operations that can be captured once the driver is loaded:
17:00:13:776, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
17:00:13:776, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
17:00:13:776, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
17:00:13:776, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
17:00:13:776, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
17:00:13:776, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:776, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:776, System, 4:256, 0, FILE_open, C:\Users\j8qq_000\Desktop\0Q0.sys, access:0x00000020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
17:00:13:819, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\0Q0.sys, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
17:00:13:819, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\0Q0.sys, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
17:00:13:819, System, 4:256, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
17:00:13:819, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:843, System, 4:256, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
17:00:13:859, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x000F003F , 0x00000000 [操作成功完成。 ],
17:00:13:859, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:859, System, 4:256, 0, FILE_open, C:\Users\j8qq_000\Desktop\0Q0.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_open, C:\Users\j8qq_000\Desktop\0Q0.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wjxpuimmx, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wjxpuimmx, access:0x000F003F , 0xC0000034 [系统找不到指定的文件。 ],
17:00:13:865, System, 4:256, 0, FILE_touch, C:\Windows\System32\drivers\wjxpuimmx.sys, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_truncate, C:\Windows\System32\drivers\wjxpuimmx.sys, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_write, C:\Windows\System32\drivers\wjxpuimmx.sys, offset:0x00000000 datalen:0x00022618 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_modified, C:\Windows\System32\drivers\wjxpuimmx.sys, , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk, access:0x000F003F , 0xC0000034 [系统找不到指定的文件。 ],
17:00:13:865, System, 4:256, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
17:00:13:865, System, 4:256, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys, access:0x000F003F , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\DisplayName, type:0x00000001 datalen:28 data:'69 78 7A 62 6C 66 7A 73 6B 2E 73 79 73 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\ErrorControl, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\ImagePath, type:0x00000001 datalen:92 data:'5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 ' , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\Group, type:0x00000001 datalen:8 data:'54 44 49 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_touch, C:\Windows\System32\drivers\ixzblfzsk.sys, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_truncate, C:\Windows\System32\drivers\ixzblfzsk.sys, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_write, C:\Windows\System32\drivers\ixzblfzsk.sys, offset:0x00000000 datalen:0x00001E20 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_modified, C:\Windows\System32\drivers\ixzblfzsk.sys, , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:3416, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
17:00:13:865, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:3416, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, access:0x000F003F , 0x00000000 [操作成功完成。 ],
17:00:13:865, 加驱用.exe, 804:1060, 804, SYS_load_kmod, C:\Users\j8qq_000\Desktop\0Q0.sys, , 0x00000000 [操作成功完成。 ],
The above are the file and registry preparation steps; what follows is the functionality the rootkit itself implements
17:01:14:537, System, 4:3416, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
17:01:14:537, System, 4:3416, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters, access:0x00020019 , 0x00000000 [操作成功完成。 ],
17:01:14:537, System, 4:3416, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname, type:0x00000001 datalen:8 data:'68 00 68 00 68 00 00 00 ' , 0x00000000 [操作成功完成。 ],
17:01:14:537, System, 4:3416, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
17:01:14:537, System, 4:3416, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:36 data:'4C E8 01 00 00 01 00 00 00 00 00 00 04 73 79 74 ' , 0x00000000 [操作成功完成。 ],
17:01:14:599, System, 4:3416, 0, REG_mkkey, HKEY_LOCAL_MACHINE\SOFTWARE\PCID, access:0x000F003F , 0x00000000 [操作成功完成。 ],
17:01:14:599, System, 4:3416, 0, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\PCID\id, type:0x00000001 datalen:76 data:'7B 35 38 66 66 64 31 61 31 2D 64 31 34 63 2D 31 ' , 0x00000000 [操作成功完成。 ],
17:01:14:599, System, 4:3416, 0, NET_connect, 103.97.228.94:8019, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
17:01:14:634, System, 4:3416, 0, NET_http, syte.xudaowang.com:8019/no008/jspc.ashx, protocol:(TCP)0 cmd:'POST' datalen:220 , 0x00000000 [操作成功完成。 ],
17:01:14:634, System, 4:3416, 0, NET_send, 103.97.228.94:8019, protocol:(TCP)0 datalen:220 data:'50 4F 53 54 20 2F 6E 6F 30 30 38 2F 6A 73 70 63 ' , 0x00000000 [操作成功完成。 ],
17:01:15:321, System, 4:3416, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
17:01:15:321, System, 4:3416, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:37 data:'4C E8 01 00 00 01 00 00 00 00 00 00 05 73 79 74 ' , 0x00000000 [操作成功完成。 ],
17:01:15:337, System, 4:3416, 0, NET_connect, 103.97.228.94:8020, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
17:01:15:368, System, 4:3416, 0, NET_http, sytqq.xudaowang.com:8020/HelloWorld.html, protocol:(TCP)0 cmd:'GET' datalen:162 , 0x00000000 [操作成功完成。 ],
17:01:15:368, System, 4:3416, 0, NET_send, 103.97.228.94:8020, protocol:(TCP)0 datalen:162 data:'47 45 54 20 2F 48 65 6C 6C 6F 57 6F 72 6C 64 2E ' , 0x00000000 [操作成功完成。 ],
17:01:15:399, System, 4:3416, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
17:01:15:399, System, 4:3416, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:34 data:'4C E8 01 00 00 01 00 00 00 00 00 00 06 69 6D 67 ' , 0x00000000 [操作成功完成。 ],
17:01:15:415, System, 4:3416, 0, NET_connect, 180.163.198.48:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
17:01:15:415, System, 4:3416, 0, NET_http, imgsrc.baidu.com /tieba/pic/item/5bafa40f4bfbfbed1b4d375177f0f736afc31f83.jpg, protocol:(TCP)0 cmd:'GET' datalen:214 , 0x00000000 [操作成功完成。 ],
17:01:15:415, System, 4:3416, 0, NET_send, 180.163.198.48:80, protocol:(TCP)0 datalen:214 data:'47 45 54 20 2F 74 69 65 62 61 2F 70 69 63 2F 69 ' , 0x00000000 [操作成功完成。 ],
17:01:15:431, System, 4:3416, 0, NET_connect, 180.163.198.48:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
17:01:15:446, System, 4:3416, 0, NET_http, imgsrc.baidu.com /tieba/pic/item/b7003af33a87e95029ddf5421f385343faf2b4d1.jpg, protocol:(TCP)0 cmd:'GET' datalen:214 , 0x00000000 [操作成功完成。 ],
17:01:15:446, System, 4:3416, 0, NET_send, 180.163.198.48:80, protocol:(TCP)0 datalen:214 data:'47 45 54 20 2F 74 69 65 62 61 2F 70 69 63 2F 69 ' , 0x00000000 [操作成功完成。 ],
17:01:15:693, System, 4:3416, 0, FILE_touch, C:\Windows\System32\r6lstmp4.dat, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
17:01:15:693, System, 4:3416, 0, FILE_truncate, C:\Windows\System32\r6lstmp4.dat, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
17:01:15:693, System, 4:3416, 0, FILE_write, C:\Windows\System32\r6lstmp4.dat, offset:0x00000000 datalen:0x001BD0E3 , 0x00000000 [操作成功完成。 ],
17:01:15:693, System, 4:3416, 0, FILE_modified, C:\Windows\System32\r6lstmp4.dat, , 0x00000000 [操作成功完成。 ],
17:01:38:163, System, 4:256, 0, FILE_write, C:\ProgramData\Microsoft\Windows\AppRepository\edb.chk, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。 ],
Below is an overview of the hooking / hidden operations:
1. The driver registers only one system callback, a Shutdown callback; my guess is that it deletes its own file and the original registry key at reboot;
2. It creates several kernel threads, some of which go online and some of which create files
3. On first load it turns itself into a hidden driver and wipes its own real address, and creates two new drivers and one DAT file. From this we can infer that this ROOTKIT needs no parent body: it is its own parent, and all it needs is something that can load a driver, or a whitelisted driver loader.
4. After a reboot both new drivers are loaded and each has registered its own shutdown callback, while the original driver is gone; also, on WIN8.1-x64 there were no kernel deception operations, so the author of this driver probably put the effort into WIN10...
5. While offline, in 火绒剑 (Huorong Sword) I kept seeing System reading the DLLs needed in user mode and also opening Svchost; I can't tell whether that is normal system behaviour or the kernel thread at work...
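As an added example (my own code, not from the post's author or from Huorong), here is a small Python parser for monitor lines in this format together with the checks a defender would turn into rules from the log above: a kernel-mode (System, pid 4) write of a .sys file under System32\drivers, kernel-mode creation of a Services key and setting its Start to 1, kernel-mode network connections and HTTP requests, and drivers persisted under names other than the one that was actually loaded. The field layout (time, process, pid:tid, parent pid, operation, target, args, status [message]) is inferred from the posted lines and is an assumption; the sample lines are copied from the log.

```python
# Added example (not part of the original post): parse Huorong Sword (火绒剑)
# style monitor lines and flag the driver-drop / persistence / kernel-network
# pattern visible in the log above. The field layout is inferred from the
# posted lines and is an assumption; the sample lines are copied from the post.
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3}), (?P<proc>[^,]+), (?P<pid>\d+):(?P<tid>\d+), "
    r"(?P<ppid>\d+), (?P<op>\w+), (?P<target>[^,]*), (?P<args>.*?), "
    r"(?P<status>0x[0-9A-Fa-f]{8}) \[(?P<msg>.*)\],?\s*$"
)

SERVICES_KEY = "hkey_local_machine\\system\\currentcontrolset\\services\\"
DRIVERS_DIR = "\\system32\\drivers\\"


@dataclass
class Event:
    time: str
    proc: str
    pid: int
    op: str
    target: str
    args: str
    status: int  # NTSTATUS; 0 means the operation succeeded


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one monitor line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["time"], m["proc"], int(m["pid"]), m["op"],
                 m["target"], m["args"].strip(), int(m["status"], 16))


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def is_kernel(e: Event) -> bool:
    # Work attributed to the System process (pid 4) is kernel-mode code, i.e. a
    # driver; a user-mode installer never shows up this way.
    return e.proc == "System" and e.pid == 4


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_findings(events: List[Event]) -> List[str]:
    """Flag the behaviours a defender would want to alert on in this log."""
    findings: List[str] = []
    loaded, dropped = set(), set()
    for e in events:
        if e.status != 0:  # failed operations (e.g. 0xC0000034 not found) are noise here
            continue
        t = e.target.lower()
        if e.op == "SYS_load_kmod":
            loaded.add(basename(e.target))
            findings.append(f"{e.time} driver loaded by {e.proc} (pid {e.pid}): {e.target}")
        elif is_kernel(e) and e.op == "FILE_write" and DRIVERS_DIR in t and t.endswith(".sys"):
            dropped.add(basename(e.target))
            findings.append(f"{e.time} kernel-mode write of a driver file: {e.target}")
        elif is_kernel(e) and e.op == "REG_mkkey" and t.startswith(SERVICES_KEY):
            findings.append(f"{e.time} kernel-mode creation of a service key: {e.target}")
        elif (is_kernel(e) and e.op == "REG_setval" and t.startswith(SERVICES_KEY)
              and t.endswith("\\start") and "data:'01 00 00 00" in e.args):
            # Start=1 is SERVICE_SYSTEM_START: the driver comes back on every boot
            findings.append(f"{e.time} service set to Start=1 (system start): {e.target}")
        elif is_kernel(e) and e.op in ("NET_connect", "NET_http"):
            findings.append(f"{e.time} kernel-mode network activity ({e.op}): {e.target}")
    # The loaded driver persisted itself under different file names: the
    # "no parent body needed" behaviour described in the post.
    if loaded and dropped and not dropped <= loaded:
        findings.append("persistence under names other than the loaded driver: "
                        f"loaded={sorted(loaded)} dropped={sorted(dropped)}")
    return findings


# Sample lines copied from the post's log (raw string so backslashes stay literal).
SAMPLE = r"""
17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wjxpuimmx, access:0x000F003F , 0xC0000034 [系统找不到指定的文件。 ],
17:00:13:865, System, 4:256, 0, FILE_write, C:\Windows\System32\drivers\wjxpuimmx.sys, offset:0x00000000 datalen:0x00022618 , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_modified, C:\Windows\System32\drivers\wjxpuimmx.sys, , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys, access:0x000F003F , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
17:00:13:865, System, 4:256, 0, FILE_write, C:\Windows\System32\drivers\ixzblfzsk.sys, offset:0x00000000 datalen:0x00001E20 , 0x00000000 [操作成功完成。 ],
17:00:13:865, 加驱用.exe, 804:1060, 804, SYS_load_kmod, C:\Users\j8qq_000\Desktop\0Q0.sys, , 0x00000000 [操作成功完成。 ],
17:01:14:537, System, 4:3416, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
17:01:14:634, System, 4:3416, 0, NET_http, syte.xudaowang.com:8019/no008/jspc.ashx, protocol:(TCP)0 cmd:'POST' datalen:220 , 0x00000000 [操作成功完成。 ],
17:01:38:163, System, 4:256, 0, FILE_write, C:\ProgramData\Microsoft\Windows\AppRepository\edb.chk, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。 ],
"""

if __name__ == "__main__":
    for line in find_findings(parse_log(SAMPLE)):
        print(line)
```

The status filter matters: the log is full of 0x00000104 (reparse) and 0xC0000034 (not found) lines from the object manager probing for the new service key, and only the successful operations say what the driver actually did. The Start=1 check keys on the raw hex dump because that is all the monitor gives; in a real rule you would decode the DWORD, and the same idea applies to Type (1 = kernel driver) and Group ("TDI") in the log above.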