本帖最后由 lifan88 于 2019-11-12 23:50 编辑
希望楼主顶置!
火绒4.0的监控被过掉了,注册表的写入过火绒 ,加载驱动过掉火绒和火绒剑的防御
新的rootkit加载后不需要重启直接就复制了一个TCPIP.sys,然后加载并劫持。。
1,测试条件:Vmware-win8.1x64-pro
2,测试方法:直接加载即可
3,关键词解释
SYS_regsrv:注册服务
SYS_load_kmod:加载内核模块
SYS_enumproc:枚举进程
SYS_opendev:打开设备
REG_openkey:打开注册表项
REG_getval:获取注册表键值
REG_mkkey:创建注册表项
REG_setval:设置注册表项值
REG_rmval:删除注册表键值
REG_rmkey:删除注册表键
FILE_open:打开文件
FILE_touch:创建文件
FILE_truncate:截断文件
FILE_write:写文件
FILE_chmod:设置文件属性
FILE_modified:文件被修改BA_exec_extratedfile:启动自释放文件
PROC_exec:创建进程
PROC_open:打开进程
PROC_readvm:跨进程读内存
PROC_writevm:跨进程写内存
PROC_pgprot:跨进程修改内存属性
THRD_setctxt:跨进程设置线程上下文
THRD_resume:跨进程恢复线程EXEC_create:进程启动
EXEC_destroy:进程退出
NET_connect:网络连接
NET_send:发送数据包
NET_http:HTTP请求
4,火绒剑抓动作
15:25:13:683, 简单挂免费版.exe, 2336:0, 2780, EXEC_create, C:\Users\j8qq_000\Desktop\简单挂免费版.exe, parent_pid:2780 cmdline:'"C:\Users\j8qq_000\Desktop\简单挂免费版.exe" ' image_base:0x0000000000A20000 image_size:0x022EE000 , 0x00000000 [操作成功完成。 ],
15:25:28:372, 简单挂免费版.exe, 2336:2712, 2780, FILE_touch, C:\Users\j8qq_000\Desktop\简单挂免费版.lnk, access:0x0012019F alloc_size:0 attrib:0x00000000 share_access:0x00000003 disposition:0x00000005 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:25:29:336, 简单挂免费版.exe, 2336:2712, 2780, FILE_write, C:\Users\j8qq_000\Desktop\简单挂免费版.lnk, offset:0x00000000 datalen:0x000001EB , 0x00000000 [操作成功完成。 ],
15:25:29:336, 简单挂免费版.exe, 2336:2712, 2780, FILE_modified, C:\Users\j8qq_000\Desktop\简单挂免费版.lnk, , 0x00000000 [操作成功完成。 ],
15:25:29:336, 简单挂免费版.exe, 2336:2712, 2780, PROC_open, C:\Windows\Explorer.EXE, target_pid:2904 access:0x00000040 , 0x00000000 [操作成功完成。 ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_touch, C:\Program Files (x86)\BCL Technologies\J9CE8BF, access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000002 disposition:0x00000005 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_truncate, C:\Program Files (x86)\BCL Technologies\J9CE8BF, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_write, C:\Program Files (x86)\BCL Technologies\J9CE8BF, offset:0x00000000 datalen:0x0000CAC8 , 0x00000000 [操作成功完成。 ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_modified, C:\Program Files (x86)\BCL Technologies\J9CE8BF, , 0x00000000 [操作成功完成。 ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_open, C:\Program Files (x86)\BCL Technologies\J9CE8BF, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00200000 , 0x00000000 [操作成功完成。 ],
15:25:29:401, 简单挂免费版.exe, 2336:2712, 2780, FILE_open, C:\Program Files (x86)\BCL Technologies\J9CE8BF, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:25:29:414, 简单挂免费版.exe, 2336:0, 2780, PROC_exec, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 , 0x00000000 [操作成功完成。 ],
15:25:29:414, 简单挂免费版.exe, 2336:0, 2780, BA_exec_extratedfile, C:\Program Files (x86)\BCL Technologies\J9CE8BF, , 0x00000000 [操作成功完成。 ],
15:25:29:570, 简单挂免费版.exe, 2336:2712, 2780, SYS_opendev, \Device\Nsi, devtype:18 access:0x00100080 share:0x00000003 , 0x00000000 [操作成功完成。 ],
15:25:29:586, 简单挂免费版.exe, 2336:2696, 2780, SYS_opendev, \Device\NetBT_Tcpip_{BE64D43C-A4AB-4BAB-94A7-3EAF64B87C45}, devtype:18 access:0x00100001 share:0x00000003 , 0x00000000 [操作成功完成。 ],
15:25:29:586, 简单挂免费版.exe, 2336:2696, 2780, SYS_opendev, \Device\NetBT_Tcpip_{3BC837FC-63F3-4FFA-9A1A-C5A239D314FC}, devtype:18 access:0x00100001 share:0x00000003 , 0x00000000 [操作成功完成。 ],
15:25:29:586, 简单挂免费版.exe, 2336:2696, 2780, SYS_opendev, \Device\Afd, devtype:17 access:0xC0140000 share:0x00000003 , 0x00000000 [操作成功完成。 ],
15:25:29:617, svchost.exe, 772:1044, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
15:25:29:617, svchost.exe, 772:1044, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:36 data:'1A 03 01 00 00 01 00 00 00 00 00 00 03 63 72 6C ' , 0x00000000 [操作成功完成。 ],
15:25:29:639, 简单挂免费版.exe, 2336:2584, 2780, SYS_opendev, \Device\Afd, devtype:17 access:0xC0140000 share:0x00000003 , 0x00000000 [操作成功完成。 ],
15:25:31:607, 简单挂免费版.exe, 2336:3788, 2780, NET_http, crl.globalsign.net/root-r3.crl, protocol:(TCP)0 cmd:'GET' datalen:129 , 0x00000000 [操作成功完成。 ],
15:25:31:607, 简单挂免费版.exe, 2336:3788, 2780, NET_send, 58.218.208.14:80, protocol:(TCP)0 datalen:129 data:'47 45 54 20 2F 72 6F 6F 74 2D 72 33 2E 63 72 6C ' , 0x00000000 [操作成功完成。 ],
15:25:31:648, 简单挂免费版.exe, 2336:3596, 2780, SYS_opendev, \Device\NetBT_Tcpip_{BE64D43C-A4AB-4BAB-94A7-3EAF64B87C45}, devtype:18 access:0x00100001 share:0x00000003 , 0x00000000 [操作成功完成。 ],
15:25:31:648, 简单挂免费版.exe, 2336:3596, 2780, SYS_opendev, \Device\NetBT_Tcpip_{3BC837FC-63F3-4FFA-9A1A-C5A239D314FC}, devtype:18 access:0x00100001 share:0x00000003 , 0x00000000 [操作成功完成。 ],
15:25:31:683, 简单挂免费版.exe, 2336:2104, 2780, NET_http, ocsp2.globalsign.com/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY%2F%2Ft2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc%2BoCMMmsCEhEhtwDAvcCDp%2B4THnIkJBLN5w%3D%3D, protocol:(TCP)0 cmd:'GET' datalen:265 , 0x00000000 [操作成功完成。 ],
15:25:31:683, 简单挂免费版.exe, 2336:2104, 2780, NET_send, 180.153.105.140:80, protocol:(TCP)0 datalen:265 data:'47 45 54 20 2F 67 73 63 6F 64 65 73 69 67 6E 73 ' , 0x00000000 [操作成功完成。 ],
15:25:31:820, 简单挂免费版.exe, 2336:2712, 2780, FILE_open, C:\Program Files (x86)\BCL Technologies\J9CE8BF, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00200000 , 0x00000000 [操作成功完成。 ],
15:25:31:842, 简单挂免费版.exe, 2336:2712, 2780, PROC_readvm, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 base:0x000000007FFDE000 bytes_read:0x000001D8 datalen:0x000001D8 data:'00 00 00 00 FF FF FF FF 00 00 40 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:25:31:868, 简单挂免费版.exe, 2336:2712, 2780, PROC_pgprot, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 base:0x0000000000400000 count:0x00000400 attrib:0x00000040 bytes_changed:0x00001000 , 0x00000000 [操作成功完成。 ],
15:25:31:914, 简单挂免费版.exe, 2336:2712, 2780, THRD_setctxt, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 target_tid:3700 , 0x00000000 [操作成功完成。 ],
15:25:31:914, 简单挂免费版.exe, 2336:2712, 2780, THRD_resume, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 target_tid:3700 , 0x00000000 [操作成功完成。 ],
15:25:32:007, 简单挂免费版.exe, 2336:0, 2780, EXEC_destroy, C:\Users\j8qq_000\Desktop\简单挂免费版.exe, parent_pid:2780 cmdline:'"C:\Users\j8qq_000\Desktop\简单挂免费版.exe" ' , 0x00000000 [操作成功完成。 ],
接下来是“更新模块”J9CE8BF的表演(实际J9CE8BF上是一个exe,创建的时候无后缀!表演过火绒和火绒剑,而且驱动和生成的母体不是同一个东西!驱动是一个连exeinfo都分析不清楚的玩意)
15:27:21:187, J9CE8BF, 2916:3308, 2780, NET_connect, 183.60.187.58:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
15:27:21:220, J9CE8BF, 2916:3308, 2780, NET_http, sinacloud.net/question/B64d.rar, protocol:(TCP)0 cmd:'GET' datalen:236 , 0x00000000 [操作成功完成。 ],
15:27:31:321, svchost.exe, 772:1124, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
15:27:32:453, J9CE8BF, 2916:3308, 2780, FILE_touch, C:\Windows\SysWOW64\F80CLCJlM.sys
access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000005 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:27:32:453, J9CE8BF, 2916:3308, 2780, FILE_truncate, C:\Windows\SysWOW64\F80CLCJlM.sys, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
15:27:41:727, J9CE8BF, 2916:3700, 2780, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\KnownClasses, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
15:27:52:414, J9CE8BF, 2916:0, 2780, NET_send, 8.8.8.8:53, protocol:(UDP)1 datalen:32 data:'01 00 01 00 00 01 00 00 00 00 00 00 0B 73 69 6E ' , 0x00000000 [操作成功完成。 ],
15:27:52:461, J9CE8BF, 2916:2140, 2780, NET_http, sinastorage.cn/question/PrsProt64.rar, protocol:(TCP)0 cmd:'GET' datalen:242 , 0x00000000 [操作成功完成。 ],
15:27:52:461, J9CE8BF, 2916:2140, 2780, NET_send, 121.14.32.187:80, protocol:(TCP)0 datalen:242 data:'47 45 54 20 2F 71 75 65 73 74 69 6F 6E 2F 50 72 ' , 0x00000000 [操作成功完成。 ],
15:27:55:565, J9CE8BF, 2916:3308, 2780, FILE_write, C:\Windows\SysWOW64\F80CLCJlM.sys, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。 ],
15:27:55:961, J9CE8BF, 2916:3308, 2780, FILE_modified, C:\Windows\SysWOW64\F80CLCJlM.sys, , 0x00000000 [操作成功完成。 ],
此处注册表火绒没有记录,但是PCH,加驱工具,TDSSKILLER的注册驱动注册表行为都会记录和拦截!
15:27:56:024, services.exe, 580:2840, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x0002001F , 0x00000000 [操作成功完成。 ],
15:27:56:024, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:024, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:024, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\StartOverride, access:0x02000000 , 0xC0000034 [系统找不到指定的文件。 ],
15:27:56:024, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ErrorControl, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:041, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 3F 3F 5C 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 ' , 0x00000000 [操作成功完成。 ],
15:27:56:041, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\DisplayName, type:0x00000001 datalen:20 data:'46 38 30 43 4C 43 4A 6C 4D 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:041, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\WOW64, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:041, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [操作成功完成。 ],
15:27:56:070, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [操作成功完成。 ],
15:27:56:070, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [操作成功完成。 ],
此处为加载驱动!!!火绒毫无反应!!!导致System开始读取驱动的注册表(加载前读取注册表配置)!
15:27:56:070, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:070, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [操作成功完成。 ],
15:27:56:070, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:070, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:070, System, 4:3268, 0, FILE_open, C:\Windows\SysWOW64\F80CLCJlM.sys, access:0x00000020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
15:27:56:122, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\F80CLCJlM.sys, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:122, System, 4:3268, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
15:27:56:122, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\F80CLCJlM.sys, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
15:27:56:133, System, 4:3268, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
15:27:56:122, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x02020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x02020019 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName, type:0x00000001 datalen:8 data:'48 00 48 00 48 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x02020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x02020019 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName, type:0x00000001 datalen:8 data:'48 00 48 00 48 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00000001 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00000001 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00000001 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00000001 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 3F 3F 5C 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Group, type:0x00000001 datalen:32 data:'53 79 73 74 65 6D 20 52 65 73 65 72 76 65 64 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\mark, type:0x00000001 datalen:14 data:'3F 00 0B 00 0C 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\SYSTEM\Select, access:0x00020019 , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Select\Current, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Select\Default, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Select\LastKnownGood, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [操作成功完成。 ],
15:27:56:227, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [操作成功完成。 ],
15:27:56:227, System, 4:3268, 0, REG_rmval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Tag, keyname:'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM' , 0xC0000034 [系统找不到指定的文件。 ],
15:27:56:227, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\SYSTEM\Select, access:0x00020019 , 0x00000000 [操作成功完成。 ],
15:27:56:227, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Select\Current, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
此处ROOTKIT已经在System中开始起作用!
15:27:56:227, System, 4:3268, 0, FILE_open, C:\Windows\System32\ntdll.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000020 , 0x00000000 [操作成功完成。 ],
15:27:56:289, System, 4:3268, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:27:56:289, System, 4:3268, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:27:56:312, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [操作成功完成。 ],
15:27:56:320, System, 4:3432, 0, FILE_open, C:\Windows\SysWOW64\F80CLCJlM.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:27:56:320, System, 4:3432, 0, REG_openkey, HKEY_LOCAL_MACHINE\SYSTEM\Setup, access:0x00020019 , 0x00000000 [操作成功完成。 ],
15:27:56:320, System, 4:3432, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition, type:0x00000001 datalen:48 data:'5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 ' , 0x00000000 [操作成功完成。 ],
复制一个Tcpip.sys,并且在System中加载之,然而还是没有记录!
15:27:56:320, System, 4:3432, 0, FILE_open, C:\Windows\System32\drivers\tcpip.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000003 disposition:0x00000001 options:0x00000040 , 0x00000000 [操作成功完成。 ],
15:27:56:320, System, 4:3432, 0, FILE_open, C:\Windows\System32\drivers\tcpip.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000003 options:0x00000860 , 0x00000000 [操作成功完成。 ],
Tcpip.sys被复制出来了
15:27:56:352, System, 4:3432, 0, FILE_touch, C:\Windows\System32\drivers\LEMJewCg.sys, access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000003 options:0x00000860 , 0x00000000 [操作成功完成。 ],
15:27:56:352, System, 4:3432, 0, FILE_write, C:\Windows\System32\drivers\LEMJewCg.sys, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。 ],
15:27:56:685, System, 4:2864, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:27:56:695, System, 4:2864, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:27:56:711, System, 4:2864, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies, access:0x00020006 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:711, System, 4:2864, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies, access:0x00020006 , 0x00000000 [操作成功完成。 ],
15:27:56:711, System, 4:2864, 0, REG_rmval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies\, keyname:'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies' , 0xC0000034 [系统找不到指定的文件。 ],
15:27:56:711, System, 4:2864, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
15:27:56:711, System, 4:2864, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder\List, type:0x00000007 datalen:2234 data:'53 00 79 00 73 00 74 00 65 00 6D 00 20 00 52 00 ' , 0x00000000 [操作成功完成。 ],
15:27:56:711, System, 4:2380, 0, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\, access:0x000F003F , 0x00000000 [操作成功完成。 ],
15:27:56:711, System, 4:2380, 0, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2463246743-3882878456-3851148573-1001, access:0x02020019 , 0x00000000 [操作成功完成。 ],
15:27:56:711, System, 4:1748, 0, NET_connect, 101.201.172.229:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
15:27:56:773, System, 4:3432, 0, FILE_modified, C:\Windows\System32\drivers\LEMJewCg.sys, , 0x00000000 [操作成功完成。 ],
文件工作结束后,ROOTKIT开始工作。。。
15:27:58:713, System, 4:3224, 0, NET_connect, 8.8.8.8:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
15:28:01:748, System, 4:3904, 0, NET_connect, 122.246.20.200:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
15:28:01:763, System, 4:3904, 0, NET_http, go.gengxinsys.com/data.php?t=l&m=0, protocol:(TCP)0 cmd:'GET' datalen:185 , 0x00000000 [操作成功完成。 ],
15:28:01:763, System, 4:3904, 0, NET_send, 122.246.20.200:80, protocol:(TCP)0 datalen:185 data:'47 45 54 20 2F 64 61 74 61 2E 70 68 70 3F 74 3D ' , 0x00000000 [操作成功完成。 ],
15:28:02:369, System, 4:3868, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
15:28:03:822, System, 4:2864, 0, NET_http, go.gengxinsys.com/data.php?t=l&m=0, protocol:(TCP)0 cmd:'GET' datalen:185 , 0x00000000 [操作成功完成。 ],
15:28:03:822, System, 4:2864, 0, NET_send, 122.246.20.200:80, protocol:(TCP)0 datalen:185 data:'47 45 54 20 2F 64 61 74 61 2E 70 68 70 3F 74 3D ' , 0x00000000 [操作成功完成。 ],
|
楼主: zay365
[复制链接]
楼主
发表于 2019-11-12 14:30:20
考完试了
@360主动防御 