传奇私-Fu rootkit2x及释放程序

显示全部楼层 · 发表于 2022-7-29 15:44:35

tdsskiller 发表于 2022-7-29 15:26
VMP的WHQL的话是的，wowocock在好几个帖子中讲过原理

发下帖子地址？

显示全部楼层 · 发表于 2022-7-29 15:52:33

ANY.LNK 发表于 2022-7-29 15:44
发下帖子地址？

https://bbs.pediy.com/thread-226660.htm

还有一个是在卡饭里面回复我的，没找到，那个大肉鸡讲得更详细

显示全部楼层 · 发表于 2022-7-29 16:01:53

ANY.LNK 发表于 2022-7-29 15:44
发下帖子地址？

仔细看大肉鸡给我的回复

找到了：https://bbs.kafan.cn/forum.php?mod=viewthread&tid=2233206&page=5#pid50841731wowowcock:

tdsskiller 发表于 2022-4-22 10:54
那些很多vmp驱动貌似都兼容了内核隔离了吧？这个私-Fu没兼容我很意外

内核隔离WIN10早期是在NTOS里MiValidateStrongCodeDriverImage处理，参考https://bbs.pediy.com/thread-226660-1.htm，不过今天看了下19041下的，貌似又变了，验证代码移到了CI.DLL里。
1: kd> kv
# Child-SP       RetAddr          : Args to Child                                                          : Call Site
00 fffffb04`4bd94c80 fffff804`38c74dd3 : 00000000`00000028 00000000`00000001 fffffb04`4bd94e70 00000000`00000000 : CI!CiHvciSetValidationContextForHvci+0x6f
01 fffffb04`4bd94cf0 fffff804`38c6fbb2 : 00000000`00000088 00000000`00000000 ffffbe03`26d10380 fffff804`36600000 : CI!CipAllocateValidationContext+0x1a7
02 fffffb04`4bd94d70 fffff804`37f025fd : fffffb04`4bd94fb0 fffff804`36600000 00000000`0000000f fffff804`36600000 : CI!CiValidateImageHeader+0x602
03 fffffb04`4bd94ef0 fffff804`37f02108 : 00000000`00000000 ffffbe03`1f909700 00000000`00000000 00000000`0020d000 : nt!SeValidateImageHeader+0xd9
04 fffffb04`4bd94fa0 fffff804`37e1c3a0 : 00000000`00000000 fffff804`37f13182 ffffb4d9`b3fe37b3 00000000`01000000 : nt!MiValidateSectionCreate+0x438
05 fffffb04`4bd95180 fffff804`37e2423e : fffffb04`4bd954b0 00000000`00000001 00000000`00000000 00000000`00000000 : nt!MiValidateSectionSigningPolicy+0xac
06 fffffb04`4bd951e0 fffff804`37e1181b : ffffbe03`26d10380 fffffb04`4bd954b0 fffffb04`4bd954b0 00000000`00000000 : nt!MiCreateNewSection+0x59a
07 fffffb04`4bd95340 fffff804`37e10e64 : fffffb04`4bd95370 ffffe604`d1ea8590 ffffbe03`26d10380 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2db
08 fffffb04`4bd95430 fffff804`37b85028 : 00000000`00000000 00000000`ffffffff ffffffff`80001518 00000000`00000000 : nt!MiCreateSection+0xf4
09 fffffb04`4bd955b0 fffff804`37f5fe32 : 00000000`00000000 fffffb04`4bd956c9 ffffffff`80001518 00000000`00000000 : nt!MiCreateSystemSection+0xa4
0a fffffb04`4bd95650 fffff804`37f5d70e : fffff804`3843f230 ffffffff`80001518 fffffb04`4bd957e8 00000000`00000000 : nt!MiCreateSectionForDriver+0x126
0b fffffb04`4bd95730 fffff804`37f5cf62 : 00000000`00000000 fffffb04`4bd95880 00000000`00000000 00000000`000009c8 : nt!MiObtainSectionForDriver+0xa6
0c fffffb04`4bd95780 fffff804`37f5cdf6 : fffffb04`4bd959b8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmLoadSystemImageEx+0x156
0d fffffb04`4bd95920 fffff804`37f4023c : fffffb04`4bd95a60 00000000`00000000 fffff804`3845a820 00000000`00000000 : nt!MmLoadSystemImage+0x26
0e fffffb04`4bd95960 fffff804`37f84e77 : 00000000`00000000 00000000`00000000 fffff804`3853a440 ffffbe03`21feea50 : nt!IopLoadDriver+0x23c
0f fffffb04`4bd95b30 fffff804`37acd6d5 : ffffbe03`00000000 ffffffff`800033d0 ffffbe03`2187c040 fffff804`00000000 : nt!IopLoadUnloadDriver+0x57
10 fffffb04`4bd95b70 fffff804`37b6aa15 : ffffbe03`2187c040 00000000`00000080 ffffbe03`1c087040 00000101`00000000 : nt!ExpWorkerThread+0x105
11 fffffb04`4bd95c10 fffff804`37c13ef8 : fffff804`361a3180 ffffbe03`2187c040 fffff804`37b6a9c0 00000101`00000000 : nt!PspSystemThreadStartup+0x55
这个函数里验证
__int64 __fastcall CiHvciSetValidationContextForHvci(_QWORD *a1, int a2, __int64 a3, void *a4, ULONGLONG Size)
{
  __int64 v5; // r15
  int v10; // ebx
  __int64 result; // rax
  __int64 peheader; // [rsp+40h] [rbp-28h] BYREF
  __int64 v13; // [rsp+48h] [rbp-20h] BYREF
  int v14; // [rsp+70h] [rbp+8h] BYREF

  v5 = a1[360];
  v13 = 0i64;
  v14 = 0;
  peheader = 0i64;
  v10 = CiValidateImageHeaderMapping(a4, (unsigned int)Size, &peheader, 0i64);
  if ( v10 < 0
|| (v10 = CiCheckNtHeaderForHvciCompliance(peheader, &v14), v10 < 0)
|| (v10 = CiCreateHvciComplianceStatusCode((unsigned int *)&v14), v10 < 0) )
  {
CiHvciLogIncompatibility(0, 0, a3, a2, v5, (__int64)&v14, v10);
if ( v10 < 0 )
   return (unsigned int)v10;
  }
  result = CiAllocateImageDataForHvci(a3, a4, (unsigned int)Size, &v13);
  if ( (int)result >= 0 )
  {
a1[328] = v13;
a1[325] = g_HvciImageValidateInterface;
  }
  return result;
}
在 CiCheckNtHeaderForHvciCompliance里
if ( (SectionCharacteristics & 0xA0000000) == 0xA0000000 )
   {
      v21 = RetCode | 8;
      if ( (SectionCharacteristics & 0x2000000) != 0 )
      v21 = RetCode;
      RetCode = v21;
      if ( _bittest(&SectionCharacteristics, 0x1Cu) )
      RetCode = v21 | 0x10;
   }
返回了0X28,到
__int64 __fastcall CiCreateHvciComplianceStatusCode(unsigned int *a1)
{
  __int64 result; // rax

  result = *a1;
  if ( (_DWORD)result )
  {
if ( (result & 6) != 0 )
   result = 0xC0000220i64;
else
   result = (result & 0x18) != 0 ? 0xC000004E : 0xC00000BB;
  }
  return result;
}
返回0xC000004E，#define STATUS_SECTION_PROTECTION       ((NTSTATUS)0xC000004EL)
禁止了任何带有可写可执行节属性的驱动加载，基本所有的加壳驱动都躲不过这个，导致类似的无法在内核隔离下加载驱动。

显示全部楼层 · 发表于 2022-7-29 16:07:18

本帖最后由 00006666 于 2022-7-29 16:08 编辑

编辑，回复错了

[病毒样本] 传奇私-Fu rootkit2x及释放程序

评分

评分