天琊(ya)V1.0 0228(增强保险箱)

显示全部楼层 · 发表于 2009-3-1 20:54:32

结束进程蓝屏

kd> !analyze -v
*******************************************************************************
*                                                                            *
*                      Bugcheck Analysis                                  *
*                                                                            *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: e1cd1420, Memory contents of the pool block
Arg4: e1ed1d20, Address of the block of pool being deallocated

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 7ffde00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffde00c).  Type ".hh dbgerr001" for details

POOL_ADDRESS:  e1ed1d20 Paged pool

FREED_POOL_TAG:  ObSq

BUGCHECK_STR:  0xc2_7_ObSq

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

PROCESS_NAME:  spoolsv.exe

LAST_CONTROL_TRANSFER:  from 81341b06 to 812f5cc5

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
b27a5550 81341b06 000000c2 00000007 00000cd4 0x812f5cc5
b27a55c8 80545ef7 821f0074 821f0070 e17f5df8 0x81341b06
b27a5664 b20a9b85 00000000 00000000 b27a56c4 nt!ExFreePool+0xf
b27a5674 804feaf1 820960d8 b27a56c0 b27a56b4 Ch000001+0x11b85
b27a56c4 80501d04 00000000 00000000 00000000 nt!KiDeliverApc+0xb3
b27a56dc 804fad72 81d0ad08 81d0acc8 81d0ad0c nt!KiSwapThread+0x64
b27a5704 80575390 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2
b27a5730 80579d2d 81d0ad08 00000000 00000000 nt!IopAcquireFileObjectLock+0x4e
b27a5774 805b31e0 820db9f8 81d8c710 0012019f nt!IopCloseFile+0x1ed
b27a57a4 805b2b0d 820db9f8 00000001 821eb040 nt!ObpDecrementHandleCount+0xd4
b27a57cc 805b9451 e1760f08 81d0acc8 0000006c nt!ObpCloseHandleTableEntry+0x14d
b27a57ec 814014c9 e18770d8 0000006c b27a583c nt!ObpCloseHandleProcedure+0x1f
b27a5908 b20a9b85 00000000 00000000 b27a5968 0x814014c9
b27a5918 804feaf1 81b0b1c8 b27a5964 b27a5958 Ch000001+0x11b85
b27a5968 80501d04 00000000 00000000 00000000 nt!KiDeliverApc+0xb3
b27a5980 804faaf2 81d86a90 00000002 00000004 nt!KiSwapThread+0x64
b27a59b8 805b74a4 00000002 b27a5bec 00000001 nt!KeWaitForMultipleObjects+0x284
b27a5d48 8053e648 00000002 00b2f804 00000001 nt!NtWaitForMultipleObjects+0x2a2
b27a5d48 7c92e4f4 00000002 00b2f804 00000001 nt!KiFastCallEntry+0xf8
00b2f878 00000000 00000000 00000000 00000000 0x7c92e4f4

STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
804f891c-804f891f  4 bytes - nt!KeAttachProcess+40
[ b8 fe ff ff:c0 2b bb 31 ]
804f8a3c-804f8a3f  4 bytes - nt!KeStackAttachProcess+64 (+0x120)
[ 98 fd ff ff:a0 2a bb 31 ]
804fbaf4-804fbaf7  4 bytes - nt!KeInsertQueueApc+3c (+0x30b8)
[ 5e 31 00 00:78 f4 ba 31 ]
80502c30-80502c33  4 bytes - nt!KiServiceTable+94 (+0x713c)
[ fc f2 56 80:30 0b 0b b2 ]
80502c5c-80502c5f  4 bytes - nt!KiServiceTable+c0 (+0x2c)
[ f6 83 5c 80:20 11 0b b2 ]
80502c70-80502c73  4 bytes - nt!KiServiceTable+d4 (+0x14)
[ 94 82 5c 80:70 2e 0b b2 ]
80502cac-80502caf  4 bytes - nt!KiServiceTable+110 (+0x3c)
[ da 48 5b 80:20 c0 0a b2 ]
80502d4c-80502d4f  4 bytes - nt!KiServiceTable+1b0 (+0xa0)
[ 00 85 5a 80:80 18 0a b2 ]
80502e6c-80502e6f  4 bytes - nt!KiServiceTable+2d0 (+0x120)
[ f2 84 5c 80:50 35 0b b2 ]
80502e78-80502e7b  4 bytes - nt!KiServiceTable+2dc (+0x0c)
[ 2a 28 57 80:e0 16 0a b2 ]
80502e84-80502e87  4 bytes - nt!KiServiceTable+2e8 (+0x0c)
[ 92 a7 5a 80:a0 3d 0b b2 ]
80502ef0-80502ef3  4 bytes - nt!KiServiceTable+354 (+0x6c)
[ b6 89 5c 80:c0 16 0b b2 ]
80502f98-80502f9b  4 bytes - nt!KiServiceTable+3fc (+0xa8)
[ 66 f2 60 80:70 3b 0b b2 ]
80502fc8-80502fcb  4 bytes - nt!KiServiceTable+42c (+0x30)
[ 16 93 5a 80:e0 c0 0a b2 ]
80502ff0-80502ff3  4 bytes - nt!KiServiceTable+454 (+0x28)
[ 9c a8 5a 80:90 40 0b b2 ]
8053e62c-8053e630  5 bytes - nt!KiFastCallEntry+dc (+0x3b63c)
[ 8b 3f 8b 1c 87:e8 df 55 00 00 ]
8056ce97-8056ce9d  7 bytes - nt!NtCancelIoFile+141
[ cc cc cc cc cc 8b ff:e9 50 55 78 32 eb f9 ]
8056f2f7-8056f2fd  7 bytes - nt!NtRemoveIoCompletion+1a5 (+0x2460)
[ cc cc cc cc cc 8b ff:e9 c4 79 78 32 eb f9 ]
805700ef-805700f5  7 bytes - nt!BuildQueryDirectoryIrp+4ab (+0xdf8)
[ cc cc cc cc cc 8b ff:e9 3a 73 78 32 eb f9 ]
80570415-8057041b  7 bytes - nt!NtNotifyChangeDirectoryFile+2bb (+0x326)
[ cc cc cc cc cc 8b ff:e9 c4 69 78 32 eb f9 ]
80571304-80571308  5 bytes - nt!NtSetInformationFile (+0xeef)
[ 68 8c 00 00 00:e9 33 11 78 32 ]
8057a603-8057a609  7 bytes - nt!IopGetSetSecurityObject+3fb (+0x92ff)
[ cc cc cc cc cc 6a 54:e9 06 d4 77 32 eb f9 ]
805b1b42-805b1b46  5 bytes - nt!ObReferenceObjectByHandle (+0x3753f)
[ 8b ff 55 8b ec:e9 49 a1 af 31 ]
805b2476-805b2479  4 bytes - nt!ObOpenObjectByPointer+a0 (+0x934)
[ de 18 00 00:b6 8d af 31 ]
805c2322-805c2323  2 bytes - nt!NtOpenProcess (+0xfeac)
[ 68 c4:e9 17 ]
805c2325-805c2326  2 bytes - nt!NtOpenProcess+3 (+0x03)
[ 00 00:73 32 ]
805c9b8e-805c9b92  5 bytes - nt!PspTerminateThreadByPointer (+0x7869)
[ 8b ff 55 8b ec:e9 7d 26 ae 31 ]
80608bd4-80608bd8  5 bytes - nt!NtQuerySystemInformation (+0x3f046)
[ 68 10 02 00 00:e9 07 ea 6e 32 ]
80619893 - nt!NtQueryValueKey+349 (+0x10cbf)
[ cc:e9 ]
80619895-80619899  5 bytes - nt!NtQueryValueKey+34b (+0x02)
[ cc cc cc 6a 5c:8c 6d 32 eb f9 ]
8061b79d-8061b7a3  7 bytes - nt!NtCreateKey+48b (+0x1f08)
[ cc cc cc cc cc 6a 38:e9 dc 71 6d 32 eb f9 ]
8061b96d-8061b973  7 bytes - nt!NtDeleteKey+1cb (+0x1d0)
[ cc cc cc cc cc 6a 48:e9 0c 6e 6d 32 eb f9 ]
8061bb4d-8061bb53  7 bytes - nt!NtDeleteValueKey+1db (+0x1e0)
[ cc cc cc cc cc 6a 54:e9 36 b6 6d 32 eb f9 ]
8061bdb7-8061bdbd  7 bytes - nt!NtEnumerateKey+265 (+0x26a)
[ cc cc cc cc cc 6a 54:e9 22 b1 6d 32 eb f9 ]
8061ca05-8061ca0b  7 bytes - nt!NtOpenKey+321 (+0xc4e)
[ cc cc cc cc cc 6a 60:e9 f4 b2 6d 32 eb f9 ]
169 errors : !nt (804f891c-8061ca0b)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  LARGE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------

显示全部楼层 · 发表于 2009-3-1 22:11:44

看图吧，有点问题

显示全部楼层 · 发表于 2009-3-1 23:09:20

被限制了吧

显示全部楼层 · 发表于 2009-3-1 23:54:53

估计是那个病毒使用了和天琊类似的Inline Hook，而病毒在加载前没有检测是否已经被HOOK了造成了这样的情况

显示全部楼层 · 发表于 2009-3-2 00:02:03

那个病毒在没开启天琊的情况下自己都要蓝

显示全部楼层 · 发表于 2009-3-2 20:15:49

其实我更加喜欢你的

病毒诊断分析程序

因为天琊的同类产品太多了..

病毒诊断分析程序不同.很少同类产品..

不过目前这个程序蓝屏现象还挺严重的

希望早日改进啦

显示全部楼层 · 发表于 2009-3-2 21:25:59

等段时间吧
现在还不能发出来

显示全部楼层 · 发表于 2009-3-2 22:36:27

http://bbs.kafan.cn/viewthread.p ... p;extra=&page=1
刚发现运行上面这个样本后，天琊照样防不住appinit_dlls。
见截图：
XP SP3-2009-03-02-22-34-36.png

显示全部楼层 · 发表于 2009-3-2 22:46:18

晕，上面的病毒感染了内核文件ntkrnlpa.exe（双核），怪不得这么轻易注入dll。

显示全部楼层 · 发表于 2009-3-2 23:17:54

天琊可以拦截到，是我过滤稍微有了点问题。
我得修改下。我识别完整路径去了

[原创工具] 天琊(ya)V1.0 0228(增强保险箱)