Thread starter: chenhui530

[Original tool] 天琊 (ya) V1.0 0228 (enhanced Safe Box)

dl123100
Posted on 2009-3-1 20:51:07
On my machine, clicking "Ports" hangs for a long time; clicking "Associations" or "Hijacks" gives "failed to load driver"; terminating the hidden process spoolsv.exe causes a BSOD, and restoring one of ch000001.sys's inline hook entries also causes a BSOD.
Of course, that sr***.sys itself is quite unstable.
dl123100
Posted on 2009-3-1 20:54:32
Terminating the process causes a BSOD

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: e1cd1420, Memory contents of the pool block
Arg4: e1ed1d20, Address of the block of pool being deallocated

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 7ffde00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffde00c).  Type ".hh dbgerr001" for details

POOL_ADDRESS:  e1ed1d20 Paged pool

FREED_POOL_TAG:  ObSq

BUGCHECK_STR:  0xc2_7_ObSq

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

PROCESS_NAME:  spoolsv.exe

LAST_CONTROL_TRANSFER:  from 81341b06 to 812f5cc5

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
b27a5550 81341b06 000000c2 00000007 00000cd4 0x812f5cc5
b27a55c8 80545ef7 821f0074 821f0070 e17f5df8 0x81341b06
b27a5664 b20a9b85 00000000 00000000 b27a56c4 nt!ExFreePool+0xf
b27a5674 804feaf1 820960d8 b27a56c0 b27a56b4 Ch000001+0x11b85
b27a56c4 80501d04 00000000 00000000 00000000 nt!KiDeliverApc+0xb3
b27a56dc 804fad72 81d0ad08 81d0acc8 81d0ad0c nt!KiSwapThread+0x64
b27a5704 80575390 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2
b27a5730 80579d2d 81d0ad08 00000000 00000000 nt!IopAcquireFileObjectLock+0x4e
b27a5774 805b31e0 820db9f8 81d8c710 0012019f nt!IopCloseFile+0x1ed
b27a57a4 805b2b0d 820db9f8 00000001 821eb040 nt!ObpDecrementHandleCount+0xd4
b27a57cc 805b9451 e1760f08 81d0acc8 0000006c nt!ObpCloseHandleTableEntry+0x14d
b27a57ec 814014c9 e18770d8 0000006c b27a583c nt!ObpCloseHandleProcedure+0x1f
b27a5908 b20a9b85 00000000 00000000 b27a5968 0x814014c9
b27a5918 804feaf1 81b0b1c8 b27a5964 b27a5958 Ch000001+0x11b85
b27a5968 80501d04 00000000 00000000 00000000 nt!KiDeliverApc+0xb3
b27a5980 804faaf2 81d86a90 00000002 00000004 nt!KiSwapThread+0x64
b27a59b8 805b74a4 00000002 b27a5bec 00000001 nt!KeWaitForMultipleObjects+0x284
b27a5d48 8053e648 00000002 00b2f804 00000001 nt!NtWaitForMultipleObjects+0x2a2
b27a5d48 7c92e4f4 00000002 00b2f804 00000001 nt!KiFastCallEntry+0xf8
00b2f878 00000000 00000000 00000000 00000000 0x7c92e4f4


STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    804f891c-804f891f  4 bytes - nt!KeAttachProcess+40
        [ b8 fe ff ff:c0 2b bb 31 ]
    804f8a3c-804f8a3f  4 bytes - nt!KeStackAttachProcess+64 (+0x120)
        [ 98 fd ff ff:a0 2a bb 31 ]
    804fbaf4-804fbaf7  4 bytes - nt!KeInsertQueueApc+3c (+0x30b8)
        [ 5e 31 00 00:78 f4 ba 31 ]
    80502c30-80502c33  4 bytes - nt!KiServiceTable+94 (+0x713c)
        [ fc f2 56 80:30 0b 0b b2 ]
    80502c5c-80502c5f  4 bytes - nt!KiServiceTable+c0 (+0x2c)
        [ f6 83 5c 80:20 11 0b b2 ]
    80502c70-80502c73  4 bytes - nt!KiServiceTable+d4 (+0x14)
        [ 94 82 5c 80:70 2e 0b b2 ]
    80502cac-80502caf  4 bytes - nt!KiServiceTable+110 (+0x3c)
        [ da 48 5b 80:20 c0 0a b2 ]
    80502d4c-80502d4f  4 bytes - nt!KiServiceTable+1b0 (+0xa0)
        [ 00 85 5a 80:80 18 0a b2 ]
    80502e6c-80502e6f  4 bytes - nt!KiServiceTable+2d0 (+0x120)
        [ f2 84 5c 80:50 35 0b b2 ]
    80502e78-80502e7b  4 bytes - nt!KiServiceTable+2dc (+0x0c)
        [ 2a 28 57 80:e0 16 0a b2 ]
    80502e84-80502e87  4 bytes - nt!KiServiceTable+2e8 (+0x0c)
        [ 92 a7 5a 80:a0 3d 0b b2 ]
    80502ef0-80502ef3  4 bytes - nt!KiServiceTable+354 (+0x6c)
        [ b6 89 5c 80:c0 16 0b b2 ]
    80502f98-80502f9b  4 bytes - nt!KiServiceTable+3fc (+0xa8)
        [ 66 f2 60 80:70 3b 0b b2 ]
    80502fc8-80502fcb  4 bytes - nt!KiServiceTable+42c (+0x30)
        [ 16 93 5a 80:e0 c0 0a b2 ]
    80502ff0-80502ff3  4 bytes - nt!KiServiceTable+454 (+0x28)
        [ 9c a8 5a 80:90 40 0b b2 ]
    8053e62c-8053e630  5 bytes - nt!KiFastCallEntry+dc (+0x3b63c)
        [ 8b 3f 8b 1c 87:e8 df 55 00 00 ]
    8056ce97-8056ce9d  7 bytes - nt!NtCancelIoFile+141
        [ cc cc cc cc cc 8b ff:e9 50 55 78 32 eb f9 ]
    8056f2f7-8056f2fd  7 bytes - nt!NtRemoveIoCompletion+1a5 (+0x2460)
        [ cc cc cc cc cc 8b ff:e9 c4 79 78 32 eb f9 ]
    805700ef-805700f5  7 bytes - nt!BuildQueryDirectoryIrp+4ab (+0xdf8)
        [ cc cc cc cc cc 8b ff:e9 3a 73 78 32 eb f9 ]
    80570415-8057041b  7 bytes - nt!NtNotifyChangeDirectoryFile+2bb (+0x326)
        [ cc cc cc cc cc 8b ff:e9 c4 69 78 32 eb f9 ]
    80571304-80571308  5 bytes - nt!NtSetInformationFile (+0xeef)
        [ 68 8c 00 00 00:e9 33 11 78 32 ]
    8057a603-8057a609  7 bytes - nt!IopGetSetSecurityObject+3fb (+0x92ff)
        [ cc cc cc cc cc 6a 54:e9 06 d4 77 32 eb f9 ]
    805b1b42-805b1b46  5 bytes - nt!ObReferenceObjectByHandle (+0x3753f)
        [ 8b ff 55 8b ec:e9 49 a1 af 31 ]
    805b2476-805b2479  4 bytes - nt!ObOpenObjectByPointer+a0 (+0x934)
        [ de 18 00 00:b6 8d af 31 ]
    805c2322-805c2323  2 bytes - nt!NtOpenProcess (+0xfeac)
        [ 68 c4:e9 17 ]
    805c2325-805c2326  2 bytes - nt!NtOpenProcess+3 (+0x03)
        [ 00 00:73 32 ]
    805c9b8e-805c9b92  5 bytes - nt!PspTerminateThreadByPointer (+0x7869)
        [ 8b ff 55 8b ec:e9 7d 26 ae 31 ]
    80608bd4-80608bd8  5 bytes - nt!NtQuerySystemInformation (+0x3f046)
        [ 68 10 02 00 00:e9 07 ea 6e 32 ]
    80619893 - nt!NtQueryValueKey+349 (+0x10cbf)
        [ cc:e9 ]
    80619895-80619899  5 bytes - nt!NtQueryValueKey+34b (+0x02)
        [ cc cc cc 6a 5c:8c 6d 32 eb f9 ]
    8061b79d-8061b7a3  7 bytes - nt!NtCreateKey+48b (+0x1f08)
        [ cc cc cc cc cc 6a 38:e9 dc 71 6d 32 eb f9 ]
    8061b96d-8061b973  7 bytes - nt!NtDeleteKey+1cb (+0x1d0)
        [ cc cc cc cc cc 6a 48:e9 0c 6e 6d 32 eb f9 ]
    8061bb4d-8061bb53  7 bytes - nt!NtDeleteValueKey+1db (+0x1e0)
        [ cc cc cc cc cc 6a 54:e9 36 b6 6d 32 eb f9 ]
    8061bdb7-8061bdbd  7 bytes - nt!NtEnumerateKey+265 (+0x26a)
        [ cc cc cc cc cc 6a 54:e9 22 b1 6d 32 eb f9 ]
    8061ca05-8061ca0b  7 bytes - nt!NtOpenKey+321 (+0xc4e)
        [ cc cc cc cc cc 6a 60:e9 f4 b2 6d 32 eb f9 ]
169 errors : !nt (804f891c-8061ca0b)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  LARGE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------
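The `!chkimg` listing above is what a reviewer of this dump actually has to triage: which of the 169 changed byte ranges are `KiServiceTable` slots now pointing outside the kernel, which are 5-byte `E9` inline jumps over function prologues, which are hot-patch-style jumps planted in the `CC` padding (`E9 ... EB F9`, the pattern on `NtOpenKey+321` and friends), and which ones `!chkimg` split in two because a byte in the middle happened to be unchanged (the `NtOpenProcess` / `NtOpenProcess+3` pair). The Python below is an added example written for this thread, not code from 天琊 or from anyone posting here. Its `nt` range is an assumption (a typical XP SP3 PAE kernel load range, not something the dump states), the `Ch000001` base is derived from the stack (`b20a9b85 - 0x11b85`) and its size is assumed, the "4-byte change is a rewritten rel32 operand" rule is a heuristic, and the sample lines are excerpted from the listing above.

```python
"""Triage helper for WinDbg '!chkimg -d !nt' output (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# ASSUMED module ranges.  nt: typical XP SP3 PAE kernel load range (not given in the dump).
# Ch000001: base derived from the stack above (0xb20a9b85 - 0x11b85 = 0xb2098000); size guessed.
MODULE_RANGES = {
    "nt": (0x804D7000, 0x806E0000),
    "Ch000001": (0xB2098000, 0xB20C0000),
}

# Lines excerpted from the !chkimg listing in the dump above (other entries omitted).
CHKIMG_SAMPLE = """\
    804f891c-804f891f  4 bytes - nt!KeAttachProcess+40
        [ b8 fe ff ff:c0 2b bb 31 ]
    80502c30-80502c33  4 bytes - nt!KiServiceTable+94 (+0x713c)
        [ fc f2 56 80:30 0b 0b b2 ]
    805b1b42-805b1b46  5 bytes - nt!ObReferenceObjectByHandle (+0x3753f)
        [ 8b ff 55 8b ec:e9 49 a1 af 31 ]
    805c2322-805c2323  2 bytes - nt!NtOpenProcess (+0xfeac)
        [ 68 c4:e9 17 ]
    805c2325-805c2326  2 bytes - nt!NtOpenProcess+3 (+0x03)
        [ 00 00:73 32 ]
    8061ca05-8061ca0b  7 bytes - nt!NtOpenKey+321 (+0xc4e)
        [ cc cc cc cc cc 6a 60:e9 f4 b2 6d 32 eb f9 ]
"""

HEADER_RE = re.compile(r"^\s*([0-9a-f]+)(?:-[0-9a-f]+)?(?:\s+\d+ bytes)?\s+-\s+(\S+)")
BYTES_RE = re.compile(r"\[\s*([0-9a-f ]+?)\s*:\s*([0-9a-f ]+?)\s*\]")


@dataclass
class Patch:
    addr: int
    symbol: str
    orig: bytes
    new: bytes
    kind: str = "unclassified"
    target: Optional[int] = None
    target_module: str = ""
    note: str = ""


def parse_chkimg(text: str) -> list:
    """Pair each '<addr> ... - <symbol>' header with its '[ old:new ]' byte line."""
    patches, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = (int(m.group(1), 16), m.group(2))
            continue
        m = BYTES_RE.search(line)
        if m and pending:
            orig = bytes.fromhex(m.group(1).replace(" ", ""))
            new = bytes.fromhex(m.group(2).replace(" ", ""))
            patches.append(Patch(pending[0], pending[1], orig, new))
            pending = None
    return patches


def resolve_module(addr: int) -> str:
    for name, (lo, hi) in MODULE_RANGES.items():
        if lo <= addr < hi:
            return name
    return "unknown"


def rel32(b: bytes) -> int:
    return int.from_bytes(b[:4], "little", signed=True)


def classify(p: Patch) -> Patch:
    if p.symbol.startswith("nt!KiServiceTable") and len(p.new) == 4:
        p.kind = "ssdt-entry"                  # table slot: absolute pointer swapped
        p.target = int.from_bytes(p.new, "little")
    elif p.new[:1] == b"\xe9" and len(p.new) >= 5:
        p.kind = "inline-jmp"                  # 5-byte jmp rel32 written over the prologue
        p.target = (p.addr + 5 + rel32(p.new[1:5])) & 0xFFFFFFFF
        if p.new[5:7] == b"\xeb\xf9":          # 'jmp $-7' in the mov edi,edi slot: hot-patch style
            p.kind = "hotpatch-jmp"
    elif p.new[:1] == b"\xe9":
        p.kind = "inline-jmp-split"            # !chkimg cut the jmp at an unchanged byte
        p.note = "rel32 incomplete in dump; target not recoverable"
    elif len(p.new) == 4:
        p.kind = "rel32-displacement"          # heuristic: operand of a call/jmp rewritten
        p.target = (p.addr + 4 + rel32(p.new)) & 0xFFFFFFFF
    if p.target is not None:
        p.target_module = resolve_module(p.target)
    return p


def attach_fragments(patches: list) -> list:
    """Mark the leftover bytes of a split jmp (e.g. NtOpenProcess+3) as belonging to it."""
    for p in patches:
        if p.kind != "inline-jmp-split":
            continue
        for q in patches:
            if p.addr < q.addr < p.addr + 5 and q.kind == "unclassified":
                q.kind = "inline-jmp-fragment"
                q.note = f"tail of the jmp patched at {p.addr:08x}"
    return patches


def triage(text: str) -> list:
    return attach_fragments([classify(p) for p in parse_chkimg(text)])


def patch_for(text: str, symbol: str) -> Patch:
    return next(p for p in triage(text) if p.symbol == symbol)


def modules_hooking_nt(text: str) -> set:
    """Where redirected kernel control flow lands: the question this bugcheck raises."""
    return {p.target_module for p in triage(text) if p.target is not None}


if __name__ == "__main__":
    for p in triage(CHKIMG_SAMPLE):
        tgt = f"{p.target:08x} ({p.target_module})" if p.target is not None else p.note
        print(f"{p.addr:08x} {p.symbol:<32} {p.kind:<20} {tgt}")
```

Running it prints one line per patch with the resolved target; on the excerpt, the SSDT slot, the `ObReferenceObjectByHandle` prologue jump and the `KeAttachProcess+40` displacement all resolve into the `Ch000001` range, while the `NtOpenKey` hot-patch lands somewhere no supplied range covers. The hot-patch pattern and the split-jump case are the two that a naive "first byte is E9" check gets wrong, and the split case is why the parser must not treat each `!chkimg` line as a self-contained patch.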
annybaby
Posted on 2009-3-1 22:11:44
Take a look at the picture, there's a bit of a problem
(attachment: 333.gif)
chenhui530
(thread starter) Posted on 2009-3-1 23:09:20
Probably got restricted
chenhui530
(thread starter) Posted on 2009-3-1 23:54:53
My guess is that the virus uses an inline hook similar to 天琊's, and since the virus doesn't check whether the function has already been hooked before it loads, this is the result.
chenhui530
(thread starter) Posted on 2009-3-2 00:02:03
That virus bluescreens on its own even without 天琊 running.
405942873
Posted on 2009-3-2 20:15:49
Actually, I prefer your

virus diagnosis and analysis program

because there are too many products like 天琊..

The virus diagnosis and analysis program is different; there are very few products like it..

But right now this program's bluescreen problem is still pretty serious; hope it gets improved soon.
chenhui530
(thread starter) Posted on 2009-3-2 21:25:59
Wait a while
It can't be released yet
dl123100
Posted on 2009-3-2 22:36:27
http://bbs.kafan.cn/viewthread.p ... p;extra=&page=1
Just found that after running the sample above, 天琊 still can't block appinit_dlls.
See screenshot:
(screenshot: XP SP3-2009-03-02-22-34-36.png)
dl123100
Posted on 2009-3-2 22:46:18
Ugh, the virus above infected the kernel file ntkrnlpa.exe (dual-core), no wonder it injects the DLL so easily.