Analysis of RKdemo12.sys

Source: Internet | Editor: 程序博客网 | Time: 2024/05/01 22:54

This time a README text file came along with the sample. It says this is a resident driver that creates a system thread which never stops running. Opening the file in IDA, the disassembly of DriverEntry is shown below:

                               sub     esp, 18h
.text:00010B73                 push    esi
.text:00010B74                 mov     esi, [esp+1Ch+DriverObject]
.text:00010B78                 push    edi
.text:00010B79                 mov     dword_10E80, esi
.text:00010B7F                 call    ds:IoGetCurrentProcess
.text:00010B85                 mov     dword_10E94, eax
.text:00010B8A                 call    sub_10930
.text:00010B8F                 xor     edi, edi
.text:00010B91                 push    edi             ; StartContext
.text:00010B92                 push    offset StartRoutine ; StartRoutine
.text:00010B97                 push    edi             ; ClientId
.text:00010B98                 push    edi             ; ProcessHandle
.text:00010B99                 lea     eax, [esp+30h+ObjectAttributes]
.text:00010B9D                 push    eax             ; ObjectAttributes
.text:00010B9E                 push    1F03FFh         ; DesiredAccess
.text:00010BA3                 lea     ecx, [esp+38h+DriverObject]
.text:00010BA7                 push    ecx             ; ThreadHandle
.text:00010BA8                 mov     [esp+3Ch+ObjectAttributes.Length], 18h
.text:00010BB0                 mov     [esp+3Ch+ObjectAttributes.RootDirectory], edi
.text:00010BB4                 mov     [esp+3Ch+ObjectAttributes.ObjectName], edi
.text:00010BB8                 mov     [esp+3Ch+ObjectAttributes.Attributes], 200h
.text:00010BC0                 mov     [esp+3Ch+ObjectAttributes.SecurityDescriptor], edi
.text:00010BC4                 mov     [esp+3Ch+ObjectAttributes.SecurityQualityOfService], edi
.text:00010BC8                 call    ds:PsCreateSystemThread
.text:00010BCE                 mov     edx, [esp+20h+DriverObject]
.text:00010BD2                 push    edi             ; HandleInformation
.text:00010BD3                 push    offset Object   ; Object
.text:00010BD8                 push    edi             ; AccessMode
.text:00010BD9                 push    edi             ; ObjectType
.text:00010BDA                 push    edi             ; DesiredAccess
.text:00010BDB                 push    edx             ; Handle
.text:00010BDC                 call    ds:ObReferenceObjectByHandle
.text:00010BE2                 mov     eax, [esp+20h+DriverObject]
.text:00010BE6                 push    eax             ; Handle
.text:00010BE7                 call    ds:ZwClose
.text:00010BED                 push    offset aDeviceDemo_rk1 ; "\\Device\\demo_rk12"
.text:00010BF2                 push    offset DeviceName ; DestinationString
.text:00010BF7                 call    ds:RtlInitUnicodeString
.text:00010BFD                 push    offset DeviceObject ; DeviceObject
.text:00010C02                 push    edi             ; Exclusive
.text:00010C03                 push    edi             ; DeviceCharacteristics
.text:00010C04                 push    22h             ; DeviceType
.text:00010C06                 push    offset DeviceName ; DeviceName
.text:00010C0B                 push    edi             ; DeviceExtensionSize
.text:00010C0C                 push    esi             ; DriverObject
.text:00010C0D                 call    ds:IoCreateDevice
.text:00010C13                 cmp     eax, edi
.text:00010C15                 jnz     short loc_10C30
.text:00010C17                 mov     ecx, offset loc_10B50
.text:00010C1C                 mov     dword ptr [esi+34h], offset loc_10B30
.text:00010C23                 mov     [esi+38h], ecx
.text:00010C26                 mov     [esi+40h], ecx
.text:00010C29                 mov     dword ptr [esi+70h], offset sub_10AD0

PEPROCESS IoGetCurrentProcess(VOID); returns a pointer to the current process and is equivalent to PsGetCurrentProcess.
PsCreateSystemThread() creates a thread that runs in kernel mode and returns a thread handle. One of its parameters, StartRoutine, points to the thread's worker routine. Its disassembly is shown below:

                               sub     esp, 8
.text:000108B3                 mov     eax, ds:RtlInitUnicodeString
.text:000108B8                 mov     ecx, Object
.text:000108BE                 push    ebx
.text:000108BF                 mov     ebx, ds:IoDeleteDevice
.text:000108C5                 push    esi
.text:000108C6                 mov     esi, ds:KeDelayExecutionThread
.text:000108CC                 add     eax, 230h
.text:000108D1                 push    edi
.text:000108D2                 mov     edi, ds:DbgPrint
.text:000108D8                 mov     dword ptr [esp+14h+Interval], 0FF676980h
.text:000108E0                 mov     dword ptr [esp+14h+Interval+4], 0FFFFFFFFh
.text:000108E8                 mov     [ecx+224h], eax
.text:000108EE                 mov     edi, edi
.text:000108F0
.text:000108F0 loc_108F0:                              ; CODE XREF: StartRoutine+5Fj
.text:000108F0                                         ; StartRoutine+74j
.text:000108F0                 lea     edx, [esp+14h+Interval]
.text:000108F4                 push    edx             ; Interval
.text:000108F5                 push    0               ; Alertable
.text:000108F7                 push    0               ; WaitMode
.text:000108F9                 call    esi ; KeDelayExecutionThread
.text:000108FB                 push    offset aRkdemo1_2OwnsY ; "rkdemo 1.2 owns your system }=)"
.text:00010900                 call    edi
.text:00010902                 mov     eax, dword_10E80
.text:00010907                 mov     eax, [eax+4]
.text:0001090A                 add     esp, 4
.text:0001090D                 test    eax, eax
.text:0001090F                 jz      short loc_108F0
.text:00010911                 push    eax             ; DeviceObject
.text:00010912                 call    ebx ; IoDeleteDevice
.text:00010914                 mov     ecx, dword_10E80
.text:0001091A                 mov     edx, 0A8h
.text:0001091F                 call    sub_10C38
.text:00010924                 jmp     short loc_108F0 ; jumps back to loc_108F0 from here, forming an infinite loop

As can be seen, the first part saves the addresses of the functions it will use so they can be called through registers later. The variable Interval is of the structure type LARGE_INTEGER; both its LowPart and HighPart are assigned. KeDelayExecutionThread() "suspends" the thread for the duration given by Interval. After that it prints a message. What does dword_10E80 point to? It is not easy to find, but the cross-references show that it is assigned only in DriverEntry and every other use is a read; it holds the address of the DriverObject structure. Next the routine checks whether the device object stored in the driver object is null. In practice this makes no difference: when the device exists it deletes the device and then returns to the earlier check, which again forms the infinite loop (as noted above).
A device is also created later in DriverEntry. Up to this point I have not found anything that makes it a resident driver, but an RKSTART.exe file came along with it, and I think that is where this is implemented.
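As an added example (not code from the original post), the following Python script parses a few lines of the StartRoutine listing above in IDA's `.text:ADDR` format, collects the kernel routines the thread reaches, rebuilds the Interval value from its two dword stores (KeDelayExecutionThread treats a negative LARGE_INTEGER as a relative wait in 100 ns units, so 0FFFFFFFFFF676980h is minus 10,000,000, i.e. one second) and flags the backward jumps that make the thread loop forever. The listing lines are copied from the page; the function names and parsing approach are my own.

```python
import re

# Constructed sample: lines copied from the IDA listing of StartRoutine above.
LISTING = """\
.text:000108C6                 mov     esi, ds:KeDelayExecutionThread
.text:000108D2                 mov     edi, ds:DbgPrint
.text:000108D8                 mov     dword ptr [esp+14h+Interval], 0FF676980h
.text:000108E0                 mov     dword ptr [esp+14h+Interval+4], 0FFFFFFFFh
.text:000108F0 loc_108F0:                              ; CODE XREF: StartRoutine+5Fj
.text:000108F9                 call    esi ; KeDelayExecutionThread
.text:0001090F                 jz      short loc_108F0
.text:00010912                 call    ebx ; IoDeleteDevice
.text:00010924                 jmp     short loc_108F0
"""
LINE_RE = re.compile(r"^\.text:([0-9A-F]{8})\s+(.*)$")

def parse(listing):
    """Return (addr, text, comment) per .text line; text is an instruction or a 'label:'."""
    rows = []
    for m in filter(None, map(LINE_RE.match, listing.splitlines())):
        text, _, comment = m.group(2).partition(";")
        rows.append((int(m.group(1), 16), text.strip(), comment.strip()))
    return rows

def referenced_apis(rows):
    """Imports reached via ds:Name loads or 'call reg ; Name' register calls."""
    apis = set()
    for _, text, comment in rows:
        apis.update(re.findall(r"ds:(\w+)", text))
        if text.startswith("call") and re.fullmatch(r"\w+", comment):
            apis.add(comment)
    return apis

def interval_seconds(rows):
    """Rebuild the LARGE_INTEGER stored as two dwords; negative = relative wait in 100 ns units."""
    parts = {}
    for _, text, _ in rows:
        m = re.match(r"mov\s+dword ptr \[esp\+\w+\+Interval(\+4)?\],\s*0?([0-9A-F]+)h", text)
        if m:
            parts["hi" if m.group(1) else "lo"] = int(m.group(2), 16)
    raw = (parts["hi"] << 32) | parts["lo"]
    signed = raw - (1 << 64) if raw >> 63 else raw   # two's-complement 64-bit value
    return signed / 10_000_000                       # 100 ns ticks -> seconds

def backward_jumps(rows):
    """Jumps whose target label sits at a lower address: the never-ending loop."""
    labels = {text[:-1]: addr for addr, text, _ in rows if text.endswith(":")}
    out = []
    for addr, text, _ in rows:
        m = re.match(r"j\w+\s+(?:short\s+)?(\w+)", text)
        if m and labels.get(m.group(1), addr) < addr:
            out.append((addr, m.group(1)))
    return out
```

A negative result from interval_seconds confirms the delay is relative, so the thread sleeps one second per iteration before printing and re-checking the device object.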