x64 - reject driver loading
Source: Internet  Published: 网络电话录音  Editor: 程序博客网  Time: 2024/05/01 06:00
Preface
In an adversarial setting, some programs react to a failed load of their .dll or .sys by renaming the PE file and trying to load it again.
In that case a blacklist of image names cannot be the basis for host protection (HIPS) decisions. Instead, a signature has to be located inside the PE image itself, and loading is rejected when that signature matches.
Test environment
Win7X64SP1 + WDK7600 + x64 Checked Build Environment
Test record
This is only a proof of concept; no validation code was added, and the test did not blue-screen.
```cpp
// @file RejectDriverLoading\test.cpp
// @brief x64 - block a specified image from loading
// After a driver fails to load, the program that manages the image may rename it and try to load it again.
// Here the target image is identified by a specific section name, e.g. PCHunter64.exe's section .pchunt0
// If the sample does not carry a distinctive section name, search the PE for a byte signature instead.
// Renaming the driver and retrying is very likely to be adopted by legitimate developers (it is the first method that comes to mind)
// and it bypasses a HIPS that works from a name blacklist.
// PCHunter64 happens to have exactly this behaviour (driver load fails, driver is renamed and reloaded), so it is used for the experiment.
// When testing a driver in a VM, a shared folder is convenient.
// Delete the shared folder from the command line when done:
// command line - list shared folders
// >net share
// command line - delete a shared folder
// >net share D:\testDir\DriverTest /DELETE

#include <Ntddk.h>
#include <ntimage.h>

// special section name of the image to block
#define BLACK_SECTION_NAME ".pchunt0"

typedef unsigned long DWORD;

// Returns the first IMAGE_SECTION_HEADER of the mapped image and the section count.
// As the post says, the headers are not validated (e_magic / Signature / e_lfanew bounds);
// production code must validate them before dereferencing.
IMAGE_SECTION_HEADER* GetSectionHeader(PIMAGE_INFO ImageInfo, int& iSecCnt)
{
    IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)ImageInfo->ImageBase;
    IMAGE_NT_HEADERS64* pNtHeader = (IMAGE_NT_HEADERS64*)((char*)ImageInfo->ImageBase + pDosHeader->e_lfanew);
    IMAGE_SECTION_HEADER* pSectionHeaderAry = NULL;

    // The section table follows FileHeader + SizeOfOptionalHeader; IMAGE_FIRST_SECTION
    // computes that and is correct for both PE32 and PE32+ optional header sizes.
    pSectionHeaderAry = IMAGE_FIRST_SECTION(pNtHeader);
    iSecCnt = pNtHeader->FileHeader.NumberOfSections;
    return pSectionHeaderAry;
}

VOID ProcLoadImageNotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
    wchar_t* pFind = NULL;
    IMAGE_SECTION_HEADER* pSectionHeader = NULL;
    int iSecCnt = 0;
    int iIndex = 0;
    BOOLEAN bMatched = FALSE;

    // Note: a UNICODE_STRING buffer is not guaranteed to be NUL-terminated; the post relies on it here.
    pFind = wcsstr(FullImageName->Buffer, L".sys");
    if (NULL != pFind) {
        // only print "*.sys"
        KdPrint(("Load Driver:%p PID:%d ImageName:%wZ\n", ProcLoadImageNotifyRoutine, ProcessId, FullImageName));
        pSectionHeader = GetSectionHeader(ImageInfo, iSecCnt);
        for (iIndex = 0; iIndex < iSecCnt; iIndex++) {
            if (NULL == pSectionHeader) {
                break;
            }
            // Name is IMAGE_SIZEOF_SHORT_NAME (8) bytes and is NOT NUL-terminated when all
            // 8 bytes are used (".pchunt0" is 8 chars), so strstr() would read past the field;
            // compare the whole field with a bounded compare instead.
            if (0 == strncmp((const char*)pSectionHeader->Name, BLACK_SECTION_NAME, IMAGE_SIZEOF_SHORT_NAME)) {
                bMatched = TRUE;
                break;
            }
            pSectionHeader++;
        }
        if (bMatched) {
            // mov eax, 0xC0000001L   ; STATUS_UNSUCCESSFUL
            // ret
            // Patch the entry point so DriverEntry returns failure immediately and the image is unloaded.
            unsigned char szCode[] = {0xb8, 0x01, 0x00, 0x00, 0xc0, 0xc3};
            IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)ImageInfo->ImageBase;
            IMAGE_NT_HEADERS64* pNtHeader = (IMAGE_NT_HEADERS64*)((char*)pDosHeader + pDosHeader->e_lfanew);
            char* pOEP = (char*)pDosHeader + pNtHeader->OptionalHeader.AddressOfEntryPoint;
            RtlCopyMemory(pOEP, szCode, sizeof(szCode));
            KdPrint(("let image quit : [%wZ] \r\n", FullImageName));
        }
    }
}

VOID fnDrvUnLoad(__in struct _DRIVER_OBJECT *DriverObject)
{
    KdPrint((">> fnDrvUnLoad"));
    PsRemoveLoadImageNotifyRoutine(ProcLoadImageNotifyRoutine);
    KdPrint(("PsRemoveLoadImageNotifyRoutine:%p\n", ProcLoadImageNotifyRoutine));
}

extern "C"
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT *DriverObject, __in PUNICODE_STRING RegistryPath)
{
    KdPrint((">> DriverEntry"));
    DriverObject->DriverUnload = fnDrvUnLoad;
    PsSetLoadImageNotifyRoutine(ProcLoadImageNotifyRoutine);
    KdPrint(("PsSetLoadImageNotifyRoutine:%p\n", ProcLoadImageNotifyRoutine));
    return STATUS_SUCCESS;
}
```
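The section-name check above is the core of the post's signature match. The following is an added user-mode example, not code from the post, that performs the same scan on a PE file or mapped image: it walks e_lfanew, the PE signature and FileHeader.NumberOfSections exactly as the driver does, but locates the section table through SizeOfOptionalHeader and compares the full 8-byte Name field. The function names and the constructed header-only test image are assumptions for this example.

```python
import struct

# the marker section name the post's driver rejects
BLACK_SECTION_NAME = b".pchunt0"

def section_names(image: bytes) -> list:
    """Return the raw 8-byte section names of a PE image (file or mapped layout).

    Walks the same chain as the post's GetSectionHeader(): e_lfanew -> PE signature
    -> FileHeader.NumberOfSections, but locates the section table through
    SizeOfOptionalHeader (what IMAGE_FIRST_SECTION does) instead of assuming
    sizeof(IMAGE_NT_HEADERS64), so PE32 and PE32+ images are both handled.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", image, file_hdr + 16)[0]
    table = file_hdr + 20 + size_opt              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                      # sizeof(IMAGE_SECTION_HEADER)
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        names.append(image[off:off + 8])          # Name[IMAGE_SIZEOF_SHORT_NAME]
    return names

def has_black_section(image: bytes, black: bytes = BLACK_SECTION_NAME) -> bool:
    # Name is exactly 8 bytes, NUL-padded and NOT NUL-terminated when all 8 are
    # used (".pchunt0" is 8 chars), so compare the whole field, never strstr().
    want = black.ljust(8, b"\0")[:8]
    return any(name == want for name in section_names(image))

def build_test_image(names, size_opt=240) -> bytes:
    """Constructed header-only PE64 (not a loadable driver) for exercising the scan."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    sections = b"".join(n.ljust(8, b"\0")[:8] + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections
```

Reading a real file with `open(path, "rb").read()` and passing it to `has_black_section` gives the same verdict the driver reaches on the mapped image, because the section table lives in the headers and is identical in both layouts.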
Test result
As the debug output shows, PCHunter64's attempts to rename and reload the driver are quite persistent.
```
>> DriverEntry
PsSetLoadImageNotifyRoutine:FFFFF880032820C0
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\PCHunter64ak.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\PCHunter64ak.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\PCHunter64.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\PCHunter64.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\xtwofhygymiudwtm.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\xtwofhygymiudwtm.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\xtwofhygymiudwtm.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\xtwofhygymiudwtm.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\ifejxbbhylfeyvsxm.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\ifejxbbhylfeyvsxm.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\ifejxbbhylfeyvsxm.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\ifejxbbhylfeyvsxm.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\rozkndthcctbig.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\rozkndthcctbig.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\rozkndthcctbig.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\rozkndthcctbig.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\axtmefeootgyarf.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\axtmefeootgyarf.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\axtmefeootgyarf.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\axtmefeootgyarf.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\ihwwdhwnakuwkdql.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\ihwwdhwnakuwkdql.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\ihwwdhwnakuwkdql.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\ihwwdhwnakuwkdql.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\jqrytjpmmjhtuo.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\jqrytjpmmjhtuo.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\jqrytjpmmjhtuo.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\jqrytjpmmjhtuo.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\ccrslesnminvpf.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\ccrslesnminvpf.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\ccrslesnminvpf.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\ccrslesnminvpf.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\kluubgkvxzashqd.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\kluubgkvxzashqd.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\kluubgkvxzashqd.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\kluubgkvxzashqd.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\tuowaivujqoprbfsi.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\tuowaivujqoprbfsi.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\tuowaivujqoprbfsi.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\tuowaivujqoprbfsi.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\uejgqkntnhbubm.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\uejgqkntnhbubm.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\uejgqkntnhbubm.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\uejgqkntnhbubm.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\cneihmgbzxortxb.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\cneihmgbzxortxb.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\cneihmgbzxortxb.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\cneihmgbzxortxb.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\vymcygjbzwutfoa.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\vymcygjbzwutfoa.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\vymcygjbzwutfoa.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\vymcygjbzwutfoa.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\eigexiublvhryzdzp.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\eigexiublvhryzdzp.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\eigexiublvhryzdzp.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\eigexiublvhryzdzp.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\erbfokmaxmvoik.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\erbfokmaxmvoik.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\erbfokmaxmvoik.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\erbfokmaxmvoik.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\nawheuehjdilsvq.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\nawheuehjdilsvq.sys]
Load Driver:FFFFF880032820C0 PID:0 ImageName:\??\C:\Users\LostSpeed\Desktop\nawheuehjdilsvq.sys
let image quit : [\??\C:\Users\LostSpeed\Desktop\nawheuehjdilsvq.sys]
```
PCHunter64 finally shows the message box "加载驱动失败!" (failed to load driver):
```
---------------------------
PCHunter64
---------------------------
加载驱动失败!
---------------------------
确定
---------------------------
```