[求助]Conficker HOOK NtQueryInformationProcess
发表于: 2012-8-17 19:59 6563

最近看了下Conficker,发现HOOK了NtQueryInformationProcess,但是他的目的搞不明白,Google了一下,基本都说是for thread obfuscation,仅此一句话而已。
seg000:009AADCD fnFakeNtQueryInformationProcess proc near
seg000:009AADCD ; Replacement for NtQueryInformationProcess (stdcall, five dword
seg000:009AADCD ; arguments, cf. "retn 14h" below). It forwards every call to the
seg000:009AADCD ; real function saved at dword_9BB190+4 and then, only when the
seg000:009AADCD ; caller asked for class 34 (ProcessExecuteFlags) on the current
seg000:009AADCD ; process (handle -1) with a non-NULL buffer and non-zero length,
seg000:009AADCD ; patches the first byte of the caller's buffer via sub_9AADA0.
seg000:009AADCD ; The real NTSTATUS (kept in esi) is returned unchanged, so the
seg000:009AADCD ; status gives no hint that the data was altered; the status is
seg000:009AADCD ; also not checked before the buffer is patched.
seg000:009AADCD ; Argument mapping (from the prototype): arg_0 = ProcessHandle,
seg000:009AADCD ; arg_4 = ProcessInformationClass, arg_8 = ProcessInformation,
seg000:009AADCD ; arg_C = ProcessInformationLength, arg_10 = ReturnLength.
seg000:009AADCD
seg000:009AADCD arg_0           = dword ptr  8
seg000:009AADCD arg_4           = dword ptr  0Ch
seg000:009AADCD arg_8           = dword ptr  10h
seg000:009AADCD arg_C           = dword ptr  14h
seg000:009AADCD arg_10          = dword ptr  18h
seg000:009AADCD
seg000:009AADCD                 push    ebp
seg000:009AADCE                 mov     ebp, esp
seg000:009AADD0                 mov     eax, ds:dword_9BB190 ; global hook context; NULL -> error path
seg000:009AADD5                 test    eax, eax
seg000:009AADD7                 jz      short loc_9AAE16 ; no context: fail instead of forwarding
seg000:009AADD9                 push    esi
seg000:009AADDA                 push    [ebp+arg_10]    ; re-push all five args (stdcall, right to left)
seg000:009AADDD                 add     eax, 4          ; ctx+4 holds the saved original function pointer
seg000:009AADE0                 push    [ebp+arg_C]
seg000:009AADE3                 push    [ebp+arg_8]
seg000:009AADE6                 push    [ebp+arg_4]
seg000:009AADE9                 push    [ebp+arg_0]
seg000:009AADEC                 call    eax ; dwRealNtQueryInformationProcess
seg000:009AADEE                 [COLOR="Red"]cmp     [ebp+arg_4], 34 ; ProcessInformationClass == ProcessExecuteFlags?
seg000:009AADF2                 mov     esi, eax        ; keep the real NTSTATUS; returned as-is below, never tested
seg000:009AADF4                 jnz     short loc_9AAE11
seg000:009AADF6                 cmp     [ebp+arg_0], 0FFFFFFFFh ; only for the current-process pseudo-handle (-1)
seg000:009AADFA                 jnz     short loc_9AAE11
seg000:009AADFC                 cmp     [ebp+arg_8], 0  ; ProcessInformation must be non-NULL
seg000:009AAE00                 jz      short loc_9AAE11
seg000:009AAE02                 cmp     [ebp+arg_C], 0  ; length only checked for non-zero (one byte is written)
seg000:009AAE06                 jz      short loc_9AAE11
seg000:009AAE08                 [COLOR="red"]push    [ebp+arg_8]
seg000:009AAE0B                 [COLOR="red"]call    sub_9AADA0 ; OR 70h into the first byte of the caller's buffer (under SEH)
seg000:009AAE10                 pop     ecx             ; cdecl cleanup of the single argument (sub_9AADA0 ends in plain retn)
seg000:009AAE11
seg000:009AAE11 loc_9AAE11:                             
seg000:009AAE11                                         
seg000:009AAE11                 mov     eax, esi        ; return the real function's status
seg000:009AAE13                 pop     esi
seg000:009AAE14                 jmp     short loc_9AAE19
seg000:009AAE16 ; ---------------------------------------------------------------------------
seg000:009AAE16
seg000:009AAE16 loc_9AAE16:                             
seg000:009AAE16                 push    57h ; 'W'       ; ERROR_INVALID_PARAMETER (a Win32 error code, not an NTSTATUS, returned from an Nt* API)
seg000:009AAE18                 pop     eax
seg000:009AAE19
seg000:009AAE19 loc_9AAE19:                             
seg000:009AAE19                 pop     ebp
seg000:009AAE1A                 retn    14h             ; stdcall: callee pops the five dword args
seg000:009AAE1A fnFakeNtQueryInformationProcess endp

seg000:009AADA0 sub_9AADA0      proc near               
seg000:009AADA0 ; Helper called by the hook with one argument: a pointer to the
seg000:009AADA0 ; caller's ProcessInformation buffer. Inside an SEH frame it ORs
seg000:009AADA0 ; 70h into the byte at that address, i.e. sets bits 4, 5 and 6 of
seg000:009AADA0 ; KEXECUTE_OPTIONS (ExecuteDispatchEnable, ImageDispatchEnable and
seg000:009AADA0 ; the low bit of Spare); the DEP-related bits 0-3 are untouched.
seg000:009AADA0 ; The SEH frame means a bad pointer does not crash the hooked
seg000:009AADA0 ; process. The caller discards the return value (pop ecx; mov eax, esi).
seg000:009AADA0
seg000:009AADA0 ms_exc          = CPPEH_RECORD ptr -18h
seg000:009AADA0 arg_0           = dword ptr  8
seg000:009AADA0
seg000:009AADA0                 push    8
seg000:009AADA2                 push    offset unk_9A4080 ; scope table for __SEH_prolog
seg000:009AADA7                 call    __SEH_prolog
seg000:009AADAC                 mov     eax, [ebp+arg_0] ; eax = pointer into the caller's buffer
seg000:009AADAF                 and     [ebp+ms_exc.disabled], 0 ; enter __try level 0
seg000:009AADB3                 mov     cl, [eax]
seg000:009AADB5                 [COLOR="Red"]or      cl, 70h ; 0111 0000b: bits 4..6 of the first KEXECUTE_OPTIONS byte
seg000:009AADB8                 mov     [eax], cl       ; write back into the caller's buffer
seg000:009AADBA                 jmp     short loc_9AADC3
seg000:009AADBC ; ---------------------------------------------------------------------------
seg000:009AADBC                 xor     eax, eax        ; looks like the exception filter: returns 1
seg000:009AADBE                 inc     eax             ; (EXCEPTION_EXECUTE_HANDLER) for any fault
seg000:009AADBF                 retn
seg000:009AADC0 ; ---------------------------------------------------------------------------
seg000:009AADC0                 mov     esp, [ebp+ms_exc.old_esp] ; presumably the __except body: restore esp, fall into the epilog
seg000:009AADC3
seg000:009AADC3 loc_9AADC3:                             
seg000:009AADC3                 or      [ebp+ms_exc.disabled], 0FFFFFFFFh ; leave __try
seg000:009AADC7                 call    __SEH_epilog
seg000:009AADCC                 retn                    ; plain retn: caller cleans the argument
seg000:009AADCC sub_9AADA0      endp

函数原型:
// Prototype of the hooked function: stdcall with five dword arguments on
// x86, matching the hook's "retn 14h". The right-hand comments give the
// IDA argument name used in the listings above and what the hook does with it.
NTSTATUS WINAPI NtQueryInformationProcess(
  __in          HANDLE ProcessHandle,                    // arg_0; hook acts only when == -1 (current process)
  __in          PROCESSINFOCLASS ProcessInformationClass, // arg_4; hook acts only when == 34 (ProcessExecuteFlags)
  __out         PVOID ProcessInformation,                // arg_8; first byte gets OR'ed with 0x70 after the real call
  __in          ULONG ProcessInformationLength,          // arg_C; only checked to be non-zero
  __out_opt     PULONG ReturnLength                      // arg_10; passed through untouched
);

ProcessInformationClass为34表示ProcessExecuteFlags
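/*
 * Layout of the byte returned by NtQueryInformationProcess for class 34
 * (ProcessExecuteFlags). Bit positions, LSB first:
 *   bit 0 ExecuteDisable, bit 1 ExecuteEnable, bit 2 DisableThunkEmulation,
 *   bit 3 Permanent, bit 4 ExecuteDispatchEnable, bit 5 ImageDispatchEnable,
 *   bits 6-7 Spare.
 * The hook's "or cl, 70h" (0111 0000b) therefore sets bits 4, 5 and 6:
 * ExecuteDispatchEnable, ImageDispatchEnable and the low bit of Spare.
 * The DEP-relevant bits 0-3 are not modified by the hook.
 *
 * Fix: the original paste declared PKEXECUTE_OPTIONS without the '*', which
 * would make it a second name for the struct rather than a pointer type.
 */
typedef struct _KEXECUTE_OPTIONS {
    UCHAR ExecuteDisable : 1;         /* bit 0 */
    UCHAR ExecuteEnable : 1;          /* bit 1 */
    UCHAR DisableThunkEmulation : 1;  /* bit 2 */
    UCHAR Permanent : 1;              /* bit 3 */
    UCHAR ExecuteDispatchEnable : 1;  /* bit 4 - set by the hook */
    UCHAR ImageDispatchEnable : 1;    /* bit 5 - set by the hook */
    UCHAR Spare : 2;                  /* bits 6-7 - bit 6 set by the hook */
} KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;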

在《0day安全:软件漏洞分析技术(第2版)》中有提到:

这些标识位中前4个bit与DEP相关,当前进程DEP开启时ExecuteDisable位被置1,当进程DEP关闭时ExecuteEnable位被置1,DisableThunkEmulation 是为了兼容ATL程序设置的,Permanent被置1后表示这些标志都不能再被修改。真正影响DEP状态是前两位,所以我们只要将_KEXECUTE_OPTIONS的值设置为0x02(二进制为00000010)就可以将ExecuteEnable置为1。

书中没有讲解后面三个成员是干什么的。Conficker的挂钩函数在真正的查询返回之后,对返回缓冲区的第一个字节执行 or 0x70,即把 ExecuteDispatchEnable、ImageDispatchEnable 以及 Spare 的低位置为1,这样做的目的是什么?

向各位牛请教,先谢过了

消灭0回复,纯支持.不懂.
2012-8-19 13:01

顶一下 知道的指点下哈
2012-8-19 17:09