-
-
[求助]Conficker HOOK NtQueryInformationProcess
-
发表于: 2012-8-17 19:59
-
最近看了下Conficker,发现HOOK了NtQueryInformationProcess,但是他的目的搞不明白,Google了一下,基本都说是for thread obfuscation,仅此一句话而已。
函数原型:
ProcessInformationClass为34表示ProcessExecuteFlags
在《0day安全:软件漏洞分析技术(第2版)》中有提到:
没有讲解后面三个成员是干什么的,Conficker挂钩函数在查询之后把后面三个成员设置为1是为了什么?
向各位牛请教,先谢过了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | seg000:009AADCD fnFakeNtQueryInformationProcess proc nearseg000:009AADCDseg000:009AADCD arg_0 = dword ptr 8seg000:009AADCD arg_4 = dword ptr 0Chseg000:009AADCD arg_8 = dword ptr 10hseg000:009AADCD arg_C = dword ptr 14hseg000:009AADCD arg_10 = dword ptr 18hseg000:009AADCDseg000:009AADCD push ebpseg000:009AADCE mov ebp, espseg000:009AADD0 mov eax, ds:dword_9BB190seg000:009AADD5 test eax, eaxseg000:009AADD7 jz short loc_9AAE16seg000:009AADD9 push esiseg000:009AADDA push [ebp+arg_10]seg000:009AADDD add eax, 4seg000:009AADE0 push [ebp+arg_C]seg000:009AADE3 push [ebp+arg_8]seg000:009AADE6 push [ebp+arg_4]seg000:009AADE9 push [ebp+arg_0]seg000:009AADEC call eax ; dwRealNtQueryInformationProcessseg000:009AADEE [COLOR="Red"]cmp [ebp+arg_4], 34 seg000:009AADF2 mov esi, eaxseg000:009AADF4 jnz short loc_9AAE11seg000:009AADF6 cmp [ebp+arg_0], 0FFFFFFFFhseg000:009AADFA jnz short loc_9AAE11seg000:009AADFC cmp [ebp+arg_8], 0seg000:009AAE00 jz short loc_9AAE11seg000:009AAE02 cmp [ebp+arg_C], 0seg000:009AAE06 jz short loc_9AAE11seg000:009AAE08 [COLOR="red"]push [ebp+arg_8]seg000:009AAE0B [COLOR="red"]call sub_9AADA0seg000:009AAE10 pop ecxseg000:009AAE11seg000:009AAE11 loc_9AAE11: seg000:009AAE11 seg000:009AAE11 mov eax, esiseg000:009AAE13 pop esiseg000:009AAE14 jmp short loc_9AAE19seg000:009AAE16 ; ---------------------------------------------------------------------------seg000:009AAE16seg000:009AAE16 loc_9AAE16: seg000:009AAE16 push 57h ; 'W' ; ERROR_INVALID_PARAMETERseg000:009AAE18 pop eaxseg000:009AAE19seg000:009AAE19 loc_9AAE19: seg000:009AAE19 pop ebpseg000:009AAE1A retn 14hseg000:009AAE1A fnFakeNtQueryInformationProcess endp |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | seg000:009AADA0 sub_9AADA0 proc near seg000:009AADA0seg000:009AADA0 ms_exc = CPPEH_RECORD ptr -18hseg000:009AADA0 arg_0 = dword ptr 8seg000:009AADA0seg000:009AADA0 push 8seg000:009AADA2 push offset unk_9A4080seg000:009AADA7 call __SEH_prologseg000:009AADAC mov eax, [ebp+arg_0]seg000:009AADAF and [ebp+ms_exc.disabled], 0seg000:009AADB3 mov cl, [eax]seg000:009AADB5 [COLOR="Red"]or cl, 70hseg000:009AADB8 mov [eax], clseg000:009AADBA jmp short loc_9AADC3seg000:009AADBC ; ---------------------------------------------------------------------------seg000:009AADBC xor eax, eaxseg000:009AADBE inc eaxseg000:009AADBF retnseg000:009AADC0 ; ---------------------------------------------------------------------------seg000:009AADC0 mov esp, [ebp+ms_exc.old_esp]seg000:009AADC3seg000:009AADC3 loc_9AADC3: seg000:009AADC3 or [ebp+ms_exc.disabled], 0FFFFFFFFhseg000:009AADC7 call __SEH_epilogseg000:009AADCC retnseg000:009AADCC sub_9AADA0 endp |
函数原型:
1 2 3 4 5 6 7 | NTSTATUS WINAPI NtQueryInformationProcess( __in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength); |
ProcessInformationClass为34表示ProcessExecuteFlags
1 2 3 4 5 6 7 8 9 | typedef struct _KEXECUTE_OPTIONS { UCHAR ExecuteDisable : 1; UCHAR ExecuteEnable : 1; UCHAR DisableThunkEmulation : 1; UCHAR Permanent : 1; UCHAR ExecuteDispatchEnable : 1; UCHAR ImageDispatchEnable : 1; UCHAR Spare : 2;} KEXECUTE_OPTIONS, PKEXECUTE_OPTIONS; |
在《0day安全:软件漏洞分析技术(第2版)》中有提到:
这些标识位中前4个bit与DEP相关,当前进程DEP开启时ExecuteDisable位被置1,当进程DEP关闭时ExecuteEnable位被置1,DisableThunkEmulation 是为了兼容ATL程序设置的,Permanent被置1后表示这些标志都不能再被修改。真正影响DEP状态是前两位,所以我们只要将_KEXECUTE_OPTIONS的值设置为0x02(二进制为00000010)就可以将ExecuteEnable置为1。
没有讲解后面三个成员是干什么的,Conficker挂钩函数在查询之后把后面三个成员设置为1是为了什么?
向各位牛请教,先谢过了
[招生]科锐逆向工程师培训(2025年3月11日实地,远程教学同时开班, 第52期)!
