最近看了下Conficker,发现HOOK了NtQueryInformationProcess,但是他的目的搞不明白,Google了一下,基本都说是for thread obfuscation,仅此一句话而已。
seg000:009AADCD fnFakeNtQueryInformationProcess proc near
seg000:009AADCD
seg000:009AADCD arg_0 = dword ptr 8
seg000:009AADCD arg_4 = dword ptr 0Ch
seg000:009AADCD arg_8 = dword ptr 10h
seg000:009AADCD arg_C = dword ptr 14h
seg000:009AADCD arg_10 = dword ptr 18h
seg000:009AADCD
seg000:009AADCD push ebp
seg000:009AADCE mov ebp, esp
seg000:009AADD0 mov eax, ds:dword_9BB190
seg000:009AADD5 test eax, eax
seg000:009AADD7 jz short loc_9AAE16
seg000:009AADD9 push esi
seg000:009AADDA push [ebp+arg_10]
seg000:009AADDD add eax, 4
seg000:009AADE0 push [ebp+arg_C]
seg000:009AADE3 push [ebp+arg_8]
seg000:009AADE6 push [ebp+arg_4]
seg000:009AADE9 push [ebp+arg_0]
seg000:009AADEC call eax ; dwRealNtQueryInformationProcess
seg000:009AADEE [COLOR="Red"]cmp [ebp+arg_4], 34
seg000:009AADF2 mov esi, eax
seg000:009AADF4 jnz short loc_9AAE11
seg000:009AADF6 cmp [ebp+arg_0], 0FFFFFFFFh
seg000:009AADFA jnz short loc_9AAE11
seg000:009AADFC cmp [ebp+arg_8], 0
seg000:009AAE00 jz short loc_9AAE11
seg000:009AAE02 cmp [ebp+arg_C], 0
seg000:009AAE06 jz short loc_9AAE11
seg000:009AAE08 [COLOR="red"]push [ebp+arg_8]
seg000:009AAE0B [COLOR="red"]call sub_9AADA0
seg000:009AAE10 pop ecx
seg000:009AAE11
seg000:009AAE11 loc_9AAE11:
seg000:009AAE11
seg000:009AAE11 mov eax, esi
seg000:009AAE13 pop esi
seg000:009AAE14 jmp short loc_9AAE19
seg000:009AAE16 ; ---------------------------------------------------------------------------
seg000:009AAE16
seg000:009AAE16 loc_9AAE16:
seg000:009AAE16 push 57h ; 'W' ; ERROR_INVALID_PARAMETER
seg000:009AAE18 pop eax
seg000:009AAE19
seg000:009AAE19 loc_9AAE19:
seg000:009AAE19 pop ebp
seg000:009AAE1A retn 14h
seg000:009AAE1A fnFakeNtQueryInformationProcess endp
seg000:009AADA0 sub_9AADA0 proc near
seg000:009AADA0
seg000:009AADA0 ms_exc = CPPEH_RECORD ptr -18h
seg000:009AADA0 arg_0 = dword ptr 8
seg000:009AADA0
seg000:009AADA0 push 8
seg000:009AADA2 push offset unk_9A4080
seg000:009AADA7 call __SEH_prolog
seg000:009AADAC mov eax, [ebp+arg_0]
seg000:009AADAF and [ebp+ms_exc.disabled], 0
seg000:009AADB3 mov cl, [eax]
seg000:009AADB5 [COLOR="Red"]or cl, 70h
seg000:009AADB8 mov [eax], cl
seg000:009AADBA jmp short loc_9AADC3
seg000:009AADBC ; ---------------------------------------------------------------------------
seg000:009AADBC xor eax, eax
seg000:009AADBE inc eax
seg000:009AADBF retn
seg000:009AADC0 ; ---------------------------------------------------------------------------
seg000:009AADC0 mov esp, [ebp+ms_exc.old_esp]
seg000:009AADC3
seg000:009AADC3 loc_9AADC3:
seg000:009AADC3 or [ebp+ms_exc.disabled], 0FFFFFFFFh
seg000:009AADC7 call __SEH_epilog
seg000:009AADCC retn
seg000:009AADCC sub_9AADA0 endp
函数原型:
NTSTATUS WINAPI NtQueryInformationProcess(
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
);
ProcessInformationClass为34表示ProcessExecuteFlags
typedef struct _KEXECUTE_OPTIONS {
UCHAR ExecuteDisable : 1;
UCHAR ExecuteEnable : 1;
UCHAR DisableThunkEmulation : 1;
UCHAR Permanent : 1;
UCHAR ExecuteDispatchEnable : 1;
UCHAR ImageDispatchEnable : 1;
UCHAR Spare : 2;
} KEXECUTE_OPTIONS, PKEXECUTE_OPTIONS;
在《0day安全:软件漏洞分析技术(第2版)》中有提到:
这些标识位中前4个bit与DEP相关,当前进程DEP开启时ExecuteDisable位被置1,当进程DEP关闭时ExecuteEnable位被置1,DisableThunkEmulation 是为了兼容ATL程序设置的,Permanent被置1后表示这些标志都不能再被修改。真正影响DEP状态是前两位,所以我们只要将_KEXECUTE_OPTIONS的值设置为0x02(二进制为00000010)就可以将ExecuteEnable置为1。
没有讲解后面三个成员是干什么的,Conficker挂钩函数在查询之后把后面三个成员设置为1是为了什么?
向各位牛请教,先谢过了
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)