-
-
[求助]Conficker HOOK NtQueryInformationProcess
-
发表于: 2012-8-17 19:59
-
最近看了下Conficker,发现HOOK了NtQueryInformationProcess,但是他的目的搞不明白,Google了一下,基本都说是for thread obfuscation,仅此一句话而已。
函数原型:
ProcessInformationClass为34表示ProcessExecuteFlags
在《0day安全:软件漏洞分析技术(第2版)》中有提到:
没有讲解后面三个成员是干什么的,Conficker挂钩函数在查询之后把后面三个成员设置为1是为了什么?
向各位牛请教,先谢过了
seg000:009AADCD fnFakeNtQueryInformationProcess proc near seg000:009AADCD seg000:009AADCD arg_0 = dword ptr 8 seg000:009AADCD arg_4 = dword ptr 0Ch seg000:009AADCD arg_8 = dword ptr 10h seg000:009AADCD arg_C = dword ptr 14h seg000:009AADCD arg_10 = dword ptr 18h seg000:009AADCD seg000:009AADCD push ebp seg000:009AADCE mov ebp, esp seg000:009AADD0 mov eax, ds:dword_9BB190 seg000:009AADD5 test eax, eax seg000:009AADD7 jz short loc_9AAE16 seg000:009AADD9 push esi seg000:009AADDA push [ebp+arg_10] seg000:009AADDD add eax, 4 seg000:009AADE0 push [ebp+arg_C] seg000:009AADE3 push [ebp+arg_8] seg000:009AADE6 push [ebp+arg_4] seg000:009AADE9 push [ebp+arg_0] seg000:009AADEC call eax ; dwRealNtQueryInformationProcess seg000:009AADEE [COLOR="Red"]cmp [ebp+arg_4], 34 seg000:009AADF2 mov esi, eax seg000:009AADF4 jnz short loc_9AAE11 seg000:009AADF6 cmp [ebp+arg_0], 0FFFFFFFFh seg000:009AADFA jnz short loc_9AAE11 seg000:009AADFC cmp [ebp+arg_8], 0 seg000:009AAE00 jz short loc_9AAE11 seg000:009AAE02 cmp [ebp+arg_C], 0 seg000:009AAE06 jz short loc_9AAE11 seg000:009AAE08 [COLOR="red"]push [ebp+arg_8] seg000:009AAE0B [COLOR="red"]call sub_9AADA0 seg000:009AAE10 pop ecx seg000:009AAE11 seg000:009AAE11 loc_9AAE11: seg000:009AAE11 seg000:009AAE11 mov eax, esi seg000:009AAE13 pop esi seg000:009AAE14 jmp short loc_9AAE19 seg000:009AAE16 ; --------------------------------------------------------------------------- seg000:009AAE16 seg000:009AAE16 loc_9AAE16: seg000:009AAE16 push 57h ; 'W' ; ERROR_INVALID_PARAMETER seg000:009AAE18 pop eax seg000:009AAE19 seg000:009AAE19 loc_9AAE19: seg000:009AAE19 pop ebp seg000:009AAE1A retn 14h seg000:009AAE1A fnFakeNtQueryInformationProcess endp
seg000:009AADA0 sub_9AADA0 proc near seg000:009AADA0 seg000:009AADA0 ms_exc = CPPEH_RECORD ptr -18h seg000:009AADA0 arg_0 = dword ptr 8 seg000:009AADA0 seg000:009AADA0 push 8 seg000:009AADA2 push offset unk_9A4080 seg000:009AADA7 call __SEH_prolog seg000:009AADAC mov eax, [ebp+arg_0] seg000:009AADAF and [ebp+ms_exc.disabled], 0 seg000:009AADB3 mov cl, [eax] seg000:009AADB5 [COLOR="Red"]or cl, 70h seg000:009AADB8 mov [eax], cl seg000:009AADBA jmp short loc_9AADC3 seg000:009AADBC ; --------------------------------------------------------------------------- seg000:009AADBC xor eax, eax seg000:009AADBE inc eax seg000:009AADBF retn seg000:009AADC0 ; --------------------------------------------------------------------------- seg000:009AADC0 mov esp, [ebp+ms_exc.old_esp] seg000:009AADC3 seg000:009AADC3 loc_9AADC3: seg000:009AADC3 or [ebp+ms_exc.disabled], 0FFFFFFFFh seg000:009AADC7 call __SEH_epilog seg000:009AADCC retn seg000:009AADCC sub_9AADA0 endp
函数原型:
NTSTATUS WINAPI NtQueryInformationProcess( __in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength );
ProcessInformationClass为34表示ProcessExecuteFlags
typedef struct _KEXECUTE_OPTIONS {
UCHAR ExecuteDisable : 1;
UCHAR ExecuteEnable : 1;
UCHAR DisableThunkEmulation : 1;
UCHAR Permanent : 1;
UCHAR ExecuteDispatchEnable : 1;
UCHAR ImageDispatchEnable : 1;
UCHAR Spare : 2;
} KEXECUTE_OPTIONS, PKEXECUTE_OPTIONS;
在《0day安全:软件漏洞分析技术(第2版)》中有提到:
这些标识位中前4个bit与DEP相关,当前进程DEP开启时ExecuteDisable位被置1,当进程DEP关闭时ExecuteEnable位被置1,DisableThunkEmulation 是为了兼容ATL程序设置的,Permanent被置1后表示这些标志都不能再被修改。真正影响DEP状态是前两位,所以我们只要将_KEXECUTE_OPTIONS的值设置为0x02(二进制为00000010)就可以将ExecuteEnable置为1。
没有讲解后面三个成员是干什么的,Conficker挂钩函数在查询之后把后面三个成员设置为1是为了什么?
向各位牛请教,先谢过了
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
