因为不清楚写物理内存和 ZwSystemDebugControl 算 0 环方法还是 3 环方法
所以我很老实的写了个驱动方法
//killhb.sys
#include "ntddk.h"
/*
 * ZwQuerySystemInformation is not declared by the ntddk.h this driver
 * includes, so it is imported by hand.  Only class 0x0B
 * (SystemModuleInformation) is used below.  The misspelt parameter name
 * of the original prototype (SysInformatoinClass) is corrected here; names
 * in a prototype do not affect the binding.
 */
__declspec(dllimport) NTSTATUS __stdcall
ZwQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength OPTIONAL
    );
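/*
 * Locate the loaded image of HBKernel32.sys through SystemModuleInformation
 * (class 0x0B) and report its base address and size.
 *
 * KrnlBase, KrnlSize: receive ImageBase / ImageSize of the matching module;
 *                     left untouched when the module is not found.
 * Returns TRUE when the module was found, FALSE on allocation or query
 * failure, when either out-pointer is NULL, or when no loaded module is
 * named HBKernel32.sys.
 *
 * The buffer is walked with raw offsets matching the 32-bit
 * RTL_PROCESS_MODULES layout: ULONG NumberOfModules at +0, then 0x11C-byte
 * entries with ImageBase at +0x08, ImageSize at +0x0C and the
 * FullPathName[256] string at +0x1C.  These offsets are for 32-bit Windows
 * only (the whole tool is x86).  The comparison is on the last path
 * component, case-insensitive.
 *
 * Must run at PASSIVE_LEVEL (ZwQuerySystemInformation); DriverEntry does.
 *
 * Fix vs. the original: when the pool re-allocation inside the grow loop
 * failed, the NULL pointer was passed straight back to
 * ZwQuerySystemInformation.  Zw* calls made from kernel mode are not
 * probed, so that is a write to address 0 and a bugcheck; the allocation is
 * now checked on every iteration, and the growth is capped so the ULONG
 * size cannot wrap to 0.
 */
BOOLEAN __stdcall GetHBBaseAndSize(PULONG KrnlBase, PULONG KrnlSize)
{
    enum { MaxPoolSize = 0x1000000 };   /* 16 MB: give up before doubling wraps */
    ULONG PoolSize = 0x1000;
    PVOID Pool;
    NTSTATUS status;
    PUCHAR Entry;
    ULONG Count;
    ULONG i;
    BOOLEAN found = FALSE;

    if (KrnlBase == NULL || KrnlSize == NULL)
        return FALSE;

    /* Grow the buffer until the whole module list fits. */
    for (;;)
    {
        Pool = ExAllocatePoolWithTag(NonPagedPool, PoolSize, ' kdD');
        if (Pool == NULL)
            return FALSE;

        status = ZwQuerySystemInformation(0x0B, Pool, PoolSize, NULL);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            break;

        ExFreePool(Pool);
        Pool = NULL;
        if (PoolSize >= MaxPoolSize)
            return FALSE;
        PoolSize *= 2;
    }

    if (!NT_SUCCESS(status))
    {
        ExFreePool(Pool);
        return FALSE;
    }

    Count = *(PULONG)Pool;
    Entry = (PUCHAR)Pool + 4;
    for (i = 0; i < Count; i++, Entry += 0x11C)
    {
        const char *FullPath = (const char *)(Entry + 0x1C);
        const char *Name = strrchr(FullPath, '\\');

        /* FullPathName may or may not carry a directory part. */
        Name = (Name != NULL) ? Name + 1 : FullPath;

        if (_stricmp(Name, "HBKernel32.sys") == 0)
        {
            *KrnlBase = *(PULONG)(Entry + 0x08);
            *KrnlSize = *(PULONG)(Entry + 0x0C);
            found = TRUE;
            break;
        }
    }

    ExFreePool(Pool);
    return found;
}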
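/*
 * Entry point of killhb.sys.
 *
 * Finds the loaded HBKernel32.sys image, checks the two bytes at image
 * offset 0x2D6D for 0x3D83 (read little-endian these are 83 3D, the x86
 * encoding of "cmp dword ptr [imm32], imm8" -- presumably the instruction
 * that tests the flag patched below), and only then stores 1 into the ULONG
 * at image offset 0x3F20.  Both offsets are hard-coded for one particular
 * build of the sample; the signature check is what keeps a different build
 * from being patched at the wrong place.  The value written is assumed to
 * be a "stop" flag polled by the trojan's kernel thread (the post reports
 * the thread stops after this runs -- confirm against the sample).
 * Whether 0x3F20 lies in a writable section is not verified here; it is
 * assumed to be .data.
 *
 * Deliberately returns STATUS_UNSUCCESSFUL even after a successful patch: a
 * failed DriverEntry makes the I/O manager unload the driver at once, so the
 * user-mode loader (s2 in 3.cpp) can DeleteService + DeleteFile straight
 * after StartService without the driver needing an unload routine.
 * StartService therefore reports failure to the loader by design.
 *
 * Fix vs. the original: both the signature read and the patch write are now
 * bounds-checked against the image size, so a module that is smaller than
 * expected cannot cause an access outside its own mapping.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    BOOLEAN found;
    ULONG base = 0;
    ULONG size = 0;

    UNREFERENCED_PARAMETER(pDriverObject);
    UNREFERENCED_PARAMETER(pRegPath);

    found = GetHBBaseAndSize(&base, &size);
    DbgPrint("%08X, %08X, %08X", found, base, size);

    /* 2-byte signature read at 0x2D6D, 4-byte patch write at 0x3F20:
     * both must lie entirely inside the image. */
    if (found &&
        size >= 0x2D6D + sizeof(USHORT) &&
        size >= 0x3F20 + sizeof(ULONG))
    {
        if (*(PUSHORT)(base + 0x2D6D) == 0x3D83)
        {
            *(PULONG)(base + 0x3F20) = 1;
            DbgPrint("fuck");
        }
    }
    return STATUS_UNSUCCESSFUL;
}
专杀程序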
//3.cpp
#include <windows.h>
#include <shlwapi.h>
#pragma comment (lib, "shlwapi.lib")
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")
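/*
 * Stage 0: neutralise the trojan's in-process component.
 *
 * Creates the mutex "HBInjectMutex" and keeps the handle open for the life
 * of the process (it is intentionally never closed) -- presumably the
 * injector checks for this name and refuses to run a second instance, so
 * owning it blocks re-injection while the cleanup runs (assumption; confirm
 * against the sample).  If HBQQXX.dll is already mapped into this process
 * (the AppInit_Dlls injection that s4 removes), its export StopServiceEx is
 * called and the DLL is unloaded.
 *
 * FreeLibrary on a handle from GetModuleHandle (which adds no reference) is
 * deliberate: it drops the reference the injector's load created, so the
 * DLL actually unmaps.
 *
 * Fix vs. the original: the export address was called with `__asm call eax`
 * without checking GetProcAddress, i.e. a jump to address 0 when the export
 * is missing.  The call now goes through a typed pointer and is skipped when
 * the lookup fails.  The export is assumed to take no arguments (the original
 * pushed none); its calling convention is unknown, and a no-argument call is
 * stack-neutral under both __cdecl and __stdcall, so nothing changes there.
 */
void s0()
{
    typedef void (*StopServiceExFn)(void);
    HMODULE mod;
    StopServiceExFn stop;

    CreateMutex(NULL, FALSE, "HBInjectMutex");

    mod = GetModuleHandle("HBQQXX.dll");
    if (mod == NULL)
        return;

    stop = (StopServiceExFn)GetProcAddress(mod, "StopServiceEx");
    if (stop != NULL)
        stop();

    FreeLibrary(mod);
}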
/*
 * Stage 1: talk to the trojan's own control device.
 *
 * Opens \\.\slHBkernel32 (the device exposed by HBKernel32.sys) and issues
 * two IOCTLs, 0x22E00F then 0x22E00B, each with a 4-byte zero input; the
 * second also hands over a 4-byte output buffer.  The codes decode to
 * FILE_DEVICE_UNKNOWN, functions 0x803 / 0x802, METHOD_NEITHER, read+write
 * access.  What the driver does with them is not visible here -- presumably
 * "stop" commands recovered from the sample (confirm there).
 *
 * Returns 0 when the device cannot be opened (the caller reads that as "the
 * driver is not loaded"), 1 once both IOCTLs were sent.  Their results are
 * deliberately ignored: this stage is best-effort, the later stages do the
 * real work.
 */
int s1()
{
    HANDLE dev = CreateFile("\\\\.\\slHBkernel32",
                            GENERIC_READ | GENERIC_WRITE,
                            0, NULL, OPEN_EXISTING, 0, NULL);
    if (dev == INVALID_HANDLE_VALUE)
        return 0;

    {
        DWORD zero = 0;
        DWORD out = 0;
        DWORD returned;

        DeviceIoControl(dev, 0x22E00F, &zero, sizeof zero, NULL, 0, &returned, NULL);
        DeviceIoControl(dev, 0x22E00B, &zero, sizeof zero, &out, sizeof out, &returned, NULL);
    }

    CloseHandle(dev);
    return 1;
}
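/*
 * Stage 2: load killhb.sys once so its DriverEntry can patch HBKernel32.sys.
 *
 * Copies killhb.sys from the current directory into
 * %SystemRoot%\system32\drivers, registers it as a demand-start kernel
 * driver service named "killhb" (or reuses an existing service of that
 * name -- note that such a service would be started whatever binary it
 * points at), starts it, then removes the service and the file again.
 * Needs administrator rights (SC_MANAGER_ALL_ACCESS, writing under
 * system32); the tool as written targets 32-bit XP-era systems, signing
 * enforcement on newer Windows would refuse the driver.
 *
 * Returns 1 when the driver was handed to the service manager, 0 when the
 * system directory lookup, the copy, the SCM connection or the service
 * creation failed.  On every failure after the copy the copied file is
 * removed again.
 *
 * StartService is expected to report failure: killhb.sys's DriverEntry
 * returns STATUS_UNSUCCESSFUL on purpose after patching, which makes the
 * system unload it immediately and is what lets DeleteService/DeleteFile
 * succeed right away.  Its return value is therefore not a usable success
 * signal and is not checked.  The Sleep(200)s are the original's grace
 * periods for the SCM and are kept.
 *
 * Fixes vs. the original: a failed CopyFile (tool run from a directory
 * without killhb.sys) was ignored and a service was created pointing at a
 * non-existent file; GetSystemDirectory's result was neither checked nor
 * bounded before lstrcat; OpenService asked for SC_MANAGER_ALL_ACCESS, a
 * service-manager mask, where the service mask SERVICE_ALL_ACCESS was meant.
 */
int s2()
{
    static const char suffix[] = "\\drivers\\killhb.sys";
    SC_HANDLE scm;
    SC_HANDLE svc;
    char driverPath[MAX_PATH];
    DWORD n;

    n = GetSystemDirectory(driverPath, MAX_PATH);
    if (n == 0 || n >= MAX_PATH || n + (DWORD)lstrlen(suffix) >= MAX_PATH)
        return 0;
    lstrcat(driverPath, suffix);

    if (!CopyFile("killhb.sys", driverPath, FALSE))
        return 0;

    scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (scm == NULL)
    {
        DeleteFile(driverPath);
        return 0;
    }

    svc = OpenService(scm, "killhb", SERVICE_ALL_ACCESS);
    if (svc == NULL)
    {
        svc = CreateService(scm,
                            "killhb",
                            "killhb",
                            SERVICE_ALL_ACCESS,
                            SERVICE_KERNEL_DRIVER,
                            SERVICE_DEMAND_START,
                            SERVICE_ERROR_NORMAL,
                            driverPath,
                            NULL, NULL, NULL, NULL, NULL);
        Sleep(200);
    }
    if (svc == NULL)
    {
        CloseServiceHandle(scm);
        DeleteFile(driverPath);
        return 0;
    }

    /* Expected to "fail" -- see the header comment. */
    StartService(svc, 0, NULL);
    Sleep(200);

    DeleteService(svc);
    CloseServiceHandle(svc);
    CloseServiceHandle(scm);
    DeleteFile(driverPath);
    return 1;
}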
/*
 * Stage 3: shut down the trojan's user-mode process (system.exe).
 *
 * Looks for a top-level window titled "HBInject32" and, if present, sends it
 * WM_CLOSE followed by WM_QUERYENDSESSION.  Why the injector needs these two
 * messages in this order is not visible here -- presumably its window
 * procedure exits on them (confirm against the sample).
 *
 * Returns 0 when no such window exists, 1 after both messages were sent.
 * SendMessage does not return until the target's window procedure has
 * handled the message, so a hung target blocks this stage (no timeout is
 * used, matching the original).
 */
int s3()
{
    HWND target = FindWindow(NULL, "HBInject32");
    if (target == NULL)
        return 0;

    {
        static const UINT sequence[] = { WM_CLOSE, WM_QUERYENDSESSION };
        size_t i;
        for (i = 0; i < sizeof sequence / sizeof sequence[0]; i++)
            SendMessage(target, sequence[i], 0, 0);
    }
    return 1;
}
/*
 * Stage 4: remove the trojan's persistence from the registry.
 *
 * Deletes the AppInit_Dlls value (the DLL-injection hook used for
 * HBQQXX.dll), the "HBService32" Run entry, and the HBKernel32 service key
 * from every control set it might live in.  Always returns 1: deletions that
 * fail (value already gone, no such control set) are ignored, which is also
 * why the "SYSTEM\ControlSet\Services" path -- there is normally no key
 * named ControlSet without a number -- is harmless.
 *
 * Caveat carried over from the original: AppInit_Dlls is cleared outright
 * rather than having only the HBQQXX.dll entry removed, so any legitimate
 * DLLs listed there are dropped as well.
 */
int s4()
{
    static const char *const values[][2] = {
        { "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", "AppInit_Dlls" },
        { "Software\\Microsoft\\Windows\\CurrentVersion\\Run",        "HBService32"  },
    };
    static const char *const serviceKeys[] = {
        "SYSTEM\\ControlSet\\Services\\HBKernel32",
        "SYSTEM\\ControlSet001\\Services\\HBKernel32",
        "SYSTEM\\ControlSet002\\Services\\HBKernel32",
        "SYSTEM\\ControlSet003\\Services\\HBKernel32",
        "SYSTEM\\CurrentControlSet\\Services\\HBKernel32",
    };
    size_t i;

    for (i = 0; i < sizeof values / sizeof values[0]; i++)
        SHDeleteValue(HKEY_LOCAL_MACHINE, values[i][0], values[i][1]);

    for (i = 0; i < sizeof serviceKeys / sizeof serviceKeys[0]; i++)
        SHDeleteKey(HKEY_LOCAL_MACHINE, serviceKeys[i]);

    return 1;
}
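/*
 * Move one leftover file out of the system directory and delete it.
 *
 * relName: path relative to the system directory, with leading backslash
 *          (e.g. "\\system.exe").
 * tmpName: name to give it under %TEMP%, also with a leading backslash.
 *          GetTempPath already ends in a backslash, so the result contains
 *          "\\\\"; Windows accepts that and the original built the same
 *          string, so it is kept byte-for-byte.
 *
 * The move-then-delete is the original's trick, presumably because a file
 * whose image is still in use cannot be deleted in place but can usually be
 * renamed, so parking it under %TEMP% first succeeds more often than a
 * direct DeleteFile.  If the delete still fails the file stays in %TEMP%
 * (the "bodies are in temp" remark in the post).  Results are not checked
 * -- best effort.
 *
 * Fix vs. the original: GetTempPath/GetSystemDirectory results were neither
 * checked nor bounded before lstrcat, so a failed lookup concatenated onto
 * an uninitialised buffer and a long path could overrun MAX_PATH.  Either
 * problem now aborts this one file.
 */
static void evict_to_temp(const char *relName, const char *tmpName)
{
    char src[MAX_PATH];
    char dst[MAX_PATH];
    DWORD n;

    n = GetTempPath(MAX_PATH, dst);
    if (n == 0 || n >= MAX_PATH || n + (DWORD)lstrlen(tmpName) >= MAX_PATH)
        return;
    lstrcat(dst, tmpName);
    DeleteFile(dst);                 /* clear a stale copy from an earlier run */

    n = GetSystemDirectory(src, MAX_PATH);
    if (n == 0 || n >= MAX_PATH || n + (DWORD)lstrlen(relName) >= MAX_PATH)
        return;
    lstrcat(src, relName);

    MoveFile(src, dst);
    DeleteFile(dst);
}

/*
 * Stage 5: dispose of the trojan's files -- the injector executable, the
 * injected DLL and the kernel driver -- by moving each to a throw-away name
 * under %TEMP% and deleting it there.  Always returns 1.
 */
int s5()
{
    evict_to_temp("\\system.exe",              "\\2132378.sh");
    evict_to_temp("\\HBQQXX.dll",              "\\9345834.sh");
    evict_to_temp("\\drivers\\HBKernel32.sys", "\\5475451.sh");
    return 1;
}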
/*
 * Program entry (see the /entry:start linker pragma).
 *
 * Runs s0 unconditionally, then stages s1..s5 in order, stopping at the
 * first that returns 0 and showing that stage's status text in a message
 * box; if all succeed the box says "完成".  Stage order matters: the
 * in-process DLL and mutex (s0) come first, then the driver's device (s1),
 * loading killhb.sys (s2), closing system.exe's window (s3), the registry
 * (s4) and finally the files (s5).  Always ends with ExitProcess(0), so the
 * process exit code does not reflect success.
 */
void start()
{
    struct stage { int (*run)(void); const char *failure; };
    static const struct stage stages[] = {
        { s1, "HBkernel32可能不存在" },
        { s2, "加载killhb驱动失败"   },
        { s3, "清理system.exe失败"   },
        { s4, "清理注册表失败"       },
        { s5, "清理尸体失败"         },
    };
    const char *message = "完成";
    size_t i;

    s0();
    for (i = 0; i < sizeof stages / sizeof stages[0]; i++)
    {
        if (stages[i].run() == 0)
        {
            message = stages[i].failure;
            break;
        }
    }
    MessageBox(0, message, "killhb", 0);
    ExitProcess(0);
}
附件是编译好的
执行驱动线程停了,system.exe进程杀了,注册表干净了,尸体都放到temp目录了,即木马功能都没了。 重启后更健康。(注意: 驱动里的 0x2D6D/0x3F20 偏移是针对这一个样本版本硬编码的, 换了版本特征检查不过就不会打补丁。)
贴一个纯3环的方法, 思路在 NT 各平台通用, 但代码里 SystemProcessInformation/SystemHandleInformation 的偏移和 File 对象类型号 0x1C 是按 32 位 XP 时代的结构硬编码的, 换平台要改
驱动文件删掉, 注册表清掉,垃圾文件清掉, 不需要重启
p.s. 物理内存, ZwSystemDebugControl, gdt之流都是旁门左道,我就不贴这些了
主要代码片断
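/* ---- helpers for s2 (ring-3 removal of HBKernel32.sys) ----------------- */

/*
 * Query one SystemInformation class into a fresh VirtualAlloc'ed buffer,
 * doubling the size from 0x4000 while the kernel reports
 * STATUS_INFO_LENGTH_MISMATCH (0xC0000004) -- the same loop the original
 * inlined three times.
 *
 * Returns the buffer (release with VirtualFree(p, 0, MEM_RELEASE)) or NULL
 * on allocation failure or any other non-zero status.  The original
 * dereferenced the buffer without either check.
 */
static LPBYTE query_system_info(DWORD infoClass)
{
    DWORD size = 0x2000;
    LPBYTE buf = NULL;
    int status;

    do
    {
        size *= 2;
        if (buf != NULL)
            VirtualFree(buf, 0, MEM_RELEASE);
        buf = (LPBYTE)VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE);
        if (buf == NULL)
            return NULL;
        status = ZwQuerySystemInformation(infoClass, buf, size, NULL);
    } while (status == 0xC0000004);

    if (status != 0)
    {
        VirtualFree(buf, 0, MEM_RELEASE);
        return NULL;
    }
    return buf;
}

/*
 * Enable SeDebugPrivilege on the current process token, needed to open the
 * System process and its threads.  Returns s2's original codes (-1 .. -3) on
 * failure, 0 on success.
 *
 * Fix vs. the original: AdjustTokenPrivileges returns TRUE even when the
 * privilege is not held (GetLastError() == ERROR_NOT_ALL_ASSIGNED, e.g. for a
 * non-administrator); that case now counts as -3.  The token handle is also
 * closed on the failure path.
 */
static int enable_debug_privilege(void)
{
    HANDLE token;
    TOKEN_PRIVILEGES priv = { 1, { 0, 0, SE_PRIVILEGE_ENABLED } };

    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &priv.Privileges[0].Luid))
        return -1;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return -2;
    if (!AdjustTokenPrivileges(token, FALSE, &priv, sizeof priv, NULL, NULL)
        || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        CloseHandle(token);
        return -3;
    }
    CloseHandle(token);
    return 0;
}

/*
 * PID of the "System" process (owner of kernel threads, including the one
 * HBKernel32.sys starts), from a Toolhelp snapshot.  lstrcmpi is
 * case-insensitive, so "System" matches the "SYSTEM" literal.  Returns 0 when
 * not found, or when the snapshot cannot be taken (the original did not check
 * CreateToolhelp32Snapshot for INVALID_HANDLE_VALUE).
 */
static DWORD find_system_pid(void)
{
    PROCESSENTRY32 pe = { sizeof pe };
    HANDLE snap;
    DWORD pid = 0;
    BOOL more;

    snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    for (more = Process32First(snap, &pe); more; more = Process32Next(snap, &pe))
    {
        if (lstrcmpi(pe.szExeFile, "SYSTEM") == 0)
        {
            pid = pe.th32ProcessID;
            break;
        }
    }
    CloseHandle(snap);
    return pid;
}

/*
 * Image base and size of the loaded module whose file name (last path
 * component, case-insensitive) is `name`, read from SystemModuleInformation
 * (class 11) with the raw 32-bit layout: ULONG count, then 0x11C-byte entries
 * with ImageBase at +0x08, ImageSize at +0x0C and FullPathName at +0x1C.
 * Returns FALSE when the query fails or the module is not loaded; *base and
 * *size are only written on success.
 */
static BOOL find_module_range(const char *name, DWORD *base, DWORD *size)
{
    LPBYTE buf = query_system_info(11);
    DWORD count, i;
    BOOL found = FALSE;

    if (buf == NULL)
        return FALSE;

    count = *(LPDWORD)buf;
    for (i = 0; i < count; i++)
    {
        LPBYTE entry = buf + 4 + i * 0x11C;
        char *fullPath = (char *)entry + 0x1C;
        char *fileName = strrchr(fullPath, '\\');

        fileName = (fileName != NULL) ? fileName + 1 : fullPath;
        if (lstrcmpi(fileName, name) == 0)
        {
            *base = *(LPDWORD)(entry + 0x08);
            *size = *(LPDWORD)(entry + 0x0C);
            found = TRUE;
            break;
        }
    }
    VirtualFree(buf, 0, MEM_RELEASE);
    return found;
}

/*
 * Walk SystemProcessInformation (class 5) to the entry for `pid` and return
 * the id of its first thread whose start address lies strictly inside
 * (base, base+size) -- i.e. a kernel thread running HBKernel32.sys code.
 * Raw XP-era 32-bit offsets: NextEntryOffset +0, NumberOfThreads +4,
 * UniqueProcessId +0x44, thread array at +0xB8 with 0x40-byte entries,
 * StartAddress +0x1C, ClientId.UniqueThread +0x24.  Returns 0 when not found.
 *
 * Fix vs. the original: the process walk only stopped on finding `pid`.
 * The last entry has NextEntryOffset 0, so advancing by it re-reads the same
 * entry forever when the pid is absent (a race against the Toolhelp lookup
 * was enough); the walk now ends at the last entry.
 */
static DWORD find_thread_in_range(DWORD pid, DWORD base, DWORD size)
{
    LPBYTE buf = query_system_info(5);
    LPBYTE entry;
    DWORD tid = 0;

    if (buf == NULL)
        return 0;

    entry = buf;
    for (;;)
    {
        DWORD next = *(LPDWORD)(entry + 0x00);

        if (*(LPDWORD)(entry + 0x44) == pid)
        {
            DWORD nthreads = *(LPDWORD)(entry + 0x04);
            DWORD i;
            for (i = 0; i < nthreads; i++)
            {
                LPBYTE thread = entry + 0xB8 + i * 0x40;
                DWORD start = *(LPDWORD)(thread + 0x1C);
                if (start > base && start < base + size)
                {
                    tid = *(LPDWORD)(thread + 0x24);
                    break;
                }
            }
            break;
        }
        if (next == 0)
            break;                       /* last entry: pid not present */
        entry += next;
    }
    VirtualFree(buf, 0, MEM_RELEASE);
    return tid;
}

/*
 * OpenThread resolved at run time (the original did this through
 * GetProcAddress + __asm, presumably because its SDK headers lacked the
 * declaration).  Argument order reproduces the original's pushes:
 * (dwDesiredAccess = THREAD_ALL_ACCESS, bInheritHandle = 0, dwThreadId).
 *
 * Fix vs. the original: a missing export made `call eax` jump to address 0;
 * now NULL is returned instead.
 */
static HANDLE open_thread_by_id(DWORD tid)
{
    typedef HANDLE (WINAPI *OpenThreadFn)(DWORD, BOOL, DWORD);
    OpenThreadFn fn = (OpenThreadFn)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");

    if (fn == NULL)
        return NULL;
    return fn(THREAD_ALL_ACCESS, FALSE, tid);
}

/*
 * Find, among the handles of `pid` (the System process), the File handle on
 * `fileName` (matched case-insensitively on the last path component) and
 * close it from here with DUPLICATE_CLOSE_SOURCE, so the driver's image file
 * can afterwards be deleted.
 *
 * Uses SystemHandleInformation (class 16): ULONG count, then 0x10-byte
 * entries -- USHORT UniqueProcessId +0, USHORT CreatorBackTraceIndex +2,
 * UCHAR ObjectTypeIndex +4, USHORT HandleValue +6.  ObjectTypeIndex 0x1C is
 * the "File" type on the XP-era kernels this was written for; the number
 * differs between Windows versions.  Each matching handle is duplicated into
 * this process and its name read with FileNameInformation (class 9) into a
 * zeroed 0x1000-byte buffer (ULONG length at +0, then a WCHAR name that is
 * not NUL-terminated -- the memset supplies the terminator).
 *
 * Caveat carried over from the original: querying the name of a handle to a
 * synchronous named pipe or some devices can block indefinitely.
 *
 * Fix vs. the original: the pid compare read a DWORD at +0, so a non-zero
 * CreatorBackTraceIndex (handle tracing enabled) hid every entry; only the
 * USHORT pid is compared now.  Allocation failure of the name buffer is also
 * handled.
 *
 * Returns TRUE once the handle was closed, FALSE when none matched or the
 * handle list could not be read.
 */
static BOOL close_driver_file_handle(HANDLE process, DWORD pid, const wchar_t *fileName)
{
    LPBYTE buf = query_system_info(16);
    LPBYTE nameBuf;
    DWORD count, i;
    BOOL closed = FALSE;

    if (buf == NULL)
        return FALSE;
    nameBuf = (LPBYTE)VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
    if (nameBuf == NULL)
    {
        VirtualFree(buf, 0, MEM_RELEASE);
        return FALSE;
    }

    count = *(LPDWORD)buf;
    for (i = 0; i < count && !closed; i++)
    {
        LPBYTE entry = buf + 4 + i * 0x10;
        HANDLE remote;
        HANDLE local;
        IO_STATUS_BLOCK io;

        if (*(LPWORD)(entry + 0x00) != (WORD)pid)
            continue;
        if (*(LPBYTE)(entry + 0x04) != 0x1C)
            continue;

        remote = (HANDLE)(DWORD)*(LPWORD)(entry + 0x06);   /* 32-bit only */
        local = INVALID_HANDLE_VALUE;
        if (!DuplicateHandle(process, remote, GetCurrentProcess(), &local,
                             0, FALSE, DUPLICATE_SAME_ACCESS)
            || local == INVALID_HANDLE_VALUE)
            continue;

        memset(nameBuf, 0, 0x1000);
        if (ZwQueryInformationFile(local, &io, nameBuf, 0x1000, 9) == 0)
        {
            wchar_t *tail = wcsrchr((wchar_t *)(nameBuf + 4), L'\\');
            if (tail != NULL && wcsicmp(tail + 1, fileName) == 0)
            {
                CloseHandle(local);
                local = INVALID_HANDLE_VALUE;
                /* This second duplication is the one that drops System's handle. */
                if (DuplicateHandle(process, remote, GetCurrentProcess(), &local,
                                    0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)
                    && local != INVALID_HANDLE_VALUE)
                {
                    closed = TRUE;
                }
            }
        }
        if (local != INVALID_HANDLE_VALUE)
            CloseHandle(local);
    }

    VirtualFree(nameBuf, 0, MEM_RELEASE);
    VirtualFree(buf, 0, MEM_RELEASE);
    return closed;
}

/*
 * Ring-3 removal of the HBKernel32.sys kernel component, no driver needed:
 *   1. enable SeDebugPrivilege                              (-1 .. -3)
 *   2. find the System process                              (-4)
 *   3. find where HBKernel32.sys is mapped                  (-5)
 *   4. open System for handle duplication                   (-6)
 *   5. find System's kernel thread that started inside that image (-7),
 *      open it (-8) and suspend it -- stops the driver's worker without
 *      unloading anything; closing the thread handle does not resume it
 *   6. close the driver's own image-file handle held by System so the .sys
 *      file can be deleted: 1 when done, 0 when no such handle was found or
 *      the handle list could not be read.
 *
 * Every structure offset used by the helpers is the raw 32-bit, XP-era
 * layout; this does not work as-is on other kernels.  Return codes match
 * the original so callers are unaffected.  ZwQuerySystemInformation and
 * ZwQueryInformationFile are declared elsewhere in the original source, not
 * in this excerpt.
 */
int s2()
{
    DWORD systemPid;
    DWORD hbBase = 0;
    DWORD hbSize = 0;
    HANDLE systemProcess;
    DWORD hbThread;
    HANDLE threadHandle;
    BOOL closed;
    int rc;

    rc = enable_debug_privilege();
    if (rc != 0)
        return rc;

    systemPid = find_system_pid();
    if (systemPid == 0)
        return -4;

    if (!find_module_range("HBKernel32.sys", &hbBase, &hbSize) || hbBase == 0)
        return -5;

    systemProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, systemPid);
    if (systemProcess == NULL)
        return -6;

    hbThread = find_thread_in_range(systemPid, hbBase, hbSize);
    if (hbThread == 0)
    {
        CloseHandle(systemProcess);
        return -7;
    }

    threadHandle = open_thread_by_id(hbThread);
    if (threadHandle == NULL)
    {
        CloseHandle(systemProcess);
        return -8;
    }
    SuspendThread(threadHandle);
    CloseHandle(threadHandle);

    closed = close_driver_file_handle(systemProcess, systemPid, L"HBkernel32.sys");
    CloseHandle(systemProcess);
    return closed ? 1 : 0;
}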