首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. 4)腾讯公司2008软件安全竞赛
    3. 发新帖
[原创]第三轮
2008-10-29 11:37 2890

[原创]第三轮

shoooo 活跃值
16
2008-10-29 11:37
2890
一楼贴分析

外面的exe
1. 把资源100这个驱动放到system32\drivers\HBKernel32.sys 并起来
2. 驱动0x22E007
3. 把资源102这个dll放到system32\HBQQXX.dll
4. 驱动0x22E00F 4 0 
5. 创建一个临时批处理,把system32\HBQQXX.dll改成system32\X.tmp
6. 驱动0x22E00F 4 1 
7. 向HBInject32窗口发送 WM_COPYDATA: HBQQXX.dll 让这个dll启动
8. 打开HBInjectMutex mutex, 不在的话,则把101放到system32\system.exe, 并起来
9. 注册设置自启动system.exe
10. 批处理自删除

00401200     55                 push ebp
00401201     8BEC               mov ebp,esp
00401203     81C4 5CFDFFFF      add esp,-2A4
00401209     6A 00              push 0
0040120B     E8 30090000        call a.00401B40                   ; jmp to kernel32.GetModuleHandleA
00401210     8985 90FDFFFF      mov dword ptr ss:[ebp-270],eax
00401216     68 A0000000        push 0A0
0040121B     68 00304000        push a.00403000                   ; ASCII "my.exe"
00401220     68 00304000        push a.00403000                   ; ASCII "my.exe"
00401225     E8 6F080000        call a.00401A99                   解码进程名表
0040122A     C745 FC FFFFFFFF   mov dword ptr ss:[ebp-4],-1
00401231     E8 0E050000        call a.00401744                   如果my.exe存在,则杀掉进程
00401236     6A 00              push 0
00401238     68 E1204000        push a.004020E1                   ; ASCII "AskTao"
0040123D     E8 7E080000        call a.00401AC0                   ;向AskTao发送0x01-0x10000的消息
00401242     E8 8A030000        call a.004015D1                   注册表干坏事,灭360
00401247     6A 00              push 0
00401249     6A 00              push 0
0040124B     6A 03              push 3
0040124D     6A 00              push 0
0040124F     6A 00              push 0
00401251     68 000000C0        push C0000000
00401256     68 E8204000        push a.004020E8                   ; ASCII "\\.\slHBKernel32"
0040125B     E8 AA080000        call a.00401B0A                   ; jmp to kernel32.CreateFileA
00401260     83F8 FF            cmp eax,-1
00401263     0F85 EF000000      jnz a.00401358
00401269     68 04010000        push 104
0040126E     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401274     50                 push eax
00401275     E8 D8080000        call a.00401B52                   ; jmp to kernel32.GetSystemDirectoryA
0040127A     68 F9204000        push a.004020F9                   ; ASCII "\drivers\HBKernel32.sys"
0040127F     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401285     50                 push eax
00401286     E8 27090000        call a.00401BB2                   ; jmp to kernel32.lstrcatA
0040128B     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401291     50                 push eax
00401292     6A 64              push 64
00401294     6A 0A              push 0A
00401296     FFB5 90FDFFFF      push dword ptr ss:[ebp-270]       ; a.00400000
0040129C     E8 AF050000        call a.00401850                   把资源100这个驱动放到system32\drivers\HBKernel32.sys
004012A1     0BC0               or eax,eax
004012A3     0F84 B2000000      je a.0040135B
004012A9     68 3F000F00        push 0F003F
004012AE     6A 00              push 0
004012B0     6A 00              push 0
004012B2     E8 37090000        call a.00401BEE                   ; jmp to advapi32.OpenSCManagerA
004012B7     0BC0               or eax,eax
004012B9     0F84 97000000      je a.00401356
004012BF     8985 F0FDFFFF      mov dword ptr ss:[ebp-210],eax
004012C5     6A 10              push 10
004012C7     68 11214000        push a.00402111                   ; ASCII "HBKernel32"
004012CC     FFB5 F0FDFFFF      push dword ptr ss:[ebp-210]
004012D2     E8 1D090000        call a.00401BF4                   ; jmp to advapi32.OpenServiceA
004012D7     0BC0               or eax,eax
004012D9     75 31              jnz short a.0040130C
004012DB     6A 00              push 0
004012DD     6A 00              push 0
004012DF     6A 00              push 0
004012E1     6A 00              push 0
004012E3     68 2E214000        push a.0040212E                   ; ASCII "Boot Bus Extender"
004012E8     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004012EE     50                 push eax
004012EF     6A 00              push 0
004012F1     6A 00              push 0
004012F3     6A 01              push 1
004012F5     6A 10              push 10
004012F7     68 1C214000        push a.0040211C                   ; ASCII "HBKernel32 Driver"
004012FC     68 11214000        push a.00402111                   ; ASCII "HBKernel32"
00401301     FFB5 F0FDFFFF      push dword ptr ss:[ebp-210]
00401307     E8 DC080000        call a.00401BE8                   ; jmp to advapi32.CreateServiceA
0040130C     0BC0               or eax,eax
0040130E     74 3B              je short a.0040134B
00401310     8985 ECFDFFFF      mov dword ptr ss:[ebp-214],eax
00401316     6A 00              push 0
00401318     6A 00              push 0
0040131A     50                 push eax
0040131B     E8 EC080000        call a.00401C0C                   ; jmp to advapi32.StartServiceA
00401320     0BC0               or eax,eax
00401322     74 1C              je short a.00401340
00401324     6A 00              push 0
00401326     6A 00              push 0
00401328     6A 03              push 3
0040132A     6A 00              push 0
0040132C     6A 00              push 0
0040132E     68 000000C0        push C0000000
00401333     68 E8204000        push a.004020E8                   ; ASCII "\\.\slHBKernel32"
00401338     E8 CD070000        call a.00401B0A                   ; jmp to kernel32.CreateFileA
0040133D     8945 FC            mov dword ptr ss:[ebp-4],eax
00401340     FFB5 ECFDFFFF      push dword ptr ss:[ebp-214]
00401346     E8 97080000        call a.00401BE2                   ; jmp to advapi32.CloseServiceHandle
0040134B     FFB5 F0FDFFFF      push dword ptr ss:[ebp-210]
00401351     E8 8C080000        call a.00401BE2                   ; jmp to advapi32.CloseServiceHandle
00401356     EB 03              jmp short a.0040135B
00401358     8945 FC            mov dword ptr ss:[ebp-4],eax
0040135B     837D FC FF         cmp dword ptr ss:[ebp-4],-1
0040135F     74 1E              je short a.0040137F
00401361     6A 00              push 0
00401363     8D85 E8FDFFFF      lea eax,dword ptr ss:[ebp-218]
00401369     50                 push eax
0040136A     6A 00              push 0
0040136C     6A 00              push 0
0040136E     6A 00              push 0
00401370     6A 00              push 0
00401372     68 07E02200        push 22E007
00401377     FF75 FC            push dword ptr ss:[ebp-4]
0040137A     E8 A3070000        call a.00401B22                   ; jmp to kernel32.DeviceIoControl
0040137F     68 04010000        push 104
00401384     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
0040138A     50                 push eax
0040138B     E8 C2070000        call a.00401B52                   ; jmp to kernel32.GetSystemDirectoryA
00401390     68 40214000        push a.00402140
00401395     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
0040139B     50                 push eax
0040139C     E8 11080000        call a.00401BB2                   ; jmp to kernel32.lstrcatA
004013A1     68 AE314000        push a.004031AE                   ; ASCII "HBQQXX.dll"
004013A6     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004013AC     50                 push eax
004013AD     E8 00080000        call a.00401BB2                   ; jmp to kernel32.lstrcatA
004013B2     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004013B8     50                 push eax
004013B9     6A 66              push 66
004013BB     6A 0A              push 0A
004013BD     FFB5 90FDFFFF      push dword ptr ss:[ebp-270]       ; a.00400000
004013C3     E8 88040000        call a.00401850                   把资源102这个dll放到system32\HBQQXX.dll
004013C8     0BC0               or eax,eax
004013CA     0F85 DB000000      jnz a.004014AB
004013D0     68 04010000        push 104
004013D5     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
004013DB     50                 push eax
004013DC     E8 71070000        call a.00401B52                   ; jmp to kernel32.GetSystemDirectoryA
004013E1     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
004013E7     50                 push eax
004013E8     6A 00              push 0
004013EA     6A 00              push 0
004013EC     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
004013F2     50                 push eax
004013F3     E8 60070000        call a.00401B58                   ; jmp to kernel32.GetTempFileNameA
004013F8     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
004013FE     50                 push eax
004013FF     E8 18070000        call a.00401B1C                   ; jmp to kernel32.DeleteFileA
00401404     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
0040140A     50                 push eax
0040140B     6A 20              push 20
0040140D     8D85 5CFDFFFF      lea eax,dword ptr ss:[ebp-2A4]
00401413     50                 push eax
00401414     E8 2B060000        call a.00401A44
00401419     8D85 5CFDFFFF      lea eax,dword ptr ss:[ebp-2A4]
0040141F     50                 push eax
00401420     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401426     50                 push eax
00401427     FF75 FC            push dword ptr ss:[ebp-4]
0040142A     E8 79040000        call a.004018A8                    4.5.6.
0040142F     6A 04              push 4
00401431     6A 00              push 0
00401433     8D85 F4FDFFFF      lea eax,dword ptr ss:[ebp-20C]
00401439     50                 push eax
0040143A     E8 3D070000        call a.00401B7C                   ; jmp to kernel32.MoveFileExA
0040143F     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401445     50                 push eax
00401446     6A 66              push 66
00401448     6A 0A              push 0A
0040144A     FFB5 90FDFFFF      push dword ptr ss:[ebp-270]       ; a.00400000
00401450     E8 FB030000        call a.00401850
00401455     0BC0               or eax,eax
00401457     74 52              je short a.004014AB
00401459     68 42214000        push a.00402142                   ; ASCII "HBInject32"
0040145E     6A 00              push 0
00401460     E8 6B070000        call a.00401BD0                   ; jmp to user32.FindWindowA
00401465     0BC0               or eax,eax
00401467     74 42              je short a.004014AB
00401469     8985 8CFDFFFF      mov dword ptr ss:[ebp-274],eax
0040146F     C785 80FDFFFF 0000>mov dword ptr ss:[ebp-280],0
00401479     68 AE314000        push a.004031AE                   ; ASCII "HBQQXX.dll"
0040147E     E8 41070000        call a.00401BC4                   ; jmp to kernel32.lstrlenA
00401483     8985 84FDFFFF      mov dword ptr ss:[ebp-27C],eax
00401489     8D05 AE314000      lea eax,dword ptr ds:[4031AE]
0040148F     8985 88FDFFFF      mov dword ptr ss:[ebp-278],eax
00401495     8D85 80FDFFFF      lea eax,dword ptr ss:[ebp-280]
0040149B     50                 push eax
0040149C     6A 00              push 0
0040149E     6A 4A              push 4A
004014A0     FFB5 8CFDFFFF      push dword ptr ss:[ebp-274]
004014A6     E8 31070000        call a.00401BDC                   ; jmp to user32.SendMessageA
004014AB     68 4D214000        push a.0040214D                   ; ASCII "HBInjectMutex"
004014B0     6A 00              push 0
004014B2     68 03001F00        push 1F0003
004014B7     E8 C6060000        call a.00401B82                   ; jmp to kernel32.OpenMutexA
004014BC     0BC0               or eax,eax
004014BE     0F85 A4000000      jnz a.00401568
004014C4     E8 6B060000        call a.00401B34                   ; jmp to ntdll.RtlGetLastWin32Error
004014C9     83F8 02            cmp eax,2
004014CC     0F85 9C000000      jnz a.0040156E
004014D2     68 04010000        push 104
004014D7     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004014DD     50                 push eax
004014DE     E8 6F060000        call a.00401B52                   ; jmp to kernel32.GetSystemDirectoryA
004014E3     68 5B214000        push a.0040215B                   ; ASCII "\System.exe"
004014E8     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004014EE     50                 push eax
004014EF     E8 BE060000        call a.00401BB2                   ; jmp to kernel32.lstrcatA
004014F4     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
004014FA     50                 push eax
004014FB     6A 65              push 65
004014FD     6A 0A              push 0A
004014FF     FFB5 90FDFFFF      push dword ptr ss:[ebp-270]       ; a.00400000
00401505     E8 46030000        call a.00401850
0040150A     0BC0               or eax,eax
0040150C     74 58              je short a.00401566
0040150E     C785 A4FDFFFF 4400>mov dword ptr ss:[ebp-25C],44
00401518     8D85 A4FDFFFF      lea eax,dword ptr ss:[ebp-25C]
0040151E     50                 push eax
0040151F     E8 28060000        call a.00401B4C                   ; jmp to kernel32.GetStartupInfoA
00401524     8D85 94FDFFFF      lea eax,dword ptr ss:[ebp-26C]
0040152A     50                 push eax
0040152B     8D85 A4FDFFFF      lea eax,dword ptr ss:[ebp-25C]
00401531     50                 push eax
00401532     6A 00              push 0
00401534     6A 00              push 0
00401536     6A 00              push 0
00401538     6A 00              push 0
0040153A     6A 00              push 0
0040153C     6A 00              push 0
0040153E     8D85 F8FEFFFF      lea eax,dword ptr ss:[ebp-108]
00401544     50                 push eax
00401545     6A 00              push 0
00401547     E8 C4050000        call a.00401B10                   ; jmp to kernel32.CreateProcessA
0040154C     0BC0               or eax,eax
0040154E     74 16              je short a.00401566
00401550     FFB5 94FDFFFF      push dword ptr ss:[ebp-26C]
00401556     E8 A9050000        call a.00401B04                   ; jmp to kernel32.CloseHandle
0040155B     FFB5 98FDFFFF      push dword ptr ss:[ebp-268]
00401561     E8 9E050000        call a.00401B04                   ; jmp to kernel32.CloseHandle
00401566     EB 06              jmp short a.0040156E
00401568     50                 push eax
00401569     E8 96050000        call a.00401B04                   ; jmp to kernel32.CloseHandle
0040156E     837D FC FF         cmp dword ptr ss:[ebp-4],-1
00401572     74 08              je short a.0040157C
00401574     FF75 FC            push dword ptr ss:[ebp-4]
00401577     E8 88050000        call a.00401B04                   ; jmp to kernel32.CloseHandle
0040157C     8D85 7CFDFFFF      lea eax,dword ptr ss:[ebp-284]
00401582     50                 push eax
00401583     68 3F000F00        push 0F003F
00401588     6A 00              push 0
0040158A     68 67214000        push a.00402167                   ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040158F     68 02000080        push 80000002
00401594     E8 67060000        call a.00401C00                   ; jmp to advapi32.RegOpenKeyExA
00401599     0BC0               or eax,eax
0040159B     75 26              jnz short a.004015C3
0040159D     6A 0B              push 0B
0040159F     68 A1214000        push a.004021A1                   ; ASCII "System.exe"
004015A4     6A 01              push 1
004015A6     6A 00              push 0
004015A8     68 95214000        push a.00402195                   ; ASCII "HBService32"
004015AD     FFB5 7CFDFFFF      push dword ptr ss:[ebp-284]
004015B3     E8 4E060000        call a.00401C06                   ; jmp to advapi32.RegSetValueExA
004015B8     FFB5 7CFDFFFF      push dword ptr ss:[ebp-284]
004015BE     E8 37060000        call a.00401BFA                   ; jmp to advapi32.RegCloseKey
004015C3     E8 38FAFFFF        call a.00401000
004015C8     6A 00              push 0
004015CA     E8 59050000        call a.00401B28                   ; jmp to kernel32.ExitProcess
004015CF     C9                 leave
004015D0     C3                 retn

------------------------------------------------------------------------
system.exe
1. 创建 HBInjectMutex mutex
2. 打开驱动\\.\slHBKernel32, 没有就先起驱动
3. 驱动0x22E007
4. 驱动0x22E00B 4 PID  ?
5. 创建隐藏窗口HBInject32
   WM_CREATE: 解码dll表, 建定时器
   WM_CLOSE: 把当前的dll给StopServiceEx
   WM_QUERYENDSESSION: 把当前的dll给StopServiceEx 
   WM_COPYDATA: 收到dll名字后(这个版本是HBQQXX.dll), 先把当前的这个dll给StopServiceEx, 再加载新的,StartSeviceEx
   WM_TIMER: 1. "Software\Microsoft\Windows NT\CurrentVersion\Windows" AppInit_Dlls
                "Software\Microsoft\Windows\CurrentVersion\Run" system.exe
             2. 一个一个加载上面那些dll(其实是N个版本), 调用他们的StartServiceEx
             3. 杀360

   

------------------------------------------------------------------------
HBQQXX.dll
StartServiceEx: setwindowshook
StopServiceEx: stophook
dllmain: 只搞tty3d.exe和qqlogin.exe 怎么盗的没兴趣

------------------------------------------------------------------------
HBKernel32.sys
idb

[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界

收藏
点赞0
打赏
分享
最新回复 (9)
shoooo
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
私信
shoooo 16 2008-10-29 11:40
2
0
因为不清楚写物理内存和ZwSystemDebugControl 算0环方法还是3还方法
所以我很老实的写了个驱动方法

//killhb.sys
#include "ntddk.h"

__declspec(dllimport) NTSTATUS __stdcall
ZwQuerySystemInformation(
    ULONG   SysInformatoinClass,
    PVOID   SystemInformation,
    ULONG   SystemInformationLength,
    PULONG  ReturnLength OPTIONAL
    );

BOOLEAN __stdcall GetHBBaseAndSize(PULONG KrnlBase, PULONG KrnlSize) 
{
	BOOLEAN		rt;
	ULONG		PoolSize;
	PVOID		Pool;
	NTSTATUS	status;
	PVOID		ModuleStart;
	ULONG		i;
	ULONG		j;
	PUCHAR		Name;

	PoolSize = 0x1000;
	Name = NULL;
	rt = FALSE;
	Pool = ExAllocatePoolWithTag(NonPagedPool, PoolSize, ' kdD');
	if (Pool == NULL)
		return FALSE;
	do
	{
		status = ZwQuerySystemInformation(0x0B, Pool, PoolSize, NULL);
		if (status == STATUS_INFO_LENGTH_MISMATCH)
		{
			if (Pool != NULL)
				ExFreePool(Pool);
			PoolSize = PoolSize * 2;
			Pool = ExAllocatePoolWithTag(NonPagedPool, PoolSize, ' kdD');
			continue ;
		}
		break ;
	}while(1);
	if (!NT_SUCCESS(status))
	{
		if (Pool != NULL)
		{
			ExFreePool(Pool);
		}
		return FALSE;
	}
	ModuleStart = (PVOID)((PUCHAR)Pool+4); 
	for (i=0; i<*(PULONG)Pool; i++)
	{
		if (rt == TRUE)
			break ;
		Name = strrchr((PUCHAR)ModuleStart+0x1C+i*0x11C, '\\');
		if (Name != NULL)
			Name = Name + 1;
		else
			Name = (PUCHAR)ModuleStart+0x1C+i*0x11C;
		if (Name != NULL)
		{
			if (_stricmp(Name, "HBKernel32.sys") == 0)
			{
				*KrnlBase = *(PULONG)((PUCHAR)ModuleStart + i*0x11C + 0x08);
				*KrnlSize = *(PULONG)((PUCHAR)ModuleStart + i*0x11C + 0x0C);
				rt = TRUE;
				break ;
			}
		}
	}
	if (Pool != NULL)
		ExFreePool(Pool);

	return rt;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	BOOLEAN rt;
	ULONG	base = 0;
	ULONG size = 0;
	rt = GetHBBaseAndSize(&base, &size);
	DbgPrint("%08X, %08X, %08X", rt, base, size);
	if (rt)
	{
		if (*(PUSHORT)(base+0x2D6D) == 0x3D83)
		{
				*(PULONG)(base+0x3F20) = 1;
				DbgPrint("fuck");
		}
	}

	return STATUS_UNSUCCESSFUL;
}


专杀程序
//3.cpp
#include <windows.h>
#include <shlwapi.h>
#pragma comment (lib, "shlwapi.lib")
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")

void s0()
{
	HMODULE	mod;
	CreateMutex(NULL, FALSE, "HBInjectMutex");
	mod = GetModuleHandle("HBQQXX.dll");
	if (mod != NULL)
	{
		GetProcAddress(mod, "StopServiceEx");
		__asm call eax
		FreeLibrary(mod);
	}
}

int s1()
{
	HANDLE	hFile;
	DWORD	Input;
	DWORD	Output;
	DWORD	tmp;
	hFile = CreateFile("\\\\.\\slHBkernel32", GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		return 0;
	}
	Input = 0;
	Output = 0;
	DeviceIoControl(hFile, 0x22E00F, &Input, 4, NULL, 0, &tmp, NULL);
	DeviceIoControl(hFile, 0x22E00B, &Input, 4, &Output, 4, &tmp, NULL);
	CloseHandle(hFile);
	return 1;
}

int s2()
{
    SC_HANDLE	schService;
	SC_HANDLE	schSCManager;
	char	szFileName[MAX_PATH];

	GetSystemDirectory(szFileName, MAX_PATH);
	lstrcat(szFileName, "\\drivers\\killhb.sys");
	CopyFile("killhb.sys", szFileName, FALSE);
    schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (NULL == schSCManager)
	{
		return 0;
	}
	schService = OpenService(schSCManager, "killhb", SC_MANAGER_ALL_ACCESS);
    if (NULL == schService)
	{
		schService = CreateService(schSCManager, 
								"killhb", 
								"killhb", 
								SERVICE_ALL_ACCESS,
								SERVICE_KERNEL_DRIVER, 
								SERVICE_DEMAND_START,  
								SERVICE_ERROR_NORMAL,   
								szFileName,             
								NULL,
								NULL,
								NULL,
								NULL,
								NULL
								);  
		Sleep(200);
	}
	if (NULL == schService)
	{
		CloseServiceHandle(schSCManager);
		return 0;
	}
	StartService(schService, 0, NULL);
	Sleep(200);
	DeleteService(schService);
	CloseServiceHandle(schService);
	CloseServiceHandle(schSCManager);
	DeleteFile(szFileName);

	return 1;
}

int s3()
{
	HWND	hWnd;
	hWnd = FindWindow(NULL, "HBInject32");
	if (hWnd == NULL)
	{
		return 0;
	}
	SendMessage(hWnd, WM_CLOSE, 0, 0);
	SendMessage(hWnd, WM_QUERYENDSESSION, 0, 0);
	return 1;
}

int s4()
{
	SHDeleteValue(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", "AppInit_Dlls");
	SHDeleteValue(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HBService32");
	SHDeleteKey(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet\\Services\\HBKernel32");
	SHDeleteKey(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet001\\Services\\HBKernel32");
	SHDeleteKey(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet002\\Services\\HBKernel32");
	SHDeleteKey(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet003\\Services\\HBKernel32");
	SHDeleteKey(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\HBKernel32");
	return 1;
}

int s5()
{
	char src[MAX_PATH];
	char dst[MAX_PATH];
	GetTempPath(MAX_PATH, dst);
	lstrcat(dst, "\\2132378.sh");
	DeleteFile(dst);
	GetSystemDirectory(src, MAX_PATH);
	lstrcat(src, "\\system.exe");
	MoveFile(src, dst);
	DeleteFile(dst);

	GetTempPath(MAX_PATH, dst);
	lstrcat(dst, "\\9345834.sh");
	DeleteFile(dst);
	GetSystemDirectory(src, MAX_PATH);
	lstrcat(src, "\\HBQQXX.dll");
	MoveFile(src, dst);
	DeleteFile(dst);

	GetTempPath(MAX_PATH, dst);
	lstrcat(dst, "\\5475451.sh");
	DeleteFile(dst);
	GetSystemDirectory(src, MAX_PATH);
	lstrcat(src, "\\drivers\\HBKernel32.sys");
	MoveFile(src, dst);
	DeleteFile(dst);

	return 1;
}



void start()
{
	s0();
	if (s1() == 0)
	{
		MessageBox(0, "HBkernel32可能不存在", "killhb", 0);
		goto home;
	}
	if (s2() == 0)
	{
		MessageBox(0, "加载killhb驱动失败", "killhb", 0);
		goto home;
	}
	if (s3() == 0)
	{
		MessageBox(0, "清理system.exe失败", "killhb", 0);
		goto home;
	}
	if (s4() == 0)
	{
		MessageBox(0, "清理注册表失败", "killhb", 0);
		goto home;
	}
	if (s5() == 0)
	{
		MessageBox(0, "清理尸体失败", "killhb", 0);
		goto home;
	}
	MessageBox(0, "完成", "killhb", 0);

home:
	ExitProcess(0);
}


附件是编译好的
执行驱动线程停了,system.exe进程杀了,注册表干净了,尸体都放到temp目录了,即木马功能都没了。 重启后更健康
上传的附件:
kangaroo
雪    币: 264
活跃值: (30)
能力值: ( LV12,RANK:250 )
在线值:
发帖
回帖
粉丝
私信
kangaroo 6 2008-10-29 17:21
3
0
shooo多来几种方法
shoooo
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
私信
shoooo 16 2008-10-29 17:54
4
0
不着急, 等你们出了详细规则再做不迟
shoooo
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
私信
shoooo 16 2008-10-30 10:42
5
0
贴一个纯3环的方法,应该nt各平台通用的
驱动文件删掉, 注册表清掉,垃圾文件清掉, 不需要重启

p.s. 物理内存, ZwSystemDebugControl, gdt之流都是旁门左道,我就不贴这些了

主要代码片断
int s2()
{
	//提权
	HANDLE hToken;
    TOKEN_PRIVILEGES priv = {1, {0, 0, SE_PRIVILEGE_ENABLED}};
    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &priv.Privileges[0].Luid))
	{
		return -1;
	}
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
	{
		return -2;
	}
	if (!AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof(priv), 0, 0))
	{
		return -3;
	}
    CloseHandle(hToken);

	//找system
	HANDLE	hC;
	DWORD	dwPid;
	BOOL	bNext;
	dwPid = 0;
	PROCESSENTRY32 p32 = {sizeof(p32)};
	hC = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); 
	bNext = Process32First(hC, &p32); 
	while (bNext) 
	{ 
		if (lstrcmpi(p32.szExeFile, "SYSTEM") == 0)
		{
			dwPid = p32.th32ProcessID;
			break ;
		}
		bNext = Process32Next(hC, &p32); 
	} 
	CloseHandle(hC); 
	if (dwPid == 0)
	{
		return -4;
	}

	//找到HB驱动的基址和大小
	DWORD	HBBase;
	DWORD	HBSize;
	char	*offset;
	int		Status; 
	LPBYTE	buf;
	DWORD	dwSize;
	DWORD	i;
	buf = NULL;
	dwSize = 0x2000;
	do
	{
		dwSize *= 2;
		if (buf)
		{
			VirtualFree(buf, 0, MEM_RELEASE);
		}
		buf = (LPBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
		Status = ZwQuerySystemInformation(11, buf, dwSize, NULL); 
	} while (Status == 0xC0000004);
	HBBase = 0;
	HBSize = 0;
	for (i=0; i<*(LPDWORD)buf; i++)
	{
		offset = strrchr((char *)buf+4+i*0x11C+0x1C, '\\');
		if (offset != NULL)
			offset = offset + 1;
		else
			offset = (char *)buf+4+i*0x11C+0x1C;
		if (offset != NULL)
		{
			if (lstrcmpi(offset, "HBKernel32.sys") == 0) 
			{
				HBBase = *(PULONG)(buf + 4 + i*0x11C + 0x08);
				HBSize = *(PULONG)(buf + 4 + i*0x11C + 0x0C);
				break ;
			}
		}
	}
	VirtualFree(buf, 0, MEM_RELEASE);
	if (HBBase == 0)
	{
		return -5;
	}

	//打开system
	HANDLE	hProcess;
	hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwPid);
	if (hProcess == NULL)
	{
		return -6;
	}

	//找HB线程ID
	DWORD	StartAddress;
	DWORD	dwTid;
	buf = NULL;
	dwSize = 0x2000;
	do
	{
		dwSize *= 2;
		if (buf)
		{
			VirtualFree(buf, 0, MEM_RELEASE);
		}
		buf = (LPBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
		Status = ZwQuerySystemInformation(5, buf, dwSize, NULL); 
	} while (Status == 0xC0000004);
	dwTid = 0;
	offset = (char *)buf;
	while (1)
	{
		if (*(LPDWORD)(offset+0x44) != dwPid)
		{
			offset += *(LPDWORD)offset;
			continue ;
		}
		for (i=0; i<*(LPDWORD)(offset+0x04); i++)
		{
			StartAddress = *(LPDWORD)(offset+0xB8+i*0x40+0x1C);
			if (StartAddress>HBBase && StartAddress<(HBBase+HBSize))
			{
				dwTid = *(LPDWORD)(offset+0xB8+i*0x40+0x24);
				break ;
			}
		}
		break ;
	}
	VirtualFree(buf, 0, MEM_RELEASE);
	if (dwTid == 0)
	{
		CloseHandle(hProcess);
		return -7;
	}

	HANDLE	hThread;
	DWORD	OpenThread;
	hThread = NULL;
	OpenThread = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");
	__asm
	{
		push dwTid
		push 0
		push THREAD_ALL_ACCESS
		call OpenThread
		mov hThread, eax
	}
	if (hThread == NULL)
	{
		CloseHandle(hProcess);
		return -8;
	}
	SuspendThread(hThread);
	CloseHandle(hThread);

	//枚举句柄
	HANDLE	hHandle;
	HANDLE	hFile;
	IO_STATUS_BLOCK io;
	LPBYTE	FileName;
	wchar_t *wname;
	buf = NULL;
	dwSize = 0x2000;
	do
	{
		dwSize *= 2;
		if (buf)
		{
			VirtualFree(buf, 0, MEM_RELEASE);
		}
		buf = (LPBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
		Status = ZwQuerySystemInformation(16, buf, dwSize, NULL); 
	} while (Status == 0xC0000004);

	FileName = (LPBYTE)VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
	for (i=0; i<*(LPDWORD)buf; i++)
	{
		if (*(LPDWORD)(buf+4+i*0x10+0x00) != dwPid)
			continue ;
		hHandle = 0;
		hHandle = (HANDLE)*(LPWORD)(buf+4+i*0x10+0x06);
		if (*(LPBYTE)(buf+4+i*0x10+0x04) == 0x1C)
		{
			hFile = INVALID_HANDLE_VALUE;
			DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &hFile, 0, FALSE, DUPLICATE_SAME_ACCESS);
			if (hFile == INVALID_HANDLE_VALUE)
				continue ;
			memset(FileName, 0, 0x1000);
			Status = ZwQueryInformationFile(hFile, &io, FileName, 0x1000, 9);
			if (Status == 0)
			{
				wname = wcsrchr((wchar_t *)(FileName+4), L'\\');
				if (wname != NULL)
				{
					wname++;
					if (wcsicmp(wname, L"HBkernel32.sys") == 0)
					{
						CloseHandle(hFile);
						hFile = INVALID_HANDLE_VALUE;
						DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &hFile, 0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE);
						if (hFile != INVALID_HANDLE_VALUE)
						{
							CloseHandle(hFile);
							VirtualFree(FileName, 0, MEM_RELEASE);
							VirtualFree(buf, 0, MEM_RELEASE);
							CloseHandle(hProcess);
							return 1;
						}
					}
				}
			}
			CloseHandle(hFile);
			hFile = INVALID_HANDLE_VALUE;
		}
	}

	VirtualFree(FileName, 0, MEM_RELEASE);
	VirtualFree(buf, 0, MEM_RELEASE);
	CloseHandle(hProcess);

	return 0;
}
上传的附件:
shoooo
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
私信
shoooo 16 2008-10-30 11:51
6
0
shoooo 第三轮得分
方法: 2种
基础方法 ring3: 90分
ring3方法不需要重启: +10分
ring0方法: +10分
ring0方法不需要重启 +10分
文档的质量和代码规范性 + 4分

总得分 124分
kangaroo
雪    币: 264
活跃值: (30)
能力值: ( LV12,RANK:250 )
在线值:
发帖
回帖
粉丝
私信
kangaroo 6 2008-10-30 23:22
7
0
计算的相当完美,争取得满分
kangaroo
雪    币: 264
活跃值: (30)
能力值: ( LV12,RANK:250 )
在线值:
发帖
回帖
粉丝
私信
kangaroo 6 2008-11-11 22:56
8
0
基础方法 ring3: 90分
ring3方法不需要重启: +5分(驱动还在内存中)
ring0方法: +10分
ring0方法不需要重启 +5分(驱动还在内存中)
文档的质量和代码规范性 + 10分

总得分 120分
shoooo
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
私信
shoooo 16 2008-11-12 19:34
9
0
楼上裁判
文档中说删除驱动文件,删除注册表,删除木马exe,dll是+10 分吧,并没有说 "驱动还在内存中只得5分"
kangaroo
雪    币: 264
活跃值: (30)
能力值: ( LV12,RANK:250 )
在线值:
发帖
回帖
粉丝
私信
kangaroo 6 2008-11-12 19:40
10
0
4、如果不需要重起的情况下,能完美删除驱动等释放文件,卸载驱动及dll模块,删除注册表,在上面的基础上,再加10分,加满150分为止;其余对重起没有要求。

有个卸载驱动!!!!
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回