首页
社区
课程
招聘
[原创]一种Windows CE 平台AutoRun程序的实现方法
发表于: 2008-12-28 21:00 18555

[原创]一种Windows CE 平台AutoRun程序的实现方法

2008-12-28 21:00
18555

一种Windows CE 平台AutoRun程序的实现方法

    在PC平台有一类通过移动存储介质传播的自动运行病毒。当移动存储介质插入PC之后,如果用户双击设备就会自动运行病毒。

    在Windows CE平台也有类似的自动运行程序。而且根据实验发现Windows CE平台的AutoRun程序甚至比PC平台更危险。只要用户插入染毒SD卡就会启动病毒不需要用户点击!

操作方法:
01、在用户SD卡根目录下建立一个名为2577的目录。(2577同当前系统CPU类型相关,如果是ARM CPU就是2577。)
02、将希望自动运行的程序拷贝到2577目录下改名为AutoRun.exe

将这个SD卡插入Windows CE系统时,AutoRun.exe程序就会运行。这个实验可以在模拟器和真机上做成功。

本人声明:
这项技术可以用于编写手机病毒。本人发布这项技术的研究成果只是提高大家的开发兴趣,同大家交流进行技术交流并不是鼓励编写病毒做坏事。

实验效果图及示例程序:


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

上传的附件:
收藏
免费 7
支持
分享
最新回复 (28)
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
恐怖,这个目录是cpu的补丁目录?
2008-12-28 21:21
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
3
不是。这是Windows CE系统提供的自动播放功能的目录。和补丁无关。
2008-12-28 21:41
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
4
我认为微软设计这个功能的初衷是方便开发和用户使用。
当然了,黑客也是用户。只是目的不同罢了。
2008-12-28 21:56
0
雪    币: 5
活跃值: (47)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
是系统提供的?
------------
操作方法:
01、在用户SD卡根目录下建立一个名为2577的目录。(2577同当前系统CPU类型相关,如果是ARM CPU就是2577。)
------------
为什么要跟着CPU走?
2008-12-29 10:00
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
6
是系统提供的功能。

ARM是2577.

MIPS,SH,PPC等CPU各不相同。一般手机、PDA等平台绝大多数使用ARM芯片。

为什么会这样就不清楚了。问微软吧。
2008-12-29 12:47
0
雪    币: 101
活跃值: (88)
能力值: ( LV2,RANK:140 )
在线值:
发帖
回帖
粉丝
7
My God!

我的手机上真的是插卡就运行啊~~~
2008-12-29 15:55
0
雪    币: 101
活跃值: (88)
能力值: ( LV2,RANK:140 )
在线值:
发帖
回帖
粉丝
8
加总,来几篇ARM汇编教程吧~~~
2008-12-29 16:02
0
雪    币: 155
活跃值: (10)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
9
开始担心自己的手机了,呵呵,什么时候出手机杀毒软件,防火墙呢
2008-12-29 16:15
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
10
5月份查到的资料是使用Windows Mobile平台的手机超过300个型号。

宏达(多普达)、摩托罗拉、三星、联想等等都有WM生产线。

所以攻击范围还是蛮广的。

Blitz Force的一些朋友用导航仪做了实验同样可以感染。

国内绝大多数导航仪厂商都是使用的WINCE做基础平台。
2008-12-29 16:36
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
11
ARM汇编的资料还是比较多。应该可以借到这方面的教程或者下载到电子档吧?
因为我们不是硬件工程师,所以重点是掌握ARM CPU的基本原理,结构特点和指令集系统。
2008-12-29 17:23
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
12
现在手机病毒还比较少。主要是开发者还比较少,而且即使是同一个操作系统不同型号手机之间差距都很大所以感染传播往往会遇到比较多的问题。

卡巴、金山、江民都有手机杀毒软件产品。并且细分成很多大类:Windows Mobile , 塞班等。
2008-12-29 17:27
0
雪    币: 202
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
13
楼主,在wince5.0下试过不行,硬件是三星的S3C2443
2008-12-29 17:36
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
14
并不是WINCE 5.0下就不行。
我在WM SDK 5.0中用模拟器实验可以成功。

你是用手机做的实验?同品牌不同型号的手机差距比较大,这也是阻碍手机病毒广泛传播的一个小障碍。不过在未来这种差距会逐步减小。

差距产生的原因很多,其中一个重要原因可能是制造商设置的系统安全级别不同。
2008-12-29 18:17
0
雪    币: 6051
活跃值: (1441)
能力值: ( LV15,RANK:1473 )
在线值:
发帖
回帖
粉丝
15
跟品牌无关,跟ARM核心和WINCE系统相关,所有用ARM和WINCE的设备,比如PDA,WM5,WM6,等等,当卡插入设备时就会自动运行的

这个在WM SDK里可以查到的,还讲了其他CPU类型的自动运行目录名,我记不太清了

记得好像解释留这个AUTORUN的目的好像是做测试还是什么的?

我就曾经用过,刚接触WM编程时还不会把模拟器挂载到ActiveSync上调试,就开模拟器挂载2577目录自动运行,省点事,呵呵~
2008-12-29 22:00
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
16
早期的SP系统没有自带文件浏览器,我做实验时也用过这个方法启动程序。所以很喜欢用PPC实验。

如此来看,这个自启动方法有比较广的适应性可以有效的用于传染病毒。

杀毒软件必须在插卡时,抢在AutoRun.exe运行前拦截住才行!
2008-12-29 22:24
0
雪    币: 202
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
17
不是手机,自己做的GPS
2008-12-30 09:08
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
18
这正是嵌入式平台和桌面平台的一个重要区别。嵌入式平台的操作系统可以让设计者在很大程度上设置和调整。用过Platform Builder就知道了。同样是WINCE系统,手机、超市收银机、医疗设备可能会有很大的差别。

前面提到“不同品牌、型号手机差距很大”主要是指手机生产厂商的设置。

市面上一些GPS设备也可以插卡后启动,一些朋友做过这方面的实验。
2008-12-30 10:01
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
19
看看ARM的原版文章很有用的。

ARM Architecture Reference Manual这个不错,很多国内的都是直接翻译它的
2009-1-13 10:41
0
雪    币: 190
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
est
20
收藏啦。感谢师兄 :-)

MSDN原始地址:http://msdn.microsoft.com/en-us/library/bb159776.aspx
2009-1-17 00:44
0
雪    币: 220
活跃值: (35)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
21
这么老的东西还叫原创啊。
http://www.informit.com/guides/content.aspx?g=security&seqNum=91
Windows Mobile Autorun

Last updated Nov 25, 2004.

Almost any user, from the most experienced to the complete beginner, knows that when you place a game or application CD in the computer it will automatically launch a program that allows you to interact with the data on the disk. This is a result of a magically concept known as the autorun.

The autorun has some definite advantages. It simplifies the installation routine by automating the necessary steps to unpack and execute files on the inserted media. By doing this, the user is kept at an abstract level from the actual data, which is arguably a good thing for many of the computer users in the world. In general, the more the computer automagically operates, the happier the user.

Unfortunately, the simple fact that an autorun process executes a program WITHOUT user interaction is a security nightmare. There is no guarantee that the programs processed by the autorun are actually safe. They could just as easily contain malicious code as they could the launcher for Doom 3. Not to mention the program executed by the autorun may run hidden and give no indication it has executed. This is where the true danger lies.

To compound the autorun threat even more, CD-ROMs are not the only form of media that can automatically trigger a program to launch. External hard drives, USB thumb drives, DVDs, and more can elicit a program execution. So, thanks to the combination of providing the end user with a brainless computer experience with the increasingly connected and integrated computer, we now have yet another vector by which viruses, trojans, and other forms of malware can be transmitted. Oh, and all this not only applies to the desktop PC, but it also applies to mobile devices, such as PDAs and cell phones.
The PDA Threat

The PDA is a great tool. However, it is one of the most highly underestimated computer devices on the market. Most people see a PDA and think of a digital day timer. They recognize it is a mini-computer of sorts, but fail to realize that though the size of the device might be small, the computing power contained inside is basically the same of a computer purchased in 1996-1998, and in some cases more powerful.

In today's PDA, you can find up to 256MB of built in memory, a 624mhz processor, built-in 802.11 & Bluetooth wireless connectivity, plus the ability to plug in external drives, run multiple operating systems, and more. While the resources available on the PDA speak to their potential, the programs these devices can run further illustrate their power. Word, Excel, games, Power Point, FTP servers, web servers, email server, full ssh daemons and more run on these devices. In fact, with the Familiar Linux operating system installed, it is hard to tell a PDA from a regular computer when connected remotely (granted data space, memory allocation, and other hardware specifics will give it away to the curious user).

With all this power and storage ability, an attacker may consider the PDA a target too good to pass up. The question is then, how can an attacker gain access to and install any malicious programs that can help achieve their goal. This is where the power of the autorun can come in handy.

To illustrate, how often do you see a PDA user on a subway or in a coffee shop? What would happen if you sat next to this user, pulled out your PDA and started up a conversation about how your PDA rocks. Next pull out your Atari games SD card, and show the victim the games your PDA can play, and then offer it to them to try. Congratulations, you now own their PDA. What the victim didn't realize is when the SD card was inserted into the PDA, it automatically executed a file on the PDA that placed a trojan/backdoor in their startup folder, replaced their keyboard with a version that logs everything typed, copied out everything in their My Documents folder to the SD card. All this by simply inserting the innocent looking SD card into their PDA.
The Detailed Threat

Autorun on a PDA is not as simply to execute as it is on a desktop PC. As per the MSDN, each major brand of PDA processor is associated with a particular numerical value as defined by the winnt.h file. The number is then used as a folder naming convention, in which that processor would expect to find its personal executable. This is due to the simple fact that each processor understands a different assembly language, which means a program compiled for a StrongARM will not execute on a MIPS processor. The following list provides you with the association table.

HITACHI_SH3          10003          // Windows CE
HITACHI_SH3E             10004          // Windows CE
HITACHI_SH4              10005         // Windows CE
MOTOROLA_821               821   // Windows CE
SH3                              103          // Windows CE
SH4                              104   // Windows CE
STRONGARM                2577          // Windows CE - 0xA11
ARM720                         1824          // Windows CE - 0x720
ARM820                         2080          // Windows CE - 0x820
ARM920                         2336          // Windows CE - 0x920
ARM_7TDMI                70001

In other words, if you obtain a SD card, create this folder structure on the card, and drop a file called AUTORUN.exe inside each folder that is compiled for the appropriate processor, you can be fairly certain your AUTORUN program will be executed. To make it even more simple, the folder 2577 covers all versions of the ARM processor, from the XScale used in the newest releases from Dell and HP, to the older StrongARM used in the original iPAQs.

When the media card is inserted, the autorun.exe file is actually copied to the \Windows directory on the PDA. It is then 'installed' (I.E. executed). When the media card is removed, the program is 'uninstalled', and then deleted from the \Windows folder. This has several indirect affects. One, your PDA must have the memory space needed for this program to launch, and there must not be another 'autorun.exe' program in the \Windows startup folder or it will be deleted.

To demonstrate, we created the following simple program that can easily be placed on a SD card. This program can be compiled by placing the autorun.s file, make.bat file, two programs from the EVC++ package named armasm.exe and link.exe, and coredll.lib into a folder. Then double click on make.bat and autorun.s should compile and create two new files; autorun.obj and autorun.exe. Place the autorun.exe file in a folder named 2577 on your SD card, remove it and reinsert the card. You should be greeted with a popup box similar to the one in figure 10.

Make.bat:
armasm.exe autorun.s
link.exe coredll.lib /entry:"start" /subsystem:windowsce /machine:arm autorun.obj
pause

autorun.s:
                IMPORT MessageBoxW                ;Calls MessageBox function
                IMPORT ExitThread                        ;Calls ExitThread function
                EXPORT        start                        ;Exports start code
                AREA        .text, CODE
start
                eor        R0, R0, R0                        ;Sets 1st parameter = 0
                ldr        R1, =message                        ;Sets 2nd parameter = message
                ldr         R2, =msgtit                        ;Sets 3rd parameter = mestit
                mov        R3, #0                                ;Sets 4th parameter = MB_OK
                eor         R4, R4, R4                        ;Sets 5th parameter = 0
                bl        MessageBoxW                ;Calls message box function
                eor        R0, R0, R0                        ;Sets R0 = 0
                bl        ExitThread                        ;Calls ExitThread
                ALIGN
message                dcb        "A",0,"u",0,"t",0,"o",0,"r",0,"u",0,"n",0,0,0
msgtit                dcb        "A",0,"u",0,"t",0,"o",0,"r",0,"u",0,"n",0,0,0

                END
2009-1-17 16:06
0
雪    币: 53
活跃值: (280)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
22
方法很多,写注册表自启动比较常见,
另外,WINCE,MOBILE都支持多语言,写个mui的多语言dll,放到exe同目录下,在DLL入口中加入代码。。。还有很多。。。
2009-2-7 19:12
0
雪    币: 232
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
23
危险啊。。。!
2009-2-14 17:09
0
雪    币: 104
活跃值: (73)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
24
快点开发手机杀毒软件占领市场
2009-5-17 21:01
0
雪    币: 2604
活跃值: (64)
能力值: (RANK:510 )
在线值:
发帖
回帖
粉丝
25
实际上卡巴、江民、网秦等公司,早有WM的杀毒软件了。

目前这个平台的斗争正在逐步加剧。慢慢来....
2009-5-17 22:03
0
游客
登录 | 注册 方可回帖
返回
//