文章作者:Eros412
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
文章备注:逆向MJ0011的drvdet,通过暴力搜索内存寻找隐藏的驱动
代码:
//By:Eros412
#include<ntddk.h>
typedef ULONG DWORD;
typedef void * PVOID ;
typedef unsigned char BYTE;
typedef unsigned short WORD;
/* One entry of the loaded-module list returned by information class 11
 * (the "module information" class).  address_check reads only Base and Size;
 * it addresses the entries as (PULONG)buffer + 3, i.e. after the ULONG entry
 * count and two further ULONGs.
 * NOTE(review): this is the author's reverse-engineered layout.  With default
 * 4-byte packing the trailing reserved[2] pads each entry to 284 bytes, which
 * is what makes the stride line up; confirm against the DDK's documented
 * structure before reusing it elsewhere. */
typedef struct _SYSTEM_MODULE_INFORMATION {
PVOID Base;               /* virtual address the module is mapped at */
ULONG Size;               /* size of the mapped image in bytes */
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;  /* presumably the file-name offset inside ImageName; unused here */
CHAR ImageName[255];
ULONG reserved[2];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/* Result of information class 0 (basic system information) as this listing
 * describes it.  DriverEntry requests exactly 0x2C bytes, which is the size
 * of this struct with default 4-byte packing, and reads uPageSize and
 * uMmNumberOfPhysicalPages to bound the physical addresses it scans. */
typedef struct
{
DWORD dwUnknown1;
ULONG uKeMaximumIncrement;
ULONG uPageSize;                 /* bytes per page; used by DriverEntry */
ULONG uMmNumberOfPhysicalPages;  /* RAM page count; used by DriverEntry */
ULONG uMmLowestPhysicalPage;
ULONG uMmHighestPhysicalPage;
ULONG uAllocationGranularity;
PVOID pLowestUserAddress;
PVOID pMmHighestUserAddress;
ULONG uKeActiveProcessors;
BYTE bKeNumberProcessors;
BYTE bUnknown2;
WORD wUnknown3;
} SYSTEM_BASIC_INFORMATION,*PSYSTEM_BASIC_INFORMATION;
/* Local prototype for ZwQuerySystemInformation, presumably because the DDK
 * header used here does not declare it.  num is the information class; this
 * file uses 0 (basic information, DriverEntry) and 11 (loaded-module list,
 * address_check).  On a too-small buffer the required size is reported
 * through ReturnLength. */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
ULONG num,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
/* File-scope scratch state: moduleinfo, count, status, memory, n and j are
 * used by address_check, ReturnLength by both address_check and DriverEntry.
 * No synchronization is visible, so concurrent callers would race on them. */
PSYSTEM_MODULE_INFORMATION moduleinfo;
DWORD ReturnLength,count,status;
PVOID memory;
ULONG n,j;
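/*
 * address_check - does the loaded-module list claim addr_in?
 *
 * addr_in: kernel virtual address to look up.
 * Returns 1 when an entry satisfies Base < addr_in < Base + Size (the strict
 * lower bound is kept from the original; DriverEntry passes ImageBase + 2),
 * 0 when no entry matches or the list could not be fetched.  A PE header that
 * the page scan finds but that returns 0 here is reported as hidden, since a
 * driver loaded outside the normal path does not appear in this list.
 *
 * Information class 11 returns a ULONG entry count followed by the entries;
 * the entries are addressed as (PULONG)buffer + 3, exactly as in the original
 * listing, which is where the author's SYSTEM_MODULE_INFORMATION layout puts
 * them.  The snapshot lives in non-paged pool and is freed on every path
 * (the original leaked it on a hit and also read one entry past the count).
 */
int address_check(ULONG addr_in){
    ULONG needed = 0;
    ULONG probe = 0;
    ULONG entry_count;
    ULONG max_entries;
    ULONG idx;
    PVOID snapshot;
    PSYSTEM_MODULE_INFORMATION entries;
    NTSTATUS query_status;
    int inside = 0;

    /* Deliberately undersized first call: only the required length is wanted,
     * and the buffer size passed matches the variable it points to. */
    ZwQuerySystemInformation(11, &probe, sizeof probe, &needed);
    if (needed < 3 * sizeof(ULONG)) {
        return 0;
    }
    snapshot = ExAllocatePoolWithTag(NonPagedPool, needed, 0x206B6444);
    if (snapshot == NULL) {
        return 0;
    }
    query_status = ZwQuerySystemInformation(11, snapshot, needed, &needed);
    if (query_status != STATUS_SUCCESS || needed < 3 * sizeof(ULONG)) {
        ExFreePool(snapshot);
        return 0;
    }
    entry_count = *(ULONG *)snapshot;
    /* Never index beyond the bytes that were actually returned, whatever the
     * reported count says. */
    max_entries = (needed - 3 * sizeof(ULONG)) / sizeof(SYSTEM_MODULE_INFORMATION);
    if (entry_count > max_entries) {
        entry_count = max_entries;
    }
    entries = (PSYSTEM_MODULE_INFORMATION)((PULONG)snapshot + 3);
    for (idx = 0; idx < entry_count; idx++) {
        ULONG base = (ULONG)entries[idx].Base;
        if (addr_in > base && addr_in < base + entries[idx].Size) {
            inside = 1;
            break;
        }
    }
    ExFreePool(snapshot);
    return inside;
}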
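/* The bytes "DOS mode" from the MS-DOS stub message every PE image carries;
 * finding them in the first page of a candidate is the first filter. */
static const UCHAR dos_mode_marker[8] = { 0x44, 0x4f, 0x53, 0x20, 0x6d, 0x6f, 0x64, 0x65 };

/* Offsets and limits used by the scan, named after what the original
 * listing computed from them. */
enum {
    MZ_LFANEW_OFFSET      = 0x3C,        /* e_lfanew: offset of the "PE\0\0" signature */
    PE_SIZEOFIMAGE_OFFSET = 0x50,        /* OptionalHeader.SizeOfImage, from "PE\0\0" */
    PE_SUBSYSTEM_OFFSET   = 0x5C,        /* OptionalHeader.Subsystem, from "PE\0\0" */
    SUBSYSTEM_NATIVE      = 1,           /* native subsystem: a kernel-mode driver */
    MARKER_SCAN_FIRST     = 0x40,        /* dos_mode_marker is looked for in ... */
    MARKER_SCAN_END       = 0x140,       /* ... [page + 0x40, page + 0x140) */
    PDB_MAGIC             = 0x6264702E,  /* ".pdb" read as a little-endian DWORD */
    PDB_NAME_MAX_BACK     = 256,         /* how far back from ".pdb" a file name may start */
    SCAN_PAGE_SIZE        = 0x1000
};
/* The page below this address is the last one probed (the original stopped
 * when page + 0x140 reached 0xFFFF0140). */
static const ULONG scan_end_address = 0xFFFF0000UL;

/* Does the page at page_base carry the "DOS mode" stub text inside
 * [page_base + 0x40, page_base + 0x140)?  The caller has already verified
 * that page_base is a valid page; the window plus the 7 trailing marker bytes
 * never leaves that page. */
static BOOLEAN has_dos_mode_marker(ULONG page_base)
{
    ULONG pos;

    for (pos = page_base + MARKER_SCAN_FIRST; pos < page_base + MARKER_SCAN_END; pos++) {
        ULONG k;
        for (k = 0; k < sizeof dos_mode_marker; k++) {
            if (*(UCHAR *)(pos + k) != dos_mode_marker[k]) {
                break;
            }
        }
        if (k == sizeof dos_mode_marker) {
            return TRUE;
        }
    }
    return FALSE;
}

/* If the valid page at page_base looks like the start of a native-subsystem
 * PE image, store its SizeOfImage in *image_size and return TRUE.  Header
 * fields can sit on the following page (e_lfanew may be up to 0xFFF), so they
 * are read only after MmIsAddressValid has confirmed that page; the original
 * dereferenced them unconditionally. */
static BOOLEAN native_image_at(ULONG page_base, ULONG *image_size)
{
    ULONG e_lfanew;
    ULONG pe_sig;

    if (!has_dos_mode_marker(page_base)) {
        return FALSE;
    }
    e_lfanew = *(ULONG *)(page_base + MZ_LFANEW_OFFSET);
    if (e_lfanew >= SCAN_PAGE_SIZE) {
        return FALSE;
    }
    pe_sig = page_base + e_lfanew;
    /* The span from SizeOfImage to Subsystem is 13 bytes, so validating both
     * ends covers every page it can touch. */
    if (!MmIsAddressValid((PVOID)(pe_sig + PE_SIZEOFIMAGE_OFFSET)) ||
        !MmIsAddressValid((PVOID)(pe_sig + PE_SUBSYSTEM_OFFSET))) {
        return FALSE;
    }
    /* Only the low byte of the Subsystem WORD is compared, as in the original. */
    if (*(UCHAR *)(pe_sig + PE_SUBSYSTEM_OFFSET) != SUBSYSTEM_NATIVE) {
        return FALSE;
    }
    *image_size = *(ULONG *)(pe_sig + PE_SIZEOFIMAGE_OFFSET);
    return TRUE;
}

/* Print one line for a hidden image at [base, base + size).  The name is
 * recovered from the first ".pdb" string inside the image: the bytes between
 * the preceding '\\' (or NUL) and the end of ".pdb" are copied into a bounded
 * local buffer so DbgPrint never runs past memory that was validated.  When
 * no ".pdb" with a separator within 256 bytes exists, the generic line is
 * printed instead.  Only the first hit is reported. */
static void report_hidden_image(ULONG base, ULONG size)
{
    ULONG cursor;
    char name[PDB_NAME_MAX_BACK + 8];

    /* A zero size, or one that wraps the address space, leaves nothing to search. */
    if (base < base + size) {
        for (cursor = base; cursor < base + size; cursor++) {
            ULONG sep;
            ULONG stop;
            ULONG p;
            ULONG len;

            /* The 4-byte compare may straddle a page boundary: check both ends. */
            if (!MmIsAddressValid((PVOID)cursor) || !MmIsAddressValid((PVOID)(cursor + 3))) {
                continue;
            }
            if (*(ULONG *)cursor != PDB_MAGIC) {
                continue;
            }
            /* Walk back to the path separator or NUL that precedes the file name. */
            sep = cursor;
            stop = cursor - PDB_NAME_MAX_BACK;
            for (;;) {
                if (MmIsAddressValid((PVOID)sep) &&
                    (*(UCHAR *)sep == 0 || *(UCHAR *)sep == '\\')) {
                    break;
                }
                sep--;
                if (sep < stop) {
                    break;
                }
            }
            if (sep < stop) {
                continue;   /* no separator in range: the original also gave up here */
            }
            len = 0;
            for (p = sep + 1; p < cursor + 4 && len < sizeof name - 1; p++) {
                name[len++] = MmIsAddressValid((PVOID)p) ? *(char *)p : '?';
            }
            name[len] = '\0';
            DbgPrint("Find Hidden Module:%s , ImageBase = %08x ImageSize = %08x", name, base, size);
            return;
        }
    }
    DbgPrint("Find Hidden Module:Unknow Image Name , ImageBase = %08x ImageSize = %08x", base, size);
}

/* Driver entry point: walk every page of kernel address space that is valid
 * and backed by RAM, look for a native-subsystem PE header at its start, and
 * report the ones the loaded-module list does not know about.  As in the
 * original nothing is registered on DriverObject and STATUS_SUCCESS is
 * returned once the scan finishes; only a failed allocation or a failed
 * basic-information query is reported as an error.
 *
 * DriverObject, RegistryPath: unused.
 * Returns STATUS_SUCCESS after the scan, STATUS_INSUFFICIENT_RESOURCES when
 * the pool allocation fails, STATUS_UNSUCCESSFUL when the query fails. */
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
){
    PSYSTEM_BASIC_INFORMATION basic;
    ULONG returned = 0;
    ULONGLONG ram_bytes;
    ULONG addr;

    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    basic = ExAllocatePool(NonPagedPool, sizeof(SYSTEM_BASIC_INFORMATION));
    if (basic == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    /* Class 0 (basic information) is queried with the struct size, which is
     * the 0x2C bytes the original passed under default packing. */
    if (ZwQuerySystemInformation(0, basic, sizeof(SYSTEM_BASIC_INFORMATION), &returned) != STATUS_SUCCESS) {
        ExFreePool(basic);
        return STATUS_UNSUCCESSFUL;
    }
    /* 64-bit product: pages * page size overflows 32 bits on machines with
     * 4 GB or more (the original multiplied two ULONGs). */
    ram_bytes = (ULONGLONG)basic->uMmNumberOfPhysicalPages * basic->uPageSize;
    ExFreePool(basic);

    /* MM_SYSTEM_RANGE_START yields the start of kernel space whichever way the
     * DDK declares MmSystemRangeStart (PVOID or PVOID *). */
    for (addr = (ULONG)MM_SYSTEM_RANGE_START; addr < scan_end_address; addr += SCAN_PAGE_SIZE) {
        PHYSICAL_ADDRESS phys;
        ULONG image_size;

        if (!MmIsAddressValid((PVOID)addr)) {
            continue;
        }
        /* Pages whose physical address lies above the RAM size are skipped,
         * presumably to avoid touching device-mapped memory. */
        phys = MmGetPhysicalAddress((PVOID)addr);
        if ((ULONGLONG)phys.QuadPart > ram_bytes) {
            continue;
        }
        if (!native_image_at(addr, &image_size)) {
            continue;
        }
        /* address_check tests Base < x strictly, so probe two bytes into the page. */
        if (address_check(addr + 2)) {
            continue;
        }
        report_hidden_image(addr, image_size);
    }
    return STATUS_SUCCESS;
}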