一个小型的用于监视进程产生和撤销驱动逆向分析
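前两天,闪电狼兄给了一个Themida_1.0.0.5加壳的新版绝影凯旋vip1.65, 狼把它目录中一个驱动NTProcDrv.sys让偶分析分析,注意这不是Themida_1.0.0.5驱动,不过它也保护这Themida加壳的主程序.早前错认了! 由于偶是菜鸟加壳盲.只好"雾"里看花去捏裸笨的NTProcDrv.sys.
作者声明: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
由于我误解了狼兄错认它是Themida的驱动.错误改过来了! 西裤兄,不过代码全部是自己逆地.原来有开源的.
逆向一下:
1:设备对象自定义扩展结构体如下: typedef struct _DeviceExtension { ULONG size; //0x0 PHANDLE EventHandle; //0x04 PRKEVENT KernelEvent; //+0x08 HANDLE ParentId; //+0x0C HANDLE ProcessId; //+0x010 ULONG IsCreate; //+0x014 } NTProcDrvDeviceExtension;
2:IRP_MJ_DEVICE_CONTROL中是点关键东东.
3:IoCreateNotificationEvent 建立事件通知与下面的回调和exe交互
4:PsSetCreateProcessNotifyRoutine 进程事件回调
由于偶是菜鸟加壳盲,不敢碰Themida_1.0.0.5加壳的EXE.只好找软肋逆.
代码如下:

//////////////////////////////////////////////////////////////////////////////
// * NTProcDrv.sys *
// * be reversed by qiweixue[BCG] *
// * CopyRight:http:\\www.pediy.com *
/////////////////////////////////////////////////////////////////////////////
#include <ntddk.h>

// Control code the user-mode side sends to fetch the most recent process
// event.  Its low two bits are 0, i.e. METHOD_BUFFERED, so the I/O manager
// delivers the request through Irp->AssociatedIrp.SystemBuffer.
#define NTProcDrv_IOCTL_METHOD_BUFFERED 0x22E000

// Size of the record the IOCTL writes back: ParentId, ProcessId, IsCreate
// as three consecutive 32-bit values (the reversed code checks 0x0C).
#define NTProcDrv_EVENT_RECORD_SIZE     0x0C

// Per-device state, stored in the DeviceExtension of the single device
// object.  Offsets are those of the reversed 32-bit binary.
//
// EventHandle was typed PHANDLE in the reversed listing; DriverEntry passes
// this slot to IoCreateNotificationEvent, which fills in a HANDLE, so the
// slot holds the handle value itself (4 bytes either way on x86).
typedef struct _DeviceExtension {
    ULONG    size;         // +0x00, never read by the driver
    HANDLE   EventHandle;  // +0x04, handle to the named notification event
    PRKEVENT KernelEvent;  // +0x08, the event object used to signal user mode
    HANDLE   ParentId;     // +0x0C, parent pid of the last recorded event
    HANDLE   ProcessId;    // +0x10, pid of the last recorded event
    ULONG    IsCreate;     // +0x14, 1 = process created, 0 = process exited
} NTProcDrvDeviceExtension;

VOID
NTProcDrvUnloadDriver(
    IN PDRIVER_OBJECT DriverObject
    );

NTSTATUS
NTProcDrvCreateClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );

NTSTATUS
NTProcDeviceControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );

VOID
NTProcDrvNotifyRoutine(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    );

UNICODE_STRING DeviceNameString;
UNICODE_STRING LinkDeviceNameString;
UNICODE_STRING EventDeviceNameString;

// The one device object; read by NTProcDrvNotifyRoutine, which runs in the
// context of whatever process is being created or torn down.  NULL before
// initialisation completes and again after unload.
PDEVICE_OBJECT GloalDeviceObject = NULL;

//
// DriverEntry
//
// Creates \Device\NTProcDrv with its \DosDevices link, creates the named
// notification event \BaseNamedObjects\NTProcDrvProcessEvent and registers
// the process create/exit callback.
//
// Returns STATUS_SUCCESS, or the failing NT status with every resource
// acquired so far released.  The reversed listing had three defects here:
// DevExt was dereferenced while still NULL (IoCreateNotificationEvent was
// passed DevExt->EventHandle before DevExt was assigned), a NULL event
// pointer was never checked, and a failure of
// PsSetCreateProcessNotifyRoutine left the device and link behind.
//
// Note the device is created without a security descriptor and the event
// lives in the global object namespace: any local caller can open the
// device and read the last (ParentId, ProcessId, IsCreate) record, which is
// all the IOCTL exposes.
//
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT  DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    PDEVICE_OBJECT            deviceObject = NULL;
    NTProcDrvDeviceExtension *DevExt       = NULL;
    NTSTATUS                  ntStatus;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&DeviceNameString,      L"\\Device\\NTProcDrv");
    RtlInitUnicodeString(&LinkDeviceNameString,  L"\\DosDevices\\NTProcDrv");
    RtlInitUnicodeString(&EventDeviceNameString, L"\\BaseNamedObjects\\NTProcDrvProcessEvent");

    ntStatus = IoCreateDevice(DriverObject,
                              sizeof(NTProcDrvDeviceExtension),
                              &DeviceNameString,
                              FILE_DEVICE_UNKNOWN,
                              0,
                              FALSE,
                              &deviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&LinkDeviceNameString, &DeviceNameString);
    if (!NT_SUCCESS(ntStatus)) {
        IoDeleteDevice(deviceObject);
        return ntStatus;
    }

    DriverObject->DriverUnload                         = NTProcDrvUnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE]         = NTProcDrvCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = NTProcDrvCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = NTProcDeviceControl;

    // Obtain the extension before anything is stored through it; zero it so
    // the cleanup path below can tell whether EventHandle was ever filled.
    DevExt = (NTProcDrvDeviceExtension *)deviceObject->DeviceExtension;
    RtlZeroMemory(DevExt, sizeof(*DevExt));
    DevExt->size = sizeof(*DevExt);

    DevExt->KernelEvent = IoCreateNotificationEvent(&EventDeviceNameString,
                                                    &DevExt->EventHandle);
    if (DevExt->KernelEvent == NULL) {
        ntStatus = STATUS_INSUFFICIENT_RESOURCES;
        goto fail;
    }
    KeClearEvent(DevExt->KernelEvent);   // start non-signalled

    // Publish the device object only once the extension is usable, because
    // the notify routine dereferences it as soon as the callback is live.
    GloalDeviceObject = deviceObject;

    ntStatus = PsSetCreateProcessNotifyRoutine(NTProcDrvNotifyRoutine, FALSE);
    if (!NT_SUCCESS(ntStatus)) {
        GloalDeviceObject = NULL;
        goto fail;
    }

    return STATUS_SUCCESS;

fail:
    if (DevExt->EventHandle != NULL) {
        ZwClose(DevExt->EventHandle);
    }
    IoDeleteSymbolicLink(&LinkDeviceNameString);
    IoDeleteDevice(deviceObject);
    return ntStatus;
}

//
// NTProcDrvUnloadDriver
//
// Reverses DriverEntry.  The process callback is removed FIRST: the reversed
// listing never unregistered it, so after unload the next process create
// or exit would call into the unmapped driver image.  The event handle is
// closed so the named event does not outlive the driver.
//
VOID
NTProcDrvUnloadDriver(
    IN PDRIVER_OBJECT DriverObject
    )
{
    PDEVICE_OBJECT            deviceObject = DriverObject->DeviceObject;
    NTProcDrvDeviceExtension *DevExt;

    PsSetCreateProcessNotifyRoutine(NTProcDrvNotifyRoutine, TRUE);
    GloalDeviceObject = NULL;

    IoDeleteSymbolicLink(&LinkDeviceNameString);

    if (deviceObject != NULL) {
        DevExt = (NTProcDrvDeviceExtension *)deviceObject->DeviceExtension;
        if (DevExt->EventHandle != NULL) {
            ZwClose(DevExt->EventHandle);
            DevExt->EventHandle = NULL;
        }
        IoDeleteDevice(deviceObject);
    }
}

//
// NTProcDrvCreateClose
//
// IRP_MJ_CREATE / IRP_MJ_CLOSE: accept every open and close unconditionally.
//
NTSTATUS
NTProcDrvCreateClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP           Irp
    )
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status      = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

//
// NTProcDeviceControl
//
// IRP_MJ_DEVICE_CONTROL.  For NTProcDrv_IOCTL_METHOD_BUFFERED copies the
// last recorded (ParentId, ProcessId, IsCreate) triple into the caller's
// output buffer as three 32-bit values.
//
// Returns STATUS_SUCCESS with Information = 12, STATUS_BUFFER_TOO_SMALL when
// the output buffer is shorter than the record, STATUS_INVALID_DEVICE_REQUEST
// for any other control code.
//
// Two things are fixed relative to the reversed listing.  Its success case
// `break`s out of the switch past the only store to Irp->IoStatus, so the
// IRP was completed with whatever status the I/O manager had left there.
// And it set Irp->IoStatus.Information = outBufLength, which makes the I/O
// manager copy the caller's full output length back from SystemBuffer —
// including bytes this driver never wrote — instead of the 12 bytes it did.
//
NTSTATUS
NTProcDeviceControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP           Irp
    )
{
    PIO_STACK_LOCATION        IrpStack     = IoGetCurrentIrpStackLocation(Irp);
    ULONG                     IoCtlCode    = IrpStack->Parameters.DeviceIoControl.IoControlCode;
    ULONG                     outBufLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
    PULONG                    OutBuf       = (PULONG)Irp->AssociatedIrp.SystemBuffer;
    NTProcDrvDeviceExtension *DevExt       = (NTProcDrvDeviceExtension *)DeviceObject->DeviceExtension;
    NTSTATUS                  ntStatus     = STATUS_INVALID_DEVICE_REQUEST;
    ULONG_PTR                 bytesOut     = 0;

    switch (IoCtlCode) {
    case NTProcDrv_IOCTL_METHOD_BUFFERED:
        if (outBufLength < NTProcDrv_EVENT_RECORD_SIZE || OutBuf == NULL) {
            ntStatus = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        // Handles are truncated to 32 bits, as in the original layout.
        OutBuf[0] = (ULONG)(ULONG_PTR)DevExt->ParentId;
        OutBuf[1] = (ULONG)(ULONG_PTR)DevExt->ProcessId;
        OutBuf[2] = DevExt->IsCreate;
        bytesOut  = NTProcDrv_EVENT_RECORD_SIZE;
        ntStatus  = STATUS_SUCCESS;
        break;

    default:
        break;
    }

    // Every path reaches here with a definite status and byte count.
    Irp->IoStatus.Status      = ntStatus;
    Irp->IoStatus.Information = bytesOut;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}

//
// NTProcDrvNotifyRoutine
//
// Process create/exit callback registered with
// PsSetCreateProcessNotifyRoutine.  Stores the event in the device
// extension and pulses the notification event so a user-mode waiter wakes
// up and fetches it through the IOCTL.
//
// Only the most recent event is kept; a reader slower than the rate of
// process events sees just the latest one, and the three stores are not
// atomic with respect to a concurrent NTProcDeviceControl (the reversed
// driver has no lock here either).  The Set/Clear pair releases whoever is
// waiting at that instant; a thread not yet waiting misses the pulse.
//
VOID
NTProcDrvNotifyRoutine(
    IN HANDLE  ParentId,
    IN HANDLE  ProcessId,
    IN BOOLEAN Create
    )
{
    PDEVICE_OBJECT            deviceObject = GloalDeviceObject;
    NTProcDrvDeviceExtension *DevExt;

    if (deviceObject == NULL) {
        return;   // not published yet, or already torn down
    }
    DevExt = (NTProcDrvDeviceExtension *)deviceObject->DeviceExtension;

    DevExt->ParentId  = ParentId;
    DevExt->ProcessId = ProcessId;
    DevExt->IsCreate  = Create ? 1 : 0;

    KeSetEvent(DevExt->KernelEvent, 0, FALSE);
    KeClearEvent(DevExt->KernelEvent);
}

欢迎找bug.idb文件.c文件,源驱动都在附件中.
--------------------------------------------------------
我是阿赖耶识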
沙发#
发布于:2007-01-23 09:07
不错,支持一下,鼓励逆向......
板凳#
发布于:2007-01-23 09:44
一年高会表示感谢:)
地板#
发布于:2007-01-23 10:00
一年高会哦
下一位会是谁呢?
地下室#
发布于:2007-01-23 10:17
多谢 znsoft,binjo,wowocock各个老大
5楼#
发布于:2007-01-23 10:28
驱网的宗旨就是有钱出钱,有力出力,资源大家共享:)
6楼#
发布于:2007-01-23 11:39
哈哈。不错~ 鼓励
7楼#
发布于:2007-01-23 12:06
顶~
8楼#
发布于:2007-01-23 12:14
doskey 兄和prince兄被偶抓主了...
偶向你们牛学习!
9楼#
发布于:2007-01-23 16:19
这个版都被你占了
10楼#
发布于:2007-02-01 10:20
南京赛孚科技 寻觅驱动开发人才
yang先生,你好:我们在 中国驱动网上看到你的帖子后,想和你联系。我先简单介绍一下我们公司的情况: 南京赛孚科技有限公司专业从事计算机数据安全系统的研发。公司坐落在江宁区高新技术创业中心,是享受地方政府高新技术创业资金支持的软件公司。公司开发的Safe Soft数据安全管理系统被广泛应用到企业、机关、研究所、IT公司等所有具有要保密的文件、图纸、代码等的场合,具有广阔的应用前景。目前为了支持公司的快速发展,急需各类人才加盟。 作为一个成长型的软件公司,我们求贤心切,招聘开发、测试、技术支持等岗位人员。我们为员工提供有竞争力的薪资和充分的职业成长空间。公司希望能与员工共同成长、双赢。 我们对你的驱动开发经验很感兴趣。如果可以,请电话或邮件回复。jliaolf@126.com.025-52162432 南京赛孚科技有限公司 |
11楼#
发布于:2007-04-29 16:43
不错。虽然网上已经有开源的相关代码了。
12楼#
发布于:2007-07-09 10:22
能逆向的都是高人。
13楼#
发布于:2007-07-15 09:18
小齐真不错,