[分享] 学习编程,写了一个监控木马的小驱动

本帖最后由 oeuoeu 于 2016-12-22 16:49 编辑

测试步骤
1、copy img_monitor.sys到c盘根目录
2、copy mon_settings.ini到c:\windows目录
3、运行 start32.bat 加载驱动
4、配置文件
    LOG_LEVEL = 0
    使用默认检查规则检查系统文件,检查未通过则拒绝加载该文件
    LOG_LEVEL = 1
    不做拦截(黑白名单规则除外),只记录加载的文件
    ONLY_WLIST = 1
    只允许白名单中的文件加载,其余一律禁止
    [WLIST] 白名单
    [BLIST] 黑名单
    注意:白名单决定了驱动放行哪些文件,所以 mon_settings.ini 本身必须只能由管理员修改,否则名单可以被改掉,检查就形同虚设。
5、日志文件在c:\windows\mon_log.log


刚刚接触,写的很一般,希望大家指正,和大家一起学习。@B1nGzL






部分代码(驱动部分只展示了挂钩 Section 对象 OpenProcedure 并打印文件名的逻辑,所有路径都返回 STATUS_SUCCESS;按 ini 规则记录/拦截的部分没有贴出来)
#include <ntddk.h>
#include "nt_help.h"

DRIVER_INITIALIZE DriverEntry;

/*
 * Local mirror of the kernel's undocumented OBJECT_TYPE_INITIALIZER.  Only
 * OpenProcedure (replaced in DriverEntry, cleared in DriverUnload) and
 * DeleteProcedure (debug print only) are accessed by this driver, but every
 * field before them must match the running kernel for those accesses to land
 * on the right offsets.
 *
 * NOTE(review): this layout is not part of any public contract and the WINVER
 * split below models only one difference (ObjectTypeCode); verify the offsets
 * against the symbols of each kernel build the driver is loaded on.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
#if WINVER>=0x0600
    ULONG ObjectTypeCode;           /* Vista and later only */
#endif
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;            /* hooked: points at HookSectionOpen while loaded */
    PVOID CloseProcedure;
    PVOID DeleteProcedure;          /* only printed by DriverEntry */
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

/*
 * Local mirror of the kernel's undocumented OBJECT_TYPE, reached through the
 * exported MmSectionObjectType pointer.  Only TypeInfo is used; the preceding
 * fields exist solely to put TypeInfo at the right offset.
 *
 * NOTE(review): same caveat as OBJECT_TYPE_INITIALIZER -- the layout differs
 * between kernel builds beyond the single WINVER split shown here, so confirm
 * it against the target kernel's symbols.
 */
typedef struct _OBJECT_TYPE {
#if WINVER<0x0600
    ERESOURCE Mutex;                /* pre-Vista only */
#endif
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;            // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;   /* TypeInfo.OpenProcedure is the hook point */
} OBJECT_TYPE, *POBJECT_TYPE;

/* Kernel-exported pointer to the Section object type; its
 * TypeInfo.OpenProcedure is the field this driver overwrites. */
extern POBJECT_TYPE* MmSectionObjectType;
/* nt!NtCreateSection, resolved in DriverEntry.  HookSectionOpen scans the
 * stack for a return address in [pNtCreateSection, pNtCreateSection + 0x300]. */
PVOID pNtCreateSection = NULL;
/* First record of the loaded-module list (expected to be the kernel image),
 * filled by GetNtImgBase; only ImageBase and ImageSize are read. */
SYSTEM_MODULE_INFORMATION ntModInfo = {0};

#pragma alloc_text(INIT, DriverEntry)

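/*
 * Dispatch routine installed for every IRP major function.  The driver
 * creates no device, so any request that does arrive is completed at once
 * with STATUS_SUCCESS and zero bytes transferred.
 *
 * DeviceObject: unused.
 * Irp:          request to complete; not touched after IoCompleteRequest.
 * Returns STATUS_SUCCESS.
 */
NTSTATUS DevicePassthrough(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
        UNREFERENCED_PARAMETER(DeviceObject);

        /* Set Information as well: completion readers treat it as the byte
         * count, and the original left it whatever the IRP arrived with. */
        Irp->IoStatus.Status = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
}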

/*
 * Unload routine: detaches HookSectionOpen by clearing the Section object
 * type's OpenProcedure.
 *
 * DriverObject: unused.
 *
 * NOTE(review): this stores NULL rather than restoring whatever
 * OpenProcedure held before DriverEntry replaced it -- DriverEntry prints
 * that value but does not save it.  NOTE(review): nothing waits for a
 * thread that is already inside HookSectionOpen on another CPU, so an
 * unload that races an image load can return into the unmapped driver
 * image; only unload when no loads are in flight.
 */
VOID DriverUnload (IN PDRIVER_OBJECT DriverObject)
{
        POBJECT_TYPE sectionType = *MmSectionObjectType;

        sectionType->TypeInfo.OpenProcedure = NULL;
        KdPrint(("DriverUnload Done!\n"));
}

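/*
 * Replacement OpenProcedure for the Section object type (installed by
 * DriverEntry).  It runs on the thread that is creating the section, walks
 * that thread's kernel stack back to the NtCreateSection frame, recovers the
 * caller's SectionPageProtection, AllocationAttributes and FileHandle
 * arguments from the stack, and for executable image sections backed by a
 * file prints the file name with KdPrint.
 *
 * Every path returns STATUS_SUCCESS, so this excerpt only logs -- nothing is
 * blocked here.  The whitelist/blacklist enforcement described in the post is
 * not part of the code shown.
 *
 * The argument recovery depends on the frame layout of one specific build
 * (see the stack dumps below).  It is a heuristic, not a contract, so every
 * pointer that comes off the stack is bounds-checked against the thread's
 * real kernel-stack limits before it is read, and any mismatch just skips
 * the log line.  OpenReason, AccessMode, Process, Object, GrantedAccess and
 * HandleCount are not used.
 */
#if WINVER>=0x0600
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN ULONG AccessMode,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK* GrantedAccess,
    IN ULONG HandleCount
    )
#else
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    )
#endif
{
        PVOID* esp = (PVOID*)&esp;
        PVOID* esp_end;
        PVOID* p = esp;
        ULONG_PTR stackLow = 0, stackHigh = 0;
        ULONG SectionPageProtection, AllocationAttributes;
        HANDLE FileHandle;
        NTSTATUS Status;

        /* Without the symbol the range below would be [NULL, NULL+0x300] and
         * any small integer on the stack would "match". */
        if (pNtCreateSection == NULL){
                return STATUS_SUCCESS;
        }

        /*
         * Bound the scan by the real limits of the current kernel stack
         * instead of the next 4 KiB boundary: the NtCreateSection frame may
         * be more than a page above us, and reading past the stack top would
         * fault.
         */
        IoGetStackLimits(&stackLow, &stackHigh);
        esp_end = (PVOID*)stackHigh;
        if ((ULONG_PTR)esp < stackLow || esp >= esp_end){
                return STATUS_SUCCESS;
        }

        /*
         * Walk up the stack to the first return address inside NtCreateSection
         * (the function is assumed to be at most 0x300 bytes long).
         */
        while (p < esp_end && 
                (*p < pNtCreateSection || 
                 *p > (PVOID)((PBYTE)pNtCreateSection + 0x300)))
                p++;

        if (p >= esp_end){
                //KdPrint(("no found NtCreateSection %p -> %p\n", esp, esp_end));
                return STATUS_SUCCESS;
        }

        //KdPrint(("%p HookSectionOpen-Object:%p esp:%p %p\n", pNtCreateSection, Object, esp, *p));
#ifdef _WIN64
        /* 
         * esp layout look likes[2003 X64 DUMP]:
         fffff800`0104113d nt!KiSystemServiceCopyEnd+0x3 retaddr <-------call nt!NtCreateSection
         fffffadf`f662ec00  00000000`00000000 param1
         fffffadf`f662ec08  00000000`000f001f param2 DesiredAccess
         fffffadf`f662ec10  00000000`00000000
         fffffadf`f662ec18  00000000`00000000
         fffffadf`f662ec20  00000100`00000010 SectionPageProtection
         fffffadf`f662ec28  00000000`01000000 AllocationAttributes
         fffffadf`f662ec30  00000000`0000054c FileHandle
         * - ... 
         */
        p++;
        /*
         * Search for NtCreateSection's own return address (into
         * nt!KiSystemServiceCopyEnd): the next stack slot holding an address
         * inside the kernel image.  The system-call arguments follow it.
         */
        while (p < esp_end &&
                (*p < ntModInfo.ImageBase || 
                 *p > (PVOID)((PBYTE)ntModInfo.ImageBase + ntModInfo.ImageSize)))
                p++;

        if (p >= esp_end){
                //KdPrint(("no found nt!KiSystemxxxx %p -> %p\n", esp, esp_end));
                return STATUS_SUCCESS;
        }
#else
        /* stack DUMP from 2003/x86 
         * ebp = p - 1
         fa06f4d8  fa06f540
         fa06f4dc  80908715 nt!NtCreateSection+0x15c
         ...
         fa06f540  fa06f564
         fa06f544  808234cb nt!KiFastCallEntry+0xf8
         fa06f548  fa06f668 param1
         */
        /* The slot below the return address holds NtCreateSection's saved EBP;
         * its own return address (into KiFastCallEntry) is one slot above
         * that and the arguments follow. */
        p = (PVOID*)*(p - 1);
        p++;
#endif

        /*
         * p now points at the return address of NtCreateSection's frame and
         * the seven arguments are expected at p+1..p+7.  That pointer was
         * itself read off the stack (saved EBP on x86, scan position on
         * x64), so make sure the whole window lies inside this thread's
         * kernel stack before dereferencing it.
         */
        if (p < esp || p + 7 >= esp_end){
                return STATUS_SUCCESS;
        }

        SectionPageProtection = (ULONG)(ULONG_PTR)*(p + 5);
        AllocationAttributes = (ULONG)(ULONG_PTR)*(p + 6);
        FileHandle = *(p + 7); 

        //KdPrint(("%x %x %p\n", SectionPageProtection, AllocationAttributes, FileHandle));

        if (FileHandle 
                && SectionPageProtection == PAGE_EXECUTE
                && (AllocationAttributes == SEC_IMAGE || AllocationAttributes == 0x100000)){
                /* windows7 AllocationAttributes = 0x100000 to LoadDriver */
                PFILE_OBJECT File;

                /*
                 * The handle value is the caller's argument, and the caller
                 * may have closed or reused that handle since NtCreateSection
                 * referenced it.  Insist on a file object (otherwise the
                 * FileName read below is a type confusion on whatever object
                 * now sits behind the handle) and resolve it with the
                 * caller's previous mode, so a user-mode handle is never
                 * looked up as a kernel handle.  A mismatch just skips the
                 * log line.
                 */
                Status = ObReferenceObjectByHandle (FileHandle, 
                                0, 
                                *IoFileObjectType,
                                ExGetPreviousMode(),
                                (PVOID *)&File,
                                NULL);

                if (!NT_SUCCESS(Status)) {
                        return STATUS_SUCCESS;
                }
                KdPrint(("FileName:%wZ\n", &File->FileName));
                ObDereferenceObject(File);
        }

        return STATUS_SUCCESS;
}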

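/*
 * Copies the first record of the loaded-module list into *modInfo so that
 * its ImageBase/ImageSize can bound the stack walk in HookSectionOpen.
 *
 * modInfo: receives the module record; left untouched on failure.
 * Returns TRUE on success, FALSE if the buffer could not be sized,
 * allocated, or filled.
 *
 * Allocates paged pool, so it must not run at DISPATCH_LEVEL or above;
 * DriverEntry calls it at PASSIVE_LEVEL.
 *
 * NOTE(review): the kernel image is assumed to be record 0 -- the name is
 * not checked here.
 */
BOOL GetNtImgBase(PSYSTEM_MODULE_INFORMATION modInfo)
{
        PSYSMODULELIST sysModuleList = NULL;
        ULONG size = 0;
        NTSTATUS status;

        /* First call only sizes the buffer: it is expected to fail with
         * STATUS_INFO_LENGTH_MISMATCH and report the required length. */
        NtQuerySystemInformation(SystemModuleInformation, &size, 0, &size);
        if (size == 0){
                return FALSE;
        }

        sysModuleList = ExAllocatePoolWithTag(PagedPool, size, 'hlpm');
        if (sysModuleList == NULL){
                return FALSE;
        }

        /* A module loaded between the two calls makes this fail with a
         * length mismatch; never copy out of the uninitialised buffer then. */
        status = NtQuerySystemInformation(SystemModuleInformation, sysModuleList, size, NULL);
        if (NT_SUCCESS(status)){
                /* nt module should be the first one */
                *modInfo = sysModuleList->Modules[0];
        }

        ExFreePoolWithTag(sysModuleList, 'hlpm');
        return NT_SUCCESS(status) ? TRUE : FALSE;
}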

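/*
 * Driver entry point.  Resolves nt!NtCreateSection and the kernel image
 * bounds (both needed by HookSectionOpen to locate the NtCreateSection
 * frame), fills in the dispatch table and unload routine, and finally
 * installs HookSectionOpen as the Section object type's OpenProcedure.
 *
 * DriverObject: receives DevicePassthrough for every major function and
 *               DriverUnload as the unload routine.
 * RegistryPath: unused.
 * Returns STATUS_SUCCESS; STATUS_PROCEDURE_NOT_FOUND if NtCreateSection
 * cannot be resolved; STATUS_UNSUCCESSFUL if the module list query fails.
 *
 * NOTE(review): overwriting a field of the live Section object type is a
 * kernel patch.  On x64 systems with kernel patch protection this class of
 * write is liable to be detected and bug check the machine -- confirm
 * against the target OS before loading.  The previous OpenProcedure is
 * printed but not saved, so DriverUnload can only clear it.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
        DWORD i;
        UNICODE_STRING sFuncName;

        UNREFERENCED_PARAMETER(RegistryPath);

        RtlInitUnicodeString(&sFuncName, L"NtCreateSection");
        pNtCreateSection = MmGetSystemRoutineAddress(&sFuncName);

        /* Without this address the stack walk in HookSectionOpen would match
         * against [NULL, NULL+0x300] and pick up arbitrary small values. */
        if (pNtCreateSection == NULL){
                KdPrint(("MmGetSystemRoutineAddress NtCreateSection failed!\n"));
                return STATUS_PROCEDURE_NOT_FOUND;
        }

        if (!GetNtImgBase(&ntModInfo)){
                KdPrint(("EnumSysModule nt base failed!\n"));
                return STATUS_UNSUCCESSFUL;
        }

        KdPrint(("nt:%p pNtCreateSection:%p\nMmSectionObjectType:%p %p %p\n", 
                                ntModInfo.ImageBase, 
                                pNtCreateSection, 
                                *MmSectionObjectType,
                                (*MmSectionObjectType)->TypeInfo.OpenProcedure,
                                (*MmSectionObjectType)->TypeInfo.DeleteProcedure));

        /* Finish setting up the driver object before the hook goes live, so
         * nothing is half-initialised when the first callback arrives. */
        for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
                DriverObject->MajorFunction[i] = DevicePassthrough;

        DriverObject->DriverUnload = DriverUnload;

        (*MmSectionObjectType)->TypeInfo.OpenProcedure = HookSectionOpen;

        return STATUS_SUCCESS;
}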


/*
 * In-memory INI fixture for the parser smoke test in main().  It deliberately
 * mixes awkward input: a section header with no newline before its first
 * key, several "key = value;" pairs on one line with uneven spacing, a
 * section name containing a trailing space, a "???" value and a file that
 * does not end in a newline.  Byte-for-byte the same text as before, only
 * the literal splitting differs.
 */
const char buf[] =
        "[1]0x111ssdad = \\windows\\xxxx\\ddd.dll;      path=dddd;       xxx = ddasd;\n"
        "[2ddddsd ]\n"
        "heeeel = xxxxxxdasdasdasdsasdasdsadxx;xxxx= ???;A=B;";

#include <stdio.h>

#include "ini_parser.h"

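/*
 * Smoke test for the INI parser: parses the in-memory fixture `buf`, prints
 * every expression as "[section]-key:value", then looks one key up directly.
 *
 * Returns 0 on success, 1 if the fixture could not be opened.
 */
int main(int argc, char** argv)
{
        PINI_FILE testIni;
        int i;
        char tbuf[32];

        (void)argc;
        (void)argv;

        testIni = ini_open(buf, sizeof(buf));
        /* ini_open is presumably NULL on failure -- TODO confirm in
         * ini_parser.h; without this check a NULL handle would go straight
         * into the iterators below. */
        if (testIni == NULL){
                fprintf(stderr, "ini_open failed\n");
                return 1;
        }

        for (i=0; i<ini_get_expr_num(testIni); i++){
                PINI_EXPRESSION expr = ini_get_expr(testIni, i);
                /* ini_str2s copies a length-delimited string into the 32-byte
                 * tbuf; longer values are presumably truncated -- confirm. */
                ini_str2s(&expr->section->name, tbuf, sizeof(tbuf));
                printf("[%s]-", tbuf);
                ini_str2s(&expr->key_name, tbuf, sizeof(tbuf));
                printf("%s:", tbuf);
                ini_str2s(&expr->value_name, tbuf, sizeof(tbuf));
                printf("%s\n", tbuf);
        }

        /* Clear tbuf first so a lookup that writes nothing prints an empty
         * line instead of whatever the loop left behind; ini_get_value's
         * return value is not documented here, so it is not relied on. */
        tbuf[0] = '\0';
        ini_get_value(testIni, "2ddddsd", "xxxx", tbuf, sizeof(tbuf));
        printf("%s\n", tbuf);

        ini_close(testIni);

        return 0;
}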



很像文件过滤驱动啊。