The Hidden Meaning of Three NOPs

2014-2-10 Nie.Meining Debug

Baidu Guard (百度卫士) has been promoted heavily lately, and with nothing to do at home over Spring Festival I downloaded a copy to take a look. First impression: a minimal interface and clean functionality without bloat, which is the style I like. Let's start by looking at its hook points in an x86 environment:

1.png

Like 360, Kingsoft Guard (金山卫士), QQ PC Manager (QQ管家) and the other active-defence products, it picks the system-call dispatch routine KiSystemServiceRepeat as its hook point. The hook method is also very similar to QQ PC Manager's: the two instructions mov edi, esp; cmp esi, xxx are overwritten with three nops and one jmp. The difference is that QQ PC Manager writes the nops first and then the jmp, whereas Baidu Guard writes the jmp first and then the nops. That order actually matters! (I reversed QQ PC Manager some time ago; thanks to sysnap for pointing this out.)

First, a screenshot of the original instructions before the hook is applied:

2.png

Now consider a low-probability corner case: suppose some kernel thread has just finished executing the mov edi, esp instruction shown in the figure (so it is about to execute the next instruction, cmp esi, xxx) at the very moment the hook is written. With QQ PC Manager's layout the thread lands safely, because its next instruction has simply become a nop. With Baidu Guard's layout, however, the resume address falls inside the operand bytes of the 5-byte jmp, so the CPU decodes the displacement bytes as instructions, and the result may be a blue screen. From the standpoint of hook safety, nop-then-jmp is therefore the better choice, even though this is a rare event.
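To make the race concrete, here is a small added model (my own example, not code from the post or from either product) that checks, for both patch orders, whether a thread pre-empted at an original instruction boundary resumes on an instruction boundary of the patched bytes. The instruction lengths are taken from the post's description: mov edi, esp is 2 bytes and the whole replaced span is 8 bytes (three 1-byte nops plus a 5-byte jmp rel32), so cmp esi, xxx is assumed to be 6 bytes; only the totals matter for the analysis.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes follow the post's description of the hook site: the two original
 * instructions (mov edi, esp = 2 bytes; cmp esi, xxx = 6 bytes) span 8 bytes,
 * and the hook overwrites them with three 1-byte nops plus one 5-byte jmp rel32.
 * The exact original encodings are an assumption; only the totals matter here. */
#define PATCH_LEN 8
#define MAX_INSNS 4

/* A patch layout is the sequence of instruction lengths written over the site. */
typedef struct {
    const char *name;
    uint8_t lens[MAX_INSNS];
    size_t count;
} PatchLayout;

/* QQ PC Manager order: nop, nop, nop, jmp */
static const PatchLayout NOP_FIRST = { "nop-first", { 1, 1, 1, 5 }, 4 };
/* Baidu Guard order: jmp, nop, nop, nop */
static const PatchLayout JMP_FIRST = { "jmp-first", { 5, 1, 1, 1 }, 4 };

/* Lengths of the original instructions that the patch replaces. */
static const uint8_t ORIG_LENS[] = { 2, 6 };

/* Returns 1 if a thread whose saved EIP is `offset` bytes into the patched
 * window resumes on an instruction boundary of the new layout, 0 if it would
 * resume inside an instruction's operand bytes (here: inside the jmp's rel32). */
int resume_is_safe(const PatchLayout *layout, size_t offset)
{
    size_t pos = 0;
    for (size_t i = 0; i < layout->count; i++) {
        if (pos == offset)
            return 1;
        pos += layout->lens[i];
    }
    return pos == offset;   /* offset == PATCH_LEN: already past the patch */
}

/* Counts the original instruction boundaries inside the window (the places a
 * pre-empted thread could be sitting when the patch lands) that are not
 * boundaries of the patched layout. Zero means the patch is safe against
 * this race no matter where a thread was interrupted. */
int count_unsafe_resume_points(const PatchLayout *layout)
{
    int unsafe = 0;
    size_t pos = 0;
    for (size_t i = 0; i < sizeof ORIG_LENS; i++) {
        pos += ORIG_LENS[i];
        if (pos < PATCH_LEN && !resume_is_safe(layout, pos))
            unsafe++;
    }
    return unsafe;
}

int main(void)
{
    const PatchLayout *layouts[] = { &NOP_FIRST, &JMP_FIRST };
    for (size_t i = 0; i < 2; i++) {
        const PatchLayout *l = layouts[i];
        printf("%-10s unsafe resume points: %d", l->name,
               count_unsafe_resume_points(l));
        printf("  (thread interrupted after mov edi, esp -> %s)\n",
               resume_is_safe(l, ORIG_LENS[0])
                   ? "lands on a nop, safe"
                   : "lands inside jmp rel32, may crash");
    }
    return 0;
}
```

The same check generalises to any inline patch: list the original instruction boundaries inside the overwritten window and make sure every one of them is also a boundary of the replacement bytes, or pad with nops so that it is.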

Next I looked at the jmp target, which lies in the bd0001.sys driver:

3.png

After pushing the required information onto the stack, it calls the filter function. Part of the filter function is shown below:

4.png

It feels much like the way other active-defence products handle this. Since I have already reversed QQ PC Manager (《QQ电脑管家中的TsFltMgr Hook框架分析》, 《QQ电脑管家中的 Hook 过程分析》), I did not dig further here. Because this processing framework is so popular among current active-defence software, I once got the itch to imitate it and built a prototype active-defence driver of my own, which I open-sourced on Kanxue (看雪): 《发一个主动防御的代码》.

Next I also ran a test on 64-bit Windows 8. Because of PatchGuard, 64-bit active defence is currently implemented mainly with object callbacks (ObRegisterCallbacks hooks). The test screenshot:

5.png

In the figure, the hook in CallbackDetect.sys is a dummy hook registered by my detection module; the hook in bd0001.sys was registered by Baidu Guard; the rest were registered by 360. For how to detect object-callback hooks, see my post from a few days ago, 《ObCallback 回调钩子检测》. Some of the structures in that article were not reversed precisely enough; thanks to FlowerCode for the discussion and corrections, the two key structures are described accurately below:

typedef struct _CALLBACK_BODY {
	LIST_ENTRY                  CallbackList;       // links this entry into the object type's CallbackList
	OB_OPERATION                Operations;         // OB_OPERATION_HANDLE_CREATE and/or OB_OPERATION_HANDLE_DUPLICATE
	ULONG                       Active;             // non-zero while the registration is live and may be invoked
	OB_HANDLE                   Handle;             // registration handle returned by ObRegisterCallbacks (owning CALLBACK_NODE)
	POBJECT_TYPE                ObjectType;         // e.g. *PsProcessType or *PsThreadType
	POB_PRE_OPERATION_CALLBACK  PreOperation;       // pre-operation callback from OB_OPERATION_REGISTRATION
	POB_POST_OPERATION_CALLBACK PostOperation;      // post-operation callback from OB_OPERATION_REGISTRATION
	EX_RUNDOWN_REF              RundownProtection;  // rundown reference held while the callback is executing
} CALLBACK_BODY, *PCALLBACK_BODY;

typedef struct _CALLBACK_NODE {
	USHORT         Version;                    // OB_FLT_REGISTRATION_VERSION supplied in OB_CALLBACK_REGISTRATION
	USHORT         OperationRegistrationCount; // number of entries in Entries[]
	PVOID          RegistrationContext;        // caller-supplied context passed to every callback
	UNICODE_STRING Altitude;                   // load-order altitude string of the registering driver
	CALLBACK_BODY  Entries[1];                 // variable-length: OperationRegistrationCount entries follow
} CALLBACK_NODE, *PCALLBACK_NODE;
