三个nop的玄机

2014-2-10 Nie.Meining Debug

最近百度卫士宣传力度挺大,春节在家闲来无事下载了一个看看。第一印象感觉界面简约,功能干净不臃肿,是我喜欢的风格。首先在x86环境下看看hook点:

1.png

跟360、金山卫士、QQ管家等其它主动防御一样,hook点选择了系统调用的分发函数KiSystemServiceRepeat。而且hook方式跟QQ管家很像,将mov edi, esp; cmp esi, xxx; 这两条指令替换成了三个nop和一个jmp,但是他们之间的区别是,QQ管家是先nop再jmp,百度卫士是先jmp再nop。其实这个顺序是有玄机的!(以前逆向过QQ管家,感谢sysnap大牛点拨)

我们先看看hook前的原始指令截图如下:

2.png

我们现在来考虑一个小概率的特殊情况,假如某个内核线程正好执行完图中的mov edi, esp指令(即将执行下一条指令cmp esi, xxx)时,hook操作发生了。在这种情况下,按照QQ管家的hook方式,该内核线程可以安全着陆(下一条指令变成了nop而已),但是百度卫士的hook方式可能会导致蓝屏。因此从hook安全的角度上来讲还是先nop后jmp好一些。不过这是个小概率事件。

接着看了看jmp到的地址,在bd0001.sys驱动中:

3.png

各种需要的信息压栈后,call过滤函数。过滤函数部分截图如下:

4.png

感觉跟其它主动防御的处理方式也差不多。由于曾经逆向过QQ管家(QQ电脑管家中的TsFltMgr Hook框架分析》、QQ电脑管家中的 Hook 过程分析》),这里就没再继续了。另外由于这种处理框架在现有的主动防御软件中非常流行,我曾经也自己手痒仿照这种框架完成过一个主动防御的雏形,开源放到了看雪上了:《发一个主动防御的代码》。

接下来用64位的win8系统也做了一下测试。由于PatchGuard的原因,64位主动防御目前主要采用对象钩子实现。测试的截图如下:

5.png

图中 CallbackDetect.sys 中的钩子是我的检测模块注册的假钩子;bd0001.sys 中的钩子是百度卫士注册的钩子;其它是360注册的钩子。对象钩子的检测方法可以参考我前几天写的《ObCallback 回调钩子检测》。不过该文章中有些结构逆向得不太精确,感谢FlowerCode大牛的讨论和补充,两个关键结构精确描述如下:

typedef struct _CALLBACK_BODY {
	LIST_ENTRY                  CallbackList;
	OB_OPERATION                Operations;
	ULONG                       Active;
	OB_HANDLE                   Handle;
	POBJECT_TYPE                ObjectType;
	POB_PRE_OPERATION_CALLBACK  PreOperation;
	POB_POST_OPERATION_CALLBACK PostOperation;
	EX_RUNDOWN_REF              RundownProtection;
} CALLBACK_BODY, *PCALLBACK_BODY;

typedef struct _CALLBACK_NODE {
	USHORT         Version;
	USHORT         OperationRegistrationCount;
	PVOID          RegistrationContext;
	UNICODE_STRING Altitude;
	CALLBACK_BODY  Entries[1];
} CALLBACK_NODE, *PCALLBACK_NODE;

评论:

EugeneaBrack
约 19 小时前
using half cialis
http://cialisle.com - generic cialis
will cialis cause a failed drug test
EugeneaBrack
约 19 小时前
how much alcohol can you drink with cialis
http://cialisle.com - cialis
can i drink orange juice with cialis
EugeneaBrack
2018-07-18 05:23
can you get cialis over the counter
http://cialisle.com - cialis online
where to buy cialis pills
EugeneaBrack
2018-07-18 03:17
cialis and sore legs
http://cialisle.com - generic cialis online
blood pressure medications and cialis
GeorgeoAdedo
2018-07-13 00:34
splitting cialis
http://cialisle.com - cialis online
puedo tomar alcohol si tomo cialis
GeorgeoAdedo
2018-07-12 23:58
can you crush cialis tablets
http://cialisle.com - cialis online
how to get cialis in toronto
GeorgeoAdedo
2018-07-12 22:27
cialis take food
http://cialisle.com - buy cialis
what is the significance of the bathtubs in the cialis commercials
GeorgeoAdedo
2018-07-12 19:17
what is the main ingredient in cialis
http://cialisle.com - cialis online
cialis and viagra at same time
bdxUnden
2018-07-10 16:06
http://footstepsunltd.com/  prednisone every 4 hours http://saresltd.com/prednisone/ cialis over the counter http://ouarzazatefilmcommission.com/cialis/ levitra 20 mg pricing http://footstepsunltd.com/levitra/
vnhchorp
2018-07-10 11:21
http://saresltd.com/kamagra/  provigil manufacturer http://footstepsunltd.com/provigil/ tadalafil recreational dose http://saresltd.com/tadalafil/ cialis black box warning http://ouarzazatefilmcommission.com/cialis/
GeorgeoAdedo
2018-07-08 16:11
what is the highest dose of cialis you can take
http://cialisle.com - cialis online
cialis considered blood thinner
GeorgeoAdedo
2018-07-08 15:49
can you take cialis and extenze at the same time
http://cialisle.com - generic cialis online
how long does it take for cialis to start to work
GeorgeoAdedo
2018-07-08 10:53
cialis levitra staxyn and viagra
http://cialisle.com - cialis
cialis and psychological impotence
GeorgeoAdedo
2018-07-08 10:24
order brand name cialis online
http://cialisle.com - buy generic cialis
cialis and testicle pain
GeorgeoAdedo
2018-07-04 04:51
how to cure cialis headache
http://cialisle.com - generic cialis online
sporanox and cialis

发表评论:

Powered by emlog