连载:国外高手谈卡巴斯基存隐患(六)

时间:2007-06-23 02:29:06  来源:赛迪网  作者:杜莉

真正的镜像补丁会保护 kernel32 的输出表:它把输出地址表中 LoadLibrary* 函数族的入口改为指向 thunk,该 thunk 被写进 kernel32 镜像的空闲空间,并在其中写出真正的 thunk 代码:

.text:F8221680 ; int __stdcall KavPatchImage(PUCHAR ImageBase)
;-----------------------------------------------------------------------
; int __stdcall KavPatchImage(PUCHAR ImageBase)   (only al is meaningful)
; Installs KAV's LoadLibrary* hooks into a user-mode image by rewriting
; its export address table (EAT) entries to point at small JMP thunks
; that are written into slack space of the image itself.
; In:    [esp+4] = ImageBase (user-mode image base, passed through unvalidated)
; Out:   al = 1 on success, 0 if KavReprotectExportTable returned 0
; Calls: KavReprotectExportTable(ImageBase, 3Ch) -> base of writable thunk area
;        LookupExportedFunction(ImageBase, entry+0Ch, &var_C)
;        KavExecuteNtProtectVirtualMemoryInt2E(var_C, 4, 40h, &var_4)
; Regs:  ebp = base of thunk area, ebx = running byte offset into it,
;        edi = ebp + ebx (address of current thunk), esi = cursor over
;        the 16-byte entries of ExportedFunctionsToCheckTable, which ends
;        at byte_F82357E0
; Table entry layout (from the writes/reads below):
;        +0  original function VA (written once, while still 0)
;        +4  jump target of the thunk (KAV's hook)
;        +8  address of the EAT slot (written once, while still 0)
;        +0Ch second argument of LookupExportedFunction (presumably the
;             export name - confirm against LookupExportedFunction)
; Locals: var_C = EAT slot address (out-param of the lookup),
;        FunctionVa = exported function VA, var_4 = old page protection
; Stack: sub esp,0Ch + pushes ebp, ebx, esi, edi; stdcall (retn 4)
; NOTE(review): each thunk is 0Fh bytes and 3Ch bytes are requested
;        (= 4 * 0Fh); the loop never checks that edi stays inside that
;        area, it relies on the table length, which is not visible here.
; NOTE(review): every EAT slot is left at 40h (PAGE_EXECUTE_READWRITE);
;        var_4 receives the old protection but is never read back, so
;        nothing in this function restores it.
;-----------------------------------------------------------------------
.text:F8221680 KavPatchImage   proc near               ; CODE XREF: KavPatchImageForNewProcess+21p
.text:F8221680
.text:F8221680 var_C           = dword ptr -0Ch        ; out: address of the EAT slot
.text:F8221680 FunctionVa      = dword ptr -8          ; out: exported function VA
.text:F8221680 var_4           = dword ptr -4          ; old protection (never read)
.text:F8221680 ImageBase       = dword ptr  4
.text:F8221680
.text:F8221680    mov     eax, [esp+ImageBase]
.text:F8221684    sub     esp, 0Ch                     ; three dword locals
.text:F8221687    push    ebp
.text:F8221688    push    3Ch                          ; bytes of thunk space requested (= 4 * 0Fh)
.text:F822168A    push    eax                          ; ImageBase
.text:F822168B    call    KavReprotectExportTable      ; -> RWX slack inside the image, or 0
.text:F8221690    mov     ebp, eax                     ; ebp = base of thunk area
.text:F8221692    test    ebp, ebp
.text:F8221694    jnz     short loc_F822169F
.text:F8221696    xor     al, al                       ; no room found -> return FALSE
.text:F8221698    pop     ebp
.text:F8221699    add     esp, 0Ch
.text:F822169C    retn    4
.text:F822169F ; ---------------------------------------------------------------------------
.text:F822169F
.text:F822169F loc_F822169F:              ; CODE XREF: KavPatchImage+14j
.text:F822169F    push    ebx
.text:F82216A0    push    esi
.text:F82216A1    push    edi
.text:F82216A2    xor     ebx, ebx                     ; ebx = byte offset of current thunk in the area
.text:F82216A4    mov     edi, ebp                     ; edi = address of current thunk (== ebp + ebx)
.text:F82216A6    mov     esi, offset ExportedFunctionsToCheckTable ; esi = first 16-byte table entry
.text:F82216AB
.text:F82216AB CheckNextFunctionInTable:               ; CODE XREF: KavPatchImage+B4j
.text:F82216AB    mov     edx, [esi+0Ch]               ; entry+0Ch: lookup key (presumably export name - confirm)
.text:F82216AE    mov     eax, [esp+1Ch+ImageBase]
.text:F82216B2    lea     ecx, [esp+1Ch+var_C]
.text:F82216B6    push    ecx                          ; &var_C, receives the EAT slot address
.text:F82216B7    push    edx
.text:F82216B8    push    eax                          ; ImageBase
.text:F82216B9    call    LookupExportedFunction
.text:F82216BE    test    eax, eax
.text:F82216C0    mov     [esp+1Ch+FunctionVa], eax    ; FunctionVa = exported function VA (0 if absent)
.text:F82216C4    jz      short loc_F8221725           ; export not found -> skip this entry
.text:F82216C6    mov     edx, [esp+1Ch+var_C]
.text:F82216CA    lea     ecx, [esp+1Ch+var_4]
.text:F82216CE    push    ecx                          ; &old protection
.text:F82216CF    push    40h                          ; PAGE_EXECUTE_READWRITE
.text:F82216D1    push    4                            ; size: the one dword EAT slot
.text:F82216D3    push    edx                          ; base: EAT slot address
.text:F82216D4    call    KavExecuteNtProtectVirtualMemoryInt2E ; make the EAT slot writable
.text:F82216D9    test    al, al
.text:F82216DB    jz      short loc_F8221725           ; reprotect failed -> skip this entry
.text:F82216DD    cmp     dword ptr [esi], 0           ; entry+0 still unset?
.text:F82216E0    jnz     short loc_F82216EF
.text:F82216E2    mov     eax, [esp+1Ch+FunctionVa]
.text:F82216E6    mov     ecx, [esp+1Ch+var_C]
.text:F82216EA    mov     [esi], eax                   ; entry+0 = original function VA (recorded only once)
.text:F82216EC    mov     [esi+8], ecx                 ; entry+8 = EAT slot address
.text:F82216EF
.text:F82216EF loc_F82216EF:              ; CODE XREF: KavPatchImage+60j
.text:F82216EF    mov     eax, edi
.text:F82216F1    mov     edx, 90909090h               ; pre-fill the 0Fh-byte thunk with NOPs
.text:F82216F6    mov     [eax], edx
.text:F82216F8    mov     [eax+4], edx
.text:F82216FB    mov     [eax+8], edx
.text:F82216FE    mov     [eax+0Ch], dx
.text:F8221702    mov     [eax+0Eh], dl                ; bytes 0..0Eh of the thunk are now 90h
.text:F8221705    mov     byte ptr [edi], 0E9h         ; JMP rel32 opcode
.text:F8221708    mov     ecx, [esi+4]                 ; entry+4 = jump target (the hook)
.text:F822170B    mov     edx, ebx
.text:F822170D    sub     ecx, ebx
.text:F822170F    sub     ecx, ebp
.text:F8221711    sub     ecx, 5                       ; rel32 = target - (edi + 5), since edi == ebp + ebx
.text:F8221714    mov     [edi+1], ecx                 ; thunk = E9 <rel32> followed by NOP padding
.text:F8221717    mov     ecx, [esp+1Ch+ImageBase]
.text:F822171B    mov     eax, [esp+1Ch+var_C]
.text:F822171F    sub     edx, ecx
.text:F8221721    add     edx, ebp                     ; edx = (ebp + ebx) - ImageBase = RVA of the thunk
.text:F8221723    mov     [eax], edx      ;
.text:F8221723               ; Patching Export Table here
.text:F8221723               ; e.g. write to 7c802f58
.text:F8221723               ; (kernel32 EAT entry for LoadLibraryA)
.text:F8221723               ;
.text:F8221723               ;         578  241 00001D77 LoadLibraryA = _LoadLibraryA@4
.text:F8221723               ;         579  242 00001D4F LoadLibraryExA = _LoadLibraryExA@12
.text:F8221723               ;         580  243 00001AF1 LoadLibraryExW = _LoadLibraryExW@12
.text:F8221723               ;         581  244 0000ACD3 LoadLibraryW = _LoadLibraryW@4
.text:F8221723               ;
.text:F8221723               ; KAV writes a new RVA here that points at its own hook code.
.text:F8221725
.text:F8221725 loc_F8221725:              ; CODE XREF: KavPatchImage+44j
.text:F8221725               ; KavPatchImage+5Bj
.text:F8221725    add     esi, 10h                     ; next 16-byte table entry
.text:F8221728    add     ebx, 0Fh                     ; next thunk slot (thunks are 0Fh bytes)
.text:F822172B    add     edi, 0Fh                     ; keep edi == ebp + ebx
.text:F822172E    cmp     esi, offset byte_F82357E0    ; end of table
.text:F8221734    jb      CheckNextFunctionInTable
.text:F822173A    pop     edi
.text:F822173B    pop     esi
.text:F822173C    pop     ebx
.text:F822173D    mov     al, 1                        ; return TRUE
.text:F822173F    pop     ebp
.text:F8221740    add     esp, 0Ch
.text:F8221743    retn    4
.text:F8221743 KavPatchImage   endp

KAV 的输出表保护代码做了这样一个假设:用户层的 PE 头是格式正确的,并且不包含指向内核层地址的偏移量:

;-----------------------------------------------------------------------
; PVOID __stdcall KavReprotectExportTable(PUCHAR ImageBase, ULONG Needed)
; Despite the name, this carves `Needed` bytes of RWX slack out of a
; mapped image: it walks the section table for a section whose
; page-rounded SizeOfRawData exceeds its VirtualSize by more than
; Needed, reprotects that tail to 40h (PAGE_EXECUTE_READWRITE), grows
; the in-memory section header to cover it and returns its address.
; In:    [esp+4] = ImageBase, [esp+8] = Needed (KavPatchImage passes 3Ch)
; Out:   eax = address of the carved region, or 0 on any failure
; Side effects on the image in the target process:
;        - the whole PE header range (NT headers + section table) is
;          reprotected to 40h and never restored here (var_8 unused)
;        - FileHeader.TimeDateStamp (+8) is incremented
;        - chosen section: SizeOfRawData rounded up to 1000h,
;          VirtualSize += Needed
; Regs:  esi = IMAGE_NT_HEADERS (saved in var_C because esi is reused
;        for the candidate address), edi = current IMAGE_SECTION_HEADER
;        (28h bytes each), ebx = page-rounded SizeOfRawData,
;        ebp = Needed, var_10 = section index, var_4 = old protection
; Stack: sub esp,10h + pushes ebx, ebp, esi, edi; stdcall (retn 8)
; NOTE(review): only the "MZ" and "PE" signatures are checked. e_lfanew
;        (+3Ch), NumberOfSections (+6), SizeOfOptionalHeader (+14h) and
;        each section's VirtualAddress / SizeOfRawData are taken from
;        the user-mode image and are not range-checked against the image
;        size or the user/kernel address split before this kernel code
;        dereferences them and writes through the derived pointers.
;-----------------------------------------------------------------------
.text:F8221360 KavReprotectExportTable proc near       ; CODE XREF: KavPatchImage+Bp
.text:F8221360
.text:F8221360 var_10          = dword ptr -10h        ; section index
.text:F8221360 var_C           = dword ptr -0Ch        ; IMAGE_NT_HEADERS address
.text:F8221360 var_8           = dword ptr -8          ; old protection of header range (never read)
.text:F8221360 var_4           = dword ptr -4          ; old protection of carved region (never read)
.text:F8221360 arg_0           = dword ptr  4          ; ImageBase
.text:F8221360 arg_4           = dword ptr  8          ; bytes needed
.text:F8221360
.text:F8221360    mov     eax, [esp+arg_0]
.text:F8221364    sub     esp, 10h
.text:F8221367    cmp     word ptr [eax], 'ZM'         ; IMAGE_DOS_HEADER.e_magic == "MZ" ?
.text:F822136C    push    ebx
.text:F822136D    push    ebp
.text:F822136E    push    esi
.text:F822136F    push    edi
.text:F8221370    jnz     loc_F8221442                 ; no DOS header -> fail
.text:F8221376    mov     esi, [eax+3Ch]               ; e_lfanew, used without a range check
.text:F8221379    add     esi, eax                     ; esi = IMAGE_NT_HEADERS
.text:F822137B    mov     [esp+20h+var_C], esi
.text:F822137F    cmp     dword ptr [esi], 'EP'        ; Signature == "PE\0\0" ?
.text:F8221385    jnz     loc_F8221442
.text:F822138B    lea     eax, [esp+20h+var_8]
.text:F822138F    xor     edx, edx
.text:F8221391    mov     dx, [esi+14h]                ; FileHeader.SizeOfOptionalHeader
.text:F8221395    push    eax                          ; &old protection
.text:F8221396    xor     eax, eax
.text:F8221398    push    40h                          ; PAGE_EXECUTE_READWRITE
.text:F822139A    mov     ax, [esi+6]                  ; FileHeader.NumberOfSections
.text:F822139E    lea     ecx, [eax+eax*4]             ; ecx = NumberOfSections * 5
.text:F82213A1    lea     eax, [edx+ecx*8+18h]         ; size = 18h + SizeOfOptionalHeader + NumberOfSections * 28h
.text:F82213A5    push    eax                          ; i.e. NT headers plus the whole section table
.text:F82213A6    push    esi                          ; base = IMAGE_NT_HEADERS
.text:F82213A7    call    KavExecuteNtProtectVirtualMemoryInt2E ; NtProtectVirtualMemory
.text:F82213AC    test    al, al
.text:F82213AE    jz      loc_F8221442                 ; headers not writable -> fail
.text:F82213B4    mov     ecx, [esi+8]                 ; FileHeader.TimeDateStamp
.text:F82213B7    mov     [esp+20h+var_10], 0          ; section index = 0
.text:F82213BF    inc     ecx
.text:F82213C0    mov     [esi+8], ecx                 ; TimeDateStamp++ (presumably a "patched" marker - confirm)
.text:F82213C3    xor     ecx, ecx
.text:F82213C5    mov     cx, [esi+14h]                ; SizeOfOptionalHeader
.text:F82213C9    cmp     word ptr [esi+6], 0          ; NumberOfSections == 0 ? (lea below keeps flags)
.text:F82213CE    lea     edi, [ecx+esi+18h]           ; edi = first IMAGE_SECTION_HEADER
.text:F82213D2    jbe     short loc_F8221442           ; no sections -> fail
.text:F82213D4    mov     ebp, [esp+20h+arg_4]         ; ebp = bytes needed
.text:F82213D8
.text:F82213D8 loc_F82213D8:              ; CODE XREF: KavReprotectExportTable+E0j
.text:F82213D8    mov     ebx, [edi+10h]               ; SizeOfRawData
.text:F82213DB    test    ebx, 0FFFh
.text:F82213E1    jz      short loc_F82213EA
.text:F82213E3    or      ebx, 0FFFh
.text:F82213E9    inc     ebx                          ; ebx = SizeOfRawData rounded up to 1000h
.text:F82213EA
.text:F82213EA loc_F82213EA:              ; CODE XREF: KavReprotectExportTable+81j
.text:F82213EA    mov     ecx, [edi+8]                 ; Misc.VirtualSize
.text:F82213ED    mov     edx, ebx
.text:F82213EF    sub     edx, ecx                     ; slack = rounded raw size - VirtualSize
.text:F82213F1    cmp     edx, ebp
.text:F82213F3    jle     short loc_F822142C           ; signed: slack <= needed (or negative) -> next section
.text:F82213F5    mov     esi, [edi+0Ch]               ; VirtualAddress (unchecked); esi no longer = NT headers
.text:F82213F8    mov     ecx, [esp+20h+arg_0]
.text:F82213FC    sub     esi, ebp
.text:F82213FE    push    ebp                          ; needed
.text:F8221401    add     esi, ebx
.text:F8221403    add     esi, ecx                     ; esi = ImageBase + VA + rounded raw size - needed
.text:F8221403    push    esi                          ; candidate = last `needed` bytes of the section's pages
.text:F8221404    call    KavFindSectionName           ; (candidate, needed) -> al; what it checks is not visible here
.text:F8221409    test    al, al
.text:F822140B    jz      short loc_F8221428           ; rejected -> next section
.text:F822140D    cmp     dword ptr [edi+1], 'TINI'    ; Name[1..4] == "INIT" -> skip this section
.text:F8221414    jz      short loc_F8221428
.text:F8221416    lea     eax, [esp+20h+var_4]
.text:F822141A    push    eax                          ; &old protection
.text:F822141B    push    40h                          ; PAGE_EXECUTE_READWRITE
.text:F822141D    push    ebp                          ; size = needed
.text:F822141E    push    esi                          ; base = candidate
.text:F822141F    call    KavExecuteNtProtectVirtualMemoryInt2E ; NtProtectVirtualMemory
.text:F8221424    test    al, al
.text:F8221426    jnz     short loc_F822144E           ; success -> commit header edits and return
.text:F8221428
.text:F8221428 loc_F8221428:              ; CODE XREF: KavReprotectExportTable+ABj
.text:F8221428               ; KavReprotectExportTable+B4j
.text:F8221428    mov     esi, [esp+20h+var_C]         ; restore esi = IMAGE_NT_HEADERS
.text:F822142C
.text:F822142C loc_F822142C:              ; CODE XREF: KavReprotectExportTable+93j
.text:F822142C    mov     eax, [esp+20h+var_10]        ; section index
.text:F8221430    xor     ecx, ecx
.text:F8221432    mov     cx, [esi+6]                  ; NumberOfSections, re-read each iteration
.text:F8221436    add     edi, 28h                     ; next IMAGE_SECTION_HEADER
.text:F8221439    inc     eax
.text:F822143A    cmp     eax, ecx
.text:F822143C    mov     [esp+20h+var_10], eax
.text:F8221440    jb      short loc_F82213D8           ; more sections -> loop
.text:F8221442
.text:F8221442 loc_F8221442:              ; CODE XREF: KavReprotectExportTable+10j
.text:F8221442               ; KavReprotectExportTable+25j ...
.text:F8221442    pop     edi
.text:F8221443    pop     esi
.text:F8221444    pop     ebp
.text:F8221445    xor     eax, eax                     ; return 0 (nothing carved)
.text:F8221447    pop     ebx
.text:F8221448    add     esp, 10h
.text:F822144B    retn    8
.text:F822144E ; ---------------------------------------------------------------------------
.text:F822144E
.text:F822144E loc_F822144E:              ; CODE XREF: KavReprotectExportTable+C6j
.text:F822144E    mov     eax, [edi+8]                 ; VirtualSize
.text:F8221451    mov     [edi+10h], ebx               ; SizeOfRawData = page-rounded value
.text:F8221454    add     eax, ebp
.text:F8221456    mov     [edi+8], eax                 ; VirtualSize += needed, so the section now covers the tail
.text:F8221459    mov     eax, esi                     ; return the carved address
.text:F822145B    pop     edi
.text:F822145C    pop     esi
.text:F822145D    pop     ebp
.text:F822145E    pop     ebx
.text:F822145F    add     esp, 10h
.text:F8221462    retn    8
.text:F8221462 KavReprotectExportTable endp
