连载:国外高手谈卡巴斯基存隐患(六)

时间:2007-06-23 02:29:06  来源:赛迪网  作者:杜莉

KAV用来保护用户层代码的机制也是一种黑客机制。KAV动态地判定系统调用NtProtectVirtualMemory系统服务的序数,然后用它自己的int 2e thunk来调用该服务。

.text:F8221320 ; ---------------------------------------------------------------------------
.text:F8221320 ; BOOL __stdcall KavExecuteNtProtectVirtualMemoryInt2E(PVOID BaseAddress,
.text:F8221320 ;                 SIZE_T RegionSize, ULONG NewProtect, PULONG OldProtect)
.text:F8221320 ; (signature reconstructed from the 4 dword args / retn 10h and from the
.text:F8221320 ;  argument block this routine builds for the service call below)
.text:F8221320 ;
.text:F8221320 ; Issues NtProtectVirtualMemory on the current process through the driver's
.text:F8221320 ; own int 2Eh thunk (KavInt2E) instead of the exported ntdll stub.  The
.text:F8221320 ; system-service number is taken from the global
.text:F8221320 ; NtProtectVirtualMemoryOrdinal, which is resolved elsewhere at runtime;
.text:F8221320 ; nothing here validates that value before it reaches int 2Eh, so whatever
.text:F8221320 ; service sits at that index is the one that gets executed.
.text:F8221320 ;
.text:F8221320 ; Out:   al = 1 if the status returned in eax is >= 0, else 0
.text:F8221320 ; Clobb: eax, ecx, edx, flags (ebx is saved/restored)
.text:F8221320 ; ---------------------------------------------------------------------------
.text:F8221320 KavExecuteNtProtectVirtualMemoryInt2E proc near
.text:F8221320               ; CODE XREF: KavReprotectExportTable+47p
.text:F8221320               ; KavReprotectExportTable+BFp ...
.text:F8221320
.text:F8221320 arg_0           = dword ptr  4
.text:F8221320 arg_4           = dword ptr  8
.text:F8221320 arg_8           = dword ptr  0Ch
.text:F8221320 arg_C           = dword ptr  10h
.text:F8221320
.text:F8221320    mov     eax, [esp+arg_0]        ; eax = BaseAddress
.text:F8221324    mov     ecx, [esp+arg_C]        ; ecx = OldProtect (pointer)
.text:F8221328    mov     edx, [esp+arg_8]        ; edx = NewProtect
.text:F822132C    push    ebx                     ; callee-saved; doubles as the "0" result below
.text:F822132D    mov     [esp+4+arg_0], eax      ; write BaseAddress back to its own slot: that slot is passed by address as the in/out BaseAddress
.text:F8221331    push    ecx                     ; [5] OldProtect
.text:F8221332    lea     eax, [esp+8+arg_4]      ; eax = &RegionSize (in/out, lives in the caller's arg slot)
.text:F8221336    push    edx                     ; [4] NewProtect
.text:F8221337    mov     edx, NtProtectVirtualMemoryOrdinal ; service number resolved elsewhere; not validated here
.text:F822133D    lea     ecx, [esp+0Ch+arg_0]    ; ecx = &BaseAddress
.text:F8221341    push    eax                     ; [3] &RegionSize
.text:F8221342    push    ecx                     ; [2] &BaseAddress
.text:F8221343    push    0FFFFFFFFh              ; [1] ProcessHandle = -1 (current-process pseudo-handle)
.text:F8221345    push    edx                     ; [0] service number; [1]..[5] match NtProtectVirtualMemory's 5 args
.text:F8221346    xor     bl, bl                  ; bl = 0 = failure result
.text:F8221348    call    KavInt2E                ; stdcall thunk, pops the 6 dwords above; eax = returned status
.text:F822134D    test    eax, eax                ; SF = sign of the status (negative = failure)
.text:F822134F    mov     al, 1                   ; mov leaves flags intact: provisional result "success"
.text:F8221351    jge     short loc_F8221355      ; status >= 0 -> return 1
.text:F8221353    mov     al, bl                  ; status < 0  -> return 0
.text:F8221355
.text:F8221355 loc_F8221355:              ; CODE XREF: KavExecuteNtProtectVirtualMemoryInt2E+31j
.text:F8221355    pop     ebx
.text:F8221356    retn    10h                     ; pop the 4 caller args (stdcall)
.text:F8221356 KavExecuteNtProtectVirtualMemoryInt2E endp


.user:F8231090 ; ---------------------------------------------------------------------------
.user:F8231090 ; NTSTATUS __stdcall KavInt2E(ULONG ServiceNumber, <5 service args>)
.user:F8231090 ; Raw NT x86 system-call gate: eax = service number, edx = pointer to the
.user:F8231090 ; service's argument block, then int 2Eh.  Only arg_0 is read directly; the
.user:F8231090 ; remaining 5 dwords are handed to the kernel by address in edx and popped
.user:F8231090 ; by retn 18h.  The service number is used as supplied - no range or
.user:F8231090 ; identity check is performed in this thunk.
.user:F8231090 ; Note the section: this code sits in the driver's ".user" section rather
.user:F8231090 ; than .text.
.user:F8231090 ; Out:   eax = whatever the service returned (caller treats it as an NTSTATUS)
.user:F8231090 ; Clobb: edx, flags
.user:F8231090 ; ---------------------------------------------------------------------------
.user:F8231090 KavInt2E        proc near               ; CODE XREF: KavExecuteNtProtectVirtualMemoryInt2E+28p
.user:F8231090
.user:F8231090 arg_0           = dword ptr  8
.user:F8231090 arg_4           = dword ptr  0Ch
.user:F8231090
.user:F8231090    push    ebp
.user:F8231091    mov     ebp, esp                ; frame pointer so args are addressable as [ebp+x]
.user:F8231093    mov     eax, [ebp+arg_0]        ; eax = system service number
.user:F8231096    lea     edx, [ebp+arg_4]        ; edx = &arg_4 = start of the service's own argument block
.user:F823109C    int     2Eh                     ; legacy NT x86 syscall gate; result comes back in eax
.user:F823109C               
.user:F823109E    pop     ebp
.user:F823109F    retn    18h                     ; pop 6 dwords: service number + 5 service args
.user:F823109F KavInt2E        endp
.user:F823109F

KAV的导出函数查询代码在使用PE头中储存的那些偏移地址之前,并没有正确地验证它们:

.text:F8220CA0 ; ---------------------------------------------------------------------------
.text:F8220CA0 ; PVOID __stdcall LookupExportedFunction(PVOID ImageBase,
.text:F8220CA0 ;                 ULONG_PTR NameOrOrdinal, PVOID *ExportSlot /* optional */)
.text:F8220CA0 ; (signature reconstructed from the 3 dword args / retn 0Ch)
.text:F8220CA0 ;
.text:F8220CA0 ; Walks the PE export directory of the image at ImageBase.  A NameOrOrdinal
.text:F8220CA0 ; value below 1000h is treated as an export ordinal, anything else as a
.text:F8220CA0 ; pointer to a NUL-terminated export name.  Returns the export's VA in eax
.text:F8220CA0 ; (0 if the headers are not MZ/PE or the name is not found) and, when
.text:F8220CA0 ; ExportSlot != NULL, stores the address of the matching AddressOfFunctions
.text:F8220CA0 ; entry in *ExportSlot.
.text:F8220CA0 ;
.text:F8220CA0 ; Review note: apart from the 'MZ'/'PE' magic checks, every value read from
.text:F8220CA0 ; the image - e_lfanew, the export-directory RVA, the three table RVAs, each
.text:F8220CA0 ; name RVA and the (ordinal - Base) index - is added to ImageBase and
.text:F8220CA0 ; dereferenced with no bounds check against the image size or against
.text:F8220CA0 ; NumberOfFunctions.  The reads are therefore only as trustworthy as the
.text:F8220CA0 ; image headers themselves.
.text:F8220CA0 ;
.text:F8220CA0 ; Field offsets match the public IMAGE_NT_HEADERS32 / IMAGE_EXPORT_DIRECTORY
.text:F8220CA0 ; layouts: 78h = export DataDirectory RVA; +10h Base, +14h NumberOfFunctions,
.text:F8220CA0 ; +18h NumberOfNames, +1Ch AddressOfFunctions, +20h AddressOfNames,
.text:F8220CA0 ; +24h AddressOfNameOrdinals.
.text:F8220CA0 ; Locals: var_4 = AddressOfFunctions VA, var_C = AddressOfNameOrdinals VA,
.text:F8220CA0 ; var_18 = AddressOfNames VA, var_14 = export directory VA,
.text:F8220CA0 ; var_8 = NumberOfFunctions, var_10 = NumberOfNames,
.text:F8220CA0 ; var_1C = &AddressOfFunctions[i], var_20 = &AddressOfNameOrdinals[j].
.text:F8220CA0 ; The arg_0 slot is reused as the loop index i once ImageBase is in edx.
.text:F8220CA0 ; ---------------------------------------------------------------------------
.text:F8220CA0 LookupExportedFunction proc near        ; CODE XREF: sub_F8217A60+C9p
.text:F8220CA0               ; sub_F82181D0+Dp ...
.text:F8220CA0
.text:F8220CA0 var_20          = dword ptr -20h
.text:F8220CA0 var_1C          = dword ptr -1Ch
.text:F8220CA0 var_18          = dword ptr -18h
.text:F8220CA0 var_14          = dword ptr -14h
.text:F8220CA0 var_10          = dword ptr -10h
.text:F8220CA0 var_C           = dword ptr -0Ch
.text:F8220CA0 var_8           = dword ptr -8
.text:F8220CA0 var_4           = dword ptr -4
.text:F8220CA0 arg_0           = dword ptr  4
.text:F8220CA0 arg_4           = dword ptr  8
.text:F8220CA0 arg_8           = dword ptr  0Ch
.text:F8220CA0
.text:F8220CA0    mov     edx, [esp+arg_0]        ; edx = ImageBase (kept in edx for the whole routine)
.text:F8220CA4    sub     esp, 20h                ; 8 dword locals
.text:F8220CA7    cmp     word ptr [edx], 'ZM'    ; IMAGE_DOS_HEADER.e_magic == "MZ"?
.text:F8220CAC    push    ebx
.text:F8220CAD    push    ebp
.text:F8220CAE    push    esi
.text:F8220CAF    push    edi                     ; 4 pushes + 20h locals = the 30h in [esp+30h+...] below
.text:F8220CB0    jnz     loc_F8220DE1            ; not an MZ image -> return 0
.text:F8220CB6    mov     eax, [edx+3Ch]          ; e_lfanew (not range-checked)
.text:F8220CB9    add     eax, edx                ; eax = IMAGE_NT_HEADERS
.text:F8220CBB    cmp     dword ptr [eax], 'EP'   ; Signature == "PE\0\0"?
.text:F8220CC1    jnz     loc_F8220DE1            ; bad signature -> return 0
.text:F8220CC7    mov     eax, [eax+78h]          ; DataDirectory[EXPORT].VirtualAddress (presence/size not checked)
.text:F8220CCA    mov     edi, [esp+30h+arg_4]    ; edi = NameOrOrdinal
.text:F8220CCE    add     eax, edx                ; eax = IMAGE_EXPORT_DIRECTORY
.text:F8220CD0    mov     [esp+30h+var_14], eax
.text:F8220CD4    mov     esi, [eax+1Ch]          ; AddressOfFunctions RVA
.text:F8220CD7    mov     ebx, [eax+24h]          ; AddressOfNameOrdinals RVA
.text:F8220CDA    mov     ecx, [eax+20h]          ; AddressOfNames RVA
.text:F8220CDD    add     esi, edx                ; RVAs -> VAs, unchecked
.text:F8220CDF    add     ebx, edx
.text:F8220CE1    add     ecx, edx
.text:F8220CE3    cmp     edi, 1000h              ; NameOrOrdinal < 1000h => ordinal, else pointer to a name
.text:F8220CE9    mov     [esp+30h+var_4], esi
.text:F8220CED    mov     [esp+30h+var_C], ebx
.text:F8220CF1    mov     [esp+30h+var_18], ecx
.text:F8220CF5    jnb     short loc_F8220D27      ; >= 1000h -> lookup by name
.text:F8220CF7    mov     ecx, [eax+10h]          ; --- by ordinal ---  ecx = Base
.text:F8220CFA    mov     eax, edi
.text:F8220CFC    sub     eax, ecx                ; index = ordinal - Base; never compared with NumberOfFunctions
.text:F8220CFE    mov     eax, [esi+eax*4]        ; AddressOfFunctions[index]; an out-of-range index reads outside the table
.text:F8220D01    add     eax, edx                ; eax = export VA
.text:F8220D03    mov     edx, [esp+30h+arg_8]    ; edx = ExportSlot
.text:F8220D07    test    edx, edx
.text:F8220D09    jz      loc_F8220DE3            ; no out pointer -> just return eax
.text:F8220D0F    mov     ebx, ecx                ; ebx = (Base << 30) - Base + ordinal: the <<30 term
.text:F8220D11    shl     ebx, 1Eh                ;   vanishes after the *4 scaling below, so this is
.text:F8220D14    sub     ebx, ecx                ;   just ordinal - Base again (compiler artifact)
.text:F8220D16    add     ebx, edi
.text:F8220D18    pop     edi
.text:F8220D19    lea     ecx, [esi+ebx*4]        ; ecx = &AddressOfFunctions[index]
.text:F8220D1C    pop     esi
.text:F8220D1D    pop     ebp
.text:F8220D1E    mov     [edx], ecx              ; *ExportSlot = slot address
.text:F8220D20    pop     ebx
.text:F8220D21    add     esp, 20h
.text:F8220D24    retn    0Ch
.text:F8220D27 ; ---------------------------------------------------------------------------
.text:F8220D27
.text:F8220D27 loc_F8220D27:              ; CODE XREF: LookupExportedFunction+55j
.text:F8220D27    mov     edi, [eax+14h]          ; --- by name ---  edi = NumberOfFunctions
.text:F8220D2A    mov     [esp+30h+arg_0], 0      ; i = 0 (arg_0 slot reused as the function-slot index)
.text:F8220D32    test    edi, edi
.text:F8220D34    mov     [esp+30h+var_8], edi
.text:F8220D38    jbe     loc_F8220DE1            ; NumberOfFunctions == 0 -> return 0
.text:F8220D3E    mov     [esp+30h+var_1C], esi   ; var_1C = &AddressOfFunctions[0]
.text:F8220D42
.text:F8220D42 loc_F8220D42:              ; CODE XREF: LookupExportedFunction+13Bj
.text:F8220D42    cmp     dword ptr [esi], 0      ; outer loop over slots i: skip entries with RVA 0
.text:F8220D45    jz      short loc_F8220DC5
.text:F8220D47    mov     ecx, [eax+18h]          ; ecx = NumberOfNames
.text:F8220D4A    xor     ebp, ebp                ; j = 0
.text:F8220D4C    test    ecx, ecx
.text:F8220D4E    mov     [esp+30h+var_10], ecx
.text:F8220D52    jbe     short loc_F8220DC5      ; no names -> next slot
.text:F8220D54    mov     edi, [esp+30h+var_18]   ; edi = &AddressOfNames[0]
.text:F8220D58    mov     [esp+30h+var_20], ebx   ; var_20 = &AddressOfNameOrdinals[0]
.text:F8220D5C
.text:F8220D5C loc_F8220D5C:              ; CODE XREF: LookupExportedFunction+11Bj
.text:F8220D5C    mov     ebx, [esp+30h+var_20]   ; inner loop over names j: find the name whose ordinal == i
.text:F8220D60    xor     esi, esi
.text:F8220D62    mov     si, [ebx]               ; esi = zero-extended AddressOfNameOrdinals[j] (WORD)
.text:F8220D65    mov     ebx, [esp+30h+arg_0]    ; ebx = i
.text:F8220D69    cmp     esi, ebx
.text:F8220D6B    jnz     short loc_F8220DAA      ; name j does not refer to slot i -> next name
.text:F8220D6D    mov     eax, [edi]              ; AddressOfNames[j] RVA (unchecked)
.text:F8220D6F    mov     esi, [esp+30h+arg_4]    ; esi = wanted name
.text:F8220D73    add     eax, edx                ; eax = export name VA
.text:F8220D75
.text:F8220D75 loc_F8220D75:              ; CODE XREF: LookupExportedFunction+F3j
.text:F8220D75    mov     bl, [eax]               ; inlined strcmp(export name, wanted name), unrolled by 2
.text:F8220D77    mov     cl, bl
.text:F8220D79    cmp     bl, [esi]
.text:F8220D7B    jnz     short loc_F8220D99      ; bytes differ
.text:F8220D7D    test    cl, cl
.text:F8220D7F    jz      short loc_F8220D95      ; both reached NUL -> equal
.text:F8220D81    mov     bl, [eax+1]
.text:F8220D84    mov     cl, bl
.text:F8220D86    cmp     bl, [esi+1]
.text:F8220D89    jnz     short loc_F8220D99
.text:F8220D8B    add     eax, 2
.text:F8220D8E    add     esi, 2
.text:F8220D91    test    cl, cl
.text:F8220D93    jnz     short loc_F8220D75
.text:F8220D95
.text:F8220D95 loc_F8220D95:              ; CODE XREF: LookupExportedFunction+DFj
.text:F8220D95    xor     eax, eax                ; strcmp result 0 = match
.text:F8220D97    jmp     short loc_F8220D9E
.text:F8220D99 ; ---------------------------------------------------------------------------
.text:F8220D99
.text:F8220D99 loc_F8220D99:              ; CODE XREF: LookupExportedFunction+DBj
.text:F8220D99               ; LookupExportedFunction+E9j
.text:F8220D99    sbb     eax, eax                ; CF from the failed cmp: eax = -1 or 0 ...
.text:F8220D9B    sbb     eax, 0FFFFFFFFh         ; ... then -1 or +1; only "nonzero" matters below
.text:F8220D9E
.text:F8220D9E loc_F8220D9E:              ; CODE XREF: LookupExportedFunction+F7j
.text:F8220D9E    test    eax, eax
.text:F8220DA0    jz      short loc_F8220DED      ; names equal -> slot i is the export
.text:F8220DA2    mov     eax, [esp+30h+var_14]   ; restore eax = export directory (clobbered by the compare)
.text:F8220DA6    mov     ecx, [esp+30h+var_10]   ; restore ecx = NumberOfNames
.text:F8220DAA
.text:F8220DAA loc_F8220DAA:              ; CODE XREF: LookupExportedFunction+CBj
.text:F8220DAA    mov     esi, [esp+30h+var_20]
.text:F8220DAE    inc     ebp                     ; j++
.text:F8220DAF    add     esi, 2                  ; next AddressOfNameOrdinals entry (WORD)
.text:F8220DB2    add     edi, 4                  ; next AddressOfNames entry (DWORD)
.text:F8220DB5    cmp     ebp, ecx
.text:F8220DB7    mov     [esp+30h+var_20], esi
.text:F8220DBB    jb      short loc_F8220D5C      ; while j < NumberOfNames
.text:F8220DBD    mov     ebx, [esp+30h+var_C]    ; restore ebx = AddressOfNameOrdinals VA
.text:F8220DC1    mov     edi, [esp+30h+var_8]    ; restore edi = NumberOfFunctions
.text:F8220DC5
.text:F8220DC5 loc_F8220DC5:              ; CODE XREF: LookupExportedFunction+A5j
.text:F8220DC5               ; LookupExportedFunction+B2j
.text:F8220DC5    mov     ecx, [esp+30h+arg_0]
.text:F8220DC9    mov     esi, [esp+30h+var_1C]
.text:F8220DCD    inc     ecx                     ; i++
.text:F8220DCE    add     esi, 4                  ; next AddressOfFunctions entry
.text:F8220DD1    cmp     ecx, edi
.text:F8220DD3    mov     [esp+30h+arg_0], ecx
.text:F8220DD7    mov     [esp+30h+var_1C], esi
.text:F8220DDB    jb      loc_F8220D42            ; while i < NumberOfFunctions: a full functions x names scan, no binary search
.text:F8220DE1
.text:F8220DE1 loc_F8220DE1:              ; CODE XREF: LookupExportedFunction+10j
.text:F8220DE1               ; LookupExportedFunction+21j ...
.text:F8220DE1    xor     eax, eax                ; bad headers / not found -> return 0
.text:F8220DE3
.text:F8220DE3 loc_F8220DE3:              ; CODE XREF: LookupExportedFunction+69j
.text:F8220DE3               ; LookupExportedFunction+162j
.text:F8220DE3    pop     edi                     ; common epilogue; eax already holds the result
.text:F8220DE4    pop     esi
.text:F8220DE5    pop     ebp
.text:F8220DE6    pop     ebx
.text:F8220DE7    add     esp, 20h
.text:F8220DEA    retn    0Ch
.text:F8220DED ; ---------------------------------------------------------------------------
.text:F8220DED
.text:F8220DED loc_F8220DED:              ; CODE XREF: LookupExportedFunction+100j
.text:F8220DED    mov     eax, [esp+30h+var_4]    ; found by name: eax = AddressOfFunctions VA
.text:F8220DF1    mov     ecx, [esp+30h+arg_0]    ; ecx = i
.text:F8220DF5    lea     ecx, [eax+ecx*4]        ; ecx = &AddressOfFunctions[i]
.text:F8220DF8    mov     eax, [ecx]
.text:F8220DFA    add     eax, edx                ; eax = export VA
.text:F8220DFC    mov     edx, [esp+30h+arg_8]    ; edx = ExportSlot
.text:F8220E00    test    edx, edx
.text:F8220E02    jz      short loc_F8220DE3      ; no out pointer -> just return eax
.text:F8220E04    pop     edi
.text:F8220E05    pop     esi
.text:F8220E06    pop     ebp
.text:F8220E07    mov     [edx], ecx              ; *ExportSlot = slot address
.text:F8220E09    pop     ebx
.text:F8220E0A    add     esp, 20h
.text:F8220E0D    retn    0Ch
.text:F8220E0D LookupExportedFunction endp

未经过 ring 0 转换就在用户模式下直接调用 KAV 核心代码:

kd> bp f824d820
kd> g
Breakpoint 0 hit
klif!sub_F8231820:
001b:f824d820 83ec08      sub     esp,0x8
kd> kv
ChildEBP RetAddr  Args to Child    
          
WARNING: Stack unwind information not available. Following frames may be wrong.

0006f4ec 7432f69c 74320000 00000001 00000000 klif!sub_F8231820
0006f50c 7c9011a7 74320000 00000001 00000000 0x7432f69c
0006f52c 7c91cbab 7432f659 74320000 00000001 ntdll!LdrpCallInitRoutine+0x14
0006f634 7c916178 00000000 c0150008 00000000 ntdll!LdrpRunInitializeRoutines+0x344 (FPO: [Non-Fpo])
0006f8e0 7c9162da 00000000 0007ced0 0006fbd4 ntdll!LdrpLoadDll+0x3e5 (FPO: [Non-Fpo])
0006fb88 7c801bb9 0007ced0 0006fbd4 0006fbb4 ntdll!LdrLoadDll+0x230 (FPO: [Non-Fpo])
0006fc20 f824d749 0106c0f0 0000000e 0107348c 0x7c801bb9
0006fd14 7c918dfa 7c90d625 7c90eacf 00000000 klif!loc_F823173D+0xc
0006fe00 7c910551 000712e8 00000044 0006ff0c ntdll!_LdrpInitialize+0x246 (FPO: [Non-Fpo])
0006fecc 00000000 00072368 00000000 00078c48 ntdll!RtlFreeHeap+0x1e9 (FPO: [Non-Fpo])
kd> t
klif!sub_F8231820+0x3:
001b:f824d823 53          push    ebx
kd> r
eax=0006f3cc ebx=00000000 ecx=00005734 edx=0006f3ea esi=7c882fd3 edi=7432f608
eip=f824d823 esp=0006ef00 ebp=0006f4ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
klif!sub_F8231820+0x3:
001b:f824d823 53          push    ebx
kd> dg 1b
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
001B 00000000 ffffffff Code RE    3 Bg Pg P  Nl 00000cfa
kd> !pte eip
               VA f824d823
PDE at   C0300F80        PTE at C03E0934
contains 01010067      contains 06B78065
pfn 1010 ---DA--UWEV    pfn 6b78 ---DA--UREV
