
[分享]BE内核线程分析

2022-5-12 09:39

众所周知BE有一个内核线程

1.首先它加了VMP,我们直接回收站

2.经过仔细的分析

打开ARK看下线程入口就完事,好的经典push call直接GG。

3.线程行为简述

// Forward declarations for the helpers referenced by the reconstructed thread body below.
// Nothing in this excerpt compiles on its own: VOID/PVOID/ULONG64 are WDK types and the
// helper bodies are not on this page.

// Integrity check of one NT routine. In the pseudo-code below it is called with a slot
// index, the routine name (or 0 when the caller already has the address, e.g. from the IAT)
// and the routine address; what the check compares against is not shown here.
VOID CheckNtApi(int index, const char* pApiName, PVOID pApiAddress);

// Looks up a process by image name. The pseudo-code treats the non-zero result as an
// EPROCESS pointer (passed to KeStackAttachProcess, released with ObfDereferenceObject).
ULONG64 FindProcess(const char* pProcessName);

// Compares a loaded driver with its on-disk image. The first two arguments are read from
// fixed offsets of a g_DriverInfo entry (+161*8 and +324*4, i.e. 0x508 and 0x510);
// their meaning is not identified in the analysis — likely image base and size, TODO confirm.
VOID CheckDriver(ULONG64 unknow0, ULONG64 unknow1, const char* path, const char* name);

// Head of the driver-info list walked by the thread: each entry's next pointer is read at
// +165*8 and its name through the offset stored at +0 (see the loop below). Zero ends the
// walk; nothing on this page shows what populates the list.
ULONG64 g_DriverInfo = 0;
 
 
// Reconstructed pseudo-code of the BattlEye (BE) kernel thread as summarised in this post.
// It is the author's summary, not decompiler output: several lines are prose placeholders
// ("Check DriverFile", "enumerate the handle table"), locals such as v5/v41/v46/a1 are
// decompiler temporaries whose declarations are not shown, and every numeric offset is an
// observed constant whose struct meaning is not identified here. Read it as a map of which
// integrity checks the thread performs and in what order.
//VOID BeThread()
//{
//    /*
//    * BE first validates a few kernel APIs, roughly as follows
//    */
//
//    CheckNtApi(0,0, MmGetSystemRoutineAddress); // MmGetSystemRoutineAddress here is the IAT address
//    CheckNtApi(1,"MmIsAddressValid", MmIsAddressValid);
//    CheckNtApi(2, "ZwQuerySystemInformation", ZwQuerySystemInformation);
//    CheckNtApi(3, "NtQuerySystemInformation", NtQuerySystemInformation);
//    CheckNtApi(4, "NtReadVirtualMemory", NtReadVirtualMemory);
//
//    /*
//    * Some of the drivers BE operates on
//    */
//    const char* DrivrStrArr[] =
//    { "win32k.sys","hal.dll","clipsp.sys","CI.dll" ,"CI.dll",
//    "tpm.sys","ks.sys","ks.sys","TSDDD.dll","TSDDD.dll","TSDDD.dll" };
//    const char* csrss = "csrss.exe";
//
//    /*
//    * First BE does a friendly walk; it looks roughly like this
//    */
//    // NOTE(review): the list is walked via the next pointer at +165*8 and the entry name via
//    // the offset stored at +0; g_DriverInfo is zero-initialised above, so the walk does
//    // nothing until something not shown here fills the list.
//    auto LocalDriverInfo = g_DriverInfo;
//    while (LocalDriverInfo)
//    {
//        for (size_t i = 0; i < sizeof(DrivrStrArr) / sizeof(DrivrStrArr[0]); i++)
//        {
//            // NOTE(review): this compares against DrivrStrArr[0] (win32k.sys) regardless of i,
//            // so for the win32k entry the csrss attach/scan below would run once per array
//            // element; presumably a simplification of the real control flow.
//            if (strcmp((char*)(LocalDriverInfo + *(PULONG64)LocalDriverInfo + 2), DrivrStrArr[0]) == 0)//win32k.sys
//            {
//                ULONG64 eprocess_csrss = FindProcess(csrss);
//
//                if (eprocess_csrss)
//                {
//                    // presumably because win32k is session-space: attaching to csrss makes
//                    // its mappings readable from this thread — TODO confirm
//                    KeStackAttachProcess(eprocess_csrss, &ApcState);
//
//                    Check win32k.sys etc. (reads the driver's physical memory directly and checks for common trampolines E8 E9 FF15 ... etc. — call rel32 / jmp rel32 / call [mem])
//
//                    KeUnstackDetachProcess(&ApcState);
//                    // the matching ObReferenceProcessHandleTable is not shown; presumably inside
//                    // FindProcess or the omitted scan
//                    ObDereferenceProcessHandleTable(eprocess_csrss);
//                    ObfDereferenceObject((PVOID)eprocess_csrss);
//                }
//
//                continue;
//            }
//
//            if (strcmp((char*)(LocalDriverInfo + *(PULONG64)LocalDriverInfo + 2), DrivrStrArr[i]) == 0)
//            {
//                Check DriverFile
//                RtlInitAnsiString
//                RtlAnsiStringToUnicodeString
//
//                // +161*8 = 0x508 and +324*4 = 0x510 are adjacent fields of the entry; likely
//                // image base and image size — TODO confirm
//                CheckDriver(*((ULONG64*)LocalDriverInfo + 161),
//                    *((unsigned int*)LocalDriverInfo + 324),DriverPath, DrivrStrArr[i]);
//                 (fetches the file and the driver's physical memory and checks for common trampolines E8 E9 FF15 ... etc.)
//
//                RtlFreeUnicodeString
//            }
//        }
//
//        LocalDriverInfo = *((ULONG64*)LocalDriverInfo + 165);
//    }
//
//    // Main loop: one pass per wake-up (paced by the KeWaitForSingleObject timeout at the
//    // bottom). Each pass = driver I/O-interface check, process/handle-table sweep, API
//    // re-validation, thread sweep.
//    do
//    {
//        g_check_driverfunc(); // checks whether the BE driver's io interface has been hijacked
//
//        auto Result = ZwQuerySystemInformation(SystemProcessInformation, v5, SystemInformationLength, ReturnLength);
//        if (Result == 0xC0000004) // STATUS_INFO_LENGTH_MISMATCH: grow the buffer and retry
//        {
//            if (g_ProcInfo)
//            {
//                ExFreePoolWithTag(g_ProcInfo, 0);
//            }
//            SystemInformationLength = *ReturnLength + 1024;
//
//            g_ProcInfo = ExAllocatePoolWithTag(PagedPool, SystemInformationLength, 'EB');
//
//            do
//            {
//                Result = ZwQuerySystemInformation(
//                    SystemProcessInformation,
//                    g_ProcInfo,
//                    SystemInformationLength,
//                    ReturnLength);
//
//                if (Result != 0xC0000004)
//                {
//                    break;
//                }
//                ExFreePoolWithTag(g_ProcInfo, 0);
//                SystemInformationLength = *ReturnLength + 1024;
//                g_ProcInfo = ExAllocatePoolWithTag(PagedPool, SystemInformationLength, 'EB');
//            } while (g_ProcInfo);
//            // NOTE(review): as reconstructed, an allocation failure (g_ProcInfo == NULL) and any
//            // status other than the two handled above both fall through to the cast below.
//            // Either the real code tests NT_SUCCESS here or the summary omits it.
//
//            ProcessId = PsGetProcessId(*(PEPROCESS*)PsInitialSystemProcess);
//
//            pProcIndex = (PSYSTEM_PROCESSES)g_ProcInfo;
//            do
//            {
//                // every process except System is referenced and its handle table enumerated
//                if (ProcessId != pProcIndex.ProcessId &&
//                    PsLookupProcessByProcessId(UniqueProcessId, (PEPROCESS*)&process))// there are many other checks here as well
//                {
//
//                    enumerate the handle table
//                    {
//                        ObGetObjectType
//                        auto HnadleFunc = []()->VOID
//                        {
//                            the rough behaviour is
//                            // keep only THREAD handles whose thread belongs to the process in
//                            // qword_140016210 (presumably the protected game process)
//                            if (ObGetObjectType(v7) != *PsThreadType)
//                            {
//                                return;
//                            }
//                            if (PsGetThreadProcess(v7) != (PEPROCESS)qword_140016210)
//                            {
//                                return;
//                            }
//
//                            // NOTE(review): if a1 is the handle-table entry and the DWORD at +8 its
//                            // granted-access bits, 0x18 is THREAD_GET_CONTEXT|THREAD_SET_CONTEXT:
//                            // handles without either right are ignored. v9 (the mask with those
//                            // bits stripped) is not used in this excerpt — TODO confirm
//                            v10 = *(_DWORD*)(a1 + 8);
//                            if ((v10 & 0x18) == 0)
//                                return;
//                            v9 = v10 & 0xFFFFFFE7;
//
//                            if (ObGetObjectType(v5 + 48) == *IoFileObjectType &&
//                                *(_DWORD*)(*(_QWORD*)(v5 + 56) + 72i64) == 64)
//                            {
//                                sub_xxxxxxx((_QWORD*)(v5 + 48));// part of the file handling
//                            }
//
//                        }
//                        ExEnumHandleTable(v5, HnadleFunc, v2, 0i64);
//                        // releases the reference taken by PsLookupProcessByProcessId
//                        ObfDereferenceObject(*(PVOID*)process);
//                    }
//
//                }
//                pProcIndex = (PSYSTEM_PROCESSES)((char*)pProcIndex + pProcIndex->NextEntryDelta);
//            } while (pProcIndex->NextEntryDelta != 0);
//        }
//
//
//
//        // These six are exactly the routines the thread check below depends on (event, APC,
//        // frame walk), so they are re-validated right before use. Slots 5 and 6 are not shown.
//        if (1/*some global variable*/)
//        {
//            CheckNtApi(7, 0, KeInitializeEvent);
//            CheckNtApi(8, 0, KeInitializeApc);
//            CheckNtApi(9, 0, KeInsertQueueApc);
//            CheckNtApi(10, 0, RtlWalkFrameChain);
//            CheckNtApi(11, 0, KeSetEvent);
//            CheckNtApi(12, 0, KeWaitForSingleObject);
//        }
//
//        Check Thread
//        auto CheckThread = []()
//        {
//            only part of the functionality is summarised here
//            ZwQuerySystemInformation SystemProcessInformation
//            first walk the processes, as usual excluding PsInitialSystemProcess
//
//            thread ids start at 4 and go up by 4 each time until 0x10000; PsLookupThreadByThreadId is called on each to get the thread object
//            // NOTE(review): brute-forcing ids instead of trusting the snapshot's thread list means
//            // a thread that exists but is absent from SystemProcessInformation is noticed; the
//            // loop below looks for the looked-up id among the snapshot's per-thread entries.
//
//            once the thread object is obtained successfully, check
//            if(PsGetThreadProcessId(EThread) == ProcessInformation->UniqueProcessId)
//            {
//                NumberOfThreads = ProcessInformation->NumberOfThreads;
//                if (NumberOfThreads)
//                {
//                    // NOTE(review): ProcessInformation[1] is most likely the first
//                    // SYSTEM_THREAD_INFORMATION entry mis-typed by the decompiler: the stride of
//                    // 10 LARGE_INTEGERs (80 bytes) matches that struct's x64 size, and the "+0x30"
//                    // field compared with i would be ClientId.UniqueThread, not KernelTime.
//                    // Likewise ".CreateTime" below lands on StartAddress and ".HardFaultCount"
//                    // on CreateTime, which agrees with what is written there — TODO confirm
//                    p_KernelTime = &ProcessInformation[1].KernelTime;
//                    do
//                    {
//                        if (p_KernelTime->QuadPart == i)
//                            break;
//                        ++v18;
//                        p_KernelTime += 10;
//                    } while (v18 < NumberOfThreads);
//                }
//            }
//
//            // 0x200 = OBJ_KERNEL_HANDLE; the handle is closed before the APC is queued
//            if (ObOpenObjectByPointer(EThread, 0x200u, 0i64, 0, *PsThreadType, 0, &v41) >= 0)
//            {
//                ZwQueryInformationThread(
//                    v41,
//                    ThreadQuerySetWin32StartAddress,
//                    &ProcessInformation[1].CreateTime,
//                    8u,
//                    0i64);
//                if (ZwQueryInformationThread(v41, ThreadTimes, v46, 0x20u, 0i64) >= 0)
//                    *(_LARGE_INTEGER*)&ProcessInformation[1].HardFaultCount = v46[0];
//                ZwClose(v41);
//            }
//
//            // A kernel APC is queued to the target thread; j_g_apc_call then runs in that
//            // thread's context. Given RtlWalkFrameChain/KeSetEvent/KeWaitForSingleObject are
//            // validated above, presumably it walks the thread's stack and signals the event
//            // so this loop can wait for it — TODO confirm, the APC body is not shown.
//            KeInitializeEvent((PRKEVENT)&Pool[1], NotificationEvent, 0);
//            KeInitializeApc(Apc, Thread, 0i64, j_g_apc_call, 0i64);
//            if ( ((BOOLEAN (__stdcall *)(PRKAPC, PVOID, PVOID, KPRIORITY))KeInsertQueueApc)(Apc, Apc, 0i64, 2) )
//            {
//                ...
//            }
//        };
//
//        CheckThread();
//    } while (1/*KeWaitForSingleObject(&Object, Executive, 0, 0, &Timeout)*/);
//
//  // reached only when the wait above returns signalled: free the buffer and exit the thread
//  if ( qword_xxxxx )
//    ExFreePoolWithTag(qword_xxxxx, 0);
//  return PsTerminateSystemThread(0);
//}

以上就是BE内核线程的功能代码简述,如果有分析错误,欢迎评论区指正。



最后于 2022-5-12 09:48 被杰克王编辑 ,原因:
killleer 活跃值 2022-5-12 11:15

be?做个人吧,请停止你们的迫害行为

咖啡_741298 活跃值 2022-5-12 18:41
牛逼,学习了
mb_punpkihu 活跃值 2022-5-12 19:07
be不是加壳vm了吗  求大佬指点名录
syser 活跃值 2022-5-12 23:16
mb_punpkihu be不是加壳vm了吗 求大佬指点名录
这块是变异 不是VM
淡然他徒弟 活跃值 1 2022-5-13 06:13
killleer be?做个人吧,请停止你们的迫害行为
不懂就问 你发的是什么鬼东西 杀毒后台?
killleer 活跃值 2022-5-14 01:22
淡然他徒弟 不懂就问 你发的是什么鬼东西 杀毒后台?

virustotal了解一下,上面啥都有,一开始是世界杀毒网,现在变成世界各类文件集合与关联网站。

最后于 2022-5-14 01:26 被killleer编辑 ,原因:
yirucandy 活跃值 4 2022-5-14 11:47
大佬,牛逼啊,赞个!
杰克王 活跃值 2022-5-17 06:04
syser 这块是变异 不是VM
我分析的都是虚拟化的代码
黑洛 活跃值 1 5天前
be好菜一个,一个好菜。喂?