ARK相关技术PPT

mallocfree:linxer,ARK相关技术(一),1,2,目录,进程线程进程模块进程其他项目驱动模块SSDTShadowSSDTFSD,2,2020/4/26,一.进程,1.进程枚举2.EPROCESS识别3.TerminateProcess,3,2020/4/26,1.进程枚举,A.Ring3枚举进程1.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS)/Process32First/Process32NextZwQuerySystemInformation(SystemProcessesAndThreadsInformation)EnumWindows/GetWindowThreadProcessIdfor(;)OpenProcess,4,2020/4/26,B.PspCidTable查找PspCidTableExEnumHandleTable解析PspCidTableHANDLE_TABLEHANDLE_TABLE_ENTRYKPCR.KdVersionBlock-PspCidTable(wdbgexts.h),5,2020/4/26,2000_HANDLE_TABLEtypedefstruct_HANDLE_TABLEULONGFlags;LONGHandleCount;PHANDLE_TABLE_ENTRY*Table;=PEPROCESSQuotaProcess;HANDLEUniqueProcessId;LONGFirstFreeTableEntry;LONGNextIndexNeedingPool;ERESOURCEHandleTableLock;LIST_ENTRYHandleTableList;KEVENTHandleContentionEvent;_HANDLE_TABLE,*PHANDLE_TABLE;,6,2020/4/26,XPWin7HANDLE_TABLEnt!_HANDLE_TABLE+0 x000TableCode:Uint8B=+0 x008QuotaProcess:Ptr64_EPROCESS+0 x010UniqueProcessId:Ptr64Void+0 x018HandleLock:_EX_PUSH_LOCK+0 x020HandleTableList:_LIST_ENTRY+0 x030HandleContentionEvent:_EX_PUSH_LOCK+0 x038DebugInfo:Ptr64_HANDLE_TRACE_DEBUG_INFO+0 x040ExtraInfoPages:Int4B+0 x044Flags:Uint4B+0 x044StrictFIFO:Pos0,1Bit+0 x048FirstFreeHandle:Uint4B+0 x050LastFreeHandleEntry:Ptr64_HANDLE_TABLE_ENTRY+0 x058HandleCount:Uint4B+0 x05cNextHandleNeedingPool:Uint4B+0 x060HandleCountHighWatermark:Uint4B,7,2020/4/26,Win8_HANDLE_TABLEnt!_HANDLE_TABLE+0 x000NextHandleNeedingPool:Uint4B+0 x004ExtraInfoPages:Int4B+0 x008TableCode:Uint4B=+0 x00cQuotaProcess:Ptr32_EPROCESS+0 x010HandleTableList:_LIST_ENTRY+0 x018UniqueProcessId:Uint4B+0 x01cFlags:Uint4B+0 x01cStrictFIFO:Pos0,1Bit+0 x01cEnableHandleExceptions:Pos1,1Bit+0 x01cRundown:Pos2,1Bit+0 x01cDuplicated:Pos3,1Bit+0 x020HandleContentionEvent:_EX_PUSH_LOCK+0 x024HandleTableLock:_EX_PUSH_LOCK+0 x028FreeLists:1_HANDLE_TABLE_FREE_LIST+0 x028ActualEntry:20UChar+0 x03cDebugInfo:Ptr32_HANDLE_TRACE_DEBUG_INFO,8,2020/4/26,2kWin7nt!_HANDLE_TABLE_ENTRY+0 x000Object:Ptr64去掉最低位，Object合法？+0 x000ObAttributes:Uint4B+0 x000InfoTable:Ptr64+0 x000Value:Uint8B+0 x008GrantedAccess:Uint4B+0 x008GrantedAccessIndex:Uint2B+0 x00aCreatorBackTraceIndex:Uint2B+0 x008NextFreeTableEntry:Uint4B,9,2020/4/26,Win8nt!_HANDLE_TABLE_ENTRY+0 x000VolatileLowValue:Int4B+0 x000LowValue:Int4B去掉低位，合法Object？+0 x000InfoTable:Ptr32_HANDLE_TABLE_ENTRY_INFO+0 x000Unlocked:Pos0,1Bit+0 x000Attributes:Pos1,2Bits+0 x000ObjectPointerBits:Pos3,29Bits+0 x004HighValue:Int4B+0 x004NextFreeHandleEntry:Ptr32_HANDLE_TABLE_ENTRY+0 x004LeafHandleValue:_EXHANDLE+0 x004GrantedAccessBits:Pos0,25Bits+0 x004ProtectFromClose:Pos25,1Bit+0 x004RefCnt:Pos26,6Bits,10,2020/4/26,Win8X86ExpLookupHandleTableEntry,11,2020/4/26,Win8X64ExpLookupHandleTableEntry,12,2020/4/26,13,2020/4/26,C.PsActiveProcessHeadSystem进程ActiveProcessLinks.BlinkKPCR.KdVersionBlock-PsActiveProcessHead,14,2020/4/26,D.KiWaitInListHead/KiWaitOutListHead/KiDispatcherReadyListHead前2者是链表，通过ETHREAD.WaitListEntry串联后者是在非2000系统中是LIST_ENTRY32，也是通过ETHREAD.WaitListEntry串联查找三个列表XP:KeDelayExecutionThreadKiWaitInListHeadKiWaitOutListHead2600:KeGetCurrentPrcb()-KiWaitInListHeadXP:KiReadyThread-KiDispatcherReadyListHead2600:KeGetCurrentPrcb()-KiDispatcherReadyListHead,15,2020/4/26,E.搜索内存搜索范围EPROCESS识别F.CSRSS.EXE句柄csrss.exe识别（WindowsApiPort）NtQuerySystemInformation（SystemHandleInformation）收集句柄对象EPROCESS识别（或ObjectTypeNumber）G.SwapContext查找SwapContextKiDispatchInterruptInlinehook上下文保护、EDI/ESI是ETHREAD,=DPC,16,2020/4/26,H.EPROCESS中其它链表I,17,2020/4/26,2.EPROCESS识别,ObjectTypePEBVADRootObjectTable几个ThreadListHead结合ETHREAD信息？,18,2020/4/26,3.TerminateProcess,A.NtTerminateProcessB.涂改内存C.卸载模块D.窗口攻击E.CreateJobObject/AssignProcessToJobObject/TerminateJobObjectF.注入代码，ExitProcessG.SetThreadContext,19,2020/4/26,H.调试器吸附,退出I.对每个线程(GetNextProcessThread)PspTerminateThreadByPointerJ.,20,2020/4/26,二.线程,1.线程枚举2.ETHREAD识别3.TerminateThread,21,2020/4/26,1.线程枚举,A.PspCidTableB.SwapContextC.搜索内存搜索范围ETHREAD识别D.ThreadListEntryEPROCESS.ThreadListEntryKPROCESS.ThreadListEntryE,22,2020/4/26,2.ETHREAD识别,ObjectTypeTEBETHREAD.ThreadListHeadKTHREAD.ThreadListHead定位EPROCESS,检测EPROCESS的一些信息,23,2020/4/26,3.TerminateThread,NtTerminateThreadPspTerminateThreadByPointerInsertAPC杀线程,24,2020/4/26,三.进程模块,1.PEB枚举进程模块X86情况X64情况X64程序X86程序Ring3路径重定位问题,25,2020/4/26,2.LdrpHashTable枚举进程模块(LIST_ENTRY32)X86情况X64情况X64程序X86程序路径问题3.Vad枚举进程模块避免误报？,26,2020/4/26,lkddt_CONTROL_AREA-bnt!_CONTROL_AREA+0 x000Segment:Ptr32+0 x004DereferenceList:_LIST_ENTRY+0 x000Flink:Ptr32+0 x004Blink:Ptr32+0 x00cNumberOfSectionReferences:Uint4B+0 x010NumberOfPfnReferences:Uint4B+0 x014NumberOfMappedViews:Uint4B+0 x018NumberOfSubsections:Uint2B+0 x01aFlushInProgressCount:Uint2B+0 x01cNumberOfUserReferences:Uint4B+0 x020u:_unnamed+0 x000LongFlags:Uint4B+0 x000Flags:_MMSECTION_FLAGS+0 x000BeingDeleted:Pos0,1Bit+0 x000BeingCreated:Pos1,1Bit+0 x000BeingPurged:Pos2,1Bit+0 x000NoModifiedWriting:Pos3,1Bit+0 x000FailAllIo:Pos4,1Bit+0 x000Image:Pos5,1Bit+0 x000Based:Pos6,1Bit+0 x000File:Pos7,1Bit,27,2020/4/26,4.搜索内存枚举进程模块搜索范围PE识别5.模块卸载远线程FreeLibraryNtUnmapViewOfSection不足：通过PEB、LdrpHashTable还可枚举到,28,2020/4/26,四.进程其他项目,1.进程快捷键枚举NtUserRegisterHotKey里查找gphkFirst/gphkHashTablegphkFirst是单项链表(2k/xp)gphkHashTable0 x7f数组(2k3win8),29,2020/4/26,五.驱动模块,1.PsLoadModuleListDriverObject-DriverSectionKPCR.KdVersionBlock-PsLoadModuleList2.ObjectDirectoryZwOpenDirectoryObject(L”),30,2020/4/26,3.利用IoDriver(Device)ObjectType:TypeList通过_OBJECT_HEADER_CREATOR_INFO:TypeList相连NtGlobalFlag:FLG_MAINTAIN_OBJECT_TYPELIST是1,31,2020/4/