
如何繞過殺毒軟件自我保護

來源:本站整理 作者:佚名 時間:2020-01-23 TAG: 我要投稿

0x0 - 自我保護原理
從 Win7 x64 系統起，殺毒軟件的自我保護一般都是通過 ObRegisterCallbacks 註冊的 OBOperationRegistration 回調實現：
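/*
 * InstallCallBacks - register the object-manager callbacks that implement the
 * self-protection hook, then the process-creation notify routine.
 *
 * Registers one pre/post-operation pair for process handles and one for
 * thread handles (handle create and handle duplicate), at altitude "1000".
 * On success the registration handle is stored in the file-scope
 * g_CallbacksHandle; undo with ObUnRegisterCallbacks(g_CallbacksHandle).
 * The function returns VOID, so failures are only reported via DebugPrint.
 */
VOID InstallCallBacks()
{
    NTSTATUS NtHandleCallback = STATUS_UNSUCCESSFUL;
    NTSTATUS NtNotifyRoutine = STATUS_UNSUCCESSFUL;
    OB_OPERATION_REGISTRATION OBOperationRegistration[2];
    OB_CALLBACK_REGISTRATION OBOCallbackRegistration;
    /* RegistrationContext is handed to every later callback invocation, so it
     * must outlive this function; a stack local would dangle after return. */
    static REG_CONTEXT regContext;
    UNICODE_STRING usAltitude;

    /* sizeof the objects themselves: the array has two elements, and the
     * original sizeof(OB_OPERATION_REGISTRATION) zeroed only the first. */
    memset(OBOperationRegistration, 0, sizeof(OBOperationRegistration));
    memset(&OBOCallbackRegistration, 0, sizeof(OBOCallbackRegistration));
    memset(&regContext, 0, sizeof(regContext));
    regContext.ulIndex = 1;
    regContext.Version = 120;
    RtlInitUnicodeString(&usAltitude, L"1000");

    if ((USHORT)ObGetFilterVersion() == OB_FLT_REGISTRATION_VERSION)
    {
        /* [0] filters thread handles, [1] filters process handles. Both
         * intercept handle creation and duplication. */
        OBOperationRegistration[0].ObjectType = PsThreadType;
        OBOperationRegistration[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
        OBOperationRegistration[0].PreOperation = ThreadHandleCallbacks;
        OBOperationRegistration[0].PostOperation = HandleAfterCreat;

        OBOperationRegistration[1].ObjectType = PsProcessType;
        OBOperationRegistration[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
        OBOperationRegistration[1].PreOperation = ProcessHandleCallbacks;
        OBOperationRegistration[1].PostOperation = HandleAfterCreat;

        OBOCallbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;
        OBOCallbackRegistration.OperationRegistrationCount = 2;
        /* The altitude string was built but never attached to the registration;
         * ObRegisterCallbacks needs it to order this driver among other filters. */
        OBOCallbackRegistration.Altitude = usAltitude;
        OBOCallbackRegistration.RegistrationContext = &regContext;
        OBOCallbackRegistration.OperationRegistration = OBOperationRegistration;

        NtHandleCallback = ObRegisterCallbacks(&OBOCallbackRegistration, &g_CallbacksHandle); // Register The CallBack
        if (!NT_SUCCESS(NtHandleCallback))
        {
            /* Defensive: a failed registration should leave the handle NULL,
             * but never keep a stale one around. */
            if (g_CallbacksHandle)
            {
                ObUnRegisterCallbacks(g_CallbacksHandle);
                g_CallbacksHandle = NULL;
            }
            DebugPrint("[DebugMessage] Failed to install ObRegisterCallbacks: 0x%08X.\n", NtHandleCallback);
        }
        else
        {
            DebugPrint("[DebugMessage] Success: ObRegisterCallbacks Was Be Install\n");
        }
    }

    /* Registered regardless of the filter-version check, as in the original;
     * the status was previously discarded. */
    NtNotifyRoutine = PsSetCreateProcessNotifyRoutine(CreateProcessNotify, FALSE);
    if (!NT_SUCCESS(NtNotifyRoutine))
    {
        DebugPrint("[DebugMessage] Failed to install PsSetCreateProcessNotifyRoutine: 0x%08X.\n", NtNotifyRoutine);
    }
}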
OB_PREOP_CALLBACK_STATUS ProcessHandleCallbacks(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
 UNREFERENCED_PARAMETER(RegistrationContext);
 if (g_MyPorcess == -1)
  return OB_PREOP_SUCCESS;
 if (OperationInformation->KernelHandle)
  return OB_PREOP_SUCCESS;
 PEPROCESS ProtectedProcessPEPROCESS;
 PEPROCESS ProtectedUserModeACPEPROCESS;
 PEPROCESS OpenedProcess = (PEPROCESS)OperationInformation->Object, CurrentProcess = PsGetCurrentProcess();
 ULONG ulProcessId = (ULONG)PsGetProcessId(OpenedProcess);
 ULONG myProcessId = (ULONG)PsGetProcessId(CurrentProcess);
 if (ulProcessId == g_MyPorcess) //如果進程我們的進程
 {
  if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) // 句柄降權
  {
   if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
   {
    //移除殺死進程的權限
    OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
   }
   if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
   {
    OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
   }
   if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
   {
    OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
   }
   if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
   {
    OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
   }
  }
 }
 return OB_PREOP_SUCCESS;

