



01

Introduction to AV/EDR kernel callbacks

On Windows x64, because of PatchGuard, antivirus (AV) and EDR products normally cannot monitor and kill malware by hooking the kernel. So what do they do? Microsoft provides another mechanism for this purpose: the system callback (notification) mechanism, for example the process-creation notify callbacks, thread-creation notify callbacks, image-load notify callbacks and registry notify callbacks discussed in this article.

In the back-and-forth between malware and AV, the two sides have fought fiercely and driven each other upward in a spiral; the impression is that AV keeps getting stronger and our network environment keeps getting safer.

02

Overview of projects that remove AV callbacks

Two well-known GitHub projects implement removal of AV callbacks:

https://github.com/br-sn/CheekyBlinder

https://github.com/lawiet47/STFUEDR

These projects implement three main functions:

  1. Use a legitimate (signed) driver to read or modify kernel data;

  2. Find the kernel addresses of the arrays holding the process-creation, thread-creation, image-load and registry notify callbacks;

  3. Set to 0 or remove the element of the corresponding callback array that belongs to the AV/EDR driver;

Note that the process-creation, thread-creation and image-load notify callbacks are held in plain arrays, whereas the registry notify callbacks form a doubly linked circular list.

Below is a brief description of how to find the kernel addresses of these four callback arrays and how the AV callbacks are removed.

Tool used: WinDbg Preview

System environment: Windows 1809 x64

03

創(chuàng)建進程回調(diào)數(shù)組定位

// 1. From PsSetCreateProcessNotifyRoutine, locate the address of nt!PspSetCreateProcessNotifyRoutine
0: kd> uf PsSetCreateProcessNotifyRoutine
nt!PsSetCreateProcessNotifyRoutine:
fffff802`6ca90570 4883ec28        sub     rsp,28h
fffff802`6ca90574 8ac2            mov     al,dl
fffff802`6ca90576 33d2            xor     edx,edx
fffff802`6ca90578 84c0            test    al,al
fffff802`6ca9057a 0f95c2          setne   dl
fffff802`6ca9057d e80e010000      call    nt!PspSetCreateProcessNotifyRoutine (fffff802`6ca90690)
fffff802`6ca90582 4883c428        add     rsp,28h
fffff802`6ca90586 c3              ret

// 2. Locate the address of the nt!PspCreateProcessNotifyRoutine array
0: kd> uf nt!PspSetCreateProcessNotifyRoutine
nt!PspSetCreateProcessNotifyRoutine:
fffff802`6ca90690 48895c2408      mov     qword ptr [rsp+8],rbx
fffff802`6ca90695 48896c2410      mov     qword ptr [rsp+10h],rbp
fffff802`6ca9069a 4889742418      mov     qword ptr [rsp+18h],rsi
fffff802`6ca9069f 57              push    rdi
fffff802`6ca906a0 4154            push    r12
fffff802`6ca906a2 4155            push    r13
fffff802`6ca906a4 4156            push    r14
fffff802`6ca906a6 4157            push    r15
... ...
nt!PspSetCreateProcessNotifyRoutine+0x49:
fffff802`6ca906d9 488bd7          mov     rdx,rdi
fffff802`6ca906dc 498bcf          mov     rcx,r15
fffff802`6ca906df e8a4000000      call    nt!ExAllocateCallBack (fffff802`6ca90788)
fffff802`6ca906e4 488bf8          mov     rdi,rax
fffff802`6ca906e7 4885c0          test    rax,rax
fffff802`6ca906ea 0f845b890c00    je      nt!PspSetCreateProcessNotifyRoutine+0xc89bb (fffff802`6cb5904b)  Branch

nt!PspSetCreateProcessNotifyRoutine+0x60:
fffff802`6ca906f0 33db            xor     ebx,ebx
fffff802`6ca906f2 4c8d2d375dddff  lea     r13,[nt!PspCreateProcessNotifyRoutine (fffff802`6c866430)]

nt!PspSetCreateProcessNotifyRoutine+0x69:
fffff802`6ca906f9 488d0cdd00000000 lea    rcx,[rbx*8]
fffff802`6ca90701 4533c0          xor     r8d,r8d
fffff802`6ca90704 4903cd          add     rcx,r13
fffff802`6ca90707 488bd7          mov     rdx,rdi
fffff802`6ca9070a e86dd5aeff      call    nt!ExCompareExchangeCallBack (fffff802`6c57dc7c)
fffff802`6ca9070f 84c0            test    al,al
fffff802`6ca90711 750c            jne     nt!PspSetCreateProcessNotifyRoutine+0x8f (fffff802`6ca9071f)  Branch

// 3. Display the callback array
0: kd> dq fffff802`6c866430
fffff802`6c866430  ffffbb83`fc851a8f ffffbb83`fc9febaf
fffff802`6c866440  ffffbb83`fe0e8b7f ffffbb83`fe0e8def
fffff802`6c866450  ffffbb83`fe413f0f ffffbb83`fe43612f
fffff802`6c866460  ffffbb83`fe436bdf ffffbb83`fc9feccf
fffff802`6c866470  ffffbb83`fe4366cf ffffbb83`fe436b7f
fffff802`6c866480  ffffbb83`fe436f3f ffffbb83`fe52133f
fffff802`6c866490  ffffbb83`fe521f6f ffffbb83`fe4be96f
fffff802`6c8664a0  ffffbb84`01737c3f 00000000`00000000
0: kd> dq
fffff802`6c8664b0  00000000`00000000 00000000`00000000
fffff802`6c8664c0  00000000`00000000 00000000`00000000
fffff802`6c8664d0  00000000`00000000 00000000`00000000
fffff802`6c8664e0  00000000`00000000 00000000`00000000
fffff802`6c8664f0  00000000`00000000 00000000`00000000
fffff802`6c866500  00000000`00000000 00000000`00000000
fffff802`6c866510  00000000`00000000 00000000`00000000
fffff802`6c866520  00000000`00000000 00000000`00000000

// 4. Take the first entry of the callback array (mask off the low 4 bits)
0: kd> dq (ffffbb83`fc851a8f>>4)<<4
ffffbb83`fc851a80  00000000`00000020 fffff800`704d8230
ffffbb83`fc851a90  00000000`00000000 00000000`00000000
ffffbb83`fc851aa0  6e497350`02030000 00000000`00000000
ffffbb83`fc851ab0  00000000`00100010 ffffbb83`fc851ac0
ffffbb83`fc851ac0  00690067`00650052 00790072`00740073
ffffbb83`fc851ad0  6e496c41`02030000 00000000`00000000
ffffbb83`fc851ae0  00000001`00060000 ffffbb83`fc851ae8
ffffbb83`fc851af0  ffffbb83`fc851ae8 00790072`00740073

// 5. Module containing the second 8-byte pointer (the callback routine) in the data above
0: kd> lm a fffff800`704d8230
Browse full module list
start             end                 module name
fffff800`704b0000 fffff800`70505000   360qpesv64   (no symbols)

04

創(chuàng)建線程回調(diào)數(shù)組定位

方法一:

//?1.?由?PsSetCreateThreadNotifyRoutine?定位?nt!PspSetCreateThreadNotifyRoutine?地址
0:?kd>?uf?PsSetCreateThreadNotifyRoutine
nt!PsSetCreateThreadNotifyRoutine:
fffff805`2e2a4350?4883ec28????????sub?????rsp,28h
fffff805`2e2a4354?33d2????????????xor?????edx,edx
fffff805`2e2a4356?e865000000??????call????nt!PspSetCreateThreadNotifyRoutine?(fffff805`2e2a43c0)
fffff805`2e2a435b?4883c428????????add?????rsp,28h
fffff805`2e2a435f?c3??????????????ret//?2.?定位?nt!PspCreateThreadNotifyRoutine?數(shù)組地址
0:?kd>?uf?nt!PspSetCreateThreadNotifyRoutine
nt!PspSetCreateThreadNotifyRoutine:
fffff805`2e2a43c0?48895c2408??????mov?????qword?ptr?[rsp+8],rbx
fffff805`2e2a43c5?4889742410??????mov?????qword?ptr?[rsp+10h],rsi
fffff805`2e2a43ca?57??????????????push????rdi
fffff805`2e2a43cb?4883ec20????????sub?????rsp,20h
fffff805`2e2a43cf?8bf2????????????mov?????esi,edx
fffff805`2e2a43d1?8bd2????????????mov?????edx,edx
fffff805`2e2a43d3?e8b0030000??????call????nt!ExAllocateCallBack?(fffff805`2e2a4788)
fffff805`2e2a43d8?488bf8??????????mov?????rdi,rax
fffff805`2e2a43db?4885c0??????????test????rax,rax
fffff805`2e2a43de?0f842e8b0c00????je??????nt!PspSetCreateThreadNotifyRoutine+0xc8b52?(fffff805`2e36cf12)??Branchnt!PspSetCreateThreadNotifyRoutine+0x24:
fffff805`2e2a43e4?33db????????????xor?????ebx,ebxnt!PspSetCreateThreadNotifyRoutine+0x26:
fffff805`2e2a43e6?488d0d435cddff??lea?????rcx,[nt!PspCreateThreadNotifyRoutine?(fffff805`2e07a030)]
fffff805`2e2a43ed?4533c0??????????xor?????r8d,r8d
fffff805`2e2a43f0?488d0cd9????????lea?????rcx,[rcx+rbx*8]
fffff805`2e2a43f4?488bd7??????????mov?????rdx,rdi
fffff805`2e2a43f7?e880d8aeff??????call????nt!ExCompareExchangeCallBack?(fffff805`2dd91c7c)
fffff805`2e2a43fc?84c0????????????test????al,al
fffff805`2e2a43fe?7436????????????je??????nt!PspSetCreateThreadNotifyRoutine+0x76?(fffff805`2e2a4436)??Branchnt!PspSetCreateThreadNotifyRoutine+0x40:
fffff805`2e2a4400?40f6c601????????test????sil,1
fffff805`2e2a4404?0f85128b0c00????jne?????nt!PspSetCreateThreadNotifyRoutine+0xc8b5c?(fffff805`2e36cf1c)??Branch//?3.?顯示回調(diào)數(shù)組
0:?kd>?dq?nt!PspCreateThreadNotifyRoutine
fffff805`2e07a030??ffffbb8f`d044ab7f?ffffbb8f`d368fdbf
fffff805`2e07a040??00000000`00000000?00000000`00000000
fffff805`2e07a050??00000000`00000000?00000000`00000000
fffff805`2e07a060??00000000`00000000?00000000`00000000
fffff805`2e07a070??00000000`00000000?00000000`00000000
fffff805`2e07a080??00000000`00000000?00000000`00000000
fffff805`2e07a090??00000000`00000000?00000000`00000000
fffff805`2e07a0a0??00000000`00000000?00000000`00000000//?4.?取出回調(diào)數(shù)組第一個數(shù)據(jù)
0:?kd>?dq?(ffffbb8f`d044ab7f>>4)<<4
ffffbb8f`d044ab70??00000000`00000020?fffff805`2ecdd72c
ffffbb8f`d044ab80??00000000`00000000?e8f10366`0081e800
ffffbb8f`d044ab90??72724d46`02030000?66d18b66`00218c0f
ffffbb8f`d044aba0??ffffbb8f`cee83200?ffffbb8f`cee831f0
ffffbb8f`d044abb0??00000002`00000040?c82b66c4`eb586643
ffffbb8f`d044abc0??20206f49`02032b00?8a67c92b`66c3c02b
ffffbb8f`d044abd0??00690072`0044005c?005c0072`00650076
ffffbb8f`d044abe0??00610072`006d0076?006b0073`00640077//?5.?上述數(shù)據(jù)中?第?2?個?8字節(jié)?指針(回調(diào)函數(shù))?所在模塊
0:?kd>?lm?a?fffff805`2ecdd72c
Browse?full?module?list
start?????????????end?????????????????module?name
fffff805`2ecb0000?fffff805`2ed93000???360FsFlt???(deferred)

Method two:

05

Locating the image-load callback array

Method one:

// 1. From PsSetLoadImageNotifyRoutine, locate the address of nt!PsSetLoadImageNotifyRoutineEx
0: kd> uf PsSetLoadImageNotifyRoutine
nt!PsSetLoadImageNotifyRoutine:
fffff805`2e2a4370 4883ec28        sub     rsp,28h
fffff805`2e2a4374 33d2            xor     edx,edx
fffff805`2e2a4376 e8d5000000      call    nt!PsSetLoadImageNotifyRoutineEx (fffff805`2e2a4450)
fffff805`2e2a437b 4883c428        add     rsp,28h
fffff805`2e2a437f c3              ret

// 2. Locate the address of the nt!PspLoadImageNotifyRoutine array
0: kd> uf nt!PsSetLoadImageNotifyRoutineEx
nt!PsSetLoadImageNotifyRoutineEx:
fffff805`2e2a4450 48895c2418      mov     qword ptr [rsp+18h],rbx
fffff805`2e2a4455 4889742420      mov     qword ptr [rsp+20h],rsi
fffff805`2e2a445a 57              push    rdi
fffff805`2e2a445b 4883ec70        sub     rsp,70h
fffff805`2e2a445f 488b058a37d8ff  mov     rax,qword ptr [nt!_security_cookie (fffff805`2e027bf0)]
fffff805`2e2a4466 4833c4          xor     rax,rsp
fffff805`2e2a4469 4889442460      mov     qword ptr [rsp+60h],rax
fffff805`2e2a446e 488bf1          mov     rsi,rcx
fffff805`2e2a4471 48f7c2feffffff  test    rdx,0FFFFFFFFFFFFFFFEh
fffff805`2e2a4478 0f85c28a0c00    jne     nt!PsSetLoadImageNotifyRoutineEx+0xc8af0 (fffff805`2e36cf40)  Branch

nt!PsSetLoadImageNotifyRoutineEx+0x2e:
fffff805`2e2a447e e805030000      call    nt!ExAllocateCallBack (fffff805`2e2a4788)
fffff805`2e2a4483 488bf8          mov     rdi,rax
fffff805`2e2a4486 4885c0          test    rax,rax
fffff805`2e2a4489 0f84c58a0c00    je      nt!PsSetLoadImageNotifyRoutineEx+0xc8b04 (fffff805`2e36cf54)  Branch

nt!PsSetLoadImageNotifyRoutineEx+0x3f:
fffff805`2e2a448f 33db            xor     ebx,ebx

nt!PsSetLoadImageNotifyRoutineEx+0x41:
fffff805`2e2a4491 488d0d985dddff  lea     rcx,[nt!PspLoadImageNotifyRoutine (fffff805`2e07a230)]
fffff805`2e2a4498 4533c0          xor     r8d,r8d
fffff805`2e2a449b 488d0cd9        lea     rcx,[rcx+rbx*8]
fffff805`2e2a449f 488bd7          mov     rdx,rdi
fffff805`2e2a44a2 e8d5d7aeff      call    nt!ExCompareExchangeCallBack (fffff805`2dd91c7c)
fffff805`2e2a44a7 84c0            test    al,al
fffff805`2e2a44a9 0f849f000000    je      nt!PsSetLoadImageNotifyRoutineEx+0xfe (fffff805`2e2a454e)  Branch

// 3. Display the callback array
0: kd> dq nt!PspLoadImageNotifyRoutine
fffff805`2e07a230  ffffbb8f`ceef9bdf ffffbb8f`d044a6ff
fffff805`2e07a240  ffffbb8f`d055fa8f ffffbb8f`d055fc6f
fffff805`2e07a250  00000000`00000000 00000000`00000000
fffff805`2e07a260  00000000`00000000 00000000`00000000
fffff805`2e07a270  00000000`00000000 00000000`00000000
fffff805`2e07a280  00000000`00000000 00000000`00000000
fffff805`2e07a290  00000000`00000000 00000000`00000000
fffff805`2e07a2a0  00000000`00000000 00000000`00000000

// 4. Take the first entry of the callback array (mask off the low 4 bits)
0: kd> dq (ffffbb8f`ceef9bdf>>4)<<4
ffffbb8f`ceef9bd0  00000000`00000020 fffff805`317e37a4
ffffbb8f`ceef9be0  00000000`00000000 ffffbb8f`ceef9be0
ffffbb8f`ceef9bf0  434f444e`02030000 00000000`00000001
ffffbb8f`ceef9c00  ffffbb8f`d387b8c0 ffffbb8f`d387b8c0
ffffbb8f`ceef9c10  00000002`00000040 00000000`00000001
ffffbb8f`ceef9c20  20206f49`02030000 a2aba245`696ddc74
ffffbb8f`ceef9c30  00690072`0044005c 005c0072`00650076
ffffbb8f`ceef9c40  00550041`00450050 00000000`00480054

// 5. Module containing the second 8-byte pointer (the callback routine) in the data above
0: kd> lm a fffff805`317e37a4
Browse full module list
start             end                 module name
fffff805`317d0000 fffff805`317fb000   DsArk64    (deferred)

Method two:

// 1. From PsRemoveLoadImageNotifyRoutine, locate the address of the nt!PspLoadImageNotifyRoutine array
0: kd> uf PsRemoveLoadImageNotifyRoutine
nt!PsRemoveLoadImageNotifyRoutine:
fffff805`2e42d560 48895c2408      mov     qword ptr [rsp+8],rbx
fffff805`2e42d565 48896c2410      mov     qword ptr [rsp+10h],rbp
fffff805`2e42d56a 4889742418      mov     qword ptr [rsp+18h],rsi
fffff805`2e42d56f 57              push    rdi
fffff805`2e42d570 4156            push    r14
fffff805`2e42d572 4157            push    r15
fffff805`2e42d574 4883ec20        sub     rsp,20h
fffff805`2e42d578 65488b342588010000 mov  rsi,qword ptr gs:[188h]
fffff805`2e42d581 4183cfff        or      r15d,0FFFFFFFFh
fffff805`2e42d585 4c8bf1          mov     r14,rcx
fffff805`2e42d588 664401bee4010000 add    word ptr [rsi+1E4h],r15w
fffff805`2e42d590 33ff            xor     edi,edi

nt!PsRemoveLoadImageNotifyRoutine+0x32:
fffff805`2e42d592 488d0d97ccc4ff  lea     rcx,[nt!PspLoadImageNotifyRoutine (fffff805`2e07a230)]
fffff805`2e42d599 488d2cf9        lea     rbp,[rcx+rdi*8]
fffff805`2e42d59d 488bcd          mov     rcx,rbp
fffff805`2e42d5a0 e81b4186ff      call    nt!ExReferenceCallBackBlock (fffff805`2dc916c0)
fffff805`2e42d5a5 488bd8          mov     rbx,rax
fffff805`2e42d5a8 4885c0          test    rax,rax
fffff805`2e42d5ab 7429            je      nt!PsRemoveLoadImageNotifyRoutine+0x76 (fffff805`2e42d5d6)  Branch

nt!PsRemoveLoadImageNotifyRoutine+0x4d:
fffff805`2e42d5ad 488bc8          mov     rcx,rax
fffff805`2e42d5b0 e8cb4186ff      call    nt!ExGetCallBackBlockRoutine (fffff805`2dc91780)
fffff805`2e42d5b5 493bc6          cmp     rax,r14
fffff805`2e42d5b8 7511            jne     nt!PsRemoveLoadImageNotifyRoutine+0x6b (fffff805`2e42d5cb)  Branch

06

Locating the registry notify callback list

// Only CmUnRegisterCallback can be used to locate it
// 1. From CmUnRegisterCallback, locate the address of the nt!CallbackListHead list
0: kd> uf CmUnRegisterCallback
nt!CmUnRegisterCallback:
fffff805`2e38bd50 4c8bdc          mov     r11,rsp
fffff805`2e38bd53 53              push    rbx
fffff805`2e38bd54 56              push    rsi
fffff805`2e38bd55 57              push    rdi
fffff805`2e38bd56 4154            push    r12
fffff805`2e38bd58 4155            push    r13
fffff805`2e38bd5a 4156            push    r14
fffff805`2e38bd5c 4157            push    r15
fffff805`2e38bd5e 4881ec80000000  sub     rsp,80h
fffff805`2e38bd65 488bd9          mov     rbx,rcx
fffff805`2e38bd68 be0d0000c0      mov     esi,0C000000Dh
fffff805`2e38bd6d 89b424d8000000  mov     dword ptr [rsp+0D8h],esi
fffff805`2e38bd74 33c0            xor     eax,eax
fffff805`2e38bd76 498943b0        mov     qword ptr [r11-50h],rax
fffff805`2e38bd7a 498943b8        mov     qword ptr [r11-48h],rax
fffff805`2e38bd7e 498943c0        mov     qword ptr [r11-40h],rax
fffff805`2e38bd82 49214380        and     qword ptr [r11-80h],rax
fffff805`2e38bd86 65488b042588010000 mov  rax,qword ptr gs:[188h]
fffff805`2e38bd8f 4183ccff        or      r12d,0FFFFFFFFh
fffff805`2e38bd93 664401a0e4010000 add    word ptr [rax+1E4h],r12w
fffff805`2e38bd9b 33d2            xor     edx,edx
fffff805`2e38bd9d 4c8d35ecf3ccff  lea     r14,[nt!CmpCallbackListLock (fffff805`2e05b190)]
fffff805`2e38bda4 498bce          mov     rcx,r14
fffff805`2e38bda7 e894f094ff      call    nt!ExAcquirePushLockExclusiveEx (fffff805`2dcdae40)
fffff805`2e38bdac 41bf00000080    mov     r15d,80000000h

nt!CmUnRegisterCallback+0x62:
fffff805`2e38bdb2 4533c0          xor     r8d,r8d
fffff805`2e38bdb5 488d542438      lea     rdx,[rsp+38h]
fffff805`2e38bdba 488d0ddff3ccff  lea     rcx,[nt!CallbackListHead (fffff805`2e05b1a0)]
fffff805`2e38bdc1 e82a94e1ff      call    nt!CmListGetNextElement (fffff805`2e1a51f0)
fffff805`2e38bdc6 488bf8          mov     rdi,rax
fffff805`2e38bdc9 4889442440      mov     qword ptr [rsp+40h],rax
fffff805`2e38bdce 4885c0          test    rax,rax
fffff805`2e38bdd1 0f84cf000000    je      nt!CmUnRegisterCallback+0x156 (fffff805`2e38bea6)  Branch

// 2. Display the CMREG_CALLBACK structure (nt!CallbackListHead)
0: kd> dq nt!CallbackListHead
fffff805`2e05b1a0  ffff9705`3572b420 ffff9705`3572ba20
fffff805`2e05b1b0  00000000`00000000 01d9e206`c817750c
fffff805`2e05b1c0  fffff805`2e05b1c0 fffff805`2e05b1c0
fffff805`2e05b1d0  00000000`00000000 00000000`00000000
fffff805`2e05b1e0  00000000`00060001 fffff805`2e05b1e8
fffff805`2e05b1f0  fffff805`2e05b1e8 00000000`00000000
fffff805`2e05b200  00000000`00060001 fffff805`2e05b208
fffff805`2e05b210  fffff805`2e05b208 00000000`00000000

// 3. Display the node following nt!CallbackListHead
0: kd> dq ffff9705`3572ba20
ffff9705`3572ba20  fffff805`2e05b1a0 ffff9705`35449660
ffff9705`3572ba30  00000000`00000000 01d9e206`c817750b
ffff9705`3572ba40  00000000`00000000 fffff805`3015c728
ffff9705`3572ba50  00000000`000c000c ffff9705`3572a530
ffff9705`3572ba60  ffff9705`3572ba60 ffff9705`3572ba60
ffff9705`3572ba70  74705041`03060000 00000000`00000000
ffff9705`3572ba80  ffff9705`35729ae0 00000000`00000000
ffff9705`3572ba90  00000000`00000000 00000000`00000000

// 4. Module containing the 8-byte pointer (the callback routine) at offset 0x28 of the node
0: kd> lm a fffff805`3015c728
Browse full module list
start             end                 module name
fffff805`30150000 fffff805`301a5000   360qpesv64   (deferred)

07

刪除殺軟回調(diào)的方法

刪除上述四大系統(tǒng)回調(diào)的方法被分為兩類,“創(chuàng)建進程通知回調(diào)”、“創(chuàng)建線程通知回調(diào)”、“加載鏡像通知回調(diào)”被分為一類,為數(shù)組類;“注冊表通知回調(diào)”被分為一類,為雙向循環(huán)鏈表類,以下簡稱鏈表類。

數(shù)組類刪除方法是:找到驅(qū)動對應數(shù)組中的元素,將該元素內(nèi)核地址賦值為 0;

鏈表類刪除方法是:找到驅(qū)動對應的鏈表中的結(jié)點,利用數(shù)據(jù)結(jié)構(gòu)中雙向循環(huán)鏈表刪除結(jié)點的方法,刪除殺軟驅(qū)動對應的結(jié)點。

這里需要注意,數(shù)組類中:

“創(chuàng)建進程通知回調(diào)”、“創(chuàng)建線程通知回調(diào)”,在 win7 及以上的 個人系統(tǒng)和 Server 系統(tǒng)中,通常情況下,數(shù)組大小為 64 個元素;而“加載鏡像通知回調(diào)”中,通常情況下,win10 全系列及以上,數(shù)組大小為 64 個元素,win7-7601、win8-9200、win8.1-9600系統(tǒng)中,可能為 8 個或 64 個元素,為不定值,相關資料可以參考微軟官方文檔,解決方法是,通過 nt!PspLoadImageNotifyRoutineCount 確定當前注冊回調(diào)個數(shù)。

08

刪除殺軟回調(diào)效果

  • 運行 Mimikatz 測試:

    這里測試國內(nèi)外6款主流殺軟,國內(nèi)兩款:某0 數(shù)字衛(wèi)士和某絨,國外四款:卡巴斯基、Windows Defender、eset-nod32、avast;由于該項目主要消弱殺軟或EDR的動態(tài)查殺能力,這里,使用內(nèi)存加載 Mimikatz 的方式進行測試,注意該項目需要免殺或者重新構(gòu)思編碼,比如:換個合法漏洞驅(qū)動,編寫自定義驅(qū)動使用 kdmapper 改良版等項目內(nèi)存加載等,總之,首先要保證你的測試程序在殺軟環(huán)境下要免殺而且能正常執(zhí)行功能。在這里,只考慮刪除殺軟回調(diào)對殺軟的影響,其他相關因素需要通過某些方法進行消除處理。

    測試結(jié)果:

    • eset-nod32、avast、某絨、某0 數(shù)字衛(wèi)士:無需刪除殺軟回調(diào),內(nèi)存加載 Mimikatz,就可以正常執(zhí)行功能;

    • 卡巴斯基、Windows Defender:刪除全部回調(diào)前,內(nèi)存加載 Mimikatz 被查殺;刪除全部回調(diào)后,內(nèi)存加載 Mimikatz 正常執(zhí)行功能。

  • 注冊表修改測試:

    • 刪除全部回調(diào)前,某些注冊表鍵值不可修改;

    • 刪除全部回調(diào)后,某些注冊表鍵值現(xiàn)在已經(jīng)可以修改。

http://www.risenshineclean.com/news/27737.html
