ARK相关技术

mallocfree:linxerARK相关技术(一)目录进程线程进程模块进程其他项目驱动模块SSDTShadowSSDTFSD一.进程1.进程枚举2.EPROCESS识别3.TerminateProcess1.进程枚举A.Ring3枚举进程1.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS)/Process32First/Process32NextZwQuerySystemInformation(SystemProcessesAndThreadsInformation)EnumWindows/GetWindowThreadProcessIdfor(;;)OpenProcess……B.PspCidTable查找PspCidTableExEnumHandleTable解析PspCidTableHANDLE_TABLEHANDLE_TABLE_ENTRYKPCR.KdVersionBlock-PspCidTable(wdbgexts.h)2000_HANDLE_TABLEtypedefstruct_HANDLE_TABLE{ULONGFlags;LONGHandleCount;PHANDLE_TABLE_ENTRY**Table;================================PEPROCESSQuotaProcess;HANDLEUniqueProcessId;LONGFirstFreeTableEntry;LONGNextIndexNeedingPool;ERESOURCEHandleTableLock;LIST_ENTRYHandleTableList;KEVENTHandleContentionEvent;}_HANDLE_TABLE,*PHANDLE_TABLE;XP~Win7HANDLE_TABLEnt!_HANDLE_TABLE+0x000TableCode:Uint8B=====================================+0x008QuotaProcess:Ptr64_EPROCESS+0x010UniqueProcessId:Ptr64Void+0x018HandleLock:_EX_PUSH_LOCK+0x020HandleTableList:_LIST_ENTRY+0x030HandleContentionEvent:_EX_PUSH_LOCK+0x038DebugInfo:Ptr64_HANDLE_TRACE_DEBUG_INFO+0x040ExtraInfoPages:Int4B+0x044Flags:Uint4B+0x044StrictFIFO:Pos0,1Bit+0x048FirstFreeHandle:Uint4B+0x050LastFreeHandleEntry:Ptr64_HANDLE_TABLE_ENTRY+0x058HandleCount:Uint4B+0x05cNextHandleNeedingPool:Uint4B+0x060HandleCountHighWatermark:Uint4BWin8_HANDLE_TABLEnt!_HANDLE_TABLE+0x000NextHandleNeedingPool:Uint4B+0x004ExtraInfoPages:Int4B+0x008TableCode:Uint4B==================================================+0x00cQuotaProcess:Ptr32_EPROCESS+0x010HandleTableList:_LIST_ENTRY+0x018UniqueProcessId:Uint4B+0x01cFlags:Uint4B+0x01cStrictFIFO:Pos0,1Bit+0x01cEnableHandleExceptions:Pos1,1Bit+0x01cRundown:Pos2,1Bit+0x01cDuplicated:Pos3,1Bit+0x020HandleContentionEvent:_EX_PUSH_LOCK+0x024HandleTableLock:_EX_PUSH_LOCK+0x028FreeLists:[1]_HANDLE_TABLE_FREE_LIST+0x028ActualEntry:[20]UChar+0x03cDebugInfo:Ptr32_HANDLE_TRACE_DEBUG_INFO2k~Win7nt!_HANDLE_TABLE_ENTRY+0x000Object:Ptr64去掉最低位，Object合法？+0x000ObAttributes:Uint4B+0x000InfoTable:Ptr64+0x000Value:Uint8B+0x008GrantedAccess:Uint4B+0x008GrantedAccessIndex:Uint2B+0x00aCreatorBackTraceIndex:Uint2B+0x008NextFreeTableEntry:Uint4BWin8nt!_HANDLE_TABLE_ENTRY+0x000VolatileLowValue:Int4B+0x000LowValue:Int4B去掉低位，合法Object？+0x000InfoTable:Ptr32_HANDLE_TABLE_ENTRY_INFO+0x000Unlocked:Pos0,1Bit+0x000Attributes:Pos1,2Bits+0x000ObjectPointerBits:Pos3,29Bits+0x004HighValue:Int4B+0x004NextFreeHandleEntry:Ptr32_HANDLE_TABLE_ENTRY+0x004LeafHandleValue:_EXHANDLE+0x004GrantedAccessBits:Pos0,25Bits+0x004ProtectFromClose:Pos25,1Bit+0x004RefCnt:Pos26,6BitsWin8X86ExpLookupHandleTableEntryWin8X64ExpLookupHandleTableEntryC.PsActiveProcessHeadSystem进程ActiveProcessLinks.BlinkKPCR.KdVersionBlock-PsActiveProcessHeadD.KiWaitInListHead/KiWaitOutListHead/KiDispatcherReadyListHead前2者是链表，通过ETHREAD.WaitListEntry串联后者是在非2000系统中是LIST_ENTRY[32]，也是通过ETHREAD.WaitListEntry串联查找三个列表XP:KeDelayExecutionThreadKiWaitInListHeadKiWaitOutListHead2600:KeGetCurrentPrcb()-KiWaitInListHeadXP:KiReadyThread-KiDispatcherReadyListHead2600:KeGetCurrentPrcb()-KiDispatcherReadyListHeadE.搜索内存搜索范围EPROCESS识别F.CSRSS.EXE句柄csrss.exe识别（\Windows\ApiPort）NtQuerySystemInformation（SystemHandleInformation）收集句柄对象EPROCESS识别（或ObjectTypeNumber）G.SwapContext查找SwapContextKiDispatchInterruptInlinehook上下文保护、EDI/ESI是ETHREAD,=DPCH.EPROCESS中其它链表I……2.EPROCESS识别ObjectTypePEBVADRootObjectTable几个ThreadListHead结合ETHREAD信息……？3.TerminateProcessA.NtTerminateProcessB.涂改内存C.卸载模块D.窗口攻击E.CreateJobObject/AssignProcessToJobObject/TerminateJobObjectF.注入代码，ExitProcessG.SetThreadContextH.调试器吸附,退出I.对每个线程(GetNextProcessThread)PspTerminateThreadByPointerJ…….二.线程1.线程枚举2.ETHREAD识别3.TerminateThread1.线程枚举A.PspCidTableB.SwapContextC.搜索内存搜索范围ETHREAD识别D.ThreadListEntryEPROCESS.ThreadListEntryKPROCESS.ThreadListEntryE……2.ETHREAD识别ObjectTypeTEBETHREAD.ThreadListHeadKTHREAD.ThreadListHead定位EPROCESS,检测EPROCESS的一些信息……3.TerminateThreadNtTerminateThreadPspTerminateThreadByPointerInsertAPC杀线程三.进程模块1.PEB枚举进程模块X86情况X64情况X64程序X86程序Ring3路径重定位问题2.LdrpHashTable枚举进程模块(LIST_ENTRY[32])X86情况X64情况X64程序X86程序路径问题3.Vad枚举进程模块避免误报？lkddt_CONTROL_AREA-bnt!_CONTROL_AREA+0x000Segment:Ptr32+0x004DereferenceList:_LIST_ENTRY+0x000Flink:Ptr32+0x004Blink:Ptr32+0x00cNumberOfSectionReferences:Uint4B+0x010NumberOfPfnReferences:Uint4B+0x014NumberOfMappedViews:Uint4B+0x018NumberOfSubsections:Uint2B+0x01aFlushInProgressCount:Uint2B+0x01cNumberOfUserReferences:Uint4B+0x020u:__unnamed+0x000LongFlags:Uint4B+0x000Flags:_MMSECTION_FLAGS+0x000BeingDeleted:Pos0,1Bit+0x000BeingCreated:Pos1,1Bit+0x000BeingPurged:Pos2,1Bit+0x000NoModifiedWriting:Pos3,1Bit+0x000FailAllIo:Pos4,1Bit+0x000Image:Pos5,1Bit+0x000Based:Pos6,1Bit+0x000File:Pos7,1Bit4.搜索内存枚举进程模块搜索范围PE识别5.模块卸载远线程FreeLibraryNtUnmapViewOfSection不足：通过PEB、LdrpHashTable还可枚举到四.进程其他项目1.进程快捷键枚举NtUserRegisterHo