A brief look at methods for bypassing DarkSpy - vulnerability warning - the Black Bar Safety Net

2006-06-06T00:00:00
ID MYHACK58:6220069588
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-06-06T00:00:00

Description

A brief look at methods for bypassing DarkSpy

ythtlqqm@126.com

DarkSpy is an anti-rootkit tool written by CardMagic and wowocock, and a good one. Since my undergraduate thesis is related to rootkit detection, I spent the last few days analysing it to see what could be used. The analysis went fairly smoothly, because most of the techniques inside DarkSpy have been seen on the Internet before, but there are certainly some creative touches.

First, the new material. A member of the driver development site pointed us at the fact that DarkSpy sets the GlobalFlag value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager to 0x4000. What does this do? It adds the "Maintain Object Typelist" flag to NtGlobalFlag, so that whenever the system creates an object it is linked into the list for its type, and that list can then be walked to find the object. Changing the flag requires a reboot, which should be the reason "strong mode" asks for one. As that member said, the author deliberately hid this, and I also think that is wrong: if the purpose was to stop others from cracking it, an uninstaller should still have been provided, because the flag is never cleared, and users who no longer run DarkSpy keep paying for it: every kernel object gets an extra 16 bytes of kernel space, and there are thousands of objects. Against DKOM this technique is relatively weak; the following code clears it:

    VOID ClearObjectCreatorInfo( PVOID Object )
    {
        /* Locate the object header that precedes the object body. */
        POBJECT_HEADER ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
        /* The optional creator-info header holds the TypeList link. */
        POBJECT_HEADER_CREATOR_INFO CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO(ObjectHeader);

        if (CreatorInfo != NULL) {
            /* Unlink the object from its type's list and leave the entry pointing at itself. */
            RemoveEntryList(&CreatorInfo->TypeList);
            InitializeListHead(&CreatorInfo->TypeList);
        }
    }

Pass in the object to be processed and it is taken off the chain. These few lines of code are enough to make "strong mode" fail.
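The uninstall gap described above is easy to check for. The following PowerShell snippet is an added example, not code from the article or from DarkSpy: it reports whether FLG_MAINTAIN_OBJECT_TYPELIST (0x4000) is still set in GlobalFlag and clears that one bit, leaving any other flags intact. The function names are my own; run it as Administrator, and only on a machine where DarkSpy is no longer used, since clearing the bit disables its "strong mode".

```powershell
# Added example: audit and clear the FLG_MAINTAIN_OBJECT_TYPELIST bit in GlobalFlag.
# The key and value name are the ones the article cites; the functions are hypothetical names.
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'GlobalFlag'
$FLG_MAINTAIN_OBJECT_TYPELIST = 0x4000   # gflags "otl", the bit DarkSpy sets

function Get-GlobalFlagState {
    # Returns the current DWORD and whether the object-type-list bit is on.
    $item = Get-ItemProperty -Path $SessionManagerKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    [pscustomobject]@{
        Value      = $value
        TypeListOn = (($value -band $FLG_MAINTAIN_OBJECT_TYPELIST) -ne 0)
    }
}

function Clear-ObjectTypeListFlag {
    # Clears only the 0x4000 bit; other GlobalFlag settings are preserved.
    param([switch]$WhatIf)
    $state = Get-GlobalFlagState
    if (-not $state.TypeListOn) {
        Write-Host 'FLG_MAINTAIN_OBJECT_TYPELIST is not set; nothing to do.'
        return
    }
    $newValue = $state.Value -band (-bnot $FLG_MAINTAIN_OBJECT_TYPELIST)
    if ($WhatIf) {
        Write-Host ('Would change GlobalFlag 0x{0:X} -> 0x{1:X}' -f $state.Value, $newValue)
        return
    }
    Set-ItemProperty -Path $SessionManagerKey -Name $ValueName -Value $newValue -Type DWord
    Write-Host ('GlobalFlag changed 0x{0:X} -> 0x{1:X}; a reboot is required for NtGlobalFlag to follow.' -f $state.Value, $newValue)
}

$state = Get-GlobalFlagState
'GlobalFlag = 0x{0:X}, object type list maintained: {1}' -f $state.Value, $state.TypeListOn
Clear-ObjectTypeListFlag -WhatIf
```

Drop the -WhatIf switch to apply the change; the kernel only re-reads the value at boot, so the extra 16 bytes per object remain allocated until the reboot.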

Below is a brief discussion of the approaches for getting past it:

1. Drivers: DarkSpy 1.0.3 and earlier are very simple. Do as the Futo rootkit does and unlink from PsLoadedModuleList, then pass the driver object to ClearObjectCreatorInfo above, and both "strong mode" and "weak mode" are dealt with. DarkSpy 1.0.4 has changes, but it still looks for the DriverObject, so clearing it at the right moment is enough; for example, one can walk the kernel object tree, and there is an even simpler way :)

2. Processes: DarkSpy's process feature piles many things together to annoy rootkit authors. Well, did it annoy you? Although the individual techniques inside may be stale, combined this way they are hard to clear completely. Here is what hiding requires:
1) Erase the entry from PspCidTable, as Futo does;
2) Pass the process and thread objects to ClearObjectCreatorInfo;
3) It also uses the process handle held by csrss; the simplest approach is to ZwClose it directly inside the csrss process;
4) DarkSpy crashed on my machine, and analysing the dump showed a conflict with my antivirus: DarkSpy also hooks SwapContext. Bad news? Just restore it. The timing of the restore matters, and I am sure you can think of something good. My idea: place a hook on any path that runs before a call to SwapContext; the hook itself does nothing except check SwapContext and, if it has been changed, change it back. This is a very common practice, and it works the same way if DarkSpy hooks somewhere else.
5) There is also the thread-to-process relationship; explore that yourself and get your hands dirty... hehe.
In the end you can hide your process completely, but isn't that exhausting? Is there anything that needs a process which cannot be done without one? It is all a kernel driver anyway... really not necessary.

3. Files: It is said to use the Create IRP, but I have not studied file system drivers either, so the more experienced can fill this in.

4. Registry: Although the test version does not have this feature, the interface lets you guess at the internal version: it is probably copied from or modelled on the open-source tool RegHives, and the principles for defeating that are widely documented online; only the method of dumping the hives may differ.

The author put real effort into providing everyone with a good tool, but these techniques have been circulating online for a long time, and the result is unsatisfactory. This short article will surely prompt the author to release an update, hehe.

I am only an intermediate newbie; some of the material in the middle came from masters on the driver development site, like that GlobalFlag point, which I had no idea was of any use. Thanks to those masters for the pointers. There is no space to upload the hiding demo video, so never mind.