Maxthon2 (Voyager 2) mxsafe.dll web Trojan protection and its bypass - vulnerability warning - Black Bar Safety Net (myhack58)

2007-11-04T00:00:00
ID MYHACK58:62200717500
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-11-04T00:00:00

Description

Author: void#ph4nt0m.org   Published: 2007-09-27   http://www.ph4nt0m.org


Maxthon2 (Voyager 2) mxsafe.dll web Trojan protection and its bypass
-----------------------------------------------------------------------
At startup maxthon2 loads mxsafe.dll, which hooks a number of APIs. When a program is run from inside the browser and is not on the trust list, a dialog box pops up asking whether to allow or block it. As a result, most downloader Trojans are detected the moment they start.

To find out which APIs mxsafe hooks: open maxthon.exe in OllyDbg, set a breakpoint on WriteProcessMemory (bp WriteProcessMemory), press F9 and watch which addresses get modified. Alternatively, start maxthon.exe and scan it with Rootkit Unhooker; the code hooks listed below show up.

Which hooks? (maxthon.exe v2.0.3.4643, mxsafe.dll v1.0.0.477)
---------------------------
Modified ntdll.dll export table (EAT hook):
[1] ZwCreateProcessEx / ZwCreateProcess   // detects process creation on winxp/2003 and 2000
[2] ZwWriteVirtualMemory                  // detects code injection

kernel32.dll IAT hook:
[3] ZwCreateProcessEx (xp/2003) / ZwCreateProcess (2000)   // detects process creation on winxp/2003 and 2000
[4] ZwWriteVirtualMemory                                   // detects code injection

kernel32.dll inline hook:
[5] LoadLibraryExW            // detects LoadLibraryA/W calls
[6] CreateProcessInternalW    // detects CreateProcessA/W calls

How to bypass
------------------------------
To sneak into town quietly without firing a shot, the shellcode has to unhook [3], [4] and [6] above. Unhooking the inline hook [6] is the easier part: mxsafe.dll only overwrites the first few bytes of CreateProcessInternalW with a relative jmp, so writing the original bytes back restores it. Unhooking [3] and [4] from shellcode is a little more troublesome, because the ZwCreateProcess(Ex) and ZwWriteVirtualMemory entries in the export table of the in-memory ntdll.dll image have already been replaced by mxsafe, so the route of manually parsing the export table to get the original native API address and then restoring the IAT is blocked. But there are other ways; there are still several ways to get the real address:
1. Read the original ntdll.dll file from disk and manually parse its export table to get the true address.
2. Search the .text section of the in-memory ntdll.dll image and use signature matching to find the native API's address.

Method 1 is troublesome to implement. Method 2 is simpler, but a few details need attention. Look at the ZwCreateProcess(Ex) code inside ntdll.dll.

win2003 sp1 ZwCreateProcessEx 0x32
------------------------------------------
7C9512A7      90              NOP
7C9512A8 >    B8 32000000     MOV EAX,32                 // syscall id
7C9512AD      BA 0003FE7F     MOV EDX,7FFE0300
7C9512B2      FF12            CALL DWORD PTR DS:[EDX]
7C9512B4      C2 2400         RETN 24

win XP SP2 ZwCreateProcessEx 0x30
------------------------------------------
7C92D74E      90              NOP
7C92D74F      90              NOP
7C92D750      90              NOP
7C92D751      90              NOP
7C92D752      90              NOP
7C92D753      90              NOP
7C92D754 >    B8 30000000     MOV EAX,30                 // syscall id
7C92D759      BA 0003FE7F     MOV EDX,7FFE0300
7C92D75E      FF12            CALL DWORD PTR DS:[EDX]
7C92D760      C2 2000         RETN 20

win2000 ZwCreateProcess
--------------------------------------------
77F88306      8BFF            MOV EDI,EDI
77F88308 >/$  B8 29000000     MOV EAX,29                 // syscall id
77F8830D |.   8D5424 04       LEA EDX,DWORD PTR SS:[ESP+4]
77F88311 |.   CD 2E           INT 2E
77F88313 \.   C2 2000         RETN 20

What do we find? The syscall id of ZwCreateProcessEx differs between xp and 2003, and 2000 only has ZwCreateProcess, so one signature that covers 2000/xp/2003 at once is not possible. So: on xp match 0x000030B8, on 2003 match 0x000032B8 to find the real address, then search the import table of the in-memory kernel32.dll image for NtCreateProcessEx (because on xp/2003 CreateProcessA/W does not create the process through NtCreateProcess) and repair the IAT hook. On 2000 match 0x000029B8, search kernel32.dll for NtCreateProcess, and repair it. NtWriteVirtualMemory is handled the same way; no need to say more. No sample code is provided; if you are interested, work it out yourself.
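As an added illustration of the stub layouts listed above (this is not code from the original article or from Maxthon), the following C function classifies the first bytes of an ntdll Zw* stub from a defender's side: it reports the MOV EAX syscall id and the RETN operand when the bytes match the xp/2003 layout (MOV EDX,7FFE0300 ; CALL [EDX]) or the 2000 layout (LEA EDX,[ESP+4] ; INT 2E), skips the NOP / MOV EDI,EDI hot-patch padding that differs between the three listings, and flags a prologue that begins with an E9 relative jmp, the inline-hook form the text describes for CreateProcessInternalW. An integrity checker can use this to compare what sits in memory against the expected stub instead of trusting it. mov_eax_signature shows where the 0x000030B8 / 0x000032B8 / 0x000029B8 words come from. The sample byte strings are constructed from the listings above; the hooked prologue is hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classification of the first bytes of an ntdll Zw* stub. */
enum stub_kind {
    STUB_SYSCALL_SYSENTER = 1,  /* xp/2003: MOV EAX,id ; MOV EDX,7FFE0300 ; CALL [EDX] */
    STUB_SYSCALL_INT2E    = 2,  /* 2000:    MOV EAX,id ; LEA EDX,[ESP+4] ; INT 2E       */
    STUB_INLINE_JMP       = -1, /* first byte is E9 rel32: the inline-hook layout        */
    STUB_UNKNOWN          = -2  /* does not match any layout listed in the article       */
};

typedef struct {
    enum stub_kind kind;
    uint32_t syscall_id;   /* imm32 of MOV EAX; valid only for STUB_SYSCALL_* */
    uint16_t retn_bytes;   /* operand of RETN;  valid only for STUB_SYSCALL_* */
    size_t   prologue_len; /* NOP / MOV EDI,EDI bytes skipped before MOV EAX  */
} stub_info;

static int bytes_match(const uint8_t *p, size_t avail, const uint8_t *pat, size_t n) {
    if (avail < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != pat[i]) return 0;
    return 1;
}

/* Inspect `len` bytes at `code` (a copy of a stub's prologue) and classify them. */
stub_info inspect_stub(const uint8_t *code, size_t len) {
    static const uint8_t sysenter_tail[] = { 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12 };
    static const uint8_t int2e_tail[]    = { 0x8D,0x54,0x24,0x04, 0xCD,0x2E };
    stub_info r = { STUB_UNKNOWN, 0, 0, 0 };
    enum stub_kind k;
    size_t off = 0;

    if (len >= 5 && code[0] == 0xE9) {      /* relative jmp planted over the entry point */
        r.kind = STUB_INLINE_JMP;
        return r;
    }
    /* Skip hot-patch padding: 90 (NOP) or 8B FF (MOV EDI,EDI). */
    while (off < len) {
        if (code[off] == 0x90) { off += 1; continue; }
        if (off + 1 < len && code[off] == 0x8B && code[off + 1] == 0xFF) { off += 2; continue; }
        break;
    }
    r.prologue_len = off;
    if (off + 5 > len || code[off] != 0xB8) return r;   /* expect MOV EAX,imm32 */
    r.syscall_id = (uint32_t)code[off + 1] | ((uint32_t)code[off + 2] << 8)
                 | ((uint32_t)code[off + 3] << 16) | ((uint32_t)code[off + 4] << 24);
    off += 5;
    if (bytes_match(code + off, len - off, sysenter_tail, sizeof sysenter_tail)) {
        k = STUB_SYSCALL_SYSENTER; off += sizeof sysenter_tail;
    } else if (bytes_match(code + off, len - off, int2e_tail, sizeof int2e_tail)) {
        k = STUB_SYSCALL_INT2E; off += sizeof int2e_tail;
    } else {
        return r;
    }
    if (off + 3 > len || code[off] != 0xC2) return r;   /* expect RETN imm16 */
    r.retn_bytes = (uint16_t)(code[off + 1] | (code[off + 2] << 8));
    r.kind = k;
    return r;
}

/* The little-endian dword "B8 id 00 00" the text searches for: id 0x30 gives 0x000030B8. */
uint32_t mov_eax_signature(uint8_t syscall_id) {
    return 0xB8u | ((uint32_t)syscall_id << 8);
}

/* Byte strings constructed from the listings above (not captured from a live process). */
static const uint8_t xp_sp2_ZwCreateProcessEx[] = {
    0x90,0x90,0x90,0x90,0x90,0x90,
    0xB8,0x30,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x20,0x00 };
static const uint8_t w2k3_sp1_ZwCreateProcessEx[] = {
    0x90, 0xB8,0x32,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x24,0x00 };
static const uint8_t w2k_ZwCreateProcess[] = {
    0x8B,0xFF, 0xB8,0x29,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x20,0x00 };
/* Hypothetical hooked prologue: first five bytes overwritten by E9 rel32 (rel32 value is arbitrary). */
static const uint8_t hooked_prologue[] = {
    0xE9,0x00,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x20,0x00 };

int main(void) {
    const struct { const char *name; const uint8_t *code; size_t len; } samples[] = {
        { "xp sp2 ZwCreateProcessEx",   xp_sp2_ZwCreateProcessEx,   sizeof xp_sp2_ZwCreateProcessEx },
        { "2003 sp1 ZwCreateProcessEx", w2k3_sp1_ZwCreateProcessEx, sizeof w2k3_sp1_ZwCreateProcessEx },
        { "2000 ZwCreateProcess",       w2k_ZwCreateProcess,        sizeof w2k_ZwCreateProcess },
        { "hooked prologue",            hooked_prologue,            sizeof hooked_prologue },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        stub_info s = inspect_stub(samples[i].code, samples[i].len);
        if (s.kind == STUB_INLINE_JMP)
            printf("%-28s E9 jmp at entry: treat as hooked\n", samples[i].name);
        else if (s.kind == STUB_UNKNOWN)
            printf("%-28s unknown layout\n", samples[i].name);
        else
            printf("%-28s syscall id 0x%02X, RETN %X, signature 0x%08X, %s\n", samples[i].name,
                   s.syscall_id, s.retn_bytes, mov_eax_signature((uint8_t)s.syscall_id),
                   s.kind == STUB_SYSCALL_INT2E ? "INT 2E" : "sysenter via 7FFE0300");
    }
    return 0;
}
```

The check deliberately refuses to guess: anything that is neither a known stub layout nor an obvious E9 jmp comes back as STUB_UNKNOWN, which is the right answer for an integrity monitor, since the syscall ids and padding differ per Windows build and a loose match would produce both false alarms and false negatives.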

Defence
---------------
Ring3 is unreliable: once the shellcode is up and running, whatever you hook it can unhook again; it is only manual labour. For defence in depth, go down into ring0.

Finally
---------------
On win2003, if the CPU supports DEP and boot.ini contains /noexecute=optout, the heap spray dies even without mxsafe.dll. I didn't test Vista, but UAC is no pushover either.