360 Safety Guard can be shut down: vulnerability analysis - vulnerability warning - the black bar safety net

2014-04-17T00:00:00
ID MYHACK58:62201444881
Type myhack58
Reporter Anonymous
Modified 2014-04-17T00:00:00

Description

360 Safety Guard can be shut down: vulnerability analysis

Test environment: 360 Security Guard 9.0. The latest version of Security Guard has already fixed this vulnerability.

Phenomenon

A Trojan can shut down 360 Security Guard. Reverse analysis found that the Trojan simply runs the following code (the listing is cut off at this point on the page):

    HMODULE h360 = GetModuleHandle(TEXT("safemon.dll"));
    int i = 0;
    for (i = 0; i

After we ran the code above ourselves, the 360 Security Guard process 360tray.exe exited automatically. Note: the program must be a windowed (GUI) application, not a console application, because console applications do not load safemon.dll.

The attack principle

The simple code above is enough to shut down 360. What does it actually do? First it gets the module address of safemon.dll; every process with a graphical interface loads this DLL. It then searches that module for a signature (byte pattern). Analysis found that the code it looks for is the following:

    67366570  83EC 10            sub esp, 10
    67366573  56                 push esi
    67366574  8D4424 04          lea eax, dword ptr [esp+4]
    67366578  50                 push eax
    67366579  6A 00              push 0
    6736657B  8D4C24 10          lea ecx, dword ptr [esp+10]
    6736657F  51                 push ecx
    67366580  68 40653667        push 67366540
    67366585  6A 00              push 0
    67366587  6A 00              push 0
    67366589  C74424 20 E48D4>   mov dword ptr [esp+20], 67418DE4   ; ASCII "Q360SafeMonClass"
    67366591  C74424 24 00000>   mov dword ptr [esp+24], 0
    67366599  C74424 28 00000>   mov dword ptr [esp+28], 0
    673665A1  FF15 10D34067      call dword ptr []                  ; kernel32.GetCurrentProcess
    673665A7  50                 push eax
    673665A8  FF15 58D14067      call dword ptr []                  ; kernel32.CreateRemoteThread
    673665AE  8BF0               mov esi, eax
    673665B0  85F6               test esi, esi
    673665B2  74 10              je short 673665C4
    673665B4  6A FF              push -1
    673665B6  56                 push esi
    673665B7  FF15 24D14067      call dword ptr []                  ; kernel32.WaitForSingleObject
    673665BD  56                 push esi
    673665BE  FF15 20D34067      call dword ptr []                  ; kernel32.CloseHandle
    673665C4  8B4424 10          mov eax, dword ptr [esp+10]
    673665C8  5E                 pop esi
    673665C9  83C4 10            add esp, 10
    673665CC  C3                 retn

Its role is to find the window handle of Q360SafeMonClass. Once the Trojan has located this piece of code, it executes it to obtain the window handle. Why not simply call FindWindow? Presumably 360 applies some protection here, and a direct FindWindow lookup is feared not to find the window. Having found the window, the Trojan sends it a WM_COPYDATA message whose COPYDATASTRUCT has dwData = 0x4d47534d, a data length of 0x1000, and random data as content. I wrote a program to simulate the functionality above; running it successfully ended the 360tray process, proving that the principle is correct.

Debugging the vulnerability

To find out exactly what makes 360tray so easy to shut down, I decided to debug 360. I started OllyDbg and prepared to attach to the 360tray process, but found it impossible to attach: 360 protects against that. To debug 360, the protection must first be removed. Using XueTr, look at 360's kernel hook points and try to restore them:
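A receiver-side check for this message path, added here as an example and not code from the article or from 360: it validates a COPYDATASTRUCT before any byte of the payload is trusted, using the tag and length seen in the analysis. The mirrored struct and the payload layout (a 4-byte inner length) are assumptions, since the article does not reveal 360's real format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirror of the Win32 COPYDATASTRUCT layout so this compiles without windows.h;
   on Windows include <windows.h> and use COPYDATASTRUCT itself. */
typedef struct {
    uintptr_t dwData;   /* sender-chosen tag; the analysed message used 0x4d47534d */
    uint32_t  cbData;   /* byte length of lpData */
    void     *lpData;   /* payload copied into the receiving process */
} copydata_t;

#define SAFEMON_TAG 0x4d47534dUL   /* dwData value from the analysis */
#define SAFEMON_LEN 0x1000u        /* cbData value from the analysis */
#define INNER_HDR   4u             /* hypothetical payload header: 4-byte inner length */

enum cd_verdict { CD_OK = 0, CD_NULL, CD_BAD_TAG, CD_BAD_LEN, CD_BAD_BODY };

/* Validate a WM_COPYDATA payload before any field of it is used.
   Tag and size checks alone accept the 0x1000-byte random message described
   on the page; only the body check rejects it. The body layout (a 4-byte
   inner length that must fit inside cbData) is an assumption for the demo. */
enum cd_verdict copydata_validate(const copydata_t *cd)
{
    uint32_t inner_len;
    if (cd == NULL || cd->lpData == NULL)
        return CD_NULL;
    if (cd->dwData != SAFEMON_TAG)
        return CD_BAD_TAG;
    if (cd->cbData != SAFEMON_LEN)      /* exact size the protocol expects */
        return CD_BAD_LEN;
    memcpy(&inner_len, cd->lpData, INNER_HDR);   /* read stays within cbData */
    if (inner_len > cd->cbData - INNER_HDR)
        return CD_BAD_BODY;
    return CD_OK;
}

static unsigned char g_buf[SAFEMON_LEN];   /* constructed message buffer */

/* Message as in the analysis: correct tag, 0x1000 bytes, filler content. */
enum cd_verdict check_filler_message(unsigned char fill)
{
    copydata_t cd = { SAFEMON_TAG, SAFEMON_LEN, g_buf };
    memset(g_buf, fill, sizeof g_buf);
    return copydata_validate(&cd);
}

/* Well-formed message under the assumed layout, with a chosen cbData. */
enum cd_verdict check_wellformed_message(uint32_t cb, uint32_t inner_len)
{
    copydata_t cd = { SAFEMON_TAG, cb, g_buf };
    memset(g_buf, 0, sizeof g_buf);
    memcpy(g_buf, &inner_len, INNER_HDR);
    return copydata_validate(&cd);
}
```

The point is that a magic tag and a fixed size are not authentication: any process that can find the window can send them, so every field read from the payload must be bounds-checked against cbData before use.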
