/** * 过滤核心函数 * */ NTSTATUS NTAPI BkMapViewOfSection(IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PULONG ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect) { PVOID Section = NULL; ULONG bModuleFilter = MODULE_PASSED; // 获取Section Object NTSTATUS Status = ObReferenceObjectByHandle (SectionHandle, 0x00000004, //SECTION_MAP_READ *MmSectionObjectType, UserMode, (PVOID *)&Section, NULL); // 如果失败直接返回系统调用 if(NT_SUCCESS(Status)) { // 通过硬编码值找到FileObject PVOID Segment = *(PVOID*)((ULONG)Section + g_Offset_SegmentInSection); if(Segment) { PVOID ControlArea = *(PVOID*)((ULONG)Segment + g_Offset_ControlAreaInSegment); if(ControlArea) { PVOID FileObject = *(PVOID*)((ULONG)ControlArea + g_Offset_FileObjectInControlArea); // 如果是vista或者win7系统,FileObject需要清除最后3个bits if((g_SysVersion.dwMajorVersion == 6 && g_SysVersion.dwMinorVersion == 1) // Windows 7 || (g_SysVersion.dwMajorVersion == 6 && g_SysVersion.dwMinorVersion == 0)) // Windows Vista FileObject = (PVOID)((ULONG)FileObject & 0xFFFFFFF8); if(FileObject) { //KdPrint(("==>BkMapViewOfSection\n")); // 获取文件路径 POBJECT_NAME_INFORMATION ObjectKernelName = BkQueryNameString((PVOID)FileObject); if (ObjectKernelName != NULL) { //检查文件是否是PE文件,如果是做进一步检查,不是的话通过检查。 if (IsPEFile(&ObjectKernelName->Name)) { // 检查是否是可信文件hash if (!CheckIsFileHashSecure(&ObjectKernelName->Name)) { bModuleFilter = MODULE_FILTERED; } } ExFreePool(ObjectKernelName); } //KdPrint(("<==BkMapViewOfSection\n")); } } } ObDereferenceObject(Section); if (bModuleFilter == MODULE_FILTERED) { //KdPrint(("Module Filtered\n")); return STATUS_ACCESS_DENIED; } } // 调用原系统服务 NTSTATUS result = NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Protect); return result; }
// // main // int main(int argc, char **argv) { dbCursor<LibM> cursor1; if (argc != 4) { printf("Usage: %s target lib_root_path full:0|1\n", argv[0]); return 0; } lib_root_path = argv[2]; bFull = argv[3][0] == '1'; TCHAR *filename = argv[1]; TCHAR filename2[MAX_PATH]; int i; DeleteFile("LibM.fdb"); if (!db.open("LibM")) { return 0; } printf("Built on " __DATE__ " " __TIME__ "\nInit db..."); build_instruction_db(); printf("total:%d OK\n", lib_count); //getch(); InitializeCriticalSection(&cs); while (1) { printf("Loading...\n"); if (!LoadFileR(filename, &stMapFile)) { cerr << "ERROR FILE!" << endl; //continue; break; } if (!IsPEFile(stMapFile.ImageBase)) { cerr << "NOT PE FILE!" << endl; UnLoadFile(&stMapFile); //continue; break; } pOH = GetOptionalHeader(stMapFile.ImageBase); pImageNtH = GetNtHeaders(stMapFile.ImageBase); int c0 = 0, c1 = 0, c2 = 0, c3 = 0, c4 = 0, count = 0; // read target function info wsprintf(filename2, _T("%s.txt"), filename); ifstream is2(filename2, ios::binary); if (!is2.is_open()) { break; } int tt; db.detach(); f_info.clear(); while (!is2.eof()) { int startEA, endEA; is2.read((char *)&startEA, sizeof(int)); is2.read((char *)&endEA, sizeof(int)); if (endEA - startEA < MIN_INS_LENGTH) { continue; } function_info fi; memset(&fi, 0, sizeof(fi)); fi.startEA = startEA; fi.len = endEA - startEA; fi.lib_name[0] = 0; f_info.push_back(fi); } total_function_len = f_info.size(); //sort(f_info.begin(), f_info.end(), myfunction); printf("OK\n"); tt = GetTickCount(); int thread_num = bMultiThread ? THREAD_NUM : 1; if (show_dump) { thread_num = 1; } HANDLE *thread = new HANDLE[thread_num]; for (i = 0; i < thread_num; i++) { thread[i] = (HANDLE)_beginthreadex(NULL, 0, bFull ? (&MatchThreadForFull) : (&MatchThread), (void *)i, 0, NULL); } WaitForMultipleObjects(thread_num, thread, TRUE, INFINITE); tt = GetTickCount() - tt; delete[] thread; db.attach(); UnLoadFile(&stMapFile); if (cursor1.select() > 0) { do { delete (ControlFlowGraph *)cursor1->cfg; } while (cursor1.next()); } DWORD s = 0; DWORD _r0 = 0, _r1 = 0, _r34 = 0, _r2 = 0, _r5 = 0, _fn = 0; for (i = 0; i < THREAD_NUM; i++) { s += instruction_count[i]; _r0 += r0[i]; _r1 += r1[i]; _r2 += r2[i]; _r34 += r34[i]; _r5 += r5[i]; _fn += fn[i]; } printf("#fn:%d #instr:%d t:%d found:%d\n", _fn, s, tt, found_c); printf("r1:\t%d\n", _r1); printf("r2:\t%d\n", _r2); printf("r34:\t%d\n", _r34); printf("r5:\t%d\n", _r5); printf("r0:\t%d\n", _r0); printf("fulled:\t%d\n", fulled); printf("check failed:\t%d\n", check_failed); printf("END.\n"); break; } DeleteCriticalSection(&cs); db.detach(); #ifdef _DEBUG cout << "Press ENTER..." << endl; char c; c = cin.get(); #endif return 0; }
int DetectOverlayedFile(LPCTSTR szFilePath) { HANDLE hFile; DWORD dwReaded; DWORD dwFileSize; DWORD dwPEOffset; DWORD dwSign; const DWORD dwBufferSize = 4096; BYTE buffer[4096]; BYTE* pSectionsTable; WORD wNumberOfSections; DWORD dwMaxRawSize, dwRawSize; IMAGE_SECTION_HEADER* pSectionHeader; int i; if(!IsPEFile(szFilePath)) return NOT_OVERLAY; hFile = CreateFile(szFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) return ERROR_DETECT; dwFileSize = ::GetFileSize(hFile, NULL); if (dwFileSize == 0) { CloseHandle(hFile); return ERROR_DETECT; } ReadFile(hFile, buffer, dwBufferSize, &dwReaded, NULL); if (dwReaded != dwBufferSize && dwReaded != dwFileSize) { // Cannot read file, return CloseHandle(hFile); return ERROR_DETECT; } dwSign = *((WORD*)buffer); if (dwSign != 0x5A4D) { // Not MZ CloseHandle(hFile); return ERROR_DETECT; } dwPEOffset = *((DWORD*)(buffer + 0x3C)); if (dwPEOffset > (dwFileSize)) { // Offset out of file, return CloseHandle(hFile); return ERROR_DETECT; } // Move file pointer to the beginning of the PE header if (SetFilePointer(hFile, dwPEOffset, NULL, FILE_BEGIN) == -1) { CloseHandle(hFile); return ERROR_DETECT; } // Read PE header to buffer ReadFile(hFile, buffer, dwBufferSize, &dwReaded, NULL); if (dwReaded != dwBufferSize) { CloseHandle(hFile); return ERROR_DETECT; } dwSign = *((DWORD*)buffer); if (dwSign != 0x4550) { // Not PE CloseHandle(hFile); return ERROR_DETECT; } pSectionsTable = buffer + (*(WORD*)(buffer + 0x14)) + 0x18; wNumberOfSections = *(WORD*)(buffer + 6); if (wNumberOfSections == 0 || wNumberOfSections >= MAX_SECTIONS) return FALSE; dwMaxRawSize = 0; for (i = 0; i < wNumberOfSections; i++) { pSectionHeader = (IMAGE_SECTION_HEADER*)(pSectionsTable + 0x28 * i); dwRawSize = pSectionHeader->PointerToRawData + pSectionHeader->SizeOfRawData; if (dwMaxRawSize < dwRawSize) dwMaxRawSize = dwRawSize; } if(dwMaxRawSize == dwFileSize) { CloseHandle(hFile); return NOT_OVERLAY; } if(SetFilePointer(hFile,dwMaxRawSize,NULL,FILE_BEGIN) == -1) { CloseHandle(hFile); return ERROR_DETECT; } // Doc va kiem tra MZ, PE ReadFile(hFile,buffer,dwBufferSize,&dwReaded,NULL); if(dwReaded <dwBufferSize) return NOT_OVERLAY; for(i=0; i<dwBufferSize-sizeof(IMAGE_DOS_HEADER);i++) { if(buffer[i]=='M' && buffer[i+1]=='Z' && buffer[i+sizeof(IMAGE_DOS_HEADER)]=='P' && buffer[i+1+sizeof(IMAGE_DOS_HEADER)]) { CloseHandle(hFile); return OVERLAY_DOUBLE_MZ; } } CloseHandle(hFile); return OVERLAY_SINGLE_MZ; // return (dwMaxRawSize < dwFileSize); }
BOOL CALLBACK StatusDlgProc (HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam) { HANDLE hThread ; //DWORD ProtFileThreadID; UINT ProtFileThreadID; switch (message) { case WM_INITDIALOG: //创建消息框缓冲 pMessageBuffer = new TCHAR [0x10000]; ZeroMemory(pMessageBuffer, 0x10000); //将消息缓冲区数据清零 hProgress = GetDlgItem(hDlg, IDC_PROGRESS) ; DragAcceptFiles(hDlg,TRUE); break; case WM_DROPFILES://支持文件拖放 if(FALSE==ISWORKING){ ZeroMemory(pMessageBuffer, 0x10000); //将消息缓冲区数据清零 ZeroMemory(szFilePath,MAX_PATH);//清空文件名缓冲 DragQueryFile((HDROP)wParam, 0, szFilePath, sizeof(szFilePath)); DragFinish((HDROP)wParam); SendDlgItemMessage(hDlg,IDC_MESSAGEBOX_EDIT,WM_SETTEXT,0,0);//清空消息框中的提示 SendDlgItemMessage(hDlg,IDC_FILEPATH_EDIT,WM_SETTEXT,MAX_PATH,(LPARAM)szFilePath); AddLine(hDlg,szFilePath); if(!IsPEFile(szFilePath,hDlg)) EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), FALSE); else EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), TRUE); SendMessage(hProgress,PBM_SETPOS, 0, 0); } break; case WM_COMMAND: switch (LOWORD (wParam)) { case IDC__EXIT_BUTTON: SendMessage(GetParent(GetParent(hDlg)), WM_CLOSE, 0, 0); break; //置顶 case IDC_ONTOP: if(SendDlgItemMessage(hDlg, IDC_ONTOP, BM_GETCHECK, 0, 0)==BST_CHECKED) SetWindowPos(GetParent(GetParent(hDlg)),HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE); else SetWindowPos(GetParent(GetParent(hDlg)),HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE); break; //保护 case IDC_PROT_BUTTON: EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), FALSE); EnableWindow(GetDlgItem(hDlg,IDC_OPEN_BUTTON), FALSE);//压缩过程中打开按钮不可用 //ProtTheFile(hDlg); //创建一个进程来压缩数据 // hThread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)ProtTheFile, (VOID *)hDlg, NORMAL_PRIORITY_CLASS, &ProtFileThreadID); hThread = (HANDLE)_beginthreadex( NULL, 0, (unsigned int (_stdcall*)(void*))&ProtTheFile, (LPVOID)hDlg, 0, &ProtFileThreadID ); CloseHandle(hThread); break; //打开预处理 case IDC_OPEN_BUTTON: if(!OpenFileDlg(szFilePath,hDlg)) break; SendDlgItemMessage(hDlg,IDC_FILEPATH_EDIT,WM_SETTEXT,MAX_PATH,(LPARAM)szFilePath); AddLine(hDlg,szFilePath); if(!IsPEFile(szFilePath,hDlg)) EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), FALSE); else EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), TRUE); SendMessage(hProgress,PBM_SETPOS, 0, 0); break; } return TRUE; break; } return FALSE; }