Li Mingzheng, Alfa Lab, Topsec (Tianrongxin)
1. Definition and history of antivirus penetration drivers
2. How penetration drivers work
3. Fighting antivirus driver defenses
1.1 Definition and history of penetration drivers
The earliest domestic antivirus products were Rising, Kingsoft and Jiangmin, which rode the dividend of the PC-era boom. At its peak Rising sold 700 million yuan of software a year, and its consumer products nearly monopolized the market. As the saying goes, you do not take on porcelain work without a diamond drill: what let antivirus products hold their own against viruses, trojans and backdoors was the low-level drivers they loaded first in the system. Among those drivers is a generic component called the penetration driver.
To clean up malware, antivirus software must perform forced operations on processes, files and registry keys. These are usually carried out through an API exported by a Ring3 DLL component, which calls DeviceIoControl with the corresponding IoCode to reach the underlying Ring0 driver. The driver that performs the forced operation is what we call the penetration driver.
Let's start with antivirus software from abroad. The birth and evolution of antivirus penetration drivers comes from the endless back-and-forth between antivirus products and rootkits on Windows.
CMD has a ver command. Entering VER prints something like this.
The kernel of the Windows systems we use today is called Windows NT. The 6.1 is the kernel version of the Windows system you are running; every new Windows release carries a higher NT kernel version than its predecessor. Many people have upgraded to Windows 10, where ver shows 10.0. But the first NT kernel version was not 1.1 but 3.1.
Because the way antivirus software works depends heavily on the low-level interfaces the operating system provides, keeping an antivirus product compatible from XP through the latest Windows 10 may only require code changes in some driver components, but moving from the DOS era to NT 3.1 meant changing the whole architecture. NT 3.1, the ancestor of the NT kernel, was released on July 27, 1993, 23 years ago. There is a book, "Show Stopper!" (fully translated into Chinese by the low-level debugging expert Zhang Yinkui as 《观止——微软创建NT和未来的夺命狂奔》), that records in detail how David Cutler, the chief designer of the NT kernel, led its development and how difficult the birth of NT 3.1 was.
The working mechanism of every low-level driver component in modern antivirus software can be traced back to the original NT 3.1.
Windows provides standard APIs for deleting files, terminating processes and deleting registry keys: DeleteFile / TerminateProcess / RegDeleteKey. The MSDN shipped with VS2008 shows this.
You can see that these general-purpose APIs have been supported since the earliest Windows versions. Early antivirus software used them to delete the registry autostart keys of viruses and trojans, terminate their processes and delete their parent files. But early Windows did not control Ring0 well, and malware, starting from the same line, soon found shortcuts: it could easily enter the Windows kernel as a system driver. You may have heard terms such as DLL injection, ring 3 inline hooks, SSDT hooks and inline hooks; these are common techniques of malicious components. Malicious components that enter the kernel are generally called rootkits. In the heyday of Windows rootkits, security researchers ran a website called www.rootkit.com, which has since gone offline as history moved on. Naturally, the early Windows antivirus vendors soon realised that to deal with malicious components lodged in the kernel, the antivirus product itself needed anti-rootkit components able to operate on files, registry and processes, and that need slowly gave rise to today's penetration driver.
Penetration drivers have long been used in foreign antivirus products:
Avastar.sys (Avast), avgarcln.sys (AVG), McAfee ark.sys (McAfee) and trendmicroark drv.sys (Trend Micro).
In general, the Ring3 cleanup EXE loads the corresponding penetration-driver DLL, and the DLL sends the matching IoCode through DeviceIoControl in Ring3 to have the driver call the underlying kernel functions nt!ZwDeleteFile / nt!ZwSetValueKey / nt!ZwDeleteKey, which delete files and clean the registry.
Now let's talk about the penetration drivers of Chinese antivirus software.
The technology used by Chinese antivirus penetration drivers is basically the same. Riding the breakthrough of free antivirus, 360's user base grew rapidly, and with it its Windows low-level development expertise and staff.
360's early penetration-driver developers were Pan Jianfeng (pjf, author of IceSword), Wang Yu (nicknamed "Little Mountain Bear", now a researcher at FireEye labs) and Zheng Wenbin (mj0011). A product's first version is never perfect; it is refined through iteration. In the early days under Fu Sheng, 360 was a small team with few resources and very few Ring3 programmers, let alone Windows low-level driver developers. Stumbling along, it gradually gathered its first batch of low-level developers.
The driver functionality in 360's early products was rather scattered. With product iteration two penetration drivers gradually took shape, bfsdll.dll/bfsdrv.sys and bregdll.dll/bregdrv.sys, which encapsulate the underlying file and registry operations. Around the beginning of the decade these two penetration-driver components were found to have holes, in what Rising publicised at the time as the "360 backdoor" incident.
The problem was not that the undocumented cmxxkey function was called, but that any EXE could call the registry and file interfaces exported by the DLL that 360 shipped, without any verification (no valid digital signature check), and thereby bypass the monitoring of the antivirus software's own low-level drivers.
360 quickly fixed the problem and in later versions merged the two penetration drivers into one, bapi.dll/bapidrv.sys. Later it also released the penetration driver dsark.sys to handle the cleanup of malware that fights back.
The screenshots show the patents 360 applied for at the time for its registry penetration driver and file penetration driver, along with the Windows kernel developers behind the penetration driver.
Kingsoft Duba and Tencent PC Manager are similar to 360, except that their Ring3 components export a class rather than individual Ring3 API functions, so their penetration-driver DLLs have no single exported function.
2.1 How penetration drivers work
Let's first look at normal system calls, taking OpenFile and RegDeleteValue as examples.
Kernel32!OpenFile → ntdll!NtOpenFile → the Windows kernel performs strict parameter checks on the transition into Ring0 → nt!NtOpenFile (undocumented and not exported)
The same applies to deleting a registry value.
Kernel32!RegDeleteValueW → ntdll!NtDeleteValueKey → the Windows kernel performs strict parameter checks on the transition into Ring0 → nt!NtDeleteValueKey → nt!CmDeleteValueKey
Now let's look at how BRegDeleteValueW, exported by the penetration-driver DLL, works.
bapi!BRegDeleteValueW → Kernel32!DeviceIoControl → ntdll!ZwDeviceIoControlFile → nt!NtDeviceIoControlFile → nt!CmDeleteValueKey
As you can see, calling the API exported by the Ring3 DLL component bypasses the operating system's checks on the Ring3-to-Ring0 transition and directly invokes low-level Windows routines to carry out very low-level operations, which cannot be achieved by calling the regular Ring3 function RegDeleteValueW documented in MSDN.
There is a web page that can no longer be found online, but the author still keeps a mirror of it: the explanation given by MJ, one of 360's early penetration-driver developers, after 360's penetration driver was exposed for not strictly verifying Ring3 callers. Later those early 360 developers, drawing on nearly ten years of low-level debugging skill, used Windows kernel privilege-escalation holes they had found to break out of the Chrome sandbox at Pwn2Own and made their name. But that is a story for later.
When reversing the registry penetration driver of a domestic antivirus product, these commands can be used to locate the corresponding underlying functions.
3. Fighting antivirus driver defenses
3.1 Fighting the antivirus shield in Ring3
Antivirus software has two sides. One is offense, embodied in the penetration driver introduced above: the spear with which antivirus attacks malicious components. The other is defense, the shield: preventing malicious components from loading into the kernel (driver loading) and from infecting executable files (capturing file operations for signature comparison and behavioral defense).
The antivirus shield is implemented differently on 32-bit and 64-bit systems. We take Windows 7 as the example for how it is fought.
The normal approach in Ring3 is hide and seek, in two forms: dll2shellcode and shellcode backdoors, both plain binary backdoors. Today script-based backdoors in PowerShell or JScript are popular because they mutate quickly and are easy to keep undetected.
The figure above shows that the shellcode of the modified shellcode-type Poison Ivy backdoor runs smoothly on Windows 7, Windows 8 and Windows 8.1. Because it is shellcode it is easy to keep undetected, and after polymorphic encoding it is not easily caught by antivirus.
Ring3 is a big headache; many people have no idea what is actually running on their machines.
There is a tool called AutoRuns, now produced by Microsoft's Sysinternals, that fully lists the startup entries in every corner of Windows. All you need is to find one such corner and stay there in file form.
3.2.1 Fighting the antivirus shield in Ring0 (32-bit)
To fight antivirus in Ring0 you must understand how its defense driver works in the kernel. In fact the shield (defense driver) works quite differently on 32-bit and 64-bit systems because the underlying mechanisms changed. The following explanation takes Windows 7 as the example.
There is a very subtle point on 32-bit systems: nt!KiFastCallEntry. Every Ring3 call into a Ring0 function of the nt! module must pass through it. You can see that at the red arrow, execution inside nt!KiFastCallEntry jumps into the antivirus defense driver's code. In this way most important Windows events can be intercepted: process creation, module loading, registry modification, file operations and so on. With the added filtering of the policy driver, the product can prompt the user with a pop-up, or directly block or allow the malicious behavior.
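The hook described above is a byte patch inside nt!KiFastCallEntry, and an anti-rootkit (ARK) integrity check finds such patches the same way for any kernel routine: compare the routine's bytes in memory with the bytes of the same routine in the on-disk ntoskrnl.exe and decode the first divergence. The Python below is an example added here, not code from the article; the byte strings, image base and addresses are constructed (a real check must also apply relocations to the disk copy), and find_inline_hook and build_hooked_memory are hypothetical names.

```python
import struct

# Constructed 32-bit layout for the example (not real ntoskrnl values).
NT_BASE, NT_SIZE = 0x82800000, 0x00400000   # where the nt image is mapped
WINDOW_VA = 0x82A45000                       # address of the bytes compared
HOOK_TARGET = 0x90E01234                     # lies outside nt: a third-party driver

# Bytes of the routine as found in the on-disk image (constructed).
DISK_BYTES = bytes([0x8B, 0x45, 0x08, 0x8B, 0x4D, 0x0C, 0x8B, 0x55, 0x10, 0x90])

def build_hooked_memory(disk, window_va, target):
    """Simulate what a hooking driver writes: a 5-byte jmp rel32 over the
    first instructions, rel32 measured from the end of the jmp."""
    rel = target - (window_va + 5)
    return b"\xE9" + struct.pack("<i", rel) + disk[5:]

MEM_BYTES = build_hooked_memory(DISK_BYTES, WINDOW_VA, HOOK_TARGET)

def find_inline_hook(mem, disk, window_va, nt_base=NT_BASE, nt_size=NT_SIZE):
    """Return None if memory matches disk; otherwise describe the first
    divergence. An E9 at the patch start is decoded as jmp rel32 and its
    absolute target is classified as inside or outside the nt image."""
    if len(mem) != len(disk):
        raise ValueError("compare windows of equal length")
    diff = [i for i in range(len(mem)) if mem[i] != disk[i]]
    if not diff:
        return None
    offset = diff[0]
    result = {"offset": offset, "patch_va": window_va + offset,
              "kind": "unknown patch", "target": None, "in_nt": None}
    if mem[offset] == 0xE9 and offset + 5 <= len(mem):
        rel = struct.unpack_from("<i", mem, offset + 1)[0]
        target = (window_va + offset + 5 + rel) & 0xFFFFFFFF
        result.update(kind="jmp rel32", target=target,
                      in_nt=nt_base <= target < nt_base + nt_size)
    return result

if __name__ == "__main__":
    print(find_inline_hook(DISK_BYTES, DISK_BYTES, WINDOW_VA))  # None: clean
    print(find_inline_hook(MEM_BYTES, DISK_BYTES, WINDOW_VA))   # jmp leaving nt
```

A jmp whose target lies outside the nt image is what the article's red arrow shows: control leaving the kernel image for a driver, which is the signal an ARK tool reports.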
In fact all we need to do is restore those hooked bytes of the antivirus in nt. But the dilemma is obvious: unless your driver is a whitelisted one, or one with a signature that is easy to load, it will be blocked by the antivirus intercept.
Our strategy is to load a legitimate driver that has an arbitrary-address arbitrary-write vulnerability. The Ring3 program communicates with this vulnerable component to remove the antivirus hook in nt!KiFastCallEntry. Once the hook is removed, the antivirus defense on a 32-bit system collapses.
Legitimate drivers that can write arbitrary data to any address are easy to find on 32-bit. For example, search Google for
2010-01-23 RsNTGdi.sys
Another way to bypass antivirus monitoring of driver loading is to add the driver across a reboot. There is a general technique for this on 32-bit: load a signed white driver whose load path points to your own folder, then use MoveFileEx to move, at shutdown, your malicious driver over the white driver just loaded. This process involves only two behaviors, loading a legitimate driver and deleting and writing a file, neither of which antivirus blocks. After the reboot you have a Ring0 component loaded in the kernel that bypassed the antivirus driver.
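The reboot-time swap relies on MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which moves nothing immediately: it records a source/destination pair in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and Session Manager applies the pairs at the next boot. That makes the value a cheap place for defenders to audit before the reboot happens. The Python below is an example added here, not from the article; the sample value is constructed, and parse_pending_renames and flag_driver_swaps are hypothetical names.

```python
import ntpath

# Directory whose contents the check treats as sensitive (kernel drivers).
DRIVER_DIR = ntpath.normcase(r"C:\Windows\System32\drivers")

def _strip_nt_prefix(path):
    r"""Entries are NT paths like \??\C:\dir\file; a leading '!' on the
    destination records MOVEFILE_REPLACE_EXISTING."""
    path = path[1:] if path.startswith("!") else path
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending_renames(multi_sz):
    """Group the flat REG_MULTI_SZ string list into (source, destination)
    pairs. An empty destination means the source is deleted at boot."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold pairs")
    return [(multi_sz[i], multi_sz[i + 1]) for i in range(0, len(multi_sz), 2)]

def flag_driver_swaps(multi_sz, driver_dir=DRIVER_DIR):
    """Return the queued operations that delete or overwrite a file in the
    driver directory (or any .sys file): candidates for the reboot-time
    driver replacement described in the article."""
    findings = []
    for src, dst in parse_pending_renames(multi_sz):
        src_path = _strip_nt_prefix(src)
        dst_path = _strip_nt_prefix(dst)
        affected = dst_path or src_path            # a delete names only the source
        in_driver_dir = ntpath.normcase(ntpath.dirname(affected)) == driver_dir
        if in_driver_dir or ntpath.normcase(affected).endswith(".sys"):
            op = "delete" if not dst_path else ("replace" if dst.startswith("!") else "move")
            findings.append({"operation": op, "source": src_path, "target": affected})
    return findings

# Constructed sample: a staged file overwrites a signed driver at boot, a temp
# log is deleted, and an application DLL is updated (benign).
SAMPLE_VALUE = [
    r"\??\C:\Users\demo\AppData\Local\Temp\stage.tmp",
    r"!\??\C:\Windows\System32\drivers\whitedrv.sys",
    r"\??\C:\Windows\Temp\setup.log",
    "",
    r"\??\C:\Program Files\App\app.dll.new",
    r"!\??\C:\Program Files\App\app.dll",
]

if __name__ == "__main__":
    for finding in flag_driver_swaps(SAMPLE_VALUE):
        print(finding)
```

On a live system the list would come from reading that registry value with reg.exe or the winreg module; a source path in a user-writable directory paired with a target in the drivers directory is the pattern worth alerting on.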
3.2.2 Fighting the antivirus shield in Ring0 (64-bit)
Because of DSE (which blocks loading of unsigned drivers) and PatchGuard (which blocks patching of kernel code) on Microsoft's 64-bit systems, low-skill malware in Ring0 on 64-bit is much reduced. The working mechanism of 64-bit antivirus is likewise limited to process / thread / image-load / registry callbacks plus file filter drivers / minifilters to implement driver defense.
Here are some key points on 64-bit.
nt!PspCreateProcessNotifyRoutineExCount (number of registered extended process-creation callbacks)
nt!PspCreateProcessNotifyRoutineCount (number of registered process-creation callbacks)
nt!PspCreateThreadNotifyRoutineCount (number of registered thread-creation callbacks)
nt!PspLoadImageNotifyRoutineCount (number of registered image-load callbacks)
nt!CmpCallBackCount (number of registered registry callbacks)
ci!g_CiOptions (flag indicating whether DSE is on or off)
Although PatchGuard does not allow kernel code to be tampered with, these kernel variables can be modified. Once the above counts are set to 0, the antivirus system defense on 64-bit fails; after tampering with the DSE flag, unsigned drivers can be loaded on 64-bit.
The idea is the same as on 32-bit: load a vulnerable driver with an arbitrary-address arbitrary-write (such as ldrvpro64.sys, shipped with DriveTheLife / 驱动人生).
Tampering with the key locations above turns off 64-bit antivirus protection and the system's own DSE protection.