Posted on 2010-9-30 16:49:14
II. HeapAlloc backdoor detection
When running under a ring-3 debugger such as OllyDBG, memory requested with LocalAlloc or HeapAlloc has a non-zero initial fill value, and some packers use this to detect the debugger.
LPVOID HeapAlloc(
HANDLE hHeap, // handle to private heap block
DWORD dwFlags, // heap allocation control
SIZE_T dwBytes // number of bytes to allocate
);
dwFlags:
HEAP_NO_SERIALIZE equ 00000001h
HEAP_GROWABLE equ 00000002h
HEAP_GENERATE_EXCEPTIONS equ 00000004h
HEAP_ZERO_MEMORY equ 00000008h
HEAP_REALLOC_IN_PLACE_ONLY equ 00000010h
HEAP_TAIL_CHECKING_ENABLED equ 00000020h
HEAP_FREE_CHECKING_ENABLED equ 00000040h
HEAP_DISABLE_COALESCE_ON_FREE equ 00000080h
HEAP_CREATE_ALIGN_16 equ 00010000h
HEAP_CREATE_ENABLE_TRACING equ 00020000h
HEAP_MAXIMUM_TAG equ 0FFFh
HEAP_PSEUDO_TAG_FLAG equ 8000h
HEAP_TAG_SHIFT equ 18
With dwFlags=00000008 the requested memory is filled with 00.
――――――――――――――――――――――――
Set OllyDBG to pause at the system breakpoint and to ignore all exceptions. Use the IsDebug plugin.
7C921231 C3 retn
// After loading into OllyDbg, execution pauses here
On XP, HeapAlloc is forwarded to ntdll's RtlAllocateHeap.
Set a breakpoint: BP RtlAllocateHeap [ESP]<20000000
Actually, we could simply run it first and let it raise the exception, which quickly locates the check.
After about 8 Shift+F9 breaks, look at the stack:
0012FEB4 100034C7 返回到 JiangH_1.100034C7 来自 ntdll.RtlAllocateHeap
0012FEB8 003C0000
0012FEBC 00000000
0012FEC0 00019000
0012FEC4 00019000
0012FEC8 1000AEA8 JiangH_1.1000AEA8
Change 0012FEBC on the stack to 00000008.
Remove the earlier breakpoint and set one at 100034C7.
100034B5 83E6 F0 and esi,FFFFFFF0
100034B8 56 push esi
100034B9 6A 00 push 0
100034BB FF35 9CC50010 push dword ptr ds:[1000C59C]
100034C1 FF15 6C900010 call dword ptr ds:[1000906C] ; ntdll.RtlAllocateHeap
100034C7 5F pop edi
// Breaks here after RtlAllocateHeap returns
100034C8 5E pop esi
100034C9 C3 retn
Shift+F9; EAX=011526D4, and you can see that [011526D4] is now filled with 00.
Remove all breakpoints and keep stepping with F7 to see where the check is.
10001F37 8B56 0C mov edx,dword ptr ds:[esi+C]
10001F3A 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
10001F3E 52 push edx
10001F3F E8 8C050000 call 100024D0
10001F44 8B4E 0C mov ecx,dword ptr ds:[esi+C]
10001F47 6A 00 push 0
10001F49 6A 01 push 1
10001F4B 51 push ecx
10001F4C FFD0 call eax ;011004DB
// step into this call
10001F4E 8B56 0C mov edx,dword ptr ds:[esi+C]
10001F51 68 78A00010 push 1000A078 ; ASCII "BS_New_Proc"
10001F56 52 push edx
10001F57 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
10001F5B E8 80050000 call 100024E0
Step into the call eax at 10001F4C and you can see the HeapAlloc backdoor check:
011404DB 55 push ebp
011404DC 8BEC mov ebp,esp
011404DE 53 push ebx
011404DF 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
011404E2 56 push esi
011404E3 8B75 0C mov esi,dword ptr ss:[ebp+C]
011404E6 57 push edi
011404E7 8B7D 10 mov edi,dword ptr ss:[ebp+10]
011404EA 85F6 test esi,esi
011404EC 75 09 jnz short 011404F7
011404EE 833D E40F1501 0>cmp dword ptr ds:[1150FE4],0
011404F5 EB 26 jmp short 0114051D
011404F7 83FE 01 cmp esi,1
011404FA 74 05 je short 01140501
011404FC 83FE 02 cmp esi,2
011404FF 75 22 jnz short 01140523
01140501 A1 D4261501 mov eax,dword ptr ds:[11526D4]
// checks whether [11526D4] is 00000000
01140506 85C0 test eax,eax
01140508 74 09 je short 01140513
0114050A 57 push edi
0114050B 56 push esi
0114050C 53 push ebx
0114050D FFD0 call eax
// if it is not 00000000, execution reaches here and crashes with an exception
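As an added example, not part of the original post, here is a small Python helper an analyst can use to read the RtlAllocateHeap call frame straight from an OllyDbg stack dump like the one above: it recovers hHeap, dwFlags and dwBytes from [ESP+4], [ESP+8] and [ESP+C], decodes dwFlags with the HEAP_* values the post lists, evaluates the post's [ESP]<20000000 breakpoint condition on the return address, and reports whether HEAP_ZERO_MEMORY is set (when it is not, the block's initial contents depend on whether the debug heap is active, which is exactly what the check relies on). The names STACK_DUMP, parse_stack, heapalloc_frame and debug_heap_fill_name are mine; the sample dump is copied from the post, and the fill constants are the standard Windows debug-heap patterns rather than anything the post mentions.

```python
"""Decode an RtlAllocateHeap call frame from an OllyDbg stack dump.

Added example, not code from the original post. Assumes the breakpoint
sits on the first instruction of RtlAllocateHeap, so [ESP] holds the
return address and the three stdcall arguments follow it.
"""
import re

# dwFlags values exactly as listed in the post (dwFlags decode table)
HEAP_FLAGS = {
    0x00000001: "HEAP_NO_SERIALIZE",
    0x00000002: "HEAP_GROWABLE",
    0x00000004: "HEAP_GENERATE_EXCEPTIONS",
    0x00000008: "HEAP_ZERO_MEMORY",
    0x00000010: "HEAP_REALLOC_IN_PLACE_ONLY",
    0x00000020: "HEAP_TAIL_CHECKING_ENABLED",
    0x00000040: "HEAP_FREE_CHECKING_ENABLED",
    0x00000080: "HEAP_DISABLE_COALESCE_ON_FREE",
    0x00010000: "HEAP_CREATE_ALIGN_16",
    0x00020000: "HEAP_CREATE_ENABLE_TRACING",
}
HEAP_ZERO_MEMORY = 0x00000008

# Well-known fill patterns of the Windows debug heap (not from the post);
# seeing them in a dump tells you the debug heap is active in the target.
DEBUG_HEAP_FILL = {
    0xBAADF00D: "allocated but never written (debug heap fill)",
    0xABABABAB: "guard bytes after a block (debug heap)",
    0xFEEEFEEE: "freed block (debug heap)",
}

# Stack dump copied from the post (OllyDbg, Chinese locale): address, value, note
STACK_DUMP = """\
0012FEB4 100034C7 返回到 JiangH_1.100034C7 来自 ntdll.RtlAllocateHeap
0012FEB8 003C0000
0012FEBC 00000000
0012FEC0 00019000
0012FEC4 00019000
0012FEC8 1000AEA8 JiangH_1.1000AEA8
"""

_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})")


def parse_stack(dump):
    """Return {address: dword} for every 'ADDR VALUE ...' line in the dump."""
    frame = {}
    for line in dump.splitlines():
        m = _LINE.match(line.strip())
        if m:
            frame[int(m.group(1), 16)] = int(m.group(2), 16)
    return frame


def decode_flags(flags):
    """Names of the HEAP_* bits set in dwFlags, in ascending bit order."""
    return [name for bit, name in HEAP_FLAGS.items() if flags & bit]


def debug_heap_fill_name(dword):
    """Describe a dword if it is one of the debug-heap fill patterns, else None."""
    return DEBUG_HEAP_FILL.get(dword & 0xFFFFFFFF)


def heapalloc_frame(dump, esp):
    """Recover RtlAllocateHeap's arguments at the breakpoint.

    [ESP] = return address, [ESP+4] = hHeap, [ESP+8] = dwFlags,
    [ESP+C] = dwBytes (stdcall, pushed right to left).
    """
    frame = parse_stack(dump)
    ret = frame[esp]
    dw_flags = frame[esp + 8]
    return {
        "return_address": ret,
        # the post's conditional breakpoint [ESP]<20000000 keeps only hits
        # whose caller lies outside the system DLLs, i.e. the packer's code
        "caller_is_user_code": ret < 0x20000000,
        "hHeap": frame[esp + 4],
        "dwFlags": dw_flags,
        "flag_names": decode_flags(dw_flags),
        "zero_filled": bool(dw_flags & HEAP_ZERO_MEMORY),
        "dwBytes": frame[esp + 0xC],
        # the stack slot the post patches to 00000008 to force a zero fill
        "dwFlags_slot": esp + 8,
    }


if __name__ == "__main__":
    info = heapalloc_frame(STACK_DUMP, 0x0012FEB4)
    for key, value in info.items():
        if isinstance(value, bool) or not isinstance(value, int):
            print(f"{key:>20}: {value}")
        else:
            print(f"{key:>20}: {value:#010x}")
```

Run against the post's dump it reports dwFlags=0 with no HEAP_ZERO_MEMORY bit, dwBytes=0x19000, and 0012FEBC as the slot to patch, which matches what the post does by hand. The per-call stack patch only covers the one allocation that was caught; the general counterpart is to start the target with the environment variable _NO_DEBUG_HEAP=1, which makes ntdll skip enabling the debug heap so allocations are not pre-filled with the patterns in DEBUG_HEAP_FILL in the first place.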