January - Xakep Online

space of its own process by calling NtMapViewOfSection, granting ourselves all the access rights we need. The remapping happens entirely at kernel level, but the mapped page can be accessed even from user mode. Beautiful! Many firewalls and other programs that need to hook kernel functions, rootkits for instance, work by this scheme. Details here: http://www.stanford.edu/~stinson/misc/curr_res/nt_hooking.txt.

Path three is clearing the WP flag in the cr0 register. This is a fairly dirty trick with a whole retinue of contraindications and complaints, but for our purposes it is perfectly adequate. We will use it as the simplest and fastest option, fitting into just three (!) machine instructions:

code that disables the kernel's write protection

    mov eax, cr0          ; load the cr0 control register into eax
    and eax, 0FFFEFFFFh   ; clear the WP bit, which forbids writes to read-only pages
    mov cr0, eax          ; write the updated value back to cr0

Accordingly, to turn the protection back on, that same WP bit has to be set, which is what the following machine instructions do:

code that enables the kernel's write protection

    mov eax, cr0          ; load the cr0 control register into eax
    or eax, 10000h        ; set the WP bit, which forbids writes to read-only pages
    mov cr0, eax          ; write the updated value back to cr0

A politically correct program should not simply turn write protection off and on; it should remember the current state of the WP bit before changing it and restore it afterwards. Otherwise you may inadvertently enable the protection at the worst possible moment, doing serious harm to the virus or rootkit.

KeBugCheckEx can be shorted out in various ways. The most correct (and reliable!) way is to determine its address by parsing the import table, but that is too long, tedious, dull and tiring. It is much simpler to plug in ready-made addresses hardcoded into your program. The downside of this solution is that it will not work on other computers. Install (or remove) some Service Pack, move to another version of the system, and all the addresses change at once, producing a solid hang. Nevertheless, having the source

EXCEPTION AND PUNISHMENT

Does shunting KeBugCheckEx always help? How safe is it? It is very dangerous, and on top of that it is far from always helpful. Take, for example, the following code fragment borrowed from the kernel:

a code fragment where shunting KeBugCheckEx ends very sadly

    00565201 call ExAllocatePoolWithTag   ; allocate memory from the pool
    00565206 cmp eax, ebx                 ; check whether the allocation succeeded (ebx holds zero)
    00565208 mov ds:dword_56BA84, eax
    0056520D jnz short loc_56521C         ; -> we got our memory! we live, lads!
    0056520F push ebx                     ;
    00565210 push ebx                     ;
    00565211 push 6                       ; the memory allocation flopped
    00565213 push 5                       ; off we go to heaven
    00565215 push 67h                     ;
    00565217 call KeBugCheckEx            ;
    0056521C loc_56521C:                  ; CODE XREF: sub_5651C1+4Cj
    0056521C lea eax, [ebp+var_C]         ; carry on with normal execution
    0056521F push ebx
    00565220 push eax

The system allocates memory from the shared pool; if the memory comes through, execution continues normally, otherwise the blue screen flares up. Suppose we have shorted KeBugCheckEx: what then? We were refused the memory, yet we carry on with normal execution as if nothing had happened, accessing a pointer that points to nowhere. A whole cascade of secondary exceptions erupts, every data structure turns to dust, and the system collapses for good. So there.
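A defender who suspects that KeBugCheckEx has been shorted in the way described above can compare the function's entry bytes in memory with the same bytes from the on-disk kernel image and classify the difference. The C example below is added here and is not code from the article; the byte arrays are constructed samples standing in for real ntoskrnl bytes, and how the two copies are obtained (reading and relocating the image) is outside its scope.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What was found at a function's entry point. */
typedef enum {
    PATCH_NONE = 0,   /* bytes match the on-disk image */
    PATCH_RET,        /* C3 / C2 imm16 at entry: the function was shorted */
    PATCH_JMP,        /* E9 rel32 / EB rel8 at entry: control diverted */
    PATCH_PUSH_RET,   /* 68 imm32 C3: push/ret trampoline */
    PATCH_MODIFIED    /* differs from disk in some other way */
} patch_kind;

/* Compare `len` entry bytes seen in memory against the on-disk copy. */
patch_kind classify_prologue_patch(const uint8_t *in_memory,
                                   const uint8_t *on_disk, size_t len)
{
    if (len == 0 || memcmp(in_memory, on_disk, len) == 0)
        return PATCH_NONE;
    /* A shorted stdcall function returns at once; C2 imm16 also pops
       its arguments so the caller's stack stays balanced. */
    if (in_memory[0] == 0xC3 || (len >= 3 && in_memory[0] == 0xC2))
        return PATCH_RET;
    if ((len >= 5 && in_memory[0] == 0xE9) || (len >= 2 && in_memory[0] == 0xEB))
        return PATCH_JMP;
    if (len >= 6 && in_memory[0] == 0x68 && in_memory[5] == 0xC3)
        return PATCH_PUSH_RET;
    return PATCH_MODIFIED;
}

/* Constructed samples (not bytes from any real kernel build): a generic
   hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp; sub esp,10h)
   stands in for the on-disk copy, and three tampered in-memory copies. */
static const uint8_t sample_clean[8]      = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t sample_shorted[8]    = {0xC2,0x14,0x00,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t sample_jmp[8]        = {0xE9,0x00,0x10,0x00,0x00,0x83,0xEC,0x10};
static const uint8_t sample_trampoline[8] = {0x68,0x00,0x20,0x40,0x00,0xC3,0xEC,0x10};

int main(void)
{
    const char *names[] = {"none", "ret", "jmp", "push/ret", "modified"};
    printf("clean:      %s\n", names[classify_prologue_patch(sample_clean, sample_clean, 8)]);
    printf("shorted:    %s\n", names[classify_prologue_patch(sample_shorted, sample_clean, 8)]);
    printf("jmp:        %s\n", names[classify_prologue_patch(sample_jmp, sample_clean, 8)]);
    printf("trampoline: %s\n", names[classify_prologue_patch(sample_trampoline, sample_clean, 8)]);
    return 0;
}
```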

WHAT NTFS CAN'T DO

To minimize the consequences of a system crash, NT supports special callbacks. Any driver can call KeRegisterBugCheckCallback and register a special handler that receives control the moment a blue screen occurs. This makes it possible to shut hardware down correctly, for example to park the hard disk heads. Just kidding! But it would do a file system driver no harm at all to flush its buffers, all the more so since it can verify their integrity by CRC or any other means. Persistent rumors have it that NTFS does exactly that. Not so! Myshch'kh disassembled NTFS.SYS and found no trace of any call to KeRegisterBugCheckCallback there! At the moment of the crash, NTFS's buffers remain unflushed, and it survives only thanks to its transaction support, which guarantees the atomicity of every operation: an operation either completes or it does not. A file record update cannot happen halfway, and so, unlike FAT, lost clusters do not form on it. Well, practically do not form.

ХАКЕР 01 /85/ 06 117
