Recently, a friend complained to me that their rootkit driver had been killed by anti-virus software like McAfee and NOD32, so I began to find out why.
I found that these "heuristic anti-virus" detections are based on the export functions mentioned in one of Jonna's articles (BTW: my respects to Jonna).
First I took a look at McAfee. It has a strange heuristic strategy: if it finds an exported symbol "KeServiceDescriptorTable" while it doesn't find some normal driver function like "IoCreateDevice", it reports a virus. So I think the first method is to find the KeServiceDescriptorTable dynamically.
With 90210's article "A more stable way to locate real KiServiceTable" (http://www.rootkit.com/newsread.php?newsid=176) and his help, I can find the KeServiceDescriptorTable's ServiceTableBase, which is enough. (Thank you, 90210.)
But I found NOD32 is more restrictive: it will detect Zw* functions and report your driver as a virus. So I had to find a more general way to locate exported functions and symbols. Fortunately I found some pieces in the book by SVEN B. SCHREIBER. This book is cool!! The code is here:
Code:

    PVOID SpyMemoryCreate (DWORD dSize)
        {
        return ExAllocatePoolWithTag (PagedPool, max (dSize, 1), SPY_TAG);
        }

    // -----------------------------------------------------------------

    PVOID SpyMemoryDestroy (PVOID pData)

    // ==============================================================

    PMODULE_LIST SpyModuleList (PDWORD pdData,
        for (dSize = PAGE_SIZE; (pml == NULL) && dSize; dSize <<= 1)
            if (ns != STATUS_INFO_LENGTH_MISMATCH) break;

    // -----------------------------------------------------------------

    PMODULE_LIST SpyModuleFind (PBYTE pbModule,
        if ((pml = SpyModuleList (NULL, &ns)) != NULL)

    // -----------------------------------------------------------------

    PVOID SpyModuleBase (PBYTE pbModule,
        if ((pml = SpyModuleFind (pbModule, &dIndex, &ns)) != NULL)

    // -----------------------------------------------------------------

    PIMAGE_NT_HEADERS SpyModuleHeader (PBYTE pbModule,
        if (((pBase = SpyModuleBase (pbModule, &ns)) != NULL) &&

    // -----------------------------------------------------------------

    PIMAGE_EXPORT_DIRECTORY SpyModuleExport (PBYTE pbModule,
        if ((pinh = SpyModuleHeader (pbModule, &pBase, &ns)) != NULL)
            if (pidd->VirtualAddress &&

    // -----------------------------------------------------------------

    PVOID SpyModuleSymbol (PBYTE pbModule,
        if ((pied = SpyModuleExport (pbModule, &pBase, &ns)) != NULL)
            for (i = 0; i < pied->NumberOfNames; i++)
                if (!strcmp (PTR_ADD (pBase, pdNames [i]), pbName))

    // -----------------------------------------------------------------

    PVOID SpyModuleSymbolEx (PBYTE pbSymbol,
So now we can get a symbol like this:
pKeServiceDescriptorTable = SpyModuleSymbolEx("KeServiceDescriptorTable", NULL, &ns);
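The part of the Schreiber chain that actually does the work is SpyModuleSymbol: walk the module's PE export directory (AddressOfNames, then AddressOfNameOrdinals, then AddressOfFunctions) and compare names. The listing above only survives as fragments, so here is an added example, not code from the post or from Schreiber's book, that shows that walk on a constructed in-memory PE32 image together with the checks a driver should add: every RVA is bounds-checked against the image size before it is dereferenced, the ordinal is range-checked against NumberOfFunctions, and a forwarded export (RVA pointing inside the export directory at a "DLL.Name" string) is reported instead of being handed back as a code address. The kernel half, obtaining the module base from ZwQuerySystemInformation(SystemModuleInformation) as SpyModuleBase does, is assumed; the image, its export names and its RVAs are constructed for the example and stand in for a mapped ntoskrnl.

```c
/* Added example: bounds-checked export-directory lookup on an in-memory PE32 image.
 * The "module" is a constructed buffer; in a driver, base/size would come from the
 * SystemModuleInformation entry for the module (assumed, not shown). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE    0x4000u
/* PE/COFF field offsets (PE32) */
#define DOS_E_LFANEW  0x3Cu   /* IMAGE_DOS_HEADER.e_lfanew */
#define NT_OPT_MAGIC  0x18u   /* IMAGE_NT_HEADERS32.OptionalHeader.Magic */
#define NT_EXPORT_DIR 0x78u   /* DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] */
#define ED_NUM_FUNCS  0x14u   /* IMAGE_EXPORT_DIRECTORY.NumberOfFunctions */
#define ED_NUM_NAMES  0x18u
#define ED_FUNCS      0x1Cu   /* AddressOfFunctions */
#define ED_NAMES      0x20u   /* AddressOfNames */
#define ED_ORDINALS   0x24u   /* AddressOfNameOrdinals */

typedef enum { EXP_NOT_FOUND = 0, EXP_CODE = 1, EXP_FORWARDER = 2 } ExportKind;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
/* true if [rva, rva+len) lies inside the mapped image */
static int in_image(uint32_t rva, uint32_t len, uint32_t size) {
    return rva < size && len <= size - rva;
}

/* Resolve an exported name to its RVA. A forwarder is reported separately: its
 * "RVA" points at a "DLL.Name" string inside the export directory, not at code. */
ExportKind find_export(const uint8_t *base, uint32_t size, const char *name, uint32_t *rva_out)
{
    if (size < 0x40 || rd16(base) != 0x5A4D) return EXP_NOT_FOUND;                 /* "MZ" */
    uint32_t nt = rd32(base + DOS_E_LFANEW);
    if (!in_image(nt, 0x80, size) || rd32(base + nt) != 0x00004550) return EXP_NOT_FOUND; /* "PE\0\0" */
    if (rd16(base + nt + NT_OPT_MAGIC) != 0x10B) return EXP_NOT_FOUND;             /* PE32 only */
    uint32_t ed = rd32(base + nt + NT_EXPORT_DIR), ed_size = rd32(base + nt + NT_EXPORT_DIR + 4);
    if (ed == 0 || !in_image(ed, 0x28, size)) return EXP_NOT_FOUND;
    uint32_t nfuncs = rd32(base + ed + ED_NUM_FUNCS), nnames = rd32(base + ed + ED_NUM_NAMES);
    uint32_t funcs = rd32(base + ed + ED_FUNCS), names = rd32(base + ed + ED_NAMES);
    uint32_t ords = rd32(base + ed + ED_ORDINALS);
    if (nfuncs > size / 4 || nnames > size / 4) return EXP_NOT_FOUND;             /* no overflow below */
    if (!in_image(funcs, nfuncs * 4, size) || !in_image(names, nnames * 4, size) ||
        !in_image(ords, nnames * 2, size)) return EXP_NOT_FOUND;
    uint32_t need = (uint32_t)strlen(name) + 1;                                    /* compare incl. NUL */
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t s = rd32(base + names + 4 * i);
        if (!in_image(s, need, size) || memcmp(base + s, name, need) != 0) continue;
        uint16_t ord = rd16(base + ords + 2 * i);        /* index into the function table */
        if (ord >= nfuncs) return EXP_NOT_FOUND;
        uint32_t rva = rd32(base + funcs + 4 * ord);
        if (rva == 0) return EXP_NOT_FOUND;
        *rva_out = rva;
        return (rva >= ed && rva - ed < ed_size) ? EXP_FORWARDER : EXP_CODE;
    }
    return EXP_NOT_FOUND;
}

static uint8_t g_image[IMAGE_SIZE];
static void put32(uint32_t rva, uint32_t v) { memcpy(g_image + rva, &v, 4); }
static void put16(uint32_t rva, uint16_t v) { memcpy(g_image + rva, &v, 2); }

/* Constructed stand-in for a mapped kernel image: four exports, name table sorted
 * (as the loader requires), function table deliberately in a different order so the
 * ordinal indirection matters, plus one forwarder. RVAs are made up for the example. */
const uint8_t *build_fake_image(void)
{
    memset(g_image, 0, sizeof g_image);
    put16(0x000, 0x5A4D); put32(DOS_E_LFANEW, 0x80);
    put32(0x80, 0x00004550); put16(0x80 + NT_OPT_MAGIC, 0x10B);
    put32(0x80 + NT_EXPORT_DIR, 0x200); put32(0x80 + NT_EXPORT_DIR + 4, 0x300);
    put32(0x200 + ED_NUM_FUNCS, 4); put32(0x200 + ED_NUM_NAMES, 4);
    put32(0x200 + ED_FUNCS, 0x300); put32(0x200 + ED_NAMES, 0x340); put32(0x200 + ED_ORDINALS, 0x360);
    put32(0x300, 0x1000); put32(0x304, 0x2000); put32(0x308, 0x3000); put32(0x30C, 0x480);
    put32(0x340, 0x400); put32(0x344, 0x410); put32(0x348, 0x430); put32(0x34C, 0x450);
    put16(0x360, 1); put16(0x362, 2); put16(0x364, 3); put16(0x366, 0);
    strcpy((char *)g_image + 0x400, "IoCreateDevice");
    strcpy((char *)g_image + 0x410, "KeServiceDescriptorTable");
    strcpy((char *)g_image + 0x430, "RtlForwardedThing");
    strcpy((char *)g_image + 0x450, "ZwClose");
    strcpy((char *)g_image + 0x480, "OTHER.Func");   /* forwarder target, inside the export dir */
    return g_image;
}

int main(void)
{
    const uint8_t *base = build_fake_image();
    uint32_t rva = 0;
    ExportKind k = find_export(base, IMAGE_SIZE, "KeServiceDescriptorTable", &rva);
    printf("KeServiceDescriptorTable: kind=%d rva=0x%x\n", (int)k, rva);
    return 0;
}
```

Because the symbol is resolved from the export table at run time, the driver's own import table never mentions KeServiceDescriptorTable or any Zw* routine, which is the whole point of the exercise. The name comparison uses memcmp over strlen(name)+1 bytes rather than strcmp so a name string that runs off the end of the image cannot be read past it, and the forwarder case exists because dereferencing a forwarder's RVA as a function pointer is a guaranteed crash.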