He4Hook Usage Guide
linux2linux, written 2005/7/25

[Introduction]
He4Hook is a veteran Russian rootkit, but with newer rootkits appearing, and given that its functionality is limited to a single thing, file control (hiding or protecting files), He4Hook is not widely used in China, which is why no document on using He4Hook could be found. I think, however, that He4Hook's value lies not in its features but in being a very good case study for understanding the rootkit world; reading its code is without doubt a way to improve yourself. Unfortunately, my limited understanding of file system drivers means I cannot explain the DRIVER_OBJECT method of HookFileSystem(2) in any more depth.

The version archived on rootkit.com is He4Hook215b6, a classic version (this guide is written against it). It is not complete, though: it lacks He4GetAdmin.zip and He4Sniffer.zip, both of which can be downloaded from the He4 Project home page, http://he4dev.e1.bmstu.ru. That site also carries He4Hook's last update, __he4hook_v21a_20021110.zip, which includes a driver that supports Windows XP but unfortunately drops the very interesting Boot loading method. The site also hosts KCLASS, the set of kernel C++ classes used by He4HookInv, which is very useful for Windows driver development.

A complete He4 installation should have at least the following files:
He4HookBoot.exe
He4HookInv.sys
He4HookControl.exe (the three above are in He4Hook215b6.zip)
He4Win32Srv.exe (in He4GetAdmin.zip; it uses a service to start a process with SYSTEM privileges)
He4Sniff.exe
He4Ndis.sys
He4Read.exe (the three above are in He4Sniffer.zip, a tcpdump-like tool that is not the focus of this article)

This article covers only the use of He4Hook, so it describes only the roles of He4HookBoot, He4HookInv and He4HookControl.

[File Descriptions]
1. He4HookBoot
This is a Native Application, so to start it you must modify the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
changing the original "Autocheck Autochk *" to "Autocheck Autochk * He4HookBoot", and place He4HookBoot in the %systemroot%\system32 directory.
For a more detailed description of Native Applications, see Mark Russinovich's "Inside Native Applications":
http://www.sysinternals.com/Information/NativeApplications.html
The main job of He4HookBoot is to start the He4HookInv.sys driver service, along with He4Ndis.sys and He4Win32Srv.exe.
Let us look closely at how it loads the temporary He4HookInv.sys driver service at boot (in fact I renamed He4Boot to native, which is why the trace below shows native.exe):

a. Installing the temporary service
The service name is NtCurrentTeb(), i.e. 7FFDE000.

21083:	native.exe:160	OpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\native.exe	NOT FOUND
21084:	native.exe:160	OpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\native.exe	NOT FOUND
21085:	native.exe:160	OpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\native.exe	NOT FOUND
21086:	native.exe:160	OpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\native.exe	NOT FOUND
21087:	native.exe:160	CreateKey	HKLM\System\CurrentControlSet\Services\7FFDE000	SUCCESS	Access: 0xF003F
21088:	native.exe:160	Setvalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Type	SUCCESS	0x1
21089:	native.exe:160	Setvalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Start	SUCCESS	0x1
21090:	native.exe:160	Setvalue	HKLM\System\CurrentControlSet\Services\7FFDE000\ErrorControl	SUCCESS	0x1
21091:	native.exe:160	Setvalue	HKLM\System\CurrentControlSet\Services\7FFDE000\ImagePath	SUCCESS	"System32\DRIVERS\He4HookInv.sys"

b. Removing the temporary service

21191:	native.exe:160	OpenKey	HKLM\System\CurrentControlSet\Services\7FFDE000	SUCCESS	Access: 0x20019
21192:	native.exe:160	Queryvalue	HKLM\System\CurrentControlSet\Services\7FFDE000\ObjectName	NOT FOUND
21193:	native.exe:160	Queryvalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Type	BUFFER TOO SMALL
21194:	native.exe:160	Queryvalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Type	SUCCESS	0x1
21195:	native.exe:160	QueryKey	HKLM\System\CurrentControlSet\Services\7FFDE000	BUFFER TOO SMALL
21196:	native.exe:160	QueryKey	HKLM\System\CurrentControlSet\Services\7FFDE000	SUCCESS	Name: 7FFDE000
21197:	native.exe:160	OpenKey	HKLM\System\CurrentControlSet\Services\7FFDE000	SUCCESS	Access: 0xF003F
21198:	native.exe:160	QueryKey	HKLM\System\CurrentControlSet\Services\7FFDE000	SUCCESS	Subkeys = 1
21199:	native.exe:160	Enumeratevalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Type	SUCCESS	Type: DWORD_LITTLE_END Name: Type
21200:	native.exe:160	DeletevalueKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Type	SUCCESS
21201:	native.exe:160	Enumeratevalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Start	SUCCESS	Type: DWORD_LITTLE_END Name: Start
21202:	native.exe:160	DeletevalueKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Start	SUCCESS
21203:	native.exe:160	Enumeratevalue	HKLM\System\CurrentControlSet\Services\7FFDE000\ErrorControl	SUCCESS	Type: DWORD_LITTLE_END Name: ErrorControl
21204:	native.exe:160	DeletevalueKey	HKLM\System\CurrentControlSet\Services\7FFDE000\ErrorControl	SUCCESS
21205:	native.exe:160	Enumeratevalue	HKLM\System\CurrentControlSet\Services\7FFDE000\ImagePath	SUCCESS	Type: SZ Name: ImagePath
21206:	native.exe:160	DeletevalueKey	HKLM\System\CurrentControlSet\Services\7FFDE000\ImagePath	SUCCESS
21207:	native.exe:160	EnumerateKey	HKLM\System\CurrentControlSet\Services\7FFDE000	SUCCESS	Name: Enum
21208:	native.exe:160	OpenKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum	SUCCESS	Access: 0xF003F
21209:	native.exe:160	QueryKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum	SUCCESS	Subkeys = 0
21210:	native.exe:160	Enumeratevalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum\Count	SUCCESS	Type: DWORD_LITTLE_END Name: Count
21211:	native.exe:160	DeletevalueKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum\Count	SUCCESS
21212:	native.exe:160	Enumeratevalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum\NextInstance	SUCCESS	Type: DWORD_LITTLE_END Name: NextInstance
21213:	native.exe:160	DeletevalueKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum\NextInstance	SUCCESS
21214:	native.exe:160	Enumeratevalue	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum\INITSTARTFAILED	SUCCESS	Type: DWORD_LITTLE_END Name: INITSTARTFAILED
21215:	native.exe:160	DeletevalueKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum\INITSTARTFAILED	SUCCESS
21216:	native.exe:160	DeleteKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum	SUCCESS	Key: 0xE1232310
21217:	native.exe:160	CloseKey	HKLM\System\CurrentControlSet\Services\7FFDE000\Enum	SUCCESS
21218:	native.exe:160	DeleteKey	HKLM\System\CurrentControlSet\Services\7FFDE000	SUCCESS	Key: 0xE12314B0
21219:	native.exe:160	CloseKey	HKLM\System\CurrentControlSet\Services\7FFDE000	SUCCESS

2. He4HookInv.sys
This is the real core of He4Hook. The file must be placed in the %SystemRoot%\System32\DRIVERS directory (as the temporary service installation above shows). In fact He4HookInv.sys is not loaded, or at least not loaded successfully: the driver always returns STATUS_NO_SUCH_DEVICE, which signals that the load failed, so searching for the driver with IceSword turns up nothing, yet the driver image remains in kernel address space. The real entry point, however, is _InvisibleDriverEntry: its address is located by walking the export table of the He4HookInv.sys image in memory and is then called, and on each call _InvisibleDriverUnload is also used to clean up first. It then adds new system service entries to SYSTEM_SERVICE_TABLE number 2 (counting from 0) of KeServiceDescriptorTable and KeServiceDescriptorTableShadow. We know that table 0 is exported and used by ntoskrnl.exe and table 1 may be exported and used by win32k.sys, while table 2 is free, so He4HookInv.sys uses it to provide its own system calls for He4HookControl.exe to invoke. If HookFileSystem(1) is used to hook ZwCreateFile, ZwOpenFile and ZwQueryDirectoryFile, IceSword can spot it easily, so choosing DRIVER_OBJECT is the wise option; unfortunately this kind of hiding is also limited: SMB shares, CreateFile("\\\\.\\PhysicalDrive0"...) and IceSword can all find the hidden files easily.
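The two traces in section 1 give a defender something concrete to look for: an extra entry in the BootExecute value, and a Services key that one process creates, points at a .sys image and then deletes before the service can ever be listed. The following is an added example, not code from this guide or from the He4 project. It assumes a tab-separated Regmon export (the trace above is shown with the tab columns collapsed); the sample trace inside it is constructed for the example, modelled on the guide's lines, and the winreg reader only does anything on a Windows host.

```python
"""Added example (not He4Hook's own code): two checks for the traces in
section 1 of this guide, the BootExecute modification and the temporary
driver service that the native application creates and deletes.
The Regmon-style trace below is constructed for this example, modelled on
the guide's trace; it is not the guide's own log."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The only entry a stock Windows 2000/XP BootExecute value carries.
# He4HookBoot works by appending itself to this value.
EXPECTED_BOOT_EXECUTE = {"autocheck autochk *"}


def audit_boot_execute(entries: List[str]) -> List[str]:
    """Return the BootExecute entries that are not the stock autochk entry."""
    return [e for e in entries if e.strip().lower() not in EXPECTED_BOOT_EXECUTE]


def read_boot_execute_live() -> List[str]:
    """Read the real REG_MULTI_SZ value on a Windows host (empty list elsewhere)."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    value, _ = winreg.QueryValueEx(key, "BootExecute")
    return list(value)


SERVICES_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)(?:\\(.*))?$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}$", re.I)  # 7FFDE000-style service names


@dataclass
class ServiceKey:
    process: str
    created_at: int
    image_path: str = ""
    deleted_at: Optional[int] = None


def parse_regmon_line(line: str):
    """Split a tab-separated Regmon line into seq, process, op, path, result, extra."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5:
        return None
    seq, proc, op, path, result = parts[:5]
    extra = parts[5] if len(parts) > 5 else ""
    return int(seq.rstrip(":")), proc, op, path, result, extra


def find_transient_driver_services(lines: List[str]) -> List[dict]:
    """Flag Services keys that one trace creates, points at a .sys image and deletes."""
    seen = {}
    for parsed in map(parse_regmon_line, lines):
        if parsed is None:
            continue
        seq, proc, op, path, result, extra = parsed
        m = SERVICES_RE.match(path)
        if not m or result != "SUCCESS":
            continue
        name, sub = m.group(1), m.group(2) or ""
        op = op.lower()  # Regmon prints CreateKey / Setvalue / DeleteKey
        if op == "createkey" and sub == "":
            seen[name] = ServiceKey(process=proc, created_at=seq)
        elif op == "setvalue" and name in seen and sub.lower() == "imagepath":
            seen[name].image_path = extra.strip().strip('"')
        elif op == "deletekey" and sub == "" and name in seen:
            seen[name].deleted_at = seq
    findings = []
    for name, sk in seen.items():
        if sk.deleted_at is None:
            continue  # a service that stays registered is ordinary
        reasons = ["service key created and deleted within one trace"]
        if sk.image_path.lower().endswith(".sys"):
            reasons.append("ImagePath points at a kernel driver")
        if HEX_NAME_RE.match(name):
            reasons.append("service name is a raw address, not a product name")
        findings.append({"service": name, "process": sk.process,
                         "image_path": sk.image_path, "created_at": sk.created_at,
                         "deleted_at": sk.deleted_at, "reasons": reasons})
    return findings


# Constructed sample trace (tab-separated, same columns as the guide's Regmon output).
_SVC = r"HKLM\System\CurrentControlSet\Services"
SAMPLE_TRACE = ["\t".join(f) for f in [
    ("21087:", "native.exe:160", "CreateKey", _SVC + r"\7FFDE000", "SUCCESS", "Access: 0xF003F"),
    ("21088:", "native.exe:160", "Setvalue", _SVC + r"\7FFDE000\Type", "SUCCESS", "0x1"),
    ("21091:", "native.exe:160", "Setvalue", _SVC + r"\7FFDE000\ImagePath", "SUCCESS",
     r'"System32\DRIVERS\He4HookInv.sys"'),
    ("21216:", "native.exe:160", "DeleteKey", _SVC + r"\7FFDE000\Enum", "SUCCESS", "Key: 0xE1232310"),
    ("21218:", "native.exe:160", "DeleteKey", _SVC + r"\7FFDE000", "SUCCESS", "Key: 0xE12314B0"),
    # a normal installer that registers a driver and leaves it registered (constructed)
    ("30001:", "setup.exe:412", "CreateKey", _SVC + r"\ExampleDrv", "SUCCESS", "Access: 0xF003F"),
    ("30002:", "setup.exe:412", "Setvalue", _SVC + r"\ExampleDrv\ImagePath", "SUCCESS",
     r'"System32\DRIVERS\example.sys"'),
]]

if __name__ == "__main__":
    for hit in find_transient_driver_services(SAMPLE_TRACE):
        print(hit)
    print(audit_boot_execute(["autocheck autochk *", "He4HookBoot"]))
```

Only a service key that is both created and deleted inside the trace is reported, so an installer that registers a driver and leaves it registered (the ExampleDrv lines) stays quiet; the hex-looking name and the .sys ImagePath are added as separate reasons so the finding explains itself when it fires.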
3. He4HookControl.exe
This is the control end of He4Hook. The output of a few options below explains how He4HookControl is used:

1) Query He4Hook's status

C:\He4Hook>He4HookControl -q
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81305000
m_DefaultHeapInfo: SystemMemoryUsage = 32768 HeapMemoryUsage = 16
UnlockListHeapInfo: SystemMemoryUsage = 4096 HeapMemoryUsage = 0
FSDefaultHeapInfo: SystemMemoryUsage = 32768 HeapMemoryUsage = 0
SOFileListHeapInfo: SystemMemoryUsage = 16384 HeapMemoryUsage = 0
LLDefaultHeapInfo: SystemMemoryUsage = 0 HeapMemoryUsage = 0
MiscDefaultHeapInfo: SystemMemoryUsage = 32768 HeapMemoryUsage = 0
DHDefaultHeapInfo: SystemMemoryUsage = 16384 HeapMemoryUsage = 0

If He4HookInv.sys is not loaded, the output is:

He4HooInv device not installed
Incorrect function.

2) Show the list of protected files (empty at the moment)

C:\He4Hook>He4HookControl -s
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81305000
Protected files list:

3) Choose the file system hooking method.
-hk:0  unhook the file system
-hk:1  system service hooking
-hk:2  Driver_Object hooking
Choose hooking method 1 (the default hooking method when started through HE4BOOT is 2; to use the E flag of the file protection option -c you must choose method 1).

C:\He4Hook>He4HookControl -hk:1
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81305000
File system - hooked

4) Set the attributes of the file to be protected
Set C:\MyFile to readable and visible.
Option -a adds a file to the protection list.
-d removes a file from the protection list.
-da removes all files from the protection list.
(This list is maintained by He4HookInv and disappears after every reboot.)
Option -c sets the attributes of the protected file. If V is not set, the file is hidden. With the settings below, write and delete operations on the file are refused; for example, if you open it with notepad, modify it and save, you get Access Denied.

C:\He4Hook>He4HookControl -a:C:\MyFile -c:RV
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81305000
Protected files list:
C:\MyFile (RV)

Remove the whole protected file list just created with the -da option:

C:\He4Hook>He4HookControl -da
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81305000

Replace MyFile with MyFileNew, as another way of implementing protection: when MyFile is opened, what you actually get is MyFileNew. This only works when hooking the SSDT, though (easy to see why).

C:\He4Hook>He4HookControl -a:C:\MyFile=C:\MyFileNew -c:ERV
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81305000
Protected files list:
C:\MyFile (RVE) => \??\C:\MyFileNew

5) Set a process's operation permissions on protected files (this overrides the earlier settings for protected files)
Option -u adds a process to the "exclusion list"
-l removes a process from the "exclusion list"
-la removes all processes from the "exclusion list"
Option -cp sets the process's operation permissions

a) Make the notepad process unable to see protected files (regardless of whether the protected file was originally visible or not)

C:\He4Hook>He4HookControl -u:notepad.exe -cp:R
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81305000
Client Id = 384 (Process) (R)

b) Let the notepad process read, delete and see protected files, with writing still restricted.

C:\He4Hook>He4HookControl -u:notepad.exe -cp:RDV
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81305000
Client Id = 2d0 (Process) (RDV)

6) Choose the driver load type
-i:0  open the existing driver (default)
-i:1  force-load a new driver (i.e. unload the old one and change the base address of the resident driver, with a single memcpy)

C:\He4Hook>He4HookControl -i
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 812BA000

C:\He4Hook>He4HookControl -i:1
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 812BA000
New version driver:
He4HooInv device installed - Version: 20001005 Base: 81291000
Protected files list:
C:\MyFile (RV)

C:\He4Hook>He4HookControl -q
He4HookControl v2.03 - control utility for He4HookInv
Copyright (C) 2000 He4 developers team He4Dev@hotmail.com
He4HooInv device installed - Version: 20001005 Base: 81291000
m_DefaultHeapInfo: SystemMemoryUsage = 32768 HeapMemoryUsage = 16
UnlockListHeapInfo: SystemMemoryUsage = 4096 HeapMemoryUsage = 0
FSDefaultHeapInfo: SystemMemoryUsage = 32768 HeapMemoryUsage = 0
SOFileListHeapInfo: SystemMemoryUsage = 16384 HeapMemoryUsage = 0
LLDefaultHeapInfo: SystemMemoryUsage = 0 HeapMemoryUsage = 0
MiscDefaultHeapInfo: SystemMemoryUsage = 32768 HeapMemoryUsage = 0
DHDefaultHeapInfo: SystemMemoryUsage = 16384 HeapMemoryUsage = 0

[Testing]
I removed the parts of He4Boot that start He4Win32Srv and He4NDIS and enabled the __HE4_BOOT_DEBUG macro, so you can see more information at boot time; all of it is saved to a file named He4Boot.log in the System32 directory. To save effort I reused the batch file from Sysinternals' native sample code, and He4Boot was renamed to native as well. Just change to its directory in a CMD window and run INSTALL.BAT to install; after a reboot you will see the output from native (He4Boot). To uninstall, run UINSTALL.BAT. Note: please test on W2K, and back up all important data first.