附件:2.rar

研究 TlsCallBack。本例子按照 XP SP2 的环境而写，98 下肯定 game over（9x 的加载器不走这套 TLS 回调逻辑），2000 下没有测过，希望大家告知结果，谢谢。

程序编译出来没有 TLS 表，于是在输入表所在的区段中找了块空闲空间，硬加了个 TLS 表进去。注意后面 401040、4010C0 处会直接往这张表里写，所以放表的区段必须可写。

设置 OD 停在系统断点，载入 2.exe。
可以对 RtlImageDirectoryEntryToData 下断（ntdll.dll 中的那个）。
找到这里：
  7C9484E8           50                push eax                                 // &Size out-parameter for RtlImageDirectoryEntryToData. (ebx is zeroed at 7C9484F6 and then serves as the constant 0 in every compare below)
  7C9484E9           6A 09             push 9                                   // DirectoryEntry = 9 = IMAGE_DIRECTORY_ENTRY_TLS
  7C9484EB           6A 01             push 1                                   // MappedAsImage = TRUE
  7C9484ED           8B7D 08           mov edi,dword ptr ss:[ebp+8]             // edi = image base (first argument of this routine; passed to every callback as arg0)
  7C9484F0           57                push edi
  7C9484F1           E8 6083FEFF       call ntdll.RtlImageDirectoryEntryToData  // EAX = 4020C0 in this trace: the IMAGE_TLS_DIRECTORY of 2.exe (0 if the image has none)
  7C9484F6           33DB              xor ebx,ebx
  7C9484F8           895D FC           mov dword ptr ss:[ebp-4],ebx             // presumably the frame's SEH try-level (reset to -1 at 7C94851F) -- TODO confirm
  7C9484FB           3BC3              cmp eax,ebx                              // no TLS directory -> nothing to do; here it exists, so the jump is not taken              
  7C9484FD           74 20             je short ntdll.7C94851F
  7C9484FF           8B70 0C           mov esi,dword ptr ds:[eax+C]             // esi = TlsDir->AddressOfCallBacks (offset +0C); 4020E0 in this trace
  7C948502           8975 E0           mov dword ptr ss:[ebp-20],esi            // [ebp-20] = cursor into the callback array
  7C948505           3BF3              cmp esi,ebx                              // NULL callback array -> done; 4020E0 != 0, so not taken
  7C948507           74 16             je short ntdll.7C94851F
  7C948509           381D 21C1997C     cmp byte ptr ds:[7C99C121],bl            // loader debug-trace flag (the non-zero path ends up in the DbgPrint at 7C95B46A); clear in this trace, so not taken
  7C94850F           0F85 2F2F0100     jnz ntdll.7C95B444
  7C948515           8B06              mov eax,dword ptr ds:[esi]               // LOOP HEAD (re-entered from 7C95B486): eax = *cursor = next callback address; 401040 on the first pass. The array is re-read from memory every pass
  7C948517           3BC3              cmp eax,ebx                              // the array is 0-terminated: a 0 entry ends the walk (author notes Delphi builds have 0 here)
  7C948519           0F85 3A2F0100     jnz ntdll.7C95B459                       // non-zero entry -> invoke it (taken here, since the author patched in 401040)
  7C94851F           834D FC FF        or dword ptr ss:[ebp-4],FFFFFFFF         // try-level = -1 (see note at 7C9484F8)
  7C948523           E8 DA68FEFF       call ntdll.7C92EE02                      // frame teardown helper; body not in view
  7C948528           C2 0800           retn 8                                   // stdcall, two DWORD args: [ebp+8] image base, [ebp+C] reason code handed to the callbacks


  7C95B459           8945 E4           mov dword ptr ss:[ebp-1C],eax            // reached from 7C948519: [ebp-1C] = callback to invoke (401040 on the first pass)
  7C95B45C           83C6 04           add esi,4                                // advance the cursor to the next array slot (4020E0 -> 4020E4)
  7C95B45F           8975 E0           mov dword ptr ss:[ebp-20],esi            // store the advanced cursor back in [ebp-20]
  7C95B462           381D 21C1997C     cmp byte ptr ds:[7C99C121],bl            // same debug-trace flag as at 7C948509; when clear (as here) skip the DbgPrint
  7C95B468           74 0F             je short ntdll.7C95B479                  
  7C95B46A           50                push eax                                 // DbgPrint(fmt@7C95B520, image base, callback) -- trace only
  7C95B46B           57                push edi
  7C95B46C           68 20B5957C       push ntdll.7C95B520  
  7C95B471           E8 7A4FFFFF       call ntdll.DbgPrint
  7C95B476           83C4 0C           add esp,0C                               // cdecl: caller pops the 3 args
  7C95B479           53                push ebx                                 // arg3 = 0 (Reserved)
  7C95B47A           FF75 0C           push dword ptr ss:[ebp+C]                // arg2 = reason code passed into this routine
  7C95B47D           57                push edi                                 // arg1 = image base
  7C95B47E           FF75 E4           push dword ptr ss:[ebp-1C]               // arg0 = callback address
  7C95B481           E8 0D5DFCFF       call ntdll.7C921193                      // invoke-callback thunk, listed below
  7C95B486         ^ E9 8AD0FEFF       jmp ntdll.7C948515                       // back to the loop head: reload *cursor and test for the terminating 0. Because the slot is re-read each pass, a callback may append entries to the array while the walk is in progress (callback 1 does exactly that at 401040)


  7C921193           55                push ebp                                 // thunk: call [ebp+8]([ebp+C], [ebp+10], [ebp+14]) with the stack pointer saved around the call
  7C921194           8BEC              mov ebp,esp
  7C921196           56                push esi
  7C921197           57                push edi
  7C921198           53                push ebx
  7C921199           8BF4              mov esi,esp                              // remember esp before the arguments are pushed
  7C92119B           FF75 14           push dword ptr ss:[ebp+14]               // Reserved (0, pushed at 7C95B479)
  7C92119E           FF75 10           push dword ptr ss:[ebp+10]               // reason code
  7C9211A1           FF75 0C           push dword ptr ss:[ebp+C]                // image base
  7C9211A4           FF55 08           call dword ptr ss:[ebp+8]                // first pass: calls 401040, the TLS callback
  7C9211A7           8BE6              mov esp,esi                              // esp = saved copy: tolerates a callback that returns with the wrong number of args popped (401040 uses plain retn). But a callback that returns with esi clobbered puts garbage in esp here -- esi is callee-saved, and callback 2 preserves it with push/pop at 401080/4010A7
  7C9211A9           5B                pop ebx
  7C9211AA           5F                pop edi
  7C9211AB           5E                pop esi
  7C9211AC           5D                pop ebp
  7C9211AD           C2 1000           retn 10                                  // stdcall, 4 DWORD args



我例子中的 EP 是 401000。为了说明问题，我把那儿清空了。现在还没有到 EP，因为 TlsCallBack 先把执行权带到了 401040：

  00401040           C705 E4204000 801>mov dword ptr ds:[4020E4],2.00401080                 ; TLS callback 1: write callback 2 (401080) into the array slot that was 0. Works because the loader re-reads the array each pass (7C948515) and the page holding the table is writable
  0040104A           6A 00             push 0                                               ; uType = 0 (MB_OK)
  0040104C           68 20304000       push 2.00403020                                      ; ASCII "From Tls CallBack 1"  (lpCaption)
  00401051           68 00304000       push 2.00403000                                      ; ASCII "Tls CallBack 2 Actived"  (lpText)
  00401056           6A 00             push 0                                               ; hWnd = NULL
  00401058           FF15 08204000     call dword ptr ds:[<&USER32.MessageBoxA>]            ; USER32.MessageBoxA
  0040105E           C3                retn                                                 ; returns without popping its 3 args; the thunk at 7C9211A7 resets esp, so this is tolerated


再来看一下 TLS 表。表始址是 4020C0，+0C 处的 4020E0 称为 TlsCallBack（AddressOfCallBacks），4020E0 指向 401040。这个地址会比 EP 先获得执行权（98 不带）——所以如果只在 EP 下断，这段代码已经先跑过了。
004020C0  00 00 00 00  00 00 00 00  D0 20 40 00  E0 20 40 00  ........?@.?@.        
004020D0  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
004020E0  40 10 40 00  00 00 00 00  00 00 00 00  00 00 00 00  @@.............
401040 那句话执行完以后，表变成下面这样。我故意在运行时动态地把第二个 TlsCallBack 入口 401080 写进去，因为这样比较好玩：
004020C0  00 00 00 00  00 00 00 00  D0 20 40 00  E0 20 40 00  ........?@.?@.
004020D0  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
004020E0  40 10 40 00  80 10 40 00  00 00 00 00  00 00 00 00  @@.€@.........

40105E 返回后：
  7C95B486         ^ E9 8AD0FEFF       jmp ntdll.7C948515                       // back to the loop head to check whether another callback entry exists
由于 401080 已经存在，因此就进入了第二个 TlsCallBack：



  00401080           56                push esi                                 // TLS callback 2. esi holds the loader thunk's saved esp (7C921199): preserve it, or 7C9211A7 restores a bad stack pointer
  00401081           8BF4              mov esi,esp
  00401083           AD                lods dword ptr ds:[esi]                  // scan upward through the stack one DWORD at a time, looking for the original EP value
  00401084           3D 00104000       cmp eax,2.401000                         // EP of this example is 401000
  00401089         ^ 75 F8             jnz short 2.00401083                     // not found yet -> keep scanning. No upper bound: if 401000 is not on the stack this walks off the top and faults, and it matches the first DWORD equal to 401000 whatever that slot is
  0040108B           05 C0000000       add eax,0C0                              // new EP = 401000 + 0C0 = 4010C0
  00401090           8946 FC           mov dword ptr ds:[esi-4],eax             // overwrite the matched slot (lods already advanced esi past it) with the new EP
  00401093           6A 00             push 0                                   // uType = 0 (MB_OK)
  00401095           68 40304000       push 2.00403040                                      ; ASCII "From Tls CallBack 2"  (lpCaption)
  0040109A           68 60304000       push 2.00403060                                      ; ASCII "Change EP to 4010C0"  (lpText)
  0040109F           6A 00             push 0                                   // hWnd = NULL
  004010A1           FF15 08204000     call dword ptr ds:[<&USER32.MessageBoxA>]            ; USER32.MessageBoxA
  004010A7           5E                pop esi                                  // restore the loader's esi
  004010A8           C3                retn


ÔÚTlsCallBackÖпÉÒÔ¿´µ½ÔÚStackÖп´µ½epµÄÖµ£¬ ²¢ÇÒÕâ¸öep¾ÍÊÇÓÐЧ£¬ Òò´Ë¿ÉÒÔ¶¯Ì¬µÄ¸Äµô
ÕâÀï4010A8 retn ³öÀ´ºó£¬ÏÂÒ»¸öTlsCallBackµÄÖµÊÇ0£¬Òò´ËÕâÀïTlsCallBackµÄ¹¤×÷¶¼Íê³ÉÁË£¬ ÏÖÔÚµÄepÊÇ 4010C0



来到 EP：
  004010C0           C705 E0204000 001>mov dword ptr ds:[4020E0],2.00401100     // new EP: repoint TLS callback 1 at 401100. The loader walks the array again during ExitProcess, so this will still run
  004010CA           C705 E4204000 000>mov dword ptr ds:[4020E4],0              // clear callback 2's slot so the array terminates after entry 1
  004010D4           6A 00             push 0                                               ; uType = 0 (MB_OK)
  004010D6           68 80304000       push 2.00403080                                      ; ASCII "From new EP"  (lpCaption)
  004010DB           68 90304000       push 2.00403090                                      ; ASCII "Change Tls CallBack 1 and ExitProcess"  (lpText)
  004010E0           6A 00             push 0                                               ; hWnd = NULL
  004010E2           FF15 08204000     call dword ptr ds:[<&USER32.MessageBoxA>]            ; USER32.MessageBoxA
  004010E8           6A 00             push 0                                               ; uExitCode = 0
  004010EA           FF15 00204000     call dword ptr ds:[<&KERNEL32.ExitProcess>]          ; kernel32.ExitProcess -- does not return; what it does on the way out is traced below

Call 了 ExitProcess 并没有完，跟进看看就知道了。
进去后对第一个 Call 按 F7，看到下面：
  7C81CA2B           8B35 FC13807C     mov esi,dword ptr ds:[<&ntdll.NtTerminateProcess>]   ; ntdll.ZwTerminateProcess
  7C81CA31           FFD6              call esi                                 // inside kernel32.ExitProcess: first NtTerminateProcess call (arguments not in view; presumably the pass that stops the other threads -- confirm)
  7C81CA33           8985 20FFFFFF     mov dword ptr ss:[ebp-E0],eax            // keep the NTSTATUS
  7C81CA39           E8 82000000       call <jmp.&ntdll.LdrShutdownProcess>     // F7 into this: it calls every DLL's DllMain(DETACH) and re-walks the TLS callback array via 7C9484D9, so user code still executes after ExitProcess was called

一路 F8 到 jmp short 7C943EBC，这里一大段是 call 进所有 dll 的 DllMain（带 DLL_PROCESS_DETACH）。
从 je 7C943F6B 这句出来，再 F8 十几行到 call 7C9484D9，进去就是最上面处理 TlsCallBack 的那一大段了（7C9484E8 就在它里面）。



因此 ExitProcess 仍会跳进 TlsCallBack。现在第 1 个 TlsCallBack 的入口是 401100：
  00401100           68 00002000       push 200000                              // uType = 0x00200000 = MB_SERVICE_NOTIFICATION; author observed that with 0 the box never appears at this stage of shutdown
  00401105           68 C0304000       push 2.004030C0                                           ; ASCII "From Tls Call Back 1"  (lpCaption)
  0040110A           68 E0304000       push 2.004030E0                                           ; ASCII "App had Called ExitProcess"  (lpText)
  0040110F           6A 00             push 0                                                    ; hWnd = NULL
  00401111           FF15 08204000     call dword ptr ds:[<&USER32.MessageBoxA>]                 ; USER32.MessageBoxA
  00401117           C3                retn                                     // back into the loader's exit-time callback walk (7C9211A7 resets esp)


关于最后一个 MessageBox，我猜是由于已经调用过 NtTerminateProcess，所以 uType 为 0 的话弹不出来；好在可以用 MB_SERVICE_NOTIFICATION（0x00200000）。


这个完了以后，才算真正的完了。若干 F8 跑出 LdrShutdownProcess，再下面一个 Call 就是 sysenter，进程到此才真正结束。