分析
拿到样本之后加载上驱动
可以看到输出的是线程ID，顺着这个ID可以轻松找到所属进程。
可以看到线程入口被改掉了，驱动也加了VMP壳，所以用动态分析比较合适。
实现
fffff880`068042fc 4053 push rbx
fffff880`068042fe 4883ec20 sub rsp, 20h
fffff880`06804302 65488b1c2588010000 mov rbx, qword ptr gs:[188h]
fffff880`0680430b 488b050e1d0000 mov rax, qword ptr [fffff880`06806020]
fffff880`06804312 488b4c2460 mov rcx, qword ptr [rsp+60h]
fffff880`06804317 0fb700 movzx eax, word ptr [rax]
fffff880`0680431a 4c8b5c2458 mov r11, qword ptr [rsp+58h]
fffff880`0680431f 4c8b542450 mov r10, qword ptr [rsp+50h]
fffff880`06804324 3d39380000 cmp eax, 3839h
fffff880`06804329 0f8f98010000 jg fffff880`068044c7
fffff880`0680432f 0f8465010000 je fffff880`0680449a
fffff880`06804335 3dce0e0000 cmp eax, 0ECEh
fffff880`0680433a 0f842d010000 je fffff880`0680446d
fffff880`06804340 3d6f170000 cmp eax, 176Fh
fffff880`06804345 0f8e69020000 jle fffff880`068045b4
fffff880`0680434b 3d72170000 cmp eax, 1772h
fffff880`06804350 0f8eea000000 jle fffff880`06804440
fffff880`06804356 3daf1d0000 cmp eax, 1DAFh
fffff880`0680435b 0f8e53020000 jle fffff880`068045b4
fffff880`06804361 3db11d0000 cmp eax, 1DB1h
fffff880`06804366 0f8ea7000000 jle fffff880`06804413
fffff880`0680436c 3df0230000 cmp eax, 23F0h
fffff880`06804371 7473 je fffff880`068043e6
fffff880`06804373 3d80250000 cmp eax, 2580h
fffff880`06804378 743f je fffff880`068043b9
fffff880`0680437a 3d00280000 cmp eax, 2800h
fffff880`0680437f 740b je fffff880`0680438c
fffff880`06804381 3d5a290000 cmp eax, 295Ah
fffff880`06804386 0f8528020000 jne fffff880`068045b4
fffff880`0680438c c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`06804392 41c70120020000 mov dword ptr [r9], 220h
fffff880`06804399 41c70090060000 mov dword ptr [r8], 690h
fffff880`068043a0 41c70228060000 mov dword ptr [r10], 628h
fffff880`068043a7 41c70300060000 mov dword ptr [r11], 600h
fffff880`068043ae c70180060000 mov dword ptr [rcx], 680h
fffff880`068043b4 e919020000 jmp fffff880`068045d2
fffff880`068043b9 c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`068043bf 41c70120020000 mov dword ptr [r9], 220h
fffff880`068043c6 41c70088060000 mov dword ptr [r8], 688h
fffff880`068043cd 41c70220060000 mov dword ptr [r10], 620h
fffff880`068043d4 41c703f8050000 mov dword ptr [r11], 5F8h
fffff880`068043db c70178060000 mov dword ptr [rcx], 678h
fffff880`068043e1 e9ec010000 jmp fffff880`068045d2
fffff880`068043e6 c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`068043ec 41c70120020000 mov dword ptr [r9], 220h
fffff880`068043f3 41c70000040000 mov dword ptr [r8], 400h
fffff880`068043fa 41c70298030000 mov dword ptr [r10], 398h
fffff880`06804401 41c70370030000 mov dword ptr [r11], 370h
fffff880`06804408 c701f0030000 mov dword ptr [rcx], 3F0h
fffff880`0680440e e9bf010000 jmp fffff880`068045d2
fffff880`06804413 c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`06804419 41c70110020000 mov dword ptr [r9], 210h
fffff880`06804420 41c70020040000 mov dword ptr [r8], 420h
fffff880`06804427 41c702b0030000 mov dword ptr [r10], 3B0h
fffff880`0680442e 41c70388030000 mov dword ptr [r11], 388h
fffff880`06804435 c70110040000 mov dword ptr [rcx], 410h
fffff880`0680443b e992010000 jmp fffff880`068045d2
fffff880`06804440 c702d0020000 mov dword ptr [rdx], 2D0h
fffff880`06804446 41c701f8010000 mov dword ptr [r9], 1F8h
fffff880`0680444d 41c700f0030000 mov dword ptr [r8], 3F0h
fffff880`06804454 41c70280030000 mov dword ptr [r10], 380h
fffff880`0680445b 41c70358030000 mov dword ptr [r11], 358h
fffff880`06804462 c701e0030000 mov dword ptr [rcx], 3E0h
fffff880`06804468 e965010000 jmp fffff880`068045d2
fffff880`0680446d c702c0020000 mov dword ptr [rdx], 2C0h
fffff880`06804473 41c701b8030000 mov dword ptr [r9], 3B8h
fffff880`0680447a 41c700d0030000 mov dword ptr [r8], 3D0h
fffff880`06804481 41c70258030000 mov dword ptr [r10], 358h
fffff880`06804488 41c703c0030000 mov dword ptr [r11], 3C0h
fffff880`0680448f c701c8030000 mov dword ptr [rcx], 3C8h
fffff880`06804495 e938010000 jmp fffff880`068045d2
fffff880`0680449a c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`068044a0 41c70120020000 mov dword ptr [r9], 220h
fffff880`068044a7 41c70098060000 mov dword ptr [r8], 698h
fffff880`068044ae 41c70230060000 mov dword ptr [r10], 630h
fffff880`068044b5 41c70308060000 mov dword ptr [r11], 608h
fffff880`068044bc c70188060000 mov dword ptr [rcx], 688h
fffff880`068044c2 e90b010000 jmp fffff880`068045d2
fffff880`068044c7 3dd73a0000 cmp eax, 3AD7h
fffff880`068044cc 0f84ba000000 je fffff880`0680458c
fffff880`068044d2 3dab3f0000 cmp eax, 3FABh
fffff880`068044d7 0f8485000000 je fffff880`06804562
fffff880`068044dd 3dee420000 cmp eax, 42EEh
fffff880`068044e2 747e je fffff880`06804562
fffff880`068044e4 3d63450000 cmp eax, 4563h
fffff880`068044e9 7477 je fffff880`06804562
fffff880`068044eb 3db9470000 cmp eax, 47B9h
fffff880`068044f0 0f8ebe000000 jle fffff880`068045b4
fffff880`068044f6 3dbb470000 cmp eax, 47BBh
fffff880`068044fb 7e3b jle fffff880`06804538
fffff880`068044fd 059fb5ffff add eax, 0FFFFB59Fh
fffff880`06804502 83f802 cmp eax, 2
fffff880`06804505 0f87a9000000 ja fffff880`068045b4
fffff880`0680450b c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`06804511 41c70120020000 mov dword ptr [r9], 220h
fffff880`06804518 41c700e8040000 mov dword ptr [r8], 4E8h
fffff880`0680451f 41c70278040000 mov dword ptr [r10], 478h
fffff880`06804526 41c70350040000 mov dword ptr [r11], 450h
fffff880`0680452d c701d0040000 mov dword ptr [rcx], 4D0h
fffff880`06804533 e99a000000 jmp fffff880`068045d2
fffff880`06804538 c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`0680453e 41c70120020000 mov dword ptr [r9], 220h
fffff880`06804545 41c700b8060000 mov dword ptr [r8], 6B8h
fffff880`0680454c 41c70248060000 mov dword ptr [r10], 648h
fffff880`06804553 41c70320060000 mov dword ptr [r11], 620h
fffff880`0680455a c701a0060000 mov dword ptr [rcx], 6A0h
fffff880`06804560 eb70 jmp fffff880`068045d2
fffff880`06804562 c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`06804568 41c70120020000 mov dword ptr [r9], 220h
fffff880`0680456f 41c700a8060000 mov dword ptr [r8], 6A8h
fffff880`06804576 41c70238060000 mov dword ptr [r10], 638h
fffff880`0680457d 41c70310060000 mov dword ptr [r11], 610h
fffff880`06804584 c70190060000 mov dword ptr [rcx], 690h
fffff880`0680458a eb46 jmp fffff880`068045d2
fffff880`0680458c c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`06804592 41c70238060000 mov dword ptr [r10], 638h
fffff880`06804599 41c70120020000 mov dword ptr [r9], 220h
fffff880`068045a0 41c70310060000 mov dword ptr [r11], 610h
fffff880`068045a7 c70190060000 mov dword ptr [rcx], 690h
fffff880`068045ad 41c700a0060000 mov dword ptr [r8], 6A0h
fffff880`06804413 c702f8020000 mov dword ptr [rdx], 2F8h
fffff880`06804419 41c70110020000 mov dword ptr [r9], 210h
fffff880`06804420 41c70020040000 mov dword ptr [r8], 420h
fffff880`06804427 41c702b0030000 mov dword ptr [r10], 3B0h
fffff880`0680442e 41c70388030000 mov dword ptr [r11], 388h
fffff880`06804435 c70110040000 mov dword ptr [rcx], 410h
这是驱动修改 ETHREAD 时按系统版本选用的字段偏移：上面一串 cmp eax 的立即数是系统 build 号（例如 1DB1h = 7601，即 Win7 SP1），对应分支（fffff880`06804413 处）写出的 410h / 420h / 388h / 3B0h 正好就是下面列出的 Win7 偏移。
比如 Win7：
+0x410 Win32StartAddress :
+0x420 ThreadListEntry :
+0x388 StartAddress :
+0x3b0 Cid : _CLIENT_ID
当然不需要这么麻烦地修改一大堆偏移，只要处理 Win32StartAddress 和 StartAddress 就可以了。
附加到目标进程之后再调用 PsCreateSystemThread，线程就会创建在当前（被附加的）进程中。
编译后来看看效果
System 进程中找不到属于该驱动的线程。
csrss 中的 2036 线程就是驱动创建的，PCHunter 也显示正常，不会标为红色（隐藏）。
样本参考