Recently, while writing a program, I unexpectedly discovered an unknown driver that has hooked the main functions in the system, and the hooks cannot be removed: as soon as I use an ARK tool to strip a hook, the machine blue-screens. This driver matches the characteristics of a virus very closely. It has a random name, it renames itself automatically at boot, and after renaming it deletes the driver file. The following is the modified part of the kernel code as seen in WinDbg:
Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Symbol search path is: E:\HookBacks\TemporaryProtective\TemporaryProtective\objfre_wxp_x86\i386;SRV*F:\symbols*http://msdl.microsoft.com/download/symbols;C:\bak\Jiage\objfre_wxp_x86\i386
Executable search path is:
Unable to read selector for PCR for processor 0
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.100216-1441
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055b6a0
Debug session time: Sat Sep 18 18:50:45.953 2010 (GMT+8)
System Uptime: 0 days 6:11:58.482
lkd> u IoCreateFile
nt!IoCreateFile:
80570d03 8bff mov edi,edi
80570d05 55 push ebp
80570d06 8bec mov ebp,esp
80570d08 83ec0c sub esp,0Ch
80570d0b 53 push ebx
80570d0c 56 push esi
80570d0d 33f6 xor esi,esi
80570d0f 8975fc mov dword ptr [ebp-4],esi
lkd> u
nt!IoCreateFile+0xf:
80570d12 8b1db8725580 mov ebx,dword ptr [nt!ExHotpSyncRenameSequence (805572b8)]
80570d18 f6c301 test bl,1
80570d1b 0f8544470700 jne nt!IoCreateFile+0x1a (805e5465)
80570d21 56 push esi
80570d22 56 push esi
80570d23 ff753c push dword ptr [ebp+3Ch]
80570d26 ff7538 push dword ptr [ebp+38h]
80570d29 ff7534 push dword ptr [ebp+34h]
lkd> u
nt!IoCreateFile+0x68:
80570d2c ff7530 push dword ptr [ebp+30h]
80570d2f ff752c push dword ptr [ebp+2Ch]
80570d32 ff7528 push dword ptr [ebp+28h]
80570d35 ff7524 push dword ptr [ebp+24h]
80570d38 ff7520 push dword ptr [ebp+20h]
80570d3b ff751c push dword ptr [ebp+1Ch]
80570d3e ff7518 push dword ptr [ebp+18h]
80570d41 ff7514 push dword ptr [ebp+14h]
lkd> u
nt!IoCreateFile+0x80:
80570d44 ff7510 push dword ptr [ebp+10h]
80570d47 ff750c push dword ptr [ebp+0Ch]
80570d4a ff7508 push dword ptr [ebp+8]
80570d4d e8bc5af96c call ed50680e
80570d52 3bc6 cmp eax,esi
80570d54 0f8c9e0f0000 jl nt!IoCreateFile+0x92 (80571cf8)
80570d5a 5e pop esi
80570d5b 5b pop ebx
lkd> u ed50680e
ed50680e 8bff mov edi,edi
ed506810 55 push ebp
ed506811 8bec mov ebp,esp
ed506813 81ec14020000 sub esp,214h
ed506819 a1cc7750ed mov eax,dword ptr ds:[ED5077CCh]
ed50681e 8945fc mov dword ptr [ebp-4],eax
ed506821 8b4508 mov eax,dword ptr [ebp+8]
ed506824 56 push esi
lkd> u IofCallDriver
nt!IofCallDriver:
804e47d5 e92026026d jmp ed506dfa
804e47da 80909090909068 adc byte ptr [eax-6F6F6F70h],68h
804e47e1 fa cli
804e47e2 6d ins dword ptr es:[edi],dx
804e47e3 50 push eax
804e47e4 ed in eax,dx
804e47e5 c3 ret
804e47e6 84c0 test al,al
lkd> u ed506dfa
ed506dfa 8bff mov edi,edi
ed506dfc 50 push eax
ed506dfd 8b442404 mov eax,dword ptr [esp+4]
ed506e01 9c pushfd
ed506e02 83792c07 cmp dword ptr [ecx+2Ch],7
ed506e06 7525 jne ed506e2d
ed506e08 60 pushad
ed506e09 52 push edx
lkd> u
ed506e0a 50 push eax
ed506e0b e8ccf5ffff call ed5063dc
ed506e10 50 push eax
ed506e11 e8f0feffff call ed506d06
ed506e16 58 pop eax
ed506e17 5a pop edx
ed506e18 85c0 test eax,eax
ed506e1a 7410 je ed506e2c
lkd> u
ed506e1c 52 push edx
ed506e1d e85ce9ffff call ed50577e
ed506e22 c705e87750ed01000000 mov dword ptr ds:[0ED5077E8h],1
ed506e2c 61 popad
ed506e2d 9d popfd
ed506e2e 58 pop eax
ed506e2f ff25547850ed jmp dword ptr ds:[0ED507854h]
ed506e35 cc int 3
This is a screenshot of the XueTr analysis:

Could the experts here please help me figure out what virus this is? The machine has 360 Safeguard and NOD32 version 2.7 installed, with automatic updates turned on, plus .NET and similar software. The system is XP. ProcessProtective.sys is a driver I wrote myself; it is a normal monitoring driver. Nothing else is installed.
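The two redirections visible in the WinDbg listing above can be recognised mechanically: IofCallDriver's first instruction is an E9 (jmp rel32) whose destination lies far outside the ntoskrnl image, and IoCreateFile+0x4a is an E8 (call rel32) whose destination also leaves the image. The following C program, written here as an added illustration and not taken from the post or from any of the tools it names, decodes those rel32 operands, resolves them to absolute addresses, and flags any destination outside the kernel image range. The kernel base 0x804d8000 is the one printed in the debugger banner; the image size 0x1F0000 is a constructed placeholder (a real check would read SizeOfImage from the loaded-module list), and the byte arrays are transcribed from the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NT_BASE is from the WinDbg banner in the post ("Kernel base = 0x804d8000").
 * NT_SIZE_ASSUMED is a constructed placeholder: the post does not give the
 * ntoskrnl image size, so a real check must read SizeOfImage from the
 * loaded-module list instead of hard-coding it. */
#define NT_BASE         0x804d8000u
#define NT_SIZE_ASSUMED 0x1F0000u

/* Bytes transcribed from the post's "u" output (constructed sample input). */
const uint8_t IOFCALLDRIVER_ENTRY[] = { 0xe9, 0x20, 0x26, 0x02, 0x6d, 0x80, 0x90, 0x90 };
const uint8_t IOCREATEFILE_ENTRY[]  = { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x0c };
const uint8_t IOCREATEFILE_PLUS80[] = { 0xff, 0x75, 0x10, 0xff, 0x75, 0x0c, 0xff, 0x75, 0x08,
                                        0xe8, 0xbc, 0x5a, 0xf9, 0x6c, 0x3b, 0xc6 };

int in_kernel_image(uint32_t va) {
    return va >= NT_BASE && va < NT_BASE + NT_SIZE_ASSUMED;
}

/* Absolute destination of a 5-byte E8 (call) / E9 (jmp) rel32 located at va.
 * The displacement is relative to the end of the instruction (va + 5). */
uint32_t rel32_target(uint32_t va, const uint8_t *insn) {
    int32_t rel;
    memcpy(&rel, insn + 1, sizeof rel);   /* x86 stores rel32 little-endian */
    return va + 5u + (uint32_t)rel;
}

/* 1 if the entry still carries the hot-patchable prologue
 * mov edi,edi / push ebp / mov ebp,esp, as IoCreateFile does in the listing. */
int has_clean_prologue(const uint8_t *code, size_t len) {
    static const uint8_t prologue[] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };
    return len >= sizeof prologue && memcmp(code, prologue, sizeof prologue) == 0;
}

/* Inline-hook check for a function entry: an E9 jmp as the very first
 * instruction whose target lies outside the kernel image (the IofCallDriver
 * pattern). Returns 1 and stores the target when that is the case. */
int entry_is_hooked(uint32_t va, const uint8_t *code, size_t len, uint32_t *target) {
    if (len < 5 || code[0] != 0xE9) return 0;
    uint32_t t = rel32_target(va, code);
    if (in_kernel_image(t)) return 0;
    if (target) *target = t;
    return 1;
}

/* Heuristic body scan (no real disassembler, so it can misfire on data
 * bytes): report the offset of the first E8/E9 whose rel32 target leaves the
 * kernel image, which is how the call at IoCreateFile+0x4a stands out.
 * Returns -1 when nothing is found. */
long find_rel32_outside(uint32_t va, const uint8_t *code, size_t len, uint32_t *target) {
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE8 && code[i] != 0xE9) continue;
        uint32_t t = rel32_target(va + (uint32_t)i, code + i);
        if (!in_kernel_image(t)) {
            if (target) *target = t;
            return (long)i;
        }
    }
    return -1;
}

int main(void) {
    uint32_t t = 0;
    if (entry_is_hooked(0x804e47d5u, IOFCALLDRIVER_ENTRY, sizeof IOFCALLDRIVER_ENTRY, &t))
        printf("IofCallDriver entry redirected to %08x (outside ntoskrnl)\n", t);
    printf("IoCreateFile prologue intact: %d\n",
           has_clean_prologue(IOCREATEFILE_ENTRY, sizeof IOCREATEFILE_ENTRY));
    long off = find_rel32_outside(0x80570d44u, IOCREATEFILE_PLUS80,
                                  sizeof IOCREATEFILE_PLUS80, &t);
    if (off >= 0)
        printf("call at %08lx leaves the kernel image -> %08x\n", 0x80570d44ul + off, t);
    return 0;
}
```

Resolving the targets is the step that matters for triage: both redirections land in the same 0xED50xxxx region, so the next question for a responder is which loaded driver owns that range (for example via `lm` in WinDbg), and a hook is only cleared safely once that module and its trampoline back into the original code are understood, which is consistent with the crashes seen when stripping the hooks blindly.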