首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>系统安全>文章内容
检测并禁用隐藏服务
来源:linux2linux_at_163.com 作者:linux2linux 发布时间:2005-05-31  

检测并禁用隐藏服务


隐藏服务的概念是由hxdef 和rootkit这些后门工具提出的。这些后门工具通过挂钩系统本地调用来隐藏自己,原本通过调用Windows API调用查看系统服务的企图都是徒劳的。所以这时的系统是不可靠的,不值得信任的。目前针对查找隐藏服务的工具已经有很多,比如IceSword,knlsc,FHS等等。虽然这些软件都是免费的,但是它们到目前为止都不是开源,所以将自己的实现版本展示出来,正如knlsc的作者所说的那样,这是一个简单的小程序。

Knlsc是通过将%SystemRoot%/System32/Config/System这个Hive文件转储出来,提取出ControlSet001/Services的子项再与RegEnumKeyEx的输出结果进行比对,发现若是在RegEnumKeyEx的输出结果中没有的子项就可以认为是一个隐藏的服务。当然knlsc还认为隐藏服务必须同时拥有ImagePath,Start,Type三个键值。据说knlsc运行时还将从资源段中放出一个驱动程序,但是估计这个驱动是假的。将knlsc托壳后用VC从资源段中导出的文件是一个没有EntryPoint但有MZ标志的驱动,没有办法进行反汇编。或许作者使用了SMC技术,放出资源文件后在进行修改,在执行文件中也有NtLoadDriver的调用片段,但是同一作者的knlps中的资源驱动却未作任何的处理。要实现检测隐藏服务的功能其实没有必要使用驱动程序,即使可以验证knlsc驱动的真实性。直接对Hive文件的转储也不是必须的,虽然这只要通过修改Gary Nebbett的示例代码就可做到。

Hive文件的转储可以通过RegSaveKey函数来进行,rootkitrevealer就是使用这个API的扩充函数RegSaveKeyEx工作的,至少到目前为止还没有挂钩这类函数的后门,但是世上没有永远的安全,在理论上是可行的,可能不得不对该函数的输出文件进行处理,这将在一定程度上影响该函数的执行时间。使用该函数时还必须赋予调用进程以SE_BACKUP_NAME权限。

在实现中将“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services"的子项都转储为Hive格式文件(使用DumpServiceInfo函数),存放在C:\tmp.hive,在C盘下不可有同名文件,否则会发生Dump错误。现在的问题是如何对Hive格式文件进行处理,在这一点上必须感谢Petter Nordahl-Hagen所写的NT Registry Hive access library,它是The Offline NT Password Editor的一部分。本人的实现很大程度上就是参照他的程序,然而这个库工作在Linux环境,但是它向VC编译器移植的工作量是极少的,只需稍加修改。

1.将 #include <unistd.h> 去掉

2.将程序中三处的

#define D_OFFS(o) ( (void *)&(key->o)-(void *)hdesc->buffer-vofs )

改为

#define D_OFFS(o) ( (int *)&(key->o)-(int *)hdesc->buffer-vofs )

因为在VC中无法打印void * 类型,只得改为int * 。

3.将程序中唯一的一处使用snprintf函数该为_snprintf,即

snprintf(path,maxlen,"(...)%s",tmp);改为

_snprintf(ptth,maxlen,”(…)%s”,tmp);

4.添加两个VC不支持的函数来使编译通过

void bzero(void *s,int n)

{

memset(s,0,n);

}

int strncasecmp(const char *s1, const char *s2, size_t n)

{

return _stricmp(s1,s2);

}

为了表示对Petter Nordahl-Hagen的尊重,我不再修改他的库文件ntreg.c和ntreg.h(除了以上移植的需要),而是将所有需要重写和添加的函数放到KHS.C文件中,这样可以使原来的库文件保持其独立性。

由于在Petter库中openHive函数使用open 和 read 函数来进行hive文件的读取,在VC条件下的read函数有一个问题,每当文件中存在一个0x1a的二进制数值时,read函数就会在那儿终止,这样就会导致hive文件无法完全导入。所以就使用了Windows API重写openHive,命名为My_openHive。相应的还重写了closeHive,writeHive并加上了前缀My_。

随后GetPatterns函数将使用RegEnumKey枚举的服务键值名称保存在pattern的全局变量指针中,为以后的匹配作准备。ShowHideService函数是由nk_ls函数改写的,将由Hive文件导出的buffer中的服务名称与pattern[I]作比较,这个比较过程使用CompareHive函数。若比较结果为相同,CompareHive会将pattern[I]置为NULL,以提高匹配速度,或许有更好的匹配算法,但在这个小程序中也不使用了。若结果不同,则说明该服务是隐藏的,显示出该隐藏服务的名称,文件路径(ShowPathImage是由cat_vk改写的),启动类型和服务类型,并将该隐藏服务的启动类型改为SERVICE_DISABLED。如果存在隐藏服务并且禁止了该隐藏服务(仅在buffer中的修改),通过调用My_writeHive将修改过的hive 的buffer保存在C:\tmp2.hiv文件中,此时提供用户一个选择“是否要禁用隐藏服务”,默认的选择是“否”,如果用户确实想要禁用,可输入“Yes”或“Y",接着使用RestoreServiceInfo函数将C:\tmp2.hiv文件导回原来的%SystemRoot%/System32/Config/System这个Hive文件中,这一步由系统自己来完成,值得一提的是Win32函数RegRestoreKey即使在dwFlags参数中使用了REG_FORCE_RESTORE (8) ,在第一次调用时往往会错误返回,一般在第二次调用就会成功,所以就使用了一个循环直到它成功后为止,并且调用它的进程需要有SE_RESTORE_NAME的权限。

至于让隐藏服务真正失去作用,仍然需要重新启动计算机之后。

下面给出KHS.C的完整源代码:

/*

* KHS.cpp - Kill Hide Services v0.1

* Copyright (c) 2005 linux2linux.

*

* It takes notes from knlsc and FHS.

* Thank you, Petter Nordahl-Hagen, for your "NT Registry Hive access library"

*

* Freely distributable in source or binary for noncommercial purposes.

*

* THIS SOFTWARE IS PROVIDED BY PETTER NORDAHL-HAGEN `AS IS'' AND

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

* SUCH DAMAGE.

*

*/

#include "ntreg.h"

#include <windows.h>

char **pattern;

int pattern_count;

int nohideservice;

int ischange;

extern char *val_types[REG_MAX+1];

struct hive *My_openHive(char *filename, int mode);

void My_closeHive(struct hive *hdesc);

int CompareHive(char *sample)

{

int i;

for(i = 0; i < pattern_count ; i++)

{

if(pattern[i]!=NULL)

{

if( strcmp ( sample , pattern[ i ] ) == 0 )

{

free(pattern[i]);

pattern[i]=NULL;

return 1;

}

}

}

return 0;

}

//Because read can't work well in windows.

//while it read 0x1a from the opened file, the function read will stop there.

//I don't know the reason why, it work well in linux envoriment.

// read the dumped hive file to fill hive struct.

// return the point

struct hive *My_openHive(char *filename, int mode)

{

HANDLE hFile;

int szread;

struct hive *hdesc;

int vofs;

unsigned long pofs;

char *c;

struct hbin_page *p;

struct regf_header *hdr;

int verbose = (mode & HMODE_VERBOSE);

CREATE(hdesc,struct hive,1);

hdesc->filename = str_dup(filename);

hdesc->state = 0;

hdesc->size = 0;

hdesc->buffer = NULL;

hFile = CreateFile(hdesc->filename,

GENERIC_READ, // open for reading

0, // do not share

NULL, // no security

OPEN_ALWAYS, // existing file only

FILE_ATTRIBUTE_NORMAL, // normal file

NULL); // no attr. template

if (hFile == INVALID_HANDLE_VALUE)

{

printf("Could not open hive file."); // process error

return 0;

}

/* Read the whole file */

hdesc->size = GetFileSize(hFile, NULL);

ALLOC(hdesc->buffer,1,hdesc->size);

ReadFile(hFile, (void *)hdesc->buffer, hdesc->size, &szread, NULL);

CloseHandle(hFile);

if (szread < hdesc->size) {

printf("Could not read file, got %d bytes while expecting %d\n",

szread, hdesc->size);

My_closeHive(hdesc);

return(NULL);

}

/* Now run through file, tallying all pages */

/* NOTE/KLUDGE: Assume first page starts at offset 0x1000 */

pofs = 0x1000;

hdr = (struct regf_header *)hdesc->buffer;

if (hdr->id != 0x66676572) {

printf("openHive(%s): File does not seem to be a registry hive!\n",filename);

return(hdesc);

}

for (c = hdr->name; *c && (c < hdr->name + 64); c += 2) putchar(*c);

hdesc->rootofs = hdr->ofs_rootkey + 0x1000;

while (pofs < hdesc->size) {

#ifdef LOAD_DEBUG

if (verbose) hexdump(hdesc->buffer,pofs,pofs+0x20,1);

#endif

p = (struct hbin_page *)(hdesc->buffer + pofs);

if (p->id != 0x6E696268) {

printf("Page at 0x%lx is not 'hbin', assuming file contains garbage at end",pofs);

break;

}

hdesc->pages++;

#ifdef LOAD_DEBUG

if (verbose) printf("\n###### Page at 0x%0lx has size 0x%0lx, next at 0x%0lx ######\n",pofs,p->len_page,p->ofs_next);

#endif

if (p->ofs_next == 0) {

#ifdef LOAD_DEBUG

if (verbose) printf("openhive debug: bailing out.. pagesize zero!\n");

#endif

return(hdesc);

}

#if 0

if (p->len_page != p->ofs_next) {

#ifdef LOAD_DEBUG

if (verbose) printf("openhive debug: len & ofs not same. HASTA!\n");

#endif

exit(0);

}

#endif

vofs = pofs + 0x20; /* Skip page header */

#if 1

while (vofs-pofs < p->ofs_next) {

vofs += parse_block(hdesc,vofs,verbose);

}

#endif

pofs += p->ofs_next;

}

return(hdesc);

}

void My_closeHive(struct hive *hdesc)

{

FREE(hdesc->filename);

FREE(hdesc->buffer);

FREE(hdesc);

}

int My_writeHive(struct hive *hdesc)

{

HANDLE hFile;

DWORD dwBytesWritten;

hFile = CreateFile("C:\\tmp2.hiv",

GENERIC_WRITE, // open for writing

0, // do not share

NULL, // no security

CREATE_ALWAYS, // open or create

FILE_ATTRIBUTE_NORMAL, // normal file

NULL);

if(hFile == INVALID_HANDLE_VALUE)

{ printf("Can't open dump file");

return 0;

}

WriteFile(hFile, hdesc->buffer, hdesc->size,&dwBytesWritten, NULL);

if(dwBytesWritten != hdesc->size)

{

printf("WriteHive error\n");

}

CloseHandle(hFile);

return 0;

}

void CleanPatterns()

{

int i;

if(pattern!=NULL)

{

for(i = 0; i < pattern_count; i++)

{

if(pattern[i]!=NULL)

free(pattern[i]);

}

free(pattern);

}

}

void GetPatterns()

{

HANDLE hService;

CHAR achKey[MAX_PATH];

DWORD i;

DWORD retCode;

int Nohide = 1;

DWORD SubKeyNum = 0;

pattern_count = 0;

if(RegOpenKeyEx(

HKEY_LOCAL_MACHINE, // handle to open key

"SYSTEM\\ControlSet001\\Services", // subkey name

NULL, // reserved

KEY_ALL_ACCESS,// security access mask

&hService // handle to open key

) != ERROR_SUCCESS)

{

printf("sorry %d\n",GetLastError());

return;

}

RegQueryInfoKey( hService,

NULL,

NULL,

NULL,

&SubKeyNum,

NULL,

NULL,

NULL,

NULL,

NULL,

NULL,

NULL);

//Before it don't work well , because i set the wrong premission of HKEY

//KEY_ALL_ACCESS is needed

if(SubKeyNum == 0)

{

printf("SubKey's Number is NULL, it's too strange.\n");

return;

}

pattern = malloc(sizeof(char *) * SubKeyNum );

for (i = 0, retCode = ERROR_SUCCESS; retCode == ERROR_SUCCESS; i++)

{

retCode = RegEnumKey(

hService, // handle to key to query

i, // index of subkey to query

achKey, // buffer for subkey name

MAX_PATH // size of subkey name buffer

);

if (retCode == (DWORD)ERROR_SUCCESS)

{

//What i add to get pattern Services Table.

pattern[ pattern_count ] = strdup ( achKey ) ;

pattern_count++;

}

}

CloseHandle(hService);

}

void ShowPathImage(struct hive *hdesc, int nkofs, char *path)

{

void *data;

int len,i,type;

char string[SZ_MAX+1];

type = get_val_type(hdesc, nkofs, path);

if (type == -1) {

printf("No such value <%s>\n",path);

return;

}

len = get_val_len(hdesc, nkofs, path);

if (!len) {

printf("Value <%s> has zero length\n",path);

return;

}

data = (void *)get_val_data(hdesc, nkofs, path, 0);

if (!data) {

printf("Value <%s> references NULL-pointer (bad boy!)\n",path);

abort();

return;

}

switch (type) {

case REG_SZ:

case REG_EXPAND_SZ:

case REG_MULTI_SZ:

cheap_uni2ascii(data,string,len);

for (i = 0; i < (len>>1)-1; i++) {

if (string[i] == 0) string[i] = '\n';

if (type == REG_SZ) break;

}

puts(string);

break;

case REG_DWORD:

printf("0x%08x",*(unsigned short *)data);

break;

default:

printf("Don't know how to handle type yet!\n");

case REG_BINARY:

hexdump((char *)data, 0, len, 1);

}

}

void EnablePriv(LPCTSTR lpName)

{

HANDLE hToken;

LUID sedebugnameValue;

TOKEN_PRIVILEGES tkp;

if ( ! OpenProcessToken( GetCurrentProcess(),

TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )

{ printf("open process error\n");

return;

}

if ( ! LookupPrivilegeValue( NULL, lpName , &sedebugnameValue ) ){

printf("can't find privilege error\n");

CloseHandle( hToken );

return;

}

tkp.PrivilegeCount = 1;

tkp.Privileges[0].Luid = sedebugnameValue;

tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof (tkp), NULL, NULL ) )

{

printf("adjust error\n");

CloseHandle( hToken );

}

}

int DumpServiceInfo()

{

HKEY hService;

EnablePriv(SE_BACKUP_NAME);

if(RegOpenKeyEx(

HKEY_LOCAL_MACHINE, // handle to open key

"SYSTEM\\ControlSet001\\Services", // subkey name

NULL, // reserved

KEY_ALL_ACCESS, // security access mask

&hService // handle to open key

) != ERROR_SUCCESS)

{ printf("can't get key handle\n");

return 0;

}

if(RegSaveKey(hService,"C:\\tmp.hiv",NULL) != ERROR_SUCCESS)

{

printf("Can't dump Service info\n");

CloseHandle(hService);

return 0;

}

CloseHandle(hService);

return 1;

}

void ShowHideService(struct hive *hdesc, char *path, int vofs, int type)

{

struct nk_key *key;

int nkofs;

struct ex_data ex;

int count = 0, countri = 0;

//wHAT I ADD

void *data;

int nkofs_cat;

int serviceno;

serviceno = 1;

nkofs = trav_path(hdesc, vofs, path, 0);

if(!nkofs) {

printf("nk_ls: Key <%s> not found\n",path);

abort();

return;

}

nkofs += 4;

key = (struct nk_key *)(hdesc->buffer + nkofs);

if (key->id != 0x6b6e) {

printf("Error: Not a 'nk' node!\n");

debugit(hdesc->buffer,hdesc->size);

}

if (key->no_subkeys) {

while ((ex_next_n(hdesc, nkofs, &count, &countri, &ex) > 0)) {

if(!CompareHive(ex.name) )

{

nohideservice = 0;

if(!(serviceno - 1))

printf("Hide Service List:\n");

printf("\n%d.------------------------------------------------------------\n",serviceno++ );

printf("Hide Service : %s\n", ex.name );

nkofs_cat = trav_path(hdesc, vofs, ex.name, 0);

printf("Image Path : ");

ShowPathImage(hdesc, nkofs_cat + 4, "ImagePath");

data = (void *) get_val_data(hdesc, nkofs_cat + 4, "Start", 0 );

if( data != NULL)

{

printf("Start Type : ");

switch(*(unsigned short *)data)

{

case 0:

printf("SERVICE_BOOT_START");

break;

case 1:

printf("SERVICE_SYSTEM_START");

break;

case 2:

printf("SERVICE_AUTO_START");

break;

case 3:

printf("SERVICE_DEMAND_START");

break;

case 4:

printf("SERVICE_DISABLED");

break;

default:

printf("UNKOWN START TYPE");

}

//disable the service

if( *(unsigned short *)data != 4 )

{

printf("(Will be set to Disabled)");

put_dword(hdesc, nkofs_cat + 4, "Start", 4);

ischange = 1;

}

printf("\n");

}

data = (void *) get_val_data(hdesc, nkofs_cat + 4, "Type", 0 );

printf("Service Type : ");

if( data != NULL)

{

if(*(unsigned short *)data & 1)

printf("SERVICE_KERNEL_DRIVER ");

if(*(unsigned short *)data & 2)

printf("SERVICE_FILE_SYSTEM_DRIVER " );

if(*(unsigned short *)data & 8)

printf("SERVICE_RECOGNIZER_DRIVER ");

if(*(unsigned short *)data & 16)

printf("SERVICE_WIN32_OWN_PROCESS ");

if(*(unsigned short *)data & 32)

printf("SERVICE_WIN32_SHARE_PROCESS ");

if(*(unsigned short *)data & 256)

printf("SERVICE_INTERACTIVE_PROCESS ");

printf("\n");

}

}

FREE(ex.name);

}

}

if(nohideservice)

printf("There are no hide services.\n");

else

printf("\nTotal Hide Services is %d\n\n",serviceno - 1);

}

int RestoreServiceInfo()

{

HKEY hService;

LONG tmp;

EnablePriv(SE_RESTORE_NAME);

if(RegOpenKeyEx(

HKEY_LOCAL_MACHINE, // handle to open key

"SYSTEM\\ControlSet001\\Services", // subkey name

NULL, // reserved

KEY_ALL_ACCESS,// security access mask

&hService // handle to open key

) != ERROR_SUCCESS)

{

printf("Can't open Service key\n");

return 0;

}

//The first time to Restore always fail even you set the Force flag

//The second time will success.

for(;;)

{

if((tmp = RegRestoreKey(hService,"C:\\tmp2.hiv", 8 ) ) == ERROR_SUCCESS )

{

break;

}

}

CloseHandle(hService);

return 1;

}

int main(int argc, char* argv[])

{

struct hive *pHive;

char c;

nohideservice = 1;

ischange = 0;

printf("KHS - kill hide services 0.1 by linux2linux, 2005/5/26.\n");

printf("Take notes from knlsc and FHS. \n\n");

if(!DumpServiceInfo())

return 0;

pHive = My_openHive("C:\\tmp.hiv",HMODE_RW);

if(pHive == NULL)

{

printf("Open Hive fail\n");

return 0;

}

GetPatterns();

ShowHideService(pHive,"",pHive->rootofs + 4 , 0);

CleanPatterns();

if(!nohideservice && ischange )

{

My_writeHive(pHive);

printf("Do you want Disable the hide Services ( Yes / No )? [ No ]:");

c = getchar();

if( ( c == 'Y' )|| c == 'y')

{

if( RestoreServiceInfo() )

printf("Success Restore\n");

}

else

{ printf("Quit without Restore.\n");

}

DeleteFile("C:\\tmp2.hiv");

}

DeleteFile("C:\\tmp.hiv");

My_closeHive(pHive);

return 0;

}

参考资源

1.The Offline NT Password Editor 源程序 - Petter Nordahl-Hagen

http://home.eunet.no/~pnordahl/ntpasswd/

2.<<Windows NT/2000 Native API Reference>> - Gary Nebbett

3.Knlsc, FHS, IceSword 使用说明


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·Windows 系统调用功能列表
·windows入侵提权-创建隐藏帐号(
· CC_STACKPROTECTOR防止内核stac
·Linux内核安全研究之Stack Overf
· Exploit The Linux Kernel NULL
·Kernel Locking 中文版
·IA32上Linux内核中断机制分析
·Award BIOS Rootkit,universal
·PHP代码审计
·N种内核注入DLL的思路及实现
·glibc 2.3.5 的一些新安全特性
·Struts2/XWork < 2.2.0 Remote C
  相关文章
·深入刨析EFS
·SQL Server 中各个系统表的作用
·windows2003服务器A级BT安全配置
·FreeBSD下构建安全的Web服务器
·glibc 2.3.5 的一些新安全特性
·反黑防黑:一个显为人知的 木马
·IIS6另类优化及安全配置
·后门技术及rootkit工具-Knark分
·安全稳定的实现进线程监控
·怎样让您的Linux操作系统更加安
·虚拟主机最安全设置
·实例讲解网站被入侵后需做的检测
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved