溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶(hù)服務(wù)條款》

驅(qū)動(dòng)DriverEntry的初始化

發(fā)布時(shí)間:2021-11-02 16:30:48 來(lái)源:億速云 閱讀:146 作者:小新 欄目:編程語(yǔ)言

這篇文章將為大家詳細(xì)講解有關(guān)驅(qū)動(dòng)DriverEntry的初始化,小編覺(jué)得挺實(shí)用的,因此分享給大家做個(gè)參考,希望大家閱讀完這篇文章后可以有所收獲。

一、驅(qū)動(dòng)DriverEntry的初始化

DriverEntry(PDRIVER_OBJECTDriverObject, UNICODE_STRING *pRegistry)的pRegistry中截取末尾名稱(chēng)去獲取并計(jì)算出設(shè)備名和DosDevices的名字。

pDriverName= pRegistry->Buffer;   Len = pRegistry->Length >> 1;   pFirstName = &pDriverName[Len];   if ( pFirstName == pDriverName )   { LABEL_8:     if ( *pFirstName != '\\' )       goto LABEL_10;   }   else   {     while ( *pFirstName != '\\' )     {       --pFirstName;       if ( pFirstName == pDriverName )         goto LABEL_8; }   }   ++pFirstName;

驅(qū)動(dòng)DriverEntry的初始化然后從pRegistry注冊(cè)表中去獲取sysmon的策略規(guī)則

驅(qū)動(dòng)DriverEntry的初始化

使用RtlQueryRegistryValues函數(shù),填入5個(gè)RTL_QUERY_REGISTRY_TABLE結(jié)構(gòu)體

RTL_QUERY_REGISTRY_TABLE QueryRegTable[5];

RtlInitUnicodeString(&g_ProcessAccessNamesRule,0);

  memset(QueryRegTable, 0, 560u);

  QueryRegTable[0].Flags = 1;

  QueryRegTable[0].Name =L"Parameters";   QueryRegTable[3].EntryContext =&ampOptionRulesv18;   QueryRegTable[4].EntryContext =&hash_alogrithms;   QueryRegTable[1].Flags = 304;   QueryRegTable[1].Name =g_Name_ProcessAccessNames;   QueryRegTable[1].EntryContext =&g_ProcessAccessNamesRule;   QueryRegTable[1].DefaultType = 0x7000007;   QueryRegTable[1].DefaultData =&unk_10015C34;   QueryRegTable[1].DefaultLength = 4;   QueryRegTable[2].Flags = 304;   QueryRegTable[2].Name = L"ProcessAccessMasks";   QueryRegTable[2].EntryContext =&g_ProcessAccessMasksRule;   QueryRegTable[2].DefaultType = 0x3000000;   QueryRegTable[3].Flags = 304;   QueryRegTable[3].Name =(PWSTR)&g_wOption;   QueryRegTable[3].DefaultType = 0x4000000;   QueryRegTable[4].Flags = 304;   QueryRegTable[4].Name =(PWSTR)&g_wHashingalgorithm;   QueryRegTable[4].DefaultType = 0x4000000;   RtlQueryRegistryValues(0,g_SysmonRegisterPath.Buffer, QueryRegTable, 0, 0);   if ( !g_ProcessAccessNamesRule.Buffer     || g_ProcessAccessNamesRule.Length <= 2u     || g_ProcessAccessNamesRule.MaximumLength<= 4u )   {    RtlFreeUnicodeString(&g_ProcessAccessNamesRule);    RtlInitUnicodeString(&g_ProcessAccessNamesRule, 0);   }

  g_OptionRules =(OptionRulesv18 >> 1) & 1;

對(duì)應(yīng)的注冊(cè)表鍵分別是L"Parameters"、L”P(pán)rocessAccessNames”、L"ProcessAccessMasks" 、L” Option”、L” Hashingalgorithm”

驅(qū)動(dòng)DriverEntry的初始化然后再次獲取L"Parameters"項(xiàng)下面的對(duì)應(yīng)的L"Rules"的KeyValues信息,這里是驅(qū)動(dòng)設(shè)置的規(guī)則。

驅(qū)動(dòng)DriverEntry的初始化下面展示出部分規(guī)則的數(shù)組

驅(qū)動(dòng)DriverEntry的初始化

上面的過(guò)程結(jié)束后就開(kāi)始判斷操作系統(tǒng)是否支持flt

驅(qū)動(dòng)DriverEntry的初始化

如果支持只實(shí)現(xiàn)IRP_MJ_CREATE、IRP_MJ_CLOSE 、IRP_MJ_DEVICE_CONTROL三個(gè)例程,后續(xù)會(huì)注冊(cè)miniFlt過(guò)濾,如果不支持Flt就使用老的模式Sfilter的模式

DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]= (PDRIVER_DISPATCH)SysmonDispatchIrp;   DriverObject->MajorFunction[IRP_MJ_CLOSE]= (PDRIVER_DISPATCH)SysmonDispatchIrp;   DriverObject->MajorFunction[IRP_MJ_CREATE]= (PDRIVER_DISPATCH)SysmonDispatchIrp;   if ( IsOpenPipeConnect &&!IsSupportFlt )

  {

   DriverObject->MajorFunction[IRP_MJ_CREATE] =(PDRIVER_DISPATCH)SysmonDispatchIrp;     DriverObject->MajorFunction[1] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_CLOSE] =(PDRIVER_DISPATCH)SysmonDispatchIrp;     DriverObject->MajorFunction[IRP_MJ_READ]= (PDRIVER_DISPATCH)SysmonDispatchIrp;     DriverObject->MajorFunction[IRP_MJ_WRITE]= (PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_QUERY_INFORMATION] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_SET_INFORMATION] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_QUERY_EA] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_SET_EA] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_FLUSH_BUFFERS] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_QUERY_VOLUME_INFORMATION] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_SET_VOLUME_INFORMATION] =(PDRIVER_DISPATCH)SysmonDispatchIrp;     DriverObject->MajorFunction[IRP_MJ_DIRECTORY_CONTROL]= (PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =(PDRIVER_DISPATCH)SysmonDispatchIrp;     DriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL]= (PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_LOCK_CONTROL] = (PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_CLEANUP] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_CREATE_MAILSLOT] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_QUERY_SECURITY] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_SET_SECURITY] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_POWER] =(PDRIVER_DISPATCH)SysmonDispatchIrp;     DriverObject->MajorFunction[IRP_MJ_SYSTEM_CONTROL]= (PDRIVER_DISPATCH)SysmonDispatchIrp;

   DriverObject->MajorFunction[IRP_MJ_DEVICE_CHANGE] =(PDRIVER_DISPATCH)SysmonDispatchIrp;    DriverObject->MajorFunction[IRP_MJ_QUERY_QUOTA] =(PDRIVER_DISPATCH)SysmonDispatchIrp;     DriverObject->MajorFunction[IRP_MJ_SET_QUOTA]= (PDRIVER_DISPATCH)SysmonDispatchIrp;

  }

然后就是常規(guī)過(guò)程,IoCreateDevice、IoCreateSymbolicLink。

驅(qū)動(dòng)DriverEntry的初始化然后根據(jù)操作系統(tǒng)是否支持FltRegisterFilter(Driver, &g_Registration, &g_pFilter);

驅(qū)動(dòng)DriverEntry的初始化具體創(chuàng)建了哪些minifilter,接著看結(jié)構(gòu)體

驅(qū)動(dòng)DriverEntry的初始化

OperationRegistrationdd IRP_MJ_CREATE  ; DATA XREF:.data:10015014↓o

.rdata:10013454                 dd 0

.rdata:10013458                 dd offset PreOperation

.rdata:1001345C                 dd offset PostOperation

.rdata:10013460                 dd 0

.rdata:10013464                 dd IRP_MJ_CLEANUP

.rdata:10013468                 dd 0

.rdata:1001346C                 dd offset PreOperation

.rdata:10013470                 dd offset PostOperation

.rdata:10013474                 dd 0

.rdata:10013478                 dd IRP_MJ_SET_INFORMATION

.rdata:1001347C                 dd 0

.rdata:10013480                 dd offset PreOperation

.rdata:10013484                 dd offset PostOperation

.rdata:10013488                 dd 0

.rdata:1001348C                 dd IRP_MJ_CLOSE

.rdata:10013490                 dd 0

.rdata:10013494                 dd offset PreOperation

.rdata:10013498                 dd offset PostOperation

.rdata:1001349C                 dd 0

.rdata:100134A0                 dd IRP_MJ_CREATE_NAMED_PIPE

.rdata:100134A4                 dd 0

.rdata:100134A8                 dd offset PreOperation

.rdata:100134AC                 dd offset PostOperation

.rdata:100134B0                 dd 0

.rdata:100134B4                 dd IRP_MJ_OPERATION_END

.rdata:100134B8                 dd 0

.rdata:100134BC                 dd 0

.rdata:100134C0                 dd 0

.rdata:100134C4                 dd 0

從上可以看到minifilter過(guò)濾了IRP_MJ_CREATEIRP_MJ_CLEANUP、IRP_MJ_SET_INFORMATIONIRP_MJ_CLOSE、IRP_MJ_CREATE_NAMED_PIPE

文件系統(tǒng)相關(guān)的注冊(cè)完畢,然后就是設(shè)置一些進(jìn)程、線(xiàn)程相關(guān)的回調(diào)函數(shù)例程

PsSetLoadImageNotifyRoutine(SysmonLoadImageNotifyRoutine); PsSetCreateThreadNotifyRoutine(PsCreateThreadNotifyRoutine); PsSetCreateProcessNotifyRoutine(PsCreateProcessNotifyRoutine, 0);

驅(qū)動(dòng)DriverEntry的初始化

驅(qū)動(dòng)DriverEntry的初始化為了記錄注冊(cè)表sysmon還注冊(cè)表注冊(cè)表CmRegisterCallback(RegisterCallback, 0, &Cookie);回調(diào),

驅(qū)動(dòng)DriverEntry的初始化

為了記錄進(jìn)程open對(duì)象的事件注冊(cè)了ob事件

g_bIsRegisterCallback= 1;

  g_OperationRegistration.ObjectType =(POBJECT_TYPE *)PsProcessType;

  g_OperationRegistration.Operations = 1;

  g_OperationRegistration.PreOperation =PreProcessOperation;

  g_OperationRegistration.PostOperation =PostProcessOperation;

  g_CallbackRegistration.OperationRegistration= &g_OperationRegistration;

  *(_DWORD*)&g_CallbackRegistration.Version = 0x10100;

  g_CallbackRegistration.RegistrationContext =0;

  RtlInitUnicodeString(&g_CallbackRegistration.Altitude,L"1000");

  Status =g_ObRegisterCallbacks(&g_CallbackRegistration, &RegistrationHandle);

驅(qū)動(dòng)DriverEntry的初始化

為了獲取管道的事件,它掛接了設(shè)備L\\Device\\NamedPipe,創(chuàng)建了L\\Device\\SysmonPipeFilter的過(guò)濾設(shè)備

驅(qū)動(dòng)DriverEntry的初始化至此sysmon的DriverEntry的初始化動(dòng)作基本結(jié)束了。

二、IRP_MJ_DEVICE_CONTROL例程

Case 0x83400000:

打開(kāi)驅(qū)動(dòng)開(kāi)啟標(biāo)志,并且獲取且保存當(dāng)前UI進(jìn)程的句柄

驅(qū)動(dòng)DriverEntry的初始化驅(qū)動(dòng)DriverEntry的初始化

Case  0x83400004

Ring3請(qǐng)求事件信息,并返回到ring3的緩沖區(qū)

驅(qū)動(dòng)DriverEntry的初始化

Case 0x83400008

加載策略規(guī)則

驅(qū)動(dòng)DriverEntry的初始化

Case 0x8340000C

獲取傳入進(jìn)程的相關(guān)信息(包括TokenUser、pTokenStatics、TokenGroup、TokenSeesion)

驅(qū)動(dòng)DriverEntry的初始化驅(qū)動(dòng)DriverEntry的初始化還會(huì)獲取進(jìn)程pImagePathName、pCommandLine、CurrentDirectory

驅(qū)動(dòng)DriverEntry的初始化獲取進(jìn)程的CreateTime

驅(qū)動(dòng)DriverEntry的初始化該事件類(lèi)型為4或者1

驅(qū)動(dòng)DriverEntry的初始化

三、文件信息的記錄

Minifilter的PreOperation(PFLT_CALLBACK_DATA pData, PFLT_RELATED_OBJECTSFltObjects, PVOID *CompletionContext)例程為主要的判斷邏輯例程,先判斷當(dāng)前FileObject的路徑是否為管道路徑,管道事件直接記錄上報(bào)事件

驅(qū)動(dòng)DriverEntry的初始化特別判斷下IRP_MJ_SET_INFORMATION、IRP_MJ_CLEANUP,并且分別上報(bào)_,注意在判斷IRP_MJ_SET_INFORMATION的時(shí)候只記錄了RequestorMode是1即USER_MODE,并且是設(shè)置FileBasicInformation的請(qǐng)求。

驅(qū)動(dòng)DriverEntry的初始化驅(qū)動(dòng)DriverEntry的初始化PreOperation處理完畢,則PostOperation(PFLT_CALLBACK_DATA pData, PFLT_RELATED_OBJECTSpFltFileObj, PVOID CompletionContext, int Flags)對(duì)前者處理的上下文CompletionContext進(jìn)行記錄日志或者釋放的處理,以IRP_MJ_SET_INFORMATION為例,PostOPerate則對(duì)PreOperate的CompletionContext的數(shù)據(jù)進(jìn)行上報(bào)。

驅(qū)動(dòng)DriverEntry的初始化

四、注冊(cè)表信息的記錄

Sysmon初始化的時(shí)候注冊(cè)了一個(gè)注冊(cè)表過(guò)濾,CmRegisterCallback(RegisterCallback, 0, &Cookie);回調(diào)函數(shù)是NTSTATUS__stdcall RegisterCallback(PVOID CallbackContext, PVOID Argument1, PVOIDArgument2),參數(shù)Argument1是過(guò)濾的注冊(cè)表操作類(lèi)型,sysmon過(guò)濾了0(RegNtDeleteKey   /  RegNtPreDeleteKey) 、4( RegNtRenameKey\RegNtPreRenameKey)、11(RegNtPostCreateKey)、15(RegNtPostDeleteKey)、16(RegNtPostSetValueKey)、17(RegNtPostDeleteValueKey)、19(RegNtPostRenameKey)27(RegNtPostCreateKeyEx)的注冊(cè)表操作

驅(qū)動(dòng)DriverEntry的初始化驅(qū)動(dòng)DriverEntry的初始化驅(qū)動(dòng)DriverEntry的初始化

五、進(jìn)程操作過(guò)濾

Sysmon注冊(cè)了進(jìn)程操作過(guò)濾,g_ObRegisterCallbacks(&g_CallbackRegistration, &RegistrationHandle);,

驅(qū)動(dòng)DriverEntry的初始化他只記錄操作類(lèi)型為OB_OPERATION_HANDLE_CREATE,并且只記錄A進(jìn)程操作B進(jìn)程,A和B不是同一個(gè)進(jìn)程,注意RtlWalkFrameChain這個(gè)函數(shù)是獲取當(dāng)前操作線(xiàn)程的線(xiàn)程棧,KeQuerySystemTime(&pOpenInfo.CreateTime);是獲取當(dāng)前系統(tǒng)時(shí)間,并且會(huì)把這些信息上報(bào)。

六、其他重點(diǎn)技術(shù)細(xì)節(jié)

1.     進(jìn)程模塊的枚舉

驅(qū)動(dòng)DriverEntry的初始化

ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation,&ProcessInformation, 0x18u, 0)獲取ProcessInformation的信息,從PebBaseAddress= ProcessInformation.PebBaseAddress;取得進(jìn)程PEB的地址,在PEB結(jié)構(gòu)中得到LDR的地址,LDR是進(jìn)程加載模塊的結(jié)構(gòu)體,

struct _PEB

{

UCHAR InheritedAddressSpace;

UCHAR ReadImageFileExecOptions;

UCHAR BeingDebugged;

UCHAR BitField;

PVOID Mutant;

PVOID ImageBaseAddress;

PPEB_LDR_DATA Ldr;

PRTL_USER_PROCESS_PARAMETERS ProcessParameters;

PVOID SubSystemData;

PVOID ProcessHeap;

PRTL_CRITICAL_SECTION FastPebLock;

PVOID AtlThunkSListPtr;

PVOID IFEOKey;

ULONG CrossProcessFlags;

unsigned __int32 ProcessInJob : 1;

unsigned __int32 ProcessInitializing : 1;

unsigned __int32 ReservedBits0 : 30;

union

{

PVOID KernelCallbackTable;

PVOID UserSharedInfoPtr;

};

ULONG SystemReserved[1];

。。。。。。

}

PPEB_LDR_DATA Ldr;這個(gè)就是加載模塊的結(jié)構(gòu),有三種加載表內(nèi)存加載表,加載順序表,初始化加載表從中可以枚舉出模塊信息。


struct _PEB_LDR_DATA

{

ULONG Length;

UCHAR Initialized;

PVOID SsHandle;

LIST_ENTRY InLoadOrderModuleList;

LIST_ENTRY InMemoryOrderModuleList;

LIST_ENTRY InInitializationOrderModuleList;

};

驅(qū)動(dòng)DriverEntry的初始化

2.     進(jìn)程參數(shù)的獲取

大致可以看到如下,首先要KeStackAttachProcess進(jìn)程的空間,然后獲取PEB地址,從PEB中的到ProcessParameters的結(jié)構(gòu)

驅(qū)動(dòng)DriverEntry的初始化

ProcessParameters結(jié)構(gòu)如下:

struct _RTL_USER_PROCESS_PARAMETERS

{

ULONG MaximumLength;

ULONG Length;

ULONG Flags;

ULONG DebugFlags;

PVOID ConsoleHandle;

ULONG ConsoleFlags;

PVOID StandardInput;

PVOID StandardOutput;

PVOID StandardError;

CURDIR CurrentDirectory;

UNICODE_STRING DllPath;

UNICODE_STRINGImagePathName;

UNICODE_STRING CommandLine;

PVOID Environment;

ULONG StartingX;

ULONG StartingY;

ULONG CountX;

ULONG CountY;

ULONG CountCharsX;

ULONG CountCharsY;

ULONG FillAttribute;

ULONG WindowFlags;

ULONG ShowWindowFlags;

UNICODE_STRING WindowTitle;

UNICODE_STRING DesktopInfo;

UNICODE_STRING ShellInfo;

UNICODE_STRING RuntimeData;

RTL_DRIVE_LETTER_CURDIRCurrentDirectores[32];

ULONG EnvironmentSize;

};

可以看到該結(jié)構(gòu)中進(jìn)程參數(shù)相關(guān)的各種信息。

3.     進(jìn)程Token相關(guān)信息的獲取

驅(qū)動(dòng)DriverEntry的初始化

驅(qū)動(dòng)DriverEntry的初始化驅(qū)動(dòng)DriverEntry的初始化驅(qū)動(dòng)DriverEntry的初始化

都是通過(guò)ZwQueryInformationToken函數(shù)去獲取,只是是使用不同的ClassInformation類(lèi)去獲取,定義如下

typedef enum _TOKEN_INFORMATION_CLASS {

  TokenUser                             ,

  TokenGroups                           ,

  TokenPrivileges                       ,

  TokenOwner                            ,

  TokenPrimaryGroup                     ,

  TokenDefaultDacl                      ,

  TokenSource                           ,

  TokenType                             ,

  TokenImpersonationLevel               ,

  TokenStatistics                       ,

  TokenRestrictedSids                   ,

  TokenSessionId                        ,

  TokenGroupsAndPrivileges              ,

  TokenSessionReference                 ,

  TokenSandBoxInert                     ,

  TokenAuditPolicy                      ,

  TokenOrigin                           ,

  TokenElevationType                    ,

  TokenLinkedToken                      ,

  TokenElevation                        ,

  TokenHasRestrictions                  ,

  TokenAccessInformation                ,

  TokenVirtualizationAllowed            ,

  TokenVirtualizationEnabled            ,

  TokenIntegrityLevel                   ,

  TokenUIAccess                         ,

  TokenMandatoryPolicy                  ,

  TokenLogonSid                         ,

  TokenIsAppContainer                   ,

  TokenCapabilities                     ,

  TokenAppContainerSid                  ,

  TokenAppContainerNumber               ,

  TokenUserClaimAttributes              ,

  TokenDeviceClaimAttributes            ,

 TokenRestrictedUserClaimAttributes   ,

 TokenRestrictedDeviceClaimAttributes ,

  TokenDeviceGroups                     ,

  TokenRestrictedDeviceGroups           ,

  TokenSecurityAttributes               ,

  TokenIsRestricted                     ,

  TokenProcessTrustLevel                ,

  TokenPrivateNameSpace                 ,

  TokenSingletonAttributes              ,

  TokenBnoIsolation                     ,

  TokenChildProcessFlags                ,

  MaxTokenInfoClass

} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;

需要獲取那個(gè)就可以選擇那一個(gè)。

關(guān)于“驅(qū)動(dòng)DriverEntry的初始化”這篇文章就分享到這里了,希望以上內(nèi)容可以對(duì)大家有一定的幫助,使各位可以學(xué)到更多知識(shí),如果覺(jué)得文章不錯(cuò),請(qǐng)把它分享出去讓更多的人看到。

向AI問(wèn)一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI