A foreign expert on Kaspersky's hidden risks (2)

http://tech.ddvip.com   2007-06-22

Abstract: KAV's anti-virus product relies on a number of unsafe kernel-mode hacks that put system stability at risk. To address this, KAV first needs to remove those unsafe kernel hacks, such as patching non-exported functions or hooking system services without any validation.

  KAV then goes on to break the system when its kernel-mode code is single-stepped while being invoked from user mode (which, after all, is obviously unreliable!). In the session below, the breakpoint on klif!sub_F8231820 first shows the function's real prologue (sub esp,0x8); re-disassembling the same address a moment later shows a two-byte self-jump (eb fe, a jmp to itself) in its place, with the original 08 still sitting at offset 2, i.e. the first two bytes of the function are being rewritten in place while a thread is parked on them. Every subsequent g lands on that spin; once the breakpoint is disabled and the debugger breaks in again, the machine bugchecks with DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) at IRQL 0x1c (CLOCK2_LEVEL) inside the clock-interrupt path, nt!KeUpdateSystemTime, and the stack walk (reliable or not, as the debugger warns) shows klif frames interleaved with winlogon.exe's user-mode LoadLibrary frames:

Breakpoint 0 hit
klif!sub_F8231820:
001b:f824d820 83ec08   sub   esp,0x8
kd> u eip
klif!sub_F8231820:
f824d820 ebfe       jmp   klif!sub_F8231820 (f824d820)
f824d822 085355      or   [ebx+0x55],dl
f824d825 56        push  esi
f824d826 57        push  edi
f824d827 33ed       xor   ebp,ebp
f824d829 6820d824f8    push  0xf824d820
f824d82e 896c2418     mov   [esp+0x18],ebp
f824d832 896c2414     mov   [esp+0x14],ebp
kd> g
Breakpoint 0 hit
klif!sub_F8231820:
001b:f824d820 ebfe    jmp   klif!sub_F8231820 (f824d820)
kd> g
Breakpoint 0 hit
klif!sub_F8231820:
001b:f824d820 ebfe    jmp   klif!sub_F8231820 (f824d820)
kd> bd 0
kd> g
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
804e3592 cc        int   3
kd> gu
*** Fatal System Error: 0x000000d1
            (0x00003592,0x0000001C,0x00000000,0x00003592)
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
804e3592 cc        int   3
kd> g
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
..........................
Loading User Symbols
................................
Loading unloaded module list
............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {3592, 1c, 0, 3592}
*** ERROR: Module load completed but symbols could not be loaded for klif.sys
Probably caused by : hardware
Followup: MachineOwner
---------
*** Possible invalid call from 804e331f ( nt!KeUpdateSystemTime+0x160 )
*** Expected target 804e358e ( nt!DbgBreakPointWithStatus+0x0 )
nt!RtlpBreakWithStatusInstruction:
804e3592 cc        int   3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00003592, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00003592, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00003592
CURRENT_IRQL: 1c
FAULTING_IP:
+3592
00003592 ??        ???
PROCESS_NAME: winlogon.exe
DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
BUGCHECK_STR: 0xD1
LAST_CONTROL_TRANSFER: from 804e3324 to 00003592
FAILED_INSTRUCTION_ADDRESS:
+3592
00003592 ??        ???
POSSIBLE_INVALID_CONTROL_TRANSFER: from 804e331f to 804e358e
TRAP_FRAME: f7872ce0 -- (.trap fffffffff7872ce0)
ErrCode = 00000000
eax=00000001 ebx=000275fc ecx=8055122c edx=000003f8 esi=00000005 edi=ddfff298
eip=00003592 esp=f7872d54 ebp=f7872d64 iopl=0     nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000       efl=00010202
00003592 ??        ???
Resetting default scope
STACK_TEXT: 
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7872d50 804e3324 00000001 f7872d00 000000d1 0x3592
f7872d50 f824d820 00000001 f7872d00 000000d1 nt!KeUpdateSystemTime+0x165
0006f4ec 7432f69c 74320000 00000001 00000000 klif+0x22820
0006f50c 7c9011a7 74320000 00000001 00000000 ODBC32!_DllMainCRTStartup+0x52
0006f52c 7c91cbab 7432f659 74320000 00000001 ntdll!LdrpCallInitRoutine+0x14
0006f634 7c916178 00000000 c0150008 00000000 ntdll!LdrpRunInitializeRoutines+0x344
0006f8e0 7c9162da 00000000 0007ced0 0006fbd4 ntdll!LdrpLoadDll+0x3e5
0006fb88 7c801bb9 0007ced0 0006fbd4 0006fbb4 ntdll!LdrLoadDll+0x230
0006fbf0 7c801d6e 7ffddc00 00000000 00000000 kernel32!LoadLibraryExW+0x18e
0006fc04 7c801da4 0106c0f0 00000000 00000000 kernel32!LoadLibraryExA+0x1f
0006fc20 f824d749 0106c0f0 0000000e 0107348c kernel32!LoadLibraryA+0x94
00000000 00000000 00000000 00000000 00000000 klif+0x22749
STACK_COMMAND: .trap 0xfffffffff7872ce0 ; kb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hardware
IMAGE_NAME: hardware
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: CPU_CALL_ERROR
Followup: MachineOwner
---------
*** Possible invalid call from 804e331f ( nt!KeUpdateSystemTime+0x160 )
*** Expected target 804e358e ( nt!DbgBreakPointWithStatus+0x0 )
kd> u 804e331f
nt!KeUpdateSystemTime+0x160:
804e331f e86a020000    call  nt!DbgBreakPointWithStatus (804e358e)
804e3324 ebb4       jmp   nt!KeUpdateSystemTime+0x11b (804e32da)
804e3326 90        nop
804e3327 fb        sti
804e3328 8d09       lea   ecx,[ecx]
nt!KeUpdateRunTime:
804e332a a11cf0dfff    mov   eax,[ffdff01c]
804e332f 53        push  ebx
804e3330 ff80c4050000   inc   dword ptr [eax+0x5c4]
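  To make the sequence in that session concrete, here is an added example, my own illustration and not KAV's code or anything from the original article, that models the in-place x86 hot-patch the debugger output reveals: the first two bytes of a function are replaced with the self-jump eb fe so that any thread arriving at the function spins, the rest of the replacement prologue is written, and only then are the first two bytes written. The prologue bytes are the ones seen at klif!sub_F8231820 in the log (83 ec 08 followed by pushes); the replacement prologue (a jmp rel32 to a hypothetical detour), the hotpatch_step and count_spin_windows names, and the fact that "running" the patched code only means decoding its first instruction are all assumptions of the model. The same example illustrates the last point of the Solution section below: the scheme only works if nobody can execute the function between the first and the last write, which stops being true as soon as the patching thread is preempted, single-stepped, or running beside another processor.

```c
/* Added example (not KAV's or the article's code): models the three-step
 * x86 hot-patch visible in the debugger session. The "function" is a plain
 * byte array, not executable memory; a caller "executing" it is modelled by
 * decoding its first instruction. Replacement bytes are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum insn { INSN_OTHER = 0, INSN_SUB_ESP_IMM8, INSN_SPIN, INSN_PUSH_IMM32, INSN_JMP_REL32 };

/* Decode just enough x86 to classify the first instruction of a prologue. */
static enum insn decode_first(const uint8_t *code, size_t len)
{
    if (len >= 2 && code[0] == 0xEB && code[1] == 0xFE) return INSN_SPIN;         /* jmp $      */
    if (len >= 3 && code[0] == 0x83 && code[1] == 0xEC) return INSN_SUB_ESP_IMM8; /* sub esp,i8 */
    if (len >= 5 && code[0] == 0x68) return INSN_PUSH_IMM32;                      /* push imm32 */
    if (len >= 5 && code[0] == 0xE9) return INSN_JMP_REL32;                       /* jmp rel32  */
    return INSN_OTHER;
}

struct hotpatch {
    uint8_t *code;          /* function being patched                */
    const uint8_t *repl;    /* replacement prologue, repl[0..n-1]    */
    size_t n;               /* number of bytes replaced, at least 2  */
    int step;               /* 0 = not started, 3 = patch complete   */
};

/* Perform one step of the patch and return the number of steps done so far.
 * Step 0 parks arriving callers on "jmp $", step 1 writes everything after
 * the first two bytes, step 2 writes the final first two bytes. */
static int hotpatch_step(struct hotpatch *hp)
{
    switch (hp->step) {
    case 0: hp->code[0] = 0xEB; hp->code[1] = 0xFE; break;
    case 1: memcpy(hp->code + 2, hp->repl + 2, hp->n - 2); break;
    case 2: memcpy(hp->code, hp->repl, 2); break;
    default: return hp->step;                /* already finished */
    }
    return ++hp->step;
}

/* What a thread reaching the function right now would do: 1 if it spins. */
static int caller_spins(const struct hotpatch *hp)
{
    return decode_first(hp->code, hp->n) == INSN_SPIN;
}

/* Run the whole sequence and count the steps after which a caller spins. */
static int count_spin_windows(uint8_t *code, const uint8_t *repl, size_t n)
{
    struct hotpatch hp = { code, repl, n, 0 };
    int windows = 0;
    while (hp.step < 3) {
        hotpatch_step(&hp);
        if (caller_spins(&hp)) windows++;
    }
    return windows;
}

int main(void)
{
    /* Constructed sample: the prologue seen at klif!sub_F8231820 in the log
     * (sub esp,8 ; push ebx ; push ebp ; push esi ; push edi). */
    uint8_t code[] = { 0x83, 0xEC, 0x08, 0x53, 0x55, 0x56, 0x57 };
    /* Hypothetical replacement: jmp rel32 to a detour, padded with nops. */
    const uint8_t repl[] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0x90, 0x90 };
    struct hotpatch hp = { code, repl, sizeof code, 0 };

    while (hp.step < 3) {
        hotpatch_step(&hp);
        printf("after step %d: first bytes %02x %02x -> a caller %s\n",
               hp.step, code[0], code[1], caller_spins(&hp) ? "spins" : "proceeds");
    }
    return 0;
}
```

Two of the three steps leave any caller spinning, and nothing in the sequence bounds how long those steps take: a debugger break-in, a page fault, or a higher-priority interrupt on the patching thread stretches the window indefinitely, which is exactly what the repeated breakpoint hits on eb fe in the session show. On a multiprocessor the other processors keep fetching instructions while the bytes change, so Intel's cross-modifying-code rules additionally require those processors to be synchronized around the write; a bare memcpy, as in this model, does nothing of the sort.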

  Solution

  KAV's anti-virus product relies on a number of unsafe kernel-mode hacks that put system stability at risk. To address this, KAV first needs to remove those unsafe kernel hacks, such as patching non-exported functions or hooking system services without any validation.

  The operations for which KAV resorts to hooks and other unsafe measures can also be accomplished through the documented, supported APIs and routines described in the Windows Device Driver Kit (DDK) and the Installable File System Kit (IFS Kit). KAV's developers need to take the time to understand how to operate inside the kernel using documented methods, instead of the literal hack-and-slash approach that leaves the system at risk of crashes or even of privilege escalation.

  Many of the unsafe operations KAV relies on are blocked on x64 by Kernel Patch Protection (PatchGuard), which makes it harder for KAV to ship an anti-virus product for 64-bit systems (and with machines now shipping with x64 support, some of them with an x64 operating system by default, an x64 version matters more and more). 32-bit kernel drivers cannot be loaded on a 64-bit system, so KAV has to port its drivers to x64 and deal with PatchGuard at the same time. In addition, the assumption that end users run single-processor machines will soon no longer hold: many systems today support hyperthreading or multiple cores.

Source: 赛迪网    Author: 杜莉    Editor: 豆豆技术应用
