DTrace 二次研究
早些时候遇到一个navagio.sys驱动,无法通过IDA直接进行静态分析。于是想到能否通过Trace手段追踪一下。
初步想法
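#pragma D option quiet
/*
 * NOTE(review): the body below only calls printf(); no destructive action
 * (stop(), raise(), copyout(), ...) is used, so "destructive" only widens
 * what the script is allowed to do. Confirm whether it can be dropped.
 */
#pragma D option destructive

/*
 * Print one line for every Nt* system call issued by the System process
 * (pid 4): probe name, caller image name, ETHREAD address and thread id.
 * The pid check is a predicate rather than an if-statement inside the
 * clause, so non-matching probe firings are discarded before any action
 * runs.
 */
syscall::Nt*:entry
/pid == 4/
{
	printf("%s [Caller %s] 0x%p, 0x%x\n", probefunc, execname, curthread, tid);
}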
通过编写D语言脚本,过滤出系统进程的Nt函数调用,效果如下:
C:\Program Files\DTrace>dtrace.exe -s C:\Users\VirtualCC\Desktop\ktrace.d
NtOpenKey [Caller System] 0xffffb20d54ce1080, 448
NtQueryValueKey [Caller System] 0xffffb20d54ce1080, 448
NtQueryValueKey [Caller System] 0xffffb20d54ce1080, 448
NtQueryValueKey [Caller System] 0xffffb20d54ce1080, 448
...... 此处省略
NtClose [Caller System] 0xffffb20d54ce1080, 448
NtClose [Caller System] 0xffffb20d54ce1080, 448
NtCreateSymbolicLinkObject [Caller System] 0xffffb20d54ce1080, 448
NtClose [Caller System] 0xffffb20d54ce1080, 448
NtClose [Caller System] 0xffffb20d54ce1080, 448
NtQuerySystemInformation [Caller System] 0xffffb20d54ce1080, 448
一些BCD的配置
bcdedit /set dtrace on
安装DTrace可参考微软官网。
设置环境变量
set PATH=%PATH%;"C:\Program Files\DTrace"
mkdir c:\symbols
set _NT_SYMBOL_PATH=srv*C:\symbols*https://msdl.microsoft.com/download/symbols
最终的实现脚本
找到线程,解析调用参数。
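#pragma D option quiet
/*
 * NOTE(review): nothing below uses a destructive action (stop(), raise(),
 * copyout(), ...); "destructive" only widens what the script may do.
 * Confirm whether the option can be dropped.
 */
#pragma D option destructive

/*
 * ktrace.d - follow the System-process (pid 4) thread that loads a driver
 * and print the object names passed to the Nt* system calls it issues.
 *
 * Thread selection is a heuristic: the first NtOpenKey seen from pid 4
 * after the script starts is assumed to be the driver-loader thread, and
 * only that thread is reported afterwards. If some other System thread
 * opens a key first, the wrong thread is followed, so start the script
 * immediately before loading the driver.
 */

/* Bounded copy of a UNICODE_STRING body (UTF-16 code units). */
struct ustr { uint16_t buffer[256]; };

/* Longest name that is printed; must match the size of ustr.buffer. */
inline int MAX_NAME_CHARS = 256;

/* Not referenced by this script; kept for a future user/kernel address check. */
inline uintptr_t MmHighestUserAddress = 0x7FFFFFFEFFFF;

int found;             /* set to 1 once the loader thread has been picked */
PETHREAD ethread_ptr;  /* the thread being followed (0 until found) */

BEGIN
{
	found = 0;
	ethread_ptr = 0;
}

syscall::Nt*:entry
/pid == 4/
{
	/* Lock onto the first NtOpenKey issued by the System process. */
	if (probefunc == "NtOpenKey" && !found) {
		ethread_ptr = curthread;
		found = 1;
	}

	if (ethread_ptr == curthread) {
		/* NtQueryDirectoryFile is too chatty to list; everything else gets a line. */
		if (probefunc != "NtQueryDirectoryFile") {
			printf("%s [Caller %s] 0x%p, 0x%x\n", probefunc, execname, curthread, tid);
		}

		/*
		 * Calls that take a POBJECT_ATTRIBUTES as arg2: extract ObjectName
		 * once into clause-local (per-firing, per-CPU) variables instead of
		 * the shared globals the per-call branches used to write, then let
		 * each branch only format it.
		 */
		this->has_attr = probefunc == "NtOpenKey" || probefunc == "NtCreateFile" ||
		    probefunc == "NtOpenFile" || probefunc == "NtCreateSection" ||
		    probefunc == "NtCreateEvent" || probefunc == "NtCreateSymbolicLinkObject";
		this->have_name = 0;

		if (this->has_attr && arg2 != 0) {
			this->attr = (POBJECT_ATTRIBUTES)arg2;
			if (this->attr->ObjectName != 0 &&
			    ((PUNICODE_STRING)this->attr->ObjectName)->Buffer != 0) {
				this->name = (PUNICODE_STRING)this->attr->ObjectName;
				/* Length is in bytes; the copy buffer holds 256 code units, so clamp. */
				this->len = this->name->Length / 2;
				this->len = this->len > MAX_NAME_CHARS ? MAX_NAME_CHARS : this->len;
				this->buf = (struct ustr *)this->name->Buffer;
				this->have_name = 1;
			}
		}

		if (this->have_name) {
			if (probefunc == "NtOpenKey") {
				printf("%Y: 0x%p Open RegKeyName:%*.*ws\n", walltimestamp, curthread,
				    this->len, this->len, this->buf->buffer);
			} else if (probefunc == "NtCreateFile") {
				printf("%Y: 0x%p Create FileName: %*.*ws\n", walltimestamp, curthread,
				    this->len, this->len, this->buf->buffer);
			} else if (probefunc == "NtOpenFile") {
				/* Previously an empty branch; the opened path was never shown. */
				printf("%Y: 0x%p Open FileName: %*.*ws\n", walltimestamp, curthread,
				    this->len, this->len, this->buf->buffer);
			} else if (probefunc == "NtCreateSection") {
				printf("%Y: 0x%p Create Section Name: %*.*ws\n", walltimestamp, curthread,
				    this->len, this->len, this->buf->buffer);
			} else if (probefunc == "NtCreateEvent") {
				printf("%Y: 0x%p Create Event Name: %*.*ws\n", walltimestamp, curthread,
				    this->len, this->len, this->buf->buffer);
			} else if (probefunc == "NtCreateSymbolicLinkObject") {
				printf("%Y: 0x%p Create SymbolicLinkObject Name: %*.*ws\n", walltimestamp, curthread,
				    this->len, this->len, this->buf->buffer);
			}
		}

		/* NtQueryValueKey(KeyHandle, ValueName, ...): arg1 is the value name. */
		if (probefunc == "NtQueryValueKey" && arg1 != 0) {
			this->vname = (PUNICODE_STRING)arg1;
			if (this->vname->Buffer != 0) {
				this->vlen = this->vname->Length / 2;
				this->vlen = this->vlen > MAX_NAME_CHARS ? MAX_NAME_CHARS : this->vlen;
				this->vbuf = (struct ustr *)this->vname->Buffer;
				printf("%Y: 0x%p value name: %*.*ws\n", walltimestamp, curthread,
				    this->vlen, this->vlen, this->vbuf->buffer);
			}
		}

		/* NtCreateThreadEx: arg4 is the new thread's start routine. */
		if (probefunc == "NtCreateThreadEx") {
			this->addr = (uintptr_t)arg4;
			printf("%Y: 0x%p start addr: %p\n", walltimestamp, curthread, this->addr);
		}

		/* NtQuerySystemInformation: arg0 is the SYSTEM_INFORMATION_CLASS value. */
		if (probefunc == "NtQuerySystemInformation") {
			printf("%Y: 0x%p system info class: 0x%x\n", walltimestamp, curthread, arg0);
		}
	}
}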
下面是navagio.sys的trace结果:
```text
C:\Windows\system32>dtrace.exe -s C:\Users\Virtual-PC\Desktop\ktrace.d
NtOpenKey [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 Open RegKeyName:\Registry\Machine\System\CurrentControlSet\Services\navagio.sys
NtQueryValueKey [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 value name: ImagePath
NtQueryValueKey [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 value name: ObjectName
NtQueryValueKey [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 value name: Type
NtQueryKey [Caller System] 0xffffd20f01799040, 0x1618
NtOpenFile [Caller System] 0xffffd20f01799040, 0x1618
NtCreateSection [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtQuerySystemInformation [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 system info class: 0x95
NtOpenKey [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 Open RegKeyName:\Registry\Machine\System\CurrentControlSet\Control\Compatibility\Driver\navagio.sys
NtOpenFile [Caller System] 0xffffd20f01799040, 0x1618
NtOpenThreadTokenEx [Caller System] 0xffffd20f01799040, 0x1618
NtOpenProcessTokenEx [Caller System] 0xffffd20f01799040, 0x1618
NtQueryInformationToken [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtCreateSection [Caller System] 0xffffd20f01799040, 0x1618
NtOpenFile [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtOpenThreadTokenEx [Caller System] 0xffffd20f01799040, 0x1618
NtOpenProcessTokenEx [Caller System] 0xffffd20f01799040, 0x1618
NtQueryInformationToken [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtQueryValueKey [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 value name: ImagePath
NtOpenFile [Caller System] 0xffffd20f01799040, 0x1618
NtOpenThreadTokenEx [Caller System] 0xffffd20f01799040, 0x1618
NtOpenProcessTokenEx [Caller System] 0xffffd20f01799040, 0x1618
NtQueryInformationToken [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtCreateSection [Caller System] 0xffffd20f01799040, 0x1618
NtMapViewOfSection [Caller System] 0xffffd20f01799040, 0x1618
NtCreateFile [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 Create FileName: \??\C:\Users\Virtual-PC\Desktop\navagio.sys
NtQueryInformationFile [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtOpenFile [Caller System] 0xffffd20f01799040, 0x1618
NtUnmapViewOfSection [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtQueryValueKey [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:50:58: 0xffffd20f01799040 value name: PnpFlags
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtCreateSymbolicLinkObject [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:51:03: 0xffffd20f01799040 Create SymbolicLinkObject Name: \DosDevices\NavagioDevice
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtQuerySystemInformation [Caller System] 0xffffd20f01799040, 0x1618
2023 Mar 1 09:51:03: 0xffffd20f01799040 system info class: 0x67
NtUpdateWnfStateData [Caller System] 0xffffd20f01799040, 0x1618
NtUpdateWnfStateData [Caller System] 0xffffd20f01799040, 0x1618
NtUpdateWnfStateData [Caller System] 0xffffd20f01799040, 0x1618
NtUpdateWnfStateData [Caller System] 0xffffd20f01799040, 0x1618
NtOpenFile [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
NtQueryVolumeInformationFile [Caller System] 0xffffd20f01799040, 0x1618
NtClose [Caller System] 0xffffd20f01799040, 0x1618
```
进一步的想法是:既然看到了创建的符号链接 \DosDevices\NavagioDevice,如果能找到与之通信的进程,再对该进程的线程进行 Trace,或许会有其他发现。以后有机会再看!