ArcaVir是出自波兰的功能强大的反病毒程序。ArcaVir杀毒软件产品所使用的ps_drv.sys驱动允许用户打开\\Device\\ps_drv设备并以METHOD_NEITHER缓冲模式发布IOCTL。在METHOD_NEITHER模式下，I/O管理器不会为驱动复制或校验用户缓冲区，驱动直接收到用户态传入的原始指针(Type3InputBuffer和UserBuffer)。从下面的反汇编可以看出，该驱动只检查这两个指针是否为零以及缓冲区长度是否匹配，在所示片段中未见调用ProbeForRead/ProbeForWrite验证指针是否位于用户态地址范围内，因此本地用户可以通过向驱动传送内核地址作为参数来覆盖任意地址，执行任意内核态代码。以下是一个有漏洞的IOCTL处理例程(RootkitMemoryBlock)的反汇编片段: seg000:00023F3C RootkitMemoryBlock proc near seg000:00023F3C seg000:00023F3C ArcaStruct = dword ptr -14h seg000:00023F3C Buffer = dword ptr -10h seg000:00023F3C InputBuffer = dword ptr -0Ch seg000:00023F3C BufferLength = dword ptr -8 seg000:00023F3C Address = dword ptr -4 seg000:00023F3C seg000:00023F3C push ebp seg000:00023F3D mov ebp, esp seg000:00023F3F sub esp, 14h seg000:00023F42 mov [ebp+ArcaStruct], ecx seg000:00023F45 push offset StrRootkitMemBlock ; "ROOTKIT_MEMBLOCK\n" seg000:00023F4A call DbgPrint seg000:00023F4F add esp, 4 seg000:00023F52 mov eax, [ebp+ArcaStruct] seg000:00023F55 cmp [eax+_ARCA_STRUCT.InputBufferLength], 8 seg000:00023F5C jnz short @@invalid_input_buffer_size seg000:00023F5E mov ecx, [ebp+ArcaStruct] seg000:00023F61 cmp [ecx+_ARCA_STRUCT.Type3InputBuffer], 0 seg000:00023F68 jnz short @@check_passed_parameters seg000:00023F6A seg000:00023F6A @@invalid_input_buffer_size: seg000:00023F6A push offset StrInvalidInputBufferSize ; "Zły rozmiar input bufora\n" seg000:00023F6F call DbgPrint seg000:00023F74 add esp, 4 seg000:00023F77 mov eax, STATUS_INVALID_BUFFER_SIZE seg000:00023F7C jmp @@exit seg000:00023F81 seg000:00023F81 @@check_passed_parameters: seg000:00023F81 mov edx, [ebp+ArcaStruct] seg000:00023F84 mov eax, [edx+_ARCA_STRUCT.Type3InputBuffer] seg000:00023F8A mov ecx, [eax] seg000:00023F8C mov edx, [eax+4] seg000:00023F8F mov [ebp+InputBuffer], ecx seg000:00023F92 mov [ebp+BufferLength], edx seg000:00023F95 cmp [ebp+BufferLength], 0 seg000:00023F99 jnz short @@check_output_buffer seg000:00023F9B push offset StrInvalidInputAddress ; "Zerowy rozmiar bufora do odczytu\n" seg000:00023FA0 call DbgPrint seg000:00023FA5 add esp, 4 seg000:00023FA8 mov eax, STATUS_INVALID_PARAMETER seg000:00023FAD jmp @@exit seg000:00023FB2 seg000:00023FB2 @@check_output_buffer: seg000:00023FB2 mov 
eax, [ebp+ArcaStruct] seg000:00023FB5 mov ecx, [eax+_ARCA_STRUCT.OutputBufferLength] seg000:00023FBB cmp ecx, [ebp+BufferLength] seg000:00023FBE jnz short @@invalid_output_buffer_size seg000:00023FC0 mov edx, [ebp+ArcaStruct] seg000:00023FC3 cmp [edx+_ARCA_STRUCT.UserBuffer], 0 seg000:00023FCA jnz short @@check_address seg000:00023FCC seg000:00023FCC @@invalid_output_buffer_size: seg000:00023FCC push offset StrInvalidOutputBufferSize ; "Zły rozmiar output bufora\n" seg000:00023FD1 call DbgPrint seg000:00023FD6 add esp, 4 seg000:00023FD9 mov eax, STATUS_INVALID_BUFFER_SIZE seg000:00023FDE jmp short @@exit seg000:00023FE0 seg000:00023FE0 @@check_address: seg000:00023FE0 mov eax, [ebp+InputBuffer] seg000:00023FE3 mov [ebp+Buffer], eax seg000:00023FE6 mov ecx, [ebp+BufferLength] seg000:00023FE9 mov edx, [ebp+InputBuffer] seg000:00023FEC lea eax, [edx+ecx-1]