Want to use Win API hooking to detect WMI query strings, but cannot find IWbemServices::ExecQuery in fastprox.dll

reverse-engineering windows malware
2021-07-08 04:28:27

I want to implement WMI query detection in the sandbox using the apimon plugin: https://github.com/tklengyel/drakvuf

For that I have to obtain the DLL symbol files. But I cannot find the method IWbemServices::ExecQuery in any DLL.

Any ideas on how to detect a WMI query string like select * from win32_operatingsystem using API monitoring only?

1 Answer

I am not sure what you are looking for. If you execute, in wmic,

C:\WINDOWS\system32>wmic os get Name

you get back

Name
Microsoft Windows 10 Pro|C:\WINDOWS|\Device\Harddisk0\Partition4

This is executed using your select * from SQL or WQL query;
here is the call stack and related information.

Breakpoint at

0:000> rM0
WMIC!CExecEngine::ProcessSHOWInfo:
00007ff7`a6fc5590 4053            push    rbx

Call stack

0:000> kP
Child-SP          RetAddr           Call Site
0000008c`90c9f6a8 00007ff7`a6fc2ffe WMIC!CExecEngine::ProcessSHOWInfo
0000008c`90c9f6b0 00007ff7`a6fe9141 WMIC!CExecEngine::ExecuteCommand+0x1ae
0000008c`90c9f750 00007ff7`a6fe8060 WMIC!CWMICommandLine::ProcessCommandAndDisplayResults+0x5f5
0000008c`90c9f910 00007ff7`a6feee6d WMIC!wmain+0x934
0000008c`90c9fb20 00007ff8`96f07c24 WMIC!__wmainCRTStartup+0x14d
0000008c`90c9fb60 00007ff8`986cd721 KERNEL32!BaseThreadInitThunk+0x14
0000008c`90c9fb90 00000000`00000000 ntdll!RtlUserThreadStart+0x21

A script that dumps arg1 @rcx *rcx **rcx, arg2 @rdx ...., arg3 @r8 ...., arg4 @r9 ...

0:000> $$>a< "xxxxx\arg64.wds"
rcx=00007ff7a70198e0
=========       @rcx
00007ff7`a70198e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00007ff7`a70198f0  e0 2d 88 07 f5 01 00 00-00 00 00 00 00 00 00 00  .-..............
=========       *@rcx
00000000`00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000000`00000010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
rdx=00007ff7a70199e8
=========       @rdx
00007ff7`a70199e8  c0 e4 a8 07 f5 01 00 00-60 e5 a8 07 f5 01 00 00  ........`.......
00007ff7`a70199f8  20 01 73 09 f5 01 00 00-00 00 00 00 00 00 00 00   .s.............
=========       *@rdx
000001f5`07a8e4c0  20 00 6f 00 73 00 20 00-67 00 65 00 74 00 20 00   .o.s. .g.e.t. .
000001f5`07a8e4d0  4e 00 61 00 6d 00 65 00-00 00 ab ab ab ab ab ab  N.a.m.e.........
r8=0000000000000001
=========       @r8
00000000`00000001  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000000`00000011  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
=========       *@r8
Memory access error at ') '
r9=0000000000000000
=========       @r9
00000000`00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000000`00000010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
=========       *@r9
Memory access error at ') '

The second argument contains your SQL/WQL query

0:000> dpu @rdx
00007ff7`a70199e8  000001f5`07a8e4c0 " os get Name"
00007ff7`a70199f0  000001f5`07a8e560 "os"
00007ff7`a70199f8  000001f5`09730120 "Installed Operating System/s management. "
00007ff7`a7019a00  00000000`00000000
00007ff7`a7019a08  00000000`00000000
00007ff7`a7019a10  00000000`00000000
00007ff7`a7019a18  000001f5`097300d0 "get"
00007ff7`a7019a20  00000000`00000000
00007ff7`a7019a28  00000000`00000000
00007ff7`a7019a30  00000000`00000000
00007ff7`a7019a38  00000000`00000000
00007ff7`a7019a40  000001f5`07a8ee00 "Select * from Win32_OperatingSystem"
00007ff7`a7019a48  00000000`00000000
00007ff7`a7019a50  00000000`00000001
00007ff7`a7019a58  000001f5`07a81770 "ᝰ.ǵ"
00007ff7`a7019a60  00000000`00000000
0:000>  

If you follow further, you can see that the query asks for a specific property rather than the wildcard

0:000> rM0
WMIC!CExecEngine::ObtainXMLResultSet:
00007ff7`a6fc3030 4c8bdc          mov     r11,rsp
0:000> r rcx,rdx,r8,r9
rcx=00007ff7a70198e0 rdx=00000204437822d8 r8=00007ff7a70199e8 r9=0000003789d3b5b8
0:000> du /c 100 @rdx
00000204`437822d8  "SELECT Name FROM Win32_OperatingSystem"
0:000>  

There is a documented example of retrieving data from a WMI method here

Compile and trace it, and you can see the method being resolved in fastprox.dll as follows

0:000> dps @rax+0xa0 l1
00007ff8`855846b0  00007ff8`854ec8f0 fastprox!CWbemSvcWrapper::XWbemServices::ExecQuery
0:000> r
rax=00007ff885584610 rbx=00007ff669e67bc8 rcx=00000160178261a0
rdx=00000160178122b8 rsi=0000000000000000 rdi=00000160177e65e0
rip=00007ff669da1638 rsp=00000050a376faf0 rbp=0000000000000000
 r8=000001601781fb08  r9=0000000000000030 r10=00000050a376fa20
r11=00000160178122b8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
wbemexec!main+0x448:
00007ff6`69da1638 ff90a0000000    call    qword ptr [rax+0A0h] ds:00007ff8`855846b0={fastprox!CWbemSvcWrapper::XWbemServices::ExecQuery (00007ff8`854ec8f0)}
0:000> ?? @rax == @@masm(poi(@rcx))
bool true
0:000> du @rdx
00000160`178122b8  "WQL"
0:000> du @r8
00000160`1781fb08  "SELECT * FROM Win32_OperatingSys"
00000160`1781fb48  "tem"
0:000>  

This is the same fastprox::..::execquery being called from the wmic command in the pre-edit answer

0:000> rM0
fastprox!CWbemSvcWrapper::XWbemServices::ExecQuery:
00007ff8`854ec8f0 4c8bdc          mov     r11,rsp
0:000> kp
Child-SP          RetAddr           Call Site
00000017`37abb518 00007ff7`ce3931c5 fastprox!CWbemSvcWrapper::XWbemServices::ExecQuery
00000017`37abb520 00007ff7`ce395e3d WMIC!CExecEngine::ObtainXMLResultSet+0x195
00000017`37abb760 00007ff7`ce392ffe WMIC!CExecEngine::ProcessSHOWInfo+0x8ad
00000017`37abf960 00007ff7`ce3b9141 WMIC!CExecEngine::ExecuteCommand+0x1ae
00000017`37abfa00 00007ff7`ce3b8060 WMIC!CWMICommandLine::ProcessCommandAndDisplayResults+0x5f5
00000017`37abfbc0 00007ff7`ce3bee6d WMIC!wmain+0x934
00000017`37abfdd0 00007ff8`96f07c24 WMIC!__wmainCRTStartup+0x14d
00000017`37abfe10 00007ff8`986cd721 KERNEL32!BaseThreadInitThunk+0x14
00000017`37abfe40 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000> du @rdx; du /c 100 @r8
00000209`96d22868  "WQL"
00000209`96d76d38  "SELECT Name FROM Win32_OperatingSystem"
0:000> dps poi(@rcx)+a0 l1
00007ff8`855846b0  00007ff8`854ec8f0 fastprox!CWbemSvcWrapper::XWbemServices::ExecQuery
0:000>
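The traces above show why there is no exported symbol to hook: ExecQuery is reached through the IWbemServices vtable (the `call qword ptr [rax+0A0h]`), and at entry rdx holds the query language BSTR and r8 the query BSTR. The following added example (not code from the post or from DRAKVUF) models that for a monitor: it derives the 0xA0 slot from the interface's method order and decodes the two BSTR arguments from a constructed register set and memory buffer; the addresses and the `GuestMemory` helper are assumptions standing in for a real guest-memory read.

```python
import struct

BASE = 0x1000  # constructed guest address where the sample BSTRs are laid out

# IUnknown's three methods followed by IWbemServices' methods in declaration order.
IWBEMSERVICES_VTABLE = [
    "QueryInterface", "AddRef", "Release",
    "OpenNamespace", "CancelAsyncCall", "QueryObjectSink",
    "GetObject", "GetObjectAsync", "PutClass", "PutClassAsync",
    "DeleteClass", "DeleteClassAsync", "CreateClassEnum", "CreateClassEnumAsync",
    "PutInstance", "PutInstanceAsync", "DeleteInstance", "DeleteInstanceAsync",
    "CreateInstanceEnum", "CreateInstanceEnumAsync",
    "ExecQuery", "ExecQueryAsync", "ExecNotificationQuery",
    "ExecNotificationQueryAsync", "ExecMethod", "ExecMethodAsync",
]

def vtable_offset(method, ptr_size=8):
    """Byte offset of the method's vtable slot; ExecQuery is slot 20, i.e. 0xA0 on x64."""
    return IWBEMSERVICES_VTABLE.index(method) * ptr_size

class GuestMemory:
    """Flat byte buffer standing in for guest memory reads (hypothetical helper)."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def write_bstr(self, addr, text):
        """Lay out a BSTR (4-byte byte-length prefix, UTF-16LE text, NUL); return the data pointer."""
        data = text.encode("utf-16-le")
        off = addr - self.base
        struct.pack_into("<I", self.buf, off, len(data))
        self.buf[off + 4:off + 4 + len(data) + 2] = data + b"\x00\x00"
        return addr + 4
    def read_bstr(self, addr):
        """A BSTR pointer points at the text; its byte length sits 4 bytes before it."""
        off = addr - self.base
        nbytes = struct.unpack_from("<I", self.buf, off - 4)[0]
        return self.buf[off:off + nbytes].decode("utf-16-le")

def decode_execquery(regs, mem):
    """x64 MS ABI at ExecQuery entry: rcx=this, rdx=strQueryLanguage, r8=strQuery, r9=lFlags."""
    return {"this": regs["rcx"], "language": mem.read_bstr(regs["rdx"]),
            "query": mem.read_bstr(regs["r8"]), "flags": regs["r9"]}

def sample_capture():
    """Constructed register set mirroring the wmic trace: "WQL" in rdx, the SELECT in r8."""
    mem = GuestMemory(BASE, 0x200)
    lang = mem.write_bstr(BASE + 0x10, "WQL")
    query = mem.write_bstr(BASE + 0x40, "SELECT Name FROM Win32_OperatingSystem")
    regs = {"rcx": 0x160178261A0, "rdx": lang, "r8": query, "r9": 0}  # rcx is a made-up this pointer
    return decode_execquery(regs, mem)

if __name__ == "__main__":
    print(hex(vtable_offset("ExecQuery")), sample_capture())
```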