
[Everyday Debugging] Why is sptd.sys watching the Registry??

When you install Daemon Tools, a driver called sptd.sys gets installed along with it. What is this thing doing??
First question: which functions is it hooking?? I checked KiServiceTable with the dds command.

804e6948 805b1900 nt!NtCreateIoCompletion
804e694c 805e72ca nt!NtCreateJobObject
804e6950 80638053 nt!NtCreateJobSet
804e6954 f750bb3a*** ERROR: Module load completed but symbols could not be loaded for sptd.sys
sptd+0x5b3a // nt!NtCreateKey

804e6958 805e898a nt!NtCreateMailslotFile
804e695c 8057dccd nt!NtCreateMutant
804e6960 805891c8 nt!NtCreateNamedPipeFile
….
804e69c4 8057e101 nt!NtDuplicateToken
804e69c8 8064ff97 nt!NtSetBootOptions
804e69cc f750bc7e sptd+0x5c7e // nt!NtEnumerateKey
804e69d0 8064ff6f nt!NtEnumerateSystemEnvironmentValuesEx
804e69d4 f750bff6 sptd+0x5ff6 // nt!NtEnumerateValueKey
804e69d8 8062d9b9 nt!NtExtendSection

804e6a84 806216bb nt!NtOpenIoCompletion
804e6a88 806382ab nt!NtOpenJobObject
804e6a8c f750ba18 sptd+0x5a18 // nt!NtOpenKey
804e6a90 8057dd7b nt!NtOpenMutant
804e6a94 805b2aa6 nt!NtOpenObjectAuditAl

804e6b28 806510bb nt!NtQueryIntervalProfile
804e6b2c 8062177c nt!NtQueryIoCompletion
804e6b30 f750c0c0 sptd+0x60c0 // nt!NtQueryKey
804e6b34 80655cc4 nt!NtQueryMultipleValueKey
804e6b38 80650a42 nt!NtQueryMutant

804e6b6c 805b1436 nt!NtQueryTimer
804e6b70 8058bb31 nt!NtQueryTimerResolution
804e6b74 f750bf58 sptd+0x5f58 // nt!NtQueryValueKey
804e6b78 80583657 nt!NtQueryVirtualMemory
804e6b7c 8057f676 nt!NtQueryVolumeInformationFile

804e6c84 805ec4ff nt!NtSetTimerResolution
804e6c88 805e2051 nt!NtSetUuidSeed
804e6c8c f750c148 sptd+0x6148 // nt!NtSetValueKey
804e6c90 80622901 nt!NtSetVolumeInformationFile
804e6c94 8064e983 nt!NtShutdownSystem

nt!NtCreateKey, nt!NtEnumerateKey, nt!NtEnumerateValueKey, nt!NtOpenKey, nt!NtQueryKey, nt!NtSetValueKey
So it hooks the whole run of registry key functions.. For whatever reason.. Don't tell me?? Is it watching processes too??

lkd> dd nt!PspCreateProcessNotifyRoutine
8056a6e0 e18312d7 e229edef e19f3057 e3270597
8056a6f0 00000000 00000000 00000000 00000000
8056a700 00000004 00000000 8a1fcec8 8814f7b8
8056a710 8a3d5f18 8a3d5030 8a3d5e00 00000000
8056a720 00000000 00000000 00000000 00000000
8056a730 00000000 00000000 00000000 00000000
8056a740 00000000 6d6f7441 00000000 00000001
8056a750 00000000 00000000 00000000 00000000
lkd> dd e18312d0
e18312d0 00000010 f75159ac 00000000 00590052
e18312e0 00020803 61564d43 e1028820 e10281f8
e18312f0 0c020802 6944624f e1012930 e18235b8
e1831300 0c020802 6944624f e2004688 8a2db338
e1831310 0c030802 6d4e624f 00300030 00300030
e1831320 00300030 00610034 0c030803 75737050
e1831330 00750061 00730064 00750074 00000062
e1831340 00010803 61564d43 0c050801 7346744e

lkd> u f75159ac
sptd+0xf9ac:

f75159ac 55 push ebp
f75159ad 8bec mov ebp,esp
f75159af 807d1000 cmp byte ptr [ebp+10h],0
f75159b3 0f85e8000000 jne sptd+0xfaa1 (f7515aa1)
f75159b9 56 push esi
f75159ba 57 push edi
f75159bb 33ff xor edi,edi
f75159bd ff154c6052f7 call dword ptr [sptd+0x2004c (f752604c)]

Sure enough, it registers a process notify routine as well. Surely it isn't hooking the file system too???

lkd> !drvobj ntfs 2
Driver object (8a312380) is for:
\FileSystem\Ntfs
DriverEntry: f7bd7184 Ntfs!GsDriverEntry
DriverStartIo: 00000000
DriverUnload: f752a95e sptd
AddDevice: 00000000
Dispatch routines:
[00] IRP_MJ_CREATE 8a37c0e8 +0x8a37c0e8
[01] IRP_MJ_CREATE_NAMED_PIPE 804fb709 nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE 8a37c0e8 +0x8a37c0e8
[03] IRP_MJ_READ 8a37c0e8 +0x8a37c0e8
[04] IRP_MJ_WRITE 8a37c0e8 +0x8a37c0e8
[05] IRP_MJ_QUERY_INFORMATION 8a37c0e8 +0x8a37c0e8
[06] IRP_MJ_SET_INFORMATION 8a37c0e8 +0x8a37c0e8
[07] IRP_MJ_QUERY_EA 8a37c0e8 +0x8a37c0e8
[08] IRP_MJ_SET_EA 8a37c0e8 +0x8a37c0e8
[09] IRP_MJ_FLUSH_BUFFERS 8a37c0e8 +0x8a37c0e8
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION 8a37c0e8 +0x8a37c0e8
[0b] IRP_MJ_SET_VOLUME_INFORMATION 8a37c0e8 +0x8a37c0e8
[0c] IRP_MJ_DIRECTORY_CONTROL 8a37c0e8 +0x8a37c0e8
[0d] IRP_MJ_FILE_SYSTEM_CONTROL 8a37c0e8 +0x8a37c0e8
[0e] IRP_MJ_DEVICE_CONTROL 8a37c0e8 +0x8a37c0e8
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL 804fb709 nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN 8a37c0e8 +0x8a37c0e8
[11] IRP_MJ_LOCK_CONTROL 8a37c0e8 +0x8a37c0e8
[12] IRP_MJ_CLEANUP 8a37c0e8 +0x8a37c0e8
[13] IRP_MJ_CREATE_MAILSLOT 804fb709 nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY 8a37c0e8 +0x8a37c0e8
[15] IRP_MJ_SET_SECURITY 8a37c0e8 +0x8a37c0e8
[16] IRP_MJ_POWER 804fb709 nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL 804fb709 nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE 804fb709 nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA 8a37c0e8 +0x8a37c0e8
[1a] IRP_MJ_SET_QUOTA 8a37c0e8 +0x8a37c0e8
[1b] IRP_MJ_PNP 8a37c0e8 +0x8a37c0e8

Fast I/O routines:
FastIoCheckIfPossible f7b8beda Ntfs!NtfsFastIoCheckIfPossible
FastIoRead f7b72b57 Ntfs!NtfsCopyReadA
FastIoWrite f7b91448 Ntfs!NtfsCopyWriteA
FastIoQueryBasicInfo f7b7848e Ntfs!NtfsFastQueryBasicInfo
FastIoQueryStandardInfo f7b76f7e Ntfs!NtfsFastQueryStdInfo
FastIoLock f7b920f2 Ntfs!NtfsFastLock
FastIoUnlockSingle f7b921f8 Ntfs!NtfsFastUnlockSingle
FastIoUnlockAll f7bcb6ae Ntfs!NtfsFastUnlockAll
FastIoUnlockAllByKey f7bcb7f3 Ntfs!NtfsFastUnlockAllByKey
AcquireFileForNtCreateSection f7b7283a Ntfs!NtfsAcquireForCreateSection
ReleaseFileForNtCreateSection f7b72881 Ntfs!NtfsReleaseForCreateSection
FastIoQueryNetworkOpenInfo f7bb9e1d Ntfs!NtfsFastQueryNetworkOpenInfo
AcquireForModWrite f7b7ea10 Ntfs!NtfsAcquireFileForModWrite
MdlRead f7bb9f31 Ntfs!NtfsMdlReadA
MdlReadComplete 805322b8 nt!FsRtlMdlReadCompleteDev
PrepareMdlWrite f7bba2ab Ntfs!NtfsPrepareMdlWriteA
MdlWriteComplete 8061d1db nt!FsRtlMdlWriteCompleteDev
FastIoQueryOpen f7b76db8 Ntfs!NtfsNetworkOpenCreate
AcquireForCcFlush f7b726e2 Ntfs!NtfsAcquireFileForCcFlush
ReleaseForCcFlush f7b72708 Ntfs!NtfsReleaseFileForCcFlush

Sure enough, sptd boldly hooks the NTFS major functions as well: the dispatch routines point to 8a37c0e8, an address in no loaded module, and even DriverUnload now points into sptd. So what on earth is this thing?? ㅜ.ㅜ
(Too lazy to reverse it, though ㅜ.ㅜ)
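The two checks done by eye above, as an added example in Python (not code from the post): it scans constructed dds output for KiServiceTable entries that resolve outside nt, and constructed !drvobj dispatch output for routines that resolve neither into the driver's own image nor into nt. A bare `+0x...` symbol, like the 8a37c0e8 entries above, means the address lies in no loaded image at all.

```python
import re

# Constructed sample of `dds nt!KiServiceTable` output, modelled on the post's listing.
SSDT_DUMP = """\
804e6948 805b1900 nt!NtCreateIoCompletion
804e694c 805e72ca nt!NtCreateJobObject
804e6954 f750bb3a sptd+0x5b3a
804e6958 805e898a nt!NtCreateMailslotFile
804e69cc f750bc7e sptd+0x5c7e
"""

# Constructed sample of the dispatch table printed by `!drvobj ntfs 2`.
DRVOBJ_DUMP = """\
[00] IRP_MJ_CREATE 8a37c0e8 +0x8a37c0e8
[01] IRP_MJ_CREATE_NAMED_PIPE 804fb709 nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ 8a37c0e8 +0x8a37c0e8
[04] IRP_MJ_WRITE f7b91448 Ntfs!NtfsFsdWrite
"""

SSDT_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)")
DISPATCH_LINE = re.compile(r"^\[([0-9a-f]{2})\]\s+(IRP_MJ_\w+)\s+([0-9a-f]{8})\s+(\S+)")

def module_of(symbol):
    """'nt!NtOpenKey' -> 'nt', 'sptd+0x5b3a' -> 'sptd', '+0x8a37c0e8' -> '' (no module)."""
    return re.split(r"[!+]", symbol, maxsplit=1)[0]

def hooked_ssdt_entries(dump, trusted=("nt",)):
    """(slot, target, symbol) for KiServiceTable entries that resolve outside the kernel."""
    hits = []
    for line in dump.splitlines():
        m = SSDT_LINE.match(line)
        if m and module_of(m.group(3)) not in trusted:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

def hooked_dispatch_entries(dump, owner, allowed=("nt",)):
    """(IRP_MJ name, target, symbol) for routines in neither the owner nor an allowed module."""
    hits = []
    for line in dump.splitlines():
        m = DISPATCH_LINE.match(line)
        if m and module_of(m.group(4)) not in (owner, *allowed):
            hits.append((m.group(2), m.group(3), m.group(4)))
    return hits

if __name__ == "__main__":
    for hit in hooked_ssdt_entries(SSDT_DUMP):
        print("SSDT hook:", *hit)
    for hit in hooked_dispatch_entries(DRVOBJ_DUMP, "Ntfs"):
        print("dispatch hook:", *hit)
```

nt!IopInvalidDeviceRequest is the kernel's default for unimplemented major functions, which is why entries resolving into nt are treated as normal for a driver object.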