About DeviceLock's Working Principle Analysis Report comes to the company's first job is to analyze the working principle of DeviceLock. He has encountered some difficulties, and now it is a small summary, preparing for future work. First, DeviceLock is a product of SmartLine Inc for data protection. When you have a computer or domain administrator privilege, you can control access to the same-moving media. And also supports a variety of interfaces such as WiFi, Bluetooth, USB, FireWare, string pair ports. Do not use any hardware, simply rely on software to achieve all.
First, this software has six objectives: 1. DeviceLock has network administrators to manage who has the power to access local equipment (floppy drive, optical drive, DVD drive, ZIP drive, USB device, Firewire, infrared, serial port, and parallel port, tape drive, WiFi, Bluetooth Adapter, etc.) 2. When the DeviceLock is installed, the administrator has the power to control the floppy drive, the optical drive, and other devices, including control of any time of seven days. 3, you can also control the mobile device. 4, DeviceLock can also resist attacks of viruses, Trojans and other malicious code propagating through mobile devices. 5, DeviceLock can also protect the disk intentionally or unintentionally. 6. DeviceLock can set different permissions through users. 7. Network administrators can refresh the cache of the storage device. DeviceLock consists of two parts, Service and Manager. A access control of the core, an implementation interface setting.
Second, specifically see how its security function is implemented, DeviceLock Manager | | | | | | | | | | | | | DEVICELOCK Service (Client Impersonation) --- LOCAL Security Authority Authentication --- Input Data Verification | | | | Windows NT Domain Active Directory
Establish a security check mechanism through SSPI, NT LAN Manager SSP, Local Security Authority Authentication. Manager can set configure these SSPIs. User's process access token (use id, group IDs) --------- Security Descriptor floppy drive | | ----- Security descriptor hard drive | | ----- Security Descriptor CD-ROM | | ----- Security Descriptor USB device ... You can control access to the ID and each device's Security Descriptor in the access token of User's Process. Third, my work starts 1. After completing the installation, reach three worthless target files: DLManager.exe 290 kb dluni.dll 3.00 KB 2, the tool extracted by the resource in DLService.exe Extract two files, you can use EZ Extract Resource, Exesc and so on to complete this work. The file subsequently extracted I named: DLSERVICE_EXE_0 64.6 KB DLSERVICE_EXE_1 1.80 KB By analyzing key issues in DLService_exe_0, the latter seems to be a file with Help. 3, below is the specific work uses IDA Pro to disassemble the target code. This file is a driven file format (that is .sys) written using the VC, but only the level of the assembly code can be analyzed. Finally, there is no breakthrough, I didn't take it. There are several ways to analyze the API function when analyzing, start tracking from the START function, and analyzes a few possible core functions. Some tools are useful in IDA Pro, such as: graphics analysis, display changes in the location of the code, have several ways, very practical. The jump of the instruction is very convenient. You can rename the function of the analysis completed and prompted. The difficulties encountered are: the amount of analysis is large, it is difficult to grasp, but can refer to the API function. I estimate that some code interferes with code. It is difficult to analyze the role of constants and variables in the code. Undocument's thing. Analysis of many functions will find that they are operating processing data, but I don't know the core issues.
Fourth, I will take a piece of code I have analyzed in detail: ---------------------------------- -------------------------------------------------- ---------------------------------- 17D98 fun_17d98 proc near; code xref: fun_17b04 1b317d98; fun_1a6a6 b5217d98 17d98 VAR_38 = DWORD PTR-38H; Define a data area, as a temporary variable, 17d98 var_30 = dword ptr -30h; the beginning of the initial value may be through EBP VAR _ ** points to each variable 17d98 var_2c = dword PTR-2CH17D98 var_28 = dword PTR-28H17D98 VAR_24 = BYTE PTR-24H17D98 VAR_20 = DWORD PTR -20H17D98 var_18 = DWORD PTR-18H17D98 VAR_10 = DWORD PTR-10H17D98 VAR_4 = DWORD PTR-417D98 arg_0 = DWORD PTR 8 -------------- -------------------------------------------------- -------------------------------------------------- ------ 17D98 Push EBP; base pointer 17d99 MOV EBP, ESP; pointer stack 17d9b push 0ffffffh17d9d push offset dword_10850 -------------------------------------------------- ------------------ four separate modules, no other entrance | *** DWORD_10850 is a variable area of a storage address, the content is as follows: DD 0FFFFFFFH | | * ** DD Offset LOC_17F6D | | *** DD Offset Loc_17F71 | | *** DD 0FFFFFFFH | | *** DD Offset Loc_17F37 | | *** DD Offset Loc_17F3B | ----------- -------------------------------------------------- ------- 17DA2 PUSH OFFSET FUN_1C978; Protection 1C978 address 17DA7 MOV Eax, Large FS: 0; FS: Additional Data Section 17DAD PUSH EAX;
Save the stack 17DAE MOV LARGE FS: 0, ESP; ESP-> FS: 017DB5 SUB ESP, 30H; ESP-30H-> ESP17DB8 PUSH EBX; the following three sentences are the protection site 17DB9 Push ESI17DBA PUSH EDI17DBB MOV [EBP VAR_18], ESP; ESP -> [EBP VAR_18] 17DBE AND [EBP VAR_24], 0; [EBP VAR_24] Clear 17DC2 XOR ESI, ESI; ESI Clear 17DC4 MOV [EBP VAR_38], ESI; ESI -> [EBP VAR_38] Clear 17DC7 MOV [EBP VAR_20], ESI; ESI -> [EBP VAR_20] Clear 17DCA MOV [EBP VAR_4], ESI; ESI -> [EBP VAR_4] Clear 17DCD CMP EDX, ESI; EDX = 0? 17DCF JZ Short Loc_17DFA; if EDX = 0, Jump ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------- 17DD1 CMP [EBP ARG_0], ESI;? 17DD4 JNZ Short Loc_17DF6 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------ 17DD6 MOV EAX, [EDX 4] 17DD9 MOV Eax, [EAX 4]; no meaning 17DDC Add Eax, 1CH; EAX 1CH-> EAX17DDF MOV [EBP VAR_28], EAX; EAX -> [EBP VAR_28] 17DE2 TEST BYTE PTR [EDX 2], 1; [EDX 2] = 1? 17DE6 JZ Short Loc_17DED ---------------------------------------- -------------------------------------------------- ------ 17DE8 PUSH 117DEA POP ECX; 1->
ECX17DEB JMP Short Loc_17DF1 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ -------------------------------------------------- ---------------------- 17DED LOC_17DED: Movsx ECX, Byte PTR [ECX 20H] 17DF1 LOC_17DF1: MOV BYTE PTR [EBP VAR_2C], CL; CL -> [EBP VAR_2C] 17DF4 JMP Short Loc_17e10; Exit ----------------------------------- -------------------------------------------------- ------------------------------- 17DF6 LOC_17DF6: CMP EDX, ESI17DF8 JNZ Short Loc_17E0A --------- -------------------------------------------------- ----- 17DFA LOC_17DFA: MOV EAX, [EBP Arg_0] 17DFD CMP Eax, ESI; subtraction 17DFF JZ Short Loc_17E0A; if eax = 0, jump ---------------- ------------------------------------------------ 17E01 MOV [EBP VAR_28], EAX17E04 MOV BYTE PTR [EBP VAR_2C], 1; 1 -> [EBP VAR_2C] 17E08 JMP Short LOC_17E0D ----------- -------------------------------------------------- -------------------------------------------------- ------- 17E0A LOC_17E0A: MOV [EBP VAR_28], ESI; subtle: Comparison, Exchange, Select 1 Level 1 Skip Eax and ESI 17E0D LOC_17E0D: MOV EAX, [EBP VAR_28] 17E10 LOC_17E10: OR [EBP VAR_4], 0FFFFFFFH; Setting 17E14 CMP Eax, ESI17E16 JZ LOC_17F78; whether it ends ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ------------ 17E1C Push Eax17E1D Call DS: SELOCKSUBJECTCONTEXT; Lock context, is it the role of the protection site?
------------------------------------------ 17E23 PUSH 117E25 POP EAX17E26 MOV [EBP var_4], eax17E29 mov edi, 206B6444h17E2E push edi; PoolType = 206B6444h17E2F push 40h; numberOfBytes = 40h17E31 push eax; Tag = 1 (PagedPool) 17E32 mov esi, ds: ExAllocatePoolWithTag17E38 call esi; ExAllocatePoolWithTag allocate memory 17E3A MOV EBX, EBP VAR_38], EBX; Return Value EAX-> EBX -> [EBP VAR_38] *** --------------------- ---------------------- 17E3F Push EDI; PoolType = EDI =? 17E40 MOV EDI, 200H 17E45 Push EDI; NumberofBytes = 200h17E46 Push 1; tag = 1 (PagedPool 17E48 Call ESI; ExallocatePoolwithTAG Assign Memory 17E4A MOV ESI, EAX17E4C MOV [EB P VAR_20], ESI; Return Value Eax-> ESI -> [EBP VAR_20] *** --------------------------- --------------- 17E4F Test EBX, EBX; take the sign = 0? 17E51 JZ LOC_17F30 ------------------- ----------------------------------------------------------------------------------------------------------------------- -------------------------------------------------- ------------- 17E5F Push 1; Revision =
117E61 Push EBX; SecurityDescriptor = EBX17E62 Call DS: RTLCReateSecurityDescriptor; Establishing Security Identifier 17E68 Test Eax, Eax; Take the Number 17E6A JL LOC_17F30; less than zero jump17f30 ----------------- -------------------------------------------- 17E70 Push 217E72 Push EDI17E73 Push ESI17E74 CALL DS: RTLCREATEACL; I have been couldn't find a function, guessing is to build an ACE item 17E7A Test Eax, EAX; take the sign 17E7C JL LOC_17F30; less than zero jump17f30 --------------- -------------------------------------------------- 17E82 mov eax, ds: SeExports; function could not find the guess is to set the output 17E87 push dword ptr [eax 0E0h] 17E8D mov edi, 1F01FFh17E92 push edi17E93 push 217E95 push esi17E96 mov esi, ds: RtlAddAccessAllowedAce 17E9C call esi; been looking for Not in the function, guess is RTLADDA CcessallowedAce adds an access to the license ACE17E9E Test Eax, EAX; take the mark 17EA0 JL LOC_17F30; less than zero jump17f30 ---------------------------------------------------------------------------------------------------- ------------------------------------ 17EA6 MOV EAX, DS: Seexports17EAB PUSH DWORD PTR [EAX 0E4H ] 17EB1 PUSH EDI17EB2 PUSH 217EB4 PUSH [EBP VAR_20] 17EB7 CALL ESI; I have been able to find a function, guessing RTLADDACCESSALLOWACE adds an access to ACE17EB9 Test Eax, EAX; Take the Number 17EBB JL Short Loc_17F30;
Small than zero jump17f30 ----------------------------------- ----------------- 17EBD PUSH 0; dacldefaulted = 017EBF PUSH [EBP VAR_20]; DACL = var_2017ec2 push 1; DaclPresent = 1-> Dacldefault valid 17EC4 Push EBX; push ebx; psecurity_descriptor = EBX17EC5 CALL DS: RTLSETDACLSECURITYDESCRIPTOR; set Dacl17ECB Test Eax, EAX; Take the Number 17ECD JL Short Loc_17F30; less than zero jump17f30 ------------------------- ------------------------------------- 17ec EAX, DS: Seexports17ed6 Push Dword PTR [ EAX 0E0H] 17edc Push Ebx17edd Call DS: RTLSetownerSecurityDescriptor; Set your own SID17EE3 TEST EAX, EAX; take the mark 17EE5 JL Short Loc_17F30; less than zero jump17f30 ----------------- -------------------------------------------- 17EE7 PUSH EBX; SEC UrityDescriptor = 17ee8 Call DS: RTLVALIDSECURITYDESCRIPTOR; check SID legitimacy 17eee test al, AL17EF0 JZ Short Loc_17f30 ----------------------------- ---------------------------------- 17EF2 MOV [EBP VAR_30], 10H17EF9 MOV ESI, DS: IOGETFILEOBJECTGENERICMAPPING17EFF Call ESI; IOGETFILEOBJECTGENERICMAPPING, no parameters 17f01 Push EAX17F02 Lea Eax, [EBP VAR_30] 17F05 Push EAX17F06 Call DS: RTLMapGenericmask;
Very access 17F0C lea eax, [ebp var_30] 17F0F push eax17F10 lea eax, [ebp var_30] 17F13 push eax17F14 push [ebp var_2C] 17F17 call esi; IoGetFileObjectGenericMapping17F19 push eax; AccessMode = eax17F1A push 0; GenericMapping = 017F1C push 0 ; PreviouslyGrantedAccess = 017F1E push [ebp var_30]; DesiredAccess17F21 push 1; ubjectContextLocked17F23 push [ebp var_28]; SubjectSecurityContext17F26 push ebx; SecurityDescriptor17F27 call ds: SeAccessCheck; provided that allows access 17F2D mov [ebp var_24], al ---- -------------------------------------- 17F30 LOC_17F30: NOP17F31 OR [EBP VAR_4], 0FFFFFFFH [EBP VAR_4] Set 17F35 JMP Short Loc_17F45 --------------------------- -------------------------------------------------- ----------------------------------------- 17F37 LOC_17F37:; *** 17f37 push 1 17F39 POP EAX 17F3A RETN; ****** ------------------------------------- -------------------------------------------------- ------------------------------ 17F3B LOC_17F3B:;
*** 17F3B MOV ESP, [EBP-18H] 17f3e or DWORD PTR [EBP-4], 0FFFFFFFH 17F42 MOV EBX, [EBP-38H] ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------ 17F45 LOC_17F45: Push [EBP VAR_28] 17F48 Call DS: seunlocksubjectContext; Unlock the context 17f4e test EBX, EBX17F50 JZ Short Loc_17f59; Do you need to release page memory ------------------------------------------------------------------------------------------------------------------------------------------------------------------ -------------------- 17F52 Push EBX; parameter 17f53 call DS: EXFREEPOOL; EXFREEPOOL Release page memory ----------- ------------------------------ 17F59 LOC_17F59: CMP [EBP VAR_20], 017F5D JZ Short Loc_17F68; last allocated memory Failure is jump --------------------------------------------- ----------------- 17F5F Push [EBP VAR_20] 17F62 Call DS: EXFREEPOOL17F68 LOC_17F68: MOV Al, [EBP VAR_24] 17F6B JMP Short Loc_17F7A ------- ----------------------- -------------------------------------------------- -------------------------------------- 17F6D LOC_17F6D:; *** 17f6d Push 1 17f6f Pop Eax 17f70 Retn; ****** ---------------------------------------- -------------------------------------------------- ---------------------------- 17F71 LOC_17F71:; *** 17F71 MOV ESP, [EBP-18H] 17F74 or DWORD PTR [EBP -4], 0FFFFFFFH