Environment: XP
Notes: rough
' VBScript: create a process through WMI's Win32_Process.Create.
' Note: HIDDEN_WINDOW is declared but not used; ShowWindow is set to 1
' (SW_SHOWNORMAL), so Notepad appears in a visible window.
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Win32_ProcessStartup carries the startup configuration for the new process
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 1
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
' Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)
' errReturn is 0 on success; intProcessID receives the new PID
errReturn = objProcess.Create("Notepad.exe", Null, objConfig, intProcessID)
On double-clicking the script:
explorer.exe creates wscript.exe
then svchost.exe creates wmiprvse.exe
The reason svchost.exe creates wmiprvse.exe is presumably that wscript.exe talks to it over LPC
art Address kernel32!BaseThreadStartThunk (0x77e5aa60)
Stack Init b37cd000 Current b37ccc34 Base b37cd000 Limit b37c9000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
b37ccc4c 80511388 818abbb8 818abb48 805075c1 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4]) [D:\xpclient\base\ntos\ke\i386\ctxswap.asm @ 301]
b37ccc58 805075c1 00001190 00000174 8063616d nt!KiSwapThread+0x44 (FPO: [0,0,2]) (CONV: fastcall) [d:\xpclient\base\ntos\ke\thredsup.c @ 1333]
b37ccc80 806368ce 00000001 00000010 b37ccd01 nt!KeWaitForSingleObject+0x22c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xpclient\base\ntos\ke\wait.c @ 1162]
b37ccd3c 8059994c 0000020c 00c5ff70 00c5fe38 nt!NtReplyWaitReceivePortEx+0x761 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xpclient\base\ntos\lpc\lpcrecv.c @ 526]
b37ccd3c 7ffe0304 0000020c 00c5ff70 00c5fe38 nt!_KiSystemService+0x13b (FPO: [0,3] TrapFrame @ b37ccd64) (CONV: cdecl) [D:\xpclient\base\ntos\ke\i386\trap.asm @ 1299]
00c5fe18 77f3eb3c 77c57b45 0000020c 00c5ff70 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
00c5fe1c 77c57b45 0000020c 00c5ff70 00c5fe38 ntdll!ZwReplyWaitReceivePortEx+0xc (FPO: [5,0,0]) [D:\xpclient\base\ntdll\daytona\obj\i386\usrstubs.asm @ 1691]
00c5ff84 77c58021 00c5ffa8 77c5b80b 002b2160 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x145 (FPO: [Non-Fpo]) (CONV: thiscall) [d:\xpclient\com\rpc\runtime\mtrt\lpcsvr.cxx @ 1744]
00c5ff8c 77c5b80b 002b2160 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xpclient\com\rpc\runtime\mtrt\lpcsvr.cxx @ 40]
00c5ffa8 77c58aaf 002a2f88 00c5ffec 77e5a5f9 RPCRT4!BaseCachedThreadRoutine+0xb0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xpclient\com\rpc\runtime\mtrt\hndlsvr.cxx @ 3885]
00c5ffb4 77e5a5f9 002b3d80 00000000 00000000 RPCRT4!ThreadStartRoutine+0x18 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xpclient\com\rpc\runtime\mtrt\threads.cxx @ 234]
00c5ffec 00000000 77c58a97 002b3d80 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\xpclient\base\win32\client\support.c @ 492]
kd> !handle 0000020c
PROCESS 81a1cda8 SessionId: 0 Cid: 0374 Peb: 7ffdf000 ParentCid: 02a0
DirBase: 08b2a000 ObjectTable: e14ca128 HandleCount: 253.
Image: svchost.exe
Handle table at e17b8000 with 253 entries in use
020c: Object: e16f12c0 GrantedAccess: 001f0001 Entry: e17b8418
Object: e16f12c0 Type: (81fa0048) Port
ObjectHeader: e16f12a8 (old version)
HandleCount: 1 PointerCount: 36
Directory Object: e15924b0 Name: epmapper
From the stack above, svchost.exe is waiting for an RPC request; a legitimate request, such as one to start wmiprvse.exe, triggers it. This trigger seems hard to imitate, though; there appears to be some communication protocol in between.
wmiprvse.exe finally creates the target process.
I have not yet found who triggers the RPC call that makes wmiprvse.exe create notepad.exe; the stack is as follows
kd> !process -1 0
PROCESS 81ba6da8 SessionId: 0 Cid: 049c Peb: 7ffdf000 ParentCid: 0374
DirBase: 197a3000 ObjectTable: e12f0218 HandleCount: 135.
Image: wmiprvse.exe
kd> kL
ChildEBP RetAddr
b279bd2c 8059994c nt!NtCreateProcessEx
b279bd2c 7ffe0304 nt!_KiSystemService+0x13b
00ccd3b4 77f3e1fc SharedUserData!SystemCallStub+0x4
00ccd3b8 77e79213 ntdll!NtCreateProcessEx+0xc
00ccddac 77dacb48 kernel32!CreateProcessInternalW+0x113e
00ccddf8 6dab7f33 ADVAPI32!CreateProcessAsUserW+0x12d
WARNING: Stack unwind information not available. Following frames may be wrong.
00ccde58 6dab82a5 cimwin32!DllUnregisterServer+0x3355
00ccea9c 6dab909f cimwin32!DllUnregisterServer+0x36c7
00ccecdc 6dab9480 cimwin32!DllUnregisterServer+0x44c1
00ccecf8 6dab9ede cimwin32!DllUnregisterServer+0x48a2
00cced1c 6682ba84 cimwin32!DllUnregisterServer+0x5300
00cced50 66830adf framedyn+0xba84
00ccf294 01018c01 framedyn+0x10adf
00ccf2fc 01018d9c wmiprvse+0x18c01
00ccf344 77ca26d0 wmiprvse+0x18d9c
00ccf374 77cbb954 RPCRT4!Invoke+0x30
00ccf76c 77cb6a19 RPCRT4!NdrStubCall2+0x21d
00ccf7d8 770c5fdd RPCRT4!CStdStubBuffer_Invoke+0x98
00ccf818 770c871b ole32!SyncStubInvoke+0x33
00ccf864 7700255f ole32!StubInvoke+0x158
00ccfb3c 76feb4ef ole32!CCtxComChnl::ContextInvoke+0x188
00ccfb74 770c6d29 ole32!MTAInvoke+0x69
00ccfba4 770c714a ole32!AppInvoke+0x95
00ccfc6c 770c4487 ole32!ComInvokeWithLockAndIPID+0x343
00ccfcd8 77c7ffb7 ole32!ThreadInvoke+0x2c3
00ccfd0c 77c5ce72 RPCRT4!DispatchToStubInC+0x17
00ccfd68 77c5d5b7 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x14d
00ccfd8c 77c5d6c3 RPCRT4!RPC_INTERFACE::DispatchToStub+0x82
00ccfdc0 77c5510e RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xde
00ccfdfc 77c57574 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x357
00ccfe20 77c57d86 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x196
00ccff84 77c58021 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x386
00ccff8c 77c5b80b RPCRT4!RecvLotsaCallsWrapper+0xb
00ccffa8 77c58aaf RPCRT4!BaseCachedThreadRoutine+0xb0
00ccffb4 77e5a5f9 RPCRT4!ThreadStartRoutine+0x18
00ccffec 00000000 kernel32!BaseThreadStart+0x37
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
b2ff2c4c 80511388 818b88f8 818b8888 805075c1 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
b2ff2c58 805075c1 00001337 00000174 8063616d nt!KiSwapThread+0x44 (FPO: [0,0,2]) (CONV: fastcall)
b2ff2c80 806368ce 00000001 00000010 00000001 nt!KeWaitForSingleObject+0x22c (FPO: [Non-Fpo]) (CONV: stdcall)
b2ff2d3c 8059994c 000005b0 00c0ff70 00c0fe38 nt!NtReplyWaitReceivePortEx+0x761 (FPO: [Non-Fpo]) (CONV: stdcall)
b2ff2d3c 7ffe0304 000005b0 00c0ff70 00c0fe38 nt!_KiSystemService+0x13b (FPO: [0,3] TrapFrame @ b2ff2d64) (CONV: cdecl)
00c0fe18 77f3eb3c 77c57b45 000005b0 00c0ff70 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
00c0fe1c 77c57b45 000005b0 00c0ff70 00c0fe38 ntdll!ZwReplyWaitReceivePortEx+0xc (FPO: [5,0,0])
00c0ff84 77c58021 00c0ffa8 77c5b80b 00921e10 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x145 (FPO: [Non-Fpo]) (CONV: thiscall)
00c0ff8c 77c5b80b 00921e10 77f78f9c 00000354 RPCRT4!RecvLotsaCallsWrapper+0xb (FPO: [Non-Fpo]) (CONV: stdcall)
00c0ffa8 77c58aaf 00912f88 00c0ffec 77e5a5f9 RPCRT4!BaseCachedThreadRoutine+0xb0 (FPO: [Non-Fpo]) (CONV: stdcall)
00c0ffb4 77e5a5f9 00920790 77f78f9c 00000354 RPCRT4!ThreadStartRoutine+0x18 (FPO: [Non-Fpo]) (CONV: stdcall)
00c0ffec 00000000 77c58a97 00920790 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo]) (CONV: stdcall)
kd> !handle 5b0
PROCESS 81873560 SessionId: 0 Cid: 07c4 Peb: 7ffdf000 ParentCid: 0374
DirBase: 1c6a9000 ObjectTable: e125de40 HandleCount: 133.
Image: wmiprvse.exe
Handle table at e1dce000 with 133 entries in use
05b0: Object: e1cb9038 GrantedAccess: 001f0001 Entry: e1dceb60
Object: e1cb9038 Type: (81fa0048) Port
ObjectHeader: e1cb9020 (old version)
HandleCount: 1 PointerCount: 10
Directory Object: e15924b0 Name: OLE11
Finally I found that wmiprvse.exe is waiting for this LPC data; if it is appropriate, it starts notepad.exe.
Once wmiprvse.exe has started it stays resident and does not exit; if it does exit and the script is run, svchost.exe starts wmiprvse.exe again.
So to imitate this one could send LPC data to wmiprvse.exe, but that seems unnecessary; just writing the script like this is enough.
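As an added example (not part of the original notes), the detection side of the chain traced above: a Python routine over constructed Sysmon-style process-creation records flags processes whose parent is wmiprvse.exe and shows why the real initiator (wscript.exe) is absent from the parent chain, since the request travelled over LPC. The records, the PIDs, and the "script host started shortly before" heuristic are assumptions made for the example.

```python
# Constructed process-creation records modelling the chain from the notes:
# explorer.exe -> wscript.exe, svchost.exe -> wmiprvse.exe, wmiprvse.exe -> notepad.exe.
# Not real logs; Cid values from the debugger output are reused where known,
# the rest are chosen arbitrarily.
from collections import namedtuple
import ntpath

Proc = namedtuple("Proc", "ts pid ppid image")

SAMPLE = [
    Proc(10.0, 0x1f0, 0x1b0, r"C:\WINDOWS\system32\services.exe"),
    Proc(10.5, 0x374, 0x1f0, r"C:\WINDOWS\system32\svchost.exe"),   # hosts the WMI service
    Proc(12.0, 0x2a0, 0x280, r"C:\WINDOWS\explorer.exe"),
    Proc(200.0, 0x5c8, 0x2a0, r"C:\WINDOWS\system32\wscript.exe"),  # double-clicked script
    Proc(200.3, 0x49c, 0x374, r"C:\WINDOWS\system32\wbem\wmiprvse.exe"),
    Proc(200.6, 0x6a0, 0x49c, r"C:\WINDOWS\system32\notepad.exe"),  # via Win32_Process.Create
    Proc(300.0, 0x700, 0x2a0, r"C:\WINDOWS\system32\notepad.exe"),  # ordinary launch from Explorer
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(image):
    return ntpath.basename(image).lower()

def ancestry(procs, pid):
    """Image basenames from pid up the parent chain; stops at an unknown parent."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def wmi_spawned(procs):
    """Processes whose parent is wmiprvse.exe: created by a WMI provider
    (here Win32_Process.Create), not by the process that asked for them."""
    by_pid = {p.pid: p for p in procs}
    return [p for p in procs
            if p.ppid in by_pid and basename(by_pid[p.ppid].image) == "wmiprvse.exe"]

def likely_initiators(procs, child, window=5.0):
    """Heuristic (an assumption for this example): the script host that made
    the WMI call is not in child's parent chain, so look for script hosts
    started within `window` seconds before child. wmiprvse.exe is not used
    as the anchor because, as the notes observe, it stays resident."""
    return [p for p in procs
            if basename(p.image) in SCRIPT_HOSTS and 0 <= child.ts - p.ts <= window]
```

The parent chain of the WMI-created notepad.exe leads back to svchost.exe and services.exe, never to wscript.exe, which is why a parent-child rule alone cannot name the initiator.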