Windows内核安全机制：Early Launch Anti-Malware (ELAM) 深入解析<\/h1>

1. ELAM概述<\/h2>
Early Launch Anti-Malware (ELAM)是Windows 8引入的一种内核安全机制，旨在防止恶意代码在内核地址空间中执行。该机制特别针对Rootkit攻击，使Rootkit更难破坏系统。<\/p>

1.1 核心功能<\/h3>

允许第三方安全软件注册内核模式驱动程序<\/li>
确保安全驱动程序在系统启动早期执行<\/li>
在其他第三方驱动程序加载前进行安全检查<\/li>

阻止恶意驱动程序加载到内核地址空间<\/li> <\/ul>

2. ELAM工作原理<\/h2>

2.1 Windows启动阶段<\/h3>

Windows系统引导过程分为多个阶段：<\/p>

固件初始化<\/li>
引导加载程序<\/li>
Windows启动管理器<\/li>
Windows内核加载<\/li>
内核初始化<\/li>
会话管理器初始化<\/li>

用户登录<\/li> <\/ol>

ELAM在内核加载阶段<\/strong>发挥作用，由Windows加载器(Winload.exe)加载。<\/p>

2.2 ELAM驱动加载时机<\/h3>

在内核加载后，但未开始初始化驱动程序时<\/li>
ELAM驱动程序定义为Boot Start驱动程序，具有最高优先级<\/li>
先于其他驱动程序加载和初始化<\/li> <\/ul>
2.3 注册表配置<\/h3>
ELAM驱动程序在注册表中的位置：<\/p>
HKLM\SYSTEM\CurrentControlSet\Services\[ELAMDriverName] <\/code><\/pre> 关键值：<\/p> start<\/code>：0x0表示引导启动驱动程序<\/li> type<\/code>：0x1表示内核驱动程序<\/li> <\/ul> 3. ELAM核心API<\/h2> 3.1 注册表回调API<\/h3> CmRegisterCallbackEx<\/code>：注册监视注册表数据的回调<\/li> CmUnRegisterCallback<\/code>：注销注册表回调<\/li> <\/ul> 函数原型<\/strong>：<\/p> NTSTATUS CmRegisterCallbackEx<\/span>( <\/span><\/span> PCALLBACK_FUNCTION CallbackFunction, <\/span><\/span> PCUNICODE_STRING Altitude, <\/span><\/span> PVOID DriverObject, <\/span><\/span> PVOID Context, <\/span><\/span> PLARGE_INTEGER Cookie <\/span><\/span>); <\/span><\/span> <\/span><\/span>NTSTATUS CmUnRegisterCallback<\/span>( <\/span><\/span> LARGE_INTEGER Cookie <\/span><\/span>); <\/span><\/span><\/code><\/pre>3.2 启动驱动程序回调API<\/h3> IoRegisterBootDriverCallback<\/code>：注册启动驱动程序回调<\/li> IoUnRegisterBootDriverCallback<\/code>：注销启动驱动程序回调<\/li> <\/ul> 函数原型<\/strong>：<\/p> NTSTATUS IoRegisterBootDriverCallback<\/span>( <\/span><\/span> PIO_BOOT_DRIVER_CALLBACK CallbackFunction, <\/span><\/span> PVOID Context <\/span><\/span>); <\/span><\/span> <\/span><\/span>NTSTATUS IoUnRegisterBootDriverCallback<\/span>( <\/span><\/span> PIO_BOOT_DRIVER_CALLBACK CallbackFunction <\/span><\/span>); <\/span><\/span><\/code><\/pre>3.3 回调函数原型<\/h3> typedef<\/span> VOID<\/span> (*<\/span>EX_CALLBACK_FUNCTION)( <\/span><\/span> PVOID CallbackContext, <\/span><\/span> PVOID Argument1, <\/span><\/span> PVOID Argument2 <\/span><\/span>); <\/span><\/span><\/code><\/pre>4. ELAM回调类型<\/h2> 4.1 BdCbStatusUpdate<\/h3> 提供驱动程序依赖项或引导驱动程序加载的状态更新。<\/p> 数据结构<\/strong>：<\/p> typedef<\/span> struct<\/span> _BOOT_DRIVER_STATUS_UPDATE { <\/span><\/span> UNICODE_STRING DriverPath; \/\/ 当前驱动的路径 <\/span><\/span><\/span><\/span> NTSTATUS Status; \/\/ 加载状态 <\/span><\/span><\/span><\/span>} BOOT_DRIVER_STATUS_UPDATE, *<\/span>PBOOT_DRIVER_STATUS_UPDATE; <\/span><\/span><\/code><\/pre>4.2 BdCbInitializeImage<\/h3> 提供引导驱动程序的元数据，允许ELAM驱动对其进行分类。<\/p> 分类选项<\/strong>：<\/p> BootDriverGood<\/code>：信任并加载<\/li> BootDriverBad<\/code>：阻止加载<\/li> BootDriverUnknown<\/code>：未知状态，根据策略处理<\/li> <\/ul> 数据结构<\/strong>：<\/p> typedef<\/span> struct<\/span> _BOOT_DRIVER_INFO { <\/span><\/span> UNICODE_STRING FilePath; \/\/ 驱动程序文件路径 <\/span><\/span><\/span><\/span> PVOID ImageBase; \/\/ 内存中的基地址 <\/span><\/span><\/span><\/span> ULONG ImageSize; \/\/ 映像大小 <\/span><\/span><\/span><\/span> ULONG Classification; \/\/ 分类状态 <\/span><\/span><\/span><\/span>} BOOT_DRIVER_INFO, *<\/span>PBOOT_DRIVER_INFO; <\/span><\/span><\/code><\/pre>5. ELAM分类依据<\/h2> ELAM驱动程序只能基于以下有限数据对驱动程序映像进行分类：<\/p> 映像名称<\/li> 映像注册为引导驱动程序的注册表位置<\/li> 映像文件的证书发布者和所有者<\/li> 映像的散列值和对应的算法名称<\/li> 证书指纹和指纹算法的名称<\/li> <\/ol> 限制<\/strong>：无法访问硬件驱动器上的二进制映像文件，因为存储设备驱动程序栈尚未初始化。<\/p> 6. ELAM执行策略<\/h2> 策略注册表位置：<\/p> HKLM\System\CurrentControlSet\Control\EarlyLaunch\DriverLoadPolicy <\/code><\/pre> 策略选项：<\/p> 策略值名称<\/th> 策略值<\/th> 描述<\/th> <\/tr> <\/thead> PNP_INITIALIZE_DRIVERS_DEFAULT<\/td> 0x00<\/td> 仅加载已知为非恶意的驱动程序<\/td> <\/tr> PNP_INITIALIZE_UNKNOWN_DRIVERS<\/td> 0x01<\/td> 加载已知非恶意和未知的驱动程序<\/td> <\/tr> PNP_INITIALIZE_BAD_CRITICAL_DRIVERS<\/td> 0x03<\/td> 加载已知非恶意、未知和已知为恶意的关键驱动程序（默认设置）<\/td> <\/tr> PNP_INITIALIZE_BAD_DRIVERS<\/td> 0x07<\/td> 加载所有驱动程序<\/td> <\/tr> <\/tbody> <\/table> 默认策略分析<\/strong>：<\/p> 允许加载恶意的关键驱动程序<\/li> 确保系统关键组件能够启动<\/li> 牺牲部分安全性以提高系统可用性<\/li> <\/ul> 7. ELAM的局限性<\/h2> 7.1 对Bootkit无效<\/h3> ELAM只能监视合法加载的驱动程序<\/li> Bootkit使用未注册的操作系统功能加载内核模式驱动程序<\/li> Bootkit可以在ELAM加载前执行恶意代码<\/li> <\/ul> 7.2 初始化时机问题<\/h3> 大多数Bootkit在内核初始化期间加载代码<\/li> 在I\/O子系统、对象管理器等初始化后，ELAM执行前加载<\/li> <\/ul> 8. ELAM驱动开发示例<\/h2> 8.1 基本结构<\/h3> #include<\/span> <ntddk.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 上下文结构体 <\/span><\/span><\/span><\/span>typedef<\/span> struct<\/span> _ELAM_CONTEXT { <\/span><\/span> BOOLEAN AllowUnknownDrivers; \/\/ 策略:是否允许未知驱动 <\/span><\/span><\/span><\/span>} ELAM_CONTEXT, *<\/span>PELAM_CONTEXT; <\/span><\/span> <\/span><\/span>\/\/ 回调函数原型 <\/span><\/span><\/span><\/span>VOID ElamBootDriverCallback<\/span>(PVOID CallbackContext, PVOID Argument1, PVOID Argument2); <\/span><\/span> <\/span><\/span>\/\/ 上下文全局变量 <\/span><\/span><\/span><\/span>ELAM_CONTEXT g_ElamContext =<\/span> { TRUE }; \/\/ 默认允许未知驱动 <\/span><\/span><\/span><\/code><\/pre>8.2 DriverEntry实现<\/h3> NTSTATUS DriverEntry<\/span>(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { <\/span><\/span> NTSTATUS status; <\/span><\/span> <\/span><\/span> \/\/ 注册ELAM回调函数 <\/span><\/span><\/span><\/span> status =<\/span> IoRegisterBootDriverCallback(ElamBootDriverCallback, &<\/span>g_ElamContext); <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> KdPrint(("Failed to register ELAM callback. Status: 0x%x<\/span>\n<\/span>"<\/span>, status)); <\/span><\/span> return<\/span> status; <\/span><\/span> } <\/span><\/span> <\/span><\/span> KdPrint(("ELAM driver loaded successfully.<\/span>\n<\/span>"<\/span>)); <\/span><\/span> <\/span><\/span> \/\/ 设置驱动卸载函数 <\/span><\/span><\/span><\/span> DriverObject-><\/span>DriverUnload =<\/span> [](PDRIVER_OBJECT DriverObject) { <\/span><\/span> \/\/ 注销回调 <\/span><\/span><\/span><\/span> IoUnRegisterBootDriverCallback(ElamBootDriverCallback); <\/span><\/span> KdPrint(("ELAM driver unloaded.<\/span>\n<\/span>"<\/span>)); <\/span><\/span> }; <\/span><\/span> <\/span><\/span> return<\/span> STATUS_SUCCESS; <\/span><\/span>} <\/span><\/span><\/code><\/pre>8.3 回调函数实现<\/h3> VOID ElamBootDriverCallback<\/span>(PVOID CallbackContext, PVOID Argument1, PVOID Argument2) { <\/span><\/span> PELAM_CONTEXT pContext =<\/span> (PELAM_CONTEXT)CallbackContext; <\/span><\/span> <\/span><\/span> \/\/ 检查回调类型 <\/span><\/span><\/span><\/span> if<\/span> ((ULONG_PTR)Argument1 ==<\/span> BdCbInitializeImage) { <\/span><\/span> \/\/ 获取驱动信息 <\/span><\/span><\/span><\/span> PBOOT_DRIVER_INFO BootDriverInfo =<\/span> (PBOOT_DRIVER_INFO)Argument2; <\/span><\/span> <\/span><\/span> \/\/ 检查驱动路径 <\/span><\/span><\/span><\/span> if<\/span> (wcsstr(BootDriverInfo-><\/span>FilePath.Buffer, L<\/span>"TrustedDriver.sys"<\/span>)) { <\/span><\/span> BootDriverInfo-><\/span>Classification =<\/span> BootDriverGood; \/\/ 可信驱动 <\/span><\/span><\/span><\/span> KdPrint(("Driver %wZ classified as Good.<\/span>\n<\/span>"<\/span>, &<\/span>BootDriverInfo-><\/span>FilePath)); <\/span><\/span> } else<\/span> if<\/span> (pContext-><\/span>AllowUnknownDrivers) { <\/span><\/span> BootDriverInfo-><\/span>Classification =<\/span> BootDriverUnknown; \/\/ 未知驱动 <\/span><\/span><\/span><\/span> KdPrint(("Driver %wZ classified as Unknown.<\/span>\n<\/span>"<\/span>, &<\/span>BootDriverInfo-><\/span>FilePath)); <\/span><\/span> } else<\/span> { <\/span><\/span> BootDriverInfo-><\/span>Classification =<\/span> BootDriverBad; \/\/ 阻止加载 <\/span><\/span><\/span><\/span> KdPrint(("Driver %wZ classified as Bad.<\/span>\n<\/span>"<\/span>, &<\/span>BootDriverInfo-><\/span>FilePath)); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>9. 总结<\/h2> ELAM是Windows内核中重要的安全机制，通过：<\/p> 早期加载安全驱动程序<\/li> 监控和分类其他引导驱动程序<\/li> 阻止已知恶意驱动加载<\/li> <\/ol> 虽然对Rootkit有较好的防御效果，但对Bootkit攻击防护有限。开发者可以通过注册适当的回调函数来实现自定义的安全策略，增强系统安全性。<\/p>

策略值名称<\/th>	策略值<\/th>	描述<\/th> <\/tr> <\/thead>
PNP_INITIALIZE_DRIVERS_DEFAULT<\/td>	0x00<\/td>	仅加载已知为非恶意的驱动程序<\/td> <\/tr>
PNP_INITIALIZE_UNKNOWN_DRIVERS<\/td>	0x01<\/td>	加载已知非恶意和未知的驱动程序<\/td> <\/tr>
PNP_INITIALIZE_BAD_CRITICAL_DRIVERS<\/td>	0x03<\/td>	加载已知非恶意、未知和已知为恶意的关键驱动程序（默认设置）<\/td> <\/tr>
PNP_INITIALIZE_BAD_DRIVERS<\/td>	0x07<\/td>	加载所有驱动程序<\/td> <\/tr> <\/tbody> <\/table> 默认策略分析<\/strong>：<\/p> 允许加载恶意的关键驱动程序<\/li> 确保系统关键组件能够启动<\/li> 牺牲部分安全性以提高系统可用性<\/li> <\/ul> 7. ELAM的局限性<\/h2> 7.1 对Bootkit无效<\/h3> ELAM只能监视合法加载的驱动程序<\/li> Bootkit使用未注册的操作系统功能加载内核模式驱动程序<\/li> Bootkit可以在ELAM加载前执行恶意代码<\/li> <\/ul> 7.2 初始化时机问题<\/h3> 大多数Bootkit在内核初始化期间加载代码<\/li> 在I\/O子系统、对象管理器等初始化后，ELAM执行前加载<\/li> <\/ul> 8. ELAM驱动开发示例<\/h2> 8.1 基本结构<\/h3> #include<\/span> <ntddk.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 上下文结构体 <\/span><\/span><\/span><\/span>typedef<\/span> struct<\/span> _ELAM_CONTEXT { <\/span><\/span> BOOLEAN AllowUnknownDrivers; \/\/ 策略:是否允许未知驱动 <\/span><\/span><\/span><\/span>} ELAM_CONTEXT, *<\/span>PELAM_CONTEXT; <\/span><\/span> <\/span><\/span>\/\/ 回调函数原型 <\/span><\/span><\/span><\/span>VOID ElamBootDriverCallback<\/span>(PVOID CallbackContext, PVOID Argument1, PVOID Argument2); <\/span><\/span> <\/span><\/span>\/\/ 上下文全局变量 <\/span><\/span><\/span><\/span>ELAM_CONTEXT g_ElamContext =<\/span> { TRUE }; \/\/ 默认允许未知驱动 <\/span><\/span><\/span><\/code><\/pre>8.2 DriverEntry实现<\/h3> NTSTATUS DriverEntry<\/span>(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { <\/span><\/span> NTSTATUS status; <\/span><\/span> <\/span><\/span> \/\/ 注册ELAM回调函数 <\/span><\/span><\/span><\/span> status =<\/span> IoRegisterBootDriverCallback(ElamBootDriverCallback, &<\/span>g_ElamContext); <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> KdPrint(("Failed to register ELAM callback. Status: 0x%x<\/span>\n<\/span>"<\/span>, status)); <\/span><\/span> return<\/span> status; <\/span><\/span> } <\/span><\/span> <\/span><\/span> KdPrint(("ELAM driver loaded successfully.<\/span>\n<\/span>"<\/span>)); <\/span><\/span> <\/span><\/span> \/\/ 设置驱动卸载函数 <\/span><\/span><\/span><\/span> DriverObject-><\/span>DriverUnload =<\/span> [](PDRIVER_OBJECT DriverObject) { <\/span><\/span> \/\/ 注销回调 <\/span><\/span><\/span><\/span> IoUnRegisterBootDriverCallback(ElamBootDriverCallback); <\/span><\/span> KdPrint(("ELAM driver unloaded.<\/span>\n<\/span>"<\/span>)); <\/span><\/span> }; <\/span><\/span> <\/span><\/span> return<\/span> STATUS_SUCCESS; <\/span><\/span>} <\/span><\/span><\/code><\/pre>8.3 回调函数实现<\/h3> VOID ElamBootDriverCallback<\/span>(PVOID CallbackContext, PVOID Argument1, PVOID Argument2) { <\/span><\/span> PELAM_CONTEXT pContext =<\/span> (PELAM_CONTEXT)CallbackContext; <\/span><\/span> <\/span><\/span> \/\/ 检查回调类型 <\/span><\/span><\/span><\/span> if<\/span> ((ULONG_PTR)Argument1 ==<\/span> BdCbInitializeImage) { <\/span><\/span> \/\/ 获取驱动信息 <\/span><\/span><\/span><\/span> PBOOT_DRIVER_INFO BootDriverInfo =<\/span> (PBOOT_DRIVER_INFO)Argument2; <\/span><\/span> <\/span><\/span> \/\/ 检查驱动路径 <\/span><\/span><\/span><\/span> if<\/span> (wcsstr(BootDriverInfo-><\/span>FilePath.Buffer, L<\/span>"TrustedDriver.sys"<\/span>)) { <\/span><\/span> BootDriverInfo-><\/span>Classification =<\/span> BootDriverGood; \/\/ 可信驱动 <\/span><\/span><\/span><\/span> KdPrint(("Driver %wZ classified as Good.<\/span>\n<\/span>"<\/span>, &<\/span>BootDriverInfo-><\/span>FilePath)); <\/span><\/span> } else<\/span> if<\/span> (pContext-><\/span>AllowUnknownDrivers) { <\/span><\/span> BootDriverInfo-><\/span>Classification =<\/span> BootDriverUnknown; \/\/ 未知驱动 <\/span><\/span><\/span><\/span> KdPrint(("Driver %wZ classified as Unknown.<\/span>\n<\/span>"<\/span>, &<\/span>BootDriverInfo-><\/span>FilePath)); <\/span><\/span> } else<\/span> { <\/span><\/span> BootDriverInfo-><\/span>Classification =<\/span> BootDriverBad; \/\/ 阻止加载 <\/span><\/span><\/span><\/span> KdPrint(("Driver %wZ classified as Bad.<\/span>\n<\/span>"<\/span>, &<\/span>BootDriverInfo-><\/span>FilePath)); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>9. 总结<\/h2> ELAM是Windows内核中重要的安全机制，通过：<\/p> 早期加载安全驱动程序<\/li> 监控和分类其他引导驱动程序<\/li> 阻止已知恶意驱动加载<\/li> <\/ol> 虽然对Rootkit有较好的防御效果，但对Bootkit攻击防护有限。开发者可以通过注册适当的回调函数来实现自定义的安全策略，增强系统安全性。<\/p>

Windows内核安全机制：Early Launch Anti-Malware (ELAM) 深入解析<\/h1>

1. ELAM概述<\/h2> Early Launch Anti-Malware (ELAM)是Windows 8引入的一种内核安全机制，旨在防止恶意代码在内核地址空间中执行。该机制特别针对Rootkit攻击，使Rootkit更难破坏系统。<\/p>

2. ELAM工作原理<\/h2>

3. ELAM核心API<\/h2>

4. ELAM回调类型<\/h2>

7. ELAM的局限性<\/h2>

8. ELAM驱动开发示例<\/h2>

1. ELAM概述<\/h2>
Early Launch Anti-Malware (ELAM)是Windows 8引入的一种内核安全机制，旨在防止恶意代码在内核地址空间中执行。该机制特别针对Rootkit攻击，使Rootkit更难破坏系统。<\/p>