[rootkitreader]

Hi,

I would like to start thread on best practises for unpacking rootkits.
Currently I'm trying to look at code of Mayachok.2 vbr rootkit.
My problem is how to unpack all parts of this rootkit. I mean get mbr, vbr and so on..
I'm not interested in taking unpacked code :)

~~~~~~~~
thanks!
~~~~~~~~

[rootkitreader]

Myabe some good tools would be helpful?!


~~~~~~~~
thanks!
~~~~~~~~

[EP_X0FF]

Myabe some good tools would be helpful?!

WinHex.

[rootkitreader]

EP_XOFF
thank you for your fast response.
Well I have question about WinHex is this tool (sorry I didn't downloaded it yet) user-mode or it is usermode and kernel-mode?
I'm asking about it because I'm wondering if it will always give you good look of mbr even if rootkit is hooked some functions so that it will return 'good' sectors always?
I've read that sinowal was doing this trick

[EP_X0FF]

It is handy user mode hex/disk/ram editor. For your task - Cidox - it is more than enough. Open disk and copy $Boot file for active partition, that is Cidox VBR. If you asking about universal solution for all known and possible new bootkits - such does not exists. Infect machine with bootkit and mount this infected HDD image/disk and then work with it with WinHex. If you need to debug MBR -> Bochs + IDA Pro is your friends.

[rootkitreader]

EP_XOFF!
Thank you so much for your tip here.

Well it seems that it is too hard for me since IDA (currently I'm using free edition) does not recognize the type of file and this make analysis of the code harder because code is not automatically disassembled.
I would appreciate if anyone could share with me already analysed/fully properly disassembled code of this $Boot file.
I'm posting my file to this thread.. ;(


~~~~~~~~
thanks!
~~~~~~~~

[EP_X0FF]

This is NTFS partition boot. You can read about it elsewhere, for example here http://bootmaster.filerecovery.biz/appnote3.html

[rootkitreader]

EP_XOFF!
Again I need to thank you for your help.
This link is really useful, but my problem is I want to understant code of bootkit and I have a $Boot file, but I don't have enough skill to simply properly disassembly this (Ida is treatnig this as sequence of bytes) and I need to deassembly this manually, which is very difficult to me, so if anybody could give me this code it could be great. I would like to know what exactly this bootkit code is doing, where is backuped original code, what kind of interrupts are hooked and so on...
Sorry, I understand that my expectations are maybe very big for this forum, but I know that here is so many big specialists that have done it many times...

~~~~~~~~
thanks!
~~~~~~~~

[EP_X0FF]

Open in IDA. Select boot code block - press Analyze selected area.

[rkhunter]

'C' - hot key for analyze selected area.