To dump the ZeroAccess filesystem you first need to know the device name the rootkit has created; usually it starts with ACPI#PNP. Then you have to use the SCSI read function via IOCTL_SCSI_PASS_THROUGH_DIRECT to access the RC4-encrypted sectors of the filesystem.
Here are some tricks to find ZeroAccess in memory:
- kd> !object \global??
Object: e1004488 Type: (825d9418) Directory
ObjectHeader: e1004470 (old version)
HandleCount: 1 PointerCount: 139
Directory Object: e1001140 Name: GLOBAL??
Hash Address Type Name
---- ------- ---- ----
00 e13515f8 SymbolicLink NDIS
e140b2d8 SymbolicLink HID#Vid_0e0f&Pid_0003&MI_00#7&1b1a3d13&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}
e1407280 SymbolicLink DISPLAY1
...
...
...
e15e3cf0 SymbolicLink ACPI#PNP0501#2#{86e0d1e0-8089-11d0-9ce4-08003e301f73}
19 823e3a28 Device ACPI#PNP0303#2&da1a3ff&0
...
...
Look at the entry 823e3a28 Device ACPI#PNP0303#2&da1a3ff&0; this is what we are looking for.
Let's get the device object info:
- kd> dt _device_object 823e3a28
ntdll!_DEVICE_OBJECT
+0x000 Type : 3
+0x002 Size : 0xb8
+0x004 ReferenceCount : 329
+0x008 DriverObject : 0x8235e858 _DRIVER_OBJECT
+0x00c NextDevice : (null)
+0x010 AttachedDevice : (null)
+0x014 CurrentIrp : (null)
+0x018 Timer : (null)
+0x01c Flags : 0x840
+0x020 Characteristics : 0
+0x024 Vpb : (null)
+0x028 DeviceExtension : (null)
+0x02c DeviceType : 0x22
+0x030 StackSize : 10
+0x034 Queue : __unnamed
+0x05c AlignmentRequirement : 0
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : 0
+0x098 SecurityDescriptor : 0xe100b868
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : 0x1000
+0x0ae Spare1 : 0
+0x0b0 DeviceObjectExtension : 0x823e3ae0 _DEVOBJ_EXTENSION
+0x0b4 Reserved : (null)
And the driver object information:
- kd> dt -b _driver_object 0x8235e858
ntdll!_DRIVER_OBJECT
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : 0x823e3a28
+0x008 Flags : 0x12
+0x00c DriverStart : 0xf6ed9000
+0x010 DriverSize : 0x1f000
+0x014 DriverSection : 0x82309c08
+0x018 DriverExtension : 0x8235e900
+0x01c DriverName : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x024 HardwareDatabase : 0x8066e9d8
+0x028 FastIoDispatch : 0xf6ee6680
+0x02c DriverInit : 0xf6ee1eed
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction :
[00] 0xf6edf9d0
[01] 0xf6edf9d0
[02] 0xf6edf9d0
[03] 0xf6edf9d0
[04] 0xf6edf9d0
[05] 0xf6edf9d0
[06] 0xf6edf9d0
[07] 0xf6edf9d0
[08] 0xf6edf9d0
[09] 0xf6edf9d0
[10] 0xf6edf9d0
[11] 0xf6edf9d0
[12] 0xf6edf9d0
[13] 0xf6edf9d0
[14] 0xf6edf9d0
[15] 0xf6edf9d0
[16] 0xf6edf9d0
[17] 0xf6edf9d0
[18] 0xf6edf9d0
[19] 0xf6edf9d0
[20] 0xf6edf9d0
[21] 0xf6edf9d0
[22] 0xf6edf9d0
[23] 0xf6edf9d0
[24] 0xf6edf9d0
[25] 0xf6edf9d0
[26] 0xf6edf9d0
[27] 0xf6edf9d0
Check out the entry DriverName : _UNICODE_STRING "": it has no name.
DriverStart is 0xf6ed9000 and DriverSize is 0x1f000; use them if you wanna dump the rootkit driver.
To load the dump into IDA for further debugging, just rebase the image to f6ed9000 and adjust the raw entries in the section table to match the virtual entries, e.g. with an easy Python script or with petools.
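A minimal version of that "easy Python script", added here as an example and not the post's own code: it reads the section table of a memory-dumped PE, sets each section's raw pointer and raw size to its virtual address and size, writes the dump address into ImageBase, and makes FileAlignment equal SectionAlignment so a loader accepts the section-aligned raw offsets. The image it fixes is constructed inside the script (two sections with stale on-disk values) and is re-based to the post's DriverStart 0xf6ed9000; for the real driver you would feed it the DriverSize bytes dumped from DriverStart instead.

```python
"""Fix the headers of a PE image dumped from memory so that IDA maps it at its
original address.  Added example, not the post's own script.  In memory the
sections sit at their virtual addresses, so the on-disk file offsets in the
section table are wrong: set each section's raw offset/size to its virtual
offset/size, write the dump address into ImageBase, and let FileAlignment
equal SectionAlignment.  The sample image is constructed below with stale
on-disk values and re-based to the post's DriverStart, 0xf6ed9000."""
import struct

DOS_E_LFANEW = 0x3C
COFF_SIZE = 20
SECTION_SIZE = 40


def _pe_offsets(image):
    """Return (optional_header_offset, number_of_sections, optional_header_size)."""
    pe = struct.unpack_from("<I", image, DOS_E_LFANEW)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    return pe + 4 + COFF_SIZE, nsec, opt_size


def _image_base_field(image, opt):
    """(struct format, offset) of ImageBase for PE32 (0x10b) or PE32+ (0x20b)."""
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:
        return "<I", opt + 28
    if magic == 0x20B:
        return "<Q", opt + 24
    raise ValueError("unknown optional header magic 0x%x" % magic)


def image_base(image):
    opt, _, _ = _pe_offsets(image)
    fmt, off = _image_base_field(image, opt)
    return struct.unpack_from(fmt, image, off)[0]


def alignments(image):
    """(SectionAlignment, FileAlignment); both sit at optional+32/+36."""
    opt, _, _ = _pe_offsets(image)
    return struct.unpack_from("<II", image, opt + 32)


def section_layout(image):
    """[(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)]"""
    opt, nsec, opt_size = _pe_offsets(image)
    out = []
    for i in range(nsec):
        off = opt + opt_size + i * SECTION_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode()
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        out.append((name, vaddr, vsize, rptr, rsize))
    return out


def fix_dumped_pe(image, base):
    """Rewrite the headers of a memory-dumped PE so it loads at `base`."""
    img = bytearray(image)
    opt, nsec, opt_size = _pe_offsets(img)
    fmt, off = _image_base_field(img, opt)
    struct.pack_into(fmt, img, off, base)
    sect_align = struct.unpack_from("<I", img, opt + 32)[0]
    struct.pack_into("<I", img, opt + 36, sect_align)        # FileAlignment := SectionAlignment
    for i in range(nsec):
        sec = opt + opt_size + i * SECTION_SIZE
        vsize, vaddr = struct.unpack_from("<II", img, sec + 8)
        struct.pack_into("<II", img, sec + 16, vsize, vaddr)  # SizeOfRawData, PointerToRawData
    return bytes(img)


def build_sample_dump():
    """Constructed PE32 laid out like a memory dump: sections live at their
    virtual addresses while the section table still holds on-disk values."""
    sections = [(b".text", 0x1000, 0x1000, 0x400, 0x200),    # name, VA, VSize, RawPtr, RawSize
                (b".data", 0x2000, 0x800, 0x600, 0x200)]
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, DOS_E_LFANEW, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, len(sections))  # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)              # SizeOfOptionalHeader
    opt = 0x84 + COFF_SIZE
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32
    struct.pack_into("<I", img, opt + 28, 0x10000)             # stale on-disk ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    for i, (name, va, vs, rp, rs) in enumerate(sections):
        sec = opt + 0xE0 + i * SECTION_SIZE
        img[sec:sec + len(name)] = name
        struct.pack_into("<IIII", img, sec + 8, vs, va, rs, rp)
        img[va:va + 4] = b"\xcc" * 4                           # section bytes really are at VA
    return bytes(img)


if __name__ == "__main__":
    fixed = fix_dumped_pe(build_sample_dump(), 0xF6ED9000)
    print(hex(image_base(fixed)), section_layout(fixed))
```

The script only touches headers; the section bodies are left exactly where the dump put them, which is the whole point: once raw equals virtual, IDA reads each section from the file at the offset where memory had it.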
Next, check for suspicious thread entries.
- kd> !process 0 f system
PROCESS 825b4830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00ad7000 ObjectTable: e1000cc0 HandleCount: 273.
Image: System
VadRoot 825b3298 Vads 5 Clone 0 Private 3. Modified 5802. Locked 0.
DeviceMap e1004418
Token e10017e8
ElapsedTime 01:18:43.885
UserTime 00:00:00.000
KernelTime 00:00:16.484
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (60, 0, 345) (240KB, 0KB, 1380KB)
PeakWorkingSetSize 510
VirtualSize 1 Mb
PeakVirtualSize 2 Mb
PageFaultCount 6173
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 7
THREAD 825b45a8 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 READY
Not impersonating
DeviceMap e1004418
Owning Process 0 Image: <Unknown>
Attached Process 825b4830 Image: System
Wait Start TickCount 302300 Ticks: 19 (0:00:00:00.296)
Context Switch Count 6385
UserTime 00:00:00.000
KernelTime 00:00:06.875
Start Address nt!Phase1Initialization (0x80683528)
Stack Init f8ac2000 Current f8ac179c Base f8ac2000 Limit f8abf000 Call 0
Priority 0 BasePriority 0 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f8ac17b4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f8ac17c0 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
f8ac17f8 805187cf nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
f8ac1844 8068466d nt!MmZeroPageThread+0x61 (FPO: [0,6,0])
f8ac1dac 805c4a28 nt!Phase1Initialization+0x1145 (FPO: [1,342,0])
f8ac1ddc 80540fa2 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 nt!KiThreadStartup+0x16
...
...
...
THREAD 822f92d0 Cid 0004.0148 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
f6ee6954 Unknown
IRP List:
8230f5b0: (0006,0094) Flags: 00000030 Mdl: 00000000
82484f00: (0006,0094) Flags: 00000030 Mdl: 00000000
824cfec0: (0006,0094) Flags: 00000030 Mdl: 00000000
81d80f68: (0006,0094) Flags: 00000030 Mdl: 00000000
82387dd8: (0006,0094) Flags: 00000030 Mdl: 00000000
820b35d0: (0006,0094) Flags: 00000030 Mdl: 00000000
81e10ae0: (0006,0094) Flags: 00000030 Mdl: 00000000
82324268: (0006,0094) Flags: 00000030 Mdl: 00000000
82486df8: (0006,0094) Flags: 00000030 Mdl: 00000000
823e19b0: (0006,0094) Flags: 00000030 Mdl: 00000000
823eeaa8: (0006,0094) Flags: 00000030 Mdl: 00000000
824d7620: (0006,0094) Flags: 00000030 Mdl: 00000000
81d7af68: (0006,0094) Flags: 00000030 Mdl: 00000000
81d77f68: (0006,0094) Flags: 00000030 Mdl: 00000000
825660b8: (0006,0094) Flags: 00000030 Mdl: 00000000
8235fbd8: (0006,0094) Flags: 00000030 Mdl: 00000000
82458aa8: (0006,0094) Flags: 00000030 Mdl: 81e17b28
Not impersonating
DeviceMap e1004418
Owning Process 0 Image: <Unknown>
Attached Process 825b4830 Image: System
Wait Start TickCount 264949 Ticks: 37370 (0:00:09:43.906)
Context Switch Count 1105
UserTime 00:00:00.000
KernelTime 00:00:00.718
Start Address 0xf6ee1105
Stack Init f7a78000 Current f7a77d34 Base f7a78000 Limit f7a75000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr
f7a77d4c 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f7a77d58 804faf12 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f7a77d84 f6eddd8e nt!KeRemoveQueue+0x20e (FPO: [3,6,4])
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 0xf6eddd8e
The last entry "WARNING: Frame IP not in any known module" points to the rootkit area as well: 0xf6eddd8e lies inside the unnamed driver's range (DriverStart 0xf6ed9000, DriverSize 0x1f000).
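To turn the two tells above (a system thread whose Start Address resolves to no symbol, and a stack walk that leaves every known module) into a repeatable triage step, here is an added example that is not from the original post: it parses `!process 0 f` text and checks each flagged address against the unnamed driver's DriverStart/DriverSize from earlier. The sample text is a trimmed copy of the two thread blocks shown above; the record layout and field names are my own.

```python
"""Triage system threads from `!process 0 f` output.  Added example, not from
the original post.  A thread is flagged when its Start Address has no symbol
or when its stack contains frames outside any known module; each flagged
address is then tested against the unnamed driver's DriverStart/DriverSize."""
import re

# Constructed sample: the two THREAD blocks from the post, trimmed.
SAMPLE = """\
THREAD 825b45a8 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 READY
Not impersonating
Start Address nt!Phase1Initialization (0x80683528)
Stack Init f8ac2000 Current f8ac179c Base f8ac2000 Limit f8abf000 Call 0
ChildEBP RetAddr
f8ac17b4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f8ac1844 8068466d nt!MmZeroPageThread+0x61 (FPO: [0,6,0])
00000000 00000000 nt!KiThreadStartup+0x16
THREAD 822f92d0 Cid 0004.0148 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
f6ee6954 Unknown
Not impersonating
Start Address 0xf6ee1105
Stack Init f7a78000 Current f7a77d34 Base f7a78000 Limit f7a75000 Call 0
ChildEBP RetAddr
f7a77d4c 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f7a77d84 f6eddd8e nt!KeRemoveQueue+0x20e (FPO: [3,6,4])
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 0xf6eddd8e
"""

THREAD_RE = re.compile(r"^[ \t]*THREAD (?P<obj>[0-9a-f]{8}) Cid (?P<cid>[0-9a-f]{4}\.[0-9a-f]{4})", re.M)
START_RE = re.compile(r"Start Address (?:(?P<sym>[\w!+@]+) \()?0x(?P<addr>[0-9a-f]+)")
FRAME_RE = re.compile(r"^[ \t]*[0-9a-f]{8} [0-9a-f]{8} (?P<where>\S+)", re.M)


def parse_threads(text):
    """Split the debugger output into one record per THREAD block."""
    heads = list(THREAD_RE.finditer(text))
    threads = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        chunk = text[h.end():end]
        s = START_RE.search(chunk)
        # frames the debugger could not attribute to a module print as bare 0x... addresses
        unresolved = [int(f.group("where"), 16) for f in FRAME_RE.finditer(chunk)
                      if f.group("where").startswith("0x")]
        threads.append({
            "thread": h.group("obj"),
            "cid": h.group("cid"),
            "start": int(s.group("addr"), 16) if s else None,
            "start_symbol": s.group("sym") if s else None,
            "unresolved_frames": unresolved,
            "frame_warning": "Frame IP not in any known module" in chunk,
        })
    return threads


def in_driver(addr, drv_start, drv_size):
    return addr is not None and drv_start <= addr < drv_start + drv_size


def suspicious_threads(text, drv_start, drv_size):
    """Return the flagged threads, each annotated with whether its start address
    or an unresolved frame falls inside [drv_start, drv_start + drv_size)."""
    out = []
    for t in parse_threads(text):
        if t["start_symbol"] is None or t["frame_warning"] or t["unresolved_frames"]:
            t["in_driver"] = in_driver(t["start"], drv_start, drv_size) or any(
                in_driver(a, drv_start, drv_size) for a in t["unresolved_frames"])
            out.append(t)
    return out


if __name__ == "__main__":
    for t in suspicious_threads(SAMPLE, 0xF6ED9000, 0x1F000):
        print(t["thread"], t["cid"], hex(t["start"]), "in unnamed driver:", t["in_driver"])
```

On the post's dump this flags only thread 822f92d0: its start address 0xf6ee1105 and the unresolved frame 0xf6eddd8e both fall inside the 0x1f000 bytes starting at 0xf6ed9000, while the Phase1Initialization thread resolves cleanly and is left alone.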
Next, let's check the fake usermode ADS PE file of the rootkit, which is used as a trap process to fuck up security and AV software.
- kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 825b4830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00ad7000 ObjectTable: e1000cc0 HandleCount: 273.
Image: System
PROCESS 82428580 SessionId: none Cid: 017c Peb: 7ffdb000 ParentCid: 0004
DirBase: 07440020 ObjectTable: e12fd698 HandleCount: 21.
Image: smss.exe
PROCESS 8232ab10 SessionId: 0 Cid: 0258 Peb: 7ffdd000 ParentCid: 017c
DirBase: 07440040 ObjectTable: e146ea38 HandleCount: 340.
Image: csrss.exe
PROCESS 822af978 SessionId: 0 Cid: 0270 Peb: 7ffd4000 ParentCid: 017c
DirBase: 07440060 ObjectTable: e1465838 HandleCount: 450.
Image: winlogon.exe
...
...
...
PROCESS 8239aa78 SessionId: 0 Cid: 06b4 Peb: 7ffd9000 ParentCid: 029c
DirBase: 074402e0 ObjectTable: e1aa3dc8 HandleCount: 5.
Image: 1145096676:456572859.exe
...
...
Notice the file "1145096676:456572859.exe": the colon means the image lives in an NTFS alternate data stream.
Switch to this process context and get the start and end info if you wanna dump this shit.
- kd> .process /p /r 8239aa78
Implicit process is now 8239aa78
Loading User Symbols
...
kd> !dlls
0x00241ec0: C:\WINDOWS\1145096676:456572859.exe
Base 0x00400000 EntryPoint 0x00400210 Size 0x00000330
Flags 0x00005000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_LOAD_IN_PROGRESS
LDRP_ENTRY_PROCESSED
0x00241f18: C:\WINDOWS\system32\ntdll.dll
Base 0x7c910000 EntryPoint 0x7c923156 Size 0x000b7000
Flags 0x00084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
0x00241fc0: C:\WINDOWS\system32\kernel32.dll
Base 0x7c800000 EntryPoint 0x7c80b436 Size 0x00106000
Flags 0x00084004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
kd> db 0x400000 L330
00400000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
00400010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
00400020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00400030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
00400040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
00400050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
00400060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
00400070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
00400080 8b a1 28 c5 cf c0 46 96-cf c0 46 96 cf c0 46 96 ..(...F...F...F.
00400090 cf c0 47 96 cc c0 46 96-0c cf 1b 96 ca c0 46 96 ..G...F.......F.
004000a0 d1 92 d3 96 ce c0 46 96-c6 b8 d7 96 ce c0 46 96 ......F.......F.
004000b0 52 69 63 68 cf c0 46 96-00 00 00 00 00 00 00 00 Rich..F.........
004000c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
004000d0 50 45 00 00 4c 01 01 00-82 97 3e 4e 00 00 00 00 PE..L.....>N....
004000e0 00 00 00 00 e0 00 03 01-0b 01 09 00 40 01 00 00 ............@...
004000f0 00 00 00 00 00 00 00 00-10 02 00 00 f0 01 00 00 ................
00400100 30 03 00 00 00 00 40 00-10 00 00 00 10 00 00 00 0.....@.........
00400110 05 00 00 00 00 00 00 00-05 00 00 00 00 00 00 00 ................
00400120 30 03 00 00 f0 01 00 00-a2 a8 00 00 02 00 00 80 0...............
00400130 00 00 10 00 00 10 00 00-00 00 10 00 00 10 00 00 ................
00400140 00 00 00 00 10 00 00 00-00 00 00 00 00 00 00 00 ................
00400150 98 02 00 00 3c 00 00 00-00 00 00 00 00 00 00 00 ....<...........
00400160 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00400170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00400180 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00400190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
004001a0 00 00 00 00 00 00 00 00-f0 01 00 00 14 00 00 00 ................
004001b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
004001c0 00 00 00 00 00 00 00 00-2e 74 65 78 74 00 00 00 .........text...
004001d0 3c 01 00 00 f0 01 00 00-40 01 00 00 f0 01 00 00 <.......@.......
004001e0 00 00 00 00 00 00 00 00-00 00 00 00 20 00 00 60 ............ ..`
004001f0 a2 ca 81 7c 00 00 00 00-b8 e8 91 7c 82 d6 91 7c ...|.......|...|
00400200 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00400210 33 c0 50 50 68 00 00 40-00 6a 05 50 50 50 54 68 3.PPh..@.j.PPPTh
00400220 80 02 40 00 68 00 00 10-00 54 ff 15 fc 01 40 00 ..@.h....T....@.
00400230 ff 15 f8 01 40 00 ff 15-f0 01 40 00 5c 00 3f 00 ....@.....@.\.?.
00400240 3f 00 5c 00 41 00 43 00-50 00 49 00 23 00 50 00 ?.\.A.C.P.I.#.P.
00400250 4e 00 50 00 30 00 33 00-30 00 33 00 23 00 32 00 N.P.0.3.0.3.#.2.
00400260 26 00 64 00 61 00 31 00-61 00 33 00 66 00 66 00 &.d.a.1.a.3.f.f.
00400270 26 00 30 00 00 00 8b ff-38 00 3a 00 3c 02 40 00 &.0.....8.:.<.@.
00400280 18 00 00 00 00 00 00 00-78 02 40 00 40 00 00 00 ........x.@.@...
00400290 00 00 00 00 00 00 00 00-dc 02 00 00 00 00 00 00 ................
004002a0 00 00 00 00 06 03 00 00-f8 01 00 00 d4 02 00 00 ................
004002b0 00 00 00 00 00 00 00 00-1e 03 00 00 f0 01 00 00 ................
004002c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
004002d0 00 00 00 00 10 03 00 00-00 00 00 00 f8 02 00 00 ................
004002e0 e8 02 00 00 00 00 00 00-ec 03 5a 77 43 72 65 61 ..........ZwCrea
004002f0 74 65 46 69 6c 65 00 00-d6 04 5a 77 54 65 73 74 teFile....ZwTest
00400300 41 6c 65 72 74 00 6e 74-64 6c 6c 2e 64 6c 6c 00 Alert.ntdll.dll.
00400310 b9 00 45 78 69 74 50 72-6f 63 65 73 73 00 4b 45 ..ExitProcess.KE
00400320 52 4e 45 4c 33 32 2e 64-6c 6c 00 00 00 00 00 00 RNEL32.dll......
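As an added example that is not part of the original post, the script below turns the `db 0x400000 L330` output above back into bytes and triages the tiny PE without leaving the debugger transcript: it reads the entry point and section table, walks the import descriptors to name the imported functions, and scans for UNICODE_STRING structures whose Buffer points back into the image, which is how the rootkit's device path embedded in the binary shows up. The dump lines are copied from the post, with the DOS stub and all-zero lines left out since the reconstructed buffer starts zero-filled; the 4-byte alignment assumed for the UNICODE_STRING scan is my assumption.

```python
"""Rebuild the trap process image from the `db 0x400000 L330` transcript and
triage it: entry point, section table, imported functions and any
UNICODE_STRING that points at text inside the image.  Added example, not from
the original post; DUMP is copied from the post with the DOS stub and all-zero
lines omitted (the reconstructed buffer starts zero-filled)."""
import re
import struct

DUMP = r"""
00400000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
00400030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
004000d0 50 45 00 00 4c 01 01 00-82 97 3e 4e 00 00 00 00 PE..L.....>N....
004000e0 00 00 00 00 e0 00 03 01-0b 01 09 00 40 01 00 00 ............@...
004000f0 00 00 00 00 00 00 00 00-10 02 00 00 f0 01 00 00 ................
00400100 30 03 00 00 00 00 40 00-10 00 00 00 10 00 00 00 0.....@.........
00400150 98 02 00 00 3c 00 00 00-00 00 00 00 00 00 00 00 ....<...........
004001c0 00 00 00 00 00 00 00 00-2e 74 65 78 74 00 00 00 .........text...
004001d0 3c 01 00 00 f0 01 00 00-40 01 00 00 f0 01 00 00 <.......@.......
004001e0 00 00 00 00 00 00 00 00-00 00 00 00 20 00 00 60 ............ ..`
00400210 33 c0 50 50 68 00 00 40-00 6a 05 50 50 50 54 68 3.PPh..@.j.PPPTh
00400220 80 02 40 00 68 00 00 10-00 54 ff 15 fc 01 40 00 ..@.h....T....@.
00400230 ff 15 f8 01 40 00 ff 15-f0 01 40 00 5c 00 3f 00 ....@.....@.\.?.
00400240 3f 00 5c 00 41 00 43 00-50 00 49 00 23 00 50 00 ?.\.A.C.P.I.#.P.
00400250 4e 00 50 00 30 00 33 00-30 00 33 00 23 00 32 00 N.P.0.3.0.3.#.2.
00400260 26 00 64 00 61 00 31 00-61 00 33 00 66 00 66 00 &.d.a.1.a.3.f.f.
00400270 26 00 30 00 00 00 8b ff-38 00 3a 00 3c 02 40 00 &.0.....8.:.<.@.
00400280 18 00 00 00 00 00 00 00-78 02 40 00 40 00 00 00 ........x.@.@...
00400290 00 00 00 00 00 00 00 00-dc 02 00 00 00 00 00 00 ................
004002a0 00 00 00 00 06 03 00 00-f8 01 00 00 d4 02 00 00 ................
004002b0 00 00 00 00 00 00 00 00-1e 03 00 00 f0 01 00 00 ................
004002d0 00 00 00 00 10 03 00 00-00 00 00 00 f8 02 00 00 ................
004002e0 e8 02 00 00 00 00 00 00-ec 03 5a 77 43 72 65 61 ..........ZwCrea
004002f0 74 65 46 69 6c 65 00 00-d6 04 5a 77 54 65 73 74 teFile....ZwTest
00400300 41 6c 65 72 74 00 6e 74-64 6c 6c 2e 64 6c 6c 00 Alert.ntdll.dll.
00400310 b9 00 45 78 69 74 50 72-6f 63 65 73 73 00 4b 45 ..ExitProcess.KE
00400320 52 4e 45 4c 33 32 2e 64-6c 6c 00 00 00 00 00 00 RNEL32.dll......
"""

LINE_RE = re.compile(r"^([0-9a-f]{8})((?:[ -][0-9a-f]{2}){16})", re.M)


def parse_db(text, base, size):
    """Rebuild a zero-filled buffer of `size` bytes from `db` lines (sparse is fine)."""
    buf = bytearray(size)
    for addr, hexbytes in LINE_RE.findall(text):
        off = int(addr, 16) - base
        data = bytes.fromhex(hexbytes.replace("-", " "))
        buf[off:off + len(data)] = data
    return bytes(buf)


def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def triage(buf):
    """Entry point, sections and by-name imports of a PE32 image laid out by RVA."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, opt_size = struct.unpack_from("<H12xH", buf, pe + 6)
    opt = pe + 24                                            # optional header
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    imp_rva = struct.unpack_from("<I", buf, opt + 0x68)[0]   # DataDirectory[1] = imports
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        vsize, va = struct.unpack_from("<II", buf, off + 8)
        sections.append((buf[off:off + 8].rstrip(b"\0").decode(), va, vsize))
    imports, d = [], imp_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", buf, d)
        if name_rva == 0:
            break                                            # null descriptor ends the table
        dll, thunk = cstr(buf, name_rva), oft or ft
        while struct.unpack_from("<I", buf, thunk)[0]:
            name_ptr = struct.unpack_from("<I", buf, thunk)[0]
            if not name_ptr & 0x80000000:                    # by name: skip the 2-byte hint
                imports.append((dll, cstr(buf, name_ptr + 2)))
            thunk += 4
        d += 20
    return {"entry": image_base + entry, "sections": sections, "imports": imports}


def find_unicode_strings(buf, base):
    """(address, text) for every plausible UNICODE_STRING {Length, MaximumLength,
    Buffer} whose Buffer points at printable ASCII-range UTF-16LE inside the image."""
    found = []
    for off in range(0, len(buf) - 8, 4):                    # assumes 4-byte alignment
        length, maxlen, ptr = struct.unpack_from("<HHI", buf, off)
        start = ptr - base
        if not (0 < length <= maxlen and length % 2 == 0 and 0 <= start <= len(buf) - length):
            continue
        text = buf[start:start + length].decode("utf-16-le", "replace")
        if text.isascii() and text.isprintable():
            found.append((base + off, text))
    return found


IMAGE = parse_db(DUMP, 0x400000, 0x330)
REPORT = triage(IMAGE)
STRINGS = find_unicode_strings(IMAGE, 0x400000)

if __name__ == "__main__":
    print(hex(REPORT["entry"]), REPORT["sections"], REPORT["imports"], STRINGS)
```

The structure scan is deliberately stricter than a plain UTF-16 strings run: the `call` operand bytes just before the path would make a naive scan report a stray leading character, whereas requiring a consistent Length/MaximumLength/Buffer triple pins the string to the UNICODE_STRING at 0x400278 that the OBJECT_ATTRIBUTES at 0x400280 references.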