A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
#4633 by Alex
Sat Jan 22, 2011 11:42 am
Thanks Frank for the paper and for the info about all those scripts (also thanks to EreTIk) - I will check them all!

There are two things in this paper which are not clear to me:
- TDL4 rootkit hooks the ATAPI driver as well, but in a lower-level way than its predecessor

- As more and more tools were easily able to dump its files even from usermode via IOCTL_SCSI_PASS_THROUGH_DIRECT calls directly to the port device, TDL4 changed the hook method to DriverStartIO
- TDL3 in the 2.7 version also hooks DriverStartIo to bypass SPTI, so it isn't a new feature implemented in TDL4, is it?
- Hooking DriverStartIo doesn't prevent dumping the rootkit's files.

p.s. There is a mistake on the last page in the nickname of our friend.

Regards,
Alex
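An added example, not from the original post and not code from any of the tools it refers to: how a user-mode dumper reads raw sectors with IOCTL_SCSI_PASS_THROUGH_DIRECT, bypassing the file system and the class-driver read path that a MajorFunction hook filters. The READ(10) CDB builder and the sector comparison are portable; the DeviceIoControl part is guarded by `#ifdef _WIN32` and uses the real SCSI_PASS_THROUGH_DIRECT from ntddscsi.h. The device name, a 512-byte sector size, PathId/TargetId/Lun of 0 and the constructed sample buffers in `demo_hidden_sector_check` are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>
#endif

enum { SCSI_READ10 = 0x28, CDB10_LEN = 10, SECTOR_SIZE = 512 /* assumed */ };

/* Build a SCSI READ(10) CDB: opcode, 4-byte big-endian LBA at bytes 2..5,
 * 2-byte big-endian transfer length (in sectors) at bytes 7..8. */
static int build_read10_cdb(uint8_t cdb[16], uint32_t lba, uint16_t sectors)
{
    if (sectors == 0) return -1;          /* zero-length READ(10) is pointless */
    memset(cdb, 0, 16);
    cdb[0] = SCSI_READ10;
    cdb[2] = (uint8_t)(lba >> 24);
    cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);
    cdb[5] = (uint8_t)(lba);
    cdb[7] = (uint8_t)(sectors >> 8);
    cdb[8] = (uint8_t)(sectors);
    return 0;
}

/* Count sectors that differ between two reads of the same LBA range, e.g. one
 * obtained via SPTI and one via ReadFile on \\.\PhysicalDriveN. A non-zero
 * count means one of the two paths is being filtered. */
static size_t count_differing_sectors(const uint8_t *a, const uint8_t *b, size_t sectors)
{
    size_t diff = 0;
    for (size_t i = 0; i < sectors; i++)
        if (memcmp(a + i * SECTOR_SIZE, b + i * SECTOR_SIZE, SECTOR_SIZE) != 0)
            diff++;
    return diff;
}

/* Constructed sample: four sectors, where the "filtered" copy shows zeros in
 * sector 2 while the SPTI copy contains data. Returns the differing count. */
static size_t demo_hidden_sector_check(void)
{
    static uint8_t via_spti[4 * SECTOR_SIZE], via_readfile[4 * SECTOR_SIZE];
    memset(via_spti, 0, sizeof via_spti);
    memset(via_readfile, 0, sizeof via_readfile);
    memset(via_spti + 2 * SECTOR_SIZE, 0xAB, SECTOR_SIZE);  /* constructed "hidden" data */
    return count_differing_sectors(via_spti, via_readfile, 4);
}

#ifdef _WIN32
typedef struct {
    SCSI_PASS_THROUGH_DIRECT sptd;
    uint8_t sense[32];
} SPTD_WITH_SENSE;

/* Read `count` sectors at `lba` from `device` (e.g. "\\\\.\\PhysicalDrive0" or
 * the port device "\\\\.\\Scsi0:") through SPTI. Returns bytes read or -1. */
static long spti_read_sectors(const char *device, uint32_t lba, uint16_t count, uint8_t *out)
{
    uint8_t cdb[16];
    if (build_read10_cdb(cdb, lba, count) != 0) return -1;
    DWORD bytes = (DWORD)count * SECTOR_SIZE;
    HANDLE h = CreateFileA(device, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    /* DataBuffer must satisfy the adapter's alignment mask; a page is safe. */
    void *dma = VirtualAlloc(NULL, bytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!dma) { CloseHandle(h); return -1; }
    SPTD_WITH_SENSE req;
    memset(&req, 0, sizeof req);
    req.sptd.Length = sizeof(SCSI_PASS_THROUGH_DIRECT);
    req.sptd.CdbLength = CDB10_LEN;           /* PathId/TargetId/Lun = 0: assumed */
    req.sptd.SenseInfoLength = sizeof req.sense;
    req.sptd.DataIn = SCSI_IOCTL_DATA_IN;
    req.sptd.DataTransferLength = bytes;
    req.sptd.TimeOutValue = 10;
    req.sptd.DataBuffer = dma;
    req.sptd.SenseInfoOffset = (ULONG)offsetof(SPTD_WITH_SENSE, sense);
    memcpy(req.sptd.Cdb, cdb, CDB10_LEN);
    DWORD ret = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_SCSI_PASS_THROUGH_DIRECT, &req, sizeof req,
                              &req, sizeof req, &ret, NULL);
    long result = -1;
    if (ok && req.sptd.ScsiStatus == 0) {     /* SCSI GOOD status, data is valid */
        memcpy(out, dma, bytes);
        result = (long)bytes;
    }
    VirtualFree(dma, 0, MEM_RELEASE);
    CloseHandle(h);
    return result;
}
#endif
```

To use it against a live system, read the same LBA range once with `spti_read_sectors` and once with ReadFile on the physical drive, then feed both buffers to `count_differing_sectors`; sectors that only the SPTI path returns are the ones a read-path hook is hiding. When the target is the port device rather than a PhysicalDrive symlink, PathId/TargetId/Lun must be filled in from a prior SCSI address query.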