A forum for reverse engineering, OS internals and malware analysis
Hi Metraton, how's your totally undetectable rootkit going? Do you feel more comfortable to share it now or is it still a secret? ;)
MetratonRK wrote:New version released (1.1.1)Olly still banned? Any reason?
Ring0 - the source of inspiration
USForce wrote:Hi Metraton, how's your totally undetectable rootkit going? Do you feel more comfortable to share it now or is it still a secret? ;)Hi USForce,
is not yet time to make public my POC, but soon I will :D
Unlock Wait object caused BSOD.
1: kd> .trap 0xffffffff976e1b30
ErrCode = 00000002
eax=0000001b ebx=0000001b ecx=53203c11 edx=00000000 esi=8bb0a750 edi=8bb0a810
eip=83ca11b9 esp=976e1ba4 ebp=976e1c18 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeWaitForSingleObject+0x27d:
0008:83ca11b9 f00fba2807 lock bts dword ptr [eax],7 ds:0023:0000001b=????????
1: kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
976e1c18 89ff9408 0000001b 00000000 00000000 nt!KeWaitForSingleObject+0x27d
WARNING: Frame IP not in any known module. Following frames may be wrong.
976e1c2c 9655c539 89ff9408 0000001b 00000000 0x89ff9408
976e1c9c 83ca46ae 89ff9408 0003017a 8bb0a750 NTBrain+0x4539
976e1cd8 83e6b6ed 83c08b01 00000000 83e6b6f2 nt!ExAcquireResourceExclusiveLite+0x1cf
976e1d00 967c8c5a 8b556148 9683ec5d 01dffe04 nt!NtDelayExecution+0x8d
976e1d08 9683ec5d 01dffe04 ffffffff 83c73c74 win32k!UserEnterUserCritSec+0xc
976e1d20 83c7d42a 0003017a 00000000 00000000 win32k!NtUserShowScrollBar+0xe
976e1d20 777764f4 0003017a 00000000 00000000 nt!KiFastCallEntry+0x12a
01dfff88 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
1: kd> .trap 0xffffffff976e1b30
ErrCode = 00000002
eax=0000001b ebx=0000001b ecx=53203c11 edx=00000000 esi=8bb0a750 edi=8bb0a810
eip=83ca11b9 esp=976e1ba4 ebp=976e1c18 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeWaitForSingleObject+0x27d:
0008:83ca11b9 f00fba2807 lock bts dword ptr [eax],7 ds:0023:0000001b=????????
1: kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
976e1c18 89ff9408 0000001b 00000000 00000000 nt!KeWaitForSingleObject+0x27d
WARNING: Frame IP not in any known module. Following frames may be wrong.
976e1c2c 9655c539 89ff9408 0000001b 00000000 0x89ff9408
976e1c9c 83ca46ae 89ff9408 0003017a 8bb0a750 NTBrain+0x4539
976e1cd8 83e6b6ed 83c08b01 00000000 83e6b6f2 nt!ExAcquireResourceExclusiveLite+0x1cf
976e1d00 967c8c5a 8b556148 9683ec5d 01dffe04 nt!NtDelayExecution+0x8d
976e1d08 9683ec5d 01dffe04 ffffffff 83c73c74 win32k!UserEnterUserCritSec+0xc
976e1d20 83c7d42a 0003017a 00000000 00000000 win32k!NtUserShowScrollBar+0xe
976e1d20 777764f4 0003017a 00000000 00000000 nt!KiFastCallEntry+0x12a
01dfff88 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
There seems to be some sort of bug. NTBrain locks VmWare virtual machine (XP SP3) while program startup right after NTBrain driver loading. Only hard reset is available.
Ring0 - the source of inspiration
liangtong wrote:Unlock Wait object caused BSOD.Hi liangtong,
1: kd> .trap 0xffffffff976e1b30
ErrCode = 00000002
eax=0000001b ebx=0000001b ecx=53203c11 edx=00000000 esi=8bb0a750 edi=8bb0a810
eip=83ca11b9 esp=976e1ba4 ebp=976e1c18 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeWaitForSingleObject+0x27d:
0008:83ca11b9 f00fba2807 lock bts dword ptr [eax],7 ds:0023:0000001b=????????
1: kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
976e1c18 89ff9408 0000001b 00000000 00000000 nt!KeWaitForSingleObject+0x27d
WARNING: Frame IP not in any known module. Following frames may be wrong.
976e1c2c 9655c539 89ff9408 0000001b 00000000 0x89ff9408
976e1c9c 83ca46ae 89ff9408 0003017a 8bb0a750 NTBrain+0x4539
976e1cd8 83e6b6ed 83c08b01 00000000 83e6b6f2 nt!ExAcquireResourceExclusiveLite+0x1cf
976e1d00 967c8c5a 8b556148 9683ec5d 01dffe04 nt!NtDelayExecution+0x8d
976e1d08 9683ec5d 01dffe04 ffffffff 83c73c74 win32k!UserEnterUserCritSec+0xc
976e1d20 83c7d42a 0003017a 00000000 00000000 win32k!NtUserShowScrollBar+0xe
976e1d20 777764f4 0003017a 00000000 00000000 nt!KiFastCallEntry+0x12a
01dfff88 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
Sometimes it may happen that the crash was due to the unwait of the particular system kernel thread, or for example (in my particular case) the unwait of a thread that waiting object name "\BasedNamedObjects\mixercallback" that cause BSOD, but if you send me your minidump I will ensure this. Which method you used to Unwait thread? it also happens with other Unwait methods? You have used "Unlock Thread [AppLevel]" ?
Thanks for reporting
Last edited by MetratonRK on Fri Jan 21, 2011 4:53 pm, edited 2 times in total.
EP_X0FF wrote:There seems to be some sort of bug. NTBrain locks VmWare virtual machine (XP SP3) while program startup right after NTBrain driver loading. Only hard reset is available.Hi EP,
is a known problem, in the next version will be solved. also happen on real pc?
Thanks for report
MetratonRK wrote:Hi,EP_X0FF wrote:There seems to be some sort of bug. NTBrain locks VmWare virtual machine (XP SP3) while program startup right after NTBrain driver loading. Only hard reset is available.Hi EP,
is a known problem, in the next version will be solved. also happen on real pc?
Thanks for report
no, I only noticed this on VmWare (2 CPU configuration). On VPC for example it works fine. Didn't tried it on VBox.
Regards.
Ring0 - the source of inspiration
EP_X0FF wrote: Hi,OK, thanks
no, I only noticed this on VmWare (2 CPU configuration). On VPC for example it works fine. Didn't tried it on VBox.
Regards.
Regards