A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #104  by __Genius__
 Sun Mar 14, 2010 12:22 pm
I have been using the _DRIVER_DATA structure and walking the linked list (flink/blink) to hide my device driver once it is loaded in the kernel. The approach worked against non-kernel-level applications (like applications using EnumDeviceDriver()), but almost all of the robust kernel-mode rootkit detectors could still detect the hidden device driver. Could anyone explain any other method / data structure for hiding device drivers?

Any help is appreciated.
 #105  by EP_X0FF
 Sun Mar 14, 2010 12:53 pm
Hi,

Modern antirootkits use many ways; describing all of them is a little bit too much.

What kind of antirootkits have you tried? Perhaps knowing their names will help answer your question more accurately.
 #109  by __Genius__
 Sun Mar 14, 2010 2:47 pm
Hi EP, happy to see you here, buddy.
Well, for testing I used IceSword and Rootkit Unhooker; both of them marked my device as hidden and could show it.
To test whether it was working right or not, I wrote a little application that lists all device drivers on the system. I used the standard EnumDeviceDriver() function for this purpose.
The result was interesting.

This is the output when I omit my technique for driver hiding:
There are 138 drivers:
1: ntkrnlpa.exe
2: hal.dll
3: KDCOM.DLL
4: BOOTVID.dll
5: ACPI.sys
6: WMILIB.SYS
7: d347bus.sys
8: pci.sys
9: isapnp.sys
10: SCSIPORT.SYS
11: pciide.sys
12: PCIIDEX.SYS
13: MountMgr.sys
14: ftdisk.sys
15: dmload.sys
16: dmio.sys
17: PartMgr.sys
18: VolSnap.sys
19:          
20: d347prt.sys
21: disk.sys
22: CLASSPNP.SYS
23: fltMgr.sys
24: sr.sys
25: KSecDD.sys
26: Ntfs.sys
27: NDIS.sys
28: Mup.sys
29: intelppm.sys
30: nv4_mini.sys
31: VIDEOPRT.SYS
32: HDAudBus.sys
33: Rtenicxp.sys
34: usbuhci.sys
35: USBPORT.SYS
36: usbehci.sys
37: fdc.sys
38: serial.sys
39: serenum.sys
40: parport.sys
41: i8042prt.sys
42: kbdclass.sys
43: VMkbd.sys
44: imapi.sys
45: ElbyCDFL.sys
46: cdrom.sys
47: redbook.sys
48: ks.sys
49: audstub.sys
50: rasl2tp.sys
51: ndistapi.sys
52: ndiswan.sys
53: raspppoe.sys
54: raspptp.sys
55: TDI.SYS
56: psched.sys
57: msgpc.sys
58: ptilink.sys
59: raspti.sys
60: rdpdr.sys
61: termdd.sys
62: mouclass.sys
63: swenum.sys
64: update.sys
65: mssmbios.sys
66: vmnetadapter.sys
67: VMNET.SYS
68: NDProxy.SYS
69: RtkHDAud.sys
70: portcls.sys
71: drmk.sys
72: usbhub.sys
73: USBD.SYS
74: flpydisk.sys
75: Fs_Rec.SYS
76: Null.SYS
77: Beep.SYS
78: ehdrv.sys
79: vga.sys
80: mnmdd.SYS
81: RDPCDD.sys
82: Msfs.SYS
83: Npfs.SYS
84: rasacd.sys
85: ipsec.sys
86: tcpip.sys
87: ipnat.sys
88: netbt.sys
89: wanarp.sys
90: epfwtdir.sys
91: afd.sys
92: netbios.sys
93: rdbss.sys
94: ckldrv.sys
95: mrxsmb.sys
96: Fips.SYS
97: USBSTOR.SYS
98: usbprint.sys
99: Cdfs.SYS
100: hidusb.sys
101: HIDCLASS.SYS
102: HIDPARSE.SYS
103: mouhid.sys
104: Fastfat.SYS
105: dump_atapi.sys
106: dump_WMILIB.SYS
107: win32k.sys
108: Dxapi.sys
109: watchdog.sys
110: dxg.sys
111: dxgthk.sys
112: nv4_disp.dll
113: eamon.sys
114: ATMFD.DLL
115: vmnetbridge.sys
116: ndisuio.sys
117: mrxdav.sys
118: hcmon.sys
119: ParVdm.SYS
120: VMparport.sys
121: vmx86.sys
122: ElbyCDIO.sys
123: srv.sys
124: ACFSDK32.sys
125: NPF.sys
126: peg.sys
127: secdrv.sys
128: vmnetuserif.sys
129: wdmaud.sys
130: sysaudio.sys
131: vstor2.sys
132: vstor2-ws60.sys
133: HTTP.sys
134: IsDrv120.sys
135: Dbgv.sys
136: kmixer.sys
137: GhosR.sys
138: ntdll.dll
As you can see, number 137, GhosR.sys, can be seen, but when I load GhosR.sys (my device driver) with the driver-hiding technique implemented, the result is:
There are 137 drivers:
1: ntkrnlpa.exe
2: hal.dll
3: KDCOM.DLL
4: BOOTVID.dll
5: ACPI.sys
6: WMILIB.SYS
7: d347bus.sys
8: pci.sys
9: isapnp.sys
10: SCSIPORT.SYS
11: pciide.sys
12: PCIIDEX.SYS
13: MountMgr.sys
14: ftdisk.sys
15: dmload.sys
16: dmio.sys
17: PartMgr.sys
18: VolSnap.sys
19:          
20: d347prt.sys
21: disk.sys
22: CLASSPNP.SYS
23: fltMgr.sys
24: sr.sys
25: KSecDD.sys
26: Ntfs.sys
27: NDIS.sys
28: Mup.sys
29: intelppm.sys
30: nv4_mini.sys
31: VIDEOPRT.SYS
32: HDAudBus.sys
33: Rtenicxp.sys
34: usbuhci.sys
35: USBPORT.SYS
36: usbehci.sys
37: fdc.sys
38: serial.sys
39: serenum.sys
40: parport.sys
41: i8042prt.sys
42: kbdclass.sys
43: VMkbd.sys
44: imapi.sys
45: ElbyCDFL.sys
46: cdrom.sys
47: redbook.sys
48: ks.sys
49: audstub.sys
50: rasl2tp.sys
51: ndistapi.sys
52: ndiswan.sys
53: raspppoe.sys
54: raspptp.sys
55: TDI.SYS
56: psched.sys
57: msgpc.sys
58: ptilink.sys
59: raspti.sys
60: rdpdr.sys
61: termdd.sys
62: mouclass.sys
63: swenum.sys
64: update.sys
65: mssmbios.sys
66: vmnetadapter.sys
67: VMNET.SYS
68: NDProxy.SYS
69: RtkHDAud.sys
70: portcls.sys
71: drmk.sys
72: usbhub.sys
73: USBD.SYS
74: flpydisk.sys
75: Fs_Rec.SYS
76: Null.SYS
77: Beep.SYS
78: ehdrv.sys
79: vga.sys
80: mnmdd.SYS
81: RDPCDD.sys
82: Msfs.SYS
83: Npfs.SYS
84: rasacd.sys
85: ipsec.sys
86: tcpip.sys
87: ipnat.sys
88: netbt.sys
89: wanarp.sys
90: epfwtdir.sys
91: afd.sys
92: netbios.sys
93: rdbss.sys
94: ckldrv.sys
95: mrxsmb.sys
96: Fips.SYS
97: USBSTOR.SYS
98: usbprint.sys
99: Cdfs.SYS
100: hidusb.sys
101: HIDCLASS.SYS
102: HIDPARSE.SYS
103: mouhid.sys
104: Fastfat.SYS
105: dump_atapi.sys
106: dump_WMILIB.SYS
107: win32k.sys
108: Dxapi.sys
109: watchdog.sys
110: dxg.sys
111: dxgthk.sys
112: nv4_disp.dll
113: eamon.sys
114: ATMFD.DLL
115: vmnetbridge.sys
116: ndisuio.sys
117: mrxdav.sys
118: hcmon.sys
119: ParVdm.SYS
120: VMparport.sys
121: vmx86.sys
122: ElbyCDIO.sys
123: srv.sys
124: ACFSDK32.sys
125: NPF.sys
126: peg.sys
127: secdrv.sys
128: vmnetuserif.sys
129: wdmaud.sys
130: sysaudio.sys
131: vstor2.sys
132: vstor2-ws60.sys
133: HTTP.sys
134: IsDrv120.sys
135: Dbgv.sys
136: kmixer.sys
137: ntdll.dll
In the second list there's no entry named GhosR.sys; the result is interesting until a robust anti-rootkit is run.
I don't have good knowledge of Windows internals. Do you know any other data structure, or any other stealthy method, whether hook-based or not, for implementing this technique?

Thank you very much.
- Genius
 #110  by EP_X0FF
 Sun Mar 14, 2010 3:00 pm
Hi Spynet,
In the second list there's no entry named GhosR.sys; the result is interesting until a robust anti-rootkit is run.
EnumDeviceDriver queries its information through the NtQuerySystemInformation call.
NtQuerySystemInformation gets this info from the unexported kernel variable PsLoadedModulesList.

You have faked that list by relinking pointers. Definitely this is not enough to bypass antirootkits. Well, I suppose any average
antirootkit will find your driver, because it is still a driver. And even this is not all.

And since you are trying to get information on how to generally bypass antirootkits, you must understand that I simply can't help in this
case. We do not create malware here.

I can only suggest you google for Futo, rkdemo, perhaps phide_ex (if you have enough skills in RE), Unreal.A (comes with source code) and
use something from them. Some of the listed rootkits are available only as binary files, so you need to disassemble them. The Internet is full of
examples ;)

Regards.
 #118  by Alex
 Sun Mar 14, 2010 7:10 pm
You don't need to RE anti-rootkit software to figure out how they detect hidden kernel modules and their device/driver objects. Please follow this link: http://www.ntinternals.org/driver_detection_test.php This test should help you in your own research; at the bottom of the page you will also find links to publicly available rootkit samples.

Alex
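Added example (editor's note, not code from any poster in this thread): a portable C simulation of what EP_X0FF describes above, namely unlinking a module entry from a PsLoadedModulesList-style doubly linked list by relinking its neighbours, and of the kind of cross-view check that still finds the entry, which is why the detectors Alex points to and the tools Genius tried are not fooled by list walking alone. The LIST_ENTRY and MODULE_ENTRY layouts, the "pool" array standing in for nonpaged pool, and the module names and base addresses are simplified stand-ins invented for this example; they are not the real kernel structures and do not touch the kernel.

```c
/*
 * Simulation of DKOM list unlinking and a cross-view detector.
 * Hypothetical, simplified structures; nothing here runs in kernel mode.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Stand-in for a loaded-module entry (the real one carries many more fields). */
typedef struct _MODULE_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;
    const char *BaseDllName;
    uintptr_t   DllBase;
} MODULE_ENTRY;

#define MAX_MODULES 8

/* "Pool": every entry lives here whether or not it is still linked, mimicking
 * pool allocations that a memory scanner can see independently of the list. */
static MODULE_ENTRY g_pool[MAX_MODULES];
static size_t       g_pool_used;
static LIST_ENTRY   g_loaded_modules;   /* stand-in for PsLoadedModulesList */

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }

static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    LIST_ENTRY *last = h->Blink;
    e->Flink = h;   e->Blink = last;
    last->Flink = e; h->Blink = e;
}

/* Windows-style RemoveEntryList: the neighbours are pointed around the entry,
 * but the entry's own Flink/Blink are left dangling (the usual DKOM mistake). */
static void RemoveEntryList(LIST_ENTRY *e) {
    LIST_ENTRY *next = e->Flink, *prev = e->Blink;
    prev->Flink = next; next->Blink = prev;
}

static MODULE_ENTRY *load_module(const char *name, uintptr_t base) {
    if (g_pool_used >= MAX_MODULES) return NULL;
    MODULE_ENTRY *m = &g_pool[g_pool_used++];
    m->BaseDllName = name; m->DllBase = base;
    InsertTailList(&g_loaded_modules, &m->InLoadOrderLinks);
    return m;
}

/* The hiding step the original poster describes: relink the neighbours. */
static void hide_module(MODULE_ENTRY *m) { RemoveEntryList(&m->InLoadOrderLinks); }

/* View 1: walk the list, as NtQuerySystemInformation(SystemModuleInformation) does. */
static int list_walk_contains(const char *name) {
    for (LIST_ENTRY *p = g_loaded_modules.Flink; p != &g_loaded_modules; p = p->Flink) {
        MODULE_ENTRY *m = (MODULE_ENTRY *)((char *)p - offsetof(MODULE_ENTRY, InLoadOrderLinks));
        if (strcmp(m->BaseDllName, name) == 0) return 1;
    }
    return 0;
}

/* View 2: scan the pool and check link integrity. An entry whose neighbours
 * no longer point back at it has been unlinked: that is the hidden module. */
static int entry_is_orphaned(const MODULE_ENTRY *m) {
    const LIST_ENTRY *e = &m->InLoadOrderLinks;
    return e->Flink->Blink != e || e->Blink->Flink != e;
}

static int pool_scan_finds_hidden(const char *name) {
    for (size_t i = 0; i < g_pool_used; i++)
        if (strcmp(g_pool[i].BaseDllName, name) == 0 && entry_is_orphaned(&g_pool[i]))
            return 1;
    return 0;
}

/* Constructed scenario: three legitimate modules plus the hidden one. */
static MODULE_ENTRY *setup_scenario(void) {
    g_pool_used = 0;
    InitializeListHead(&g_loaded_modules);
    load_module("ntkrnlpa.exe", (uintptr_t)0x80400000u);
    load_module("hal.dll",      (uintptr_t)0x80700000u);
    MODULE_ENTRY *rk = load_module("GhosR.sys", (uintptr_t)0xf8a00000u);
    load_module("ntdll.dll",    (uintptr_t)0x7c900000u);
    hide_module(rk);
    return rk;
}

int main(void) {
    setup_scenario();
    printf("list walk sees GhosR.sys:  %d\n", list_walk_contains("GhosR.sys"));
    printf("pool scan flags GhosR.sys: %d\n", pool_scan_finds_hidden("GhosR.sys"));
    return 0;
}
```

The list walk (what EnumDeviceDrivers ultimately relies on) reports the hidden module as absent, while the pool scan flags it because its dangling Flink/Blink no longer agree with its neighbours. Real detectors combine this kind of integrity check with other views (pool tag scans, driver object and PE header searches), so hiding from one list is never sufficient on its own.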