Unpacked driver in attach.
Simda obfuscator is somehow irritating as it multistaged. Drivers and dlls weren't updated since March 2011. The only thing they change is upper obfuscation layer.
1) original_rootkit_driver -> decrypt second stage procedures (implemeted as second native PE file), can be decrypted in user mode debugger. Or break in WinDbg at Simda driver entry and trace until "call eax"
decrypt algo at 1 stage
3) third stage is 2 native PE drivers and 2 dlls, it uses for injection purposes.
All stages in attach. For more info see http://www.microsoft.com/security/porta ... imda.gen!A
Simda obfuscator is somehow irritating as it multistaged. Drivers and dlls weren't updated since March 2011. The only thing they change is upper obfuscation layer.
1) original_rootkit_driver -> decrypt second stage procedures (implemeted as second native PE file), can be decrypted in user mode debugger. Or break in WinDbg at Simda driver entry and trace until "call eax"
decrypt algo at 1 stage
Code: Select all
2) second stage procedures -> custom decryption of payload container (seems RC4) -> aplib unpacking next (break on aplib unpacking routine and dump kernel memory it fills). key1 := $E34CAD83;
key2 := $54B14C88;
for i := 0 to BufferSize div sizeof(DWORD) do
begin
dwData := IntputPtr^ + key1;
OutputPtr^ := dwData;
key1 := key1 + key2;
key2 := key2 - $42BE4641;
inc(InputPtr);
inc(OutputPtr);
end;
3) third stage is 2 native PE drivers and 2 dlls, it uses for injection purposes.
All stages in attach. For more info see http://www.microsoft.com/security/porta ... imda.gen!A
Attachments
pass: infected
(319.97 KiB) Downloaded 90 times
(319.97 KiB) Downloaded 90 times
Ring0 - the source of inspiration