A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #7302  by Dmitry Varshavsky
 Fri Jul 15, 2011 2:17 pm
Hi everybody,

I'm glad to present Vba32 AntiRootkit 3.12.5.4 beta build 293.

Download link is the same: http://anti-virus.by/en/beta.shtml

Change list:

+ Low-level operations with disk volumes. Support of MBR and GPT. Support of Microsoft/Veritas dynamic volumes (Simple, Spanned, Striped, Mirrored and RAID-5).


Despite the fact that dynamic volumes are quite rare, this is a great step forward in our low-level disk access library. As far as I know, there is no other anti-rootkit that provides this feature.

+ Boot sector verification feature. Detection, viewing, dumping and restoration of non-standard and forged loaders. Saving the primary boot sector in the HTML log.


This might be the most interesting feature of the build. Finally we are able to detect, view, dump and restore forged and non-standard boot loaders (that means we can fight many bootkits such as TDL4/Sinowal/Alipop/Rmnet/etc.). However, I'd like to point out that we are still using the "old" TDL3 detection code, which can be bypassed on some types of disk controllers. We are currently working in this direction and will provide you with some advanced techniques in the near future.

+ Added detection and restoration of abnormal Global Descriptor Table (GDT) entries

Usually used to provide access to privileged instructions from R3 code.

+ Increased the number of checked autorun items (LSA Providers, SubSystems\Windows, etc.)


In every build we increase the number of checked autorun items.

* Detection and restoration of IDT and SysEnter hooks were improved

The GDT selector offset and the IA32_SYSENTER_CS register are now taken into account. In the previous builds the GDT selector offset was considered null, which is not right. Unfortunately, most arkit tools have the same bug.

* Safe closure of protected handles (CloseHandle)

Serious bug indeed. Thanks to STRELiTZIA.

* Checking standard Windows Firewall rules

* Overall robustness of the antirootkit was improved

* Help in Russian was improved


Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports and kernel dumps are very welcome!
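Two of the checks listed in this build, flagging an abnormal GDT entry that hands R3 code a path into privileged code, and resolving the SysEnter target with the base of the segment named by IA32_SYSENTER_CS instead of assuming that base is null, as an added example in C that is not Vba32 code. The GDT descriptors below are constructed; on a real system a driver would read the table via SGDT.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed 4-entry GDT (not from a real system); each 8-byte descriptor is
 * the little-endian uint64 value a driver would read from memory. */
static const uint64_t sample_gdt[] = {
    0x0000000000000000ULL, /* 0x00: null descriptor                          */
    0x00CF9A000000FFFFULL, /* 0x08: flat ring-0 code segment, base 0         */
    0x80CF9A400000FFFFULL, /* 0x10: ring-0 code segment, base 0x80400000     */
    0x8050EC0000081234ULL, /* 0x18: 32-bit call gate, DPL 3 -> selector 0x08 */
};
#define SAMPLE_GDT_ENTRIES (sizeof sample_gdt / sizeof sample_gdt[0])

/* Segment base: bits 16..39 hold base[23:0], bits 56..63 hold base[31:24]. */
uint32_t gdt_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xFFFFFFu) | (uint32_t)((d >> 56) & 0xFFu) << 24;
}

/* SYSENTER lands at CS.base + IA32_SYSENTER_EIP with CS = IA32_SYSENTER_CS.
 * Assuming base 0 (the bug the post mentions) mislocates a handler in a
 * non-flat segment. Returns false for a null, out-of-range or absent entry. */
bool sysenter_target(const uint64_t *gdt, size_t n, uint32_t sysenter_cs,
                     uint32_t sysenter_eip, uint32_t *target)
{
    size_t idx = (sysenter_cs >> 3) & 0x1FFF;            /* strip TI and RPL */
    if (idx == 0 || idx >= n || !((gdt[idx] >> 47) & 1)) /* P bit clear */
        return false;
    *target = gdt_base(gdt[idx]) + sysenter_eip;
    return true;
}

/* Abnormal entry: a present 32-bit call gate (S=0, type 0xC) with DPL 3,
 * which ring-3 code may CALL through to reach a ring-0 code segment. */
bool gdt_entry_is_ring3_call_gate(uint64_t d)
{
    unsigned s_and_type = (d >> 40) & 0x1F;              /* S bit 44, type 40..43 */
    return ((d >> 47) & 1) && ((d >> 45) & 3) == 3 && s_and_type == 0x0C;
}

/* Count ring-3 call gates in a table (entry 0 is always the null descriptor). */
int scan_gdt(const uint64_t *gdt, size_t n)
{
    int hits = 0;
    for (size_t i = 1; i < n; i++)
        hits += gdt_entry_is_ring3_call_gate(gdt[i]);
    return hits;
}
```

For the constructed table, selector 0x10 with IA32_SYSENTER_EIP = 0x1000 resolves to 0x80401000, whereas the base-0 assumption would report 0x1000, and the scan flags exactly one entry (0x18).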
 #7316  by Dmitry Varshavsky
 Sat Jul 16, 2011 7:41 am
Eric_71 wrote:Hi,

I can't test, BSOD (XP SP3, latest TDL4 installed).
Hi Eric,
I can't analyze your minidump currently, I don't have access to our symbol store on the weekend. But let me guess. Are you using VirtualBox? If yes, it's a known issue. This BSOD is not present on most real machines. You can also try Virtual PC to test.
As I said before, we are preparing some new code to perform low-level disk access, so this problem will be solved in the near future.
This also applies to the bug when Shadow Defender is in Shadow mode. Shadow Defender detects our attempt to access the disk directly and calls the HalReturnToFirmware routine to prevent it.
Sorry for the inconvenience.
 #7326  by Dmitry Varshavsky
 Sat Jul 16, 2011 3:09 pm
Eric_71 wrote:Hi,
"Are you using VirtualBox?"
No, real machine without antivirus or other software, just TDL4.
Eric, thanks for your interest. Could you please send us a kernel dump to investigate this issue? Minidumps are almost useless.
 #7333  by STRELiTZIA
 Sat Jul 16, 2011 5:59 pm
Hi,

BSoD: PAGE_FAULT_IN_NONPAGED_AREA
Steps:
1. Settings -> Extended Driver -> Install -> restart system.
2. Now go to: Tools -> Process Manager -> BSoD.
Tested on Win XP SP3 (updated) & VMware.

Regards.
 #7336  by Dmitry Varshavsky
 Sat Jul 16, 2011 7:45 pm
STRELiTZIA wrote:Hi,

BSoD: PAGE_FAULT_IN_NONPAGED_AREA
Steps:
1. Settings -> Extended Driver -> Install -> restart system.
2. Now go to: Tools -> Process Manager -> BSoD.
Tested on Win XP SP3 (updated) & VMware.

Regards.
Heh, I was waiting for another BSOD from you, btw :lol:
Installation of the extended driver sets the FLG_MAINTAIN_OBJECT_TYPELIST global flag, and after reboot arkit is able to get the kernel object list by calling the unexported ntoskrnl.exe!ObGetObjectList function (as an additional method). However, this approach is a little bit buggy (for a couple of reasons) and could sometimes lead to a BSOD. I decided to remove this "feature" in the next beta. Anyway, thanks a lot for your interest in our product!
 #7383  by Dmitry Varshavsky
 Mon Jul 18, 2011 4:41 pm
I can confirm that we have problems with the latest TDL4 samples. We faced the same problem as the US immigration department: somehow only early samples hit the testing list. We apologize for the inconvenience. This problem will be fixed in the next beta.