A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #9957  by EP_X0FF
 Mon Nov 28, 2011 1:35 pm
Tigzy wrote: What about TDL? Is it strong enough?
Of course not.
 #9959  by EP_X0FF
 Mon Nov 28, 2011 2:00 pm
See the Malware forum for the latest TDL samples. Actually, the code you've posted will be filtered out even by the 4-year-old Sinowal bootkit. Read about TDL, play with a debugger, use alternative disk-reading methods or even an alternative MBR-reading approach. It is not impossible and can be done even without the bithacks/hooks/unhooking that are used, for example, in some AV removers. TDL does not filter everything. However, I think this is a waste of time, and such things can be 100% identified heuristically; this approach will work, as the TDL3 updates story showed: a basic detection kept working for TDL3's whole lifetime.
 #9960  by Tigzy
 Mon Nov 28, 2011 2:36 pm
I'll have a look at the TDL threads.
EP_X0FF wrote: However I think this is wasting of time and such things can be 100% identified heuristically
I'm not sure I understand, can you elaborate?
 #9961  by EP_X0FF
 Mon Nov 28, 2011 4:05 pm
Short answer: for example, by the TDL3/4 approach to filtering and by its KM/UM communication model. We are going off-topic here.
 #9967  by Alex
 Mon Nov 28, 2011 5:17 pm
Just saw TDL3 was hooking SCSI IRPs, so my method isn't deep enough...
Yes, it isn't.
3.27 bypassed SPTI-based detectors (TDSSRemover 1.6, the previous version of HitmanPro).
Therefore you can use other methods, like APTI or EPTI.
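The two-view comparison this exchange is about, as an added example that is not code from any poster or from any of the tools named in the thread: read sector 0 of the first disk once through the normal ReadFile path and once with a raw SCSI READ(10) sent via IOCTL_SCSI_PASS_THROUGH_DIRECT (SPTI), then diff the two views. A bootkit that filters only the upper read path shows a clean MBR to the first read and the real one to the second. It assumes `\\.\PhysicalDrive0` and an elevated console; the DEMO_* sectors are constructed sample data, not real disk contents. As the posts say, agreement between the views proves nothing once the filter sits at the SCSI IRP level, since both reads then pass through the same hook.

```c
/* Added example: compare the MBR as seen via ReadFile with the MBR as seen via
 * SPTI. The comparison helpers are portable; the disk access is Windows-only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE    512
#define MBR_TABLE_OFF  446   /* partition table starts here; boot code is before it */

/* 1 if the 0x55AA boot signature is present at the end of the sector. */
int mbr_has_signature(const uint8_t *sector)
{
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

/* Number of bytes at which the two 512-byte views differ. */
int mbr_diff(const uint8_t *a, const uint8_t *b)
{
    int n = 0;
    for (int i = 0; i < SECTOR_SIZE; i++) n += a[i] != b[i];
    return n;
}

/* Offset of the first mismatch, or -1 when the views are identical. */
int mbr_first_diff(const uint8_t *a, const uint8_t *b)
{
    for (int i = 0; i < SECTOR_SIZE; i++) if (a[i] != b[i]) return i;
    return -1;
}

/* Mismatches inside the boot-code area only. A bootkit usually swaps the code
 * and keeps the partition table intact, so this is the interesting count. */
int mbr_code_diff(const uint8_t *a, const uint8_t *b)
{
    int n = 0;
    for (int i = 0; i < MBR_TABLE_OFF; i++) n += a[i] != b[i];
    return n;
}

/* Constructed sample (NOT real disk data): a zeroed MBR carrying only the boot
 * signature, and a copy whose first two code bytes differ. */
static const uint8_t DEMO_CLEAN[SECTOR_SIZE] = { [510] = 0x55, [511] = 0xAA };
static const uint8_t DEMO_SEEN[SECTOR_SIZE]  = { 0xEB, 0x3C, [510] = 0x55, [511] = 0xAA };

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>

/* View 1: the ordinary path down the disk/class driver stack. */
static int read_mbr_readfile(HANDLE h, uint8_t *out)
{
    LARGE_INTEGER zero = { 0 };
    DWORD got = 0;
    if (!SetFilePointerEx(h, zero, NULL, FILE_BEGIN)) return 0;
    return ReadFile(h, out, SECTOR_SIZE, &got, NULL) && got == SECTOR_SIZE;
}

/* View 2: a raw READ(10) for LBA 0 handed to the port driver through SPTI.
 * 'out' must satisfy the adapter's alignment mask; page-aligned always does. */
static int read_mbr_spti(HANDLE h, uint8_t *out)
{
    SCSI_PASS_THROUGH_DIRECT sptd;
    DWORD ret = 0;
    memset(&sptd, 0, sizeof sptd);
    sptd.Length             = sizeof sptd;
    sptd.CdbLength          = 10;
    sptd.DataIn             = SCSI_IOCTL_DATA_IN;
    sptd.DataTransferLength = SECTOR_SIZE;
    sptd.TimeOutValue       = 5;
    sptd.DataBuffer         = out;
    sptd.Cdb[0] = 0x28;   /* READ(10); LBA in bytes 2..5 stays 0 */
    sptd.Cdb[8] = 1;      /* transfer length in bytes 7..8: one block */
    if (!DeviceIoControl(h, IOCTL_SCSI_PASS_THROUGH_DIRECT, &sptd, sizeof sptd,
                         &sptd, sizeof sptd, &ret, NULL))
        return 0;
    return sptd.ScsiStatus == 0;
}

int main(void)
{
    /* GENERIC_WRITE is required for pass-through even though only a read is sent. */
    HANDLE h = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) { fprintf(stderr, "open failed: %lu\n", GetLastError()); return 1; }
    uint8_t *a = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    uint8_t *b = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!a || !b || !read_mbr_readfile(h, a) || !read_mbr_spti(h, b)) {
        fprintf(stderr, "read failed: %lu\n", GetLastError()); return 1;
    }
    printf("ReadFile sig=%d SPTI sig=%d differing=%d first=%d in boot code=%d\n",
           mbr_has_signature(a), mbr_has_signature(b), mbr_diff(a, b),
           mbr_first_diff(a, b), mbr_code_diff(a, b));
    CloseHandle(h);
    return mbr_diff(a, b) != 0;   /* non-zero exit: the two views disagree */
}
#else
/* Off Windows there is no disk to read; exercise the helpers on the sample. */
int main(void)
{
    printf("constructed sample: differing=%d first=%d in boot code=%d\n",
           mbr_diff(DEMO_CLEAN, DEMO_SEEN), mbr_first_diff(DEMO_CLEAN, DEMO_SEEN),
           mbr_code_diff(DEMO_CLEAN, DEMO_SEEN));
    return 0;
}
#endif
```

A non-zero count from a real disk means the two paths do not see the same sector, which is worth investigating; a zero count only tells you that nothing between the class driver and the port driver is lying, which, per the 3.27 story above, is exactly the gap TDL3 closed.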
 #9979  by Dmitry Varshavsky
 Mon Nov 28, 2011 11:23 pm
The APTI interface was widely used in previous versions of Vba32 Antirootkit, and it was able to defeat all of the TDL3 family and the very first TDL4 samples. However, the latest TDL4 samples began to filter APTI requests, so now it's also not good enough. Moreover, the almost forgotten TDL2 uses IofCallDriver/IofCompleteRequest inline hooks, which are both very simple and powerful (but still have some black holes in the implementation which allow them to be bypassed easily).
So, APTI is a "yesterday" approach and SPTI is a "day before yesterday" solution. However, you *MUST* clearly understand how they work to implement something better.
As for direct IO, guys, it's not simple in/out calls that conquer the world. We started developing a direct hardware access library a few years ago and it's still far from a stable variant. Yes, it's universal, but at the same time it's a really hardware-dependent solution, even for "simple" IDE (we have hundreds(!!) of cases for different chipsets).
There are some cool ways to bypass filtering if you know the original addresses of the IRP handlers/StartIo routine. But obtaining them is also not trivial (btw, this functionality will be implemented soon in our ARK...).
 #9989  by rkhunter
 Tue Nov 29, 2011 9:38 am
AFAIK the first to use SPTI was the HitmanPro tool, but actually it was a bug in TDL3.