A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #29270  by EP_X0FF
 Mon Sep 26, 2016 7:43 am
Attached here for historical purposes. Itself signed backdoor driver allowing execution of code in kernel mode. Written in best tradition of old 200x chinese rootkits - when you are wondering not about what it is doing but why it is even working. Main drama here, IOCTL 0xAA013044, string deobfuscation code in sub_103AC, used to deobfuscate driver device name and symbolic link. No security checks present.
Code: Select all
signed __int64 __fastcall sub_10524(PVOID IOCTL_InputBuffer)
{
  signed __int64 result; 
  __int64 OldCR4Value; 
  void (__fastcall *CallbackFunc)(PVOID (__stdcall *)(PVOID)); 
  PVOID (__stdcall *FunctionParameter)(PVOID); 

  if ( *(IOCTL_InputBuffer - 1) == IOCTL_InputBuffer )
  {
    CallbackFunc = IOCTL_InputBuffer;
    FunctionParameter = MmGetSystemRoutineAddress;
    OldCR4Value = 0i64;
    DisableSMEP(&OldCR4Value);
    CallbackFunc(FunctionParameter);
    SetCR4Value();
    result = 1i64;
  }
  else
  {
    result = 0i64;
  }
  return result;
}
As you might already guessed this is part of game "defense-in-depth approach". Despite current hysteria about this issue, its nothing new and GameGuard/StarForce/Frost did much more damage to PC/OS in the past.
Attachments
pass: shitware
(6.64 KiB) Downloaded 42 times