 #3327  by EP_X0FF
 Thu Nov 04, 2010 1:15 pm
Yes, it contains some antidebug code :)
If something is detected, it writes a simple self-deletion .bat file and exits. Otherwise it drops and loads the driver.

http://virscan.org/report/255c20d776515 ... d4306.html
c:\eclipse\botnet\drivers\Bin\i386\kernel.pdb
Driver contains detection of SoftIce and Wireshark by their drivers object names.

More fun strings from the driver.
opera.exe thebat.exe thunderbird.exe msimn.exe telnet.exe
IofCompleteRequest IofCallDriver IOFUNCS:
cs=%04x ss=%04x ds=%04x es=%04x fs=%04x gs=%04x efl=%08x
eip=%08x esp=%08x ebp=%08x
eax=%08x ebx=%08x ecx=%08x edx=%08x esi=%08x edi=%08x
CONTEXT: %08x
CALLSTACK:
EIP: %x
FILE: unknown+0x%x (%08x:%08x)
(%08x:%08x) +0x%x FILE: %ws
Kernel ver %u, OS: %s %u.%u-%u.%u
BugCheck %X, {%08x, %08x, %08x, %08x}
Made the test machine unbootable because of a BSOD infinite loop :)
Attachments
pass: malware
 #4034  by EP_X0FF
 Fri Dec 17, 2010 3:42 am
Hello,

The sample contains simple antidebug code.
%08x %08x %ws+0x%x (%08x:%08x) %08x unknown+0x%x (%08x:%08x) (0x%08X-->0x%08X) %02X %s: hwbcr IofCompleteRequest IofCallDriver IOFUNCS:
cs=%04x ss=%04x ds=%04x es=%04x fs=%04x gs=%04x efl=%08x
eip=%08x esp=%08x ebp=%08x
eax=%08x ebx=%08x ecx=%08x edx=%08x esi=%08x edi=%08x
CONTEXT: %08x
CALLSTACK:
EIP: %x
FILE: unknown+0x%x (%08x:%08x)
(%08x:%08x) +0x%x FILE: %ws
Kernel ver %u, OS: %s %u.%u-%u.%u
\SystemRoot\system32\drivers\.sys
\SystemRoot\system32\.sys
system32\drivers\
Filter
ErrorControl
Group
Start
Type
DisplayName
ImagePath
\Device\Harddisk0\DR0
\SystemRoot\Temp\.tmp
ZwDeleteFile ZwClose ZwCreateKey ZwOpenKey ZwDeleteKey ZwQueryValueKey ZwSetValueKey ZwDeleteValueKey ZwFlushKey ZwEnumerateKey ZwEnumerateValueKey ZwQueryInformationFile ZwReadFile ZwWriteFile ZwLoadDriver KdDebuggerEnabled
Microsoft Windows
Windows
CSDVersion
ProductName
\REGISTRY\MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
NameServer
DhcpNameServer
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
%u:TCP
%u:TCP:*:Enabled:System%02u
%u:UDP
%u:UDP:*:Enabled:System%02u
HTTP/1.1 200 Content-Type application/octet-stream Transfer-Encoding chunked
\Device\Tcp
\Device\Udp
\Driver\tdx
\Driver\Tcpip
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\
\SystemRoot\system32\drivers\.sys
gotolalaland.ru
trokokok.ru
POST /update.php HTTP/1.1
Accept: */*
Accept-Language: en
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Length:
Pragma: no-cache
Extracted driver attached
https://www.virustotal.com/file-scan/re ... 1292557375

edit:

Thread renamed to the actual malware name.
Attachments
pass: malware
Last edited by EP_X0FF on Fri Dec 17, 2010 10:45 am, edited 1 time in total. Reason: edit
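The GloballyOpenPorts\List strings in the dump above show the driver registering Windows Firewall exceptions with the template "%u:TCP:*:Enabled:System%02u". The checker below is an added example, not code from the sample or from this thread: it parses a constructed .reg export of that key and flags enabled entries whose display name follows that template (the key path and value format come from the strings; the export text and its ports are made up for the demonstration).

```python
import re

# Windows XP/2003 firewall key whose path appears in the driver's strings.
LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# Each value under that key is "<port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<name>".
ENTRY_RE = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<scope>[^:]+)"
                      r":(?P<state>Enabled|Disabled):(?P<name>.*)$")
# The driver's format string "%u:TCP:*:Enabled:System%02u" yields names like "System07".
FESTI_NAME_RE = re.compile(r"^System\d{2}$")
# A .reg value line looks like "139:TCP"="139:TCP:LocalSubNet:Enabled:..."
REG_VALUE_RE = re.compile(r'^"(?P<vname>[^"]+)"="(?P<data>[^"]*)"$')

def parse_entry(data):
    """Split one GloballyOpenPorts value into its fields, or return None if malformed."""
    m = ENTRY_RE.match(data)
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields

def scan_reg_export(text):
    """Return [(value_name, port, proto)] for enabled entries written in the sample's template."""
    hits = []
    in_list_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):            # key header: track whether we are in the List key
            in_list_key = line.strip("[]").lower() == LIST_KEY.lower()
            continue
        m = REG_VALUE_RE.match(line)
        if not (in_list_key and m):
            continue
        entry = parse_entry(m.group("data"))
        if entry and entry["state"] == "Enabled" and FESTI_NAME_RE.match(entry["name"]):
            hits.append((m.group("vname"), entry["port"], entry["proto"]))
    return hits

# Constructed .reg export: two stock XP SP2 entries plus two in the sample's format.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"25:TCP"="25:TCP:*:Enabled:System07"
"53:UDP"="53:UDP:*:Enabled:System07"
"""

if __name__ == "__main__":
    for vname, port, proto in scan_reg_export(SAMPLE_EXPORT):
        print(f"suspicious firewall exception {vname}: {proto} port {port} open to any remote host")
```

Only the display-name template is used as the trigger; an open scope of "*" on its own is not flagged because stock exceptions such as Remote Desktop use it too.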
 #6510  by cjbi
 Tue May 24, 2011 10:59 am
Information(s)
Festi: http://www.m86security.com/labs/spambot ... ticle=1359
Dropper: https://www.microsoft.com/security/port ... %2FFesti.C
Rootkit: https://www.microsoft.com/security/port ... %2fFesti.C

String(s)
zqlcwlabu1.sys wrote:
Driver\\NTICE
Driver\\npf
SystemRoot
sys
.cdata
hwbls
hwldi
hwsht
TransportAddress
ConnectionContext
\r\n\r\n
hwbcr
init
page
opera.exe
thebat.exe
thunderbird.exe
msimn.exe
telnet.exe
c:\eclipse\botnet\drivers\Bin\i386\kernel.pdb
%08x %ws+0x%x (%08x:%08x)
%08x unknown+0x%x (%08x:%08x)
(0x%08X-->0x%08X)
hwbcr
IofCompleteRequest
IofCallDriver
IOFUNCS:\r\n
cs=%04x ss=%04x ds=%04x es=%04x fs=%04x gs=%04x
eip=%08x esp=%08x ebp=%08x\r\n
eax=%08x ebx=%08x ecx=%08x edx=%08x esi=%08x edi=%08x\r\n
CONTEXT: %08x\r\n
CALLSTACK:\r\n
FILE: unknown+0x%x (%08x:%08x)
\r\nKernel ver %u, OS: %s %u.%u-%u.%u\r\n\r\n
BugCheck %X, {%08x, %08x, %08x, %08x}
.cdata
.com
CreateModule
DeleteModule
fDereferenceObject
ReferenceObjectByName
IoDriverObjectType
lInitUnicodeString
ExAllocatePoolWithTag
KeUnstackDetachProcess
StackAttachProcess
fCompleteRequest
PoCallDriver
PoStartNextPowerIrp
IoAttachDeviceToDeviceStack
ObfReferenceObject
GetRelatedDeviceObject
ReferenceObjectByHandle
IoGetCurrentProcess
ExFreePoolWithTag
_stricmp
KeGetCurrentThread
WaitForSingleObject
AllocateIrp
ClearEvent
FileObjectType
rcmp
strncat
QuerySystemInformation
KeServiceDescriptorTable
MmIsAddressValid
sprintf
BugCheckEx
GetVersion
BuildDeviceIoControlRequest
InitializeEvent
RtlFreeUnicodeString
RtlCompareUnicodeString
lCopyUnicodeString
GetSystemRoutineAddress
lFreeAnsiString
tlUnicodeStringToAnsiString
lQueryRegistryValues
IoRegisterShutdownNotification
SetPriorityThread
PsCreateSystemThread
RtlUnicodeStringToInteger
RtlTimeToTimeFields
RtlWriteRegistryValue
RtlCreateRegistryKey
swprintf
RtlDeleteRegistryValue
QueryNameString
SeSetAccessStateGenericMapping
lMapGenericMask
CreateAccessState
ObCreateObject
MmProbeAndLockPages
AllocateMdl
WaitForMultipleObjects
ResetEvent
NumberProcessors
_aulldiv
RtlAnsiStringToUnicodeString
RtlInitAnsiString
KeTickCount
ntoskrnl.exe
KeGetCurrentIrql
KfRaiseIrql
KfLowerIrql
KfReleaseSpinLock
KfAcquireSpinLock
HAL.dll
strncpy
csncpy
strlen
lCompareMemory
ReadFile
ZwWriteFile
QuerySystemTime
VirusTotal result(s)
Dropper: http://www.virustotal.com/file-scan/rep ... 1306232349
Rootkit: http://www.virustotal.com/file-scan/rep ... 1306232847
Attachments
pass: malware
 #13167  by EP_X0FF
 Sat May 12, 2012 1:02 am
That's a really old one. Posts moved.