[rkhunter]

In ring0 if you need read sectors, use SRB packets and IRP_MJ_SCSI request to disk port driver (the lowest level).
TDL has a lot of versions to counteract the low-level reading sectors. These methods have changed many times since the newly added detections. Look TDL history at corresponding topics. Moreover, each av-product solves this problem in its own way (from truly detection, ending heuristic methods).

[Tigzy]

Thanks for the pointers RKHunter ;)

What is SRB paquets? I can't find any reference on it on Google.
Do you have some documentation or maybe code snippets available?

EDIT: To send specific IRP request, my driver need to be filter driver? Or this can be done from any driver ?

[EP_X0FF]

Thanks for the pointers RKHunter ;)

What is SRB paquets? I can't find any reference on it on Google.
Do you have some documentation or maybe code snippets available?

http://msdn.microsoft.com/en-us/library ... s.85).aspx

for examples see WDK

[Tigzy]

Thanks EP_X0FF! :)

[Tigzy]

If I'm right, all I need to do is

- Create and allocate IRP with IoBuildDeviceIoControlRequest
- Send it down to the disk driver with IoCallDriver
- Get the IRP when returns and read it

Is this true?

[Tigzy]

Found something interesting as first approach : http://www.codeproject.com/KB/system/ra ... sg=3418718

EDIT: Not read, but sounds good : http://mirror.sweon.net/madchat/vxdevl/ ... ection.pdf
In fact, that website got lots of interesting docs: http://mirror.sweon.net/madchat/vxdevl/library/

[Vrtule]

There were leaked source code of an antirootkit tool some time ago. If I remember correctly, it was clone of IceSword and thee were also code responsible for low-level disk access. I can search my hard drive and upload the source, when I get home.

[EP_X0FF]

There were leaked source code of an antirootkit tool some time ago. If I remember correctly, it was clone of IceSword and thee were also code responsible for low-level disk access. I can search my hard drive and upload the source, when I get home.

It's KsBinSword IceSword clone.

http://www.kernelmode.info/forum/viewto ... word#p4052

[Tigzy]

Thank you all. Will check that code

[Tigzy]

Hello again.

Seems that little code works!
I guess this isn't powerful, but this is a beginning...

What about TLD? is it strong enough?

Code: Select all

void readSector()
{
	UNICODE_STRING	diskdevice;
	PFILE_OBJECT	pFileObj = NULL;
	PDEVICE_OBJECT	pDevObj  = NULL;
	PIRP			pIrp = NULL;
	IO_STATUS_BLOCK	ioStatus;
	NTSTATUS		status, returnStatus;
	LARGE_INTEGER	lDiskOffset;
	KEVENT			Event;
	CHAR			*sBuf; //Buffer
	SIZE_T			size = 512; //Sector size
	int 			i = 0;

	
	RtlInitUnicodeString(&diskdevice, L"\\Device\\Harddisk0\\DR0");
	
	// Get device object
	status = IoGetDeviceObjectPointer(&diskdevice, FILE_ALL_ACCESS, &pFileObj, &pDevObj);
	
	if (!NT_SUCCESS(status)) 
	{
		DbgPrint("IoGetDeviceObjectPointer Failed\n");
	} 
	
	else 
	{
		DbgPrint("IoGetDeviceObjectPointer Succceded");
		lDiskOffset.QuadPart = 0;
		
		// Allocate buffer
		sBuf = ExAllocatePool(NonPagedPool, size);		
		if (!sBuf) 
		{
			ObDereferenceObject(pFileObj);
			DbgPrint("Not enough ressources\n");
			return STATUS_INSUFFICIENT_RESOURCES;
		}
		
		KeInitializeEvent(&Event, NotificationEvent, FALSE);
		memset(sBuf, 'C', size);
		
		// Build IRP
		pIrp = IoBuildSynchronousFsdRequest(IRP_MJ_READ, pDevObj, sBuf, size, &lDiskOffset, &Event, &ioStatus);		
		if (!pIrp) 
		{
			ExFreePool(sBuf);
			ObDereferenceObject(pFileObj);		
			DbgPrint("Not enough ressources\n");			
			return STATUS_INSUFFICIENT_RESOURCES;
		}
		
		// Call disk driver
		status = IoCallDriver(pDevObj, pIrp);
		
		// Wait response
		if (status == STATUS_PENDING) 
		{
			DbgPrint("waiting response\n");
			returnStatus = KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE,	NULL);
			DbgPrint("Read status : 0x%x\n", returnStatus);

			// Print buffer
			for (i = 0 ; i < size ; i++)
			{
				DbgPrint("%c", sBuf[i]);
			}
			DbgPrint("\n");
			
			status = ioStatus.Status;
		}
		
		//--- Dereference PFile / free ressources
		ExFreePool(sBuf);
		ObDereferenceObject(pFileObj);
	}
}

mbrDumpGMER.png (20.17 KiB) Viewed 324 times

dumpWithMyCode.png (22.79 KiB) Viewed 324 times