A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #11785  by osC7h
 Fri Feb 24, 2012 10:46 am
MASM code snippets for "Kernel Object Hijack" detection and removal..?
 #11789  by rkhunter
 Fri Feb 24, 2012 11:14 am
osC7h wrote:I need code examples, snippets for "Kernel Object Hijack" detection and removal...

TDL-infected driver detection and cleaning...
Take the dropper, infect a system, run an anti-rootkit, look at the results of the hijack...
 #11790  by osC7h
 Fri Feb 24, 2012 11:46 am
rkhunter wrote:
osC7h wrote:I need code examples, snippets for "Kernel Object Hijack" detection and removal...

TDL-infected driver detection and cleaning...
Take the dropper, infect a system, run an anti-rootkit, look at the results of the hijack...

I want to write a program (TDL-infected driver detect & clean) that finds the memory addresses shown in the picture.
Image

I want to develop hidden data / driver detection software...
 #11793  by rkhunter
 Fri Feb 24, 2012 1:20 pm
osC7h wrote: I want to write a program (TDL-infected driver detect & clean) that finds the memory addresses shown in the picture.
Well, consider these questions:

1. Have you analyzed TDL before?
2. Have you read the articles about it at http://www.kernelmode.info/forum/viewto ... t=19#p2289?
3. Have you written kernel mode code before?
4. Do you know how the disk I/O subsystem works?
 #11794  by osC7h
 Fri Feb 24, 2012 1:40 pm
rkhunter wrote:
osC7h wrote: I want to write a program (TDL-infected driver detect & clean) that finds the memory addresses shown in the picture.
Well, consider these questions:

1. Have you analyzed TDL before?
2. Have you read the articles about it at http://www.kernelmode.info/forum/viewto ... t=19#p2289?
3. Have you written kernel mode code before?
4. Do you know how the disk I/O subsystem works?
1. Yep.
2. I've looked before.
3. Yep, basic.
4. No. I just want to scan the memory addresses that appear in the picture; for that I want to write an exe and a driver. I don't want to do direct disk I/O...
For a start, this is very nice :)
 #11803  by Alex
 Sat Feb 25, 2012 8:38 am
Sorry for messing with your posts...

Here is a small log from livekd; it should help you understand this part of the storage chain:
0: kd> !devobj \Device\HardDisk0\DR0
Device object (89df1940) is for:
 DR0 \Driver\Disk DriverObject 89e31130
Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050
Vpb 89e132e0 Dacl e15c81fc DevExt 89df19f8 DevObjExt 89df1e58 Dope 89e534e0 
ExtensionFlags (0000000000)  
AttachedDevice (Upper) 89df2020 \Driver\PartMgr
AttachedTo (Lower) 89d25030 \Driver\atapi
Device queue is not busy.


0: kd> dd 89df19f8 L4
89df19f8  00000003 89df1940 89d25030 89df19f8


0: kd> !devobj 89d25030
Device object (89d25030) is for:
 IdeDeviceP1T0L0-e \Driver\atapi DriverObject 89d28960
Current Irp 00000000 RefCount 0 Type 00000007 Flags 00005050
Dacl e15c81fc DevExt 89d250e8 DevObjExt 89d25268 Dope 89e535e8 DevNode 89df3008 
ExtensionFlags (0000000000)  
AttachedDevice (Upper) 89df1940 \Driver\Disk
Device queue is not busy.


0: kd> !drvobj 89d28960 2
Driver object (89d28960) is for:
 \Driver\atapi
DriverEntry:   b9f279f7	atapi!GsDriverEntry
DriverStartIo: b9f19864	atapi!IdePortStartIo
DriverUnload:  b9f233d6	atapi!IdePortUnload
AddDevice:     b9f2147c	atapi!ChannelAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      b9f1c6f2	atapi!IdePortAlwaysStatusSuccessIrp
[01] IRP_MJ_CREATE_NAMED_PIPE           804f4562	nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       b9f1c6f2	atapi!IdePortAlwaysStatusSuccessIrp
[03] IRP_MJ_READ                        804f4562	nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       804f4562	nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           804f4562	nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             804f4562	nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    804f4562	nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      804f4562	nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               804f4562	nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    804f4562	nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      804f4562	nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           804f4562	nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         804f4562	nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              b9f1c712	atapi!IdePortDispatchDeviceControl
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     b9f18852	atapi!IdePortDispatch
[10] IRP_MJ_SHUTDOWN                    804f4562	nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                804f4562	nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     804f4562	nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             804f4562	nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              804f4562	nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                804f4562	nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       b9f1c73c	atapi!IdePortDispatchPower
[17] IRP_MJ_SYSTEM_CONTROL              b9f23336	atapi!IdePortDispatchSystemControl
[18] IRP_MJ_DEVICE_CHANGE               804f4562	nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 804f4562	nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   804f4562	nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         b9f23302	atapi!IdePortDispatchPnp
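The log above shows the two places where this part of the storage chain can be cross-checked: the disk FDO's device extension should name the same lower device that `!devobj` reports under AttachedTo (Lower), and every entry point in the atapi driver object should resolve into atapi itself (or to the nt!IopInvalidDeviceRequest filler). The script below is an added example, not code from this thread or from any poster: it runs those two checks over WinDbg/livekd text. The sample output is constructed from the posted log; the one line altered by hand (IRP_MJ_INTERNAL_DEVICE_CONTROL pointing at an address with no symbol) is a stand-in for a hooked dispatch pointer and is not from a real infection. It also assumes classpnp's COMMON_DEVICE_EXTENSION layout (Version, DeviceObject, LowerDeviceObject, PartitionZeroExtension), which is what the posted `dd` output shows.

```python
import re

# Constructed WinDbg/livekd output, modelled on the log posted above.  The
# IRP_MJ_INTERNAL_DEVICE_CONTROL line was altered by hand so that a dispatch
# pointer which resolves to no loaded module shows up; this is not output
# from a real infection.
DEVOBJ_DR0 = """\
Device object (89df1940) is for:
 DR0 \\Driver\\Disk DriverObject 89e31130
Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050
Vpb 89e132e0 Dacl e15c81fc DevExt 89df19f8 DevObjExt 89df1e58 Dope 89e534e0
AttachedDevice (Upper) 89df2020 \\Driver\\PartMgr
AttachedTo (Lower) 89d25030 \\Driver\\atapi
"""

# `dd <DevExt> L4` of the disk FDO.  Assumption: classpnp's COMMON_DEVICE_EXTENSION
# layout (Version, DeviceObject, LowerDeviceObject, PartitionZeroExtension),
# which is what the posted dump shows for XP-era disk.sys.
DEVEXT_DR0 = "89df19f8  00000003 89df1940 89d25030 89df19f8"

DRVOBJ_ATAPI = """\
Driver object (89d28960) is for:
 \\Driver\\atapi
DriverEntry:   b9f279f7\tatapi!GsDriverEntry
DriverStartIo: b9f19864\tatapi!IdePortStartIo
DriverUnload:  b9f233d6\tatapi!IdePortUnload
AddDevice:     b9f2147c\tatapi!ChannelAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      b9f1c6f2\tatapi!IdePortAlwaysStatusSuccessIrp
[03] IRP_MJ_READ                        804f4562\tnt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              b9f1c712\tatapi!IdePortDispatchDeviceControl
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     8a0b3c10\t8a0b3c10
[16] IRP_MJ_POWER                       b9f1c73c\tatapi!IdePortDispatchPower
"""

# One dispatch-table row ("[0e] IRP_MJ_... addr\tmodule!symbol") or one of the
# named entry points ("DriverStartIo: addr\tmodule!symbol").
ENTRY_RE = re.compile(
    r"^(?:\[[0-9a-f]{2}\]\s+(?P<name>IRP_MJ_\w+)"
    r"|(?P<field>DriverEntry|DriverStartIo|DriverUnload|AddDevice):)"
    r"\s+(?P<addr>[0-9a-fA-F]+)\s*(?P<sym>\S*)",
    re.M,
)


def check_driver_object(drvobj_text, allowed_modules=("nt",)):
    """Flag entry points that do not resolve into the driver's own image.

    Returns a list of (entry, address, reason).  An address with no
    module!symbol, or a symbol from a module outside the driver's image and
    the allow-list, is reported.  nt!IopInvalidDeviceRequest is the normal
    filler for unsupported IRP_MJ codes, hence "nt" is allowed by default.
    """
    m = re.search(r"^\s*\\Driver\\(\w+)\s*$", drvobj_text, re.M)
    if not m:
        raise ValueError("driver name not found in !drvobj output")
    own = m.group(1).lower()
    allowed = {own, *(a.lower() for a in allowed_modules)}
    findings = []
    for e in ENTRY_RE.finditer(drvobj_text):
        entry = e.group("name") or e.group("field")
        sym = e.group("sym")
        if "!" not in sym:
            findings.append((entry, e.group("addr"), "address does not resolve to any loaded module"))
            continue
        module = sym.split("!", 1)[0].lower()
        if module not in allowed:
            findings.append((entry, e.group("addr"), f"points into {module}, not {own}"))
    return findings


def check_lower_device(devobj_text, devext_dump):
    """Cross-check the disk FDO against its own device extension.

    DevExt.DeviceObject must be the object !devobj was run on, and
    DevExt.LowerDeviceObject must equal the AttachedTo (Lower) pointer.
    """
    hexnum = r"([0-9a-fA-F]+)"
    self_addr = re.search(r"Device object \(" + hexnum + r"\)", devobj_text).group(1)
    lower = re.search(r"AttachedTo \(Lower\) " + hexnum, devobj_text).group(1)
    dwords = devext_dump.split()[1:]            # drop the address column
    version, dev_obj, lower_dev = (int(x, 16) for x in dwords[:3])
    return {
        "version": version,
        "device_object_matches": dev_obj == int(self_addr, 16),
        "lower_device_matches": lower_dev == int(lower, 16),
    }


if __name__ == "__main__":
    for entry, addr, why in check_driver_object(DRVOBJ_ATAPI):
        print(f"{entry} -> {addr}: {why}")
    print(check_lower_device(DEVOBJ_DR0, DEVEXT_DR0))
```

The "own module only" rule needs an allow-list for drivers that legitimately dispatch into another image; disk.sys, for instance, routes most IRPs to routines exported by classpnp.sys, so for `!drvobj \Driver\Disk` you would pass `allowed_modules=("nt", "classpnp")`. Run the same commands on a clean and on an infected machine and compare the findings rather than trusting either in isolation.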
 #11806  by osC7h
 Sat Feb 25, 2012 10:42 am
Infected driver: intelide.sys
The infected code in the .rsrc section of intelide.sys is here...
Is this code in memory? Is there an example of a kernel-mode memory scan?
Image
 #11816  by Alex
 Sun Feb 26, 2012 9:04 am
Please correct me if I'm wrong, but I think you are going to "scan memory" to find a forged resource section, right? It isn't a good idea. Why not? Because the resource section can be restored by the rootkit (and it actually is), and the mapped image will look OK. You should rather check the storage stack for anomalies (try the windbg commands from the posted log on an infected machine) and then find a way to read the content of the real infected kernel module from disk, to compare it with the content returned by the rootkit. Doing such a cross view, you will be able to find the infected kernel module.
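The cross view described above needs two byte buffers of the same module, one obtained through the normal file API (which the rootkit can filter) and one read from the raw sectors underneath it, and a way to say which part differs. The following is an added example, not code from this thread or from any poster: it parses the PE section table of both views and reports the sections whose raw bytes disagree. How the raw on-disk copy is obtained (low-level disk reads plus NTFS parsing) is outside the snippet; both views here are constructed in place, with the "on disk" copy carrying a few patched bytes in .rsrc as a stand-in for injected code. `build_test_image` exists only to fabricate that input and produces a parseable, not loadable, PE.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def parse_sections(image):
    """Return {section name: (PointerToRawData, SizeOfRawData)} for a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                 # section table follows the optional header
    sections = {}
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        sections[name.rstrip(b"\0").decode("ascii")] = (raw_ptr, raw_size)
    return sections


def diff_sections(view_a, view_b):
    """Compare two views of the same module section by section.

    Returns the names of sections whose header or raw bytes differ, or the
    marker "<section table>" if the two views do not even agree on which
    sections exist (a header-level forgery).
    """
    sa, sb = parse_sections(view_a), parse_sections(view_b)
    if sa.keys() != sb.keys():
        return ["<section table>"]
    differing = []
    for name, (ptr, size) in sa.items():
        if sb[name] != (ptr, size) or view_a[ptr:ptr + size] != view_b[ptr:ptr + size]:
            differing.append(name)
    return differing


def build_test_image(sections):
    """Fabricate a minimal 32-bit PE from [(name, raw_bytes)] for this example.

    Constructed test input only: headers are mostly zero and the file is not
    loadable, but its section table is well formed (FileAlignment 0x200).
    """
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    table = e_lfanew + 4 + 20 + opt_size
    raw_base = (table + SECTION_HDR.size * len(sections) + align - 1) & ~(align - 1)
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    hdrs, body, ptr = b"", b"", raw_base
    for i, (name, data) in enumerate(sections):
        size = (len(data) + align - 1) & ~(align - 1)
        hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(data), 0x1000 * (i + 1),
                                 size, ptr, 0, 0, 0, 0, 0x40000040)
        body += data.ljust(size, b"\0")
        ptr += size
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_base, b"\0") + body


# Constructed views.  AS_RETURNED stands for what the rootkit hands back through
# the file API (clean-looking); ON_DISK is the same file with a few bytes of
# .rsrc replaced, standing in for the injected code in the real module.
AS_RETURNED = build_test_image([(".text", b"\x8b\xff\x55\x8b\xec" * 20),
                                (".rsrc", b"\x00" * 64)])
_rsrc_ptr, _ = parse_sections(AS_RETURNED)[".rsrc"]
_patched = bytearray(AS_RETURNED)
_patched[_rsrc_ptr:_rsrc_ptr + 8] = b"\xe9\x00\x10\x00\x00\x90\x90\x90"
ON_DISK = bytes(_patched)

if __name__ == "__main__":
    print("sections differing between views:", diff_sections(AS_RETURNED, ON_DISK))
```

When the second view is a kernel module dumped from memory rather than a file, compare section by section using VirtualAddress for the in-memory side and PointerToRawData for the file side, and expect legitimate differences in relocated pointers and in writable data sections; a difference confined to .rsrc, as in the case discussed in this thread, is the kind of result this check is meant to surface.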