W8.1/W10 Bootkit

Posted: Thu Jul 09, 2015 4:29 pm
by 0xffffffffffff
Hello,

I'm currently analysing the Rovnix Bootkit sourcecode. I'm wondering why it fails on W8.1 and W10 but works fine on XP-W8.
I've commented out quite a lot of the source code and it seems that it fails to start already in the VBR.

Any suggestions or ideas?

EDIT: No EFI/Secure Boot is used

Re: W8.1/W10 Bootkit

Posted: Fri Jul 10, 2015 4:08 am
by EP_X0FF
Purpose? Who needs this legacy stuff? There are no computers with 8.1/10 running with BIOS except masochists. And such a "tweak" is only needed for malicious purposes. Rovnix pack of crap code heavily depends on undocumented system structures including those used during boot (e.g. KeLoaderBlock->BootDriverListHead). Forget about this crap.

Re: W8.1/W10 Bootkit

Posted: Thu Sep 03, 2015 7:30 am
by rexor
EP_X0FF wrote: ... Rovnix pack of crap code heavily depends on undocumented system structures including those used during boot (e.g. KeLoaderBlock->BootDriverListHead). Forget about this crap.
Can you suggest something more contemporary for educational analysis purposes?

Re: W8.1/W10 Bootkit

Posted: Fri Sep 04, 2015 3:09 am
by EP_X0FF
rexor wrote:
EP_X0FF wrote: ... Rovnix pack of crap code heavily depends on undocumented system structures including those used during boot (e.g. KeLoaderBlock->BootDriverListHead). Forget about this crap.
Can you suggest something more contemporary for educational analysis purposes?
Windows Research Kernel source.

Re: W8.1/W10 Bootkit

Posted: Sun Sep 06, 2015 7:35 am
by rexor
EP_X0FF wrote:
rexor wrote:
EP_X0FF wrote: ... Rovnix pack of crap code heavily depends on undocumented system structures including those used during boot (e.g. KeLoaderBlock->BootDriverListHead). Forget about this crap.
Can you suggest something more contemporary for educational analysis purposes?
Windows Research Kernel source.
I agree with you regarding the source of knowledge, but the main difficulty is that in WRK there is too much information to process at once for a novice. On the other hand, if there is an example (rootkit) of the usage of such knowledge, then the education/study could IMO be more focused and productive and backed by the info in WRK.

So again, if you are stating that "Rovnix pack of crap" - do you have any example that is actually the opposite?

My main goals are to understand the current technological landscape/advances in the contemporary rootkit development through reversing/code analysis.

Re: W8.1/W10 Bootkit

Posted: Sun Sep 06, 2015 4:43 pm
by EP_X0FF
Nope, surprisingly all malware code I ever saw was a quickly coded package of bullshit. I've no idea why you want to learn about classical bootkits in 2015, when every new computer comes with EFI.

Re: W8.1/W10 Bootkit

Posted: Sun Sep 06, 2015 8:07 pm
by rexor
EP_X0FF wrote: Nope, surprisingly all malware code I ever saw was a quickly coded package of bullshit. I've no idea why you want to learn about classical bootkits in 2015, when every new computer comes with EFI.
I suppose this is already off-topic for this thread, and I'm too "young" to send PMs, so...

I'm interested in understanding various ways of subverting the OS in kernel land, as I do see a lot of similar stuff in user-mode malware families and kernel malware is relatively new for me. EFI is indeed really powerful stuff, but why create the whole rootkit in EFI? Even if we take HackingTeam for example, their use of EFI was only for persistence.

To summarize, I'm looking for something to start from as an introduction to the low-level OS world.

Re: W8.1/W10 Bootkit

Posted: Mon Sep 07, 2015 9:14 am
by Cr4sh
No one is going to leak any decent and well-coded malware source code to the public. If you're interested in learning about bootloaders, kernels and other low-level stuff -- check the WRK source code and open source implementations of EFI firmware (http://www.tianocore.org/edk2/ for example).

Re: W8.1/W10 Bootkit

Posted: Mon Sep 07, 2015 8:42 pm
by rexor
Cr4sh wrote: No one is going to leak any decent and well-coded malware source code to the public. If you're interested in learning about bootloaders, kernels and other low-level stuff -- check the WRK source code and open source implementations of EFI firmware (http://www.tianocore.org/edk2/ for example).

I never asked for source - malware families/samples/names are more than sufficient. All that I can understand from you guys is that there are no decent malware examples in public and all that is available is not worth looking into.

Thanks, topic closed.

Re: W8.1/W10 Bootkit

Posted: Tue Sep 08, 2015 6:03 pm
by Munsta
What if no one can detect those :P