Friday, March 23, 2012

Malware Analysis Tutorial 22: IRP Handler and Infected Disk Driver

Learning Goals:
  1. Use WinDbg for kernel debugging
  2. Understand basic inner working of disk driver
  3. Understand virtual hidden drive creation
  4. Reverse engineering Max++ driver infection technique
Applicable to:
  1. Operating Systems
  2. Assembly Language
  3. Operating System Security
1. Introduction
This tutorial continues the analysis presented in Tutorial 20. We reveal how Max++ uses a modified disk driver to handle I/O requests on the disk it created (its name is "\\?\C2CAD..."). Recall that in Section 4.2.3 we showed that Max++ creates a new I/O device and hooks it to the malicious driver object, so that whenever an I/O request is raised on this device the request is forwarded to the driver object at 8112d550, as shown below. Pay attention to the value of MajorFunction (0xfae56bde): this is where I/O requests are handled. Once we have the module base address, we can easily calculate its offset: _+2BDE.

kd> dt _DRIVER_OBJECT 8112d550
nt!_DRIVER_OBJECT
   +0x000 Type             : 0n4
  ...
   +0x02c DriverInit       : 0xfae4772b     long  +0
   +0x030 DriverStartIo    : (null)
   +0x034 DriverUnload     : (null)
   +0x038 MajorFunction    : [28] 0xfae56bde     long  +0



To replicate the experiments of this tutorial, follow the instructions in Section 2 of Tutorial 20. In this tutorial we analyze the code of raspppoe.sys starting at _+2BDE (0x10002BDE).

2. Lab Configuration
In general we follow the instructions of Section 2 of Tutorial 20. In the following we just remind you of several important steps in the configuration:
(1) You need a separate image named "Win_Notes" to record and comment on the code. You don't really need to run the malware on this instance; it is only there to record all your observations in the .udd file. To do this, you have to modify the control flow of IMM so that it does not crash on .sys files. See Section 2 of Tutorial 20 for details. Jump to 0x10002BDE to start the analysis.
(2) The second image, "Win_DEBUG", has to be run in DEBUG mode, with WinDbg attached from the host system over the COM port -- so here we are doing kernel debugging.
(3) Set a breakpoint "bu _+2BDE" in WinDbg to intercept the driver's IRP handler function.

3. Background: Windows Driver Development
Opferman provides an excellent introduction and sample code in [1]. In the following, we summarize the major points.

(1) Each driver has a driver entry function, its prototype is shown below:

NTSTATUS DriverEntry(PDRIVER_OBJECT pDrv, PUNICODE_STRING reg)

Here pDrv is a pointer to _DRIVER_OBJECT, and reg is a string that represents the registry entry where the driver could store information.

As we showed earlier in Tutorial 20, the DriverEntry function is located at _+372b.

(2) Each driver may have a collection of 28 functions to handle different types of I/O requests (such as close handle, read, write, etc.). The IRP function codes can be found at [2] (typical ones are IRP_MJ_CREATE and IRP_MJ_READ).

You might wonder, do we have to set breakpoints on all of the 28 functions? The answer is YES and NO. Look at the following dump (combined with the dump in section 1).

kd> dd 8112d550
8112d550  00a80004 81210030 00000002 fae54000
8112d560  00008000 ffbd7d80 8112d5f8 001a001a
8112d570  e1389208 8068fa90 00000000 fae5772b
8112d580  00000000 00000000 fae56bde fae56bde
8112d590  fae56bde fae56bde fae56bde fae56bde
8112d5a0  fae56bde fae56bde fae56bde fae56bde
8112d5b0  fae56bde fae56bde fae56bde fae56bde
8112d5c0  fae56bde fae56bde fae56bde fae56bde


At offset 0x38 of the driver object (the start of the major function array), all IRP handlers are set to one single function, _+2BDE! The malware author tries to be lazy here, and it saves us a lot of work too. We can just concentrate on _+2BDE then!
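The check above can be automated. The following is an added example (not code from the tutorial or from Max++) that parses a WinDbg `dd` dump of a 32-bit _DRIVER_OBJECT, resolves DriverInit and every MajorFunction entry to a module-relative offset, and flags the "all 28 IRPs go to one routine" pattern. The offset of DriverStart (+0x00c) is assumed from the WDK layout; DriverInit (+0x02c) and MajorFunction (+0x038) are taken from the `dt` output shown above. The dump embedded below is the one from this page, which stops at 0x80 bytes, so only 18 of the 28 slots are present and the code reports that.

```python
import re
from collections import Counter

IRP_MJ_MAXIMUM_FUNCTION = 0x1b        # 28 dispatch slots, IRP_MJ_CREATE .. IRP_MJ_PNP
OFF_DRIVER_START = 0x00c              # assumed from the WDK _DRIVER_OBJECT layout
OFF_DRIVER_INIT = 0x02c               # from the dt dump on the page
OFF_MAJOR_FUNCTION = 0x038            # from the dt dump on the page

# `kd> dd 8112d550` output copied from the tutorial.  It is truncated at
# 0x80 bytes, so the last 10 MajorFunction slots are not in the dump.
DD_DUMP = """\
8112d550  00a80004 81210030 00000002 fae54000
8112d560  00008000 ffbd7d80 8112d5f8 001a001a
8112d570  e1389208 8068fa90 00000000 fae5772b
8112d580  00000000 00000000 fae56bde fae56bde
8112d590  fae56bde fae56bde fae56bde fae56bde
8112d5a0  fae56bde fae56bde fae56bde fae56bde
8112d5b0  fae56bde fae56bde fae56bde fae56bde
8112d5c0  fae56bde fae56bde fae56bde fae56bde
"""

def parse_dd(text):
    """Return {address: dword} from `dd` lines; partial dumps are fine."""
    mem = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s*)+)$", line, re.I)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem

def analyze_driver_object(mem, obj_addr):
    """Resolve DriverInit and the MajorFunction table to module-relative
    offsets and flag the single-handler pattern.  A few legitimate drivers
    also route every IRP through one dispatch routine, so treat the flag
    as a lead to inspect that routine, not as proof of infection."""
    start = mem[obj_addr + OFF_DRIVER_START]
    init = mem[obj_addr + OFF_DRIVER_INIT]
    table = []
    for i in range(IRP_MJ_MAXIMUM_FUNCTION + 1):
        addr = obj_addr + OFF_MAJOR_FUNCTION + 4 * i
        if addr in mem:                 # skip slots the dump did not include
            table.append(mem[addr])
    handlers = Counter(table)
    return {
        "driver_start": start,
        "driver_init_rva": init - start,                     # _+372b on this page
        "entries_in_dump": len(table),
        "distinct_handlers": len(handlers),
        "handler_rvas": sorted(h - start for h in handlers),  # [_+2BDE] here
        "single_handler": len(handlers) == 1,
    }

if __name__ == "__main__":
    report = analyze_driver_object(parse_dd(DD_DUMP), 0x8112d550)
    for key, value in report.items():
        print(f"{key:18}", hex(value) if isinstance(value, int) and key != "entries_in_dump"
              and key != "distinct_handlers" else value)
```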

Now before we move on, we should know that each IRP handler function has the following prototype:

NTSTATUS Handler(PDEVICE_OBJECT pDevice, PIRP pIRP)

Here, the first parameter is a device object, and the second parameter represents the IRP request to handle.

When we hit the _+2BDE handler, we can easily read the two input parameters from the stack (device object at 8112d550 and IRP at 00070000), as below:

kd> dd esp
fafb73fc  81210030 8112d550 00070000 81210030
fafb740c  fafb7460 804e37f7 81210030 ffbbe7e8
fafb741c  00000000 fb07c7a9 81210030 c000014f
fafb742c  00000000 00000000 c3a408e0 00000000
fafb743c  00000001 00000000 804e2490 fa047501
fafb744c  00000000 fafb7450 fafb7450 804fb1a9
fafb745c  00000000 fafb748c fb07ce80 81210030
fafb746c  fafb7484 ffb6fe10 81210030 ffb6fe10
kd> dt _DEVICE_OBJECT 8112d550
nt!_DEVICE_OBJECT
   +0x000 Type             : 0n4
   +0x002 Size             : 0xa8
   +0x004 ReferenceCount   : 0n-2128543696
   +0x008 DriverObject     : 0x00000002 _DRIVER_OBJECT
   +0x00c NextDevice       : 0xfae54000 _DEVICE_OBJECT
   ...
kd> dt _IRP 00070000
nt!_IRP
   +0x000 Type             : 0n193
   +0x002 Size             : 0
   +0x004 MdlAddress       : 0x00000100 _MDL
  ...




4. Anatomy of Infected Disk Driver
Figure 1 shows you the first part of the IRP handler function at _+2BDE.
Figure 1. Infected Disk Driver

As shown in Figure 1, the control flow is a very simple decision procedure. First it takes the PDEVICE_OBJECT pointer from EBP+8 (the 1st parameter) and compares it with a global variable stored at 100061B0 (see the highlighted area). Clearly, the global variable stores the newly created infected device (for \??\C2CAD...). If it is not a request to \??\C2CAD, the flow jumps to 10002BFD (second highlighted area), which calls PoCallDriver to relay the request to the lower-level (real) drivers to do the work; otherwise it calls a self-defined function, handleIRPForVirtualVolume, which performs the real operation to simulate the virtual disk.

Challenge 1. Analyze the logic between 10002BFD and 10002C25 (highlighted area in Figure 1). Especially, explain the instructions at 0x10002C16 and 0x10002C19.

5. Simulating the Virtual Disk Operations
Now we will analyze the function handleIRPForVirtualVolume. It is located at _+292A. In this case, you need to set a breakpoint using "bp _+292A" in WinDbg. Figure 2 shows its major function body. Notice that you can easily infer from the context that EBX is an input parameter of the function; EBX points to the IRP request right now!

Figure 2. Function body of handleIRPForVirtualVolume


Now comes the interesting part. Look at Figure 2: at 0x1000293C, EAX holds the MajorFunction of the _IO_STACK_LOCATION (the value is one of the IRP_MJ_xxx codes). Then there is a big switch-case statement (see the highlighted area in Figure 2), which redirects the control flow to handle each of the different IRP requests such as READ, WRITE, etc.

Challenge 2. Argue that the statement "at 0x1000293C EAX holds the MajorFunction (the value is one of the IRP_MJ_xxx codes)" is true. You may need to find out the definition of the IRP_MJ_xyz values.

As an example of how Max++ simulates the disk volume operation, we show how it handles the IRP_MJ_READ request. Figure 3 shows the handler code.

Figure 3. Simulate the Disk Operation on File
First, let's look at the definition of _IO_STACK_LOCATION, which represents an I/O operation task. Note that at this moment ESI points to the current _IO_STACK_LOCATION; the following is its content. You can easily infer that its current Device Object is \??\C2CAD...

kd> dt _IO_STACK_LOCATION ff9c7fd8
nt!_IO_STACK_LOCATION
   +0x000 MajorFunction    : 0x3 ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0x2 ''
   +0x003 Control          : 0 ''
   +0x004 Parameters       : __unnamed
   +0x014 DeviceObject     : 0xffb746d8 _DEVICE_OBJECT
   +0x018 FileObject       : (null)
   +0x01c CompletionRoutine : (null)
   +0x020 Context          : (null)


Now look at the first instruction, LEA EAX, [ESI-24], in Figure 3. The purpose here is to move 0x24 bytes downward (note the direction of stack growth), which is exactly the size of _IO_STACK_LOCATION (0x24). So EAX is now pointing to a new _IO_STACK_LOCATION instance. The next couple of instructions copy the first 9 DWORDs (0x24 bytes) of the existing _IO_STACK_LOCATION to the new one.

Then at 0x10002B10 (look at the highlighted area of Figure 3), it assigns the value of ECX (from the global variable at DS:[1000614C]) to offset 0x18 of the new _IO_STACK_LOCATION. Notice that 0x18 is the FileObject attribute (see the dump of _IO_STACK_LOCATION above!). The following is the dump of the File Object pointed to by ECX:

kd> dt _FILE_OBJECT 811b25d0
nt!_FILE_OBJECT
   +0x000 Type             : 0n5
   +0x002 Size             : 0n112
   ...
   +0x02c Flags            : 0x40040
   +0x030 FileName         : _UNICODE_STRING "\WINDOWS\system32\config\yknueenf.sav"
   +0x038 CurrentByteOffset : _LARGE_INTEGER 0x0

   ...





Now it's pretty clear that the READ operation on the disk volume is actually achieved by CONSTRUCTING A NEW _IO_STACK_LOCATION task on the "*.sav" file created by Max++ earlier!

The last interesting point is at 0x10002B17: Max++ hooks up a function as the CompletionRoutine (offset 0x1c of _IO_STACK_LOCATION). The intention is pretty clear: the data stored in the *.sav file is encrypted, and Max++ decodes it when reading it out.
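To make the redirection concrete, here is an added example (not code from the tutorial or from Max++) that models the 32-bit _IO_STACK_LOCATION with the offsets from the `dt` dump above and diffs the stack location the driver received at ESI against the one it built at ESI-0x24. The byte images are constructed for the example: the first reproduces the dumped READ request, the second applies the two writes from Figure 3 (offset 0x18 set to the *.sav _FILE_OBJECT 811b25d0 from the page, offset 0x1c set to 0x10001000, a placeholder for the decrypt completion routine whose address the page does not give). Dumping `db esi-24 L48` at the breakpoint and feeding both halves to `diff_stack_locations` lets an analyst confirm the same two-field change on a live system.

```python
import struct

IO_STACK_LOCATION_SIZE = 0x24
# (name, offset, format) from the `dt _IO_STACK_LOCATION` dump on the page;
# Parameters is treated as an opaque 16-byte union at +0x004.
FIELDS = [
    ("MajorFunction", 0x00, "B"), ("MinorFunction", 0x01, "B"),
    ("Flags", 0x02, "B"), ("Control", 0x03, "B"),
    ("Parameters", 0x04, "16s"), ("DeviceObject", 0x14, "<I"),
    ("FileObject", 0x18, "<I"), ("CompletionRoutine", 0x1c, "<I"),
    ("Context", 0x20, "<I"),
]
IRP_MJ_NAMES = {0x00: "IRP_MJ_CREATE", 0x02: "IRP_MJ_CLOSE",
                0x03: "IRP_MJ_READ", 0x04: "IRP_MJ_WRITE"}

def build_stack_location(major, minor=0, flags=0, control=0, params=b"\0" * 16,
                         device=0, file=0, completion=0, context=0):
    """Pack one 0x24-byte 32-bit _IO_STACK_LOCATION image."""
    return struct.pack("<4B16sIIII", major, minor, flags, control, params,
                       device, file, completion, context)

def decode(image):
    """Unpack an image into a {field: value} dict using the page's offsets."""
    if len(image) != IO_STACK_LOCATION_SIZE:
        raise ValueError("expected a 0x24-byte _IO_STACK_LOCATION image")
    return {name: struct.unpack_from(fmt, image, off)[0] for name, off, fmt in FIELDS}

def diff_stack_locations(current, new):
    """Return {field: (old, new)} for every field that differs between the
    location at ESI and the one built at ESI-0x24."""
    cur, nxt = decode(current), decode(new)
    return {k: (cur[k], nxt[k]) for k in cur if cur[k] != nxt[k]}

def describe(current, new):
    """Human-readable summary of what the driver rewrote."""
    show = lambda v: v.hex() if isinstance(v, bytes) else f"{v:#010x}"
    mj = decode(current)["MajorFunction"]
    lines = [f"request: {IRP_MJ_NAMES.get(mj, hex(mj))}"]
    for k, (a, b) in diff_stack_locations(current, new).items():
        lines.append(f"  {k}: {show(a)} -> {show(b)}")
    return "\n".join(lines)

# Constructed from the dump at ff9c7fd8: IRP_MJ_READ, Flags 2, device \??\C2CAD...
CURRENT = build_stack_location(0x03, flags=0x02, device=0xffb746d8)
# Constructed: 9 DWORDs copied to ESI-0x24, then +0x18 and +0x1c overwritten.
# 0x811b25d0 is the *.sav _FILE_OBJECT from the page; 0x10001000 is a
# placeholder for the completion routine (not an address from the page).
NEW = CURRENT[:0x18] + struct.pack("<II", 0x811b25d0, 0x10001000) + CURRENT[0x20:]

if __name__ == "__main__":
    print(describe(CURRENT, NEW))
```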

We've finished a very challenging and interesting analysis of a portion of the infected disk driver. Now it's your job to finish the rest:

Challenge 3. What happens when FormatEx operation is performed on the virtual disk volume?

Challenge 4. Analyze all the other IRP_MJ_ operations supported by the infected disk driver (hint: this could take considerable effort).




References
[1] T. Opferman, "Driver Development Introduction Part I", available at http://codeproject.com
[2] MSDN, "IRP Function Code", available at

83 comments:

  1. nice tutorials, big up!
