Tuesday, May 29, 2012

Malware Analysis Tutorial 28: Break Max++ Rootkit Hidden Drive Protection

Learning Goals:
  1. Practice WinDbg for Intercepting Driver Loading
  2. Practice IMM for Modifying Binary Code
  3. Trace and Modify Control Flow Using IMM
Applicable to:
  1. Operating Systems
  2. Assembly Language
  3. Operating System Security
1. Introduction

One typical feature of Max++ is its ability to hide malicious files in a hidden drive. In this tutorial, we show how to modify the malware itself to break its hidden drive protection. Our goal is to dig B48DADFD.sys out of the hidden drive. Recall that B48DADFD.sys is used to load a series of malicious DLL files, as introduced in Tutorial 27.

2. Preliminaries: Who Has Loaded B48DADFD.sys?
We first need to figure out who loads B48DADFD.sys. Simply follow instructions (1) to (4) of Tutorial 19 to set up the lab experiment. Once WinDbg is started, click Debug -> Event Filter and enable the "Load Module" event (as shown in Figure 1). Then, after you hit the BP at 0x401417 in IMM, press SHIFT+F9 to let it run. The first module you capture will be "_" (the one which hacks lz32.dll), and the second hit will get you B48DADFD.sys.

Figure 1. Enable Event Filter on Module Loading

As shown below, when WinDbg breaks at DebugService2+0x10, it is inside the handler for the module load event. If you list all current modules using "lm", you will notice that B48DADF8 is the module being loaded. We can further dump the stack contents (using "kv") to find out the caller.

kd> g
nt!DebugService2+0x10:
80506d3e cc              int     3
kd> lm
start    end        module name
804d7000 806ed680   nt         (pdb symbols)          c:\windows\symbols\ntoskrnl.pdb\47A5AC97343A4A7ABF14EFD9E99337722\ntoskrnl.pdb
fadfc000 fae01000   B48DADF8   (deferred)            
faed4000 faedc000   _          (deferred)            

Unloaded modules:
f77c4000 f77ef000   kmixer.sys
f7b6e000 f7b99000   kmixer.sys
fb206000 fb207000   drmkaud.sys
f7b99000 f7bbc000   aec.sys
f7c89000 f7c96000   DMusic.sys
facec000 facfa000   swmidi.sys
fb0f0000 fb0f2000   splitter.sys
fad6c000 fad77000   imapi.sys
fad5c000 fad6b000   redbook.sys
fae6c000 fae71000   Cdaudio.SYS
fb050000 fb053000   Sfloppy.SYS
fae64000 fae69000   Flpydisk.SYS
fae5c000 fae63000   Fdc.SYS
kd> kv
ChildEBP RetAddr  Args to Child             
f76a251c 80506d80 f76a25b4 f76a2530 00000003 nt!DebugService2+0x10 (FPO: [Non-Fpo])
f76a2540 805a3113 f76a25b4 fadfc000 ffffffff nt!DbgLoadImageSymbols+0x42 (FPO: [Non-Fpo])
f76a26e4 805a7c9d f76a2800 00000000 00000000 nt!MmLoadSystemImage+0xa80 (FPO: [Non-Fpo])
f76a2894 804de7ec 00000036 f76a2974 0000001c nt!NtSetSystemInformation+0x8a9 (FPO: [Non-Fpo])
f76a2894 804dd98d 00000036 f76a2974 0000001c nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f76a28a8)
*** ERROR: Module load completed but symbols could not be loaded for *
f76a2918 faed50c7 00000036 f76a2974 0000001c nt!ZwSetSystemInformation+0x11 (FPO: [3,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
f76a299c faed6b93 ffbd2478 ffb23550 003f005c _+0x10c7
f76a2a34 faed6bf8 ffbd2478 ffb23550 ffb97840 _+0x2b93
f76a2a4c 804e37f7 ffa337b0 ffbd2468 ffbd2468 _+0x2bf8
f76a2a5c 8056c712 ffa33798 ffaad86c f76a2c04 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f76a2b3c 80563fec ffa337b0 00000000 ffaad7c8 nt!IopParseDevice+0xa12 (FPO: [Non-Fpo])
f76a2bc4 805684da 00000000 f76a2c04 00000040 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f76a2c18 8056cbeb 00000000 00000000 160de801 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
f76a2c94 8056ccba 0012d624 00100000 003d3150 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f76a2cf0 8056cdf0 0012d624 00100000 003d3150 nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
f76a2d30 804de7ec 0012d624 00100000 003d3150 nt!NtCreateFile+0x30 (FPO: [Non-Fpo])
f76a2d30 7c90e4f4 0012d624 00100000 003d3150 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f76a2d64)
0012d648 003c2507 00401166 003c0000 fffffffe 0x7c90e4f4
0012ffd0 8054b6b8 0012ffc8 81148da8 ffffffff 0x3c2507
00413a40 ec81ec8b 0000030c d98b5653 f4b58d57 nt!ExFreePoolWithTag+0x676 (FPO: [Non-Fpo])
00413a4c f4b58d57 8bfffffd f45589c3 0000c0e8 0xec81ec8b
00413a50 8bfffffd f45589c3 0000c0e8 10c38300 0xf4b58d57
00413a54 f45589c3 0000c0e8 10c38300 0cf85d89 0x8bfffffd
00413a58 00000000 10c38300 0cf85d89 f3b58dff 0xf45589c3
As shown by the stack dump, it is the lz32.dll code (one instruction before 0x3C2507) that eventually triggers the load of B48DADFD.sys. The chain of calls is:

one instruction before 0x3C2507 (lz32.dll) --> ... --> IoCreateFile --> ... --> IopfCallDriver --> ... --> load B48DADFD.sys
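The same conclusion can be reached mechanically. The script below is an added example, not part of the original tutorial: it parses abridged copies of the "lm" and "kv" output above and resolves every return address against the loaded module ranges, which exposes the hop from nt into the "_" driver and, at the bottom, the user-mode return address 0x3C2507 in lz32.dll.

```python
import re

# Module ranges copied from the page's "lm" output: start, end, name.
LM_OUTPUT = """\
804d7000 806ed680   nt         (pdb symbols)
fadfc000 fae01000   B48DADF8   (deferred)
faed4000 faedc000   _          (deferred)
"""

# Abridged "kv" output from the page. The ERROR/WARNING lines are kept so the
# parser has to skip them, as it must on a real dump.
KV_OUTPUT = """\
f76a251c 80506d80 f76a25b4 f76a2530 00000003 nt!DebugService2+0x10 (FPO: [Non-Fpo])
f76a2540 805a3113 f76a25b4 fadfc000 ffffffff nt!DbgLoadImageSymbols+0x42 (FPO: [Non-Fpo])
f76a2894 804dd98d 00000036 f76a2974 0000001c nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f76a28a8)
*** ERROR: Module load completed but symbols could not be loaded for *
f76a2918 faed50c7 00000036 f76a2974 0000001c nt!ZwSetSystemInformation+0x11 (FPO: [3,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
f76a299c faed6b93 ffbd2478 ffb23550 003f005c _+0x10c7
f76a2a4c 804e37f7 ffa337b0 ffbd2468 ffbd2468 _+0x2bf8
f76a2d30 7c90e4f4 0012d624 00100000 003d3150 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f76a2d64)
0012d648 003c2507 00401166 003c0000 fffffffe 0x7c90e4f4
"""

MODULE_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})\s+(\S+)")
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)")

def parse_lm(text):
    """(start, end, name) for every 'lm' line that carries an address range."""
    return [(int(m.group(1), 16), int(m.group(2), 16), m.group(3))
            for m in map(MODULE_RE.match, text.splitlines()) if m]

def parse_kv(text):
    """(child_ebp, ret_addr, symbol) per frame; noise lines simply do not match."""
    return [(int(m.group(1), 16), int(m.group(2), 16), m.group(3))
            for m in map(FRAME_RE.match, text.splitlines()) if m]

def resolve(addr, mods):
    """'module+0xoffset' if a loaded kernel module covers addr, else None."""
    for start, end, name in mods:
        if start <= addr < end:
            return f"{name}+0x{addr - start:x}"
    return None

def caller_chain(frames, mods):
    """A frame's return address lies in its caller; resolving each one in order
    walks from the module-load hook up to the code that started the request."""
    return [resolve(ret, mods) or f"0x{ret:x} (no kernel module)" for _, ret, _ in frames]

def user_mode_returns(frames, mods):
    """Return addresses outside every kernel module: ntdll's syscall stub first,
    then 0x3c2507 in lz32.dll; the call instruction sits just before that."""
    return [ret for _, ret, _ in frames if resolve(ret, mods) is None]
```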

Challenge 1. Use the analysis techniques presented in Tutorial 27 and analyze how B48DADFD is loaded.



3. Lab Configuration
Given that B48DADFD is loaded by the instruction one before 0x3C2507, we can configure the lab to dig out the malicious driver file. The lab configuration is as follows:

First, follow instructions (1) to (4) of Tutorial 19. When the breakpoint at 0x004017 is hit, jump to 0x3C2502 in the CPU pane (right click in the CPU pane -> Go to expression) and set a software breakpoint on it. You should see the binary code as shown in Figure 2 below.

Figure 2. Breakpoint Right Before Loading B48DADFD.sys


We are now ready to take B48DADFD.sys out.

4. Surgery on Hidden Drive
As the hidden drive is not visible in Windows Explorer, we have to call functions available in the Windows system library to get B48DADFD.sys out of the hidden drive. This is possible because Max++ hooks the file system driver to handle special requests for the hidden drive. Our plan is to overwrite the instructions right after the instruction at 0x003C2502 and try to copy the file out.

Browsing kernel32.dll (View -> Executable Modules -> View Names) gives us one good candidate, as shown in Figure 3.

Figure 3. kernel32.dll CopyFileA

According to MSDN, the prototype of CopyFileA is defined as below (where "A" stands for ASCII, i.e., how the file name is encoded; you can see several variations in Figure 3, such as CopyFileW):

BOOL WINAPI CopyFile(
  _In_  LPCTSTR lpExistingFileName,
  _In_  LPCTSTR lpNewFileName,
  _In_  BOOL bFailIfExists
);

So here is our plan: starting at 0x003C250C, we use IMM to modify the binary code and insert the instruction CALL 7C8286D6. Meanwhile, we modify the stack contents so that the three parameters are arranged properly. We first modify the instructions, as shown in Figure 4: simply right click in the CPU pane -> Assemble (or press the space bar) and type "CALL 7C8286D6" to modify the binary code.

Figure 4. Modify Binary Code in IMM

We now need to create the parameters for the CopyFileA call. We need to insert two strings in the data dump window; the general approach is shown in Figure 5: right click -> Binary -> Edit. Make sure you insert the data only when EIP is 0x003c2507, to avoid destroying data still needed by the earlier calls of Max++.

Figure 5. Modify Binary Code

The inserted data is shown in Figure 6. The file string "\\.\C2CAD...\B48DADF8.sys" is retrieved from the earlier analysis of the ntLoadImage in the stack dump in Section 2. As shown in Figure 6, we inserted two strings: one is "\\.\C2CAD...\B48DADF8.sys" and the other is "c:\bad.sys". The parameter setting is shown in the stack pane once we have entered the data in the memory dump pane. The third parameter (bFailIfExists) can be set to FALSE (0).

Figure 6. The Input Parameters of CopyFileA

Execute one step in the CPU pane and we have successfully pulled the malicious driver file out. See Figure 7.
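The bytes that IMM writes for this patch can be worked out by hand, and the added Python below (not code from the original tutorial) does exactly that: the E8 encoding of CALL 7C8286D6 placed at 0x003C250C, the NUL-terminated ANSI strings, and the stdcall stack layout CopyFileA expects at the moment of the call. The two string addresses, the ESP value and the hidden volume name (truncated on the page) are placeholders chosen for illustration.

```python
# Values from the page: CopyFileA's address in this lab's kernel32.dll and the
# spot where the tutorial inserts "CALL 7C8286D6" (XP-era image, no ASLR).
COPYFILEA = 0x7C8286D6
PATCH_AT = 0x003C250C

# Constructed lab values (assumptions, not from the page): where the two pasted
# strings are assumed to live, ESP at the moment of the CALL, and a placeholder
# for the hidden volume name, which the page only shows truncated.
EXISTING_AT, NEW_AT, ESP_AT_CALL = 0x003D4000, 0x003D4040, 0x0012D5F0
HIDDEN_PATH = r"\\.\<hidden-volume-name>\B48DADF8.sys"
DEST_PATH = r"c:\bad.sys"

def call_rel32(at, target):
    """Encode x86 CALL rel32 (opcode E8) placed at `at`. The displacement is
    taken from the end of the 5-byte instruction, which is also the address
    that CALL pushes as the return address."""
    rel = (target - (at + 5)) & 0xFFFFFFFF
    return bytes([0xE8]) + rel.to_bytes(4, "little")

def call_target(at, code):
    """Inverse of call_rel32: the absolute target of an E8 call located at `at`."""
    if len(code) != 5 or code[0] != 0xE8:
        raise ValueError("not a 5-byte CALL rel32")
    rel = int.from_bytes(code[1:], "little", signed=True)
    return (at + 5 + rel) & 0xFFFFFFFF

def c_string(s):
    """The ANSI form CopyFileA reads: one byte per character plus a NUL terminator."""
    return s.encode("latin-1") + b"\x00"

def copyfilea_frame(esp, existing_ptr, new_ptr, fail_if_exists):
    """Stack as CopyFileA (stdcall) expects it when CALL executes: the first
    parameter at [ESP], the last at [ESP+8]; the callee pops all 12 bytes."""
    return [(esp, existing_ptr), (esp + 4, new_ptr), (esp + 8, int(fail_if_exists))]

def build_patch():
    """Everything to enter in IMM: code bytes, the two strings, and stack dwords."""
    return {
        "code": call_rel32(PATCH_AT, COPYFILEA),      # E8 C5 61 46 7C
        "return_address": PATCH_AT + 5,               # 0x003C2511
        "data": {EXISTING_AT: c_string(HIDDEN_PATH), NEW_AT: c_string(DEST_PATH)},
        "stack": copyfilea_frame(ESP_AT_CALL, EXISTING_AT, NEW_AT, False),
    }
```

After the call returns to 0x003C2511, stdcall has already removed the three dwords, so ESP is back where it was before the arguments were entered.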

Challenge 2. List all files in the hidden drive and take all of them out.

Figure 7. Success
