Search found 4293 matches

by EP_X0FF
Mon Mar 15, 2010 2:19 pm
Forum: Malware
Topic: WinNT/BlackEnergy
Replies: 38
Views: 59985

WinNT/BlackEnergy

Wrongly identified as Rustock (see Rustock 2010), this is another rootkit with a few interesting features on board. It patches the ETHREAD SystemTable pointer to a specially allocated fake service table in NonPagedPool that contains real addresses from the SSDT and addresses replaced by rootkit handlers. User th...
by EP_X0FF
Mon Mar 15, 2010 1:28 pm
Forum: User-Mode Development
Topic: CreateProcess Native (x86-32 NT5.x)
Replies: 8
Views: 14435

Re: CreateProcess Native (x86-32 NT5.x)

Nebbett's code does not work on > Windows 2000 due to the author's lack of understanding of Win32 subsystem notification. I created this one based on some public definitions and kernel32.dll reversing. Also, if somebody has an example of how to create a process using native only on Vista/Seven, it would be great if ...
by EP_X0FF
Mon Mar 15, 2010 1:16 pm
Forum: Malware
Topic: Rootkit 4DW4R3 (TDL 2 clone)
Replies: 5
Views: 11043

Re: Rootkit 4DW4R3 (TDL 2 clone)

gjf wrote: "TDL2 Clone" - does it mean the standard detection/removal tools for TDSS can be used?
Yes, sure. All of them should be able to detect and remove it.
by EP_X0FF
Mon Mar 15, 2010 9:59 am
Forum: User-Mode Development
Topic: CreateProcess Native (x86-32 NT5.x)
Replies: 8
Views: 14435

CreateProcess Native (x86-32 NT5.x)

This test project was developed a long time ago, and I want to share its sources. All it does is try to create the process notepad.exe using only Native API calls. So basically it copies the behavior of the Windows CreateProcess function (CreateProcessInternal). The application is written in Delphi5 with...
by EP_X0FF
Mon Mar 15, 2010 9:22 am
Forum: Kernel-Mode Development
Topic: Books
Replies: 8
Views: 9538

Re: Books

Hi,

This is a good idea.
Since we are not supporting warez here, I think links to official selling places (Amazon etc.,
if the book is still available) will be very good.

So after a little arranging of this topic it can be set as sticky.

Regards.
by EP_X0FF
Mon Mar 15, 2010 2:10 am
Forum: Malware
Topic: Rootkit 4DW4R3 (TDL 2 clone)
Replies: 5
Views: 11043

Rootkit 4DW4R3 (TDL 2 clone)

Hybrid rootkit combining TDL 2 and TDL 3 stealth functionality. First located ITW at the beginning of 2010. The rootkit is called 4DW4R3 because of strings found inside the binary during RE. The dropper uses the TDL3 spoolsv load-driver technique; if it fails, it calls NtLoadDriver directly. The rootkit driver is hidden...
by EP_X0FF
Mon Mar 15, 2010 1:38 am
Forum: Kernel-Mode Development
Topic: Low Level Disk I/O
Replies: 63
Views: 37319

Re: Low Level Disk I/O

Hi Vrtule, yes, I/O ports are not so scary. I tried them two years ago. Would you like to share the source? :) The method of reading/writing the disk is very trivial - I access the disk through the \\.\PhysicalDriveX symbolic link (from user mode and kernel mode). So, I would like to implement a better method of ma...
by EP_X0FF
Sun Mar 14, 2010 3:00 pm
Forum: Kernel-Mode Development
Topic: _DRIVER_DATA, Old Device Device Driver Hiding
Replies: 6
Views: 8051

Re: _DRIVER_DATA, Old Device Device Driver Hiding

Hi Spynet, in the second list there's no entry named GhosR.sys; the result is interesting as long as you are not running a robust anti-rootkit EnumDeviceDriver that queries information via the NtQuerySystemInformation call. NtQuerySystemInformation gets this info from the kernel's unexported PsLoadedModulesList variable. You h...
by EP_X0FF
Sun Mar 14, 2010 1:52 pm
Forum: User-Mode Development
Topic: Killing XueTr from User Mode (oXueTb Poc)
Replies: 0
Views: 4668

Killing XueTr from User Mode (oXueTb Poc)

This proof-of-concept targets XueTr v0.32. This antirootkit's self-protection is based on numerous hooks set in kernel mode on common routines. RkU Version: 5.1.700.2220, Type VX2 (VX+) ============================================== OS Name: Windows XP Version 5.1.2600 (Service Pack 3) Number of process...
by EP_X0FF
Sun Mar 14, 2010 1:43 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 320935

Rootkit ZeroAccess (alias MaxPlus, Sirefef)

ZeroAccess (aka Sirefef) common information. A multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes: downloading and executing arbi...