malicious Driver

Discussion on reverse-engineering and debugging.
Post Reply
marve
Posts: 1
Joined: Wed Mar 13, 2013 4:26 pm

malicious Driver

Post by marve » Wed Mar 13, 2013 4:39 pm

hi

reading about ZAccess driver, on http://resources.infosecinstitute.com/z ... h-rootkit/
I have a question about basic concept!

as it is mentioned there and we see in other drivers, all happens in DriverEntry routine...but I can't understand how!
DriverEntry has an argument which is Driver Obj, which I think to be its own (?), but it seems that malicious drivers needs an other driver obj! as an input in their
EriverEntry...there is no sign of finding other Obj before hooks in the driverEntry...it does not hook itself, does it? ;)

can any one explaine me more?
thanks

POPPOPRET
Posts: 2
Joined: Fri Aug 30, 2013 3:40 pm

Re: malicious Driver

Post by POPPOPRET » Fri Aug 30, 2013 7:20 pm

I believe the answer to your question is the device object.

http://msdn.microsoft.com/en-us/library ... s.85).aspx

The malicious driver can get a pointer to a particular device object (lets say keyboarddevice). There are APIs to do this.

Once it has the device object, it can TheDeviceObject->DriverObject to get a pointer to the DriverObject of the target driver.

It can then hook DriverObject->MajorFunction[IRP_MAXIMUM_FUNCTION], redirecting all future IRPS to the malicious handler. (I assume some form of trampoline is present to invoke the original driver code after the hook has fired).

That is the jist

ret

Post Reply