Simda obfuscator is somewhat irritating as it is multistaged. Drivers and DLLs haven't been updated since March 2011. The only thing they change is the upper obfuscation layer.
1) original_rootkit_driver -> decrypts the second stage procedures (implemented as a second native PE file); can be decrypted in a user mode debugger, or break in WinDbg at the Simda driver entry and trace until "call eax".
decrypt algo at stage 1:
Code:
procedure DecryptStage1(InputPtr, OutputPtr: PDWORD; BufferSize: Cardinal);
var
  key1, key2, dwData: DWORD;
  i: Integer;
begin
  key1 := $E34CAD83;
  key2 := $54B14C88;
  { original read "0 to BufferSize div SizeOf(DWORD)", which runs one DWORD past the end }
  for i := 0 to (BufferSize div SizeOf(DWORD)) - 1 do
  begin
    dwData := InputPtr^ + key1;   { plaintext DWORD = ciphertext DWORD + running key }
    OutputPtr^ := dwData;
    key1 := key1 + key2;          { key1 advances by key2 (32-bit wrap) }
    key2 := key2 - $42BE4641;     { key2 decreases by a constant each DWORD }
    Inc(InputPtr);
    Inc(OutputPtr);
  end;
end;
3) third stage is 2 native PE drivers and 2 DLLs it uses for injection purposes.
All stages are in the attachment. For more info see http://www.microsoft.com/security/porta ... imda.gen!A
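The stage-1 routine above as a standalone unpacking helper in Python (added example, not from the post or the Simda binaries): it reproduces the additive running-key stream with 32-bit wrap-around, and builds its own constructed test buffer (a fake MZ header, not real Simda data) by applying the inverse so the decryption can be checked for a recovered PE header.

```python
import struct

# Constants as transcribed in the post's stage-1 routine.
KEY1_INIT = 0xE34CAD83
KEY2_INIT = 0x54B14C88
KEY2_STEP = 0x42BE4641
MASK = 0xFFFFFFFF  # 32-bit wrap-around, as in DWORD arithmetic


def keystream(n_dwords):
    """Yield the running key1 value used for each DWORD, in order."""
    key1, key2 = KEY1_INIT, KEY2_INIT
    for _ in range(n_dwords):
        yield key1
        key1 = (key1 + key2) & MASK       # key1 += key2
        key2 = (key2 - KEY2_STEP) & MASK  # key2 -= 0x42BE4641


def _apply(buf, sign):
    n = len(buf) // 4  # whole DWORDs only; trailing bytes pass through untouched
    words = struct.unpack("<%dI" % n, buf[: n * 4])
    out = [(w + sign * k) & MASK for w, k in zip(words, keystream(n))]
    return struct.pack("<%dI" % n, *out) + buf[n * 4 :]


def simda_stage1_decrypt(blob):
    """Recover the embedded stage-2 PE: plaintext DWORD = ciphertext DWORD + key1."""
    return _apply(blob, +1)


def simda_stage1_encrypt(plain):
    """Inverse of the routine; used here only to build a constructed test vector."""
    return _apply(plain, -1)


def looks_like_pe(data):
    """Cheap sanity check an unpacker applies to the decrypted output."""
    return data[:2] == b"MZ"


# Constructed sample (not real Simda data): a fake DOS header padded to 64 bytes.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_CIPHER = simda_stage1_encrypt(SAMPLE_PLAIN)

if __name__ == "__main__":
    recovered = simda_stage1_decrypt(SAMPLE_CIPHER)
    print("MZ header recovered:", looks_like_pe(recovered))
```

On a real dump, feed the bytes following the driver's decryption call site to simda_stage1_decrypt and check for the MZ header before carving the stage-2 PE.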