A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #18515  by marve
 Wed Mar 13, 2013 4:39 pm

reading about ZAccess driver, on http://resources.infosecinstitute.com/z ... h-rootkit/
I have a question about basic concept!

as it is mentioned there and we see in other drivers, all happens in DriverEntry routine...but I can't understand how!
DriverEntry has an argument which is Driver Obj, which I think to be its own (?), but it seems that malicious drivers needs an other driver obj! as an input in their
EriverEntry...there is no sign of finding other Obj before hooks in the driverEntry...it does not hook itself, does it? ;)

can any one explaine me more?
 #20654  by POPPOPRET
 Fri Aug 30, 2013 7:20 pm
I believe the answer to your question is the device object.

http://msdn.microsoft.com/en-us/library ... s.85).aspx

The malicious driver can get a pointer to a particular device object (lets say keyboarddevice). There are APIs to do this.

Once it has the device object, it can TheDeviceObject->DriverObject to get a pointer to the DriverObject of the target driver.

It can then hook DriverObject->MajorFunction[IRP_MAXIMUM_FUNCTION], redirecting all future IRPS to the malicious handler. (I assume some form of trampoline is present to invoke the original driver code after the hook has fired).

That is the jist