A forum for reverse engineering, OS internals and malware analysis 

 #3224  by egomoo
 Tue Oct 26, 2010 5:16 am
EP_X0FF wrote:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
!-->[Hidden] C:\WINDOWS\system32\drivers\paqkkmhplelf.sys
!-->[Hidden] C:\WINDOWS\system32\drivers\str.sys
But you need to do a quick reset. That's the key :)

edit:
Beaten by GamingMaster. Yes, here it is - magic :)
The random driver will be recreated when it is deleted by another antirootkit tool.

In my test, Safe Returner could remove the new Black Energy 2.1+ rootkit (using the "DATEA0B.tmp.exe" sample).
 #3238  by GamingMasteR
 Wed Oct 27, 2010 8:34 am
The random driver will be recreated when it is deleted by another antirootkit tool.
KDetective v1.3.1 can still defeat it:
- delete all suspicious notify routines
- restore hooked threads service table
- suspend the two suspicious system threads
- restore other splice hooks
- get the driver name from Kd+ -> Unloaded Drivers and delete it from system32\drivers folder
 #3826  by spaceman
 Fri Dec 03, 2010 3:26 am
EP_X0FF wrote:
Black list found.
rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe
edit:

Two payload DLLs can be extracted easily from svchost.exe, for example.
This probably belongs in the Newbie Questions forum, but how do you extract dlls from a process?
 #3827  by EP_X0FF
 Fri Dec 03, 2010 9:22 am
Locate memory regions marked as r/w + executable (which do not belong to any DLL visible in the loader list) and dump them to disk.
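An added example of the approach just described (my code, not EP_X0FF's and not taken from any tool in this thread): keep the committed, executable, private regions of a process that fall outside every module in the loader list, with Win32 collectors (VirtualQueryEx, EnumProcessModules) to feed it on Windows. The function and structure names are my own, and the filter itself runs on any platform.

```python
import ctypes
import sys
from collections import namedtuple

PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* protection (winnt.h)
MEM_COMMIT, MEM_PRIVATE = 0x1000, 0x20000
Region = namedtuple("Region", "base size protect state mem_type")

def in_module(region, modules):
    """modules: (base, size) pairs of DLLs visible in the loader list."""
    return any(b <= region.base < b + s for b, s in modules)

def suspicious_regions(regions, modules):
    """Committed, executable, private (not image-backed) regions owned by no
    listed module: the usual footprint of an injected or manually mapped DLL."""
    return [r for r in regions
            if r.state == MEM_COMMIT and r.mem_type == MEM_PRIVATE
            and r.protect & PAGE_EXECUTE_ANY and not in_module(r, modules)]

if sys.platform == "win32":   # Win32 collectors via ctypes; skipped on other platforms
    from ctypes import wintypes as wt
    k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi

    class MBI(ctypes.Structure):   # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]
    class MI(ctypes.Structure):    # MODULEINFO
        _fields_ = [("lpBaseOfDll", ctypes.c_void_p), ("SizeOfImage", wt.DWORD), ("EntryPoint", ctypes.c_void_p)]
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, wt.LPCVOID, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    psapi.GetModuleInformation.argtypes = [wt.HANDLE, wt.HMODULE, ctypes.POINTER(MI), wt.DWORD]

    def enumerate_regions(hproc):
        """Walk the target's whole address space with VirtualQueryEx."""
        mbi, addr, out = MBI(), 0, []
        while k32.VirtualQueryEx(hproc, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            out.append(Region(base, mbi.RegionSize, mbi.Protect, mbi.State, mbi.Type))
            addr = base + mbi.RegionSize
        return out

    def loaded_modules(hproc):
        """(base, size) of every module in the loader list, via EnumProcessModules."""
        mods, needed, mi, out = (wt.HMODULE * 1024)(), wt.DWORD(), MI(), []
        psapi.EnumProcessModules(hproc, mods, ctypes.sizeof(mods), ctypes.byref(needed))
        for m in mods[:needed.value // ctypes.sizeof(wt.HMODULE)]:
            psapi.GetModuleInformation(hproc, m, ctypes.byref(mi), ctypes.sizeof(mi))
            out.append((mi.lpBaseOfDll or 0, mi.SizeOfImage))
        return out
```

Each region the filter returns can then be read out with ReadProcessMemory and written to disk for static analysis; expect some false positives from JIT engines and packers, which also allocate private executable memory.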
 #5320  by EP_X0FF
 Sat Mar 05, 2011 4:48 am
Here is some fresh BlackEnergy2 to play.
Same antirootkits blacklist still in place.
 #6283  by dphrag
 Wed May 11, 2011 7:22 am
Hi all

I am trying to identify a data structure to enum/check for the service/filename, is there any?

thanks
 #6288  by EP_X0FF
 Wed May 11, 2011 2:41 pm
dphrag wrote:
Hi all

I am trying to identify a data structure to enum/check for the service/filename, is there any?

thanks
Hello,

Personally I don't understand what you are asking. Can you be more specific?
 #6289  by dphrag
 Wed May 11, 2011 3:31 pm
I am using WinDbg to debug some samples. I can find the service table hooks and the threads. I am trying to find a way, using WinDbg, to get the service name or the driver name.
 #6290  by EP_X0FF
 Wed May 11, 2011 4:06 pm
dphrag wrote:
I am using WinDbg to debug some samples. I can find the service table hooks and the threads. I am trying to find a way, using WinDbg, to get the service name or the driver name.
Did you try the lm command? AFAIR this rootkit's real driver filename can be retrieved through the unloaded modules list.