A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #31604  by My Worm
 Sat May 26, 2018 12:45 pm
Hi,

I have a question about the unsigned driver loaded into the kernel. I have a 64-bit operating system (Windows 10). I read the MBAR system protocol and saw that there is an unsigned driver in the kernel. I saw it in the properties of the file. It is OK?

Many thanks
 #31606  by Vrtule
 Sun May 27, 2018 8:44 am
If the driver package contains also the catalog (.cat) file, you do not need to sign the driver binary. Signing the catalog file does the trick. The catalog file contains hashes of files contained in the package, including the driver binary, so the driver integrity can be checked by
1) validating signature of the catalog file,
2) verifying that the hash of the driver bianry equals the hash stored in the catalog.
 #31609  by My Worm
 Mon May 28, 2018 8:05 pm
Thanks for reply. For example: monitor.sys is not digitaly signed and loaded in Kernel. No .cat file. And, when I am update my Windows 10 to newest version, TDSSKiller doesnt work in normal mode, but in Safe Mode yes.

Initializing...
Driver version: 4.3.0.15
------------ Kernel report ------------
05/26/2018 14:04:46
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\WppRecorder.sys
\SystemRoot\system32\drivers\SleepStudyHelper.sys
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\system32\drivers\mssecflt.sys
\SystemRoot\system32\drivers\SgrmAgent.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\system32\drivers\avgVmm.sys
\SystemRoot\system32\drivers\avgRvrt.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\avgbuniva.sys
\SystemRoot\system32\drivers\avgbloga.sys
\SystemRoot\system32\drivers\avgbidsha.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\avgSP.sys
\SystemRoot\system32\drivers\avgSnx.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\avgRdr2.sys
\SystemRoot\system32\drivers\afunix.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\avgNetSec.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\??\C:\WINDOWS\System32\drivers\zamguard64.sys
\SystemRoot\system32\DRIVERS\VBoxDrv.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\bam.sys
\SystemRoot\system32\drivers\avgbidsdrivera.sys
\SystemRoot\system32\drivers\avgArPot.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\drivers\tapwindscribe0901.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_bcb89b3386563bd7\CompositeBus.sys
\SystemRoot\System32\drivers\serscan.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_38c9bee769f9ef1f\nvlddmkm.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\iaLPSS2i_I2C.sys
\SystemRoot\system32\drivers\SpbCx.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\System32\drivers\iaLPSS2_UART2.sys
\SystemRoot\system32\drivers\SerCx2.sys
\SystemRoot\System32\drivers\parport.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\serial.sys
\SystemRoot\System32\drivers\serenum.sys
\SystemRoot\System32\drivers\e1i63x64.sys
\SystemRoot\System32\drivers\iaLPSS2i_GPIO2.sys
\SystemRoot\System32\Drivers\msgpioclx.sys
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\acpipagr.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\system32\drivers\nvvad64v.sys
\SystemRoot\System32\drivers\nvvhci.sys
\SystemRoot\System32\drivers\dtliteusbbus.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\DriverStore\FileRepository\swenum.inf_amd64_ea7b19c04e7a8136\swenum.sys
\SystemRoot\System32\drivers\dtlitescsibus.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\drivers\USBSTOR.SYS
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\LEqdUsb.Sys
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\system32\DRIVERS\LHidEqd.Sys
\SystemRoot\system32\DRIVERS\LHidFilt.Sys
\SystemRoot\system32\DRIVERS\LMouFilt.Sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\DRIVERS\lvrs64.sys
\SystemRoot\System32\drivers\athuwbx.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\cldflt.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\avgMonFlt.sys
\SystemRoot\system32\drivers\avgStm.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\drivers\rassstp.sys
\SystemRoot\System32\DRIVERS\NDProxy.sys
\SystemRoot\System32\drivers\AgileVpn.sys
\SystemRoot\System32\drivers\rasl2tp.sys
\SystemRoot\System32\drivers\raspptp.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\drivers\ndiswan.sys
\SystemRoot\System32\drivers\condrv.sys
\??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win10_amd64\IURegProcessFilter.sys
\??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win10_amd64\IUFileFilter.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\1645BB24.sys
----------- End -----------
Done!

Scan started
Database versions:
main: v2018.05.26.03
rootkit: v2018.05.26.03

<<<2>>>
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffff8b85de9e9060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8b85de9119d0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8b85de9e9060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8b85de5d3160, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffff8b85de5ac380, DeviceName: \Device\00000041\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffff8b85de9ea060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8b85de9129d0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8b85de9ea060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8b85de7bb040, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffff8b85de5b1060, DeviceName: \Device\00000040\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 72232B3D

Partition information:

Partition 0 type is Other (0xc)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition is not bootable
Partition file system is FAT32

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 1952393216
Partition is not bootable
Partition file system is NTFS

Partition 2 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 1952600064 Numsec = 921600
Partition is not bootable
Partition file system is NTFS

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition is not bootable

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Drive 1
This is a System drive
Scanning MBR on drive 1...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 9998B265

GPT Protective MBR Partition information:

Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1 Numsec = 4294967295

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 3806123422
GPT Header CurrentLba = 1 BackupLba 468862127
GPT Header FirstUsableLba 34 LastUsableLba 468862094
GPT Header Guid a188686-4575-48b5-a488-21fa158aa312
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128

Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 3806123422
Backup GPT header CurrentLba = 468862127 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 468862094
Backup GPT header Guid a188686-4575-48b5-a488-21fa158aa312
Backup GPT header Contains 128 partition entries starting at LBA 468862095
Backup GPT header Partition entry size = 128

Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID d0b882f8-8d58-4a50-b5ce-a68b9ebbd
FirstLBA 2048 Last LBA 923647
Attributes 1
Partition Name Basic data partition

Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID 2b5532d2-6a6c-415f-95e5-3993b657b7a
FirstLBA 923648 Last LBA 1128447
Attributes 0
Partition Name EFI system partition

GPT Partition 1 is bootable
Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID 8e7793c8-b684-460f-8ea-6c9c5283e350
FirstLBA 1128448 Last LBA 1161215
Attributes 0
Partition Name Microsoft reserved partition

Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID 8bbb0a7-463e-4baf-8a75-175eb9385d8
FirstLBA 1161216 Last LBA 468860927
Attributes 0
Partition Name Basic data partition

Disk Size: 240057409536 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffff8b85df53f060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8b85df541040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8b85df53f060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8b85df52db10, DeviceName: \Device\00000051\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffff8b85df53e690, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8b85df53b5b0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8b85df53e690, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8b85df540640, DeviceName: \Device\00000052\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffff8b85df538060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8b85df536040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8b85df538060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8b85df52ab10, DeviceName: \Device\00000053\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 5, DevicePointer: 0xffff8b85df53c690, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8b85df537040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8b85df53c690, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8b85df53e060, DeviceName: \Device\00000054\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-206848-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-2-1952600064-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished
 #31614  by EP_X0FF
 Wed May 30, 2018 4:13 am
Monitor.sys is a part of Windows OS, it is installed via inf file monitor.inf located in windows\inf folder. This file has no embedded signature and signed via catalog file. Catalog file located in Windows\System32\CatRoot directory.
For example for monitor.sys from Windows 2012 R2 catalog file is C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ServerCore-Drivers-Package-windows~31bf3856ad364e35~amd64~~6.3.9600.16384.cat

If you want to check digital signatures of file instead of looking in file properties use sigverif from system32. Open Windows Run dialog, type sigverif and press enter. Later you can explore log file for details.
 #31616  by EP_X0FF
 Thu May 31, 2018 4:06 am
You have EFI boot, GPT partition table, x64 Windows 10. I suppose SecureBoot is also present. You don't need Kaspersky BSOD generator at first and at second I suppose to keep it "working" on every new Windows release they need to push it update too.
 #31620  by EP_X0FF
 Fri Jun 01, 2018 5:24 pm
Do you understand that everything (or 99.9%) of what this tool is capable to detect doesn't work on Windows 10 by design and 100% of TDSSKiller detected bootkits doesn't work with GPT? Why this BSOD generator doesn't work in normal mode is a question to the Kaspersky TDSSKiller support not here.