need help Explain this code

#31532 by lwbkm
Wed May 02, 2018 1:35 am

I found a driver sys , it can hide and delete himself and can not enum by ARK, but I don't understand this code. it got it from ida. who Can explain it to me.thanks very much.

Code: Select all

char __fastcall sub_140001EF0(__int64 a1)
{
  PVOID v1; // rax
  __int64 v2; // rcx
  PDRIVER_OBJECT v3; // rcx
  char v5; // [rsp+40h] [rbp-D8h]
  NTSTATUS (__stdcall *v6)(struct _DEVICE_OBJECT *, struct _IRP *); // [rsp+48h] [rbp-D0h]
  char v7; // [rsp+50h] [rbp-C8h]
  PVOID P; // [rsp+58h] [rbp-C0h]
  char v9; // [rsp+60h] [rbp-B8h]
  NTSTATUS v10; // [rsp+64h] [rbp-B4h]
  PVOID v11; // [rsp+68h] [rbp-B0h]
  PDRIVER_OBJECT DriverObject; // [rsp+70h] [rbp-A8h]
  PDEVICE_OBJECT DeviceObject; // [rsp+78h] [rbp-A0h]
  UNICODE_STRING DeviceName; // [rsp+80h] [rbp-98h]
  UNICODE_STRING DestinationString; // [rsp+90h] [rbp-88h]
  __int64 v16; // [rsp+A0h] [rbp-78h]
  UNICODE_STRING SymbolicLinkName; // [rsp+A8h] [rbp-70h]
  __int64 v18; // [rsp+B8h] [rbp-60h]
  char v19; // [rsp+C0h] [rbp-58h]
  char v20; // [rsp+D2h] [rbp-46h]
  __int64 v21; // [rsp+120h] [rbp+8h]

  v21 = a1;
  v11 = 0i64;
  v6 = 0i64;
  v7 = 0;
  qmemcpy(&v19, L"\\Device\\", 0x12ui64);
  memset(&v20, 0, 0x28ui64);
  v18 = 0i64;
  P = 0i64;
  v16 = 0i64;
  if ( (signed int)sub_1400028FC() >= 0 )
  {
    v1 = ExAllocatePool(0, 0x1000ui64);
    Dst = v1;
    if ( v1 )
    {
      memset(Dst, 0, 0x1000ui64);
      P = (PVOID)sub_1400014B8(&qword_140006010, 0i64, 1i64);
      if ( P )
      {
        qword_1400061C0 = sub_14000144C(&unk_140005140, 1024i64);
        if ( qword_1400061C0 )
        {
          qword_140006148 = sub_140001534(sub_140003F4C, 592i64, P);
          qword_140006150 = sub_140001534(sub_140003C8C, 848i64, P);
          qword_140006138 = sub_140001534(sub_14000432C, 256i64, P);
          qword_140006140 = sub_140001534(sub_1400041F0, 256i64, P);
          qword_140006188 = sub_140001534(sub_1400042E4, 80i64, P);
          qword_140006180 = sub_140001534(sub_140004298, 80i64, P);
          qword_140006190 = sub_140001534(sub_1400037E0, 640i64, P);
          qword_140006198 = sub_140001534(sub_140004158, 176i64, P);
          qword_1400061A0 = sub_140001534(sub_1400039CC, 848i64, P);
          v11 = (PVOID)sub_140001534(sub_140003754, 144i64, P);
          if ( v11 )
          {
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))sub_140001D6C("Fs_Rec.sys");
            if ( !v6 )
            {
              ExFreePoolWithTag(v11, 0);
              LOBYTE(v1) = 0;
              return (char)v1;
            }
            sub_140001CF0(v21, v6);
            RtlInitUnicodeString(&DestinationString, L"\\filesystem\\Fs_Rec");
            v10 = ObReferenceObjectByName(
                    &DestinationString,
                    576i64,
                    0i64,
                    0i64,
                    IoDriverObjectType,
                    0,
                    0i64,
                    &DriverObject);
            if ( v10 < 0 )
            {
              DbgPrint("failed :%x\n", (unsigned int)v10);
              LOBYTE(v1) = 0;
              return (char)v1;
            }
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))sub_140001BDC(v6);
            v5 = 72;
            sub_1400027E4(v6, &v5, 1i64);
            v5 = -72;
            sub_1400027E4((char *)v6 + 1, &v5, 1i64);
            sub_1400027E4((char *)v6 + 2, &v11, 8i64);
            v5 = -1;
            sub_1400027E4((char *)v6 + 10, &v5, 1i64);
            v5 = -32;
            sub_1400027E4((char *)v6 + 11, &v5, 1i64);
            LOBYTE(v2) = 1;
            sub_140002678(v2, v6);
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))((char *)v6 + 12);
            v11 = (PVOID)sub_140001534(sub_140002D2C, 512i64, P);
            v5 = 72;
            sub_1400027E4(v6, &v5, 1i64);
            v5 = -72;
            sub_1400027E4((char *)v6 + 1, &v5, 1i64);
            sub_1400027E4((char *)v6 + 2, &v11, 8i64);
            v5 = -1;
            sub_1400027E4((char *)v6 + 10, &v5, 1i64);
            v5 = -32;
            sub_1400027E4((char *)v6 + 11, &v5, 1i64);
            PsSetCreateProcessNotifyRoutineEx(v6, 0i64);
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))((char *)v6 + 12);
            v11 = (PVOID)sub_140001534(sub_140003674, 512i64, P);
            v5 = 72;
            sub_1400027E4(v6, &v5, 1i64);
            v5 = -72;
            sub_1400027E4((char *)v6 + 1, &v5, 1i64);
            sub_1400027E4((char *)v6 + 2, &v11, 8i64);
            v5 = -1;
            sub_1400027E4((char *)v6 + 10, &v5, 1i64);
            v5 = -32;
            sub_1400027E4((char *)v6 + 11, &v5, 1i64);
            PsSetLoadImageNotifyRoutine(v6);
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))((char *)v6 + 12);
            RtlInitUnicodeString(&DeviceName, L"\\Device\\iubesks");
            RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\iubesks");
            v10 = IoCreateDevice(DriverObject, 0, &DeviceName, 0x22u, 0, 0, &DeviceObject);
            v10 = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
            if ( v10 < 0 )
            {
              LOBYTE(v1) = 0;
              return (char)v1;
            }
            DeviceObject->Flags &= 0xFFFFFF7F;
            qword_1400061E8 = (__int64)DeviceObject;
            qword_140006120 = (__int64)DriverObject->MajorFunction[0];
            qword_140006128 = (__int64)DriverObject->MajorFunction[2];
            qword_140006130 = (__int64)DriverObject->MajorFunction[14];
            v11 = (PVOID)sub_140001534(sub_140002E14, 2142i64, P);
            v5 = 72;
            sub_1400027E4(v6, &v5, 1i64);
            v5 = -72;
            sub_1400027E4((char *)v6 + 1, &v5, 1i64);
            sub_1400027E4((char *)v6 + 2, &v11, 8i64);
            v5 = -1;
            sub_1400027E4((char *)v6 + 10, &v5, 1i64);
            v5 = -32;
            sub_1400027E4((char *)v6 + 11, &v5, 1i64);
            sub_1400014B8(&qword_140006010, P, 2i64);
            v9 = sub_14000276C();
            DriverObject->MajorFunction[0] = v6;
            DriverObject->MajorFunction[2] = v6;
            v3 = DriverObject;
            DriverObject->MajorFunction[14] = v6;
            LOBYTE(v3) = v9;
            sub_1400027B0(v3);
          }
          else
          {
            v7 = 0;
          }
          LOBYTE(v1) = v7;
          return (char)v1;
        }
        ExFreePoolWithTag(P, 0);
        LOBYTE(v1) = 0;
      }
      else
      {
        LOBYTE(v1) = 0;
      }
    }
  }
  else
  {
    LOBYTE(v1) = 1;
  }
  return (char)v1;
}

Username

lwbkm

Posts

11

Joined

Fri Apr 27, 2018 10:02 am

Re: need help Explain this code

#31534 by EP_X0FF
Wed May 02, 2018 4:15 am

It is DriverEntry. That's all what you can get as an answer from posting raw IDA HexRays dump. If you want help seriously then you should attach actual file not useless HexRay dump.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: need help Explain this code

#31535 by lwbkm
Wed May 02, 2018 7:29 am

EP_X0FF wrote: ↑Wed May 02, 2018 4:15 am It is DriverEntry. That's all what you can get as an answer from posting raw IDA HexRays dump. If you want help seriously then you should attach actual file not useless HexRay dump.

I only have this file sys;i want to understand how he realized it,maybe you can help me,thanks.

sys.rar

(11.27 KiB) Downloaded 4 times

Username

lwbkm

Posts

11

Joined

Fri Apr 27, 2018 10:02 am

Re: need help Explain this code

#31537 by Vrtule
Wed May 02, 2018 4:10 pm

As far as I understand the code, the driver just copies itself to some other memory locations, plays a little with FsRec.sys (since the kernel, including Patchguard, does not like registered callbacks not belonging to any driver) and returns STATUS_UNSUCCESSFUL, so the system unmaps its executable from meory. However, I am still not getting some minor things.

Since the driver is actually not loaded, its file can be deleted and it is not visible in the PsLoadedModuleList.

Assuming you are writting an ARK, this is NOT the way to go if you wish your driver being more stable and polite to other drivers.

Username

Vrtule

Posts

468

Joined

Sat Mar 13, 2010 9:14 pm

Location

Czech Republic

Contact

Re: need help Explain this code

#31539 by lwbkm
Thu May 03, 2018 2:17 am

thanks,As I understood before, but some functions I do not understand, there is a similar source code to refer to?

Username

lwbkm

Posts

11

Joined

Fri Apr 27, 2018 10:02 am

Re: need help Explain this code

#31543 by EP_X0FF
Thu May 03, 2018 8:28 am

This driver constructs shellcode in runtime in allocated from NonPaged pool memory, hooks IRP of some legitimate ms drivers and quits leaving shellcode work in callback routines. Later driver file can be removed by loader. That's why there is no "file" and "ark" won't detect it as "driver". However all it modifications are detectable. Strickly speaking this is piece of out-dated trash.

To reproduce this trash - load your driver, allocate memory from NonPaged pool, copy your shellcode to it and set notify routine where callback function will be your allocated memory. Unload your driver, remove file from disk. Done. Expect BSOD from PatchGuard on Windows 10 as "kernel notification callout modification".

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: need help Explain this code

#31545 by lwbkm
Thu May 03, 2018 10:04 am

thanks,verymuch,I understand. :D :D :D :D

Username

lwbkm

Posts

11

Joined

Fri Apr 27, 2018 10:02 am