A forum for reverse engineering, OS internals and malware analysis
kmd wrote:http://artemonsecurity.blogspot.com/201 ... inese.htmlHow many times should I post this? Five? Twelve? This lolkit has nothing to do with DrvMon. The statement in blogpost is incorrect. Having some "DrvMon" string inside does not give it ability to "prevent", "detect" or whatever. We had to consider giving really rare name to our tool, something like "Yzlaypfsshz500" to exclude possible linking with lolkits from China. From the logic of main blacklist with numerous crapware in it - some of this "antimalwarez" have the driver that can be exploited through not secured control code which disables some features of this "product" and obviously it will be called right before malware driver load. I don't want download, install and reverse all this pieces of shit just to find which one, because it is boring and out of any kind of interest.
i dont get it, im using drvmon as well as many others and didnt noticed any blacklisting or tool detection. can any1 shread some light?
\\.\%C:
\\.\PhysicalDrive0
Global\{65B4B2F0-2810-4df5-BD0F-0CE435A61102}
stinst.log
{2937F62B-D7E0-494e-A7CA-A37D957FC8AD}
{A66621EF-57B8-4ee3-A5D5-B76CB6002EBE}
%s%.8x.bat
:DELFILE
del "%s"
if exist "%s" goto :DELFILE
del "%s"
open
360tray.exe
explorer.exe
HardwareInfo.exe
HintClient.exe
CfgClt.exe
AVP.exe
KSafeTray.exe
RavMonD.exe
%.8X.tmp
%s%s
.exe
%s\%s.dll
%s\%s
Start
Svchost
netsvcs
%SystemRoot%
%s\System32\%s.exe -k %s
Parameters
%s\%s\%s
ServiceDll
360leakfixer.exe
RsAgent.exe
132020 197640 395280 790560 1581120 3162240
onment
Envir
Manager
Session
Control
%s\%s\%s %s\%s%s
Path
%s;%s
Environment
Paths
SOFTWARE\Microsoft\Windows\CurrentVersion
%s\%s %s\
HELPCTR.EXE
MSIMG32.dll
control.exe
OLE32.dll
Shell_TrayWnd
ImmLoadLayout
imm32.dll
ZwQueryValueKey
ntdll.dll
Keyboard Layout\Preload
user32.dll
%s\Control\Keyboard Layouts\%.8X
Layout File
%.8X
Layout Text
Program Manager
ntdll
ZwQuerySystemInformation
FILE
MACHINE\%s
Everyone
sfc_os.dll
SfcFileException
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SYSTEM\CurrentControlSet\Services
SYSTEM\CurrentControlSet
\\.\Guntior
%s\%s.sys
Base
SeLoadDriverPrivilege
ZwCreateFile
Enum
Service
ConfigFlags
Type
system32\%s.sys
ImagePath
Group
ErrorControl
Classes
Device
%s\%s\%s%s\%s
%s\%s%s\%s%s\%s
DrvAnti.exe
drvanti%.4d%.2d%.2d.log
E:\NBMSClient\%s\%s
%s%.8x.tmp
Handle=
%s%.8x.exe
%s %X
HintRoot.sys
SeDebugPrivilege
NtSystemDebugControl
\\.\HintDefend
\\.\DP0000
Set|DrvMon|0
IME file
setup.exe
C:\test.pdb
rkhunter wrote:- Interesting method of initialization via dll and keyboard layout switchingFirst time I saw this method of driver loading in an old "Wapomi/Qvod/Jadtre" Chinese malware which is a predecessor of this one. Do you know any other malware which use unusual driver loading method?
- Interesting method of driver loading via PnpManager (look function at 403118)
- Killing processes of AV-products via driver - PsTerminateProcess
Peter Kleissner wrote:Those crooks! They stole my NTFS driver source from my bootkit, and they are not even paying me! Crooks! Chinese copycats! Polizei!..this is the reason why I don't publish source code of my researches Peter, except if someone mail me...
It looks like they used my source 1:1. Look at this for example: ...
Alex wrote:Do you know any other malware which use unusual driver loading method?Don't remember any like this.
Alex wrote:First time I saw this method of driver loading in an old "Wapomi/Qvod/Jadtre" Chinese malware which is a predecessor of this one. Do you know any other malware which use unusual driver loading method?This one infects userinit.exe as well? Is that a common characteristic of this bootkit?
