A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #11985  by Tigzy
 Tue Mar 06, 2012 9:00 am

I got some piece of rootkit I analysed.

Dropper here (clic on white skull, pass infected) : http://www3.malekal.com/malwares/index. ... b526d6abc0

The rootkit patches acpi.sys for reboot survival.
Then it hooks a function somewhere in atapi.sys to hide the patched driver.

What is relevant (gmer log):
---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwResumeThread 805CAC22 1 Byte [CC] {INT 3 }
.text atapi.sys F9805852 1 Byte [CC] {INT 3 }
I fixed the atapi hook (code rewrite with Gmer), and the scan become (as expected):
---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwResumeThread 805CAC22 1 Byte [CC] {INT 3 }
.text ACPI.sys F986D300 24 Bytes [00, 00, 00, 00, 00, 00, 8B, ...]
.text ACPI.sys F986D319 7 Bytes [00, 6A, 0C, E8, AD, 13, 01]
.text ACPI.sys F986D321 5 Bytes [56, 68, CA, 06, 87]
.text ACPI.sys F986D327 3 Bytes [68, 5B, 2A]
.text ACPI.sys F986D32C 12 Bytes CALL F987E6CC ACPI.sys (Pilote ACPI pour NT/Microsoft Corporation)
.text ...
.text C:\WINDOWS\system32\drivers\ACPI.sys section is writeable [0xF986D300, 0x1AF00, 0xE8000020]
.rsrc C:\WINDOWS\system32\drivers\ACPI.sys section is executable [0xF9896F00, 0x1C48, 0xE8000040]
.reloc C:\WINDOWS\system32\drivers\ACPI.sys section is executable [0xF9898B80, 0x2506, 0xE8000040]
We can see the acpi.sys patched in memory and on the disk.
My question is the following:

How does the rootkit do to hide the patched driver on the disk?
Someone has an idea of which function it hooks? and how works the 0xCC trap to act as a filter?

I got the atapi.sys base address in memory, launched IDA and found the place where it's supposed to be hooked on the legit driver (I can't get the infected one)
Looks like this:
Sans titre 1.png
Sans titre 1.png (10.22 KiB) Viewed 839 times
 #11986  by rkhunter
 Tue Mar 06, 2012 9:23 am
Can you attach full GMER log of infected system? Or make log of Xuetr.
 #11989  by Tigzy
 Tue Mar 06, 2012 9:38 am
The Gmer report is full.
Well, Xuetr is REALLY a good tool! :o

Atapi hooks
[XueTr][Atapi]: 29
Index Fun Name Current Entry Hook Original Entry Module
0 IRP_MJ_CREATE 0xF98096F2 - 0xF98096F2 C:\WINDOWS\system32\drivers\atapi.sys
1 IRP_MJ_CREATE_NAMED_PIPE 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
2 IRP_MJ_CLOSE 0xF98096F2 - 0xF98096F2 C:\WINDOWS\system32\drivers\atapi.sys
3 IRP_MJ_READ 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
4 IRP_MJ_WRITE 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
5 IRP_MJ_QUERY_INFORMATION 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
6 IRP_MJ_SET_INFORMATION 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
7 IRP_MJ_QUERY_EA 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
8 IRP_MJ_SET_EA 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
9 IRP_MJ_FLUSH_BUFFERS 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
10 IRP_MJ_QUERY_VOLUME_INFORMATION 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
11 IRP_MJ_SET_VOLUME_INFORMATION 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
12 IRP_MJ_DIRECTORY_CONTROL 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
13 IRP_MJ_FILE_SYSTEM_CONTROL 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
14 IRP_MJ_DEVICE_CONTROL 0xF9809712 - 0xF9809712 C:\WINDOWS\system32\drivers\atapi.sys
15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xF9805852 inline hook 0xF9805852 C:\WINDOWS\system32\drivers\atapi.sys
16 IRP_MJ_SHUTDOWN 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
17 IRP_MJ_LOCK_CONTROL 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
18 IRP_MJ_CLEANUP 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
19 IRP_MJ_CREATE_MAILSLOT 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
20 IRP_MJ_QUERY_SECURITY 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
21 IRP_MJ_SET_SECURITY 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
22 IRP_MJ_POWER 0xF980973C - 0xF980973C C:\WINDOWS\system32\drivers\atapi.sys
23 IRP_MJ_SYSTEM_CONTROL 0xF9810336 - 0xF9810336 C:\WINDOWS\system32\drivers\atapi.sys
24 IRP_MJ_DEVICE_CHANGE 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
25 IRP_MJ_QUERY_QUOTA 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
26 IRP_MJ_SET_QUOTA 0x804F354A - 0x804F354A C:\WINDOWS\system32\ntkrnlpa.exe
27 IRP_MJ_PNP_POWER 0xF9810302 - 0xF9810302 C:\WINDOWS\system32\drivers\atapi.sys
28 DriverStartIo 0xF9806864 - 0xF9806864 C:\WINDOWS\system32\drivers\atapi.sys
Code: Select all
[XueTr][[Disasm]]: 67
Address		Binary		Asm
F9805852		CC		int3
F9805853		FF55 8B		call   dword ptr [ebp-75]
F9805856		EC		in     al, dx
F9805857		51		push   ecx
F9805858		51		push   ecx
F9805859		8B45 0C		mov    eax, dword ptr [ebp+C]
F980585C		53		push   ebx
F980585D		56		push   esi
F980585E		57		push   edi
F980585F		8B78 60		mov    edi, dword ptr [eax+60]
F9805862		8B77 04		mov    esi, dword ptr [edi+4]
F9805865		897D F8		mov    dword ptr [ebp-8], edi
F9805868		FF15 88A480F9		call   dword ptr [F980A488]
F980586E		8B45 08		mov    eax, dword ptr [ebp+8]
F9805871		8B58 28		mov    ebx, dword ptr [eax+28]
F9805874		EB 4D		jmp    F98058C3
F9805876		807E 02 00		cmp    byte ptr [esi+2], 0
F980587A		8A83 84000000		mov    al, byte ptr [ebx+84]
F9805880		8846 05		mov    byte ptr [esi+5], al
F9805883		8A83 85000000		mov    al, byte ptr [ebx+85]
F9805889		8846 06		mov    byte ptr [esi+6], al
F980588C		8A83 86000000		mov    al, byte ptr [ebx+86]
F9805892		8846 07		mov    byte ptr [esi+7], al
F9805895		75 0E		jne    F98058A5
F9805897		8A4E 31		mov    cl, byte ptr [esi+31]
F980589A		C0E0 05		shl    al, 5
F980589D		80E1 1F		and    cl, 1F
F98058A0		0AC1		or     al, cl
F98058A2		8846 31		mov    byte ptr [esi+31], al
F98058A5		8B43 5C		mov    eax, dword ptr [ebx+5C]
F98058A8		8B58 0C		mov    ebx, dword ptr [eax+C]
F98058AB		8B45 0C		mov    eax, dword ptr [ebp+C]
F98058AE		8B78 60		mov    edi, dword ptr [eax+60]
F98058B1		8B77 04		mov    esi, dword ptr [edi+4]
F98058B4		895D 08		mov    dword ptr [ebp+8], ebx
F98058B7		897D F8		mov    dword ptr [ebp-8], edi
F98058BA		FF15 88A480F9		call   dword ptr [F980A488]
F98058C0		8B5B 28		mov    ebx, dword ptr [ebx+28]
F98058C3		833B 00		cmp    dword ptr [ebx], 00000000
F98058C6		74 AE		je     F9805876
F98058C8		33C0		xor    eax, eax
F98058CA		8A46 07		mov    al, byte ptr [esi+7]
F98058CD		6A 01		push   1
F98058CF		50		push   eax
F98058D0		33C0		xor    eax, eax
F98058D2		8A46 06		mov    al, byte ptr [esi+6]
F98058D5		50		push   eax
F98058D6		33C0		xor    eax, eax
F98058D8		8A46 05		mov    al, byte ptr [esi+5]
F98058DB		50		push   eax
F98058DC		53		push   ebx
F98058DD		E8 24190000		call   F9807206
F98058E2		85C0		test   eax, eax
F98058E4		8945 FC		mov    dword ptr [ebp-4], eax
F98058E7		75 14		jne    F98058FD
F98058E9		8B4D 0C		mov    ecx, dword ptr [ebp+C]
F98058EC		C646 03 08		mov    byte ptr [esi+3], 8
F98058F0		BE 0E0000C0		mov    esi, 0C000000E
F98058F5		8971 18		mov    dword ptr [ecx+18], esi
F98058F8		E9 C3020000		jmp    F9805BC0
F98058FD		8B45 FC		mov    eax, dword ptr [ebp-4]
F9805900		8947 10		mov    dword ptr [edi+10], eax
F9805903		8A56 02		mov    dl, byte ptr [esi+2]
F9805906		80FA C9		cmp    dl, 0C9
F9805909		0F84 84010000		je     F9805A93
F980590F		8366 28 00		and    dword ptr [esi+28], 00000000
F9805913		8A80 D0000000		mov    al, byte ptr [eax+D0]
Ok, I begin to understand now, by comparison, all this is overwritten with a call to another place:
But what for an int 3??
Code: Select all
F9805852		CC		int3
F9805853		FF55 8B		call   dword ptr [ebp-75]
F9805856		EC		in     al, dx


EDIT: In kernel hooks
[XueTr][Kernel Hook]: 17
Hooked Object Hook Address and Location Type Current Value Original Value
[*]len(1) RtlPrefetchMemoryNonTemporal[ntkrnlpa.exe] [0x80542354]->[-] Inline 90 C3
[*]len(1) KiFastCallEntry[ntkrnlpa.exe] [0x8053D736]->[-] Inline 06 05
[*]len(1) NtResumeThread[ntkrnlpa.exe] [0x805CAC22]->[-] Inline CC 6A
len(4) [ntkrnlpa.exe] [0x80501C30]->[-] Inline FE 02 00 FA 86 A2 61 80
len(4) [ntkrnlpa.exe] [0x80501C60]->[-] Inline F4 02 00 FA 08 72 5C 80
len(12) [ntkrnlpa.exe] [0x80501C88]->[-] Inline 03 03 00 FA 42 AC 5E 80 0D 03 00 FA 16 A7 61 80 42 AC 5E 80 E6 A8 61 80
[*]len(4) [ntkrnlpa.exe] [0x80501D14]->[-] Inline 12 03 00 FA 82 C4 61 80
[*]len(4) [ntkrnlpa.exe] [0x80501D74]->[-] Inline E0 02 00 FA 96 12 5C 80
[*]len(4) [ntkrnlpa.exe] [0x80501D8C]->[-] Inline E5 02 00 FA 22 15 5C 80
len(4) [ntkrnlpa.exe] [0x80501E90]->[-] Inline 1C 03 00 FA 32 C3 61 80
[*]len(4) [ntkrnlpa.exe] [0x80501EBC]->[-] Inline 17 03 00 FA 3E BC 61 80
len(4) [ntkrnlpa.exe] [0x80501F68]->[-] Inline 08 03 00 FA 0C 88 61 80
len(4) [ntkrnlpa.exe] [0x80501F90]->[-] Inline EF 02 00 FA 2A 8C 5C 80
[*]len(18) [ntkrnlpa.exe] [0x80541A5A]->[-] Inline E0 25 7F FF FF FF 0F 22 E0 0D 80 00 00 00 0F 22 E0 C3 D8 0F 22 D8 C3 0F 20 E0 25 7F FF FF FF 0F 22 E0 0D 80
[*]len(1) [ntkrnlpa.exe] [0x80541A72]->[-] Inline 00 C3
len(13) [ntkrnlpa.exe] [0x80681000]->[-] Inline 43 6F 75 6C 64 20 6E 6F 74 20 67 65 74 70 65 20 66 69 65 6C 64 20 66 72 6F 6D
[*]len(1) [atapi.sys] [0xF9805852]->[-] Inline CC 8B
 #11990  by rkhunter
 Tue Mar 06, 2012 9:44 am
Probably it intercepts IDT vector of int 3 (0xCC handler) and this is was answer of your question (the appointment of 0xCC).
Please attach full log.
 #11993  by rkhunter
 Tue Mar 06, 2012 10:02 am
IDT is clean, but there are a some kernel hooks look for this way. Try connect windbg to it's investigation.
 #11994  by Tigzy
 Tue Mar 06, 2012 10:36 am
There is a call just after the int3, I don't think the int3 is used to redirect the execution flow...
Maybe only a way to forbid the debugging of atapi? I don't know. However, I'm now able to find sensible functions to check (with IRPs MJ addresses), and to find inline hooks in this.
I will add this in my tool :)

Thanks for your help rkhunter, I appreciate it as always ;)
 #12802  by Alex
 Thu Apr 19, 2012 6:00 pm
Probably it was Virus.Win32.Rloader.a, and actually it uses INT3 to redirect the execution flow - just check content of the KiDebugRoutine...
 #13469  by Tigzy
 Mon May 28, 2012 12:15 pm
Hi Alex
just check content of the KiDebugRoutine...
Inline hooked?
Ingenious! It means that with only one instruction you can redirect the instruction flow in any memory adress you want without hardcoding it.
 #13671  by Alex
 Sun Jun 03, 2012 4:39 pm
There is nothing new in this method. For example few years ago bugcheck has published PoC of OnByteHook. Utilization of KiDebugRoutine/IDT/DRX is well know and used by some malware (RLoader, Pihar, ...). I wonder is there something new in latest variants of RLoader, because variant A even doesn't have selfdefense mechanism.