A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #8878  by Johnny5
 Sat Oct 01, 2011 2:24 am
I was recently reading a very good writeup of the tdl3 analysis by Nguyen Pho Son and found out the link to these tools was broken (http://blog.cmclab.net/files/npson/scri ... cripts.rar). A_D_13 was mentioned in this article as well. Does anyone here have these scripts and maybe some detailed info on the ZeroAccess rootkit? I have a partial pseudocode of the Self-Defense driver and was also wondering if anyone else had more info they could share in PM with details, tools to help analysis, and so on?? Would really appreciate it and this has been a good learning opportunity for me.
 #8943  by frank_boldewin
 Mon Oct 03, 2011 9:04 pm
hey,

here are some infos about zeroaccess:

http://pxnow.prevx.com/content/blog/zer ... alysis.pdf

http://resources.infosecinstitute.com/s ... e-rootkit/

and the tdl3 scripts:
Code:
# 10/15/2009
# build string from TDL3 rootkit binaries
# thug4lif3 at g00gles mail or npson at cmcinfosec.com
#
# IDAPython (Python 2 era API); these imports are implicit when run from inside IDA
from idautils import *
from idc import *

data = []
current_head = 0
for seg_ea in Segments():
    for head in Heads(seg_ea, SegEnd(seg_ea)):
        # TDL3 builds its strings one byte at a time: mov [mem+disp], imm8
        if GetOpType(head, 0) == 4 and GetOpType(head, 1) == 5 and GetMnem(head) == 'mov':
            char = int(GetOpnd(head, 1).replace('h', ''), 16)
            if char > 0x19 and char < 0x7F:      # printable ASCII only
                data.append(chr(char))
                if current_head == 0:
                    current_head = head          # address where the string starts
        else:
            if data:                             # sequence ended, print what was collected
                print '%x - %s' % (current_head, ''.join(data))
                data = []  # reset the list
                current_head = 0
Code:
# 10/15/2009
# resolve TDL3 ntoskrnl.exe's names and comment them into IDA disassembly
# thug4lif3 at g00gles mail or npson at cmcinfosec.com
#
# IDAPython (Python 2 era API); needs the pefile module installed
import pefile, sys, string
from idautils import *
from idc import *
"""
The hash routine as decompiled from the rootkit:

api_string = a1;
for ( result = 0; *api_string; ++api_string )
    result = *(_WORD *)api_string + 0x1003F * result;
return result;
"""
ntos_api = dict()

def c_mul(a, b):
    # 32-bit wrapping multiply, like the DWORD arithmetic in the C code
    return (long(a) * b) & 0xFFFFFFFFL

def calc_hash(api_name):
    # the WORD read at each byte takes the next char as its high byte;
    # for the last char the high byte is the terminating NUL
    value = 0
    for i in range(len(api_name) - 1):
        value = ord(api_name[i + 1]) * 0x100 + ord(api_name[i]) + c_mul(value, 0x1003F)
    # mask the final add too, so the result wraps exactly like the C DWORD
    value = (ord(api_name[len(api_name) - 1]) + c_mul(value, 0x1003F)) & 0xFFFFFFFFL
    return value

pe = pefile.PE('C:\\WINDOWS\\system32\\ntoskrnl.exe')
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
    if exp.name:  # skip ordinal-only exports
        ntos_api[calc_hash(exp.name)] = exp.name

for seg_ea in Segments():
    for head in Heads(seg_ea, SegEnd(seg_ea)):
        # the hash is pushed as an immediate before the resolver call
        if GetOpType(head, 0) == 5 and GetMnem(head) == 'push' and len(GetOpnd(head, 0)) > 4:
            hash_val = int(GetOpnd(head, 0).replace('h', ''), 16)
            api_name = ntos_api.get(hash_val, 0)
            if api_name != 0:
                print '%x - hash %x - api %s' % (head, hash_val, api_name)
                MakeComm(head, api_name)
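The hash the second script resolves, ported here to Python 3 as an added example (not one of Nguyen Pho Son's scripts): it follows the decompiled C loop literally, word by word over the NUL-terminated name, builds the hash-to-name table from a constructed list of export names standing in for ntoskrnl's export directory, and flags collisions, since two exports hashing alike would make a resolved comment ambiguous.

```python
import struct

HASH_MUL = 0x1003F  # multiplier in the decompiled TDL3 resolver


def tdl3_hash(name: bytes) -> int:
    """Literal port of the decompiled loop: at every byte of the NUL-terminated
    name read a 16-bit little-endian word (the last one is <last char, 0x00>)
    and fold it into a 32-bit accumulator, wrapping like the C DWORD does."""
    buf = name + b"\x00"
    result = 0
    for i in range(len(name)):
        word, = struct.unpack_from("<H", buf, i)
        result = (word + HASH_MUL * result) & 0xFFFFFFFF
    return result


def build_hash_table(export_names):
    """Map hash -> export name, and report any two names sharing a hash."""
    table, collisions = {}, []
    for name in export_names:
        h = tdl3_hash(name)
        if h in table and table[h] != name:
            collisions.append((h, table[h], name))
        table[h] = name
    return table, collisions


def resolve(pushed_immediates, table):
    """For each immediate seen in a 'push' before the resolver call, give the
    export it names, or None when it matches no known export hash."""
    return [table.get(imm) for imm in pushed_immediates]


# Constructed sample standing in for ntoskrnl's export directory.
SAMPLE_EXPORTS = [b"ExAllocatePool", b"IoCreateDevice", b"ZwCreateFile",
                  b"KeInitializeSpinLock"]

if __name__ == "__main__":
    table, dupes = build_hash_table(SAMPLE_EXPORTS)
    print(resolve([tdl3_hash(b"IoCreateDevice")], table), dupes)
```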
 #9049  by Johnny5
 Sun Oct 09, 2011 10:13 am
Thank you very much! Kind Sir! Rep+. I found those articles earlier; I was kind of hoping for more info, like how to search for the hidden volume to extract/delete volume and files. Doesn't seem the same as tdl.
 #9090  by frank_boldewin
 Tue Oct 11, 2011 5:25 pm
For dumping the ZeroAccess filesystem you first need to know the device name the rootkit has created. Usually it starts with ACPI#PNP. Then you have to use the SCSI read function via IOCTL_SCSI_PASS_THROUGH_DIRECT to access the RC4-encrypted sectors of the filesystem.

Here are some tricks to find ZeroAccess in memory:
Code:
    kd> !object \global??
    Object: e1004488 Type: (825d9418) Directory
    ObjectHeader: e1004470 (old version)
    HandleCount: 1 PointerCount: 139
    Directory Object: e1001140 Name: GLOBAL??

    Hash Address Type Name
    ---- ------- ---- ----
    00 e13515f8 SymbolicLink NDIS
    e140b2d8 SymbolicLink HID#Vid_0e0f&Pid_0003&MI_00#7&1b1a3d13&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}
    e1407280 SymbolicLink DISPLAY1
    ...
    ...
    ...
    e15e3cf0 SymbolicLink ACPI#PNP0501#2#{86e0d1e0-8089-11d0-9ce4-08003e301f73}
    19 823e3a28 Device ACPI#PNP0303#2&da1a3ff&0
    ...
    ...
look at the entry: 823e3a28 Device ACPI#PNP0303#2&da1a3ff&0
this is what we are looking for.

let's get the device object infos:
Code:
    kd> dt _device_object 823e3a28
    ntdll!_DEVICE_OBJECT
    +0x000 Type : 3
    +0x002 Size : 0xb8
    +0x004 ReferenceCount : 329
    +0x008 DriverObject : 0x8235e858 _DRIVER_OBJECT
    +0x00c NextDevice : (null)
    +0x010 AttachedDevice : (null)
    +0x014 CurrentIrp : (null)
    +0x018 Timer : (null)
    +0x01c Flags : 0x840
    +0x020 Characteristics : 0
    +0x024 Vpb : (null)
    +0x028 DeviceExtension : (null)
    +0x02c DeviceType : 0x22
    +0x030 StackSize : 10 ''
    +0x034 Queue : __unnamed
    +0x05c AlignmentRequirement : 0
    +0x060 DeviceQueue : _KDEVICE_QUEUE
    +0x074 Dpc : _KDPC
    +0x094 ActiveThreadCount : 0
    +0x098 SecurityDescriptor : 0xe100b868
    +0x09c DeviceLock : _KEVENT
    +0x0ac SectorSize : 0x1000
    +0x0ae Spare1 : 0
    +0x0b0 DeviceObjectExtension : 0x823e3ae0 _DEVOBJ_EXTENSION
    +0x0b4 Reserved : (null)
and the driver object information:
Code:
    kd> dt -b _driver_object 0x8235e858
    ntdll!_DRIVER_OBJECT
    +0x000 Type : 4
    +0x002 Size : 168
    +0x004 DeviceObject : 0x823e3a28
    +0x008 Flags : 0x12
    +0x00c DriverStart : 0xf6ed9000
    +0x010 DriverSize : 0x1f000
    +0x014 DriverSection : 0x82309c08
    +0x018 DriverExtension : 0x8235e900
    +0x01c DriverName : _UNICODE_STRING ""
    +0x000 Length : 0
    +0x002 MaximumLength : 0
    +0x004 Buffer : (null)
    +0x024 HardwareDatabase : 0x8066e9d8
    +0x028 FastIoDispatch : 0xf6ee6680
    +0x02c DriverInit : 0xf6ee1eed
    +0x030 DriverStartIo : (null)
    +0x034 DriverUnload : (null)
    +0x038 MajorFunction :
    [00] 0xf6edf9d0
    [01] 0xf6edf9d0
    [02] 0xf6edf9d0
    [03] 0xf6edf9d0
    [04] 0xf6edf9d0
    [05] 0xf6edf9d0
    [06] 0xf6edf9d0
    [07] 0xf6edf9d0
    [08] 0xf6edf9d0
    [09] 0xf6edf9d0
    [10] 0xf6edf9d0
    [11] 0xf6edf9d0
    [12] 0xf6edf9d0
    [13] 0xf6edf9d0
    [14] 0xf6edf9d0
    [15] 0xf6edf9d0
    [16] 0xf6edf9d0
    [17] 0xf6edf9d0
    [18] 0xf6edf9d0
    [19] 0xf6edf9d0
    [20] 0xf6edf9d0
    [21] 0xf6edf9d0
    [22] 0xf6edf9d0
    [23] 0xf6edf9d0
    [24] 0xf6edf9d0
    [25] 0xf6edf9d0
    [26] 0xf6edf9d0
    [27] 0xf6edf9d0
check out the entry DriverName : _UNICODE_STRING "".
it has no name.
DriverStart is 0xf6ed9000 and DriverSize is 0x1f000. use them if you wanna dump the rootkit driver.
to load it into IDA for further debugging, just rebase the image to f6ed9000 and adjust the raw entries to the virtual entries in the sections area, e.g. with an easy python script or with petools.

next check for suspicious thread entries.
Code:
    kd> !process 0 f system
    PROCESS 825b4830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00ad7000 ObjectTable: e1000cc0 HandleCount: 273.
    Image: System
    VadRoot 825b3298 Vads 5 Clone 0 Private 3. Modified 5802. Locked 0.
    DeviceMap e1004418
    Token e10017e8
    ElapsedTime 01:18:43.885
    UserTime 00:00:00.000
    KernelTime 00:00:16.484
    QuotaPoolUsage[PagedPool] 0
    QuotaPoolUsage[NonPagedPool] 0
    Working Set Sizes (now,min,max) (60, 0, 345) (240KB, 0KB, 1380KB)
    PeakWorkingSetSize 510
    VirtualSize 1 Mb
    PeakVirtualSize 2 Mb
    PageFaultCount 6173
    MemoryPriority BACKGROUND
    BasePriority 8
    CommitCharge 7

    THREAD 825b45a8 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 READY
    Not impersonating
    DeviceMap e1004418
    Owning Process 0 Image: <Unknown>
    Attached Process 825b4830 Image: System
    Wait Start TickCount 302300 Ticks: 19 (0:00:00:00.296)
    Context Switch Count 6385
    UserTime 00:00:00.000
    KernelTime 00:00:06.875
    Start Address nt!Phase1Initialization (0x80683528)
    Stack Init f8ac2000 Current f8ac179c Base f8ac2000 Limit f8abf000 Call 0
    Priority 0 BasePriority 0 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    f8ac17b4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
    f8ac17c0 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
    f8ac17f8 805187cf nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
    f8ac1844 8068466d nt!MmZeroPageThread+0x61 (FPO: [0,6,0])
    f8ac1dac 805c4a28 nt!Phase1Initialization+0x1145 (FPO: [1,342,0])
    f8ac1ddc 80540fa2 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
    00000000 00000000 nt!KiThreadStartup+0x16
    ...
    ...
    ...
    THREAD 822f92d0 Cid 0004.0148 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
    f6ee6954 Unknown
    IRP List:
    8230f5b0: (0006,0094) Flags: 00000030 Mdl: 00000000
    82484f00: (0006,0094) Flags: 00000030 Mdl: 00000000
    824cfec0: (0006,0094) Flags: 00000030 Mdl: 00000000
    81d80f68: (0006,0094) Flags: 00000030 Mdl: 00000000
    82387dd8: (0006,0094) Flags: 00000030 Mdl: 00000000
    820b35d0: (0006,0094) Flags: 00000030 Mdl: 00000000
    81e10ae0: (0006,0094) Flags: 00000030 Mdl: 00000000
    82324268: (0006,0094) Flags: 00000030 Mdl: 00000000
    82486df8: (0006,0094) Flags: 00000030 Mdl: 00000000
    823e19b0: (0006,0094) Flags: 00000030 Mdl: 00000000
    823eeaa8: (0006,0094) Flags: 00000030 Mdl: 00000000
    824d7620: (0006,0094) Flags: 00000030 Mdl: 00000000
    81d7af68: (0006,0094) Flags: 00000030 Mdl: 00000000
    81d77f68: (0006,0094) Flags: 00000030 Mdl: 00000000
    825660b8: (0006,0094) Flags: 00000030 Mdl: 00000000
    8235fbd8: (0006,0094) Flags: 00000030 Mdl: 00000000
    82458aa8: (0006,0094) Flags: 00000030 Mdl: 81e17b28
    Not impersonating
    DeviceMap e1004418
    Owning Process 0 Image: <Unknown>
    Attached Process 825b4830 Image: System
    Wait Start TickCount 264949 Ticks: 37370 (0:00:09:43.906)
    Context Switch Count 1105
    UserTime 00:00:00.000
    KernelTime 00:00:00.718
    Start Address 0xf6ee1105
    Stack Init f7a78000 Current f7a77d34 Base f7a78000 Limit f7a75000 Call 0
    Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    Kernel stack not resident.
    ChildEBP RetAddr
    f7a77d4c 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
    f7a77d58 804faf12 nt!KiSwapThread+0x46 (FPO: [0,0,0])
    f7a77d84 f6eddd8e nt!KeRemoveQueue+0x20e (FPO: [3,6,4])
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00000000 00000000 0xf6eddd8e
the last entry "WARNING: Frame IP not..." points us to the rootkit area as well: "0xf6eddd8e".

next let's check the fake usermode ADS PE file of the rootkit, which is used as a trap process to fuck up security and AV software.
Code:
    kd> !process 0 0
    **** NT ACTIVE PROCESS DUMP ****
    PROCESS 825b4830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00ad7000 ObjectTable: e1000cc0 HandleCount: 273.
    Image: System

    PROCESS 82428580 SessionId: none Cid: 017c Peb: 7ffdb000 ParentCid: 0004
    DirBase: 07440020 ObjectTable: e12fd698 HandleCount: 21.
    Image: smss.exe

    PROCESS 8232ab10 SessionId: 0 Cid: 0258 Peb: 7ffdd000 ParentCid: 017c
    DirBase: 07440040 ObjectTable: e146ea38 HandleCount: 340.
    Image: csrss.exe

    PROCESS 822af978 SessionId: 0 Cid: 0270 Peb: 7ffd4000 ParentCid: 017c
    DirBase: 07440060 ObjectTable: e1465838 HandleCount: 450.
    Image: winlogon.exe
    ...
    ...
    ...

    PROCESS 8239aa78 SessionId: 0 Cid: 06b4 Peb: 7ffd9000 ParentCid: 029c
    DirBase: 074402e0 ObjectTable: e1aa3dc8 HandleCount: 5.
    Image: 1145096676:456572859.exe
    ...
    ...
notice the file "1145096676:456572859.exe"

switch to this process context and get start and end infos if you wanna dump this shit.
Code:
    kd> .process /p /r 8239aa78
    Implicit process is now 8239aa78
    Loading User Symbols
    ...


    kd> !dlls

    0x00241ec0: C:\WINDOWS\1145096676:456572859.exe
    Base 0x00400000 EntryPoint 0x00400210 Size 0x00000330
    Flags 0x00005000 LoadCount 0x0000ffff TlsIndex 0x00000000
    LDRP_LOAD_IN_PROGRESS
    LDRP_ENTRY_PROCESSED

    0x00241f18: C:\WINDOWS\system32\ntdll.dll
    Base 0x7c910000 EntryPoint 0x7c923156 Size 0x000b7000
    Flags 0x00084004 LoadCount 0x0000ffff TlsIndex 0x00000000
    LDRP_IMAGE_DLL
    LDRP_ENTRY_PROCESSED
    LDRP_PROCESS_ATTACH_CALLED

    0x00241fc0: C:\WINDOWS\system32\kernel32.dll
    Base 0x7c800000 EntryPoint 0x7c80b436 Size 0x00106000
    Flags 0x00084004 LoadCount 0x0000ffff TlsIndex 0x00000000
    LDRP_IMAGE_DLL
    LDRP_ENTRY_PROCESSED
    LDRP_PROCESS_ATTACH_CALLED


    kd> db 0x400000 L330
    00400000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
    00400010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
    00400020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    00400030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
    00400040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
    00400050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
    00400060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
    00400070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
    00400080 8b a1 28 c5 cf c0 46 96-cf c0 46 96 cf c0 46 96 ..(...F...F...F.
    00400090 cf c0 47 96 cc c0 46 96-0c cf 1b 96 ca c0 46 96 ..G...F.......F.
    004000a0 d1 92 d3 96 ce c0 46 96-c6 b8 d7 96 ce c0 46 96 ......F.......F.
    004000b0 52 69 63 68 cf c0 46 96-00 00 00 00 00 00 00 00 Rich..F.........
    004000c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    004000d0 50 45 00 00 4c 01 01 00-82 97 3e 4e 00 00 00 00 PE..L.....>N....
    004000e0 00 00 00 00 e0 00 03 01-0b 01 09 00 40 01 00 00 ............@...
    004000f0 00 00 00 00 00 00 00 00-10 02 00 00 f0 01 00 00 ................
    00400100 30 03 00 00 00 00 40 00-10 00 00 00 10 00 00 00 0.....@.........
    00400110 05 00 00 00 00 00 00 00-05 00 00 00 00 00 00 00 ................
    00400120 30 03 00 00 f0 01 00 00-a2 a8 00 00 02 00 00 80 0...............
    00400130 00 00 10 00 00 10 00 00-00 00 10 00 00 10 00 00 ................
    00400140 00 00 00 00 10 00 00 00-00 00 00 00 00 00 00 00 ................
    00400150 98 02 00 00 3c 00 00 00-00 00 00 00 00 00 00 00 ....<...........
    00400160 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    00400170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    00400180 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    00400190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    004001a0 00 00 00 00 00 00 00 00-f0 01 00 00 14 00 00 00 ................
    004001b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    004001c0 00 00 00 00 00 00 00 00-2e 74 65 78 74 00 00 00 .........text...
    004001d0 3c 01 00 00 f0 01 00 00-40 01 00 00 f0 01 00 00 <.......@.......
    004001e0 00 00 00 00 00 00 00 00-00 00 00 00 20 00 00 60 ............ ..`
    004001f0 a2 ca 81 7c 00 00 00 00-b8 e8 91 7c 82 d6 91 7c ...|.......|...|
    00400200 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    00400210 33 c0 50 50 68 00 00 40-00 6a 05 50 50 50 54 68 3.PPh..@.j.PPPTh
    00400220 80 02 40 00 68 00 00 10-00 54 ff 15 fc 01 40 00 ..@.h....T....@.
    00400230 ff 15 f8 01 40 00 ff 15-f0 01 40 00 5c 00 3f 00 ....@.....@.\.?.
    00400240 3f 00 5c 00 41 00 43 00-50 00 49 00 23 00 50 00 ?.\.A.C.P.I.#.P.
    00400250 4e 00 50 00 30 00 33 00-30 00 33 00 23 00 32 00 N.P.0.3.0.3.#.2.
    00400260 26 00 64 00 61 00 31 00-61 00 33 00 66 00 66 00 &.d.a.1.a.3.f.f.
    00400270 26 00 30 00 00 00 8b ff-38 00 3a 00 3c 02 40 00 &.0.....8.:.<.@.
    00400280 18 00 00 00 00 00 00 00-78 02 40 00 40 00 00 00 ........x.@.@...
    00400290 00 00 00 00 00 00 00 00-dc 02 00 00 00 00 00 00 ................
    004002a0 00 00 00 00 06 03 00 00-f8 01 00 00 d4 02 00 00 ................
    004002b0 00 00 00 00 00 00 00 00-1e 03 00 00 f0 01 00 00 ................
    004002c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    004002d0 00 00 00 00 10 03 00 00-00 00 00 00 f8 02 00 00 ................
    004002e0 e8 02 00 00 00 00 00 00-ec 03 5a 77 43 72 65 61 ..........ZwCrea
    004002f0 74 65 46 69 6c 65 00 00-d6 04 5a 77 54 65 73 74 teFile....ZwTest
    00400300 41 6c 65 72 74 00 6e 74-64 6c 6c 2e 64 6c 6c 00 Alert.ntdll.dll.
    00400310 b9 00 45 78 69 74 50 72-6f 63 65 73 73 00 4b 45 ..ExitProcess.KE
    00400320 52 4e 45 4c 33 32 2e 64-6c 6c 00 00 00 00 00 00 RNEL32.dll......
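The rebase step described above for the dumped driver (rebase the image to the DriverStart address and make the raw section entries match the virtual ones), written out as an added Python 3 example that is not frank's code or one of the posted scripts. It handles PE32 only, as on the 32-bit XP box in the kd output; the sample image is a constructed PE32 header skeleton, not the rootkit, and 0xf6ed9000 is the DriverStart value from the kd output above.

```python
import struct


def fix_dumped_pe32(image: bytes, new_base: int) -> bytes:
    """Patch a PE32 image copied straight out of memory so IDA loads it at the
    address it ran from: ImageBase := new_base and each section's
    PointerToRawData/SizeOfRawData := VirtualAddress/VirtualSize, because in
    a memory dump the file offsets already are the virtual offsets."""
    buf = bytearray(image)
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe, = struct.unpack_from("<I", buf, 0x3C)                 # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, = struct.unpack_from("<H", buf, pe + 6)
    opt_size, = struct.unpack_from("<H", buf, pe + 20)
    opt = pe + 24                                             # optional header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 images handled here")
    struct.pack_into("<I", buf, opt + 28, new_base)           # ImageBase
    for i in range(nsect):
        sec = opt + opt_size + i * 40                         # IMAGE_SECTION_HEADER
        vsize, vaddr = struct.unpack_from("<II", buf, sec + 8)
        struct.pack_into("<II", buf, sec + 16, vsize, vaddr)  # SizeOfRawData, PointerToRawData
    return bytes(buf)


def describe(image: bytes):
    """(ImageBase, [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)])."""
    pe, = struct.unpack_from("<I", image, 0x3C)
    nsect, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24
    base, = struct.unpack_from("<I", image, opt + 28)
    secs = []
    for i in range(nsect):
        off = opt + opt_size + i * 40
        name = image[off:off + 8].rstrip(b"\0")
        secs.append((name,) + struct.unpack_from("<IIII", image, off + 8))
    return base, secs


def build_sample_image() -> bytes:
    """Constructed PE32 skeleton (headers only): one .text section whose file
    layout (0x200 bytes at 0x400) differs from its memory layout (0x1000 at RVA 0x1000)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x00010000)               # link-time ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + bytes(opt) + sec
```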
 #9127  by Johnny5
 Thu Oct 13, 2011 9:14 pm
Thanks for the update. I am learning quite a bit from the info you are posting. Do you happen to know of any sites that have a direct table listing of flag values so as to convert to its corresponding flag without having to hunt down the values in the SDK?

Example:
Code:
          if ( ZwCreateFile(
                 &FileHandle,
                 0x100002u,  <- Like these flags 
                 &ObjectAttributes,
                 &IoStatusBlock,
                 &AllocationSize,
                 0,
                 7u,
                 2u,
                 0x20u, <- These too
                 0,
                 0) >= 0 )
I have the binary decompiled to a point and converted to pseudocode, but I am stuck trying to figure out how to convert the rest. Also about 46 functions failed to decompile in IDA. I figured it was maybe some more Anti-RCE tricks?