MBR infection

#8571 by utsav.0202
Thu Sep 15, 2011 9:50 am

Hi

To clean the MBR I am doing

pIrp = IoBuildSynchronousFsdRequest(IRP_MJ_WRITE, pDevObj, ...);
IoCallDriver(pDevObj, pIrp);

what if a rootkit hooks the DriverStartIo routine in device's DRIVER_OBJECT structure and prevents the write operations?

Thanks and Regards
Utsav

Username

utsav.0202

Posts

Joined

Mon Apr 11, 2011 2:04 pm

#8613 by EP_X0FF
Sun Sep 18, 2011 12:27 am

Very rootkit specific. Go deeper or fool rootkit any other way. All this games ends up with making infection inactive and fix mbr utilities.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Display:

Sort by:

Jump to: