Forum for discussion about kernel-mode development.
 #26260  by 0xffffffffffff
 Thu Jul 09, 2015 4:29 pm
Hello,

I'm currently analysing the Rovnix Bootkit sourcecode. I'm wondering why it fails on W8.1 and W10 but works fine on XP-W8.
I've commented out quite a lot of the source code and it seems that it fails to start already in the VBR.

Any suggestions or ideas?

EDIT: No EFI/Secure Boot is used
 #26261  by EP_X0FF
 Fri Jul 10, 2015 4:08 am
Purpose? Who needs this legacy stuff? There are no computers with 8.1/10 running with BIOS except masochists. And such a "tweak" is only needed for malicious purposes. Rovnix pack of crap code heavily depends on undocumented system structures, including those used during boot (e.g. KeLoaderBlock->BootDriverListHead). Forget about this crap.
 #26650  by rexor
 Thu Sep 03, 2015 7:30 am
EP_X0FF wrote: ... Rovnix pack of crap code heavily depends on undocumented system structures, including those used during boot (e.g. KeLoaderBlock->BootDriverListHead). Forget about this crap.
Can you suggest something more contemporary for educational analysis purposes?
 #26659  by EP_X0FF
 Fri Sep 04, 2015 3:09 am
rexor wrote:
EP_X0FF wrote: ... Rovnix pack of crap code heavily depends on undocumented system structures, including those used during boot (e.g. KeLoaderBlock->BootDriverListHead). Forget about this crap.
Can you suggest something more contemporary for educational analysis purposes?
Windows Research Kernel source.
 #26670  by rexor
 Sun Sep 06, 2015 7:35 am
EP_X0FF wrote:
rexor wrote:
EP_X0FF wrote: ... Rovnix pack of crap code heavily depends on undocumented system structures, including those used during boot (e.g. KeLoaderBlock->BootDriverListHead). Forget about this crap.
Can you suggest something more contemporary for educational analysis purposes?
Windows Research Kernel source.
I agree with you regarding the source of knowledge, but the main difficulty is that in WRK there is too much information to process at once for the novice. On the other hand, if there is an example (rootkit) of the usage of such knowledge, then the education/study could IMO be more focused and productive, and backed by the info in WRK.

So again, if you are stating that Rovnix is a "pack of crap" - do you have any example that is actually the opposite?

My main goal is to understand the current technological landscape/advances in contemporary rootkit development through reversing/code analysis.
 #26672  by EP_X0FF
 Sun Sep 06, 2015 4:43 pm
Nope, surprisingly all malware code I ever saw was quickly coded packages of bullshit. I've no idea why you want to learn about classical bootkits in 2015, when every new computer comes with EFI.
 #26675  by rexor
 Sun Sep 06, 2015 8:07 pm
EP_X0FF wrote: Nope, surprisingly all malware code I ever saw was quickly coded packages of bullshit. I've no idea why you want to learn about classical bootkits in 2015, when every new computer comes with EFI.
I suppose this is already off-topic for this thread, and as I'm too "young" to send PMs, so...

I'm interested in understanding various ways of subverting the OS in kernel land, as I do see a lot of similar stuff in user-mode malware families and kernel malware is relatively new for me. EFI is indeed really powerful stuff, but why create the whole rootkit in EFI? Even if we take HackingTeam for example, their use of EFI was only for persistence.

To summarize, I'm looking for something to start from as an introduction to the low-level OS world.
 #26677  by Cr4sh
 Mon Sep 07, 2015 9:14 am
No one is going to leak any decent and well-coded malware source code to the public. If you're interested in learning about bootloaders, kernels and other low-level stuff -- check the WRK source code and open source implementations of EFI firmware (http://www.tianocore.org/edk2/ for example).
 #26681  by rexor
 Mon Sep 07, 2015 8:42 pm
Cr4sh wrote: No one is going to leak any decent and well-coded malware source code to the public. If you're interested in learning about bootloaders, kernels and other low-level stuff -- check the WRK source code and open source implementations of EFI firmware (http://www.tianocore.org/edk2/ for example).

I never asked for source - malware families/samples/names are more than sufficient. All that I can understand from you guys is that there are no decent malware examples in public and all that is available is not worth looking into.

Thanks, topic closed.