A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #11597  by R136a1
 Mon Feb 13, 2012 10:37 am
Hi there,

a friend drew my attention to this interesting talk about the Windows crash dump path.
I/O, You own: Regaining control of your disk in the presence of bootkits (Aaron LeMasters)

Master Boot Record based rootkits (MBR rootkits, or bootkits for short) have existed for decades but are more recently gaining widespread attention with the growing deployment of nasty bootkits such as TDL4 and Popureb. The most advanced versions of these rootkits hook the normal storage device stack (i.e., "normal I/O path") at the lowest possible level in order to hide the infected MBR and malicious components: the port and miniport drivers. This presentation will introduce a novel technique to read/write to disk using an alternate I/O path provided by the operating system: the crash dump I/O path. This poorly documented crash dump path represents a pristine, untargeted I/O path to disk, effectively defeating all known I/O-hooking rootkits.

In addition to providing the attendee with original research and a new methodology for defeating bootkits, this presentation will offer extensive insight into the poorly-understood crash dump mechanism used by Windows. This research is a result of weeks of debugging and reverse engineering various disk drivers and operating system core features. This presentation will distill all of those details into simple important facts for the attendee's consideration.

Source: http://www.syscan.org/index.php/sg/program
My friend also said he will try to release something to the public (as far as his company allows him to). Probably a part of the code or a little tool. That would be great!

Does anybody already have some experience on the aforementioned topic?
 #11599  by rkhunter
 Mon Feb 13, 2012 11:09 am
It would not be a mistake to say that all tools or anti-rootkits targeted at bootkit detection use alternate I/O stacks/paths.
In this case, this probably means using clean copies of the disk drivers that NT uses for crash dump writing.