 #25343  by EP_X0FF
 Sat Feb 28, 2015 5:19 pm
oep_000 wrote: You can read this article

GrayFish hooked DeviceIoControl for Null.sys with the win32k.sys vulnerability
and sends IOCTLs for WriteFile and CreateReg and ....
Your link is not working; it is either broken or removed.
Last edited by EP_X0FF on Mon Dec 17, 2018 4:15 pm, edited 1 time in total. Reason: removed link in quote by request
 #25355  by oep_000
 Sun Mar 01, 2015 8:42 am
GrayFish exploits the win32k.sys vulnerability and executes its code in the kernel, hooking the ZwShutdownSystem function in the SSDT. Then it calls the hooked ZwShutdownSystem, and this makes the payload run. This payload then hooks IRP_MJ_DEVICE_CONTROL of Null.sys.
After that, GrayFish uses the hooked IRP_MJ_DEVICE_CONTROL to perform its remaining tasks.

This exploit has been used in EquationDrug too, not for hooking but for privilege escalation.
Stuxnet also used this exploit.
 #25357  by oep_000
 Sun Mar 01, 2015 8:43 am
The Kaspersky report said that GrayFish infects the VBR; I couldn't find any versions with this functionality yet. Does anyone have a sample with VBR infection?
 #33128  by mega
 Wed Aug 07, 2019 4:06 am
Get a module from GROK in Es07er1K's upload.
No password.