monitor MBR Sector

#14910 by R00tKit
Sun Jul 29, 2012 12:43 pm

hi

i want write tool for monitor disk sector (MBR for write)
i know to stack of file system is some thing like

file system
class driver
port driver
bus driver

so where is best for install filter? port or bus ?( or hook specific function ? )

what port/bus driver( scasi, ATA ,IDE,pci,USB? ) make it more generic ?

@R00tkitSMM

Username

R00tKit

Posts

129

Joined

Tue Nov 16, 2010 8:23 pm

Contact

Re: monitor MBR Sector

#14916 by EP_X0FF
Mon Jul 30, 2012 6:06 am

MBR is dying.

Have a look on this trash http://www.blueridge.com/index.php/prod ... enterprise, I don't remember when I was looking for it, how exactly it "guards".

Actually you can prevent MBR writing by setting up just a few hooks in SSDT. Yep IOCTL's too. This is boring and what is the purpose?

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: monitor MBR Sector

#14955 by R00tKit
Wed Aug 01, 2012 7:24 am

just a few hooks in SSDT?

WriteFile and DeviceIoControl?

http://support.microsoft.com/kb/942448
documented way?

@R00tkitSMM

Username

R00tKit

Posts

129

Joined

Tue Nov 16, 2010 8:23 pm

Contact

Re: monitor MBR Sector

#14972 by EP_X0FF
Thu Aug 02, 2012 6:29 am

NtCl0$e wrote:
just a few hooks in SSDT?
WriteFile and DeviceIoControl?

http://support.microsoft.com/kb/942448
documented way?

Yes, maybe in general + NtCreateFile, for IOCTL's - SPTD, TDL4 was using this in it dropper for example. However this wont work on x64 due to obvious reasons. For those you can try writing minifilter driver (as example see ProcMon).

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact