A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #3768  by AaLl86
 Mon Nov 29, 2010 5:46 pm
Hi All!
I'm new in this community. I'll introduce myself: my name is Andrea and i'm an italian "unemployed" security researcher.
I would like to present my implementation of TDL3 Removal Tool. Is a personal quite big project, it runs on Windows Xp, Vista, 7, on all 32 bit platform (no 64 bit already). It's still in alpha but fully working. It doesn't support RAID software system like Windows Dynamic disk. This is the only limitation it has.

I'll appreciative if some of you can test it.... the link is:
http://www.aall86.altervista.org/files/AntiTdl_0.1.zip

Tell me what do you think, and sorry for my english but it's not my native language...

Have a nice day. :D
Andrea
 #3771  by EP_X0FF
 Mon Nov 29, 2010 6:29 pm
Hello,

thank you for sharing your project.

Seems to be it working not at 100%. Infection still alive after removal procedure.
TDL is not functional, but it still here. If you take a look on EP of infected atapi.sys you will find that driver still infected.

Tested with TDL 3.273 (from March) under Windows XP SP3.
Attachments
pass: malware
(67.44 KiB) Downloaded 45 times
 #3772  by AaLl86
 Mon Nov 29, 2010 7:39 pm
Thank you very much... Indeed i wrote this cleaner with the latest version of TDL3 that it infect random driver... Tomorrow i download the payload from here and i look what's wrong ok? Many thanks for the test....

Have a nice evening!
Andrea
 #3779  by Alex
 Tue Nov 30, 2010 5:04 pm
Hi AaLl86,

It looks as if the tool doesn't work under VmWare (vmscsi.sys)? I didn't (couldn't) test it under real OS at the moment
Code: Select all
AntiTDL - Entry Point del driver richiamata!
AntiTdl!GetDriverInfo - Trovato Driver Nt "vmscsi.sys" ad indice 19.
AntiTdl!RepairForgedDriver - DriverStartIo function error!
Image
 #3783  by AaLl86
 Tue Nov 30, 2010 8:25 pm
Hi Alex! Thank you for your test... Yes you're right, i didn't test it with virtual vmscsi controller, with raid controller, and also with Daemon Tools (that i found it uses an orrible solution for working correctly). But these features are currently under development.... (the version is still Alpha 0.1). I tell you that i'm working on these problem and i will fix as soon as possible in the future releases.... i made this release for cleaning many of my friends simple pcs with a SATA or IDE controller... Just a week of time that i prepare a virtual machine with scsi controller and i post the fix here ok? Many thanks to you for your test....

Have a nice evening!
Andrea
Alex wrote:Hi AaLl86,

It looks as if the tool doesn't work under VmWare (vmscsi.sys)? I didn't (couldn't) test it under real OS at the moment
Code: Select all
AntiTDL - Entry Point del driver richiamata!
AntiTdl!GetDriverInfo - Trovato Driver Nt "vmscsi.sys" ad indice 19.
AntiTdl!RepairForgedDriver - DriverStartIo function error!
Image
 #3784  by AaLl86
 Tue Nov 30, 2010 8:33 pm
To EX_XOFF:
Hi Ep_xoff!
I made some tests with your sample: the cleaner removes currectly the infection, the only problem is that the infected file, at the end of the cleaning process, remain corrupted in its resource section, but in my test TDL3 become ko. I'm currently working on the restoration on the original file (it requires a deviation of the original driver IRP functions handler because TDL3 threads continuously rewrite it).
Can you explain me what did you intend with "TDL is not functional, but it still here"?
Perhaps do you mean what i wrote, or something else?

Thank you in advice
Andrea
EP_X0FF wrote:Hello,

thank you for sharing your project.

Seems to be it working not at 100%. Infection still alive after removal procedure.
TDL is not functional, but it still here. If you take a look on EP of infected atapi.sys you will find that driver still infected.

Tested with TDL 3.273 (from March) under Windows XP SP3.
 #3793  by EP_X0FF
 Wed Dec 01, 2010 11:53 am
I mean that port driver is still infected and TDL code gets control (since Windows boots normally).

Additionally you need to check your tool with older TDL3 versions:

3.0 - 3.23, 3.24.
 #3796  by STRELiTZIA
 Wed Dec 01, 2010 12:13 pm
Hi,
EP_X0FF wrote:I mean that port driver is still infected and TDL code gets control (since Windows boots normally).

Additionally you need to check your tool with older TDL3 versions:

3.0 - 3.23, 3.24.
Tested...
Not work with TDL 3.241 (Locker)

atapi.sys FAILED last error 0x0000001F
ntfs.sys FAILED last error 0x0000045D


Regards.
Attachments
(63.69 KiB) Downloaded 39 times
 #3815  by AaLl86
 Thu Dec 02, 2010 9:06 am
Hi!
Thank you for the test.... i'm currently working on these issues.... Thank you also for the payload you gave me....

Andrea
STRELiTZIA wrote:Hi,
EP_X0FF wrote:I mean that port driver is still infected and TDL code gets control (since Windows boots normally).

Additionally you need to check your tool with older TDL3 versions:

3.0 - 3.23, 3.24.
Tested...
Not work with TDL 3.241 (Locker)

atapi.sys FAILED last error 0x0000001F
ntfs.sys FAILED last error 0x0000045D


Regards.