A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #10086  by madaboo
 Sat Dec 03, 2011 9:56 am
Hi guys,
I don't know why, but some of the rootkit samples downloaded from this forum don't seem to install.
I'm working on a freshly installed Windows XP SP2. The only files that drop rootkits properly are those whose company name is "Microsoft Corporation" (it is a property of the exe file; e.g. when you open Explorer on the directory that holds the droppers, some of the files have a company name and some don't). If a dropper doesn't have this information then I can't install it. What's wrong? How can I force the installation of those rootkits?

Maybe I should disable something on windows?

Thank you for suggestions.
 #10091  by EP_X0FF
 Sat Dec 03, 2011 10:34 am
Hello,

what kind of rootkits?
Is this real or virtual environment?

Version info is completely unrelated, just like the moon phase.
 #10092  by madaboo
 Sat Dec 03, 2011 10:45 am
Hello

I'm talking about old TDSS variants.

And I'm working on VMware 7, but I tried VMware 8, VirtualBox and Virtual PC as well, always with the same result.

Any tips?
 #10093  by EP_X0FF
 Sat Dec 03, 2011 10:49 am
Which TDSS version? Some may have anti-VM at the crypter level.
 #10096  by EP_X0FF
 Sat Dec 03, 2011 11:09 am
Successfully infected system with ytasfwDROPPER which is TDL2.

Virtual PC + WXP SP3.

Try to upgrade your Windows.
 #10097  by madaboo
 Sat Dec 03, 2011 11:40 am
Oops,

After installing SP3 on VirtualBox and executing ytasfwDROPPER I got a BSOD:

nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> g
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
C:\WINDOWS\msagent\intl
*** Fatal System Error: 0x0000007e
(0xC0000005,0x00000000,0xF899FB24,0xF899F820)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Sat Dec 3 12:38:56.560 2011 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
.............................................
Loading User Symbols

Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 0, f899fb24, f899f820}

Probably caused by : memory_corruption

Followup: memory_corruption
---------

nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: f899fb24, Exception Record Address
Arg4: f899f820, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

FAULTING_IP:
+16
00000000 ?? ???

EXCEPTION_RECORD: f899fb24 -- (.exr 0xfffffffff899fb24)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT: f899f820 -- (.cxr 0xfffffffff899f820)
eax=00000000 ebx=f53421f8 ecx=f79b7000 edx=000002e1 esi=00000000 edi=81c64d28
eip=00000000 esp=f899fbec ebp=f899fc64 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
00000000 ?? ???
Resetting default scope

DEFAULT_BUCKET_ID: CODE_CORRUPTION

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000000

READ_ADDRESS: 00000000

FOLLOWUP_IP:
+16
00000000 ?? ???

FAILED_INSTRUCTION_ADDRESS:
+16
00000000 ?? ???

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from f5343650 to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f899fbe8 f5343650 00000000 0000084c 81c64d28 0x0
f899fc64 805a399d 81c64d28 81c62000 81c64d28 rbcqftiqrncbvgqd!DtEbksfsSdlk+0x3dc
f899fd4c 805a3c73 80000354 00000001 00000000 nt!IopLoadDriver+0x66d
f899fd74 804e426b 80000354 00000000 81fc4b30 nt!IopLoadUnloadDriver+0x45
f899fdac 8057aeff f873fcf4 00000000 00000000 nt!ExpWorkerThread+0x100
f899fddc 804f88ea 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
804d8f8c-804d8f90 5 bytes - nt!KiXMMIZeroPage+30
[ fa f7 80 0c 02:e9 a7 fc 30 77 ]
804d93b6-804d93ba 5 bytes - nt!ExAcquireResourceSharedLite+10 (+0x42a)
[ fa 8b 75 08 33:e9 05 a6 2d 77 ]
804da72e-804da732 5 bytes - nt!KiChainedDispatch+28 (+0x1378)
[ fa ff 15 08 76:e9 ad 60 32 77 ]
804db65b-804db65f 5 bytes - nt!ExReleaseResourceLite+b (+0xf2d)
[ fa 66 8b 51 0e:e9 00 6f 2d 77 ]
804db880-804db884 5 bytes - nt!KiDispatchInterrupt+c (+0x225)
[ fa 3b 00 74 1d:e9 7b 68 30 77 ]
804db954-804db955 2 bytes - nt!SwapContext+30 (+0xd4)
[ fa 89:e9 df ]
804db957-804db958 2 bytes - nt!SwapContext+33 (+0x03)
[ 28 8b:2d 77 ]
804dbb3a-804dbb3e 5 bytes - nt!KiIdleLoop+13 (+0x1e3)
[ fa 3b 6d 00 74:e9 29 5f 30 77 ]
804dbbdb-804dbbdf 5 bytes - nt!KiRetireDpcList+4d (+0xa1)
[ fa 3b 6d 00 75:e9 a8 62 30 77 ]
804dbc69-804dbc6d 5 bytes - nt!Ki386AdjustEsp0+1e (+0x8e)
[ fa 8b 15 40 f0:e9 d2 49 2d 77 ]
804dbc7d-804dbc81 5 bytes - nt!KiSetDebugActive+6 (+0x14)
[ fa 88 48 2c 88:e9 b6 88 2d 77 ]
804de7fd-804de801 5 bytes - nt!KiServiceExit (+0x2b80)
[ fa f7 45 70 00:e9 ee 1e 2d 77 ]
804de85f - nt!KiServiceExit+62 (+0x62)
[ fa:cc ]
804de9a4-804de9a8 5 bytes - nt!KiServiceExit2 (+0x145)
[ fa f7 45 70 00:e9 67 d6 31 77 ]
804de9e4 - nt!KiServiceExit2+40 (+0x40)
[ fa:cc ]
804df05c-804df060 5 bytes - nt!Kei386EoiHelper (+0x678)
[ fa f7 45 70 00:e9 87 55 2d 77 ]
804df09c - nt!KiExceptionExit+40 (+0x40)
[ fa:cc ]
804e0dc3 - nt!VdmFixEspEbp+3 (+0x1d27)
[ 0f:cc ]
804e1f22-804e1f26 5 bytes - nt!KiFlushNPXState+4 (+0x115f)
[ fa 8b 3d 1c f0:e9 69 24 2d 77 ]
804e2b6c-804e2b70 5 bytes - nt!KiCallUserMode+54 (+0xc4a)
[ fa 8b 0e 89 0c:e9 1f 39 32 77 ]
804e2c5a-804e2c5e 5 bytes - nt!KeSwitchKernelStack+3e (+0xee)
[ fa 89 8a 68 01:e9 09 0c 2d 77 ]
804e2cef-804e2cf3 5 bytes - nt!NtCallbackReturn+3b (+0x95)
[ fa 8b 35 04 f0:e9 44 39 32 77 ]
804e2e11-804e2e15 5 bytes - nt!ExfInterlockedAddUlong+1 (+0x122)
[ fa 8b 01 01 11:e9 02 02 32 77 ]
804e2e35-804e2e39 5 bytes - nt!ExfInterlockedInsertTailList+1 (+0x24)
[ fa 8b 41 04 89:e9 36 e2 2f 77 ]
804e2e51-804e2e55 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x1c)
[ fa 8b 01 3b c1:e9 52 b0 31 77 ]
804e32a5-804e32a9 5 bytes - nt!KeUpdateSystemTime+e6 (+0x454)
[ fa ff 81 70 08:e9 d6 38 30 77 ]
804e32f6-804e32fa 5 bytes - nt!KeUpdateSystemTime+137 (+0x51)
[ fa ff 15 08 76:e9 3d 0b 30 77 ]
804e3308-804e330c 5 bytes - nt!KeUpdateSystemTime+149 (+0x12)
[ fa ff 15 08 76:e9 a3 39 30 77 ]
804e35e3-804e35e7 5 bytes - nt!ExAcquireResourceExclusiveLite+f (+0x2db)
[ fa 8b 75 08 eb:e9 b8 ec 2c 77 ]
804e8910-804e8914 5 bytes - nt!ExIsResourceAcquiredExclusiveLite+b (+0x532d)
[ fa 8b 4d 08 32:e9 2b 90 2f 77 ]
804e8a15-804e8a19 5 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x105)
[ fa 8b 75 08 33:e9 16 0c 30 77 ]
804ed38c-804ed390 5 bytes - nt!CcGetActiveVacb+5 (+0x4977)
[ fa 8b 45 08 8b:e9 4f 3a 2f 77 ]
804ee3c2-804ee3c6 5 bytes - nt!ExIsResourceAcquiredSharedLite+c (+0x1036)
[ fa 8b 4d 08 39:e9 21 33 2f 77 ]
804efade-804efae2 5 bytes - nt!ExReleaseResourceForThreadLite+8 (+0x171c)
[ fa 8b 45 08 66:e9 6d 34 30 77 ]
804efe58-804efe5c 5 bytes - nt!ExDisableResourceBoostLite+5 (+0x37a)
[ fa 8b 45 08 80:e9 cb 12 2f 77 ]
804f0288 - nt!ExAcquireSharedStarveExclusive+f (+0x430)
[ fa:cc ]
804f0439-804f043d 5 bytes - nt!ExSetResourceOwnerPointer+c (+0x1b1)
[ fa 8b 75 08 f6:e9 7a 30 30 77 ]
804f0be0-804f0be4 5 bytes - nt!ExpAllocateExclusiveWaiterEvent+65 (+0x7a7)
[ fa 5f 5e 5b c9:e9 d3 1e 2c 77 ]
804f0d01-804f0d05 5 bytes - nt!KeRestoreFloatingPointState+79 (+0x121)
[ fa f6 03 01 0f:e9 62 51 31 77 ]
804f0ddb-804f0ddf 5 bytes - nt!KeSaveFloatingPointState+9f (+0xda)
[ fa 0f 20 c0 8b:e9 90 52 31 77 ]
804f134c-804f1350 5 bytes - nt!CcSetActiveVacb+7 (+0x571)
[ fa 8b 45 08 83:e9 6f 25 30 77 ]
804fae39-804fae3d 5 bytes - nt!ExpFindCurrentThread+10d (+0x9aed)
[ fa 8b 75 f8 8b:e9 9a 90 2b 77 ]
804faea3 - nt!ExpFindCurrentThread+187 (+0x6a)
[ fa:cc ]
804faf07-804faf0b 5 bytes - nt!ExpAllocateSharedWaiterSemaphore+5e (+0x64)
[ fa 5f 5e c9 c2:e9 44 93 2b 77 ]
804fb5e8-804fb5ec 5 bytes - nt!ExConvertExclusiveToSharedLite+5 (+0x6e1)
[ fa 8b 45 08 66:e9 83 e7 2e 77 ]
805038af-805038b3 5 bytes - nt!KeRemoveQueueDpc+6 (+0x82c7)
[ fa 8b 45 08 8b:e9 2c 2f 30 77 ]
805073df-805073e3 5 bytes - nt!IoStartTimer+17 (+0x3b30)
[ fa 66 83 78 02:e9 1c 70 2e 77 ]
8050939e-805093a2 5 bytes - nt!Ki386SetupAndExitToV86Code+a3 (+0x1fbf)
[ fa 51 8b 73 04:e9 8d cf 2f 77 ]
8050ba6b-8050ba6f 5 bytes - nt!Ki386VdmEnablePentiumExtentions+5 (+0x26cd)
[ fa 0f 20 e0 f7:e9 90 97 2f 77 ]
8050ff93 - nt!KiSaveProcessorControlState+75 (+0x4528)
[ 0f:cc ]
WARNING: !chkimg output was truncated to 50 lines. Invoke !chkimg without '-lo [num_lines]' to view entire output.
222 errors : !nt (804d8f8c-805353b0)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: LARGE

STACK_COMMAND: .cxr 0xfffffffff899f820 ; kb

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------
Any ideas?
 #10098  by EP_X0FF
 Sat Dec 03, 2011 11:55 am
What do you expect from kernel mode rootkit that hooks lots of service routines with splicing + IofCallDriver and IofCompleteRequest? Stable work?
I've no idea how to "fix" malware.
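The !chkimg listing in the post above is the raw evidence for what EP_X0FF describes: each entry shows the bytes the on-disk ntoskrnl image has at an address and the bytes that are actually in memory, and nearly every memory side starts with e9 (a 5-byte near jmp, the classic "splice") or cc (int 3). The following script is an added example, not code from the thread or from any tool mentioned in it. It parses a subset of those lines (copied from the log above) and turns each splice into the absolute address it jumps to, which is what you would then compare against `lm` to see which driver owns the hook handlers. The sample text, the fragment-merging rule and the 3-byte maximum gap are assumptions made for the example.

```python
"""Decode WinDbg !chkimg output into patch locations and jump targets."""
import re
from typing import List, Optional

# Constructed sample: a subset of the !chkimg lines from the bugcheck log
# posted in this thread (addresses, symbols and bytes copied from it).
CHKIMG_SAMPLE = """\
804d8f8c-804d8f90 5 bytes - nt!KiXMMIZeroPage+30
    [ fa f7 80 0c 02:e9 a7 fc 30 77 ]
804db954-804db955 2 bytes - nt!SwapContext+30 (+0xd4)
    [ fa 89:e9 df ]
804db957-804db958 2 bytes - nt!SwapContext+33 (+0x03)
    [ 28 8b:2d 77 ]
804de7fd-804de801 5 bytes - nt!KiServiceExit (+0x2b80)
    [ fa f7 45 70 00:e9 ee 1e 2d 77 ]
804de85f - nt!KiServiceExit+62 (+0x62)
    [ fa:cc ]
"""

# "addr[-endaddr N bytes] - symbol" followed by "[ expected:actual ]"
HEADER_RE = re.compile(r"^([0-9a-f]{8})(?:-[0-9a-f]{8} \d+ bytes)? - (\S+)")
DIFF_RE = re.compile(r"^\[ ([0-9a-f ]+):([0-9a-f ]+) \]$")


class Patch:
    """One run of bytes that differ from the on-disk image.
    A None entry marks a byte !chkimg did not print (it matched the image)."""

    def __init__(self, addr: int, symbol: str,
                 expected: List[Optional[int]], actual: List[Optional[int]]):
        self.addr, self.symbol = addr, symbol
        self.expected, self.actual = expected, actual

    def __len__(self) -> int:
        return len(self.actual)


def parse_chkimg(text: str) -> List[Patch]:
    """Pair each header line with the [ expected:actual ] line below it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    patches = []
    for hdr, diff in zip(lines, lines[1:]):
        m, d = HEADER_RE.match(hdr), DIFF_RE.match(diff)
        if not (m and d):
            continue
        expected = list(bytes.fromhex(d.group(1).replace(" ", "")))
        actual = list(bytes.fromhex(d.group(2).replace(" ", "")))
        patches.append(Patch(int(m.group(1), 16), m.group(2), expected, actual))
    return patches


def merge_fragments(patches: List[Patch], max_gap: int = 3) -> List[Patch]:
    """!chkimg reports one 5-byte jmp as two fragments when a byte in the
    middle happens to equal the original (SwapContext+30/+33 above).
    Rejoin an e9 fragment with a following fragment that fits in 5 bytes
    (assumed heuristic for this example)."""
    merged: List[Patch] = []
    for p in patches:
        if merged:
            prev = merged[-1]
            gap = p.addr - (prev.addr + len(prev))
            if prev.actual[0] == 0xE9 and 0 <= gap <= max_gap \
                    and len(prev) + gap + len(p) <= 5:
                prev.actual += [None] * gap + p.actual
                prev.expected += [None] * gap + p.expected
                continue
        merged.append(Patch(p.addr, p.symbol, list(p.expected), list(p.actual)))
    return merged


def decode(p: Patch) -> dict:
    """Classify a patch; for a complete e9 rel32 compute the absolute target
    (rel32 is relative to the end of the 5-byte instruction, mod 2^32)."""
    if p.actual[0] == 0xE9 and len(p) == 5:
        if any(b is None for b in p.actual[1:]):
            return {"kind": "jmp rel32", "target": None,
                    "note": "rel32 incomplete; read the gap byte(s) with db"}
        rel = int.from_bytes(bytes(p.actual[1:5]), "little", signed=True)
        return {"kind": "jmp rel32", "target": (p.addr + 5 + rel) & 0xFFFFFFFF}
    if p.actual[0] == 0xCC and len(p) == 1:
        return {"kind": "int3", "target": None}
    return {"kind": "other", "target": None}


if __name__ == "__main__":
    for patch in merge_fragments(parse_chkimg(CHKIMG_SAMPLE)):
        info = decode(patch)
        tgt = f"{info['target']:08x}" if info["target"] is not None else "?"
        print(f"{patch.addr:08x} {patch.symbol:<26} {info['kind']:<9} -> {tgt}")
```

Running this on the sample resolves both complete splices to targets in the 0xF77Bxxxx-0xF77Exxxx range, i.e. well outside the nt image, which is the address range you would then look up with `lm` or `!pool` to identify the hooking driver. The SwapContext pair comes out as a single 5-byte jmp with one unknown byte; dumping 804db954 with `db` in the live session gives the missing byte and lets the same function compute its target.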
 #10127  by CloneRanger
 Sun Dec 04, 2011 9:14 am
madaboo

I don't know why, but some of the rootkit samples downloaded from this forum don't seem to install. I'm working on a freshly installed Windows XP SP2.
EP_X0FF

Successfully infected system with ytasfwDROPPER which is TDL2.

Virtual PC + WXP SP3.

Try to upgrade your Windows.

@ EP_X0FF

Hi, upgrading Windows from XP SP2 to XP SP3 is an interesting way of being able to get infected with more rootkits :o Just wondered why XP SP3 is worse than XP SP2 in that respect?

TIA