A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #108  by EP_X0FF
 Sun Mar 14, 2010 1:52 pm
This proof-of-concept targeting XueTr v0.32.

This antirootkit self-protection based on numerous hooks set in kernel mode on common routines
RkU Version: 5.1.700.2220, Type VX2 (VX+)
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
>Shadow SSDT
win32k.sys-->NtUserBuildHwndList, Type: Address Change 0xBF835F21-->F490E274 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserDestroyWindow, Type: Address Change 0xBF845873-->F490E656 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserFindWindowEx, Type: Address Change 0xBF8B1369-->F490E356 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserGetForegroundWindow, Type: Address Change 0xBF820BC1-->F490E3A0 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserMessageCall, Type: Address Change 0xBF80EE6B-->F490E698 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserPostThreadMessage, Type: Address Change 0xBF8B3D3D-->F490E4D4 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserQueryWindow, Type: Address Change 0xBF803B56-->F490E516 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserSetParent, Type: Address Change 0xBF879695-->F490E554 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserSetWindowLong, Type: Address Change 0xBF832BEC-->F490E5D2 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserShowWindow, Type: Address Change 0xBF834FA9-->F490E614 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserWindowFromPoint, Type: Address Change 0xBF8213A9-->F490E592 [C:\Documents and Settings\XueTr.sys]
ntoskrnl.exe+0x0009A639, Type: Inline - RelativeCall 0x80571639-->F490F30E [XueTr.sys]
ntoskrnl.exe+0x0009A903, Type: Inline - RelativeCall 0x80571903-->F490F166 [XueTr.sys]
ntoskrnl.exe+0x000A48C9, Type: Inline - RelativeCall 0x8057B8C9-->F490F58A [XueTr.sys]
ntoskrnl.exe+0x000AB325, Type: Inline - RelativeCall 0x80582325-->F490F58A [XueTr.sys]
ntoskrnl.exe+0x000B330F, Type: Inline - RelativeCall 0x8058A30F-->F490F166 [XueTr.sys]
win32k.sys-->NtUserPostMessage, Type: Inline - RelativeJump 0xBF8089B4-->F490E3EC [XueTr.sys]
[948]XueTr.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00402B20 [XueTr.exe]
Unknown addresses are belongs to NtOpenProcess, NtOpenThread, NtTerminateProcess, NtTerminateThread, NtDuplicateObject.

Few kernel mode hooks set with using extended hooking mechanism based on call patching,
this is bypasses public rku hooks detection engine, of course this can't bypass private version.

Getting all these stuff set gives unpredictable results in multiprocessor environment, for example such
ridiculous number of hooks rising chances to get a blue screen at antirootkit start.
There should be compromise between protection and tool safety.

The following proof-of-concept is able to successfully terminate XueTr v0.32
from user mode, without using kernel mode driver or removing XueTr hooks.

I suggest antirootkit author stop using that sh1t and remove most of this useless hooks.
This will dramatically improve stability and usability of your tool.

This proof-of-concept was tested only with Windows XP SP3.
However it can be quickly adopted to any Windows versions from WXP till W7.
Author of XueTr was notified about this vulnerability week ago.

Below is binary and source code (incomplete of course) of this proof-of-concept.

MD5 for oXueTb.exe

SHA1 for oXueTb.exe
pass: ineedthis
(14.57 KiB) Downloaded 122 times