A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #6536  by Brock
 Wed May 25, 2011 3:27 pm
I assume there are definitely more that could freeze the system up; this is exactly why I incorporate core system driver loading allowance. And yes, it seems that denying other drivers such as kmixer.sys can also potentially lock the system up too, from what I noticed in my own testing. It seems legacy drivers are the main drivers with issues at first glance? Vga.dll seems to be the main perpetrator at large however :lol:
 #6537  by EP_X0FF
 Wed May 25, 2011 3:32 pm
In my test, multiple blocking of kmixer.sys has no effect on the system. Probably something network related or third-party software with their drivers can also affect the system.
A configurable whitelist may solve this problem.
 #6538  by Brock
 Wed May 25, 2011 3:32 pm
Agreed.
 #6931  by kmd
 Fri Jun 24, 2011 10:22 am
Hi,
I was playing with samples from the ZeroAccess thread and found that ImagePath spoofing is not handled by DrvMon. Bug?
 #6935  by EP_X0FF
 Fri Jun 24, 2011 10:40 am
Hello,

This kind of spoofing is not handled by the currently available 1.2 version, nor is load-from-header.
All of these are resolved in v2.0, which has been ready for about 1 month.

Screenshot below indicates ZA capture and load block.

Image

Link to VT result of serial.sys (http://www.virustotal.com/file-scan/rep ... 1308911554)
 #7743  by EP_X0FF
 Fri Jul 29, 2011 3:00 am
xqrzd wrote: I'm not sure if this is real, but would DrvMon be able to block this: http://crowdleaks.org/hbgary-inc-workin ... me-magenta? Supposedly it is able to bypass PsSetLoadImageNotifyRoutine.
Aside from fairy tales from Hoglund (btw, how is his "security" business doing right now?), the hint inside this article is technically incorrect. Callbacks are always called right before transferring control to the image entry point. To work and be "invincible" this super driver still needs to be loaded first.

Probably in this article he meant something like AVG Antirootkit (whose detection relies only on callbacks), which is a piece of crap.
 #7744  by xqrzd
 Fri Jul 29, 2011 4:20 am
I also thought the hint was wrong; how could returning an error from DriverEntry bypass the callback when DrvMon patches DriverEntry to return an error?
Thanks for the info :)
 #7755  by Tigzy
 Fri Jul 29, 2011 10:58 am
I've got a question for you. You use PsSetLoadImageNotifyRoutine to get informed about driver loading, but how can you forbid this, because this is only a callback, not a hook?
Excuse me if the answer is obvious for you... :)

EDIT: Maybe by altering the file?
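Added illustration (not code from this thread or from DrvMon) of the mechanism xqrzd and EP_X0FF describe: the load-image callback runs before control reaches the entry point, so a monitor can rewrite the entry point to return an error instead of altering the file. This user-mode C demo locates AddressOfEntryPoint in a constructed in-memory PE image and writes a `mov eax, STATUS_ACCESS_DENIED; ret` stub there; the kernel-side parts (registering the callback, making the image page writable) are not shown, and the PE structs are hand-defined so it builds without windows.h.

```c
#include <stdint.h>
#include <string.h>
/* Minimal PE header layout, hand-defined so the demo builds without windows.h. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHdr;
typedef struct { uint32_t sig; uint16_t machine, nsect; uint32_t ts, symtab, nsym;
                 uint16_t opt_size, chars; } NtHdr;
typedef struct { uint16_t magic; uint8_t linker[2]; uint32_t code, idata, udata;
                 uint32_t entry_rva; } OptHdrHead;
#pragma pack(pop)

/* AddressOfEntryPoint of a mapped image, or 0 if the headers are malformed/truncated. */
uint32_t pe_entry_rva(const uint8_t *img, size_t len) {
    const size_t need = sizeof(NtHdr) + sizeof(OptHdrHead);
    if (len < sizeof(DosHdr) + need) return 0;
    const DosHdr *dos = (const DosHdr *)img;
    if (dos->e_magic != 0x5A4D || dos->e_lfanew > len - need) return 0;  /* "MZ" */
    const NtHdr *nt = (const NtHdr *)(img + dos->e_lfanew);
    if (nt->sig != 0x00004550) return 0;                                  /* "PE\0\0" */
    const OptHdrHead *opt = (const OptHdrHead *)(nt + 1);
    if (opt->magic != 0x10B && opt->magic != 0x20B) return 0;             /* PE32/PE32+ */
    return opt->entry_rva;
}

/* Overwrite the entry point with "mov eax, 0xC0000022 (STATUS_ACCESS_DENIED); ret",
   valid on x86 and x64, so DriverEntry fails before its first real instruction.
   Returns 1 on success, 0 if the image is malformed or the entry lies outside it. */
int patch_entry_to_fail(uint8_t *img, size_t len) {
    static const uint8_t stub[6] = { 0xB8, 0x22, 0x00, 0x00, 0xC0, 0xC3 };
    uint32_t rva = pe_entry_rva(img, len);
    if (rva == 0 || rva > len - sizeof stub) return 0;
    memcpy(img + rva, stub, sizeof stub);
    return 1;
}

/* Constructed sample image (not a real driver): PE32+ headers at 0x80, entry at RVA
   0x200 holding 0xCC as a stand-in first byte. Returns bytes written, 0 if buf too small. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    if (cap < 0x300) return 0;
    memset(buf, 0, 0x300);
    DosHdr *dos = (DosHdr *)buf;
    dos->e_magic = 0x5A4D; dos->e_lfanew = 0x80;
    NtHdr *nt = (NtHdr *)(buf + 0x80);
    nt->sig = 0x00004550; nt->machine = 0x8664; nt->nsect = 1; nt->opt_size = 240;
    OptHdrHead *opt = (OptHdrHead *)(nt + 1);
    opt->magic = 0x20B; opt->entry_rva = 0x200;
    buf[0x200] = 0xCC;
    return 0x300;
}
```

As EP_X0FF notes above, this only helps for drivers loaded after the monitor registered its callback; anything already resident is out of reach.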