Rootkits are hot today; everybody wants to write one. If you browse USENET often, you will see many guys asking how to get at an undocumented kernel structure, or how to hook a kernel routine. It's too bad that these same techniques are also widely used by some *famous* commercial products, which are, of course, rootkits.
I usually run IceSword to check what's going on if I find my box in an *unusual* state. IceSword is cool and can locate a lot of malicious software, especially kernel-mode malware. One day I found:
Apparently this is a highly suspicious module that needs to be struck down! (Or, my bad, I will be the one struck down; it's a shame! :( )
Because I don't have two boxes for real kernel debugging, I hooked up WinDbg for a quick local kernel debug to catch the bad guy living in my sweet machine.
lkd> lm
start end module name
00de0000 00e11000 kext (deferred)
01000000 0106b000 windbg (deferred)
01690000 01799000 ext (deferred)
01900000 01953000 exts (deferred)
01960000 01acd000 kdexts (deferred)
02000000 022b7000 dbgeng (deferred)
03000000 03118000 dbghelp (deferred)
4b210000 4b261000 MSCTF (deferred)
4c510000 4c53e000 msctfime (deferred)
63090000 63099000 LPK (deferred)
71b30000 71b41000 MPR (deferred)
74ae0000 74b41000 USP10 (deferred)
74b80000 74bf0000 RICHED20 (deferred)
75d60000 75d87000 apphelp (deferred)
76180000 7619d000 IMM32 (deferred)
77370000 77407000 COMCTL32 (deferred)
774b0000 775e4000 ole32 (deferred)
77b60000 77b68000 VERSION (deferred)
77b70000 77bca000 msvcrt (deferred)
77bd0000 77c18000 GDI32 (deferred)
77c20000 77cbf000 RPCRT4 (deferred)
77cd0000 77dd3000 comctl32_77cd0000 (deferred)
77e10000 77ea1000 USER32 (deferred)
77eb0000 77f02000 SHLWAPI (deferred)
77f30000 77fdc000 ADVAPI32 (deferred)
7c800000 7c92b000 kernel32 (deferred)
7c930000 7ca00000 ntdll (deferred)
7ca10000 7d1f0000 SHELL32 (deferred)
80800000 80a6b000 nt (pdb symbols) e:\symbol\ntoskrnl.pdb\4106003FF97D4BCBA99245BF2172A8C12\ntoskrnl.pdb
80a6b000 80a8a000 hal (deferred)
b9092000 b90c2000 kmixer (deferred)
b9110000 b9123000 sysaudio (deferred)
b9123000 b913e000 wdmaud (deferred)
b9436000 b94507c0 naiavf5x (deferred)
b985d000 b9860b80 vmnetuserif (deferred)
b99a1000 b99ff000 srv (deferred)
b9ac7000 b9b18000 HTTP (deferred)
b9b18000 b9b2dc80 vmx86 (deferred)
ba426000 ba442000 dump_atapi (deferred)
ba442000 ba458000 Udfs (deferred)
ba458000 ba46d000 Cdfs (deferred)
ba495000 ba4bc000 ipnat (deferred)
ba4bc000 ba4cd000 Fips (deferred)
ba4cd000 ba543000 mrxsmb (deferred)
ba543000 ba573000 rdbss (deferred)
ba573000 ba59d000 afd (deferred)
ba59d000 ba5ce000 netbt (deferred)
ba5ce000 ba62f000 tcpip (deferred)
ba62f000 ba648000 ipsec (deferred)
ba708000 ba71c000 usbhub (deferred)
ba7bc000 ba7fc000 update (deferred)
ba7fc000 ba833000 rdpdr (deferred)
ba8d3000 ba8e6000 raspptp (deferred)
ba8e6000 ba900000 ndiswan (deferred)
ba91e000 ba933000 rasl2tp (deferred)
ba933000 ba945000 i8042prt (deferred)
ba945000 ba95d000 parport (deferred)
ba95d000 ba970000 serial (deferred)
ba970000 ba985000 drmk (deferred)
ba985000 ba9ae000 portcls (deferred)
ba9ae000 ba9d6000 ks (deferred)
ba9d6000 ba9e9000 redbook (deferred)
ba9e9000 ba9fe000 cdrom (deferred)
ba9fe000 baa28000 USBPORT (deferred)
baa28000 baa43000 VIDEOPRT (deferred)
baa43000 baa66700 s3gnbm (deferred)
bf800000 bf9d0000 win32k (deferred)
bf9d0000 bf9e6000 dxg (deferred)
bf9e6000 bfa3e080 s3gnb (deferred)
f71f9000 f7218000 Mup (deferred)
f7218000 f724e000 NDIS (deferred)
f724e000 f72e3000 Ntfs (deferred)
f72e3000 f730a000 KSecDD (deferred)
f730a000 f732f000 fltMgr (deferred)
f732f000 f7342000 CLASSPNP (deferred)
f7342000 f7361000 SCSIPORT (deferred)
f7361000 f737d000 Unknown_Module_f7361000 (deferred) // NOTE: this is the unknown driver.
f737d000 f73a6000 volsnap (deferred)
f73a6000 f73d1000 dmio (deferred)
f73d1000 f73f7000 ftdisk (deferred)
f73f7000 f740c000 pci (deferred)
f740c000 f7440000 ACPI (deferred)
f7440000 f7465e00 d347bus (deferred)
f7487000 f7490000 WMILIB (deferred)
f7497000 f74a6000 isapnp (deferred)
f74a7000 f74b4000 PCIIDEX (deferred)
f74b7000 f74c7000 MountMgr (deferred)
f74c7000 f74d2000 PartMgr (deferred)
f74d7000 f74e7000 disk (deferred)
f74e7000 f74f3000 Dfs (deferred)
f74f7000 f7506000 viaagp (deferred)
f7507000 f7511000 crcdisk (deferred)
f7517000 f7521000 flpydisk (deferred)
f7527000 f7533000 vga (deferred)
f7537000 f7542000 Msfs (deferred)
f7547000 f7554000 Npfs (deferred)
f7557000 f7565000 msgpc (deferred)
f7567000 f7575460 mvstdi5x (deferred)
f7577000 f7584000 netbios (deferred)
f7597000 f75a4000 wanarp (deferred)
f75b7000 f75c0000 dump_WMILIB (deferred)
f75c7000 f75d0000 ndisuio (deferred)
f75d7000 f75e1000 Dxapi (deferred)
f75e7000 f75f5000 processr (deferred)
f75f7000 f7600000 watchdog (deferred)
f7607000 f7611b00 viaudio (deferred)
f7617000 f7620e00 fetnd5 (deferred)
f7627000 f7632000 fdc (deferred)
f7637000 f7641000 serenum (deferred)
f7647000 f7651000 mouclass (deferred)
f7657000 f7661000 kbdclass (deferred)
f7667000 f7670000 ndistapi (deferred)
f7677000 f7686000 raspppoe (deferred)
f7687000 f7692000 TDI (deferred)
f7697000 f76a2000 ptilink (deferred)
f76a7000 f76b0000 raspti (deferred)
f76b7000 f76c6000 termdd (deferred)
f76c7000 f76d0000 mssmbios (deferred)
f76f7000 f7705000 NDProxy (deferred)
f7707000 f770f000 kdcom (deferred)
f770f000 f7717000 BOOTVID (deferred)
f7717000 f771e000 viaide (deferred)
f771f000 f7726000 dmload (deferred)
f777f000 f7784200 RTL8139 (deferred)
f7787000 f778c180 usbuhci (deferred)
f778f000 f7795a00 usbehci (deferred)
f7797000 f779f000 msmpu401 (deferred)
f779f000 f77a7000 fsvga (deferred)
f77a7000 f77af000 audstub (deferred)
f77c7000 f77cf000 Fs_Rec (deferred)
f77cf000 f77d6000 Null (deferred)
f77d7000 f77de000 Beep (deferred)
f77df000 f77e7000 mnmdd (deferred)
f77e7000 f77ef000 RDPCDD (deferred)
f77ef000 f77f7000 rasacd (deferred)
f77f7000 f77fe000 dxgthk (deferred)
f781f000 f7824400 vmnetbridge (deferred)
f784f000 f7853b00 hcmon (deferred)
f7857000 f785e000 parvdm (deferred)
f790b000 f790d800 VMNET (deferred)
f795f000 f7961780 gameenum (deferred)
f7983000 f7985580 vmnetadapter (deferred)
f7987000 f7988480 d347prt (deferred)
f799b000 f799c300 kldbgdrv (deferred)
f79a5000 f79a6280 swenum (deferred)
f79af000 f79b0580 USBD (deferred)
f7a47000 f7a48b40 VMparport (deferred)
f7b7c000 f7b7c600 SetupNT (deferred)
First, let's check the driver and device objects. If a driver needs to process I/O requests, it usually requires a driver object and a device object (in most cases this is true; we won't talk about very sophisticated stuff here).
lkd> !object \driver
Object: e1007898 Type: (84e84488) Directory
ObjectHeader: e1007880
HandleCount: 0 PointerCount: 88
Directory Object: e10016d8 Name: Driver
Hash Address Type Name
---- ------- ---- ----
00 84b863f0 Driver Beep
84c34cb8 Driver NDIS
84c67a18 Driver KSecDD
01 84b9be30 Driver FsVga
84bcb9b8 Driver Mouclass
84b198e8 Driver Raspti
03 848628a0 Driver Fips
84bcbad8 Driver Kbdclass
04 84b90240 Driver VgaSave
84b159e0 Driver NDProxy
05 84b1ff38 Driver Ptilink
84e2a040 Driver MountMgr
843d4aa8 Driver wdmaud
06 84b74a78 Driver Processor
84481228 Driver SetupNT
07 84e2aa88 Driver dmload
84e29178 Driver isapnp
08 84b46c18 Driver redbook
84df6438 Driver atapi
10 84b8c358 Driver RasAcd
84b15c20 Driver VMnetAdapter
84e2a860 Driver dmio
84b53760 Driver IpNat
11 84bcac30 Driver audstub
84b92040 Driver usbuhci
84bc2e38 Driver Win32k
8446b198 Driver VMnetuserif
12 84b6e870 Driver usbhub
84b16b08 Driver swenum
84b19a08 Driver rdpdr
84b68ce0 Driver ms_mpu401
8464ea30 Driver VMnetBridge
13 84b53650 Driver RDPCDD
84b1fd10 Driver Update
84b1ce18 Driver RasPppoe
84b468e0 Driver FETNDIS
84851680 Driver HTTP
14 843d5618 Driver kldbgdrv
84b1b158 Driver TermDD
84e2ad60 Driver Ftdisk
84e7bae8 Driver d347bus
843d43d0 Driver sysaudio
15 84bca670 Driver Rasl2tp
84b55500 Driver Fdc
16 84614ce8 Driver Parvdm
18 84b1c040 Driver PptpMiniport
84bd91c0 Driver serenum
84c33df0 Driver crcdisk
84e35168 Driver WMIxWDM
84e354c0 Driver ACPI_HAL
19 84649f00 Driver hcmon
21 84864778 Driver NaiAvTdi1
8486e600 Driver NetBT
84e29280 Driver viaagp
22 84b6b3e8 Driver Cdrom
84b1e220 Driver mssmbios
84b46d38 Driver VIAudio
23 84df7f38 Driver ViaIde
84350530 Driver kmixer
24 8484f6d8 Driver Wanarp
849df620 Driver Tcpip
84b54400 Driver mnmdd
84b9b670 Driver gameenum
25 84e2a1a0 Driver VolSnap
28 84b91178 Driver Null
84b51040 Driver usbehci
84e28e30 Driver d347prt
29 84bb3da0 Driver IPSec
84c7df38 Driver Disk
84e50c18 Driver PCI
30 84b94f38 Driver Serial
84b1d140 Driver NdisTapi
84b1f040 Driver NdisWan
84df6540 Driver PartMgr
31 849df040 Driver Gpc
32 84e32420 Driver ACPI
84bde158 Driver vmx86
33 84b90458 Driver Flpydisk
84bb6e90 Driver rtl8139
84e81ec8 Driver PnpManager
8467e1b8 Driver VMparport
84b93da0 Driver NaiAvFilter1
34 849eeba8 Driver AFD
8464d040 Driver Ndisuio
35 84b95660 Driver Parport
36 84b9bf38 Driver i8042prt
84b5a858 Driver S3SavageNB
All seems to be OK. Then I got stuck for a while. After a few minutes I decided to dump the raw memory of the driver image; perhaps I could find some clue if we were lucky enough (i.e. if the code is not heavily obfuscated).
lkd> dc f7361000 f737cfff
(Note: because the output is too large, I only list the most interesting bits here.)
f736ccf0 735c3a64 74727672 72645c6d 72657669 d:\srvrtm\driver
f736cd00 74735c73 6761726f 64695c65 74615c65 s\storage\ide\at
f736cd10 5c697061 74696e69 cc00632e cccccccc api\init.c..
f736e220 00730055 00720065 006c0053 00760061 U.s.e.r.S.l.a.v.
f736e230 00440065 00760065 00630069 00540065 e.D.e.v.i.c.e.T.
f736e240 006d0069 006e0069 004d0067 0064006f i.m.i.n.g.M.o.d.
f736e250 00410065 006c006c 0077006f 00640065 e.A.l.l.o.w.e.d.
f736e260 00000032 00000000 00730055 00720065 2.......U.s.e.r.
f736e270 0061004d 00740073 00720065 00650044 M.a.s.t.e.r.D.e.
f736e280 00690076 00650063 00690054 0069006d v.i.c.e.T.i.m.i.
f736e290 0067006e 006f004d 00650064 006c0041 n.g.M.o.d.e.A.l.
f736e2a0 006f006c 00650077 00320064 00000000 l.o.w.e.d.2.....
f736e7e0 6d6d6f43 63696e75 6f697461 7265506e CommunicationPer
f736e7f0 65687069 006c6172 4e6e6547 00007465 ipheral.GenNet..
f736e800 0074654e 6964654d 68436d75 65676e61 Net.MediumChange
f736e810 72655072 65687069 006c6172 436e6547 rPeripheral.GenC
f736e820 676e6168 00007265 6e616843 00726567 hanger..Changer.
f736e830 6974704f 446c6163 506b7369 70697265 OpticalDiskPerip
f736e840 61726568 0000006c 4f6e6547 63697470 heral...GenOptic
f736e850 00006c61 6974704f 006c6163 6e616353 al..Optical.Scan
f736e860 5072656e 70697265 61726568 0000006c nerPeripheral...
f736e870 536e6547 6e6e6163 00007265 6e616353 GenScanner..Scan
f736e880 0072656e 6f526443 7265506d 65687069 ner.CdRomPeriphe
f736e890 006c6172 436e6547 6d6f5264 00000000 ral.GenCdRom....
f736e8a0 6f526443 0000006d 6d726f57 69726550 CdRom...WormPeri
f736e8b0 72656870 00006c61 576e6547 006d726f pheral..GenWorm. // I'm scared by *GenWorm* !
f736e8c0 6d726f57 00000000 636f7250 6f737365 Worm....Processo
f736e8d0 72655072 65687069 006c6172 506e6547 rPeripheral.GenP
f736e8e0 65636f72 726f7373 00000000 636f7250 rocessor....Proc
f736e8f0 6f737365 00000072 6e697250 50726574 essor...PrinterP
f736e900 70697265 61726568 0000006c 506e6547 eripheral...GenP
f736e910 746e6972 00007265 6e697250 00726574 rinter..Printer.
f736e920 65706154 69726550 72656870 00006c61 TapePeripheral..
f736e930 536e6547 65757165 6169746e 0000006c GenSequential...
f736e940 75716553 69746e65 00006c61 6b736944 Sequential..Disk
f736e950 69726550 72656870 00006c61 446e6547 Peripheral..GenD
f736e960 006b7369 6b736944 00000000 ca01ac1c isk.Disk........
f7375140 00650052 00690067 00740073 00790072 R.e.g.i.s.t.r.y.
f7375150 004d005c 00630061 00690068 0065006e \.M.a.c.h.i.n.e.
f7375160 0053005c 00730079 00650074 005c006d \.S.y.s.t.e.m.\.
f7375170 00750043 00720072 006e0065 00430074 C.u.r.r.e.n.t.C.
f7375180 006e006f 00720074 006c006f 00650053 o.n.t.r.o.l.S.e.
f7375190 005c0074 006f0043 0074006e 006f0072 t.\.C.o.n.t.r.o.
f73751a0 005c006c 006e0050 00000070 00440000 l.\.P.n.p.....D.
f73751b0 00730069 00620061 0065006c 00690046 i.s.a.b.l.e.F.i.
f73751c0 006d0072 00610077 00650072 0061004d r.m.w.a.r.e.M.a.
f73751d0 00700070 00720065 004c0000 00670065 p.p.e.r...L.e.g.
f73751e0 00630061 00440079 00740065 00630065 a.c.y.D.e.t.e.c.
f73751f0 00690074 006e006f 004c0000 00670065 t.i.o.n...L.e.g.
f7375200 00630061 00440079 00740065 00630065 a.c.y.D.e.t.e.c.
f7375210 00690074 006e006f cccc0000 cccccccc t.i.o.n.......
f7369df0 0044005c 00760065 00630069 005c0065 \.D.e.v.i.c.e.\.
f7369e00 00640049 005c0065 00640049 00440065 I.d.e.\.I.d.e.D.
f7369e10 00760065 00630069 00500065 00640025 e.v.i.c.e.P.%.d.
f7369e20 00250054 004c0064 00640025 0025002d T.%.d.L.%.d.-.%.
f7369e30 00000078 cccccccc ff8bcccc 81ec8b55 x...........U...
Great, the driver seems to have some relationship with ATAPI.sys and an interest in storage devices, but there is a bad sign since I found GenWorm; I'm excited (and scared, of course!). The most important clues are the registry path and the device name format string. I first tried to find the device whose name matches the pattern \Device\Ide\IdeDeviceP*T*L*; it's a reasonable check, I think.
lkd> !object \device\ide
Object: e1438230 Type: (84e84488) Directory
ObjectHeader: e1438218
HandleCount: 0 PointerCount: 9
Directory Object: e1007980 Name: Ide
Hash Address Type Name
---- ------- ---- ----
03 84df4b58 Device IdeDeviceP0T0L0-3
84e25028 Device IdePort0
04 84df2028 Device IdePort1
84df7278 Device PciIde0Channel0-0
19 84e2bd10 Device PciIde0Channel1-1
32 84e2b030 Device PciIde0
33 84df4410 Device IdeDeviceP1T0L0-e
Mmm, not bad. Let me dump the device's fields.
lkd> dt nt!_DEVICE_OBJECT 84df4b58
+0x000 Type : 3
+0x002 Size : 0x234
+0x004 ReferenceCount : 0
+0x008 DriverObject : 0x84df6438
+0x00c NextDevice : 0x84df2028
+0x010 AttachedDevice : 0x84e28cb0
+0x014 CurrentIrp : (null)
+0x018 Timer : (null)
+0x01c Flags : 0x5050
+0x020 Characteristics : 0x101
+0x024 Vpb : (null)
+0x028 DeviceExtension : 0x84df4c10
+0x02c DeviceType : 2
+0x030 StackSize : 1 ''
+0x034 Queue : __unnamed
+0x05c AlignmentRequirement : 1
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : 0
+0x098 SecurityDescriptor : 0xe15e8658
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : 0
+0x0ae Spare1 : 1
+0x0b0 DeviceObjectExtension : 0x84df4d90
+0x0b4 Reserved : (null)
lkd> !devstack 84df4b58
!DevObj !DrvObj !DevExt ObjectName
84b95748 \Driver\redbook 84b95800
84b95030 \Driver\Cdrom 84b950e8 CdRom0
84e28cb0 \Driver\ACPI 84e311a8 00000066
> 84df4b58 \Driver\atapi 84df4c10 IdeDeviceP0T0L0-3
!DevNode 84e28b08 :
DeviceInst is "IDE\CdRomSAMSUNG_DVD-ROM_SD-816B_________________H001____\5&782cc20&0&0.0.0"
ServiceName is "cdrom"
lkd> dt nt!_DRIVER_OBJECT 0x84df6438
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : 0x84df4410
+0x008 Flags : 0x12
+0x00c DriverStart : (null)
+0x010 DriverSize : 0
+0x014 DriverSection : 0x84e84d08
+0x018 DriverExtension : 0x84df64e0
+0x01c DriverName : _UNICODE_STRING "\Driver\atapi"
+0x024 HardwareDatabase : 0x809f9260 "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xf737957f Unknown_Module_f7361000!GsDriverEntry+0
+0x030 DriverStartIo : 0xf7368dec Unknown_Module_f7361000!IdePortStartIo+0
+0x034 DriverUnload : 0x84b01c50 +ffffffff84b01c50
+0x038 MajorFunction : [28] 0x84b01bf8 +ffffffff84b01bf8
This indicates that the device object was created by ATAPI.sys. However, there is no ATAPI in the lm command output; ATAPI may have been hijacked by some bad guys.
Let's dump the dispatch routines:
lkd> dps 0x84df6438+0x38 L20
84df6470 84b01bf8
84df6474 84b01bf8
84df6478 84b01bf8
84df647c 84b01bf8
84df6480 84b01bf8
84df6484 84b01bf8
84df6488 84b01bf8
84df648c 84b01bf8
84df6490 84b01bf8
84df6494 84b01bf8
84df6498 84b01bf8
84df649c 84b01bf8
84df64a0 84b01bf8
84df64a4 84b01bf8
84df64a8 84b01bf8
84df64ac 84b01bf8
84df64b0 84b01bf8
84df64b4 84b01bf8
84df64b8 84b01bf8
84df64bc 84b01bf8
84df64c0 84b01bf8
84df64c4 84b01bf8
84df64c8 84b01bf8
84df64cc 84b01bf8
84df64d0 84b01bf8
84df64d4 84b01bf8
84df64d8 84b01bf8
84df64dc 84b01bf8
84df64e0 84df6438
84df64e4 f7373208
84df64e8 00000000
84df64ec 000c000a
Then check the assembly code:
lkd> uf 84b01bf8
84b01bf8 jmp 84b01bfc
84b01bfc push ebx
84b01bfd lea ebx,[84b01c5c]
84b01c03 push ebx
84b01c04 push eax
84b01c05 push esp
84b01c06 call nt!IoAcquireVpbSpinLock (80848c58)
84b01c0b mov ebx,[ebx]
84b01c0d call dword ptr [ebx+0x90]
84b01c13 call nt!IoReleaseVpbSpinLock (8084ab53)
84b01c18 mov eax,[ebx+0x8]
84b01c1b sahf
84b01c1c pushfd
84b01c1d mov eax,[esp+0x14]
84b01c21 push eax
84b01c22 mov eax,[eax+0x60]
84b01c25 movzx eax,byte ptr [eax]
84b01c28 push dword ptr [esp+0x14]
84b01c2c call dword ptr [ebx+eax*4+0x20]
84b01c30 mov [esp+0x4],eax
84b01c34 push eax
84b01c35 push esp
84b01c36 call nt!IoAcquireVpbSpinLock (80848c58)
84b01c3b call dword ptr [ebx+0x94]
84b01c41 pop eax
84b01c42 popfd
84b01c43 push eax
84b01c44 jnz 84b01c0b
84b01c46 call nt!IoReleaseVpbSpinLock (8084ab53)
84b01c4b pop eax
84b01c4c pop ebx
84b01c4d ret 0x8
Examine the instruction call dword ptr [ebx+0x90]:
lkd> u poi(poi(84b01c5c)+90)
f7455a4e lock inc dword ptr [ebx+0xc]
f7455a52 ret
f7455a53 lock dec dword ptr [ebx+0xc]
f7455a57 jnz f7455a61
f7455a59 pushad
f7455a5a push ebx
f7455a5b call f7443cf2
f7455a60 popad
lkd> u poi(84b5fbe4+0x94)
*** ERROR: Module load completed but symbols could not be loaded for d347bus.sys
d347bus+0x15a53:
f7455a53 lock dec dword ptr [ebx+0xc]
f7455a57 jnz d347bus+0x15a61 (f7455a61)
f7455a59 pushad
f7455a5a push ebx
f7455a5b call d347bus+0x3cf2 (f7443cf2)
f7455a60 popad
f7455a61 ret
f7455a62 push ebp
lkd> lmvm d347bus
start end module name
f7440000 f7465e00 d347bus (no symbols)
Loaded symbol image file: d347bus.sys
Image path: d347bus.sys
Image name: d347bus.sys
Timestamp: Sun Aug 22 21:31:09 2004 (4128A01D)
CheckSum: 00034FBA
ImageSize: 00025E00
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
So d347bus hijacks ATAPI. Scan the code address 84b01bf8 with !pool:
lkd> !pool 84b01bf8
Pool page 84b01bf8 region is Nonpaged pool
84b01000 size: ba0 previous size: 0 (Allocated) RTLm
84b01ba0 size: 8 previous size: ba0 (Free) ....
84b01ba8 size: 48 previous size: 8 (Allocated) NDpf
*84b01bf0 size: 108 previous size: 48 (Allocated) *V386
Owning component : Unknown (update pooltag.txt)
84b01cf8 size: 18 previous size: 108 (Free) MntA
84b01d10 size: 80 previous size: 18 (Allocated) PXh.
84b01d90 size: 8 previous size: 80 (Free) Thre
84b01d98 size: 18 previous size: 8 (Allocated) Wmip
84b01db0 size: 100 previous size: 18 (Allocated) NDmo
84b01eb0 size: 150 previous size: 100 (Allocated) WanJ
So ATAPI's dispatch routines are actually hijacked by d347bus.sys: it allocates nonpaged pool with ExAllocatePoolWithTag and copies its instructions into the allocated pool to hook the dispatch routines.
The atapi driver object is listed in the debug output; however, the module has been modified, so the debugger cannot recognize ATAPI.sys because no pdb symbol matches the checksum, I think.
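The check done by hand above (dps over the MajorFunction table, then looking up each target against lm) and the explanation of the pool-based hook can be automated. The following Python script is an added example, not part of the original post or of any of the tools it mentions; it embeds constructed samples of the lm and dps output quoted in this post and flags every dispatch slot whose target falls outside every loaded module image, plus the tell-tale sign that all 28 slots share one target.

```python
import re
from collections import Counter

IRP_MJ_COUNT = 28  # IRP_MJ_MAXIMUM_FUNCTION + 1 slots in _DRIVER_OBJECT.MajorFunction

# Constructed sample: a subset of the "lm" listing from the session above.
LM_OUTPUT = """\
start end module name
80800000 80a6b000 nt (pdb symbols)
f7361000 f737d000 Unknown_Module_f7361000 (deferred)
f7440000 f7465e00 d347bus (deferred)
"""
# Constructed sample: the "dps 0x84df6438+0x38 L20" output from the session above:
# 28 MajorFunction slots all holding 84b01bf8, then the next four dwords of the object.
DPS_OUTPUT = "\n".join(
    f"{0x84df6470 + 4 * i:08x} 84b01bf8" for i in range(IRP_MJ_COUNT)
) + "\n84df64e0 84df6438\n84df64e4 f7373208\n84df64e8 00000000\n84df64ec 000c000a\n"

_LM_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)
_DPS_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s*$", re.I)

def parse_lm(text):
    """Return [(start, end, name)] for each module line; the header is skipped."""
    mods = []
    for line in text.splitlines():
        if m := _LM_RE.match(line.strip()):
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return mods

def parse_dps(text, count=IRP_MJ_COUNT):
    """Return the first `count` pointer values of a dps dump (the MajorFunction table)."""
    ptrs = [int(m.group(2), 16) for line in text.splitlines()
            if (m := _DPS_RE.match(line.strip()))]
    return ptrs[:count]

def owning_module(addr, mods):
    """Name of the loaded module whose image range contains addr, or None."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None

def audit_dispatch_table(lm_text, dps_text):
    """Flag dispatch entries that land outside every loaded image (e.g. in pool) and
    note when every slot shares one target, as in the hijacked atapi driver object."""
    mods = parse_lm(lm_text)
    ptrs = parse_dps(dps_text)
    outside = [(i, p) for i, p in enumerate(ptrs) if owning_module(p, mods) is None]
    targets = Counter(owning_module(p, mods) or "<no module>" for p in ptrs)
    return {"entries": len(ptrs), "outside_module": outside,
            "targets": dict(targets), "single_target": len(set(ptrs)) == 1}

if __name__ == "__main__":
    report = audit_dispatch_table(LM_OUTPUT, DPS_OUTPUT)
    for i, p in report["outside_module"]:
        print(f"IRP_MJ 0x{i:02x} -> {p:08x}: outside every loaded module image")
    print("all 28 slots share one target:", report["single_target"])
```

The same range lookup applied to the DriverInit and DriverStartIo values from the dt output attributes them to Unknown_Module_f7361000, while the code reached through [ebx+0x90] resolves to d347bus.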
There is some obfuscated code in the image, which is interesting, and I still have a concern about what the heck GenWorm means?! Maybe I can build a repro in VMware to trace d347bus.sys.
d347bus.sys is the bus driver of Daemon Tools; basically it should do no harm to my computer. However, if d347bus.sys has itself been hijacked by another driver, this would become more complex; reserved for future striking!
OK, now, go to bed.