Daemon Tool Is A Rootkit ? - The Unknown Driver

王朝c# · Author: anonymous  2006-12-16

rootkits are hot today; everybody wants to write a rootkit. if you often browse USENET, you're gonna see many guys asking how to get at an undocumented kernel structure, or how to hook a kernel routine. it's too bad that these techniques are also widely used by some *famous* commercial products, which are, of course, rootkits.

i usually run IceSword to check what's going on if i find my box is in an *unusual* state. IceSword is cool and can locate a lot of malicious software, esp. kernel mode malware. one day i found:

apparently, this is a highly suspicious module that needs to be struck down! (or, my bad, i'm the one who will be struck; what a shame! :( ).

because i don't have 2 boxes for real kernel debugging, i hooked up WinDbg to do a quick local kernel debug to catch the bad guy living in my sweet machine.

lkd> lm

start end module name

00de0000 00e11000 kext (deferred)

01000000 0106b000 windbg (deferred)

01690000 01799000 ext (deferred)

01900000 01953000 exts (deferred)

01960000 01acd000 kdexts (deferred)

02000000 022b7000 dbgeng (deferred)

03000000 03118000 dbghelp (deferred)

4b210000 4b261000 MSCTF (deferred)

4c510000 4c53e000 msctfime (deferred)

63090000 63099000 LPK (deferred)

71b30000 71b41000 MPR (deferred)

74ae0000 74b41000 USP10 (deferred)

74b80000 74bf0000 RICHED20 (deferred)

75d60000 75d87000 apphelp (deferred)

76180000 7619d000 IMM32 (deferred)

77370000 77407000 COMCTL32 (deferred)

774b0000 775e4000 ole32 (deferred)

77b60000 77b68000 VERSION (deferred)

77b70000 77bca000 msvcrt (deferred)

77bd0000 77c18000 GDI32 (deferred)

77c20000 77cbf000 RPCRT4 (deferred)

77cd0000 77dd3000 comctl32_77cd0000 (deferred)

77e10000 77ea1000 USER32 (deferred)

77eb0000 77f02000 SHLWAPI (deferred)

77f30000 77fdc000 ADVAPI32 (deferred)

7c800000 7c92b000 kernel32 (deferred)

7c930000 7ca00000 ntdll (deferred)

7ca10000 7d1f0000 SHELL32 (deferred)

80800000 80a6b000 nt (pdb symbols) e:\symbol\ntoskrnl.pdb\4106003FF97D4BCBA99245BF2172A8C12\ntoskrnl.pdb

80a6b000 80a8a000 hal (deferred)

b9092000 b90c2000 kmixer (deferred)

b9110000 b9123000 sysaudio (deferred)

b9123000 b913e000 wdmaud (deferred)

b9436000 b94507c0 naiavf5x (deferred)

b985d000 b9860b80 vmnetuserif (deferred)

b99a1000 b99ff000 srv (deferred)

b9ac7000 b9b18000 HTTP (deferred)

b9b18000 b9b2dc80 vmx86 (deferred)

ba426000 ba442000 dump_atapi (deferred)

ba442000 ba458000 Udfs (deferred)

ba458000 ba46d000 Cdfs (deferred)

ba495000 ba4bc000 ipnat (deferred)

ba4bc000 ba4cd000 Fips (deferred)

ba4cd000 ba543000 mrxsmb (deferred)

ba543000 ba573000 rdbss (deferred)

ba573000 ba59d000 afd (deferred)

ba59d000 ba5ce000 netbt (deferred)

ba5ce000 ba62f000 tcpip (deferred)

ba62f000 ba648000 ipsec (deferred)

ba708000 ba71c000 usbhub (deferred)

ba7bc000 ba7fc000 update (deferred)

ba7fc000 ba833000 rdpdr (deferred)

ba8d3000 ba8e6000 raspptp (deferred)

ba8e6000 ba900000 ndiswan (deferred)

ba91e000 ba933000 rasl2tp (deferred)

ba933000 ba945000 i8042prt (deferred)

ba945000 ba95d000 parport (deferred)

ba95d000 ba970000 serial (deferred)

ba970000 ba985000 drmk (deferred)

ba985000 ba9ae000 portcls (deferred)

ba9ae000 ba9d6000 ks (deferred)

ba9d6000 ba9e9000 redbook (deferred)

ba9e9000 ba9fe000 cdrom (deferred)

ba9fe000 baa28000 USBPORT (deferred)

baa28000 baa43000 VIDEOPRT (deferred)

baa43000 baa66700 s3gnbm (deferred)

bf800000 bf9d0000 win32k (deferred)

bf9d0000 bf9e6000 dxg (deferred)

bf9e6000 bfa3e080 s3gnb (deferred)

f71f9000 f7218000 Mup (deferred)

f7218000 f724e000 NDIS (deferred)

f724e000 f72e3000 Ntfs (deferred)

f72e3000 f730a000 KSecDD (deferred)

f730a000 f732f000 fltMgr (deferred)

f732f000 f7342000 CLASSPNP (deferred)

f7342000 f7361000 SCSIPORT (deferred)

f7361000 f737d000 Unknown_Module_f7361000 (deferred) // NOTE: This is the unknown driver.

f737d000 f73a6000 volsnap (deferred)

f73a6000 f73d1000 dmio (deferred)

f73d1000 f73f7000 ftdisk (deferred)

f73f7000 f740c000 pci (deferred)

f740c000 f7440000 ACPI (deferred)

f7440000 f7465e00 d347bus (deferred)

f7487000 f7490000 WMILIB (deferred)

f7497000 f74a6000 isapnp (deferred)

f74a7000 f74b4000 PCIIDEX (deferred)

f74b7000 f74c7000 MountMgr (deferred)

f74c7000 f74d2000 PartMgr (deferred)

f74d7000 f74e7000 disk (deferred)

f74e7000 f74f3000 Dfs (deferred)

f74f7000 f7506000 viaagp (deferred)

f7507000 f7511000 crcdisk (deferred)

f7517000 f7521000 flpydisk (deferred)

f7527000 f7533000 vga (deferred)

f7537000 f7542000 Msfs (deferred)

f7547000 f7554000 Npfs (deferred)

f7557000 f7565000 msgpc (deferred)

f7567000 f7575460 mvstdi5x (deferred)

f7577000 f7584000 netbios (deferred)

f7597000 f75a4000 wanarp (deferred)

f75b7000 f75c0000 dump_WMILIB (deferred)

f75c7000 f75d0000 ndisuio (deferred)

f75d7000 f75e1000 Dxapi (deferred)

f75e7000 f75f5000 processr (deferred)

f75f7000 f7600000 watchdog (deferred)

f7607000 f7611b00 viaudio (deferred)

f7617000 f7620e00 fetnd5 (deferred)

f7627000 f7632000 fdc (deferred)

f7637000 f7641000 serenum (deferred)

f7647000 f7651000 mouclass (deferred)

f7657000 f7661000 kbdclass (deferred)

f7667000 f7670000 ndistapi (deferred)

f7677000 f7686000 raspppoe (deferred)

f7687000 f7692000 TDI (deferred)

f7697000 f76a2000 ptilink (deferred)

f76a7000 f76b0000 raspti (deferred)

f76b7000 f76c6000 termdd (deferred)

f76c7000 f76d0000 mssmbios (deferred)

f76f7000 f7705000 NDProxy (deferred)

f7707000 f770f000 kdcom (deferred)

f770f000 f7717000 BOOTVID (deferred)

f7717000 f771e000 viaide (deferred)

f771f000 f7726000 dmload (deferred)

f777f000 f7784200 RTL8139 (deferred)

f7787000 f778c180 usbuhci (deferred)

f778f000 f7795a00 usbehci (deferred)

f7797000 f779f000 msmpu401 (deferred)

f779f000 f77a7000 fsvga (deferred)

f77a7000 f77af000 audstub (deferred)

f77c7000 f77cf000 Fs_Rec (deferred)

f77cf000 f77d6000 Null (deferred)

f77d7000 f77de000 Beep (deferred)

f77df000 f77e7000 mnmdd (deferred)

f77e7000 f77ef000 RDPCDD (deferred)

f77ef000 f77f7000 rasacd (deferred)

f77f7000 f77fe000 dxgthk (deferred)

f781f000 f7824400 vmnetbridge (deferred)

f784f000 f7853b00 hcmon (deferred)

f7857000 f785e000 parvdm (deferred)

f790b000 f790d800 VMNET (deferred)

f795f000 f7961780 gameenum (deferred)

f7983000 f7985580 vmnetadapter (deferred)

f7987000 f7988480 d347prt (deferred)

f799b000 f799c300 kldbgdrv (deferred)

f79a5000 f79a6280 swenum (deferred)

f79af000 f79b0580 USBD (deferred)

f7a47000 f7a48b40 VMparport (deferred)

f7b7c000 f7b7c600 SetupNT (deferred)

first, let's check the driver and device objects. if a driver needs to process I/O requests, it usually requires a driver object and a device object (in most cases this is true; we don't talk about very sophisticated stuff here).

lkd> !object \driver

Object: e1007898 Type: (84e84488) Directory

ObjectHeader: e1007880

HandleCount: 0 PointerCount: 88

Directory Object: e10016d8 Name: Driver

Hash Address Type Name

---- ------- ---- ----

00 84b863f0 Driver Beep

84c34cb8 Driver NDIS

84c67a18 Driver KSecDD

01 84b9be30 Driver FsVga

84bcb9b8 Driver Mouclass

84b198e8 Driver Raspti

03 848628a0 Driver Fips

84bcbad8 Driver Kbdclass

04 84b90240 Driver VgaSave

84b159e0 Driver NDProxy

05 84b1ff38 Driver Ptilink

84e2a040 Driver MountMgr

843d4aa8 Driver wdmaud

06 84b74a78 Driver Processor

84481228 Driver SetupNT

07 84e2aa88 Driver dmload

84e29178 Driver isapnp

08 84b46c18 Driver redbook

84df6438 Driver atapi

10 84b8c358 Driver RasAcd

84b15c20 Driver VMnetAdapter

84e2a860 Driver dmio

84b53760 Driver IpNat

11 84bcac30 Driver audstub

84b92040 Driver usbuhci

84bc2e38 Driver Win32k

8446b198 Driver VMnetuserif

12 84b6e870 Driver usbhub

84b16b08 Driver swenum

84b19a08 Driver rdpdr

84b68ce0 Driver ms_mpu401

8464ea30 Driver VMnetBridge

13 84b53650 Driver RDPCDD

84b1fd10 Driver Update

84b1ce18 Driver RasPppoe

84b468e0 Driver FETNDIS

84851680 Driver HTTP

14 843d5618 Driver kldbgdrv

84b1b158 Driver TermDD

84e2ad60 Driver Ftdisk

84e7bae8 Driver d347bus

843d43d0 Driver sysaudio

15 84bca670 Driver Rasl2tp

84b55500 Driver Fdc

16 84614ce8 Driver Parvdm

18 84b1c040 Driver PptpMiniport

84bd91c0 Driver serenum

84c33df0 Driver crcdisk

84e35168 Driver WMIxWDM

84e354c0 Driver ACPI_HAL

19 84649f00 Driver hcmon

21 84864778 Driver NaiAvTdi1

8486e600 Driver NetBT

84e29280 Driver viaagp

22 84b6b3e8 Driver Cdrom

84b1e220 Driver mssmbios

84b46d38 Driver VIAudio

23 84df7f38 Driver ViaIde

84350530 Driver kmixer

24 8484f6d8 Driver Wanarp

849df620 Driver Tcpip

84b54400 Driver mnmdd

84b9b670 Driver gameenum

25 84e2a1a0 Driver VolSnap

28 84b91178 Driver Null

84b51040 Driver usbehci

84e28e30 Driver d347prt

29 84bb3da0 Driver IPSec

84c7df38 Driver Disk

84e50c18 Driver PCI

30 84b94f38 Driver Serial

84b1d140 Driver NdisTapi

84b1f040 Driver NdisWan

84df6540 Driver PartMgr

31 849df040 Driver Gpc

32 84e32420 Driver ACPI

84bde158 Driver vmx86

33 84b90458 Driver Flpydisk

84bb6e90 Driver rtl8139

84e81ec8 Driver PnpManager

8467e1b8 Driver VMparport

84b93da0 Driver NaiAvFilter1

34 849eeba8 Driver AFD

8464d040 Driver Ndisuio

35 84b95660 Driver Parport

36 84b9bf38 Driver i8042prt

84b5a858 Driver S3SavageNB

all seems to be OK. then i got stuck for a while. after a few minutes, i thought we could get started by dumping the raw memory of the driver image; perhaps i can find some clue if we're lucky enough (if the code is not extremely obfuscated).

lkd> dc f7361000 f737cfff

(Note: because the output is too large, i only list the most interesting bits here)

f736ccf0 735c3a64 74727672 72645c6d 72657669 d:\srvrtm\driver

f736cd00 74735c73 6761726f 64695c65 74615c65 s\storage\ide\at

f736cd10 5c697061 74696e69 cc00632e cccccccc api\init.c..

f736e220 00730055 00720065 006c0053 00760061 U.s.e.r.S.l.a.v.

f736e230 00440065 00760065 00630069 00540065 e.D.e.v.i.c.e.T.

f736e240 006d0069 006e0069 004d0067 0064006f i.m.i.n.g.M.o.d.

f736e250 00410065 006c006c 0077006f 00640065 e.A.l.l.o.w.e.d.

f736e260 00000032 00000000 00730055 00720065 2.......U.s.e.r.

f736e270 0061004d 00740073 00720065 00650044 M.a.s.t.e.r.D.e.

f736e280 00690076 00650063 00690054 0069006d v.i.c.e.T.i.m.i.

f736e290 0067006e 006f004d 00650064 006c0041 n.g.M.o.d.e.A.l.

f736e2a0 006f006c 00650077 00320064 00000000 l.o.w.e.d.2.....

f736e7e0 6d6d6f43 63696e75 6f697461 7265506e CommunicationPer

f736e7f0 65687069 006c6172 4e6e6547 00007465 ipheral.GenNet..

f736e800 0074654e 6964654d 68436d75 65676e61 Net.MediumChange

f736e810 72655072 65687069 006c6172 436e6547 rPeripheral.GenC

f736e820 676e6168 00007265 6e616843 00726567 hanger..Changer.

f736e830 6974704f 446c6163 506b7369 70697265 OpticalDiskPerip

f736e840 61726568 0000006c 4f6e6547 63697470 heral...GenOptic

f736e850 00006c61 6974704f 006c6163 6e616353 al..Optical.Scan

f736e860 5072656e 70697265 61726568 0000006c nerPeripheral...

f736e870 536e6547 6e6e6163 00007265 6e616353 GenScanner..Scan

f736e880 0072656e 6f526443 7265506d 65687069 ner.CdRomPeriphe

f736e890 006c6172 436e6547 6d6f5264 00000000 ral.GenCdRom....

f736e8a0 6f526443 0000006d 6d726f57 69726550 CdRom...WormPeri

f736e8b0 72656870 00006c61 576e6547 006d726f pheral..GenWorm. // I'm scared by *GenWorm* !

f736e8c0 6d726f57 00000000 636f7250 6f737365 Worm....Processo

f736e8d0 72655072 65687069 006c6172 506e6547 rPeripheral.GenP

f736e8e0 65636f72 726f7373 00000000 636f7250 rocessor....Proc

f736e8f0 6f737365 00000072 6e697250 50726574 essor...PrinterP

f736e900 70697265 61726568 0000006c 506e6547 eripheral...GenP

f736e910 746e6972 00007265 6e697250 00726574 rinter..Printer.

f736e920 65706154 69726550 72656870 00006c61 TapePeripheral..

f736e930 536e6547 65757165 6169746e 0000006c GenSequential...

f736e940 75716553 69746e65 00006c61 6b736944 Sequential..Disk

f736e950 69726550 72656870 00006c61 446e6547 Peripheral..GenD

f736e960 006b7369 6b736944 00000000 ca01ac1c isk.Disk........

f7375140 00650052 00690067 00740073 00790072 R.e.g.i.s.t.r.y.

f7375150 004d005c 00630061 00690068 0065006e \.M.a.c.h.i.n.e.

f7375160 0053005c 00730079 00650074 005c006d \.S.y.s.t.e.m.\.

f7375170 00750043 00720072 006e0065 00430074 C.u.r.r.e.n.t.C.

f7375180 006e006f 00720074 006c006f 00650053 o.n.t.r.o.l.S.e.

f7375190 005c0074 006f0043 0074006e 006f0072 t.\.C.o.n.t.r.o.

f73751a0 005c006c 006e0050 00000070 00440000 l.\.P.n.p.....D.

f73751b0 00730069 00620061 0065006c 00690046 i.s.a.b.l.e.F.i.

f73751c0 006d0072 00610077 00650072 0061004d r.m.w.a.r.e.M.a.

f73751d0 00700070 00720065 004c0000 00670065 p.p.e.r...L.e.g.

f73751e0 00630061 00440079 00740065 00630065 a.c.y.D.e.t.e.c.

f73751f0 00690074 006e006f 004c0000 00670065 t.i.o.n...L.e.g.

f7375200 00630061 00440079 00740065 00630065 a.c.y.D.e.t.e.c.

f7375210 00690074 006e006f cccc0000 cccccccc t.i.o.n.......

f7369df0 0044005c 00760065 00630069 005c0065 \.D.e.v.i.c.e.\.

f7369e00 00640049 005c0065 00640049 00440065 I.d.e.\.I.d.e.D.

f7369e10 00760065 00630069 00500065 00640025 e.v.i.c.e.P.%.d.

f7369e20 00250054 004c0064 00640025 0025002d T.%.d.L.%.d.-.%.

f7369e30 00000078 cccccccc ff8bcccc 81ec8b55 x...........U...

great, the driver seems to have some relationship with ATAPI.sys and has an interest in storage devices, but there is a bad sign since i found GenWorm; i'm excited (scared, of course!). The most important clues are the registry path and the device name format string. i first try to find the devices whose names match the pattern \Device\Ide\IdeDeviceP*T*L*; it's a reasonable check, i think.

lkd> !object \device\ide

Object: e1438230 Type: (84e84488) Directory

ObjectHeader: e1438218

HandleCount: 0 PointerCount: 9

Directory Object: e1007980 Name: Ide

Hash Address Type Name

---- ------- ---- ----

03 84df4b58 Device IdeDeviceP0T0L0-3

84e25028 Device IdePort0

04 84df2028 Device IdePort1

84df7278 Device PciIde0Channel0-0

19 84e2bd10 Device PciIde0Channel1-1

32 84e2b030 Device PciIde0

33 84df4410 Device IdeDeviceP1T0L0-e

mmm, not bad. let me dump the device fields.

lkd> dt nt!_DEVICE_OBJECT 84df4b58

+0x000 Type : 3

+0x002 Size : 0x234

+0x004 ReferenceCount : 0

+0x008 DriverObject : 0x84df6438

+0x00c NextDevice : 0x84df2028

+0x010 AttachedDevice : 0x84e28cb0

+0x014 CurrentIrp : (null)

+0x018 Timer : (null)

+0x01c Flags : 0x5050

+0x020 Characteristics : 0x101

+0x024 Vpb : (null)

+0x028 DeviceExtension : 0x84df4c10

+0x02c DeviceType : 2

+0x030 StackSize : 1 ''

+0x034 Queue : __unnamed

+0x05c AlignmentRequirement : 1

+0x060 DeviceQueue : _KDEVICE_QUEUE

+0x074 Dpc : _KDPC

+0x094 ActiveThreadCount : 0

+0x098 SecurityDescriptor : 0xe15e8658

+0x09c DeviceLock : _KEVENT

+0x0ac SectorSize : 0

+0x0ae Spare1 : 1

+0x0b0 DeviceObjectExtension : 0x84df4d90

+0x0b4 Reserved : (null)

lkd> !devstack 84df4b58

!DevObj !DrvObj !DevExt ObjectName

84b95748 \Driver\redbook 84b95800

84b95030 \Driver\Cdrom 84b950e8 CdRom0

84e28cb0 \Driver\ACPI 84e311a8 00000066

> 84df4b58 \Driver\atapi 84df4c10 IdeDeviceP0T0L0-3

!DevNode 84e28b08 :

DeviceInst is 'IDE\CdRomSAMSUNG_DVD-ROM_SD-816B_________________H001____\5&782cc20&0&0.0.0'

ServiceName is 'cdrom'

lkd> dt nt!_DRIVER_OBJECT 0x84df6438

+0x000 Type : 4

+0x002 Size : 168

+0x004 DeviceObject : 0x84df4410

+0x008 Flags : 0x12

+0x00c DriverStart : (null)

+0x010 DriverSize : 0

+0x014 DriverSection : 0x84e84d08

+0x018 DriverExtension : 0x84df64e0

+0x01c DriverName : _UNICODE_STRING '\Driver\atapi'

+0x024 HardwareDatabase : 0x809f9260 '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM'

+0x028 FastIoDispatch : (null)

+0x02c DriverInit : 0xf737957f Unknown_Module_f7361000!GsDriverEntry+0

+0x030 DriverStartIo : 0xf7368dec Unknown_Module_f7361000!IdePortStartIo+0

+0x034 DriverUnload : 0x84b01c50 +ffffffff84b01c50

+0x038 MajorFunction : [28] 0x84b01bf8 +ffffffff84b01bf8

this indicates that the device object was created by ATAPI.sys. however, there is no ATAPI in the lm command output. ATAPI may have been hijacked by some bad guy.

let's dump the dispatch routines:

lkd> dps 0x84df6438+0x38 L20

84df6470 84b01bf8

84df6474 84b01bf8

84df6478 84b01bf8

84df647c 84b01bf8

84df6480 84b01bf8

84df6484 84b01bf8

84df6488 84b01bf8

84df648c 84b01bf8

84df6490 84b01bf8

84df6494 84b01bf8

84df6498 84b01bf8

84df649c 84b01bf8

84df64a0 84b01bf8

84df64a4 84b01bf8

84df64a8 84b01bf8

84df64ac 84b01bf8

84df64b0 84b01bf8

84df64b4 84b01bf8

84df64b8 84b01bf8

84df64bc 84b01bf8

84df64c0 84b01bf8

84df64c4 84b01bf8

84df64c8 84b01bf8

84df64cc 84b01bf8

84df64d0 84b01bf8

84df64d4 84b01bf8

84df64d8 84b01bf8

84df64dc 84b01bf8

84df64e0 84df6438

84df64e4 f7373208

84df64e8 00000000

84df64ec 000c000a

then check the assembly code:

lkd> uf 84b01bf8

84b01bf8 jmp 84b01bfc

84b01bfc push ebx

84b01bfd lea ebx,[84b01c5c]

84b01c03 push ebx

84b01c04 push eax

84b01c05 push esp

84b01c06 call nt!IoAcquireVpbSpinLock (80848c58)

84b01c0b mov ebx,[ebx]

84b01c0d call dword ptr [ebx+0x90]

84b01c13 call nt!IoReleaseVpbSpinLock (8084ab53)

84b01c18 mov eax,[ebx+0x8]

84b01c1b sahf

84b01c1c pushfd

84b01c1d mov eax,[esp+0x14]

84b01c21 push eax

84b01c22 mov eax,[eax+0x60]

84b01c25 movzx eax,byte ptr [eax]

84b01c28 push dword ptr [esp+0x14]

84b01c2c call dword ptr [ebx+eax*4+0x20]

84b01c30 mov [esp+0x4],eax

84b01c34 push eax

84b01c35 push esp

84b01c36 call nt!IoAcquireVpbSpinLock (80848c58)

84b01c3b call dword ptr [ebx+0x94]

84b01c41 pop eax

84b01c42 popfd

84b01c43 push eax

84b01c44 jnz 84b01c0b

84b01c46 call nt!IoReleaseVpbSpinLock (8084ab53)

84b01c4b pop eax

84b01c4c pop ebx

84b01c4d ret 0x8

examine the target of the instruction call dword ptr [ebx+0x90]:

lkd> u poi(poi(84b01c5c)+90)

f7455a4e lock inc dword ptr [ebx+0xc]

f7455a52 ret

f7455a53 lock dec dword ptr [ebx+0xc]

f7455a57 jnz f7455a61

f7455a59 pushad

f7455a5a push ebx

f7455a5b call f7443cf2

f7455a60 popad

lkd> u poi(84b5fbe4+0x94)

*** ERROR: Module load completed but symbols could not be loaded for d347bus.sys

d347bus+0x15a53:

f7455a53 lock dec dword ptr [ebx+0xc]

f7455a57 jnz d347bus+0x15a61 (f7455a61)

f7455a59 pushad

f7455a5a push ebx

f7455a5b call d347bus+0x3cf2 (f7443cf2)

f7455a60 popad

f7455a61 ret

f7455a62 push ebp

lkd> lmvm d347bus

start end module name

f7440000 f7465e00 d347bus (no symbols)

Loaded symbol image file: d347bus.sys

Image path: d347bus.sys

Image name: d347bus.sys

Timestamp: Sun Aug 22 21:31:09 2004 (4128A01D)

CheckSum: 00034FBA

ImageSize: 00025E00

Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

so d347bus hijacks ATAPI. next, check where the code address 84b01bf8 lives:

lkd> !pool 84b01bf8

Pool page 84b01bf8 region is Nonpaged pool

84b01000 size: ba0 previous size: 0 (Allocated) RTLm

84b01ba0 size: 8 previous size: ba0 (Free) ....

84b01ba8 size: 48 previous size: 8 (Allocated) NDpf

*84b01bf0 size: 108 previous size: 48 (Allocated) *V386

Owning component : Unknown (update pooltag.txt)

84b01cf8 size: 18 previous size: 108 (Free) MntA

84b01d10 size: 80 previous size: 18 (Allocated) PXh.

84b01d90 size: 8 previous size: 80 (Free) Thre

84b01d98 size: 18 previous size: 8 (Allocated) Wmip

84b01db0 size: 100 previous size: 18 (Allocated) NDmo

84b01eb0 size: 150 previous size: 100 (Allocated) WanJ

So ATAPI's dispatch routines are actually hijacked by d347bus.sys: it allocates a block with ExAllocatePoolWithTag and copies its instructions into the allocated pool to hook the dispatch routines.
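The check done by hand above (compare every MajorFunction slot against the module ranges from lm, and notice that all 28 slots collapse onto one address that belongs to no loaded image) can be replayed on captured debugger text. The Python below is an added example, not code from the original post; the lm and dps samples are constructed from the values shown above, and the function and module names used are my own.

```python
"""Triage a driver object's dispatch table against the loaded-module list.

Replays the manual WinDbg check (lm, dt nt!_DRIVER_OBJECT, dps) on captured text.
Sample inputs are constructed from the values quoted in the post."""
import re

# Constructed: subset of the `lm` output (start, end, name).
LM_OUTPUT = """\
80800000 80a6b000 nt (pdb symbols)
f7342000 f7361000 SCSIPORT (deferred)
f7361000 f737d000 Unknown_Module_f7361000 (deferred)
f7440000 f7465e00 d347bus (deferred)
"""

# Constructed: `dps` dump of the 28 MajorFunction slots, every one pointing at 84b01bf8.
DPS_OUTPUT = "\n".join(f"{0x84df6470 + 4 * i:08x} 84b01bf8" for i in range(28))

IRP_MJ_MAXIMUM_FUNCTION = 0x1b  # 28 slots: IRP_MJ_CREATE .. IRP_MJ_PNP


def parse_lm(text):
    """Return [(start, end, name)] from `lm` lines; header and noise lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", line)
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return mods


def parse_dps(text):
    """Return the pointer values (second column) from `dps` output, in slot order."""
    return [int(m.group(1), 16)
            for m in re.finditer(r"^\s*[0-9a-f]{8}\s+([0-9a-f]{8})", text, re.M)]


def owning_module(addr, mods):
    """Name of the loaded image containing addr, or None if it lies in no image."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None


def triage_dispatch(major_functions, mods, expected_module):
    """Classify each IRP_MJ slot. A slot is suspicious when its target lies in no
    loaded image (pool-resident code) or in a module other than the driver's own.
    Returns (per_slot, single_target); single_target flags 28 slots sharing one address."""
    per_slot = []
    for mj, target in enumerate(major_functions[:IRP_MJ_MAXIMUM_FUNCTION + 1]):
        owner = owning_module(target, mods)
        if owner is None:
            verdict = "no image: pool-resident code"
        elif owner != expected_module:
            verdict = f"redirected into {owner}"
        else:
            verdict = "ok"
        per_slot.append((mj, target, owner, verdict))
    single_target = len(set(major_functions)) == 1
    return per_slot, single_target


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    slots, single = triage_dispatch(parse_dps(DPS_OUTPUT), mods, "Unknown_Module_f7361000")
    for mj, target, owner, verdict in slots:
        print(f"IRP_MJ 0x{mj:02x} -> {target:08x} [{owner or '-'}] {verdict}")
    print("all slots share one target:", single)
```

The same owning_module lookup places DriverStartIo (f7368dec) inside Unknown_Module_f7361000 and the trampoline's call target (f7455a4e) inside d347bus, which is exactly the relationship the debugging session uncovered.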

the atapi driver object is listed in the debug output; however, the module has been modified, so the debugger cannot recognize ATAPI.sys since no pdb symbol matches the checksum, i think.

there is some obfuscated code in the image, which is interesting. and i still have concerns about what the heck GenWorm means?! maybe i can build a repro in VMWare to trace d347bus.sys.

d347bus.sys is the bus driver of Daemon Tools. basically it should do no harm to my computer; however, if d347bus.sys is itself hijacked by another driver, this will become more complex. reserved for future striking!

ok, now, go to bed.

 
 
 