I tried to find the answer to this and spent hours reading books about rootkits and googling, but no luck. The closest thing I found was a series of tweets, which didn't help much.
Basically there is a bootkit that hooks something at the minifilter layer, and I heard that it is sometimes possible to use the ATA_PASS_THROUGH IOCTL from user mode to bypass some of these hooks even at the minifilter layer. But where can I find a place that explains how exactly I have to use ATA_PASS_THROUGH from a user-mode application to read sectors from disk? I want to read the MBR, but the bootkit is returning a fake MBR. I want to try the user-mode approach before trying to write a kernel driver to bypass it.
So where can I learn more about how it's possible to use ATA_PASS_THROUGH from user mode to read sectors from disks or write to them? Any open-source project or something?
Thanks
Comments
If a rootkit is already running, that's it. Game over, you lose. Whatever you can do, from user or kernel, they can spoof.
Tim Roberts, [email protected]
Software Wizard Emeritus
A side note: I said minifilter layer by mistake, I meant miniport.
Yes, I know that if they do everything right I can't do anything, but I know that we can bypass this particular sample with ATA pass-through even though they are hooking something at the miniport layer. I just don't know how to use it. How can I use the ATA_PASS_THROUGH IOCTL to read or write sectors on disk from user mode?
This is the series of tweets I'm talking about; it might provide more info to people reading this:
twitter.com/hFireF0X/status/568716462669602816
Why bother? Just reformat.
I'm analyzing it, not trying to save a system or anything. I just want to learn how I can use ATA_PASS_THROUGH or SCSI_PASS_THROUGH or similar IOCTLs to read or write to disk right now.
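Since the question above (and the original post) is purely "how do I issue IOCTL_ATA_PASS_THROUGH from user mode to read a sector", here is an added example of the mechanics; it is not code from this thread, from the tweets, or from OSR. It reads sector 0 of \\.\PhysicalDrive0 twice, once through the ordinary ReadFile path and once through IOCTL_ATA_PASS_THROUGH with a READ SECTOR(S) EXT command, and reports the first byte on which the two reads disagree. It assumes an elevated process and a disk that sits behind an ATA-capable miniport (ATA/AHCI; the IOCTL does not apply to NVMe). The names ata_read_req, build_read_sectors_ext, read_sector_ata, read_sector_normal, first_difference and mbr_has_signature are this example's own; the ATA_PASS_THROUGH_EX layout, flag values and IOCTL come from the Windows SDK's ntddscsi.h, and a copy of the struct layout is included only so the encoding can be compiled and checked on a non-Windows host.

```c
/* Added example (not code from the thread): read sector 0 of \\.\PhysicalDrive0 once
 * through ReadFile and once through IOCTL_ATA_PASS_THROUGH, then report the first byte
 * that differs. The encoding and MBR check are portable; only the I/O needs <windows.h>. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>                  /* ATA_PASS_THROUGH_EX, IOCTL_ATA_PASS_THROUGH */
#else                                  /* same layout as ntddscsi.h, for other hosts */
typedef struct {
    uint16_t Length, AtaFlags; uint8_t PathId, TargetId, Lun, ReservedAsUchar;
    uint32_t DataTransferLength, TimeOutValue, ReservedAsUlong; uintptr_t DataBufferOffset;
    uint8_t PreviousTaskFile[8], CurrentTaskFile[8];
} ATA_PASS_THROUGH_EX;
#define ATA_FLAGS_DRDY_REQUIRED 0x01
#define ATA_FLAGS_DATA_IN       0x02
#define ATA_FLAGS_48BIT_COMMAND 0x08
#endif
#define SECTOR_SIZE 512

/* METHOD_BUFFERED: header and data share one buffer; DataBufferOffset links them. */
typedef struct { ATA_PASS_THROUGH_EX apt; uint8_t data[SECTOR_SIZE]; } ata_read_req;

/* Encode READ SECTOR(S) EXT (0x24, 48-bit PIO) for `count` sectors at `lba`. For 48-bit
 * commands the low-order register bytes go in CurrentTaskFile and the high-order bytes
 * in PreviousTaskFile: [1] sector count, [2..4] LBA, [5] device, [6] command. */
void build_read_sectors_ext(ata_read_req *req, uint64_t lba, uint16_t count)
{
    ATA_PASS_THROUGH_EX *a = &req->apt;
    memset(req, 0, sizeof *req);
    a->Length = (uint16_t)sizeof *a;
    a->AtaFlags = ATA_FLAGS_DATA_IN | ATA_FLAGS_48BIT_COMMAND | ATA_FLAGS_DRDY_REQUIRED;
    a->DataTransferLength = (uint32_t)count * SECTOR_SIZE;
    a->TimeOutValue = 10;                                  /* seconds */
    a->DataBufferOffset = offsetof(ata_read_req, data);
    a->CurrentTaskFile[1]  = (uint8_t)count;               /* count 7:0  */
    a->PreviousTaskFile[1] = (uint8_t)(count >> 8);        /* count 15:8 */
    for (int i = 0; i < 3; i++) {
        a->CurrentTaskFile[2 + i]  = (uint8_t)(lba >> (8 * i));       /* LBA 23:0  */
        a->PreviousTaskFile[2 + i] = (uint8_t)(lba >> (24 + 8 * i));  /* LBA 47:24 */
    }
    a->CurrentTaskFile[5] = 0x40;                          /* device: LBA mode */
    a->CurrentTaskFile[6] = 0x24;                          /* READ SECTOR(S) EXT */
}

/* A real MBR ends in 0x55 0xAA; a sector without it is not a boot sector at all. */
int mbr_has_signature(const uint8_t *s) { return s[510] == 0x55 && s[511] == 0xAA; }

/* Index of the first byte where the two reads disagree, -1 if identical. */
long first_difference(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) if (a[i] != b[i]) return (long)i;
    return -1;
}

#ifdef _WIN32
/* Pass-through IOCTLs require read+write access to the disk, hence an elevated process. */
#define OPEN_DISK(p) CreateFileA(p, GENERIC_READ | GENERIC_WRITE, \
                     FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)
int read_sector_ata(const char *path, uint64_t lba, uint8_t *out)
{
    ata_read_req req; DWORD n = 0;
    HANDLE h = OPEN_DISK(path);
    if (h == INVALID_HANDLE_VALUE) return -1;
    build_read_sectors_ext(&req, lba, 1);
    BOOL ok = DeviceIoControl(h, IOCTL_ATA_PASS_THROUGH, &req, sizeof req, &req, sizeof req, &n, NULL);
    CloseHandle(h);
    if (!ok || (req.apt.CurrentTaskFile[6] & 0x01)) return -1; /* [6] now holds status; bit 0 = ERR */
    memcpy(out, req.data, SECTOR_SIZE);
    return 0;
}
int read_sector_normal(const char *path, uint64_t lba, uint8_t *out)
{
    LARGE_INTEGER off = { .QuadPart = (LONGLONG)(lba * SECTOR_SIZE) }; DWORD n = 0;
    HANDLE h = OPEN_DISK(path);
    if (h == INVALID_HANDLE_VALUE) return -1;
    BOOL ok = SetFilePointerEx(h, off, NULL, FILE_BEGIN) && ReadFile(h, out, SECTOR_SIZE, &n, NULL);
    CloseHandle(h);
    return (ok && n == SECTOR_SIZE) ? 0 : -1;
}
#endif

int main(void)
{
#ifdef _WIN32
    uint8_t normal[SECTOR_SIZE], ata[SECTOR_SIZE];
    const char *disk = "\\\\.\\PhysicalDrive0";           /* assumed target disk */
    if (read_sector_normal(disk, 0, normal) || read_sector_ata(disk, 0, ata)) {
        fputs("read failed: run elevated, on a disk behind an ATA-capable miniport\n", stderr);
        return 1;
    }
    long d = first_difference(normal, ata, SECTOR_SIZE);
    printf("MBR signature: normal=%d ata=%d\n", mbr_has_signature(normal), mbr_has_signature(ata));
    if (d < 0) puts("both paths agree on sector 0");
    else printf("sector 0 differs from byte %ld on: something in the stack is rewriting it\n", d);
#else
    puts("this program issues Windows IOCTLs; build and run it on Windows");
#endif
    return 0;
}
```

The comparison is the useful part for analysis: the pass-through read is the raw sector the drive returned through the miniport, and a mismatch against the ReadFile result is a concrete indicator that something between the file object and the miniport rewrites sector 0. Agreement proves nothing, for the reason Tim gives above: a sample that also filters the pass-through path returns the same fake sector both ways. The SCSI analogue is IOCTL_SCSI_PASS_THROUGH_DIRECT with a READ(10) or READ(16) CDB, which works for more disk types because the port driver translates it; the buffer handling is the same idea, with DataBuffer pointing at the caller's buffer instead of an offset.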
Okay, so pull out the drive, connect it to a system that does not have a rootkit, and do normal I/O. On a system that has a rootkit, you will never be able to make this work. The rootkit can always intercept your calls in some way (it might crash the OS, corrupt the C drive, etc. as it does so), but it can do it. If the rootkit in question leaves some paths open, then it's a buggy rootkit. Those are by far the easiest to catch.