How to use ATA_PASS_THROUGH to read or write to disk and bypass bootkit hooks from user-mode?

kernelboi Member Posts: 19

I tried to find the answer to this and spent hours reading books about rootkits and googling, but no luck; the closest thing I found was a series of tweets, which didn't help much.

Basically there is a bootkit that hooks something at the minifilter layer, and I heard that it is sometimes possible to use the ATA_PASS_THROUGH IOCTL from user-mode to bypass some of these hooks even at the minifilter layer, but where can I find a place that explains how exactly I have to use ATA_PASS_THROUGH from a user-mode application to read sectors from disk? I want to read the MBR, but the bootkit is returning a fake MBR; I want to try the user-mode approach before trying to write a kernel driver to bypass it.

So where can I learn more about how it's possible to use ATA_PASS_THROUGH from user-mode to read sectors from disks or write to them? Any open-source project or something?

Thanks
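
The question asks how an IOCTL_ATA_PASS_THROUGH request is put together from user mode to read a sector such as the MBR; the following is an added example, not code from this thread or from OSR, that encodes the request and, on Windows, sends it to a physical drive. It assumes a SATA disk behind a port driver that accepts the IOCTL and the device path \\.\PhysicalDrive0; the structure, flag and IOCTL names are those of ntddscsi.h, with the structure mirrored locally so the encoding part compiles and can be checked on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define SECTOR_BYTES 512
#define ATA_FLAGS_DRDY_REQUIRED (1 << 0)      /* flag values as in ntddscsi.h */
#define ATA_FLAGS_DATA_IN       (1 << 1)
#define ATA_FLAGS_48BIT_COMMAND (1 << 3)
/* Mirrors the layout of ATA_PASS_THROUGH_EX from ntddscsi.h (48 bytes on x64, 40 on x86). */
typedef struct {
    uint16_t  Length, AtaFlags;
    uint8_t   PathId, TargetId, Lun, ReservedAsUchar;
    uint32_t  DataTransferLength, TimeOutValue, ReservedAsUlong;
    uintptr_t DataBufferOffset;
    uint8_t   PreviousTaskFile[8], CurrentTaskFile[8];
} AtaPassThroughEx;
/* Header immediately followed by the data buffer, as IOCTL_ATA_PASS_THROUGH expects. */
typedef struct { AtaPassThroughEx apt; uint8_t data[SECTOR_BYTES]; } SectorRequest;
/* One-sector READ SECTOR(S) EXT (0x24) at `lba`. 48-bit task-file registers are 16 bits wide:
 * CurrentTaskFile holds the low byte, PreviousTaskFile the high byte. Index 1 = sector count,
 * 2..4 = LBA bytes, 5 = device register (0x40 selects LBA addressing), 6 = command. */
void build_read_sector(SectorRequest *r, uint64_t lba) {
    uint8_t *cur = r->apt.CurrentTaskFile, *prev = r->apt.PreviousTaskFile;
    memset(r, 0, sizeof *r);
    r->apt.Length = sizeof r->apt;
    r->apt.AtaFlags = ATA_FLAGS_DRDY_REQUIRED | ATA_FLAGS_DATA_IN | ATA_FLAGS_48BIT_COMMAND;
    r->apt.DataTransferLength = SECTOR_BYTES;
    r->apt.TimeOutValue = 10;                                      /* seconds */
    r->apt.DataBufferOffset = offsetof(SectorRequest, data);
    cur[1] = 1;                                                    /* sector count */
    cur[2] = (uint8_t)lba;         prev[2] = (uint8_t)(lba >> 24); /* LBA 7:0   / 31:24 */
    cur[3] = (uint8_t)(lba >> 8);  prev[3] = (uint8_t)(lba >> 32); /* LBA 15:8  / 39:32 */
    cur[4] = (uint8_t)(lba >> 16); prev[4] = (uint8_t)(lba >> 40); /* LBA 23:16 / 47:40 */
    cur[5] = 0x40; cur[6] = 0x24;
}
#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>
/* Send the request to e.g. L"\\\\.\\PhysicalDrive0" (administrator rights needed); 0 on success.
 * After the IOCTL, CurrentTaskFile[6] holds the device status register; bit 0 is ERR.
 * Comparing `out` with the same sector read via ReadFile shows whether the normal path is altered. */
int read_sector_passthrough(const wchar_t *device, uint64_t lba, uint8_t out[SECTOR_BYTES]) {
    SectorRequest r; DWORD got = 0; BOOL ok;
    HANDLE h = CreateFileW(device, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    build_read_sector(&r, lba);
    ok = DeviceIoControl(h, IOCTL_ATA_PASS_THROUGH, &r, sizeof r, &r, sizeof r, &got, NULL);
    CloseHandle(h);
    if (!ok || (r.apt.CurrentTaskFile[6] & 1)) return -1;
    memcpy(out, r.data, SECTOR_BYTES);
    return 0;
}
#endif
```

NVMe disks do not take ATA commands, so the IOCTL fails on them, and, as the replies in this thread point out, anything hooked at or below the port driver still sees this request; the comparison with the ReadFile view only tells you the two paths disagree, not which one is honest.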

Comments

  • Tim_Roberts Member - All Emails Posts: 13,451

    If a rootkit is already running, that's it. Game over, you lose. Whatever you can do, from user or kernel, they can spoof.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • kernelboi Member Posts: 19
    edited June 24

    A side note: I said minifilter layer by mistake, I meant miniport.

    @Tim_Roberts said:
    If a rootkit is already running, that's it. Game over, you lose. Whatever you can do, from user or kernel, they can spoof.

    Yes, I know if they do everything right I can't do anything, but I know that we can bypass this particular sample with ATA pass-through even though they are hooking something at the miniport layer; I just don't know how to use it. How can I use the ATA_PASS_THROUGH IOCTL to read or write sectors on disk from user-mode?

  • kernelboi Member Posts: 19
    edited June 24

    This is the series of tweets I'm talking about; it might provide more info to people reading this:

    twitter.com/hFireF0X/status/568716462669602816

  • MBond2 Member Posts: 128

    Why bother - just reformat.

  • kernelboi Member Posts: 19

    @MBond2 said:
    Why bother - just reformat.

    I'm analyzing it, not trying to save a system or anything; I just want to learn how I can use ATA_PASS_THROUGH or SCSI_PASS_THROUGH or similar IOCTLs to read or write to disk right now.

  • MBond2 Member Posts: 128

    Okay - so pull out the drive, connect it to a system that does not have a rootkit and do normal I/O. On a system that has a rootkit, you will never be able to make this work. The rootkit can always intercept your calls in some way - it might crash the OS, corrupt the C drive, etc. as it does so, but it can do it. If the rootkit in question leaves some paths open, then it's a buggy rootkit. Those are by far the easiest to catch.
