How to Hard Reboot a system?

KeBugCheck(POWER_FAILURE_SIMULATE);

or

mov dx, 64h
mov al, 0FEh
out dx, al

You can of course hard hang the machine if the i8042prt driver is touching the hardware at the same time. And of course this does not work on a machine where the PS/2 resources are not pure I/O ports (memory-mapped I/O, etc.).

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of zhzhtst@163.com
Sent: Wednesday, September 09, 2009 10:33 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to Hard Reboot a system?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

> KeBugCheck(POWER_FAILURE_SIMULATE);

HalReturnToFirmware is better.

> mov dx, 64h
> mov al, 0FEh
> out dx, al

Not obliged to work on modern ACPI/APIC machines.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> But it restores its settings after some time. So if we hard boot it will
> not get a chance to restore its settings.

The software which hard reboots the machine with the user working on it is malware, yes, really so, even if its goal is to protect against another (possibly worse) malware.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


If the user installs the software that works exactly as described, and
it is installed by the user with a full understanding of what it is going
to do, then why do you say it is malware? Software with bugs (e.g. Windows
7 - http://isc.sans.org/diary.html?storyid=7093) can make worse things
happen to your system, and you don’t call that malware (or maybe you do
:) ).

That said, I think that there are better ways to solve the problem.

James

Based on my experience with one of the latest variants of a rootkit, I will say the OP is in the correct direction.

One can treat it as malware; but then the other options are to format the system or live with the rootkit. Based on the feedback I received from our support guys, customers are ready to try anything to avoid a format, *even* when the support guys told them that the xyz tool is in beta and may crash your machine into an unrecoverable state.

Regarding the malware,

what I observed is that the latest version of one type of rootkit does not drop any files on the machine; instead it changes sectors and hooks into the storage stack. The rootkit driver has registered a shutdown notification, so even if you change the infected part on disk the rootkit will overwrite it during shutdown IRP processing. So the only possible workaround is to restart the machine without generating a shutdown notification, and we have tested this working successfully up to the latest version of the rootkit.

Aditya


I have found that they are also ‘safe mode proof’ so the old trick of
booting into safe mode and cleaning out the registry just doesn’t work
anymore.

I know I’m taking this further off-topic, but do you (or anyone else)
have an opinion on the protections offered by the 64-bit kernels and how
useful they are in preventing this sort of exploit? My opinion based on
general observations of such protections is that they only need to be
broken once and it’s all over until the next Windows patch (and between
the time when the patch is released and when it starts to get rolled
out, the malware has already been updated too).

James

>> I have found that they are also ‘safe mode proof’ so the old trick of booting into safe mode and cleaning out the registry just doesn’t work anymore.

Correct, the recent ones are too advanced. The writers of the rootkit (to which I referred in my last post) are actually improving it by reverse engineering the detection tools. They start with one security researcher’s sample, then improve it based on one anti-rootkit tool, and so on. So it seems that very soon they will become almost (:-), I’ll not say completely) invisible.

If you are referring to PatchGuard, then that was reverse-engineered long back (which you probably already know). For expert comments I guess Skywing should be *informed*.

Regarding the usefulness of 64-bit protection in such malware cases, I don’t think they actually check for hooking of drivers in the storage stack currently. And as this malware is not touching any SSDT, IDT etc., PatchGuard will *probably* not take any action against them. Also, as a filter can be placed above the port driver, I do not think there is any possibility of even detecting that using current techniques.

Not allowing unsigned binaries to be loaded may help (as already in place in Vista and above) but I never went into the details of this aspect, so maybe there is an alternative to this also.

Aditya

Yes they undeniably offer “more protection”, but you’re still in the same
old cat and mouse malware game that you’ve always been in, Russinovich
mentions this in his blog I think, it just depends how hard the other party
is trying…

I also don’t believe there has been a “pressure” on the rootkit community to
*really* put effort into either x86 or x64 Vista/Win7 based rootkits simply
because the corporate take up of Vista has been so poor. Having said that,
as Win7 rolls out and large corporates “actually” start to move away from XP
(will they?), we may see a surge of development in this area.

As far as corporates adopting x64 technology though over x86 in the current
economy, they would have to have good reason I imagine, and also good
understanding of the benefits to be excited about it…

But I’d dare to say that if someone had explained to the Dalai Lama how
Vista x64 would have stopped the Chinese Govt hacking him simply through
driver signing protection, that he might have been receptive to an
upgrade…ahh the joy of hindsight.

Alex Ionescu has done some interesting work regarding PatchGuard and
session 0 exploits though James, and the usual rootkit site links also have
some “interesting” code.

My 2 english pence.

crispin.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of James Harper
Sent: 10 September 2009 10:54
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to Hard Reboot a system?


__________ Information from ESET NOD32 Antivirus, version of virus signature
database 4413 (20090910) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com


Doron Holan wrote:
> I am speechless that you think that a hard reboot is the right answer.

Although I would be aghast if a shipping product tried to do this, I
know that I have had to use exactly this scheme to kill certain kinds of
malware in some of our client’s machines. As a one-time clean-up
tactic, it’s not completely loony.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Offline cleanup seems to be a potentially safer alternative. The
file-system and registry can be ‘cleaned’ of the malware in the static state
of not having the malware (presumably assisted by a rootkit of some type)
running and thus able to hide/re-attach itself.

Better than “Safe Mode”, I refer to it as “Dead Mode”. It has been very
helpful in rescuing some non-technical friends’ systems when they have shown
up with a bad case of drive-by-malware hangover.

Cheers,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Thursday, September 10, 2009 12:58 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How to Hard Reboot a system?


PatchGuard is not a security mitigation (something that makes it more difficult to reliably gain code execution by exploiting a vulnerability).

That being said, mitigations have been added to the platform over time (e.g. ASLR on Vista, NX, …), and I think that it’s a safe bet to say that more will come in time. Mitigations are based on attacking the conditions needed to gain meaningful code execution vs. trying to clean up afterwards.

- S

-----Original Message-----
From: James Harper
Sent: Thursday, September 10, 2009 02:53
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to Hard Reboot a system?


I think Windows PE booting from optical media or USB stick is a much better
solution. Less chance of leaving the disk in a partially updated state.
With the free WAIK, you can run the same version of Windows and do pretty
much anything to the hard drive. Mounting the registry for cleanup can be
done easily using Resplendence Registrar Registry Manager. Symantec Ghost
can create a bootable Windows PE USB stick and copy Ghost32.exe onto it for
drive and/or volume backup and restoration. They can also do the same using
PC-DOS but accessing NTFS partitions is not native to the command line, but
internal to the Ghost program.

There are registers that will permit a hard reboot, either cold or warm. It
is not that difficult to find out how to do it, but I don’t want any
software that does it on my system unless I specifically authorize it to do
it each time.

“David R. Cattley” wrote in message news:xxxxx@ntdev…

> One can treat is as a malware; but than other options are format the system or live with the rootkit.

The best option is to boot off antivirus product CD and scan.

Another option is to detach the hard disk, attach to another computer with AutoRun off, and do AV scan there.

> processing. So the only possible workaround is

…is to boot off antivirus CD.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

>> The best option is to boot off antivirus product CD and scan.

Well, not for this case,

as AV scanners scan for files and not for disk sectors, and I found that the said rootkit just puts its data at some sectors, so I do not think an AV product CD will have any chance of cleaning it.

Another must-have thing to clean that using this method is signatures for that rootkit file, which may not have any information pertaining to the said malware, because if it had the signature of the rootkit file then it could have cleaned that in the first place without even giving it a chance to execute.

I am not saying that this will not help, but as mentioned it will not be helpful in all scenarios like this one. And then if a certain tool is saving a customer from a format at the price of a hard reboot, I think it should be acceptable. So I agree that a hard reboot is not good, but at times it could be the only possible solution.

Thanks,
Aditya

But what if it spreads to other systems? The cost of reinstalling one system won’t look so bad at that point, but it will be too late, and the cost of reinstalling a single system has to be less than the cost of extensive analysis to arrive at the conclusion that it’s ‘clean.’

mm

> Well, Not for this case,

For absolutely any case (if the AV has the databases fresh enough).

No need in rootkit revealers in any kind, absolutely any kind. Just boot from a clean CD/DVD/another hard drive and run the usual AV with fresh databases.

> that AV scanners scans for files and not for disk sectors and I found that the said rootkit just put its
> data at some sectors

Not important. It will still need to patch some usual location (boot sector or a file) for this hidden file to gain control.

> Another must have thing to clean that using this method is signatures for that rootkit file, which may not
> have any information pertaining to the said malware

If the AV software is obsolete, then the game is lost :) so is the obsolete rootkit revealer :)

> And than if certain tool is saving a customer from a format on the price of a hard reboot

Sooner or later, the customer’s machine will experience random crashes and hangs with such software, and format (at least Windows reinstall) is the fastest and most cost-effective way of curing this.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> > Well, Not for this case,
>
> For absolutely any case (if the AV has the databases fresh enough).

Always assume that your AV database is not fresh enough.

> No need in rootkit revealers in any kind, absolutely any kind. Just
> boot from a clean CD/DVD/another hard drive and run the usual AV with
> fresh databases.

If your AV database knows about version n, then the rootkit only has to
be version n+1 and you will either find nothing, or will fail to clean a
hook or two and the virus will be right back on the next boot.

> > that AV scanners scans for files and not for disk sectors and I
> > found that the said rootkit just put its data at some sectors
>
> Not important. It will still need to patch some usual location (boot
> sector or a file) for this hidden file to gain control.

They are finding more and more places to patch unfortunately.

> > Another must have thing to clean that using this method is
> > signatures for that rootkit file, which may not have any information
> > pertaining to the said malware
>
> If the AV software is obsolete, then the game is lost :) so is the
> obsolete rootkit revealer :)

Always assume your AV software is obsolete. I’m getting to the point
where I think the only good AV software is software that either
completely disconnects the computer from the network (some do, but I’m
sure a virus that was motivated enough could disable that) on detected
infection (‘something is not right’ detection), or wipes the bootsector
and turns it off hard, like the OP wants to do, forcing a reinstall (or
a bootfix).

> > And than if certain tool is saving a customer from a format on the
> > price of a hard reboot
>
> Sooner or later, the customer’s machine will experience random crashes
> and hangs with such software, and format (at least Windows reinstall)
> is the fastest and most cost-effective way of curing this.

And if the computer is on a network, probably all the other machines on
the network too (port 445 exploits anyone?)

James (feeling paranoid this morning :)

> They are finding more and more places to patch unfortunately.

Proper AV should just check the boot sector and then check the MS’s digital signatures on all Windows files. :)

The most “killer” way of doing things. Then the usual registry cleanup and so on.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
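The offline "Dead Mode" cleanup that Dave Cattley and the Windows PE poster describe, together with Maxim's "check the boot sector, then check the signatures on the Windows files", can be scripted as a first triage pass from a WinPE boot. The script below is an added example for this thread, not code from any of the posters, and everything machine-specific in it is an assumption: the infected disk is \\.\PhysicalDrive0, its Windows directory is mounted at D:\Windows, the WinPE image was built with the PowerShell optional component (PowerShell 3 or later), and $KnownGoodMbrSha256 is a placeholder for a hash you recorded from the same machine while it was known to be clean. It hashes the MBR and compares it with that baseline, then loads the offline SYSTEM hive and lists every boot-start and system-start driver with its Authenticode status, so that a missing, unsigned or relocated early-start driver stands out. Because the volume is offline, a shutdown-notification rewrite of the kind Aditya describes never gets to run.

```powershell
# Added example (not from the thread): offline triage of a Windows volume from WinPE.
# All paths and the baseline hash are assumptions/placeholders; adjust per machine.
param(
    [string]$PhysicalDrive      = '\\.\PhysicalDrive0',    # assumption
    [string]$OfflineWindows     = 'D:\Windows',            # assumption
    [string]$KnownGoodMbrSha256 = '<SHA256-OF-CLEAN-MBR>'  # placeholder, recorded from a clean image
)

# Read the first sector of the disk (the MBR) and return its SHA-256 as hex.
# A 4096-byte read stays sector-aligned on both 512-byte and 4Kn disks; only the
# first 512 bytes (boot code + partition table + 0x55AA signature) are hashed.
function Get-MbrSha256 {
    param([string]$Drive)
    $ctorArgs = @($Drive, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
                  [System.IO.FileShare]::ReadWrite)
    $fs = New-Object -TypeName System.IO.FileStream -ArgumentList $ctorArgs
    try {
        $buf  = New-Object byte[] 4096
        $null = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($buf[510] -ne 0x55 -or $buf[511] -ne 0xAA) {
        Write-Warning "${Drive}: MBR boot signature 0x55AA is missing"
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([System.BitConverter]::ToString($sha.ComputeHash($buf, 0, 512))) -replace '-', ''
}

# Translate an ImagePath as stored in the registry into a path on the offline volume.
function Resolve-OfflineImagePath {
    param([string]$ImagePath, [string]$WindowsDir)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''         # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ''    # \SystemRoot\...  -> relative to Windows dir
    $p = $p -replace '^%SystemRoot%\\', ''    # %SystemRoot%\... -> relative to Windows dir
    if ($p -match '^[A-Za-z]:\\') {
        # Absolute path from the infected OS: re-root it on the offline volume's drive letter.
        return (Split-Path -Qualifier $WindowsDir) + '\' + $p.Substring(3)
    }
    return Join-Path $WindowsDir $p
}

# Mount the offline SYSTEM hive and report every kernel/file-system driver that
# starts at boot or system start, together with its Authenticode status.
function Get-OfflineEarlyDrivers {
    param([string]$WindowsDir)
    $hive = Join-Path $WindowsDir 'System32\config\SYSTEM'
    & reg.exe load 'HKLM\OfflineSystem' $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $hive" }
    try {
        $current  = (Get-ItemProperty -Path 'HKLM:\OfflineSystem\Select').Current
        $services = 'HKLM:\OfflineSystem\ControlSet{0:D3}\Services' -f $current
        foreach ($key in Get-ChildItem -Path $services) {
            $svc = Get-ItemProperty -Path $key.PSPath
            # Type 1 = kernel driver, 2 = file-system driver; Start 0 = boot, 1 = system.
            if (($svc.Type -notin 1, 2) -or ($svc.Start -notin 0, 1)) { continue }
            $image  = Resolve-OfflineImagePath $svc.ImagePath $WindowsDir
            $exists = $image -and (Test-Path -LiteralPath $image)
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Start     = $svc.Start
                Status    = if ($exists) { [string]$sig.Status } else { 'MISSING' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                ImagePath = $image
            }
        }
    } finally {
        [GC]::Collect()                                  # drop provider handles so the unload succeeds
        & reg.exe unload 'HKLM\OfflineSystem' | Out-Null
    }
}

# --- run the two checks ---
$mbr = Get-MbrSha256 -Drive $PhysicalDrive
if ($mbr -ne $KnownGoodMbrSha256) {
    Write-Warning "MBR of $PhysicalDrive differs from the clean baseline: $mbr"
} else {
    Write-Host "MBR of $PhysicalDrive matches the clean baseline."
}

Get-OfflineEarlyDrivers -WindowsDir $OfflineWindows |
    Sort-Object Status, Service |
    Format-Table Service, Start, Status, Signer, ImagePath -AutoSize
```

Run it from the WinPE prompt as `powershell -ExecutionPolicy Bypass -File Triage-Offline.ps1` (the file name is hypothetical). Two caveats when reading the output: most inbox Windows drivers are catalog-signed rather than carrying an embedded signature, and from WinPE Get-AuthenticodeSignature cannot consult the offline volume's catalog store, so inbox drivers legitimately show NotSigned; compare those against a clean install of the same build rather than treating NotSigned alone as tampering. The entries worth looking at first are MISSING images, early-start drivers living outside System32\drivers, and an MBR that does not match the baseline. The MBR hash is what matters for the rootkit Aditya describes, which drops no file and patches sectors instead; the driver listing will not see it, and a file-based AV scan will not either.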

Hi All,

I am very thankful to all of you for providing different solutions.

Thanks & Regards,
Rajendra.