How to use ATA_PASS_THROUGH to read or write to disk and bypass bootkit hooks from user-mode?

I tried to find the answer to this and spent hours reading books about rootkits and googling, but no luck. The closest thing I found was a series of tweets, which didn't help much.

Basically, there is a bootkit that hooks something at the minifilter layer, and I heard that it is sometimes possible to use the ATA_PASS_THROUGH IOCTL from user mode to bypass some of these hooks, even at the minifilter layer. But where can I find a place that explains exactly how I have to use ATA_PASS_THROUGH from a user-mode application to read sectors from disk? I want to read the MBR, but the bootkit is returning a fake MBR. I want to try the user-mode approach before trying to write a kernel driver to bypass it.

So where can I learn more about how it's possible to use ATA_PASS_THROUGH from user mode to read sectors from disks or write to them? Any open-source project or something?

Thanks.

If a rootkit is already running, that’s it. Game over, you lose. Whatever you can do, from user or kernel, they can spoof.

A side note: I said minifilter layer by mistake; I meant miniport.

@Tim_Roberts said:
If a rootkit is already running, that’s it. Game over, you lose. Whatever you can do, from user or kernel, they can spoof.

Yes, I know that if they do everything right I can't do anything, but I know that we can bypass this particular sample with ATA pass-through even though they are hooking something at the miniport layer. I just don't know how to use it. How can I use the ATA_PASS_THROUGH IOCTL to read or write sectors on disk from user mode?

This is the series of tweets I'm talking about; it might provide more info to people reading this:

twitter.com/hFireF0X/status/568716462669602816

Why bother? Just reformat.

@MBond2 said:
Why bother? Just reformat.

I'm analyzing it, not trying to save a system or anything. I just want to learn how I can use ATA_PASS_THROUGH or SCSI_PASS_THROUGH or similar IOCTLs to read or write to disk right now.
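An added example, not code posted in this thread, of what the request asked about above looks like in practice. It builds an IOCTL_ATA_PASS_THROUGH request that issues READ SECTORS EXT (0x24) for one sector at LBA 0 and sends it to \\.\PhysicalDrive0 from user mode. The device path, the 512-byte logical sector size and an ATA/AHCI disk behind storahci are assumptions (NVMe disks do not honour this IOCTL), and opening a physical drive for write access needs an elevated process. The struct mirrored in the non-Windows branch copies the ATA_PASS_THROUGH_EX layout from ntddscsi.h so the request builder compiles and can be inspected anywhere; the DeviceIoControl call itself is only built on Windows. One caveat worth having before trusting the result: the request travels down the stack as IRP_MJ_DEVICE_CONTROL rather than IRP_MJ_READ, so a hook on the disk class or filter drivers' read dispatch never sees it, but the command still becomes an SRB handed to the port driver and miniport, so a hook at that level does.

```c
/* Added example: user-mode ATA pass-through read of one sector (not from the thread). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>
typedef ATA_PASS_THROUGH_EX ata_pt_hdr;
#else
/* Non-Windows build: mirror of ATA_PASS_THROUGH_EX from ntddscsi.h (assumed layout)
 * so the request builder can be compiled and checked on any platform. */
typedef struct {
    uint16_t  Length;
    uint16_t  AtaFlags;
    uint8_t   PathId, TargetId, Lun, ReservedAsUchar;
    uint32_t  DataTransferLength;
    uint32_t  TimeOutValue;
    uint32_t  ReservedAsUlong;
    uintptr_t DataBufferOffset;
    uint8_t   PreviousTaskFile[8];
    uint8_t   CurrentTaskFile[8];
} ata_pt_hdr;
#define ATA_FLAGS_DRDY_REQUIRED 0x01
#define ATA_FLAGS_DATA_IN       0x02
#define ATA_FLAGS_48BIT_COMMAND 0x08
/* CTL_CODE(IOCTL_SCSI_BASE, 0x040b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) */
#define IOCTL_ATA_PASS_THROUGH  0x0004D02C
#endif

#define SECTOR_SIZE              512     /* assumed logical sector size */
#define ATA_CMD_READ_SECTORS_EXT 0x24

/* Header and data buffer travel in one contiguous buffer; DataBufferOffset
 * tells the port driver where the data starts relative to the header. */
typedef struct {
    ata_pt_hdr hdr;
    uint8_t    data[SECTOR_SIZE];
} ata_read_req;

/* Fill the 48-bit task file for READ SECTORS EXT of one sector at `lba`.
 * CurrentTaskFile holds the low-order bytes, PreviousTaskFile the high-order ones.
 * Task file index: [0]=Features [1]=Count [2]=LBA lo [3]=LBA mid [4]=LBA hi
 *                  [5]=Device  [6]=Command [7]=Reserved */
void build_read_sector_ext(ata_read_req *req, uint64_t lba)
{
    memset(req, 0, sizeof *req);
    req->hdr.Length             = sizeof(ata_pt_hdr);
    req->hdr.AtaFlags           = ATA_FLAGS_DATA_IN | ATA_FLAGS_DRDY_REQUIRED |
                                  ATA_FLAGS_48BIT_COMMAND;
    req->hdr.DataTransferLength = SECTOR_SIZE;
    req->hdr.TimeOutValue       = 10;                /* seconds */
    req->hdr.DataBufferOffset   = sizeof(ata_pt_hdr);

    uint8_t *cur  = req->hdr.CurrentTaskFile;
    uint8_t *prev = req->hdr.PreviousTaskFile;
    cur[1]  = 1;                       /* sector count, low byte  */
    cur[2]  = (uint8_t)(lba);
    cur[3]  = (uint8_t)(lba >> 8);
    cur[4]  = (uint8_t)(lba >> 16);
    cur[5]  = 0x40;                    /* LBA mode bit; head bits unused in 48-bit */
    cur[6]  = ATA_CMD_READ_SECTORS_EXT;
    prev[1] = 0;                       /* sector count, high byte */
    prev[2] = (uint8_t)(lba >> 24);
    prev[3] = (uint8_t)(lba >> 32);
    prev[4] = (uint8_t)(lba >> 40);
}

/* On completion the port driver writes the status register into CurrentTaskFile[6]
 * and the error register into CurrentTaskFile[0]; ERR is bit 0 of status. */
int ata_request_failed(const ata_read_req *req)
{
    return (req->hdr.CurrentTaskFile[6] & 0x01) != 0;
}

/* A sector that claims to be an MBR ends with the 0x55 0xAA boot signature. */
int has_mbr_signature(const uint8_t *sector)
{
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

#ifdef _WIN32
/* Issue the pass-through read. Returns 0 on success, -1 on failure. */
int read_sector_passthrough(const char *drive, uint64_t lba, uint8_t out[SECTOR_SIZE])
{
    HANDLE h = CreateFileA(drive, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    ata_read_req req;
    build_read_sector_ext(&req, lba);
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_ATA_PASS_THROUGH, &req, sizeof req,
                              &req, sizeof req, &returned, NULL);
    CloseHandle(h);
    if (!ok || ata_request_failed(&req)) return -1;
    memcpy(out, req.data, SECTOR_SIZE);
    return 0;
}

int main(void)
{
    uint8_t mbr[SECTOR_SIZE];
    if (read_sector_passthrough("\\\\.\\PhysicalDrive0", 0, mbr) != 0) {
        fprintf(stderr, "pass-through read of LBA 0 failed\n");
        return 1;
    }
    printf("LBA 0 via ATA_PASS_THROUGH: boot signature %s\n",
           has_mbr_signature(mbr) ? "55AA present" : "missing");
    for (int i = 0; i < 32; i++) printf("%02x ", mbr[i]);
    printf("...\n");
    return 0;
}
#endif
```

To compare against what the normal read path returns, read the same 512 bytes with ReadFile on the same \\.\PhysicalDrive0 handle and diff the two buffers; a difference at LBA 0 is the fake MBR the question describes.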

Okay, so pull out the drive, connect it to a system that does not have a rootkit, and do normal I/O. On a system that has a rootkit, you will never be able to make this work. The rootkit can always intercept your calls in some way; it might crash the OS, corrupt the C drive, etc. as it does so, but it can do it. If the rootkit in question leaves some paths open, then it's a buggy rootkit. Those are by far the easiest to catch.
