How to use ATA_PASS_THROUGH to read or write to disk and bypass bootkit hooks from user-mode?

kernelboi Member Posts: 21

I tried to find the answer to this and spent hours reading books about rootkits and googling, but no luck. The closest thing I found was a series of tweets, which didn't help much.

Basically there is a bootkit that hooks something at the minifilter layer, and I heard that it is sometimes possible to use the ATA_PASS_THROUGH IOCTL from user mode to bypass some of these hooks even at the minifilter layer. But where can I find a place that explains how exactly I have to use ATA_PASS_THROUGH from a user-mode application to read sectors from disk? I want to read the MBR, but the bootkit is returning a fake MBR. I want to try the user-mode approach before trying to write a kernel driver to bypass it.

So where can I learn more about how it's possible to use ATA_PASS_THROUGH from user mode to read sectors from disks or write to them? Any open-source project or something?
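The request the original poster is asking about, as an added example that is not part of this thread and not any poster's code: a user-mode program that reads LBA 0 (the MBR) from \\.\PhysicalDrive0 with IOCTL_ATA_PASS_THROUGH rather than ReadFile. It assumes an ATA/SATA disk behind a port driver that accepts the IOCTL (NVMe disks and USB bridges typically reject it with ERROR_INVALID_FUNCTION; SCSI_PASS_THROUGH with a READ(16) CDB is the generic alternative), 512-byte logical sectors, and an elevated process, since opening a physical drive requires it. The taskfile byte order and the ATA_PASS_THROUGH_EX layout are as documented in ntddscsi.h; the stand-in definitions in the non-Windows branch exist only so the command-building helpers compile anywhere. The caveat a practitioner should keep in mind: this IOCTL skips the file system, volume and partition layers and the disk class driver's ordinary read path, but the request still travels through the port driver and the miniport, so whether it escapes a miniport-level hook depends on what that hook actually intercepts.

```c
/* Added example, not from the thread: read LBA 0 (the MBR) from
 * \\.\PhysicalDrive0 with IOCTL_ATA_PASS_THROUGH instead of ReadFile.
 * Assumes an ATA/SATA disk whose port driver accepts the IOCTL, 512-byte
 * sectors and an elevated process. Helpers are portable; I/O is Windows-only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>   /* ATA_PASS_THROUGH_EX, IOCTL_ATA_PASS_THROUGH, ATA_FLAGS_* */
#else
/* Off-Windows stand-ins with the same layout as the ntddscsi.h definitions. */
typedef uint8_t UCHAR; typedef uint16_t USHORT;
typedef uint32_t ULONG; typedef uintptr_t ULONG_PTR;
#define ATA_FLAGS_DRDY_REQUIRED 0x01
#define ATA_FLAGS_DATA_IN       0x02
#define ATA_FLAGS_48BIT_COMMAND 0x04
typedef struct _ATA_PASS_THROUGH_EX {
    USHORT Length, AtaFlags;
    UCHAR PathId, TargetId, Lun, ReservedAsUchar;
    ULONG DataTransferLength, TimeOutValue, ReservedAsUlong;
    ULONG_PTR DataBufferOffset;
    UCHAR PreviousTaskFile[8], CurrentTaskFile[8];
} ATA_PASS_THROUGH_EX;
#endif

#define SECTOR_SIZE 512
#define MAX_SECTORS 256
#define ATA_CMD_READ_SECTORS_EXT 0x24   /* PIO read, 48-bit LBA */
#define ATA_STATUS_ERR 0x01             /* ERR bit of the status register */

/* Header immediately followed by the data area the port driver fills in. */
typedef struct { ATA_PASS_THROUGH_EX hdr; UCHAR data[MAX_SECTORS * SECTOR_SIZE]; } ATA_READ_REQ;

/* Build READ SECTORS EXT for `count` sectors at `lba`. Taskfile layout per
 * the ATA_PASS_THROUGH_EX docs: [1] count, [2..4] LBA 7:0/15:8/23:16,
 * [5] device, [6] command; PreviousTaskFile holds the 48-bit high bytes.
 * Returns 0, or -1 for an out-of-range count or LBA. */
static int build_read_sectors(ATA_READ_REQ *req, uint64_t lba, unsigned count)
{
    if (count == 0 || count > MAX_SECTORS || (lba >> 48) != 0)
        return -1;
    memset(req, 0, sizeof *req);
    req->hdr.Length = sizeof req->hdr;
    req->hdr.AtaFlags = ATA_FLAGS_DATA_IN | ATA_FLAGS_DRDY_REQUIRED | ATA_FLAGS_48BIT_COMMAND;
    req->hdr.DataTransferLength = count * SECTOR_SIZE;
    req->hdr.TimeOutValue = 10;                         /* seconds */
    req->hdr.DataBufferOffset = offsetof(ATA_READ_REQ, data);
    req->hdr.CurrentTaskFile[1]  = (UCHAR)(count & 0xFF);
    req->hdr.CurrentTaskFile[2]  = (UCHAR)(lba & 0xFF);
    req->hdr.CurrentTaskFile[3]  = (UCHAR)((lba >> 8) & 0xFF);
    req->hdr.CurrentTaskFile[4]  = (UCHAR)((lba >> 16) & 0xFF);
    req->hdr.CurrentTaskFile[5]  = 0x40;                /* LBA mode */
    req->hdr.CurrentTaskFile[6]  = ATA_CMD_READ_SECTORS_EXT;
    req->hdr.PreviousTaskFile[1] = (UCHAR)((count >> 8) & 0xFF);
    req->hdr.PreviousTaskFile[2] = (UCHAR)((lba >> 24) & 0xFF);
    req->hdr.PreviousTaskFile[3] = (UCHAR)((lba >> 32) & 0xFF);
    req->hdr.PreviousTaskFile[4] = (UCHAR)((lba >> 40) & 0xFF);
    return 0;
}

/* 1 if the sector ends with the 0x55 0xAA signature a valid MBR carries. */
static int has_boot_signature(const UCHAR *sector)
{
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

#ifdef _WIN32
/* Send the request. Returns 0 on success, a Win32 error if the IOCTL failed,
 * or -1 if the drive set ERR in the status register (CurrentTaskFile[6] on return). */
static int read_sectors_passthrough(const wchar_t *drive, ATA_READ_REQ *req)
{
    HANDLE h = CreateFileW(drive, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return (int)GetLastError();
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_ATA_PASS_THROUGH, req, (DWORD)sizeof *req,
                              req, (DWORD)sizeof *req, &returned, NULL);
    int rc = ok ? 0 : (int)GetLastError();
    CloseHandle(h);
    if (rc == 0 && (req->hdr.CurrentTaskFile[6] & ATA_STATUS_ERR))
        rc = -1;
    return rc;
}

int main(void)
{
    static ATA_READ_REQ req;
    build_read_sectors(&req, 0, 1);
    int rc = read_sectors_passthrough(L"\\\\.\\PhysicalDrive0", &req);
    if (rc != 0) {
        fprintf(stderr, "ATA pass-through read failed: %d\n", rc);
        return 1;
    }
    printf("LBA 0 via pass-through: boot signature %s\n",
           has_boot_signature(req.data) ? "present" : "missing");
    return 0;
}
#endif
```

To compare against what the hooked path returns, read the same sector with ReadFile on the same handle and diff the two 512-byte buffers; a mismatch is exactly the spoofed MBR the poster describes. For a write, the same structure is used with ATA_FLAGS_DATA_OUT and WRITE SECTORS EXT (0x34), with the data area filled in before the call.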



  • Tim_Roberts Member - All Emails Posts: 13,939

    If a rootkit is already running, that's it. Game over, you lose. Whatever you can do, from user or kernel, they can spoof.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • kernelboi Member Posts: 21
    edited June 2020

    A side note: I said minifilter layer by mistake, I meant miniport.

    @Tim_Roberts said:
    If a rootkit is already running, that's it. Game over, you lose. Whatever you can do, from user or kernel, they can spoof.

    Yes, I know if they do everything right I can't do anything, but I know that we can bypass this particular sample with ATA pass-through even though they are hooking something at the miniport layer. I just don't know how to use it. How can I use the ATA_PASS_THROUGH IOCTL to read or write sectors on disk from user mode?

  • kernelboi Member Posts: 21
    edited June 2020

    This is the series of tweets I'm talking about; it might provide more info to people reading this:

  • MBond2 Member Posts: 316

    why bother - just reformat

  • kernelboi Member Posts: 21

    @MBond2 said:
    why bother - just reformat

    I'm analyzing it, not trying to save a system or anything. I just want to learn how I can use ATA_PASS_THROUGH or SCSI_PASS_THROUGH or similar IOCTLs to read or write to disk right now.

  • MBond2 Member Posts: 316

    Okay, so pull out the drive, connect it to a system that does not have a rootkit, and do normal I/O. On a system that has a rootkit, you will never be able to make this work. The rootkit can always intercept your calls in some way; it might crash the OS, corrupt the C drive, etc. as it does so, but it can do it. If the rootkit in question leaves some paths open, then it's a buggy rootkit. Those are by far the easiest to catch.
