loading the scsi PORT driver, and reading from disk directly from the PORT driver?

Hello everyone. First of all, thank you for your great website; I have been reading stuff that was posted here for years now and it has always been very helpful to me.

I am writing a forensic tool, and for me to be able to read the disk in the presence of a rootkit, the best method I can think of (and which I heard some AVs do as well) is to load the SCSI PORT driver from disk (instead of using the already loaded one), and read the disk using the newly loaded driver instead of the original module, because the original one is infected.

The problem is I cannot find any project or blog post or anything that explains which exported functions inside the port driver I should use and how.

So any help is appreciated. How can I read the disk using the port driver? Which exported functions inside of it should I use and how (meaning how should I fill in the arguments)? Is there any blog post/open-source project related to this?

Any competent malware writer, if they were infecting the port/miniport driver, would then modify the image on the drive. So you don’t gain anything from this approach.

This is the type of question that you should easily figure out on your own. The WDK samples include a driver that reads from the port driver. If you cannot figure this out then you are definitely not ready to figure out AV software.

@Don_Burn said:
Any competent malware writer, if they were infecting the port/miniport driver, would then modify the image on the drive. So you don’t gain anything from this approach.

This is the type of question that you should easily figure out on your own. The WDK samples include a driver that reads from the port driver. If you cannot figure this out then you are definitely not ready to figure out AV software.

But do you have a better solution? Let’s say burning down the hard disk is not an option and we have to somehow read the disk and bypass the rootkit; what better option do we have other than this?

which exported functions inside the port driver I should use and how

Huh? I find your question super confusing. Are you trying to be ultra-clever here (by saying you plan to bypass much of the I/O Subsystem and call the driver’s entry points yourself)? Or do you simply not understand how the Windows I/O Subsystem works? Or ???

Does your question not amount to two things: (a) How do I send requests to be processed from my driver to another driver, and then (b) How can I do something super-clever, like load a separate driver instance that I trust more than the one in memory and use that new instance to service my I/O requests. Knowing (a) is basic prerequisite information to writing a Windows driver. (b) is rather clever and unlikely to be achievable using supported methods.

It should go without saying, as Mr. Burn correctly noted, that if you don’t understand how to program in kernel-mode on Windows, and write Windows drivers, you’re clearly not ready to be doing anything like writing AV software.

OTOH, maybe you’re an experienced Windows driver dev, and your post was just super unclear.

Peter

@“Peter_Viscarola_(OSR)” said:

which exported functions inside the port driver I should use and how

Huh? I find your question super confusing. Are you trying to be ultra-clever here (by saying you plan to bypass much of the I/O Subsystem and call the driver’s entry points yourself)? Or do you simply not understand how the Windows I/O Subsystem works? Or ???

Does your question not amount to two things: (a) How do I send requests to be processed from my driver to another driver, and then (b) How can I do something super-clever, like load a separate driver instance that I trust more than the one in memory and use that new instance to service my I/O requests. Knowing (a) is basic prerequisite information to writing a Windows driver. (b) is rather clever and unlikely to be achievable using supported methods.

It should go without saying, as Mr. Burn correctly noted, that if you don’t understand how to program in kernel-mode on Windows, and write Windows drivers, you’re clearly not ready to be doing anything like writing AV software.

OTOH, maybe you’re an experienced Windows driver dev, and your post was just super unclear.

Peter

Yes, I apologize for my English; sorry for asking it in a confusing way. My question is not (a). I basically want to bypass the entire I/O subsystem and read the disk in the lowest possible way. Everything is infected in the lowest layers, so I need to manually load the port driver, read the disk sectors and bypass the lowest possible hooks. The rootkits that are currently out there do not go to the trouble of infecting disk images; they just hook everything in the miniport layer. The point that Mr. Don made is not a problem because we can put the appropriate driver that we need inside our tool, so even if the disk images are infected too we can read the disk; we just need to load the right version of the driver. Also, I am not at all claiming to be an expert in writing disk drivers at these layers; obviously you and Mr. Don know much more than me, so this is why I am here asking for guidance.

(As an aside, you are posting from a proxy IP address that has a very bad reputation… I know because the IP from which you post is visible to me as a mod on this site. If you are writing a legit forensic tool, it would be much wiser for you to post from a legit site so that we are saved the effort of questioning whether you are a white hat or a black hat).

ETA: Having a username “kernelsubvert0r” doesn’t help, either.

I basically want to bypass the entire I/O subsystem and read the disk in the lowest possible way

OK… so… what is it that you need for us to tell you that you can’t discover from 20 minutes reading the storage stack docs? That’s a serious question.

Peter

First, I know of rootkits that do infect images. Second, even if you can load a new copy of the driver, how do you prevent the rootkit from infecting it? The bottom line is if you are infected with a rootkit you need to boot with an image that is not infected from some other media to fix the drive.

if you can load a new copy of the driver how do you prevent the rootkit from infecting it

It’s a good question. The OP hasn’t described if he wants a private channel to the hard disk that he can use while the system continues to run, or if he wants a temporary private channel that can be used for some I/Os just before restarting the machine… akin to what the crash dump driver uses.

Regardless… If the guy knows how to write a Windows driver, I don’t know what he’s asking us to help him with. And then there’s the question of his intentions…

Peter

@“Peter_Viscarola_(OSR)” said:
(As an aside, you are posting from a proxy IP address that has a very bad reputation… I know because the IP from which you post is visible to me as a mod on this site. If you are writing a legit forensic tool, it would be much wiser for you to post from a legit site so that we are saved the effort of questioning whether you are a white hat or a black hat).

I basically want to bypass the entire I/O subsystem and read the disk in the lowest possible way

OK… so… what is it that you need for us to tell you that you can’t discover from 20 minutes reading the storage stack docs? That’s a serious question.

Peter

Sorry, I am using a proxy; it’s a browser extension. For some reason OSR doesn’t open up without using a proxy, but I’ll try to use a different proxy.

I was hoping to see if there is any open source project that has done this, or any article or something like this that can help me speed up my coding.

To make my question less confusing, you can read this article: https://cloud.tencent.com/developer/article/1171108

I basically want to do the same thing that Kaspersky does. (Sorry, the article is not in English, but if you are using Chrome you can translate the entire page.)

EDIT: I fixed the connection problem; now I’m connected without a proxy. And we are not doing anything “blackhat”; we are just writing a simple forensic tool that can bypass rootkit hooks and read the MBR to check if a system is really infected or not.

@Don_Burn said:
First, I know of rootkits that do infect images. Second, even if you can load a new copy of the driver, how do you prevent the rootkit from infecting it? The bottom line is if you are infected with a rootkit you need to boot with an image that is not infected from some other media to fix the drive.

The problem is we need to have a reliable way of determining if a system/MBR is infected or not. Let’s say you need to check 100 computers, so a tool is needed to quickly check if a system is infected. So do you suggest any other approach, or do you think this is the best way of doing it (again, obviously nothing is perfect, but is there any better way)? There’s a link to an article in my previous post; maybe that would clear up the confusion.

so do you suggest any other approach

Well, Mr. Burn suggested you boot a clean image (like, from a flash drive or via PXE maybe).

That should solve all your problems, no??

Peter

@“Peter_Viscarola_(OSR)” said:

so do you suggest any other approach

Well, Mr. Burn suggested you boot a clean image (like, from a flash drive or via PXE maybe).

That should solve all your problems, no??

Peter

But as I said, we need to check 100s of computers, many remotely, to see if the MBR is infected or not, so booting with a clean image is not gonna work.

Here is a sad bit of truth that you seem to be ignoring. If you have malware in your kernel, the game is over. You have already lost. There is no hope. Whatever you can do, they can undo. Whatever path you try, they can mask. The malware writers are smarter than us. The only possibility is off-line detection, and even then it’s unlikely you can remove it.

Sorry, I am using a proxy; it’s a browser extension. For some reason OSR doesn’t open up without using a proxy

Hmmmm… You need to use a different system or different network, then. This site is accessible around the world, including from the PRC. I know this to be true. No proxy should be necessary.

I fixed the connection problem; now I’m connected without a proxy. And we are not doing anything “blackhat”; we are just writing a simple forensic tool that can bypass rootkit hooks and read the MBR to check if a system is really infected or not.

Really? The last IP address you posted from LOOKS to be a VPN address in Japan, with just a SLIGHTLY better reputation than the one in France from which you signed up, and no better than the one in the Netherlands from which you also posted.

Yeah… I apologize, Mr. kernelsubvert0r… but I’m not willing to help under those circumstances.

For NOW… I’m going to leave your account active and I’m not going to lock the thread, in case somebody else on the forum is willing to assist you under the conditions that you’re working. But I’m not that person.

ETA: And lest anyone wonder… I often check the originating IP address of posters who come to us with security/malware type of questions. Not always, but as frequently as I can.

Peter

@Tim_Roberts said:
Here is a sad bit of truth that you seem to be ignoring. If you have malware in your kernel, the game is over. You have already lost. There is no hope. Whatever you can do, they can undo. Whatever path you try, they can mask. The malware writers are smarter than us. The only possibility is off-line detection, and even then it’s unlikely you can remove it.

Yes sir, I am aware of that, but that doesn’t stop AVs from writing anti-rootkit tools either, because it might not stop 100% of rootkits, but at least it can detect 90%, and 90% is better than 0%.

@“Peter_Viscarola_(OSR)” said:

Sorry, I am using a proxy; it’s a browser extension. For some reason OSR doesn’t open up without using a proxy

Hmmmm… You need to use a different system or different network

I’m not sure what is causing this, because I’m not even from Japan, so I’m not sure why it’s showing you Japan. Maybe it is a VPN used in my workplace network. I guess I’ll come back when I arrive home. Sorry.

Yeah? It’s not a secret: Just check your IP address with any common service that’ll show you this.

The netblock from which you’re now posting is a /24, assigned to M247 in Tokyo, which is now owned by GLOBALAXS. It WAS previously homed in Manchester, England.

I guess I’ll come back when I arrive home

That’s a good idea.

Peter

If you need legitimate forensic information there is a very simple solution: just unplug the drive from the possibly infected system and connect it to a known-good one. If you can’t do that, then you don’t have a legitimate forensic need. If you can, then the problem is solved with nothing special needing to be written.
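Once the drive is attached to a known-good system, as suggested above, the MBR check the original poster describes needs no driver work at all: read sector 0 from the offline disk and inspect it. The following is an added example, not code from anyone in this thread; it parses a 512-byte MBR, compares the boot code against a baseline hash that the caller supplies (assumed to come from a trusted image of the same machine), and flags the structural oddities a tampered partition table tends to show. The sample sector is constructed, not a real boot sector.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: boot code hash, non-empty partition entries, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at offset 446
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": entries,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}


def check_mbr(sector: bytes, known_good_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    # Overlapping entries are a classic sign of a hand-edited partition table.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (a0, a1), (b0, b1) in zip(ranges, ranges[1:]):
        if b0 < a1:
            findings.append("overlapping partition entries")
            break
    return findings


def build_sample_mbr(boot_code: bytes = b"\x90" * 446) -> bytes:
    """Constructed sample: dummy boot code, one bootable NTFS (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    return boot_code[:446].ljust(446, b"\x00") + entry + b"\x00" * 48 + MBR_SIGNATURE
```

On a real offline disk the 512 bytes come from reading sector 0 of the attached drive; the baseline hash is whatever a trusted copy of that machine's MBR produces.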