I am new to driver programming. I was trying to delete a rootkit. I used ZwDeleteFile and I got an error, STATUS_SHARING_VIOLATION! See my code:
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    UNICODE_STRING uniString1;
    OBJECT_ATTRIBUTES obj;
    NTSTATUS result;
    int i;

    UNREFERENCED_PARAMETER(theRegistryPath);
    //DbgPrint("DriverEntry called\n");

    // Register a dispatch function for every major function code.
    // MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so the loop must be inclusive.
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        theDriverObject->MajorFunction[i] = OnStubDispatch;
    }
    theDriverObject->DriverUnload = OnUnload;

    // NT object path of the driver image; backslashes must be escaped in a C string literal.
    RtlInitUnicodeString(&uniString1, L"\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\w928x.sys");
    InitializeObjectAttributes(&obj, &uniString1, OBJ_CASE_INSENSITIVE, NULL, NULL);
    result = ZwDeleteFile(&obj);   // returns STATUS_SHARING_VIOLATION here

    // (rest of DriverEntry omitted in the original post)
    return STATUS_SUCCESS;
}
I tried to use ZwOpenFile with share access, but I got the same error:
HANDLE hFile;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjAttributes;   // initialized with InitializeObjectAttributes as above
NTSTATUS nts;

nts = ZwOpenFile(&hFile,
                 DELETE,            // DELETE access is required for FILE_DELETE_ON_CLOSE
                 &ObjAttributes,
                 &IoStatusBlock,
                 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                 FILE_DELETE_ON_CLOSE);
KdPrint(("\n ZwOpenFile Driver %x \n", nts));

Output:
ZwOpenFile c0000043 -----> ERROR
If it is doing FS filtering or SSDT hooking, it won't allow you to do these
operations.
Better get a good anti-rootkit (IceSword, GMER, RootkitRevealer; no
affiliations and no guarantees).
Or boot your system with a live CD (Linux with your FS support, or WinPE) and
try to remove it.
You might remove it, but if it is a boot-start driver and its service key
remains there, your system may refuse to boot.
The onus is on you.
BTW: this list is for driver-related discussions.
Regards
Deepak Gupta
On Tue, Mar 23, 2010 at 1:55 PM, wrote:
> —
> NTDEV is sponsored by OSR
> BTW: this list is for driver-related discussions.
Speculating from "I am new to driver programming. I was trying to delete a rootkit.", I think the OP is writing an anti-rootkit solution.
OK, but this is a driver. The rootkit uses a file system minifilter and monitors the registry, drivers... Isn't it possible to intercept the filter and disable the driver? Is it possible to unload a DLL? I tried to unload the driver:
nts = ZwUnloadDriver(&unicodeString);
It returns 0, STATUS_SUCCESS, but before it unloads, the driver loads a DLL! Is it not possible to open the file???
Please search for rootkit and malware in the archives. The discussions
on this group have been long and detailed. There is no reason to start
a new discussion on this, except to say that a beginning driver writer
is doomed trying to foil a rootkit.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
-----Original Message-----
From: xxxxx@hotmail.com [mailto:xxxxx@hotmail.com]
Posted At: Tuesday, March 23, 2010 10:41 AM
Posted To: ntdev
Conversation: Help to Delete Rootkit
Subject: RE: Help to Delete Rootkit
Here is a security lesson for you.
Your account that you routinely use for everyday activities should not be
Administrator or belong to the Administrators group.
Let me repeat that again.
YOUR ACCOUNT THAT YOU ROUTINELY USE FOR EVERYDAY ACTIVITIES SHOULD NOT BE
ADMINISTRATOR OR BELONG TO ADMINISTRATORS GROUP.
Can you hear me now?
wrote in message news:xxxxx@ntdev…
> The rootkit uses a file system minifilter and monitors the registry, drivers... Isn't it possible to intercept the filter and disable the driver?
As Deepak already told you, try some anti-rootkit solutions; you'll probably be able to delete the file. Try GMER or IceSword to delete the file.
For investigation, include RKU too.
> Is it possible to unload a DLL?
You mean driver; the answer is no for most cases, unless the rootkit is a minifilter and has provided an unload routine (which I do not think they'll do).
> I tried to unload the driver: nts = ZwUnloadDriver(&unicodeString);
Don't do this; check how a driver is loaded. Registry, files & a restart are what you need.
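Two replies in this thread describe the remediation order a responder actually uses: Deepak's warning that a boot-start driver whose service key is left behind can stop the system booting, and the last reply's "registry, files & a restart". The PowerShell script below is an added example, not code from any poster in the thread. It assumes the driver registers a service under the image's base name (w928x, taken from the path in the original post) and falls back to searching every service key's ImagePath for w928x.sys; the function name Find-DriverServiceKeys and the parameter names are my own. It only reports unless -Disable is given, and then sets Start = 4 (Disabled) so the loader never tries to load the driver at the next boot, which is why ErrorControl cannot then block the boot.

```powershell
# Added example: inspect, and optionally disable, the service key of a suspect
# kernel driver before deleting its image. Not code from the ntdev thread.
# Assumption: service name 'w928x' matches the image name in the original post.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ServiceName   = 'w928x',       # assumed; real rootkit may differ
    [string]$ImageFileName = 'w928x.sys',   # from the path in the original post
    [switch]$Disable
)

$servicesRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames        = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }
$errorControlNames = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }

function Find-DriverServiceKeys {
    # Fallback when the service is not named after its image: return every
    # service key whose ImagePath names the driver file.
    Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ImagePath -and ($_.ImagePath -like "*$ImageFileName*") }
}

$key = Join-Path -Path $servicesRoot -ChildPath $ServiceName
$candidates = if (Test-Path -Path $key) { @(Get-ItemProperty -Path $key) } else { @(Find-DriverServiceKeys) }

if ($candidates.Count -eq 0) {
    Write-Warning "No service key under $servicesRoot references $ImageFileName."
    return
}

foreach ($svc in $candidates) {
    if ($null -eq $svc.Start) {
        Write-Warning "$($svc.PSChildName) has no Start value; inspect it by hand."
        continue
    }
    $start        = [int]$svc.Start
    $errorControl = if ($null -eq $svc.ErrorControl) { 1 } else { [int]$svc.ErrorControl }

    $line = "Service $($svc.PSChildName): ImagePath=$($svc.ImagePath) Start=$start ($($startNames[$start])) ErrorControl=$errorControl ($($errorControlNames[$errorControl]))"
    Write-Output $line

    # The case Deepak warned about: a boot-start driver whose key survives the
    # file deletion. With ErrorControl Severe/Critical, a failed load at boot
    # is fatal, so the key must be disabled or removed before the file goes.
    if ($start -eq 0 -and $errorControl -ge 2) {
        Write-Warning "$($svc.PSChildName) is a boot-start driver with ErrorControl $($errorControlNames[$errorControl]); disable this key before deleting the file."
    }

    if ($Disable -and $PSCmdlet.ShouldProcess($svc.PSChildName, 'Set Start = 4 (Disabled)')) {
        Set-ItemProperty -Path $svc.PSPath -Name Start -Value 4 -Type DWord
        Write-Output "Disabled $($svc.PSChildName). Reboot, then delete $ImageFileName once nothing holds it open."
    }
}
```

Run it first without -Disable from an elevated prompt to see what the key says; -WhatIf is honoured because of SupportsShouldProcess. The caveat the thread itself makes still applies: a rootkit that filters the file system and monitors the registry can hide its own key from this enumeration, so an empty result proves nothing. Deepak's suggestion of inspecting the volume from a live CD or WinPE is the check that does not depend on the compromised kernel, and after that offline inspection the same Start = 4 edit can be applied to the offline SYSTEM hive before the file is removed.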