Rootkit detection

I was wondering if there is any 100% surefire way of detecting a rootkit on an NT system.
I’m writing a detection program for my parents’ network, and so far the most reliable way is
a forced bugcheck followed by the subsequent full memory dump. I’d then take the dump file
and examine it on a known-clean system, but is there any way that I can detect without the OS
crash? If not, is there any way that the memory dump routines used by BugCheckEx() can be hijacked,
and then modify what’s being written?

Also, on a more curiosity-driven note, how exactly does
BugCheck() work? I know it outputs the data, dumps memory, then halts or spins or whatever, but
how does it dump memory and how does it ‘lock’ the system such that Ctrl-Alt-Del doesn’t
work anymore?

asa
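A first step of the offline examination described above, added here as an example and not code from anyone in the thread: a parser for the 32-bit NT crash-dump header (the public DUMP_HEADER layout) that confirms the file really is a dump, that the bugcheck was the forced one (0xE2, MANUALLY_INITIATED_CRASH) rather than some other failure, and pulls out the PsLoadedModuleList pointer that a module-list comparison against the clean system starts from. The sample header is constructed; its build number and kernel addresses are placeholders, not from any real capture.

```python
import struct

# Offsets of the leading ULONG fields of the 32-bit DUMP_HEADER, the public
# layout NT-family crash dumps start with (little-endian throughout).
_HEADER_FIELDS = (
    ("Signature", 0x00), ("ValidDump", 0x04),
    ("MajorVersion", 0x08), ("MinorVersion", 0x0C),
    ("DirectoryTableBase", 0x10), ("PfnDataBase", 0x14),
    ("PsLoadedModuleList", 0x18), ("PsActiveProcessHead", 0x1C),
    ("MachineImageType", 0x20), ("NumberProcessors", 0x24),
    ("BugCheckCode", 0x28), ("BugCheckParameter1", 0x2C),
    ("BugCheckParameter2", 0x30), ("BugCheckParameter3", 0x34),
    ("BugCheckParameter4", 0x38),
)
MANUALLY_INITIATED_CRASH = 0xE2  # bugcheck code of a deliberately forced crash
PAGE_DUMP_HEADER_SIZE = 0x1000   # the 32-bit header occupies one full page

def parse_dump_header(data):
    """Return the named header fields as a dict; ValueError if not a dump."""
    if len(data) < 0x3C:
        raise ValueError("too short for a DUMP_HEADER")
    if data[0:4] != b"PAGE" or data[4:8] != b"DUMP":
        raise ValueError("no PAGEDUMP signature: not a 32-bit crash dump")
    return {name: struct.unpack_from("<I", data, off)[0]
            for name, off in _HEADER_FIELDS[2:]}

def triage(data):
    """Was this the crash we forced (0xE2), and where is the kernel's
    loaded-module list (the anchor for comparing against a clean box)?"""
    hdr = parse_dump_header(data)
    return {
        "forced_crash": hdr["BugCheckCode"] == MANUALLY_INITIATED_CRASH,
        "bugcheck": hdr["BugCheckCode"],
        "kernel_version": (hdr["MajorVersion"], hdr["MinorVersion"]),
        "cr3": hdr["DirectoryTableBase"],
        "loaded_module_list": hdr["PsLoadedModuleList"],
    }

def make_sample_header(bugcheck):
    """Constructed sample header, not a real capture: the build number and
    kernel addresses below are placeholders chosen for the test."""
    buf = bytearray(PAGE_DUMP_HEADER_SIZE)
    buf[0:8] = b"PAGEDUMP"
    values = {"MajorVersion": 0xF, "MinorVersion": 2600, "NumberProcessors": 1,
              "DirectoryTableBase": 0x00039000, "MachineImageType": 0x14C,
              "PsLoadedModuleList": 0x8055A620, "PsActiveProcessHead": 0x805624D8,
              "BugCheckCode": bugcheck}
    for name, off in _HEADER_FIELDS[2:]:  # skip the signature bytes already set
        struct.pack_into("<I", buf, off, values.get(name, 0))
    return bytes(buf)
```

Anything that was resident in the kernel at the moment of the crash had the same chance to alter what was written, so a dump that passes this triage is a starting point for the comparison on the clean machine, not proof on its own.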

> I was wondering if there is any 100% surefire way of
> detecting a rootkit on an NT system.
> I’m writing a detection program for my parents’ network, and
> so far the most reliable way is
> a forced bugcheck followed by the subsequent full memory
> dump. I’d then take the dump file
> and examine it on a known-clean system, but is there any way
> that I can detect without the OS
> crash? If not, is there any way that the memory dump routines
> used by BugCheckEx() can be hijacked,
> and then modify what’s being written?

I guess someone can find out how to find the BugCheckEx routine in
ntoskrnl.dll and redirect it to some other function. Not sure what the
purpose of this would be tho’.

I have no knowledge of how “rootkit” works, what it does and how to detect
it, so I can’t comment on that.

> Also, on a more curiosity-driven note, how exactly does
> BugCheck() work? I know it outputs the data, dumps memory,
> then halts or spins or whatever, but
> how does it dump memory and how does it ‘lock’ the
> system such that Ctrl-Alt-Del doesn’t
> work anymore?

I’m not sure how you think Ctrl-Alt-Del is dealt with in the system, but I’m
going to explain how it works:

When a key is pressed, whichever it may be, the keyboard driver reads it and
decodes it to whatever function it may be. Say you press the ‘A’ key: it
comes out as a keycode that gets translated to ‘A’ by some level of Windows.
If you press the Ctrl key, it sets an internal state flag to say “Ctrl has
been pressed”. Same with Alt. So when the Del key is pressed, the keyboard
driver will say “If Ctrl and Alt pressed, DoSpecialThing”.

DoSpecialThing in Windows, I believe, is a special call to some function
that translates this to a message that can not be filtered (as I understand
it you’re not able to filter “ctrl-alt-del”). But if BugCheckEx doesn’t
listen to these messages, nothing will happen.

I think some people believe that Ctrl-Alt-Del in itself is magical and that
there is some kind of special signal from the keyboard to the system. There
isn’t. It’s just a keypress as any other.

In DOS, this keypress combination would lead to the keyboard interrupt
routine setting the “Reset” pin output on the keyboard controller.

In my RTOS implementation of a keyboard driver, I just did a triple fault
to reset the machine. Other implementations might be to jump into a debugger
(or do nothing…).


Mats

asa


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@3dlabs.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

There are two places to look for a fair amount of detail about
KeBugCheck*(): 1) an article from NT Insider, 2) Rajeev’s book. It’s been at
least 6 yrs since I hacked that path, but when a Bugcheck is about to occur,
a slew of routines related to bugcheck get called; one of them raises the
IRQL to very high (probably synch_lvl), so essentially everything is
disabled except the power supply, and when the image is dumped to the pagefile,
the raw file system is used, IIRC…

For rootkit tackling, I would look for some firewall docs, since they handle
that stuff fairly reasonably.

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@3Dlabs.com
Sent: Thursday, July 08, 2004 1:26 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Rootkit detection


What about KeRegisterBugCheckCallback?

I’ve never used it. Just an idea :)

Regards,
Ray Yang
xxxxx@ybwork.com
----- Original Message -----
From: “Asa Yeamans”
To: “Windows System Software Devs Interest List”
Sent: Thursday, July 08, 2004 1:02 PM
Subject: [ntdev] Rootkit detection


Go here: www.rootkit.com. Also get this book and read it:
http://www.amazon.com/exec/obidos/ASIN/0201786958/qid=1089405779/sr=2-1/ref=sr_2_1/104-8402694-6055127

Best Regards,
Joe

“Asa Yeamans” wrote in message news:xxxxx@ntdev…