Terminating or unloading a driver or rootkit

I am doing a project on rootkits. Rootkits are written in WDM programming but avoid using the UNLOAD call to avoid detection and termination.
I tried, but even though the service handle was removed, the driver continued to run until system reboot.
I was wondering how anti-rootkits then terminate rootkits, i.e. drivers without Unload called.
Please do help me.
I tried including OpenSCManager in another driver's code to unload the sample rootkit, but to call it we need to include "windows.h" in the driver code, to terminate the rootkit with the ZwTerminateProcess function using the handle of the rootkit returned by the OpenService function, which causes an error on compilation.
Does anybody know about any other way the anti-rootkits work?
Does anyone have any idea? Please do tell me.

Check out the books The Rootkit Arsenal and Hacking - The Art Of
Exploitation. They will give you good insight into rootkit techniques - and
thus maybe some answers on how to defeat/remove them. Then read Mark
Russinovich’s blog. In particular, he has a series of entries from roughly
the fall of 2005 where he discovered a rootkit on his machine and he
discusses all the techniques he used to remove it. As a precursor to all of
this you need a fairly solid Windows kernel/driver background. Check out
Walter Oney’s book, Viscarola & Mason’s Device Driver Development book
(available on the OSR site) and Russinovich’s (and others) Windows Internals
book.

This isn’t necessarily a trivial task and can get into a cat and mouse
routine very quickly.

D.J.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

You’re trying to include ‘Windows.h’ at the same time as ‘WDM.H,’ I would
guess.

mm

Don't try that; if you notice, none of the anti-rootkits is actually able to simply unload the driver. (Tell this to your manager and they should understand ;))

Detect a hidden driver, try deleting its file, removing its entry from the registry, killing/deleting the process/service which extracts and loads it. But there is no clean way of doing it. I actually doubt there is a way, but then you can reverse engineer and come up with some hack, though you'll end up crashing the system.

For instance, if it is attached to a stack and some upper driver has its device object, you cannot just go and remove it, because the upper driver still holds its reference and will pass its IRPs to this DO, which eventually will crash the system.

No method works for all rootkits. One has to look into how the rootkit ticks and then think about strategies for removing it.

Satya
http://www.winprogger.com

From your questions, you do not know Windows kernel programming. Finding
rootkits is extremely hard; removing them in many cases is impossible
(the only solution is to back up the data and rebuild the system). This is
not a task for an inexperienced developer; the likely scenarios are:

  1. You can’t remove the kit
  2. You think you have removed the rootkit, but have not
  3. You attempt to remove the rootkit and damage the system (I’ve seen
    anti-rootkit code that messed things up enough the disks were
    corrupted).

So if you want to do this with real life systems and rootkits, plan to
spend a few years to get up to speed.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


> (the only solution is to back up the data and rebuild the system).

An AV product's Live CD can help a lot.

Not Kaspersky's though, since they use Linux for the LiveCD, which means:
a) half of the Ethernet adapters are not supported
b) half of the video adapters are not supported, with no auto-fallback to VGA since X11 cannot do this
c) Dynamic Disks are not supported
d) non-trivial storage controllers are not supported either
e) the Linux version of the engine is single-threaded and thus several times slower than the Windows one.

But other vendors can have more decent Live CD implementations.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

I have seen Avast removing rootkits with ease. It has never damaged the system. I heard that it uses GMER technology, but I don't know anything other than that.
Yes, I am new to kernel programming; anyway, at any time in life we can start learning new things, and this is mine.
I tried including "windows.h" with "ntddk.h", "stdio.h" and "process.h". Anyway, that is not harmful. I don't think so.
Yes, I do think rootkits can be removed if all attachments and references to higher drivers are handled carefully.
Anyway, thanks for all your suggestions and for helping me in this cat and mouse game.
Please, can anybody provide the source code of the books "The Rootkit Arsenal" and "Hacking - The Art Of Exploitation"? I have all the books you have asked for, but I am not able to find the source for this book anywhere.

> Not Kaspersky's though, since they use Linux for LiveCD, which means
> a) half of Ethernet adapters not supported
> b) half of video adapters not supported with no auto-fallback to VGA since X11 cannot do this
> c) Dynamic Disks are not supported
> d) non-trivial storage controllers not supported too
> e) the Linux version of the engine is single-threaded and thus times slower than the Windows one.

Sorry, but it is obvious to anyone who ACTUALLY tried Linux that you are spreading bullshit all over the place, without having any first-hand experience with anything, apart from Windows. You seem just to love making an idiot out of yourself. Keep on going…

Anton Bassov

> I was wondering how antirootkits then terminate rootkits i.e. drivers without unload called.

You cannot make a compromised system fix itself. Period. The only possible way to RELIABLY remove
a rootkit is to do it from an external OS that does not depend on the target disk's data in any possible way…

Anton Bassov

Maxim, Anton,

Probably the statements should have read…

M> Not Kaspersky’s though, since they
[have a crappy LiveCD.]

A> Sorry, but it is obvious to anyone who ACTUALLY tried Linux that
[the mentioned problems are no issue on newer Linux versions.]

Da?

> Probably the statements should have read…

Well, I said EXACTLY what I meant - the content is just about an obvious attitude, rather than about some particular unfounded statement, and the particular form in which this content was expressed is about unwillingness to discuss issues like that on NTTALK…

Anton Bassov

> The only possible way to RELIABLY remove a rootkit is to do it from an external OS that does not
> depend on the target disk's data in any possible way…

You will also want to remove any dependencies on the target's optical drive
or SATA controller or BIOS flash or PCI option ROMs or private NVRAMs, or
anything else that has storage capacity and is flashable. :) In short,
Lol.

On the other hand, if you know the rootkit really well (e.g. you wrote it),
it might be possible. :)

Regards,

George.

> You will also want to remove any dependencies on the target's optical drive or SATA controller
> or BIOS flash or PCI option ROMs or private NVRAMs, or anything else that has storage capacity
> and is flashable. :) In short, Lol.

AFAIK, a rootkit that resides in firmware is more of a theory than a real-world problem (or at least it was at the time when I worked in the field of Windows kernel security).

Therefore, I think that, for all practical purposes of a commercial product, you can limit yourself to those rootkits that operate either 100% at the OS level and/or infect the boot sector…

Anton Bassov

I am working on kernel-level rootkits only at present. So I am least bothered about firmware or bootkits.
Is there any way of finding out if it is attached to any device object or stack and safely delinking them? I have been trying this for many days.
Any references will be helpful.

Don’t know your design, but I guess the most reliable solution will be the following:

  1. Detecting the rootkit in a "read only" mode, i.e. by doing some heuristics which identify possible rootkit presence (no solution at the given moment can identify a rootkit with 100% precision). The main idea is to act as softly as possible: do not try to write anywhere or cause any unloads

  2. Mapping your alert indicators onto a possible rootkit file name

  3. Checking all files on the system drive and storing them somewhere, thus forming a set of files S1

  4. Issuing a system bug check using KeBugCheckEx

  5. Booting your custom kernel instead of Windows

  6. Checking all files on the system drive, thus forming a set of files S2

  7. Checking where S1 and S2 differ

  8. Removing the rootkit file(s) if you were lucky enough to identify them

  9. Rebooting into Windows

Agree with Anton that Kaspersky live CD sucks, I’d prefer Fedora or Ubuntu Live CDs.
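Steps 3, 6 and 7 of the procedure above amount to a cross-view comparison: one file manifest taken while the suspect Windows instance is running (S1), another taken from a boot the rootkit cannot influence (S2), and a diff of the two. The Python below is an added example, not code from the original post or from any product named in this thread. It constructs a small directory tree in a temporary folder, takes the trusted snapshot S2 from it, and simulates the live view S1 by dropping one file and altering another file's hash, which is how a filter-driver hide or an on-disk patch appears from the live side. The `Windows/System32/drivers` layout, the file names and the contents are constructed sample data; SHA-256 is the hash chosen here, the post does not name one.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Files are hashed in chunks so large binaries are streamed, not read whole.
CHUNK = 1 << 16


def hash_file(path):
    """SHA-256 of one file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Walk root and return {relative_path: sha256}: one view of the volume.
    Run once from the live OS (S1) and once from the trusted boot (S2)."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


@dataclass
class CrossViewDiff:
    hidden: list = field(default_factory=list)    # in trusted view, missing from live view
    phantom: list = field(default_factory=list)   # in live view, missing from trusted view
    modified: list = field(default_factory=list)  # in both views, different content


def cross_view_diff(live, trusted):
    """Compare the live manifest S1 against the trusted manifest S2.
    A file the live OS cannot see but the trusted boot can is the classic
    sign of a hiding driver; a hash mismatch points at on-disk tampering."""
    d = CrossViewDiff()
    for path in sorted(set(live) | set(trusted)):
        if path not in live:
            d.hidden.append(path)
        elif path not in trusted:
            d.phantom.append(path)
        elif live[path] != trusted[path]:
            d.modified.append(path)
    return d


def demo():
    """Constructed scenario (sample data, not a real system): the trusted
    view sees three driver files; the live view is missing hidden.sys and
    reports a different body for ntfs.sys."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "Windows", "System32", "drivers")
        os.makedirs(drivers)
        sample = {"disk.sys": b"legit", "hidden.sys": b"rk", "ntfs.sys": b"ntfs"}
        for name, body in sample.items():
            with open(os.path.join(drivers, name), "wb") as f:
                f.write(body)
        trusted = snapshot(root)  # S2: taken from the clean boot
        # S1: what a filtered live view would report
        live = {p: h for p, h in trusted.items() if not p.endswith("hidden.sys")}
        live["Windows/System32/drivers/ntfs.sys"] = hashlib.sha256(b"patched").hexdigest()
        return cross_view_diff(live, trusted)


if __name__ == "__main__":
    result = demo()
    print("hidden from live view:", result.hidden)
    print("phantom in live view: ", result.phantom)
    print("content differs:      ", result.modified)
```

In practice `snapshot()` runs twice in two different boots (the live OS for S1, the poster's custom kernel or a live CD for S2), the manifests are written to removable media, and only `cross_view_diff()` runs in one place. Exclude volatile paths (page file, event logs, temp directories) before diffing, otherwise the `modified` list fills with noise unrelated to the rootkit; and a clean diff says nothing about what the rootkit has already hooked in memory, which is the point Tim Roberts makes further down.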

xxxxx@hotmail.com wrote:

> I have seen Avast removing rootkits with ease.

It removes viruses. I seriously doubt it can remove rootkits.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@hotmail.com wrote:

> I am working on kernel-level rootkits only at present. So I am least bothered about firmware or bootkits.
> Is there any way of finding out if it is attached to any device object or stack and safely delinking them? I have been trying this for many days.
> Any references will be helpful.

Anything you can do, they can undo. All it would take is a periodic
timer in the rootkit that goes out and reconnects the device object.

And remember that a device stack connection is not required to maintain
rootkit operation. Once the rootkit is LOADED, it can install its
tentacles all over the system.

You seem to be ignoring the advice. It is provably IMPOSSIBLE to
reliably undo a rootkit in every circumstance. You might be able to
DETECT the presence of a rootkit, and that knowledge itself is quite
valuable, but the only reliable remedy is to reformat and reinstall.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

>> Not Kaspersky's though, since they use Linux for LiveCD, which means
>> a) half of Ethernet adapters not supported
>> b) half of video adapters not supported with no auto-fallback to VGA since X11 cannot do this
>> c) Dynamic Disks are not supported
>> d) non-trivial storage controllers not supported too
>> e) the Linux version of the engine is single-threaded and thus times slower than the Windows one.

> Sorry, but it is obvious to anyone who ACTUALLY tried Linux that you are spreading bullshit all over
> the place,

This is not about Linux in general. This is about Linux from Kaspersky LiveCD.

Trust me, it has all aforementioned issues.

Your attempt to defend Linux in general here looks funny and childish. Surely I know that Linux supports the Promise disk controller and Dynamic Disks; nevertheless, the one used by Kaspersky does not.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> M> Not Kaspersky's though, since they
> [have a crappy LiveCD.]

Their support promised to have better LiveCD this year. We will look.

> A> Sorry, but it is obvious to anyone who ACTUALLY tried Linux that

Surely the issues of this LiveCD do not arise on full Linux distros.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com