Rootkit Ntoskrnl Exercise
- 1
Rootkit Ntoskrnl Exercise Test
Page 2 of 3 - Still have rootkit? - posted in Virus, Trojan, Spyware, and Malware Removal Help: I HAD run fixmbr; it just didn't seem to fix the problem.Ok. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power-users to remove and very difficult security experts to forensically analyze. For this exercise, obtain upx301w.zip and redpill.exe from the NAS, in the folder “Binary Auditing”. From Windows XP virtual Machine. Figure 10.7: The last thing what is worth being mentioned, can be seen in figure 10.8 The rootkit also locks two files, ntoskrnl.exe.
| Name | Filename | Status | Description |
|---|---|---|---|
| PDCOMP | _amdevntas.sys | X | Added by the Trojan-Spy.Win32.Batton.rk spyware and information stealer. Trojan-Spy spies upon user's activity and steals confidential user information. |
| lololol | _hideme_imhiddenlololol.exe | X | Added by the Troj/Hideme-A Trojan. This infection is hidden by the rootkit file C:_hideme_MYFILE.SYS. |
| Print Spooler Service | <random file name>.exe | X | Added by the Troj/HacDef-DJ backdoor Trojan and rootkit. |
| DER005 | <random filename> | X | Added by the Troj/Hackvan-B Trojan rootkit. |
| XRW005 | <random filename> | X | Added by the Troj/Hackvan-B Trojan rootkit. |
| System SSDP Services | <random letters>.sys | X | Added by the Troj/Pardot-A rootkit. |
| pe386 | <random number> | X | Added by the Backdoor.Rustock.A backdoor Trojan. This infection uses Alternate Data Streams and rootkit technology to hide itself and the service entry. |
| 3klagia | 3klagia.dll | X | Added by the Backdoor.Rustock backdoor rootkit. |
| 4fdw | 4fdw.dll | X | Added by the Backdoor.Rustock backdoor rootkit. |
| 63cica | 63cica.sys | X | Added by a variant of the Troj/NTRootK-CL rootkit. |
| accctsggw | accctsggw.cat | X | Added by the Backdoor.Rustock backdoor rootkit. |
| agehhtd | agehhtd.cat | X | Added by the Backdoor.Rustock backdoor rootkit. |
| <unknown> | agpbrdg5.sys | X | Added by a variant of Troj/Haxdor-Gen. |
| aiqpbter | aiqpbter.chm | X | Added by the Backdoor.Rustock backdoor rootkit. |
| alcom | alcom.sys | X | A variant of the Haxdoor rootkit. |
| alcop server | alcop.sys | X | Added by a variant of the Goldun.Fam rootkit. |
| apcdli | apcdli.sys | X | Added by the Mal/RootKit-A rootkit. |
| Network Control Manager | aries.sys | X | Added by the Sony/XCP DRM Rootkit. This file is the actual rootkit driver for the Sony DRM application. |
| <Unknown> | armdvc.sys | X | Added by a variant of the Goldun.Fam rootkit. |
| ARM TSL device | armdvc.sys | X | Added by a variant of the Troj/Haxdor-Gen rootkit. |
| ARM FDCG850 device | armrfc.sys | X | Added by a variant of the Goldun rootkit. |
| <unknown> | arprmdg5.sys | X | A variant of the HaxDoor rootkit. |
| asc355 | asc355.sys | X | A variant of the TROJ_AGENT.AAND rootkit. |
| asc3550o | asc3550o.sys | X | Identified as a variant of the Trojan.Rootkit.Agent rootkit. |
| asc355O | asc355O.sys | X | Identified as the Trojan.Rootkit.Agent.NCY rootkit. |
| DirectSound KDriver | asplg.sys | X | Added by a variant of the Goldun.Fam rootkit. |
| <unknown> | asusrx25.sys | X | Variant of the Troj/Haxdor-Fam rootkit. |
| Object memory mapping 8.0 | ati2ksag.sys | X | Added by a variant of the Goldun.Fam rootkit. |
| Object memory mapping 8.0 | ati2kstg.sys | X | A variant of the Haxdoor rootkit. |
| Object memory mapping 8.0 | ati2psag.sys | X | Added by a variant of the Goldun.Fam rootkit. |
There are lots of good answers in this thread. In particular, someone took the time to look at the code, and that person wrote it only took them minutes to find similarities that make my opinion difficult to dismiss.
About the lack of documentation, consider that only a tiny fraction of the kernel’s internals surface in the DDK. All our internal headers have a .w extension and are littered with directives like begin_ntddk, end_ntddk (and many others), so a large number of structures and many fields inside existing structures are hidden or replaced by a generic reserved field.
Macros names, parameters, etc. never appears in the compiled code. It is highly improbable (I studied math, “impossible” is not a word lol), almost surely impossible that a clean-room reimplementation ends up using macros for the same things, let alone macros with the same or similar names.
Also, consider that optimizing compilers emit code that is extremely hard to follow even for us. Heck, the debugger, together with the PRIVATE symbols that has the name of all private symbols, and the actual source code, has a hard time to sync with the disassembly with the code when stepping through. While it is possible to write code that behaves similarly seen from outside, it is again implausible that the expression of this behavior results in code that looks nearly identical to the original. Consider that the name of local variables is never part of the binaries, only public symbols are. Also, consider that the compiler aggressively optimizes out variables to reduce memory accesses and holds values in CPU registers as much as possible, so those variables, while conceptually present, don’t really exist as such in the disassembled code. How to explain that a reimplementation comes up with the same variables, declared in the same order, when those variables are optimized out by the compiler?
What about in-line functions, both explicit and auto-unlined by the compiler? How do you even know there was a function in the first place, and how do you invent a name that is identical to the name of said function in the original code?
Rootkit Ntoskrnl Exercise Equipment
Funnily, I had a conversation with a very seasoned kernel engineer (I report directly to him) about ReactOS and my Quora reply. He told me the team looked into ReactOS some time ago and reached the exact same conclusions: impossible.
Rootkit Download
In particular, this person distinctly remembers a hack he implemented (I’m not going to reveal any details, but suffice to say it was in response to some assertion by some 3rd parties that something Microsoft declared in a court of law as very difficult). He explained the hack to me in full details and, boy, hacky that was, and they found the same hack in ReactOS’s code, except that the présumer authors of that “clean room” implementation probably have no idea regarding why the hack was there.
Finally, “clean room” takes another sense when one knows that Alex (yes) worked for Microsoft until spring 2019 at least, as a contractor for a company called Cloudbase Solutions SRL. His Microsoft email address was v-alione@microsoft.com. I don’t know if he had access to the ntos code, or NTFS or anything else, but very close from home he was, for sure.
So to those who want to take my opinion to court, I say it’s a “careful what you wish for” type of thing, but again I’m not a lawyer, and in other regards ReactOS aligns with a very old version of the NT kernel. It is possible (my opinion only) that Microsoft does does not care?