photo doc155602017_152116624_zpsa322a969.gif

пятница, 19 июля 2013 г.

Win32/Simda family ring0 payload


[General View]

Articles,links about him
Main features:
  •  infect the drivers from nt!PsLoadedModuleList
  •  ability to hide rootkit files
  •  pseudo "modularity" architecture
  •  written in disgusting style :D

As already noted  EP_X0FF the code was not changed since March 2011

Here bin-diffing:

Rootkit works only on x86 systems, but not so long ago he got a bootkit module for x64 Windows versions.

[Startup Cases] 


  •  DriverEntry start with empty RegistryPath:
     call payload function
  •  DriverEntry start with not empty RegistryPath ,but not from system32 directory:
     call infect and payload functions,not using direct inject usermode modules
  •  DriverEntry start with RegistryPath and include system32 directory [start like infected file]:
     create system thread (PsCreateSystemThread) and in that thread,call infect and payload functions.
Code in infected driver load original rootkit,which is stored on this path:
[name generate via md5(ZwQueryVolumeInformationFile[VolumeCreationTime])]


At first Simda is trying to establish own debugging interface by overwriting KiDebugRoutine pointer to its callback function.
(he get this pointer with help of signature-based search in exported function KeEnterKernelDebugger)
Accordingly all the hooks of the rootkit ,implemented via software breakpoints int3(0xCC)
For intercepted functions he create structures,that it stores in an array of pointers.
struct array_hook_struct
   pvoid array_hook_struct_pointer;    

   int     size_array;
array_hook_struct_pointer  - ptr to array of hook_struct
size_array - size of that array

Main and most important hook structure,looks something like here:
struct hook_struct
   int init_boolean;
   int hook_type;
   int reserved_1;
   pvoid hook_function_origin_addr;
   pvoid hook_handler_addr;
   int reserved_2;
   pvoid detour_addr;
   pvoid nop_chain_addr;
So inside rootkit debugging interface,when a breakpoint exception has been occurred ,he dispatch them and redirect control flow to eip of detour function.
Here how this look with help of hex-rays:

What exactly Simda hooks?
The lower driver IRP_MJ_INTERNAL_DEVICE_CONTROL(IRP_MJ_SCSI) function,of hard disk DR0 device.
Hook-handler checked all SRB_FUNCTION_EXECUTE_SCSI request.
This hook provide :
  • to replace the contents of the infected driver to original clean code
  • to replace the contents of the original file rootkit(\\systemroot\\system32\\c_%4.4x%d.nls)by the contents of the biggest .nls file in the directory(\\systemroot\\system32\\)
Atapi and scsi driver hooks screenshots:

Hook of NtResumeThread, provide inject of Simda module into usermode processes


As I mentioned early,Simda support modules architecture,which work in ring0 and in ring3.
r3 modules injected into the user-mode shell-process (explorer.exe)
r0 modules copied to the allocated memory.Then Simda created manually DRIVER_OBJECT struct and for the field DRIVER_OBJECT.DriverSection value is taken from the original
driver object \Driver\Disk (with ObReferenceObjectByName [* IoDriverObjectType]).
Some of the names of the modules within the sample

At ITW me was found only the implementation of the r0 module ModuleR0Pdm
and r3 bcs module


The main task of this module, the creation of web-redirect config, hooks in NDIS and spoofing in network packets ip4 (UDP[DNS], TCP[http] protocols).
The path to the config file:
swprintf(path_conf, L"\\systemroot\\temp\\%d.tmp", md5(VolumeCreationTime)[0x2] ^ md5(VolumeCreationTime)[0x0] ^ 0x58589954); 
Config strings encrypted with trivial alg,that looks like here:
 for (i=0;i < length_str ; i++)
    key_xor[i %sizeof(int)]^=str[i];
In kernelmode.info article about Win32/Simda you can also download my web-redirect config decrypt script.

Hooks module installed in all structures NDIS_OPEN_BLOCK (NDIS_MINIPORT_BLOCK->OpenQueue)from all miniport drivers except intermediate drivers and drivers with media type NdisMediumWan,NdisMediumCoWan.
That functions will be hooked:
The system hooks module supports the NDIS versions 5.1;6.0;6.1;6.20

Installed hooks:

Here how look the dns-spoofing in action,with google.com example:

[Detection example]

For this test i used vba32-ark tool.You can see the detection of the acpi driver infection and two installed break-hooks:


Nothing special here,i am just believe that this old shit will never rise again.
See you in hell Win32/Simda
thx for reading.
Found error?Hate me?
Please say it to me! ;)

Manipulate the pulse, the pattern, the beat
Dominate the world

суббота, 2 марта 2013 г.

Win32/Gapz family ring0 payload

This is a general analysis of rootkit payload Gapz family,and him technics.
Other analyses:

VirusTotal example:

[A little about dropper]

As has been discussed in other articles dropper uses different exploits for privileges elevate on the system.Because my main task will be to review ring0 payload,i am not stoped on the detailed analysis dropper. 
Show only schematically the way I chose to analyze the payload:

[Blocks-code conception]

So dropper successfully exploited the vulnerability,and shellcode load payload.
Payload looked like code,splited into structured blocks.Each unit has its own header, which precedes the main code in the block.

size_header == 0x20
0x0   delta_const
0x4   reserved1
0x8   reserved2
0xC  size_block
0x10 offset init_block_function
0x14 offset to config (only first block) 

0x18 reserved3[2]

Rootkit initial code parses the header of each blocks and called the initialization function.
In these functions, in general, Gapz allocated a pool that is filled with offset functions and specific to different data blocks.

In turn, all initialized address blocks (initialized pools) are stored in another pool Block_Box

[Blocks description]

Most blocks has a strong purpose in function, and it is possible to give specific names.
The table summary of all blocks:
Block name
Block description
Contains the basic functions Ntoskrnl.exe, hal.dll used Gapz Also includes a code infector MBR / VBR, various help-functions, fields and buffers
Contains all the cryptographic algorithms used in Gapz (like md4, md5, sha-1, rc4 etc.)
Includes hook-algorithms,disasm lengths engine.
Includes features for working FAT file system Gapz
Contains handler of hook atapi driver
Includes function for parsing strings
Includes function parser,wraps Ndis
Gapz Tcp/Ip stack implementation
http protocol wraps
Contains handler hook in Null driver and function-interfaces(for usermode)
Includes functions injects in usermode processes, process notify callback.
Locking block, contains the main polling cycle C&C,and the function uses a number of other functional blocks.

[Network Activity]

As seen from the table to the network part include three blocks Block_TcpIpStack, Block_ndisImp, Block_Http.
In order to control the transmission of data at the miniport driver rootkit uses this technique:
  • parses the image of ndis driver , namely .data section to find ndisMiniportList.(which stores structures NDIS_MINIPORT_BLOCK)
  • parses NDIS_MINIPORT_BLOCK and grabbing information from them  
Thus in Gapz implemented independent full protocol stack TCP/IP.
Brief simplified sheme:

In the config file contains a list of domains rootkit C&C in the third level, and one second-level static.
Polling loop domains:

I am not found any interesting in Gapz protocol,all network activity of him used only for loading usermode payloads.

[Gapz File System]

Image of the file system is located at this path:
  \??\%C%:\System Volume Information\{00cb26da-f0cf-8c37-ece7-611d1b0cfb1a}
  Orange color it is random value

I found that the main code Block_FileSystem taken from open source project FullFat:

Gapz FullFatFS location picture:

 All data is stored in the filesystem is encrypted.In general, the main purpose of file system it is keep downloadable usermode modules.


All hooks are set with a disassembler lengths engine.
First hook set on IdePortDispatchDeviceControl in atapi driver:

The main purpose of this hook is very boring and standard: the substitution of buffer for read protected sectors,and deny write operation on them.Also protect yourself from IOCTL_ATA_PASS_THROUGH ,IOCTL_ATA_PASS_THROUGH_DIRECT

Hook in Null driver, is used as an interface to the usermode modules of rootkit.
In Block_Null_hooker contains a set of about 20 functions that are used to control Fullfat FS Gapz.
Hook handler looks like a typical DeviceIoControl handler, but the problem is that instead of the hook function null_IRP_MJ_DEVICE_CONTROL Gapz hook _NlsUnload (IRP_MJ_SHUTDOWN) wtf??

[09.04.2013] update
Ok ESET white paper explain this hook :)


In the Block_ProcessManagment contains main loop putting Process notify callback (PsSetCreateProcessNotifyRoutine), waiting for the Event,queries the FullFat file system for the presence new usermode modules received from C&C. 
If the module is found, it is inject him into the process by sending a standard APC.
In Process notify callback is not anything interesting, only manipulation
with double-linked lists, heh dont give a fuck for what they need ^_^.


Why so little written about such a large project? 
  • I dropped a lot of details
  • Lazy (tired) 
  • Gapz ugly (my hopes were not justified) 
  • Interest disappeared
  • C&C is dead and not respond
  • darkness around me

But seriously, I spent a lot of time to learn, get a lot of fun, experience, and made some notes for myself.
(hehe yes I think how to make fucking cool rootkit :D)

Overall not bad other researchers will also look at the Gapz.
I can missed something or be a wrong,maybe in some other version Gapz exist some changes..;)
Thanks for reading,sorry for bad english..(i am try learn him >_<)


Shine, shine your light on me.
Illuminate me, make me complete.