0x16/7ton


Saturday, March 2, 2013

Win32/Gapz family ring0 payload


This is a general analysis of the rootkit payload of the Gapz family and its techniques.
Other analyses:
Samples:

VirusTotal example:

[A little about dropper]


As has been discussed in other articles, the dropper uses different exploits to elevate privileges on the system. Because my main task is to review the ring0 payload, I will not stop on a detailed analysis of the dropper.
I show only schematically the way I chose to analyze the payload:















[Blocks-code conception]


So the dropper successfully exploited the vulnerability, and the shellcode loaded the payload.
The payload looks like code split into structured blocks. Each block has its own header, which precedes the main code in the block.

size_header == 0x20
Block_Header
0x00  delta_const
0x04  reserved1
0x08  reserved2
0x0C  size_block
0x10  offset init_block_function
0x14  offset to config (only first block)
0x18  reserved3[2]

The rootkit's initial code parses the header of each block and calls its initialization function.
In these functions, in general, Gapz allocates a pool that is filled with function offsets and data specific to the individual blocks.

In turn, the addresses of all initialized blocks (the initialized pools) are stored in another pool, Block_Box.
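
Added example (not from the original post and not Gapz code): a Python parser that walks a dumped payload using the Block_Header layout above and rejects inconsistent headers. It assumes 32-bit little-endian fields, blocks stored back to back, size_block counting the header, and block-relative offsets; the sample bytes are constructed.

```python
import struct
from typing import NamedTuple, Optional

HEADER_SIZE = 0x20
# delta_const, reserved1, reserved2, size_block, init offset, config offset,
# reserved3[2] -- assumed to be eight little-endian 32-bit fields (8 * 4 = 0x20).
HEADER_FMT = "<8I"

class BlockHeader(NamedTuple):
    dump_offset: int               # where this header starts in the dump
    delta_const: int
    size_block: int
    init_offset: int
    config_offset: Optional[int]   # page: only the first block carries it

def parse_header(buf: bytes, pos: int) -> BlockHeader:
    if pos + HEADER_SIZE > len(buf):
        raise ValueError(f"truncated header at {pos:#x}")
    delta, _, _, size, init_off, cfg_off, _, _ = struct.unpack_from(HEADER_FMT, buf, pos)
    # Assumption: size_block counts header + code, so it can never be < 0x20
    # and the block must fit in the dump.
    if size < HEADER_SIZE or pos + size > len(buf):
        raise ValueError(f"bad size_block {size:#x} at {pos:#x}")
    # Assumption: the init function offset is relative to the block start
    # and must point past the header, inside the block.
    if not HEADER_SIZE <= init_off < size:
        raise ValueError(f"init offset {init_off:#x} outside block at {pos:#x}")
    return BlockHeader(pos, delta, size, init_off, cfg_off if pos == 0 else None)

def walk_blocks(buf: bytes) -> list:
    """Return the headers of all blocks, assuming they lie back to back."""
    blocks, pos = [], 0
    while pos < len(buf):
        hdr = parse_header(buf, pos)
        blocks.append(hdr)
        pos += hdr.size_block      # size >= 0x20, so the loop always advances
    return blocks

def make_block(delta: int, code: bytes, init_off: int, cfg_off: int = 0) -> bytes:
    """Build a constructed test block (not real Gapz data)."""
    size = HEADER_SIZE + len(code)
    return struct.pack(HEADER_FMT, delta, 0, 0, size, init_off, cfg_off, 0, 0) + code

# Constructed sample: two blocks of filler bytes, 0x50 and 0x30 bytes long.
SAMPLE = make_block(0x1000, b"\x90" * 0x30, 0x20, 0x40) + make_block(0x2000, b"\xcc" * 0x10, 0x28)

if __name__ == "__main__":
    for h in walk_blocks(SAMPLE):
        print(f"{h.dump_offset:#06x} size={h.size_block:#x} init=+{h.init_offset:#x} cfg={h.config_offset}")
```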




























[Blocks description]



Most blocks have a clear functional purpose, so it is possible to give them specific names.
Summary table of all blocks:

Block name              Block description
Block_Api               Contains the basic Ntoskrnl.exe and hal.dll functions used by Gapz. Also includes the MBR/VBR infector code, various helper functions, fields and buffers.
Block_crypto            Contains all the cryptographic algorithms used in Gapz (like md4, md5, sha-1, rc4 etc.)
Block_hook_engine       Includes the hook algorithms and the length disassembler engine.
Block_FileSystem        Includes the functions for working with the Gapz FAT file system.
Block_Atapi_Hooker      Contains the handler for the atapi driver hook.
Block_parser            Includes functions for parsing strings.
Block_ndisImp           Includes parser functions and NDIS wrappers.
Block_TcpIpStack        Gapz TCP/IP stack implementation.
Block_Http              HTTP protocol wrappers.
Block_Null_hooker       Contains the handler for the hook in the Null driver and the interface functions (for usermode).
Block_ProcessManagment  Includes the functions for injecting into usermode processes and the process notify callback.
Block_Main              Locking block; contains the main C&C polling loop and functions that use a number of the other functional blocks.


[Network Activity]


As seen from the table, the network part includes three blocks: Block_TcpIpStack, Block_ndisImp and Block_Http.
To control the transmission of data at the miniport driver level, the rootkit uses this technique:
  • parses the image of the ndis driver, namely the .data section, to find ndisMiniportList (which stores the NDIS_MINIPORT_BLOCK structures)
  • parses each NDIS_MINIPORT_BLOCK and grabs information from it
Thus Gapz implements a full, independent TCP/IP protocol stack.

Brief simplified scheme:



























The config file contains a list of third-level C&C domains for the rootkit and one static second-level domain.
Domain polling loop:















I did not find anything interesting in the Gapz protocol; all of its network activity is used only for loading usermode payloads.

[Gapz File System]


The image of the file system is located at this path:
  \??\%C%:\System Volume Information\{00cb26da-f0cf-8c37-ece7-611d1b0cfb1a}
  The part in orange is a random value

I found that the main code of Block_FileSystem is taken from the open source project FullFat:

Gapz FullFatFS location picture:











All data stored in the file system is encrypted. In general, the main purpose of the file system is to keep the downloadable usermode modules.

[Hooks]


All hooks are set using a length disassembler engine.
The first hook is set on IdePortDispatchDeviceControl in the atapi driver:
















The main purpose of this hook is very boring and standard: it substitutes the buffer when protected sectors are read and denies write operations on them. It also protects itself from IOCTL_ATA_PASS_THROUGH and IOCTL_ATA_PASS_THROUGH_DIRECT.

The hook in the Null driver is used as an interface to the usermode modules of the rootkit.
Block_Null_hooker contains a set of about 20 functions that are used to control the Gapz FullFat FS.
The hook handler looks like a typical DeviceIoControl handler, but the problem is that instead of hooking the function null_IRP_MJ_DEVICE_CONTROL, Gapz hooks _NlsUnload (IRP_MJ_SHUTDOWN) wtf??













[09.04.2013] update
OK, the ESET white paper explains this hook :)


[ProcessManagment]


Block_ProcessManagment contains the main loop, which sets the process notify callback (PsSetCreateProcessNotifyRoutine), waits for the event, and queries the FullFat file system for the presence of new usermode modules received from the C&C.
If a module is found, it is injected into the process by sending a standard APC.
There is nothing interesting in the process notify callback, only manipulation
of doubly linked lists, heh, don't give a fuck what they are needed for ^_^.


[Conclusion]


Why is so little written about such a large project?
  • I dropped a lot of details
  • Lazy (tired)
  • Gapz is ugly (my hopes were not justified)
  • Interest disappeared
  • C&C is dead and does not respond
  • darkness around me
 :D

But seriously, I spent a lot of time learning, had a lot of fun, gained experience, and made some notes for myself.
(hehe yes I think how to make fucking cool rootkit :D)

Overall not bad; other researchers will also look at Gapz.
I could have missed something or be wrong; maybe some other versions of Gapz have some changes.. ;)
Thanks for reading, sorry for bad English.. (I am trying to learn it >_<)

-----------------------------------

Shine, shine your light on me.
Illuminate me, make me complete.
