This is a general analysis of the Gapz rootkit payload family and its techniques.
Other analyses:
- About dropper
- Gapz bootkit-technique
- [09.04.2013] update: ESET white paper
VirusTotal example:
[A little about dropper]
As discussed in other articles, the dropper uses different exploits to elevate privileges on the system. Because my main task is to review the ring0 payload, I will not stop on a detailed analysis of the dropper.
I will only show schematically the way I chose to analyze the payload:
[Blocks-code conception]
So the dropper successfully exploited the vulnerability, and the shellcode loaded the payload.
The payload looks like code split into structured blocks. Each block has its own header, which precedes the main code of the block.
size_header == 0x20
Block_Header:
  0x00  delta_const
  0x04  reserved1
  0x08  reserved2
  0x0C  size_block
  0x10  offset of init_block_function
  0x14  offset to config (only in the first block)
  0x18  reserved3[2]
The rootkit's initial code parses the header of each block and calls its initialization function.
In these functions, in general, Gapz allocates a pool that is filled with function offsets and data specific to each block.
In turn, the addresses of all initialized blocks (initialized pools) are stored in another pool, Block_Box.
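A small walker for this block layout, as an added example (not code from the original post): it steps through a dumped payload header by header using size_block and records each block's init function and config position. It assumes 32-bit little-endian fields, contiguous blocks, and offsets relative to the start of their block; the two-block sample is constructed.

```python
import struct
from dataclasses import dataclass

HEADER_SIZE = 0x20
# delta_const, reserved1, reserved2, size_block, offset init_block_function,
# offset to config, reserved3[2]  (32-bit little-endian fields assumed)
HEADER_FMT = "<IIIIII8s"


@dataclass
class Block:
    offset: int          # where the block starts in the dump
    delta_const: int
    size_block: int
    init_function: int   # absolute position of the init function in the dump
    config: int          # absolute position of the config, 0 if none


def parse_blocks(payload: bytes) -> list:
    """Walk the dump block by block; each header gives the size of its block."""
    blocks, pos = [], 0
    while pos + HEADER_SIZE <= len(payload):
        delta, _r1, _r2, size, off_init, off_cfg, _r3 = struct.unpack_from(
            HEADER_FMT, payload, pos)
        # a size smaller than the header or past the end means a corrupt dump
        if size < HEADER_SIZE or pos + size > len(payload):
            raise ValueError(f"bad size_block {size:#x} at {pos:#x}")
        if not HEADER_SIZE <= off_init < size:
            raise ValueError(f"init offset {off_init:#x} outside block at {pos:#x}")
        blocks.append(Block(pos, delta, size,
                            pos + off_init, pos + off_cfg if off_cfg else 0))
        pos += size
    if pos != len(payload):
        raise ValueError(f"{len(payload) - pos} trailing bytes after last block")
    return blocks


def make_block(size: int, off_init: int, off_cfg: int = 0) -> bytes:
    """Build a constructed block: header followed by filler 'code' bytes."""
    hdr = struct.pack(HEADER_FMT, 0, 0, 0, size, off_init, off_cfg, b"\0" * 8)
    return hdr + b"\xcc" * (size - HEADER_SIZE)


# constructed two-block sample: only the first block carries a config offset
SAMPLE = make_block(0x40, 0x20, 0x30) + make_block(0x30, 0x24)

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(f"block @{b.offset:#06x} size={b.size_block:#x} "
              f"init={b.init_function:#x} config={b.config:#x}")
```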
[Blocks description]
Most blocks have a clear functional purpose, and it is possible to give them specific names.
A summary table of all blocks:
Block name | Block description
Block_Api | Contains the basic Ntoskrnl.exe and hal.dll functions used by Gapz. Also includes the MBR/VBR infector code, various helper functions, fields and buffers.
Block_crypto | Contains all the cryptographic algorithms used in Gapz (md4, md5, sha-1, rc4 etc.)
Block_hook_engine | Includes the hook algorithms and a length disassembler engine.
Block_FileSystem | Includes functions for working with the Gapz FAT file system
Block_Atapi_Hooker | Contains the handler of the hook in the atapi driver
Block_parser | Includes functions for parsing strings
Block_ndisImp | Includes parser functions and wrappers around Ndis
Block_TcpIpStack | Gapz TCP/IP stack implementation
Block_Http | HTTP protocol wrappers
Block_Null_hooker | Contains the handler of the hook in the Null driver and function interfaces (for usermode)
Block_ProcessManagment | Includes functions for injecting into usermode processes and the process notify callback.
Block_Main | Locking block; contains the main C&C polling cycle and uses functions from a number of the other functional blocks.
[Network Activity]
As seen from the table, the network part includes three blocks: Block_TcpIpStack, Block_ndisImp and Block_Http.
In order to control the transmission of data at the miniport driver level, the rootkit uses this technique:
- parses the image of the ndis driver, namely its .data section, to find ndisMiniportList (which stores the NDIS_MINIPORT_BLOCK structures)
- parses the NDIS_MINIPORT_BLOCK structures and grabs information from them
Thus Gapz implements its own independent full TCP/IP protocol stack.
Brief simplified scheme:
The config file contains a list of third-level C&C domains of the rootkit, and one static second-level domain.
Polling loop domains:
I have not found anything interesting in the Gapz protocol; all its network activity is used only for loading usermode payloads.
[Gapz File System]
The image of the file system is located at this path:
\??\%C%:\System Volume Information\{00cb26da-f0cf-8c37-ece7-611d1b0cfb1a}
The part in orange is a random value
I found that the main code of Block_FileSystem is taken from the open source project FullFAT:
Gapz FullFatFS location picture:
All data stored in the file system is encrypted. In general, the main purpose of the file system is to keep the downloaded usermode modules.
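A triage script for the artifact described above, as an added example (not from the original post): it lists GUID-named files in a System Volume Information directory and measures the entropy of their first 64 KiB, since an encrypted FullFAT image reads as near-random bytes. The directory, the GUID names and the file contents are constructed stand-ins, not real indicators.

```python
import math
import os
import re
import tempfile
from collections import Counter

# {8-4-4-4-12} hex GUID, the naming pattern of the Gapz file system image
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_guid_images(svi_dir: str, sample_size: int = 64 * 1024,
                     threshold: float = 7.5) -> list:
    """Return (name, entropy, suspicious) for each GUID-named file in svi_dir."""
    hits = []
    for name in sorted(os.listdir(svi_dir)):
        path = os.path.join(svi_dir, name)
        if not (os.path.isfile(path) and GUID_NAME.match(name)):
            continue
        with open(path, "rb") as f:
            ent = shannon_entropy(f.read(sample_size))
        hits.append((name, round(ent, 3), ent >= threshold))
    return hits


def build_sample_dir() -> str:
    """Constructed stand-in for 'System Volume Information' with three files."""
    d = tempfile.mkdtemp()
    files = {
        # hypothetical random name, filled with random bytes like an encrypted image
        "{1b2c3d4e-5f60-7182-93a4-b5c6d7e8f901}": os.urandom(64 * 1024),
        # GUID-named but low entropy: not an encrypted container
        "{0a0a0a0a-0b0b-0c0c-0d0d-0e0e0e0e0e0e}": b"\x00" * 64 * 1024,
        # ordinary name, ignored by the name filter
        "tracking.log": os.urandom(1024),
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d
```

Windows itself keeps GUID-named files in System Volume Information, so the name match is only a triage filter; the entropy column is what narrows the list to encrypted containers worth carving with FullFAT tooling. Run it against a real volume with find_guid_images(r"C:\System Volume Information") from an elevated prompt.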
[Hooks]
All hooks are set with the help of a length disassembler engine.
The first hook is set on IdePortDispatchDeviceControl in the atapi driver:
The main purpose of this hook is very boring and standard: substitution of the buffer for reads of the protected sectors, and denying write operations on them. It also protects itself from IOCTL_ATA_PASS_THROUGH and IOCTL_ATA_PASS_THROUGH_DIRECT.
The hook in the Null driver is used as an interface to the usermode modules of the rootkit.
Block_Null_hooker contains a set of about 20 functions that are used to control the Gapz FullFAT FS.
The hook handler looks like a typical DeviceIoControl handler, but the problem is that instead of hooking null_IRP_MJ_DEVICE_CONTROL, Gapz hooks _NlsUnload (IRP_MJ_SHUTDOWN), wtf??
[09.04.2013] update
OK, the ESET white paper explains this hook :)
[ProcessManagment]
Block_ProcessManagment contains the main loop: it sets a process notify callback (PsSetCreateProcessNotifyRoutine), waits for the event, and queries the FullFAT file system for the presence of new usermode modules received from the C&C.
If a module is found, it is injected into the process by sending a standard APC.
There is nothing interesting in the process notify callback, only manipulation
of doubly-linked lists; heh, I don't give a fuck what they need them for ^_^.
[Conclusion]
Why so little written about such a large project?
- I dropped a lot of details
- Lazy (tired)
- Gapz is ugly (my hopes were not justified)
- Interest disappeared
- C&C is dead and not respond
- darkness around me
But seriously, I spent a lot of time learning, had a lot of fun, gained experience, and made some notes for myself.
(hehe, yes, I am thinking about how to make a fucking cool rootkit :D)
Overall not bad; other researchers will also look at Gapz.
I may have missed something or be wrong; maybe some other version of Gapz has some changes.. ;)
Thanks for reading, sorry for my bad English.. (I am trying to learn it >_<)
-----------------------------------
Shine, shine your light on me.
Illuminate me, make me complete.