Bootkit Hard Drive Forensics - Lecture 1

Source: Internet
Author: User

Some time ago I received an email asking how to bypass a bootkit's hard drive filter, the point being that my MBR spoofing code could be driven by a popular forensic tool. I believe that hard disk forensics should not be performed from inside the running (possibly infected) system, but from a clean installation; following that principle, I wrote a tool that bypasses the bootkit's driver filter and published this report. In another email I was asked to show how WinDbg can be used to check whether a bootkit filter is present. So this research report covers both points: bypassing the bootkit and detecting it.

Note:

1. MBR stands for Master Boot Record, also called the primary boot sector; it is located in the first sector of the hard disk.

2. WinDbg is a powerful user-mode and kernel-mode debugger for Windows.

3. A bootkit is also called a BIOS rootkit. This kind of rootkit is very well hidden and runs directly within the BIOS boot environment.

Hard drive filters: the old and new driver models

As my previous article explained, hard disk filters usually gain control by hooking. The common method hooks the IRP_MJ_SCSI routine in the miniport driver; another variant hooks the StartIO routine used in Windows driver development. In either case, these routines only exist in the older driver model, and those drivers are no longer present in Windows Vista and later. Every driver stack uses either the SCSI interface or the ATA interface of the hardware, and since both are built the same way, I will use an ATA hard drive system as the test subject.

The old driver model

In versions earlier than Windows Vista, the hard drive stack is built on atapi.sys, a monolithic ATA channel driver that provides both the port and the miniport. If a disk needs a custom miniport, the vendor has to write its own port and miniport driver, which is not easy.

When the device receives a request such as IRP_MJ_SCSI, it queues it with the IoStartPacket routine through the StartIO mechanism, which then calls the address stored in the driver's DriverStartIo field. Therefore, besides hooking IRP_MJ_SCSI, a rootkit can intercept all I/O requests to the disk simply by hooking DriverStartIo.


The new driver model

The new driver model splits the stack into ataport.sys and atapi.sys: Microsoft supplies the port driver (ataport.sys) and the miniport (atapi.sys), and the two work together to drive the disk channels. The port driver provides the basic functionality, while the miniport driver provides the hardware-specific parts. Therefore, if a vendor needs a custom miniport, it can simply write the miniport and let it interact with Microsoft's port driver.

Under the new model, the IRP_MJ_SCSI entry in the miniport's dispatch table points to a function inside ataport.sys (IdePortDispatch). From this we know that the port driver uses an internal mechanism to queue and process all requests, rather than IoStartPacket. This means a rootkit's hooks have to go through the IRP_MJ_SCSI handler rather than the DriverStartIo routine.

A warning about TDL

Although TDL is no longer very active, I still need to mention it. It can intercept the kdcom.dll file (the COM debugger extension, which handles kernel and driver debugging over a serial port). If you try to debug a system through that extension (kdcom.dll), the system turns into a "brick": it restarts, and you cannot even enter safe mode.

Using WinDbg to detect the major rootkits

First, find the disk you booted from; in most cases it is \Device\Harddisk0\DR0. Then make sure WinDbg has attached and loaded successfully. Use the !devstack command to display the device stack, and find the lowest device in it (the miniport).


On some devices infected with TDL4, the miniport driver object (\Driver\atapi) is damaged, so the !devobj and !drvobj commands cannot be used. In that case we must use dt _DEVICE_OBJECT on the lowest device object to reach the driver object of the miniport.

Now we can check the driver object, and especially its dispatch table, for function pointers that have been hooked by a rootkit. On a clean system every dispatch routine's address resolves to a symbol in the miniport, the port driver, or ntoskrnl. On a system infected with TDL4, however, the !drvobj command cannot be used, so you must use the dds command instead. The following figures show the commands and steps.

Using the !drvobj command on a clean system

Using the dds command on a clean system


The following figure shows a system infected with TDL4.


Notice it? All the addresses have been changed to the same address.

This is how it fools AV tools. Rovnix, for its part, redirects these pointers to unused space at the end of the atapi.sys driver, so the check has to cover the whole module, not just a single function. If the driver's dispatch table looks clean, the next step is to disassemble the address of IRP_MJ_SCSI (IRP_MJ_INTERNAL_DEVICE_CONTROL). If the dispatch routine jumps into memory that is readable and writable, an inline-hooking rootkit is probably present. Run the command shown in the figure and confirm that IRP_MJ_SCSI points to ataport!IdePortDispatch.


On a clean system, the start of IRP_MJ_SCSI should look like this.
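The dispatch-table checks described above (every entry sharing one address, entries pointing into a module's unused tail, and a leading jump out of the module at IRP_MJ_SCSI) as an added Python example; this is not code from the article. It works on text saved from WinDbg's dds command; the module ranges, dump lines and byte patterns are constructed, and the "last section end" split is a simplified model of the unused space at the end of a module.

```python
import re, struct

# Simplified module map with constructed addresses (base, end of last section, end of image):
# bytes between the last section and the image end are the module's unused tail space.
MODULES = {
    "ataport": (0x8A200000, 0x8A22A000, 0x8A22C000),
    "atapi":   (0x8A2C0000, 0x8A2CC000, 0x8A2CE000),
    "nt":      (0x82800000, 0x82BD0000, 0x82BD8000),
}
DDS_LINE = re.compile(r"^\s*[0-9a-f]{8}\s+([0-9a-f]{8})", re.I)  # "<slot addr>  <value> [symbol]"

def parse_dds(text):
    """Target address of every 32-bit slot in a WinDbg 'dds' dump of MajorFunction[]."""
    return [int(m.group(1), 16) for m in map(DDS_LINE.match, text.splitlines()) if m]

def locate(addr):
    """Return (module, 'code'|'tail') for addr, or (None, None) if no module contains it."""
    for name, (base, sect_end, img_end) in MODULES.items():
        if base <= addr < img_end:
            return name, ("code" if addr < sect_end else "tail")
    return None, None

def check_dispatch_table(targets):
    """Findings: one shared address (TDL4), pointers into a module tail (Rovnix), or unmapped."""
    findings = []
    if len(targets) > 1 and len(set(targets)) == 1:
        findings.append("every MajorFunction entry points to the same address (TDL4-style)")
    for i, t in enumerate(targets):
        mod, region = locate(t)
        if mod is None:
            findings.append(f"IRP_MJ 0x{i:02X} -> {t:#010x} lies outside every loaded module")
        elif region == "tail":
            findings.append(f"IRP_MJ 0x{i:02X} -> {t:#010x} lies in the unused tail of {mod} (Rovnix-style)")
    return findings

def check_inline_hook(func_addr, first_bytes):
    """Flag an inline hook: the routine begins with a 'jmp rel32' (E9) that leaves its module."""
    if first_bytes[:1] != b"\xE9" or len(first_bytes) < 5:
        return None
    target = (func_addr + 5 + struct.unpack("<i", first_bytes[1:5])[0]) & 0xFFFFFFFF
    dst = locate(target)[0]
    return None if dst == locate(func_addr)[0] else f"jmp {func_addr:#010x} -> {target:#010x} ({dst or 'unmapped'})"

# Constructed dumps in 'dds' format: the clean one shows slots resolving into ataport (one of them
# ataport!IdePortDispatch), the infected one shows every slot redirected to one atapi tail address.
CLEAN_DDS = """8a2d1038  8a20b5c0 ataport!IdePortDispatch
8a2d103c  8a20a1f0 ataport+0xa1f0
8a2d1040  8a20b5c0 ataport!IdePortDispatch"""
TDL4_DDS = "8a2d1038  8a2cd2a0\n8a2d103c  8a2cd2a0\n8a2d1040  8a2cd2a0\n"
```

On a real system the dump would be the full MajorFunction[] array and the module ranges would come from the lm command; the same three checks apply unchanged.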

Inline-hooking rootkits are very hard to find, especially the more advanced ones that redirect a call deeper in the function rather than patching its entry. The best approach is to compare the module's memory image against its image on disk to see whether it has been modified. However, you must first have a reference: the system image and module memory of a system that is known not to be infected, so that the two can be compared.
