Brief Analysis of IceSword & Rootkit Unhooker Drivers

Source: Internet
Author: User

IceSword version: 1.20cn Revision No.: 061022
----------------------------------------------------

0. Process
(Omitted)

1. Port
IS uses IoBuildDeviceIoControlRequest to build IRPs and sends them to the TCP device object and the UDP device object created by tcpip.sys. The output buffer returns an array of port/IP/status/PID structures, but the entries are not associated with a process.

2. Driver
In the driver section, IS enumerates kernel modules by calling NtQuerySystemInformation(SystemModuleInformation). Incidentally, in the application section IS calls EnumServicesStatusExA to enumerate all running driver services. For each service it enumerates, it looks up the service's ImagePath value in the registry and compares that path with the corresponding module in the kernel-side list. If the paths match, the module is considered present; if they differ, or no match is found, the module is reported as hidden.
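The cross-view comparison just described (running services plus their registry ImagePath versus the kernel module list), as an added example in portable C that is not IceSword's code: the Windows API calls are replaced by constructed sample data, and canon_path, find_hidden, sample_hidden_count and the sample service names are assumptions of this example. It also normalises the path prefixes that the two views report differently before comparing.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Canonicalise a driver image path so the service view and the kernel view compare equal:
 * lower-case it and strip system-root prefixes (kernel list: "\SystemRoot\..." or
 * "\??\C:\WINDOWS\..."; a registry ImagePath is often relative, "system32\drivers\x.sys"). */
static void canon_path(const char *in, char *out, size_t outsz) {
    static const char *prefixes[] = { "\\??\\c:\\windows\\", "c:\\windows\\",
                                      "\\systemroot\\", "\\windows\\", "\\" };
    char tmp[260];
    size_t i;
    for (i = 0; in[i] != '\0' && i < sizeof tmp - 1; i++)
        tmp[i] = (char)tolower((unsigned char)in[i]);
    tmp[i] = '\0';
    const char *p = tmp;
    for (size_t k = 0; k < sizeof prefixes / sizeof prefixes[0]; k++) {
        size_t n = strlen(prefixes[k]);
        if (strncmp(p, prefixes[k], n) == 0) { p += n; break; }
    }
    snprintf(out, outsz, "%s", p);
}
struct svc { const char *name; const char *image_path; }; /* SCM name, registry ImagePath */
/* For each running driver service, look for its ImagePath in the kernel module list;
 * a service with no matching kernel module is reported as hidden. Returns the count. */
static int find_hidden(const struct svc *svcs, int nsvc, const char **kmods, int nk,
                       const char **hidden, int maxhidden) {
    int count = 0;
    for (int i = 0; i < nsvc; i++) {
        char a[260], b[260]; int found = 0;
        canon_path(svcs[i].image_path, a, sizeof a);
        for (int j = 0; j < nk && !found; j++) {
            canon_path(kmods[j], b, sizeof b);
            found = (strcmp(a, b) == 0);
        }
        if (!found && count < maxhidden) hidden[count++] = svcs[i].name;
    }
    return count;
}
/* Constructed sample: "hiddendrv" is a made-up service whose image is absent from the
 * kernel list, as a driver unlinked from the loaded-module list would be. */
static const struct svc sample_services[] = {
    { "Tcpip", "\\SystemRoot\\System32\\drivers\\tcpip.sys" },
    { "Null", "system32\\drivers\\null.sys" },
    { "hiddendrv", "\\??\\C:\\WINDOWS\\system32\\drivers\\hiddendrv.sys" } };
static const char *sample_kernel_modules[] = { "\\SystemRoot\\System32\\DRIVERS\\tcpip.sys",
    "\\??\\C:\\WINDOWS\\system32\\drivers\\null.sys", "\\WINDOWS\\system32\\ntoskrnl.exe" };
int sample_hidden_count(const char **hidden, int maxhidden) {
    return find_hidden(sample_services, 3, sample_kernel_modules, 3, hidden, maxhidden);
}
```

On the sample data only "hiddendrv" is reported; Tcpip and Null match despite the differing prefixes and letter case.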

3. Registry
In IceSword, registry processing is relatively simple: ZwOpenKey, ZwQueryKey, ZwClose, ZwEnumerateKey and ZwEnumerateValueKey are called for enumeration. Before calling them, IS restores the first few dozen bytes of each of these functions (undoing any inline hook placed on them).

4. File System
This part is important, and it is also where IS does something clever: it uses so-called raw FSD I/O to enumerate files and directories. In practice it calls IoAllocateIrp, fills in each field (first an IRP_MJ_CREATE, then an IRP_MJ_DIRECTORY_CONTROL with minor code IRP_MN_QUERY_DIRECTORY), and then "directly" calls the DispatchCreate and DispatchDirectoryControl dispatch routines of ntfs.sys/fastfat.sys. Two points deserve attention:

A. When filling in the IRP_MJ_DIRECTORY_CONTROL IRP, IS sets the SL_RETURN_SINGLE_ENTRY flag in the next-lower stack location. This makes the FSD return only one FILE_BOTH_DIRECTORY_INFORMATION structure per call instead of all of them (DS returns all of them). When IoStatus.Status == STATUS_NO_MORE_FILES, the enumeration is known to be complete.

B. IS locates the addresses of the dispatch routines mentioned above directly (by signature search) and, instead of going through IoCallDriver, calls them directly. In addition, it restores the first few dozen bytes of each dispatch routine, so a hook on the FSD dispatch table or an inline hook on the FSD itself is done in vain.


RkU version: 3.30.150.400
------------------------------------------------

0. Process
(Omitted)

1. Driver
"Hidden drivers detection
Detection of drivers hidden from Windows API
Combines four different methods of detection and including special five (c) Stealth Walker technology
And six (c) KMSE-Kernel Memory Scanning Engine" ---- RkU

As the help document says, RkU does spend a fair amount of code on its driver enumeration module. Analysing it took quite a while, so let's go through it in several parts:
A. Traverse the type list (POBJECT_TYPE->TypeList) of the IoDriverObjectType object type to obtain the object body of every DRIVER-type object, i.e. the DRIVER_OBJECT structure. Then take PDRIVER_OBJECT->DeviceObject, walk DeviceObject->AttachedDevice, and obtain the DRIVER_OBJECT information from each attached device. All of these items are placed in the output buffer.
B. Traverse the type list of the IoDeviceObjectType object type; the idea is the same as above.

Of course, the premise for A and B to enumerate anything is that the "maintain object type list" flag (FLG_MAINTAIN_OBJECT_TYPELIST) is set in the NtGlobalFlag variable; otherwise the output buffer is empty.

C. Call ZwOpenDirectoryObject to open the directory object and obtain a handle, then call ObReferenceObjectByHandle to obtain a pointer to the directory object (its structure is OBJECT_DIRECTORY),
