Progress of MBR-based bootkits: Ghost Shadow, TDL4, BMW

Source: Internet
Author: User

A summary of what was written earlier.

1. MBR bootkit: Ghost Shadow
- Ghost Shadow series
- Features: only the XP system is supported. It was modified from an open-source foreign version.
- Starting from the MBR it hooks INT 13H, resides in high memory, hooks ntldr, hooks ntoskrnl functions, and loads the virus driver during ntoskrnl initialization to perform a series of operations.
- All virus code lives outside the operating system, in the MBR, so formatting the hard disk and reinstalling the system does not get rid of it.
- Disadvantages: only XP is supported, and its self-protection is weak, so it is easy to detect and repair.
2. MBR bootkit: TDL4
- TDL4 series
- Popular in Europe and America, rarely seen in China. Its technical level is higher than Ghost Shadow's.
- All Windows operating systems are supported, even 64-bit Win7; on 64-bit Win7 it bypasses PatchGuard and driver-loading signature verification. If this technology becomes widespread, attacks on 64-bit Windows systems will be devastating.
- Structure: mbr -> ldr16 -> ldr32 (ldr64) -> drv32 (drv64)
- mbr: its main function is to search the rootkit's encrypted partition for the ldr16 module, load it into memory, and transfer control to it.
- ldr16:
After it is loaded from disk and runs, it hooks INT 13H to intercept hard-disk read and write operations. It then loads the original MBR, backed up in the last encrypted sector of the disk, into memory and hands control to it; the original MBR loads the operating system's boot modules. The boot modules read the files the system starts from through INT 13H, so every read operation passes through the TDL4 hook.
In the hook, the request is checked to see whether it reads a specific file; if so it is processed, otherwise it is passed straight through.
One file that is processed is kdcom.dll.
This DLL is related to system debugging. In the hook, ldr16 looks for the characteristic features of this file; if they match, it is processed, with both 32-bit and 64-bit versions handled at the same time.
When it sees that file being loaded, ldr16 searches the encrypted partition for the ldr32 or ldr64 component, depending on the system, and loads it into memory in place of kdcom.dll. This completes the hijack in memory. In addition, ldr16 also needs to alter the BCD information in memory; the BCD is the hive file that replaced boot.ini from Windows Vista onward.
TDL4 modifies the BcdLibraryBoolean_EmsEnabled element in the BCD: the element ID of this default flag is "16000020", and it is replaced with "26000022", which is BcdOSLoaderBoolean_WinPEMode. This switches the system into WinPE mode, in which code integrity verification is not performed, so the system does not verify the digital signature of kdcom.dll. After the verification stage has been passed, this mode is disabled again by setting the /MININT parameter to an invalid value.
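As an added example that is not part of the original post, the following Python decodes the two BCD element IDs named above and shows why swapping the ID flips the meaning of an unchanged TRUE value. The two IDs are the documented Windows BCD element identifiers; the helper names and the element dictionaries are constructed here. Because TDL4 patches the copy of the hive in memory, the checker is meant for a memory dump of the loaded BCD or for a hive read back from disk, not as proof that the on-disk store was altered.

```python
# Added example, not from the original post: how the BCD element IDs
# mentioned above are structured and what the ID swap does to a loader entry.
# The two IDs are documented Windows BCD element identifiers; the helper
# names and the element dictionaries are constructed for this example.

BCD_LIBRARY_BOOLEAN_EMS_ENABLED = 0x16000020   # shown by bcdedit as "ems"
BCD_OSLOADER_BOOLEAN_WINPE_MODE = 0x26000022   # shown by bcdedit as "winpe"

ELEMENT_NAMES = {
    BCD_LIBRARY_BOOLEAN_EMS_ENABLED: "BcdLibraryBoolean_EmsEnabled",
    BCD_OSLOADER_BOOLEAN_WINPE_MODE: "BcdOSLoaderBoolean_WinPEMode",
}
CLASS_NAMES = {1: "library", 2: "application", 3: "device"}
FORMAT_NAMES = {1: "device", 2: "string", 3: "object", 4: "object-list",
                5: "integer", 6: "boolean", 7: "integer-list"}


def decode_element_id(element_id: int) -> tuple:
    """Split a 32-bit BCD element ID into (class, format, subtype).

    Bits 28-31 give the element class, bits 24-27 the data format and
    bits 0-23 the subtype.  0x16000020 and 0x26000022 are both booleans
    (format 6); they differ in class (library vs. application) and subtype,
    which is why a TRUE value keeps its bit pattern but changes meaning.
    """
    return (element_id >> 28) & 0xF, (element_id >> 24) & 0xF, element_id & 0xFFFFFF


def describe(element_id: int) -> str:
    cls, fmt, sub = decode_element_id(element_id)
    return "%s (%08x: class=%s format=%s subtype=0x%x)" % (
        ELEMENT_NAMES.get(element_id, "unknown"), element_id,
        CLASS_NAMES.get(cls, cls), FORMAT_NAMES.get(fmt, fmt), sub)


def parse_boolean_element(raw: bytes) -> bool:
    """Boolean elements are stored as a one-byte REG_BINARY 'Element' value
    under Objects\\{guid}\\Elements\\<id> in the BCD hive."""
    if len(raw) != 1:
        raise ValueError("boolean BCD element must be exactly one byte")
    return raw[0] != 0


def rename_element(elements: dict, old_id: int, new_id: int) -> dict:
    """Return a copy with one element ID replaced while its value is kept,
    mirroring the in-memory change the text describes so the checker below
    can be exercised on a 'before' and an 'after' view."""
    renamed = dict(elements)
    if old_id in renamed:
        renamed[new_id] = renamed.pop(old_id)
    return renamed


def code_integrity_findings(elements: dict) -> list:
    """Inspect {element_id: value} for one Windows Boot Loader object and
    report settings that turn off code-integrity enforcement."""
    findings = []
    if elements.get(BCD_OSLOADER_BOOLEAN_WINPE_MODE) is True:
        findings.append("%s is TRUE: winload runs in WinPE mode and skips "
                        "code-integrity checks, so an unsigned kdcom.dll loads"
                        % ELEMENT_NAMES[BCD_OSLOADER_BOOLEAN_WINPE_MODE])
    return findings


if __name__ == "__main__":
    # Constructed loader entry: EmsEnabled present and TRUE, as in the text.
    before = {BCD_LIBRARY_BOOLEAN_EMS_ENABLED: parse_boolean_element(b"\x01")}
    after = rename_element(before, BCD_LIBRARY_BOOLEAN_EMS_ENABLED,
                           BCD_OSLOADER_BOOLEAN_WINPE_MODE)
    for label, elems in (("before", before), ("after", after)):
        print(label, [describe(e) for e in elems], code_integrity_findings(elems))
```

Running the script prints the "before" view with no findings and the "after" view with the WinPE-mode finding; the value byte is identical in both, only the ID under which it is interpreted has changed.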
- ldr32/ldr64
To keep system initialization working, ldr32/ldr64 must provide the exported functions of kdcom.dll.
The exports are the same on 32-bit and 64-bit systems. However, TDL4's ldr32/ldr64 only needs to do real work in KdDebuggerInitialize1; the other functions can simply return success. Through this simple method, TDL4 gets initialized early in system startup, and the system debugger is disabled as a side effect.
Early in system initialization, Phase1Initialization calls KdDebuggerInitialize1, which then initializes TDL4.
The code of ldr32 and ldr64 is basically the same, because both are compiled from the same C code.
After KdDebuggerInitialize1 is called, ldr32/ldr64 performs a series of initialization operations:
- It calls the undocumented function IoCreateDriver to create a driver object for ldr32/ldr64, because kdcom.dll itself is not loaded as a driver. The initialization function is passed as a parameter to IoCreateDriver.
- It calls IoRegisterPlugPlayNotification to register a plug-and-play notification callback.
- When the plug-and-play callback is invoked, it searches the TDL4 encrypted partition for the main rootkit driver drv32/drv64 (32-bit or 64-bit depending on the running operating system), loads it into memory, performs the necessary setup, and then calls the driver's entry point.
- drv32/drv64:
- Once ldr32/ldr64 has initialized successfully, the rootkit's main functional module is loaded. Its main job is to hide itself and keep security software from discovering it. When security software tries to access the rootkit's key sectors, such as the MBR or the last region of the disk, it is handed false, normal-looking data.
- It does this by hijacking the device object of atapi.sys; this kind of hook does not trigger the PatchGuard protection mechanism.
- In addition, the rootkit creates a monitoring thread that checks whether the object hook and the MBR have been restored. If they have been, the MBR is infected again.
- Advantages: strong compatibility, supporting all Windows systems; powerful hiding, so that the original MBR is difficult to obtain on an infected system; and powerful self-protection, with a kernel thread guarding its own hooks and MBR. Once these are restored it immediately re-hooks and re-infects them, making it difficult to remove.
- Disadvantages: current ARK (anti-rootkit) tools are becoming more and more powerful, and there are still ways to detect and repair it. In addition, booting into WinPE to repair it kills it in seconds.
BIOS rootkit: the BMW virus
I. BMW virus BIOS part
An ISA module named hook.rom is added to the BIOS to check whether the MBR has been restored. If it finds that the MBR has been repaired, it writes about 14 sectors of virus code stored in the BIOS back into the MBR, so repeated formatting, high-level formatting or re-partitioning does not get rid of it.
- After executing part of the MBR virus code, it reads 6 sectors of virus code starting at sector 2 to 0x7C00 and jumps there to execute. It then reads the backup MBR from sector 7 into memory and checks that the sector is valid. After that check, it reads the sector holding the boot sector of the partition listed in the partition table to 0x7C00 and checks that the boot partition is valid. It then determines the type of the boot partition; currently the virus supports NTFS and FAT32, which it handles differently by partition type. Walking the file system, it finds the sectors where the target Windows system file lives, reads its PE information and determines whether the file has already been infected. (On XP/2003 the file is winlogon.exe; on Win7/Vista it is wininit.exe.)
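The checks just described (boot signature, partition table, NTFS/FAT32 type) are the same ones a defender performs when examining an MBR. As an added example that is not from the original post, the Python below parses an MBR sector, compares its boot code against a recorded baseline hash, and reports a large unallocated tail after the last partition, the kind of space the bootkits above use for the MBR backup and the encrypted partition. The MBR bytes, the baseline, the disk size and the tail threshold are constructed for the example.

```python
# Added example, not from the original post: parse an MBR sector the way a
# defender would, compare its boot code against a recorded baseline and look
# for a large unallocated tail behind the last partition.  The MBR bytes,
# baseline hash, disk size and threshold below are constructed for the example.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 are boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}
TAIL_THRESHOLD = 2048          # sectors (1 MiB); alignment slack is normally smaller


def parse_mbr(sector: bytes) -> dict:
    """Return the boot code and the non-empty partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:            # empty entry
            continue
        partitions.append({"index": i, "active": status == 0x80,
                           "type": ptype,
                           "type_name": PARTITION_TYPES.get(ptype, "other"),
                           "lba_start": lba_start,
                           "sector_count": sector_count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def unallocated_tail_sectors(partitions: list, disk_sectors: int) -> int:
    """Sectors after the end of the last partition: where the bootkits above
    keep the MBR backup and their encrypted partition."""
    end = max((p["lba_start"] + p["sector_count"] for p in partitions), default=0)
    return max(disk_sectors - end, 0)


def check_mbr(sector: bytes, baseline_digest: str, disk_sectors: int) -> list:
    """Return findings; an empty list means nothing suspicious."""
    findings = []
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from the recorded baseline")
    info = parse_mbr(sector)
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    elif active[0]["type"] not in PARTITION_TYPES:
        findings.append("active partition type 0x%02x is not NTFS/FAT32" % active[0]["type"])
    tail = unallocated_tail_sectors(info["partitions"], disk_sectors)
    if tail >= TAIL_THRESHOLD:
        findings.append("%d unallocated sectors after the last partition" % tail)
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Constructed MBR for testing: partitions = [(active, type, lba_start, count)]."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if active else 0, b"\0\0\0",
                                 ptype, b"\0\0\0", start, count)
                     for active, ptype, start, count in partitions)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\0") + table.ljust(64, b"\0")
            + BOOT_SIGNATURE)


if __name__ == "__main__":
    clean_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20      # constructed boot stub
    disk = 2048 + 409600                                      # constructed 200 MiB disk
    clean = build_mbr(clean_code, [(True, 0x07, 2048, 409600)])
    baseline = boot_code_digest(clean)
    print("clean:", check_mbr(clean, baseline, disk))
    # Constructed "infected" view: patched boot code and a hidden tail.
    tampered = build_mbr(b"\xeb\x3c" + clean_code, [(True, 0x07, 2048, 409600)])
    print("tampered:", check_mbr(tampered, baseline, disk + 8192))
```

The baseline digest has to be recorded from a known-good system and kept off the disk being checked, since both bootkits above hand back a clean-looking MBR to anything reading it through the infected system; reading the sector from a boot CD or WinPE environment, as the text notes, avoids that.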
- If the Windows system file is already infected, "Find it OK!" is displayed on the screen, then control is transferred to the original MBR and execution jumps there. If the Windows system file is not infected, the PE file is infected and its sectors are written back, "Find it OK!" is displayed on the screen, and control likewise passes to the original MBR.
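To tell whether winlogon.exe or wininit.exe has had its entry point redirected, a defender can parse the PE headers, as in this added Python example (not code from the original post). It locates the section holding AddressOfEntryPoint and flags an entry point that falls outside every section, in the last section, in a section not marked as code, or in a writable-and-executable section; the heuristics are mine and the test PE is constructed in memory.

```python
# Added example, not from the original post: check where a PE file's entry
# point lands, a quick way to spot an infected winlogon.exe/wininit.exe whose
# AddressOfEntryPoint was redirected into appended code.  The heuristics and
# the in-memory test PE are constructed for this example.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(pe: bytes) -> tuple:
    """Return (entry_rva, sections) from PE32/PE32+ file bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                     # optional header start
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        hdr = opt + size_opt + 40 * i                       # section table entry
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, hdr)
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]   # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": rawsize,
                         "raw_ptr": rawptr, "chars": chars})
    return entry_rva, sections


def entry_point_findings(pe: bytes) -> list:
    """Heuristic findings about the section that holds the entry point."""
    entry, sections = parse_pe(pe)
    holder = None
    for s in sections:
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            holder = s
            break
    if holder is None:
        return ["entry point 0x%x lies outside every section" % entry]
    findings = []
    if len(sections) > 1 and holder is sections[-1]:
        findings.append("entry point is in the last section '%s' (appended code?)" % holder["name"])
    if not holder["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry section '%s' is not marked as code" % holder["name"])
    if holder["chars"] & IMAGE_SCN_MEM_WRITE and holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section '%s' is writable and executable" % holder["name"])
    return findings


def build_pe(entry_rva: int, sections: list) -> bytes:
    """Constructed headers-only PE32 for testing: sections = [(name, vaddr, size, chars)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0, 0, 0, 0, 0, chars)
                     for name, vaddr, size, chars in sections)
    return dos + b"PE\0\0" + file_hdr + opt + table


if __name__ == "__main__":
    text = (b".text", 0x1000, 0x2000, 0x60000020)   # code | execute | read
    data = (b".data", 0x3000, 0x1000, 0xC0000040)   # initialized data | read | write
    rsrc = (b".rsrc", 0x4000, 0x1000, 0x40000040)
    print("clean:", entry_point_findings(build_pe(0x1100, [text, data, rsrc])))
    extra = (b".xtra", 0x5000, 0x0400, 0xE0000020)  # constructed appended RWX code section
    print("suspect:", entry_point_findings(build_pe(0x5010, [text, data, rsrc, extra])))
```

These are triage heuristics, not proof: a packed legitimate binary can also start in its last section, so a hit should be confirmed against the file's Authenticode signature or a known-good hash of the same build.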
- BMW virus Windows part (execution of the infected winlogon/wininit file)
After the virus code is decrypted, it loads the specified file, calls CreateThread to create a virus thread, and jumps back to the original entry point to continue execution. In the virus thread it sleeps for 10 seconds, then calls URLDownloadToFileA to download a downloader from the attacker's server to the local machine. After verifying that the file downloaded successfully, it calls WinExec to run it, which downloads and runs multiple malicious programs. The virus also downloads the driver named C:\My.sys; the preceding virus code loads the driver through a series of service functions. After this is done, the virus thread enters an infinite sleep.
- C:\My.sys: the disk-hook driver loaded by the infected Winlogon code. The driver hooks the read, write, DeviceIoControl and dispatch routines of disk.sys to prevent reads of the MBR and the related virus sectors.
- BIOS rootkits have many advantages and disadvantages:
- The advantages of a BIOS rootkit:
1. It gains control of the system first. Because the program fixed in the BIOS chip is the first thing executed when the computer starts, a BIOS rootkit embedded in the BIOS chip naturally gains control immediately.
2. It leaves no trace on the hard disk. The BIOS rootkit lives mainly in the BIOS chip, so traditional hard-disk-based security detection programs are ineffective.
3. It can repeatedly infect the existing operating system or a newly installed one. Because the BIOS rootkit lives in the BIOS chip, reinstalling the system is useless.
4. It can defend against almost all existing security software such as HIPS, anti-virus and auditing tools. Almost all of them are based on the operating system; none has a function for dealing with a BIOS rootkit at the hardware level.
5. It is difficult to detect. A BIOS rootkit is generally built as a standard ISA or PCI module following the BIOS design specifications, so it is hard to tell whether a given module is a BIOS rootkit.
6. It is difficult to remove. Even if an ISA/PCI module is identified as a BIOS rootkit, it can only be removed by reprogramming the chip with a hardware programmer, and not everyone has one or knows how to use it.
- The disadvantages of a BIOS rootkit:
1. Programming is difficult. A BIOS rootkit is written mainly in assembly, and can only call specific BIOS interrupts. For example, the INT H system boot interrupt can be called normally, while calls to the INT 13H disk interrupt are problematic because the disk device is not yet ready when the BIOS boots the computer.
2. BIOS types are complicated, and a good general-purpose BIOS rootkit is hard to achieve. The BIOS chip type, the motherboard model and even the motherboard revision impose great restrictions on a BIOS rootkit. In addition, Award, AMI and Phoenix BIOSes have different hardware call conventions, so a BIOS rootkit with good portability is difficult to implement.
3. BIOS technical information is missing. BIOS internals have always been closely guarded secrets of the major BIOS manufacturers, so much of the information needed to write a BIOS rootkit, such as electrical characteristics and call parameters, cannot be found.
4. Complicated problems such as real/protected mode switching and system boot flow. Programming in protected mode, especially flow control of the non-open-source Windows operating system, makes a BIOS rootkit difficult to implement.
5. BIOS space restrictions. The BIOS chip is generally only KB in size; after the manufacturer's fixed programs, the free space is often insufficient to hold a BIOS rootkit.
- About the BMW BIOS: this has always been a very troublesome issue. To do it well, you must parse, pack and split the entire BIOS file. But looking at what the virus does, the whole process is carried out with the BIOS tool CBROM: the virus reads the BIOS, uses the tool to add its own code and automatically fix up the BIOS file, then writes the combined BIOS file back. We can do the same: read the BIOS, check whether there is any virus code in it, and if so remove it with the tool and write the BIOS back. It is all that simple; the only difficulty is the test machine.
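Following the idea of reading the BIOS and checking it for foreign code, this added Python example (not the post's own tooling) scans a BIOS image or a dump of the legacy option ROM area for option ROM headers (55 AA followed by the size in 512-byte blocks), verifies each ROM's byte checksum and compares its SHA-256 with an allow-list of known modules; anything unknown, such as an added hook.rom, is reported. It assumes the modules are already decompressed (Award BIOS files store modules compressed, so a CBROM-style extraction comes first); the ROM images and the allow-list are constructed for the example.

```python
# Added example, not from the original post: enumerate legacy option ROMs in
# a decompressed BIOS image (or a dump of the option ROM area), verify their
# checksums and compare them with an allow-list of known modules.  The ROM
# images and the allow-list below are constructed for this example.
import hashlib

SCAN_STEP = 512   # legacy option ROMs start on 512-byte boundaries


def scan_option_roms(image: bytes) -> list:
    """Find 55 AA <size/512> headers and describe each ROM found."""
    roms, off = [], 0
    while off + 3 <= len(image):
        if image[off] == 0x55 and image[off + 1] == 0xAA and image[off + 2]:
            size = image[off + 2] * 512
            body = image[off:off + size]
            if len(body) == size:
                roms.append({"offset": off, "size": size,
                             # the bytes of a valid option ROM sum to zero mod 256
                             "checksum_ok": sum(body) % 256 == 0,
                             "sha256": hashlib.sha256(body).hexdigest()})
                off += size
                continue
        off += SCAN_STEP
    return roms


def unexpected_roms(image: bytes, known_hashes: set) -> list:
    """ROMs that are not on the allow-list or fail their checksum."""
    return [r for r in scan_option_roms(image)
            if r["sha256"] not in known_hashes or not r["checksum_ok"]]


def build_rom(payload: bytes, blocks: int) -> bytes:
    """Constructed option ROM: header, payload, zero padding, checksum byte."""
    rom = bytearray(b"\x55\xaa" + bytes([blocks]) + payload)
    rom = rom.ljust(blocks * 512, b"\0")
    rom[-1] = (-sum(rom[:-1])) % 256     # make the whole ROM sum to zero
    return bytes(rom)


if __name__ == "__main__":
    video = build_rom(b"\xeb\x10constructed video BIOS stub", 4)
    unknown = build_rom(b"\xeb\x10constructed unknown module", 2)
    image = b"\xff" * 2048 + video + b"\xff" * 1024 + unknown + b"\xff" * 4096
    allow = {hashlib.sha256(video).hexdigest()}   # known-good modules for this board
    for r in unexpected_roms(image, allow):
        print("unknown ROM at 0x%05x (%d bytes, checksum %s)"
              % (r["offset"], r["size"], "ok" if r["checksum_ok"] else "BAD"))
```

The allow-list is best built from the vendor's original BIOS file for the exact board rather than from the running machine; the text's point that a flash read and compare is "all that simple" holds only when the reference image is trustworthy.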
