Blog
Uncategorized
1

Hard Disk Firmware Hacking (Part 1)

I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple …

Read More
Uncategorized

Hard Disk Firmware Hacking (Part 2)

Now that everything is ready to be connected, power up the hard drive an run openocd with the following command: openocd -f interface/<your interface here>.cfg -f target/test.cfg test.cfg should be the configuration for the CPU used by your hard disk controller, for most marvell CPUs this config should work. I’m …

Read More
Uncategorized
2

Intercepting all System Calls by Hooking KiFastSystemCall

Usually I don’t post things like this, but because KiFastSystemCall hooking only works on x86 systems and doesn’t work on Windows 8 or above, it no longer has much use in malware. There are also multiple public implementations for this method, just not very elegant, which I hope to correct. …

Read More
Uncategorized
6

Code Mutation (Polymorphism)

Before we start it’s probably best to explain some things: Signature – A pattern of bytes used by an antivirus to identify malicious executables, this could be a string, parts of a function, or a hash. Crypting – This is the most common way of evading antivirus detections, it works …

Read More
Uncategorized
4

Bootkit Disk Forensics – Part 3

Getting Original Pointers XP is a little more complicated than newer systems due to the use of a single driver for both port and miniport; however, getting the original pointers is fairly straight forward depending on how you do it. IRP_MJ_SCSI & DriverStartIo – Method 1 (Windows XP) A common …

Read More
Uncategorized
10

Bootkit Disk Forensics – Part 2

DriverStartIo As I explained in the previous article: DriverStartIo is used by older miniports to actually perform the disk I/O, it takes 2 parameters (a device object and an IRP), exactly the same as IoCallDriver does. The call to DriverStartIo is done with IoStartPacket; however, the device object passed is …

Read More
Uncategorized
9

Bootkit Disk Forensics – Part 1

Recently I got the idea to play around with bypassing bootkit disk filters from an email i received, which highlighted that my MBR spoofing code was able to get underneath the driver of a popular forensics tool, preventing it from reading the real disk sectors. Although I believe disk forensics …

Read More
Uncategorized
4

RIG Exploit Kit – Source Code Leak

As the past has show us, cybercriminals are not the most trustworthy people when it come to holding valuable sources, and it looks like we’re about to get another reminder of that, this time with an exploit pack leak. RIG is a popular exploit kit which has been around for …

Read More
Uncategorized
6

Using Kernel Rootkits to Conceal Infected MBR

If you’ve look at any of the major bootkits such as TDL4 and Rovnix, you’ve probably noticed they employ certain self defense features to prevent removal; specifically, intercepting read/write requests to the boot sectors. While these defense mechanisms can fool some software, they may, in some cases, make infections even …

Read More
Uncategorized
15

Inline Hooking for Programmers (Part 2: Writing a Hooking Engine)

We’ll be writing a hooking engine using trampoline based hooks as explained in the previous article (we don’t handle relative instructions as they’re very rare, but we do use atomic write operations to prevent race conditions). First things first, we need to define the proxy functions which we will redirect …

Read More