PRACTICAL MALWARE ANALYSIS: KERNEL DEBUGGING WITH WINDBG (LAB 10-02)

Tools Used

  1. IDA Pro
  2. VirtualKD
  3. Cerbero Profiler 2.5
  4. Windbg

Sample:

  1. Lab10-02.exe SHA256: 20bf5d516f3f3ef4c9453437211486b73d519ff97d8659851012adff8e84e0a9
  2. Lab10-02.sys SHA256: 42b66f4dcb1380ab6330cfb638ce97c7bea6d772eddd1d34c1031b0d16dea19c

VirusTotal:

  • Detection Rate: 28/55(1),0/55 (2)
  • Analyzed on 2016-03-08
  • Compilation Date: 2010-12-31 15:33:33(1), 2010-12-31 15:22:59(2)
  • View report here(1) & here(2)

Lab 10-2
The file for this lab is Lab10-02.exe.
Questions
1. Does this program create any files? If so, what are they?

Cerbero Profiler highlighted that the malware contains a PE Resource. Instinct tells me that this malware behaves like a packer and will extract this resource onto the target’s machine.

MZ
Figure 1. MZ header in resource
strings
Figure 2. IDA Pro’s string

“C:\\Windows\\System32\\Mlwx486.sys” seems suspicious. xRef this string might help us to solve this problem.

extract
Figure 3. Extract Resource

In the main method, we can see that the code is trying to extract the FILE resource into “C:\\Windows\\System32\\Mlwx486.sys”.

createService
Figure 4. Create Service 486 WS Driver

After extracting the driver, the malware then goes on to create a service (486 WS Driver) and start it using StartServiceA.

Procmon
Figure 5. WriteFile

Using Proc mon we can observe that WriteFile to “C:\\Windows\\System32\\Mlwx486.sys” was captured by the tool.

2. Does this program have a kernel component?

Attempts to locate the dropped driver in system32 folder was fruitless. Somehow the file is not in the folder. So instead I decided to extract the driver out from the resource directly. Firing up IDA Pro we can see DriverEntry function suggesting that this executable is a driver.

3. What does this program do?

DrierEntry leads us to the following subroutine in IDA Pro (0x10706). The malware is attempting to change the flow of the kernel Service Descriptor Table and the target that it is attempting to hook is the NtQueryDirectoryFile. The malware calls MmGetSystemRoutineAddress to get the pointer to the NtQueryDirectoryFile and KeServiceDescriptorTable subroutine. Then it loops through the service descriptor table looking for the address of NtQueryDirectoryFile. Once found, it will overwrite the address with the evil hook (custom subroutine).

evilhook
Figure 6. Evil Hook
rtlcompare
Figure 6. NTQueryDirectoryFile

In the driver, NTQueryDirectoryFile function is used. According to msdn, this function returns various kinds of information about files in the directory specified by a given file handle. Further down, we can see that RtlCompareMemory is called. A comparison was made between the filename and the following string “Mlwx“. If it matches, the file will be hidden.

compare
Figure 7. Mlwx string

To see all this win action, fire up Windbg and attach it to the kernel.

use the following command to list the service descriptor table. This table has yet been tampered with…

kd> dps nt!KiServiceTable l 100

kiservice
Figure 8. Default Service Descriptor Table

Set breakpoint by using this command bu Mlwx486!DriverEntry. Run Lab10-02.exe and windbg should break.Set breakpoint at nt!IopLoadDriver+0x66a and let the program run again. Once the kernel breaks, you will be able to run !object \Driver to list the loaded drivers. DriverInit for the malware has yet been executed at this stage so you can set your breakpoint from this point on.

breakpoint
Figure 9. Break @ DriverEntry
driverinit
Figure 10. DriverInit
ida
Figure 11. DriverEntry

From Figure 10 & 11, we can see that DriverInit is actually DriverEntry in IDA Pro.

runing kd> dps nt!KiServiceTable l 100 now shows that the service descriptor table has been modified.

service2
Figure 12. Service Descriptor Table modified

To conclude, the malware uses ring 0 rootkit to hide files that starts with “Mlwx” via hooking of the service descriptor table.

Advertisements
PRACTICAL MALWARE ANALYSIS: KERNEL DEBUGGING WITH WINDBG (LAB 10-02)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s