- IDA Pro
- Lab10-03.exe SHA256: d66e15eea51ebd4bfd13f8c97646253740b1e6a99328d22232fd01ae13ef5d05
- Lab10-03.sys SHA256: 59d09b747441ed35e0fc0b5b352b4c66532f1fdd4646457a5ea972f067a55b30
- Detection Rate: 5/56(1),4/56 (2)
- Analyzed on 2016-03-09
- Compilation Date: 2011-11-22 10:38:53(1), 2012-01-14 11:30:50(2)
- View report here(1) & here(2)
This lab includes a driver and an executable. You can run the executable
from anywhere, but in order for the program to work properly, the driver
must be placed in the C:\Windows\System32 directory where it was originally
found on the victim computer. The executable is Lab10-03.exe, and the driver
1. What does this program do?
Lab10-03.exe begins by creating a service named "Process Helper" on the machine. The service runs a driver located at C:\Windows\System32\Lab10-03.sys. It then attempts to start the service.
After the service loads the driver, the malware creates a handle to the driver's symbolic link, \\.\ProcHelper. It then calls DeviceIoControl, passing 0xABCDEF01 as the dwIoControlCode.
The malware then uses a COM-based approach to open the browser at http://www.malwareanalysisbook.com/ad.html via the NAVIGATE function every 30 seconds in an infinite loop. Refer to Lab 7-02 for more details.
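The control code passed to DeviceIoControl is worth decoding, because its bit layout (the CTL_CODE macro in the Windows DDK headers) tells you whether a code belongs to a known device class or to a custom driver interface. The following C program is an added example, not code from the lab or the original write-up; it implements the CTL_CODE field split and its inverse and applies them to the value above. The helper names (decode_ioctl, encode_ioctl, is_vendor_defined) are my own.

```c
#include <stdio.h>

/* Field layout of a Windows I/O control code, from the CTL_CODE macro:
 * DeviceType in bits 31..16, Access in bits 15..14,
 * Function in bits 13..2, Method in bits 1..0. */
typedef struct {
    unsigned device_type;
    unsigned access;    /* bit 0 = FILE_READ_ACCESS, bit 1 = FILE_WRITE_ACCESS */
    unsigned function;
    unsigned method;    /* 0..3, see method_name() */
} ioctl_fields;

ioctl_fields decode_ioctl(unsigned long code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Inverse of decode_ioctl; equivalent to CTL_CODE(DeviceType, Function, Method, Access). */
unsigned long encode_ioctl(unsigned device_type, unsigned function,
                           unsigned method, unsigned access)
{
    return ((unsigned long)device_type << 16) | ((unsigned long)access << 14)
         | ((unsigned long)function << 2) | method;
}

static const char *method_name(unsigned m)
{
    static const char *names[] = {"METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                  "METHOD_OUT_DIRECT", "METHOD_NEITHER"};
    return names[m & 3];
}

/* Microsoft reserves DeviceType values below 0x8000 and Function values
 * below 0x800; a code with both fields in the vendor range is a custom
 * driver interface rather than a standard device class request. */
int is_vendor_defined(unsigned long code)
{
    ioctl_fields f = decode_ioctl(code);
    return f.device_type >= 0x8000 && f.function >= 0x800;
}

int main(void)
{
    /* The value Lab10-03.exe passes as dwIoControlCode. */
    unsigned long code = 0xABCDEF01UL;
    ioctl_fields f = decode_ioctl(code);
    printf("0x%08lX: DeviceType=0x%04X Access=%u Function=0x%03X Method=%s vendor=%d\n",
           code, f.device_type, f.access, f.function,
           method_name(f.method), is_vendor_defined(code));
    return 0;
}
```

For this sample the code splits into DeviceType 0xABCD, Function 0xBC0, METHOD_IN_DIRECT and an Access value of 3 (read and write); both the device type and the function number fall in the vendor-defined range, which is consistent with the handshake being private to this driver rather than a request to any standard device class.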
2. Once this program is running, how do you stop it?
You would need to reboot the computer. Note that the service was created with its start type set to SERVICE_DEMAND_START, so after a reboot the driver will not be loaded by the operating system. The following commands (self-explanatory) might come in handy as well if the driver is set to run automatically.
- sc query type= kernel
- sc stop "Process Helper"
- sc delete "Process Helper"
3. What does the kernel component do?
The driver creates a device with \Device\ProcHelper as its symbolic link. It sets MajorFunction[IRP_MJ_DEVICE_CONTROL] to 0x10666 (as shown below).
According to MSDN, the IRP_MJ_DEVICE_CONTROL request is sent by the I/O Manager and other operating system components, as well as by other kernel-mode drivers. Normally this IRP is sent on behalf of a user-mode application that has called the Win32 DeviceIoControl function, or on behalf of a kernel-mode component that has called ZwDeviceIoControlFile.
In figure 5, we can see references to the PEPROCESS (obtained via IoGetCurrentProcess) at offsets 0x88 and 0x8C. The image below explains how these offsets came about.
To conclude, the driver unlinks a process from the process linked list by modifying the list pointers of the surrounding entries.
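The two offsets are the Flink and Blink of a LIST_ENTRY embedded in the process object, and unlinking an entry from that doubly linked list is why the process disappears from any tool that enumerates processes by walking it. The C program below is an added illustration written for this write-up, not code from the lab driver: it models the list on a toy process structure, performs the unlink the text describes, and then shows the standard defender-side check, a cross-view comparison between the list walk and a second, independent index of the same processes (the role the kernel's PID handle table plays on a real system). The structure name TOY_EPROCESS, the sample pids and names, and all helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's LIST_ENTRY doubly linked list. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Toy process object with only the fields this lab cares about. On the
 * build analysed in the lab the links sit at offset 0x88 (Flink) and
 * 0x8C (Blink) of EPROCESS; here their offset is whatever the compiler
 * picks, so the code locates the owner with CONTAINING_RECORD instead. */
typedef struct _TOY_EPROCESS {
    unsigned long UniqueProcessId;
    char ImageFileName[16];
    LIST_ENTRY ActiveProcessLinks;
} TOY_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define MAX_PROCS 8

/* Constructed sample system: the list head plus a second index of the
 * same objects that does not depend on the links (like PspCidTable). */
static LIST_ENTRY PsActiveProcessHead;
static TOY_EPROCESS procs[MAX_PROCS];
static TOY_EPROCESS *pid_table[MAX_PROCS];
static int proc_count;

static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Blink = head->Blink;
    e->Flink = head;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Populate the constructed sample with four processes. */
void build_sample(void)
{
    static const unsigned long pids[] = {4, 376, 1234, 2048};
    static const char *names[] = {"System", "csrss.exe", "hidden.exe", "explorer.exe"};
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    proc_count = 0;
    for (int i = 0; i < 4; i++) {
        TOY_EPROCESS *p = &procs[proc_count];
        p->UniqueProcessId = pids[i];
        strncpy(p->ImageFileName, names[i], sizeof p->ImageFileName - 1);
        p->ImageFileName[sizeof p->ImageFileName - 1] = '\0';
        insert_tail(&PsActiveProcessHead, &p->ActiveProcessLinks);
        pid_table[proc_count++] = p;
    }
}

/* The modification the write-up describes: stitch the neighbours together
 * so a list walk never visits this entry. The entry is pointed at itself so
 * later code that touches its links does not dereference stale pointers. */
void unlink_process(unsigned long pid)
{
    for (int i = 0; i < proc_count; i++) {
        if (pid_table[i]->UniqueProcessId == pid) {
            LIST_ENTRY *e = &pid_table[i]->ActiveProcessLinks;
            e->Blink->Flink = e->Flink;
            e->Flink->Blink = e->Blink;
            e->Flink = e->Blink = e;
            return;
        }
    }
}

/* View 1: walk ActiveProcessLinks, the way a process listing does. */
int walk_list(unsigned long *out, int max)
{
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) {
        TOY_EPROCESS *p = CONTAINING_RECORD(e, TOY_EPROCESS, ActiveProcessLinks);
        if (n < max) out[n] = p->UniqueProcessId;
        n++;
    }
    return n;
}

/* Cross-view detection: any pid present in the table but missing from the
 * list walk has been unlinked. Returns the number of hidden pids. */
int find_hidden(unsigned long *hidden, int max)
{
    unsigned long seen[MAX_PROCS];
    int n_seen = walk_list(seen, MAX_PROCS), n_hidden = 0;
    for (int i = 0; i < proc_count; i++) {
        int found = 0;
        for (int j = 0; j < n_seen; j++)
            if (seen[j] == pid_table[i]->UniqueProcessId) { found = 1; break; }
        if (!found && n_hidden < max) hidden[n_hidden] = pid_table[i]->UniqueProcessId;
        if (!found) n_hidden++;
    }
    return n_hidden;
}

int visible_count(void) { unsigned long t[MAX_PROCS]; return walk_list(t, MAX_PROCS); }
unsigned long first_hidden_pid(void) { unsigned long h[MAX_PROCS]; return find_hidden(h, MAX_PROCS) ? h[0] : 0; }

int main(void)
{
    build_sample();
    printf("before: %d visible, hidden pid %lu\n", visible_count(), first_hidden_pid());
    unlink_process(1234);
    printf("after:  %d visible, hidden pid %lu\n", visible_count(), first_hidden_pid());
    return 0;
}
```

The point for the analyst is that a single enumeration source is not trustworthy once a driver like this one is loaded: the unlinked process keeps running and keeps its PID, so comparing a list-based view against an independent one (or against a memory image parsed offline) is what surfaces it.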