Tools Used

  1. IDA Pro
  2. VirtualKD
  3. Windbg


  1. Lab10-03.exe SHA256: d66e15eea51ebd4bfd13f8c97646253740b1e6a99328d22232fd01ae13ef5d05
  2. Lab10-03.sys SHA256: 59d09b747441ed35e0fc0b5b352b4c66532f1fdd4646457a5ea972f067a55b30


  • Detection Rate: 5/56(1),4/56 (2)
  • Analyzed on 2016-03-09
  • Compilation Date: 2011-11-22 10:38:53(1), 2012-01-14 11:30:50(2)
  • View report here(1) & here(2)

Lab 10-3
This lab includes a driver and an executable. You can run the executable
from anywhere, but in order for the program to work properly, the driver
must be placed in the C:\Windows\System32 directory where it was originally
found on the victim computer. The executable is Lab10-03.exe, and the driver
is Lab10-03.sys.
1. What does this program do?

Figure 1. Create Service

Lab10-03.exe begins with creating Process Helper service on the machine. The service runs a driver located at C:\\windows\\System32\\Lab10-03.sys. It then attempts to start the service.

Figure 2. DeviceIoControl

After the service loads the driver, the malware then creates a handle to the driver’s symbolic link; “\\\\.\\ProcHelper“. It then calls the DeviceIoControl function passing in 0x0ABCDEF01h as the dwIoControlCode.

Figure 3. COM based Navigate

The malware then uses COM based approach to open the browser ( via NAVIGATE function every 30 seconds in an infinite loop. Refer to Lab-7-02 for more details.

2. Once this program is running, how do you stop it?

You would need to reboot the computer. Note that the service was created with start type set to SERVICE_DEMAND_START. Therefore if you were to reboot the computer, the driver will not be loaded in the operating system. The following commands (self explanatory) might come in handy as well if the driver is set to run automatically.

  1. sc query type= kernel
  2. sc stop “Process Helper”
  3. sc delete “Process Helper”

3. What does the kernel component do?

Figure 4. CreateSymbolicLink

The driver creates a device with “\\Device\\ProcHelper” as its symbolic link. It set MajorFunction[IRP_MJ_DEVICE_CONTROL] to 0x10666(as shown below).

According to MSDN, The IRP_MJ_DEVICE_CONTROL request is sent by the I/O Manager and other operating system components, as well as other kernel-mode drivers. Normally this IRP is sent on behalf of a user-mode application that has called the Microsoft Win32 DeviceIoControl function or on behalf of a kernel-mode component that has calledZwDeviceIoControlFile.

Figure 5. Blink and Flink

In figure 5, we can see that there are references to PEPROCESS(via IoGetCurrentProcess) by offset of 0x8c and 0x88. The image below shall explain how these offset came about.

Figure 6. _LIST_ENTRY

To conclude the driver was trying to unlink a process from the link list by modifying the process link list.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s