Skip to content

Latest commit

 

History

History
162 lines (127 loc) · 6.98 KB

lab-10-1.md

File metadata and controls

162 lines (127 loc) · 6.98 KB
Raw

This post is part of the series of Practical Malware Analysis Exercises.

1) Does the program make changes to the registry?

Yes, a new service is installed.

RegShot shows a new service being installed:

  • Type: Kernel device driver, 0x1
  • Start: On demand, 0x3
  • Binary: C:\Windows\System32\Lab10-01.sys
----------------------------------
Keys added: 6
----------------------------------
HKLM\SYSTEM\ControlSet001\Services\Lab10-01
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\Security
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\Security
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\Enum

----------------------------------
Values added: 20
----------------------------------
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\ImagePath: "\??\C:\Windows\System32\Lab10-01.sys"
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\DisplayName: "Lab10-01"
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\Lab10-01\Enum\INITSTARTFAILED: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\ImagePath: "\??\C:\Windows\System32\Lab10-01.sys"
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\DisplayName: "Lab10-01"
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Lab10-01\Enum\INITSTARTFAILED: 0x00000001
HKU\S-1-5-21-1957994488-1708537768-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\oboolkc\Qrfxgbc\tb\Yno10-01.rkr: 02 00 00 00 06 00 00 00 20 EB 05 AE E5 6B CF 01
HKU\S-1-5-21-1957994488-1708537768-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\bobbyxp\Desktop\go\Lab10-01.exe: "Lab10-01"

2) The user space program calls AdvApi32.ControlService function. Set a BP to see what is executed in the kernel as a result?

Success with a breakpoint set on driver's DriverUnload function at f7ecb486.

EXE called ControlService on the driver, with code SERVICE_CONTROL_STOP.

.text:00401080 call ds:ControlService

WinDbg: with verbose mode on (ctrl-alt-v), identified the loaded driver. Size=0xe80=3712b= ~3.7 MB. Confirmed by IDA.

ModLoad: f7eca000 f7ecae80 Lab10-01.sys

WinDbg: listed all driver objects in Driver namespace !object \Driver

kd> !object \driver
..... snip .....
06 863bcb10 Driver Lab10-01
..... snip .....

WinDbg: found MajorFunction table that lists IRP handler functions dt nt!_DRIVER_OBJECT 863bcb10

kd> dt nt!_DRIVER_OBJECT 863bcb10
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : (null)
+0x008 Flags : 0x12
+0x00c DriverStart : 0xf7ecb000 Void
+0x010 DriverSize : 0xe80
+0x014 DriverSection : 0x865f1c68 Void
+0x018 DriverExtension : 0x863bcbb8 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\Lab10-01"
+0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xf7ecb959 long +0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : 0xf7ecb486 void +0
<0x038 MajorFunction : [28] 0x804fa87e long nt!IopInvalidDeviceRequest+0

The ControlService function from the EXE instructs the driver to stop, so DriverUnload is likely called.

kd> bp 0xf7ecb486

Ran the program in the VM. WinDbg breakpoint hit.

Breakpoint 0 hit
Lab10_01+0x486:
f7ecb486 8bff mov edi,edi

3) What does this program do?

It disables the firewall via registry keys when the service unloads. Firewall isn't just turned off, it's "greyed out" and can't turn back on.

After the DriverUnload breakpoint was hit (0xf7ecb486), started single stepping through the driver (F10 or p).

From WinDbg:

f7ecb486 8bff mov edi,edi
f7ecb488 55 push ebp
f7ecb489 8bec mov ebp,esp
f7ecb48b 51 push ecx
f7ecb48c 53 push ebx
f7ecb48d 56 push esi
f7ecb48e 8b3580b7ecf7 mov esi,dword ptr [Lab10_01+0x780 (f7ecb780)]
f7ecb494 57 push edi
f7ecb495 33ff xor edi,edi
f7ecb497 68bcb6ecf7 push offset Lab10_01+0x6bc (f7ecb6bc)
f7ecb49c 57 push edi
f7ecb49d 897dfc mov dword ptr [ebp-4],edi
f7ecb4a0 ffd6 call esi

From IDA:

  • Call to Lab10_01+0x780 (f7ecb780).
  • Offset 0x780 points to RtlCreateRegistryKey.
  • Offset 0x6bc points to a unicode string \Registry\Machine\SOFTWARE\Policies\Microsoft
  • Obvious that it creates the registry key.
  • Found SYS file's DriverUnload function in IDA at offset 0x486. It creates several registry keys on unload.
    • \Registry\Machine\SOFTWARE\Policies\Microsoft
    • \Registry\Machine\SOFTWARE\Policies\Microsoft\WindowsFirewall
    • \Registry\Machine\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    • \Registry\Machine\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
  • Then it writes registry values.
    • \Registry\Machine\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:EnableFirewall=0
    • \Registry\Machine\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:EnableFirewall=0

Links

  1. Service registry key values: http://support.microsoft.com/kb/103000