{"id":568,"date":"2012-02-14T13:02:38","date_gmt":"2012-02-14T13:02:38","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=568"},"modified":"2012-02-20T01:09:09","modified_gmt":"2012-02-20T01:09:09","slug":"purple-haze-kernel-driver","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/02\/14\/purple-haze-kernel-driver\/","title":{"rendered":"Purple Haze &#8211; kernel driver"},"content":{"rendered":"<p>One of the pieces used by the Purple Haze malware is its driver (c:\\WINDOWS\\Temp\\2.tmp), loaded via the NtLoadDriver API. It can&#8217;t be loaded directly into IDA for analysis, because it is wrapped in a layer of protection. One way to get past it is to use a good anti-rootkit tool, e.g. <a href=\"http:\/\/www.xuetr.com\/\">xuetr<\/a>, and dump the malicious kernel driver from memory after it has been loaded and decrypted. Since this may not work every time, it is sometimes better to control the execution flow in windbg right from DriverEntry via the well-known IopLoadDriver+xxx trick. 
Using windbg has several advantages: we can dump physical memory whenever we wish, poke around the code and map findings to IDA as we go along, watch the decryption in action, and pre-empt anything the driver does to wipe its own code from memory or to detect the debugger.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph7.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-570\" title=\"ph7\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph7-300x262.png\" alt=\"\" width=\"300\" height=\"262\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph7-300x262.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph7.png 587w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>In this particular case xuetr worked, and dumping the driver directly from memory is a piece of cake &#8211; after fixing the section alignments (the dump has the in-memory layout, so each section&#8217;s raw offset and raw size in the header have to be rewritten to match its virtual address and virtual size) we can finally load it into IDA.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph8.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-574\" title=\"ph8\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph8-300x224.png\" alt=\"\" width=\"300\" height=\"224\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph8-300x224.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph8.png 741w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>btw. 
if you use IDA&#8217;s built-in VOLUME_DISK_EXTENTS structure, you need to fix it: it doesn&#8217;t take the 8-byte alignment of the LARGE_INTEGER members into account, so structure members are placed at incorrect offsets (this is not obvious, and the original MS headers don&#8217;t mention it explicitly either, so it can be a bit misleading). Note that the built-in DISK_EXTENT has the same problem: its two LARGE_INTEGER members are 8-byte aligned, so there are 4 bytes of padding after DiskNumber, sizeof(DISK_EXTENT) is 0x18 rather than 0x14, and VOLUME_DISK_EXTENTS comes out at 0x20 on x86.<\/p>\n<pre>00000000 VOLUME_DISK_EXTENTS struc ; (sizeof=0x18, standard type)\r\n00000000 NumberOfDiskExtents dd ?\r\n00000004 Extents             DISK_EXTENT ?\r\n00000018 VOLUME_DISK_EXTENTS ends<\/pre>\n<p>correct:<\/p>\n<pre>00000000 VOLUME_DISK_EXTENTS2 struc ; (sizeof=0x20)\r\n00000000 NumberOfDiskExtents dd ?\r\n00000004 padding             dd ?\r\n00000008 Extents             DISK_EXTENT ? ; DISK_EXTENT itself padded to 0x18\r\n00000020 VOLUME_DISK_EXTENTS2 ends<\/pre>\n<p>similarly<\/p>\n<pre>00000000 DEVOBJ_EXTENSION struc ; (sizeof=0x8, standard type)\r\n00000000 Type            dw ?\r\n00000002 Size            dw ?\r\n00000004 DeviceObject    dd ?                    ; offset\r\n00000008 DEVOBJ_EXTENSION ends<\/pre>\n<p>is more useful with the extra fields (AttachedTo is a PDEVICE_OBJECT, hence a dd, which makes the structure 0x2C bytes on x86):<\/p>\n<pre>00000000 DEVOBJ_EXTENSION2 struc ; (sizeof=0x2C)\r\n00000000 Type            dw ?\r\n00000002 Size            dw ?\r\n00000004 DeviceObject    dd ?\r\n00000008 PowerFlags      dd ?\r\n0000000C Dope            dd ?\r\n00000010 ExtensionFlags  dd ?\r\n00000014 DeviceNode      dd ?\r\n00000018 AttachedTo      dd ?\r\n0000001C StartIoCount    dd ?\r\n00000020 StartIoKey      dd ?\r\n00000024 StartIoFlags    dd ?\r\n00000028 Vpb             dd ?\r\n0000002C DEVOBJ_EXTENSION2 ends<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>One of the pieces used by the Purple Haze malware is its driver (c:\\WINDOWS\\Temp\\2.tmp), loaded via the NtLoadDriver API. It can&#8217;t be loaded directly into IDA for analysis, because it is wrapped in a layer of protection. One way to get past it is to use &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/02\/14\/purple-haze-kernel-driver\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/568"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=568"}],"version-history":[{"count":11,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/568\/revisions"}],"predecessor-version":[{"id":579,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/568\/revisions\/579"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=568"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=568"}],"curies":[{"name"
:"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
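The section fix-up the post mentions ("after fixing the section alignments we can finally load it into IDA"), as an added worked example that is not part of the original post and not the author's tooling: a C routine that rewrites the section table of an image dumped from memory so that each section's raw pointer and raw size equal its virtual address and virtual size, and sets FileAlignment to SectionAlignment so the headers stay self-consistent. The PE header structures are declared inline (no windows.h), every offset is bounds-checked because the dump comes from hostile code, and the image it operates on is a constructed 0x3000-byte stand-in built by build_sample_dump(), not the 2.tmp driver.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Only the PE fields touched here, packed to the on-disk layout. These
   offsets are identical for PE32 and PE32+. Little-endian host assumed. */
#pragma pack(push, 1)
typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} FILE_HDR;                                   /* IMAGE_FILE_HEADER, 20 bytes */
typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SECTION_HDR;                                /* IMAGE_SECTION_HEADER, 40 bytes */
#pragma pack(pop)
enum { OPT_SECTION_ALIGN = 32, OPT_FILE_ALIGN = 36 }; /* offsets inside the optional header */

/* Find optional header and section table, bounds-checking every step so a
   truncated or booby-trapped dump cannot make the tool read out of bounds. */
static int locate(const uint8_t *img, size_t len, size_t *opt, size_t *sh, unsigned *nsec)
{
    uint32_t e_lfanew, sig;
    FILE_HDR fh;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    memcpy(&e_lfanew, img + 0x3C, 4);
    if ((size_t)e_lfanew + 4 + sizeof fh > len) return -1;
    memcpy(&sig, img + e_lfanew, 4);
    if (sig != 0x00004550u) return -1;        /* "PE\0\0" */
    memcpy(&fh, img + e_lfanew + 4, sizeof fh);
    *opt = (size_t)e_lfanew + 4 + sizeof fh;
    *sh = *opt + fh.SizeOfOptionalHeader;
    *nsec = fh.NumberOfSections;
    if (fh.SizeOfOptionalHeader < OPT_FILE_ALIGN + 4 ||
        *sh + (size_t)*nsec * sizeof(SECTION_HDR) > len) return -1;
    return 0;
}

/* Make file layout == virtual layout: PointerToRawData = VirtualAddress,
   SizeOfRawData = VirtualSize, FileAlignment = SectionAlignment.
   Returns the number of sections rewritten, or -1 if this is not a usable PE. */
int fix_dumped_sections(uint8_t *img, size_t len)
{
    size_t opt, sh;
    unsigned n, i;
    uint32_t salign;
    if (locate(img, len, &opt, &sh, &n)) return -1;
    memcpy(&salign, img + opt + OPT_SECTION_ALIGN, 4);
    memcpy(img + opt + OPT_FILE_ALIGN, &salign, 4);
    for (i = 0; i < n; i++) {
        SECTION_HDR s;
        memcpy(&s, img + sh + i * sizeof s, sizeof s);
        s.PointerToRawData = s.VirtualAddress;
        if (s.VirtualSize)                    /* some packers leave VirtualSize 0: keep raw size */
            s.SizeOfRawData = s.VirtualSize;
        if ((size_t)s.VirtualAddress + s.SizeOfRawData > len)   /* truncated dump: clamp */
            s.SizeOfRawData = s.VirtualAddress < len ? (uint32_t)(len - s.VirtualAddress) : 0;
        memcpy(img + sh + i * sizeof s, &s, sizeof s);
    }
    return (int)n;
}

/* Accessors for inspecting the result (zero-filled / 0 on error). */
SECTION_HDR get_section(const uint8_t *img, size_t len, unsigned idx)
{
    SECTION_HDR s; size_t opt, sh; unsigned n;
    memset(&s, 0, sizeof s);
    if (locate(img, len, &opt, &sh, &n) == 0 && idx < n)
        memcpy(&s, img + sh + idx * sizeof s, sizeof s);
    return s;
}
uint32_t get_file_alignment(const uint8_t *img, size_t len)
{
    size_t opt, sh; unsigned n; uint32_t v = 0;
    if (locate(img, len, &opt, &sh, &n) == 0) memcpy(&v, img + opt + OPT_FILE_ALIGN, 4);
    return v;
}

/* Constructed sample (not a real driver): a 0x3000-byte x86 image as laid out
   in memory, .text at RVA 0x1000 and .data at RVA 0x2000, while the section
   headers still carry the on-disk raw pointers 0x400 and 0xA00. */
uint8_t g_dump[0x3000];
void build_sample_dump(void)
{
    const uint32_t e_lfanew = 0x40, sig = 0x00004550u, salign = 0x1000, falign = 0x200;
    FILE_HDR fh = { 0x14c, 2, 0, 0, 0, 0xE0, 0x102 };   /* i386, 2 sections, PE32 optional header */
    SECTION_HDR text = { ".text", 0x600, 0x1000, 0x600, 0x400, 0, 0, 0, 0, 0x60000020 };
    SECTION_HDR data = { ".data", 0x100, 0x2000, 0x200, 0xA00, 0, 0, 0, 0, 0xC0000040 };
    size_t opt = e_lfanew + 4 + sizeof fh, sh = opt + 0xE0;
    memset(g_dump, 0, sizeof g_dump);
    g_dump[0] = 'M'; g_dump[1] = 'Z';
    memcpy(g_dump + 0x3C, &e_lfanew, 4);
    memcpy(g_dump + e_lfanew, &sig, 4);
    memcpy(g_dump + e_lfanew + 4, &fh, sizeof fh);
    memcpy(g_dump + opt + OPT_SECTION_ALIGN, &salign, 4);
    memcpy(g_dump + opt + OPT_FILE_ALIGN, &falign, 4);
    memcpy(g_dump + sh, &text, sizeof text);
    memcpy(g_dump + sh + sizeof text, &data, sizeof data);
}

int main(void)
{
    unsigned i;
    build_sample_dump();
    printf("fixed %d sections, FileAlignment now 0x%x\n",
           fix_dumped_sections(g_dump, sizeof g_dump), get_file_alignment(g_dump, sizeof g_dump));
    for (i = 0; i < 2; i++) {
        SECTION_HDR s = get_section(g_dump, sizeof g_dump, i);
        printf("%-8.8s raw=0x%x size=0x%x\n", (const char *)s.Name, s.PointerToRawData, s.SizeOfRawData);
    }
    return 0;
}
```

On a real dump the buffer would be the bytes read from the driver's ImageBase for SizeOfImage bytes; after the rewrite the file can be opened in IDA as an ordinary PE. Imports and relocations are untouched, which is fine for static analysis of an already-relocated image but not enough to make it reloadable by the OS.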
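The VOLUME_DISK_EXTENTS alignment point from the post, as an added example that is not part of the original post: the structures declared in C with the alignment the Windows x86 ABI gives them (LARGE_INTEGER members 8-byte aligned), next to the unpadded 4-byte layout that IDA's built-in definition amounts to, with both used to decode the same IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS output buffer. The buffer is constructed for the demonstration, not captured from a system; _Alignas(8) is used so the result does not depend on the host compiler's ABI.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 layout as the MS compiler produces it from winioctl.h: LARGE_INTEGER is
   8-byte aligned, so both structures carry 4 bytes of padding. _Alignas(8)
   pins that down (i386 Linux, for one, aligns int64_t to 4). */
typedef struct {
    uint32_t DiskNumber;
    _Alignas(8) int64_t StartingOffset;       /* LARGE_INTEGER, at +8 */
    int64_t ExtentLength;                     /* LARGE_INTEGER, at +16 */
} DISK_EXTENT;                                /* sizeof 0x18, not 0x14 */

typedef struct {
    uint32_t NumberOfDiskExtents;
    DISK_EXTENT Extents[1];                   /* at +8, not +4 */
} VOLUME_DISK_EXTENTS;                        /* sizeof 0x20 */

/* What IDA's stock definitions amount to: everything on 4-byte boundaries. */
#pragma pack(push, 4)
typedef struct {
    uint32_t DiskNumber;
    int64_t StartingOffset, ExtentLength;
} DISK_EXTENT_IDA;                            /* sizeof 0x14 */
typedef struct {
    uint32_t NumberOfDiskExtents;
    DISK_EXTENT_IDA Extents[1];
} VOLUME_DISK_EXTENTS_IDA;                    /* sizeof 0x18 */
#pragma pack(pop)

typedef struct { uint32_t disk; int64_t start, length; } extent_view;

/* Decode Extents[0] with the correct layout. disk == UINT32_MAX flags a short
   buffer. memcpy is used because the buffer need not be 8-byte aligned. */
extent_view decode_first_extent(const uint8_t *buf, size_t len)
{
    extent_view v = { UINT32_MAX, 0, 0 };
    VOLUME_DISK_EXTENTS vde;
    if (len < sizeof vde) return v;
    memcpy(&vde, buf, sizeof vde);
    v.disk = vde.Extents[0].DiskNumber;
    v.start = vde.Extents[0].StartingOffset;
    v.length = vde.Extents[0].ExtentLength;
    return v;
}

/* The same decode with the unpadded layout, i.e. what applying IDA's built-in
   structure to the buffer gives: every field is read 4 bytes too early. */
extent_view decode_first_extent_unpadded(const uint8_t *buf, size_t len)
{
    extent_view v = { UINT32_MAX, 0, 0 };
    VOLUME_DISK_EXTENTS_IDA vde;
    if (len < sizeof vde) return v;
    memcpy(&vde, buf, sizeof vde);
    v.disk = vde.Extents[0].DiskNumber;
    v.start = vde.Extents[0].StartingOffset;
    v.length = vde.Extents[0].ExtentLength;
    return v;
}

/* Bytes needed for n extents: what a driver must compare against the caller's
   OutputBufferLength before writing, and what a caller should allocate. */
size_t volume_disk_extents_size(uint32_t n)
{
    return offsetof(VOLUME_DISK_EXTENTS, Extents) + (size_t)n * sizeof(DISK_EXTENT);
}

/* Constructed sample (not captured from a real system): the buffer the IOCTL
   returns for a volume that is one extent on disk 2, starting at byte offset
   0x100000 and 1 GiB long. Little-endian, x86 layout. */
const uint8_t sample_output[32] = {
    0x01,0x00,0x00,0x00,                      /* NumberOfDiskExtents = 1 */
    0x00,0x00,0x00,0x00,                      /* padding */
    0x02,0x00,0x00,0x00,                      /* Extents[0].DiskNumber = 2 */
    0x00,0x00,0x00,0x00,                      /* padding */
    0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,  /* StartingOffset = 0x100000 */
    0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,  /* ExtentLength = 0x40000000 */
};

int main(void)
{
    extent_view ok = decode_first_extent(sample_output, sizeof sample_output);
    extent_view bad = decode_first_extent_unpadded(sample_output, sizeof sample_output);
    printf("sizeof DISK_EXTENT=0x%zx VOLUME_DISK_EXTENTS=0x%zx Extents at +%zu\n",
           sizeof(DISK_EXTENT), sizeof(VOLUME_DISK_EXTENTS), offsetof(VOLUME_DISK_EXTENTS, Extents));
    printf("padded:   disk=%u start=0x%llx length=0x%llx\n",
           ok.disk, (unsigned long long)ok.start, (unsigned long long)ok.length);
    printf("unpadded: disk=%u start=0x%llx length=0x%llx\n",
           bad.disk, (unsigned long long)bad.start, (unsigned long long)bad.length);
    return 0;
}
```

The unpadded decode reports disk 0 at offset 2 with length 0x100000, which is exactly the kind of plausible-looking garbage that makes an IDA struct with the wrong alignment hard to spot; the practical check is to compare IDA's sizeof against what `dt` in windbg or a one-line C program reports.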