Rendrako / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook
0 stars 0 forks source link

Detect DriverStartIO hooks #3

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Reported by Frank B. 

kd> !drvobj \driver\atapi 2
Driver object (8216c878) is for:
\Driver\atapi
DriverEntry:   f84e75f7    
DriverStartIo: 81ca5292    
DriverUnload:  f84e3204    
AddDevice:     f84e1300    

Dispatch routines:
[00] IRP_MJ_CREATE                      f84dc572    +0xf84dc572
[01] IRP_MJ_CREATE_NAMED_PIPE           804f320e    nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       f84dc572    +0xf84dc572
[03] IRP_MJ_READ                        804f320e    nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       804f320e    nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           804f320e    nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             804f320e    nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    804f320e    nt!IopInvalidDeviceRequest
[08] IRP_......
see DriverStartIo
kd> u 81ca5292
81ca5292 55              push    ebp
81ca5293 8bec            mov     ebp,esp
81ca5295 8b4508          mov     eax,dword ptr [ebp+8]
81ca5298 83ec0c          sub     esp,0Ch
81ca529b 3b0504b5ca81    cmp     eax,dword ptr ds:[81CAB504h]
81ca52a1 a180b5ca81      mov     eax,dword ptr ds:[81CAB580h]
81ca52a6 7503            jne     81ca52ab
81ca52a8 894508          mov     dword ptr [ebp+8],eax
kd> !address 81ca5292
 80fed000 - 01213000                           
         Usage       KernelSpaceUsageNonPagedPool

Original issue reported on code.google.com by michael.hale@gmail.com on 7 Jan 2011 at 6:52

GoogleCodeExporter commented 9 years ago
Also check DriverUnload

Original comment by michael.hale@gmail.com on 7 Jan 2011 at 7:44

GoogleCodeExporter commented 9 years ago
Fixed in r27. Not going to add DriverUnload checks because they frequently 
point to another module anyway. 

Original comment by michael.hale@gmail.com on 7 Jan 2011 at 10:30