help, about finding and detecting a hidden driver?

Topic in the "WASM.BEGINNERS" section, created by user sdfnabc, 6 Dec 2006.

  1. sdfnabc

    sdfnabc New Member

    Publications:
    0
    Registered:
    6 Dec 2006
    Messages:
    9
    Help, about finding and detecting a hidden driver: if there is a driver file that is hidden from ZwQuerySystemInformation and from PsLoadedModuleList, I use PsLoadedModuleList and print the SystemInformationClass of ZwQuerySystemInformation, but I cannot find and detect it. How can I find and detect it? (Right now I only know how to use the SystemInformationClass of ZwQuerySystemInformation and PsLoadedModuleList to find and detect a hidden driver.) Please help me.
     
  2. infern0

    infern0 New Member

    Publications:
    0
    Registered:
    7 Oct 2003
    Messages:
    811
    Location:
    Russia
    Can someone translate this at least into English?
     
  3. n0name

    n0name New Member

    Publications:
    0
    Registered:
    5 Jun 2004
    Messages:
    4,336
    Location:
    Russia
    sdfnabc
    You can download the sources of Process Hunter; it shows different solutions for detecting hidden processes.
     
  4. sdfnabc

    sdfnabc New Member

    Publications:
    0
    Registered:
    6 Dec 2006
    Messages:
    9
    n0name, thank you. I think it is not about detecting hidden processes; I think it is about how to detect hidden drivers (.sys files). Thank you.
     
  5. masquer

    masquer wasm.ru

    Publications:
    0
    Registered:
    13 Sep 2002
    Messages:
    890
    Location:
    Nikolaev
    Better with gestures, in the form of a video clip :)

    sdfnabc
    Sorry mate, we don't speak Chinese here
     
  6. gilg

    gilg New Member

    Publications:
    0
    Registered:
    19 May 2005
    Messages:
    527
    sdfnabc
    RootkitRevealer from www.sysinternals.com. If it doesn't help, search for "Helios" - it's the best of the freeware.
     
  7. n0name

    n0name New Member

    Publications:
    0
    Registered:
    5 Jun 2004
    Messages:
    4,336
    Location:
    Russia
    Sorry, I only looked through your post :dntknw:
    There are two situations (if the driver's code is executing). First: a ring3 application sends some request to the driver, and the driver executes this request. Second: the driver can create a system thread and continue execution in this thread. In the first situation you can scan the handle table of the target process and find the handle of the opened device; after that, detecting the driver is a simple problem. In the second you have to scan the thread queue and find a thread whose start address is not contained in the module list.
    PS: I'm sorry for my English.
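The second case n0name describes (walk the system threads and flag the ones whose start address is not covered by any module in the loaded-module list) can be shown in user mode. The C program below is an added example, not code from this thread or from Process Hunter; the module ranges, thread ids and start addresses in it are constructed sample data standing in for what a kernel-mode scanner would read from PsLoadedModuleList and the thread list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data, not real kernel structures: the loaded-module
 * view a scanner would build from PsLoadedModuleList (name, image base,
 * image size) and a set of system threads with their start addresses.
 * All addresses and thread ids are made up for the demo. */
typedef struct {
    const char *name;
    uintptr_t   base;
    size_t      size;
} module_range_t;

typedef struct {
    uint32_t  tid;
    uintptr_t start_address;
} sys_thread_t;

const module_range_t g_modules[] = {
    { "ntoskrnl.exe", 0x804d7000u, 0x1f8000u },
    { "hal.dll",      0x806ce000u, 0x020000u },
    { "good.sys",     0xf8a10000u, 0x008000u },
};
const size_t g_module_count = sizeof g_modules / sizeof g_modules[0];

const sys_thread_t g_threads[] = {
    { 4,   0x804e1000u },  /* inside ntoskrnl.exe */
    { 120, 0xf8a12340u },  /* inside good.sys */
    { 248, 0xf8c00000u },  /* no listed module covers it: worth a closer look */
    { 260, 0x806ce000u },  /* exactly at the hal.dll base: still inside */
};
const size_t g_thread_count = sizeof g_threads / sizeof g_threads[0];

/* True if addr lies in [base, base + size) of some listed module.
 * The last byte is computed as base + size - 1 so the check cannot
 * overflow for a module mapped at the top of the address space. */
bool address_in_modules(uintptr_t addr, const module_range_t *mods, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (mods[i].size == 0)
            continue;
        uintptr_t last = mods[i].base + (mods[i].size - 1);
        if (addr >= mods[i].base && addr <= last)
            return true;
    }
    return false;
}

/* Walk the thread list and collect the ids of threads whose start address
 * is not backed by any listed module. Returns the number of such threads;
 * at most max_out ids are written to out. */
size_t find_orphan_threads(const sys_thread_t *threads, size_t nthreads,
                           const module_range_t *mods, size_t nmods,
                           uint32_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < nthreads; i++) {
        if (address_in_modules(threads[i].start_address, mods, nmods))
            continue;
        if (found < max_out)
            out[found] = threads[i].tid;
        found++;
    }
    return found;
}

/* Run the check over the constructed data set. */
size_t demo_orphan_threads(uint32_t *out, size_t max_out)
{
    return find_orphan_threads(g_threads, g_thread_count,
                               g_modules, g_module_count, out, max_out);
}

int main(void)
{
    uint32_t ids[8];
    size_t n = demo_orphan_threads(ids, 8);
    printf("%zu thread(s) start outside every listed module:\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  tid %u\n", ids[i]);
    return 0;
}
```

Two caveats a scanner built on this idea has to live with: the module list it compares against is itself the thing a rootkit unlinks from, so the reference set should come from more than one source, and a thread's recorded start address is attacker-controlled and can be pointed at a legitimate module, which is why the thread later turns to hooking the scheduler and inspecting the code the thread actually runs.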
     
  8. sdfnabc

    sdfnabc New Member

    Publications:
    0
    Registered:
    6 Dec 2006
    Messages:
    9
    Thanks gilg, fluderast

    To n0name: what you say is right. About what you say, "second - the driver can create a system thread, and continue execution in this thread": I think this is a good method, but now I can get all the threads in the system, but how do I know which thread is a driver's?

    For example, in WINXP
    I can use thread +0x220 to get its EPROCESS and know which process it is, but how can I know it is a driver?

    Sorry, my English is very poor.
     
  9. gilg

    gilg New Member

    Publications:
    0
    Registered:
    19 May 2005
    Messages:
    527
    fluderast
    But Helios, in contrast to Rootkit Unhooker, doesn't bring a BSoD on 3 of 4 computers. It's a kind of holy war :)
     
  10. EP_X0FF

    EP_X0FF New Member

    Publications:
    0
    Registered:
    13 Aug 2006
    Messages:
    450
    Very interesting, and can I see a minidump, at least one?
     
  11. gilg

    gilg New Member

    Publications:
    0
    Registered:
    19 May 2005
    Messages:
    527
    EP_X0FF
    I was slightly wrong - there is no BSoD. The machine freezes dead at startup. It was run on several machines. Once I managed to run it under some VMware. Typical config - PIV HyperThreading, RkUnhooker 3.0.80.295
     
  12. sdfnabc

    sdfnabc New Member

    Publications:
    0
    Registered:
    6 Dec 2006
    Messages:
    9
    Who can answer my question? Thanks
     
  13. EP_X0FF

    EP_X0FF New Member

    Publications:
    0
    Registered:
    13 Aug 2006
    Messages:
    450
    @gilg

    Try the latest version, though possibly it is some problem with HT.

    @sdfnabc

    Try DarkSpy www.fyyre.net/~cardmagic (almost the same driver-finding functionality)

    or IceSword (it is very weak in this, only a PsLoadedModuleList implementation)
     
  14. sdfnabc

    sdfnabc New Member

    Publications:
    0
    Registered:
    6 Dec 2006
    Messages:
    9
    To EP_X0FF

    I know DS, IS and RKU; I very much like DS and your RKU. I want to know how to detect a hidden driver in r0: use PsLoadedModuleList and what else? What methods are there? Thanks
     
  15. EP_X0FF

    EP_X0FF New Member

    Publications:
    0
    Registered:
    13 Aug 2006
    Messages:
    450
    To hide a driver from PsLoadedModuleList all you need is flink/blink redirection.

    IceSword uses the following methods for hidden driver detection:

    1) Its own implementation of PsLoadedModuleList
    2) Object directory walking (partially, can't detect cardmagic's BadRkDemo)

    DarkSpy uses the following methods for hidden driver detection:

    1) PsLoadedModuleList
    2) Object directory walking
    3) Driver objects scan
    4) Device objects scan

    Rootkit Unhooker uses these:

    1) PsLoadedModuleList
    2) Object directory walking
    3) Driver objects scan
    4) Device objects scan
    5) Kernel memory scan
    6) Driver references scan
    7) System threads scan

    (5) and (7) in some cases can lead to a BSOD or system freeze.
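The DarkSpy and Rootkit Unhooker lists above are cross-view methods: each source (the module list, the DRIVER_OBJECTs reachable through the object directories, the DriverObject behind every DEVICE_OBJECT) yields its own set of driver images, and a driver that unlinked itself from PsLoadedModuleList is still present in the others. The C program below, added here and not taken from any of those tools, reconciles three such views keyed by image base and reports what the module list is missing; the view contents are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VIEW_MAX 16

/* One "view" of which driver images exist, keyed by image base. A
 * kernel-mode scanner would fill these from different sources: the
 * PsLoadedModuleList entries (DllBase), each DRIVER_OBJECT found in the
 * \Driver and \FileSystem object directories (DriverStart), and the
 * DriverObject reached from every DEVICE_OBJECT (again DriverStart).
 * The bases below are constructed for the demo. */
typedef struct {
    const char *source;
    uintptr_t   bases[VIEW_MAX];
    size_t      count;
} image_view_t;

const image_view_t g_module_list = {
    "PsLoadedModuleList (DllBase)",
    { 0x804d7000u, 0xf8a10000u, 0xf8b20000u }, 3 };

const image_view_t g_driver_objects = {
    "\\Driver directory (DRIVER_OBJECT.DriverStart)",
    { 0xf8a10000u, 0xf8b20000u, 0xf8c40000u }, 3 };

const image_view_t g_device_objects = {
    "DEVICE_OBJECT->DriverObject->DriverStart",
    { 0xf8b20000u, 0xf8c40000u, 0xf8d50000u }, 3 };

bool view_has(const image_view_t *v, uintptr_t base)
{
    for (size_t i = 0; i < v->count; i++)
        if (v->bases[i] == base)
            return true;
    return false;
}

/* Collect every base that appears in at least one of `others` but is
 * missing from `primary` (the list a rootkit is most likely to unlink
 * itself from). A base seen in several views is reported once, as long
 * as out has room to remember it. Returns the number found; at most
 * max_out bases are written to out. */
size_t cross_view_missing(const image_view_t *primary,
                          const image_view_t *const *others, size_t nothers,
                          uintptr_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t v = 0; v < nothers; v++) {
        for (size_t i = 0; i < others[v]->count; i++) {
            uintptr_t b = others[v]->bases[i];
            if (view_has(primary, b))
                continue;
            bool seen = false;  /* already reported from an earlier view? */
            for (size_t k = 0; k < found && k < max_out; k++)
                if (out[k] == b) { seen = true; break; }
            if (seen)
                continue;
            if (found < max_out)
                out[found] = b;
            found++;
        }
    }
    return found;
}

/* Reconcile the constructed views: module list versus the two object scans. */
size_t demo_cross_view(uintptr_t *out, size_t max_out)
{
    const image_view_t *others[] = { &g_driver_objects, &g_device_objects };
    return cross_view_missing(&g_module_list, others, 2, out, max_out);
}

int main(void)
{
    uintptr_t missing[VIEW_MAX];
    size_t n = demo_cross_view(missing, VIEW_MAX);
    printf("%zu image(s) known to object scans but absent from %s:\n",
           n, g_module_list.source);
    for (size_t i = 0; i < n && i < VIEW_MAX; i++)
        printf("  base 0x%08lx\n", (unsigned long)missing[i]);
    return 0;
}
```

The direction of the comparison matters: an image present in the module list but absent from every object scan is normal (a driver that created no device, or a boot-time module), whereas an image that only the object scans know about is the signature of list unlinking. The thread's later posts point out the limit of this approach: a payload that also drops its driver and device objects and runs as a bare thread leaves nothing for any of these views to reconcile.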
     
  16. sdfnabc

    sdfnabc New Member

    Publications:
    0
    Registered:
    6 Dec 2006
    Messages:
    9
    To EP_X0FF

    Thank you very much. I think if PsLoadedModuleList (flink/blink redirection) and the DriverObjects are hidden as in your RKdemo12, I can't find and detect it. About what you say in (7), "System threads scan": how do I know which system thread is a driver's?

    I know that in WINXP I can use thread +0x220 to get its EPROCESS and know which process it is, but how can I know it is a driver?

    Sorry, my English is very poor.
     
  17. EP_X0FF

    EP_X0FF New Member

    Publications:
    0
    Registered:
    13 Aug 2006
    Messages:
    450
    We walk inside the thread and do code analysis. That method was implemented in the last private version of Rootkit Unhooker, as I remember v2.5.54.

    But in the public version we use easier methods and simply show something detected as "unknown_code_page". You can see that with our Rootkit Demo v1.0/1.1/1.2 ;)

    But it is possible to hide a driver from any type of currently known detection method.
    For example phide_ex is detected on start, but after the first refresh it disappears because it is not using the delay-execution functions which are used to detect threads. For a fully functional rootkit more work is needed, because too many traces have to be hidden. RkDemo and phide_ex hidden drivers are not drivers anymore - they are simple "pieces of code" executed somewhere in kernel mode. It is very difficult to detect such things.

    About detection.
    You can try to implement a hook on SwapContext somehow, but there are many problems with it.
    Or use kernel-mode memory scanning to search for something like a Portable Executable :) The second method is very easily bypassable.
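EP_X0FF's second suggestion, scanning kernel memory for something that looks like a Portable Executable, and his remark that it is easily bypassed can both be shown in user mode. The C program below is an added example, not code from Rootkit Unhooker; it scans a constructed buffer standing in for a range of kernel memory, checking each page-aligned offset for an MZ signature whose e_lfanew field (offset 0x3c) points at a "PE\0\0" signature, and the three decoy pages show how a wiped MZ signature, a bogus e_lfanew or a wiped PE signature makes an image invisible to this check. The page size and all header values are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DEMO_PAGE  0x200u   /* small "page" so the constructed buffer stays tiny */
#define DEMO_PAGES 4u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Does buf[off..] look like a DOS header whose e_lfanew (offset 0x3c)
 * points at a "PE\0\0" signature inside the buffer? Every read is bounds
 * checked so a bogus e_lfanew cannot walk the scanner off the buffer,
 * which in kernel mode would mean touching unmapped memory. */
int looks_like_pe_header(const uint8_t *buf, size_t len, size_t off)
{
    if (off >= len || len - off < 0x40)
        return 0;
    if (buf[off] != 'M' || buf[off + 1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32le(buf + off + 0x3c);
    if (e_lfanew < 0x40 || e_lfanew > 0x1000)   /* sanity bound on the header gap */
        return 0;
    if (len - off < (size_t)e_lfanew + 4)
        return 0;
    return memcmp(buf + off + e_lfanew, "PE\0\0", 4) == 0;
}

/* Scan at page granularity (images are page aligned) and record the
 * offset of every page that carries a plausible PE header. Returns the
 * number of hits; at most max_out offsets are written to out. */
size_t scan_for_pe(const uint8_t *buf, size_t len, size_t page,
                   size_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t off = 0; off < len; off += page) {
        if (!looks_like_pe_header(buf, len, off))
            continue;
        if (found < max_out)
            out[found] = off;
        found++;
    }
    return found;
}

/* Write a minimal fake image header into one demo page: optional "MZ",
 * the given e_lfanew, and optionally "PE\0\0" at that offset. */
static void put_header(uint8_t *page, uint32_t e_lfanew, int keep_mz, int keep_pe)
{
    memset(page, 0, DEMO_PAGE);
    if (keep_mz) { page[0] = 'M'; page[1] = 'Z'; }
    page[0x3c] = (uint8_t)e_lfanew;         page[0x3d] = (uint8_t)(e_lfanew >> 8);
    page[0x3e] = (uint8_t)(e_lfanew >> 16); page[0x3f] = (uint8_t)(e_lfanew >> 24);
    if (keep_pe && e_lfanew + 4 <= DEMO_PAGE)
        memcpy(page + e_lfanew, "PE\0\0", 4);
}

/* Constructed "kernel memory": four pages, only the first of which still
 * has its headers intact. Page 1 had MZ wiped, page 2 carries an e_lfanew
 * pointing far outside the image, page 3 had the PE signature wiped. */
void build_sample_memory(uint8_t *buf, size_t len)
{
    if (len < DEMO_PAGE * DEMO_PAGES)
        return;
    put_header(buf + 0 * DEMO_PAGE, 0x80, 1, 1);
    put_header(buf + 1 * DEMO_PAGE, 0x80, 0, 1);
    put_header(buf + 2 * DEMO_PAGE, 0xfffffff0u, 1, 1);
    put_header(buf + 3 * DEMO_PAGE, 0x80, 1, 0);
}

/* Build the sample memory and scan it. */
size_t demo_scan(size_t *out, size_t max_out)
{
    uint8_t mem[DEMO_PAGE * DEMO_PAGES];
    build_sample_memory(mem, sizeof mem);
    return scan_for_pe(mem, sizeof mem, DEMO_PAGE, out, max_out);
}

int main(void)
{
    size_t hits[DEMO_PAGES];
    size_t n = demo_scan(hits, DEMO_PAGES);
    printf("%zu page(s) with a plausible PE header\n", n);
    for (size_t i = 0; i < n && i < DEMO_PAGES; i++)
        printf("  offset 0x%zx\n", hits[i]);
    return 0;
}
```

Only the untouched page is reported, and the three decoys are exactly the cases EP_X0FF has in mind when he calls the method bypassable: once the headers are gone, the scanner has nothing to key on and is left with the harder problem of recognising executable code by its behaviour rather than by its container, which is what the thread-walking and SwapContext approaches in this post try to do.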
     
  18. sdfnabc

    sdfnabc New Member

    Publications:
    0
    Registered:
    6 Dec 2006
    Messages:
    9
    Thank you EP_X0FF:

    You say "You can try to implement somehow hook on swapcontext". I have tried hooking SwapContext and it succeeded; I get some system threads, but how do I do the code (or thread) analysis, analysing the contents at the thread address?

    Sorry, it is very difficult. If possible, please give me some simple code about this thread analysis? Sorry, thank you. My email: yyaoyu@hotmail.com
     
  19. n0name

    n0name New Member

    Publications:
    0
    Registered:
    5 Jun 2004
    Messages:
    4,336
    Location:
    Russia
    Why? =)
    Wipe it out, or what?
    So doesn't the thread scanning you wrote about above help?
     
  20. EP_X0FF

    EP_X0FF New Member

    Publications:
    0
    Registered:
    13 Aug 2006
    Messages:
    450
    The MZP header gets wiped, the offset to the PE header too, and that's it. You can also polish the piece of code to a shine and everything will still work. Or you can simply allocate memory somewhere in ntoskrnl, write the code there, start a thread there, and unload the dropper.
    Example: the Chinese mod of our Rootkit Demo v1.1, though theirs turned out crooked beyond belief - 100% CPU load all the time.

    First you need to determine which thread to scan. The thread's start address can be completely fake.

    If you have suggestions - rkunhooker@xell.ru, the country will be grateful =)

    I'm sorry, but you must understand that such things are unavailable for wide public. I can give you only direction - all others you have to do yourself.