Topic created on: January 5, 2007 08:37 CST by frankboldewin.
hi all,
i'm currently working on a paper that describes some analysing techniques that can be useful e.g. when kernel level rootkits use crippling/crypting stuff like rustock.
the aim is to have the clean native, uncrippled and pe-repaired driver of rustock, so that it can be loaded into ida for the main malware analysis.
all the work is done so far, but i'm unsatisfied with some technique i use in the last stage of uncrippling, because it's not very generic.
ok, the trick i'm using works fine here on my windows xp sp2 box, but differs on other systems, even if it's easy to find the right breakpoint.
here's what i'm doing:
1. starting softice
2. setting up a breakpoint in ntoskrnl.exe at 0x805a0591
what's at this address you ask?
0f 8c xx xx xx xx jl somewhere
ff 75 90 push dword [ebp-70] <--- breakpoint is here
e8 xx xx xx xx call RtlImageNtHeader
when a driver is mapped into memory now, softice will break at this address and ebp-70 has a pointer to the start of the driver image.
from here it's easy to find the oep of the driver.
ImageBase + EntryPoint (start of PE-Header (e_lfanew points to it at offset 3ch) + 28h)
so after setting a breakpoint:
bpx imagebase+entrypoint
and leaving the debugger, the next time softice pops up at the driver's start address.
yeah i know, normal drivers are easy to detect at startup, like using iocreatedevice or the bpload function of softice, but this all fails with rustock, so i use this approach.
patching the driver start with 0xcc (int 3) and setting "i3here on" in softice also fails, because the driver won't start then. :(
any other cool tricks are really appreciated.
cheers,
frank boldewin
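The OEP formula in the post (ImageBase + AddressOfEntryPoint, where the PE header is found through e_lfanew at offset 3Ch and the entry point field sits 28h bytes into it) as a small added example. This is not code from the post or from SoftICE; it is a bounds-checked reimplementation of what RtlImageNtHeader does, run over a constructed minimal PE32 header rather than a real driver, and the mapped base 0xF7A00000 passed in is an assumed sample value standing in for the pointer the post reads from [ebp-70].

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field offsets from the PE file format (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32). */
#define DOS_E_LFANEW_OFF    0x3cu  /* e_lfanew: offset of the "PE\0\0" signature   */
#define NT_OPT_MAGIC_OFF    0x18u  /* OptionalHeader.Magic, relative to "PE\0\0"   */
#define NT_ENTRY_POINT_OFF  0x28u  /* AddressOfEntryPoint (the +28h in the post)    */
#define NT_IMAGE_BASE_OFF   0x34u  /* preferred ImageBase in a PE32 optional header */
#define PE32_MAGIC          0x10bu

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the NT header inside a mapped image. Returns its offset, or -1 if the
   buffer does not carry a sane PE32 header (this is our own RtlImageNtHeader
   lookalike, not the kernel routine; every field read is bounds-checked). */
long find_nt_header(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + DOS_E_LFANEW_OFF);
    /* Need room for the signature, file header and optional header up to ImageBase. */
    if (e_lfanew > len || len - e_lfanew < NT_IMAGE_BASE_OFF + 4) return -1;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;
    if (rd16(img + e_lfanew + NT_OPT_MAGIC_OFF) != PE32_MAGIC) return -1;
    return (long)e_lfanew;
}

/* OEP = mapped base + AddressOfEntryPoint. The base comes from where the kernel
   actually mapped the driver (the [ebp-70] pointer in the post), not from the
   header's preferred ImageBase, because drivers are normally relocated. */
int driver_entry_va(const uint8_t *img, size_t len, uint32_t mapped_base, uint32_t *out_va)
{
    long nt = find_nt_header(img, len);
    if (nt < 0) return 0;
    uint32_t ep_rva = rd32(img + (size_t)nt + NT_ENTRY_POINT_OFF);
    if (ep_rva == 0) return 0;  /* no entry point: nothing to break on */
    *out_va = mapped_base + ep_rva;
    return 1;
}

/* Constructed sample: a minimal PE32 header with e_lfanew = 0x80,
   AddressOfEntryPoint = 0x1000 and a preferred ImageBase of 0x10000. */
static uint8_t sample[0x100];

const uint8_t *sample_image(size_t *len)
{
    memset(sample, 0, sizeof sample);
    sample[0] = 'M'; sample[1] = 'Z';
    wr32(sample + DOS_E_LFANEW_OFF, 0x80);
    memcpy(sample + 0x80, "PE\0\0", 4);
    wr16(sample + 0x80 + 0x04, 0x014c);                 /* Machine = i386 */
    wr16(sample + 0x80 + 0x14, 0xe0);                   /* SizeOfOptionalHeader */
    wr16(sample + 0x80 + NT_OPT_MAGIC_OFF, PE32_MAGIC);
    wr32(sample + 0x80 + NT_ENTRY_POINT_OFF, 0x1000);   /* entry point RVA */
    wr32(sample + 0x80 + NT_IMAGE_BASE_OFF, 0x10000);   /* preferred base (ignored) */
    *len = sizeof sample;
    return sample;
}

/* Helpers that run the sample; truncate_to != 0 simulates a cut-off buffer. */
long sample_nt_offset(size_t truncate_to)
{
    size_t n; const uint8_t *img = sample_image(&n);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return find_nt_header(img, n);
}

uint32_t sample_entry_va(uint32_t mapped_base)
{
    size_t n; const uint8_t *img = sample_image(&n);
    uint32_t va = 0;
    return driver_entry_va(img, n, mapped_base, &va) ? va : 0;
}

int main(void)
{
    uint32_t va = sample_entry_va(0xF7A00000u);  /* assumed mapped base */
    printf("NT header at 0x%lx, bpx %08x\n", sample_nt_offset(0), va);
    return 0;
}
```

The breakpoint to set is then the printed VA, and a truncated or non-PE buffer is rejected before any field past its end is read.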