CodeProject: Driver to Hide Processes and Files
Cthulhu
January 22nd, 2009, 07:07
Nothing new but yet interesting:
http://www.codeproject.com/KB/tips/hide-driver.aspx
Daniel Pistelli
January 22nd, 2009, 07:32
Old information. You find plenty of these samples on rootkit.com. Moreover, it's rather obsolete since on x64 you can't do SDT hooking nor ntoskrnl patching (PatchGuard). Last but not least, on Vista x64 and later you have to sign drivers. Signatures for rootkits are obtained and kept only by gov agencies.
The best way to hide a driver is not trying to. Combine this strategy with maybe a polymorphic engine and the driver becomes very difficult to detect.
deroko
January 22nd, 2009, 09:35
I agree with Daniel, the best way to stay unnoticed is not to hide the driver, and to be as compatible with the system as possible, so the user will not see anything suspicious and you are safe.
GamingMasteR
January 22nd, 2009, 10:05
The article is about how to hide processes/files, not drivers.

For driver hiding it's better to use driver infection, or to use a launcher driver to map the real driver code into nonpaged memory pools and then unload the launcher ...
Daniel Pistelli
January 22nd, 2009, 10:30
Well, actually the point was that it uses the same techniques used by many rootkits/mw, such as hooking NtQueryDirectoryFile in kernel mode. So, the same applies to user mode mw. If you mean that it shouldn't be used by rk/mw and that it's _just_ a way to hide files, then I would absolutely discourage people from hooking the SDT to hide a file. The right way is writing an FS filter. Because, like I said above, on x64 this system doesn't work (in kernel mode); it's obsolete.
Manually mapping the driver in nonpaged pool isn't the best technique either. If you're a driver which interacts with the system you are likely to register callbacks etc. I could build an anti-rootkit tool which looks at all registered callbacks etc. and checks if there is one contained in a memory location with no associated driver. It's not 100% proof of a rootkit, but it could help reveal anomalies.
deroko
January 23rd, 2009, 12:57
Well anyway, if it was for hiding processes/drivers you achieve the same results either by unlinking the process from EPROCESS or the driver from PsLoadedModuleList, but that's not it, you are still visible. The best way -> put some files into c:\windows\system32, load the driver with a non-suspicious name, be compatible with the system, and everything will be just fine imho.
