live_dont_exist
August 13th, 2011, 02:17
Hi,
I was trying my hand at Lenny Zeltser's latest malware challenge. There was a question there about a file that got downloaded on to a system and then hid itself. The question was 'What APIs did it use to do this?'.
I managed to get the exact location of these "hidden files and reg keys" using Procmon and CaptureBat and could even cd into the "hidden" directory. Next up was the API question. Googling showed that it was the API called NtQueryDirectoryFile which was responsible for displaying files in a directory [output of "dir"] and RegEnumValue was responsible for viewing values of registry keys. So that's what the malware/rootkit was probably hooking.
The point though was: how do I actually confirm this? Running cmd or regedit did not show me these files or registry keys. So I thought, let's open up cmd in a debugger and see what happens. I opened up 'cmd', F9'd it in Olly and typed in 'dir'. To my surprise the "hidden" directory revealed itself. The same behavior was found with 'regedit' as well. That confused me. I'll explain why.
Both cmd and regedit are 'user mode' programs. Olly is also a 'user mode' program. Olly is the parent for both these processes. So when I type 'dir' in cmd, instead of the program itself telling the OS to run 'dir', Olly tells the OS to run 'dir' instead. That's it, right? It doesn't modify anything AFAIK [could be wrong].
So yes, I got the answer to my question for the Lenny challenge, but it was just a stroke of luck to be frank. I had started putting breakpoints on RegEnumValue and NtQueryDirectoryFile when this happened.
Any thoughts?
Thanks
Arvind
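An added check, not the poster's code, for the "how do I actually confirm this?" question above: read the first bytes of the named exports inside the current process and flag an entry that has been patched into a trampoline, which is how a user-mode rootkit hooks NtQueryDirectoryFile or RegEnumValue. It assumes a Windows host, that the hook is an inline patch at the function entry, and the byte patterns listed are the common ones (constructed here), not a complete list.

```python
import sys
import ctypes
from typing import Optional

# Trampoline shapes a user-mode inline hook typically leaves at a function entry.
def classify_prologue(prologue: bytes) -> Optional[str]:
    """Describe the patch if the entry bytes look like a hook, else None."""
    if len(prologue) < 5:
        return None
    if prologue[0] == 0xE9:                                   # jmp rel32
        return "jmp rel32"
    if prologue[:2] == b"\xFF\x25":                           # jmp [mem]
        return "jmp [mem]"
    if prologue[0] == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:
        return "push imm32; ret"                              # push addr / ret
    if prologue[:2] == b"\xEB\xF9":                           # mov edi,edi -> jmp -5
        return "hotpatch short jmp"
    return None

# Entry shapes an unmodified function is expected to have on 2011-era Windows.
def is_known_clean(prologue: bytes) -> bool:
    """x86 syscall stub (mov eax,ssn), x64 stub (mov r10,rcx; mov eax,ssn),
    or the hotpatchable Win32 prologue (mov edi,edi; push ebp; mov ebp,esp)."""
    return (prologue[:1] == b"\xB8"
            or prologue[:4] == b"\x4C\x8B\xD1\xB8"
            or prologue[:5] == b"\x8B\xFF\x55\x8B\xEC")

def verdict(prologue: bytes) -> str:
    hooked = classify_prologue(prologue)
    if hooked:
        return "hooked: " + hooked
    return "clean" if is_known_clean(prologue) else "unrecognised"

def read_export_prologue(module: str, export: str, n: int = 8) -> bytes:
    """First n bytes of an export as mapped in *this* process (Windows only)."""
    if sys.platform != "win32":
        raise OSError("read_export_prologue needs Windows")
    func = getattr(ctypes.WinDLL(module), export)
    addr = ctypes.cast(func, ctypes.c_void_p).value
    return ctypes.string_at(addr, n)

def check_exports(targets):
    """targets: [(module, export)] -> {export: verdict}. Run it once normally
    and once from a process started under the debugger and compare."""
    return {export: verdict(read_export_prologue(module, export))
            for module, export in targets}

if __name__ == "__main__":
    print(check_exports([("ntdll", "NtQueryDirectoryFile"),
                         ("advapi32", "RegEnumValueW")]))
```

An "unrecognised" result only means the entry is not one of the listed shapes; disassemble it before concluding anything.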