
Killing a virus in systemspace

Started by AH, November 16, 2006, 08:22:33 PM


AH

First of all, some things about myself:

My name is Andreas Hötker and I'm from Germany. Normally I don't write any English postings, so I hope my writing isn't too bad and you are able to understand me. In the language in which I normally write code, I've already written several little security tools (hobby). A few weeks ago I learned a little bit of ASM to do things I can't do with my programming language (-> driver writing).

At the moment I'm trying to write some kind of "taskmanager" for drivers, which should be able to kill, on demand, a virus that has placed itself as a driver into systemspace. To do so, I have to get the DriverSection member of the DRIVER_OBJECT structure of the "driver" which I want to unload. (Or the LDR_DATA_TABLE_ENTRY of the driver in PsLoadedModuleList? That should be the same.)

I have already tried ObReferenceObjectByName, but I need the driver name from the registry for unloading - and for this kind of malware, I don't get it :'(.

I have another way in mind, too, but if it works, it's very bad programming and a very unsafe way to do it.

My question: Who knows a possible way to get the DRIVER_OBJECT structure of any driver in the system to "kick out" unwanted malware?

I don't want any code here, only ideas in the form of
-> get ... pointer by using function ...
-> get ... pointer by adding ... to ... pointer
I only need ideas. I write the code myself.

Who is able to help me out?

Greetings

Andreas

remus2k

hi andreas :U

do you want a processkiller?
or what do you mean exactly?


greetz



AH

Hello remus2k

No, not a "processkiller", I've already written this kind of taskmanager. I want to write a "driverkiller".
In the Native API there is a well-known function which is able to load a driver into kernelspace without writing anything to the registry.
Drivers are a kind of "DLL" which are loaded into the process "System". Drivers have very high privileges and are able to read from and write to virtual memory address spaces above 2GB. Drivers cannot be terminated or seen by the Windows taskmanager.

This malware is hard to kill - and I want to kill this kind of "virus", that's all.

Greetings

Andreas


remus2k

I am at present with a friend on the net.
When I am home I will find the example on my PC and send it.

AH

I've forgotten to write some things down:
Operating system: Windows 2000/XP

What info do I have by now about the virus I want to unload:
- base address of the loaded "driver" in virtual memory
- size of the loaded "driver" in virtual memory
- index of the module (maybe the index in PsLoadedModuleList?)
- the filename and the path of the driver
- the image name (nearly the same as filename + path) of the driver

So: any ideas which could help me?

P1

Quote from: AH on November 16, 2006, 08:22:33 PM
My question: Who knows a possible way to get the DRIVER_OBJECT structure of any driver in the system to "kick out" unwanted malware?

That depends on whether the malware wants to hide or not. Today's malware hooks the system like a rootkit and hides its existence. Even killing off its competitor viruses, when found.

Second concern is that you could trash a system by turning off/unloading a driver on the system.

Which brings us back to how to remove a virus technology. How are you identifying this virus driver?

I'll be open on this one: if you have to ask the question while doing this kind of work, it makes us wonder what you are doing for the skills you present here. i.e. If you can identify the virus driver, why are you asking about removal? Both skills use the same basic knowledge.

Have you tried SC_MANAGER_ENUMERATE_SERVICE ??? Using the standard SERVICE_CONTROL_STOP message.

Regards,  P1   :8)

AH

Hello P1...

Quote from: P1 on November 17, 2006, 05:52:14 AM
Today's malware hooks the system like a rootkit and hides its existence. Even killing off its competitor viruses, when found.
That's right, I know. I'm just getting into that stuff and I'll take care of "special hiding" later.

Quote from: P1 on November 17, 2006, 05:52:14 AM
Second concern is that you could trash a system by turning off/unloading a driver on the system.
That's right, too. When terminating system processes with a special taskmanager, the system can crash too (and with drivers the crash is a little bit harder).
First of all: I don't want to sell this software anywhere. It's only an "experiment" that should show me how to blast nasty things out of my system that I don't want there. So the "driver taskmanager" (I call him Mister Root) first has to show me as much information as possible about the drivers which are running on my system. With this information I decide myself which driver I want to kill and which driver I'd better leave untouched.

Quote from: P1 on November 17, 2006, 05:52:14 AM
Have you tried SC_MANAGER_ENUMERATE_SERVICE ??? Using the standard SERVICE_CONTROL_STOP message.
You mean the ControlService API? Just look at what I have to do to use this:
- Use the function OpenSCManager to get a handle to the Service Manager
- Use the function OpenService to get a service handle, which I have to use in ControlService
This kind of "software" I want to terminate gets into the kernel through a Native API without writing anything to the registry - so I do not get a "servicename", which I have to use in OpenService (am I right with that?).
I don't want to post the name of this Native API here, but I think you know much more about virus detection than I do, so I think you know the name of this API best.
And there is another thing: I'm not very familiar with writing virus code, but why should a virus take care of a request to shut it down? Only real applications, like anti-virus software maybe, should take care of such a request - and that software I don't want to kill at all. :bg

The way I want to go is over another ( :bg :lol) Native API, which terminates a driver without calling its DriverUnload function. This function is very badly documented in Gary Nebbett's Native API documentation, but I tested it and it works well if I'm using the pointer to the DriverSection member in the DRIVER_OBJECT structure.

If you have any information about detecting a virus in kernel space, I'm very interested in that, too. I think that I can get the DriverSection pointer on my own (I just want to find the best way), but getting more information about what is really a driver and what looks like a virus, that would be great!

Greetings

Andreas
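The two documented pieces this exchange turns on, enumerating what is loaded and stopping a driver through the Service Control Manager (OpenSCManager -> OpenService -> ControlService with SERVICE_CONTROL_STOP, as P1 suggests and AH walks through), can be put side by side in a few lines. The PowerShell below is an added example and is not code from the thread or from any of its participants. It assumes an elevated PowerShell 3 or later session on Windows 7 or later (the thread targets 2000/XP, where the same psapi.dll calls exist but Get-CimInstance does not), run in the native bitness of the OS, and it uses only documented APIs: the undocumented unload path the thread alludes to is deliberately not shown. The function names are the example's own.

```powershell
# Added example: list loaded kernel modules, compare against the SCM's driver services, and stop a
# driver through its service. Assumes an elevated, native-bitness PowerShell 3+ on Windows 7+.
$psapi = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Psapi {
    // BOOL EnumDeviceDrivers(LPVOID *lpImageBase, DWORD cb, LPDWORD lpcbNeeded)
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool EnumDeviceDrivers([Out] IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);
    // DWORD GetDeviceDriverFileNameW(LPVOID ImageBase, LPWSTR lpFilename, DWORD nSize)
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetDeviceDriverFileName(IntPtr ImageBase, StringBuilder lpFilename, uint nSize);
}
'@
Add-Type -TypeDefinition $psapi

function ConvertTo-NormalizedImagePath([string]$Path) {
    # Kernel image paths come back in NT form (\SystemRoot\..., \??\C:\...) or relative to %SystemRoot%
    # (system32\drivers\x.sys); fold them all onto one lower-case Win32 spelling so they can be compared.
    $p = $Path.Trim('"')
    if ($p -match '^\\\?\?\\(.*)$')            { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.*)$')      { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif (-not [IO.Path]::IsPathRooted($p))  { $p = Join-Path $env:SystemRoot $p }
    return $p.ToLowerInvariant()
}

function Get-LoadedKernelModule {
    # Step 1: ask for the image base of every loaded kernel module. The first call with cb = 0 only
    # reports how many bytes are needed; the second call fills the array.
    [uint32]$needed = 0
    [void][Psapi]::EnumDeviceDrivers($null, 0, [ref]$needed)
    $count = [int]($needed / [IntPtr]::Size)
    if ($count -le 0) { throw "EnumDeviceDrivers reported no modules" }
    $bases = New-Object IntPtr[] $count
    if (-not [Psapi]::EnumDeviceDrivers($bases, [uint32]($count * [IntPtr]::Size), [ref]$needed)) {
        throw "EnumDeviceDrivers failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    foreach ($base in $bases[0..($count - 1)]) {
        $sb  = New-Object System.Text.StringBuilder 1024
        $len = [Psapi]::GetDeviceDriverFileName($base, $sb, [uint32]$sb.Capacity)
        $raw = if ($len -gt 0) { $sb.ToString(0, [int]$len) } else { $null }
        [pscustomobject]@{
            ImageBase = ('0x{0:X}' -f $base.ToInt64())
            RawPath   = $raw
            Path      = if ($raw) { ConvertTo-NormalizedImagePath $raw } else { $null }
        }
    }
}

function Get-DriverServiceMap {
    # Step 2: the SCM's view, i.e. the driver services that OpenSCManager/OpenService can reach.
    # Win32_SystemDriver exposes each driver service's Name, State and PathName.
    $map = @{}
    foreach ($svc in Get-CimInstance Win32_SystemDriver) {
        if ($svc.PathName) { $map[(ConvertTo-NormalizedImagePath $svc.PathName)] = $svc }
    }
    return $map
}

function Find-OrphanKernelModule {
    # Step 3: loaded modules that no driver service accounts for, i.e. the ones AH's OpenService
    # route cannot name. ntoskrnl.exe, hal.dll and other boot-loaded components normally appear
    # here as well, so treat this as a triage list that still needs a human decision, not a verdict.
    $services = Get-DriverServiceMap
    Get-LoadedKernelModule | Where-Object { $_.Path -and -not $services.ContainsKey($_.Path) }
}

function Stop-DriverByService([string]$ServiceName) {
    # For a module that DOES have a service entry, this is the documented route: sc.exe stop sends
    # SERVICE_CONTROL_STOP via ControlService, and the driver's own DriverUnload runs if it accepts it.
    & sc.exe stop $ServiceName
}

# Usage (elevated):
#   Get-LoadedKernelModule  | Format-Table ImageBase, RawPath
#   Find-OrphanKernelModule | Format-Table ImageBase, Path
#   Stop-DriverByService -ServiceName 'SomeDriverService'
```

Two caveats that follow from the thread itself: a module a rootkit hides from the kernel's module list will be missing from Get-LoadedKernelModule just as it is missing from everything else that enumerates that list, and stopping any driver on the orphan list without understanding what it does carries exactly the crash risk P1 warns about, since there is no service to ask and nothing guarantees the image was ever meant to be unloaded.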







hutch--

Andreas,

After some consideration the team have decided to close the topic, not from anything you have done but for the reason that the subject material is dangerous and would work as a resource for people who would use this information in a malicious way. For the task you have in mind we would encourage you to work with the DDK version that suits the OS versions you are interested in to get the best results.

Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php