This document summarizes a presentation on analyzing the Win32/Olmarik(TDL4) rootkit through forensic examination and debugging techniques. It discusses the evolution of rootkits from x86 to x64 systems and techniques used by TDL rootkits to bypass security protections like driver signature enforcement. It also demonstrates tools like TdlFsReader that were developed to analyze the hidden TDL file system and decrypt encrypted files.

1. Проведение криминалистической экспертизы и анализа руткит-программ на примере Win32/Olmarik(TDL4)Александр МатросовЕвгений Родионов

2. Who we are?malware researchers at ESET- rootkits analysis- developing cleaning tools- tracking new rootkit techniques- research cybercrime groups http://www.joineset.com/

3. План мастер-классаЭволюция современных руткит-программ

4. Этапы установки на x86/x64

5. Буткити обход проверки подписи

6. Отладка буткита наэмуляторе Bochs

7. Хуки в режиме ядра

8. Отладка с использованием WinDbg

9. Файловая система TDL4

10. TdlFsReader, как инструмент криминалистической экспертизы Evolution of rootkits

11. Evolution of rootkits functionalityx86x64DropperRootkitRootkitRootkitbypass HIPS and AV self-defenseself-defenseprivilege escalation Surviving rebootsurviving rebootbypass signature check install rootkit driver injecting payloadbypass MS PatchGuardinjecting payloadKernel modeUser mode

12. 64-bit OS rootkitKernel-Mode Code Signing Policy

13. It is difficult to load unsigned kernel-mode driver

14. Kernel-Mode Patch Protection (Patch Guard):

15. SSDT (System Service Dispatch Table)

16. IDT (Interrupt Descriptor Table)

17. GDT ( Global Descriptor Table)

18. MSRs (Model Specific Registers) Evolution of TDL rootkits

19. Evolution of TDL rootkits

20. Installation x86/x64

22. Installation stagesexploitpayloaddropperrootkit

23. Dropper layouts

24. Dropped modules

25. Installation x86

26. Installation x64

27. Bootkit and bypassing driver signature check

28. Types of integrity checksPnP Device Installation Signing Requirements

29. Kernel-Mode Code Signing Policy

30. Enforced on 64-bit version of Windows Vista and later versionsKernel-mode Code Signing Policy Enforcement

31. Boot process of Windows OS

32. Code integrity check

33. Boot Configuration Data (BCD)

34. BCD Example

35. BCD Elements controlling KMCSP (before KB2506014)

36. Subverting KMCSP Abusing vulnerable signed legitimate kernel-mode driver

37. Switch off kernel-mode code signing checks by altering BCD data:

38. abuse WinPeMode

39. disable signing check

40. patch Bootmgr and OS loaderAbusing Win PE mode: TDL4 modulesint 13h – service provided by BIOS to communicate to IDE HDD controller

41. Abusing Win PE mode: workflow

42. MS Patch (KB2506014)BcdOsLoaderBoolean_WinPEMode no longer influence kernel-mode

43. Size of the export directory of kdcom.dllhas been changedBypassing KMCSP: another attemptPatch bootmgr and OS loader (winload.exe) to disable KMCSP

44. Bypassing KMCSP: ResultBootmgr fails to verify OS loader’s integrityMS10-015kill TDL3

45. Debugging bootkit with Bochs

46. Bochs support starting from IDA 5.5

47. DEMO

48. Kernel-mode hooks

49. Stealing Miniport Driver ObjectBefore InfectionAfter Infection

50. Stealing Miniport Device Object

51. Filtering Disk Read/Write Requests Filtered requests:

52. IOCTL_ATA_PASS_THROUGH_DIRECT

53. IOCTL_ATA_PASS_THROUGH;

54. IRP_MJ_INTERNAL_DEVICE_CONTROL

55. To protect:

56. Infected MBR;

57. Hidden file system from being read or overwrittenDebugging bootkit with WinDbg

58. WinDbg and kdcom.dllWinDbgKDCOM.DLLNTOSKRNLKdDebuggerInitializeRETURN_STATUSData packetKdSendPacketRETURN_CONTROLData PacketKdReceivePacketKD_RECV_CODE_OK

59. TDL4 and kdcom.dlloriginal callfake call

60. TDL4 and kdcom.dlloriginal export tablefake export table