Here is a basic listing of my C: drive contents:

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 400B-1E43

 Directory of C:\

08/22/2010  01:36 PM                 0 AUTOEXEC.BAT
08/22/2010  01:36 PM                 0 CONFIG.SYS
08/22/2010  01:38 PM    <DIR>          Documents and Settings
06/03/2011  02:58 PM    <DIR>          Program Files
09/20/2011  10:50 AM    <DIR>          WINDOWS

Now I'll create a few of the special streams:

C:\>echo hi > \\?\C:\NUL
C:\>echo hi > \\?\C:\NUL:hidden
C:\>echo hi > test.txt
C:\>echo hi > test.txt:^G^G^G

Sanity check on the drive contents (we should see two new files):

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 400B-1E43

 Directory of C:\

08/22/2010  01:36 PM                 0 AUTOEXEC.BAT
08/22/2010  01:36 PM                 0 CONFIG.SYS
08/22/2010  01:38 PM    <DIR>          Documents and Settings
09/20/2011  10:57 AM                 5 NUL
06/03/2011  02:58 PM    <DIR>          Program Files
09/20/2011  11:21 AM                 5 test.txt
09/20/2011  10:50 AM    <DIR>          WINDOWS

Now let's see how we do! I'll use tsk-xview.exe (note you also need offreg.dll).

Z:\tools>tsk-xview.exe -r -v
[INFO] High-level enumeration. Please wait.
[INFO] Found 95773 files and dirs
[INFO] Opened \\.\PhysicalDrive0
[INFO] Partition NTFS (0x07) at sector 56
[INFO] Low-level enumeration. Please wait.
[STREAM] C:/NUL:hidden
Inode: 12991-128-3
Size: 8
SIA Created: Tue Sep 20 10:56:14 2011
SIA File Modified: Tue Sep 20 10:57:27 2011
SIA MFT Modified: Tue Sep 20 10:57:27 2011
SIA Accessed: Tue Sep 20 10:57:27 2011
FNI Created: Tue Sep 20 10:56:14 2011
FNI File Modified: Tue Sep 20 10:56:14 2011
FNI MFT Modified: Tue Sep 20 10:56:14 2011
FNI Accessed: Tue Sep 20 10:56:14 2011
[STREAM] C:/test.txt:^^^
Inode: 12994-128-6
Size: 5
SIA Created: Tue Sep 20 10:58:25 2011
SIA File Modified: Tue Sep 20 11:21:17 2011
SIA MFT Modified: Tue Sep 20 11:21:17 2011
SIA Accessed: Tue Sep 20 11:21:17 2011
FNI Created: Tue Sep 20 10:58:25 2011
FNI File Modified: Tue Sep 20 10:58:25 2011
FNI MFT Modified: Tue Sep 20 10:58:25 2011
FNI Accessed: Tue Sep 20 10:58:25 2011

It detected both streams perfectly, albeit displaying the name as ^^^ instead of ^G^G^G (it could be more console-friendly and print those chars as hex values).
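The cross-view check tsk-xview performs above (Win32 enumeration versus a raw NTFS parse), as an added Python example that is not the book's or the blog's code: it runs over two constructed listings modelled on the dir and tsk-xview output above, reports entries only the low-level view sees, flags reserved device names and control characters in names, and renders those characters as hex rather than ^. The names audit, console_safe, HIGH_LEVEL and LOW_LEVEL are my own assumptions.

```python
# Added example, not tsk-xview's own code: the same cross-view check it performs,
# run over two constructed listings modelled on the dir and tsk-xview output above.
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})

# Win32 enumeration lists files only; the raw NTFS parse also lists named $DATA streams.
HIGH_LEVEL = ["C:/AUTOEXEC.BAT", "C:/CONFIG.SYS", "C:/Documents and Settings",
              "C:/NUL", "C:/Program Files", "C:/test.txt", "C:/WINDOWS"]
LOW_LEVEL = HIGH_LEVEL + ["C:/NUL:hidden", "C:/test.txt:\x07\x07\x07"]

def console_safe(name):
    """Render non-printable characters as \\xNN instead of ^ so the name stays legible."""
    return "".join(ch if ch.isprintable() and ord(ch) < 127 else f"\\x{ord(ch):02x}"
                   for ch in name)

def entry_name(path):
    return path.rsplit("/", 1)[-1]          # 'NUL:hidden' for 'C:/NUL:hidden'

def is_stream(path):
    return ":" in entry_name(path)          # file:stream syntax in the last component

def is_reserved(path):
    # Win32 reserves device names regardless of extension (NUL.txt is reserved too),
    # so drop the stream suffix and the extension before comparing.
    stem = entry_name(path).split(":", 1)[0].split(".", 1)[0]
    return stem.upper() in RESERVED_NAMES

def audit(high_level, low_level):
    """Return (console-safe path, reasons) for each low-level entry worth a look."""
    visible = {p.lower() for p in high_level}
    report = []
    for path in low_level:
        reasons = []
        if path.lower() not in visible:
            reasons.append("absent from Win32 enumeration")
        if is_stream(path):
            reasons.append("named $DATA stream")
        if is_reserved(path):
            reasons.append("reserved device name")
        if not path.isprintable():
            reasons.append("control characters in name")
        if reasons:
            report.append((console_safe(path), reasons))
    return report

if __name__ == "__main__":
    for path, reasons in audit(HIGH_LEVEL, LOW_LEVEL):
        print(f"[SUSPECT] {path}  ({'; '.join(reasons)})")
```

On a live system the two listings would come from FindFirstFile and from pytsk or TSK walking the raw volume, as the last comment below suggests; the comparison logic stays the same.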
6 comments:
Hi Michael,
I just recently bought a copy of your book and enjoyed reading it. One thing I noticed is there are a few missing tools used in the book. Is it possible to get the source for these tools like unlinker and Tsk-xview? They would serve as a good example in creating an antirootkit client, as scarce as examples go. Also do you have any tools/information about creating a tool to detect and remove something like the ZeroAccess rootkit?? Would love to learn from an example like that.
The unlinker source was left out intentionally since it could be used maliciously, but if I can find it, I'll post it. The tsk-xview source I definitely have and will post it as well. Check back in a few days. ZeroAccess has been requested by others as well; it's on the list, but so are many other things ;-)
The unlinker source has been added, you can recompile with VS2010. http://code.google.com/p/malwarecookbook/source/detail?r=103. It's local only (meaning you can only unlink DLLs in the unlinker.exe process, unless you further modify it).
The tsk-xview source has been added: http://code.google.com/p/malwarecookbook/source/detail?r=104. Recompiling this may not be easy; I remember running into various issues regarding the TSK lib and Visual Studio.
Wow! Thanks a lot! Will take note about compiling the Tsk lib w/ Visual Studio. I am not too worried about the unlinker being local only. Just wanted to learn from all the tools and resources used in the book and maybe one day be able to create my own antirootkit. Thanks again so much for taking the time not only to share these tools and the source, but also for sharing your knowledge on the aspects of malware analysis. Will be checking this blog every so often to see what's new :). Thanks again!
It would also be interesting to script this tool using pytsk in python.
http://code.google.com/p/pytsk/