Wednesday, April 4, 2012

Punking PnkBstrK.sys

Man talk about being out of ones league! So I've been spending the last few days trying to brush up on how to reverse Windows Kernel drivers. First step was flipping through pages of Rootkits: Subverting the Windows Kernel to learn the basics of how kernel drivers work. I really have never looked this deep before. There is one problem with using that book as a reference, being you know, trashed by Lulzsec. So the links to example code and utilities no longer exist.

I thought it wouldn't be all that important and I could simply connect my kernel debugger, start a game and watch the driver being loaded (by setting "bp PnkBstrK!DriverEntry" in WinDbg). Boy was I wrong, I don't know if they're doing something special to hide themselves but I couldn't for the life of me break on the driver being loaded. At first I thought I was doing something wrong, so I set the debugger to break on any module load. This can be done by breaking in the current session and going to Debug -> Event Filters and enabling the on module load option.
How to break on module loads (provided they aren't f'ing with you)
So I did this, then hit '.reboot' and watched every driver load. You can get the driver name by using the '.lastevent' command on break.
Using .lastevent on driver load
So, I watched, every, stupid, friggen, driver load (there's a lot by the way). But I never saw PnkBstrK.sys load. What was really strange was I started up a game, then quit out then used Ctrl+Break to cause WinDbg to send a break. I then ran "lm" to see what modules were loaded. I started to see PnkBstrK under the Unloaded section. But.. I could never actually *catch* it loading.
Game loading the drivers, and showing pnkbstrk being 'unloaded'

So how the hell do I break into it? Well first off, I wanted to make sure it was actually being loaded and have 100% control over loading and unloading the driver. To do this the Rootkit book suggests using InstDrv.exe, which as far as I can tell doesn't really exist any more. So instead I found a new tool to help in loading and unloading. I found a tool called WinDriver from Jungo which has a helper tool called wdreg.exe which you can use to load/unload drivers.
Using wdreg to load PnkBstrK
By running the command "wdreg.exe -file PnkBstrK install" you can have the PnkBstrK.sys driver loaded and installed. Notice you don't pass the .sys and you are also required to use the full path (I copied it to the WinDriver directory). So I kept loading/unloading and *still* wasn't able to break. So I started searching around for other methods. Some forums suggested using WinDbg's "bu" command. This did not work. Next I visited openrce to see if they had any tips and found this. Which inevitably lead me to searching for and setting a breakpoint on IopLoadDriver. As an added bonus I found a tweet by stupid smart @Ivanlef0u which was the command I needed:
bp nt!IopLoadDriver+0x66a . Yeah that pasted big, but you know what? I don't care, it deserves that font size, because it friggen worked.
call'ing into PnkBstrK.sys FINALLY!
Now I can start to figure out their dinky little xor obfuscation and see what ioctrl's it uses with the various services... Yay!

No comments:

Post a Comment