I really do want to be posting more, and exploring more and learning more. But right now I'm stuck in state of tedium. The past few attempts at looking at PnkBstrK.sys have left me pretty bored. Right now the majority of the code is doing some sort of silly obfuscation and is just fixing up addresses and data. After the first IOCTL is sent to the driver, the IOCTL instructs the driver to fix up some table of addresses. In IDA we can see this table of pointers in it's base address form.
 |
| A table of pointers that are to be 'rebased' during execution |
You can see from my comments in the above code that various registers contain the address of the driver in memory, which in a below function are used to recalculate the table and update it to point to where the driver is loaded for the current execution run. This table, when all is said it is updated to look like:
ee05b844 ee05e046
ee05b848 ee05c997
ee05b84c ee05d719
ee05b850 ee05bc4d
ee05b854 ee05f5f1
...
ee05bad0 ee05c842
ee05bad4 ee05c049
ee05bad8 ee05f3e4
ee05badc ee05eff3
ee05bae0 ee05cc3c
While that part of the code is easy to understand, what isn't easy is the next part.
 |
| Borrrrrrrrrrrrrrrrrrringgg.... |
The rest appears to just be doing arithmetic to change various addresses both in the stack and in the registers. It's so boring and tedious that I find it hard to walk through more than a few functions at a time before I give up and go do something else.
I guess, that *would* be the entire point of obfuscation :>. However, I don't plan on giving up, but forgive me this might take a bit longer because, well, it's boring as shit. Someday when I have more free time (right now i'm clocking in about 1-2 hours a week looking at this) I'll sit down and run through the entire process to see if there are any patterns I can extract on what it is doing from a more high level view point.
No comments:
Post a Comment