Thread: Application in Nt Native Api

  1. #1
    Registered User
    Join Date
    Jan 2009
    Posts
    6

    Application in Nt Native Api

    Well, we are trying to build an application using the NT Native API.
    This application is to delete some files used by a trojan, which the most
    popular AVs don't detect here and also don't delete the main files.
    The problem is:
    This trojan installs a .sys (image sys driver) which protects all files used
    by the trojan from being deleted in the boot process.
    In other words, we cannot change any information in the registry about this
    trojan, because in the Windows environment this trojan has a DLL hooking any
    change to its registry values, blocking the changes and, in some cases,
    rolling back any changes we try to make, and of course we cannot delete
    those files, because this DLL protects all its own files, including
    the .sys file.
    We tried to insert a native function from NT, such as NTUnload, but it doesn't
    work; I think because the driver doesn't have a section with instructions to
    unload the driver.
    We can delete these files using NtDeleteFile from the NT Native API in our
    executable, because the driver from the trojan loads before us, blocking the
    function, and we see a message (STATUS_SHARING_VIOLATION). So we don't have
    any ideas how to delete these files; they don't infect any other files, they
    only install their own files to monitor PC activity and try to get bank
    information.
    So we don't have any more ideas how we can delete the files.

    Can someone help us?

    By the way, if it is needed, we can send here, or by private e-mail, our source code with which we try to delete these files, which we built as a smaller application
    in the NT Native API.


    And the trojan DLL uses winlogon.exe to stay in memory, but when we try to
    close winlogon, they use System to stay active. We tried to stop the
    service, but we always receive information that we do not have rights to do
    this action, and I believe they don't have a STOP function in the main DLL
    from Services. All steps were tested in the Windows environment and also in the Safe
    Mode environment; it doesn't work.

    Thanks for your help.

  2. #2
    Reverse Engineer maxorator
    Join Date
    Aug 2005
    Location
    Estonia
    Posts
    2,318
    Download Rootkit Unhooker, go to the "Drivers" tab, find the evil driver, right click on it and select "Wipe File".
    "The Internet treats censorship as damage and routes around it." - John Gilmore

  3. #3
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    If you know the name, try forbidding execution permission on the file.
    Then reboot & delete.
    Quote Originally Posted by Adak
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  4. #4
    Registered User
    Join Date
    Jan 2009
    Posts
    6

    Information.

    We would like to build a solution, not using 3rd party.
    We cannot block execution, because they have a DLL and this DLL is still hooking the system, blocking any attempts to delete, block, rename; everything we could do was tested, so we began to build an application using the NT Native API.
    But anyway, thanks for your replies, but we need help with the NT Native API.

  5. #5
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    Fire against fire, huh...
    Still, I don't see a reason for not using a 3rd party solution, but if that is your desire...
    I wish you luck, then. Kernel programming is not my area.

  6. #6
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Unfortunately, unless you can find a way to "unhook" this driver [which I doubt there is an API to do that - as hooking is generally done by simply putting new values in the relevant dispatch tables], you are not going to be able to "attack" it by driver code, NT API or otherwise, since it will [as I understand it from what you've written] use various hooks to prevent itself from being removed.

    The native API is still just the internal representation of, mainly, the external API function calls - it is not some sort of silver bullet that allows you to do things you can't use with the external API.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  7. #7
    Registered User
    Join Date
    Jan 2009
    Posts
    6

    To be more specific!

    Can anyone please contribute an example of how to use the ZwWriteFile/NtWriteFile
    procedure? I think maybe I can, in the boot process, change the trojan file content
    to another one to stop it from working.
    The file to access should be "\\??\\C:\\PROGRA~1\\UNT\\UNT.DLL".

    Thanks for all.

  8. #8
    Registered User
    Join Date
    Jan 2009
    Posts
    6
    Can anyone contribute an example of how to use ZwWriteFile/NtWriteFile with the file "\\??\\C:\\PROGRA~1\\UNT\\UNT.DLL" to change the file contents?

    Regards.

  9. #9
    Reverse Engineer maxorator
    Join Date
    Aug 2005
    Location
    Estonia
    Posts
    2,318
    If you have no rights to open that file with write access, there's no difference whether you use NtWriteFile or WriteFile.

    Like matsp said, NT api does not help you to bypass OS security or limitations. It may help you to implement a few things differently than WinAPI does it, but not much - it certainly doesn't help with denied access.

  10. #10
    Registered User
    Join Date
    Jan 2009
    Posts
    6


    Do you have an example with this function using this file?

    Regards.

    Quote Originally Posted by maxorator
    If you have no rights to open that file with write access, there's no difference whether you use NtWriteFile or WriteFile.

    Like matsp said, NT api does not help you to bypass OS security or limitations. It may help you to implement a few things differently than WinAPI does it, but not much - it certainly doesn't help with denied access.

  11. #11
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    The first hit I got in Google describes how the function works fairly well - if you do not understand how to use that information, you are most certainly not ready to write driver-level code - that is NOT beginner stuff.


  12. #12
    and the hat of int overfl Salem
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    Are you suggesting that this file is still used when you reboot in safe mode?

    Perhaps boot off a live-CD, mount the NTFS volume from there and delete the bad file. No way is it going to be in use from there.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  13. #13
    Registered User
    Join Date
    Jan 2009
    Posts
    6

    Example:

    Here is the source code which I am trying to compile and with which I build my solution.
    Please see at: http://sousasamir.blogspot.com/
    Thanks for help.

    Regards.

  14. #14
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Have you not listened to what we are saying: whether you use the NT Native API or otherwise, you cannot bypass the security system in Windows.


  15. #15
    and the hat of int overfl Salem
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    Wow, and I thought unformatted code posted here was ugly.
    That just raises the bar way out of sight. It's awful (*pukes*)
