PDA

View Full Version : Application in Nt Native Api



sousasamir
01-18-2009, 02:21 PM
Well, We are trying to build an application using NT Native Api.
This application is for to delete some files used by a trojan, with most
popular AV donīt detect here and also donīt delete the main files.
The problem is:
This trojan install a .sys(Image sys Driver) with protects, all files used
by trojan to be deleted in boot process.
In other way, we cannot change any information from the registry, about this
trojan, because in Windows Environment, this trojan have a dll hooking any
change into their registry values, blocking the changes and in some cases,
rolling back any changes, we try to do, and of course, we cannot delete
those files, because, this dll, protectīs all yours owns files, including
the .sys file.
We try to insert a function native from NT, such as NTUnload, but donīt
work, I think because the driver donīt have a section with instructions to
unload the driver.
We can delete this files using NTDeleteFIle from NT Native Api, in our
executable, because the driver from trojan load before US, blocking the
function and we see a message(STATUS_SHARING_VIOLATION). So, we donīt have
any ideas to delete this files, they donīt infect any otherīs files, they
only intall Yours own files to monitoring PC activity and to try get Bank
Information.
So we donīt have more any ideas how we can delete the files.

Can someone help us?

By the way, if is needed, we can send here, or in private e-mail our source code, witch we try to delete this files, who we build a smaller application
in NT Native Api.


And the trojan dll use winlogon.exe to still in memory, but when we try to
close winlogon, they use System to stay in activity. we try to stop the
service, but we allways receive a information we do not have rights to do
this action, and I beliave, they donīt have a function STOP in the main dll
from Services. All steps was testing in Windows Environment also in Safe
Mode environment donīt work.

Thanks for Your help.

maxorator
01-18-2009, 02:27 PM
Download Rootkit Unhooker, go to the "Drivers" tab, find the evil driver, right click on it and select "Wipe File".

Elysia
01-18-2009, 02:28 PM
If you know the name, try forbidding execution permission on the file.
The reboot & delete.

sousasamir
01-18-2009, 02:47 PM
We like to build a solution, not using 3rd party.
We cannot block execution, because they have a dll and this dll still hooking the system, blocking any attemps to delete, block, rename, averything we can do it was tested, so we begin to build a Application usingo Nt Native Api.
But, anyway, thanks for Your replies, but we need a help in NT Native Api.

Elysia
01-18-2009, 02:49 PM
Fire against fire, huh...
Still, I don't see a reason for not using a 3rd party solution, but if that is your desire...
I wish you luck, then. Kernel programming is not my area.

matsp
01-18-2009, 05:03 PM
Unfortunately, unless you can find a way to "unhook" this driver [which I doubt there is an API to do that - as hooking is generally done by simply putting new values in the relevant dispatch tables], you are not going to be able to "attack" it by driver code, NT API or otherwise, since it will [as I understand it from what you've written] use various hooks to prevent itself from being removed.

The native API is still just the internal representation of, mainly, the external API function calls - it is not some sort of silver bullet that allows you to do things you can't use with the external API.

--
Mats

sousasamir
01-20-2009, 11:33 AM
Anyone can please, contribute with an example to use ZwWriteFile/NtWriteFile
procedure? I think maybe I can in boot proccess change the trojan file content
to another one to stop himself to work.
The file accesses should be "\\??\\C:\\PROGRA~1\\UNT\\UNT.DLL".

Thanks for all.

sousasamir
01-20-2009, 11:35 AM
Anyone can contribute with a example to use ZwWriteFile/NtWriteFile with the file "\\??\\C:\\PROGRA~1\\UNT\\UNT.DLL" to change the file contents?

Regards.

maxorator
01-20-2009, 11:45 AM
If you have no rights to open that file with write access, there's no difference whether you use NtWriteFile or WriteFile.

Like matsp said, NT api does not help you to bypass OS security or limitations. It may help you to implement a few things differently than WinAPI does it, but not much - it certainly doesn't help with denied access.

sousasamir
01-20-2009, 11:48 AM
Do you have a example with this function using this file?

Regards.


If you have no rights to open that file with write access, there's no difference whether you use NtWriteFile or WriteFile.

Like matsp said, NT api does not help you to bypass OS security or limitations. It may help you to implement a few things differently than WinAPI does it, but not much - it certainly doesn't help with denied access.

matsp
01-20-2009, 01:27 PM
The first hit I got in Google describes how the function works fairly well - if you do not understand how to use that information, you are most certainly not ready to write driver-level code - that is NOT beginner stuff.

--
Mats

Salem
01-20-2009, 02:09 PM
Are you suggesting that this file is still used when you reboot in safe mode?

Perhaps boot off a live-CD, mount the NTFS volume from there and delete the bad file. No way is it going to be in use from there.

sousasamir
01-20-2009, 02:51 PM
Here is the source code which I try to compile and also build my solution.
Please see at: http://sousasamir.blogspot.com/
Thanks for help.

Regards.

matsp
01-20-2009, 03:07 PM
Have you not listened to what we are saying: Whether you use the NT Native API or otherwise, you can not bypass the security system in windows.

--
Mats

Salem
01-20-2009, 03:52 PM
Wow, and I thought unformatted code posted here was ugly.
That just raises the bar way out of sight. It's awful (*pukes*)

kermit
01-20-2009, 04:49 PM
Wow, and I thought unformatted code posted here was ugly.
That just raises the bar way out of sight. It's awful (*pukes*)

But the blue on black is so soothing... ;)

BobS0327
01-30-2009, 06:41 PM
Anyone can contribute with a example to use ZwWriteFile/NtWriteFile with the file "\\??\\C:\\PROGRA~1\\UNT\\UNT.DLL" to change the file contents?

Regards.

A complete fully functional userland example has been posted at Sysinternals (http://forum.sysinternals.com/forum_posts.asp?TID=17548&PID=88705#88705).