Thursday, September 2, 2010

pHide_Ex [ reversing point of view ]



Hi, in this post I will introduce some aspects of the phide_ex demo rootkit.


introduction
phide_ex first appeared in October 2006. It was only a demonstration of process hiding and was never intended for use in the wild, as other security professionals will already know. When it appeared it bypassed the security products of the day, including Rootkit Unhooker, GMER, IceSword and BitDefender, because of the robust technique it implemented for hiding its process. Now, almost four years later (or nearly five), it is an old technique that malicious rootkits could use to hide their presence. It was a special and advanced rootkit for its time, but techniques keep advancing and it is no longer an effective solution compared with professional real-world rootkits. I do not want to write something that teaches you to write a rootkit like phide_ex; this post, and maybe the next one, is a small case study of this specimen from a reverse engineering point of view.
If you are interested in obtaining a sample of this treasure, feel free to leave a comment and I will put it up for further investigation. We begin the first part of the reverse engineering with phide_ex.exe, the main user-mode component of this demo rootkit.


First of all, let's see what this specimen wants to do on your machine:

The first thing the demo rootkit does is obtain the full path of the Windows directory through a standard Windows API call (GetWindowsDirectoryA, judging from its parameters). The second parameter is 104h, which is 260 in decimal (MAX_PATH). Because stdcall pushes arguments right to left, this size is pushed first, followed by the pointer to Buffer, which is the first parameter. Buffer is an _out_ parameter in the Win32 prototype: the function fills it with the full path of the Windows directory, which is why the buffer's contents can then be displayed.




After that, as you can see, the author used the old 16-bit style functions (still exported by kernel32 for Win16 compatibility) for creating, writing and closing a plain text file (in this case better described as a log file). _lcreat is the Win16-compatibility equivalent of CreateFile in the Win32 library; according to the MS documentation it takes two parameters:
LONG _lcreat(
LPCSTR lpszFileName,
int fnAttribute
);

So the path of the file, corresponding to the first parameter lpszFileName, is pushed onto
the stack, and the second parameter, which sets the attribute of the file,
is set to 0 (a normal file).

_lwrite is the matching 16-bit style function that writes data to the opened file.

Finally, _lclose closes the file.
After these steps the rootkit uses the standard CreateFileA function to
create the log file at this path: "C:\phide_ex.log".
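As an added example that is not part of the original post and not code from phide_ex or its author: the Python script below recovers the arguments of each API call from the pushes that precede it, which is exactly the bookkeeping you do by hand when reading a listing like the one described above. The disassembly it parses is constructed to mirror the call sequence this post describes; the labels Buffer, FileName and LogText, the 2Ah byte count and the use of esi to hold the file handle are assumptions, not values taken from the sample.

```python
"""Recover Win32 stdcall API arguments from a push/call sequence in x86
disassembly.

Added example for this post: it is not code from phide_ex or its author.
CONSTRUCTED_LISTING is made up to mirror the call sequence the post
describes; the labels Buffer, FileName and LogText, the 2Ah byte count and
the esi register are hypothetical, not taken from the sample.
"""
import re

# Prototype (left-to-right) parameter order, from the Win32 documentation.
PROTOTYPES = {
    "GetWindowsDirectoryA": ["lpBuffer", "uSize"],
    "_lcreat": ["lpPathName", "iAttribute"],
    "_lwrite": ["hFile", "lpBuffer", "cbWrite"],
    "_lclose": ["hFile"],
}

CONSTRUCTED_LISTING = """
push    104h                     ; MAX_PATH, pushed FIRST (right-most param)
push    offset Buffer            ; lpBuffer, pushed LAST (left-most param)
call    ds:GetWindowsDirectoryA
push    0                        ; iAttribute: normal file
push    offset FileName          ; "C:\\phide_ex.log"
call    ds:_lcreat
mov     esi, eax                 ; keep the HFILE returned by _lcreat
push    2Ah                      ; byte count (hypothetical)
push    offset LogText
push    esi
call    ds:_lwrite
push    esi
call    ds:_lclose
"""

# MASM-style 104h, C-style 0x104, or plain decimal.
_IMM = re.compile(r"^(?:0x[0-9a-f]+|[0-9a-f]+h|[0-9]+)$", re.IGNORECASE)


def parse_operand(tok, regs):
    """Immediates become ints; a register that was loaded from a call's eax
    resolves to that call's return value; anything else stays symbolic."""
    tok = tok.strip()
    if _IMM.match(tok):
        if tok.lower().endswith("h"):
            return int(tok[:-1], 16)
        return int(tok, 16) if tok.lower().startswith("0x") else int(tok)
    return regs.get(tok.lower(), tok)


def recover_calls(listing, prototypes=PROTOTYPES):
    """Bind the pushes preceding each call to that API's parameters.

    stdcall (and cdecl) push arguments right to left, so the LAST push before
    the call binds to the FIRST prototype parameter. A stdcall callee removes
    its own arguments, so the push list is restarted after every call.
    """
    pushes, regs, calls = [], {}, []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop the comment
        if not line:
            continue
        mnemonic, _, operands = line.partition(" ")
        mnemonic, operands = mnemonic.lower(), operands.strip()
        if mnemonic == "push":
            pushes.append(parse_operand(operands, regs))
        elif mnemonic == "mov":
            dst, _, src = (p.strip() for p in operands.partition(","))
            if src.lower() == "eax" and calls:      # saving a return value
                regs[dst.lower()] = f"<eax from {calls[-1][0]}>"
        elif mnemonic == "call":
            target = operands.split(":")[-1].strip("[] ")
            params = prototypes.get(target)
            if params is None:
                raise ValueError(f"no prototype for {target!r}")
            if len(pushes) < len(params):
                raise ValueError(f"{target}: {len(params)} parameters but "
                                 f"only {len(pushes)} pushes")
            args = pushes[-len(params):][::-1]      # reverse into prototype order
            calls.append((target, dict(zip(params, args))))
            pushes = []
    return calls


def format_calls(calls):
    """Render each recovered call as C-like pseudo-source."""
    out = []
    for name, args in calls:
        rendered = ", ".join(f"{k}={v!r}" for k, v in args.items())
        out.append(f"{name}({rendered})")
    return out


if __name__ == "__main__":
    for line in format_calls(recover_calls(CONSTRUCTED_LISTING)):
        print(line)
```

Running it shows uSize bound to 260 and lpBuffer to Buffer for GetWindowsDirectoryA, and the handle returned by _lcreat flowing into both _lwrite and _lclose. The seven-parameter CreateFileA call that follows in the sample is handled the same way by adding its prototype to the table.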



This is the log file generated by phide_ex, produced as evidence
of the rootkit's presence on the test system.

In the next post I will go into more detail about this rootkit (I will not promise, but
I might do a deep analysis of it and write up its kernel driver
in the future).

stay tuned ... .

