Friday, March 28, 2014

0x3B Rootkit Debugging

Right, so I believe I've gotten the 'end of the month solved-posts' mostly out of the way! Now I can start posting the more interesting things, like a rootkit I found recently whilst debugging! This was also my first rootkit-based debugging, very neat. I hope I run into more!

Unfortunately, the OS was reinstalled before I could ask for a kernel-dump to have fun/learn with for later purposes, but it's okay, we have enough information. The thread can be found (here)

--------------------

So here's the bug check itself:

SYSTEM_SERVICE_EXCEPTION (3b)

This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.

We've all seen this before, fairly common bug check. Let's look further into the dump:

BugCheck 3B, {c0000005, fffff80003cef274, fffff8800cd1ef50, 0}

0: kd> ln fffff80003cef274
(fffff800`03cef230)   nt!IofCallDriver+0x44   |  (fffff800`03cef290)   nt!ExQueryDepthSList

^^ From the above, we can see that the exception occurred in nt!IofCallDriver. We can also see mention of nt!ExQueryDepthSList, which is a routine that returns the number of entries currently in a given sequenced singly linked list.
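A quick way to see what `ln` is actually reporting: it lists the nearest symbol at or below the address and the next symbol above it, so the right-hand name is simply whatever follows in the address space, and the hard information in that line is the +0x44 offset into nt!IofCallDriver. The C program below, written for this post as an added example (it is not from the original post or from WinDbg), performs that lookup over a constructed symbol table that reuses the two addresses printed above; the two nt!Hypothetical* entries are made up so the search has neighbours on both sides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed symbol table. The two nt! addresses are the ones printed by `ln`
 * in the post; the other entries are hypothetical neighbours added so the
 * lookup has something on both sides. Must stay sorted by address. */
typedef struct {
    uint64_t start;
    const char *name;
} Symbol;

static const Symbol kSymbols[] = {
    { 0xfffff80003cef100ULL, "nt!HypotheticalBefore" },  /* constructed */
    { 0xfffff80003cef230ULL, "nt!IofCallDriver" },       /* from the post */
    { 0xfffff80003cef290ULL, "nt!ExQueryDepthSList" },   /* from the post */
    { 0xfffff80003cef400ULL, "nt!HypotheticalAfter" },   /* constructed */
};
#define NUM_SYMBOLS (sizeof kSymbols / sizeof kSymbols[0])

typedef struct {
    const char *nearest;  /* symbol at or below the address (left side of ln) */
    uint64_t offset;      /* how far into that symbol the address lies */
    const char *next;     /* first symbol strictly above the address (right side) */
} NearestSymbols;

/* Resolve addr the way `ln` does: the last symbol whose start <= addr and the
 * first whose start > addr. nearest is NULL when nothing lies at or below addr. */
NearestSymbols resolve_nearest(uint64_t addr) {
    NearestSymbols r = { NULL, 0, NULL };
    for (size_t i = 0; i < NUM_SYMBOLS; i++) {
        if (kSymbols[i].start <= addr) {
            r.nearest = kSymbols[i].name;
            r.offset = addr - kSymbols[i].start;
        } else {
            r.next = kSymbols[i].name;
            break;
        }
    }
    return r;
}

int main(void) {
    /* The faulting address from the bug check parameters in the post. */
    uint64_t addr = 0xfffff80003cef274ULL;
    NearestSymbols r = resolve_nearest(addr);
    if (r.nearest)
        printf("%016llx  %s+0x%llx  |  %s\n", (unsigned long long)addr, r.nearest,
               (unsigned long long)r.offset, r.next ? r.next : "(none)");
    return 0;
}
```

The printed line reproduces the shape of the `ln` output: the symbol the address falls inside, its offset, and the symbol that happens to come next.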

Linked list + an exception occurring in nt!IofCallDriver. Well, what driver? This is very suspicious. At this point, I was very concerned a rootkit was present on the system. Why did I become suspicious of a rootkit being present? Well, first we must understand how rootkits work. I am not going to go extremely in-depth, but I will of course explain!

--------------------

In its most basic description, rootkits (at least in this generation) thrive on what is known as Direct Kernel Object Manipulation (DKOM). DKOM greatly increases the sophistication of a rootkit and allows it to go undetected by today's basic antivirus suites. Some of the things it allows rootkits to do are:

1. Hook the Interrupt Descriptor Table (IDT). By doing this, the rootkit can filter exported kernel functions. Remember, interrupts signal the kernel that something needs to be done. That's exactly how today's OSes work; they are driven by interrupts.

-- It's worth noting that current generation (as of this post, at least) rootkits actually no longer hook, as it's detectable. However, as far as I know, the IDT is still hooked.

2. Direct access to kernel memory.

3. Modify objects in memory and go undetected in doing so.

4. Hide processes, files, network-based connections (ports), etc.

5. Add privileges/groups to tokens. It can also go one step further and manipulate the token to fool Event Viewer.

etc...

-------------------- 

With this said, let's take a look at how processes are overall managed by the OS:

(thanks to the HB Gary .pdf for this)

I am not going to go in-depth here, but if you'd like to understand a fair amount about this diagram, my good friend Harry has written about it (here).

Essentially, rootkits take advantage of the linked list structure by using DKOM to modify pointers within the list. Rootkits change the Flink and Blink pointers (which we can see in the above diagram) of the neighbouring entries so that the list wraps around the processes that should be hidden.
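To make the Flink/Blink trick and its detection concrete, here is a small C simulation written for this post (it is not Windows code and not from the HB Gary paper): a toy process object with an embedded LIST_ENTRY-style link, the unlink the paragraph describes, and a cross-view check that compares a walk of the list against the table of every allocated object, which is the principle rootkit scanners rely on. All names (FakeProcess, dkom_unlink, the three process entries and their PIDs) are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy equivalents of LIST_ENTRY and the EPROCESS fields we care about. */
typedef struct ListEntry {
    struct ListEntry *Flink;
    struct ListEntry *Blink;
} ListEntry;

typedef struct {
    unsigned pid;
    const char *name;
    ListEntry ActiveProcessLinks;   /* the link the kernel's process list runs through */
} FakeProcess;

#define PROCESS_FROM_ENTRY(e) \
    ((FakeProcess *)((char *)(e) - offsetof(FakeProcess, ActiveProcessLinks)))

void list_init(ListEntry *head) { head->Flink = head->Blink = head; }

void list_insert_tail(ListEntry *head, ListEntry *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* The manipulation the post describes: the neighbours are pointed at each
 * other so a walk from the list head skips this object. The object itself
 * is untouched and still exists in memory. */
void dkom_unlink(ListEntry *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* View 1: enumerate by walking ActiveProcessLinks from the head, which is
 * what a list-based process enumeration sees. */
size_t walk_list(const ListEntry *head, const FakeProcess **out, size_t cap) {
    size_t n = 0;
    for (const ListEntry *e = head->Flink; e != head; e = e->Flink) {
        if (n < cap) out[n] = PROCESS_FROM_ENTRY(e);
        n++;
    }
    return n;
}

/* A node that is genuinely linked satisfies both of these; an unlinked one
 * still points at its old neighbours, which no longer point back. */
bool entry_is_consistent(const ListEntry *e) {
    return e->Flink->Blink == e && e->Blink->Flink == e;
}

/* View 2: the table of every allocated object (stand-in for a pool scan or
 * the PID handle table). Cross-view detection reports objects that the table
 * knows about but the list walk never reaches. */
size_t find_hidden(const ListEntry *head, FakeProcess *all, size_t n,
                   const FakeProcess **hidden, size_t cap) {
    const FakeProcess *seen[64];
    size_t nseen = walk_list(head, seen, 64);
    if (nseen > 64) nseen = 64;
    size_t nhidden = 0;
    for (size_t i = 0; i < n; i++) {
        bool found = false;
        for (size_t j = 0; j < nseen; j++)
            if (seen[j] == &all[i]) { found = true; break; }
        if (!found) {
            if (nhidden < cap) hidden[nhidden] = &all[i];
            nhidden++;
        }
    }
    return nhidden;
}

/* Constructed scenario: three processes, the second one gets unlinked. */
void build_demo(FakeProcess procs[3], ListEntry *head) {
    FakeProcess init[3] = {
        { 4,    "System",       { NULL, NULL } },
        { 1337, "hidden.exe",   { NULL, NULL } },
        { 2000, "explorer.exe", { NULL, NULL } },
    };
    for (size_t i = 0; i < 3; i++) procs[i] = init[i];
    list_init(head);
    for (size_t i = 0; i < 3; i++) list_insert_tail(head, &procs[i].ActiveProcessLinks);
    dkom_unlink(&procs[1].ActiveProcessLinks);
}

size_t demo_visible_count(void) {
    FakeProcess procs[3]; ListEntry head; const FakeProcess *seen[8];
    build_demo(procs, &head);
    return walk_list(&head, seen, 8);
}

unsigned demo_hidden_pid(void) {
    FakeProcess procs[3]; ListEntry head; const FakeProcess *hidden[8];
    build_demo(procs, &head);
    size_t n = find_hidden(&head, procs, 3, hidden, 8);
    for (size_t i = 0; i < n; i++)
        printf("hidden: pid %u (%s), links consistent: %s\n", hidden[i]->pid, hidden[i]->name,
               entry_is_consistent(&hidden[i]->ActiveProcessLinks) ? "yes" : "no");
    return n == 1 ? hidden[0]->pid : 0;
}

int main(void) {
    printf("list walk sees %zu of 3 processes\n", demo_visible_count());
    printf("cross-view found pid %u\n", demo_hidden_pid());
    return 0;
}
```

The point of the two views is that the list walk alone is exactly the data the rootkit controls; only a second, independent source of truth (and the Flink/Blink consistency check) exposes the gap.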

-------------------- 

Now that we understand all of that, you should also see why I was suspicious when I saw a linked list routine alongside an exception occurring in nt!IofCallDriver.

When I saw this, I had the user run aswMBR. This is a rootkit scanner that scans for TDL4/3, MBRoot (Sinowal), Whistler and other rootkits. Here was the log:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-03-28 10:16:54
-----------------------------
10:16:54.620    OS Version: Windows x64 6.1.7601 Service Pack 1
10:16:54.620    Number of processors: 2 586 0x170A
10:16:54.622    ComputerName: **Removed** UserName:
10:16:58.691    Initialze error C0000001 - driver not loaded
10:17:34.248    Service scanning
10:17:35.346    Service 3d0ce9e8976dc0a9 C:\Windows\System32\Drivers\3d0ce9e8976dc0a9.sys **HIDDEN**
10:18:19.964    Modules scanning
10:18:19.972    Disk 0 trace - called modules:
10:18:19.977  
10:18:19.982    Scan finished successfully
10:18:59.144    The log file has been saved successfully to "C:\Users\**Removed**\Desktop\aswMBR.txt"

From the above log, we can see it's showing a hidden service (the driver appears to be loading at boot). The 3d0ce9e8976dc0a9.sys driver is the driver responsible for the nt!IofCallDriver call.

The user also noted that when attempting to install HijackThis, they got the following message:

The system administrator has set policies to prevent this installation.

Remember step #5 from above?

5. Add privileges/groups to tokens. It can also go one step further and manipulate the token to fool Event Viewer.

This appears to be exactly what the rootkit did: it modified tokens to disallow the install of HijackThis, and probably other common startup/hijacker detection software as well.

-------------------- 

Overall, the user reinstalled the OS.

Thanks for reading, more debugging posts soon!

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - BSOD while watching online video - Windows 7 x86

What the issue was -
Broadcom MediaPC HD Video Decoder driver needed to be updated.

[SOLVED] SYSTEM_SERVICE_EXCEPTION

Link to solved thread - Driver problem (code 37)

What the issue was -
After debugging, I believed the system may have been infected with a rootkit. The user ran aswMBR and a rootkit was discovered. The OS was reinstalled.

-- I will be writing an extensive debugging blog post on this specific thread.

[SOLVED] IRQL_GT_ZERO_AT_SYSTEM_SERVICE

Link to solved thread - MSI GT60 BSOD WIN7 IRQL_GT_ZERO_AT_SYSTEM_SERVICE

What the issue was -
Bitdefender needed to be removed and replaced with MSE.

[SOLVED] MULTIPLE_IRP_COMPLETE_REQUESTS

Link to solved thread - BSOD starting some games

What the issue was - 


- AODDriver2.sys was listed and loaded and the software needed to be removed.

- vmote.sys renamed to vmote.old.

[SOLVED] SYSTEM_SERVICE_EXCEPTION

Link to solved thread - Can some one explain these dumpfiles Please

What the issue was -
AODDriver2.sys was listed and loaded and the software needed to be removed.

[SOLVED] INTERNAL_POWER_ERROR / KERNEL_DATA_INPAGE_ERROR

Link to solved thread - KERNAL_DATA_INPAGE_ERROR

What the issue was -
Hibernate file needed to be increased to 100%.

[SOLVED] KERNEL_SECURITY_CHECK_FAILURE / MEMORY_MANAGEMENT / SYSTEM_SERVICE_EXCEPTION / IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - BSoD multiple times a day

What the issue was - 


- Asus bloatware needed to be removed.

- Video card drivers needed to be updated.

[SOLVED] IRQL_GT_ZERO_AT_SYSTEM_SERVICE

Link to solved thread - BSOD - Locale ID: 1033 - BCCode: 4a - Win7 Ultimate 64-bit

What the issue was -
Bitdefender needed to be removed and replaced with MSE.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - Drive Power State Failure Windows 8.1 64-Bit

What the issue was - 


- Video card drivers needed to be updated.

- AiCharger.sys was present on the system, therefore Asus bloatware needed to be uninstalled.

- Kaspersky needed to be removed and replaced with Windows Defender.

[SOLVED] IRQL_GT_ZERO_AT_SYSTEM_SERVICE

Link to solved thread - BSOD ntoskrnl.exe (nt+0x75BC0)

What the issue was -
Bitdefender needed to be removed and replaced with MSE.

[SOLVED] SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M

Link to solved thread - BSOD "dxgmms1.sys" while playing World of Warcraft on Windows 7 Ultimate x64

What the issue was - 


- AVG needed to be removed and replaced with MSE.

- Daemon Tools needed to be removed.

- Video card drivers needed to be updated.

[SOLVED] CACHE_MANAGER

Link to solved thread - error CACHE_MANAGER ntoskrnl.exe+14dca0

What the issue was - 


- AODDriver2.sys was listed and loaded and the software needed to be removed.

- AnyDVD needed to be removed.

- sptd.sys was listed and loaded and needed to be removed.

- ESET needed to be removed and replaced with Windows Defender.

- TuneUpUtilities needed to be removed

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL / SYSTEM_SERVICE_EXCEPTION

Link to solved thread - Help me Fix Blue Screen Errors on Windows 8.1

What the issue was - 


- Video card drivers needed to be updated.

- ROCCAT drivers needed to be updated.

- RivaTuner/EVGA Precision/MSI Afterburner needed to be removed.

[SOLVED] SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M / DPC_WATCHDOG_VIOLATION

Link to solved thread - DPC_WATCHDOG_VIOLATION crashing frequently

What the issue was - 


- Video card drivers needed to be updated.

- Asus bloatware needed to be removed.

- avast! needed to be removed and replaced with Windows Defender.

- PowerISO needed to be removed.

- TuneUpUtilities needed to be removed.

[SOLVED] WHEA_UNCORRECTABLE_ERROR

Link to solved thread - WHEA_UNCORRECTABLE_ERROR while playing games

What the issue was -
CMOS needed to be cleared, there was an improper BIOS setting.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - Many BSOD's caused by: ntoskrnl.exe (nt+0x14DCA0)

What the issue was - 


- Intel Rapid Storage Technology needed to be updated.

- AiCharger.sys was present on the system, therefore Asus bloatware needed to be uninstalled.

- Norton needed to be replaced with Windows Defender.

[SOLVED] SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M

Link to solved thread - The Blue Screen of Death..

What the issue was - 


- avast! needed to be removed and replaced with MSE.

- Video card drivers needed to be updated.

- WinPCap needed to be uninstalled.

[SOLVED] CRITICAL_PROCESS_DIED / DRIVER_VERIFIER_IOMANAGER_VIOLATION

Link to solved thread - Getting BSOD only when playing Dark Souls (CRITICAL_PROCESS_DIED)

What the issue was -
XInput Wrapper for DS3 was causing conflicts when playing games, however, HDD was also faulty and needed to be replaced.

[SOLVED] MULTIPLE_IRP_COMPLETE_REQUESTS / DRIVER_IRQL_NOT_LESS_OR_EQUAL / SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M

Link to solved thread - BSOD- multiple-irp-complete-requests

What the issue was - 


- AODDriver2.sys was listed and loaded and the software needed to be removed.

- AsRock App Charger needed to be removed.

- Video card drivers needed to be updated.

[SOLVED] IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - Blue Screen with IRQL_NOT_LESS_OR_EQUALin Windows 7

What the issue was -
Norton had to be removed and replaced with MSE.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - BSOD Driver Power State Failure Windows 8 64bit by ntoskrnl.exe

What the issue was -
Intel Rapid Storage/Start Technology was causing conflicts, so it was replaced with the generic driver.

[SOLVED] 0xA0000001

Link to solved thread - Random blue screen problems when playing

What the issue was -
Video card drivers needed to be uninstalled, and then the latest version needed to be installed.

[SOLVED] IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - IRQL Not Less or Equal

What the issue was -
ESET needed to be removed and replaced with Windows Defender.

[SOLVED] IRQL_GT_ZERO_AT_SYSTEM_SERVICE

Link to solved thread - Computer crashed with IRQL_GT_ZERO_AT_SYSTEM_SERVICE

What the issue was -
SoundTap needed to be uninstalled.

Sunday, March 23, 2014

End of the month update coming soon!

We're nearing April 1st already, wow! It seems like just yesterday it was Christmas!

Within the next day or so (hopefully), I will unleash the wave of this month's solved posts I haven't gotten around to posting, and maybe 1-2 (and if I am in a writing mood, more) kernel-based debugging posts. One of them is 0x101 and the other is 0x133.

Stay tuned : )

Friday, March 14, 2014

500 answers on MS Answers

I hit 500 answers on MS Answers today, which is very exciting! I'm very glad that I have provided answers/solutions to so many people. It feels wonderful to be part of a great community. 500 more to go for 1000!

Wednesday, March 12, 2014

[SOLVED] CRITICAL_PROCESS_DIED / KERNEL_SECURITY_CHECK_FAILURE / MEMORY_MANAGEMENT

Link to solved thread - BSOD‘s daily for many times

What the issue was - 


- Asus bloatware needed to be removed.

- Connectify needed to be removed.

- PowerISO needed to be removed.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - Driver IRQL not less or equal - EtronXHCI.sys

What the issue was -
Etron USB 3.0 Extensible Host Controller driver needed to be updated.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - Windows 8 Blue Screen crash problem

What the issue was -
QuickHeal needed to be removed and replaced with Windows Defender.

[SOLVED] VIDEO_DXGKRNL_FATAL_ERROR

Link to solved thread - Windows 8.1 (VIDEO_DXGKRNL_FATAL_ERROR)

What the issue was - 


- Video card drivers needed to be updated.

- McAfee needed to be replaced with Windows Defender.

[SOLVED] IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - Windows 8.1 BSOD IRQL_NOT_LESS_OR_EQUAL

What the issue was -
AVG needed to be removed and replaced with Windows Defender.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - Windows 7 Blue Screen

What the issue was - 


- HUAWEI Mobile Connect driver needed to be updated.

- ESET needed to be removed and replaced with MSE.

- Daemon Tools needed to be removed.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - Windows BlueScreen 9F when going to sleep

What the issue was -
Kaspersky was causing network conflicts, therefore it was removed and replaced with MSE. When Kaspersky was reinstalled, the crashes returned, so Kaspersky was contacted. I am not aware whether the user received a fix or patch from Kaspersky.

[SOLVED] KERNEL_SECURITY_CHECK_FAILURE

Link to solved thread - kernel security check failure

What the issue was -
Gigabyte Easy Saver (and/or Easy Tune) needed to be removed.

Sunday, March 9, 2014

Most Answers for the Week badge #4

I have received my 4th badge for getting the Most Answers for the Week in the Windows category of Answers. I received the last one on Dec. 29th. Onward and upward!

Friday, March 7, 2014

0x7C Debugging

I've been working on a thread (here) in which I managed to get my first look into an 0x7C. Unfortunately, it was not a Kernel-Dump, and the user has been MIA since following my recommendations, so I imagine it's solved and they just never reported back.

BUGCODE_NDIS_DRIVER (7c)

This bug check indicates that a problem occurred with an NDIS driver.

So there's the basic definition of this particular bug check. Let's get into the debugging, shall we?

--------------------


BugCheck 7C, {1f, ffffe000027491a0, 1, 0}

^^ The 1st parameter of the bug check is 0x01, which indicates that the 2nd parameter of the bug check is a miniport address.

Let's look into it:

3: kd> !ndiskd.miniport ffffe000027491a0

MINIPORT

    [Pointer is unavailable; cannot dereference]

    Ndis Handle        ffffe000027491a0
    Ndis API Version   [Unreadable version value]
    Adapter Context    ffffe0000274b000
    Miniport Driver    ffffe0000274a068 - [Unreadable MiniBlock]  [Unreadable version value]
    Ndis Verifier      [Unreadable value]

    Media Type         802.3
    Physical Medium    802.3
    Device Path        String with 144 characters [Buffer at ffffc000005f88f0 is not available]
    Device Object      [DeviceObject at ffffe0000274a0a8 is not readable]
    MAC Address        [MAC address at ffffcf8001cfcfb0 is unavailble]

^^ We likely cannot read the Miniport Driver or Device Object fields because it's not a Kernel-Dump. Anyway, from this we can see that the type of media that disconnected was 802.3, which is wired Ethernet.


STATE

    Miniport           PAUSING
    Device PnP         Started
    Datapath           00000002          ← DIVERTED_BECAUSE_MEDIA_DISCONNECTED
    NBL Status         NDIS_STATUS_MEDIA_DISCONNECTED
    Operational status [Unreadable value]
    Operational flags  [Unreadable value]
    Admin status       [Unreadable value]
    Media              MediaDisconnected
    Device Power       [Unreadable value]
    Driver Power       [Unreadable value]
    References         [Ref.ReferenceCount at ffffe0000274a328 is not readable]
    User Handles       0
    Total Resets       0
    Pending OID        None

^^ From the above we can see that 802.3 was reported disconnected, and because of that, there was a pause. The miniport cannot send data at this time because its media is disconnected. NDIS will intercept transmitted packets and immediately return them with an unsuccessful status code.

The problem is, we likely never return from this pause and/or disconnected state, at least we didn't at the time of the crash.

If we take a look at the call stack:

3: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`20186938 fffff800`00e542fd : 00000000`0000007c 00000000`0000001f ffffe000`027491a0 00000000`00000001 : nt!KeBugCheckEx
ffffd000`20186940 fffff800`00e3f485 : ffffe000`027491a0 00000000`00000000 ffffe000`02748020 ffffe000`0274a5e8 : ndis!ndisBugCheckEx+0x1d
ffffd000`20186980 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!NdisMPauseComplete+0x1b235

^^ NDIS calls a miniport driver's MiniportPause function to initiate a pause request for a miniport adapter. The miniport adapter remains in the Pausing state until the pause operation is complete.

After a miniport driver completes all outstanding send requests and NDIS returns all the network data structures in outstanding receive indications to the driver, the driver calls NdisMPauseComplete to complete the pending pause request. After the driver calls NdisMPauseComplete, the miniport adapter is in the Paused state.

NDIS calls the MiniportRestart function to initiate a restart request for a miniport adapter that is paused.

As we can see however, this never occurred, and instead, NDIS called into a bugcheck which brought down the system.
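The pause/restart sequence above is easier to reason about as a small state machine. The following C model is an added example written for this post, not NDIS source: it encodes the Running -> Pausing -> Paused -> Running transitions, refuses the NdisMPauseComplete step while sends are still outstanding, turns sends around immediately while the adapter is not Running, and shows how a single send request the driver never completes leaves the adapter stuck in Pausing until a watchdog gives up. The state names, the 5-tick deadline and all function names are constructed and do not correspond to real NDIS timeouts.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the miniport adapter states the post walks through. */
typedef enum { MP_RUNNING, MP_PAUSING, MP_PAUSED } MiniportState;

typedef struct {
    MiniportState state;
    unsigned outstanding_sends;     /* send requests the driver has not completed */
    unsigned outstanding_receives;  /* receive indications NDIS has not returned */
    unsigned ticks_pausing;         /* constructed watchdog counter */
} Miniport;

enum { PAUSE_DEADLINE_TICKS = 5 };  /* constructed value, not an NDIS constant */

/* NDIS -> driver: MiniportPause. Legal only from Running; the adapter then
 * stays in Pausing until the driver completes the request. */
bool ndis_request_pause(Miniport *mp) {
    if (mp->state != MP_RUNNING) return false;
    mp->state = MP_PAUSING;
    mp->ticks_pausing = 0;
    return true;
}

/* driver -> NDIS: NdisMPauseComplete. Legal only in Pausing, and only once
 * every outstanding send and receive has been accounted for. */
bool driver_pause_complete(Miniport *mp) {
    if (mp->state != MP_PAUSING) return false;
    if (mp->outstanding_sends != 0 || mp->outstanding_receives != 0) return false;
    mp->state = MP_PAUSED;
    return true;
}

/* NDIS -> driver: MiniportRestart, legal only from Paused. */
bool ndis_request_restart(Miniport *mp) {
    if (mp->state != MP_PAUSED) return false;
    mp->state = MP_RUNNING;
    return true;
}

/* Data path: a send is accepted only while Running; otherwise it is returned
 * immediately with a failure status, as the post describes for a disconnected
 * medium. */
bool miniport_send(Miniport *mp) {
    if (mp->state != MP_RUNNING) return false;
    mp->outstanding_sends++;
    return true;
}

void driver_complete_send(Miniport *mp) {
    if (mp->outstanding_sends) mp->outstanding_sends--;
}

/* Watchdog tick: true once a pause has overrun its deadline, the situation
 * the crash in this post reached. */
bool pause_overdue(Miniport *mp) {
    if (mp->state != MP_PAUSING) return false;
    return ++mp->ticks_pausing > PAUSE_DEADLINE_TICKS;
}

/* Scenario A: the driver completes its send and then completes the pause. */
bool demo_clean_pause(void) {
    Miniport mp = { MP_RUNNING, 0, 0, 0 };
    miniport_send(&mp);
    ndis_request_pause(&mp);
    bool rejected_send = !miniport_send(&mp);       /* not Running any more */
    bool early = driver_pause_complete(&mp);        /* rejected: send outstanding */
    driver_complete_send(&mp);
    bool done = driver_pause_complete(&mp);
    return rejected_send && !early && done && ndis_request_restart(&mp) && mp.state == MP_RUNNING;
}

/* Scenario B: one send is never completed, so the pause can never complete
 * and the watchdog eventually fires. */
bool demo_stuck_pause(void) {
    Miniport mp = { MP_RUNNING, 0, 0, 0 };
    miniport_send(&mp);
    ndis_request_pause(&mp);
    for (int i = 0; i < 100; i++) {
        driver_pause_complete(&mp);   /* keeps failing: outstanding_sends == 1 */
        if (pause_overdue(&mp)) return true;
    }
    return false;
}

int main(void) {
    printf("clean pause and restart: %s\n", demo_clean_pause() ? "ok" : "FAIL");
    printf("stuck pause detected by watchdog: %s\n", demo_stuck_pause() ? "yes" : "no");
    return 0;
}
```

Scenario B is the shape of the failure in this thread: nothing is wrong with the pause request itself, the adapter simply never gets the completion it is waiting for, so Pausing is where it is still sitting when the system goes down.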

--------------------

Overall, I recommended the user do two things:

1. Ensure their network drivers were up to date via the manufacturers website.

2. If the user was connecting wirelessly, remove the wireless from the equation and attempt to connect via wired Ethernet for a while to see if the crashes stop. If the user was using a USB wireless adapter instead of the laptop's built-in wireless, remove it.

Finally, if the above two failed, I mentioned that a faulty NIC was likely. I haven't heard anything bad back yet, and it has been over a week, so I imagine everything is okay. Hopefully.


That's all!

[SOLVED] MEMORY_MANAGEMENT / KERNEL_DATA_INPAGE_ERROR

Link to solved thread - Blue Screen Error kernel_data_inpage_error ASSISTANCE PLEASE

What the issue was -
Kaspersky needed to be removed and replaced with Windows Defender. The user wanted to continue to use Kaspersky, so Kaspersky was contacted for a patch/workaround. I don't know whether it was ever provided.

[SOLVED] CRITICAL_STRUCTURE_CORRUPTION

Link to solved thread - BSDO with Critical Structure Corruption

What the issue was - 


- AVG needed to be removed and replaced with Windows Defender.

- Daemon Tools needed to be removed.

- sptd.sys needed to be removed.

Saturday, March 1, 2014

[SOLVED] KERNEL_DATA_INPAGE_ERROR

Link to solved thread - 2-3 Times BSOD Everyday after Upgrading to Windows 8.1

What the issue was -


- McAfee needed to be removed and replaced with Windows Defender.

- Asus bloatware needed to be uninstalled.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - BSOD with Windows 7, HP Eitebook 2560p

What the issue was -
WiFi drivers needed to be updated.

[SOLVED] IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - BSOD IRQL_NOT_LESS_OR_EQUAL every restart hal.dll

What the issue was -
Realtek card reader driver needed to be updated.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - windows 8 driver_irql_not_less_or_equal (Netio.sys), can anyone help me?

What the issue was -
Avira needed to be removed and replaced with Windows Defender.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL / QUOTA_UNDERFLOW

Link to solved thread - BSOD help please

What the issue was -
Video card drivers needed to be updated, as well as the BIOS.

[SOLVED] PAGE_FAULT_IN_NONPAGED_AREA

Link to solved thread - bluescreen on clean install

What the issue was -
Video card driver needed to be downloaded and installed from Intel's site as opposed to the manufacturer's.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - Windows 8.1 64-bit "Driver_Power_State Failure"

What the issue was - 


- AMD Overdrive needed to be uninstalled.

- Atheros Bluetooth drivers needed to be updated.

[SOLVED] KERNEL_DATA_INPAGE_ERROR

Link to solved thread - Windows 8: randomly getting kernel_data_inpage_error BSOD

What the issue was -
Avira and McAfee were both installed, which was creating conflicts and file system corruption; both needed to be removed and replaced with Windows Defender.

[SOLVED] VIDEO_TDR_FAILURE

Link to solved thread - BSOD, Locale ID: 1033, BCCode: 116

What the issue was -
Video card was faulty.

[SOLVED] VIDEO_DXGKRNL_FATAL_ERROR

Link to solved thread - Windows 8.1 BSOD caused by dxgkrnl.sys and/or watchdog.sys

What the issue was - 


- Latest video card drivers needed to be installed.

- AVG needed to be removed and replaced with Windows Defender.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - BSOD on NEW win 8.1 Computer

What the issue was - 


- nVidia drivers needed to be updated.

- avast! needed to be removed and replaced with Windows Defender.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - DRIVER_POWER_STATE_FAILURE Blue Screen Error

What the issue was -
Intel Rapid Storage Technology's driver needed to be replaced with the generic Windows driver.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL / SYSTEM_SERVICE_EXCEPTION

Link to solved thread - BSOD Week 2

What the issue was - 


- Daemon Tools needed to be uninstalled.

- InterVideo needed to be uninstalled.

- Realtek Wireless LAN drivers needed to be updated.

[SOLVED] BAD_POOL_HEADER

Link to solved thread - Getting error bad_pool_header on bootup Plz help (win8.1)

What the issue was -
AVG needed to be removed and replaced with Windows Defender.

[SOLVED] DPC_WATCHDOG_VIOLATION / SYSTEM_SERVICE_EXCEPTION / MULTIPLE_IRP_COMPLETE_REQUESTS

Link to solved thread - Windows 8.1 BSOD

What the issue was - 


- WinPcap needed to be uninstalled.

- doubleTwist iPod software needed to be uninstalled.

- Hamachi needed to be updated due to 0x44 BSOD bug.

- McAfee needed to be removed and replaced with Windows Defender.