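def invoke(self, ctlcode, value, outlength=0x1000):
    """Send one IOCTL to the driver device and return what it wrote back.

    The device ``\\\\.\\<pipepath>`` is opened for the duration of a single
    DeviceIoControl call and closed again before returning.

    Args:
        ctlcode: IOCTL control code handed to DeviceIoControl.
        value: input buffer; its ``len()`` is passed as the input size, so
            it must be a ``str``/buffer-like object.
        outlength: size in bytes of the output buffer offered to the driver.

    Returns:
        The driver's output bytes, truncated to the length it reported, or
        ``False`` when the device could not be opened or the ioctl failed.
    """
    device_path = "\\\\.\\%s" % self.pipepath
    # CreateFileA comes back through ctypes' default c_int return type, so
    # INVALID_HANDLE_VALUE arrives as -1; reducing modulo 2**32 lets the
    # comparison against 0xffffffff work on both 32- and 64-bit builds.
    device_handle = KERNEL32.CreateFileA(
        device_path,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        None, OPEN_EXISTING, 0, None) % 2**32
    if device_handle == 0xffffffff:
        # Read the thread's last-error value once, before anything else
        # (including the logging call) can overwrite it.
        error = KERNEL32.GetLastError()
        # ERROR_FILE_NOT_FOUND (2) only means that no kernel analysis is
        # currently running, which does not merit a warning.
        if error != 2:
            # Log the path that was actually opened; the name the original
            # message referenced (``driver_name``) is not defined here.
            log.warning("Error opening handle to driver (%s): %d!",
                        device_path, error)
        return False

    out = ctypes.create_string_buffer(outlength)
    length = ctypes.c_uint()
    try:
        ret = KERNEL32.DeviceIoControl(
            device_handle, ctlcode, value, len(value),
            out, ctypes.sizeof(out), ctypes.byref(length), None)
        # Capture before CloseHandle, which may clobber the last error.
        error = KERNEL32.GetLastError()
    finally:
        # Release the handle even if ctypes raises on a bad argument.
        KERNEL32.CloseHandle(device_handle)
    if not ret:
        log.warning("Error performing ioctl (0x%08x): %d!", ctlcode, error)
        return False
    # Only the bytes the driver says it produced are meaningful.
    return out.raw[:length.value]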
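def kernel_analyze(self):
    """Install the zer0m0n minifilter driver and hand it the analysis context.

    In order: pick the driver image matching the OS bitness from ``dll/``,
    copy it and ``logs_dispatcher.exe`` under random names, write a matching
    INF, install it via ``setupapi`` and start the service, launch the
    dispatcher, write ``%TEMP%\\<pid>.ini`` with the result-server address
    and pipe name, then send the pid set and the analyzer directory to the
    driver over its device.

    Returns:
        ``True`` once the driver has been given the pids; ``False`` when a
        required file is missing, the dispatcher could not be started, or
        the driver device could not be opened (the last case used to report
        ``True`` even though nothing had been sent to the driver).
    """
    log.info("Starting kernel analysis")
    log.info("Installing driver")

    # Evaluate once: the same answer selects the driver image and drives
    # the WOW64 redirection toggles further down.
    os_is_64bit = is_os_64bit()
    dll_dir = os.path.join(os.getcwd(), "dll")
    sys_file = os.path.join(
        dll_dir, "zer0m0n_x64.sys" if os_is_64bit else "zer0m0n.sys")
    exe_file = os.path.join(dll_dir, "logs_dispatcher.exe")
    if not os.path.exists(sys_file) or not os.path.exists(exe_file):
        log.warning("No valid zer0m0n files to be used for process with pid %d, injection aborted", self.pid)
        return False

    # Random names for the copied binaries and the service, so the
    # on-disk artifacts do not carry a fixed, recognisable name.
    exe_name = random_string(6)
    service_name = random_string(6)
    driver_name = random_string(6)
    inf_data = self._zer0m0n_inf(service_name, driver_name)

    new_inf = os.path.join(dll_dir, "{0}.inf".format(service_name))
    new_sys = os.path.join(dll_dir, "{0}.sys".format(driver_name))
    copy(sys_file, new_sys)
    new_exe = os.path.join(dll_dir, "{0}.exe".format(exe_name))
    copy(exe_file, new_exe)
    log.info("[-] Driver name : %s", new_sys)
    log.info("[-] Inf name : %s", new_inf)
    log.info("[-] Application name : %s", new_exe)
    log.info("[-] Service : %s", service_name)
    # NOTE(review): text mode ("w") is kept as in the original; on Windows
    # it rewrites the explicit "\r\n" separators as "\r\r\n".
    with open(new_inf, "w") as fh:
        fh.write(inf_data)

    if os_is_64bit:
        # Presumably so the native system binaries are used below — kept
        # exactly as before; the redirection is restored on every exit path.
        wow64 = c_ulong(0)
        KERNEL32.Wow64DisableWow64FsRedirection(byref(wow64))

    # Both command lines are built only from this process' own working
    # directory and a random service name, so no external input reaches
    # the shell.
    os.system('cmd /c "rundll32 setupapi.dll, InstallHinfSection DefaultInstall 132 ' + new_inf + '"')
    os.system("net start " + service_name)

    si = STARTUPINFO()
    si.cb = sizeof(si)
    pi = PROCESS_INFORMATION()
    ldp = KERNEL32.CreateProcessA(
        new_exe, None, None, None, None, CREATE_NEW_CONSOLE, None,
        os.getenv("TEMP"), byref(si), byref(pi))
    if not ldp:
        if os_is_64bit:
            KERNEL32.Wow64RevertWow64FsRedirection(wow64)
        log.error("Failed starting %s.exe.", exe_name)
        return False

    # <pid>.ini in TEMP: result-server address and pipe name (presumably
    # read by the dispatcher started above).
    config_path = os.path.join(os.getenv("TEMP"), "%s.ini" % self.pid)
    with open(config_path, "w") as config:
        cfg = Config("analysis.conf")
        config.write("host-ip={0}\n".format(cfg.ip))
        config.write("host-port={0}\n".format(cfg.port))
        config.write("pipe={0}\n".format(PIPE))

    log.info("Sending startup information")
    hFile = KERNEL32.CreateFileA(
        PATH_KERNEL_DRIVER, GENERIC_READ | GENERIC_WRITE, 0, None,
        OPEN_EXISTING, 0, None)
    if os_is_64bit:
        KERNEL32.Wow64RevertWow64FsRedirection(wow64)
    # CreateFileA reports failure with INVALID_HANDLE_VALUE (-1 as a c_int),
    # which is truthy: a bare ``if hFile`` treated a failed open as success.
    if hFile % 2**32 == 0xffffffff:
        log.warning("Failed to access kernel driver")
        return False

    ppid = Process(pid=os.getpid()).get_parent_pid()
    pid_vboxservice, pid_vboxtray = self._find_vbox_pids()

    bytes_returned = c_ulong(0)
    # Underscore-separated, NUL-terminated pid list, in the original order.
    msg = "_".join(str(value) for value in (
        self.pid, ppid, os.getpid(), pi.dwProcessId,
        pid_vboxservice, pid_vboxtray)) + "\0"
    if not KERNEL32.DeviceIoControl(hFile, IOCTL_PID, msg, len(msg), None,
                                    0, byref(bytes_returned), None):
        log.warning("IOCTL_PID failed: %d", KERNEL32.GetLastError())
    # NOTE(review): the length sent is the character count of the wide
    # string, not its byte size, exactly as before — the driver-side
    # contract is not visible here.
    wide_path = unicode(os.getcwd() + "\0")
    if not KERNEL32.DeviceIoControl(hFile, IOCTL_CUCKOO_PATH, wide_path,
                                    len(wide_path), None, 0,
                                    byref(bytes_returned), None):
        log.warning("IOCTL_CUCKOO_PATH failed: %d", KERNEL32.GetLastError())
    # hFile is deliberately left open, as the original did: whether the
    # driver ties state to this file object cannot be determined here.
    return True

def _zer0m0n_inf(self, service_name, driver_name):
    """Return the INF text installing ``driver_name`` as a minifilter service.

    One INF line per list element, joined with CRLF and no trailing
    newline, reproducing the original literal byte for byte. ``Prov`` and
    ``ServiceDescription`` are fresh random strings, drawn in that order.
    """
    provider = random_string(8)
    description = random_string(12)
    lines = [
        '[Version]',
        'Signature = "$Windows NT$"',
        'Class = "ActivityMonitor"',
        'ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}',
        'Provider= %Prov%',
        'DriverVer = 22/01/2014,1.0.0.0',
        'CatalogFile = %DriverName%.cat',
        '[DestinationDirs]',
        'DefaultDestDir = 12',
        'MiniFilter.DriverFiles = 12',
        '[DefaultInstall]',
        'OptionDesc = %ServiceDescription%',
        'CopyFiles = MiniFilter.DriverFiles',
        '[DefaultInstall.Services]',
        'AddService = %ServiceName%,,MiniFilter.Service',
        '[DefaultUninstall]',
        'DelFiles = MiniFilter.DriverFiles',
        '[DefaultUninstall.Services]',
        'DelService = %ServiceName%,0x200',
        '[MiniFilter.Service]',
        'DisplayName= %ServiceName%',
        'Description= %ServiceDescription%',
        'ServiceBinary= %12%\\%DriverName%.sys',
        'Dependencies = "FltMgr"',
        'ServiceType = 2',
        'StartType = 3',
        'ErrorControl = 1',
        'LoadOrderGroup = "FSFilter Activity Monitor"',
        'AddReg = MiniFilter.AddRegistry',
        '[MiniFilter.AddRegistry]',
        'HKR,,"DebugFlags",0x00010001 ,0x0',
        'HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%',
        'HKR,"Instances\\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%',
        'HKR,"Instances\\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%',
        '[MiniFilter.DriverFiles]',
        '%DriverName%.sys',
        '[SourceDisksFiles]',
        driver_name + '.sys = 1,,',
        '[SourceDisksNames]',
        '1 = %DiskId1%,,,',
        '[Strings]',
        'Prov = "' + provider + '"',
        'ServiceDescription = "' + description + '"',
        'ServiceName = "' + service_name + '"',
        'DriverName = "' + driver_name + '"',
        'DiskId1 = "' + service_name + ' Device Installation Disk"',
        'DefaultInstance = "' + service_name + ' Instance"',
        'Instance1.Name = "' + service_name + ' Instance"',
        'Instance1.Altitude = "370050"',
        'Instance1.Flags = 0x0',
    ]
    return "\r\n".join(lines)

def _find_vbox_pids(self):
    """Return ``(pid_vboxservice, pid_vboxtray)``, 0 for any not found.

    Walks a Toolhelp process snapshot to the end (the original's
    ``flag = 0`` was immediately overwritten by ``Process32Next``, so it
    never stopped early either) and always releases the snapshot handle.
    """
    pid_vboxservice = 0
    pid_vboxtray = 0
    proc_info = PROCESSENTRY32()
    proc_info.dwSize = sizeof(PROCESSENTRY32)
    snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    try:
        more = KERNEL32.Process32First(snapshot, byref(proc_info))
        while more:
            exe = proc_info.sz_exeFile
            if exe == "VBoxService.exe":
                log.info("VBoxService.exe found !")
                pid_vboxservice = proc_info.th32ProcessID
            elif exe == "VBoxTray.exe":
                pid_vboxtray = proc_info.th32ProcessID
                log.info("VBoxTray.exe found !")
            more = KERNEL32.Process32Next(snapshot, byref(proc_info))
    finally:
        # The snapshot handle was previously leaked.
        KERNEL32.CloseHandle(snapshot)
    return pid_vboxservice, pid_vboxtray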
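def run(self, waiting_time):
    """Drive one unpacking session through the kernel driver.

    Opens the driver device, creates the target process suspended, hands
    the driver a ``PID_STRUCT`` with the tracking policy, starts the pipe
    reader thread, resumes the target and waits up to
    ``self.max_unpack_time`` for the unpack event. It then issues the
    suspend / post-treatment / untrack-and-resume / cleanup sequence,
    releases the handles, terminates the target and ends this process with
    ``ExitProcess(0)``, so it never returns normally.

    Args:
        waiting_time: kept for interface compatibility; not read here (the
            wait uses ``self.max_unpack_time``).

    Raises:
        UnpackerException: a driver ioctl failed or the wait was abandoned.
        SystemExit: the driver device could not be opened.
    """
    self.hdevice = KERNEL32.CreateFileA(
        self.device_name, GENERIC_READ | GENERIC_WRITE, 0, None,
        OPEN_EXISTING, 0, None)
    if self.hdevice == INVALID_HANDLE_VALUE:
        self.log.error("CreateFileA failed with error : 0x%x" % KERNEL32.GetLastError())
        # quit() is the interactive-site helper and is absent under -S;
        # raise SystemExit directly, with a non-zero status for a failure.
        raise SystemExit(1)
    self.log.info("Driver device file opened, handle = %x" % self.hdevice)

    # TODO: build command line
    self.process = Process(self.command_line, self.log)
    self.process.create_suspended()
    self.pre_run()
    self.log.info("Target process handle value is 0x%x" % self.process.process_handle)

    self.thread_running = True
    reader = Thread(target=self.pipe_reader_thread, args=())

    # The event this method waits on below. Nothing in this method signals
    # it, so it is presumably set by the driver, which can open it by name.
    self.hUnpackEvent = KERNEL32.CreateEventA(NULL, 0, 0, "DaEvent")
    self.UserlandNotidyEvent = KERNEL32.CreateEventA(
        NULL, 0, 0, "UserlandNotidyEvent")

    # Tracking parameters handed to the driver in one ioctl.
    pid_struct = PID_STRUCT()
    pid_struct.do_log = self.kernel_log
    pid_struct.RWEPolicy = self.rwe_policy
    pid_struct.InitialNXState = self.initial_nx_state
    pid_struct.UserlandNotidyEvent = self.UserlandNotidyEvent
    pid_struct.TargetProcessHandle = self.process.process_handle
    self._ioctl(IOCTL_SETUP_STUFF, ctypes.byref(pid_struct),
                ctypes.sizeof(pid_struct))

    reader.start()
    self.process.resume()
    self.log.info("Main thread resumed")

    # Block until the event is signaled or the time budget expires.
    r = KERNEL32.WaitForSingleObject(self.hUnpackEvent, self.max_unpack_time)
    if r == WAIT_ABANDONED:
        self.log.error("Wait abandoned, something went wrong")
        raise UnpackerException("Wait abandoned, something went wrong")
    elif r == WAIT_TIMEOUT:
        self.log.info("Wait timed out")
        self.log.info("Thread suspended")
    elif r == WAIT_OBJECT_0:
        self.log.info("Event signaled")
    else:
        # Any other value (e.g. a failed wait) used to fall through
        # silently; keep the flow but leave a trace in the log.
        self.log.error("WaitForSingleObject returned 0x%x" % r)

    # Same ioctl sequence and order as before; each raises on failure.
    self._ioctl(IOCTL_SUSPEND_TRACKED, NULL, 0)
    self.thread_running = False
    self.post_treatment()
    self._ioctl(IOCTL_UNTRACK_AND_RESUME_PROCESSES, NULL, 0)
    self._ioctl(IOCTL_CLEANUP, NULL, 0)

    KERNEL32.CloseHandle(self.hdevice)
    KERNEL32.CloseHandle(self.UserlandNotidyEvent)
    # The unpack event handle was previously never released.
    KERNEL32.CloseHandle(self.hUnpackEvent)
    self.process.terminate()
    KERNEL32.ExitProcess(0)

def _ioctl(self, code, in_buf, in_len):
    """Send ``code`` to ``self.hdevice`` with no output buffer.

    Args:
        code: IOCTL control code.
        in_buf: input buffer (a ``ctypes.byref`` result or ``NULL``).
        in_len: size of ``in_buf`` in bytes (0 with ``NULL``).

    Raises:
        UnpackerException: DeviceIoControl reported failure (also logged).
    """
    bytes_returned = DWORD(0)
    success = KERNEL32.DeviceIoControl(
        self.hdevice, code, in_buf, in_len, NULL, 0,
        ctypes.byref(bytes_returned), 0)
    if not success:
        self.log.error("DeviceIoControl failed")
        raise UnpackerException("DeviceIoControl failed")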