Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


Driver Objects

A tool written previously named MODGREPPER[3], by Joanna Rutkowska of invisiblethings.org, used a signature-based approach to detect hidden DRIVER_OBJECTs. This signature was later 'broken' by valerino, as described in a rootkit.com article titled "Please don't greap me!"[6]. Listed here are a few DRIVER_OBJECT fields on which a detection signature could be built.


\begin{tabular}{|l|l|}
\hline
\textbf{Type} & I/O Subsys...
...\_STRING structure containing the driver name \\
\hline
\end{tabular}

The following fields of the DRIVER_OBJECT are code pointers and can be validated by ensuring that each one falls within the address range of the loaded driver image that owns the object, such that:

DriverStart < FIELD < DriverStart + DriverSize.


\begin{tabular}{|l|l|}
\hline
\textbf{DriverInit} & Addr...
...for IRP\_MJ\_XXX, can default to ntoskrnl.exe \\
\hline
\end{tabular}
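The range check described above, as an added example that is not code from the original article: a user-mode C simulation of walking a DRIVER_OBJECT and flagging code pointers that fall outside the owning driver's image. The structure is a simplified mirror of the kernel's DRIVER_OBJECT, and the driver image range, the ntoskrnl.exe range, the IopInvalidDeviceRequest stand-in address and the rogue hook address are all constructed for the example, not real kernel values. MajorFunction entries are additionally allowed to point into ntoskrnl.exe, since IRP_MJ_XXX slots a driver does not implement default there; the lower bound of the range is taken as inclusive. One caveat: DriverStart and DriverSize are read from the same object a rootkit controls, so in practice they should be cross-checked against the loaded module list rather than trusted on their own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Number of IRP_MJ_XXX dispatch slots (IRP_MJ_MAXIMUM_FUNCTION is 0x1b). */
#define IRP_MJ_COUNT          0x1c
#define IRP_MJ_CREATE         0x00
#define IRP_MJ_CLOSE          0x02
#define IRP_MJ_DEVICE_CONTROL 0x0e

/* Simplified user-mode mirror of the DRIVER_OBJECT fields the range check
 * uses. Assumption: this layout is illustrative only and does not match
 * the real kernel structure's offsets or types. */
typedef struct {
    uintptr_t DriverStart;              /* image base of the driver   */
    uintptr_t DriverSize;               /* size of the mapped image   */
    uintptr_t DriverInit;               /* DriverEntry                */
    uintptr_t DriverStartIo;            /* optional, 0 when unused    */
    uintptr_t DriverUnload;             /* optional, 0 when unused    */
    uintptr_t MajorFunction[IRP_MJ_COUNT];
} driver_object_t;

typedef struct {
    uintptr_t base;
    uintptr_t size;
} image_range_t;

static bool in_image(uintptr_t p, uintptr_t base, uintptr_t size)
{
    return p >= base && p < base + size;
}

/* Check every code pointer in the object against the driver's own image.
 * MajorFunction entries may also point into ntoskrnl.exe because slots a
 * driver does not implement default to nt!IopInvalidDeviceRequest.
 * Returns the number of fields that fall outside the permitted ranges. */
int validate_driver_object(const driver_object_t *d, const image_range_t *nt)
{
    int bad = 0;
    uintptr_t base = d->DriverStart, size = d->DriverSize;

    if (!in_image(d->DriverInit, base, size)) {
        printf("DriverInit %#lx outside driver image\n", (unsigned long)d->DriverInit);
        bad++;
    }
    if (d->DriverStartIo && !in_image(d->DriverStartIo, base, size)) {
        printf("DriverStartIo %#lx outside driver image\n", (unsigned long)d->DriverStartIo);
        bad++;
    }
    if (d->DriverUnload && !in_image(d->DriverUnload, base, size)) {
        printf("DriverUnload %#lx outside driver image\n", (unsigned long)d->DriverUnload);
        bad++;
    }
    for (int i = 0; i < IRP_MJ_COUNT; i++) {
        uintptr_t p = d->MajorFunction[i];
        if (!in_image(p, base, size) && !in_image(p, nt->base, nt->size)) {
            printf("MajorFunction[%#x] = %#lx outside driver and ntoskrnl\n", i, (unsigned long)p);
            bad++;
        }
    }
    return bad;
}

/* Constructed ntoskrnl.exe range for the example (not a real layout). */
static const image_range_t sample_nt = { 0x804d7000u, 0x20d000u };

/* Constructed legitimate driver: mapped at 0xf8a1c000, 0x8000 bytes,
 * implementing CREATE, CLOSE and DEVICE_CONTROL; every other slot points
 * at a stand-in for nt!IopInvalidDeviceRequest inside the kernel range. */
driver_object_t make_sample_driver(void)
{
    driver_object_t d = {0};
    d.DriverStart  = 0xf8a1c000u;
    d.DriverSize   = 0x8000u;
    d.DriverInit   = 0xf8a1e4a0u;
    d.DriverUnload = 0xf8a1d100u;
    for (int i = 0; i < IRP_MJ_COUNT; i++)
        d.MajorFunction[i] = 0x804e2b70u;          /* constructed kernel address */
    d.MajorFunction[IRP_MJ_CREATE]         = 0xf8a1d200u;
    d.MajorFunction[IRP_MJ_CLOSE]          = 0xf8a1d200u;
    d.MajorFunction[IRP_MJ_DEVICE_CONTROL] = 0xf8a1d300u;
    return d;
}

/* The same object after a rootkit redirects IRP_MJ_DEVICE_CONTROL to a
 * handler in its own hidden image (constructed rogue address). */
driver_object_t make_hooked_driver(void)
{
    driver_object_t d = make_sample_driver();
    d.MajorFunction[IRP_MJ_DEVICE_CONTROL] = 0xf9c40e00u;
    return d;
}

int check_sample(void)
{
    driver_object_t d = make_sample_driver();
    return validate_driver_object(&d, &sample_nt);
}

int check_hooked(void)
{
    driver_object_t d = make_hooked_driver();
    return validate_driver_object(&d, &sample_nt);
}

int main(void)
{
    printf("clean driver: %d suspicious field(s)\n", check_sample());
    printf("hooked driver: %d suspicious field(s)\n", check_hooked());
    return 0;
}
```

The clean object passes with zero findings; the hooked object reports exactly one, the redirected IRP_MJ_DEVICE_CONTROL slot, because the rogue address lies in neither the driver image nor the kernel image.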