Supporting files for my analysis of the malware designated hdroot.


Index of Supplemental Files

1.1 Binary Files – hdroot-bootkit-analysis/binaries

| File | Description |
| --- | --- |
| C_932.NLS | 64-bit bootkit service DLL sample, as installed on disk. |
| driver32.sys.bin | 32-bit kernel driver used by the dropper to write directly to the physical disk. |
| driver64.sys.bin | 64-bit signed kernel driver used by the dropper to write directly to the physical disk. |
| dropper64.bin | 64-bit dropper sample that installs the bootkit. |
| mbr-clean.bin | MBR before modification, for comparison. |
| mbr-inst.bin | MBR as modified by the install. |
| pe1_decrypted.bin | 32-bit bootkit service DLL sample, extracted from the decrypted rkImage and decrypted. |
| pe1_encrypted_b61e1dcf.bin | 32-bit bootkit service DLL sample, extracted in its original (encrypted) form from the decrypted rkImage. XOR key is 0xb64e1dcf. |
| pe2_decrypted.bin | 64-bit bootkit service DLL sample, extracted from the decrypted rkImage and decrypted. |
| pe2_encrypted_b61e8d81.bin | 64-bit bootkit service DLL sample, extracted in its original (encrypted) form from the decrypted rkImage. XOR key is 0xb64e8d81. |
| rkimage_decrypted.bin | rkImage sample, extracted from the hard drive and decrypted. |
| rkimage_encrypted.bin | rkImage sample, extracted from the hard drive in its original (encrypted) form. |
| rkimage_backdoor_decrypted.bin | rkImage sample with the example backdoor, extracted from the hard drive and decrypted. |
| rkimage_backdoor_encrypted.bin | rkImage sample with the example backdoor, extracted from the hard drive. Obfuscated with a 0x76 byte-XOR. |
| verifier_win7_decrypted.bin | Verifier sample (Windows 7), containing the verifier sector followed by two copies of the original MBR sector. |
| verifier_win7_encrypted.bin | Verifier sample (Windows 7), containing the verifier sector followed by two copies of the original MBR sector. Obfuscated with a 0x76 byte-XOR. |
| verifier_win10_decrypted.bin | Verifier sample (Windows 10), containing the verifier sector followed by two copies of the original MBR sector. |
| verifier_win10_encrypted.bin | Verifier sample (Windows 10), containing the verifier sector followed by two copies of the original MBR sector. Obfuscated with a 0x76 byte-XOR. |
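To get more out of the mbr-clean.bin / mbr-inst.bin pair than a hex-dump side by side, here is an added example (my own illustration, not part of this repository's tooling) that parses each 512-byte sector, checks the 0x55AA boot signature, decodes the four partition-table entries and reports which byte ranges the install changed. That lets you confirm that the bootkit replaced bootstrap code while leaving the partition table intact. The two sectors below are constructed inline as sample data; swap in the two files from the binaries directory to run it against the real samples.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries start at 0x1BE
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "bootable": entry[0] == 0x80,   # boot indicator byte
            "type": entry[4],               # partition type byte (0x07 = NTFS)
            "lba_start": lba_start,
            "sector_count": sector_count,
        })
    return {
        "bootstrap": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def changed_ranges(a: bytes, b: bytes) -> list:
    """Return [start, end) byte ranges where the two buffers differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges


def compare_mbrs(clean: bytes, infected: bytes) -> dict:
    """Summarise what an install changed between a clean and an infected MBR."""
    c, m = parse_mbr(clean), parse_mbr(infected)
    return {
        "signature_ok": c["signature_ok"] and m["signature_ok"],
        "bootstrap_changed": c["bootstrap"] != m["bootstrap"],
        "partition_table_changed": c["partitions"] != m["partitions"],
        "changed_ranges": changed_ranges(clean, infected),
    }


def build_sample_mbrs() -> tuple:
    """Constructed sample data (not the real samples): a clean MBR with one NTFS
    partition, and an infected copy whose first 128 bytes of bootstrap code were
    overwritten, as a bootkit hooking the boot path would do."""
    bootstrap = b"\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFFSET - 4)
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1_000_000)
    clean = bootstrap + entry + b"\x00" * 48 + BOOT_SIGNATURE
    infected = bytearray(clean)
    infected[0:128] = b"\xea" * 128
    return clean, bytes(infected)


if __name__ == "__main__":
    clean, infected = build_sample_mbrs()
    # Real files: clean = open("binaries/mbr-clean.bin", "rb").read(), and likewise mbr-inst.bin
    report = compare_mbrs(clean, infected)
    for start, end in report["changed_ranges"]:
        print(f"bytes 0x{start:03x}-0x{end:03x} changed")
    print("partition table intact:", not report["partition_table_changed"])
```

If the report shows the partition table or signature changed as well, the image is either not a plain MBR replacement or the dump was taken from the wrong sector, so check the offset you extracted before reading anything into the diff.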

1.2 Code Files – hdroot-bootkit-analysis/code

| File | Description |
| --- | --- |
| convert.c | C utility to decrypt the verifier and rkImage samples. |
| dll_decryptor.c | C utility to decrypt the service DLL samples with their 4-byte XOR keys. |
| fuzzer.py | Simple Python fuzzer used to discover the commands accepted by dropper64.bin. |
| proof.cpp | C++ program to install as the backdoor. Writes C:\proof.txt as evidence that the bootkit ran successfully. |
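The index names two obfuscation schemes that convert.c and dll_decryptor.c undo: a single-byte XOR with 0x76 over the verifier and rkImage dumps, and a 4-byte XOR key (the hex suffix of the pe*_encrypted_* filenames) over the service DLLs embedded in rkImage. The following Python is an added example of my own, not the repository's C tooling, that implements both, reads the key from a filename, and, when no key is known, recovers it from the ciphertext alone by taking the most frequent aligned dword (a PE image is mostly zero padding, and zero XOR key is just the key). It assumes the 4-byte key is applied as a repeating little-endian dword aligned to offset 0, which the index does not spell out; the sample PE is constructed inline.

```python
import struct
from collections import Counter

SECTOR_XOR_KEY = 0x76  # byte-XOR used on the verifier and rkImage samples (per the index)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Involutive: applying it twice restores the input."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_sector_image(data: bytes) -> bytes:
    """Undo the 0x76 byte-XOR on a verifier or rkImage dump (what convert.c does)."""
    return xor_repeat(data, bytes([SECTOR_XOR_KEY]))


def decrypt_service_dll(data: bytes, key: int) -> bytes:
    """Undo the 4-byte XOR on an embedded service DLL.
    Assumption: the key repeats as a little-endian dword aligned to offset 0."""
    return xor_repeat(data, struct.pack("<I", key))


def key_from_filename(name: str) -> int:
    """pe1_encrypted_b61e1dcf.bin -> 0xb61e1dcf (hex suffix before the extension)."""
    stem = name.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return int(stem.rsplit("_", 1)[1], 16)


def recover_dll_key(encrypted: bytes) -> int:
    """Key recovery without the filename: PE images are dominated by zero bytes,
    so the most frequent aligned dword of the ciphertext is the key itself."""
    dwords = struct.unpack_from(f"<{len(encrypted) // 4}I", encrypted)
    return Counter(dwords).most_common(1)[0][0]


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decryption: DOS header, e_lfanew, and the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe() -> bytes:
    """Constructed stand-in for a service DLL: valid DOS/PE headers, zero-padded."""
    dos = b"MZ\x90\x00" + b"\x00" * 56 + struct.pack("<I", 0x80)  # e_lfanew at 0x3C = 0x80
    return dos + b"\x00" * (0x80 - len(dos)) + b"PE\x00\x00" + b"\x00" * 252


if __name__ == "__main__":
    plain = build_sample_pe()
    key = key_from_filename("pe1_encrypted_b61e1dcf.bin")
    blob = decrypt_service_dll(plain, key)   # XOR is symmetric, so this encrypts the sample
    print(f"recovered key 0x{recover_dll_key(blob):08x}")
    print("decrypts to PE:", looks_like_pe(decrypt_service_dll(blob, key)))
```

The frequency trick only works when the plaintext has a dominant repeated dword (zero padding in a PE, or 0x00 fill in a sector image); on a packed or already-compressed payload it returns noise, so always confirm the result with looks_like_pe or the 0x55AA check before trusting it.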

1.3 Evidence Files – hdroot-bootkit-analysis/evidence

| File | Description |
| --- | --- |
| crc_error.PNG | Error message shown by the check command when the secondary bootkit image has been modified after install. |
| driver64_certificate.PNG | Screenshot of the stolen certificate used to sign the 64-bit kernel driver. |
| driver64_valid.PNG | Screenshot showing that the certificate on the kernel driver has not been revoked. |
| dropper64_certificate.PNG | Screenshot of the stolen certificate used to sign the 64-bit dropper. |
| dropper64_revoked.PNG | Screenshot showing that the certificate on the dropper has been revoked. |
| hashes_after.txt | Hashes of files taken after the bootkit has run on a Windows 7 virtual machine. |
| hashes_before.txt | Hashes of files taken before the bootkit has run on a Windows 7 virtual machine. |
| hashes_win10.txt | Hashes of the first and second rkImage locations on a Windows 10 virtual machine with more than 30% free disk space. |
| install_win10.PNG | Screenshot of installing a backdoor on Windows 10. |
| install_win10_cmd.PNG | Screenshot of installing cmd.exe as the backdoor. |
| install_win7.PNG | Screenshot of installing a backdoor on Windows 7 with low disk space. |
| installer_cmd.txt | Text output of installing a backdoor on Windows 10. |
| Neowiz.p7b | Certificate (PKCS#7 bundle) extracted from the 64-bit kernel driver. |
| reg_service_after.txt | Registry after reboot, with timestamps showing the service key was written to even though its values did not change. |
| reg_service_before.txt | Registry before reboot, with timestamps. |
| vol_modules.txt | Volatility output snippet from listing loaded modules, showing the kernel driver. |
| vol_reg_debugfile.txt | Volatility output showing the registry key for the DEBUGFILE service used by the kernel driver. |

1.4 IDA Pro Files – hdroot-bootkit-analysis/ida pro

| File | Description |
| --- | --- |
| driver32.sys.idb | IDA Pro database for the 32-bit kernel driver. Functionally the same as the 64-bit driver. |
| driver64.sys.idb | IDA Pro database for the 64-bit kernel driver. Functionally the same as the 32-bit driver. |
| dropper64.i64 | IDA Pro database for the dropper sample. Largely not reversed, as the static sample is packed with VMProtect. |
| mbr_infected.idb | IDA Pro database for the bootkit MBR. Disassembly is 16-bit. |
| pe1_decrypted.idb | IDA Pro database for the 32-bit service DLL. Functionally the same as the 64-bit DLL. |
| pe2_decrypted.i64 | IDA Pro database for the 64-bit service DLL. Functionally the same as the 32-bit DLL. |
| rkimage_decrypted.idb | IDA Pro database for rkImage. Contains real-mode (16-bit) and protected-mode (32-bit) segments. Also has undefined data at the end, because the sample that was disassembled was mistakenly longer than the rkImage plus bootkit length. |
| verifier_decrypted.idb | IDA Pro database for the verifier. Contains the verifier and the original MBR. Disassembly is 16-bit. |