Thursday, June 23, 2011

Reversing Stuxnet: 1

In the mrxnet.sys kernel module of Stuxnet, the call the create a new device very peculiar. Drivers (running in kernel mode) create new devices to expose control/communication mechanisms to userland by calling IoCreateDevice. The disassembly of the call can be seen here:


Many of the parameters passed are interesting. The first interesting argument, DeviceName, was a NULL pointer, hence the 0 value. This means that the programmers did not want to give the device a name. Based on the MSDN documentation, it also means that this Device cannot have a DACL (Discretionary Access Control List) associated with it. The next argument that interested me was the value passed for DeviceType. They are passing the flag for FILE_DEVICE_DISK_FILE_SYSTEM. This flag is passed because mrxnet is the filesystem filter component of the rootkit. Next, the DeviceCharacteristics argument was interesting, because it specifies DO_SYSTEM_BOOT_PARTITION. This could have to do with installing the drivers on the System Boot partition (like the C: drive). Finally, the argument for Exclusive was 0. This means that more than one handle to this device can be opened concurrently. This probably means that the rootkit supports concurrency either via threading or some sort of synchronization mechanism.

#define DO_SYSTEM_BOOT_PARTITION           0x00000100
#define FILE_DEVICE_DISK_FILE_SYSTEM        0x00000008

These #define statements exist the public windows header files. Using them, the function call in the Stuxnet source code looked similar to the following:

IoCreateDevice(pMyDriverObject, 8, NULL, FILE_DEVICE_DISK_FILE_SYSTEM, DO_SYSTEM_BOOT_PARTITION, FALSE, pMyDeviceObject);

The MSDN article detailing IoCreateDevice can be found here:
http://msdn.microsoft.com/en-us/library/ff548397%28VS.85%29.aspx

The #define statements used above were posted here:
http://www.perisoft.net/engineer/wdmcard.htm.

No comments:

Post a Comment