[Technical Paper] GanDiao.sys (ancient kernel driver based malware)

[Luca91]

Hi all,

this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned. 

This driver was used by various malware families and it allowed any userland application to kill other protected processes.

This doc also includes a custom userland app source code to use GanDiao and test its capabilities.

ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf

iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf

As usual, I'm also attaching both PDF files here, just in case. 

Enjoy.

GanDiao.pdf GanDiao_ITA.pdf

[boot]

13 hours ago, Luca91 said:

kill other protected processes...

Except for using MmUnmapViewOfSection to cause other processes to crash. We can also use ZwTerminateProcess to kill a specified process, which may still be effective in some versions of Win10...

e.g.

Code snippets taken from an old project

NTSTATUS ZwKillProcess(HANDLE pid)
{
	HANDLE hProcess = NULL;
	CLIENT_ID ClientId;
	OBJECT_ATTRIBUTES oa;
	NTSTATUS status;
	ClientId.UniqueProcess = pid;
	ClientId.UniqueThread = 0;
	oa.Length = sizeof(oa);
	oa.RootDirectory = 0;
	oa.ObjectName = 0;
	oa.Attributes = 0;
	oa.SecurityDescriptor = 0;
	oa.SecurityQualityOfService = 0;
	status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId);
	if (NT_SUCCESS(status))
	{
		DbgPrint("OpenProcess success,pid: %d", hProcess);
		ZwTerminateProcess(hProcess, 0);
		ZwClose(hProcess);
		return status;
	};
	DbgPrint("OpenProcess failed,pid: %d", hProcess);
	return FALSE;
}

[Luca91]

4 hours ago, boot said:

Except for using MmUnmapViewOfSection to cause other processes to crash. We can also use ZwTerminateProcess to kill a specified process, which may still be effective in some versions of Win10...

 

Yeah, it is not a "clean" process termination. The process will just crash. It is more an "instant crash" at the next ntdll memory access.

Your code using ZwTerminateProcess is a much cleaner approach.

After finishing this paper, I was wondering if such a driver can still be loaded on recent NT using a "bring your own vulnerable driver" attack. I don't have time to test it in one of my VMs right now...

@boot may ask you a favor? Since you (apparently) are form China, can you confirm that my translation of the word "GanDiao" is actually accurate? ("Get rid of" / "Kill it"). Many thanks.

Edited 19 hours ago by Luca91

[jackyjask]

@Luca91 nice wite up, thanks!

quick question:  

>0x7C920000 is the base address of ntdll.dll!

is it the same on all other OSes as well?

or just WinXP Sp3 32bit and thats it?

 

[Luca91]

42 minutes ago, jackyjask said:

@Luca91 nice wite up, thanks!

quick question:  

>0x7C920000 is the base address of ntdll.dll!

is it the same on all other OSes as well?

or just WinXP Sp3 32bit and thats it?

 

Hi Jacky,

nope, on my XP sp3 VM the correct base address is 0x7C910000. In fact I had to patch GanDiao to strictly use that address, but eventually I figured out that it still managed to unmap ntdll even using that address (because is still part of the that memory region). 

[jackyjask]

but it's weird to have the same contant addr  even between reboots?

seems ASLr  was introduced later on... ?

[Luca91]

5 minutes ago, jackyjask said:

but it's weird to have the same contant addr  even between reboots?

seems ASLr  was introduced later on... ?

Yeah that’s the reason (and this is why I doubt in the first place that exploiting a “bring your own vulnerable driver” attack would succeed on recent NT versions, without at least a way to disable/bypass ASLR). 

That wasn’t a problem in XP tho, as ASRL have been introduced starting form Vista.

Anyway I’m pretty sure that more advanced rootkits of that time, used to dynamically calculate these addresses.

[jackyjask]

ZwOpenSection/ZwQuerySection

eg

[Luca91]

3 hours ago, jackyjask said:

ZwOpenSection/ZwQuerySection

eg

Nice example @jackyjask 
Yes, assuming you have a way to load the unsigned driver (by exploiting a signed driver that is not black listed, or by running NT in test mode) and you are calling these APIs from the driver itself, this should work.

I never tried it personally tho. So I’m not 100% sure and there could be further hitches.