Jump to content
Tuts 4 You

[Technical Paper] GanDiao.sys (ancient kernel driver based malware)

Luca91

By Luca91
in Malware Reverse Engineering

 Share

Recommended Posts

Luca91

Luca91

Posted
Posted

Hi all,

this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned. 

This driver was used by various malware families and it allowed any userland application to kill other protected processes.

This doc also includes a custom userland app source code to use GanDiao and test its capabilities.

ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf

iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf

As usual, I'm also attaching both PDF files here, just in case. 

Enjoy.

GanDiao.pdf GanDiao_ITA.pdf

  • Like 5
  • Thanks 2
boot

boot

Posted
Posted
13 hours ago, Luca91 said:

kill other protected processes...

Except for using MmUnmapViewOfSection to cause other processes to crash. We can also use ZwTerminateProcess to kill a specified process, which may still be effective in some versions of Win10...

e.g.

Code snippets taken from an old project 

NTSTATUS ZwKillProcess(HANDLE pid)
{
	HANDLE hProcess = NULL;
	CLIENT_ID ClientId;
	OBJECT_ATTRIBUTES oa;
	NTSTATUS status;
	ClientId.UniqueProcess = pid;
	ClientId.UniqueThread = 0;
	oa.Length = sizeof(oa);
	oa.RootDirectory = 0;
	oa.ObjectName = 0;
	oa.Attributes = 0;
	oa.SecurityDescriptor = 0;
	oa.SecurityQualityOfService = 0;
	status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId);
	if (NT_SUCCESS(status))
	{
		DbgPrint("OpenProcess success,pid: %d", hProcess);
		ZwTerminateProcess(hProcess, 0);
		ZwClose(hProcess);
		return status;
	};
	DbgPrint("OpenProcess failed,pid: %d", hProcess);
	return FALSE;
}
  • Like 2
Luca91

Luca91

Posted
  • Author
Posted (edited)
4 hours ago, boot said:

Except for using MmUnmapViewOfSection to cause other processes to crash. We can also use ZwTerminateProcess to kill a specified process, which may still be effective in some versions of Win10...

 

Yeah, it is not a "clean" process termination. The process will just crash. It is more an "instant crash" at the next ntdll memory access.

Your code using ZwTerminateProcess is a much cleaner approach.

After finishing this paper, I was wondering if such a driver can still be loaded on recent NT using a "bring your own vulnerable driver" attack. I don't have time to test it in one of my VMs right now...

@boot may ask you a favor? Since you (apparently) are form China, can you confirm that my translation of the word "GanDiao" is actually accurate? ("Get rid of" / "Kill it"). Many thanks.

Edited by Luca91
  • Like 2
jackyjask

jackyjask

Posted
Posted

@Luca91 nice wite up, thanks!

quick question:  

>0x7C920000 is the base address of ntdll.dll!

is it the same on all other OSes as well?

or just WinXP Sp3 32bit and thats it?

 

  • Like 1
Luca91

Luca91

Posted
  • Author
Posted
42 minutes ago, jackyjask said:

@Luca91 nice wite up, thanks!

quick question:  

>0x7C920000 is the base address of ntdll.dll!

is it the same on all other OSes as well?

or just WinXP Sp3 32bit and thats it?

 

Hi Jacky,

nope, on my XP sp3 VM the correct base address is 0x7C910000. In fact I had to patch GanDiao to strictly use that address, but eventually I figured out that it still managed to unmap ntdll even using that address (because is still part of the that memory region). 

  • Like 1
jackyjask

jackyjask

Posted
Posted

but it's weird to have the same contant addr  even between reboots?

seems ASLr  was introduced later on... ? :)

  • Like 1
Luca91

Luca91

Posted
  • Author
Posted
5 minutes ago, jackyjask said:

but it's weird to have the same contant addr  even between reboots?

seems ASLr  was introduced later on... ? :)

Yeah that’s the reason (and this is why I doubt in the first place that exploiting a “bring your own vulnerable driver” attack would succeed on recent NT versions, without at least a way to disable/bypass ASLR). 

That wasn’t a problem in XP tho, as ASRL have been introduced starting form Vista.

Anyway I’m pretty sure that more advanced rootkits of that time, used to dynamically calculate these addresses.

  • Like 1
Luca91

Luca91

Posted
  • Author
Posted
3 hours ago, jackyjask said:

ZwOpenSection/ZwQuerySection

eg

Nice example @jackyjask :)
Yes, assuming you have a way to load the unsigned driver (by exploiting a signed driver that is not black listed, or by running NT in test mode) and you are calling these APIs from the driver itself, this should work.

I never tried it personally tho. So I’m not 100% sure and there could be further hitches.

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...