Debugging a Crash, Found a Trojan

Article
05/23/2012

Hi, I'm Manish from Global Escalation Services. I would like to present a multiple random bug check issue, which was caused by malicious code (trojan) running on the machine. This is the walkthrough of how we found the virus on the server.

In this particular dump, the machine crashed with Bugcheck 0xA (IRQL_NOT_LESS_OR_EQUAL) because we got a Page Fault at dispatch level, also known as DPC Level (IRQL 2). Windows system architecture governs that we cannot have a page fault at dispatch level because paging requires I/O, I/O requires a wait, and we cannot wait while the IRQL is above dispatch level. So when this anomaly happens Windows will intentionally crash the machine.

We trapped in CcMapData because we touched the address c226d800 which was not valid because it’s paged out. If we look at implementation of CcMapData on MSDN https://msdn.microsoft.com/en-us/library/windows/hardware/ff539155(v=vs.85).aspx we see that this function can only be called below Dispatch Level, but the current CPU IRQL is 2.

So how did this happen? The most likely possibility is that some driver on the stack raised the IRQL by calling KeRaiseIrql and then forgot to lower it by calling KeLowerIrql. There are many drivers on this stack and anyone could be the culprit. It is difficult to track when one of these may have done it as it’s long gone.

We could have enabled IRQL Checking using Driver Verifier to find the culprit but we have to enable it on all drivers listed in the stack (and possibly others), which could cause some performance issues. Also this was not the only crash we were seeing; there were various stop codes.

So before going the verifier route I decided to dig more into this dump. I noticed there is an address on the stack for which the module name is not getting resolved. This looked odd (suspicious) as most of the time the debugger does a great job of finding the module.

I started investigating what is this module. It turned out to be a Trojan “TrojanDropper:Win32/Sirefef.B”.
https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FSirefef.B

0: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: c226d800, memory referenced

Arg2: d0000002, IRQL

Arg3: 00000000, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: 808b64a6, address which referenced memory

0: kd> kv

ChildEBP RetAddr Args to Child

f78ae41c 808b64a6 badb0d00 00000000 00000001 nt!KiTrap0E+0x2a7 (FPO: [0,0] TrapFrame @ f78ae41c)

f78ae4cc f71a6f2d 8b22d520 f78ae4fc 00000400 nt!CcMapData+0x8c (FPO: [Non-Fpo])

f78ae4ec f71a4494 f78ae7ec 8b64c150 01c6d800 Ntfs!NtfsMapStream+0x4b (FPO: [Non-Fpo])

f78ae560 f71a6df0 f78ae7ec 8b3a7100 e7c50ce0 Ntfs!NtfsReadMftRecord+0x86 (FPO: [Non-Fpo])

f78ae598 f71a6fac f78ae7ec 8b3a7100 e7c50ce0 Ntfs!NtfsReadFileRecord+0x7a (FPO: [Non-Fpo])

f78ae5d0 f718e46d f78ae7ec e7c50cd8 e7c50ce0 Ntfs!NtfsLookupInFileRecord+0x37 (FPO: [Non-Fpo])

f78ae67c f718e541 f78ae7ec e7c50cd8 f718e2cb Ntfs!NtfsWalkUpTree+0xbe (FPO: [Non-Fpo])

f78ae6d8 f718e263 f78ae7ec e7c50cd8 00000000 Ntfs!NtfsBuildNormalizedName+0x44 (FPO: [Non-Fpo])

f78ae704 f7196c2e f78ae7ec 8801d600 e7c50da0 Ntfs!NtfsQueryNameInfo+0x4b (FPO: [Non-Fpo])

f78ae774 f71a0ff6 f78ae7ec 88081cb0 8b5f9260 Ntfs!NtfsCommonQueryInformation+0x291 (FPO: [Non-Fpo])

f78ae7d8 f71a102f f78ae7ec 88081cb0 00000001 Ntfs!NtfsFsdDispatchSwitch+0x12a (FPO: [Non-Fpo])

f78ae8f4 8081df85 8b3a7020 88081cb0 88081cb0 Ntfs!NtfsFsdDispatchWait+0x1c (FPO: [Non-Fpo])

f78ae908 f721fd28 8b2fd220 8b60d308 8b54b020 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78ae934 8081df85 8b5f9260 88081cb0 88081cb0 fltMgr!FltpDispatch+0x152 (FPO: [Non-Fpo])

f78ae948 f721fd28 88081ed0 8b60d308 c000000d nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78ae974 8081df85 8b54b020 88081cb0 88081cb0 fltMgr!FltpDispatch+0x152 (FPO: [Non-Fpo])

f78ae988 f5c62bec 88081cb0 8b54a980 88081cb0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

WARNING: Stack unwind information not available. Following frames may be wrong.

f78ae99c f5c5e3ee 8b03b690 00000000 f78ae9c0 CtxSbx+0x5bec

f78ae9ac 8081df85 8b03b690 88081cb0 8b0528e0 CtxSbx+0x13ee

f78ae9c0 f61074e1 8b0528e0 8801d600 f78aea00nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78ae9e4 f61075d0 8b0a9b80 00081cb0 f78aea08 CtxAltStr+0x44e1

f78ae9f4 8081df85 8b0a9b80 88081cb0 88081ed0 CtxAltStr+0x45d0

f78aea08 8b5cfc89 00000000 87ef0000 87ef9002 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aec90 8081df85 8b5ef610 8b08c110 8b08c2a8 0x8b5cfc89 <------------ This looks odd what is this module?

f78aeca4 f7241607 8b08c2a8 00000000 f78aece8nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aecb4 f72412b2 8b08c2a8 8b392b70 87f11974 CLASSPNP!SubmitTransferPacket+0xbb (FPO: [Non-Fpo])

f78aece8 f7241533 00000000 00000e00 87f11808 CLASSPNP!ServiceTransferRequest+0x1e4 (FPO: [Non-Fpo])

f78aed0c 8081df85 8b392ab8 00000000 8b2a2670 CLASSPNP!ClassReadWrite+0x159 (FPO: [Non-Fpo])

f78aed20 f74c80cf 8b2b7d80 87f11998 f78aed44 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aed30 8081df85 8b6e4020 87f11808 87f119bc PartMgr!PmReadWrite+0x95 (FPO: [Non-Fpo])

f78aed44 f7317053 87f119d8 8b6e8148 882b9888 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aed60 8081df85 8b2b7cc8 87f11808 87f119fc ftdisk!FtDiskReadWrite+0x1a9 (FPO: [Non-Fpo])

f78aed74 f72cf4f5 885360cc 88536098 87f26810 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aed90 f72d1517 87f11808 885360cc 8b60c470 volsnap!VspDecrementIrpRefCount+0x14f (FPO: [Non-Fpo])

f78aeda8 f72c0398 87f26810 87f26810 88536098 volsnap!VspWriteVolumePhase22+0x3d (FPO: [Non-Fpo])

f78aee30 f72d15d3 00f26810 885360cc 00000000 volsnap!VspAcquireNonPagedResource+0xc6 (FPO: [Non-Fpo])

f78aee50 8081e123 00000000 87f215e8 88536098 volsnap!VspWriteVolumePhase2+0x59 (FPO: [Non-Fpo])

f78aee80 f7241829 f78aeeb0 f72413ec 8b392ab8 nt!IopfCompleteRequest+0xcd (FPO: [Non-Fpo])

f78aee88 f72413ec 8b392ab8 87f215e8 00000001 CLASSPNP!ClassCompleteRequest+0x11 (FPO: [Non-Fpo])

f78aeeb0 8081e123 00000000 8b08c428 8b08c5c0 CLASSPNP!TransferPktComplete+0x1fd (FPO: [Non-Fpo])

f78aeee0 f7266545 8b6e30e8 8b08c428 f78aef24 nt!IopfCompleteRequest+0xcd (FPO: [Non-Fpo])

f78aeef0 f7265a8a 87f856a8 00000001 00000000 SCSIPORT!SpCompleteRequest+0x5e (FPO: [Non-Fpo])

f78aef24 f7265130 8b6e30e8 87f856a8 f78aef9b SCSIPORT!SpProcessCompletedRequest+0x6a7 (FPO: [Non-Fpo])

f78aef9c 8083211c 8b6e30a4 8b6e3030 00000000 SCSIPORT!ScsiPortCompletionDpc+0x2bd (FPO: [Non-Fpo])

f78aeff4 8088dba7 f3f4f92c 00000000 00000000 nt!KiRetireDpcList+0xca (FPO: [Non-Fpo])

f3f4f948 80a603d9 ffdffa02 f3f4f980 f3f4f980 nt!KiDispatchInterrupt+0x37 (FPO: [Uses EBP] [0,0,1])

f3f4f964 80a60577 8b6c226c f3f4f980 8088d91d hal!HalpCheckForSoftwareInterrupt+0x81 (FPO: [Non-Fpo])

f3f4f970 8088d91d 8b304c00 000001a3 f3f4fa04 hal!HalEndSystemInterrupt+0x67 (FPO: [Non-Fpo])

f3f4f970 809395e7 8b304c00 000001a3 f3f4fa04 nt!KiInterruptDispatch+0x5d (FPO: [0,2] TrapFrame @ f3f4f980)

f3f4fa04 80939c37 88139178 88028301 00000008 nt!ObpAllocateObject+0x199 (FPO: [Non-Fpo])

f3f4fa38 808f8d28 00000000 8b76aad0 f3f4fa70 nt!ObCreateObject+0x129 (FPO: [Non-Fpo])

f3f4fb44 80937a40 8b6afd10 00000000 88028398 nt!IopParseDevice+0x710 (FPO: [Non-Fpo])

f3f4fbc4 80933b74 00000000 f3f4fc04 00000042 nt!ObpLookupObjectName+0x5b0 (FPO: [Non-Fpo])

f3f4fc18 808eaee7 00000000 00000000 dffa7c01 nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])

f3f4fc94 808ec181 077ef198 c0140000 077ef14c nt!IopCreateFile+0x447 (FPO: [Non-Fpo])

f3f4fcf0 808eec10 077ef198 c0140000 077ef14c nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])

f3f4fd30 808897ec 077ef198 c0140000 077ef14c nt!NtCreateFile+0x30 (FPO: [Non-Fpo])

f3f4fd30 7c82847c 077ef198 c0140000 077ef14c nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ f3f4fd64)

077ef22c 00000000 00000000 00000000 00000000 0x7c82847c

The current CPU IRQL is 2, at which pagefaults cannot be serviced, hence windows crashed the machine.

0: kd> !irql

Debugger saved IRQL for processor 0x0 -- 2 (DISPATCH_LEVEL)

Un-assembling from the return address of this unknown driver, to try to confirm that this is really driver code and that it really does belong in this call stack:

0: kd> ub 8b5cfc89

8b5cfc62 8bd7 mov edx,edi

8b5cfc64 c60605 mov byte ptr [esi],5

8b5cfc67 895e18 mov dword ptr [esi+18h],ebx

8b5cfc6a c7460400020000 mov dword ptr [esi+4],200h

8b5cfc71 c7460809000000 mov dword ptr [esi+8],9

8b5cfc78 c7461c70fb5c8b mov dword ptr [esi+1Ch],8B5CFB70h

8b5cfc7f c64603e0 mov byte ptr [esi+3],0E0h

8b5cfc83 ff158c805d8b call dword ptr ds:[8B5D808Ch]

Sure does call IofCallDriver

0: kd> dps 8B5D808Ch l1

8b5d808c 8081df40 nt!IofCallDriver

So what is this driver? In Windows every image starts with a PE header which starts with letters “MZ”. So I started looking for PE header. I took the offset of the module on the stack and went back to its page boundary, then I started moving 1 page back at a time looking for the PE header.

0: kd> dc 8b5cf000

8b5cf000 0010b9f2 f02b0000 3b063c8b 83137538 ......+..<.;8u..

8b5cf010 c08304e9 04f98304 b85fee73 00000001 ........s._.....

8b5cf020 9cb8c35e b98b5d86 00000010 ff8bd02b ^....]......+...

8b5cf030 3b02348b 83137530 c08304e9 04f98304 .4.;0u..........

8b5cf040 b85fee73 00000001 335fc35e ccc35ec0 s._.....^._3.^..

8b5cf050 83ec8b55 78a04cec 538b5da4 c0b60f56 U....L.x.].SV...

8b5cf060 827ae857 ff330000 33f46589 f845c7db W.z...3..e.3..E.

8b5cf070 00000400 8b084d8b 52510c55 50b4458d .....M..U.QR.E.P

0: kd> dc 8b5cf000-1000

8b5ce000 01c73024 00000000 c70cc483 00800002 $0..............

8b5ce010 845e5f00 b10874db 0815ff01 8b8b5d80 ._^..t.......]..

8b5ce020 6a0c2444 15ff5000 8b5d8028 14c25b5d D$.j.P..(.].][..

8b5ce030 cccccc00 cccccccc cccccccc cccccccc ................

8b5ce040 6a306a56 2415ff00 8b8b5d80 74f685f0 Vj0j...$.].....t

8b5ce050 6a006a53 68026a01 8b5d0892 5d08ae68 Sj.j.j.h..].h..]

8b5ce060 ff006a8b 5d80ac15 ff56508b 5d80a815 .j.....].PV....]

8b5ce070 000d8b8b ff8b5da2 5d80b015 6a006a8b .....].....].j.j

0: kd> dc 8b5cf000-1000*2

8b5cd000 0689c033 89044689 46890846 1046890c 3....F..F..F..F.

8b5cd010 89144689 ec831846 1c46891c 57204689 .F..F.....F..F W

8b5cd020 85244689 8d0574f6 02eb284e c033c933 .F$..t..N(..3.3.

8b5cd030 41890189 08418904 8b34468b 4e891048 ...A..A..F4.H..N

8b5cd040 14508b10 8b145689 4e891848 1c508b18 ..P..V..H..N..P.

8b5cd050 8b1c5689 4e891848 1c508b20 2424448d .V..H..N .P..D$$

8b5cd060 244c8d50 186a510c 8b245689 6a302454 P.L$.Qj..V$.T$0j

8b5cd070 46c65205 46c70005 00000008 0c46c700 .R.F...F......F.

Finally I found the PE header for this image.

0: kd> dc 8b5cf000-1000*3

8b5cc000 00905a4d 00000003 00000004 0000ffff MZ..............

8b5cc010 000000b8 00000000 00000040 00000000 ........@.......

8b5cc020 00000000 00000000 00000000 00000000 ................

8b5cc030 00000000 00000000 00000000 000000d0 ................

8b5cc040 0eba1f0e cd09b400 4c01b821 685421cd ........!..L.!Th

8b5cc050 70207369 72676f72 63206d61 6f6e6e61 is program canno

8b5cc060 65622074 6e757220 206e6920 20534f44 t be run in DOS

8b5cc070 65646f6d 0a0d0d2e 00000024 00000000 mode....$.......

Using the built-in debugger extension !dh I dumped the header of this image to find the name. Unfortunately there is no name for this image. This address 8b5cc000 is not in the loaded module list, which raised further suspicion. Either it is hiding its load address or this driver was not loaded by standard loading mechanism. This module date shows it’s pretty recent build.

0: kd> !dh 8b5cc000

File Type: DLL

FILE HEADER VALUES

14C machine (i386)

4 number of sections

4EA3461E time date stamp Sun Oct 23 04:09:26 2011

0 file pointer to symbol table

0 number of symbols

E0 size of optional header

2102 characteristics

Executable

32 bit word machine

DLL

OPTIONAL HEADER VALUES

10B magic #

9.00 linker version

A400 size of code

2000 size of initialized data

0 size of uninitialized data

46C0 address of entry point

1000 base of code

----- new -----

10000000 image base

1000 section alignment

200 file alignment

1 subsystem (Native)

5.00 operating system version

0.00 image version

5.00 subsystem version

10000 size of image

400 size of headers

DF1F checksum

00100000 size of stack reserve

00001000 size of stack commit

00100000 size of heap reserve

00001000 size of heap commit

0 DLL characteristics

0 [ 0] address [size] of Export Directory

C91C [ 3C] address [size] of Import Directory

0 [ 0] address [size] of Resource Directory

0 [ 0] address [size] of Exception Directory

0 [ 0] address [size] of Security Directory

F000 [ 3FC] address [size] of Base Relocation Directory

0 [ 0] address [size] of Debug Directory

0 [ 0] address [size] of Description Directory

0 [ 0] address [size] of Special Directory

0 [ 0] address [size] of Thread Storage Directory

0 [ 0] address [size] of Load Configuration Directory

0 [ 0] address [size] of Bound Import Directory

C000 [ 1A8] address [size] of Import Address Table Directory

0 [ 0] address [size] of Delay Import Directory

0 [ 0] address [size] of COR20 Header Directory

0 [ 0] address [size] of Reserved Directory

SECTION HEADER #1

.text name

A354 virtual size

1000 virtual address

A400 size of raw data

400 file pointer to raw data

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

60000020 flags

Code

(no align specified)

Execute Read

SECTION HEADER #2

.rdata name

13AC virtual size

C000 virtual address

1400 size of raw data

A800 file pointer to raw data

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

40000040 flags

Initialized Data

(no align specified)

Read Only

SECTION HEADER #3

.data name

4B0 virtual size

E000 virtual address

200 size of raw data

BC00 file pointer to raw data

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

C0000040 flags

Initialized Data

(no align specified)

Read Write

SECTION HEADER #4

.reloc name

576 virtual size

F000 virtual address

600 size of raw data

BE00 file pointer to raw data

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

42000040 flags

Initialized Data

Discardable

(no align specified)

Read Only

0: kd> !lmi 8b5cc000

Loaded Module Info: [8b5cc000]

ffffffff8b5cc000 is not a valid address

0: kd> lmvm 8b5cc000

start end module name

Checking the import table it does have calls to raise and lower the IRQL. We get to the import table by taking the base address plus the offset to the Import Address Table Directory. The below output is just a snippet of the whole table.

0: kd> dps 8b5cc000+c000

8b5d8000 80a603f4 hal!KfLowerIrql

8b5d8004 80a5ff00 hal!KeGetCurrentIrql

8b5d8008 80a600b4 hal!KfRaiseIrql

Dumping the entire image contents in memory to find more clues about this driver. Again, I am only showing snippets of the whole output.

0: kd> dc 8b5cc000 L?10000/4