Analysis of VirTool:WinNT/Exforel.A rootkit

A few days ago the MMPC team published a report on a rootkit [backdoor] called VirTool:WinNT/Exforel.A.
That review covered its network communication, but the rootkit also contains some noteworthy internal features. First, it starts processes from the context of the trusted services.exe. This is done with the help of shellcode injected into services.exe.
Code injection:

Shellcode logic:

The driver listens on the spawned process's input and output pipes in two dedicated threads: one writes data into the pipe and the other reads from it. Working scheme of the stdin dispatcher thread:
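From the defender's side, the most observable trace of the behaviour described above is the process tree: services.exe normally spawns only registered service binaries, so any child it starts that is not one stands out. The script below is an added example, not code from the original post or from the MMPC analysis. It assumes Sysmon-style process-creation fields (image, parent image, command line), and both the event records and the list of "registered service images" are constructed here for illustration; on a real host the allow-list would be built from the ImagePath values of the installed services on a clean baseline.

```python
"""Flag process creations whose parent is services.exe but whose image is not
a registered service binary.  Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Iterable, List
import ntpath

# Constructed allow-list: image paths of services registered on the host
# (e.g. collected from each service's ImagePath on a known-clean baseline).
KNOWN_SERVICE_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\spoolsv.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Fields mirror the Sysmon EventID 1 (ProcessCreate) attributes we need.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return path.strip().lower()


def is_services_child(ev: ProcEvent) -> bool:
    """True when the direct parent is services.exe (by basename)."""
    return ntpath.basename(_norm(ev.parent_image)) == "services.exe"


def suspicious_children(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Return every services.exe child whose image is not a registered service.

    A hit does not prove infection (a newly installed service shows up the
    same way), but it is exactly the anomaly a services.exe-context spawn
    produces, so it is worth correlating with the host's service list.
    """
    return [
        ev for ev in events
        if is_services_child(ev) and _norm(ev.image) not in KNOWN_SERVICE_IMAGES
    ]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(812, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    ProcEvent(1044, r"C:\Windows\System32\spoolsv.exe",
              r"C:\Windows\System32\services.exe", "spoolsv.exe"),
    ProcEvent(2210, r"C:\Windows\Temp\upd.exe",
              r"C:\Windows\System32\services.exe", "upd.exe"),
    ProcEvent(2304, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcEvent(2388, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\services.exe", "cmd.exe"),
]


if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_EVENTS):
        print(f"pid={hit.pid} image={hit.image} cmd={hit.command_line!r}")
```

Two of the five constructed events are flagged: the binary in Windows\Temp and the cmd.exe instance whose parent is services.exe, while the explorer.exe-spawned cmd.exe is ignored because the rule keys on the parent, not on the child image alone. In practice the allow-list should be regenerated whenever services are installed, otherwise a legitimate new service produces a false positive.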

Another interesting feature of the rootkit is the method by which it makes the pages of a process writable.

Pages translation scheme:

Undocumented kernel objects offsets table:

posted by https://twitter.com/artem_i_baranov
