Further into rustock
So I was sitting in Hoglund and Butler's Advanced Rootkits class playing with instdrv and injecting processes via device drivers, when I had an idea.
I know where Rustock puts its rootkit driver from the partial unpacked disassembly I was able to do, but I can't get at it because it's in an ADS that is hidden by the rootkit itself. But here I am playing with instdrv, which lets you load and unload drivers by path.
So I told it to unload pe386.sys and then ran lads.exe to see if I could find the ADS now. Indeed, it was there. From there it was a matter of running cat.exe c:\windows\system32\:pe386.sys > c:\owned.sys to extract the driver! However, this driver is protected somehow, so on to the next step :)
Also, Ero and Pedram gave me some awesome techniques for unpacking things a little better, and based on that I was able to extract some VERY interesting information from Rustock. There is an IP address:
Which belongs to OrgName: McColo Corporation
Address: 125 E. Delaware Ave.
And an HTTP path:
as well as several other things I am exploring. This is why I love Blackhat!
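The two steps above (finding the ADS once the rootkit driver is no longer filtering the file system, then pulling network indicators out of the recovered driver) can be scripted for a defender triaging a box. The script below is an added example, not code from the original post or from any of the tools it mentions (instdrv, lads.exe, cat.exe). It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, assumes Get-Content -Stream can read a stream attached to a directory (the post's case is System32 itself carrying pe386.sys), and assumes the hiding driver has already been unloaded or the volume is mounted offline, since a live kernel-mode hook can filter exactly these results. The default paths and the dump directory are placeholders chosen for the example.

```powershell
# Added example (not from the original post): list non-default NTFS streams on a
# directory and its files, dump each one with a SHA-256, and pull IPv4/URL-looking
# strings out of the dump. Run only after the hiding driver is unloaded, or on an
# offline image; otherwise the rootkit may hide the stream from these calls too.
param(
    [string]$Root    = 'C:\Windows\System32',        # placeholder: directory to inspect
    [string]$DumpDir = "$env:TEMP\ads-dump"          # placeholder: where dumps go
)

function Get-HiddenStreams {
    param([string]$Path)
    # The directory itself can carry streams (System32:pe386.sys in the post),
    # so inspect it first, then every file one level down.
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue)
    foreach ($t in $targets) {
        try {
            Get-Item -LiteralPath $t.FullName -Stream * -ErrorAction Stop |
                Where-Object { $_.Stream -ne ':$DATA' } |      # ':$DATA' is the normal unnamed stream
                ForEach-Object {
                    # Zone.Identifier streams are common and benign (mark-of-the-web);
                    # anything else attached to a system directory deserves a look.
                    [pscustomobject]@{
                        Carrier = $t.FullName
                        Stream  = $_.Stream
                        Length  = $_.Length
                    }
                }
        } catch { }   # access denied / unsupported volume: skip, don't abort the sweep
    }
}

function Export-Stream {
    param([string]$Carrier, [string]$Stream, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # Byte reads differ between editions: -Encoding Byte (5.1) vs -AsByteStream (7+).
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Carrier -Stream $Stream -AsByteStream -Raw
    } else {
        $bytes = Get-Content -LiteralPath $Carrier -Stream $Stream -Encoding Byte -Raw
    }
    $safeName = ((Split-Path $Carrier -Leaf) + '_' + $Stream) -replace '[^\w.-]', '_'
    $out = Join-Path $OutDir $safeName
    [System.IO.File]::WriteAllBytes($out, $bytes)
    $sha = [System.BitConverter]::ToString(
        [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)) -replace '-', ''
    [pscustomobject]@{ Path = $out; SHA256 = $sha; Bytes = $bytes.Length }
}

function Find-NetworkStrings {
    param([byte[]]$Bytes)
    # Cheap strings(1)-style pass: runs of printable ASCII, then IPv4 and http(s)
    # URL candidates inside them. Packed samples need unpacking first, as the
    # post notes; this only sees what is already in the clear.
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)
    $runs = [regex]::Matches($text, '[\x20-\x7e]{6,}') | ForEach-Object { $_.Value }
    $ip  = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'
    $url = 'https?://[\w.-]+(?:/[\w./?%&=-]*)?'
    foreach ($r in $runs) {
        foreach ($m in [regex]::Matches($r, "$ip|$url")) {
            [pscustomobject]@{
                Kind    = $(if ($m.Value -match '^http') { 'url' } else { 'ipv4' })
                Value   = $m.Value
                Context = $r
            }
        }
    }
}

$found = @(Get-HiddenStreams -Path $Root)
$found | Format-Table -AutoSize
foreach ($f in $found) {
    $dump = Export-Stream -Carrier $f.Carrier -Stream $f.Stream -OutDir $DumpDir
    '{0}  {1}  ({2} bytes)' -f $dump.SHA256, $dump.Path, $dump.Bytes
    Find-NetworkStrings -Bytes ([System.IO.File]::ReadAllBytes($dump.Path)) | Format-Table -AutoSize
}
```

Run it once with the rootkit driver loaded and once after unloading it (or against the offline volume) and diff the two stream listings: a stream that appears only in the second run is the hidden artifact, and the SHA-256 of the dump is what goes into the case notes. The IP and URL hits from Find-NetworkStrings are candidates to check against whois and proxy logs, not proof of a C2 on their own.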