Tuesday, October 30, 2018

NtRaiseHardError, BSOD (Blue Screen of Death)

If you ever see Windows x86 assembly like the snippet below, where the code loads ntdll, resolves RtlAdjustPrivilege and NtRaiseHardError by name with GetProcAddress, adjusts a privilege and then raises a hard error, that is potentially malware trying to force a BSOD (Blue Screen of Death). The pairing is the giveaway: NtRaiseHardError only takes the machine down when its ResponseOption argument is OptionShutdownSystem (6), and the kernel honours that option only for a caller holding SeShutdownPrivilege, which is exactly what the preceding RtlAdjustPrivilege(19 /* SeShutdownPrivilege */, TRUE, FALSE, &old) call enables. Both functions are undocumented ntdll exports, so they are normally resolved at run time rather than showing up in the import table, and the two name strings sitting next to each other are a reasonable detection signature on their own. Caveat: crash-on-demand utilities used to collect kernel dumps use the same call, so treat it as a strong indicator that needs context, not as proof of malice.


push offset LibFileName     ; "ntdll"
call ds:LoadLibraryA        ; eax = HMODULE of ntdll.dll
mov edi, eax                ; keep the module handle in edi for both lookups

push offset ProcName        ; "RtlAdjustPrivilege"
push edi                    ; hModule (ntdll), not the string
call ds:GetProcAddress      ; eax = &RtlAdjustPrivilege (must be saved before the next call clobbers eax)

push offset aNtraiseharderr ; "NtRaiseHardError"
push edi                    ; hModule (ntdll)
call ds:GetProcAddress      ; eax = &NtRaiseHardError

push ....                   ; arguments elided in the original; __stdcall, pushed right to left
push ....
push ....
push ....
call ....                   ; call through the resolved pointer (target elided in the original)


--------------

As referenced here
https://undocumented.ntinternals.net/


NTSYSAPI NTSTATUS NTAPI NtRaiseHardError(
  IN NTSTATUS                  ErrorStatus,
  IN ULONG                     NumberOfParameters,
  IN PUNICODE_STRING           UnicodeStringParameterMask OPTIONAL,
  IN PVOID                     *Parameters,
  IN HARDERROR_RESPONSE_OPTION ResponseOption,
  OUT PHARDERROR_RESPONSE      Response );
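Pulling the snippet and the prototype together, here is an added triage helper of my own (not code from this post or from the video it credits). It scans a raw byte blob for the two API names resolved by string, looks for the x86 `push imm8` encodings of the two tell-tale immediates (19 for SeShutdownPrivilege, 6 for OptionShutdownSystem), and explains what a given ResponseOption would do. The sample blobs are constructed for the example, the push-immediate check is a heuristic, and the verdict labels are my own choice.

```python
import re

# The two ntdll exports the snippet above resolves with GetProcAddress.
API_PAIR = (b"RtlAdjustPrivilege", b"NtRaiseHardError")

# HARDERROR_RESPONSE_OPTION values for the ResponseOption parameter;
# 6 (OptionShutdownSystem) is the one that takes the machine down.
RESPONSE_OPTION = {
    0: "OptionAbortRetryIgnore", 1: "OptionOk", 2: "OptionOkCancel",
    3: "OptionRetryCancel", 4: "OptionYesNo", 5: "OptionYesNoCancel",
    6: "OptionShutdownSystem",
}
SE_SHUTDOWN_PRIVILEGE = 19  # privilege value RtlAdjustPrivilege must enable first


def find_api_names(blob: bytes) -> set:
    """Return which of API_PAIR occur as NUL-terminated ASCII strings in blob
    (the form a GetProcAddress-by-name lookup needs)."""
    return {name for name in API_PAIR if name + b"\x00" in blob}


def find_push_imm8(blob: bytes, value: int) -> list:
    """Offsets of x86 'push imm8' (opcode 6A xx) with the given immediate.
    Heuristic only: the byte pair can also occur inside other instructions or data."""
    return [m.start() for m in re.finditer(re.escape(bytes([0x6A, value])), blob)]


def describe_hard_error_call(response_option: int, privilege=None) -> str:
    """Explain what NtRaiseHardError does for a given ResponseOption, taking into
    account which privilege the preceding RtlAdjustPrivilege call enabled."""
    name = RESPONSE_OPTION.get(response_option, "unknown")
    if response_option != 6:
        return f"{name}: hard-error message box only, no crash"
    if privilege == SE_SHUTDOWN_PRIVILEGE:
        return f"{name}: SeShutdownPrivilege enabled, call blue-screens the host"
    return f"{name}: rejected by the kernel unless SeShutdownPrivilege is held"


def triage(blob: bytes) -> dict:
    """Score a blob on the three artifacts of the technique and return a verdict."""
    names = find_api_names(blob)
    evidence = {
        "both_apis_by_name": names == set(API_PAIR),
        "push_se_shutdown_privilege": bool(find_push_imm8(blob, SE_SHUTDOWN_PRIVILEGE)),
        "push_option_shutdown_system": bool(find_push_imm8(blob, 6)),
    }
    if all(evidence.values()):
        verdict = "likely BSOD trigger"
    elif evidence["both_apis_by_name"]:
        verdict = "suspicious: both APIs resolved by name"
    else:
        verdict = "no match"
    return {"apis": sorted(n.decode() for n in names), "evidence": evidence, "verdict": verdict}


# Constructed sample (not from a real binary): the name strings plus the argument
# pushes for RtlAdjustPrivilege(19, TRUE, FALSE, &old) and
# NtRaiseHardError(0xC0000000, 0, NULL, NULL, OptionShutdownSystem, &resp).
SAMPLE_MALICIOUS = (
    b"ntdll\x00RtlAdjustPrivilege\x00NtRaiseHardError\x00"
    + bytes.fromhex("8D45F8506A006A016A13FFD6")                # lea eax,[ebp-8]; push eax; push 0; push 1; push 13h; call esi
    + bytes.fromhex("8D45FC506A066A006A006A0068000000C0FFD7")  # lea eax,[ebp-4]; push eax; push 6; push 0 (x3); push 0C0000000h; call edi
)
# Constructed benign sample: resolves a different ntdll export, no privilege dance.
SAMPLE_BENIGN = b"ntdll\x00NtQueryInformationProcess\x00" + bytes.fromhex("6A00FFD6")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(blob))
    print(describe_hard_error_call(6, SE_SHUTDOWN_PRIVILEGE))
```

Run it against an unpacked image section or a memory dump rather than a packed file on disk; the name strings only exist in the clear once the loader has resolved them, which is also why a static import-table check alone misses this pattern.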


------
FYI, this is just me learning and documenting from the great Malware Hunter and his YouTube video; none of this is my own.
https://www.youtube.com/watch?v=b0WQwCQGjv4
