Tuesday, October 30, 2018

\\\\.\\PhysicalDrive0 and CreateFileA, MBR overwriting

If you see malware performing this action in Windows assembly:

push ...
push ...
push ...
push ...
push ...
push ...
push offset FileName ; "\\\\.\\PhysicalDrive0"
call ds:CreateFileA

It may be trying to open the entire C drive as one large raw file and write to it, which can be catastrophic.

For example, if you see this followed up with this code:

push 0
push ...
push ...
push ...
push ...
call ds:WriteFile

Where the write offset is 0 (the first sector of the disk), that means it is trying to overwrite your MBR (master boot record).


------
FYI, this is just me learning and documenting from the great Malware Hunter and his YouTube video; none of this is my own.

https://www.youtube.com/watch?v=b0WQwCQGjv4
