Reversing Stuxnet: 2 (Breaking into Mrxnet.sys)

This is how to break into Mrxnet.sys to perform dynamic analysis on Stuxnet:

1) start windbg and hit ctrl+k to attach to a kernel. 

2) start the VM with Suxnet installed on it 

3) manually break(ctrl+break) As Soon As Possible in the boot sequence. 

4) "sxe ld:mrxnet" it's not a very well known fact that an exception is thrown upon driver load (probably to make debugging easier), and then caught so we don't have an unhandled exception. This command breaks when an exception is thrown during the loading of the mrxnet module. 

5) 'g' this will continue execution of the VM until the above exception is thrown 

6) "!dh mrxnet". This will list information about the mrxnet module, including the address of the entry point. Below is the output (notice the value of "address of entry point"):

kd> !dh mrxnet

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES

     14C machine (i386)

       6 number of sections

4B5DAD1C time date stamp Mon Jan 25 09:39:24 2010

       0 file pointer to symbol table

       0 number of symbols

      E0 size of optional header

     102 characteristics

            Executable

            32 bit word machine

OPTIONAL HEADER VALUES

     10B magic #

    8.00 linker version

    1B00 size of code

     A00 size of initialized data

       0 size of uninitialized data

    2005 address of entry point

     480 base of code

         ----- new -----

00010000 image base

      80 section alignment

      80 file alignment

       1 subsystem (Native)

    6.00 operating system version

    6.00 image version

    5.00 subsystem version

    2980 size of image

     480 size of headers

    8352 checksum

00040000 size of stack reserve

00001000 size of stack commit

00100000 size of heap reserve

00001000 size of heap commit

       0  DLL characteristics

       0 [       0] address [size] of Export Directory

    2044 [      28] address [size] of Import Directory

    2380 [     3F8] address [size] of Resource Directory

       0 [       0] address [size] of Exception Directory

    2980 [    1A78] address [size] of Security Directory

    2780 [     154] address [size] of Base Relocation Directory

    1C70 [      1C] address [size] of Debug Directory

       0 [       0] address [size] of Description Directory

       0 [       0] address [size] of Special Directory

       0 [       0] address [size] of Thread Storage Directory

    1D38 [      40] address [size] of Load Configuration Directory

       0 [       0] address [size] of Bound Import Directory

    1C00 [      70] address [size] of Import Address Table Directory

       0 [       0] address [size] of Delay Import Directory

       0 [       0] address [size] of COR20 Header Directory

       0 [       0] address [size] of Reserved Directory

SECTION HEADER #1

   .text name

    1736 virtual size

     480 virtual address

    1780 size of raw data

     480 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

68000020 flags

         Code

         Not Paged

         (no align specified)

         Execute Read

SECTION HEADER #2

  .rdata name

     2B4 virtual size

    1C00 virtual address

     300 size of raw data

    1C00 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

48000040 flags

         Initialized Data

         Not Paged

         (no align specified)

         Read Only

Debug Directories(1)

                Type       Size     Address  Pointer

                cv           44        1d80     1d80            Format: RSDS, guid, 1, b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

SECTION HEADER #3

   .data name

      A0 virtual size

    1F00 virtual address

     100 size of raw data

    1F00 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

C8000040 flags

         Initialized Data

         Not Paged

         (no align specified)

         Read Write

SECTION HEADER #4

    INIT name

     302 virtual size

    2000 virtual address

     380 size of raw data

    2000 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

E2000020 flags

         Code

         Discardable

         (no align specified)

         Execute Read Write

SECTION HEADER #5

   .rsrc name

     3F8 virtual size

    2380 virtual address

     400 size of raw data

    2380 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

42000040 flags

         Initialized Data

         Discardable

         (no align specified)

         Read Only

SECTION HEADER #6

  .reloc name

     1B8 virtual size

    2780 virtual address

     200 size of raw data

    2780 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

42000040 flags

         Initialized Data

         Discardable

         (no align specified)

         Read Only

7) once the exception in part 4 is thrown, a breakpoint  was set on the entry point of mrxnet module by using "bp mrxnet+2005". This command sets a software breakpoint at 0x2005 bytes past the base of the mrxnet module. As seen in step 6, the "address of entry point" of mrxnet.sys is 0x2005.

8) 'g'

9) now, the VM execution should stop at the entry point of the mrxnet module:

Screenshot of a debugger broken in mrxnet.sys

This is the disassembly of DriverEntry in mrxnet.sys as shown in IDA. Notice, it is the same as the disassembly shown in the above windbg screenshot.