This is how to break into Mrxnet.sys to perform dynamic analysis on Stuxnet:
1) Start WinDbg and press Ctrl+K to attach to a kernel target.
2) Start the VM with Stuxnet installed on it.
3) Manually break (Ctrl+Break) as soon as possible in the boot sequence.
4) "sxe ld:mrxnet". It is not a very well known fact that an exception is thrown when a driver is loaded (probably to make debugging easier) and then caught, so there is no unhandled exception. This command makes the debugger break when that exception is thrown while the mrxnet module is being loaded.
5) "g". This continues execution of the VM until the above exception is thrown.
6) "!dh mrxnet". This lists header information about the mrxnet module, including the address of the entry point. Below is the output (notice the value of "address of entry point"):
kd> !dh mrxnet
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
6 number of sections
4B5DAD1C time date stamp Mon Jan 25 09:39:24 2010
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
102 characteristics
Executable
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
8.00 linker version
1B00 size of code
A00 size of initialized data
0 size of uninitialized data
2005 address of entry point
480 base of code
----- new -----
00010000 image base
80 section alignment
80 file alignment
1 subsystem (Native)
6.00 operating system version
6.00 image version
5.00 subsystem version
2980 size of image
480 size of headers
8352 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
0 DLL characteristics
0 [ 0] address [size] of Export Directory
2044 [ 28] address [size] of Import Directory
2380 [ 3F8] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
2980 [ 1A78] address [size] of Security Directory
2780 [ 154] address [size] of Base Relocation Directory
1C70 [ 1C] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
1D38 [ 40] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
1C00 [ 70] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
.text name
1736 virtual size
480 virtual address
1780 size of raw data
480 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
68000020 flags
Code
Not Paged
(no align specified)
Execute Read
SECTION HEADER #2
.rdata name
2B4 virtual size
1C00 virtual address
300 size of raw data
1C00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
48000040 flags
Initialized Data
Not Paged
(no align specified)
Read Only
Debug Directories(1)
Type Size Address Pointer
cv 44 1d80 1d80 Format: RSDS, guid, 1, b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb
SECTION HEADER #3
.data name
A0 virtual size
1F00 virtual address
100 size of raw data
1F00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C8000040 flags
Initialized Data
Not Paged
(no align specified)
Read Write
SECTION HEADER #4
INIT name
302 virtual size
2000 virtual address
380 size of raw data
2000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E2000020 flags
Code
Discardable
(no align specified)
Execute Read Write
SECTION HEADER #5
.rsrc name
3F8 virtual size
2380 virtual address
400 size of raw data
2380 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only
SECTION HEADER #6
.reloc name
1B8 virtual size
2780 virtual address
200 size of raw data
2780 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only
7) Once the exception from step 4 is thrown, set a breakpoint on the entry point of the mrxnet module with "bp mrxnet+2005". This command sets a software breakpoint 0x2005 bytes past the base of the mrxnet module; as seen in step 6, the "address of entry point" of mrxnet.sys is 0x2005.
8) "g"
9) The VM should now stop at the entry point of the mrxnet module:

Screenshot of a debugger broken in mrxnet.sys

This is the disassembly of DriverEntry in mrxnet.sys as shown in IDA. Notice that it is the same as the disassembly in the WinDbg screenshot above.
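As an added example (not part of the original post, and not Stuxnet's real bytes), the following Python script does by hand what steps 6 and 7 rely on !dh for: it parses the PE32 headers of a driver image, pulls out the "address of entry point" RVA, and turns it into the "bp module+RVA" command. The sample image is constructed in memory from the header values printed above (machine 0x14C, entry point 0x2005, image base 0x10000, the .text and INIT section headers); the loaded base 0xF7A12000 in the usage line is a made-up value. Two points the parser makes visible: the breakpoint uses module+RVA rather than ImageBase+RVA because a driver is relocated away from its preferred base (this image even ships a .reloc section), and the entry point 0x2005 falls inside INIT, a discardable section, which is why the breakpoint has to be placed while the driver is still loading.

```python
import struct

# Field offsets inside the PE32 optional header (magic 0x10B), per the PE/COFF spec.
OPT_ENTRY_POINT_OFF = 16   # AddressOfEntryPoint (RVA)
OPT_IMAGE_BASE_OFF = 28    # ImageBase (preferred load address)
OPT_SUBSYSTEM_OFF = 68     # Subsystem (1 = Native, i.e. a kernel driver)
COFF_HDR_FMT = "<HHIIIHH"          # 20-byte IMAGE_FILE_HEADER
SECTION_HDR_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER

IMAGE_SCN_MEM_DISCARDABLE = 0x02000000


def build_sample_pe():
    """Construct a minimal PE32 image in memory (constructed sample, not the real driver).

    Header values are copied from the !dh output in the post: machine 0x14C,
    entry point RVA 0x2005, preferred image base 0x10000, subsystem Native,
    plus the .text and INIT section headers. Section bodies are not included.
    """
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\x00")

    sections = [
        # name,    vsize,  va,     rawsize, rawptr, characteristics
        (b".text", 0x1736, 0x480,  0x1780,  0x480,  0x68000020),
        (b"INIT",  0x302,  0x2000, 0x380,   0x2000, 0xE2000020),
    ]
    coff = struct.pack(COFF_HDR_FMT, 0x14C, len(sections), 0x4B5DAD1C, 0, 0, 0xE0, 0x102)

    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # magic: PE32
    struct.pack_into("<I", opt, OPT_ENTRY_POINT_OFF, 0x2005)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, OPT_IMAGE_BASE_OFF, 0x10000)   # ImageBase
    struct.pack_into("<H", opt, OPT_SUBSYSTEM_OFF, 1)          # Subsystem: Native

    sec_hdrs = b"".join(
        struct.pack(SECTION_HDR_FMT, name, vsize, va, rsize, rptr, 0, 0, 0, 0, flags)
        for name, vsize, va, rsize, rptr, flags in sections
    )
    return dos + b"PE\x00\x00" + coff + bytes(opt) + sec_hdrs


def parse_pe_headers(data):
    """Parse the !dh fields needed to place an entry-point breakpoint."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR_FMT, data, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt_off + OPT_ENTRY_POINT_OFF)[0]
    image_base = struct.unpack_from("<I", data, opt_off + OPT_IMAGE_BASE_OFF)[0]
    subsystem = struct.unpack_from("<H", data, opt_off + OPT_SUBSYSTEM_OFF)[0]

    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii"),
                         "va": va, "vsize": vsize, "flags": flags})
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "subsystem": subsystem, "sections": sections}


def section_for_rva(headers, rva):
    """Return the section header containing the given RVA, or None."""
    for s in headers["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def entry_breakpoint(module, headers, loaded_base=None):
    """Build the step-7 breakpoint command from the parsed entry-point RVA.

    The module+RVA form lets the debugger resolve the base itself; an absolute
    address is only computed when the caller knows where the driver really
    landed, since ImageBase is just the preferred address before relocation.
    """
    cmd = f"bp {module}+{headers['entry_rva']:x}"
    absolute = None if loaded_base is None else loaded_base + headers["entry_rva"]
    return cmd, absolute


def entry_is_discardable(headers):
    """True when the entry point lives in a section the kernel may discard after init."""
    sec = section_for_rva(headers, headers["entry_rva"])
    return sec is not None and bool(sec["flags"] & IMAGE_SCN_MEM_DISCARDABLE)


if __name__ == "__main__":
    hdrs = parse_pe_headers(build_sample_pe())
    cmd, addr = entry_breakpoint("mrxnet", hdrs, loaded_base=0xF7A12000)  # constructed base
    print(cmd, hex(addr), section_for_rva(hdrs, hdrs["entry_rva"])["name"],
          "discardable" if entry_is_discardable(hdrs) else "resident")
```

Running the script prints "bp mrxnet+2005", the absolute address for the made-up base, and confirms the entry point sits in the discardable INIT section; swapping build_sample_pe() for the bytes of a real driver file gives the same fields !dh prints, minus the loaded base, which only the debugger (lm) knows.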
By: Neil Sikka
