Rootkit \\?\globalroot\Device\__max++>\ paths?

Networking/Security Forums -> Exploits // System Weaknesses

Author: xer0syk0    Posted: Fri Oct 02, 2009 3:21 am    Post subject: Rootkit \\?\globalroot\Device\__max++>\ paths?
Hi everyone,

I work on and fix lots of computers with varying degrees of infection by malware/viruses/trojans/rootkits etc.

Lately many rootkit infections on the computers I have been looking at share a common characteristic of being referenced as libraries with this particular path structure:



where XXXXXXX refers to a hex address (I suppose in memory) where the file lies (I guess?) and injects itself into core processes like svchost/alg/lsass/etc. An example of this kind of infection can be found here:

My question is what exactly is this globalroot path?

From what I have searched online, it appears to be called a "mount point" (which Wikipedia describes as a convenient way for an OS to reference files from arbitrary locations in memory or on the hard disk). The only reason I know this is that there is a program called Win32kDiag that seems to reveal these mount points and reveal the location of the actual file on the hard drive. It would be nice if anyone could confirm this information.

Is this path indeed a mount point, or something else? In what ways can you derive the original path of such a path and delete the perpetrating library?

I am well aware that tools such as GMER and other rootkit detection tools can detect the presence of such a globalroot path/rootkit, but they cannot remove them. I have tried to use Kaspersky AVZ scripts to remove such infections with BC_DeleteFile() and DeleteFile(), but they do not work. They are however able to quarantine the file and produce a copy of it.

I have produced such a copy of the quarantined file and uploaded it to VirusTotal ( Perhaps there is a tool that can search for copies of a specific file, like the one I have found? Well, the premise doesn't seem that complicated, so I guess I could code one myself.

So in the case that something like Win32kDiag would fail me, what other ways would there be to combat something like this? (I have not yet had a chance to test the capabilities of Win32kDiag on a machine, I have only seen logs online of people who have this very problem). I am aware that it is possible to simply slave the said hard drive to another computer and scan that hard drive with MBAM or another anti-virus program, but I find that the hardware required to do so may not always be convenient or accessible at the given time.

Thanks for taking the time to read this,

Author: xer0syk0    Posted: Sun Oct 04, 2009 5:57 am    Post subject: solution
Well, it turns out you can only use Win32kDiag to diagnose and remove the problem files.

This is a set of instructions I have written pertaining to the use of Win32k Diag:

Win32kDiag detects mount points or hidden rootkits which inject themselves
into kernel processes via the \\?\globalroot\device\__max++\XXXXXXXX.x86.dll method.
This can be discovered by GMER/DarkSpy/other rootkit detectors which detect ADS's/SSDT.

The program is command line and will produce a log of all of the mount points it finds.
The files shown are not necessarily all malicious; warning flags or entries will usually
be denoted by the message "could not open/access file". These files are worth
investigating. If you happen upon a file that cannot be FileAlyzed, cannot be copied,
moved, deleted, or renamed (or cannot be handled by Unlocker) and does not show information
about its manufacturer, chances are you have found the malicious library/program.

Search for "DLL" in your Win32kDiag log if you have the XXXXXXXX.x86.dll infection.
If you have a different kind of globalroot path infection, simply look for executables
that match the above criteria.

You can then manually seek out these files and delete/replace them using Unlocker or
by other methods (slaving the hard drive to another computer, or accessing the hard drive
outside of Windows via a boot disc/recovery console). It is often a wise idea to replace files
with versions from other working computers (for example, replacing an infected shell or critical component).
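As an added example (not from the thread and not part of Win32kDiag), the following Python classifies module paths the way the posts above describe: a `\\?\globalroot\Device\...` prefix that is the target of a drive letter (what QueryDosDevice reports on a live host) can be rewritten to an ordinary path, while a device no volume owns, such as `__max++>`, cannot and is flagged. The drive map and the module list are constructed sample data, and the `.dll` file name is made up.

```python
import re
from typing import Dict, List

# Constructed drive-letter -> NT device map. On a live Windows host this comes
# from QueryDosDeviceW("C:", ...) for each letter; the values below are made up.
SAMPLE_DRIVE_MAP: Dict[str, str] = {
    "C:": r"\Device\HarddiskVolume1",
    "D:": r"\Device\HarddiskVolume2",
}

# \\?\globalroot\... and \\.\GLOBALROOT\... both enter the NT object manager
# namespace root; Windows paths are case-insensitive, so match accordingly.
_GLOBALROOT = re.compile(r"^\\\\[?.]\\globalroot(\\device\\.+)$", re.IGNORECASE)


def resolve_globalroot(path: str, drive_map: Dict[str, str] = SAMPLE_DRIVE_MAP) -> dict:
    """Classify one module path.

    'plain'          - not a globalroot path at all
    'volume'         - the \\Device\\... prefix is a drive letter's target, so the
                       same file is reachable at the returned drive-letter path
    'unknown_device' - no volume owns that device object; the file is only
                       reachable through the device (the thread's __max++> case)
    """
    m = _GLOBALROOT.match(path)
    if not m:
        return {"kind": "plain", "path": path}
    nt_path = m.group(1)                      # e.g. \Device\HarddiskVolume1\x.dll
    for letter, device in drive_map.items():
        # Require the separator so HarddiskVolume1 does not match HarddiskVolume10.
        if nt_path.lower().startswith(device.lower() + "\\"):
            return {"kind": "volume", "path": letter + nt_path[len(device):]}
    device_name = nt_path.split("\\")[2]      # the component after \Device\
    return {"kind": "unknown_device", "device": device_name, "path": path}


def flag_suspicious_modules(module_paths: List[str]) -> List[dict]:
    """Return the globalroot entries that cannot be mapped back onto any volume."""
    return [r for r in (resolve_globalroot(p) for p in module_paths)
            if r["kind"] == "unknown_device"]


# Constructed module list, as a process lister might report for svchost.exe.
SAMPLE_MODULES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"\\?\globalroot\Device\HarddiskVolume1\WINDOWS\system32\ntdll.dll",
    r"\\?\globalroot\Device\__max++>\8bcd3f10.x86.dll",   # constructed file name
]

if __name__ == "__main__":
    for hit in flag_suspicious_modules(SAMPLE_MODULES):
        print(f"suspicious: {hit['path']} (device {hit['device']})")
```

A module that resolves to a volume path can be inspected on disk by that path; one behind an unowned device is the candidate for the offline (slaved drive or boot disc) handling the post recommends.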


Author: RoboGeek    Location: LeRoy, IL    Posted: Sun Oct 04, 2009 8:58 pm    Post subject:
What you have found is the two ways rootkits infect systems. The first is normally a user mode infection that hooks files. The one that hides much better uses DKOM to infect and hide itself.

Rootkits come in two forms: user mode and kernel mode, and rootkits hide by either hooking files, or DKOM (Direct Kernel Object Manipulation).

That's a big reason why if your PC is rooted, you can't trust the output from ANY software - HJT, MalwareBytes, Spybot, etc.

Win32kDiag can be tricked too.

Hooked files like in your post are fairly easy since they show themselves to programs like Icesword and RKU.

Author: xer0syk0    Posted: Sun Oct 04, 2009 10:06 pm    Post subject: hmmm
That's what I would expect as well...

But in that case, what are some methods to remove rootkits that don't rely on traditional scanning programs or diagnostic outputs?

Or would you simply employ all of those tools on the system in question from outside the operating system so the rootkit never intercepts the kernel messages?

Your advice is greatly appreciated.


Author: Gundamrx793    Posted: Sat Nov 07, 2009 11:02 pm    Post subject:

I'm just wondering, but what exactly does Win32kDiag do? Because I currently have a Trojan Zlob.Kh virus... and the path is the same as what you entered...

And how hard is it to remove the Trojan with Win32kDiag?


All times are GMT + 2 Hours