System to bypass a compromised mass storage device driver stack and method thereof

US 9,275,229 B2
Filed: 03/15/2012
Issued: 03/01/2016
Est. Priority Date: 03/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method to circumvent malicious software in a computing device, the method comprising the steps of:

identifying a dump port driver having a function;

transmitting at least one command configured to obtain information related to a physical hardware device, the physical hardware device (i) in communication with the computing device and (ii) configured to execute an I/O command;

exploiting data from an information leak to (i) locate a dump port device extension and (ii) initialize a memory space; and

causing the function to be executed for transmission of the I/O command to the physical hardware device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method to circumvent malicious software via a system configured to bypass a device driver stack and, consequently, also bypass the malicious software that may be adversely affecting the device driver stack by using an alternative stack such as a crash dump I/O stack. The crash dump I/O stack is poorly documented relative to the device driver stack and functions independently from the device driver stack.

174 Citations

27 Claims

1. A method to circumvent malicious software in a computing device, the method comprising the steps of:
- identifying a dump port driver having a function;
  
  transmitting at least one command configured to obtain information related to a physical hardware device, the physical hardware device (i) in communication with the computing device and (ii) configured to execute an I/O command;
  
  exploiting data from an information leak to (i) locate a dump port device extension and (ii) initialize a memory space; and
  
  causing the function to be executed for transmission of the I/O command to the physical hardware device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein the physical hardware device includes a mass storage area.
  - 3. The method of claim 2, further comprising the step of:
    - initializing a request block to specify a READ command or specify a WRITE command.
  - 4. The method according to claim 1,wherein,the physical hardware device is a mass storage device, andthe identification of the dump port driver includes searching a loaded module list for one of a plurality of names to identify the dump port driver for the mass storage device.
  - 5. The method according to claim 4, wherein the one of the plurality of names contains a prefix.
  - 6. The method according to claim 4, wherein the identification of the dump port driver includes verifying the identified dump port driver is correct by parsing an export table.
  - 7. The method according to claim 1, wherein the physical hardware device is a mass storage device configured to contain debugging data for use during a critical system crash of the computing device.
  - 8. The method according to claim 7, wherein the debugging data is core dump data.
  - 9. The method according to claim 1, wherein the at least one command includes (i) a first command configured to obtain at least one of a target identification, a path, and a logical unit number, and (ii) a second command configured to obtain a hardware register.
  - 10. The method according to claim 1, wherein the function is at least one of a start in/out function and a DispatchCrb function.
  - 11. The method of claim 1,wherein,the data is a memory pointer to the dump port device extension.
  - 12. The method of claim 1,wherein,the dump port device extension is located by calling to a function of the dump port driver and receiving the dump port device extension address.

13. A method to circumvent malicious software in a computing device via a physical hardware device linked to a computing device, the method comprising:
- identifying a dump port driver;
  
  getting boot device information to enable transmission of an I/O command to a boot device;
  
  determining an entry point for a function for transmitting the command to the physical hardware device;
  
  exploiting data from an information leak to (i) locate a dump port device extension and (ii) initialize a memory space; and
  
  causing the function to be executed for transmission of the command to the physical hardware device.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13,wherein,the data is a memory pointer to the dump port device extension.
  - 15. The method of claim 13,wherein,the dump port device extension is located by (i) calling to a function of the dump port driver and (ii) receiving a dump port device extension address.
  - 16. The method of claim 13,wherein,the physical hardware device is a mass storage device, andfurther comprising the step of initializing a request block to specify a READ command or specify a WRITE command.
  - 17. The method of claim 13,wherein,the data is from an internal source that is unintentionally exposed to an external source.

18. A system to command a physical hardware device in communication with a computing device, the system comprising:
- a bypass command driver configured to identify a dump port driver, obtain boot device information, find a function, locate a dump port device extension and initialize a memory space, and call the function, the dump port driver in communication with the bypass command driver;
  
  a computer program comprising the function, the function configured to transmit a command to the physical hardware device;
  
  a mini port driver in communication with the dump port driver;
  
  a bus driver in communication with the mini port driver and the dump port driver;
  
  a hardware bus in communication with the bus driver; and
  
  a physical hardware device in communication with the hardware bus,wherein,the bypass command driver is configured to locate the dump port device extension using data obtained from an information leak.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The system of claim 18, wherein the function is configured (i) for storage in the dump port driver and (ii) to transmit the command via the bus driver.
  - 20. The system of claim 18, further comprising:
    - a request block that includes a command descriptor block configured to be initialized with the command.
  - 21. The system of claim 18,wherein,the physical hardware device is a mass storage device, andthe command is a READ or a WRITE command.
  - 22. The system of claim 18, wherein the physical hardware device is a boot device.
  - 23. The system of claim 18, further comprising:
    - a memory space to send or receive data transferred as a result of execution of the command.
  - 24. The system of claim 18,wherein,the bypass command driver is configured to execute an operation to exploit the information leak.
  - 25. The system of claim 18,wherein,the operation to exploit the information leaked is executed by after executing an operation to obtain boot device information.
  - 26. The system of claim 18,wherein,the data is from an internal source that is unintentionally exposed to an external source.

27. A method to circumvent malicious software in a computing device, the method comprising the steps of:
- identifying a dump port driver having a function;
  
  transmitting at least one command configured to obtain information related to a physical hardware device, the physical hardware device (i) in communication with the computing device and (ii) configured to execute an I/O command;
  
  locating a dump port device extension using an information leak; and
  
  causing the function to be executed for transmission of the I/O command to the physical hardware device,wherein,the information leak is data from an internal source that is unintentionally exposed to an external source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
Mandiant LLC (Alphabet Inc.)
Inventors
LeMasters, Aaron
Primary Examiner(s)
Patel, Nirav B
Assistant Examiner(s)
Waliullah, Mohammed

Application Number

US13/421,843
Publication Number

US 20130247186A1
Time in Patent Office

1,447 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/568   eliminating virus, restorin...

G06F 21/572   Secure firmware programming...

G06F 21/85   interconnection devices, e....

G06F 2221/033   Test or assess software

System to bypass a compromised mass storage device driver stack and method thereof

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

System to bypass a compromised mass storage device driver stack and method thereof

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others