Skip to content

Instantly share code, notes, and snippets.

@hfiref0x

hfiref0x/zam.md

Created Feb 26, 2020
Embed
What would you like to do?
MalwareFox ZAM backdoor IOCTL list

ZAM64.SYS (ZAMGUARD64.SYS) most interesting IOCTLs.

All parameters to the functions supplied from user-mode via DeviceIoControl parameters. Everything from this available for any local user on machine where this driver is running.

0x8000202C

Arbitrary file deletion. Resets file attributes via ZwSetInformationFile and then does ZwDeleteFile.

0x80002030

Wrapper around ZwQuerySystemInformation(SystemProcessInformation).

0x80002034

Enumerate process modules for given PID. Does ZwOpenProcess/ObReferenceObjectByHandle/KeStackAttachProcess and walks loader list.

0x80002038

Creates registry key with full access, handle returned to user-mode.

0x8000203C

Deletes arbitrary registry key.

0x80002058

Deletes arbitrary registry value.

0x80002020

Returns information about given loaded image - ZwQuerySystemInformation(SystemModuleInformation).

0x8000200C

Modify arbitrary driver object.

0x80002010

Add requester process id to the list of trusted processes (must be called first before calling other IOCTLs).

0x80002014

Read arbitrary disk sectors using SCSI request.

0x80002018

Write arbitrary disk sectors using SCSI request.

0x8000201C

Open arbitrary physical drive.

0x80002084

Open thread by id and return handle to user-mode (wrapper around ZwOpenThread).

0x80002048

Terminate process by id, will not terminate critical processes (ZwOpenProcess/ZwTerminateProcess).

0x8000204C

Open process by id. Forces CurrentThread->PreviousMode to KernelMode by patching it and calls NtOpenProcess if Windows build is known. Otherwise it defaults to usual ZwOpenProcess.

0x8000205C

Returns information about files in the directory specified by the file handle by direct talking to device via IRP. Basically it is reimplemented ZwQueryDirectoryFile.

@ghost

This comment has been minimized.

Copy link

@ghost ghost commented Feb 26, 2020

You are a god of reverse engineering

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment