Process-patching, the Dorf way

During a quiet Sunday afternoon in Vancouver, I decided to have a peek inside the latest dropped Dorf sys files, since I haven’t looked into them personally for a little while. Two layers of decryption later, and I saw a slight twist on an old technique – the sys file calls PsSetLoadImageNotifyRoutine to get Windows to tell it every time a new process is started.

Dorf sys - PsSetLoadImageNotifyRoutine

A fairly usual next step would be to kill the process if it’s one that the malware doesn’t like, and indeed the Dorf sys file checks the filename against an internal list and terminates ones that match … if necessary. But in fact it would rather patch the process than stop it – it makes an attempt to patch the entry point of loading processes that might be a threat to it, so that when they run they just immediately return a value of 0.

Dorf sys - patching the entry point

This means that programs, including not just AV exes, dlls and sys files, but also software such as the P2P applications BearShare and eDonkey, will appear to run successfully, even though they didn’t actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside.