The “PsGetCurrentProcessId” function exported by the infected “ntoskrnl.exe” Windows PE file is hooked in order to execute malicious code whenever the function is imported and called from other processes.
The malicious hooked code contains two executable PE files that get called in the process.
The first one is a kernel-level PE file that executes the second one, which is a SpamBot Trojan.
The hooked “PsGetCurrentProcessId” function checks for the presence of the kernel-level PE file inside the code and rebuilds the imports of the driver-level functions the file uses. The functions’ addresses are resolved by searching for them in the memory of the mapped module files. The virus repairs and reconstructs the imports and relocations of the kernel-level resident PE file so that it can execute functions from it inside the original “ntoskrnl.exe” file.
After that, the malicious code passes a decryption key to the kernel-level PE file and calls a function exported by that file.
When the function is called, the infected file decrypts a third PE file (which is the SpamBot) and registers a driver-supplied callback that is subsequently notified whenever an image is loaded for execution. When it detects that explorer.exe is being loaded for execution, it creates a second thread that will make explorer.exe execute the SpamBot.
It first iterates through the explorer.exe threads searching for an alertable thread and attaches to that thread in such a way that a function of the kernel-level PE file is executed from explorer.exe.
When the function is called, it walks the kernel32.dll exports and computes a hash for each function name. It then compares these hashes with the hashes of the following functions: VirtualAlloc, VirtualFree, GetModuleHandleA, LoadLibrary and GetProcAddress, and saves their addresses in a structure. Using these functions it rebuilds the import, export and reloc sections of the SpamBot. Now that the SpamBot is fixed up, the kernel-level PE file runs it.
However, neither the kernel-level file nor the SpamBot file is present on disk, so they can only be detected in memory. The SpamBot also does not create a separate process, which gives it rootkit behavior.
What makes the kernel-level PE file more dangerous is that it can decrypt, inject and execute any file into explorer.exe, not only this specific SpamBot.
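Since both payloads exist only in memory and the one visible change on disk is a patched export, the two checks a responder can run are carving PE headers out of raw memory and comparing an exported function's prologue on disk with its mapped copy. The following Python is an added example, not code from the original analysis: the PE header, the memory region and the prologue bytes are all constructed, and the carving limits are heuristics.

```python
import struct

# Constructed sample: a minimal PE header (DOS header + "PE\0\0" + COFF header)
# standing in for an image that exists only in memory, never on disk.
def build_fake_pe(machine=0x8664, nsections=3, e_lfanew=0x40):
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff

def build_sample_dump():
    """Constructed region: padding, a decoy 'MZ' with no PE header, the fake image at 0x240."""
    filler = b"\x00" * 0x100
    decoy = b"MZ" + b"\x90" * 0x3E
    return filler + decoy + filler + build_fake_pe() + filler

def find_pe_images(buf):
    """Heuristic carve of PE headers; returns (offset, machine, section_count) per hit."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            hdr = pos + e_lfanew
            # e_lfanew must be sane and the NT signature must follow it
            if 0x40 <= e_lfanew < 0x1000 and hdr + 24 <= len(buf) \
                    and buf[hdr:hdr + 4] == b"PE\0\0":
                machine, nsections = struct.unpack_from("<HH", buf, hdr + 4)
                if machine in (0x14C, 0x8664) and 0 < nsections <= 96:
                    hits.append((pos, machine, nsections))
        pos = buf.find(b"MZ", pos + 1)
    return hits

# Constructed prologue bytes (not the real function body) for an exported routine
# such as PsGetCurrentProcessId, clean and with a 5-byte relative jump patched in.
CLEAN_PROLOGUE = bytes.fromhex("4883ec28488b0425880100004883c428c3")
HOOKED_PROLOGUE = bytes.fromhex("e9fb0f0000") + CLEAN_PROLOGUE[5:]

def detect_export_hook(disk_code, mem_code, n=16):
    """Compare the first n bytes of an export on disk with the mapped copy; None if clean."""
    if disk_code[:n] == mem_code[:n]:
        return None
    if mem_code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", mem_code, 1)[0]
        return f"jmp rel32 ({rel:+#x})"
    if mem_code[:2] == b"\xff\x25":               # jmp [rip+disp32] / jmp [abs]
        return "jmp indirect"
    return "prologue modified"
```

On a live system the disk bytes come from the file's export RVA mapped through its section table and the memory bytes from the loaded module at the same RVA; a reported difference on a hot export is the signal to carve the surrounding memory for the headerless payloads.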