NoVirusThanks DOS Device Inspector is a highly specialized system utility used in malware analysis to view, audit, and analyze Windows DosDevices object namespaces and symbolic links. In Windows, MS-DOS device names (like C:, COM1, or custom driver names) are symbolic links pointing to actual kernel device objects (like \Device\HarddiskVolume1). Rootkits and advanced malware frequently manipulate these links to hide files, intercept disk requests, or bypass security tools.

Core Use Cases in Malware Analysis

Malware analysts utilize this tool during dynamic and behavioral analysis to catch kernel-level tampering:

Detecting Rootkit Hiding Techniques: Some rootkits create fake or altered symbolic links to redirect security software away from the actual malicious files or directories.

Auditing Driver-to-User Mode Communications: Malware that drops a kernel driver creates a symbolic link in the \DosDevices namespace to allow its user-mode component to send commands. This tool reveals those hidden communication channels.

Analyzing Device Hijacking: Ransomware or low-level wiper malware may re-route standard drive letters (like D:) to unallocated space or virtual malicious devices to block system recovery.

Step-by-Step Guide to Using the Tool

Because you are dealing with live kernel-level objects, always execute these steps inside a secure, isolated sandbox or virtual machine (such as Flare VM):

1. Take a Baseline (Pre-Detonation)

Before running the suspicious malware sample, open DOS Device Inspector. Take a screenshot or export the list of existing symbolic links and their target kernel destinations. This establishes what your clean system environment looks like.

2. Run the Malware Sample

Detonate the malware sample in your isolated environment. Allow it sufficient time to execute its payload, drop its drivers, or attempt to modify system structures.

3. Inspect the Object Namespaces

Refresh or re-run the DOS Device Inspector to check for changes across three critical areas:

Global Namespaces (\DosDevices): Look for newly created drive letters or strangely named communication pipes.

Local Session Namespaces: Check for links restricted to specific user sessions, which user-mode malware often uses to evade system-wide scanners.

Target Mismatches: Look closely at standard drive letters. Ensure C: still points to the correct hardware volume (e.g., \Device\HarddiskVolumeX) and hasn't been redirected to a malicious driver object.

4. Cross-Reference with Behavioral Logs

If you find a suspicious new DOS device entry or symbolic link:

Copy the symbolic link name or the target device object string.

Open a behavioral logger like Sysinternals Process Monitor (ProcMon) or Process Hacker.

Filter your capture by the DeviceIoControl or CreateFile APIs to see exactly which malicious process created or interacted with that specific device name.

Complementary Tools

To get a full picture of the threat, pair DOS Device Inspector with other specialized analysis utilities:

WinObj (Sysinternals): For broader exploration of the entire Windows Object Manager namespace.

Device Tree: To visualize the relationships between drivers and device objects.

OSArmor: Another utility by NoVirusThanks that can block the execution of suspicious processes trying to bypass these system limits.
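The baseline-then-diff workflow from steps 1 to 4 of the guide above can also be scripted, which is useful when you want a repeatable export rather than a screenshot. The following is an added example written for this page; it is not code from NoVirusThanks or from the original post. It enumerates the caller's view of the DosDevices namespace through the documented Win32 API kernel32!QueryDosDeviceW (the enumeration part therefore only runs on Windows), saves it as JSON, and reports links that appeared, disappeared, or changed target after detonation. The list of target prefixes considered normal for a drive letter is a triage heuristic assumed here, not an exhaustive list of legitimate device paths, and the two sample snapshots are constructed data for demonstration.

```python
"""Baseline-and-diff of the Windows DosDevices namespace (added example)."""
import ctypes
import json
import sys
from typing import Dict, List, Tuple

Snapshot = Dict[str, List[str]]          # {dos_name: [current_target, older_targets...]}
Finding = Tuple[str, str, str, str]      # (kind, name, old_target, new_target)

# Assumption: device prefixes that normally back a drive letter (triage heuristic only).
EXPECTED_DRIVE_TARGET_PREFIXES = (
    "\\Device\\HarddiskVolume",    # local fixed volume
    "\\Device\\CdRom",             # optical drive
    "\\Device\\LanmanRedirector",  # mapped network drive
    "\\??\\",                      # SUBST-style link to a path under another letter
)


def parse_multi_sz(text: str) -> List[str]:
    """Split a NUL-separated, double-NUL-terminated string list (REG_MULTI_SZ style)."""
    return [s for s in text.split("\x00") if s]


def enumerate_dos_devices() -> Snapshot:
    """Live snapshot via kernel32!QueryDosDeviceW. Windows only.
    lpDeviceName=NULL lists every name; querying a name returns its target(s),
    and for drive letters older targets may follow the current one."""
    if sys.platform != "win32":
        raise OSError("QueryDosDeviceW is only available on Windows")
    from ctypes import wintypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    query = kernel32.QueryDosDeviceW
    query.argtypes = [wintypes.LPCWSTR, wintypes.LPWSTR, wintypes.DWORD]
    query.restype = wintypes.DWORD
    ERROR_INSUFFICIENT_BUFFER = 122

    def query_multi_sz(name):
        size = 1 << 16
        while True:  # grow the buffer until the MULTI_SZ result fits
            buf = ctypes.create_unicode_buffer(size)
            n = query(name, buf, size)
            if n:
                return parse_multi_sz(buf[:n])
            err = ctypes.get_last_error()
            if err != ERROR_INSUFFICIENT_BUFFER:
                raise ctypes.WinError(err)
            size *= 2

    snapshot: Snapshot = {}
    for name in query_multi_sz(None):
        try:
            snapshot[name] = query_multi_sz(name)
        except OSError:
            continue  # link vanished between the two calls; skip it
    return snapshot


def _primary(targets: List[str]) -> str:
    return targets[0] if targets else ""


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Report links that were added, removed, or re-pointed since the baseline."""
    findings: List[Finding] = []
    for name in sorted(set(baseline) | set(current)):
        old, new = _primary(baseline.get(name, [])), _primary(current.get(name, []))
        if name not in baseline:
            findings.append(("new_link", name, "", new))
        elif name not in current:
            findings.append(("removed_link", name, old, ""))
        elif old != new:
            findings.append(("target_changed", name, old, new))
    return findings


def check_drive_letters(snapshot: Snapshot) -> List[Finding]:
    """Flag drive letters whose current target lies outside the expected prefixes
    (the 'target mismatch' check from step 3, independent of any baseline)."""
    findings: List[Finding] = []
    for name, targets in sorted(snapshot.items()):
        if len(name) == 2 and name[1] == ":" and name[0].isalpha():
            target = _primary(targets)
            if not target.startswith(EXPECTED_DRIVE_TARGET_PREFIXES):
                findings.append(("unexpected_drive_target", name, "", target))
    return findings


# Constructed sample snapshots (not captured from a real system).
BASELINE_SAMPLE: Snapshot = {
    "C:": ["\\Device\\HarddiskVolume3"],
    "D:": ["\\Device\\HarddiskVolume4"],
    "COM1": ["\\Device\\Serial0"],
    "PhysicalDrive0": ["\\Device\\Harddisk0\\DR0"],
}
POST_SAMPLE: Snapshot = {
    "C:": ["\\Device\\HarddiskVolume3"],
    "D:": ["\\Device\\SampleDrv", "\\Device\\HarddiskVolume4"],  # re-pointed; old target kept as history
    "COM1": ["\\Device\\Serial0"],
    "PhysicalDrive0": ["\\Device\\Harddisk0\\DR0"],
    "SampleCtl": ["\\Device\\SampleDrv"],                         # new driver control link
}


def main(argv: List[str]) -> None:
    # usage: python dosdev_diff.py baseline   (step 1: write baseline.json)
    #        python dosdev_diff.py compare    (step 3: diff live namespace against it)
    if argv[1:] == ["demo"]:
        findings = diff_snapshots(BASELINE_SAMPLE, POST_SAMPLE) + check_drive_letters(POST_SAMPLE)
    elif argv[1:] == ["baseline"]:
        with open("baseline.json", "w") as f:
            json.dump(enumerate_dos_devices(), f, indent=1)
        return
    else:
        with open("baseline.json") as f:
            baseline = json.load(f)
        live = enumerate_dos_devices()
        findings = diff_snapshots(baseline, live) + check_drive_letters(live)
    for kind, name, old, new in findings:
        print(f"{kind:24} {name:<16} {old!r} -> {new!r}")


if __name__ == "__main__":
    main(sys.argv)
```

Run `python dosdev_diff.py demo` on any platform to see the report for the constructed snapshots; on a Windows analysis VM, run `baseline` before detonation and `compare` afterwards. A `new_link` or `target_changed` finding is the string to carry into ProcMon for step 4. Note that QueryDosDeviceW returns the calling session's view of the namespace, so per-session (local) links show up only when the script runs in that session.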
