Dailydave mailing list archives
Re: modGREPER - hidden kernel modules detector
From: rd <rd () thc org>
Date: Fri, 24 Jun 2005 18:40:41 +0700
James Butler wrote:
Joanna, We (Sherri and I) had already defeated this detection mechanism before you released it. Perhaps you should see: http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Sparks
[snip]
modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through the whole kernel memory in order to find structures which look like valid module description objects. Currently the two most important object types are recognized: the well known _DRIVER_OBJECT and _MODULE_DESCRIPTION. GREPER has some sort of artificial intelligence built in, which allows it to recognize if the given bytes actually describe a module-specific object. The term AI for this algorithm is probably a little bit exaggerated, since it is just a few bunches of logical rules which should be satisfied by the potential fields of the structure in question...
hi,

I'm not into the Windows kernel part, so this is just my opinion :) . I think this kind of detection (by searching for module structures in kernel memory) could be defeated easily by cleaning up/freeing unnecessary fields (which could be used to identify the structure as the module structure), by zeroing out or writing random data to the original module structure (of course you should not overwrite important data such as function pointers or so).

This might be similar to module hiding in Linux, in which cleaner.c (by stealth/teso) unlinks the module structure to hide the module, while KSTAT (by s0ftpr0ject) searches /dev/kmem for module structures to detect hidden modules. My modclean tool, which was written a few years ago, solves this problem simply by cleaning up the module structure as well as its symbols (to avoid detection by tools which search for module symbols) after unlinking the module in order to hide the kernel module.

cheers,
--rd

--
rd <rd () thc org> - The Hacker's Choice - http://www.thc.org
PGP Key Fingerprint - E18F 6CE8 E12B 3306 80D9 6B5A 364B 1D77 71BB 82EF

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
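The argument rd makes above (a rule-based scan of kernel memory keys on descriptor fields, so scrubbing the fields the driver no longer needs defeats it while the fields it still needs stay intact) can be shown in miniature. The following is an added example written for this page, not code from modGREPER, modclean or anyone in the thread. The `toy_module` layout, the `TOY_MAGIC` value, the field rules and the fake kernel region `g_kmem` are all hypothetical stand-ins; the real _DRIVER_OBJECT is laid out differently and the real rules are not published here.

```c
/*
 * Added example (not from the thread): a toy modGREPER-style scan over a
 * fake kernel region, and the descriptor-scrubbing evasion rd describes.
 * Layout, magic value and rules are hypothetical; 32-bit Windows VAs assumed.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_MAGIC 0x4D4F4455u      /* "MODU", hypothetical signature field */

struct toy_module {
    uint32_t magic;
    uint32_t image_base;           /* kernel VA of the driver image */
    uint32_t image_size;
    uint32_t dispatch;             /* VA of an entry point the driver still needs */
    char     name[32];             /* e.g. "tcpip.sys" */
};

static uint8_t g_kmem[8192];       /* constructed fake kernel memory, all zero */

/* Rule: name is NUL-terminated, non-empty, printable and ends in ".sys". */
static int name_is_plausible(const char name[32])
{
    size_t n = 0;
    while (n < 32 && name[n] != '\0') {
        if (!isprint((unsigned char)name[n])) return 0;
        n++;
    }
    if (n == 0 || n == 32) return 0;          /* empty or not terminated */
    return n >= 5 && strcmp(name + n - 4, ".sys") == 0;
}

/* The "few bunches of logical rules": every field must satisfy its rule. */
static int looks_like_module(const uint8_t *kmem, size_t len, size_t off)
{
    struct toy_module m;
    if (off + sizeof m > len) return 0;
    memcpy(&m, kmem + off, sizeof m);          /* unaligned-safe read */
    if (m.magic != TOY_MAGIC) return 0;
    if (m.image_base < 0x80000000u || (m.image_base & 0xFFFu)) return 0;
    if (m.image_size < 0x1000u || m.image_size > 0x1000000u) return 0;
    if (m.dispatch < m.image_base ||
        (uint64_t)m.dispatch >= (uint64_t)m.image_base + m.image_size) return 0;
    return name_is_plausible(m.name);
}

/* Walk the whole region at a 4-byte stride; record matching offsets. */
size_t scan_modules(const uint8_t *kmem, size_t len, size_t found[], size_t max_found)
{
    size_t n = 0;
    for (size_t off = 0; off + sizeof(struct toy_module) <= len; off += 4) {
        if (looks_like_module(kmem, len, off)) {
            if (n < max_found) found[n] = off;
            n++;
        }
    }
    return n;
}

/* Write a well-formed descriptor, as the loader would for a real driver. */
void plant_module(uint8_t *kmem, size_t off, uint32_t base, uint32_t size,
                  uint32_t dispatch, const char *name)
{
    struct toy_module m;
    memset(&m, 0, sizeof m);
    m.magic = TOY_MAGIC;
    m.image_base = base;
    m.image_size = size;
    m.dispatch = dispatch;
    strncpy(m.name, name, sizeof m.name - 1);
    memcpy(kmem + off, &m, sizeof m);
}

/* rd's evasion: scrub the fields the scanner keys on but the driver no
 * longer needs (magic, size, name); leave the ones it does need intact. */
void clean_module(uint8_t *kmem, size_t off)
{
    struct toy_module m;
    memcpy(&m, kmem + off, sizeof m);
    m.magic = 0;
    m.image_size = 0;
    memset(m.name, 0, sizeof m.name);
    memcpy(kmem + off, &m, sizeof m);
}

/* What the driver still relies on after cleaning: its dispatch pointer. */
uint32_t module_dispatch(const uint8_t *kmem, size_t off)
{
    struct toy_module m;
    memcpy(&m, kmem + off, sizeof m);
    return m.dispatch;
}

int main(void)
{
    size_t found[8];
    plant_module(g_kmem, 0x100, 0xF7A00000u, 0x8000u,  0xF7A01234u, "rootkit.sys");
    plant_module(g_kmem, 0x900, 0xF7B00000u, 0x20000u, 0xF7B10000u, "tcpip.sys");
    printf("before cleaning: %zu descriptor(s)\n", scan_modules(g_kmem, sizeof g_kmem, found, 8));
    clean_module(g_kmem, 0x100);
    printf("after cleaning:  %zu descriptor(s), dispatch still 0x%08x\n",
           scan_modules(g_kmem, sizeof g_kmem, found, 8), module_dispatch(g_kmem, 0x100));
    return 0;
}
```

Two descriptors are found before cleaning and one after, while the cleaned module's dispatch pointer is unchanged, which is exactly the trade-off in the reply: the scanner's rules only work on fields the attacker is free to destroy. A scanner that wants to survive this has to key on state the driver cannot give up (live function pointers reachable from dispatch tables, mapped code pages) rather than on descriptive fields.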
Current thread:
- modGREPER - hidden kernel modules detector Joanna Rutkowska (Jun 06)
- <Possible follow-ups>
- Re: modGREPER - hidden kernel modules detector joanna (Jun 07)
- Re: modGREPER - hidden kernel modules detector Mark (Jun 07)
- Re: modGREPER - hidden kernel modules detector James Butler (Jun 07)
- Re: modGREPER - hidden kernel modules detector Joanna Rutkowska (Jun 07)
- Re: modGREPER - hidden kernel modules detector rd (Jun 24)
- Re: modGREPER - hidden kernel modules detector Mark (Jun 25)
- Re: modGREPER - hidden kernel modules detector Joanna Rutkowska (Jun 07)