Dailydave mailing list archives
New book - Rootkits: Subverting the Windows Kernel
From: "James Butler" <james.butler () hbgary com>
Date: Thu, 21 Jul 2005 11:57:29 -0400
<Commercial ... So set your Tivo properly> Rootkits: Subverting the Windows Kernel http://www.amazon.com/exec/obidos/redirect?link_code=ur2&camp=1789&tag=rootk it-20&creative=9325&path=tg/detail/-/0321294319/qid=1117165919/sr=8-6/ref=sr _8_xs_ap_i6_xgl14?v=glance%26s=books%26n=507846 The lack of existence of a definitive book on rootkits led Greg Hoglund and I to author a one that we believe will fill the void. Much in the same way as the Shellcoders Handbook and Exploiting Software did for the field of vulnerability discovery and exploitation. The book covers the subject matter in-depth going as far as to answering a number of questions posed over time on the forums at rootkit.com. Such as: - Hooking the system call table - Circumventing memory protections - Hooking the Interrupt Descriptor Table (IDT) - Hooking the SYSENTER instruction. - Covert communications - Interacting with hardware Our book doesn't answer these questions with theory. Instead, we use hard hitting functional code examples that can be compiled and used "off the shelf". Readers who aren't new to rootkits and hooking should still enjoy the section on hooking user land processes from the kernel utilizing a method that does not require calls to OpenProcess(), VirtualProtectEx(), WriteVirtualMemory() etc. Ever curious about how DKOM and the FU rootkit really work? See Chapter 7 that provides the complete play by play. Included in the DKOM chapter you will find a section on synchronization. Yes, that's right - information is provided allowing one to modify shared data structures in a multiple CPU safe manner without trying to find unexported spinlocks and mutexes. Want to hide local network ports? Complete source code is detailed and included in a section on hooking. It describes the structures TCPIP.SYS uses and how to alter them such as to confuse netstat and similar programs. If you're still not totally convinced that rootkits may need to be put on the agenda for your next meeting with the CIO or CTO of your company then consider the following. What happens once an attacker has popped a box? Either using a product like Canvas, Core Impact, or using a free tool like Metasploit? More and more focus has been put into getting into the kernel after exploiting a system service. Remember Barnaby Jack's paper? If you think your CIO or CTO will respond with, "Well we have a great IDS and run HIPS on our exposed machines.", consider this: There are no signatures currently for kernel shellcode and even if there were bypassing an IDS is much like going through airport security (don't look suspicious). Most HIPS products do not completely protect you from kernel infection. Last but not least are chapters on network communication from the kernel, hardware interaction, and rootkit detection. For the complete context, read on. Rootkits: Subverting the Windows Kernel http://www.amazon.com/exec/obidos/redirect?link_code=ur2&camp=1789&tag=rootk it-20&creative=9325&path=tg/detail/-/0321294319/qid=1117165919/sr=8-6/ref=sr _8_xs_ap_i6_xgl14?v=glance%26s=books%26n=507846 Preface xv Acknowledgments xix About the Authors xxi 1 Leave No Trace 1 Understanding Attackers' Motives 2 The Role of Stealth 2 When Stealth Doesn't Matter 3 What Is a Rootkit? 4 Why Do Rootkits Exist? 4 Remote Command And Control 5 Software Eavesdropping 5 Legitimate Uses of Rootkits 6 How Long Have Rootkits Been Around? 7 How Do Rootkits Work? 8 Patching 8 Easter Eggs 9 Spyware Modifications 9 Source-Code Modification 9 The Legality of Software Modification 10 What a Rootkit Is Not 10 A Rootkit Is Not an Exploit 11 A Rootkit Is Not a Virus 11 Rootkits and Software Exploits 13 Why Exploits Are Still a Problem 15 Offensive Rootkit Technologies 17 HIPS 17 NIDS 17 Bypassing the IDS/IPS 18 Bypassing Forensic Tools 18 Conclusion 20 2 Subverting the Kernel 21 Important Kernel Components 22 Rootkit Design 23 Introducing Code into the Kernel 25 Building the Windows Device Driver 26 The Device Driver Development Kit 27 The Build Environments 27 The Files 27 Running the Build Utility 29 The Unload Routine 30 Loading and Unloading the Driver 30 Logging the Debug Statements 31 Fusion Rootkits: Bridging User and Kernel Modes 32 I/O Request Packets 33 Creating a File Handle 37 Adding a Symbolic Link 38 Loading the Rootkit 39 The Quick-and-Dirty Way to Load a Driver 40 The Right Way to Load a Driver 41 Decompressing the .Sys File from a Resource 43 Surviving Reboot 46 Conclusion 47 3 The Hardware Connection 49 Ring Zero 50 Tables, Tables, and More Tables 52 Memory Pages 53 Memory Access Check Details 53 Paging and Address Translation 55 Page-Table Lookups 56 The Page-Directory Entry 58 The Page-Table Entry 59 Read-Only Access to Some Important Tables 59 Multiple Processes, Multiple Page Directories 59 Processes and Threads 60 The Memory Descriptor Tables 61 The Global Descriptor Table 61 The Local Descriptor Table 62 Code Segments 62 Call Gates 62 The Interrupt Descriptor Table 62 Other Types of Gates 65 The System Service Descriptor Table 66 The Control Registers 66 Control Register Zero (Cr0) 66 Other Control Registers 67 The Eflags Register 67 Multiprocessor Systems 68 Conclusion 69 4 The Age-Old Art of Hooking 71 Userland hooks 71 Import Address Table Hooking 73 Inline Function Hooking 74 Injecting a DLL into Userland Processes 76 Kernel Hooks 81 Hooking the System Service Descriptor Table 82 Hooking the Interrupt Descriptor Table 91 Hooking the major I/O Request Packet Function Table in the Device Driver Object 86 A Hybrid Hooking Approach 106 Getting into a Process's Address Space 106 Memory Space for Hooks 111 Conclusion 112 5 Runtime Patching 113 Detour Patching 114 Rerouting the Control Flow using MigBot 115 Checking for Function Bytes 117 Keeping Track of the Overwritten Instructions 118 Using NonPagedPool Memory 121 Runtime Address Fixups 121 Jump Templates 125 The Interrupt Hook Example 126 Variations on the Method 133 Conclusion 133 6 Layered Drivers 134 A Keyboard Sniffer 136 I/O Request Packet (IRP) and Stack Locations 137 The KLOG Rootkit: A Walk-Through 140 File Filter Drivers 153 Conclusion 167 7 Direct Kernel Object Manipulation 169 DKOM Benefits and Drawbacks 169 Determining the Version of the Operating System 171 User-Mode Self-Determination 171 Kernel-Mode Self-Determination 173 Querying the Operating System Version in the Registry 174 Communicating with the Device Driver from Userland 175 Hiding with DKOM 179 Process Hiding 180 Device-Driver Hiding 185 Synchronization Issues 189 Token Privilege and Group Elevation with DKOM 193 Modifying a Process Token 194 Faking out the Windows Event Viewer 208 Conclusion 210 8 Hardware Manipulation 213 Why Hardware? 215 Modifying the Firmware 216 Accessing the Hardware 217 Hardware Addresses 217 Accessing Hardware is not Like Accessing RAM 218 Timing Considerations 219 The I/O Bus 219 Accessing the BIOS 221 Accessing PCI and PCMCIA Devices 221 Example: Accessing the Keyboard Controller 222 The 8259 Keyboard Controller 222 Changing the LED Indicators 222 Hard Reboot 229 Keystroke Monitor 229 How Low Can You Go? Microcode Update 236 Conclusion 237 9 Covert Channels 239 Remote Command, Control, and Exfiltration of Data 240 Disguised TCP/IP Protocols 241 Beware of Traffic Patterns 242 Don't Send Data "in the Clear" 242 Use Time to Your Advantage 243 Hide Under DNS Requests 243 "Stego" on ASCII Payloads 244 Use Other TCP/IP Channels 245 Kernel TCP/IP Support for Your Rootkit Using TDI 246 Build the Address Structure 246 Create a Local Address Object 248 Create a TDI Endpoint with Context 252 Associate an Endpoint with a Local Address 254 Connect to a Remote Server (Send the TCP Handshake) 257 Send Data to a Remote Server 259 Raw Network Manipulation 262 Implementing Raw Sockets on Windows XP 262 Binding to an Interface 263 Sniffing with Raw Sockets 264 Promiscuous Sniffing with Raw Sockets 264 Sending Packets with Raw Sockets 265 Forging the Source 266 Bouncing Packets 266 Kernel TCP/IP Support for Your Rootkit Using NDIS 267 Registering the Protocol 267 The Protocol Driver Callbacks 273 Moving Whole Packets 278 Host Emulation 285 Creating Your MAC Address 286 Handling ARP 286 The IP Gateway 289 Sending a Packet 289 Conclusion 293 10 Rootkit Detection 295 Detecting Presence 295 Guarding the Doors 296 Scanning the "Rooms" 298 Looking for Hooks 298 Detecting Behavior 308 Detecting Hidden Files and Registry Keys 308 Detecting Hidden Processes 309 Conclusion 312 Index 315 P.S. We will be releasing VICE 2.0, using advanced detection algorithms, in conjunction with or shortly after this book. <Commercial over. Continue with your day.> _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- New book - Rootkits: Subverting the Windows Kernel James Butler (Jul 21)