Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

New book - Rootkits: Subverting the Windows Kernel

From: "James Butler" <james.butler () hbgary com>
Date: Thu, 21 Jul 2005 11:57:29 -0400
<Commercial ... So set your Tivo properly>

Rootkits: Subverting the Windows Kernel
http://www.amazon.com/exec/obidos/redirect?link_code=ur2&camp=1789&tag=rootk
it-20&creative=9325&path=tg/detail/-/0321294319/qid=1117165919/sr=8-6/ref=sr
_8_xs_ap_i6_xgl14?v=glance%26s=books%26n=507846

The lack of existence of a definitive book on rootkits led Greg Hoglund and
I to author a one that we believe will fill the void. Much in the same way
as the Shellcoders Handbook and Exploiting Software did for the field of
vulnerability discovery and exploitation. The book covers the subject matter
in-depth going as far as to answering a number of questions posed over time
on the forums at rootkit.com. Such as:

    - Hooking the system call table
    - Circumventing memory protections
    - Hooking the Interrupt Descriptor Table (IDT)
    - Hooking the SYSENTER instruction.
    - Covert communications
    - Interacting with hardware

Our book doesn't answer these questions with theory. Instead, we use hard
hitting functional code examples that can be compiled and used "off the
shelf".

Readers who aren't new to rootkits and hooking should still enjoy the
section on hooking user land processes from the kernel utilizing a method
that does not require calls to OpenProcess(), VirtualProtectEx(),
WriteVirtualMemory() etc. Ever curious about how DKOM and the FU rootkit
really work? See Chapter 7 that provides the complete play by play. Included
in the DKOM chapter you will find a section on synchronization. Yes, that's
right - information is provided allowing one to modify shared data
structures in a multiple CPU safe manner without trying to find unexported
spinlocks and mutexes.

Want to hide local network ports? Complete source code is detailed and
included in a section on hooking. It describes the structures TCPIP.SYS uses
and how to alter them such as to confuse netstat and similar programs.

If you're still not totally convinced that rootkits may need to be put on
the agenda for your next meeting with the CIO or CTO of your company then
consider the following. What happens once an attacker has popped a box?
Either using a product like Canvas, Core Impact, or using a free tool like
Metasploit? More and more focus has been put into getting into the kernel
after exploiting a system service. Remember Barnaby Jack's paper? If you
think your CIO or CTO will respond with, "Well we have a great IDS and run
HIPS on our exposed machines.", consider this: There are no signatures
currently for kernel shellcode and even if there were bypassing an IDS is
much like going through airport security (don't look suspicious). Most HIPS
products do not completely protect you from kernel infection.

Last but not least are chapters on network communication from the kernel,
hardware interaction, and rootkit detection. For the complete context, read
on.

Rootkits: Subverting the Windows Kernel
http://www.amazon.com/exec/obidos/redirect?link_code=ur2&camp=1789&tag=rootk
it-20&creative=9325&path=tg/detail/-/0321294319/qid=1117165919/sr=8-6/ref=sr
_8_xs_ap_i6_xgl14?v=glance%26s=books%26n=507846

Preface xv

Acknowledgments xix

About the Authors xxi

1 Leave No Trace 1
Understanding Attackers' Motives 2
   The Role of Stealth 2
   When Stealth Doesn't Matter 3
What Is a Rootkit? 4
Why Do Rootkits Exist? 4
   Remote Command And Control 5
   Software Eavesdropping 5
   Legitimate Uses of Rootkits 6
How Long Have Rootkits Been Around? 7
How Do Rootkits Work? 8
   Patching 8
   Easter Eggs 9
   Spyware Modifications 9
   Source-Code Modification 9
   The Legality of Software Modification 10 
What a Rootkit Is Not 10
   A Rootkit Is Not an Exploit 11
   A Rootkit Is Not a Virus 11
Rootkits and Software Exploits 13
   Why Exploits Are Still a Problem 15
Offensive Rootkit Technologies 17
   HIPS 17
   NIDS 17
   Bypassing the IDS/IPS 18
   Bypassing Forensic Tools 18
Conclusion 20

2 Subverting the Kernel 21
Important Kernel Components 22
Rootkit Design 23
Introducing Code into the Kernel 25
Building the Windows Device Driver 26
   The Device Driver Development Kit 27
   The Build Environments 27
   The Files 27
   Running the Build Utility 29
   The Unload Routine 30
Loading and Unloading the Driver 30
Logging the Debug Statements 31
Fusion Rootkits: Bridging User and Kernel Modes 32
   I/O Request Packets 33
   Creating a File Handle 37
   Adding a Symbolic Link 38
Loading the Rootkit 39
   The Quick-and-Dirty Way to Load a Driver 40
   The Right Way to Load a Driver 41
Decompressing the .Sys File from a Resource 43 
Surviving Reboot 46 
Conclusion 47

3 The Hardware Connection 49
Ring Zero 50
Tables, Tables, and More Tables 52
Memory Pages 53
   Memory Access Check Details 53
   Paging and Address Translation 55
   Page-Table Lookups 56
   The Page-Directory Entry 58
   The Page-Table Entry 59
   Read-Only Access to Some Important Tables 59
   Multiple Processes, Multiple Page Directories 59
   Processes and Threads 60
The Memory Descriptor Tables 61
   The Global Descriptor Table 61
   The Local Descriptor Table 62
   Code Segments 62
   Call Gates 62
The Interrupt Descriptor Table 62
   Other Types of Gates 65
The System Service Descriptor Table 66
The Control Registers 66
   Control Register Zero (Cr0) 66
   Other Control Registers 67
   The Eflags Register 67
Multiprocessor Systems 68
Conclusion 69

4 The Age-Old Art of Hooking 71
Userland hooks 71
   Import Address Table Hooking 73
   Inline Function Hooking 74
   Injecting a DLL into Userland Processes 76 
   Kernel Hooks 81
   Hooking the System Service Descriptor Table 82
   Hooking the Interrupt Descriptor Table 91
   Hooking the major I/O Request Packet Function Table in the
   Device Driver Object 86
A Hybrid Hooking Approach 106
   Getting into a Process's Address Space 106
   Memory Space for Hooks 111
Conclusion 112

5 Runtime Patching 113
Detour Patching 114
   Rerouting the Control Flow using MigBot 115
   Checking for Function Bytes 117
   Keeping Track of the Overwritten Instructions 118
   Using NonPagedPool Memory 121
   Runtime Address Fixups 121
Jump Templates 125
   The Interrupt Hook Example 126
Variations on the Method 133
Conclusion 133

6 Layered Drivers 134
A Keyboard Sniffer 136
   I/O Request Packet (IRP) and Stack Locations 137 
   The KLOG Rootkit: A Walk-Through 140 
File Filter Drivers 153 Conclusion 167

7 Direct Kernel Object Manipulation 169
DKOM Benefits and Drawbacks 169
Determining the Version of the Operating System 171
   User-Mode Self-Determination 171
   Kernel-Mode Self-Determination 173
   Querying the Operating System Version in the Registry 174 
Communicating with the Device Driver from Userland 175
Hiding with DKOM 179
   Process Hiding 180
   Device-Driver Hiding 185
   Synchronization Issues 189
Token Privilege and Group Elevation with DKOM 193
   Modifying a Process Token 194
   Faking out the Windows Event Viewer 208 
Conclusion 210

8 Hardware Manipulation 213
Why Hardware? 215
Modifying the Firmware 216
Accessing the Hardware 217
   Hardware Addresses 217
   Accessing Hardware is not Like Accessing RAM 218
   Timing Considerations 219
   The I/O Bus 219
   Accessing the BIOS 221
   Accessing PCI and PCMCIA Devices 221
Example: Accessing the Keyboard Controller 222
   The 8259 Keyboard Controller 222
   Changing the LED Indicators 222
   Hard Reboot 229
   Keystroke Monitor 229
How Low Can You Go? Microcode Update 236 
Conclusion 237

9 Covert Channels 239
Remote Command, Control, and Exfiltration of Data 240 
Disguised TCP/IP Protocols 241
   Beware of Traffic Patterns 242
   Don't Send Data "in the Clear" 242
   Use Time to Your Advantage 243
   Hide Under DNS Requests 243
   "Stego" on ASCII Payloads 244
   Use Other TCP/IP Channels 245
Kernel TCP/IP Support for Your Rootkit Using TDI 246
   Build the Address Structure 246
   Create a Local Address Object 248
   Create a TDI Endpoint with Context 252
   Associate an Endpoint with a Local Address 254
   Connect to a Remote Server (Send the TCP Handshake) 257
   Send Data to a Remote Server 259
Raw Network Manipulation 262
   Implementing Raw Sockets on Windows XP 262
   Binding to an Interface 263
   Sniffing with Raw Sockets 264
   Promiscuous Sniffing with Raw Sockets 264
   Sending Packets with Raw Sockets 265
   Forging the Source 266
   Bouncing Packets 266
Kernel TCP/IP Support for Your Rootkit Using NDIS 267
   Registering the Protocol 267
   The Protocol Driver Callbacks 273
   Moving Whole Packets 278
Host Emulation 285
   Creating Your MAC Address 286
   Handling ARP 286
   The IP Gateway 289
   Sending a Packet 289
Conclusion 293

10 Rootkit Detection 295
Detecting Presence 295
   Guarding the Doors 296
   Scanning the "Rooms" 298
   Looking for Hooks 298
Detecting Behavior 308
   Detecting Hidden Files and Registry Keys 308
   Detecting Hidden Processes 309
Conclusion 312
   
Index 315

P.S. We will be releasing VICE 2.0, using advanced detection algorithms, in
conjunction with or shortly after this book.

<Commercial over. Continue with your day.>


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: