Dailydave mailing list archives

Re: HITB trip report


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Mon, 03 Oct 2005 22:16:02 +0200

Dave Aitel wrote:
> Joanna Rutkowska's talk on Windows kernel rootkit finding was good - her
> basic hypothesis (which I agree with) is that if you enumerate all the
> places in the kernel people can hook, you can write a reliable rootkit
> detector. My stance is that there's just not enough entropy in the
> kernel to truly hide in.

Basically, Dave claims that it is possible to write custom backdoors
which would hijack code pointers (which are located in the data section, so
we cannot check their integrity with a tool like SVV) in a *specific*
application (like a web server process or so) and would act as a
sniffer, because the code pointer would point to a function processing
the packets received from the network... I agree with his point of view,
with the following restrictions, however:

1) it may be extremely difficult to do it in an application written in C
(we need to be quite lucky so that the application we're exploiting actually
calls the packet processing function via a code pointer)

2) in the case of an application written in C++ it should be easy to write a
program for checking the integrity of VPTR tables (check if all pointers
point to code located in a valid code section).

3) this is definitely a good way of writing a network/application
sniffer, but is probably not enough to implement, for example, a
keystroke logger... And it is definitely not enough to implement classic
rootkit functionality like file, registry or process hiding... On the
other hand, sometimes it may not be necessary for the malware to survive
the reboot, and then we don't need to worry about file/registry hiding...

Anyway, it would be interesting to see if anybody actually makes use of
this idea in the wild (or just in a working proof-of-concept) so I could
add appropriate checks to the OMCD document ;)


> Overall - professionally organized, well put-together conference. Hotel
> was 5 star...and it showed. Conference is largely under-priced, even
> including plane ticket price.

Yes, the conference was really great :)

regards,
joanna.
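Point 2 of the reply above in working code, as an added example that is not part of this thread: a vptr-table integrity check that walks the loaded ELF modules with dl_iterate_phdr (Linux/glibc assumed) and counts every slot whose target is not inside an executable PT_LOAD segment. The struct layout, the handler names and the `stash` buffer are constructed for the demo; a slot redirected into `stash` models a code pointer overwritten in memory.

```c
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a C++ object: the first word is the vptr. */
typedef void (*slot_fn)(void);
struct object { const slot_fn *vptr; size_t nslots; };
/* dl_iterate_phdr callback: return 1 (stop) when addr lies inside a
 * PT_LOAD segment of this module that is mapped executable, else 0. */
static int in_exec_segment(struct dl_phdr_info *info, size_t size, void *data) {
    uintptr_t addr = *(const uintptr_t *)data;
    (void)size;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_LOAD || !(ph->p_flags & PF_X)) continue;
        uintptr_t lo = info->dlpi_addr + ph->p_vaddr;
        if (addr >= lo && addr < lo + ph->p_memsz) return 1;
    }
    return 0;
}

/* 1 if addr is inside an executable segment of any loaded ELF module. */
int points_to_code(uintptr_t addr) {
    return dl_iterate_phdr(in_exec_segment, &addr) != 0;
}

/* The check from the post: count vtable slots whose target is not code. */
int count_bad_slots(const struct object *obj) {
    int bad = 0;
    for (size_t i = 0; i < obj->nslots; i++)
        if (!points_to_code((uintptr_t)obj->vptr[i])) bad++;
    return bad;
}

/* Constructed demo: two genuine handlers and a buffer in .bss; a slot
 * redirected into that buffer models an in-memory pointer hijack. */
static void recv_packet(void) {}
static void send_packet(void) {}
static unsigned char stash[32];
static slot_fn clean_vt[2], hijacked_vt[2];

int demo(void) {   /* builds both tables; returns bad slots in the hijacked one */
    clean_vt[0] = recv_packet;    clean_vt[1] = send_packet;
    hijacked_vt[0] = recv_packet; hijacked_vt[1] = (slot_fn)(uintptr_t)stash;
    struct object good = { clean_vt, 2 }, evil = { hijacked_vt, 2 };
    printf("clean: %d bad, hijacked: %d bad\n", count_bad_slots(&good), count_bad_slots(&evil));
    return count_bad_slots(&evil);
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

A real scanner would read the vptr and table out of the target process and compare against that process's mappings; the segment walk and range test are the same.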
