Rootkit Techniques

Aaron Sedlacek

Malware - 11/20/2015 Rootkit Techniques 1


Agenda
Hooking
Memory Patching
Direct Kernel Object Manipulation

Kernel Mode Rootkits
Kernel mode rootkits are installed as drivers
Most rootkits target 32-bit Windows OSs
64-bit Windows enforces Kernel Mode Code Signing: a driver must carry a valid digital signature from a trusted code-signing certificate before the kernel will load it
To subvert this, attackers will:
Install a valid, signed driver that has a known vulnerability, then exploit it to run their own kernel code
Use stolen signing certificates
Exploit the kernel itself
http://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/

Hooking
The most classic of all kernel rootkit
techniques
Simple to implement, simple to detect
Still widely used
Often in conjunction with techniques discussed
later in this lecture!

Interrupt Descriptor Table Hooking (IDT Hooking)
The base address (and limit) of the IDT is stored in the IDTR register
To hook a specific interrupt, a rootkit simply overwrites that interrupt's descriptor in the IDT so it points to the rootkit's own malicious handler
SIDT and LIDT instructions
Used to read from / write to the IDTR register
Each processor has its own IDTR and IDT
This means that a rootkit has to hook the IDT on every processor (for example by pinning its thread to each CPU in turn)

IDT Hooking Problems
This technique is old
Since Windows XP, system calls enter the kernel via SYSENTER (Intel) or SYSCALL (AMD, and all x64 Windows); INT 0x2E survives only as a legacy path for CPUs without fast system call support
Interrupt hooking is easy to detect
No way to filter the results of an interrupt
The rootkit's hook function is just pass-through code that runs before the real interrupt handler; the handler returns to the interrupted code with IRET, so the hook never regains control to inspect or alter results

Model-Specific Register Hooking (MSR Hooking)
This is how we hook SYSENTER
SYSENTER switches to kernel mode using three MSRs
IA32_SYSENTER_CS (0x174): 16-bit selector of the ring 0 code segment
IA32_SYSENTER_ESP (0x175): 32-bit ring 0 stack pointer
IA32_SYSENTER_EIP (0x176): 32-bit offset of the kernel entry point (KiFastCallEntry on Windows); this is the one a rootkit overwrites with the address of its own handler
Just like the IDTR, there are instructions for accessing the MSRs
RDMSR and WRMSR: read/write an MSR (selected by ECX)
MSRs are per-processor just like the IDT, so every CPU has to be hooked
MSR Hooking Problems
More modern than IDT hooking
Still easy to detect, and still only provides pass-through functions :-(

System Service Descriptor Table Hooking (SSDT Hooking)
The SSDT (KiServiceTable, pointed to by KeServiceDescriptorTable.Base) lives in pages the kernel maps read-only
Rootkits have to clear and then restore the Write Protect (WP) bit (bit 16) of the CR0 register around the write
CR0 is per-processor, so interrupts and preemption are disabled while WP is clear to keep the writing thread on the same CPU
Rootkit authors could also map an MDL over the SSDT and write through the new, writable mapping
[Figure: code snippets for disabling WP (clear CR0 bit 16) and re-enabling WP (set it again)]

System Service Descriptor Table Hooking (SSDT Hooking)
With WP off, the attacker swaps a new address into the target table entry
Declare the original syscall prototype (e.g., ZwSetValueKey())
Declare a matching function pointer type (e.g., ZwSetValueKeyPtr)
Define a function pointer to hold the original address (e.g., oldZwSetValueKey)
Implement a hook routine (e.g., newZwSetValueKey())
InterlockedExchange() to swap a pointer to the new function into the table, saving the old pointer
The new function can call the original syscall and filter its results
Hook ZwQueryDirectoryFile() to hide files and directories
Hook ZwQuerySystemInformation() to hide processes
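The steps above, as an added example that is not from the slides: a user-mode C simulation of the SSDT hook. The service table, the stand-in NtQuerySystemInformation, the PID list and the service index are all constructed here; the CR0.WP toggling is unnecessary because the simulated table is ordinary writable memory, and the GCC/Clang atomic builtin stands in for InterlockedExchange(). It also shows the simplest detection: comparing each table entry against a clean copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shape of every service in this simulation: fill `pids` with up to `cap`
 * process IDs, report how many were written, return 0 on success. */
typedef int (*SERVICE_FN)(uint32_t *pids, size_t cap, size_t *count);

#define SVC_QUERY_SYSTEM_INFORMATION 0        /* hypothetical service index */

/* Constructed sample of the processes the "kernel" knows about. */
static const uint32_t g_live_pids[] = { 4, 372, 1488, 2020, 3104 };
#define LIVE_COUNT (sizeof g_live_pids / sizeof g_live_pids[0])

/* Stand-in for the genuine NtQuerySystemInformation(SystemProcessInformation). */
static int NtQuerySystemInformation_sim(uint32_t *pids, size_t cap, size_t *count)
{
    if (cap < LIVE_COUNT)
        return -1;                            /* cf. STATUS_INFO_LENGTH_MISMATCH */
    memcpy(pids, g_live_pids, sizeof g_live_pids);
    *count = LIVE_COUNT;
    return 0;
}

/* Stand-in for KiServiceTable (what KeServiceDescriptorTable.Base points at). */
static SERVICE_FN KiServiceTable[] = { NtQuerySystemInformation_sim };
#define SVC_COUNT (sizeof KiServiceTable / sizeof KiServiceTable[0])

/* Known-good copy taken before any tampering. A real scanner rebuilds this
 * from the on-disk ntoskrnl image rather than trusting a runtime snapshot. */
static SERVICE_FN KiServiceTable_clean[] = { NtQuerySystemInformation_sim };

static SERVICE_FN oldZwQuerySystemInformation;   /* saved original pointer */
static uint32_t   g_hidden_pid = 1488;           /* the process being hidden */

/* Hook routine: run the original service, then scrub the hidden PID. */
static int newZwQuerySystemInformation(uint32_t *pids, size_t cap, size_t *count)
{
    int status = oldZwQuerySystemInformation(pids, cap, count);
    if (status != 0)
        return status;
    size_t w = 0;
    for (size_t r = 0; r < *count; r++)
        if (pids[r] != g_hidden_pid)
            pids[w++] = pids[r];
    *count = w;
    return 0;
}

/* Install: atomic pointer swap, the user-mode analogue of InterlockedExchange().
 * In the kernel this write is bracketed by clearing and restoring CR0.WP (or is
 * done through an MDL mapping); here the table is ordinary writable memory. */
static void hook_service(size_t idx, SERVICE_FN hook, SERVICE_FN *saved)
{
    *saved = __atomic_exchange_n(&KiServiceTable[idx], hook, __ATOMIC_SEQ_CST);
}

static void unhook_service(size_t idx, SERVICE_FN saved)
{
    __atomic_store_n(&KiServiceTable[idx], saved, __ATOMIC_SEQ_CST);
}

/* Dispatch path every caller takes: whatever pointer is in the table runs. */
static size_t enumerate_pids(uint32_t *out, size_t cap)
{
    size_t n = 0;
    return KiServiceTable[SVC_QUERY_SYSTEM_INFORMATION](out, cap, &n) == 0 ? n : 0;
}

/* Detection: any entry that differs from the clean table (or that points
 * outside ntoskrnl's image range) is a hook. */
static size_t count_hooked_entries(void)
{
    size_t hooked = 0;
    for (size_t i = 0; i < SVC_COUNT; i++)
        hooked += (KiServiceTable[i] != KiServiceTable_clean[i]);
    return hooked;
}

static int pid_listed(const uint32_t *pids, size_t n, uint32_t pid)
{
    for (size_t i = 0; i < n; i++)
        if (pids[i] == pid)
            return 1;
    return 0;
}

/* Whole scenario: clean, hooked, unhooked. Returns 1 if every expectation held. */
static int demo_ssdt_hook(void)
{
    uint32_t buf[LIVE_COUNT];
    size_t n = enumerate_pids(buf, LIVE_COUNT);
    int ok = n == LIVE_COUNT && pid_listed(buf, n, g_hidden_pid) && count_hooked_entries() == 0;

    hook_service(SVC_QUERY_SYSTEM_INFORMATION, newZwQuerySystemInformation,
                 &oldZwQuerySystemInformation);
    n = enumerate_pids(buf, LIVE_COUNT);
    ok = ok && n == LIVE_COUNT - 1 && !pid_listed(buf, n, g_hidden_pid)
            && count_hooked_entries() == 1;

    unhook_service(SVC_QUERY_SYSTEM_INFORMATION, oldZwQuerySystemInformation);
    n = enumerate_pids(buf, LIVE_COUNT);
    return ok && n == LIVE_COUNT && pid_listed(buf, n, g_hidden_pid) && count_hooked_entries() == 0;
}

int main(void)
{
    printf("SSDT hook simulation: %s\n", demo_ssdt_hook() ? "hidden, detected, restored" : "FAILED");
    return 0;
}
```

The filter runs after the original service returns, which is exactly what IDT and MSR hooks cannot do; the clean-copy comparison is why the slide calls this trivial to detect on its own.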

System Service Descriptor Table Hooking (SSDT Hooking)
[Figure: KeServiceDescriptorTable (fields Base, Count, Limit, Number), with Base pointing to KiServiceTable, whose entries [0] .. [i] each point to a kernel function]
Before hook: KiServiceTable[i] points to kernel function i
After hook: KiServiceTable[i] points to the rootkit's hook code, which in turn calls kernel function i
SSDT Hooking Problems

Relatively straightforward to implement


Provides the ability to filter system calls!
On its own, still trivial to detect

Hooking IRP Handlers
Access the DRIVER_OBJECT of another driver and hook its MajorFunction[] dispatch handlers
IoGetDeviceObjectPointer()
Given a device name, returns a pointer to the top device object on that stack and to a referenced file object
The DEVICE_OBJECT structure contains a pointer to its DRIVER_OBJECT!
Then use InterlockedExchange() to swap our hook function into the chosen MajorFunction[IRP_MJ_*] slot
The file object that was returned must be dereferenced (ObDereferenceObject()) when we are done, so that the victim driver can be unloaded in the future

Memory Patching

Detour Patching
Not nearly as programmatically clean as hooking
However, the payoff is higher
We can:
Block calls made by applications
Replace entire routines
Trace system calls and intercept input parameters
Filter output parameters
We can modify any kernel-mode routine, not just the ones reached through a dispatch table
Detecting patching is much less straightforward

Detour Patching
[Figure: memory layout of a detour. The target routine's first instructions are overwritten with a jump to the detour code; the displaced original code lives in a trampoline, followed by a jump back into the target just past the patch.]

Epilog and Prolog Detours
Prolog Detour
Used to block calls, trace calls, intercept input parameters
Jump placed at the start of the target routine; the trampoline runs the displaced original code and returns control to the target
Epilog Detour
Used to filter output parameters
Resides at the end of the routine, and most likely contains a ret
Does not return program control to the target routine
[Figure: side-by-side layouts of a prolog detour (jump at the target's entry, trampoline with original code, detour code) and an epilog detour (jump near the target's ret into detour code)]
Detour Jumps
How do rootkits place jumps?
More obvious - a near jmp/call (jmp rel32 or call rel32), or an indirect one through a register:
mov ebx, 0xCAFEBABE
jmp ebx  (or call ebx)
Middle ground - push and ret
push 0xCAFEBABE
ret
Less obvious - modify the IDT and deliberately cause an exception, just like our anti-analysis lab!

Detour Patching Problems
Detour patching detection
Analysts can compute checksums of kernel functions and compare them against known-good values
Rootkits can patch the checksum code itself
This is Microsoft's ongoing problem with the Kernel Patch Protection (PatchGuard) feature
Most rootkit authors prefer more subtle techniques
Code is static and normally unchanging, so any modification to it stands out
Instead, alter a part of the kernel that's dynamic!
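The jump encodings from the previous slide and the checksum-based detection from this one, as an added example that is not from the slides. It writes each detour form into a copy of a constructed 16-byte function prologue, then runs the two checks a scanner would: pattern-matching the routine's first bytes (and decoding the jump target) and comparing a checksum against the clean bytes. The addresses are hypothetical; the IDT/exception variant is not modeled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 16-byte stand-in for the start of a 32-bit kernel routine:
 * push ebp; mov ebp,esp; sub esp,0x10; push ebx; push esi; push edi; ... */
static const uint8_t ORIGINAL_PROLOG[16] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
    0x57, 0x8B, 0x7D, 0x08, 0x85, 0xFF, 0x74, 0x20 };

enum detour_kind { DETOUR_NONE = 0, DETOUR_JMP_REL32, DETOUR_PUSH_RET, DETOUR_MOV_JMP_REG };

/* jmp rel32 (E9 disp32): 5 bytes; displacement is relative to the next instruction. */
static size_t write_jmp_rel32(uint8_t *code, uint32_t code_va, uint32_t target_va)
{
    int32_t rel = (int32_t)(target_va - (code_va + 5));
    code[0] = 0xE9;
    memcpy(code + 1, &rel, 4);
    return 5;
}

/* push imm32; ret (68 imm32 C3): 6 bytes, clobbers no register, no rel32 to compute. */
static size_t write_push_ret(uint8_t *code, uint32_t target_va)
{
    code[0] = 0x68;
    memcpy(code + 1, &target_va, 4);
    code[5] = 0xC3;
    return 6;
}

/* mov ebx, imm32; jmp ebx (BB imm32 FF E3): 7 bytes, clobbers EBX. */
static size_t write_mov_jmp_ebx(uint8_t *code, uint32_t target_va)
{
    code[0] = 0xBB;
    memcpy(code + 1, &target_va, 4);
    code[5] = 0xFF;
    code[6] = 0xE3;
    return 7;
}

/* Scanner, part 1: recognise the three patterns at a routine's entry. */
static enum detour_kind classify_prolog(const uint8_t *code)
{
    if (code[0] == 0xE9) return DETOUR_JMP_REL32;
    if (code[0] == 0x68 && code[5] == 0xC3) return DETOUR_PUSH_RET;
    if (code[0] == 0xBB && code[5] == 0xFF && code[6] == 0xE3) return DETOUR_MOV_JMP_REG;
    return DETOUR_NONE;
}

/* Scanner, part 2: 32-bit FNV-1a over the routine's bytes, to compare against
 * a value computed from a clean image. */
static uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Recover where a detected jump goes, so the analyst can follow it. */
static uint32_t detour_target(const uint8_t *code, uint32_t code_va)
{
    uint32_t imm;
    int32_t rel;
    switch (classify_prolog(code)) {
    case DETOUR_JMP_REL32:   memcpy(&rel, code + 1, 4); return code_va + 5 + (uint32_t)rel;
    case DETOUR_PUSH_RET:
    case DETOUR_MOV_JMP_REG: memcpy(&imm, code + 1, 4); return imm;
    default:                 return 0;
    }
}

/* Plant a detour of `kind` into a copy of the prologue and run both checks.
 * Returns the kind the pattern scanner reports, or -1 if the checksum failed
 * to notice a patch that was actually made. */
static int plant_and_detect(enum detour_kind kind, uint32_t routine_va, uint32_t detour_va,
                            uint32_t *target_out)
{
    uint8_t patched[sizeof ORIGINAL_PROLOG];
    uint32_t clean_sum = fnv1a32(ORIGINAL_PROLOG, sizeof ORIGINAL_PROLOG);
    memcpy(patched, ORIGINAL_PROLOG, sizeof patched);

    switch (kind) {
    case DETOUR_JMP_REL32:   write_jmp_rel32(patched, routine_va, detour_va); break;
    case DETOUR_PUSH_RET:    write_push_ret(patched, detour_va);              break;
    case DETOUR_MOV_JMP_REG: write_mov_jmp_ebx(patched, detour_va);           break;
    default: break;
    }
    if (kind != DETOUR_NONE && fnv1a32(patched, sizeof patched) == clean_sum)
        return -1;
    *target_out = detour_target(patched, routine_va);
    return (int)classify_prolog(patched);
}

static uint32_t plant_and_read_target(enum detour_kind kind, uint32_t routine_va, uint32_t detour_va)
{
    uint32_t target = 0;
    plant_and_detect(kind, routine_va, detour_va, &target);
    return target;
}
```

The pattern scan is cheap but only catches entry-point detours of known shapes; the checksum catches any byte change in the routine, including mid-function and epilog patches, which is why a rootkit that wants to survive must target the checksumming code itself.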

Direct Kernel Object Manipulation

Dynamic Kernel Structures
Manipulate kernel structures that are
frequently updated during normal system
operation
Even higher levels of stealth, but much higher
complexity
Concurrency issues
Portability and pointer arithmetic issues
The more specialized a rootkit gets, the less portable it
becomes

EPROCESS Object
Opaque structure that represents a process
Field offsets change between Windows versions and builds, so resolve them per target (e.g., dt nt!_EPROCESS in WinDbg); the offsets below are from a 32-bit Windows Vista kernel
Offset 0x09C: UniqueProcessId - Ptr32 Void
Declared as a pointer type, but it holds the process ID value itself (a HANDLE), not a pointer to it
Offset 0x0A0: ActiveProcessLinks - _LIST_ENTRY
Windows uses a doubly linked list (headed by PsActiveProcessHead) to track executing processes
Offset 0x0E0: Token - _EX_FAST_REF
Address of the primary access token of the corresponding process (the low bits hold a reference count and must be masked off)
Offset 0x14C: ImageFileName - Uchar [16]
Stores the (truncated) name of the binary file used to instantiate the process

EPROCESS Manipulation
[Figure: six EPROCESS objects chained into a doubly linked list through the FLink and BLink of their ActiveProcessLinks]
The doubly linked list can be modified to hide a process
EPROCESS Manipulation
[Figure: the same list with one EPROCESS unlinked; its neighbors' FLink and BLink now bypass it]
PsGetCurrentProcess() to get a pointer to the current EPROCESS, then traverse the list through ActiveProcessLinks
EPROCESS Manipulation
Modify the ActiveProcessLinks as necessary
Neighboring processes
The predecessor's FLink and the successor's BLink are rewritten to skip the process we are hiding
Process being hidden
Its own FLink and BLink are pointed back at itself
This is to prevent a BSOD when the hidden process is terminated: the kernel's unlink (RemoveEntryList) then only writes to the hidden entry's own memory, instead of through stale pointers into neighbors that may since have exited and been freed
The kernel dispatcher schedules threads, not entries of this list, so the hidden process keeps running and there is no loss of kernel functionality
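The unlinking described above, as an added C example (not the author's code) that runs in user mode on a constructed list of four fake EPROCESS objects with only the fields the slides discuss. It shows a list walk losing the hidden entry, a cross-view check that still finds the object, why the self-referencing links keep the later RemoveEntryList() harmless, and the corruption that follows when they are left stale. The same code applies unchanged to the DRIVER_SECTION / loaded-module list on the next slides, which uses the same LIST_ENTRY shape.

```c
#include <stddef.h>
#include <stdint.h>

/* LIST_ENTRY and CONTAINING_RECORD as ntdef.h defines them, redeclared for user mode. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Cut-down EPROCESS; field layout here is not the real one. */
typedef struct _EPROCESS {
    uintptr_t  UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    void      *Token;
    char       ImageFileName[16];
} EPROCESS;

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* The kernel's own unlink, run when a process is torn down. */
static void RemoveEntryList(LIST_ENTRY *e)
{
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* DKOM hide as the slides describe it: neighbours skip the entry and the entry
 * points at itself, so a later RemoveEntryList() only touches its own memory. */
static void hide_process(EPROCESS *p)
{
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* What a tool that walks PsActiveProcessHead sees. */
static size_t enumerate_pids(LIST_ENTRY *head, uintptr_t *pids, size_t cap)
{
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < cap; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Integrity check: every node's neighbours must point back at it, and the walk
 * must return to the head. */
static int list_is_consistent(LIST_ENTRY *head)
{
    LIST_ENTRY *e = head;
    for (size_t steps = 0; steps < 1024; steps++) {
        if (e->Flink->Blink != e || e->Blink->Flink != e) return 0;
        e = e->Flink;
        if (e == head) return 1;
    }
    return 0;
}

/* Cross-view detection: objects that exist (here in an array; in a real scanner,
 * found by pool scanning or through the thread list) but are unreachable from
 * the list head are hidden. */
static size_t count_unlisted(EPROCESS *pool, size_t npool, LIST_ENTRY *head)
{
    size_t hidden = 0;
    for (size_t i = 0; i < npool; i++) {
        int found = 0;
        for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
            found |= (e == &pool[i].ActiveProcessLinks);
        hidden += !found;
    }
    return hidden;
}

/* Hide PID 1488, check what the list shows, then let the hidden process exit. */
static int demo_hide_and_terminate(void)
{
    EPROCESS procs[4] = { { .UniqueProcessId = 4,    .ImageFileName = "System" },
                          { .UniqueProcessId = 372,  .ImageFileName = "smss.exe" },
                          { .UniqueProcessId = 1488, .ImageFileName = "rootkit.exe" },
                          { .UniqueProcessId = 2020, .ImageFileName = "explorer.exe" } };
    LIST_ENTRY PsActiveProcessHead;
    uintptr_t seen[4];
    InitializeListHead(&PsActiveProcessHead);
    for (size_t i = 0; i < 4; i++)
        InsertTailList(&PsActiveProcessHead, &procs[i].ActiveProcessLinks);

    hide_process(&procs[2]);
    size_t n = enumerate_pids(&PsActiveProcessHead, seen, 4);
    int ok = n == 3 && list_is_consistent(&PsActiveProcessHead)
             && count_unlisted(procs, 4, &PsActiveProcessHead) == 1;
    for (size_t i = 0; i < n; i++)
        ok = ok && seen[i] != 1488;

    RemoveEntryList(&procs[2].ActiveProcessLinks);         /* hidden process exits */
    return ok && enumerate_pids(&PsActiveProcessHead, seen, 4) == 3
              && list_is_consistent(&PsActiveProcessHead);
}

/* Why the self-links matter: unlink the neighbours but leave the hidden entry's
 * stale pointers, let a neighbour exit first, then let the hidden process exit.
 * Returns 1 if the list ends up corrupted (in the kernel: a write to freed
 * memory and a dangling Blink, i.e. a BSOD waiting to happen). */
static int demo_stale_links_corrupt(void)
{
    EPROCESS procs[3] = { { .UniqueProcessId = 4,    .ImageFileName = "System" },
                          { .UniqueProcessId = 372,  .ImageFileName = "smss.exe" },
                          { .UniqueProcessId = 1488, .ImageFileName = "rootkit.exe" } };
    LIST_ENTRY head;
    InitializeListHead(&head);
    for (size_t i = 0; i < 3; i++)
        InsertTailList(&head, &procs[i].ActiveProcessLinks);

    LIST_ENTRY *e = &procs[2].ActiveProcessLinks;
    e->Blink->Flink = e->Flink;                   /* naive hide: neighbours skip us ... */
    e->Flink->Blink = e->Blink;                   /* ... but our own links still point at them */
    RemoveEntryList(&procs[1].ActiveProcessLinks);   /* smss exits (its EPROCESS would be freed) */
    RemoveEntryList(&procs[2].ActiveProcessLinks);   /* rootkit exits, writing through stale pointers */
    return !list_is_consistent(&head);
}
```

count_unlisted() is the cross-view idea anti-rootkit tools use against DKOM: the list is the view the rootkit controls, so compare it with a second source of truth that the rootkit did not edit.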

DRIVER_SECTION Object
Another very frequently manipulated structure
Used to help the system track loaded drivers; it is the kernel's loader data table entry (_KLDR_DATA_TABLE_ENTRY), kept on the PsLoadedModuleList
The DriverSection field of the DRIVER_OBJECT (a PVOID) points to it
Contains fields for the driver's full image path and its file name (UNICODE_STRINGs)
The first entry in a DRIVER_SECTION is a _LIST_ENTRY (InLoadOrderLinks)
This list entry has a FLink and a BLink
Drivers can be hidden the exact same way as processes!

DRIVER_SECTION Manipulation
[Figure: six DRIVER_SECTION objects chained into a doubly linked list through FLink and BLink]
The doubly linked list can be modified to hide a driver
DRIVER_SECTION Manipulation
[Figure: the same list with one DRIVER_SECTION unlinked; its neighbors' FLink and BLink now bypass it]
Access Tokens
Each process gets an access token
Specifies the user (SID), security groups, and privileges associated with the process
All of these fields can be edited by a rootkit!
You can change the user running a process, its privileges, etc., or replace its token pointer with that of a SYSTEM process
Each EPROCESS holds a pointer to its TOKEN object in the Token field, stored as an EX_FAST_REF: mask off the low reference-count bits to recover the real address

Questions?

References
1. Dang, Bruce, Alexandre Gazet, and Elias Bachaalany. Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation. Indianapolis: Wiley, 2014. Print.
2. Blunden, Bill. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. 2nd ed. Burlington, Mass.: Jones & Bartlett Learning, 2013. Print.
