Rootkits:

What they are and how to find them

or
check yo self before you wreck yo self!
Part 1

Xeno Kovah –2010

xkovah at gmail
 Ice Cube is a Friendly Rootkit
Advocating for Rootkit Detection!
You betta check yo self
fore you wreck yo self
cause I'm bad for your health
I come real stealth

: O

2
http://www.youtube.com/watch?v=AJR62vsAg-0
All materials is licensed under a Creative
Commons Share Alike license.
• http://creativecommons.org/licenses/by-sa/3.0/

3
May your skill tree overgroweth…

YOU
ARE
HERE
:D

4
 About Me
• Security nerd - generalist, not specialist
• Been following rootkits for quite a while, but
mostly as just a side thing to keep an eye on.
But therefore I was ready to strike when some
work came up in the area.
• Mostly made of 4 elements - Carbon,
Hydrogen, Nitrogen, and…Oxygen!
• http://www.youtube.com/watch?
v=d0zION8xjbM#t=2m21s

5
 About You?
• Name & Department
• Why did you want to take the class?
• Which jelly belly flavors do you hate?
(Because I decided the "which is your
favorite" is too hard a question)

6
7
 Agenda
• Day 1 - Part 1 - Rootkit stuff
• Day 1 - Part 2 - More rootkit stuff
• Day 2 - Part 3 - ???
• Day 2 - Part 4 - Profit!

8
 Miss Alaineous
• Questions: Ask em if you got em
– If you fall behind and get lost and try to tough it out until you
understand, it s more likely that you will stay lost, so ask
questions ASAP.
• Browsing the web and/or checking email during class
is a good way to get lost ;)
• 2 hours, 10 min break, 1.5 hours, lunch, 1 hour w/ 5
min break thereafter

9
 What does it all mean?!?!
• Try to have a little more practical class
• Practical in the sense that one way or another you'll
learn about new tools and how you can use them to
detect rootkits.
• But simultaneously I want to reinforce how much
better off you are for having taken the other classes ;)
• Don't have enough time to get heavy into the
attribution of changes. That would be things like
"What module allocated this memory? Where in the
module is the code which causes the changes?" etc
– Also need the RE class for that. You DID register for the RE class already
didn't you?

10
 why, Why, WHY!?!?
Why have a homework before anyone has learned anything?!

• Understand what people (sponsors/

subordinates/you) would actually go through/
see when trying to detect rootkits (if they even
knew to try.)
• Understand that some tools are more equal
than others when it comes to detecting things,
and the danger of a false sense of security.
• Provide a concrete before-and-after picture of
the necessity of this type of information for
even being able to understand what the good
tools are trying to tell you
• Have the tools in-hand to then apply them to
other systems
11
 Watchugot? Watchuget?
• You ve got:
– Rootkits VM
• You're going to get
– Anonymized homework writeups from everyone in all the
instances of this class
– Rootkit detector capability comparison matrix
– TiddlyWiki describing how to install the rootkits (targeted at
other instructors) + some reverse engineering rootkit
material cut from the RE class
– A collection of more detectors, and a collection of more
proof-of-concept rootkits from places like rootkit.com (be
warned, some of the PoCs will be detected by AV, so don't
use on your work laptop.)
– Eventually, 2nd "for fun" rootkit VM :D, which still just uses
techniques from this class, but takes away most of the easy
win detection mechanisms

12
Textbook pros/cons

13
2005 - Rootkits: Subverting the Windows
Kernel
• Pro: Written by two people who
contributed a lot to the foundations of
understanding what s possible with
rootkits
• Con: …but starting to show its age, with
lack of many newer techniques.
• Con: Without existing OS internals
knowledge, could be too much complexity
too fast. Windows Internals book by MS
definitely helps to explain what they re
talking about at some points.
14
 2007 - Professional Rootkits
• Pro: Builds up a rootkit of increasing
capabilities, with explanations of the
code
• Cons: Adds nothing new to the field,
just basically a reference for example
code for the most stable versions of
various techniques (not always the most
stealthy techniques.)
• E.g. the type of thing which can be used
to make the Sony Rootkit style software
15
2009 - The Rootkit Arsenal: Escape and Evasion
in the Dark Corners of the System
• Pro: More inclusive of newer techniques like bootkits than the
Hoglund/Butler book.
• Pro/Con: Comes with lots of code, BUT…Doesn t allow you to
download the code from anywhere, so if you want to experiment
with it, you have to re-type it (or go find the original)
• Con: A bunch of the code is apparently just re-written from other
people s example code (e.g. files on rootkit.com). Also either
doesn t know how to program (use -> not *. in C!) or he was just
trying to further obfuscate ripped off code.
• Con/Pro: Author comes from a forensics background rather than
having OS knowledge, and thus he throws in a bunch of
forensics stuff (which I question the relevance of, because I
consider anti-forensics to be its own separate field from rootkit
hiding). But if you haven't had exposure to anti-forensics, then
it's a pro as you can learn more.

16
2010 - Hacking Exposed: Malware &
Rootkits
• Pro: Good up to date reference which covers
rootkits as they are seen in the wild, with many
references to specific malware instances
• Pro/Con: Overall does a decent job, but while
rootkits are sexy and therefore get cover billing,
they re still a minority content area (around 120
pages of how rootkits work and 34 pages of
detection).
• Con: A lot of the detection recommendations
are un-actionable, though that s a problem for
anyone talking about the area.
• Con: Almost no source code
17
 What is a rootkit?
(or more importantly, how will I define it for this class)
• It s an overused term is what it is
• It's neither a root, nor a kit
• An attacker tool
• NOT how they get root
• "A rootkit is a set of programs which *PATCH* and
*TROJAN* existing execution paths within the
system. This process violates the *INTEGRITY* of
the TRUSTED COMPUTING BASE (TCB)." - Greg
Hoglund, http://www.phrack.com/issues.html?
issue=55&id=5
• The only universal truth about rootkits is that they
are trying to hide the attacker s presence
• 2 basic categorization schemes though

18
 TAXONOMY?!
19
http://spennypost.blogspot.com/2010/10/fbu-bonfire-night-strike.html
 Lord of the rings around the rosie
• Ring 3 – Userspace-Based
• Ring 0 – Kernel-Based
• Ring -1 – Virtualization-Based
– Intel VT-x(Virtualization Technology for x86), AMD-V (AMD Virtualization), Hypervisor subverted
• "Ring -1.5?" - Post-BIOS, Pre OS/VMM
– e.g. Master Boot Record (MBR) "bootkit"
– Peripherals with DMA(Direct Memory Access) (this can be ring 0, -1, or -1.5 depending on
whether VT-d is being used)
– Not a generally acknowledged "ring", but the place I think it fits best
• Ring -2 – System Management Mode (SMM)
• "Ring -2.5" - BIOS (Basic Input Output System), EFI (Extensible Firmware Interface)
– because they are the first code to execute on the CPU and they control what gets loaded into
SMM
– Not a generally acknowledged "ring", but the place I think it fits best
• Ring -3 – Chipset Based
– Intel AMT(Active Management Technology)

But BIOS could use VT-d to prevent DMA, and it initializes peripherals, so…?
Yeah, things get squishy at the bottom with non-real-rings. 20
 Stealth Malware Taxonomy
Joanna Rutkowska 2006

• http://invisiblethings.org/papers/malware-taxonomy.pdf
• Type 0: Uses only legitimate system features
• Type 1: Modifies things which should be static
• Type 2: Modifies things which are dynamic
• Type 3: Exists outside the operating system

• Type 4: Exists outside the main CPU/RAM

– Added by me

21
 Example Type 0 Malware
• Spyware
– There's nothing illegitimate about a cell phone map application
wanting to access your location data to show the local map. It's
only when it starts sending that location with your PII to a 3rd party
location that it starts to become questionable.
• Trojans
– There's nothing illegitimate about allowing users to install
programs. And there's no realistic way for a user to assess the full
extent of all that program's capabilities. When a program contains
capabilities which arguably have nothing to do with its advertised
purpose, that's when it becomes questionable.
• Bots
– There's nothing illegitimate about allowing an application to make
network connections. It's only when it's making thousands of them
as a part of a DDoS that's when it becomes questionable.
• Hide in plain sight
– Programs can name themselves whatever the developer wants. But
when the developer wants it to be named misleadingly similar to a
"trusted" software vendor like Microsoft's files, that's when it
becomes questionable.
22
 Detecting Type 0
• Out of scope for the taxonomy ;)
– Also mostly out of scope for this class
• Blacklisting
– Signature-based Anti-Virus
• Behavioral analysis
– Triumfant, QualysGuard, most AV to some
degree
• Filesystem integrity checking
– Tripwire, Bit9, SolidCore (for HBSS)

23
Why is Type 0 going undetected?
• Companies are overly invested in
blacklisting technology. Explosion in
polymorphism undermining signature-
based approaches.
• Whitelisting technologies often require
dedicated maintainers to understand
expected or known good state.
Thus they are typically not targeted at
home users.
24
 Stealth Malware Taxonomy
Joanna Rutkowska 2006

• http://invisiblethings.org/papers/malware-taxonomy.pdf
• Type 0: Uses only legitimate system features
• Type 1: Modifies things which should be static
• Type 2: Modifies things which are dynamic
• Type 3: Exists outside the operating system

• Type 4: Exists outside the main CPU/RAM

– Added by me

25
 Example Type 1 Malware
• Most in-the-wild rootkits are a mix of
Type 1 and Type 2
• The following are a quick glimpse at
some of the techniques we're going to
be looking at in this class.

26
 IAT Hook

27
From: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf
 SSDT Hook

28
From: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf
 Inline Hook

29
From: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf
Bootkit Lives here (from disk), but in order to do anything of consequence it has to keep
hooking each subsequent thing to keep control.

30

From http://www.stoned-vienna.com/downloads/Presentation.pdf
 Detecting Type 1
• GMER - My favorite (www.gmer.net)
– Here comes a new challenger! Virus Blok Ada (the people
who found Stuxnet) have been significantly improving their
anti-rootkit (Vba32arkit.exe), and since it has extra removal
capabilities built in, I'm diggin' it. Shoryuken!
• Tuluka, GMER, RootkitUnhooker, IceSword, Helios Lite,
RootkitRevealer, System Virginity Verifier(SVV), WinDbg !
chkimg, VICE, RAIDE, chkrootkit, etc,
• See http://www.antirootkit.com/software/index.htm and http://
ntinternals.org/anti_rootkits.php
• [VMWatcher] for out of band integrity checks
• Strider [GhostBuster] for cross-view of hiding things on
disk (but you can generally detect bootkits with memory
integrity checks, and you can’t get GhostBuster anyway)

31
 Preventing Type 1
• PatchGuard. Windows x64
– Unintended consequences? Pushes Type
1 to Type 0 or Type 2?
– Still need detection? x64 bootkit in the wild
[3]
• [NICKLE]. Assumes virtualized system
– What about VM escape? Still need
detection?
– [HyperSentry]

32
Why are Type 1 going undetected?
• None of the previously listed software is
meant to be run in an enterprise;
they re meant to be run manually on
single systems.
• The best detectors need deep system
knowledge in order to interpret the
results. Administrators may not have
this knowledge.

33
 Stealth Malware Taxonomy
Joanna Rutkowska 2006

• http://invisiblethings.org/papers/malware-taxonomy.pdf
• Type 0: Uses only legitimate system features
• Type 1: Modifies things which should be static
• Type 2: Modifies things which are dynamic
• Type 3: Exists outside the operating system

• Type 4: Exists outside the main CPU/RAM

– Added by me

34
 Example Type 2 Malware
• Direct Kernel Object Manipulation
[DKOM]
– Developed specifically to avoid using Type
1 hooking, because it was recognized to be
eminently detectable (presented hook
detector VICE at same time)
• Kernel Object Hooking [KOH]
– Generalization of existing techniques, with
suggestions of some example Windows
objects to hook

35
 Process Linked List Before DKOM

36
From: http://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf
Process Linked List After DKOM

37
From: http://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf
 KOH
• Hook function pointers in dynamically allocated objects
in the kernel
• typedef struct {
SHORT Type;
UCHAR Number;
UCHAR Importance;
LIST_ENTRY DpcListEntry;
PKDEFERRED_ROUTINE DeferredRoutine;
PVOID DeferredContext;
PVOID SystemArgument1;
PVOID SystemArgument2;
PULONG Lock;
} KDPC, *PKDPC;

38
 Detecting Type 2
• Plenty of things handle canonical DKOM
through cross-view detection
– VBA32AR, GMER, IceSword, RootkitRevealer,
F-Secure BlackLight, Sophos Anti-Rootkit, etc
• In some cases you may be able to
automatically infer semantic constraints on
data structures and verify them at runtime
[Petroni][LKIM]
• Recent academic interest in KOH
– [HookMap], [HookSafe], [HookScout]

39
Why are Type 2 going undetected?
• Same reasons as for Type 1, and…
• No good tools to detect KOH. Detecting
KOH system-wide (as opposed to
specific things attackers are known to
use) looks like it could induce
unacceptable performance penalty.
Also KOH detection could be more
prone to race conditions, and attempts
to eliminate these conditions would add
more performance overhead. More work
needed there.

40
 Stealth Malware Taxonomy
Joanna Rutkowska 2006

• http://invisiblethings.org/papers/malware-taxonomy.pdf
• Type 0: Uses only legitimate system features
• Type 1: Modifies things which should be static
• Type 2: Modifies things which are dynamic
• Type 3: Exists outside the operating system

• Type 4: Exists outside the main CPU/RAM

– Added by me

41
 Example Type 3 Malware
• Ring -1 – Virtualization-Based
– Intel VT-x(Virtualization Technology for x86), AMD-V (AMD
Virtualization), Hypervisor subverted
• "Ring -1.5?" - Post-BIOS, Pre OS/VMM
– e.g. Master Boot Record (MBR) "bootkit"
– Peripherals with DMA(Direct Memory Access) (this can be ring 0,
-1, or -1.5 depending on whether VT-d is being used)
– Not a generally acknowledged "ring", but the place I think it fits best
• Ring -2 – System Management Mode (SMM)
• "Ring -2.5" - BIOS (Basic Input Output System), EFI (Extensible
Firmware Interface)
– because they are the first code to execute on the CPU and they
control what gets loaded into SMM
– Not a generally acknowledged "ring", but the place I think it fits best
• Ring -3 – Chipset Based
– Intel AMT(Active Management Technology)

42
 43
From http://www.invisiblethingslab.com/resources/bh07/IsGameOver.pdf
 44
From http://www.invisiblethingslab.com/resources/bh07/IsGameOver.pdf
 Batteries Not
Included!

45
From http://support.amd.com/us/Processor_TechDocs/24593.pdf
 Detecting Type 3 – Ring -1
• Due to hype surrounding ring -1 rootkits, people
had incentive to find them.
• Don t Tell Joanna, The Virtualized Rootkit Is
Dead [8]
– Exhibits same misunderstanding of technically
detectable vs people can actually detect it in
practice
• Timing side-effect detection
• Compatibility is Not Transparency: VMM
Detection Myths and Realities [9]
• In addition some people have suggested the
classic approach of just go lower , as in, scan
from ring -2 or ring -3 (e.g. [DeepWatch])
46
Prevent/Detect Type 3 – Ring -2
• There are mechanisms in both Intel and AMD s
virtualization extensions to deprivilege the code
running in SMRAM, by basically virtualizing it, and
limiting the code s view of memory so that it can t
scribble on your OS/hypervisor.
– AMD also has an option for the hypervisor to intercept
SMIs and fake out a transition directly to SMM without
requiring writing the separate minimal hypervisor which
lives in SMM – talk on *implementing* this at
ShmooCon 2010 [SMMshmoo]
• Not aware of any commercial vendors who do this
yet.
• Can theoretically just integrity check SMRAM, iff
you have access, which requires getting there first,
or going through the same hole as an attacker
47
 48
From http://www.invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf
FIXME: add NIC infection

49
FIXME: add KBC infection

50
 Detecting Type 4 – Ring -3
• Use other ring -3 detectors and get
there first? TPM can verify a compatible
BIOS, but what about everything else?
[DeepWatch] wasn t designed for it, but
can it help?
• Self-attestation [SWATT][SBAP]
[Pioneer]
• SOL?
• Too soon to say
51
 Why are Type 3 & 4 going
undetected?
• Cache 22? Not looking for them in the
wild because we re not hearing about
them being found in the wild?
• Even if we want to look for them, there
are no tools to help us do so. Have to
roll your own.
• Level of development effort and
hardware-dependencies probably
indicates they will only be used in highly
targeted attacks.
52
 Stealth Malware Taxonomy
Joanna Rutkowska 2006

• http://invisiblethings.org/papers/malware-taxonomy.pdf
• Type 0: Uses only legitimate system features
• Type 1: Modifies things which should be static
• Type 2: Modifies things which are dynamic
• Type 3: Exists outside the operating system

• Type 4: Exists outside the main CPU/RAM

– Added by me

53
 They Might Be Giants:
Where your eyes don't go
(rootkit themesong as far as I'm concerned)
• Where your eyes don't go a filthy scarecrow waves its broomstick arms
And does a parody of each unconscious thing you do
When you turn around to look it's gone behind you
On its face it's wearing your confused expression
Where your eyes don't go

Where your eyes don't go a part of you is hovering

It's a nightmare that you'll never be discovering

• Should you worry when the skullhead is in front of you

Or is it worse because it's always waiting where your eyes don't go?

• http://www.youtube.com/watch?v=hqY3kASMFW8

54
 Spoiler Alert
• There are ~8 rootkits leveraging ~10
techniques in the example VM,
depending on how you count.

55
• What If…we ran GMER on our example
VM?
• (Note to self, try and crowdsource the 56
interpretation to start with)
 Inline Hooks
if control flow redirect
PE section where (call, jmp)
the hook resides module space where
module within
process memory it's redirected to
if it is within a module
function name number of bytes
process name address range
within module that changed

specific virtual memory

process ID (PID) interpretation of
address where the changed bytes
change is found (if possible)

57

Book page 340

 !chkimg
• You can also find modifications to static
code/data areas with the !chkimg
windbg command. It checks the version
in memory against the file on disk

58
 System Virginity Verifier
• http://invisiblethings.org/tools/svv/
svv-2.3-src.zip
• http://invisiblethings.org/papers/
rutkowska_bhfederal2006.ppt
• Like !chkimg but tries to apply some
heuristics to the modifications it found to
apply a severity score.

59
 False Positives
McAfee HBSS HIPS

60
 Stuxnet use of inline hooks
• From the Stuxnet Dossier: http://www.symantec.com/content/en/us/
enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
• "~WTR4141.tmp then loads ~WTR4132.tmp, but before doing
so, it attempts to hide the files on the removable drive. Hiding
the files on the removable drive as early in the infection process
as possible is important for the threat since the rootkit
functionality is not installed yet, as described in the Windows
Rootkit Functionality section. Thus, ~WTR4141.tmp implements
its own less-robust technique in the meantime.
• WTR4141.tmp hooks the following APIs from kernel32.dll and
Ntdll.dll:
• From Kernel32.dll
– FindFirstFileW
– FindNextFileW
– FindFirstFileExW
• From Ntdll.dll
– NtQueryDirectoryFile 61
– ZwQueryDirectoryFile"
 Go with what you know…
Import Address Table (IAT) Hooks
If GMER can, it tries to infer
This is the address in the IAT which module space the
pointing somewhere other than function pointer is pointing into.
where it should (based on the And if there's version
Exports Address Table (EAT) information in that module, it
of the exporting module pulls that out too

This is the module This is the function

doing the importing being imported by
the first module and
exported by the
second

Telling you that This is the module

this is an IAT hook doing the exporting
62

Book page 265

 63
Image by Ero Carrera
 64
Image by Ero Carrera
 Review: Import Descriptor (from winnt.h)

I think they meant INT

typedef struct _IMAGE_IMPORT_DESCRIPTOR {!
union {!
DWORD Characteristics; // 0 for terminating null import descriptor!
DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)!
! ! ! ! ! //Xeno Comment: In reality a PIMAGE_THUNK_DATA!
};!
DWORD TimeDateStamp; // 0 if not bound,!
// -1 if bound, and real date\time stamp!
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
!
// O.W. date/time stamp of DLL bound to (Old BIND)!
!
DWORD ForwarderChain; // -1 if no forwarders!
DWORD Name;!
DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
!
! ! ! ! ! //Xeno Comment: In reality a PIMAGE_THUNK_DATA!
} IMAGE_IMPORT_DESCRIPTOR;!
!

• While the things in blue are the fields filled in for the most common case, we
will actually have to understand everything for this structure, because you
could run into all the variations.
65
 66
Image by Ero Carrera
Review: Import Names Table Import Address Table
(IMAGE_THUNK_DATA array) (IMAGE_THUNK_DATA array)
Import data
structures 0x014B, IoDeleteSymbolicLink

ON DISK 0x040B, RtlInitUnicodeString

0x01DA, IofCompleteRequest

Array of IMAGE_IMPORT_BY_NAME
Structures stored wherever in the file
IMAGE_IMPORT_DESCRIPTOR

OriginalFirstThunk
TimeDateStamp
ForwarderChain
Name ntoskrnl.exe
FirstThunk
0
0
Zero-filled
0 IMAGE_IMPORT_DESCRIPTOR
entry terminates the array
0
0 67
… Graphical style borrowed from the Matt Pietrek articles
Review: Import Names Table Import Address Table
(IMAGE_THUNK_DATA array) (IMAGE_THUNK_DATA array)
Import data
structures 0x014B, IoDeleteSymbolicLink

IN MEMORY 0x040B, RtlInitUnicodeString

AFTER IMPORTS 0x01DA, IofCompleteRequest

RESOLVED Array of IMAGE_IMPORT_BY_NAME

Structures stored wherever in the file
IMAGE_IMPORT_DESCRIPTOR
IAT entries now
OriginalFirstThunk point to the full
TimeDateStamp virtual addresses
where the
ForwarderChain functions are
found in the other
Name ntoskrnl.exe modules (just
FirstThunk ntoskrnl.exe in
this case)
0
0
Zero-filled
0 IMAGE_IMPORT_DESCRIPTOR
entry terminates the array
0
0 68
… Graphical style borrowed from the Matt Pietrek articles
Review: Import Names Table Import Address Table
(IMAGE_THUNK_DATA array) (IMAGE_THUNK_DATA array)
Import data
structures 0x014B, NtQuerySysInfo

ON DISK 0x040B, RtlInitUnicodeString

0x01DA, IofCompleteRequest

Array of IMAGE_IMPORT_BY_NAME
Structures stored wherever in the file
IMAGE_IMPORT_DESCRIPTOR

OriginalFirstThunk
TimeDateStamp
ForwarderChain
Name ntdll.dll
FirstThunk
0
0
Zero-filled
0 IMAGE_IMPORT_DESCRIPTOR
entry terminates the array
0
0 69
… Graphical style borrowed from the Matt Pietrek articles
Review: Import Names Table Import Address Table
(IMAGE_THUNK_DATA array) (IMAGE_THUNK_DATA array)
Import data
structures 0x014B, NtQuerySysInfo

IN MEMORY 0x040B, RtlInitUnicodeString

AFTER IMPORTS 0x01DA, IofCompleteRequest

RESOLVED Array of IMAGE_IMPORT_BY_NAME

Structures stored wherever in the file
IMAGE_IMPORT_DESCRIPTOR
IAT entries now
OriginalFirstThunk point to the full
TimeDateStamp virtual addresses
where the
ForwarderChain functions are
found in the other
Name ntdll.dll modules (just
FirstThunk ntoskrnl.exe in
this case)
0
0
Zero-filled
0 IMAGE_IMPORT_DESCRIPTOR
entry terminates the array
0
0 70
… Graphical style borrowed from the Matt Pietrek articles
 Review: IAT Hooking
• When the IAT is fully resolved, it is
basically an array of function pointers.
Somewhere, in some code path, there s
something which is going to take an IAT
address, and use whatever s in that
memory location as the destination of the
code it should call.
• What if the whatever s in that memory
location gets changed after the OS loader
is done? What if it points at attacker code?
71
 Review: IAT Hooking 2
• Well, that would mean the attacker s code
would functionally be man-in-the-middle ing
the call to the function. He can then change
parameters before forwarding the call on to the
original function, and filter results that come
back from the function, or simply never call the
original function, and send back whatever
status he pleases.
– Think rootkits. Say you re calling OpenFile. It
looks at the file name and if you re asking for a file
it wants to hide, it simply returns no file found.
• But how does the attacker change the IAT
entries? This is a question of assumptions
about where the attacker is.
72
 Review: IAT Hooking 3
• In a traditional memory-corrupting exploit, the attacker is, by
definition, in the memory space of the attacked process, upon
successfully gaining arbitrary code execution. The attacker can
now change memory such as the IAT for this process only,
because remember (from OS class or Intermediate x86) each
process has a separate memory space.
• If the attacker wants to change the IAT on other processes, he
must be in their memory spaces as well. Typically the attacker
will format some of his code as a DLL and then perform DLL
Injection in order to get his code in other process memory
space.
• The ability to do something like DLL injection is generally a
prerequisite in order to leverage IAT hooking across many
userspace processes. In the kernel, kernel modules are
generally all sharing the same memory space with the kernel,
and therefore one subverted kernel module can hook the IAT of
any other modules that it wants.

73
 Review: DLL Injection
• See http://en.wikipedia.org/wiki/
DLL_injection for more ways that this
can be achieved on Windows/*nix
• We re going to use the AppInit_DLLs
way of doing this, out of laziness
• (Note: AppInit_DLLs' behavior has
changed in releases > XP, it now has to
be enabled with Administrator level
permissions.)
74
 Review: Lab: IAT hooking
• http://www.codeproject.com/KB/vista/api-hooks.aspx
– This will hook NtQuerySystemInformation(), which is what taskmgr.exe uses in
order to list the currently running processes. It will replace this with
HookedNtQuerySystemInformation(), which will hide calc.exe
– I modified that code to use IAT hooking rather than inline (which is much simpler
actually)
• Steps:
– Compile AppInitHookIAT.dll
– Place at C:\AppInitHookIAT.dll for simplicity
– Use regedit.exe to add C:\AppInitHookIAT.dll as the value for the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\AppInit_DLLs (if there is already something there,
separate the entries with a comma)
– Start calc.exe, start taskmgr.exe, confirm that calc.exe doesn't show up in the list
of running processes.
– Remove C:\AppInitHookIAT.dll from AppInit_DLLs and restart taskmgr.exe.
– Confirm calc.exe shows up in the list of running processes.
– (This is a basic "userspace rootkit" technique. Because of this, all entries in this
registry key should always be looked upon with suspicion.)
75
 Go with what you know: IDT
If we had run the bhwin_keysniff from IntermediateX86 we would
have seen the following:

As it is, we see something like:

This indicates that interrupt index 0xE in the Interrupt Descriptor

Table (IDT) does not point as its normal location, it points at
memory address 0xF9F55A40, and GMER has not been able to
determine which driver, if any, is associated with that memory
range (thanks to another rootkit we'll learn about later.)

Let's do a quick review of what we learned about segmentation

and the IDT. 76

Book page 270

 Review: Surprise! No one uses segmentation
directly for memory protection! :D
• On most systems, segmentation is not
providing the primary RWX type permissions,
they instead rely on paging protections.

Vol.3a, Sect. 77
3.2.1
 Review: One more time
One of the segment registers The address you see in
(SS/CS/DS/ES/FS/GS) assembly instructions
(implicitly with a CS or SS selector)

GDT or LDT
(depending on the TI bit
of the segment selector)

78
 Review: GDT & LDT

All entries
in these
tables are
Segment
Descriptor
structures
Special registers
point to the base
of the tables &
specify their size 79
 Review: Segment Descriptors
• Each segment has a segment descriptor, which specifies the
size of the segment, the access rights and privilege level for the,
the segment type, and the location of the first byte of the
segment in the linear address space (called the base address of
the segment).

Segment
Base Address Limit
Base Address
31:24 19:16 23:16

Base Address 15:0 Segment Limit 15:0

I approve
of this
summary

80
Review: IDTR Usage

81
Review: Interrupt Gate Descriptor
Note that the two halves
of the offset form a
32 bit address.
Offset 31:16

Segment Selector
Offset 15:0
(16 bits)

Descriptors not in use should have P = 0

Winners don't
use drugs!
82
 From IDT to Interrupt Handler

83
Review: IDT Relation to Segments

84
 A hint

The IDT change seems to be due to a module called mm.sys

which hooks the Page Fault handler… Hmm…who do we know
that might want to do that… 85
 Review: ASCII Art of Dooooom!

86

Book page 516 http://www.phrack.com/issues.html?issue=63&id=8

 Missed one!
• Turns out the GDT is modified to have a call
gate. While you could see this with manual
windbg inspection using the !descriptor plugin
from the Intermediate x86 class, Tuluka also
detects it:

• Let's go review call gates quick shall we?

87

Book page 308

 Review: Call Gates
("I'm down with Bill Gates, I call him Money for short. I phone him up at home, and I make him do my tech support!"
- Weird Al, "It's All About the Pentiums")

•Call gates are basically a way to transfer control from one segment to
another segment (possibly at a different privilege ring, possible at a
different size in terms of whether it's 16/32 bits.)
•But the key point is you don't want people to be able to call to anywhere
in the other segment, you want the interface to be controlled and well-
understood. So calling to a call gate brings code to a specific place 88
which the kernel has set up.
 Review: Call Gates 2
• The CALL, RET, and JMP x86 instructions have a
special form for when they are doing inter-segment
control flow transfer (normal call, ret, jmps are
intra-segment for reasons which will become clear
shortly.)
• Each of them takes a single far pointer as an
argument (though in ret's case, it's popping it off
the stack).
• A call gate expects as many parameters as
specified by the "Param Count" field on the
previous slide (max of 32 due to 5 bit field).
Parameters are just pushed onto the stack right to
left like a normal cdecl/stdcall calling convention.
• Return value from the far call is returned in eax.
• __asm{call fword ptr 0x48:0x12345678};
89
 Funny thing that…
• Run GMER while Tuluka is loaded, get:

(With thanks to http://memegenerator.net/yo-dawg/ for making that easy!) 90

A portrait of the rootkit as a young
man in the middle

(CC BY-NC-SA 2.0) image by thrill kills sunday pills 91

http://www.flickr.com/photos/27086700@N03/2994587384/in/photostream/
 Normal Intra-Module Function Call
WickedSweetApp.exe
…
push 1234
call SomeFunc()
add esp, 4
1 …
SomeFunc:
mov edi, edi
push ebp 2
mov ebp, esp
sub esp, 0x20
…
ret

92
 Inline Hooked Intra-Module Function Call
WickedSweetApp.exe WickedWickedDll.dll
…
push 1234
MySomeFunc:
call SomeFunc()
<stuff>
add esp, 4
…
…
1 mov edi, edi
…
push ebp
SomeFunc:
4 mov ebp, esp
jmp MySomeFunc
3 jmp SomeFunc+5
sub esp, 0x20
…
ret

That reminds me of trig class! 93

 Inline Hooked Intra-Module Function Call
WickedSweetApp.exe WickedWickedDll.dll
…
push 1234
MySomeFunc:
call SomeFunc()
<stuff>
add esp, 4
…
…
1 mov edi, edi
…
push ebp
SomeFunc:
4 mov ebp, esp
jmp MySomeStuff
3 jmp SomeFunc+5
sub esp, 0x20
…
ret

94
 Normal Inter-Module Function Call
WickedSweetApp.exe WickedSweetLib.dll
…
… SomeFunc:
push 1234 mov edi, edi
call [0x40112C] push ebp
add esp, 4
…
mov ebp, esp
Import Address Table sub esp, 0x20
0x40112C:SomeFunc …
0x401130:SomeJunk ret
0x401134:ScumDunk
…

95
 Normal Inter-Module Function Call
WickedSweetApp.exe WickedWickedDll.dll WickedSweetLib.dll

…
… SomeFunc:
push 1234 mov edi, edi
call [0x40112C] 1 MySomeFunc: push ebp
add esp, 4 … mov ebp, esp
… call SomeFunc() sub esp, 0x20
Import Address Table … …
0x40112C:MySomeFunc ret 3 ret
0x401130:SomeJunk
0x401134:ScumDunk
…

96
 Normal Inter-Module Function Call
WickedSweetApp.exe WickedWickedDll.dll WickedSweetLib.dll

…
… SomeFunc:
push 1234 mov edi, edi
call [0x40112C] 1 MySomeFunc: push ebp
add esp, 4 … mov ebp, esp
… call SomeFunc() sub esp, 0x20
Import Address Table … …
0x40112C:MySomeFunc ret 3 ret
0x401130:SomeJunk
0x401134:ScumDunk
…

97
 Normal Interrupt Event

ntkrnlpa.exe
…
KiTrap03:
mov edi, edi
push ebp
mov ebp, esp
1: Interrupt sub esp, 0x20
…
3: Interrupt Return iret

Pop quiz, hot shot. What's the

difference between ntoskrnl.exe
98
and ntkrnlpa.exe?
 Hooked Interrupt Event

pwnsauce.sys ntkrnlpa.exe
…
… KiTrap03:
DebugHook: mov edi, edi
… push ebp
if() mov ebp, esp
jmp KiTrap03 sub esp, 0x20
1: Interrupt else …
iret …
3: Interrupt Return
4: Interrupt Return iret

99
 Hooked Interrupt Event

pwnsauce.sys ntkrnlpa.exe
…
… KiTrap03:
DebugHook: mov edi, edi
… push ebp
if() mov ebp, esp
jmp KiTrap03 sub esp, 0x20
1: Interrupt else …
iret …
3: Interrupt Return
4: Interrupt Return iret

100
 Hooked IDT + inline hook
(not common, just saying. be aware of potential to mix and match techniques)

pwnsauce.sys ntkrnlpa.exe
… …
DebugHook: KiTrap03:
… mov edi, edi
if(){ push ebp
jmp KiTrap03 mov ebp, esp
sub esp, 0x20
DebugHook+x: …
1: Interrupt … …
}else jmp DebugHook+x

3/5: Interrupt Return iret

101
 Stuxnet trojaned DLL
• Stuxnet used forwarded exports for the
93 of 109 exports in s7otbxdx.dll which
it didn t need to intercept.

102
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
 Stuxnet trojaned DLL 2

103
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
 Stuxnet trojaned DLL 2

NO! I'm the real

s7otbxdx, I swear!
He's wearing a
mission impossible
style latex mask
104
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
 Stuxnet trojaned DLL 2

Shut up s7otbxsx!
And btw, what's
PLC's favorite dish?

105
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
 Stuxnet trojaned DLL 2

It's a Luther Burger.

…Blast!

106
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
 Further Reading
• Hacker Defender Readme: http://
www.megasecurity.org/trojans/h/
hackerdefender/
Hackerdefender1.00r.html

107
 References
(from the early "Rootkits are lame" talk slides)
• [VMWatcher] http://www.csc.ncsu.edu/faculty/jiang/pubs/CCS07.pdf
• [NICKLE]: http://friends.cs.purdue.edu/dokuwiki/doku.php?id=nickle
• [3] TDL rootkit x64 goes wild
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html

• [HyperSentry] http://discovery.csc.ncsu.edu/pubs/ccs10.pdf
• [HookMap] http://www4.ncsu.edu/~zwang15/files/raid08.pdf
• [HookSafe] http://www4.ncsu.edu/~zwang15/files/ccs09.pdf
• [HookScout] http://www.ecs.syr.edu/faculty/yin/pubs/hookscout-dimva10.pdf

108
 References 2
(from the early "Rootkits are lame" talk slides)
• https://www.blackhat.com/presentations/bh-usa-07/Ptacek_Goldsmith_and_Lawson/
[8] Don t Tell Joanna, The Virtualized Rootkit Is Dead
Presentation/bh-usa-07-ptacek_goldsmith_and_lawson.pdf

• [9] Compatibility is Not Transparency: VMM Detection Myths and Realities

http://www.usenix.org/event/hotos07/tech/full_papers/garfinkel/garfinkel_html/
• http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf
[DKOM] VICE – Catch the hookers -
• [KOH] Kernel Object Hooking (KOH) Rootkits -
http://www.rootkit.com/newsread.php?newsid=501
• http://www.blackhat.com/presentations/bh-usa-08/Bulygin/
[DeepWatch] Chipset Based Approach to Detect Virtualization Malware
bulygin_Chip_Based_Approach_to_Detect_Rootkits.pdf

109
 References 3
(from the early "Rootkits are lame" talk slides)
• [SWATT] SWATT: SOFTWARE-BASED ATTESTATION FOR EMBEDDED SYSTEMS,
http://sparrow.ece.cmu.edu/~adrian/projects/swatt.pdf
• [SBAP] SBAP: SOFTWARE-BASED ATTESTATION FOR PERIPHERALS,
http://sparrow.ece.cmu.edu/group/pub/li_mccune_perrig_SBAP_trust10.pdf

• [SMMshmoo] Ring -1 vs. Ring -2: Containerizing Malicious SMM Interrupt Handlers on AMD-V,
http://www.shmoocon.org/2010/slides/containerizing.zip
• [GhostBuster] The Strider GhostBuster Project,
http://research.microsoft.com/en-us/um/redmond/projects/strider/rootkit/
• [LKIM] Linux kernel integrity measurement using contextual inspection,
portal.acm.org/citation.cfm?id=1314354.1314362
• [Petroni] An Architecture for Specification-Based Detection of
Semantic Integrity Violations in Kernel Dynamic Data
http://www.usenix.org/event/sec06/tech/full_papers/petroni/
petroni_html/

110