
Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.





2 Presentation “structure”

    #include
    #define GOOD 1

    typedef struct hook_slide {
        slide_ptr IAT;
        slide_ptr Inline;
        slide_ptr Injection;
        slide_ptr Detection;
    } hSlides_t;

    struct RootkitPresentation {
        slide_ptr Definition;
        slide_ptr Evolution;
        hSlides_t Userland_API_Hooking;
        slide_ptr Resources;
        slide_ptr References;
    } rootkits;

    if (do_presentation(rootkits) != GOOD)
        exit(QUICKLY);
    exit(0);

3 rootkits.Definition The Hacker Jargon File: rootkit: /root´kit/, n. [very common] A kit for maintaining root; an automated cracking tool. What script kiddies use. After a cracker has first broken in and gained root access, he or she will install modified binaries such as a modified version of login with a backdoor, or a version of ps that will not report the cracker's processes. This is a rootkit. Wikipedia: “A rootkit is a set of software tools intended to conceal running processes, files or system data …” 0x00

4 rootkits.Evolution The Roots: Rootkits were originally for *nix systems. The goal of these kits was to allow an attacker to maintain root access to a computer. This is where the “root” comes from in the compound word. These kits typically replaced/modified common administrative utilities to hide backdoor utilities. The Branches: Rootkits have grown into API hooking, kernel hooking, DKOM (Direct Kernel Object Manipulation), and more…

5 rootkits.Userland_API_Hooking IAT Hooking: Overwrite Import Address Table entries. To overwrite IAT entries, one must be in the same address space as the process. Inline Hooking: Overwrite the first part of a function so that it jumps to another function. To overwrite a function's first bytes, one must likewise be in the same address space as the process.

6 rootkits.Userland_API_Hooking.IAT Definition - IAT: The Import Address Table is a list of function pointers. IAT function pointers are set when the Windows loader loads a program. Each function pointer holds the address of a function contained in a .dll loaded into the address space of the process.

7 rootkits.Userland_API_Hooking.Inline Definition – Inline Hooking: Inline Hooking consists of modifying a function in memory in order to change the flow of execution. The first handful of bytes of a function are replaced with an instruction which tells the IP (instruction pointer) to execute code somewhere else in memory.

8 rootkits.Userland_API_Hooking.Injection[0] Virtual Memory: Each process has its own view of memory. Process A’s memory is protected from modification by process B. How does one perform IAT or Inline hooking if A’s memory is completely inaccessible? … wait for it… It’s not!

9 rootkits.Userland_API_Hooking.Injection[1] Ways to Inject:
- Modify the DLL Imports of an executable image (LordPE and similar).
- Use the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (User32.dll loads DLLs listed in this key).
- Using SetWindowsHookEx()
- Using CreateRemoteThread()

10 rootkits.Userland_API_Hooking.Detection IAT Hooking: Look in the IAT for function addresses that are not in the typical range, i.e. that do not fall inside the DLL the import was taken from. Inline Hooking: Check the first few bytes of a function for a jump.
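Both detection checks from the slide above, written out as an added example (not code from the presentation). The program is portable C so it can run anywhere: the module ranges, IAT slots and function prologues are constructed sample data, standing in for what a real scanner on Windows would read from the process's module list, the PE import descriptors and the first bytes of each imported function. Module names, addresses and the "hook.dll" entry are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address range of a loaded module. A real scanner reads these from the
   process's module list; here they are constructed sample values. */
typedef struct {
    const char *name;
    uintptr_t   base;
    size_t      size;
} module_range_t;

/* One IAT slot as the loader filled it: the imported name, the DLL the
   import descriptor names, and the function pointer now in the slot. */
typedef struct {
    const char *func;
    const char *expected_module;
    uintptr_t   target;
} iat_entry_t;

/* Return the module whose range contains addr, or NULL if none does. */
static const module_range_t *module_for_address(const module_range_t *mods,
                                                size_t nmods, uintptr_t addr)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* IAT check: a slot is suspicious when its pointer does not land inside the
   module the import descriptor names. Returns the number of suspicious slots
   and reports each one on stdout. */
size_t check_iat(const iat_entry_t *iat, size_t n,
                 const module_range_t *mods, size_t nmods)
{
    size_t suspicious = 0;
    for (size_t i = 0; i < n; i++) {
        const module_range_t *m = module_for_address(mods, nmods, iat[i].target);
        if (m == NULL || strcmp(m->name, iat[i].expected_module) != 0) {
            printf("IAT: %s -> 0x%lx is in %s, expected %s\n", iat[i].func,
                   (unsigned long)iat[i].target, m ? m->name : "<no module>",
                   iat[i].expected_module);
            suspicious++;
        }
    }
    return suspicious;
}

/* Inline check: does the function start with a control transfer instead of
   a normal prologue? Returns 1 if it looks hooked, 0 otherwise. */
int is_inline_hooked(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)                     /* jmp rel32 */
        return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)  /* jmp [abs32] */
        return 1;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)  /* push imm32; ret */
        return 1;
    if (len >= 2 && code[0] == 0xEB)                     /* jmp rel8 */
        return 1;
    return 0;
}

/* Constructed sample data: three module ranges, one of them a hypothetical
   injected DLL, and four IAT slots, two of which point somewhere wrong. */
static const module_range_t sample_modules[] = {
    { "kernel32.dll", 0x7C800000u, 0xF6000u },
    { "user32.dll",   0x7E410000u, 0x91000u },
    { "hook.dll",     0x10000000u, 0x8000u  },
};
static const iat_entry_t sample_iat[] = {
    { "CreateFileW",  "kernel32.dll", 0x7C801A28u }, /* inside kernel32: fine */
    { "WriteFile",    "kernel32.dll", 0x10001234u }, /* inside hook.dll: suspicious */
    { "MessageBoxW",  "user32.dll",   0x7E4507EAu }, /* inside user32: fine */
    { "GetTickCount", "kernel32.dll", 0x00401000u }, /* in no listed module: suspicious */
};
/* Constructed prologues: a normal one (mov edi,edi; push ebp; mov ebp,esp)
   and two that have been overwritten with a control transfer. */
static const uint8_t clean_prologue[]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t jmp_prologue[]     = { 0xE9, 0x00, 0x10, 0x00, 0x00 };
static const uint8_t pushret_prologue[] = { 0x68, 0x00, 0x00, 0x00, 0x10, 0xC3 };

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

int main(void)
{
    size_t bad = check_iat(sample_iat, COUNT(sample_iat),
                           sample_modules, COUNT(sample_modules));
    printf("%zu suspicious IAT slot(s)\n", bad);
    printf("clean prologue hooked: %d\n", is_inline_hooked(clean_prologue, COUNT(clean_prologue)));
    printf("jmp prologue hooked:   %d\n", is_inline_hooked(jmp_prologue, COUNT(jmp_prologue)));
    printf("push/ret hooked:       %d\n", is_inline_hooked(pushret_prologue, COUNT(pushret_prologue)));
    return 0;
}
```

Two caveats a real scanner has to handle: an export that a DLL forwards to another module (kernel32 forwarding to ntdll, for example) legitimately resolves outside the named module, so the IAT check is a signal to investigate rather than proof of a hook, and Microsoft's hot-patchable functions begin with mov edi,edi precisely so that a short jmp can be written there by the vendor, so a rel8 jump at function start needs to be compared against the on-disk copy of the DLL before it is called malicious.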

11 rootkits.Resources
- Hacker Defender rootkit defeating common rootkit detectors: http://hxdef.org/download/brilliant.php
- Rootkit technology development: http://www.rootkit.com
- Rootkit detection:
  - Strider - http://research.microsoft.com/rootkit
  - BlackLight - http://www.f-secure.com/blacklight
  - RootkitRevealer - http://www.sysinternals.com/Utilities/RootkitRevealer.html
  - Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

12 rootkits.References
- Hoglund, Greg and James Butler. Rootkits: Subverting the Windows Kernel. Stoughton, MA: Addison-Wesley, 2006.
- Portable Executable format - http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

