Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.

Published byGordon Short Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to."— Presentation transcript:

1 Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8)

2 Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to hide rootkit presence –Modify data that stores information about processes, files, etc. that would reveal presence of rootkit This chapter –Modifying data that stores information on rootkit

3 Direct Kernel Object Manipulation Hooking disadvantages –If someone knows where to look, hooks can usually be detected –Modern kernel/hardware memory protection mechanisms may make some hooks unusable (read-only, no-execute protection) DKOM –Directly modify objects the kernel relies upon for its bookkeeping and reporting –Normally, modifications to processes or tokens is done via Object Manager in kernel Performs protection checks –DKOM bypasses Object Manager and its checks

4 DKOM Disadvantages –Must disassemble format of object WinDbg makes it easier –Must know how object is used so that code doesn’t break after modification –Must know how object changes between versions of OS –Only objects the kernel keeps in memory and uses for accounting purposes can be modified Can not be used to hide files Can be used to hide processes, device drivers, ports Can be used to elevate privilege levels

5 Determining OS version User-mode –Win32 API OSVERSIONINFOEX structure –Returned by GetVersionEx Kernel-mode –Old versions of Windows PsGetVersion API –New versions (XP) of Windows RtlGetVersion –Parse string that is returned Either mode –Windows registry query HKEY_LOCAL_MACHINE\SOFTWARE\Microso ft\Windows\NT\CurrentVersion\* RegQueryValueEx

6 Making it happen From user-mode –Must create IOCTLs to communicate with driver that performs DKOM I/O Control Codes –IOCTLs included within IRPs –Example in book

7 Process hiding Objects referenced by user process such as Taskmgr.exe ZwQuerySystemInformation call lists running processes –Traverses doubly linked list in the EPROCESS structure of each process FLINK = pointer to process in front BLINK = pointer to process in back –Find a reference to EPROCESS of current process by calling PsGetCurrentProcess

8 Process hiding Hiding done based on process name –PIDs are pseudo-random –Name is included in EPROCESS structure –Location of name obtained via GetLocationOfProcessName –16 byte character string (first 16 characters of binary on disk) Traverse list and update FLINK and BLINK pointers to point around process to be hidden –Must ensure that hidden process has valid FLINK and BLINK pointers when hidden process exits via PspExitProcess –Have them point to itself What about process scheduler? –Apparently does not rely on FLINK/BLINK

9 Device driver hiding drivers.exe utility Windows Device Manager –Rely on ZWQuerySystemInformation with a SYSTEM_INFORMATION_CLASS of 11 –Modules also referenced via doubly linked list Same trick used Modify FLINK and BLINK again –Finding the list is hard Scan memory manually for MODULE_ENTRY object structure Use Kernel Processor Control Block (KPRCB) for Windows XP and beyond Use WinDbg to view members of the DRIVER_OBJECT structure (contains an undocumented field 0x14 into structure that is a pointer to driver’s MODULE_ENTRY

10 Issues in list traversal Processes and modules may be added or deleted while traversing –Must grab PspActiveProcessMutex –Must deal with possible pre-emption while modifying Must run at DISPATCH_LEVEL to prevent

11 Token privilege and group elevation Process token derived from login session of user that spawned process Every thread within process has its own token Use modifications to token to gain elevated privileges to install rootkit –Win32 API: OpenProcessToken, AdjustTokenPrivileges, AdjustTokenGroups –One can modify token privileges without elevated privileges by directly modifying privelege information in token Stored in variable length portion of token Example privileges: p 197 –SeCreateTokenPrivilege –SeAssignPrimaryTokenPrivilege –SeLockMemoryPrivilege –SeIncreaseQuotaPrivilege –SeUnsolicitedInputPrivilege –etc

12 Token privilege and group elevation Major problem –Adding privileges to variable length part of token –Must avoid increasing token size –Look to modify in place –Many privileges are included but are in a DISABLED state SE_PRIVILEGE_DISABLED SE_PRIVILEGE_ENABLED_BY_DEFAULT SE_PRIVILEGE_ENABLED

13 Token privilege and group elevation Group elevation –Privileges associated with group membership Determined by group SID Adding SIDs to a process token adds privileges –Much more complicated than adding privileges Requires allocating new memory and updating pointers in SID_AND_ATTRIBUTE table i.e. unlike privileges there are no “disabled” SIDs to fill in

14 Hiding while performing DKOM Events generated upon all actions –Registered callbacks upon certain events must be disabled to ensure stealth –Example: Windows Event Log Process being created Parent PID Username that owns process Must change values in process token to other users to hide tracks

15 Other DKOM targets Hiding network ports –Modifying tables of open ports in TCPIP.SYS Recommended tools –SoftIce –WinDbg –IDA Pro –Microsoft Symbol Server

16 Hardware manipulation Physical access allows for hardware/firmware changes to be made –BIOS modifications CIH virus destroyed BIOS No known public rootkit for BIOS –BIOS modifications to PCI devices Example in book 8259 keyboard controller –Modifies HAL.DLL (Hardware Abstraction Layer) –Technically not a hardware modfication, but adds exploit at interrupt processing level using assembly commands specific to hardware Microcode update for processors –Used to fix bugs –Stored in BIOS and uploaded to processor every time machine boots –Protected by strong encryption on Intel processors (but not AMD processors) AMD K8 microcode update driver IA32 microcode driver

Download ppt "Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to."

Similar presentations

Operating-System Structures

Operating-System Structures
Operating System Structures

Operating System Structures
VICE – Catch the hookers! (Plus new rootkit techniques)

VICE – Catch the hookers! (Plus new rootkit techniques)
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
Operating-System Structures

Operating-System Structures
IT Systems Operating System EN230-1 Justin Champion C208 – 3273 www.staffs.ac.uk/personal/engineering_and_technology/jjc1.

IT Systems Operating System EN230-1 Justin Champion C208 –
Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,

Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,
2: OS Structures 1 Jerry Breecher OPERATING SYSTEMS STRUCTURES.

2: OS Structures 1 Jerry Breecher OPERATING SYSTEMS STRUCTURES.
Home: www.cse.dmu.ac.uk/~pkang Phones OFF Please Unix Kernel Parminder Singh Kang Home: www.cse.dmu.ac.uk/~pkang Email: pkang@dmu.ac.uk.

Home: Phones OFF Please Unix Kernel Parminder Singh Kang Home:
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.

Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.
Chapter 12 File Management Systems

Chapter 12 File Management Systems
1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?

1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?
Buffer Overflow Attacks Figure 9-21. (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.

Buffer Overflow Attacks Figure (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.

Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.
COMPUTER SOFTWARE Chapter 3. Software & Hardware? Computer Instructions or data, anything that can be stored electronically is Software. Hardware is one.

COMPUTER SOFTWARE Chapter 3. Software & Hardware? Computer Instructions or data, anything that can be stored electronically is Software. Hardware is one.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 11 Case Study 2: Windows Vista Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 11 Case Study 2: Windows Vista Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

Similar presentations

Ads by Google