Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hidden Processes: The Implication for Intrusion Detection

Published byAudra Rich Modified over 8 years ago

Similar presentations

Presentation on theme: "Hidden Processes: The Implication for Intrusion Detection"— Presentation transcript:

1 Hidden Processes: The Implication for Intrusion Detection
James Butler Dr. Jeff Undercoffer Dr. John Pinkston

2 Rootkits First appeared in 1993 as a collection of compromised system binaries: ls, ps, netstat, login, du, Facilitated access and masked activity Why – because they could Consider the case of Kevin Mitnick: served five years in prison, 8 months of that in solitary confinement tested then-nascent laws that had been enacted for dealing with computer crime Most famous for the “Mitnick Attack”

3 The Mitnick Attack

4 Anomaly Based IDSs Detect:
Aberrant processes and services Files that are created/deleted/modified Network connections Uses and trusts the underlying operating system If the underlying operating system is compromised, the IDS fails.

5 Basic Types Kernel Application Library Device Driver (Microsoft)
LKM (Linux) Application Library

6 Attack Scenario Attacker gains elevated access to computer system
Attacker installs a Rootkit Rootkit’s functions Hide processes Hide files Hide network connections Install a backdoor for future access to the system Rootkits act as a part of the operating system so they have access to kernel memory.

7 State of Current Rootkits
Advanced rootkits filter data Hook the System Call Table of the operating system (the functions exported by the kernel) Hook the Interrupt Descriptor Table (IDT) Interrupts are used to signal to the kernel that it has work to perform. By hooking one interrupt, a clever rootkit can filter all exported kernel functions.

8 Next Generation Rootkit Techniques
Direct kernel object modification in memory A device driver or loadable kernel module has access to kernel memory A sophisticated rootkit can modify the objects directly in memory in a relatively reliable fashion.

9 Hiding Processes - Windows
Locate the Processor Control Block (KPRCB) Located at 0xffdff120 fs register in kernel mode points to 0xffdff000 Within the KPRCB is a pointer to the Current Thread block (ETHREAD) Located at fs:[124] or 0xffdff124 An ETHREAD contains a KTHREAD structure

10 Hiding Processes - Windows
The KTHREAD structure contains a pointer to the EPROCESS block of the current process The EPROCESS block contains a LIST structure, which has a forward and backward pointer to active processes This creates the doubly linked list of active processes in Windows

11 Hiding Processes - Windows
To hide a process Locate the EPROCESS block of the process to hide Change the process behind it to point to the process after the process you are hiding Change the process after it to point to the process before the one you are trying to hide

12 Hiding Processes - Windows
Hiding Processes - Before (Windows) Hiding Processes - After (Windows)

13 Hiding Processes - Windows
Why does the process continue to run? Scheduling in the Windows kernel is thread based and not process based. Although scheduling code to run is based upon threads, when the kernel reports what is running on the system, it reports based upon EPROCESS blocks which can be modified with no adverse affect. This is what current tools (IDS’s) rely upon to discover what is running on the system.

14 Hiding Processes – LINUX
The LINUX kernel contains an array of task_struct’s. A task_struct is similar to an EPROCESS block in Windows task_struct contains pointers to the prev_task and next_task task_struct also contains pointers to the prev_run and next_run for the running processes

15 Hiding Processes – LINUX
To hide a process, remove the process from the list of prev_task and next_task Leave next_run and prev_run alone

16 Hiding Processes - Linux
Hiding Processes - Before (Linux) Hiding Processes - After (Linux)

17 Hiding Processes - LINUX
Process will freeze? It is no longer able to be scheduled The LINUX scheduler walks the list of task_struct’s to calculate the goodness value of the process to decide rather to schedule it or not. In order to make this work, you must also hot-patch the LINUX scheduler to schedule the hidden process. Inject binary into the scheduler

18 Detecting Hidden Processes in Windows
Methodology: Examine each thread to ensure its corresponding process descriptor (EPROCESS) is appropriately linked. This requires patching the kernel in memory. Hunt and Brubacher introduced Detours for intercepting Win32 binary functions.

19 Detours Overwrite beginning of target function with an unconditional jump to a Detour function Detour function calls a Trampoline function The Trampoline function contains the overwritten bytes of the original Target function and calls the Target function The Target function returns to the Detour function The Detour function returns to the source caller

20 Detours

21 Patching the Windows kernel
SwapContext does context switching in Windows Overwrite the first seven bytes of SwapContext with a jump to our Detour function EDI points to the KTHREAD of the thread to be scheduled to run Our Detour function follows the KTHREAD to the EPROCESS block and determines if it is still appropriately linked in the list of active processes.

22 Detecting Hidden Processes in LINUX
Injectso is a library similar to Detours Intended as a means of attack Uses ELF - Executable and Linkable Format Already Has stubs into code

23 Conclusion Detecting processes that have hidden from the OS by means of unhooking themselves from system accounting processes is computational expensive! Prevention is worth a pound of cure!

Download ppt "Hidden Processes: The Implication for Intrusion Detection"

Similar presentations

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
VICE – Catch the hookers! (Plus new rootkit techniques)

VICE – Catch the hookers! (Plus new rootkit techniques)
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Chap 2 System Structures.

Chap 2 System Structures.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
2006 Black Security1 Rootkits: the basics Tim Shelton [BL4CK] Black Security

2006 Black Security1 Rootkits: the basics Tim Shelton [BL4CK] Black Security
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
How an attacker can maintain control over their victim’s system without being discovered.

How an attacker can maintain control over their victim’s system without being discovered.
Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.

Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Day 11 Processes. Operating Systems Control Tables.

Day 11 Processes. Operating Systems Control Tables.
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Copyright John “Four” Flynn 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright John “Four” Flynn This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Slide 6-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 6.

Slide 6-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 6.

Similar presentations

Ads by Google