About rootkit

Post on 18-Nov-2014


ROOTKITs

by somma (fixbrain@gmail.com)


Contents

Classification of ROOTKITs

Type II ROOTKITs

Type III ROOTKITs

Next Generation ROOTKITs

Classification of ROOTKITs

1st Generation (Type I): does not modify the running OS, processes, etc.
-> replaces or modifies system files instead
-> e.g. UNIX login backdoor (binary modification)

2nd Generation (Type II): modifies what was designed not to be modified
-> code of processes, modules, OS code, kernel modules, etc.
-> e.g. NTRootkit (pioneer of Windows kernel-based rootkits), NTIllusion, etc.

3rd Generation (Type III): modifies what was designed to be modified
-> data sections, heap, stack, etc.
-> e.g. FU (pioneer of DKOM, Direct Kernel Object Manipulation)

The NEXT Generation: virtualization?


Type II ROOTKITs

NTIllusion

Hacker defender

NTRootkit - The first windows NT kernel based ROOTKIT

Sony Rootkit

Modifies:
- code sections (e.g. import table, export table)
- user-mode / kernel-mode APIs
- kernel-mode undocumented APIs
- ISR (Interrupt Service Routine)
- MSR (Model Specific Register)
…

2008-05-16

Type II ROOTKITs – cont.

API Hooking


Type II ROOTKITs – cont.

SDT Hooking (http://somma.egloos.com/2731001)


Type II ROOTKITs – cont.

IDT Hooking (http://somma.egloos.com/3365054)


Type II ROOTKITs – cont.

DEMO
- API Hooking (Ring 3) (CheatEngine)

- Code Injection (Ring 3) (WinMine.exe hacking)

- SDT hooking (Ring 0) (FxLoader / bkdp.sys)

- IDT hooking (Ring 0) (SDFP – app.exe / template.sys – real machine)
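As an added example (written for this page; it is not the presenter's demo code and not a real driver), the mechanics of SDT hooking modelled in user-mode C: a one-slot function-pointer table stands in for the service dispatch table, the "rootkit" saves the original pointer, overwrites the slot with its own handler, and filters the hidden process out of the result, the same way a process-hiding kernel hook filters the output of the real service. The process names and the hidden name "rootkit.exe" are constructed sample data. A real kernel hook must also make the table writable first (clear CR0.WP or map it through an MDL); the model leaves that out.

```c
/* Added example: user-mode model of SDT hooking (not from the presentation). */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 8
#define HIDDEN_NAME "rootkit.exe"   /* assumption: the process the hook hides */

/* Constructed sample data: what the unhooked service reports. */
static const char *g_procs[] = { "System", "csrss.exe", "rootkit.exe", "explorer.exe" };
static const int g_nprocs = 4;

/* Signature shared by the genuine service and its hook. */
typedef int (*svc_enum_fn)(const char **out, int max);

/* The genuine service: copies process names into out[], returns the count. */
static int svc_enum_processes(const char **out, int max)
{
    int n = 0;
    for (int i = 0; i < g_nprocs && n < max; i++)
        out[n++] = g_procs[i];
    return n;
}

/* Stand-in for the service dispatch table: service index -> handler. */
#define SVC_ENUM_INDEX 0
static svc_enum_fn g_service_table[1] = { svc_enum_processes };

/* Rootkit side: the saved original pointer and the replacement handler. */
static svc_enum_fn g_orig_enum = NULL;

static int hooked_enum_processes(const char **out, int max)
{
    int n = g_orig_enum(out, max);   /* run the real service first ... */
    int kept = 0;
    for (int i = 0; i < n; i++)      /* ... then drop the hidden entry */
        if (strcmp(out[i], HIDDEN_NAME) != 0)
            out[kept++] = out[i];
    return kept;
}

void install_sdt_hook(void)
{
    if (g_orig_enum != NULL) return;  /* already installed: keep the real original */
    g_orig_enum = g_service_table[SVC_ENUM_INDEX];
    g_service_table[SVC_ENUM_INDEX] = hooked_enum_processes;
}

void remove_sdt_hook(void)
{
    if (g_orig_enum == NULL) return;
    g_service_table[SVC_ENUM_INDEX] = g_orig_enum;
    g_orig_enum = NULL;
}

/* Every caller reaches the service through the table, so it gets whatever
 * pointer currently sits in the slot, hooked or not. */
int call_enum_processes(const char **out, int max)
{
    return g_service_table[SVC_ENUM_INDEX](out, max);
}

int main(void)
{
    const char *buf[MAX_PROCS];
    int n = call_enum_processes(buf, MAX_PROCS);
    printf("before hook: %d processes\n", n);
    install_sdt_hook();
    n = call_enum_processes(buf, MAX_PROCS);
    printf("after hook:  %d processes\n", n);   /* rootkit.exe no longer listed */
    for (int i = 0; i < n; i++)
        printf("  %s\n", buf[i]);
    remove_sdt_hook();
    return 0;
}
```

The detection slides later in the deck follow from this layout: after the hook the slot no longer points into the image that owns the table, which is exactly what an SDT integrity check looks for.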


Type III ROOTKITs

FU - the first rootkit to introduce DKOM (Direct Kernel Object Manipulation)

He4Hook - raw IRP hooking on the file system driver

PHIDE2

Layered driver (filter driver)

Modifies:
- data sections
- IRP handlers
- kernel objects that are allocated and managed dynamically


Type III ROOTKITs – cont.

Break the EPROCESS list: unlink the process's entry from the ActiveProcessLinks chain, so anything that walks the list no longer sees it while its threads are still scheduled


Type III ROOTKITs – cont.

Break the DRIVER_OBJECT list: unlink the driver's entry from the list that driver enumeration walks, so the loaded driver no longer shows up


Type III ROOTKITs – cont.

DEMO
- FU rootkit
- jeng_2: SDT hook & DKOM example


Fighting ROOTKITs

Check IAT (Import Address Table)
Check inline hooks
Check System Service Dispatch Table (ntoskrnl.exe)
Check Shadow table (win32k.sys)
Check driver IRP handlers
Check MSR (MSR_SYSENTER)
…

How?
- ECD (Explicit Compromise Detection)
- Cross-view based detection: use the same direct kernel-object access DKOM relies on to find rootkits
  - dump PspCidTable
  - trace the OS scheduler database, etc.
- Virtual Machine Monitor (http://northsecuritylabs.com/products.aspx)
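As an added example (written for this page, not the presenter's hook_shield tool), two of the checks listed above run over constructed data in plain C: the SDT check, which flags every service-table entry that does not point inside the image that owns the table (for the SSDT, ntoskrnl.exe), and the inline-hook check, which classifies the first bytes of a function as one of the common trampolines (jmp rel32, push/ret, mov eax/jmp eax, jmp [mem], and the EB F9 short jump a hotpatch-style hook leaves behind) and resolves the target where the bytes contain it. The image range, the table contents and the prologue bytes are constructed sample values; a real tool reads them from the live kernel.

```c
/* Added example: SDT range check and inline-hook prologue check (not from the presentation). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address range of a loaded image, e.g. ntoskrnl.exe's base and size. */
typedef struct { uintptr_t base; size_t size; } IMAGE_RANGE;

static int in_range(uintptr_t a, IMAGE_RANGE r)
{
    return a >= r.base && a < r.base + r.size;
}

/* SDT check: every entry must point into the image that owns the table.
 * Returns the number of foreign entries and writes their indexes to hooked[]. */
int check_sdt_entries(const uintptr_t *table, int count, IMAGE_RANGE img,
                      int *hooked, int max)
{
    int n = 0;
    for (int i = 0; i < count; i++)
        if (!in_range(table[i], img) && n < max)
            hooked[n++] = i;
    return n;
}

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,   /* E9 rel32 */
    HOOK_PUSH_RET,    /* 68 imm32 ; C3        (push imm32 ; ret) */
    HOOK_MOV_JMP,     /* B8 imm32 ; FF E0     (mov eax, imm32 ; jmp eax) */
    HOOK_JMP_MEM,     /* FF 25 disp32         (jmp [addr] / jmp [rip+disp32]) */
    HOOK_HOTPATCH     /* EB F9                (jmp short back into the 5-byte pad) */
} hook_kind;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Little-endian signed 32-bit read without relying on implementation-defined casts. */
static int32_t rd_s32(const uint8_t *p)
{
    uint32_t u = rd32(p);
    return u < 0x80000000u ? (int32_t)u : -(int32_t)(0xFFFFFFFFu - u) - 1;
}

/* Inline-hook check over the first `len` bytes of the function at `addr`.
 * Returns the trampoline kind; *target is set when the bytes contain it. */
hook_kind check_inline_hook(uintptr_t addr, const uint8_t *code, size_t len, uintptr_t *target)
{
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {
        *target = addr + 5 + (uintptr_t)(intptr_t)rd_s32(code + 1);
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        *target = rd32(code + 1);
        return HOOK_PUSH_RET;
    }
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        *target = rd32(code + 1);
        return HOOK_MOV_JMP;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_MEM;       /* target lives in memory, not in these bytes */
    if (len >= 2 && code[0] == 0xEB && code[1] == 0xF9)
        return HOOK_HOTPATCH;
    return HOOK_NONE;
}

/* A trampoline that lands outside the function's own module is the strong
 * signal; an in-module jump may be a legitimate tail call or compiler thunk. */
int inline_hook_leaves_module(uintptr_t addr, const uint8_t *code, size_t len, IMAGE_RANGE mod)
{
    uintptr_t target;
    hook_kind k = check_inline_hook(addr, code, len, &target);
    if (k == HOOK_NONE) return 0;
    if (k == HOOK_JMP_MEM || k == HOOK_HOTPATCH) return 1;   /* unresolved here: flag it */
    return !in_range(target, mod);
}

int main(void)
{
    IMAGE_RANGE nt = { 0x80400000u, 0x200000 };                       /* constructed range */
    const uint8_t prologue[] = { 0x68, 0x00, 0x20, 0xA1, 0xF9, 0xC3 }; /* push 0xF9A12000 ; ret */
    uintptr_t target;
    hook_kind k = check_inline_hook(0x80401000u, prologue, sizeof prologue, &target);
    printf("kind=%d target=%#lx leaves_module=%d\n", (int)k, (unsigned long)target,
           inline_hook_leaves_module(0x80401000u, prologue, sizeof prologue, nt));
    return 0;
}
```

The module-range test is what keeps the inline check usable in practice: compilers and hot-patch padding put benign jumps at function entry, and only a landing site outside the module (or one the checker cannot resolve) is worth reporting.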


Fighting ROOTKITs – cont.

DEMO
- API hook detection and API hook removal (hook_shield, PlgnPETest.dll)
- Finding a process hidden by FU's DKOM technique: dump PspCidTable
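As an added example (written for this page; not the FU source and not the presenter's demo), the Type III "break the EPROCESS list" trick from the earlier slides and the cross-view check from this slide, modelled together in user-mode C. A minimal EPROCESS-like struct carries an ActiveProcessLinks-style LIST_ENTRY that the "API view" walks; a small array stands in for PspCidTable. Hiding unlinks the entry and points it at itself, which is what FU does so that a later unlink on process exit touches only the node; the CID table is never updated, and diffing the two views recovers the hidden PID. Assumptions of the model: PIDs are multiples of 4 and the table slot is pid/4 (a convenience, not the real handle-table layout), and the three sample processes are constructed.

```c
/* Added example: DKOM hide of a process and cross-view detection (not from the presentation). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct list_entry { struct list_entry *flink, *blink; } LIST_ENTRY;

/* Minimal EPROCESS: pid, name and the ActiveProcessLinks entry. */
typedef struct proc {
    uint32_t    pid;
    const char *name;
    LIST_ENTRY  links;
} PROC;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define CID_SLOTS 16
static PROC *g_cid_table[CID_SLOTS];       /* PspCidTable analogue; slot = pid / 4 (assumption) */
static LIST_ENTRY g_active_head = { &g_active_head, &g_active_head };
static PROC g_pool[CID_SLOTS];             /* backing storage for "allocated" objects */
static int g_npool;

/* Create a process: link it into the active list and register it in the CID table. */
PROC *proc_create(uint32_t pid, const char *name)
{
    if (g_npool >= CID_SLOTS || pid % 4 != 0 || pid / 4 >= CID_SLOTS) return NULL;
    PROC *p = &g_pool[g_npool++];
    p->pid = pid;
    p->name = name;
    p->links.flink = &g_active_head;       /* InsertTailList */
    p->links.blink = g_active_head.blink;
    g_active_head.blink->flink = &p->links;
    g_active_head.blink = &p->links;
    g_cid_table[pid / 4] = p;
    return p;
}

PROC *proc_lookup(uint32_t pid)
{
    return (pid % 4 == 0 && pid / 4 < CID_SLOTS) ? g_cid_table[pid / 4] : NULL;
}

/* FU-style hide: unlink from ActiveProcessLinks and point the entry at itself,
 * so a RemoveEntryList on process exit cannot corrupt the former neighbours.
 * The threads keep running because the scheduler never walks this list. */
void dkom_hide_process(PROC *p)
{
    LIST_ENTRY *e = &p->links;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e;
    e->blink = e;
}

/* View 1: walk ActiveProcessLinks, as the API-backed process list does. */
int view_walk_list(uint32_t *pids, int max)
{
    int n = 0;
    for (LIST_ENTRY *e = g_active_head.flink; e != &g_active_head && n < max; e = e->flink)
        pids[n++] = CONTAINING_RECORD(e, PROC, links)->pid;
    return n;
}

/* View 2: dump the CID table, which the hide left untouched. */
int view_walk_cid_table(uint32_t *pids, int max)
{
    int n = 0;
    for (int i = 0; i < CID_SLOTS && n < max; i++)
        if (g_cid_table[i]) pids[n++] = g_cid_table[i]->pid;
    return n;
}

/* Cross-view detection: a pid in the CID table but not in the list is hidden. */
int detect_hidden_pids(uint32_t *hidden, int max)
{
    uint32_t a[CID_SLOTS], b[CID_SLOTS];
    int na = view_walk_list(a, CID_SLOTS);
    int nb = view_walk_cid_table(b, CID_SLOTS);
    int n = 0;
    for (int i = 0; i < nb && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++) if (a[j] == b[i]) { seen = 1; break; }
        if (!seen) hidden[n++] = b[i];
    }
    return n;
}

int main(void)
{
    uint32_t hidden[CID_SLOTS];
    proc_create(4, "System");              /* constructed sample processes */
    proc_create(8, "explorer.exe");
    proc_create(12, "fu.exe");
    dkom_hide_process(proc_lookup(12));
    int n = detect_hidden_pids(hidden, CID_SLOTS);
    for (int i = 0; i < n; i++)
        printf("hidden: pid %u (%s)\n", hidden[i], proc_lookup(hidden[i])->name);
    return 0;
}
```

Any second view that the rootkit did not also patch works the same way; the slide's other suggestion, the scheduler's thread database, is a second such view, since a hidden process still owns threads that must be queued to run.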


Next Generation ROOTKITs

DEMO
- Hypervisor-based rootkit


Q & A

