BlackHat Windows Security 2004: Data Hiding on a Live System, by Harlan Carvey
Jan 02, 2016
Purpose
Present/discuss different techniques for hiding data on LIVE systems (NTFS)
Address methods of preventing and detecting this activity
What is NOT covered? Maintenance tracks, boot sector, file slack, etc.
What is being hidden?
Data: text, output of commands (samdump, etc.)
Executables: programs, games, rootkits
Who are we hiding it from?
Other users
Administrators
Investigators/forensics analysts
Altering files
File changes: name, extension
Information regarding extensions and associations is maintained in the Registry
‘assoc’ command
File Signature (this is NOT a hash)
Altering Names/Extensions
samdump.log -> C:\winnt\system32\MSODBC32.DLL
Altering file signatures
First 20 bytes of the file
Change JFIF/GIF89a in graphics file to something else
Executables (.exe, .dll, .sys, .ocx, .scr) begin w/ “MZ”
Sigs.pl performs signature analysis
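An added example, not the slides' sigs.pl: a small Python signature checker that compares a file's extension with the magic bytes in its first 20 bytes, run over constructed samples that include the samdump log renamed to MSODBC32.DLL from the previous slide and a GIF whose GIF89a marker was overwritten. The extension table and sample bytes are assumptions for illustration.

```python
from pathlib import PureWindowsPath

HEADER_LEN = 20  # the slide checks only the first 20 bytes of a file

# Expected markers by extension: a list of (offset, magic) alternatives.
# PE files start with "MZ"; a JPEG carries "JFIF" (or "Exif") at offset 6,
# after the FF D8 FF Ex marker; a GIF starts with GIF89a or GIF87a.
PE_MAGIC = [(0, b"MZ")]
EXPECTED = {ext: PE_MAGIC for ext in (".exe", ".dll", ".sys", ".ocx", ".scr")}
EXPECTED.update({
    ".gif": [(0, b"GIF89a"), (0, b"GIF87a")],
    ".jpg": [(6, b"JFIF"), (6, b"Exif")],
    ".jpeg": [(6, b"JFIF"), (6, b"Exif")],
})

# Content-only signatures used to say what a mismatched header really is.
KNOWN_TYPES = [("PE executable", 0, b"MZ"),
               ("GIF image", 0, b"GIF8"),
               ("JPEG image", 0, b"\xff\xd8\xff")]


def _has_magic(header, offset, magic):
    return header[offset:offset + len(magic)] == magic


def identify(header):
    """Name the type the leading bytes actually look like, if any."""
    for name, off, magic in KNOWN_TYPES:
        if _has_magic(header, off, magic):
            return name
    return "no known signature (text, or an altered header)"


def check_signature(path, data):
    """Return 'ok', 'unknown extension', or a MISMATCH description."""
    ext = PureWindowsPath(path).suffix.lower()
    header = data[:HEADER_LEN]
    expected = EXPECTED.get(ext)
    if expected is None:
        return "unknown extension"
    if any(_has_magic(header, off, magic) for off, magic in expected):
        return "ok"
    return f"MISMATCH: {ext} file, header is {identify(header)}"


def scan(files):
    """files: {path: leading bytes}. Return only the mismatching files."""
    verdicts = {p: check_signature(p, d) for p, d in files.items()}
    return {p: v for p, v in verdicts.items() if v.startswith("MISMATCH")}
```

Running `scan` over a mapping such as `{r"C:\winnt\system32\MSODBC32.DLL": b"User:500:<hashes omitted>\r\n"}` reports the renamed log as a `.dll` file with no known signature.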
DOS Attributes
'Attrib' command
Explorer settings
'dir' switch (dir /a[:h])
Perl ignores the hidden attribute (opendir/readdir, glob)
hfind.exe (FoundStone)
File Splitting
Almost as old as DOS
Many programs available
Malicious uses
Original file -> arbitrarily sized segments
“touching” files
Alter the creation, last access, last modification dates
'touch' in Unix
Microsoft SetFileTime() API
Used to hide from search tools: dir /t[:a], afind.exe (FoundStone), macmatch.exe (NTSecurity.nu)
File Binding
Elite Wrap
Saran Wrap, Silk Rope
OLE/COM
MS OLE/COM API
“Structured Storage”, “Compound files”: a “file system within a file”
MergeStreams demo; may discover using “strings” or “grep”
wd.exe
NTFS Alternate Data Streams
NTFS4 (NT) and NTFS5 (2K)
Creating
Using
Running executables hidden in ADSs
NTFS4 vs. NTFS5
Creating ADSs
type command: type notepad.exe > myfile.txt:np.exe
Cp.exe from Resource Kit
Bind to file or directory listing: notepad myfile.txt:hidden.txt, notepad :hidden.txt
Executing ADSs
Running executables hidden in ADSs
Native methods: NTFS4 - ‘start’ (FoundStone); NTFS5 - several methods
Detecting ADSs
lads.exe, by Frank Heyne (heysoft.de)
sfind.exe (FoundStone)
streams.exe (SysInternals)
ads.pl (Perl)
Encryption
PGP
Fcrypt (ntsecurity.nu)
Perl (Crypt::TripleDES)
Steganography
The art of hiding information
S-Tools4
http://www.citi.umich.edu/u/provos/stego/
Registry
Licensing information
Software installation dates and information
Contains binary and string data types
"Hidden" Functionality
Registry keys
Used by various malware
The ubiquitous "Run" key
Services
ClearPagefileAtShutdown Registry key
StartUp directories
Rootkits
Kernel-mode vs. user-mode
API hooking/DLL injection
NTRootkit
HackerDefender (DLL injection)
AFX Rootkit 2003 (DLL injection)
Vanquish (DLL injection)
FU (DKOM)
How to prevent/detect
Configuration Policies/Management
Monitoring: Event Logs, additional monitoring applications, scans
Questions?