2006 Black Security 1
Rootkits: the basics
Tim Shelton [BL4CK] Black Security
redsand@blacksecurity.org http://blacksecurity.org
Introduction
Black Security Research Group
• Exploitation: Windows, Linux / BSD / *NIX, Embedded Systems
• Information Security Research & Analysis
• Application Security Development
Rootkits
Rootkits: Common Techniques
• Windows Rootkits & Malware: DLL Injection, Process Injection, User-land / Kernel-land Attacks
• Linux / *BSD Rootkits: User-land Rootkit, Kernel-land Rootkit
• Mac OSX Rootkits: User-land Rootkit, Kernel-land Rootkit
User-Land vs. Kernel-Land
Multi-Layers of an Operating System
• User-Land: Your personal applications run within this space. In case your application crashes, it will not affect the stability of the entire system.
• Kernel-Land: This is the “heart” of your O/S. Kernel Drivers, Virtual Memory Manager
Windows User-Land vs. Kernel-Land
[Diagram: Windows architecture layers. User mode: User Apps, Subsystem DLL, System & Service Processes, Environment Subsystems (Win32, POSIX, OS/2), Win32 User/GDI. Kernel mode: Executive, Kernel, Device Drivers, Hardware Abstraction Layer (HAL).]
Kernel-Land
• Kernel Drivers
• Virtual Memory Manager
• Hardware Abstraction Layer
• Startup/Shutdown Procedure
Windows User-Land vs. Kernel-Land
[Diagram slide; only the title survived extraction.]
Windows Rootkits
History
User-Land
• NTIllusion – DLL User-Land Rootkit
• Vanquish – DLL Injection based
• Romanian rootkit – Detour Patching Example
• IAT Rootkit by Darkeagle (http://eagle.blacksecurity.org)
Kernel-Land
• Greg Hoglund’s NT Rootkit
• FU by fuzen_op
Windows Rootkits
Expected Behaviors
• Resource Hooking & Monitoring
• Registry/Process Hiding
• File I/O (ZwOpen, ZwClose, etc)
• Network NDIS/TDI
• MSGina Hooking
• Keystroke Logger (simple)
• Theft of Personal Data
• Remote Communication/Control
Windows User-Land Rootkits
How does it work?
Patching Static Binaries
• Modifying binaries to hide results
  • Task Manager / Process Explorer
  • Netstat / ipconfig
  • More
Remote Code Injection
• Remote Thread Injection / DLL Injection
  • Controlling each User-Land process
Windows User-Land Rootkits
How does it work?
Patching Static Binaries: The Oldest “trick” in the book
• Replacing common Operating System utilities used for tracking down malicious activity, hindering those local tools from finding out what is “really happening”.
Common Issues
• Can become tedious, and may miss some of the tools available.
• Your rootkit package will become increasingly larger and may risk being noticed.
• Cannot bypass file-system integrity checks (Tripwire, Determina, etc).
Windows User-Land Rootkits
How does it work?
Remote Code Injection
• Remote DLL Injection: attacking each User-Land process will allow us to control those processes.
• What’s stopping us from recursively injecting ourselves into every process we can?
Windows User-Land Rootkits
Remote Code Injection
Remote Thread Injection
• Foundational building block of DLL Injection
• Maximum size of remote thread is 4k (default size of a page of virtual memory)
One way to copy some code to another process's address space and then execute it in the context of this process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly - via WriteProcessMemory - and start its execution with CreateRemoteThread.
Windows User-Land Rootkits
[Diagram slide; only the title survived extraction.]
Windows User-Land Rootkits
Remote Code Injection: How Can We Inject Our Thread?
Windows NT/2k/XP/2k3 Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of this process.
• This technique involves the use of remote threads and the WriteProcessMemory API.
• Basically you copy the code to the remote process directly - via WriteProcessMemory - and start its execution with CreateRemoteThread.
Windows User-Land Rootkits
Remote Code Injection: What is the IAT (Import Address Table)?
PE (Portable Executable) Format
• A global table that contains a list of all the function pointers to any function mapped into the running process
• This table is unique per process, so it must be duplicated within all processes.
Windows User-Land Rootkits
Remote Code Injection: What is function “hooking”?
• Redirecting the “pointer” of the function to your malicious “fake” function.
• Also called function proxying
Two methods of Function Proxying
• Pointer Patching (easily detected)
• Detour Patching (harder to detect)
Rootkit Basics
Pointer Patching
• Operating Systems use Global Tables to keep track of all the functions available from within a process.
• By replacing one of these function pointers with a pointer to our “proxy” function, we can intercept the request and parse the results.
Rootkit Basics
Pointer Patching: Why is this so bad?
• Rootkit detectors can read the operating system and compare those tables to original copies, looking for changes.
• If a detector finds a discrepancy, it will report the entry as “hooked”.
Rootkit Basics
Detour Patching: What is detour patching?
• By directly modifying the first few bytes of the function where it sits in memory, we can insert a “detour”
• Detour: FAR JMP 0xDEADBEAF
  • Where 0xDEADBEAF is a 4-byte pointer to your malicious proxy function
  • Total patch size: 7 bytes
Rootkit Basics
Detour Patching: Why is this so bad?
• Rootkit detectors can read the first few bytes of each function looking for “inappropriate” FAR JMP instructions.
So will rootkits ever be undetectable?
• That’s why blackhats are driven to continue our research for 0day
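The detector's side of the two checks described on the last few slides (comparing a pointer table against a trusted copy, and scanning a function's first bytes for a planted jump), as an added example that is not part of the original deck. It assumes 32-bit x86 encodings, a hypothetical module address range 0x7C800000 to 0x7C8F6000, and constructed byte strings; a real detector reads the live bytes and tables from the process or kernel instead of from embedded arrays, and the same table check applies to the SSDT and the Linux SYS_CALL table covered later.

```c
/* Hook-detection checks of the kind a rootkit detector performs: scan a function's
 * first bytes for a planted jump (detour patch), and compare a function-pointer table
 * with a trusted baseline and address range. Added example, not from the slides;
 * every address and byte string below is constructed test data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum detour { DETOUR_NONE = 0, DETOUR_FAR_JMP, DETOUR_NEAR_JMP, DETOUR_JMP_IND };

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Inspect the first bytes of a 32-bit x86 function that lives at `base`.
 * Reports the detour kind and, where it can be resolved, the jump target. */
enum detour scan_prologue(const unsigned char *code, size_t len,
                          uint32_t base, uint32_t *target) {
    if (len >= 7 && code[0] == 0xEA) {                /* jmp far sel:off, 7 bytes */
        *target = rd32(code + 1);
        return DETOUR_FAR_JMP;
    }
    if (len >= 5 && code[0] == 0xE9) {                /* jmp rel32, 5 bytes */
        *target = base + 5 + rd32(code + 1);
        return DETOUR_NEAR_JMP;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) { /* jmp [abs32] */
        *target = rd32(code + 2);                     /* slot that holds the pointer */
        return DETOUR_JMP_IND;
    }
    return DETOUR_NONE;
}

/* Compare a live pointer table (IAT, SSDT, sys_call_table, ...) against a
 * trusted copy and against [lo, hi), the range the legitimate code occupies.
 * Stores the indices of suspect entries in `hooked` and returns their count. */
size_t check_table(const uint32_t *live, const uint32_t *baseline, size_t n,
                   uint32_t lo, uint32_t hi, size_t *hooked) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != baseline[i] || live[i] < lo || live[i] >= hi)
            hooked[count++] = i;
    return count;
}

int main(void) {
    /* constructed: XP-style hot-patchable prologue vs. a 7-byte far-jmp patch */
    const unsigned char clean[]   = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    const unsigned char patched[] = {0xEA, 0xEF, 0xBE, 0xAD, 0xDE, 0x08, 0x00};
    uint32_t t = 0;
    printf("clean prologue: kind %d\n", scan_prologue(clean, sizeof clean, 0x7C801000u, &t));
    printf("patched prologue: kind %d, target 0x%08X\n",
           scan_prologue(patched, sizeof patched, 0x7C801000u, &t), t);
    /* constructed table: entry 1 has been redirected outside the module's range */
    const uint32_t baseline[] = {0x7C801A24, 0x7C801D7B, 0x7C80AC28};
    const uint32_t live[]     = {0x7C801A24, 0x00402010, 0x7C80AC28};
    size_t idx[3], n = check_table(live, baseline, 3, 0x7C800000u, 0x7C8F6000u, idx);
    printf("hooked entries: %zu (first at index %zu)\n", n, n ? idx[0] : (size_t)0);
    return 0;
}
```

A baseline taken from the on-disk image (or an earlier clean snapshot) is what makes the table comparison meaningful; an entry that merely differs but still lands inside the module range is still reported, since relocation alone never changes a single entry.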
Windows Kernel-Land Rootkits
Kernel-Land Rootkits: A malicious Kernel Driver
• Most of the functions you need to monitor are all accessible directly from Kernel-Land
• Functions found in the SSDT (System Service Descriptor Table)
  • similar to the User-Land IAT Table
Windows Kernel-Land Rootkits
Kernel-Land Rootkits: A malicious Kernel Driver
• “Hook” any exported Kernel API functions in order to monitor the results they return
• Detour Patching Kernel API functions
• Hooking interrupts
Linux Rootkits
History
User-Land
• SSHEater-1.1 by Carlos Barros
Kernel-Land
• Static-X’s Adore-NG 2.4/2.6 kernel rootkit
• Rebel’s phalanx (patches /dev/mem)
Linux Rootkits
User-Land
• Patch User binaries (as before)
  • Contains same faults as Windows User-Land binary patching
• Can still hook the GOT (Global Offset Table)
Kernel-Land 2.4/2.6
• Hook the SYS_CALL Table, Interrupt Descriptor Table, and Global Descriptor Table
• Detour Patching
• Directly patch /dev/mem or /dev/kmem
Linux Rootkits
User-Land
• Signal Injection – Injecting your own thread into a running process using PTRACE_ATTACH and PTRACE_DETACH will allow your remote thread to hook the GOT and other functions for a complete user-land runtime rootkit.
• Example: SSHeater-1.1
Linux User-Land Rootkits
Remote Code Injection: How Can We Inject Our Thread?
Linux / BSD Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of this process.
• This technique involves the use of injecting remote signal handlers to take over the flow of execution (similar to how a debugger functions)
• By using ptrace-injection, we are able to PTRACE_ATTACH to the target process, inject our own malicious code, and then finally PTRACE_DETACH
http://linuxgazette.net/issue83/sandeep.html
http://linuxgazette.net/issue85/sandeep.html
Linux User-Land Rootkits
Remote Code Injection
Linux Fluffy-Virus
• First public linux user-land injection proof of concept code
• http://www.tty64.org/doc/infschedvirii.txt
Methodology
Loader
• Attach to process & Inject both pre-virus and virus code
• Set EIP to pre-virus code
Pre-Virus
• Register SIGALRM Signal Handler
• Hand control back to process
Virus
• SIGALRM Handler invoked
• Begin our malicious code
• Jump back to pre-virus code
Linux Rootkits
Issues with User-Land Rootkits
• File Integrity tools such as Tripwire cannot be tricked by changing your backdoored binaries alone
• One way to trick Tripwire: write your own remote patching thread to inject into Tripwire to hide the results (this would take research)
Linux Rootkits
Kernel-Land
• 2.4 Kernel – SYS_CALL table is exported (so it’s easy to hook functions)
• 2.6 Kernel – SYS_CALL table is hidden
• SuckIT – scans the IDT (Interrupt Descriptor Table) for FAR JMP *0xSCT[eax]
Linux Rootkits
Kernel-Land
Proxy system calls necessary to trick the user
• File I/O Functions
  • Look for read() of /etc/shadow
  • Hide other processes from /proc snooping
• Socket I/O Functions (sniffing)
  • Sniff username/passwords
Linux Rootkits
Kernel-Land: What does this mean?
Rootkits target specific installs
• Rootkit targeting GRSEC
• Rootkit targeting SELINUX
• etc
Linux Rootkits
Issues with Kernel-Land Rootkits
• Requires a stealthy way to load your rootkit into the kernel.
• Rootkit is vulnerable to detection if the loader is not written properly
What can we patch that is reliable?
• hostname
• uname
• other binaries executed on startup
Mac OSX Rootkits
History
• Still in early stages of research
• Nemo released WeaponX as an original Proof-of-Concept
• Mac responded by hardening their O/S Internals
• Nemo responded (like any self-respecting blackhat) with his own improved rootkit
Mac OSX Rootkits
Remote Code Injection: How Can We Inject Our Thread?
Mac OSX Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of this process.
• This technique involves the use of injecting remote signal handlers to take over the flow of execution (similar to how a debugger functions)
Mach OSX Remote Injection (sketch from the slide; the Mach VM calls are shown with their documented argument lists)

```c
/* get the task for the pid */
… [ Open Up the Process ] …

/* allocate memory for shellcode */
vm_allocate(task, &address, size, flags);

/* write shellcode */
vm_write(task, address, shellcode, size);

/* overwrite pointer */
vm_write(task, address + offset, pointer_address, sizeof(pointer_address));
```
Mac OSX Rootkits
Kernel-Land: WeaponX
• SYSENT Table – exported, so it’s easy to locate and “hook”
  • Shortly after Nemo released WeaponX, Mac no longer exported the SYSENT Table
• SYSENT – possible to utilize unix_syscall(), which is an exported symbol, to locate the unique location of the SYSENT Table.
Extended
Rootkits to hide files in your:
• Video Driver’s memory
• NIC Memory
• Sound Card memory
• BIOS/CMOS (eEye bootLoader)
• the sky is the limit
Questions?
About Us
Black Security Research
http://blacksecurity.org
Tim Shelton
Thanks to:
• Nemo & AndrewG – http://felinemenace.org
• Rebel
• Izik – TTY64 Project – http://tty64.org
• #black crew