2568945 rootkit basics
TRANSCRIPT
2006 Black Security 1
Rootkits: the basics
Tim Shelton[BL4CK] Black Security
[email protected]://blacksecurity.org
2006 Black Security 2
Introduction
Black Security Research Group Exploitation
Windows Linux / BSD / *NIX Embedded Systems
Information Security Research & Analysis
Application Security Development
2006 Black Security 3
Rootkits
Rootkits: Common Techniques Windows Rootkits & Malware
DLL Injection Process Injection User-land / Kernel-land Attacks
Linux / *BSD Rootkits User-land Rootkit Kernel-land Rootkit
Mac OSX Rootkits User-land Rootkit Kernel-land Rootkit
2006 Black Security 4
User-Land vs. Kernel-Land Multi-Layers of an Operating System
User-Land Your personal applications run within this
space In case your application crashes, it will
not affect the stability of the entire system. Kernel-Land
This is the “heart” of your O/S. Kernel Drivers Virtual Memory Manager
2006 Black Security 5
Windows User-Land vs. Kernel-Land
Executive
DeviceDrivers
Hardware Abstraction Layer (HAL)
Kernel
User
Kernel
Win32
User Apps
Subsystem DLL
System & ServiceProcesses
POSIXOS/2
Win32User/GDI
Environment Subsystems
2006 Black Security 6
Kernel-Land
Kernel-Land Kernel Drivers Virtual Memory Manager Hardware Abstraction Layer Startup/Shutdown Procedure
2006 Black Security 8
Windows Rootkits
History User-Land
NTIllusion DLL User-Land Rootkit Vanquish – DLL Injection based
Romanian rootkit – Detour Patching Example
IAT Rootkit by Darkeagle(http://eagle.blacksecurity.org)
Kernel-Land Greg Hoglund’s NT Rootkit FU by fuzen_op
2006 Black Security 9
Windows Rootkits
Expected Behaviors Resource Hooking & Monitoring
Registry/Process Hiding File I/O (ZwOpen,ZwClose, etc) Network NDIS/TDI MSGina Hooking Keystroke Logger (simple) Theft of Personal Data Remote Communication/Control
2006 Black Security 10
Windows User-Land Rootkits
How does it work? Patching Static Binaries
Modifying binaries to hide results• Task Manager / Process Explorer• Netstat / ipconfig• More
Remote Code Injection Remote Thread Injection / DLL
Injection• Controlling each User-Land
processes
2006 Black Security 11
Windows User-Land Rootkits How does it work?
Patching Static Binaries The Oldest “trick” in the book
• Replacing common Operating System utilities used for tracking down malicious activity, hindering those local tools from finding out what is “really happening”.
Common Issues• Can become tedious, may miss some of
the tools available. • Your rootkit package will become
increasingly larger and may risk being noticed.
• Cannot bypass file-system integrity checks. (Tripwire, Determina, etc)
2006 Black Security 12
Windows User-Land Rootkits
How does it work? Remote Code Injection
Remote DLL Injection• Attacking each User-Land process
will allow us to control those processes.
• What’s stopping us from recursively injecting ourselves into every process we can?
2006 Black Security 13
Windows User-Land Rootkits Remote Code Injection
Remote Thread Injection Foundational building block of DLL Injection Maximum size of remote thread is 4k
(Default size of a page of virtual memory)
One way to copy some code to another process's address space and then execute it in the context of this process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread.
2006 Black Security 15
Windows User-Land Rootkits
Remote Code Injection How Can We Inject Our Thread?
Windows NT/2k/XP/2k3 Methodology • Our objective: copy some code to another
process's address space and then execute it in the context of this process.
• This technique involves the use of remote threads and the WriteProcessMemory API.
• Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread.
2006 Black Security 16
Windows User-Land Rootkits
Remote Code Injection What is the IAT Table?
PE (Portable Executable) Format• A global table that contains a list of all
the function pointers to any function mapped into the running process
• This table is unique per process so it must be duplicated within all processes.
2006 Black Security 17
Windows User-Land Rootkits
Remote Code Injection What is function “hooking”?
Redirecting the “pointer” of the function to your malicious “fake” function.
Also called function proxying Two methods of Function Proxying
Pointer Patching (easily detected) Detour Patching (harder to detect)
2006 Black Security 18
Rootkit Basics
Pointer Patching Operating Systems use Global
Tables to keep track of all the functions available from within a process.
By modifying one of these pointers to a function with a pointer to our “proxy” function, we can intercept the request and parse the results.
2006 Black Security 19
Rootkit Basics
Pointer Patching Why is this so bad?
Rootkit detectors can read the operating system and compare those tables to original copies, looking for changes.
If it finds a discrepancy, it will report as “hooked”
2006 Black Security 20
Rootkit Basics
Detour Patching What is detour patching?
By directly modifying the first few bytes immediately after the function located in memory, we can insert a “detour”
Detour: FAR JMP 0xDEADBEAF• Where 0xDEADBEAF is a 4-byte
pointer to your malicious proxy function
• Total patch size: 7 bytes
2006 Black Security 21
Rootkit Basics
Detour Patching Why is this so bad?
Rootkit detectors can read the first few bytes looking for “inappropriate” FAR JMP calls.
So will rootkits ever be undetectable?
• That’s why blackhats are driven to continue our research for 0day
2006 Black Security 22
Windows Kernel-Land Rootkits
Kernel-Land Rootkits A malicious Kernel Driver
Most of the functions you need to monitor are all accessible directly from Kernel-Land
Functions found in the SSDT (System Service Descriptor Table)
• similar to the User-Land IAT Table
2006 Black Security 23
Windows Kernel-Land Rootkits
Kernel-Land Rootkits A malicious Kernel Driver
“Hook” any exported Kernel API functions in order to monitor the results it returns
Detour Patching Kernel API functions
Hooking interrupts
2006 Black Security 24
Linux Rootkits
History User-Land
SSHEater-1.1 by Carlos Barros Kernel-Land
Static-X’s Adore-NG 2.4/2.6 kernel rootkit
Rebel’s phalanx (patches /dev/mem)[email protected]
2006 Black Security 25
Linux Rootkits User-Land
Patch User binaries (as before) Contains same faults as Windows User-
Land binary patching Can still hook the GOT (Global Offset
table) Kernel-Land 2.4/2.6
Hook the SYS_CALL Table, Interrupt Descriptor Table, and Global Descriptor Table
Detour Patching Directly patch /dev/mem or /dev/kmem
2006 Black Security 26
Linux Rootkits
User-Land Signal Injection – Injecting your
own thread into a running process using PTRACE_ATTACH and PTRACE_DETACH will allow your remote-thread to hook the GOT and other functions for a complete user-land runtime rootkit.
Example: SSHeater-1.1
2006 Black Security 27
Linux User-Land Rootkits Remote Code Injection
How Can We Inject Our Thread? Linux / BSD Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of this process.
• This technique involves the use of injecting remote signal handlers to take over the flow of execution(similar to how a debugger functions)
• By using ptrace-injection, we are able to PTRACE_ATTACH to the target process, inject our own malicious code, and then finally PTRACE_DETACH
http://linuxgazette.net/issue83/sandeep.htmlhttp://linuxgazette.net/issue85/sandeep.html
2006 Black Security 28
Linux User-Land Rootkits Remote Code Injection
Linux Fluffy-Virus First public linux user-land injection proof of concept
code http://www.tty64.org/doc/infschedvirii.txt
Methodology Loader
• Attach to process & Inject both pre-virus and virus code
• Set EIP to pre-virus code Pre-Virus
• Register SIGALRM Signal Handler• Hand control back to process
Virus• SIGALRM Handler invoked• Begin our malicious code• Jump back to pre-virus code
2006 Black Security 29
Linux Rootkits
Issues with User-Land Rootkits File Integrity tools such as Tripwire
cannot be tricked by changing your backdoored binaries alone
One Way to trick Tripwire Write your own remote patching
thread to inject into Tripwire to hide the results(this would take research)
2006 Black Security 30
Linux Rootkits
Kernel-Land 2.4 Kernel – SYS_CALL table is
exported (so its easy to hook functions)
2.6 Kernel – SYS_CALL table is hidden
SuckIT – scans the IDT (Interrupt Descriptor Table) for FAR JMP *0xSCT[eax]
2006 Black Security 31
Linux Rootkits
Kernel-Land Proxy system calls necessary to
trick the user File I/O Functions
• Look for read() of /etc/shadow• Hide other processes from /proc
snooping
Socket I/O Functions (sniffing)• Sniff username/passwords
2006 Black Security 32
Linux Rootkits
Kernel-Land What does this mean?
Rootkits target specific installs• Rootkit targeting GRSEC• Rootkit targeting SELINUX• etc
2006 Black Security 33
Linux Rootkits
Issues with Kernel-Land Rootkits Requires a stealthy way to load
your rootkit into the kernel. Rootkit is vulnerable to detection if
loader is not written properly What can we patch that is reliable?
hostname uname other binaries executed on startup
2006 Black Security 34
Mac OSX Rootkits
History Still in early stages of research Nemo released WeaponX as an
original Proof-of-Concept Mac responded by hardening their
O/S Internals Nemo responded (like any self-
respecting blackhat) with his own improved rootkit
2006 Black Security 35
Mac OSX Rootkits
Remote Code Injection How Can We Inject Our Thread?
Mac OSX Methodology • Our objective: copy some code to
another process's address space and then execute it in the context of this process.
• This technique involves the use of injecting remote signal handlers to take over the flow of execution(similar to how a debugger functions)
2006 Black Security 36
Mach OsX Remote Injection /* get the task for the pid */ … [ Open Up the Process ] …
/* allocate memory for shellcode */ vm_allocate(task_address, size)
/* write shellcode */ vm_write(task,address,shellcode)
/* overwrite pointer */ vm_write(task + offset,pointer address)
2006 Black Security 37
Mac OSX Rootkits
Kernel-Land WeaponX
SYSENT Table – exported so its easy to locate and “hook”
• Shortly after Nemo released WeaponX, Mac no longer exported the SYSENT Table
SYSENT – possible to utilize unix_syscall() which is an exported symbol to locate the unique location of the SYSENT Table.
2006 Black Security 38
Extended
Rootkits to hide files in your Video Driver’s memory NIC Memory Sound Card memory BIOS/CMOS (eEye bootLoader) the sky is the limit
2006 Black Security 40
About Us Black Security Research
http://blacksecurity.org [email protected]
Tim Shelton
Thanks to: Nemo & AndrewG
http://felinemenace.org Rebel Izik – TTY64 Project
http://tty64.org #black crew