2006 Black Security 1

Rootkits: the basics

Tim Shelton [BL4CK], Black Security
[email protected]
http://blacksecurity.org

Introduction

Black Security Research Group
• Exploitation: Windows, Linux / BSD / *NIX, Embedded Systems
• Information Security Research & Analysis
• Application Security Development

Rootkits

Rootkits: Common Techniques
• Windows Rootkits & Malware: DLL Injection, Process Injection, User-land / Kernel-land Attacks
• Linux / *BSD Rootkits: User-land Rootkit, Kernel-land Rootkit
• Mac OSX Rootkits: User-land Rootkit, Kernel-land Rootkit

User-Land vs. Kernel-Land

Multi-Layers of an Operating System

User-Land
• Your personal applications run within this space.
• In case your application crashes, it will not affect the stability of the entire system.

Kernel-Land
• This is the “heart” of your O/S.
• Kernel Drivers
• Virtual Memory Manager

Windows User-Land vs. Kernel-Land

[Diagram: Windows architecture, split into a User half and a Kernel half. Labels: Executive, Device Drivers, Hardware Abstraction Layer (HAL), Kernel, Win32, User Apps, Subsystem DLL, System & Service Processes, POSIX, OS/2, Win32 User/GDI, Environment Subsystems.]

Kernel-Land
• Kernel Drivers
• Virtual Memory Manager
• Hardware Abstraction Layer
• Startup/Shutdown Procedure

Windows User-Land vs. Kernel-Land

Windows Rootkits

History
User-Land
• NTIllusion DLL User-Land Rootkit
• Vanquish – DLL Injection based
• Romanian rootkit – Detour Patching Example
• IAT Rootkit by Darkeagle (http://eagle.blacksecurity.org)
Kernel-Land
• Greg Hoglund’s NT Rootkit
• FU by fuzen_op

Windows Rootkits

Expected Behaviors
• Resource Hooking & Monitoring
• Registry/Process Hiding
• File I/O (ZwOpen, ZwClose, etc.)
• Network NDIS/TDI
• MSGina Hooking
• Keystroke Logger (simple)
• Theft of Personal Data
• Remote Communication/Control

Windows User-Land Rootkits

How does it work?
Patching Static Binaries
• Modifying binaries to hide results
  • Task Manager / Process Explorer
  • Netstat / ipconfig
  • More
Remote Code Injection
• Remote Thread Injection / DLL Injection
• Controlling each User-Land process

Windows User-Land Rootkits: How does it work?

Patching Static Binaries: The Oldest “trick” in the book
• Replacing common Operating System utilities used for tracking down malicious activity, hindering those local tools from finding out what is “really happening”.

Common Issues
• Can become tedious, may miss some of the tools available.
• Your rootkit package will become increasingly larger and may risk being noticed.
• Cannot bypass file-system integrity checks (Tripwire, Determina, etc.).

Windows User-Land Rootkits

How does it work? Remote Code Injection
Remote DLL Injection
• Attacking each User-Land process will allow us to control those processes.
• What’s stopping us from recursively injecting ourselves into every process we can?

Windows User-Land Rootkits: Remote Code Injection

Remote Thread Injection
• Foundational building block of DLL Injection
• Maximum size of remote thread is 4k (default size of a page of virtual memory)

One way to copy some code to another process's address space and then execute it in the context of that process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly, via WriteProcessMemory, and start its execution with CreateRemoteThread.

Windows User-Land Rootkits

Remote Code Injection: How Can We Inject Our Thread?
Windows NT/2k/XP/2k3 Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of that process.
• This technique involves the use of remote threads and the WriteProcessMemory API.
• Basically you copy the code to the remote process directly, via WriteProcessMemory, and start its execution with CreateRemoteThread.

Windows User-Land Rootkits

Remote Code Injection: What is the IAT Table?
PE (Portable Executable) Format
• A global table that contains a list of all the function pointers to any function mapped into the running process
• This table is unique per process, so it must be duplicated within all processes.

Windows User-Land Rootkits

Remote Code Injection: What is function “hooking”?
• Redirecting the “pointer” of the function to your malicious “fake” function.
• Also called function proxying
Two methods of Function Proxying
• Pointer Patching (easily detected)
• Detour Patching (harder to detect)

Rootkit Basics

Pointer Patching
• Operating Systems use Global Tables to keep track of all the functions available from within a process.
• By modifying one of these pointers to a function with a pointer to our “proxy” function, we can intercept the request and parse the results.

Rootkit Basics

Pointer Patching: Why is this so bad?
• Rootkit detectors can read the operating system and compare those tables to original copies, looking for changes.
• If a detector finds a discrepancy, it will report the entry as “hooked”.
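As an added example (not from the slides), the two checks that table comparison amounts to when run over a function-pointer table such as the IAT or SSDT: a diff against a clean copy, and a check that each pointer still lands inside the module that should implement that function. The module ranges, symbol addresses and sample table are constructed values, not real ones.

```c
#include <stddef.h>
#include <stdint.h>

/* Module address ranges; every address in this example is constructed. */
typedef struct { const char *name; uintptr_t base; size_t size; } module_range;
static const module_range modules[] = {
    { "kernel32.dll", 0x7C800000u, 0x000F5000u },
    { "ntdll.dll",    0x7C900000u, 0x000B0000u },
};

/* One slot of a function-pointer table (IAT or SSDT style): the pointer found
 * live, the pointer from a clean copy, and the modules[] index of its owner. */
typedef struct { const char *symbol; uintptr_t live, baseline; size_t owner; } table_entry;

/* Constructed sample: one clean entry, one redirected outside every known
 * module (a foreign DLL), one redirected to another spot inside its own module. */
static const table_entry sample[] = {
    { "CreateFileW",              0x7C801A24u, 0x7C801A24u, 0 },
    { "ReadFile",                 0x00401000u, 0x7C80180Eu, 0 },
    { "NtQuerySystemInformation", 0x7C90D8B0u, 0x7C90D7BCu, 1 },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

static int in_module(uintptr_t p, const module_range *m) { return p >= m->base && p < m->base + m->size; }

/* Both detector checks over n entries. verdict[i] gets bit 0 when the live
 * pointer differs from the baseline and bit 1 when it lies outside the
 * owning module. Returns the number of entries reported as hooked. */
size_t scan_pointer_table(const table_entry *t, size_t n, unsigned *verdict)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned v = 0;
        if (t[i].live != t[i].baseline) v |= 1u;                  /* table differs from clean copy */
        if (!in_module(t[i].live, &modules[t[i].owner])) v |= 2u; /* points outside its module */
        verdict[i] = v;
        hooked += (v != 0);
    }
    return hooked;
}

/* Verdict bits for entry i of the constructed sample (0 if i is out of range). */
unsigned demo_verdict(size_t i)
{
    unsigned v[SAMPLE_N];
    scan_pointer_table(sample, SAMPLE_N, v);
    return i < SAMPLE_N ? v[i] : 0;
}
```

The second check matters because a pointer swapped for another address inside the same module (the third sample entry) passes a range check and is only caught by the baseline diff.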

Rootkit Basics

Detour Patching: What is detour patching?
• By directly modifying the first few bytes at the function’s entry point in memory, we can insert a “detour”
• Detour: FAR JMP 0xDEADBEAF
  • Where 0xDEADBEAF is a 4-byte pointer to your malicious proxy function
  • Total patch size: 7 bytes

Rootkit Basics

Detour Patching: Why is this so bad?
• Rootkit detectors can read the first few bytes looking for “inappropriate” FAR JMP calls.
So will rootkits ever be undetectable?
• That’s why blackhats are driven to continue our research for 0day
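As an added example (not from the slides), the first-bytes check a detector applies to a function entry: it recognises the 7-byte FAR JMP from the previous slide and, going beyond that one case, the other short jump encodings a detour patch can be written as, and recovers the detour target. The prologue bytes, the function address and the target address are constructed.

```c
#include <stdint.h>
/* Result of inspecting one function entry. */
typedef struct {
    int detoured;        /* 1 when the entry bytes begin with a jump */
    uint32_t target;     /* where the jump goes (for FF 25: address of the pointer slot) */
    const char *form;    /* which encoding matched */
} detour_report;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* entry: at least 7 bytes read from the function's start; va: its virtual
 * address, needed to resolve a relative near jump. Covers the 7-byte far jump
 * from the slide plus the other short patches a detour can be written as. */
detour_report check_entry(const uint8_t *entry, uint32_t va)
{
    detour_report r = { 0, 0, "clean prologue" };
    if (entry[0] == 0xEA) {                              /* JMP FAR ptr16:32, 7 bytes */
        r.detoured = 1; r.target = rd32(entry + 1); r.form = "far jmp (EA)";
    } else if (entry[0] == 0xE9) {                       /* JMP rel32, 5 bytes */
        r.detoured = 1; r.target = va + 5 + rd32(entry + 1); r.form = "near jmp (E9)";
    } else if (entry[0] == 0xFF && entry[1] == 0x25) {   /* JMP [disp32], 6 bytes */
        r.detoured = 1; r.target = rd32(entry + 2); r.form = "jmp [abs] (FF 25)";
    } else if (entry[0] == 0x68 && entry[5] == 0xC3) {   /* PUSH imm32; RET, 6 bytes */
        r.detoured = 1; r.target = rd32(entry + 1); r.form = "push/ret (68 .. C3)";
    } else if (entry[0] == 0xB8 && entry[5] == 0xFF && entry[6] == 0xE0) { /* MOV EAX,imm32; JMP EAX */
        r.detoured = 1; r.target = rd32(entry + 1); r.form = "mov eax/jmp eax (B8 .. FF E0)";
    }
    return r;
}

/* Constructed samples for a function at constructed address 0x7C80180E: the
 * standard hot-patchable Win32 prologue (mov edi,edi; push ebp; mov ebp,esp;
 * sub esp,0x10), then the same entry after a far-jump detour and after a
 * near-jump detour, both sending execution to 0x00401000. */
#define SAMPLE_VA 0x7C80180Eu
static const uint8_t samples[3][8] = {
    { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 },
    { 0xEA, 0x00, 0x10, 0x40, 0x00, 0x1B, 0x00, 0x90 },
    { 0xE9, 0xED, 0xF7, 0xBF, 0x83, 0x90, 0x90, 0x90 },
};

/* Checks sample `which` (0..2); out-of-range values fall back to the clean one. */
detour_report demo_check(int which)
{
    if (which < 0 || which > 2) which = 0;
    return check_entry(samples[which], SAMPLE_VA);
}
```

A detector would follow this by asking whether the recovered target lies inside a module that has any business being there, which is the same range check used against pointer tables.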

Windows Kernel-Land Rootkits

Kernel-Land Rootkits: A malicious Kernel Driver
• Most of the functions you need to monitor are all accessible directly from Kernel-Land
• Functions found in the SSDT (System Service Descriptor Table)
  • similar to the User-Land IAT Table

Windows Kernel-Land Rootkits

Kernel-Land Rootkits: A malicious Kernel Driver
• “Hook” any exported Kernel API functions in order to monitor the results they return
• Detour Patching Kernel API functions
• Hooking interrupts

Linux Rootkits

History
User-Land
• SSHEater-1.1 by Carlos Barros
Kernel-Land
• Static-X’s Adore-NG 2.4/2.6 kernel rootkit
• Rebel’s phalanx (patches /dev/mem) [email protected]

Linux Rootkits

User-Land
• Patch User binaries (as before)
  • Contains same faults as Windows User-Land binary patching
• Can still hook the GOT (Global Offset Table)
Kernel-Land 2.4/2.6
• Hook the SYS_CALL Table, Interrupt Descriptor Table, and Global Descriptor Table
• Detour Patching
• Directly patch /dev/mem or /dev/kmem

Linux Rootkits

User-Land
• Signal Injection – Injecting your own thread into a running process using PTRACE_ATTACH and PTRACE_DETACH will allow your remote thread to hook the GOT and other functions for a complete user-land runtime rootkit.
• Example: SSHeater-1.1

Linux User-Land Rootkits: Remote Code Injection

How Can We Inject Our Thread? Linux / BSD Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of that process.
• This technique involves injecting remote signal handlers to take over the flow of execution (similar to how a debugger functions)
• By using ptrace-injection, we are able to PTRACE_ATTACH to the target process, inject our own malicious code, and then finally PTRACE_DETACH

http://linuxgazette.net/issue83/sandeep.html
http://linuxgazette.net/issue85/sandeep.html

Linux User-Land Rootkits: Remote Code Injection

Linux Fluffy-Virus
• First public Linux user-land injection proof-of-concept code
• http://www.tty64.org/doc/infschedvirii.txt

Methodology
Loader
• Attach to process & inject both pre-virus and virus code
• Set EIP to pre-virus code
Pre-Virus
• Register SIGALRM Signal Handler
• Hand control back to process
Virus
• SIGALRM Handler invoked
• Begin our malicious code
• Jump back to pre-virus code

Linux Rootkits

Issues with User-Land Rootkits
• File Integrity tools such as Tripwire cannot be tricked by changing your backdoored binaries alone
• One way to trick Tripwire: write your own remote patching thread to inject into Tripwire to hide the results (this would take research)

Linux Rootkits

Kernel-Land
• 2.4 Kernel – SYS_CALL table is exported (so it’s easy to hook functions)
• 2.6 Kernel – SYS_CALL table is hidden
• SuckIT – scans the IDT (Interrupt Descriptor Table) for FAR JMP *0xSCT[eax]

Linux Rootkits

Kernel-Land
Proxy system calls necessary to trick the user
• File I/O Functions
  • Look for read() of /etc/shadow
  • Hide other processes from /proc snooping
• Socket I/O Functions (sniffing)
  • Sniff usernames/passwords

Linux Rootkits

Kernel-Land: What does this mean?
Rootkits target specific installs
• Rootkit targeting GRSEC
• Rootkit targeting SELINUX
• etc.

Linux Rootkits

Issues with Kernel-Land Rootkits
• Requires a stealthy way to load your rootkit into the kernel.
• Rootkit is vulnerable to detection if the loader is not written properly
What can we patch that is reliable?
• hostname
• uname
• other binaries executed on startup

Mac OSX Rootkits

History
• Still in early stages of research
• Nemo released WeaponX as an original Proof-of-Concept
• Mac responded by hardening their O/S Internals
• Nemo responded (like any self-respecting blackhat) with his own improved rootkit

Mac OSX Rootkits

Remote Code Injection: How Can We Inject Our Thread?
Mac OSX Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of that process.
• This technique involves injecting remote signal handlers to take over the flow of execution (similar to how a debugger functions)

Mach OSX Remote Injection

    /* get the task for the pid */
    … [ Open Up the Process ] …

    /* allocate memory for shellcode */
    vm_allocate(task_address, size)

    /* write shellcode */
    vm_write(task,address,shellcode)

    /* overwrite pointer */
    vm_write(task + offset,pointer address)

Mac OSX Rootkits

Kernel-Land: WeaponX
• SYSENT Table – exported, so it’s easy to locate and “hook”
  • Shortly after Nemo released WeaponX, Mac no longer exported the SYSENT Table
• SYSENT – possible to utilize unix_syscall(), which is an exported symbol, to locate the unique location of the SYSENT Table.

Extended

Rootkits to hide files in:
• your Video Driver’s memory
• NIC Memory
• Sound Card memory
• BIOS/CMOS (eEye bootLoader)
• the sky is the limit

Questions?

About Us

Black Security Research
http://blacksecurity.org
[email protected]
Tim Shelton

Thanks to:
• Nemo & AndrewG (http://felinemenace.org)
• Rebel
• Izik – TTY64 Project (http://tty64.org)
• #black crew