About rootkit

ROOTKITs by somma ([email protected])

Posted on 18-Nov-2014 (Category: Technology)

Page 1: About rootkit

ROOTKITs

by somma ([email protected])

Page 2: About rootkit


Contents

Classification of ROOTKITs

Type II ROOTKITs

Type III ROOTKITs

Next Generation ROOTKITs

Page 3: About rootkit

Classification of ROOTKITs

1st Generation (Type I): does not modify the OS / processes / etc.
-> replaces or modifies system files
-> e.g. UNIX login backdoor (binary modification)

2nd Generation (Type II): modifies what was designed not to be modified
-> code of processes, modules, OS code, kernel modules, etc.
-> NTRootkit (pioneer of Windows kernel-based rootkits), NTIllusion, etc.

3rd Generation (Type III): modifies what was designed to be modified
-> data sections, heap, stack, etc.
-> FU (pioneer of DKOM, Direct Kernel Object Manipulation)

The NEXT generation: virtualization?


Page 4: About rootkit

Type II ROOTKITs

NTIllusion

Hacker Defender

NTRootkit - the first Windows NT kernel-based rootkit

Sony Rootkit

Modifies:
- code sections (e.g. import table, export table)
- user-mode / kernel-mode APIs
- kernel-mode undocumented APIs
- ISR (Interrupt Service Routine)
- MSR (Model Specific Register)
…

2008-05-16

Page 5: About rootkit

Type II ROOTKITs – cont.

API Hooking


Page 6: About rootkit

Type II ROOTKITs – cont.

SDT Hooking (http://somma.egloos.com/2731001)


Page 7: About rootkit

Type II ROOTKITs – cont.

IDT Hooking (http://somma.egloos.com/3365054)


Page 8: About rootkit

Type II ROOTKITs – cont.

DEMO
- API hooking (Ring 3) (CheatEngine)
- Code injection (Ring 3) (WinMine.exe hacking)
- SDT hooking (Ring 0) (FxLoader / bkdp.sys)
- IDT hooking (Ring 0) (SDFP – app.exe / template.sys – real machine)
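The SDT hooking named on Pages 6 and 8 and the dispatch-table check listed later under Fighting ROOTKITs, as an added C example that is not part of the original slides and not the code of the demo tools named there (FxLoader, bkdp.sys, hook_shield). It runs entirely in user space: the table `g_ssdt`, the handler `nt_query_processes`, the process list and the `_root_` hiding prefix are all constructed here to stand in for `KeServiceDescriptorTable`, `ZwQuerySystemInformation` and the kernel's process list. The pattern is the same one an IAT hook uses, just on a different table.

```c
/* Constructed model of SSDT hooking and its detection (user-space C, no kernel access). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_SERVICES 3
#define MAX_PROCS  8

typedef struct { int pid; char name[16]; } proc_t;

/* Constructed process list standing in for what the kernel would report. */
static const proc_t g_procs[] = {
    {    4, "System"         },
    {  812, "explorer.exe"   },
    { 1337, "_root_evil.exe" },   /* the rootkit's own process; the prefix is its hiding rule */
    { 2044, "notepad.exe"    },
};
#define N_PROCS (sizeof g_procs / sizeof g_procs[0])

typedef int (*service_fn)(proc_t *out, int max);

/* Legitimate handler, analogue of ZwQuerySystemInformation(SystemProcessInformation). */
static int nt_query_processes(proc_t *out, int max) {
    int n = 0;
    for (size_t i = 0; i < N_PROCS && n < max; i++) out[n++] = g_procs[i];
    return n;
}
static int nt_unused(proc_t *out, int max) { (void)out; (void)max; return 0; }

enum { SVC_QUERY_PROCESSES = 0 };
/* Live dispatch table: analogue of KeServiceDescriptorTable.ServiceTableBase. */
static service_fn g_ssdt[N_SERVICES] = { nt_query_processes, nt_unused, nt_unused };
/* Known-good copy taken before any third-party driver loads. */
static service_fn g_ssdt_clean[N_SERVICES];

void ssdt_snapshot(void) { memcpy(g_ssdt_clean, g_ssdt, sizeof g_ssdt); }

/* --- rootkit side: Hacker Defender style filtering hook --- */
static service_fn g_orig_query;
static int hooked_query_processes(proc_t *out, int max) {
    int n = g_orig_query(out, max), kept = 0;
    for (int i = 0; i < n; i++)               /* drop every entry whose name starts with "_root_" */
        if (strncmp(out[i].name, "_root_", 6) != 0) out[kept++] = out[i];
    return kept;
}
void rootkit_install(void) {
    g_orig_query = g_ssdt[SVC_QUERY_PROCESSES];   /* keep the real handler so it can be chained */
    g_ssdt[SVC_QUERY_PROCESSES] = hooked_query_processes;
}

/* --- what a Ring 3 tool sees: every call is dispatched through the table --- */
int user_visible_process_count(void) {
    proc_t buf[MAX_PROCS];
    return g_ssdt[SVC_QUERY_PROCESSES](buf, MAX_PROCS);
}

/* --- defender side --- */
/* Report the service indices whose live entry differs from the snapshot. */
int ssdt_check(int *hooked_idx, int max) {
    int n = 0;
    for (int i = 0; i < N_SERVICES; i++)
        if (g_ssdt[i] != g_ssdt_clean[i] && n < max) hooked_idx[n++] = i;
    return n;
}
/* Hook removal: the table was the only thing the hook changed, so put the snapshot back. */
void ssdt_restore(void) { memcpy(g_ssdt, g_ssdt_clean, sizeof g_ssdt); }

/* Inline hook check on the first bytes of a function: a JMP rel32 (E9 xx xx xx xx) or a
 * JMP [abs32] (FF 25 xx xx xx xx) where a prologue should be means the function body
 * itself was patched rather than the table, so a table check alone would miss it. */
int prologue_has_inline_jmp(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return 1;
    return 0;
}

int main(void) {
    int idx[N_SERVICES];
    ssdt_snapshot();
    printf("clean: %d processes visible\n", user_visible_process_count());
    rootkit_install();
    printf("hooked: %d processes visible, %d table entries changed\n",
           user_visible_process_count(), ssdt_check(idx, N_SERVICES));
    ssdt_restore();
    printf("restored: %d processes visible\n", user_visible_process_count());
    return 0;
}
```

On a real system there is no guarantee that a clean snapshot was taken before the rootkit loaded, which is why kernel-side checkers instead verify that every SSDT entry points inside the ntoskrnl.exe image range (and every shadow-table entry inside win32k.sys), and compare function prologues in memory against the on-disk image. Both checks are listed on the Fighting ROOTKITs slide; this model only shows the comparison logic.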


Page 9: About rootkit

Type III ROOTKITs

FU - the first rootkit to introduce DKOM (Direct Kernel Object Manipulation)

He4Hook - raw IRP hooking on the file system driver

PHIDE2

Layered driver (Filter driver)

Modifies:
- data sections
- IRP handlers
- kernel objects that are allocated and managed dynamically


Page 10: About rootkit

Type III ROOTKITs – cont.

Break EPROCESS list


Page 11: About rootkit

Type III ROOTKITs – cont.

Break DRIVER_OBJECT list


Page 12: About rootkit

Type III ROOTKITs – cont.

DEMO
- FU rootkit
- jeng_2: SDT hook & DKOM example


Page 13: About rootkit

Fighting ROOTKITs

Check the IAT (Import Address Table)
Check for inline hooks
Check the System Service Dispatch Table (ntoskrnl.exe)
Check the shadow table (win32k.sys)
Check each driver's IRP handlers
Check MSRs (MSR_SYSENTER)
…

How?
ECD (Explicit Compromise Detection)
Cross-view based detection: use DKOM (reading kernel objects directly) to find rootkits
- dump PspCidTable
- trace the OS scheduler database, etc.

Virtual Machine Monitor (http://northsecuritylabs.com/products.aspx)


Page 14: About rootkit

Fighting ROOTKITs – cont.

DEMO
- API hook detection and API hook removal (hook_shield, PlgnPETest.dll)
- Finding a process hidden by FU's DKOM technique: dump PspCidTable
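The "Break EPROCESS list" technique of Page 10 and the PspCidTable cross-view check demonstrated on this slide, as an added C example that is not part of the original slides and not FU's or hook_shield's code. Everything is constructed in user space: `eprocess_t` carries only the fields DKOM touches, `g_active_head` stands in for `PsActiveProcessHead`, and `g_cid_table` is a plain PID-indexed array standing in for the `PspCidTable` handle table; the PIDs and image names are made up.

```c
/* Constructed model of FU style DKOM process hiding and cross-view detection. */
#include <stdio.h>
#include <string.h>

#define MAX_PIDS 64   /* size of the constructed handle table standing in for PspCidTable */

/* The few EPROCESS fields DKOM touches: ActiveProcessLinks is a doubly linked LIST_ENTRY. */
typedef struct eprocess {
    int pid;
    char image_name[16];
    struct eprocess *flink, *blink;
} eprocess_t;

/* Constructed process objects; PIDs are multiples of 4 as on Windows. */
static eprocess_t g_objects[] = {
    {  4, "System",       0, 0 },
    {  8, "smss.exe",     0, 0 },
    { 24, "_root_.exe",   0, 0 },   /* the one the rootkit will hide */
    { 40, "explorer.exe", 0, 0 },
};
#define N_OBJECTS (sizeof g_objects / sizeof g_objects[0])

static eprocess_t  g_active_head;             /* analogue of PsActiveProcessHead */
static eprocess_t *g_cid_table[MAX_PIDS];     /* analogue of PspCidTable: PID -> object */

/* Link every object into the active list and register it in the CID table. */
void build_system(void) {
    g_active_head.pid = -1;
    strcpy(g_active_head.image_name, "<head>");
    g_active_head.flink = g_active_head.blink = &g_active_head;
    memset(g_cid_table, 0, sizeof g_cid_table);
    for (size_t i = 0; i < N_OBJECTS; i++) {
        eprocess_t *p = &g_objects[i];
        p->blink = g_active_head.blink;       /* insert at the tail */
        p->flink = &g_active_head;
        g_active_head.blink->flink = p;
        g_active_head.blink = p;
        g_cid_table[p->pid] = p;
    }
}

/* --- rootkit side (FU): unlink from ActiveProcessLinks and touch nothing else --- */
int dkom_hide(int pid) {
    if (pid < 0 || pid >= MAX_PIDS || g_cid_table[pid] == NULL) return 0;
    eprocess_t *p = g_cid_table[pid];
    p->blink->flink = p->flink;   /* the neighbours now point past the victim */
    p->flink->blink = p->blink;
    /* p->flink / p->blink are left intact so the object still looks linked on its own;
     * the scheduler walks thread lists, not this list, so the hidden process keeps running. */
    return 1;
}

/* --- view 1: walk the active list, which is where process enumeration ends up --- */
int list_walk(int *pids, int max) {
    int n = 0;
    for (eprocess_t *p = g_active_head.flink; p != &g_active_head && n < max; p = p->flink)
        pids[n++] = p->pid;
    return n;
}

/* --- view 2: walk the CID table, which the unlink left untouched --- */
int cid_walk(int *pids, int max) {
    int n = 0;
    for (int pid = 0; pid < MAX_PIDS && n < max; pid++)
        if (g_cid_table[pid]) pids[n++] = pid;
    return n;
}

/* Cross-view: anything the CID table knows but the list does not is hidden. */
int cross_view_hidden(int *hidden, int max) {
    int from_list[MAX_PIDS], from_cid[MAX_PIDS], n = 0;
    int nl = list_walk(from_list, MAX_PIDS), nc = cid_walk(from_cid, MAX_PIDS);
    for (int i = 0; i < nc; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++) if (from_list[j] == from_cid[i]) { seen = 1; break; }
        if (!seen && n < max) hidden[n++] = from_cid[i];
    }
    return n;
}

int main(void) {
    int pids[MAX_PIDS], hidden[MAX_PIDS];
    build_system();
    dkom_hide(24);
    int nl = list_walk(pids, MAX_PIDS);
    printf("active list sees %d processes:", nl);
    for (int i = 0; i < nl; i++) printf(" %d", pids[i]);
    int nh = cross_view_hidden(hidden, MAX_PIDS);
    printf("\ncross view finds %d hidden:", nh);
    for (int i = 0; i < nh; i++) printf(" %d (%s)", hidden[i], g_cid_table[hidden[i]]->image_name);
    printf("\n");
    return 0;
}
```

The check only works because FU leaves the other views alone; a rootkit that also removes the handle-table entry defeats this particular comparison, which is why the Fighting ROOTKITs slide lists several independent views (PspCidTable, the scheduler database) rather than one. Unlinking the same object twice corrupts the list, since the victim's stale pointers get written back into its former neighbours; the model does not guard against that, and neither does the technique.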


Page 15: About rootkit

Next Generation ROOTKITs

DEMO
- Hypervisor-based rootkit


Page 16: About rootkit

Q & A
