Rootkits in Windows XP
What they are and how they work

What is a rootkit?
- The name comes from the UNIX administrator account "root"; "kit" refers to a collection of tools.
- Used to hide and preserve the presence of a hacker on a system.
Classification of Rootkits
- Persistent rootkits: stored on a fixed disk and survive system reboots.
- Non-persistent rootkits: do not survive reboots.
User Mode vs Kernel Mode Rootkits
- Processes in Windows XP run in one of two modes of execution:
  - User Mode: limited access to the system. Most applications run in user mode. User mode rootkits are limited to altering the behavior of a single process.
  - Kernel Mode: full access to the system. Device drivers and operating system code run here. Kernel mode rootkits can alter the behavior of the entire system.
How do rootkits work?
- Rootkits hide and preserve the presence of a hacker on a system by:
  - Altering the flow of execution:
    - Hooking: Import Address Table hooking, System Service Descriptor Table hooking, inline function hooking
    - Layered filter drivers
  - Altering kernel data used in system accounting:
    - Direct Kernel Object Manipulation (DKOM)
Import Address Table (IAT) Hooking
- User mode rootkits
- The IAT is a table of pointers to the memory locations of imported API functions.
- A rootkit changes a pointer in the table so that it points to a rootkit function.
- The function is now "hooked".
- The hook is limited to one process.
System Service Descriptor Table (SSDT) Hooking
- Kernel mode rootkits
- The SSDT is a single kernel table that stores pointers to system API functions.
- Hooks affect the entire system instead of a single process, as IAT hooks do.
Inline Function Hooking
- User mode rootkits
- Directly alters imported functions in a process's memory space.
- Overwrites the function preamble with a JMP instruction to rootkit code.
Layered Filter Drivers
- Kernel mode rootkits
- Legitimately used by firewalls and anti-virus scanners.
- Layered filter driver rootkits can filter certain files out of a directory listing.
- Accomplished at a much lower level of the OS than hooking.
Direct Kernel Object Manipulation (DKOM)
- Kernel mode rootkits
- Direct manipulation of the \Device\PhysicalMemory object.
- DKOM rootkits are able to hide things from the entire system.
- The most powerful of the techniques.
DKOM Example: Hiding a Process
- The kernel tracks active processes in a doubly linked list whose nodes are EPROCESS structures, one per process.
- A node removed from that list is called a ghost process: the process keeps running, but anything that enumerates processes by walking the list no longer sees it.
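As an added example (not from the original slides), the following C program models the ghost-process trick on an ordinary userland linked list and shows the cross-view detection that defenders use against it: walk the list (the view DKOM tampers with), then compare it against an independent PID-indexed view, and flag any process present in one view but missing from the other. The struct, field and function names are constructed stand-ins for the kernel's EPROCESS bookkeeping, not the real layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy model of the kernel's process bookkeeping: each node stands
 * in for an EPROCESS with just a PID and its doubly linked list links. */
typedef struct proc {
    unsigned pid;
    struct proc *flink, *blink;   /* stand-in for the active-process links */
} proc_t;

#define MAX_PROCS 8
static proc_t table[MAX_PROCS];   /* independent view: a PID-indexed table */
static proc_t head;               /* list head the walk starts from */

/* Build a circular doubly linked list of n processes with pid = index + 1. */
void build_list(size_t n) {
    head.flink = head.blink = &head;
    memset(table, 0, sizeof table);
    for (size_t i = 0; i < n && i < MAX_PROCS; i++) {
        proc_t *p = &table[i];
        p->pid = (unsigned)i + 1;
        p->blink = head.blink; p->flink = &head;   /* append at the tail */
        head.blink->flink = p; head.blink = p;
    }
}

/* Simulate what the slides call a ghost process: the node is unlinked from
 * the list, but its memory (and so its entry in the other view) is intact. */
void simulate_ghost(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;      /* self-linked so the node itself stays valid */
}

/* Cross-view detection: walk the list, then compare against the PID table.
 * A PID present in the table but never reached by the walk is reported.
 * Returns the number of hidden processes; their PIDs are stored in out. */
size_t find_hidden(unsigned *out, size_t max) {
    bool seen[MAX_PROCS + 1] = {0};
    for (proc_t *p = head.flink; p != &head; p = p->flink)
        if (p->pid <= MAX_PROCS) seen[p->pid] = true;
    size_t n = 0;
    for (size_t i = 0; i < MAX_PROCS && n < max; i++)
        if (table[i].pid && !seen[table[i].pid]) out[n++] = table[i].pid;
    return n;
}
```

Real cross-view tools apply the same comparison to views the rootkit is less likely to have patched consistently, such as a handle-table scan or a PID brute force, against the list walk.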
The EndThe End