Rootkits in Windows XP What they are and how they work

Embed Size (px)

Citation preview

Page 1: Rootkits in Windows XP - What they are and how they work

Page 2: What is a rootkit?

The name comes from the UNIX administrator account “root”; “kit” refers to a collection of tools.

Used to hide and preserve the presence of a hacker on a system.

Page 3: Classification of Rootkits

Persistent rootkits: stored on a fixed disk and survive system reboots

Non-persistent rootkits: do not survive reboots

Page 4: User Mode vs Kernel Mode rootkits

Processes in Windows XP run in one of two modes of execution:

User Mode: limited access to the system
  Most applications run in user mode
  User Mode rootkits are limited to altering the behavior of a single process

Kernel Mode: full access to the system
  Device drivers and operating system code run here
  Kernel Mode rootkits can alter the behavior of the entire system

Page 5: How do rootkits work?

Rootkits hide and preserve the presence of a hacker on a system by:

Altering the flow of execution:
  Hooking: Import Address Table hooking, System Service Descriptor Table hooking, Inline function hooking
  Layered filter drivers

Altering kernel data used in system accounting:
  Direct Kernel Object Manipulation (DKOM)

Page 6: Import Address Table (IAT) Hooking

User Mode rootkits

The IAT is a table of pointers to the memory locations of imported API functions

Rootkits change a pointer in the table to point to some rootkit function

The function is now “hooked”; the hook is limited to one process

Page 7: System Service Descriptor Table (SSDT) Hooking

Kernel Mode rootkits

The SSDT is a single kernel table that stores pointers to system API functions

Hooks affect the entire system instead of a single process like IAT hooks

Page 8: Inline Function Hooking

User mode rootkits

Directly alters imported functions in a process’s memory space

Overwrites the function preamble with a JMP instruction to some rootkit code

Page 9: Layered Filter Drivers

Kernel mode rootkits

Legitimately used by firewalls and anti-virus scanners

Layered filter driver rootkits can filter out certain files from a directory listing

Accomplished at a much lower level of the OS than hooking

Page 10: Direct Kernel Object Manipulation (DKOM)

Kernel mode rootkits

Direct manipulation of the \Device\PhysicalMemory object

DKOM rootkits are able to hide things from the entire system

Most powerful of the techniques

Page 11: DKOM Example: Hiding a Process

EPROCESS structures are kept in a linked list that maintains the set of active processes

A removed node is called a Ghost Process
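The ghost-process condition from this slide, and the cross-view check a defender uses to find it, as an added example in C that is not part of the original slides. LIST_ENTRY, EPROCESS and the PID table are simplified stand-ins constructed here (the real kernel layouts differ), and the second view stands in for what a detector would take from the scheduler or the handle table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's LIST_ENTRY and the few EPROCESS fields needed here. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint32_t UniqueProcessId; char ImageFileName[16]; LIST_ENTRY ActiveProcessLinks; } EPROCESS;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }
static void list_append(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head; e->Blink = head->Blink; head->Blink->Flink = e; head->Blink = e;
}

/* The ghost-process condition: the node is unlinked from the walkable list, yet the process
   object still exists and is still scheduled. */
static void unlink_process(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* Cross-view detection: every PID in an independent second view (scheduler/handle table, here a
   plain PID table) must also appear in the list walk; anything missing from the walk is a ghost.
   Returns the number of ghosts and records their PIDs. */
static int find_ghosts(LIST_ENTRY *head, EPROCESS *view2[], int n, uint32_t out[], int max) {
    int ghosts = 0;
    for (int i = 0; i < n; i++) {
        int seen = 0;
        for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
            if (CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId == view2[i]->UniqueProcessId) { seen = 1; break; }
        if (!seen && ghosts < max) out[ghosts++] = view2[i]->UniqueProcessId;
    }
    return ghosts;
}

/* Three constructed processes; with tamper != 0 the third is hidden the DKOM way, then checked. */
static int run_scenario(int tamper, uint32_t ghost_pids[], int max) {
    EPROCESS procs[3] = { {4, "System"}, {612, "svchost.exe"}, {1337, "hidden.exe"} };
    EPROCESS *view2[3] = { &procs[0], &procs[1], &procs[2] };
    LIST_ENTRY head; list_init(&head);
    for (int i = 0; i < 3; i++) list_append(&head, &procs[i].ActiveProcessLinks);
    if (tamper) unlink_process(&procs[2]);
    return find_ghosts(&head, view2, 3, ghost_pids, max);
}

int main(void) {
    uint32_t g[3];
    int n = run_scenario(1, g, 3);
    printf("ghost processes found: %d\n", n);
    if (n) printf("first ghost pid: %u\n", (unsigned)g[0]);
    return 0;
}
```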

Page 12: (blank slide)

Page 13: The End