Windows Rootkits – Userland API Hooking
Robert Vinson – IT Security Analyst – University of Iowa
09/06/06
Presentation “structure”
#include <presentation.h>
#define GOOD 1

typedef struct hook_slide {
    slide_ptr IAT;
    slide_ptr Inline;
    slide_ptr Injection;
    slide_ptr Detection;
} hSlides_t;

struct RootkitPresentation {
    slide_ptr Definition;
    slide_ptr Evolution;
    hSlides_t Userland_API_Hooking;
    slide_ptr Resources;
    slide_ptr References;
} rootkits;

if (do_presentation(rootkits) != GOOD)
    exit(QUICKLY);
exit(0);
rootkits.Definition
The Hacker Jargon File:
• rootkit: /root´kit/, n.
• [very common] A kit for maintaining root; an automated cracking tool. What script kiddies use. After a cracker has first broken in and gained root access, he or she will install modified binaries such as a modified version of login with a backdoor, or a version of ps that will not report the cracker's processes. This is a rootkit.
Wikipedia:
• “A rootkit is a set of software tools intended to conceal running processes, files or system data …”
0x00
rootkits.Evolution
The Roots:
• Rootkits were originally for *nix systems. The goal of these kits was to allow an attacker to maintain root access to a computer; this is where the “root” in the compound word comes from. These kits typically replaced or modified common administrative utilities to hide backdoor utilities.
The Branches:
• Rootkits have grown into API hooking, kernel hooking, DKOM (Direct Kernel Object Manipulation), and more…
rootkits.API_Hooking
IAT Hooking:
• Overwrite Import Address Table entries.
• To overwrite IAT entries, one must be in the address space of the process.
Inline Hooking:
• Overwrite the first part of a function to jump to another function.
• To overwrite a function's first bytes, one must likewise be in the address space of the process.
rootkits.API_Hooking.IAT
Definition – IAT:
• The Import Address Table is a list of function pointers.
• IAT function pointers are filled in by the Windows loader when it loads a program.
• Each function pointer holds the address of a function contained in a .dll loaded into the address space of the process.
rootkits.Userland_API_Hooking.Inline
Definition – Inline Hooking:
• Inline hooking consists of modifying a function in memory in order to change the flow of execution.
• The first handful of bytes of the function are replaced with an instruction that tells the IP (instruction pointer) to execute code somewhere else in memory.
rootkits.Userland_API_Hooking.Injection[0]
• Each process has its own view of memory (virtual memory).
• Process A’s memory is protected from modification by process B.
• How does one perform IAT or inline hooking if A’s memory is completely inaccessible?
• … wait for it… It’s not!
rootkits.Userland_API_Hooking.Injection[1]
Ways to Inject:
• Modify the DLL imports of an executable image (LordPE and similar).
• Use the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (User32.dll loads the DLLs listed in this key).
• Use SetWindowsHookEx().
• Use CreateRemoteThread().
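A defender's check for the AppInit_DLLs vector named above, as an added example (not code from the original presentation): it splits the registry value into its DLL entries, records whether each entry is an absolute path and exists, and, on Windows only, reads the value from the key on this slide and from its WoW64 view. The function and constant names (parse_appinit_dlls, assess, APPINIT_SUBKEYS) and the sample value in run_sample() are this example's own constructions; the LoadAppInit_DLLs value it consults exists on Vista and later and is not mentioned on the slide.

```python
"""Audit the AppInit_DLLs injection vector (added example, not from the slides).

The live registry is read only on Windows (winreg); the parsing and assessment
functions take plain values, so they can be exercised offline with the
constructed strings in run_sample().
"""
import ntpath
import os
import sys

# User32's loader consults this key; the second path is the WoW64 view used by
# 32-bit processes on 64-bit Windows.
APPINIT_SUBKEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)


def parse_appinit_dlls(value):
    """Split an AppInit_DLLs REG_SZ into its entries: DLL names or paths
    separated by spaces or commas."""
    if not value:
        return []
    return [tok for tok in value.replace(",", " ").split() if tok]


def assess(dlls, load_enabled, exists=os.path.exists):
    """One record per entry with the facts a responder wants first.
    load_enabled mirrors LoadAppInit_DLLs (Vista and later); on older systems
    pass True, since the list is honoured unconditionally there."""
    records = []
    for dll in dlls:
        records.append({
            "dll": dll,
            # Bare names are resolved through the DLL search order, which is
            # harder to reason about than an absolute path.
            "absolute_path": ntpath.isabs(dll),
            "exists": exists(dll),
            "will_load": bool(load_enabled),
        })
    return records


def read_registry():
    """Read every AppInit_DLLs view on Windows; returns (subkey, value, load_flag) tuples."""
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    for subkey in APPINIT_SUBKEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                value = winreg.QueryValueEx(key, "AppInit_DLLs")[0]
                try:
                    load_flag = winreg.QueryValueEx(key, "LoadAppInit_DLLs")[0]
                except FileNotFoundError:
                    load_flag = 1  # value absent: list is loaded unconditionally
        except FileNotFoundError:
            continue
        out.append((subkey, value, load_flag))
    return out


def run_sample():
    """Constructed value: an absolute path, a comma-separated entry and a bare name."""
    value = r"C:\Windows\System32\unknown_hook.dll, C:\Temp\helper.dll  shim.dll"
    dlls = parse_appinit_dlls(value)
    # Constructed existence oracle so the sample is deterministic offline.
    fake_fs = {r"C:\Windows\System32\unknown_hook.dll"}
    return assess(dlls, load_enabled=1, exists=lambda p: p in fake_fs)


if __name__ == "__main__":
    for subkey, value, flag in read_registry():
        for rec in assess(parse_appinit_dlls(value), flag):
            print(subkey, rec)
    if sys.platform != "win32":
        for rec in run_sample():
            print(rec)
```

On a live system the interesting findings are any non-empty list at all (the value is empty on a clean default install), entries that are bare names or point at paths outside the Windows directory, and entries whose file no longer exists, which often marks a cleanup that left the registry behind.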
rootkits.Userland_API_Hooking.Detection
IAT Hooking:
• Look in the IAT for function addresses that are not in the typical range, i.e. not inside the DLL that is supposed to export the function.
Inline Hooking:
• Check the first few bytes of a function for a jump.
rootkits.Resources
• Hacker Defender rootkit defeating common rootkit detectors
  • http://hxdef.org/download/brilliant.php
• Rootkit technology development
  • http://www.rootkit.com
• Rootkit detection
  • Strider - http://research.microsoft.com/rootkit
  • BlackLight - http://www.f-secure.com/blacklight
  • RootkitRevealer - http://www.sysinternals.com/Utilities/RootkitRevealer.html
  • Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
rootkits.References
• Hoglund, Greg and James Butler. Rootkits: Subverting the Windows Kernel. Stoughton, MA: Addison-Wesley, 2006.
• Portable Executable format - http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx