Windows Rootkits – Userland API Hooking

  1. Windows Rootkits – Userland API Hooking
     Robert Vinson – IT Security Analyst – University of Iowa
     09/06/06

  2. Presentation “structure”

     #include <presentation.h>
     #define GOOD 1

     struct RootkitPresentation {
         slide_ptr Definition;
         slide_ptr Evolution;
         hSlides_t Userland_API_Hooking;
         slide_ptr Resources;
         slide_ptr References;
     } rootkits;

     typedef struct hook_slide {
         slide_ptr IAT;
         slide_ptr Inline;
         slide_ptr Injection;
         slide_ptr Detection;
     } hSlides_t;

     If(do_presentation(rootkits) != GOOD)
         exit(QUICKLY);
     exit(0);

  3. rootkits.Definition
     The Hacker Jargon File:
     • rootkit: /root´kit/, n.
     • [very common] A kit for maintaining root; an automated cracking tool. What script kiddies use. After a cracker has first broken in and gained root access, he or she will install modified binaries (such as a modified version of login with a backdoor, or a version of ps that will not report the cracker's processes). This is a rootkit.
     Wikipedia:
     • “A rootkit is a set of software tools intended to conceal running processes, files or system data …”
     0x00

  4. rootkits.Evolution
     The Roots:
     • Rootkits were originally for *nix systems. The goal of these kits was to allow an attacker to maintain root access to a computer. This is where the “root” in the compound word comes from. These kits typically replaced or modified common administrative utilities to hide backdoor utilities.
     The Branches:
     • Rootkits have grown into API hooking, kernel hooking, DKOM (Direct Kernel Object Manipulation), and more…

  5. rootkits.API_Hooking
     IAT Hooking:
     • Overwrite Import Address Table entries.
     • To overwrite IAT entries, one must be in the same address space as the process.
     Inline Hooking:
     • Overwrite the first part of a function so that it jumps to another function.
     • To overwrite a function's bytes, one must likewise be in the same address space as the process.

  6. rootkits.API_Hooking.IAT
     Definition - IAT:
     • The Import Address Table is a list of function pointers.
     • IAT function pointers are filled in when the Windows loader loads a program.
     • Each function pointer holds the address of a function in a .dll that has been loaded into the address space of the process.

  7. rootkits.Userland_API_Hooking.Inline
     Definition – Inline Hooking:
     • Inline Hooking consists of modifying a function in memory in order to change the flow of execution.
     • The first handful of bytes of the function are replaced with an instruction that sends the IP (instruction pointer) to code somewhere else in memory.

  8. rootkits.Userland_API_Hooking.Injection[0]
     • Each process has its own view of memory.
     • Virtual Memory
     • Process A’s memory is protected from modification by process B.
     • How does one perform IAT or Inline hooking if A’s memory is completely inaccessible?
     • … wait for it… It’s not!

  9. rootkits.Userland_API_Hooking.Injection[1]
     Ways to Inject:
     • Modify the DLL Imports of an executable image (LordPE and similar).
     • Use the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. (User32.dll loads the DLLs listed in this key.)
     • Using SetWindowsHookEx()
     • Using CreateRemoteThread()

  10. rootkits.Userland_API_Hooking.Detection
     IAT Hooking:
     • Look in the IAT for function addresses that fall outside the typical range, i.e. outside the image of the DLL the entry is supposed to import from.
     Inline Hooking:
     • Check the first few bytes of a function for a jump.
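The two checks on this slide, applied to the structures described on the IAT and Inline slides, as an added example in portable C. This is not code from the presentation or from any of the tools it lists. On Windows the snapshot would be filled from the process's loaded-module list and from each image's import directory; here the module table, the IAT slot values, the prologue bytes and every address are constructed so that the logic compiles and runs anywhere. The DLL and API names are real Windows names (the directory-enumeration calls a file-hiding rootkit is known to target), but the slot contents are made up for the demonstration.

```c
/* Added example, not part of Robert Vinson's presentation: the IAT range check
 * and the inline-jump check from the Detection slide, over constructed data.
 * On Windows the snapshot would come from the process's module list and from
 * each image's import directory (IMAGE_DIRECTORY_ENTRY_IMPORT); here everything
 * is made up so the code runs on any platform. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A loaded module: name, base address, image size. */
typedef struct {
    const char *name;
    uintptr_t base;
    size_t size;
} module_t;

/* One IAT slot: the DLL named by the import descriptor, the imported symbol,
 * and the pointer the slot holds at check time. */
typedef struct {
    const char *dll;
    const char *symbol;
    uintptr_t target;
} iat_entry_t;

static const module_t *find_module(const module_t *mods, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(mods[i].name, name) == 0) return &mods[i];
    return NULL;
}

/* IAT check: a slot importing from DLL X should point inside X's image.
 * Returns 1 if the slot is suspicious, 0 if it lies within the expected module.
 * Caveat: forwarded exports (a kernel32 export implemented in ntdll, say) also
 * land outside the named module, so a production checker resolves forwarders
 * before alerting on a slot. */
int iat_slot_suspicious(const iat_entry_t *e, const module_t *mods, size_t nmods) {
    const module_t *m = find_module(mods, nmods, e->dll);
    if (m == NULL) return 1;  /* importing from a module that is not loaded */
    return !(e->target >= m->base && e->target < m->base + m->size);
}

/* Count the slots flagged by iat_slot_suspicious. */
size_t count_suspicious_iat(const iat_entry_t *iat, size_t n,
                            const module_t *mods, size_t nmods) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (iat_slot_suspicious(&iat[i], mods, nmods)) hits++;
    return hits;
}

/* Inline check: look at the first bytes of a function for a control transfer a
 * compiler would not normally emit as a prologue. x86/x64 encodings recognised:
 *   E9 rel32            jmp rel32        (classic 5-byte detour)
 *   EB rel8             jmp rel8         (hot-patch style, into the padding before the function)
 *   FF 25 disp32        jmp [mem] / jmp [rip+disp32]
 *   68 imm32 C3         push imm32; ret
 *   B8 imm32 FF E0      mov eax, imm32; jmp eax
 *   48 B8 imm64 FF E0   mov rax, imm64; jmp rax
 * Returns a label for the pattern found, or NULL if the prologue looks clean.
 * 8B FF (mov edi, edi) is the normal hot-patchable prologue and is not flagged. */
const char *inline_hook_pattern(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) return "jmp rel32";
    if (len >= 2 && code[0] == 0xEB) return "jmp rel8";
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return "jmp [mem]";
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return "push/ret";
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) return "mov eax/jmp eax";
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 && code[10] == 0xFF && code[11] == 0xE0)
        return "mov rax/jmp rax";
    return NULL;
}

/* Constructed snapshot: two modules and three IAT slots. The FindNextFileW slot
 * has been redirected to an address outside kernel32, as an IAT hook would do. */
const module_t demo_modules[] = {
    { "kernel32.dll", 0x7C800000u, 0x000F6000u },
    { "ntdll.dll",    0x7C900000u, 0x000B2000u },
};
const iat_entry_t demo_iat[] = {
    { "kernel32.dll", "CreateFileW",          0x7C810800u },  /* inside kernel32 */
    { "kernel32.dll", "FindNextFileW",        0x00401230u },  /* outside: hooked */
    { "ntdll.dll",    "NtQueryDirectoryFile", 0x7C90D5A0u },  /* inside ntdll */
};

/* Constructed prologues: an untouched hot-patchable prologue and one overwritten
 * with a 5-byte jmp rel32 detour. */
const uint8_t clean_prologue[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };            /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t hooked_prologue[] = { 0xE9, 0x10, 0x20, 0x30, 0x40, 0x8B, 0xEC }; /* jmp rel32; leftover bytes */

int main(void) {
    size_t n = sizeof demo_iat / sizeof demo_iat[0];
    for (size_t i = 0; i < n; i++)
        printf("%-22s %s\n", demo_iat[i].symbol,
               iat_slot_suspicious(&demo_iat[i], demo_modules, 2) ? "SUSPICIOUS" : "ok");
    const char *p = inline_hook_pattern(hooked_prologue, sizeof hooked_prologue);
    printf("hooked prologue: %s\n", p ? p : "clean");
    p = inline_hook_pattern(clean_prologue, sizeof clean_prologue);
    printf("clean prologue: %s\n", p ? p : "clean");
    return 0;
}
```

The range test is deliberately simple: it only asks whether the pointer lies inside the image of the module the import descriptor names. Forwarded exports and legitimate shims break that assumption, which is why tools of the kind listed on the Resources slide compare the in-memory IAT and prologues against the on-disk copy of the DLL rather than against a fixed rule.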

  11. rootkits.Resources
     • Hacker Defender rootkit defeating common rootkit detectors
       • http://hxdef.org/download/brilliant.php
     • Rootkit technology development
       • http://www.rootkit.com
     • Rootkit detection
       • Strider - http://research.microsoft.com/rootkit
       • BlackLight - http://www.f-secure.com/blacklight
       • RootkitRevealer - http://www.sysinternals.com/Utilities/RootkitRevealer.html
       • Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

  12. rootkits.References
     • Hoglund, Greg and James Butler. Rootkits: Subverting the Windows Kernel. Stoughton, MA: Addison-Wesley, 2006.
     • Portable Executable format - http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx