1 / 13

Rootkits in Windows XP

Rootkits in Windows XP. What they are and how they work. What is a rootkit? . Name comes from UNIX Administrator account “root” and “kit” refers to a collection of tools. Used to hide and preserve the presence of a hacker on a system. Classification of Rootkits.

mtolson
Download Presentation

Rootkits in Windows XP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Rootkits in Windows XP What they are and how they work

  2. What is a rootkit? • Name comes from UNIX Administrator account “root” and “kit” refers to a collection of tools. • Used to hide and preserve the presence of a hacker on a system.

  3. Classification of Rootkits • Persistent Rootkits-stored on a fixed disk and survive system reboots • Non-Persistent Rootkits-do not survive reboots

  4. User Mode vs Kernel Mode rootkits • Processes in Windows XP run in one of two modes of execution: • User Mode: limited access to system • Most applications run in user mode • User Mode rootkits are limited to altering the behavior of a single process • Kernel Mode: full access to system • Device drivers and operating system code run here • Kernel Mode rootkits can alter the behavior of the entire system

  5. How do rootkits work? • Rootkits hide and preserve the presence of a hacker on a system by: • Altering the flow of execution: • Hooking • Import Address Table Hooking • System Service Descriptor Table Hooking • Inline Function Hooking • Layered filter drivers • Altering kernel data used in system accounting • Direct Kernel Object Manipulation (DKOM)

  6. Import Address Table (IAT) Hooking • User Mode rootkits • IAT is a table of pointers that point to memory locations of imported API functions • Rootkits change a pointer in the table to point to some rootkit function • Function is now “hooked” • Hook is limited to one process

  7. System Service Descriptor Table (SSDT) Hooking • Kernel Mode rootkits • The SSDT is a single kernel table that stores pointers to system API functions • Hooks affect entire system instead of a single process like IAT hooks

  8. Inline Function Hooking • User mode rootkits • Directly alters imported functions in a process’s memory space • Overwrites preamble with a JMP instruction to some rootkit code

  9. Layered Filter Drivers • Kernel mode rootkits • Legitimately used by Firewalls and Anti-Virus Scanners • Layered filter driver rootkits can filter out certain files from a directory listing • Accomplished at much lower level of the OS than hooking

  10. Direct Kernel Object Manipulation (DKOM) • Kernel mode rootkits • Direct manipulation of \Device\PhysicalMemory Object • DKOM rootkits are able to hide things from the entire system • Most powerful of the techniques

  11. DKOM Example: Hiding a Process • EPROCESS is a linked list that maintains a list of active processes • A removed node is called a Ghost Process

  12. The End

More Related