Rootkits in Windows XP: What they are and how they work

What is a rootkit?
• The name comes from the UNIX administrator account "root"; "kit" refers to a collection of tools.
• Used to hide and preserve the presence of a hacker on a system.

Classification of Rootkits
• Persistent rootkits: stored on a fixed disk and survive system reboots.
• Non-persistent rootkits: do not survive reboots.
User Mode vs Kernel Mode rootkits
• Processes in Windows XP run in one of two modes of execution:
  • User Mode: limited access to the system
    • Most applications run in user mode
    • User Mode rootkits are limited to altering the behavior of a single process
  • Kernel Mode: full access to the system
    • Device drivers and operating system code run here
    • Kernel Mode rootkits can alter the behavior of the entire system

How do rootkits work?
• Rootkits hide and preserve the presence of a hacker on a system by:
  • Altering the flow of execution:
    • Hooking
      • Import Address Table Hooking
      • System Service Descriptor Table Hooking
      • Inline Function Hooking
    • Layered filter drivers
  • Altering kernel data used in system accounting:
    • Direct Kernel Object Manipulation (DKOM)
Import Address Table (IAT) Hooking
• User Mode rootkits
• The IAT is a table of pointers to the memory locations of imported API functions
• The rootkit changes a pointer in the table to point to some rootkit function
• The function is now "hooked"
• The hook is limited to one process

System Service Descriptor Table (SSDT) Hooking
• Kernel Mode rootkits
• The SSDT is a single kernel table that stores pointers to system API functions
• Hooks affect the entire system instead of a single process, as IAT hooks do

Inline Function Hooking
• User mode rootkits
• Directly alters imported functions in a process's memory space
• Overwrites the function preamble with a JMP instruction to some rootkit code

Layered Filter Drivers
• Kernel mode rootkits
• Legitimately used by firewalls and anti-virus scanners
• Layered filter driver rootkits can filter certain files out of a directory listing
• Accomplished at a much lower level of the OS than hooking
Direct Kernel Object Manipulation (DKOM)
• Kernel mode rootkits
• Direct manipulation of kernel objects, for example through the \Device\PhysicalMemory object
• DKOM rootkits are able to hide things from the entire system
• The most powerful of the techniques

DKOM Example: Hiding a Process
• Each active process is represented by an EPROCESS structure; the kernel chains these structures into a linked list that it uses to enumerate active processes
• A rootkit unlinks the target's node from this list; the removed node is called a Ghost Process
• The process keeps running because the scheduler does not rely on this list, so only list-based enumeration (such as Task Manager) loses sight of it
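The ghost-process idea on this last slide, as an added example that is not part of the original deck: a user-mode toy model in C of the active-process list, the unlink step that produces a ghost, and the cross-view check a detection tool uses to spot it by comparing the list against a second, independent record of processes. The structures, `head`, `pid_table` and all function names are assumptions made up for the example; they only echo the kernel's naming.

```c
#include <stddef.h>
#include <stdlib.h>
/* Toy model of the EPROCESS ActiveProcessLinks list. Names echo the kernel's,
 * but these structures and the PID table are made up for this example. */
typedef struct list_entry { struct list_entry *flink, *blink; } LIST_ENTRY;
typedef struct eprocess { unsigned pid; LIST_ENTRY links; } EPROCESS;
#define FROM_LINKS(e) ((EPROCESS *)((char *)(e) - offsetof(EPROCESS, links)))
static LIST_ENTRY head = { &head, &head };  /* stands in for PsActiveProcessHead */
static EPROCESS *pid_table[16];             /* second, independent view: a PID table */
static size_t pid_count;
static EPROCESS *process_create(unsigned pid) {
    EPROCESS *p = calloc(1, sizeof *p); p->pid = pid;
    p->links.flink = &head; p->links.blink = head.blink;   /* append at the tail */
    head.blink->flink = &p->links; head.blink = &p->links;
    pid_table[pid_count++] = p;                            /* table view records it too */
    return p;
}
/* The DKOM step from the slides: unlink the node so list walkers skip it.
 * The scheduler does not use this list, so the process keeps running. */
static void dkom_unlink(EPROCESS *p) {
    p->links.blink->flink = p->links.flink;
    p->links.flink->blink = p->links.blink;
    p->links.flink = p->links.blink = &p->links;  /* self-link so a later exit is safe */
}
/* Process count as a walk of the list (Task Manager's view) sees it. */
static size_t count_linked(void) {
    size_t n = 0;
    for (LIST_ENTRY *e = head.flink; e != &head; e = e->flink) n++;
    return n;
}
/* Cross-view detection: a PID in the table that no list walk reaches is a
 * ghost process. Returns the number of ghosts; their PIDs go to out[]. */
static size_t find_ghosts(unsigned *out, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < pid_count; i++) {
        LIST_ENTRY *e = head.flink;
        while (e != &head && FROM_LINKS(e) != pid_table[i]) e = e->flink;
        if (e == &head && found < max) out[found++] = pid_table[i]->pid;
    }
    return found;
}
/* Constructed scenario: three processes, PID 1234 unlinked. Returns that PID
 * when the list walk drops to 2 and the cross-view check flags exactly one ghost. */
static unsigned scenario_hidden_pid(void) {
    unsigned ghosts[4];
    process_create(4); EPROCESS *t = process_create(1234); process_create(2020);
    dkom_unlink(t);
    return (count_linked() == 2 && find_ghosts(ghosts, 4) == 1) ? ghosts[0] : 0;
}
```

Real detection tools apply the same idea against the kernel's own second views (handle tables, scheduler thread lists, pool scans) rather than a toy array.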