Rootkits: the basics
Tim Shelton
[BL4CK] Black Security
[email protected]
http://blacksecurity.org
2006 Black Security
Introduction

Black Security Research Group
• Exploitation
  • Windows
  • Linux / BSD / *NIX
  • Embedded Systems
• Information Security Research & Analysis
• Application Security Development
Rootkits: Common Techniques

Windows Rootkits & Malware
• DLL Injection
• Process Injection
• User-land / Kernel-land Attacks
Linux / *BSD Rootkits
• User-land Rootkit
• Kernel-land Rootkit
Mac OSX Rootkits
• User-land Rootkit
• Kernel-land Rootkit
User-Land vs. Kernel-Land

Multi-Layers of an Operating System
• User-Land
  • Your personal applications run within this space
  • If your application crashes, it will not affect the stability of the entire system.
• Kernel-Land
  • This is the "heart" of your O/S.
  • Kernel Drivers
  • Virtual Memory Manager
Windows User-Land vs. Kernel-Land

[Diagram: the Windows architecture split into User and Kernel mode. User mode: Environment Subsystems (OS/2, Win32, POSIX) with their Subsystem DLLs, System & Service Processes, User Apps. Kernel mode: Executive, Device Drivers, Kernel, Win32 User/GDI, Hardware Abstraction Layer (HAL).]
Kernel-Land

• Kernel Drivers
• Virtual Memory Manager
• Hardware Abstraction Layer
• Startup/Shutdown Procedure
Windows Rootkits

History
• User-Land
  • NTIllusion DLL User-Land Rootkit
  • Vanquish – DLL Injection based
  • Romanian rootkit – Detour Patching
  • Example: IAT Rootkit by Darkeagle (http://eagle.blacksecurity.org)
• Kernel-Land
  • Greg Hoglund's NT Rootkit
  • FU by fuzen_op
Windows Rootkits

Expected Behaviors
• Resource Hooking & Monitoring
  • Registry/Process Hiding
  • File I/O (ZwOpen, ZwClose, etc.)
  • Network NDIS/TDI
  • MSGina Hooking
  • Keystroke Logger (simple)
  • Theft of Personal Data
  • Remote Communication/Control
Windows User-Land Rootkits

How does it work?
• Patching Static Binaries
  • Modifying binaries to hide results
    • Task Manager / Process Explorer
    • Netstat / ipconfig
    • More
• Remote Code Injection
  • Remote Thread Injection / DLL Injection
    • Controlling each User-Land process
Windows User-Land Rootkits

How does it work?
• Patching Static Binaries
  • The oldest "trick" in the book
    • Replacing the common operating system utilities used for tracking down malicious activity, hindering those local tools from finding out what is "really happening".
  • Common Issues
    • Can become tedious; may miss some of the tools available.
    • Your rootkit package will become increasingly larger and may risk being noticed.
    • Cannot bypass file-system integrity checks (Tripwire, Determina, etc.).
Windows User-Land Rootkits

How does it work?
• Remote Code Injection
  • Remote DLL Injection
    • Attacking each User-Land process will allow us to control those processes.
    • What's stopping us from recursively injecting ourselves into every process we can?
Windows User-Land Rootkits

Remote Code Injection
• Remote Thread Injection
  • Foundational building block of DLL Injection
  • Maximum size of a remote thread is 4k (default size of a page of virtual memory)
  • One way to copy some code to another process's address space and then execute it in the context of that process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly via WriteProcessMemory and start its execution with CreateRemoteThread.
Windows User-Land Rootkits

Remote Code Injection
• How Can We Inject Our Thread?
  • Windows NT/2k/XP/2k3 Methodology
    • Our objective: copy some code to another process's address space and then execute it in the context of that process.
    • This technique involves the use of remote threads and the WriteProcessMemory API.
    • Basically you copy the code to the remote process directly via WriteProcessMemory and start its execution with CreateRemoteThread.
Windows User-Land Rootkits

Remote Code Injection
• What is the IAT (Import Address Table)?
  • PE (Portable Executable) Format
    • A global table that contains a list of all the function pointers to any function mapped into the running process
    • This table is unique per process, so it must be duplicated within all processes.
Windows User-Land Rootkits

Remote Code Injection
• What is function "hooking"?
  • Redirecting the "pointer" of the function to your malicious "fake" function.
  • Also called function proxying
• Two methods of Function Proxying
  • Pointer Patching (easily detected)
  • Detour Patching (harder to detect)
Rootkit Basics

Pointer Patching
• Operating systems use global tables to keep track of all the functions available from within a process.
• By replacing one of these pointers to a function with a pointer to our "proxy" function, we can intercept the request and parse the results.
Rootkit Basics

Pointer Patching
• Why is this so bad?
  • Rootkit detectors can read the operating system and compare those tables to original copies, looking for changes.
  • If it finds a discrepancy, it will report the entry as "hooked".
Rootkit Basics

Detour Patching
• What is detour patching?
  • By directly modifying the first few bytes of the function as it sits in memory, we can insert a "detour"
  • Detour: FAR JMP 0xDEADBEAF
    • Where 0xDEADBEAF is a 4-byte pointer to your malicious proxy function
    • Total patch size: 7 bytes
Rootkit Basics

Detour Patching
• Why is this so bad?
  • Rootkit detectors can read the first few bytes of each function, looking for "inappropriate" FAR JMP instructions.
  • So will rootkits ever be undetectable?
    • That's why blackhats are driven to continue our research for 0day
Windows Kernel-Land Rootkits

Kernel-Land Rootkits
• A malicious Kernel Driver
  • Most of the functions you need to monitor are all accessible directly from Kernel-Land
  • Functions found in the SSDT (System Service Descriptor Table)
    • similar to the User-Land IAT Table
Windows Kernel-Land Rootkits

Kernel-Land Rootkits
• A malicious Kernel Driver
  • "Hook" any exported Kernel API functions in order to monitor the results they return
  • Detour Patching Kernel API functions
  • Hooking interrupts
Linux Rootkits

History
• User-Land
  • SSHEater-1.1 by Carlos Barros
• Kernel-Land
  • Static-X's Adore-NG 2.4/2.6 kernel rootkit
  • Rebel's phalanx (patches /dev/mem) [email protected]
Linux Rootkits

User-Land
• Patch user binaries (as before)
• Contains the same faults as Windows User-Land binary patching
• Can still hook the GOT (Global Offset Table)
Kernel-Land 2.4/2.6
• Hook the SYS_CALL Table, Interrupt Descriptor Table, and Global Descriptor Table
• Detour Patching
• Directly patch /dev/mem or /dev/kmem
Linux Rootkits

User-Land
• Signal Injection – injecting your own thread into a running process using PTRACE_ATTACH and PTRACE_DETACH will allow your remote thread to hook the GOT and other functions for a complete user-land runtime rootkit.
• Example: SSHeater-1.1
Linux User-Land Rootkits

Remote Code Injection
• How Can We Inject Our Thread?
  • Linux / BSD Methodology
    • Our objective: copy some code to another process's address space and then execute it in the context of that process.
    • This technique involves injecting remote signal handlers to take over the flow of execution (similar to how a debugger functions)
    • By using ptrace injection, we are able to PTRACE_ATTACH to the target process, inject our own malicious code, and then finally PTRACE_DETACH
  • http://linuxgazette.net/issue83/sandeep.html
  • http://linuxgazette.net/issue85/sandeep.html
Linux User-Land Rootkits

Remote Code Injection
• Linux Fluffy-Virus
  • First public Linux user-land injection proof-of-concept code
  • http://www.tty64.org/doc/infschedvirii.txt
  • Methodology
    • Loader
      • Attach to process & inject both pre-virus and virus code
      • Set EIP to pre-virus code
    • Pre-Virus
      • Register SIGALRM signal handler
      • Hand control back to process
    • Virus
      • SIGALRM handler invoked
      • Begin our malicious code
      • Jump back to pre-virus code
Linux Rootkits

Issues with User-Land Rootkits
• File integrity tools such as Tripwire cannot be tricked by changing your backdoored binaries alone
• One way to trick Tripwire
  • Write your own remote patching thread to inject into Tripwire to hide the results (this would take research)
Linux Rootkits

Kernel-Land
• 2.4 Kernel – SYS_CALL table is exported (so it's easy to hook functions)
• 2.6 Kernel – SYS_CALL table is hidden
  • SuckIT – scans the IDT (Interrupt Descriptor Table) for FAR JMP *0xSCT[eax]
Linux Rootkits

Kernel-Land
• Proxy the system calls necessary to trick the user
  • File I/O functions
    • Look for read() of /etc/shadow
    • Hide other processes from /proc snooping
  • Socket I/O functions (sniffing)
    • Sniff usernames/passwords
Linux Rootkits

Kernel-Land
• What does this mean?
  • Rootkits target specific installs
    • Rootkit targeting GRSEC
    • Rootkit targeting SELINUX
    • etc.
Linux Rootkits

Issues with Kernel-Land Rootkits
• Requires a stealthy way to load your rootkit into the kernel.
• Rootkit is vulnerable to detection if the loader is not written properly
• What can we patch that is reliable?
  • hostname
  • uname
  • other binaries executed on startup
Mac OSX Rootkits

History
• Still in early stages of research
• Nemo released WeaponX as an original Proof-of-Concept
• Mac responded by hardening their O/S internals
• Nemo responded (like any self-respecting blackhat) with his own improved rootkit
Mac OSX Rootkits

Remote Code Injection
• How Can We Inject Our Thread?
  • Mac OSX Methodology
    • Our objective: copy some code to another process's address space and then execute it in the context of that process.
    • This technique involves injecting remote signal handlers to take over the flow of execution (similar to how a debugger functions)
Mach OS X Remote Injection

    /* get the task for the pid */
    … [ Open Up the Process ] …
    /* allocate memory for shellcode */
    vm_allocate(task, address, size)
    /* write shellcode */
    vm_write(task, address, shellcode)
    /* overwrite pointer */
    vm_write(task, address + offset, pointer address)
Mac OSX Rootkits

Kernel-Land
• WeaponX
  • SYSENT Table – exported, so it's easy to locate and "hook"
    • Shortly after Nemo released WeaponX, Mac no longer exported the SYSENT Table
  • SYSENT – possible to utilize unix_syscall(), which is an exported symbol, to locate the unique location of the SYSENT Table.
Extended

Rootkits to hide files in your
• Video driver's memory
• NIC memory
• Sound card memory
• BIOS/CMOS (eEye bootLoader)
• the sky is the limit
Questions?
About Us

Black Security Research
• http://blacksecurity.org
• [email protected]
• Tim Shelton

Thanks to:
• Nemo & AndrewG – http://felinemenace.org
• Rebel
• Izik – TTY64 Project – http://tty64.org
• #black crew