Windows Rootkits - Userland API Hooking


Windows Rootkits –
Userland API Hooking
Robert Vinson – IT Security Analyst – University of Iowa
09/06/06
Presentation "structure"

#include <presentation.h>
#define GOOD 1

typedef struct hook_slide {
    slide_ptr IAT;
    slide_ptr Inline;
    slide_ptr Injection;
    slide_ptr Detection;
} hSlides_t;

struct RootkitPresentation {
    slide_ptr Definition;
    slide_ptr Evolution;
    hSlides_t Userland_API_Hooking;
    slide_ptr Resources;
    slide_ptr References;
} rootkits;

if (do_presentation(rootkits) != GOOD)
    exit(QUICKLY);
exit(0);
rootkits.Definition
The Hacker Jargon File:
• rootkit: /root´kit/, n.
• [very common] A kit for maintaining root; an automated cracking tool. What script kiddies use. After a cracker has first broken in and gained root access, he or she will install modified binaries (such as a modified version of login with a backdoor, or a version of ps that will not report the cracker's processes). This is a rootkit.
Wikipedia:
• "A rootkit is a set of software tools intended to conceal running processes, files or system data …"
rootkits.Evolution
The Roots:
• Rootkits were originally for *nix systems. The goal of these kits was to allow an attacker to maintain root access to a computer; this is where the "root" in the compound word comes from. These kits typically replaced/modified common administrative utilities (login, ps, ls, netstat and the like) to hide the attacker's backdoor utilities.
The Branches:
• Rootkits have grown into API hooking, kernel hooking, DKOM (Direct Kernel Object Manipulation), and more…
rootkits.Userland_API_Hooking
IAT Hooking:
• Overwrite Import Address Table entries so that calls made through the table land in the rootkit's code instead of the real function.
• To overwrite IAT entries, one must be in the same address space as the process.
Inline Hooking:
• Overwrite the first part of a function with a jump to another function.
• To overwrite a function's code in memory, one must likewise be in the same address space as the process.
rootkits.Userland_API_Hooking.IAT
Definition - IAT:
• The Import Address Table is a list of function pointers, one per imported function, stored inside the executable image.
• IAT function pointers are filled in by the Windows loader when it loads the program and resolves its imports.
• Each pointer holds the address of a function contained in a .dll loaded into the address space of the process.
• Calls to an imported function are indirect calls through its IAT slot, so replacing that one pointer redirects every call the program makes to the function.
rootkits.Userland_API_Hooking.Inline
Definition – Inline Hooking:
• Inline hooking consists of modifying the code of a function in memory in order to change the flow of execution.
• The first handful of bytes of the function (its prologue) are replaced with an instruction, typically a JMP, that sends the IP (instruction pointer) to the hook's code somewhere else in memory.
• The overwritten bytes have to be saved and re-executed elsewhere (a "trampoline"), otherwise the hook can no longer call the original function.
rootkits.Userland_API_Hooking.Injection[0]
• Each process has its own view of memory (virtual memory).
• Process A's memory is protected from modification by process B.
• So how does one perform IAT or inline hooking if A's memory is completely inaccessible?
• … wait for it… It's not! A process that can open a handle to A with sufficient rights can read and write A's memory and make A run code of its choosing.
rootkits.Userland_API_Hooking.Injection[1]
Ways to Inject:
• Modify the DLL imports of an executable image on disk so that it loads the rootkit DLL (LordPE and similar PE editors).
• Use the registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. (User32.dll loads every DLL listed there into each process that loads user32.dll. On current Windows versions this is gated by the LoadAppInit_DLLs value and disabled when Secure Boot is on.)
• Use SetWindowsHookEx() with a hook procedure that lives in the rootkit DLL; Windows maps the DLL into the processes that receive the hooked events.
• Use CreateRemoteThread() to start a thread in the target process, typically with LoadLibrary() as the start routine and the rootkit DLL's path as its argument.
rootkits.Userland_API_Hooking.Detection
IAT Hooking:
• Look in the IAT for function addresses that are not in the typical range, i.e. that fall outside the address range of the DLL named by the import descriptor (or that differ from the address that DLL actually exports for the function).
Inline Hooking:
• Check the first few bytes of a function for a jump, and compare them with the function's bytes in the clean file on disk.
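The following is an added example, not code from the slides: it models the import machinery from the rootkits.Userland_API_Hooking.IAT slide and then applies the IAT check from the Detection slide. The PE32+ image is built in memory with struct, the kernel32.dll base, size and export RVAs are constructed for the example, and RVAs are used directly as offsets because the buffer stands in for the image as the loader has already mapped it (so no section table is needed).

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_BASE = 0x0000000140000000   # constructed: where the example EXE is mapped

# Constructed stand-in for the loaded kernel32.dll: base, size and the RVAs of
# the two exports our image imports.  A real detector takes these from the
# process's module list and the DLL's export table.
LOADED_MODULES = {
    "KERNEL32.dll": (0x00007FF8A0000000, 0xC0000,
                     {"CreateFileW": 0x1A2B0, "FindNextFileW": 0x23F40}),
}


def build_image():
    """Lay out a tiny PE32+ image: DOS header, PE signature, file header,
    optional header with the import data directory, one import descriptor,
    its INT/IAT thunk arrays, the hint/name entries and the DLL name."""
    img = bytearray(0x700)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 240, 0)
    opt = 0x44 + 20                                              # optional header
    struct.pack_into("<H", img, opt, 0x20B)                      # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, IMAGE_BASE)
    struct.pack_into("<I", img, opt + 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     0x200, 40)                                  # import dir RVA, size
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk (INT), TimeDateStamp,
    # ForwarderChain, Name, FirstThunk (IAT).  A zeroed descriptor ends the list.
    struct.pack_into("<IIIII", img, 0x200, 0x300, 0, 0, 0x600, 0x400)
    off = 0x500
    for i, name in enumerate(["CreateFileW", "FindNextFileW"]):
        struct.pack_into("<Q", img, 0x300 + 8 * i, off)          # INT -> hint/name
        struct.pack_into("<Q", img, 0x400 + 8 * i, off)          # IAT: same, until loaded
        img[off + 2:off + 2 + len(name)] = name.encode()         # 16-bit hint (0), name
        off += 2 + len(name) + 1
    img[0x600:0x60C] = b"KERNEL32.dll"
    return img


def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode()


def import_descriptors(img):
    """Yield (dll name, INT rva, IAT rva) for each IMAGE_IMPORT_DESCRIPTOR."""
    opt = struct.unpack_from("<I", img, 0x3C)[0] + 4 + 20
    rva = struct.unpack_from("<I", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", img, rva)
        if iat_rva == 0:
            return
        yield cstr(img, name_rva), int_rva, iat_rva
        rva += 20


def iat_entries(img):
    """Yield (dll, function, IAT slot rva, slot value).  Names come from the
    INT, which the loader leaves untouched, so this works before and after
    import resolution."""
    for dll, int_rva, iat_rva in import_descriptors(img):
        for i in range(64):
            thunk = struct.unpack_from("<Q", img, int_rva + 8 * i)[0]
            if thunk == 0:
                break
            yield (dll, cstr(img, thunk + 2),                    # skip the hint
                   iat_rva + 8 * i, struct.unpack_from("<Q", img, iat_rva + 8 * i)[0])


def resolve_imports(img):
    """What the Windows loader does: write each export's VA into its IAT slot."""
    for dll, name, slot, _ in list(iat_entries(img)):
        base, _, exports = LOADED_MODULES[dll]
        struct.pack_into("<Q", img, slot, base + exports[name])


def hook_iat(img, dll, name, hook_va):
    """The rootkit's side: point one slot at its own code, so every
    `call [slot]` in the image now lands in the hook.  Returns the old VA."""
    for d, n, slot, old in iat_entries(img):
        if (d, n) == (dll, name):
            struct.pack_into("<Q", img, slot, hook_va)
            return old
    raise KeyError(f"{dll}!{name} is not imported")


def find_iat_hooks(img):
    """Detection slide's check: an IAT value must lie inside the module named
    by its import descriptor.  Returns the (dll, function, value) outliers."""
    bad = []
    for dll, name, _, value in iat_entries(img):
        base, size, _ = LOADED_MODULES[dll]
        if not base <= value < base + size:
            bad.append((dll, name, value))
    return bad
```

Running build_image(), resolve_imports() and then hook_iat() on FindNextFileW (the import Hacker Defender-style file hiding needs) makes find_iat_hooks() report exactly that slot. Two caveats for real use: compare the slot with the address the DLL's export table gives for the name, not only with the module range, and expect legitimate forwarded exports (kernel32 forwards several functions to ntdll) to fail a plain range check.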
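A second added example, again not from the slides, for the rootkits.Userland_API_Hooking.Inline slide and the inline check on the Detection slide: it plants the 5-byte relative JMP over a function prologue, builds the trampoline from the displaced bytes, and then looks for jump stubs at the entry point and for any difference from the clean on-disk copy. The prologue bytes, the DLL base, the trampoline cave and the hook address are constructed; the bytearray stands in for the target process's memory, where a real hook would be written with VirtualProtect and WriteProcessMemory after injection.

```python
import struct

# Constructed 64-bit function prologue, as a compiler would emit it:
#   48 89 5C 24 08   mov [rsp+8], rbx
#   57               push rdi
#   48 83 EC 20      sub rsp, 0x20
ORIGINAL_PROLOGUE = bytes.fromhex("48 89 5C 24 08 57 48 83 EC 20")
INSN_LENS = [5, 1, 4]            # instruction lengths; a real engine uses a disassembler

BASE = 0x00007FF8A0000000        # constructed load address of the hooked DLL
TARGET = BASE + 0x100            # VA of the function being hooked
FUNCS = {"FindNextFileW": TARGET}
TRAMP_VA = BASE + 0x1000         # code cave for the trampoline (constructed)
HOOK_VA = BASE + 0x0FFF0000      # the rootkit's replacement function (constructed)


def fresh_memory():
    """bytearray standing in for the process's view of the DLL, starting at BASE."""
    mem = bytearray(0x3000)
    mem[0x100:0x100 + len(ORIGINAL_PROLOGUE)] = ORIGINAL_PROLOGUE
    return mem


DISK_IMAGE = bytes(fresh_memory())   # the clean copy a detector reads from disk


def rel32(src, dst):
    """Displacement of an E9 (jmp rel32) located at src that lands on dst."""
    d = dst - (src + 5)
    if not -0x80000000 <= d <= 0x7FFFFFFF:
        raise ValueError("target beyond +/-2 GiB; an absolute stub is needed")
    return d


def make_jmp(src, dst):
    return b"\xE9" + struct.pack("<i", rel32(src, dst))


def install_inline_hook(mem, target, hook, tramp):
    """Rootkit side: overwrite target's first bytes with JMP hook.  The
    displaced instructions are copied to a trampoline followed by a JMP back
    to target+n, so the hook can still call the real function.  Returns the
    displaced bytes."""
    n = 0
    for length in INSN_LENS:         # displace whole instructions, never split one
        n += length
        if n >= 5:
            break
    off = target - BASE
    displaced = bytes(mem[off:off + n])
    # Caveat: displaced instructions must not be rip-relative (or must be
    # fixed up), because they now execute at a different address.
    tramp_body = displaced + make_jmp(tramp + n, target + n)
    mem[tramp - BASE:tramp - BASE + len(tramp_body)] = tramp_body
    mem[off:off + n] = make_jmp(target, hook) + b"\x90" * (n - 5)   # NOP the slack
    return displaced


def decode_jump(code, va):
    """Return (stub kind, destination) if code at va begins with a jump stub.
    For the indirect form the destination is the pointer slot, not the code."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        return "jmp rel32", va + 5 + struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":               # jmp [rip+disp32]
        return "jmp [rip+disp32]", va + 6 + struct.unpack_from("<i", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return None


def find_inline_hooks(mem, functions, disk_image=DISK_IMAGE):
    """Detection slide's check plus the stronger one: flag a jump stub at the
    entry point, and any byte that differs from the clean on-disk copy."""
    findings = []
    for name, va in functions.items():
        off = va - BASE
        live, clean = bytes(mem[off:off + 16]), disk_image[off:off + 16]
        stub = decode_jump(live, va)
        if stub or live != clean:
            findings.append((name, stub))
    return findings
```

The disk comparison matters because the jump test alone cuts both ways: a rootkit DLL mapped more than 2 GiB away cannot use E9 at all (rel32() refuses it) and will use one of the absolute stubs, while some legitimate functions start with a jump on purpose, so a clean reference copy is what settles it.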
rootkits.Resources
• Hacker Defender rootkit defeating common rootkit
detectors
• http://hxdef.org/download/brilliant.php
• Rootkit technology development
• http://www.rootkit.com
• Rootkit detection
• Strider - http://research.microsoft.com/rootkit
• BlackLight - http://www.f-secure.com/blacklight
• RootkitRevealer http://www.sysinternals.com/Utilities/RootkitRevealer.html
• Sophos Anti-Rootkit http://www.sophos.com/products/freetools/sophos-anti-rootkit.html
rootkits.References
• Hoglund, Greg and James Butler. Rootkits: Subverting the Windows Kernel. Stoughton, MA: Addison-Wesley, 2006.
• Portable Executable format: http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx