Rootkits: the basics

Tim Shelton [BL4CK] Black Security redsand@blacksecurity.org http://blacksecurity.org

2006 Black Security

1

Introduction

Black Security Research Group

Exploitation
  

Windows Linux / BSD / *NIX Embedded Systems

Information Security Research & Analysis  Application Security Development

2006 Black Security 2

Rootkits

Rootkits: Common Techniques

Windows Rootkits & Malware
  

DLL Injection Process Injection User-land / Kernel-land Attacks User-land Rootkit Kernel-land Rootkit User-land Rootkit Kernel-land Rootkit
2006 Black Security 3

Linux / *BSD Rootkits
 

Mac OSX Rootkits
 

User-Land vs. Kernel-Land

Multi-Layers of an Operating System

User-Land

Your personal applications run within this space In case your application crashes, it will not affect the stability of the entire system. This is the “heart” of your O/S. Kernel Drivers Virtual Memory Manager

Kernel-Land
  

2006 Black Security

4

Windows User-Land vs. Kernel-Land
Environment Subsystems
System & Service Processes User Apps
Subsystem DLL

OS/2

Win32

POSIX

User Kernel Executive
Device Drivers Kernel Win32 User/GDI

Hardware Abstraction Layer (HAL)

2006 Black Security

5

Kernel-Land

Kernel-Land
 Kernel

Drivers  Virtual Memory Manager  Hardware Abstraction Layer  Startup/Shutdown Procedure

2006 Black Security

6

Windows User-Land vs. Kernel-Land

2006 Black Security

7

Windows Rootkits

History

User-Land
 

NTIllusion DLL User-Land Rootkit Vanquish – DLL Injection based Romanian rootkit – Detour Patching Example IAT Rootkit by Darkeagle (http://eagle.blacksecurity.org) Greg Hoglund’s NT Rootkit FU by fuzen_op
2006 Black Security 8

Kernel-Land
 

Windows Rootkits

Expected Behaviors

Resource Hooking & Monitoring
      

Registry/Process Hiding File I/O (ZwOpen,ZwClose, etc) Network NDIS/TDI MSGina Hooking Keystroke Logger (simple) Theft of Personal Data Remote Communication/Control
2006 Black Security 9

Windows User-Land Rootkits

How does it work?

Patching Static Binaries

Modifying binaries to hide results
• Task Manager / Process Explorer • Netstat / ipconfig • More

Remote Code Injection

Remote Thread Injection / DLL Injection
• Controlling each User-Land processes
2006 Black Security 10

Windows User-Land Rootkits

How does it work?

Patching Static Binaries

The Oldest “trick” in the book
• Replacing common Operating System utilities used for tracking down malicious activity, hindering those local tools from finding out what is “really happening”.

Common Issues
• Can become tedious, may miss some of the tools available. • Your rootkit package will become increasingly larger and may risk being noticed. • Cannot bypass file-system integrity checks. (Tripwire, Determina, etc)
2006 Black Security 11

Windows User-Land Rootkits

How does it work?

Remote Code Injection

Remote DLL Injection
• Attacking each User-Land process will allow us to control those processes. • What’s stopping us from recursively injecting ourselves into every process we can?

2006 Black Security

12

Windows User-Land Rootkits

Remote Code Injection  Remote Thread Injection
 

Foundational building block of DLL Injection Maximum size of remote thread is 4k
(Default size of a page of virtual memory)

One way to copy some code to another process's address space and then execute it in the context of this process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly now - via WriteProcessMemory and start its execution with CreateRemoteThread.
2006 Black Security 13

Windows User-Land Rootkits

2006 Black Security

14

Windows User-Land Rootkits

Remote Code Injection

How Can We Inject Our Thread?

Windows NT/2k/XP/2k3 Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of this process. • This technique involves the use of remote threads and the WriteProcessMemory API. • Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread.

2006 Black Security

15

Windows User-Land Rootkits

Remote Code Injection

What is the IAT Table?

PE (Portable Executable) Format
• A global table that contains a list of all the function pointers to any function mapped into the running process • This table is unique per process so it must be duplicated within all processes.

2006 Black Security

16

Windows User-Land Rootkits

Remote Code Injection

What is function “hooking”?
Redirecting the “pointer” of the function to your malicious “fake” function.  Also called function proxying

Two methods of Function Proxying
 Pointer

Patching (easily detected)  Detour Patching (harder to detect)
2006 Black Security 17

Rootkit Basics

Pointer Patching
 Operating

Systems use Global Tables to keep track of all the functions available from within a process.  By modifying one of these pointers to a function with a pointer to our “proxy” function, we can intercept the request and parse the results.

2006 Black Security

18

Rootkit Basics

Pointer Patching

Why is this so bad?
 Rootkit

detectors can read the operating system and compare those tables to original copies, looking for changes.  If it finds a discrepancy, it will report as “hooked”

2006 Black Security

19

Rootkit Basics

Detour Patching

What is detour patching?
 By

directly modifying the first few bytes immediately after the function located in memory, we can insert a “detour”  Detour: FAR JMP 0xDEADBEAF
• Where 0xDEADBEAF is a 4-byte pointer to your malicious proxy function • Total patch size: 7 bytes
2006 Black Security 20

Rootkit Basics

Detour Patching

Why is this so bad?
 Rootkit

detectors can read the first few bytes looking for “inappropriate” FAR JMP calls.  So will rootkits ever be undetectable?
• That’s why blackhats are driven to continue our research for 0day

2006 Black Security

21

Windows Kernel-Land Rootkits

Kernel-Land Rootkits

A malicious Kernel Driver
Most of the functions you need to monitor are all accessible directly from Kernel-Land  Functions found in the SSDT (System Service Descriptor Table)

• similar to the User-Land IAT Table

2006 Black Security

22

Windows Kernel-Land Rootkits

Kernel-Land Rootkits

A malicious Kernel Driver
“Hook” any exported Kernel API functions in order to monitor the results it returns  Detour Patching Kernel API functions  Hooking interrupts

2006 Black Security

23

Linux Rootkits

History

User-Land

SSHEater-1.1 by Carlos Barros Adore-NG 2.4/2.6 kernel

Kernel-Land
 Static-X’s

rootkit  Rebel’s phalanx (patches /dev/mem)
rebel@blacksecurity.org

2006 Black Security

24

Linux Rootkits

User-Land
  

Patch User binaries (as before) Contains same faults as Windows UserLand binary patching Can still hook the GOT (Global Offset table) Hook the SYS_CALL Table, Interrupt Descriptor Table, and Global Descriptor Table Detour Patching Directly patch /dev/mem or /dev/kmem
2006 Black Security 25

Kernel-Land 2.4/2.6

 

Linux Rootkits

User-Land
Signal Injection – Injecting your own thread into a running process using PTRACE_ATTACH and PTRACE_DETACH will allow your remote-thread to hook the GOT and other functions for a complete user-land runtime rootkit.  Example: SSHeater-1.1

2006 Black Security 26

Linux User-Land Rootkits

Remote Code Injection  How Can We Inject Our Thread?

Linux / BSD Methodology
• Our objective: copy some code to another process's address space and then execute it in the context of this process. • This technique involves the use of injecting remote signal handlers to take over the flow of execution • By using ptrace-injection, we are able to PTRACE_ATTACH to the target process, inject our own malicious code, and then finally PTRACE_DETACH
http://linuxgazette.net/issue83/sandeep.html http://linuxgazette.net/issue85/sandeep.html (similar to how a debugger functions)

2006 Black Security

27

Linux User-Land Rootkits

Remote Code Injection  Linux Fluffy-Virus
 

First public linux user-land injection proof of concept code http://www.tty64.org/doc/infschedvirii.txt Loader
• Attach to process & Inject both pre-virus and virus code • Set EIP to pre-virus code

Methodology

Pre-Virus
• Register SIGALRM Signal Handler • Hand control back to process

Virus
• SIGALRM Handler invoked • Begin our malicious code • Jump back to pre-virus code 2006 Black Security 28

Linux Rootkits

Issues with User-Land Rootkits
File Integrity tools such as Tripwire cannot be tricked by changing your backdoored binaries alone  One Way to trick Tripwire

Write your own remote patching thread to inject into Tripwire to hide the results
(this would take research)

2006 Black Security

29

Linux Rootkits

Kernel-Land
2.4 Kernel – SYS_CALL table is exported (so its easy to hook functions)  2.6 Kernel – SYS_CALL table is hidden

 SuckIT

– scans the IDT (Interrupt Descriptor Table) for FAR JMP *0xSCT[eax]
2006 Black Security 30

Linux Rootkits

Kernel-Land

Proxy system calls necessary to trick the user

File I/O Functions
• Look for read() of /etc/shadow • Hide other processes from /proc snooping

Socket I/O Functions (sniffing)
• Sniff username/passwords

2006 Black Security

31

Linux Rootkits

Kernel-Land

What does this mean?
 Rootkits

target specific installs

• Rootkit targeting GRSEC • Rootkit targeting SELINUX • etc

2006 Black Security

32

Linux Rootkits

Issues with Kernel-Land Rootkits
Requires a stealthy way to load your rootkit into the kernel.  Rootkit is vulnerable to detection if loader is not written properly  What can we patch that is reliable?

  

hostname uname other binaries executed on startup
2006 Black Security 33

Mac OSX Rootkits

History
Still in early stages of research  Nemo released WeaponX as an original Proof-of-Concept  Mac responded by hardening their O/S Internals  Nemo responded (like any selfrespecting blackhat) with his own improved rootkit

2006 Black Security 34

Mac OSX Rootkits

Remote Code Injection

How Can We Inject Our Thread?
 Mac

OSX Methodology

• Our objective: copy some code to another process's address space and then execute it in the context of this process. • This technique involves the use of injecting remote signal handlers to take over the flow of execution
(similar to how a debugger functions)
2006 Black Security 35

Mach OsX Remote Injection
/* get the task for the pid */ … [ Open Up the Process ] … /* allocate memory for shellcode */ vm_allocate(task_address, size) /* write shellcode */ vm_write(task,address,shellcode) /* overwrite pointer */ vm_write(task + offset,pointer address)

2006 Black Security

36

Mac OSX Rootkits

Kernel-Land

WeaponX
 SYSENT

Table – exported so its easy to locate and “hook”
• Shortly after Nemo released WeaponX, Mac no longer exported the SYSENT Table

 SYSENT

– possible to utilize unix_syscall() which is an exported symbol to locate the unique location of the SYSENT Table.
2006 Black Security 37

Extended

Rootkits to hide files in your
    

Video Driver’s memory NIC Memory Sound Card memory BIOS/CMOS (eEye bootLoader) the sky is the limit

2006 Black Security

38

Questions?

O <|> /\
2006 Black Security 39

About Us

Black Security Research

http://blacksecurity.org

redsand@blacksecurity.org

Tim Shelton Thanks to:
   

Nemo & AndrewG http://felinemenace.org Rebel Izik – TTY64 Project http://tty64.org #black crew

2006 Black Security

40