
ROOTKITs

by somma (fixbrain@gmail.com)
Contents

Classification of ROOTKITs

Type II ROOTKITs

Type III ROOTKITs

Next Generation ROOTKITs

Classification of ROOTKITs

1st Generation ( Type I )

Does not modify the OS / processes / etc…
-> replaces or modifies system files
-> UNIX login backdoor (binary modification)

2nd Generation ( Type II )

Modifies what is designed not to be modified
-> code of processes, modules, OS code, kernel modules, etc…
-> NTRootkit (pioneer of Windows kernel-based ROOTKITs), NTIllusion, etc…

3rd Generation ( Type III )

Modifies what is designed to be modified
-> data sections, heap, stack, etc…
-> FU (pioneer of DKOM - Direct Kernel Object Manipulation)

The NEXT Generation

Virtualization?

Type II ROOTKITs

NTIllusion

Hacker defender

NTRootkit
- The first Windows NT kernel-based ROOTKIT

Sony Rootkit

Modifies:
code sections (e.g. import table, export table)
user-mode / kernel-mode APIs
undocumented kernel-mode APIs
ISR (Interrupt Service Routine)
MSR (Model Specific Register)

2008-05-16 4
Type II ROOTKITs – cont.

API Hooking

Type II ROOTKITs – cont.

SDT Hooking (http://somma.egloos.com/2731001)

Type II ROOTKITs – cont.

IDT Hooking (http://somma.egloos.com/3365054)

Type II ROOTKITs – cont.

DEMO
- API Hooking (Ring 3) (CheatEngine)

- Code Injection (Ring 3) (WinMine.exe hacking)

- SDT hooking (Ring 0) (FxLoader / bkdp.sys)

- IDT hooking (Ring 0) (SDFP – app.exe / template.sys – real machine)

Type III ROOTKITs

FU
- The first ROOTKIT to introduce DKOM (Direct Kernel Object Manipulation)

He4Hook
- Raw IRP hooking on the file system driver

PHIDE2

Layered driver (Filter driver)

Modifies:
data sections
IRP handlers
kernel objects that are allocated and managed dynamically

Type III ROOTKITs – cont.

Break EPROCESS list

Type III ROOTKITs – cont.

Break DRIVER_OBJECT list

Type III ROOTKITs – cont.

DEMO
- FU rootkit

- jeng_2
SDT hook & DKOM example

Fighting ROOTKITs

Check IAT (Import Address Table)

Check inline hooks

Check System Service Dispatch Table (ntoskrnl.exe)

Check Shadow table (win32k.sys)

Check drivers’ IRP handlers

Check MSR ( MSR_SYSENTER )

How?
ECD (Explicit Compromise Detection)
Cross View Based Detection
Use DKOM to find ROOTKITs
- dump PspCidTable
- trace the OS scheduler database, etc…
Virtual Machine Monitor (http://northsecuritylabs.com/products.aspx )
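Two of the checks above (inline hooks and the SSDT) reduce to comparing what is in memory against a trusted reference. The following C is an added example, not from the slides or any of the tools they demo; the function address, prologue bytes, ntoskrnl range and table entries are constructed sample data, and the caller is assumed to have already read the on-disk prologue and the service table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting one exported API's prologue. */
typedef struct {
    int      hooked;   /* 1 when the in-memory bytes differ from the on-disk copy */
    uint64_t target;   /* decoded hook destination, 0 if the patch is not a known trampoline */
} hook_check_t;

static uint32_t rd32le(const uint8_t *p)   /* read a little-endian 32-bit value */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Inline-hook check: compare the first `len` bytes of the function at `va` as they
 * sit in memory against the clean bytes read from the module on disk. If they differ,
 * decode the two classic trampolines a Type II rootkit writes over a prologue:
 * JMP rel32 (E9 ..) and PUSH imm32 / RET (68 .. C3), so the hook owner can be located. */
hook_check_t check_inline_hook(uint64_t va, const uint8_t *mem, const uint8_t *disk, size_t len)
{
    hook_check_t r = { 0, 0 };
    if (memcmp(mem, disk, len) == 0) return r;        /* prologue intact */
    r.hooked = 1;
    if (len >= 5 && mem[0] == 0xE9)                    /* JMP rel32: target = next insn + disp */
        r.target = va + 5 + (int64_t)(int32_t)rd32le(mem + 1);
    else if (len >= 6 && mem[0] == 0x68 && mem[5] == 0xC3)
        r.target = rd32le(mem + 1);                    /* PUSH imm32 / RET: absolute target */
    return r;
}

/* SSDT check: every KiServiceTable entry must point inside ntoskrnl's image.
 * Returns how many entries fall outside [base, base + size), i.e. were redirected. */
size_t count_ssdt_hooks(const uint64_t *table, size_t n, uint64_t base, uint64_t size)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i] < base || table[i] >= base + size) bad++;
    return bad;
}

/* Constructed sample data (not captured from a real system). */
const uint8_t CLEAN_PROLOGUE[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };  /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t HOOKED_PROLOGUE[5] = { 0xE9, 0x80, 0xF2, 0x7F, 0x93 };  /* jmp 0x10001000 written at 0x7C801D7B */
const uint64_t NTOS_BASE = 0x804D7000ULL, NTOS_SIZE = 0x1F0000ULL;    /* assumed ntoskrnl image range */
const uint64_t SAMPLE_SSDT[4] = { 0x805A1234ULL, 0x80600000ULL, 0xF7A21000ULL, 0x804E0000ULL };

int main(void)
{
    hook_check_t r = check_inline_hook(0x7C801D7BULL, HOOKED_PROLOGUE, CLEAN_PROLOGUE, 5);
    printf("inline hook: %d, target 0x%llx\n", r.hooked, (unsigned long long)r.target);
    printf("SSDT entries outside ntoskrnl: %zu\n", count_ssdt_hooks(SAMPLE_SSDT, 4, NTOS_BASE, NTOS_SIZE));
    return 0;
}
```

On a live system the same comparison is what a tool like the demoed hook_shield performs; the on-disk bytes come from the module file after applying relocations, and the table entries from KeServiceDescriptorTable.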

Fighting ROOTKITs – cont.

DEMO
- API Hook detection and API Hook removal
hook_shield
PlgnPETest.dll

- Finding a process hidden by FU with the DKOM technique
dump PspCidTable

Next Generation ROOTKITs

DEMO
- Hypervisor based rootkit

Q&A
