Lecture 7 Rootkits Hoglund/Butler (Chapter 5-6). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.

Slides:



Advertisements
Similar presentations
Operating Systems Components of OS
Advertisements

WDM 드라이버의 기본 구조 What is WDM?
Devices and Drivers (Chapter 7) Khattab Alhabashi UNIX System Administration.
Operating System Security : David Phillips A Study of Windows Rootkits.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
CSCI 4717/5717 Computer Architecture
File Management Systems
1 Hardware and Software Architecture Chapter 2 n The Intel Processor Architecture n History of PC Memory Usage (Real Mode)
Architectural Support for Operating Systems. Announcements Most office hours are finalized Assignments up every Wednesday, due next week CS 415 section.
Instruction Representation II (1) Fall 2007 Lecture 10: Instruction Representation II.
Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.
Chapter 8: I/O Streams and Data Files. In this chapter, you will learn about: – I/O file stream objects and functions – Reading and writing character-based.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface
I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p
An Introduction to Device Drivers Sarah Diesburg COP 5641 / CIS 4930.
Segmentation & O/S Input/Output Chapter 4 & 5 Tuesday, April 3, 2007.
Hardware Definitions –Port: Point of connection –Bus: Interface Daisy Chain (A=>B=>…=>X) Shared Direct Device Access –Controller: Device Electronics –Registers:
1 Lecture 20: I/O n I/O hardware n I/O structure n communication with controllers n device interrupts n device drivers n streams.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Rootkits in Windows XP  What they are and how they work.
Contact Information Office: 225 Neville Hall Office Hours: Monday and Wednesday 12:00-1:00 and by appointment.
Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics 
CE Operating Systems Lecture 11 Windows – Object manager and process management.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
Operating Systems Lecture November 2015© Copyright Virtual University of Pakistan 2 Agenda for Today Review of previous lecture Hardware (I/O, memory,
Hidden Processes: The Implication for Intrusion Detection
13-Nov-15 (1) CSC Computer Organization Lecture 7: Input/Output Organization.
CSNB374: Microprocessor Systems Chapter 5: Procedures and Interrupts.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Interrupt driven I/O. MIPS RISC Exception Mechanism The processor operates in The processor operates in user mode user mode kernel mode kernel mode Access.
An Introduction to Device Drivers Ted Baker  Andy Wang COP 5641 / CIS 4930.
CE Operating Systems Lecture 2 Low level hardware support for operating systems.
Chapter 1 Computers, Compilers, & Unix. Overview u Computer hardware u Unix u Computer Languages u Compilers.
CE Operating Systems Lecture 2 Low level hardware support for operating systems.
Lecture 4 Mechanisms & Kernel for NOSs. Mechanisms for Network Operating Systems  Network operating systems provide three basic mechanisms that support.
7. IRQ and PIC ENGI 3655 Lab Sessions. Richard Khoury2 Textbook Readings  Interrupts ◦ Section
Input/Output Problems Wide variety of peripherals —Delivering different amounts of data —At different speeds —In different formats All slower than CPU.
Interrupt driven I/O Computer Organization and Assembly Language: Module 12.
VMM Based Rootkit Detection on Android
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
1 Device Controller I/O units typically consist of A mechanical component: the device itself An electronic component: the device controller or adapter.
Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.
File System Department of Computer Science Southern Illinois University Edwardsville Spring, 2016 Dr. Hiroshi Fujinoki CS 314.
Operating Systems A Biswas, Dept. of Information Technology.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
Rogue Wireless Router By Alex Crowell and James Kasten.
Introduction to Operating Systems Concepts
Introduction to Operating Systems
CS501 Advanced Computer Architecture
Microprocessor Systems Design I
Exceptional Control Flow
Chapter 2: System Structures
CSE451 I/O Systems and the Full I/O Path Autumn 2002
Exceptional Control Flow
Introduction to the Kernel and Device Drivers
Assembler Design Options
Hidden Processes: The Implication for Intrusion Detection
An Introduction to Device Drivers
Introduction to Operating Systems
Module IV Memory Organization.
Hiding Malware Rootkits
Operating Systems Lecture 3.
Modern PC operating systems
Lecture 8: Efficient Address Translation
Chapter 13: I/O Systems “The two main jobs of a computer are I/O and [CPU] processing. In many cases, the main job is I/O, and the [CPU] processing is.
Presentation transcript:

Lecture 7 Rootkits Hoglund/Butler (Chapter 5-6)

Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to hide rootkit presence –Modify data that stores information about processes, files, etc. that would reveal presence of rootkit Last chapter –Modifying execution path via “hooking” This chapter –Modifying execution path via run-time patching

Patching Source-code –Modify source and recompile Binary –Modify result of compilation Memory –Modify code in memory as program executes “direct code-byte patch” –Hardest to detect –Often combined with low-level hardware manipulation such as page-table management –Must be able to read/write memory where functions reside (i.e. be within kernel) –Previously covered (in-line function hooking)

Run-time patching: Detours Detour patching –Call hooks modify tables and can be detected by anti-virus/anti-rootkit technology –Insert jump into function directly Functions in multiple tables handled in one step –Example: MigBot Detours two kernel functions: NtDeviceIoControlFile and SeAccessCheck Both are exported and have entries in the PE header Issues –Instruction alignment (leaving crumbs) »Add 1 byte NOPs –Overwriting important code

Run-time patching: Detours Overwriting important code –Must know which OS is being used to ensure you know what code is overwritten –Must also ensure no one else has tampered or patched the function already –Must save the instructions being removed by adding the jump FAR JMPRest of original function Rootkit codeRemoved instructionsFAR JMP

Run-time patching: Detours Other issues –Using NonPagedPool memory Rootkit code resides in driver memory that can be paged out Place code in non-paged memory Allows driver itself to be unloaded so that it can no longer be detected Rootkit driver only loaded long enough to apply patch –Patching addresses Relative FAR JMP instruction target calculated at run-time Need to patch this with desired offset at run-time

Run-time patching: Jump Templates Example: Hooking the Interrupt Descriptor Table (IDT) –Patch all entries in IDT with same detour code –Easier than patching every interrupt service routine (ISRs) Each ISR at a different address Hook every IDT entry, but include unique jump details to call back to original ISR See code in book

Run-time patching: Original IDT ISR ptr IDT 0 1 i ISR ptr Original ISR 0 Original ISR 1 Original ISR i

Run-time patching: Jump Templates ISR ptr IDT Call rootkit with param i ISR ptr Call rootkit with param 1 Call rootkit with param i FAR JMP to ISR 0 Original ISR 0 Rootkit code FAR JMP to ISR 1 Original ISR 1 FAR JMP to ISR i Original ISR i Jump templates

Variations Patching typically done at entry point –Easy to detect if placed in well-known place –Rootkit detection software often checks first 20 bytes of a function only –Solution: patch deep into function Good locations –Unique code byte strings (no false hits) –Within authentication functions –Kernel functions Integrity-checking functions Loader program that loads the kernel itself Network functions Firmware and BIOS

Layered drivers Ability to chain multiple drivers to avoid re- implementing functions that can be shared Example chain: keyboard drivers –Lowest-level driver deals with direct access to bus and hardware device –Next level deals with data formatting and error codes –Each level intercepts data from lower level, modifies it, and passes it on to higher level –Perfect for rootkits!

Keyboard chain example Keyboard class driver (Kbdclass) Keyboard port driver (i8042prt) 8042 keyboard controller Keyboard sniffer driver (rootkit) Keyboard driver chain

Details IRP (I/O request packet) –Contains stack specifying routines of the driver chain –I/O manager creates IRP and fills in IRP based on number of drivers in driver chain –Inject keyboard sniffer in chain, IRP automatically updated –Example: KLOG IRP header I/O Stack location #1 I/O Stack location #2 I/O Stack location #3 First driver to call Next driver to call Last driver to call

File filters Used for stealth –Rootkits store files in file system that must remain hidden Common approach –Hooking SSDT to hide local files –Does not hide files mounted via SMB Use layered file system drivers to hide all rootkit files –Install hook on all available drive letters (HookDriveSet in book) –Rootkit parses file name in QueryDirectory.FileInformationClass QueryBuffer Deletes entries associated with rootkit

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.