BlackHat Windows Security 2004 Data Hiding on a Live System by Harlan Carvey

Presentation transcript:

1 BlackHat Windows Security 2004 Data Hiding on a Live System by Harlan Carvey keydet89@yahoo.com

2 Purpose
- Present/discuss different techniques for hiding data on LIVE systems (NTFS)
- Address methods of preventing and detecting this activity
- What is NOT covered?
  - Maintenance tracks, boot sector, file slack, etc. (disk-level hiding places outside the live file system)

3 What is being hidden?
- Data
  - Text
  - Output of commands (samdump, etc.)
- Executables
  - Programs
  - Games
  - Rootkits

4 Who are we hiding it from?
- Other users
- Administrators
- Investigators/forensics analysts

5 Altering files
- File changes
  - Name
  - Extension
    - Information regarding extensions and associations is maintained in the Registry (under HKEY_CLASSES_ROOT); the 'assoc' command lists extension-to-file-type mappings and 'ftype' shows the command each file type runs
  - File signature (the "magic" bytes at the start of the file; this is NOT a hash)

6 Altering names/extensions
- Example: samdump.log -> C:\winnt\system32\MSODBC32.DLL
  - The text output of samdump is renamed to look like just another system DLL in a directory that holds hundreds of them; the new name and extension change what the file appears to be, not what it contains

7 Altering file signatures
- The signature sits in the first bytes of the file (the first 20 bytes are enough to check the common formats)
- Change JFIF/GIF89a in a graphics file to something else (JFIF follows the FF D8 FF E0 marker at offset 6 of a JPEG; GIF87a/GIF89a are at offset 0 of a GIF)
- Executables (.exe, .dll, .sys, .ocx, .scr) begin with "MZ"
- sigs.pl performs signature analysis: it compares what the leading bytes say the file is with what the extension claims
- Caveat: a file with an altered signature will not open in its normal application until the bytes are put back, and a signature that disagrees with the extension is exactly what signature analysis reports

8 DOS attributes
- 'attrib' command (attrib +h sets the hidden attribute; +h +s together mark a "protected operating system file", which Explorer hides even when hidden files are shown)
- Explorer settings (Folder Options: "Show hidden files and folders" and "Hide protected operating system files")
- 'dir' switch (dir /a[:h]: /a lists files regardless of attributes, /ah lists only hidden ones)
- Perl ignores attributes (opendir/readdir and glob return hidden files like any other)
- hfind.exe (Foundstone)
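The checks from slides 5 through 8 in one script, as an added example written for this transcript (it is not sigs.pl or hfind.exe, and the sample files it builds in a temporary directory are constructed, not taken from a real system). It reads the first 20 bytes of every file under a directory, decides what format the bytes describe, and reports files whose extension claims something else; because it matches the JPEG SOI marker at offset 0 rather than only the "JFIF" text at offset 6, overwriting "JFIF" alone does not fool it. The hidden-attribute column comes from st_file_attributes, which Python fills in on Windows only (elsewhere it reads as not hidden); like Perl's readdir, os.walk lists hidden files regardless.

```python
"""Signature-versus-extension scan of a directory tree (added example, not sigs.pl)."""
import os
import tempfile

# Magic bytes at fixed offsets: (offset, bytes, kind).  JFIF sits at offset 6 of
# a JPEG, after the FF D8 FF E0 xx xx header; everything else starts at offset 0.
SIGNATURES = [
    (0, b"MZ", "executable"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (6, b"JFIF", "jpeg"),
    (0, b"%PDF", "pdf"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # OLE compound file (.doc/.xls)
]

# Signature kind each extension is expected to carry.
EXPECTED = {
    ".exe": "executable", ".dll": "executable", ".sys": "executable",
    ".ocx": "executable", ".scr": "executable", ".drv": "executable",
    ".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf",
    ".zip": "zip", ".doc": "ole", ".xls": "ole",
}

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 attribute bit set by 'attrib +h'


def identify(head):
    """Return the format the leading bytes describe, or None if no signature matches."""
    for offset, magic, kind in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return kind
    return None


def check_file(path):
    """Return (expected_kind, actual_kind, hidden) for one file."""
    with open(path, "rb") as fh:
        head = fh.read(20)
    st = os.stat(path)
    hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
    ext = os.path.splitext(path)[1].lower()
    return EXPECTED.get(ext), identify(head), hidden


def scan(root):
    """Return (path, expected, actual, hidden) for every file whose content does
    not match its extension, plus every hidden file whatever its content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            expected, actual, hidden = check_file(path)
            mismatch = expected is not None and actual != expected
            if mismatch or hidden:
                findings.append((path, expected, actual, hidden))
    return findings


def demo():
    """Constructed sample tree: a real-looking DLL, a renamed samdump log, a JPEG with
    'JFIF' overwritten, and a GIF with its whole signature overwritten."""
    root = tempfile.mkdtemp()
    samples = {
        "real.dll": b"MZ\x90\x00" + b"\x00" * 60,
        "MSODBC32.DLL": b"Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
                        b"31d6cfe0d16ae931b73c59d7e0c089c0:::\n",
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10XXXX" + b"\x00" * 16,   # still a JPEG
        "notes.gif": b"XXXXXX" + b"\x00" * 32,                          # signature gone
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return sorted(os.path.basename(p) for p, *_ in scan(root))


if __name__ == "__main__":
    print(demo())
```

Run against a real tree with scan(r"C:\winnt\system32"); the renamed log and the GIF are reported, the JPEG with only its "JFIF" text changed is not.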

9 File splitting
- Almost as old as DOS
- Many programs available
- Malicious uses: a file cut into segments with innocuous names can be scattered across directories or media; only the first segment still carries the original's signature, so signature analysis sees the others as unknown data

10 File splitting (diagram: original file -> arbitrarily sized segments)

11 "Touching" files
- Alter the creation, last-access and last-modification dates (the MAC times)
- 'touch' in Unix
- Microsoft SetFileTime() API
- Used to hide from search tools that select files by a date window
- dir /t[:a] (sort/list by one timestamp: /t:c creation, /t:a last access, /t:w last write)
- afind.exe (Foundstone)
- macmatch.exe (NTSecurity.nu)
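What a date-window search misses after a file has been touched, and one way to spot the touch, as an added example written for this transcript (not afind or macmatch). backdate() is the portable os.utime() form of what SetFileTime() does on Windows; os.utime sets last-access and last-write only, so changing a creation time on NTFS needs SetFileTime itself. The anomaly check assumes a file cannot have been written before it existed: on Windows st_ctime is the creation time, macOS/BSD expose st_birthtime, and on Linux st_ctime is the inode change time (which os.utime bumps to "now"), so the check is exact on NTFS and only an approximation on Linux. The two files are constructed in a temporary directory.

```python
"""Backdating a file's times and finding the result (added example, not afind/macmatch)."""
import os
import tempfile
import time

DAY = 86400


def modified_since(root, since):
    """Names of files under root whose last-write time is at or after 'since':
    the selection a date-window search (dir /t:w, afind) relies on."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.stat(os.path.join(dirpath, name)).st_mtime >= since:
                hits.append(name)
    return sorted(hits)


def backdate(path, when):
    """Set last-access and last-write to 'when' (seconds since the epoch)."""
    os.utime(path, (when, when))


def creation_time(st):
    # Birth time where the platform exposes it (macOS/BSD); on Windows st_ctime
    # is the creation time; on Linux it is the inode change time (see lead-in).
    return getattr(st, "st_birthtime", st.st_ctime)


def timestamp_anomalies(root):
    """Files whose last-write time precedes their creation time.  That ordering only
    arises from copying with preserved times or from deliberate backdating."""
    odd = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.stat(os.path.join(dirpath, name))
            if st.st_mtime < creation_time(st) - 1:      # 1 s slack for coarse clocks
                odd.append(name)
    return sorted(odd)


def demo():
    """Constructed scenario: two files written now, one of them then pushed back 400 days."""
    root = tempfile.mkdtemp()
    for name in ("readme.txt", "samdump.log"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    window = time.time() - 7 * DAY              # "anything modified in the last week"
    before = modified_since(root, window)       # both files
    backdate(os.path.join(root, "samdump.log"), time.time() - 400 * DAY)
    after = modified_since(root, window)        # samdump.log has dropped out
    return before, after, timestamp_anomalies(root)


if __name__ == "__main__":
    print(demo())
```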

12 File binding
- Elite Wrap
- Saran Wrap, Silk Rope
- A binder joins two or more executables into one; running the bound program runs the carrier (a game, a utility) and silently runs the payload as well

13 OLE/COM
- MS OLE/COM API
- "Structured Storage", "Compound files"
- "File system within a file": one file holds a hierarchy of storages (directories) and streams (files)
- MergeStreams demo: merges a Word document and an Excel workbook into one compound file; which one opens depends on the extension the file is given
- May discover using 'strings' or 'grep' (a hidden stream's text is still in the file)
- wd.exe

14 NTFS alternate data streams
- NTFS4 (NT) and NTFS5 (2K)
- An ADS is an additional, named $DATA attribute on a file or directory; 'dir' and Explorer report only the unnamed stream's size, so the content is invisible to ordinary listings
- Creating
- Using
- Running executables hidden in ADSs
- NTFS4 vs. NTFS5

15 Creating ADSs
- 'type' command: type notepad.exe > myfile.txt:np.exe
- cp.exe from the Resource Kit
- Bind to a file or to a directory listing
  - notepad myfile.txt:hidden.txt (stream attached to the file)
  - notepad :hidden.txt (stream attached to the current directory)

16 Executing ADSs
- Running executables hidden in ADSs
- Native methods
  - NTFS4: 'start' (Foundstone)
  - NTFS5: several methods

17 Detecting ADSs
- lads.exe, by Frank Heyne (heysoft.de)
- sfind.exe (Foundstone)
- streams.exe (Sysinternals)
- ads.pl (Perl)
- All of these walk the file system and enumerate each file's streams; a rootkit that hides a file hides its streams with it
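Slides 15 through 17 in code, as an added example written for this transcript (it is not lads, sfind, streams.exe or ads.pl). Creating a stream needs nothing special: opening "myfile.txt:np.exe" for writing on an NTFS volume does it. Enumeration here uses FindFirstStreamW/FindNextStreamW from kernel32 through ctypes, which exist on Windows Server 2003, Vista and later (not on the NT4/2K systems the slides discuss, where the tools above used other means), so list_streams() is Windows-only; the helpers that interpret the ":name:$DATA" names and decide which streams to report are plain Python. Treating Zone.Identifier as the one routinely benign stream is this example's assumption.

```python
"""Creating and enumerating NTFS alternate data streams (added example)."""
import ctypes
import os
import sys
import tempfile

# FindFirstStreamW reports every stream as ":name:$DATA"; the unnamed (default) stream is "::$DATA".
def parse_stream_name(raw):
    """Return the stream name from a cStreamName field, or None for the unnamed stream."""
    if not raw.startswith(":"):
        raise ValueError("unexpected stream name: %r" % raw)
    name, _sep, _type = raw[1:].rpartition(":")
    return name or None


# Zone.Identifier is written by Internet Explorer/Outlook on downloaded files and is
# the one named stream routinely found on a workstation (assumption of this example).
BENIGN = {"Zone.Identifier"}

def suspicious(streams):
    """Filter a list of (name, size) down to the named streams worth reporting."""
    return [(n, s) for n, s in streams if n is not None and n not in BENIGN]


def list_streams(path):
    """Enumerate (name, size) for every $DATA stream on a file or directory (Windows only)."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API")
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (wintypes.MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value
    ERROR_HANDLE_EOF = 38

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle == INVALID_HANDLE_VALUE:
        if ctypes.get_last_error() == ERROR_HANDLE_EOF:
            return []                                   # directory with no named streams
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            found.append((parse_stream_name(data.cStreamName), data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break                                   # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return found


def hide_and_find(host, stream_name, payload):
    """Write payload into host:stream_name (the 'type notepad.exe > myfile.txt:np.exe'
    trick) and return the named streams an enumerator then sees on host (Windows/NTFS)."""
    with open(host + ":" + stream_name, "wb") as fh:
        fh.write(payload)
    return suspicious(list_streams(host))


if __name__ == "__main__":
    host = os.path.join(tempfile.mkdtemp(), "myfile.txt")
    with open(host, "w") as fh:
        fh.write("nothing to see here\n")
    print(hide_and_find(host, "np.exe", b"MZ" + b"\x00" * 62))     # constructed payload
```

On Vista and later, 'dir /r' also lists streams, but a stream enumerator is still what finds them across a whole volume.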

18 Encryption
- PGP
- Fcrypt (ntsecurity.nu)
- Perl (Crypt::TripleDES)

19 Steganography
- The art of hiding information inside other information (an image, an audio file)
- S-Tools4
- http://www.citi.umich.edu/u/provos/stego/
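The least-significant-bit technique that tools such as S-Tools apply to BMP and GIF data, as an added example written for this transcript (not S-Tools' own code). Each payload bit replaces the low bit of one cover byte, after a 32-bit length prefix so the extractor knows where to stop; no cover byte changes by more than one. The cover here is a constructed byte string standing in for a bitmap's pixel data, so the example runs without an image file.

```python
"""LSB steganography on a raw pixel buffer (added example, not S-Tools)."""
import struct


def embed(cover, payload):
    """Return a copy of cover with payload hidden in the LSBs (8 cover bytes per payload byte)."""
    msg = struct.pack(">I", len(payload)) + payload        # length prefix, then data
    if len(msg) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes" % (len(msg) * 8))
    out = bytearray(cover)
    i = 0
    for byte in msg:
        for bit in range(7, -1, -1):                        # most significant bit first
            out[i] = (out[i] & 0xFE) | ((byte >> bit) & 1)
            i += 1
    return bytes(out)


def _read(stego, start, n):
    """Reassemble n bytes from the LSBs of stego, beginning at cover offset start."""
    out = bytearray()
    for k in range(n):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[start + k * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Recover the payload written by embed()."""
    length = struct.unpack(">I", _read(stego, 0, 4))[0]
    return _read(stego, 32, length)                         # 4 prefix bytes = 32 cover bytes


def demo():
    """Constructed 1024-byte 'pixel' buffer; returns (recovered payload,
    number of cover bytes that changed, largest change to any byte)."""
    cover = bytes(range(256)) * 4
    secret = b"samdump output goes here"
    stego = embed(cover, secret)
    changed = sum(1 for a, b in zip(cover, stego) if a != b)
    largest = max(abs(a - b) for a, b in zip(cover, stego))
    return extract(stego), changed, largest


if __name__ == "__main__":
    print(demo())
```

A 24-byte secret costs 224 cover bytes and alters each of them by at most 1, which is why the change is invisible to the eye and why detection relies on statistics of the LSB plane rather than on looking at the picture.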

20 Registry
- Licensing information
- Software installation dates and information
- Contains binary and string data types, so a value (REG_BINARY, REG_SZ) can hold arbitrary data; the Registry is itself a place to hide

21 "Hidden" functionality
- Registry keys used by various malware
  - The ubiquitous "Run" key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run and its HKCU counterpart)
- Services
- ClearPageFileAtShutdown Registry key (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management; set to 1, the pagefile is overwritten at shutdown, taking any swapped-out evidence with it)
- StartUp directories
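A triage pass over Run-key entries, as an added example written for this transcript (the slide names the locations; the parsing and the heuristics are this example's, not the author's). Run values are command lines, so the program path is pulled out the way the shell would (a quoted token, or up to the first space; for rundll32 the DLL named before ",EntryPoint"), and then checked for three things the earlier slides make interesting: a target outside the Windows and Program Files directories, a bare name with no directory, or a target inside an alternate data stream. Reading the live keys uses winreg and is Windows-only; the constructed sample entries let the checks run anywhere, and the two environment-variable expansions are an assumption.

```python
"""Triage of Run/RunOnce autostart command lines (added example)."""
import os
import sys

TRUSTED_DIRS = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\")
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".com", ".cpl"}
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")


def split_cmdline(cmdline):
    """Split a command line into (program, remaining arguments) as the shell does:
    a leading double-quoted token, otherwise everything up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end < 0:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    head, _sep, rest = s.partition(" ")
    return head, rest.strip()


def launched_module(cmdline):
    """Path of the code that actually runs: the program itself, or for rundll32
    the DLL named before the ',EntryPoint' argument."""
    prog, rest = split_cmdline(cmdline)
    if prog.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32") and rest:
        dll, _args = split_cmdline(rest.partition(",")[0])
        return dll
    return prog


def review(cmdline):
    """Reasons an autostart entry deserves a look (empty list = nothing odd)."""
    mod = launched_module(cmdline).lower()
    # Two common variables expanded by hand (assumption; real entries may use others).
    mod = mod.replace("%systemroot%", "c:\\windows").replace("%programfiles%", "c:\\program files")
    body = mod[2:] if len(mod) > 1 and mod[1] == ":" else mod     # strip "c:"
    host, _sep, stream = body.partition(":")                      # a second colon = ADS
    reasons = []
    if "\\" not in host:
        reasons.append("bare name, resolved through the search path at logon")
    elif not mod.startswith(TRUSTED_DIRS):
        reasons.append("outside the Windows and Program Files directories")
    if stream:
        reasons.append("target is an alternate data stream")
    if os.path.splitext(host)[1] not in EXEC_EXT:
        reasons.append("non-executable extension")
    return reasons


# Constructed sample entries: three ordinary ones, one ADS target, one bare name.
SAMPLES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"',
    "NvCpl": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    "msodbc": r"C:\WINNT\system32\MSODBC32.DLL:np.exe",
    "update": r"wupdmgr.exe /quiet",
}


def triage(entries=SAMPLES):
    """Map entry name -> reasons, for the entries that have any."""
    result = {}
    for name, cmd in entries.items():
        reasons = review(cmd)
        if reasons:
            result[name] = reasons
    return result


def read_run_keys():
    """Yield (hive, name, command) from the live Run/RunOnce keys (Windows only)."""
    import winreg
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, value, _type = winreg.EnumValue(key, index)
                    except OSError:
                        break                       # ERROR_NO_MORE_ITEMS
                    yield hive_name, name, value
                    index += 1


if __name__ == "__main__":
    live = {"%s %s" % (h, n): v for h, n, v in read_run_keys()} if sys.platform == "win32" else SAMPLES
    for name, reasons in triage(live).items():
        print(name, "->", "; ".join(reasons))
```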

22 Rootkits
- Kernel-mode vs. user-mode
- API hooking / DLL injection
- NTRootkit (kernel-mode)
- HackerDefender (DLL injection)
- AFX Rootkit 2003 (DLL injection)
- Vanquish (DLL injection)
- FU (DKOM: direct kernel object manipulation, which unlinks the process from the kernel's list rather than hooking an API)

23 How to prevent/detect
- Configuration policies/management
- Monitoring
  - Event logs
  - Additional monitoring applications
- Scans

24 Questions?
