Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 7 Rootkits Hoglund/Butler (Chapter 5-6). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.

Published byVictor Benedict Cole Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 7 Rootkits Hoglund/Butler (Chapter 5-6). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to."— Presentation transcript:

1 Lecture 7 Rootkits Hoglund/Butler (Chapter 5-6)

2 Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to hide rootkit presence –Modify data that stores information about processes, files, etc. that would reveal presence of rootkit Last chapter –Modifying execution path via “hooking” This chapter –Modifying execution path via run-time patching

3 Patching Source-code –Modify source and recompile Binary –Modify result of compilation Memory –Modify code in memory as program executes “direct code-byte patch” –Hardest to detect –Often combined with low-level hardware manipulation such as page-table management –Must be able to read/write memory where functions reside (i.e. be within kernel) –Previously covered (in-line function hooking)

4 Run-time patching: Detours Detour patching –Call hooks modify tables and can be detected by anti-virus/anti-rootkit technology –Insert jump into function directly Functions in multiple tables handled in one step –Example: MigBot Detours two kernel functions: NtDeviceIoControlFile and SeAccessCheck Both are exported and have entries in the PE header Issues –Instruction alignment (leaving crumbs) »Add 1 byte NOPs –Overwriting important code

5 Run-time patching: Detours Overwriting important code –Must know which OS is being used to ensure you know what code is overwritten –Must also ensure no one else has tampered or patched the function already –Must save the instructions being removed by adding the jump FAR JMPRest of original function Rootkit codeRemoved instructionsFAR JMP

6 Run-time patching: Detours Other issues –Using NonPagedPool memory Rootkit code resides in driver memory that can be paged out Place code in non-paged memory Allows driver itself to be unloaded so that it can no longer be detected Rootkit driver only loaded long enough to apply patch –Patching addresses Relative FAR JMP instruction target calculated at run-time Need to patch this with desired offset at run-time

7 Run-time patching: Jump Templates Example: Hooking the Interrupt Descriptor Table (IDT) –Patch all entries in IDT with same detour code –Easier than patching every interrupt service routine (ISRs) Each ISR at a different address Hook every IDT entry, but include unique jump details to call back to original ISR See code in book

8 Run-time patching: Original IDT ISR ptr IDT 0 1 i ISR ptr Original ISR 0 Original ISR 1 Original ISR i

9 Run-time patching: Jump Templates ISR ptr IDT Call rootkit with param 0 0 1 i ISR ptr Call rootkit with param 1 Call rootkit with param i FAR JMP to ISR 0 Original ISR 0 Rootkit code FAR JMP to ISR 1 Original ISR 1 FAR JMP to ISR i Original ISR i Jump templates

10 Variations Patching typically done at entry point –Easy to detect if placed in well-known place –Rootkit detection software often checks first 20 bytes of a function only –Solution: patch deep into function Good locations –Unique code byte strings (no false hits) –Within authentication functions –Kernel functions Integrity-checking functions Loader program that loads the kernel itself Network functions Firmware and BIOS

11 Layered drivers Ability to chain multiple drivers to avoid re- implementing functions that can be shared Example chain: keyboard drivers –Lowest-level driver deals with direct access to bus and hardware device –Next level deals with data formatting and error codes –Each level intercepts data from lower level, modifies it, and passes it on to higher level –Perfect for rootkits!

12 Keyboard chain example Keyboard class driver (Kbdclass) Keyboard port driver (i8042prt) 8042 keyboard controller Keyboard sniffer driver (rootkit) Keyboard driver chain

13 Details IRP (I/O request packet) –Contains stack specifying routines of the driver chain –I/O manager creates IRP and fills in IRP based on number of drivers in driver chain –Inject keyboard sniffer in chain, IRP automatically updated –Example: KLOG IRP header I/O Stack location #1 I/O Stack location #2 I/O Stack location #3 First driver to call Next driver to call Last driver to call

14 File filters Used for stealth –Rootkits store files in file system that must remain hidden Common approach –Hooking SSDT to hide local files –Does not hide files mounted via SMB Use layered file system drivers to hide all rootkit files –Install hook on all available drive letters (HookDriveSet in book) –Rootkit parses file name in QueryDirectory.FileInformationClass QueryBuffer Deletes entries associated with rootkit

Download ppt "Lecture 7 Rootkits Hoglund/Butler (Chapter 5-6). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
WDM 드라이버의 기본 구조 What is WDM?

WDM 드라이버의 기본 구조 What is WDM?
Devices and Drivers (Chapter 7) Khattab Alhabashi UNIX System Administration.

Devices and Drivers (Chapter 7) Khattab Alhabashi UNIX System Administration.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
CSCI 4717/5717 Computer Architecture

CSCI 4717/5717 Computer Architecture
File Management Systems

File Management Systems
1 Hardware and Software Architecture Chapter 2 n The Intel Processor Architecture n History of PC Memory Usage (Real Mode)

1 Hardware and Software Architecture Chapter 2 n The Intel Processor Architecture n History of PC Memory Usage (Real Mode)
Architectural Support for Operating Systems. Announcements Most office hours are finalized Assignments up every Wednesday, due next week CS 415 section.

Architectural Support for Operating Systems. Announcements Most office hours are finalized Assignments up every Wednesday, due next week CS 415 section.
Instruction Representation II (1) Fall 2007 Lecture 10: Instruction Representation II.

Instruction Representation II (1) Fall 2007 Lecture 10: Instruction Representation II.
Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.

Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.
Chapter 8: I/O Streams and Data Files. In this chapter, you will learn about: – I/O file stream objects and functions – Reading and writing character-based.

Chapter 8: I/O Streams and Data Files. In this chapter, you will learn about: – I/O file stream objects and functions – Reading and writing character-based.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface

Chapter 13: I/O Systems I/O Hardware Application I/O Interface
I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p. 495 - 527.

I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p
An Introduction to Device Drivers Sarah Diesburg COP 5641 / CIS 4930.

An Introduction to Device Drivers Sarah Diesburg COP 5641 / CIS 4930.
Segmentation & O/S Input/Output Chapter 4 & 5 Tuesday, April 3, 2007.

Segmentation & O/S Input/Output Chapter 4 & 5 Tuesday, April 3, 2007.
Hardware Definitions –Port: Point of connection –Bus: Interface Daisy Chain (A=>B=>…=>X) Shared Direct Device Access –Controller: Device Electronics –Registers:

Hardware Definitions –Port: Point of connection –Bus: Interface Daisy Chain (A=>B=>…=>X) Shared Direct Device Access –Controller: Device Electronics –Registers:
1 Lecture 20: I/O n I/O hardware n I/O structure n communication with controllers n device interrupts n device drivers n streams.

1 Lecture 20: I/O n I/O hardware n I/O structure n communication with controllers n device interrupts n device drivers n streams.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Similar presentations

Ads by Google