Rootkits: the basics

Tim Shelton
[BL4CK] Black Security
[email protected]
http://blacksecurity.org

2006 Black Security 1

Introduction
 Black Security Research Group
 Exploitation
 Windows
 Linux / BSD / *NIX
 Embedded Systems
 Information Security Research &
Analysis
 Application Security Development

2006 Black Security 2

Rootkits
 Rootkits: Common Techniques
 Windows Rootkits & Malware
 DLL Injection
 Process Injection
 User-land / Kernel-land Attacks
 Linux / *BSD Rootkits
 User-land Rootkit
 Kernel-land Rootkit
 Mac OSX Rootkits
 User-land Rootkit
 Kernel-land Rootkit

2006 Black Security 3

User-Land vs. Kernel-
Land
 Multi-Layers of an Operating System
 User-Land
 Your personal applications run within this
space
 In case your application crashes, it will
not affect the stability of the entire system.
 Kernel-Land
 This is the “heart” of your O/S.
 Kernel Drivers
 Virtual Memory Manager

2006 Black Security 4

 Windows User-Land vs. Kernel-Land

Environment Subsystems
System & Service
Processes User Apps
OS/2 POSIX
Subsystem DLL
Win32

User
Kernel

Executive
Win32
Device
Kernel User/GDI
Drivers
Hardware Abstraction Layer (HAL)

2006 Black Security 5

Kernel-Land
 Kernel-Land
 Kernel Drivers
 Virtual Memory Manager

 Hardware Abstraction Layer

 Startup/Shutdown Procedure

2006 Black Security 6

Windows User-Land vs. Kernel-Land

2006 Black Security 7

Windows Rootkits
 History
 User-Land
 NTIllusion DLL User-Land Rootkit
 Vanquish – DLL Injection based
Romanian rootkit – Detour Patching
Example
 IAT Rootkit by Darkeagle
(http://eagle.blacksecurity.org)
 Kernel-Land
 Greg Hoglund’s NT Rootkit
 FU by fuzen_op

2006 Black Security 8

Windows Rootkits
 Expected Behaviors
 Resource Hooking & Monitoring
 Registry/Process Hiding
 File I/O (ZwOpen,ZwClose, etc)
 Network NDIS/TDI
 MSGina Hooking
 Keystroke Logger (simple)
 Theft of Personal Data
 Remote Communication/Control
2006 Black Security 9
Windows User-Land Rootkits
 How does it work?
 Patching Static Binaries
 Modifying binaries to hide results
• Task Manager / Process Explorer
• Netstat / ipconfig
• More
 Remote Code Injection
 Remote Thread Injection / DLL
Injection
• Controlling each User-Land processes

2006 Black Security 10

Windows User-Land Rootkits
 How does it work?
 Patching Static Binaries
 The Oldest “trick” in the book
• Replacing common Operating System
utilities used for tracking down malicious
activity, hindering those local tools from
finding out what is “really happening”.
 Common Issues
• Can become tedious, may miss some of
the tools available.
• Your rootkit package will become
increasingly larger and may risk being
noticed.
• Cannot bypass file-system integrity
checks. (Tripwire, Determina, etc)

2006 Black Security 11

Windows User-Land Rootkits
 How does it work?
 Remote Code Injection
 Remote DLL Injection
• Attacking each User-Land process
will allow us to control those
processes.
• What’s stopping us from recursively
injecting ourselves into every process
we can?

2006 Black Security 12

Windows User-Land Rootkits
 Remote Code Injection
 Remote Thread Injection
 Foundational building block of DLL Injection
 Maximum size of remote thread is 4k
(Default size of a page of virtual memory)
 One way to copy some code to another
process's address space and then execute it in
the context of this process involves the use of
remote threads and the WriteProcessMemory
API. Basically you copy the code to the remote
process directly now - via WriteProcessMemory -
and start its execution with
CreateRemoteThread.

2006 Black Security 13

Windows User-Land Rootkits

2006 Black Security 14

Windows User-Land Rootkits
 Remote Code Injection
 How Can We Inject Our Thread?
 Windows NT/2k/XP/2k3 Methodology
• Our objective: copy some code to another
process's address space and then
execute it in the context of this process.
• This technique involves the use of remote
threads and the WriteProcessMemory
API.
• Basically you copy the code to the remote
process directly now - via
WriteProcessMemory - and start its
execution with CreateRemoteThread.

2006 Black Security 15

Windows User-Land Rootkits
 Remote Code Injection
 What is the IAT Table?
 PE (Portable Executable) Format
• A global table that contains a list of all
the function pointers to any function
mapped into the running process
• This table is unique per process so it
must be duplicated within all
processes.

2006 Black Security 16

Windows User-Land Rootkits
 Remote Code Injection
 What is function “hooking”?
 Redirecting the “pointer” of the
function to your malicious “fake”
function.
 Also called function proxying

 Two methods of Function Proxying

 PointerPatching (easily detected)
 Detour Patching (harder to detect)

2006 Black Security 17

Rootkit Basics
 Pointer Patching
 Operating Systems use Global
Tables to keep track of all the
functions available from within a
process.
 By modifying one of these pointers

to a function with a pointer to our

“proxy” function, we can intercept
the request and parse the results.

2006 Black Security 18

Rootkit Basics
 Pointer Patching
 Why is this so bad?
 Rootkit detectors can read the
operating system and compare
those tables to original copies,
looking for changes.
 If it finds a discrepancy, it will

report as “hooked”

2006 Black Security 19

Rootkit Basics
 Detour Patching
 What is detour patching?
 By directly modifying the first few
bytes immediately after the
function located in memory, we
can insert a “detour”
 Detour: FAR JMP 0xDEADBEAF
• Where 0xDEADBEAF is a 4-byte
pointer to your malicious proxy
function
• Total patch size: 7 bytes

2006 Black Security 20

Rootkit Basics
 Detour Patching
 Why is this so bad?
 Rootkit detectors can read the first
few bytes looking for
“inappropriate” FAR JMP calls.
 So will rootkits ever be

undetectable?
• That’s why blackhats are driven to
continue our research for 0day

2006 Black Security 21

Windows Kernel-Land Rootkits
 Kernel-Land Rootkits
 A malicious Kernel Driver
 Most of the functions you need to
monitor are all accessible directly
from Kernel-Land
 Functions found in the SSDT

(System Service Descriptor Table)

• similar to the User-Land IAT Table

2006 Black Security 22

Windows Kernel-Land Rootkits
 Kernel-Land Rootkits
 A malicious Kernel Driver
 “Hook” any exported Kernel API
functions in order to monitor the
results it returns
 Detour Patching Kernel API

functions
 Hooking interrupts

2006 Black Security 23

Linux Rootkits
 History
 User-Land
 SSHEater-1.1 by Carlos Barros
 Kernel-Land
 Static-X’s Adore-NG 2.4/2.6 kernel
rootkit
 Rebel’s phalanx (patches

/dev/mem)
[email protected]

2006 Black Security 24

Linux Rootkits
 User-Land
 Patch User binaries (as before)
 Contains same faults as Windows User-
Land binary patching
 Can still hook the GOT (Global Offset
table)
 Kernel-Land 2.4/2.6
 Hook the SYS_CALL Table, Interrupt
Descriptor Table, and Global Descriptor
Table
 Detour Patching
 Directly patch /dev/mem or /dev/kmem

2006 Black Security 25

Linux Rootkits
 User-Land
 Signal Injection – Injecting your
own thread into a running process
using PTRACE_ATTACH and
PTRACE_DETACH will allow your
remote-thread to hook the GOT
and other functions for a complete
user-land runtime rootkit.
 Example: SSHeater-1.1

2006 Black Security 26

Linux User-Land Rootkits
 Remote Code Injection
 How Can We Inject Our Thread?
 Linux / BSD Methodology
• Our objective: copy some code to another
process's address space and then execute it in
the context of this process.
• This technique involves the use of injecting
remote signal handlers to take over the flow of
execution
(similar to how a debugger functions)
• By using ptrace-injection, we are able to
PTRACE_ATTACH to the target process, inject
our own malicious code, and then finally
PTRACE_DETACH
http://linuxgazette.net/issue83/sandeep.html
http://linuxgazette.net/issue85/sandeep.html

2006 Black Security 27

Linux User-Land Rootkits
 Remote Code Injection
 Linux Fluffy-Virus
 First public linux user-land injection proof of concept
code
 http://www.tty64.org/doc/infschedvirii.txt
 Methodology
 Loader
• Attach to process & Inject both pre-virus and virus
code
• Set EIP to pre-virus code
 Pre-Virus
• Register SIGALRM Signal Handler
• Hand control back to process
 Virus
• SIGALRM Handler invoked
• Begin our malicious code
• Jump back to pre-virus code

2006 Black Security 28

Linux Rootkits
 Issues with User-Land Rootkits
 File Integrity tools such as Tripwire
cannot be tricked by changing your
backdoored binaries alone
 One Way to trick Tripwire

 Write your own remote patching

thread to inject into Tripwire to hide
the results
(this would take research)

2006 Black Security 29

Linux Rootkits
 Kernel-Land
 2.4 Kernel – SYS_CALL table is
exported (so its easy to hook
functions)
 2.6 Kernel – SYS_CALL table is

hidden
 SuckIT– scans the IDT (Interrupt
Descriptor Table) for FAR JMP
*0xSCT[eax]

2006 Black Security 30

Linux Rootkits
 Kernel-Land
 Proxy system calls necessary to
trick the user
 File I/O Functions
• Look for read() of /etc/shadow
• Hide other processes from /proc
snooping
 Socket I/O Functions (sniffing)
• Sniff username/passwords

2006 Black Security 31

Linux Rootkits
 Kernel-Land
 What does this mean?
 Rootkits target specific installs
• Rootkit targeting GRSEC
• Rootkit targeting SELINUX
• etc

2006 Black Security 32

Linux Rootkits
 Issues with Kernel-Land Rootkits
 Requires a stealthy way to load
your rootkit into the kernel.
 Rootkit is vulnerable to detection if

loader is not written properly

 What can we patch that is reliable?

 hostname
 uname
 other binaries executed on startup
2006 Black Security 33
Mac OSX Rootkits
 History
 Still in early stages of research
 Nemo released WeaponX as an

original Proof-of-Concept
 Mac responded by hardening their

O/S Internals
 Nemo responded (like any self-

respecting blackhat) with his own

improved rootkit
2006 Black Security 34
Mac OSX Rootkits
 Remote Code Injection
 How Can We Inject Our Thread?
 Mac OSX Methodology
• Our objective: copy some code to
another process's address space and
then execute it in the context of this
process.
• This technique involves the use of
injecting remote signal handlers to
take over the flow of execution
(similar to how a debugger functions)

2006 Black Security 35

Mach OsX Remote Injection
/* get the task for the pid */
… [ Open Up the Process ] …

/* allocate memory for shellcode */

vm_allocate(task_address, size)

/* write shellcode */
vm_write(task,address,shellcode)

/* overwrite pointer */
vm_write(task + offset,pointer address)

2006 Black Security 36

Mac OSX Rootkits
 Kernel-Land
 WeaponX
 SYSENT Table – exported so its
easy to locate and “hook”
• Shortly after Nemo released
WeaponX, Mac no longer exported
the SYSENT Table
 SYSENT – possible to utilize
unix_syscall() which is an exported
symbol to locate the unique
location of the SYSENT Table.

2006 Black Security 37

Extended
 Rootkits to hide files in your
 Video Driver’s memory
 NIC Memory
 Sound Card memory
 BIOS/CMOS (eEye bootLoader)
 the sky is the limit

2006 Black Security 38

 Questions?

O
<|>
/\

2006 Black Security 39

About Us
 Black Security Research
 http://blacksecurity.org
 [email protected]
 Tim Shelton

 Thanks to:
 Nemo & AndrewG
http://felinemenace.org
 Rebel
 Izik – TTY64 Project
http://tty64.org
 #black crew

2006 Black Security 40