vice – catch the hookers! (plus new rootkit techniques)
DESCRIPTION
VICE – Catch the hookers! (Plus new rootkit techniques). Jamie Butler Greg Hoglund. Agenda. Introduction to Rootkits Where to Hook VICE detection Direct Kernel Object Manipulation (DKOM) No hooking required! Demonstration of FU rootkit. Operating System Design. User Land - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/1.jpg)
VICE – Catch the hookers!(Plus new rootkit techniques)
Jamie ButlerGreg Hoglund
![Page 2: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/2.jpg)
Agenda
• Introduction to Rootkits• Where to Hook• VICE detection• Direct Kernel Object Manipulation
(DKOM)– No hooking required!
• Demonstration of FU rootkit
![Page 3: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/3.jpg)
Operating System Design
• User Land– Operating system provides common API for
developers to use• Kernel32.dll• Ntdll.dll
• Kernel Mode– The low level kernel functions that implement
the services needed in user land– Protected memory containing objects such as
those for processes, tokens, ports, etc.
![Page 4: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/4.jpg)
Attack Scenario
• Attacker gains elevated access to computer system• Attacker installs a Rootkit• Rootkit’s functions
– Hide processes– Hide files– Hide network connections– Install a backdoor for future access to the system
• Rootkits act as a part of the operating system so they have access to kernel functions.
![Page 5: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/5.jpg)
State of Current Rootkits• Until recently, rootkits were nothing more than
Trojan programs such as ps, ls, top, du, and netstat• Advanced rootkits filter data
– Hook the Import Address Table (IAT) in processes
– Hook the System Call Table of the operating system (the functions exported by the kernel)
– Hook the Interrupt Descriptor Table (IDT) • Interrupts are used to signal to the kernel that it has work to
perform.• By hooking one interrupt, a clever rootkit can filter all
exported kernel functions.
![Page 6: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/6.jpg)
Import Address Table
Table Entry
FunctionName or Ordinal
0x11223344
IAT Hooks
![Page 7: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/7.jpg)
Table Entry
FunctionName or Ordinal
0x11223344
Some DLL
CODE
CODEIAT Hooks
![Page 8: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/8.jpg)
Some DLL
CODE
CODE
Some Rootkit
BAD CODE
IAT Hooks
![Page 9: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/9.jpg)
Some DLL
CODE
CODE
Some Rootkit
BAD CODE
IAT Hooks
![Page 10: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/10.jpg)
USER MODE KERNEL MODE
KiSystemServiceSystem Call
Table EntrySystem Service Descriptor Table
Call Number
0x11223344
![Page 11: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/11.jpg)
USER MODE KERNEL MODE
System Call
Table EntrySystem Service Descriptor Table
Call Number
0x11223344
Kernel or module
![Page 12: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/12.jpg)
USER MODE KERNEL MODE
System Call
System Service Descriptor Table
Kernel or module
Some rootkit
![Page 13: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/13.jpg)
USER MODE KERNEL MODE
System Call
System Service Descriptor Table
Kernel or module
Some rootkit
![Page 14: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/14.jpg)
USER MODE KERNEL MODE
System Call Kernel or module
Some rootkit
![Page 15: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/15.jpg)
Control Flow … aka Places to Hook
Kernel32
CreateFileWNTDLL
NtCreateFile
User Land Kernel
![Page 16: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/16.jpg)
Control Flow … aka Places to Hook
User Land Kernel
IDT
2E
&NtCreateFile
NtCreateFile{
push ebp
mov ebp, esp
xor eax, eax
push eax
…
}
System Call Table
![Page 17: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/17.jpg)
VICE
• VICE is a tool to detect rootkits– Designed originally to detect hooks
• Kernel System Call Hooks• Win32 API Hooks• In-line function patching
• VICE has an API so other it can be easily incorporated into other tools
![Page 18: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/18.jpg)
VICE Demonstrations
![Page 19: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/19.jpg)
• VICE
vs
hxdef rootkit
![Page 20: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/20.jpg)
• VICE
vs
Vanquish rootkit
![Page 21: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/21.jpg)
Consumers demand more…
• Corporations and many private consumers see the need for more security– Personal firewalls– Host based intrusion prevention systems
![Page 22: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/22.jpg)
Current HIDS/HIPS Functions
• To detect or prevent:– Processes running– Files that are created/deleted/modified– Network connections made– Privilege escalation
• Trusts the operating system to report these activities.
• If the underlying operating system is compromised, the HIDS/HIPS fails.
![Page 23: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/23.jpg)
What Makes HIDS/HIPS Possible?
• Querying kernel reporting functions• Hooking user land API functions
– Kernel32.dll– Ntdll.dll
• Hooking the System Call Table• Registering OS provided call-back
functions
![Page 24: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/24.jpg)
Problems with HIPS Design
• Required to be on the execution path of the attacker to allow/deny actions
• Looks just like the hooks rootkits use (dual technology)
• … who said an attacker has to use an API
![Page 25: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/25.jpg)
Operating System Design
• Intel has four privilege levels or rings
• Microsoft and many other OS vendors use only two rings
![Page 26: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/26.jpg)
Operating System Design
• By only using two privilege levels, there is no separation between the kernel itself and third party drivers or loadable kernel modules (LKM’s)
• Drivers can modify the memory associated with kernel objects such as those that represent a process’s token
![Page 27: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/27.jpg)
Next Generation Rootkit Techniques
• Direct Kernel Object Manipulation (DKOM) in memory– A device driver or loadable kernel module has
access to kernel memory– A sophisticated rootkit can modify the objects
directly in memory in a relatively reliable fashion to hide.
– Recall the goal of rootkits is to hide things: processes, files, and network connections.
![Page 28: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/28.jpg)
• DKOM Uses– Hide Processes– Add Privileges to Tokens– Add Groups to Tokens– Manipulate the Token to Fool the Windows
Event Viewer– Hide Ports
![Page 29: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/29.jpg)
The Implication of Hidden Processes
• The intruder has full control of the system.• Defeats a Host Based IDS/IPS that depends
upon the underlying operating system.• Will skew the results of forensic
examinations.
![Page 30: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/30.jpg)
Hiding Processes - WindowsKPRCB
*CurrentThread *NextThread *IdleThread
ETHREADKTHREAD
ApcState
EPROCESSKPROCESS
LIST_ENTRY { FLINK
BLINK }
EPROCESSKPROCESS
LIST_ENTRY { FLINK
BLINK }
EPROCESSKPROCESS
LIST_ENTRY { FLINK
BLINK }
![Page 31: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/31.jpg)
Hiding Processes - Windows
• Locate the Processor Control Block (KPRCB)– Located at 0xffdff120– fs register in kernel mode points to 0xffdff000
• Within the KPRCB is a pointer to the Current Thread block (ETHREAD)– Located at fs:[124] or 0xffdff124– An ETHREAD contains a KTHREAD structure
![Page 32: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/32.jpg)
Hiding Processes - Windows
• The KTHREAD structure contains a pointer to the EPROCESS block of the current process
• The EPROCESS block contains a LIST structure, which has a forward and backward pointer to active processes– This creates the doubly linked list of active
processes in Windows
![Page 33: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/33.jpg)
Hiding Processes - Windows
• To hide a process– Locate the EPROCESS block of the process to
hide– Change the process behind it to point to the
process after the process you are hiding– Change the process after it to point to the
process before the one you are trying to hide
Essentially, the list of active now processes points “around” the hidden process
![Page 34: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/34.jpg)
Hiding Processes - WindowsKPRCB
*CurrentThread *NextThread *IdleThread
ETHREADKTHREAD
ApcState
EPROCESSKPROCESS
LIST_ENTRY { FLINK
BLINK }
EPROCESSKPROCESS
LIST_ENTRY { FLINK
BLINK }
EPROCESSKPROCESS
LIST_ENTRY { FLINK
BLINK }
![Page 35: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/35.jpg)
Hiding Processes - Windows
• Why does the process continue to run?– Scheduling in the Windows kernel is thread based and
not process based.• Although scheduling code to run is based upon
threads, when the kernel reports what is running on the system, it reports based upon EPROCESS blocks which can be modified with no adverse affect. This is what current tools (IDS/IPS’s) rely upon to discover what is running on the system.
![Page 36: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/36.jpg)
Hiding Processes – LINUX
• The LINUX kernel contains an array of task_struct’s.
• A task_struct is similar to an EPROCESS block in Windows
• task_struct contains pointers to the prev_task and next_task
• task_struct also contains pointers to the prev_run and next_run for the running processes
![Page 37: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/37.jpg)
Hiding Processes – LINUX
• To hide a process, remove the process from the list of prev_task and next_task
• Leave next_run and prev_run alone
![Page 38: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/38.jpg)
Hiding Processes - LINUXtask_array
PIDProcess 0
State
*next_task*prev_task
*next_run*prev_run
*p_pptr (null)
*p_cptr *p_ysptr *p_osptr
...
...
PID
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
PID
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
PID1901
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
![Page 39: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/39.jpg)
Hiding Processes – LINUXtask_array
PID1901
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
PIDProcess 0
State
*next_task*prev_task
*next_run*prev_run
...
...
PID
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
*p_pptr *p_cptr *p_ysptr *p_osptr
![Page 40: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/40.jpg)
Hiding Processes - LINUX
• To prevent the process from freezing
– The LINUX scheduler walks the list of task_struct’s to calculate the goodness value of the process to decide rather to schedule it or not.
– The LINUX scheduler must be modified to allocate time quantums to the parent of process of PID 0
![Page 41: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/41.jpg)
Synchronization Issues
• Modifying shared objects such as the active process list is not completely safe.– Rootkit could be swapped out– Multiprocessor issues
• In Windows, the list of active processes is protected by PspActiveProcessMutex.
• PsLoadedModuleResource guards the list of device drivers.
![Page 42: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/42.jpg)
Synchronization Issues
• Problem: These symbols are not exported by the operating system
• Need a way to find these and other symbols– Hardcoding addresses – very unreliable– Search for patterns in memory
• Functions within the kernel use PspActiveProcessMutex• Find the mutex’s use within functions with a relatively
consistent pattern.
Synchronization Research and Code done by Sherri Sparks from the University of Central Florida.
![Page 43: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/43.jpg)
Token Manipulation
• Add Privileges to Token• Add Groups to Token• Make the Owner of the Token Any User• Make Any Actions Taken by the Process
Appear to be Someone else such as System– Makes forensics difficult– Totally fakes out the Windows Event Viewer
![Page 44: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/44.jpg)
Tokens• Static Part
– TOKEN SOURCE– TokenId – AuthenticationId– ParentTokenId– ExpirationTime– TokenLock– ModifiedId– SessionId– UserAndGroupCount– RestrictedSidCount– PrivilegeCount– VariableLength– Etc…
![Page 45: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/45.jpg)
Tokens
• Variable Part– Privileges
• LUID• Attribute
– User and Groups• Pointer to SID• Attribute
– Restricted SID’s• Pointer to SID• Attribute
![Page 46: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/46.jpg)
Manipulating Tokens
• Difficult to just grow the token because you are not sure what is after the variable part in memory
• Although static portion has pointers to the privileges and groups, just changing these to point to newly allocated memory does not work due to crazy math in a SepDuplicateToken() function
![Page 47: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/47.jpg)
Manipulating Tokens
• There are a lot of Privileges in a token that are disabled
• We can discard these since they are disabled anyway and free up space for new privileges and groups– The “in-line” method
![Page 48: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/48.jpg)
Adding Privileges to Tokens with DKOM
• Typedef struct _LUID_AND_ATTRIBUTES{
DWORD Luid;DWORD Attributes;
}
![Page 49: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/49.jpg)
Adding Privileges to Tokens with DKOMStatic Portion
LUIDLUID 0x00000000
0x00000000
0x000000010x00000001
LUID
LUID
SID’s
Restricted SID’s
0x000000010x00000001
LUIDLUID
0x00000001LUID
0x00000001LUID
Disabled Priv’sEnabled Priv’sAdded Priv’s
![Page 50: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/50.jpg)
Adding Groups to Tokens with DKOM
• Typedef struct _SID_AND_ATTRIBUTES{
DWORD pSID;DWORD Attributes;
}
![Page 51: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/51.jpg)
Adding Groups to Tokens with DKOMStatic Portion
LUIDLUID 0x00000000
0x00000000
0x000000010x00000001
LUID
LUID
SID’s
Restricted SID’s
0x000000010x00000001
LUIDLUID
Disabled Priv’sEnabled Priv’sAdded SID’s
pSID 0x00000007
SIDSID
pSID 0x00000007
![Page 52: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/52.jpg)
Faking Out the Windows Event Viewer using DKOM
• Change one DWORD in Static Portion of Token– SYSTEM_LUID = 0x000003E7
• Make FIRST SID in Token the System SID• All logging of the Process now appears as
System• Useful if Detailed Process Tracking is
Enabled
![Page 53: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/53.jpg)
Detecting Hidden Processes in Windows
• Methodology: Examine each thread to ensure its corresponding process descriptor (EPROCESS) is appropriately linked.
• This requires patching the kernel in memory, in particular the SwapContext function.
• Hunt and Brubacher introduced Detours for intercepting Win32 binary functions.
![Page 54: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/54.jpg)
Detours• Overwrite beginning of target function (SwapContext)
with an unconditional jump to a Detour function• Detour function eventually calls a Trampoline function• The Trampoline function contains the overwritten
bytes of the target (SwapContext) function and calls the target (SwapContext) function
• The Target function returns to the Detour function• The Detour function returns to the source caller
(kernel dispatcher)
![Page 55: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/55.jpg)
Detours
SourceFunction
DetourFunction
TrampolineFunction
TargetFunction
1 2 3
45
![Page 56: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/56.jpg)
Patching the Windows kernel
• SwapContext function does context switching between threads in Windows
• Overwrite the first seven bytes of SwapContext with a jump to our Detour function
• The EDI register points to the KTHREAD of the thread to be scheduled to run
• Our Detour function follows the KTHREAD to the EPROCESS block and determines if it is still appropriately linked in the list of active processes.
![Page 57: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/57.jpg)
Other Ways to Detect Hidden Processes
• Klister by Joanna Rutkowska– Presented at Black Hat Las Vegas 2003– Looks at Thread Queues since threads must be
in one of four queues to be scheduled– Problem: Queue addresses are not exported so
the addresses must be hard coded for each version of the OS
![Page 58: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/58.jpg)
Detecting Hidden Processes in LINUX
• Injectso is a library similar to Detours except for LINUX
• When process state is Task_Running and it is placed in the LINUX run queue by setting the prev_run and next_run pointers appropriately, make sure it is properly linked by testing the next_task and prev_task of its neighbors.
![Page 59: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/59.jpg)
Tool Demonstration: Process Hiding
![Page 60: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/60.jpg)
Tool Demonstration: Gaining System Privilege
![Page 61: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/61.jpg)
Conclusion
• We have shown the evolution of rootkit technology and detection– No longer trojanized programs– No longer just hooking, which VICE detects– Now act as a part of the Trusted Computing
Base (TCB)– DKOM … what will it be used for next?
![Page 62: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/62.jpg)
Questions?
![Page 63: VICE – Catch the hookers! (Plus new rootkit techniques)](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815d33550346895dcb2e72/html5/thumbnails/63.jpg)
Thank you.Email: [email protected]
Attend the Black Hat Training “Aspects of Offensive Root-kit
Technology”