wonder walk in rootkit land by himanshu khokhar
![Page 1: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/1.jpg)
Wonder Walk in Rootkit Land
Himanshu Khokhar
![Page 2: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/2.jpg)
$ whoami
A computer security enthusiast
Currently doing graduation :p
Highly interested in malware and OS-related stuff
Find me here
Twitter : @rinne_parad0x
![Page 3: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/3.jpg)
Rootkits… What are they and why should you care?
![Page 4: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/4.jpg)
According to Wikipedia:
A rootkit is a collection of computer software,
typically malicious, designed to enable access to a computer or
areas of its software that would not otherwise be allowed (for
example, to an unauthorized user) and often masks its existence
or the existence of other software. The term rootkit is
a concatenation of "root" (the traditional name of the privileged
account on Unix-like operating systems) and the word "kit"
(which refers to the software components that implement the
tool). The term "rootkit" has negative connotations through its
association with malware.
![Page 5: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/5.jpg)
Types
User Mode
Kernel Mode
Hypervisor Level
Firmware Based
![Page 6: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/6.jpg)
Protection Rings
![Page 7: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/7.jpg)
User Mode Rootkits
Operates in User Land (Ring 3)
Can only control/manipulate user land data
Gives limited power
This is the focus of this talk.
![Page 8: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/8.jpg)
Kernel Mode Rootkits
Operates in Kernel Land (Ring 0)
Can control everything in an OS
Very Powerful
![Page 9: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/9.jpg)
Diving into the user mode rootkits
Basically, two types:
LD_PRELOAD based
ptrace() based
![Page 10: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/10.jpg)
LD_PRELOAD Based Rootkits
![Page 11: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/11.jpg)
LD_PRELOAD: an environment variable on Unix-based systems that makes the
dynamic loader load the listed shared objects before any other shared
objects.
Abuses the dynamic library loading functionality of dynamically linked
binaries.
FAILS against statically linked binaries.
![Page 12: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/12.jpg)
Demo time
![Page 13: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/13.jpg)
Compile it. Once statically and once dynamically (the default way).
![Page 14: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/14.jpg)
Static vs Dynamic Compilation
![Page 15: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/15.jpg)
![Page 16: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/16.jpg)
![Page 17: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/17.jpg)
What happens when we try to load it in a statically compiled binary?
![Page 18: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/18.jpg)
Moving onto the advanced part
![Page 19: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/19.jpg)
Adding code to the hijacked function
What we saw in the previous slides is that we can write a custom function
to achieve what we want, but most of the time we just want to filter out
specific data, or have something done when specific data is encountered.
In the last example we provided our own code for the function strcmp, but it
is not feasible for us to rewrite the whole functionality of the function
being hijacked/hooked, so now we will see how to call the original function
with the desired arguments.
![Page 20: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/20.jpg)
A better version :p
![Page 21: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/21.jpg)
Compile and test it
![Page 22: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/22.jpg)
Hijacking rand()
About rand():
rand() is a function in the C library that generates pseudo-random numbers
for various uses.
Seems a good target.
![Page 23: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/23.jpg)
![Page 24: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/24.jpg)
![Page 25: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/25.jpg)
![Page 26: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/26.jpg)
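As an added example (not code from the talk), here is a self-check a defender can compile and run to see whether an LD_PRELOAD hook like the ones above has taken effect in a dynamically linked program: it reads /proc/self/maps, which lists every shared object the loader actually mapped, and counts the ones living outside the system library directories. The trusted directory prefixes, the 64 KiB read buffer and the skipping of the program's own executable path are assumptions made here.

```c
// Added example, not code from the talk: a defender's self-check for LD_PRELOAD-style
// interposition via /proc/self/maps. The trusted directory prefixes are an assumption.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static const char *const trusted[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL };
/* 1 if an object path lies outside the trusted library directories. */
int is_suspicious_path(const char *path) {
    for (int i = 0; trusted[i] != NULL; i++)
        if (strncmp(path, trusted[i], strlen(trusted[i])) == 0) return 0;
    return 1;
}
/* Count distinct suspicious objects in /proc/<pid>/maps text (path = first '/' on a
   line; [heap], [stack], [vdso] have none). self_exe, if not NULL, is skipped. */
int count_suspicious_maps(const char *maps, const char *self_exe) {
    int n = 0; char prev[4096] = "", path[4096];
    for (const char *line = maps; *line != '\0';) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *slash = memchr(line, '/', len);
        if (slash != NULL) {
            snprintf(path, sizeof path, "%.*s", (int)(len - (size_t)(slash - line)), slash);
            if (is_suspicious_path(path) && strcmp(path, prev) != 0 &&
                (self_exe == NULL || strcmp(path, self_exe) != 0)) {
                n++; strcpy(prev, path);       /* new object: count it once */
            }
        }
        line = end ? end + 1 : line + len;
    }
    return n;
}
/* Scan this process's own mappings; -1 if /proc is unavailable. */
int count_suspicious_mapped(void) {
    static char buf[1 << 16], exe[4096];      /* enough for a small process */
    ssize_t k = readlink("/proc/self/exe", exe, sizeof exe - 1);
    exe[k > 0 ? k : 0] = '\0';                /* own binary is legitimately elsewhere */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f); buf[got] = '\0';
    return count_suspicious_maps(buf, exe);
}
int main(void) {
    int bad = (getenv("LD_PRELOAD") != NULL) + (count_suspicious_mapped() > 0);
    printf("interposition indicators: %d\n", bad);
    return bad ? 1 : 0;                       /* non-zero exit: investigate */
}
```

Run it once plainly and once with LD_PRELOAD pointing at a library in a non-system directory; for a statically linked build the loader maps nothing from LD_PRELOAD, which is exactly why the talk's trick fails there.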
ptrace based rootkits
![Page 27: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/27.jpg)
About ptrace()
man ptrace says, "The ptrace() system call provides a means by which one
process (the "tracer") may observe and control the execution of another
process (the "tracee"), and examine and change the tracee's memory and
registers. It is primarily used to implement breakpoint debugging and
system call tracing."
![Page 28: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/28.jpg)
About ptrace based rootkit
Pros: Works on statically compiled binaries too
Cons: Need to attach to the binary; cannot ptrace anything while it is
running. Big FAIL.
Too frustrating to write one :p
Even writing a kernel mode rootkit to achieve the same is easier
Not worth the effort. Seriously.
![Page 29: Wonder walk in Rootkit Land by Himanshu Khokhar](https://reader038.vdocuments.us/reader038/viewer/2022102917/5871989f1a28ab044e8b5315/html5/thumbnails/29.jpg)
Thank you