Rootkit Internals


null Mumbai April 2012 Monthly Meet


Rootkit Internals
By Mr. Omkar Pardeshi, Malware Analyst & Developer
omkar.r.pardeshi@gmail.com

Topics Overview
- Types of threats
- Tools to analyze threats
- Methodology of malware analysis
- Rootkit internals
- Fighting rootkits

Classification of computer viruses
Basic: Worm (replicates), Trojan (stand-alone), File infector (infects).
Adware, Spyware, Backdoor, Boot Sector Virus, Browser Hijacker, Macro Virus, Polymorphic Virus, Scripting Virus, Logic Bombs, Metamorphic.

Tools to analyze computer viruses
Sysinternals Suite: Procmon, Process Explorer; Regmon, Regshot; PE View; SysTracer.

Trail of Rootkits
- 1982 Siberian pipeline sabotage
- 2001 Magic Lantern
- 2005 Sony BMG copy protection rootkit scandal (Mark Russinovich): digital rights management software called Extended Copy Protection
- 2004–2005 Greek wiretapping case
- Rootkit.Duqu.A

Rootkit
A rootkit is just a technology for subverting the standard operating system. The design goals of a rootkit are to provide three services: 1) remote access, 2) monitoring, 3) concealment.

Real mode: ring 3, the MS-DOS kernel, Interrupt Service Routines (ISRs) and the Interrupt Vector Table (IVT).
Protected mode: ring 0. The OS loads in protected mode; that privileged level is called ring 0 or OS kernel mode, and the unprivileged area is called ring 3 or user mode.

Types
- User mode
- Kernel mode

User mode Rootkit Demo

What happens exactly? OS level

Process level (diagram): before injection, Taskmgr calls NTDLL, which calls into ntoskrnl.exe. After injection, Taskmgr's call is picked up by AppInitHook, which calls NTDLL (NtQueryInformation); the result comes back to the hook, which delivers a modified result to Taskmgr.

Memory level (diagram): AppInitHook is mapped at 0x2000 with its hook routine at 0x2100; NTDLL is mapped at 0x6000 with NtQuerySystemInformation at 0x6500. The call to ntdll's NtQuerySystemInformation at 0x6500 is diverted to the hook at 0x2100, which calls the original NtQuerySystemInformation and then returns from 0x2100 (Ret 0x2100) to the caller.
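One check a rootkit scanner makes against exactly the layout on this slide, written here as an added example that is not from the talk: read the first bytes of an exported ntdll function and see whether they divert control to memory outside the module. The module base and size, the function address and the prologue bytes are constructed sample values taken from the slide's addresses; a real scanner would read them from the inspected process.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed sample layout mirroring the slide: NTDLL mapped at 0x6000
 * with NtQuerySystemInformation at 0x6500; AppInitHook's stub at 0x2100. */
#define NTDLL_BASE 0x6000u
#define NTDLL_SIZE 0x1000u
#define NTQSI_VA   0x6500u

typedef struct {
    int hooked;       /* 1 when control leaves the module before the real code runs */
    uint64_t target;  /* resolved detour target, 0 if no jump stub was found */
} hook_check;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Inspect the prologue of the function at func_va, owned by the module mapped
 * at [mod_base, mod_base + mod_size). Two common detour stubs are recognised:
 * "E9 rel32" (jmp rel32) and "68 imm32 C3" (push imm32; ret). A jump that
 * stays inside the module (an ordinary compiler-generated branch) is not
 * reported; only a jump into foreign memory counts as a hook. */
hook_check check_prologue(const uint8_t *code, size_t len, uint64_t func_va,
                          uint64_t mod_base, uint64_t mod_size) {
    hook_check r = {0, 0};
    if (len >= 5 && code[0] == 0xE9)
        r.target = func_va + 5 + (uint64_t)(int64_t)(int32_t)rd32(code + 1);
    else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        r.target = rd32(code + 1);
    if (r.target != 0 && !(r.target >= mod_base && r.target < mod_base + mod_size))
        r.hooked = 1;
    return r;
}

/* Constructed prologues. detour_jmp is the slide's case: a jmp from 0x6500 to
 * the hook at 0x2100 (rel32 = 0x2100 - 0x6505 = -0x4405, little-endian FB BB FF FF).
 * clean_stub is shaped like an unpatched x64 syscall stub (mov r10,rcx; mov eax,imm32). */
static const uint8_t detour_jmp[]   = {0xE9, 0xFB, 0xBB, 0xFF, 0xFF};
static const uint8_t detour_push[]  = {0x68, 0x00, 0x21, 0x00, 0x00, 0xC3};
static const uint8_t internal_jmp[] = {0xE9, 0xFB, 0x00, 0x00, 0x00};  /* 0x6500 -> 0x6600 */
static const uint8_t clean_stub[]   = {0x4C, 0x8B, 0xD1, 0xB8, 0x36, 0x00, 0x00, 0x00};

static hook_check run(const uint8_t *c, size_t n) {
    return check_prologue(c, n, NTQSI_VA, NTDLL_BASE, NTDLL_SIZE);
}
hook_check sample_detour_jmp(void)   { return run(detour_jmp, sizeof detour_jmp); }
hook_check sample_detour_push(void)  { return run(detour_push, sizeof detour_push); }
hook_check sample_internal_jmp(void) { return run(internal_jmp, sizeof internal_jmp); }
hook_check sample_clean(void)        { return run(clean_stub, sizeof clean_stub); }
```

Only the two stubs that land at 0x2100, outside NTDLL's range, are reported; the intra-module jump and the plain syscall stub pass.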

DLL injection
AppInit_DLLs: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Other ways: SetWindowsHook; WriteProcessMemory + CreateRemoteThread; changing the import table.

Lots of ways to inject your code
Code injection - inject a DLL:
- Create remote thread
- Write physical memory
- Hooking

User mode Rootkit Demo Details

Flow: AppInit_DLLs -> DllMain -> hook NtQuerySystemInformation -> HookedNtQuerySystemInformation

    NtQuerySystemInformation(
        __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
        __inout PVOID SystemInformation,
        __in ULONG SystemInformationLength,
        __out_opt PULONG ReturnLength)

    HookedNtQuerySystemInformation(
        __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
        __inout PVOID SystemInformation,
        __in ULONG SystemInformationLength,
        __out_opt PULONG ReturnLength)
    {
        // Call the original NtQuerySystemInformation
        PMY_SYSTEM_PROCESS_INFORMATION pNext = (PMY_SYSTEM_PROCESS_INFORMATION)SystemInformation;
        if (!wcsncmp(pNext->ImageName.Buffer, L"calc.exe", pNext->ImageName.Length))
            // ... (the slide does not show what is done with the matching entry)
        // Return result
    }

Kernel Mode Rootkit Demo

What happens exactly? In the kernel

Algorithm for kernel function hooking:
1. Get the address of the SSDT.
2. Get the offset address of the function from the SSDT.
3. Save the address.
4. Write the address of our function into the SSDT.
5. If the query call is for our file, deny access.
6. If not, call the original function from the saved address.

Welcome to Kernel mode
Ways a rootkit gets into the system: SSDT hook; Shadow SSDT hook (win32k.sys); FS callback; Registry callback; Interrupt Descriptor Table (IDT); Register notify routines; Windows hook; Driver hook; Dispatch hook; Keyboard hook; System thread; the list goes on.

Detection Tools
GMER, Rootkit Unhooker, Sysrevaler and various other rootkit scanners. To stay secure, use an updated AV and install all the security patches.

Questions?

Thank you