Nytro Posted December 18, 2011

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Reverend Bill Blunden

Table of Contents

Preface: Metadata

Part I - Foundations

Chapter 1 Setting the Stage
  1.1 Forensic Evidence
  1.2 First Principles
    Semantics
    Rootkits: The Kim Philby of System Software
    Who Is Using Rootkit Technology?
      The Feds
      The Spooks
      The Suits
  1.3 The Malware Connection
    Infectious Agents
    Adware and Spyware
    Rise of the Botnets
    Malware versus Rootkits
    Job Security: The Nature of the Software Industry
  1.4 Closing Thoughts

Chapter 2 Into the Catacombs: IA-32
  2.1 IA-32 Memory Models
    Physical Memory
    Flat Memory Model
    Segmented Memory Model
    Modes of Operation
  2.2 Real Mode
    Case Study: MS-DOS
    Isn't This a Waste of Time? Why Study Real Mode?
    The Real-Mode Execution Environment
    Real-Mode Interrupts
    Segmentation and Program Control
    Case Study: Dumping the IVT
    Case Study: Logging Keystrokes with a TSR
    Case Study: Hiding the TSR
    Case Study: Patching the tree.com Command
    Synopsis
  2.3 Protected Mode
    The Protected-Mode Execution Environment
    Protected-Mode Segmentation
    Protected-Mode Paging
    Protected-Mode Paging: A Closer Look
  2.4 Implementing Memory Protection
    Protection through Segmentation
      Limit Checks
      Type Checks
      Privilege Checks
      Restricted-Instruction Checks
      Gate Descriptors
      Protected-Mode Interrupt Tables
    Protection through Paging
    Summary

Chapter 3 Windows System Architecture
  3.1 Physical Memory
    Physical Address Extension (PAE)
    Data Execution Prevention (DEP)
    Address Windowing Extensions (AWE)
    Pages, Page Frames, and Page Frame Numbers
  3.2 Memory Protection
    Segmentation
    Paging
    Linear to Physical Address Translation
      Longhand Translation
      A Quicker Approach
      Another Quicker Approach
  3.3 Virtual Memory
    User Space Topography
    Kernel Space Dynamic Allocation
    Address Space Layout Randomization (ASLR)
  3.4 User Mode and Kernel Mode
    How versus Where
    Kernel-Mode Components
    User-Mode Components
  3.5 The Native API
    The IVT Grows Up
    Hardware and the System Call Mechanism
    System Call Data Structures
    The SYSENTER Instruction
    The System Service Dispatch Tables
    Enumerating the Native API
    Nt*() versus Zw*() System Calls
    The Life Cycle of a System Call
    Other Kernel-Mode Routines
    Kernel-Mode API Documentation
  3.6 The Boot Process
    Startup for BIOS Firmware
    Startup for EFI Firmware
    The Windows Boot Manager
    The Windows Boot Loader
    Initializing the Executive
    The Session Manager
    Wininit.exe
    Winlogon.exe
    The Major Players
  3.7 Design Decisions
    How Will Our Rootkit Execute at Run Time?
    What Constructs Will Our Rootkit Manipulate?

Chapter 4 Rootkit Basics
  4.1 Rootkit Tools
    Development Tools
    Diagnostic Tools
    Reversing Tools
    Disk Imaging Tools
    Tool Roundup
  4.2 Debuggers
    Configuring Cdb.exe
      Symbol Files
      Windows Symbols
      Invoking Cdb.exe
      Controlling Cdb.exe
    Useful Debugger Commands
      Examine Symbols Command (x)
      List Loaded Modules (lm and !lmi)
      Display Type Command (dt)
      Unassemble Command (u)
      Display Command (d*)
      Registers Command (r)
    The Kd.exe Kernel Debugger
      Different Ways to Use a Kernel Debugger
      Configuring Kd.exe
      Preparing the Hardware
      Preparing the Software
      Launching a Kernel Debugging Session
      Controlling the Target
    Useful Kernel-Mode Debugger Commands
      List Loaded Modules Command (lm)
      !process
      Registers Command (r)
    Working with Crash Dumps
      Method 1
      Method 2
      Crash Dump Analysis
  4.3 A Rootkit Skeleton
    Kernel-Mode Driver Overview
    A Minimal Rootkit
    Handling IRPs
      DeviceType
      Function
      Method
      Access
    Communicating with User-Mode Code
    Sending Commands from User Mode
    Source Code Organization
    Performing a Build
      WDK Build Environments
      Build.exe
  4.4 Loading a KMD
    The Service Control Manager (SCM)
      Using sc.exe at the Command Line
      Using the SCM Programmatically
      Registry Footprint
    ZwSetSystemInformation()
    Writing to the \Device\PhysicalMemory Object
    Modifying Driver Code Paged to Disk
    Leveraging an Exploit in the Kernel
  4.5 Installing and Launching a Rootkit
    Launched by the Operating System
    Launched by a User-Mode Application
      Use the SCM
      Use an Auto-Start Extensibility Point (ASEP)
      Install the Launcher as an Add-On to an Existing Application
    Defense in Depth
    Kamikaze Droppers
    Rootkit Uninstall
  4.6 Self-Healing Rootkits
    Auto-Update
  4.7 Windows Kernel-Mode Security
    Kernel-Mode Code Signing (KMCS)
    Kernel Patch Protection (KPP)
    Restricted Access to \Device\PhysicalMemory
  4.8 Synchronization
    Interrupt Request Levels
    Deferred Procedure Calls (DPCs)
    Implementation
  4.9 Commentary

Part II - System Modification

Chapter 5 Hooking Call Tables
  5.1 Hooking in User Space: The IAT
    DLL Basics
      Accessing Exported Routines
      Load-Time Dynamic Linking
      Run-Time Dynamic Linking
    Injecting a DLL
      The AppInit_DLLs Registry Value
      The SetWindowsHookEx() API Call
      Using Remote Threads
    PE File Format
      The DOS HEADER
      RVAs
      The PE Header
      Walking through a PE on Disk
    Hooking the IAT
  5.2 Hooking in Kernel Space
    Hooking the IDT
      Handling Multiple Processors - Solution 1
      Naked Routines
      Issues with Hooking the IDT
    Hooking Processor MSRs
      Handling Multiple Processors - Solution 2
    Hooking the SSDT
      Disabling the WP Bit - Technique 1
      Disabling the WP Bit - Technique 2
      Hooking SSDT Entries
      SSDT Example: Tracing System Calls
      SSDT Example: Hiding a Process
      SSDT Example: Hiding a Directory
      SSDT Example: Hiding a Network Connection
    Hooking IRP Handlers
    Hooking the GDT - Installing a Call Gate
  5.3 Hooking Countermeasures
    Checking for Kernel-Mode Hooks
      Checking IA32_SYSENTER_EIP
      Checking INT 0x2E
      Checking the SSDT
      Checking IRP Handlers
    Checking for User-Mode Hooks
      Parsing the PEB - Part 1
      Parsing the PEB - Part 2
  5.4 Counter-Countermeasures

Chapter 6 Patching System Routines
  Binary Patching versus Run-time Patching
  The Road Ahead
  6.1 Run-time Patching
    Detour Patching
    Detour Jumps
    Example 1: Tracing Calls
      Detour Implementation
      Acquire the Address of the NtSetValueKey()
      Initialize the Patch Metadata Structure
      Verify the Original Machine Code against a Known Signature
      Save the Original Prolog and Epilog Code
      Update the Patch Metadata Structure
      Lock Access and Disable Write Protection
      Inject the Detours
      The Prolog Detour
      The Epilog Detour
      Post-Game Wrap-Up
    Example 2: Subverting Group Policy
      Detour Implementation
      Initializing the Patch Metadata Structure
      The Epilog Detour
      Mapping Registry Values to Group Policies
    Example 3: Granting Access Rights
      Detour Implementation
  6.2 Binary Patching
    Subverting the Master Boot Record
      The MBR in Depth
      The Partition Table
      Patch or Replace?
      Hidden Sectors
      Bad Sectors and Boot Sectors
      Rogue Partition
      MBR Loader
      IA-32 Emulation
      Vbootkit
  6.3 Instruction Patching Countermeasures

Chapter 7 Altering Kernel Objects
  7.1 The Cost of Invisibility
    Issue 1: The Steep Learning Curve
    Issue 2: Concurrency
    Issue 3: Portability and Pointer Arithmetic
    Branding the Technique: DKOM
    Objects?
  7.2 Revisiting the EPROCESS Object
    Acquiring an EPROCESS Pointer
    Relevant Fields in EPROCESS
      UniqueProcessId
      ActiveProcessLinks
      Token
      ImageFileName
  7.3 The DRIVER_SECTION Object
  7.4 The TOKEN Object
    Authorization on Windows
    Locating the TOKEN Object
    Relevant Fields in the TOKEN Object
  7.5 Hiding a Process
  7.6 Hiding a Driver
  7.7 Manipulating the Access Token
  7.8 Using No-FU
  7.9 Countermeasures
    Cross-View Detection
      High-Level Enumeration: CreateToolhelp32Snapshot()
      High-Level Enumeration: PID Bruteforce
      Low-Level Enumeration: Processes
      Low-Level Enumeration: Threads
      Related Software
    Field Checksums
    Counter-Countermeasures
  7.10 Commentary: Limits of the Two-Ring Model
  7.11 The Last Lines of Defense

Chapter 8 Deploying Filter Drivers
  8.1 Filter Driver Theory
    Driver Stacks and Device Stacks
    The Lifecycle of an IRP
    Going Deeper: The Composition of an IRP
    IRP Forwarding
    IRP Completion
  8.2 An Example: Logging Keystrokes
    The PS/2 Keyboard Driver and Device Stacks
    Lifecycle of an IRP
    Implementation
  8.3 Adding Functionality: Dealing with IRQLs
    Dealing with the Elevated IRQL
    Sharing Nicely: The Global Buffer
    The Worker Thread
    Putting It All Together
  8.4 Key Logging: Alternative Techniques
    SetWindowsHookEx
    GetAsyncKeyState
  8.5 Other Ways to Use Filter Drivers

Part III - Anti-Forensics

Chapter 9 Defeating Live Response
  IDS, IPS, and Forensics
  Anti-Forensics
    Data Destruction
    Data Hiding
    Data Transformation
    Data Contraception
    Data Fabrication
    File System Attacks
  9.1 The Live Incident Response Process
    The Forensic Investigation Process
    Collecting Volatile Data
    Performing a Port Scan
    Collecting Nonvolatile Data
    The Debate over Pulling the Plug
    Countermeasures
  9.2 RAM Acquisition
    Software-Based Acquisition
      KnTDD.exe
      Autodump+
      LiveKd.exe
      Crash Dumps
    Hardware-Based Acquisition
    Countermeasures

Chapter 10 Defeating File System Analysis
  10.1 File System Analysis
    Forensic Duplication
    Recovering Deleted Files
    Enumerating ADSes
    Acquiring File Metadata
    Removing Known Good Files
    File Signature Analysis
    Static Analysis of an Unknown Executable
    Run-time Analysis of an Unknown Executable
  10.2 Countermeasures: Overview
  10.3 Countermeasures: Forensic Duplication
    Reserved Disk Regions
    Live Disk Imaging
  10.4 Countermeasures: Deleted File Recovery
  10.5 Countermeasures: Acquiring Metadata
    Altering Timestamps
    Altering Checksums
  10.6 Countermeasures: Removing Known Files
    Move Files into the "Known Good" List
    Introduce "Known Bad" Files
    Flood the System with Foreign Binaries
    Keep Off a List Entirely by Hiding
      Out-of-Band Hiding
      In-Band Hiding
      Application Layer Hiding: M42
  10.7 Countermeasures: File Signature Analysis
  10.8 Countermeasures: Executable Analysis
    Foiling Static Executable Analysis
      Cryptors
      Encryption Key Management
      Packers
      Augmenting Static Analysis Countermeasures
    Foiling Run-time Executable Analysis
      Attacks against the Debugger
      Breakpoints
      Detecting a User-Mode Debugger
      Detecting a Kernel-Mode Debugger
      Detecting a User-Mode or Kernel-Mode Debugger
      Detecting Debuggers via Code Checksums
      Land Mines
    Obfuscation
      Obfuscating Application Data
      Obfuscating Application Code
      The Hidden Price Tag
  10.9 Borrowing Other Malware Tactics
    Memory-Resident Rootkits
    Data Contraception
    The Tradeoff: Footprint versus Failover

Chapter 11 Defeating Network Analysis
  11.1 Worst-Case Scenario: Full Content Data Capture
  11.2 Tunneling: An Overview
    HTTP
    DNS
    ICMP
    Peripheral Issues
  11.3 The Windows TCP/IP Stack
    Windows Sockets 2
    Raw Sockets
    Winsock Kernel API
    NDIS
    Different Tools for Different Jobs
  11.4 DNS Tunneling
    DNS Query
    DNS Response
  11.5 DNS Tunneling: User Mode
  11.6 DNS Tunneling: WSK Implementation
    Initialize the Application's Context
    Create a Kernel-Mode Socket
    Determine a Local Transport Address
    Bind the Socket to the Transport Address
    Set the Remote Address (the C2 Client)
    Send the DNS Query
    Receive the DNS Response
  11.7 NDIS Protocol Drivers
    Building and Running the NDISProt 6.0 Example
    An Outline of the Client Code
    An Outline of the Driver Code
    The Protocolxxx() Routines
    Missing Features

Chapter 12 Countermeasure Summary
  12.1 Live Incident Response
  12.2 File System Analysis
  12.3 Network Traffic Analysis
  12.4 Why Anti-Forensics?

Part IV - End Material

Chapter 13 The Tao of Rootkits
  Run Silent, Run Deep
  Development Mindset
  On Dealing with Proprietary Systems
  Staking Out the Kernel
  Walk before You Run: Patching System Code
  Walk before You Run: Altering System Data Structures
  The Advantages of Self-Reliant Code
  Leverage Existing Work
  Use a Layered Defense
  Study Your Target
  Separate Mechanism from Policy

Chapter 14 Closing Thoughts

Appendix
  Chapter 2
    Project: KillDOS
    Project: HookTSR
    Project: HideTSR
    Project: Patch
  Chapter 3
    SSDT
  Chapter 4
    Project: Skeleton (KMD Component)
    Project: Skeleton (User-Mode Component)
    Project: Installer
    Project: Hoglund
    Project: SD
    Project: HBeat (Client and Server)
    Project: IRQL
  Chapter 5
    Project: RemoteThread
    Project: ReadPE
    Project: HookIAT
    Project: HookIDT
    Project: HookSYS
    Project: HookSSDT
    Project: HookIRP
    Project: HookGDT
    Project: AntiHook (Kernel Space and User Space)
    Project: ParsePEB
  Chapter 6
    Project: TraceDetour
    Project: GPO Detour
    Project: AccessDetour
    Project: MBR Disassembly
    Project: LoadMBR
  Chapter 7
    Project: No-FU (User-Mode Portion)
    Project: No-FU (Kernel-Mode Portion)
    Project: TaskLister
    Project: findFU
  Chapter 8
    Project: KiLogr-V01
    Project: KiLogr-V02
  Chapter 10
    Project: TSMod
    Project: Slack
    Project: MFT
    Project: Cryptor
  Chapter 11
    Project: UserModeDNS
    Project: WSK-DNS

Index

Download:
http://www.mediafire.com/?7jl44499d94l3l9
http://www.megaupload.com/?d=C4TS6FFB

I know it has already been posted somewhere around here, but the link is no longer valid, and this book is worth downloading.
SilentPH Posted December 18, 2011

Nytro, you're hard at work? Gj!
Nytro (Author) Posted December 18, 2011

Yeah... What is a man supposed to do at 06:30 AM when he can't sleep? I've been posting since last night.