About rootkit
Contents
Classification of ROOTKITs
Type II ROOTKITs
Type III ROOTKITs
Next Generation ROOTKITs
Classification of ROOTKITs
1st Generation (Type I): does not modify the OS, processes, etc.; instead replaces or modifies system files -> UNIX login backdoor (binary modification)
2nd Generation (Type II): modifies what is designed not to be modified -> code of processes, modules, OS code, kernel modules, etc. -> NTRootkit (pioneer of Windows kernel-based ROOTKITs), NTIllusion, etc.
3rd Generation (Type III): modifies what is designed to be modified -> data sections, heap, stack, etc. -> FU (pioneer of DKOM, Direct Kernel Object Manipulation)
The NEXT Generation: virtualization?
Type II ROOTKITs
NTIllusion
Hacker defender
NTRootkit - the first Windows NT kernel-based ROOTKIT
Sony Rootkit
Modifies:
- code sections (e.g. import table, export table)
- user-mode / kernel-mode APIs
- kernel-mode undocumented APIs
- ISR (Interrupt Service Routine)
- MSR (Model Specific Register)
…
2008-05-16
Type II ROOTKITs – cont.
API Hooking
Type II ROOTKITs – cont.
SDT Hooking (http://somma.egloos.com/2731001)
Type II ROOTKITs – cont.
IDT Hooking (http://somma.egloos.com/3365054)
Type II ROOTKITs – cont.
DEMO
- API Hooking (Ring 3) (CheatEngine)
- Code Injection (Ring 3) (WinMine.exe hacking)
- SDT hooking (Ring 0) (FxLoader / bkdp.sys)
- IDT hooking (Ring 0) (SDFP – app.exe / template.sys – real machine)
Type III ROOTKITs
FU - the first ROOTKIT to introduce DKOM (Direct Kernel Object Manipulation)
He4Hook - raw IRP hooking on the file system driver
PHIDE2
Layered driver (Filter driver)
Modifies:
- data sections
- IRP handlers
- kernel objects that are allocated and managed dynamically
…
Type III ROOTKITs – cont.
Break EPROCESS list
Type III ROOTKITs – cont.
Break DRIVER_OBJECT list
Type III ROOTKITs – cont.
DEMO
- FU rootkit
- jeng_2 SDT hook & DKOM example
Fighting ROOTKITs
Check the IAT (Import Address Table)
Check inline hooks
Check the System Service Dispatch Table (ntoskrnl.exe)
Check the shadow table (win32k.sys)
Check drivers' IRP handlers
Check MSRs (MSR_SYSENTER)
…
How?
- ECD (Explicit Compromise Detection)
- Cross-view-based detection: use DKOM to find ROOTKITs
  - dump PspCidTable
  - trace the OS scheduler database, etc.
Virtual Machine Monitor (http://northsecuritylabs.com/products.aspx )
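Cross-view detection, as listed above and applied to the "Break EPROCESS list" case from the Type III slides, can be shown with a small user-space simulation. This is an added example, not code from the deck or from any tool it names; the linked list and flat table stand in for ActiveProcessLinks and PspCidTable, and all process records are constructed.

```c
/* Cross-view detection of a DKOM-hidden process, simulated in user space.
 * The kernel keeps two views of the process set: the ActiveProcessLinks
 * list and the PspCidTable handle table. A DKOM rootkit unlinks its EPROCESS
 * from the list but leaves the table intact, so the two views disagree.
 * All names and data here are constructed for this example. */
#include <stddef.h>
#define MAX_PROCS 8

typedef struct proc {
    int pid;                    /* stands in for UniqueProcessId */
    struct proc *flink, *blink; /* stands in for ActiveProcessLinks */
} proc_t;

static proc_t procs[MAX_PROCS];       /* backing storage for the records */
static proc_t *cid_table[MAX_PROCS];  /* handle-table view (PspCidTable) */
static proc_t list_head = { -1, &list_head, &list_head }; /* list view */

/* Reset both views and populate them with pids[0..n-1]. */
void build_views(const int *pids, int n) {
    list_head.flink = list_head.blink = &list_head;
    for (int i = 0; i < MAX_PROCS; i++) cid_table[i] = NULL;
    for (int i = 0; i < n && i < MAX_PROCS; i++) {
        procs[i].pid = pids[i];
        cid_table[i] = &procs[i];
        procs[i].blink = list_head.blink;   /* append at the list tail */
        procs[i].flink = &list_head;
        list_head.blink->flink = &procs[i];
        list_head.blink = &procs[i];
    }
}

/* The condition the detector must catch: one record spliced out of the list
 * while its table slot is untouched ("Break EPROCESS list" on the slide). */
void unlink_from_list(int pid) {
    for (proc_t *p = list_head.flink; p != &list_head; p = p->flink)
        if (p->pid == pid) { p->blink->flink = p->flink; p->flink->blink = p->blink; return; }
}

/* Cross-view check: every table entry must also be reachable by walking the
 * list. Returns the number of hidden records and writes their pids to out. */
int find_hidden(int *out, int max_out) {
    int found = 0;
    for (int i = 0; i < MAX_PROCS && found < max_out; i++) {
        if (!cid_table[i]) continue;
        int seen = 0;
        for (proc_t *p = list_head.flink; p != &list_head; p = p->flink)
            if (p == cid_table[i]) { seen = 1; break; }
        if (!seen) out[found++] = cid_table[i]->pid;
    }
    return found;
}
```

A real detector reads both structures from kernel memory (or a memory image) rather than from local arrays, but the comparison logic is the same.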
Fighting ROOTKITs – cont.
DEMO
- API hook detection and API hook removal (hook_shield, PlgnPETest.dll)
- Finding a process hidden by FU's DKOM technique: dump PspCidTable
Next Generation ROOTKITs
DEMO
- Hypervisor-based rootkit
Q & A