![Page 1: BlackHat Windows Security 2004 Data Hiding on a Live System by Harlan Carvey keydet89@yahoo.com](https://reader033.vdocuments.mx/reader033/viewer/2022051820/56649eda5503460f94be9728/html5/thumbnails/1.jpg)
BlackHat Windows Security 2004
Data Hiding on a Live System
by Harlan Carvey, keydet89@yahoo.com

Purpose
Present and discuss different techniques for hiding data on LIVE systems (NTFS)
Address methods of preventing and detecting this activity
Not covered: maintenance tracks, boot sector, file slack, etc.

What is being hidden?
Data: text, output of commands (samdump, etc.)
Executables: programs, games, rootkits

Who are we hiding it from?
Other users
Administrators
Investigators/forensics analysts

Altering files
File changes: name, extension
Information regarding extensions and associations is maintained in the Registry; the 'assoc' command lists them
File signature (the header bytes that identify the format; this is NOT a hash)

Altering names/extensions
Samdump.log -> C:\winnt\system32\MSODBC32.DLL (an output file renamed and moved to look like a system DLL)

Altering file signatures
The signature sits in the first 20 bytes of the file
Change JFIF/GIF89a in a graphics file to something else
Executables (.exe, .dll, .sys, .ocx, .scr) begin with "MZ"
sigs.pl performs signature analysis (compares the header bytes against what the extension claims)

DOS attributes
'attrib' command (attrib +h sets the hidden attribute)
Explorer settings (hidden files are not shown by default)
'dir' switch: dir /a[:h] lists hidden files
Perl ignores the attribute (opendir/readdir and glob return hidden files anyway)
hfind.exe (Foundstone)

File splitting
Almost as old as DOS
Many programs available
Malicious uses
(Diagram: original file split into arbitrarily sized segments)

"Touching" files
Alter the creation, last access and last modification dates
'touch' in Unix
Microsoft SetFileTime() API
Used to hide from time-based search tools: dir /t[:a], afind.exe (Foundstone), macmatch.exe (NTSecurity.nu)

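An added example (not from the deck) of both sides of the slide: backdating a file the way touch or SetFileTime would, and a live-system check for it. Python's os.utime() calls SetFileTime() on Windows and utime() on POSIX; it sets access and modification times only. The detector leans on st_ctime, which is the creation time on Windows and the inode-change time on POSIX: a file that was simply written cannot have a modification time older than that. File names, contents and the 2001 date are constructed for the demonstration.

```python
import os
import shutil
import tempfile
import time

EPOCH_2001 = 978307200  # 2001-01-01 00:00:00 UTC, a whole second like `touch -t`


def timestomp(path: str, when: float) -> None:
    """Backdate last-access and last-modified to `when` (epoch seconds).
    Creation time is left alone here; SetFileTime() can rewrite it too,
    which is why the check below is a heuristic rather than proof."""
    os.utime(path, (when, when))


def anomalous_times(path: str, slack: float = 2.0) -> list:
    """Return the reasons a file's timestamps look tampered (empty if none).

    st_ctime is creation time on Windows and inode-change time on POSIX.
    Backdating mtime does not lower it (POSIX even bumps it to 'now'), so
    mtime earlier than ctime cannot result from a normal write."""
    st = os.stat(path)
    reasons = []
    if st.st_mtime + slack < st.st_ctime:
        reasons.append("mtime predates ctime/creation")
    if st.st_mtime > time.time() + slack:
        reasons.append("mtime is in the future")
    return reasons


def find_stomped(root: str) -> list:
    """Walk root and return [(path, reasons)] for files with anomalies."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                reasons = anomalous_times(p)
            except OSError:      # vanished or unreadable; skip, do not abort the scan
                continue
            if reasons:
                hits.append((p, reasons))
    return hits


def demo():
    """Two constructed files: one untouched, one backdated to 2001.
    Returns (reasons for the clean file, reasons for the stomped file,
    base names reported by the tree walk)."""
    root = tempfile.mkdtemp()
    try:
        clean = os.path.join(root, "clean.log")
        stomped = os.path.join(root, "samdump.log")
        for p in (clean, stomped):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        timestomp(stomped, EPOCH_2001)
        hits = [os.path.basename(p) for p, _ in find_stomped(root)]
        return anomalous_times(clean), anomalous_times(stomped), hits
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    clean, stomped, hits = demo()
    print("clean:", clean)
    print("stomped:", stomped)
    print("flagged:", hits)
```

Caveat for live use: an attacker who also rewrites the creation time through SetFileTime() (the slide says all three dates can be altered) slips past this check. The authoritative comparison on NTFS is between the $STANDARD_INFORMATION timestamps, which SetFileTime changes, and the $FILE_NAME timestamps in the MFT record, which it does not; that needs raw MFT access rather than a stat() call, so it is outside the live-tool set the slide lists.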
File binding (binders join a payload to a legitimate executable in one file)
EliteWrap
Saran Wrap, Silk Rope

OLE/COM
MS OLE/COM API
"Structured Storage", "Compound files", "file system within a file"
MergeStreams demo
May discover using "strings" or "grep"
wd.exe

NTFS Alternate Data Streams
NTFS4 (NT) and NTFS5 (2K)
Creating
Using
Running executables hidden in ADSs
NTFS4 vs. NTFS5

Creating ADSs
'type' command: type notepad.exe > myfile.txt:np.exe
cp.exe from the Resource Kit
Bind to a file or to a directory: notepad myfile.txt:hidden.txt (stream on a file), notepad :hidden.txt (stream on the current directory)

Executing ADSs
Running executables hidden in ADSs
Native methods: NTFS4 - 'start' (Foundstone); NTFS5 - several methods

Detecting ADSs
No built-in tool on NT/2K/XP lists streams ('dir /R' only appeared with Vista), so third-party tools are needed:
lads.exe, by Frank Heyne (heysoft.de)
sfind.exe (Foundstone)
streams.exe (Sysinternals)
ads.pl (Perl)

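The creating, using and detecting steps of the ADS slides, as one added example in Python rather than the deck's ads.pl. Writing a stream is just opening "file:stream"; enumerating them uses the Win32 FindFirstStreamW/FindNextStreamW API (the same view lads.exe and streams.exe rely on), so that part runs only on Windows against an NTFS volume. The structure layout and error code come from the Windows SDK; the host file, stream name and payload bytes are constructed here, and nothing is executed.

```python
import ctypes
import os
import sys


def parse_stream_name(raw: str) -> str:
    """':np.exe:$DATA' -> 'np.exe'; the unnamed default stream '::$DATA' -> ''."""
    if not raw.startswith(":"):
        raise ValueError("unexpected stream name %r" % raw)
    name, _sep, _stream_type = raw[1:].partition(":")
    return name


def write_stream(path: str, stream: str, data: bytes) -> None:
    """Python equivalent of:  type payload > path:stream"""
    with open("%s:%s" % (path, stream), "wb") as fh:
        fh.write(data)


def read_stream(path: str, stream: str) -> bytes:
    with open("%s:%s" % (path, stream), "rb") as fh:
        return fh.read()


if sys.platform == "win32":
    import ctypes.wintypes as wt

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):   # layout per the SDK
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _k32.FindFirstStreamW.argtypes = [wt.LPCWSTR, ctypes.c_int,
                                      ctypes.POINTER(WIN32_FIND_STREAM_DATA), wt.DWORD]
    _k32.FindFirstStreamW.restype = ctypes.c_void_p
    _k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    _k32.FindNextStreamW.restype = wt.BOOL
    _k32.FindClose.argtypes = [ctypes.c_void_p]
    _k32.FindClose.restype = wt.BOOL
    _INVALID_HANDLE = ctypes.c_void_p(-1).value
    _ERROR_HANDLE_EOF = 38


def list_streams(path: str) -> list:
    """Return [(stream_name, size), ...] for every $DATA stream of path,
    including the unnamed one. Directories can carry streams as well."""
    if sys.platform != "win32":
        raise NotImplementedError("needs the Win32 FindFirstStreamW API")
    data = WIN32_FIND_STREAM_DATA()
    h = _k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h == _INVALID_HANDLE:
        raise ctypes.WinError(ctypes.get_last_error())
    out = []
    try:
        while True:
            out.append((parse_stream_name(data.cStreamName), data.StreamSize))
            if not _k32.FindNextStreamW(h, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == _ERROR_HANDLE_EOF:
                    break
                raise ctypes.WinError(err)
    finally:
        _k32.FindClose(h)
    return out


def find_hidden_streams(root: str) -> list:
    """Walk root and return [(path, [(name, size), ...])] for every file or
    directory that carries a named stream."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            p = os.path.join(dirpath, name)
            try:
                named = [(n, sz) for n, sz in list_streams(p) if n]
            except OSError:
                continue
            if named:
                findings.append((p, named))
    return findings


def demo(root: str):
    """Windows/NTFS only: hide a constructed payload in host.txt:np.exe, then
    show that stream enumeration finds it while the file looks unchanged."""
    host = os.path.join(root, "host.txt")
    with open(host, "wb") as fh:
        fh.write(b"visible text\r\n")
    write_stream(host, "np.exe", b"MZ\x90\x00constructed payload")
    assert read_stream(host, "np.exe").startswith(b"MZ")
    return os.path.getsize(host), list_streams(host), find_hidden_streams(root)


if __name__ == "__main__":
    import tempfile
    print(demo(tempfile.mkdtemp()))   # temp dir must be on an NTFS volume
```

os.path.getsize() and a plain dir report only the unnamed stream, which is the whole point of the technique; the enumeration call is what surfaces np.exe. When sweeping a real volume, expect Zone.Identifier streams on downloaded files and filter those out before looking at what remains.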
Encryption
PGP
fcrypt (ntsecurity.nu)
Perl (Crypt::TripleDES)

Steganography
The art of hiding information
S-Tools4
http://www.citi.umich.edu/u/provos/stego/

Registry
Licensing information
Software installation dates and information
Contains binary and string data types (so arbitrary data can be stored in a value)

"Hidden" functionality
Registry keys used by various malware: the ubiquitous "Run" key, Services
ClearPagefileAtShutdown Registry key
StartUp directories

Rootkits
Kernel-mode vs. user-mode
API hooking / DLL injection: NTRootkit, HackerDefender (DLL injection), AFX Rootkit 2003 (DLL injection), Vanquish (DLL injection), FU (DKOM)

How to prevent/detect
Configuration: policies/management
Monitoring: Event Logs, additional monitoring applications, scans

Questions?