 Hopefully this will work Okay, so what I'm going to talk about is root kits and also ways to detect your kits I've developed a freeware tool called vise that does that so if you came to See a bunch of hookers taken away by some policemen. You're in the wrong room So as he said my name is fuzan up If you came to black hat, you know, I'm also Jamie Butler. It's in your program. That's no secret I'm at root kid calm everything. I discuss here. You can download from root kid calm But wait till Monday or Tuesday of next week The source code for all the root kid stuff I will talk about is on root kid calm So you can have that and change it or whatever Vice the freeware tool currently is downloadable in binary format So what we go do we'll go talk about hooking and how a lot of really lame root kits Hook and user land and so forth Then we'll go talk about the tool vice to detect it Then we'll go talk about direct kernel object manipulation, which is incorporated into FU and a demonstration Pardon our voice today. It's pretty pretty dry So just we'll cover a few general overview of an operating system This this talk applies mainly to win 32 But you could also apply all the root cake technologies and concepts to a Linux or spark or whatever so in a win 32 type of environment, there's user land and That's supported by kernel 32. DLL and NT DLL DLL. So whenever you write a program That's the libraries you link to and you use the functionalities exported by those DLLs Once those DLLs get a hold of your request, they eventually call down to the kernel through some means we'll talk about in a moment The kernels what implements though the low-level functionality to allow these APIs to work So it's the current only all the work kernel 32 and everything is just basically a pass-through So tax scenario Rootkits are not about How to exploit a box there? There's been other talks here FX and Alvar and other talks at black hat Where are experts at shellcode and so forth so I won't talk about how to gain access the first time But a root kit is for is to maintain access so hide your presence You want a remote command-to-control channel? That is undetectable by IDS's and by the kernel itself and maybe Intrusion in the most part for the ones I write they'll exist in the kernel So they act as part of the kernel And we'll talk about while until recently most through kits were nothing more than a chosen program This is probably like an 80s thing they would They would replace ps or ls or something that when an administrator would run the command They would get a chosen version of the executable Of course companies have come along and for the large part solve this problem and Now rootkits evolve to filter data by hooking functions in memory This way they could achieve the same results by hooking a function You can change what that function returned So for instance if it's you're asking for a list of processes on the machine by hooking you can filter out your Your rogue process that you do not want displayed Hooking can be done at many different places the import address table is one And I think we'll have a diagram of that a moment. You can hook the system call table You can hook the erupt descriptor table really. This is only a few places. You could hope there's quite a multitude So this is just a diagram. I don't have a a light pan. So sorry I can't point out the relevant features on the slide But this is the green represents the big green box represents a program that's running and It needs functionality from another DLL. So it does it has stubs in its code Called the import address table when the loader loads the program into memory it will Set the appropriate function address for these functions there and other DLLs in this IIT table And that's a blow up there. They're either exported by function name or by ordinal and the one two One one two two three three four four represents the address in a different DLL that function would actually be located at So This is the normal control flow Code in your program goes and the application goes through the IIT the IIT calls Into some DLL Such as kernel 32, etc You can inject them with DLL into another process Through a couple different means we won't cover those but they're well documented And it's also a rootkit comm there's at least Three different rootkits that use DLL injection to hook things so in this case the The rootkit is changing the IIT entry so that the program control flow changes to it Instead of the original DLL Now here's an example of a system call hook so in the I Guess my left There's the system calls being made. That's an application asking The operating system do something on its behalf It passes through that major magic barrier there now. It's in kernel mode In kernel mode, there's a function called in the kernel in TS kernel There's a function called chaos system service chaos system service will resolve the the number of the function you're trying to call so for instance like ZW create key for creating a registry key. Maybe that's function number 3b It uses that as an index into the system service descriptor table and That just contains function pointers each there's a blow up of each table entry and They're merely Function points there index by call number the function is Represent here So you go through the call table to the function in question With this control flow Now if you have a rootkit Obviously, you can divert that control flow to yourself This is the same as a user land IT hook more or less It's just a little bit more complicated because not as many people seem to know how to write kernel code and Can get some things wrong? This is an example of a more advanced technique where After going through the system call table it still goes to the correct function Which is represented there at the top However, the function has been hooked by immediate jump and The immediate jump jumps to the rootkit and then the rootkit has control once again This is a lot more advanced technique. It's sometimes hard to get correct quick overview again in case This is an animated slide that represents it may be a little bit better So kernel 32 dot DLL runs for a while. This function represents create file W to create file on the file system It eventually calls into NT DLL calling the function NT create file That runs for a while and then it calls into the system So at each one of those places on the slide you could have hooked at the beginning of the function You could have hooked at where the function made the call you could Hook the IETs etc Once you're in the kernel Linux the the interrupt for requesting service of the kernel is an update on Windows it's into E So if you hit entry, then that's when you'll jump to a system chaos system service Which will resolve the number of the system call that you wanted and also where your user parameters are and so forth Just for reference in the EX register is the system call number in this case it would correspond to NT create file and In edx is a pointer to the user supplied parameters So once in the system call table again, it's just an address and It jumps off to the real the real function in question This slide is an anime, but you could have hooked in T create file by overriding push ebp move ESP into ebp and X or You would have to at least overwrite that many maybe the The push also Because a jump is a five-byte instruction. It's at least five bytes So you have to overwrite at least the first five bytes of the function so When we get back home, there's a whole lot of rootkits that are user mode rootkits and User mode rootkits aren't the way to go if you want to write a rootkit because they're they're fairly trivial to find By hooking the IT and so forth. They leave a really big footprint That you can look for Because you know the range of the DLL and so forth so you can look for jumps outside of acceptable Range and then flag those so vice was to take care of that also Hooking even in the curls Usually a bit. It's a little bit old school now. It's been around for at least six years probably in public source stuff And maybe in the Linux world even longer than that. I'm not familiar with that so Vice detects kernel hooks One three two API hooks and inline function patching what I mean by that is when you would Overwrite the first five bytes of a function. That's inline function patching Also, they're not on the slide is if the driver driver device drivers in memory have a table of function pointers also so there's Whenever you talk to a driver, you're talking through our request packet So like when you use net stat to list all the available ports You're talking actually under the hood to TCP IP dot sys and you're passing it RP underscore in J underscore query That's one of the orps. You'll pass down to the driver Well, there's a function pointer within the driver object that describes which function handles or the address of the function that handles that particular Erk See, you can also hook there. However, I haven't currently come across any public root kits that do that in the Windows world and I'm doubting it's done much than the Linux world. I'm not sure of the format of the LKM structure So I'll try to get to a vice demonstration now and show you how it works and that you can use it when you go home Okay, well, let's turn that key. I'll try to show it in a minute if I have extra time The key's not installed right now. So To save the day I have backup slides So here's vice versus hacker defender Hacker defenders are very a very good root kit. That's on the kit calm I believe it was written by holy father and He's a he's very knowledge. Well, I've discussed Rootkit stuff with him in email Here's the vice output. I'm not sure if it's completely readable But all these slides should be on your CD also the things there with the embers glue a Little icon. You'll see it's hooking. There's something hooking kernel 32. DLL and actually that turns out to be In this case up way up top of the screen is NT DLL So you might say well NT DLL is not a root kit. That's correct But the way it's on used in the system It actually hooks other Windows API as occasionally and so therefore it is a hook and that's what vice catches So the thing with the Swiss army knife a little icon That's that's all the functions that vice called hacker defender hooking when possible vice will output Where on the file system? You can find the the hooking module in question So that will allow you to go to the file system and delete that bad on DLL or whatever off of the system In this case, it couldn't resolve hacker defender vices You know a project still in the works and maybe in the future. We will be able to resolve that on the file system So you can see it hooking things like create process and so on so forth It also gives you the address and memory Vice does so if you wanted to go and reverse engineer it yourself and figure out exactly what their function does you can do this Here's vice versus vilequish vilequish is another popular root kit every kid calm and Love said about that How many red KDM's paper on frack 62? anyone Okay, he stated that vice could not catch his root kit called NT illusion Which is an entirely user land? root kit This was correct at the time he tested There was a bug and vice and vice had not had any development on it since it was first written in mid-April However, now that bug is fixed And as you can see it catches NT illusion That's not where the here is not only their cast catching the illusion it also lifts up where on the file system it is So you can go delete it So that that was sort of root kit spin and hooking We talked about how hooking is detectable and now we're going to go into a little bit more of What consumers are currently doing in the world of you know trying to prevent viruses trying to prevent root kids And so on and so forth Everyone's running to third-party personal firewalls and also host-based intrusion prevention systems So what are kids kids are host-based intrusion detection system hips being host-based intrusion prevention system What are they there for? They're there to detect what process is a rolling system. Maybe if the new process is started Block access, you know the things like net cat and so forth from running But files are created or deleted or modified that may be important to a hips like don't let anyone write to the Wnt or window system 32 directory because that's probably gonna be a bad thing Hips also keep track of network connections made and possibly deny those connections and They try to do a little bit with privilege escalation And they look for buffer overflows and so forth However for a lot of these different pieces of functionality Hips and the current security products rely on the operating system itself So if you lie to the operating system You lie to the hips Here's some different functionality that's built into the operating systems today that allow our hips to work If it allows the hips to work it can also probably You could use this as a starting point to where to look to try to unlink our hips for instance in your kernel So you can register a risk provided callback functions For instance, if you want to be notified every time a process is created you can register An address to be called in that case and the kernel will do so That works for threads also Images loaded into memory. There's all these all these different pieces that hips use to detect new things coming in to the kernel or coming Into the process listing You can hook these You could remove These are nothing more than a linked list of functions to call you could remove Hips product from that link list probably without a whole lot of problems Some hips actually hook the system call table you have to do that especially on Windows if you want to if you want to filter or in registry key access because there's no easily There's a user land API that you can call for a callback when a registry key changes or any of its children But it doesn't provide you much useful details. It just says hey something changed and you would have to reparse all the keys to figure out exactly what it was that changed and Therefore you'd have to sort of keep state like before and after That's not very useful. So hips for the most part. Just hope the system call table directly Hips can hook user land API functions how many saw the Frack article on bypassing third-party Windows Buffalo Flow protection Okay, that was done by myself and two other anonymous co-authors I'd like to thank and They know who they are So anyway Some products were hooking the user land API's and we wrote some shellcode and so forth a totally bypass Their their implementation of Buffalo Flow protection at the API level and then you can query the kernel, of course so if you want to Know what network connections are open you can query the kernel. I'll tell you well, there's a problem with a lot of these hips designs and it Goes back to the Frack article really requires that they'd be on the execution path of Any malicious code and they have to know where the execution path would be ahead of time so There's no reason that We have to use the API's In in the kernel or even in user land so the ones that we know that they're watching We don't use those API's and I'll introduce deek deek common a second which uses absolutely no API's to make its changes it may use to make API's once in a while to gather information but This is really the non information that would never be blocked anyway So let's talk about the operating system design quickly Intel has four Privilege levels or four rings as you see here demonstrated However Microsoft and other OS vendors Do not use all four of these rings. They only use two. There's ring zero, of course Which is completely privileged code, which is the kernel itself or device drivers or LPMs Then there's ring three Ring three is all applications So when you're running in ring three For instance Ring three is just ring three like the hips doesn't have any more Privilege than you do at that point if it's only implemented at ring three, which is the case of some of these One 32 buffer on-flow protection mechanisms When zero you have access to all of kernel memory So everything that the kernel uses like objects to keep track the kernel is more or less So, you know, it's a big accounting arm So it's keeping track of all the processes all the ports and so forth and it does this in Structures that it calls that Microsoft calls objects. So these are kernel objects not to be confused with C++ objects So once you have this no separation of powers, there's only two privileged levels Every single device driver has access to all these accounting objects that the kernel has access to Therefore you can modify it just as much as the kernel can you just have to be very careful how you do so You have to understand what the structures are How to find them what they do and how the kernel expects them to look So if you don't understand those important details, you may modify an object in memory and cause a blue screen There's so many third-party device drivers. I mean, there's your printer drivers your fax drivers all these different things and That really should be different levels of protection between the two between the kernel and the drivers So the next generation of root kit technology is Decom that's a play on obviously Microsoft's terminology, but in this case direct kernel object manipulation So what does it do? It modifies objects directly in memory Never going through API's so there's one on API's to For instance add a seed to a token in a Windows process Well, the first of all the kernel is going to see if you have the appropriate privilege to add that seed And it may stop you there also The hips or other third parties may wrap around That function flow the function control flow and try to intercept that call and limit you there But if you write just directly to the memory, there's nothing to stop you So you can use deco to hide a process add a privilege to a token add groups to tokens Cool application is to fake out the Windows event viewer so that if I if a user I Should say if a process spawns another process such as netcat if the administrator has Detailed process logging turned on any Windows event viewer. They will see An event that says that administrator or whoever you're logged in as you know just started Cmd or reged at 32 or whatever Well If you change your token to look like someone else's just by changing a couple bytes Then the administrator be thrown off because it'll look like you can make it look like system did it So system just spawn netcat now obviously that's gonna be a red flag to any Halfway competent administrator However, it's not a point at possibly the user account that you subverted It's going to be a red herring that they're going to have to chase for a couple weeks probably before they really figure out What happened and maybe they'll never figure it out So another thing of deco we could use it to hide ports currently the fu root kit does not hide ports But you can do it So obviously the implications of hidden processes hidden process can have Potentially full control of the system. There's no accountability defeats the Heads and hips type of paradigm and it can skew the results of forensics it all depends on how How advanced your forensics are but you only have to be overcome the slowest Forensic tools for the most case So how do you go about having a process in the Windows kernel? Here's a Here's a picture of how the objects look in memory the E product of the kernel has a processor control block It's represented there at the top within there's three key pointers One is to the current thread ones to the next thread ones to the idle thread So you need to find your current thread because that's going to lead you to your current process So you go to the processor control block follow that pointer to the current thread That's represented there by the E thread block that's sort in the middle of the diagram the E thread block or object contains a K thread object completely embedded within it at the beginning of the E thread object and that contains a pointer that Leads to the E process block every process in a Windows Operating system has to have at least one thread and it has an E process block so These structures are for the most part undocumented If some of them now are becoming a little bit more document, however, they change a lot between versions of service packs And also major versions of the operating system So you have to do at first when I did this two years ago is all reverse engineering Now you can use windy bug Load up the symbols appropriately for whatever version of the kernel you're using type DT space in T bang underscore object name and If you don't know what the object name is you can wildcard it to try to narrow it down I will tell you that not all the object members are documented like Microsoft may just say oh, it's a It's a P void and so you don't know what it actually leads to And of course that takes a bit more time to figure out so within the E process block there's a There's a list entry structure it contains two pointers the first one's called a flank and The second is called a blink a flank is a forward link and a blank is a backward link So this list of E processes if you would just keep following the flanks. It's completely circular Also, if you just keep keep following Well, you'd have to do like De-reference blank and then add for to get to the link behind you and keep following the chain that way You could go backwards through the list also So if you want to how to process the criminal Processor control block is located at a fixed address Also, if you don't trust that because I haven't verified that since 2000 You can use the FS register to always get the address of that curl Colonel processor control block also Within there we talked about that you can get the current thread running and there's the assembly command Well, you would just move that into like EAX the FS colon bracket 124 and That would get you to an E thread the E thread takes you to the K thread and the K thread takes you the E process block So to how to process All you need to do is change the E process block in front of you to point to the E process block behind you and the E Process block behind you to point to the E process block in front of you and I think I have a demonstration that graphic So here so I don't have a pointer But we're trying to hide the current process. So if you just it's the E process block that's in the center So you would want to modify the flink behind us to point to the flink in front of us and that's represented there Once you do that half the game's done now you have to change the Blink in front of us to point to the flink behind us like that So you just tell your neighbors. Hey You know point around us So why does this continue to run? well, it turns out that the the scheduler and windows is extremely advanced and It's thread-based But however the reporting mechanisms are process-based So you can edit the this E process block and all your threads still get scheduled because They're often their little thread cues and so they'll continue to run I'll just cover this really quickly because Linux isn't my strong point. I haven't looked at it since it came out with a new threading model in Linux 2.6 But within the Linux kernel you could do a similar thing. However, there's sort of a gotcha at the end The Linux kernel contains an array of tasks trucks So each task truck represents process a task truck contains a link list With the pointers previous task and next task that you can also follow around the circle And it contains two other vital pointers, which are previous run and next run to determine the list Are the ordering of when to schedule process? so How to process you just remove it from the previous task and the next task Like demonstrate in the E process block exact same concept you leave next run and previous run alone Does anybody know what happens when you get this far right? Speak up. Okay, the whole process freezes So nothing your process continues does not continue to run and the reason being is because the way that Processes get scheduled time on a Linux 2.4 kernel in which case the scheduler walks around the previous run and next run List so it follows the next or I'm sorry it follows the previous task or the next task list Walks around this link list Going to each task structure within memory Based upon it calculates a goodness value for the process and based upon the goodness value It assigns it in order or the number of jiffy's and so forth in which to run or to get CPU scheduling So that's when it puts it into previous run and next run The ordering there well if you're never in the in the next task listing Then you'll never get your goodness value calculated. So you'll never get scheduled again because This the scheduler can't see you This is probably all different in the 2.6 with the threading model There was a root kid on after I hit this problem There's a root kit that I found on lawn that was open source. It is a fairness more gear I believe is the name and This person had come across the exact same problem I was having and they figured out the only way to fix it was to Or the way they were going to fix it was to patch the scheduler so with this But the solution did was the inlet process is always the first process that has no No parent process So the parent processor or polar parent process in the task drop is null Well, they modify that to point to the hidden task drop That way they modify their scheduler to always go there and look at these hidden task drops and Calculate goodness value for them But if you go through all that effort, they'd probably be better ways to hide your process so You it should be noted that you can't just choose these listings arbitrarily and not expect some problems These lists especially on a multi-threaded environment or a multi CPU especially environment These lists are shared resources. So you have to Use some kind of synchronization objects to try to get access to these lists if you want to Completely modify or modify my completely safe manner In windows if you want to modify the list of active processes, there's a non-exported symbol called PSP active process Newtex the kernel every time grabs that newtex and Once it has it then it can modify the list PS loaded module resource is to guard the list of device drivers Problem is obviously as I said these symbols are not exported So we have to find another way to come up with synchronization One way you could do it is you could hard hard code these addresses of these newtexes and That would vary a lot between each version of the OS and Maybe potentially each reboot could also have an effect here This isn't probably the best solution another way you could go about it is to try to search For a known pattern in memory You know that there's going to be certain functions within the kernel that have to access these newtexes in order to operate safely So you could do a search