Hunting rootkits with windbg


In these slides I will introduce several ways to find well-known rootkits like Rustock or TDL versions 3 and 4 with Windbg and scripts.

Transcript of Hunting rootkits with windbg

1. Hunting rootkits with Windbg v1.1
Frank Boldewin, March 2011

2. Scope of this Talk
In the next few slides the audience learns how to hunt for rootkits with Windbg.
To get a good overview of the different ways rootkits hide themselves from being recognized, several techniques from rootkits like Runtime2, Rustock.B, Alipop and Stuxnet as well as TDL3 and TDL4 are introduced.
Of course the techniques used to detect a specific rootkit are not limited to the shown cases. ;-)
Prerequisites are a good understanding of Windows internals and basic Windbg skills.

3. Finding SSDT hooks
The SSDT is a data array in kernel memory that stores pointers to the native API functions of Windows, e.g. NtCreateFile. These functions are implemented in NTOSKRNL.
Older rootkits used to hook some distinctive functions to hide their files or registry entries when queried from usermode.
Almost every run-of-the-mill antirootkit tool is able to detect such hooks today.

4. Finding SSDT hooks
Viewing the SSDT manually (image not in transcript)

5. Finding Shadow SSDT hooks
The Shadow SSDT is another array and stores pointers to functions in Win32k.sys.
To view its entries we first have to switch to a GUI process context and reload the symbols for the specific module:
!process 0 0 winlogon.exe
PROCESS 81ebf6f8 SessionId: ...
.process /p 81ebf6f8
.reload

6. Finding Shadow SSDT hooks (image not in transcript)

7. Finding Shadow SSDT hooks
To find SSDT and Shadow SSDT hooks automatically we can use a Windbg script from Lionel d'Hauenens of Laboskopia.

8. Runtime2 Rootkit: Finding SSDT/Shadow SSDT hooks with a Windbg script (image not in transcript)

9. Rustock.B Rootkit: SYSENTER_EIP hook
The SYSENTER_EIP (MSR 0x176) usually points to KiFastCallEntry to serve requests from usermode to access native functions in the SSDT.
This pointer gets hooked by the Rustock.B rootkit.
If SYSENTER gets called, Rustock checks in its own service table whether a function is hooked or not. Non-hooked native functions have a null pointer there.
Hooked functions have a pointer to the rootkit's own handler.
To avoid easy hook detection the SYSENTER_EIP address points into the same module (NTOSKRNL.EXE) as KiFastCallEntry: Rustock overwrites the text string FATAL_UNHANDLED_HARD_ERROR with a 5-byte jump to its real rootkit code. A plain "does the MSR point into ntoskrnl" check therefore passes; the first instruction at the target has to be inspected as well.

10. Rustock.B Rootkit: SYSENTER_EIP hook (image not in transcript)

11. Rustock.B Rootkit: SYSENTER_EIP hook
Another Laboskopia Windbg command shows us the hook automatically.

12. Rustock.B Rootkit: Finding hidden registry entries
To find the hidden registry entries Rustock uses to survive a reboot, we walk the Windows hives with the !reg command and its parameters.
A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files and backup copies.
Hives are stored as files on disk. Next to the standard hives every user has his own hive file.

13. Rustock.B Rootkit: Finding hidden registry entries
Table of standard hives and their supporting files:

Registry hive                  Supporting files
HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav
HKEY_CURRENT_USER              Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM         Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security    Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software    Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System      System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT            Default, Default.log, Default.sav

14. Rustock.B Rootkit: Finding hidden registry entries (image not in transcript)

15. Rustock.B Rootkit: Finding hidden registry entries (image not in transcript)

16. Rustock.B Rootkit: Finding the hidden registry entry (image not in transcript)

17. Rustock.B Rootkit: pIofCallDriver hook
Hooks at pIofCallDriver are often used to filter specific IRP requests to drivers.
Rustock filters any attempt to directly communicate with NTFS.SYS or FASTFAT.SYS. These files are hidden and can neither be copied, overwritten nor renamed.
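The checks behind slides 3 to 11, as an added example that is not part of the original presentation or of the Laboskopia scripts: the SSDT/Shadow SSDT check reduces to "does every table entry point into the module that should implement it", and the Rustock.B SYSENTER_EIP case shows why that alone is not enough, because MSR 0x176 still points into NTOSKRNL but at a 5-byte near jump (E9 rel32) that leaves the module. The C below re-implements both checks over a constructed 4 KiB stand-in for ntoskrnl; the module base and size, the KiFastCallEntry address, the SSDT contents and the rootkit address are all invented for the demonstration. On a live target the inputs would come from the KeServiceDescriptorTable array and from rdmsr 176 in Windbg; the same count_out_of_module function applies unchanged to the ATAPI dispatch pointers and work-item callbacks discussed in the TDL3/TDL4 slides later on.

```c
/* Added example, not from the slides or the Laboskopia scripts: SSDT and
 * SYSENTER_EIP integrity checks over a constructed memory image. Every
 * address below is invented for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uint32_t base, size; } module_t;

#define NTOS_BASE       0x80400000u
#define NTOS_SIZE       0x1000u                 /* 4 KiB stand-in for ntoskrnl */
#define KIFASTCALLENTRY (NTOS_BASE + 0x6F0u)    /* constructed symbol address */
#define HOOK_STUB       (NTOS_BASE + 0x800u)    /* stand-in for the overwritten string */
#define ROOTKIT_CODE    0xF8A12000u             /* lies in no known module */

static const module_t ntos = { "ntoskrnl.exe", NTOS_BASE, NTOS_SIZE };
static uint8_t ntos_image[NTOS_SIZE];           /* bytes of the constructed module */

/* Does a code pointer land inside a loaded module's image? */
static int in_module(uint32_t va, const module_t *m)
{
    return va >= m->base && va - m->base < m->size;
}

/* Count entries of a pointer table (SSDT, Shadow SSDT, a driver's
 * MajorFunction array, ...) that fall outside the expected module. */
static int count_out_of_module(const uint32_t *table, size_t n,
                               const module_t *expected, int *first_bad)
{
    int bad = 0;
    *first_bad = -1;
    for (size_t i = 0; i < n; i++) {
        if (in_module(table[i], expected)) continue;
        if (*first_bad < 0) *first_bad = (int)i;
        bad++;
    }
    return bad;
}

/* If the bytes at va are a near jmp (E9 rel32), return its destination,
 * otherwise va itself. rel32 is relative to the instruction that follows.
 * image[0] corresponds to m->base. */
static uint32_t resolve_jmp(uint32_t va, const module_t *m, const uint8_t *image)
{
    if (!in_module(va, m) || va - m->base + 5 > m->size) return va;
    const uint8_t *p = image + (va - m->base);
    if (p[0] != 0xE9) return va;
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);   /* little-endian host assumed, as on x86 */
    return va + 5 + (uint32_t)rel;
}

/* Verdict for MSR 0x176 (SYSENTER_EIP):
 *   0 = KiFastCallEntry, clean
 *   1 = outside ntoskrnl: a plain hook
 *   2 = inside ntoskrnl but a jmp that leaves it: the Rustock.B trick
 *   3 = inside ntoskrnl, not the expected entry, no jmp: inspect manually */
static int check_sysenter_eip(uint32_t msr176, uint32_t expected,
                              const module_t *m, const uint8_t *image)
{
    if (msr176 == expected) return 0;
    if (!in_module(msr176, m)) return 1;
    uint32_t target = resolve_jmp(msr176, m, image);
    if (target != msr176 && !in_module(target, m)) return 2;
    return 3;
}

/* Plant what Rustock.B writes over FATAL_UNHANDLED_HARD_ERROR: E9 <rel32>. */
static void plant_jmp(uint8_t *image, uint32_t base, uint32_t at, uint32_t to)
{
    int32_t rel = (int32_t)(to - (at + 5));
    uint8_t *p = image + (at - base);
    p[0] = 0xE9;
    memcpy(p + 1, &rel, sizeof rel);
}

/* Constructed SSDT excerpt: three genuine entries and one hooked one. */
static const uint32_t demo_ssdt[] = {
    NTOS_BASE + 0x120u, NTOS_BASE + 0x340u, ROOTKIT_CODE + 0x410u, NTOS_BASE + 0x9A0u
};

int demo_ssdt_hooks(void)
{
    int first;
    return count_out_of_module(demo_ssdt, sizeof demo_ssdt / sizeof demo_ssdt[0], &ntos, &first);
}

int demo_ssdt_first_bad(void)
{
    int first;
    count_out_of_module(demo_ssdt, sizeof demo_ssdt / sizeof demo_ssdt[0], &ntos, &first);
    return first;
}

/* Infect the constructed image the way Rustock.B does, then classify MSR 0x176. */
int demo_sysenter_verdict(uint32_t msr176)
{
    memset(ntos_image, 0, sizeof ntos_image);
    plant_jmp(ntos_image, NTOS_BASE, HOOK_STUB, ROOTKIT_CODE);
    return check_sysenter_eip(msr176, KIFASTCALLENTRY, &ntos, ntos_image);
}

uint32_t demo_sysenter_target(void)
{
    memset(ntos_image, 0, sizeof ntos_image);
    plant_jmp(ntos_image, NTOS_BASE, HOOK_STUB, ROOTKIT_CODE);
    return resolve_jmp(HOOK_STUB, &ntos, ntos_image);
}

int main(void)
{
    printf("SSDT entries outside ntoskrnl: %d (first index %d)\n",
           demo_ssdt_hooks(), demo_ssdt_first_bad());
    printf("SYSENTER_EIP=%#x verdict %d, jmp lands at %#x\n", (unsigned)HOOK_STUB,
           demo_sysenter_verdict(HOOK_STUB), (unsigned)demo_sysenter_target());
    printf("SYSENTER_EIP=%#x verdict %d\n", (unsigned)KIFASTCALLENTRY,
           demo_sysenter_verdict(KIFASTCALLENTRY));
    return 0;
}
```

Verdict 3 is deliberately kept separate from "clean": a SYSENTER_EIP inside ntoskrnl that is neither the documented entry point nor a jump is still worth disassembling by hand, since a trampoline may use a different instruction than E9.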
18. Rustock.B Rootkit: IDT hooks
The Interrupt Descriptor Table (IDT) is the structure used when dispatching interrupts. Interrupts can interrupt the execution of a program to handle an event. They can be the result of a hardware signal or raised in software using the INT instruction.
The IDT can hold 256 entries. The register describing the table (base and limit) is written with the instruction LIDT and read with SIDT.
Rustock hooks INT 2Eh, which usually points to KiSystemService, the dispatcher for Zw* functions and the handler for usermode INT 2Eh calls on old hardware that does not support fast system calls via the SYSENTER instruction.

19. Rustock.B Rootkit: IDT hooks
Rustock hooks INT 2Eh to communicate between its usermode and kernelmode components.
The !idt command shows us the pointer to the handler. KiSystemService is ok, otherwise it's hooked.

20. Alipop Rootkit: GDT call gate
A call gate is a mechanism of the Intel x86 architecture to change the privilege level of the CPU.
The Alipop rootkit installs such a call gate to execute code with the highest privilege (Ring 0) from usermode (Ring 3) without the need for a driver, e.g. one reached via DeviceIoControl.
Call gate usage works by executing a call far ptr from usermode code.
Installation of the call gate is done by the bootkit part of Alipop.
Other malware seen in the wild used \Device\PhysicalMemory to install a call gate in the GDT (works only on older Windows versions).

21. Alipop Rootkit: GDT call gate (image not in transcript)

22. Alipop Rootkit: GDT call gate (image not in transcript)

23. TDL3 Rootkit: ATAPI IRP hooks
The TDL3 rootkit usually infects the ATAPI driver with a small loader for the real rootkit code in the PE resource area of atapi.sys and changes the entry point to its loader code.
The real rootkit part is stored encrypted in disk sectors.
The loader uses low-level disk operations to read the sectors, decrypts the mini TDL file system and starts the real rootkit code.
To hide and protect its sectors TDL3 uses IRP hooking in ATAPI.SYS.

24. TDL3 Rootkit: ATAPI IRP hooks (image not in transcript)

25. TDL3 Rootkit: ATAPI IRP hooks (image not in transcript)
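Slides 18 to 22 both come down to reading 8-byte gate descriptors: the INT 2Eh entry of the IDT (an interrupt gate) and the call gate Alipop plants in the GDT share the same descriptor layout. The C below, an added example and not code from the presentation, decodes that layout from constructed IDT and GDT bytes, checks whether vector 2Eh still points at KiSystemService, and scans the GDT for present call gates with DPL 3, i.e. gates usermode may call. The symbol address, the rootkit addresses, the selector and the GDT slot are invented for the demonstration; on a live target the raw bytes would be read at the base reported by r idtr / r gdtr in Windbg.

```c
/* Added example, not from the slides: decode x86 32-bit gate descriptors
 * from constructed IDT/GDT bytes to check the INT 2Eh handler and to scan
 * the GDT for call gates reachable from Ring 3. All addresses are invented. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GATE_TYPE_CALL32 0xC   /* 32-bit call gate (GDT/LDT) */
#define GATE_TYPE_INTR32 0xE   /* 32-bit interrupt gate (IDT) */
#define GATE_TYPE_TRAP32 0xF   /* 32-bit trap gate (IDT) */

typedef struct {
    int      present;
    int      system;        /* S bit clear: system descriptor, which all gates are */
    uint8_t  type, dpl, param_count;
    uint16_t selector;
    uint32_t offset;
} gate_t;

/* Layout shared by call, interrupt and trap gates (Intel SDM vol. 3):
 *   bytes 0-1 offset[15:0]   bytes 2-3 segment selector
 *   byte 4    parameter count (call gates only), otherwise reserved
 *   byte 5    P | DPL(2 bits) | S | type(4 bits)
 *   bytes 6-7 offset[31:16] */
static gate_t decode_gate(const uint8_t d[8])
{
    gate_t g;
    g.offset      = (uint32_t)d[0] | (uint32_t)d[1] << 8 | (uint32_t)d[6] << 16 | (uint32_t)d[7] << 24;
    g.selector    = (uint16_t)(d[2] | d[3] << 8);
    g.param_count = d[4] & 0x1F;
    g.type        = d[5] & 0x0F;
    g.system      = !(d[5] & 0x10);
    g.dpl         = (d[5] >> 5) & 3;
    g.present     = d[5] >> 7;
    return g;
}

/* Build a present system gate (P=1, S=0); used to construct the demo tables. */
static void encode_gate(uint8_t d[8], uint32_t offset, uint16_t selector,
                        uint8_t type, uint8_t dpl, uint8_t params)
{
    d[0] = offset & 0xFF;        d[1] = (offset >> 8) & 0xFF;
    d[2] = selector & 0xFF;      d[3] = selector >> 8;
    d[4] = params & 0x1F;
    d[5] = (uint8_t)(0x80 | (dpl & 3) << 5 | (type & 0x0F));
    d[6] = (offset >> 16) & 0xFF; d[7] = offset >> 24;
}

/* Handler address of an IDT vector; 0 if the slot is not a present 32-bit gate. */
uint32_t idt_handler(const uint8_t *idt, int vector)
{
    gate_t g = decode_gate(idt + 8 * vector);
    if (!g.present || !g.system) return 0;
    if (g.type != GATE_TYPE_INTR32 && g.type != GATE_TYPE_TRAP32) return 0;
    return g.offset;
}

/* What "!idt 2e" tells us: 1 if the INT 2Eh handler is not KiSystemService. */
int int2e_hooked(const uint8_t *idt, uint32_t kisystemservice)
{
    return idt_handler(idt, 0x2E) != kisystemservice;
}

/* Scan a GDT for present call gates with DPL 3 (callable from usermode).
 * Ordinary code/data segments have S=1 and are skipped. Returns the count
 * and copies the first hit into *hit when hit is non-NULL. */
int find_user_callgates(const uint8_t *gdt, size_t entries, gate_t *hit)
{
    int n = 0;
    for (size_t i = 1; i < entries; i++) {           /* entry 0 is the null descriptor */
        gate_t g = decode_gate(gdt + 8 * i);
        if (!g.present || !g.system || g.type != GATE_TYPE_CALL32 || g.dpl != 3) continue;
        if (n == 0 && hit) *hit = g;
        n++;
    }
    return n;
}

/* Constructed tables. */
#define KISYSTEMSERVICE 0x804DE7C6u   /* invented symbol address */
#define RUSTOCK_INT2E   0xF8A12500u   /* invented rootkit handler */
#define ALIPOP_RING0    0xF8A13000u   /* invented call gate target */
#define KGDT_R0_CODE    0x0008        /* ring 0 flat code selector */

static uint8_t demo_idt[256 * 8];
static uint8_t demo_gdt[16 * 8];

static void build_tables(int hooked)
{
    memset(demo_idt, 0, sizeof demo_idt);
    memset(demo_gdt, 0, sizeof demo_gdt);
    /* INT 2Eh carries DPL 3 so that usermode may execute it. */
    encode_gate(demo_idt + 8 * 0x2E, hooked ? RUSTOCK_INT2E : KISYSTEMSERVICE,
                KGDT_R0_CODE, GATE_TYPE_INTR32, 3, 0);
    /* The call gate Alipop adds: usermode-callable, lands in ring 0 code. */
    encode_gate(demo_gdt + 8 * 5, ALIPOP_RING0, KGDT_R0_CODE, GATE_TYPE_CALL32, 3, 0);
}

int demo_int2e_hooked(int hooked) { build_tables(hooked); return int2e_hooked(demo_idt, KISYSTEMSERVICE); }
int demo_callgate_count(void)     { build_tables(0); return find_user_callgates(demo_gdt, 16, NULL); }
uint32_t demo_callgate_target(void)
{
    gate_t g = {0};
    build_tables(0);
    find_user_callgates(demo_gdt, 16, &g);
    return g.offset;
}

int main(void)
{
    printf("INT 2Eh hooked (clean table): %d\n", demo_int2e_hooked(0));
    printf("INT 2Eh hooked (Rustock table): %d, handler %#x\n",
           demo_int2e_hooked(1), (unsigned)idt_handler(demo_idt, 0x2E));
    printf("usermode-callable call gates: %d, first target %#x\n",
           demo_callgate_count(), (unsigned)demo_callgate_target());
    return 0;
}
```

Comparing the decoded offset with the symbol address is the whole IDT check; for the GDT scan the interesting property is the combination of DPL 3 on the gate and a ring 0 target selector, which is exactly what lets a far call from usermode end up executing kernel code.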
26. TDL3 Rootkit: Shared memory structure (kernel/user mode)
To share information with its usermode components TDL3 uses the structure KUSER_SHARED_DATA.
This structure is accessible from the kernel at address 0xFFDF0000 and is mapped into userspace at 0x7FFE0000.
Kernel mode has read/write access to this structure, usermode has only read access.
At KUSER_SHARED_DATA+0x308 (SystemCallPad, a padding field that is zero on a clean system) TDL3 stores a pointer to a structure of its own.
This structure stores a bunch of things like the kernel base, the original ATAPI IRP handlers, the start of the TDL3 file system and the path to its config file.

27. TDL3 Rootkit: Shared memory structure (kernel/user mode) (image not in transcript)

28. TDL3 Rootkit: Shared memory structure (kernel/user mode) (image not in transcript)

29. TDL3 Rootkit: TDL mini FS (file system) (image not in transcript)

30. TDL3 Rootkit: Traces in the system worker threads
Drivers requiring delayed processing usually use a work item, queued with IoQueueWorkItem together with a pointer to its callback routine.
When a system worker thread processes the queued item, it gets removed from the queue and the callback gets invoked.
System worker threads run in the System process context (PID 4).
The TDL3 rootkit is using work items as well.
Whenever work items have been processed or other system threads have been created, this leaves traces on the call stack.
As TDL3 does not belong to any known module, the process thread view points us at the problem: return addresses that cannot be resolved to a loaded module.

31. TDL3 Rootkit: Traces in the system worker threads (image not in transcript)

32. TDL4 Rootkit: Finding TDL4 with its invalid device object (image not in transcript)

33. TDL4 Rootkit: ATAPI DriverStartIo hook
The TDL4 rootkit hooks the ATAPI driver as well, but at a lower level than its predecessor.
As more and more tools were easily able to dump its files even from usermode via IOCTL_SCSI_PASS_THROUGH_DIRECT calls sent directly to the port device, TDL4 changed the hook method to DriverStartIo.
For standard Windows miniport drivers like atapi.sys, any SCSI request dispatching is always reduced to DriverStartIo.
This makes it a lot harder to dump the TDL4 files.
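Slide 23 describes a case a plain module-range check misses: TDL3's loader sits inside atapi.sys, in the resource section, and the PE entry point is redirected to it. The question to ask of such a pointer, and of the DRIVER_OBJECT dispatch fields (MajorFunction, DriverStartIo) from slides 24, 25 and 33, is therefore not only "is it inside the driver image" but "which section of the image claims it, and is that section executable". The C below is an added example, not code from the presentation: it parses raw IMAGE_SECTION_HEADER records and classifies a pointer as code, data, gap or outside. The atapi.sys section layout, the image base and every pointer value are constructed for the demonstration; on a live target the headers come from !dh on the driver's base address.

```c
/* Added example, not from the slides: locate which PE section of a driver
 * image a code pointer falls into, which separates a TDL3-style entry point
 * in .rsrc from a legitimate one in a code section. The section table and
 * all addresses are constructed for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_CNT_CODE              0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA  0x00000040u
#define IMAGE_SCN_MEM_EXECUTE           0x20000000u
#define IMAGE_SCN_MEM_READ              0x40000000u
#define IMAGE_SCN_MEM_WRITE             0x80000000u
#define SECTION_HEADER_SIZE 40            /* sizeof(IMAGE_SECTION_HEADER) */

typedef struct {
    char     name[9];
    uint32_t virtual_size, virtual_address, characteristics;
} section_t;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse one raw IMAGE_SECTION_HEADER: Name[8], VirtualSize (+8),
 * VirtualAddress (+12), ..., Characteristics (+36). */
static section_t parse_section(const uint8_t *hdr)
{
    section_t s;
    memcpy(s.name, hdr, 8);
    s.name[8] = 0;
    s.virtual_size    = le32(hdr + 8);
    s.virtual_address = le32(hdr + 12);
    s.characteristics = le32(hdr + 36);
    return s;
}

enum { PTR_IN_CODE = 0, PTR_IN_DATA = 1, PTR_IN_GAP = 2, PTR_OUTSIDE = 3 };

/* Classify a kernel code pointer against a module's section table. */
int classify_pointer(uint32_t va, uint32_t image_base, uint32_t image_size,
                     const uint8_t *sections, int count, section_t *hit)
{
    if (va < image_base || va - image_base >= image_size) return PTR_OUTSIDE;
    uint32_t rva = va - image_base;
    for (int i = 0; i < count; i++) {
        section_t s = parse_section(sections + i * SECTION_HEADER_SIZE);
        if (rva < s.virtual_address || rva - s.virtual_address >= s.virtual_size) continue;
        if (hit) *hit = s;
        return (s.characteristics & IMAGE_SCN_MEM_EXECUTE) ? PTR_IN_CODE : PTR_IN_DATA;
    }
    return PTR_IN_GAP;   /* PE headers or padding: no section claims it */
}

/* Constructed atapi.sys section table (RVAs, sizes and base invented). */
#define ATAPI_BASE 0xF8500000u
#define ATAPI_SIZE 0x14000u
#define ATAPI_SECTIONS 5
static uint8_t atapi_sections[ATAPI_SECTIONS * SECTION_HEADER_SIZE];

static void add_section(int idx, const char *name, uint32_t rva, uint32_t size, uint32_t flags)
{
    uint8_t *h = atapi_sections + idx * SECTION_HEADER_SIZE;
    memset(h, 0, SECTION_HEADER_SIZE);
    memcpy(h, name, strlen(name));
    put32(h + 8, size); put32(h + 12, rva); put32(h + 36, flags);
}

static void build_atapi(void)
{
    add_section(0, ".text",  0x00480, 0x0E000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    add_section(1, ".rdata", 0x0E480, 0x01000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ);
    add_section(2, ".data",  0x0F480, 0x01000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    add_section(3, "INIT",   0x10480, 0x02000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    add_section(4, ".rsrc",  0x12480, 0x00800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ);
}

/* Pointers we would read from the driver: the PE entry point and the
 * DriverStartIo field of its DRIVER_OBJECT (values invented). */
#define ENTRY_CLEAN   (ATAPI_BASE + 0x10500u)   /* DriverEntry in INIT */
#define ENTRY_TDL3    (ATAPI_BASE + 0x12600u)   /* loader planted in .rsrc */
#define STARTIO_CLEAN (ATAPI_BASE + 0x02A00u)   /* in .text */
#define STARTIO_HOOK  0xF8A14000u               /* not in the driver image at all */

int demo_classify(uint32_t va)
{
    build_atapi();
    return classify_pointer(va, ATAPI_BASE, ATAPI_SIZE, atapi_sections, ATAPI_SECTIONS, NULL);
}

const char *demo_section_name(uint32_t va)
{
    static section_t s;
    build_atapi();
    s.name[0] = 0;
    classify_pointer(va, ATAPI_BASE, ATAPI_SIZE, atapi_sections, ATAPI_SECTIONS, &s);
    return s.name;
}

int main(void)
{
    static const char *verdict[] = { "code section", "data section", "no section", "outside image" };
    uint32_t ptrs[] = { ENTRY_CLEAN, ENTRY_TDL3, STARTIO_CLEAN, STARTIO_HOOK };
    for (size_t i = 0; i < sizeof ptrs / sizeof ptrs[0]; i++)
        printf("%#x -> %s %s\n", (unsigned)ptrs[i], verdict[demo_classify(ptrs[i])],
               demo_section_name(ptrs[i]));
    return 0;
}
```

A pointer into a section without IMAGE_SCN_MEM_EXECUTE is the signal for the TDL3 infection described on slide 23; a pointer outside the image altogether is the ordinary hook case and can be caught by the simpler range check alone.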
34. TDL4 Rootkit: ATAPI DriverStartIo hook (image not in transcript)

35. TDL4 Rootkit: Finding the kernel callback with a Windbg script
Rootkits often use kernel callbacks to get notified when images are loaded, processes or threads are created, or registry events occur.
TDL4 installs a kernel callback to inject its usermode payload into specific Windows processes.

36. TDL4 Rootkit: Dropper dumping after TDL4 infection (before reboot) (image not in transcript)

37. TDL4 Rootkit: Dumping the injected usermode payload (image not in transcript)

38. TDL4 Rootkit: Finding inline hooks in the usermode payload (image not in transcript)

39. Stuxnet Rootkit: IoFsRegistrationChange
Stuxnet's mrxnet.sys driver adds a new device object and attaches it to the device chain of devices with the object type FileSystem (by default fastfat, ntfs, cdfs).
This makes it possible to control and intercept IRP requests.
A file system registration change callback (registered with IoRegisterFsRegistrationChange) makes it possible to attach to the device chain of newly created file systems as well.

40. Stuxnet Rootkit: IoFsRegistrationChange (image not in transcript)

41. Questions?
Thanks for good discussions and ideas: Michael Hale Ligh, EP_X0FF, Cr4sh, Matthieu Suiche