Wonder walk in Rootkit Land by Himanshu Khokhar
Transcript of Wonder walk in Rootkit Land by Himanshu Khokhar
Wonder Walk in Rootkit Land
Himanshu Khokhar
$ whoami
A computer security enthusiast
Currently doing graduation :p
Highly interested in malware, OS related stuff
Find me here
Twitter : @rinne_parad0x
Rootkits... What are they and why should you care?
According to Wikipedia
A rootkit is a collection of computer software,
typically malicious, designed to enable access to a computer or
areas of its software that would not otherwise be allowed (for
example, to an unauthorized user) and often masks its existence
or the existence of other software. The term rootkit is
a concatenation of "root" (the traditional name of the privileged
account on Unix-like operating systems) and the word "kit"
(which refers to the software components that implement the
tool). The term "rootkit" has negative connotations through its
association with malware.
Types
User Mode
Kernel Mode
Hypervisor Level
Firmware Based
Protection Rings
User Mode Rootkits
Operates in User Land (Ring 3)
Can only control/manipulate user land data
Gives limited power
This is the focus of this talk.
Kernel Mode Rootkits
Operates in Kernel land (Ring 0)
Can control everything in an OS
Very Powerful
Diving into the user mode rootkits
Basically, two types:
LD_PRELOAD based
ptrace() based
LD_PRELOAD Based Rootkits
LD_PRELOAD: an environment variable, read by the dynamic linker on Unix-like systems, that lists shared objects to load before any other shared object, so their symbols are found first.
Abuses the dynamic library loading functionality of dynamically linked binaries: a function defined in the preloaded object shadows the same-named function in libc.
FAILS against statically linked binaries: no dynamic linker runs for them and there are no shared libraries to interpose.
Demo time
Compile it twice: once statically and once dynamically (the default way).
Static vs Dynamic Compilation
What happens when we try to load it into the statically compiled binary?
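As an added example (not part of the talk's demo code), the checks below let a defender test a running, dynamically linked process for the LD_PRELOAD vector just described: the environment variable, the system-wide /etc/ld.so.preload file, and whether the definition of a libc function that the process actually uses differs from libc's own definition. It assumes Linux with glibc (libc.so.6 is the library name it opens); on glibc older than 2.34 the dlopen/dlsym calls need -ldl. The watched symbol list is a constructed sample built around the functions the talk hooks.

```c
/* Added example, not from the talk: in-process checks for the LD_PRELOAD
 * hooking vector. Assumes Linux + glibc (libc.so.6); -ldl on glibc < 2.34. */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if LD_PRELOAD is set to a non-empty value in this process's environment. */
int preload_env_present(void)
{
    const char *v = getenv("LD_PRELOAD");
    return v != NULL && v[0] != '\0';
}

/* 1 if the system-wide preload list exists. ld.so honours it even when the
 * environment variable is unset, so it is the quieter of the two vectors. */
int preload_file_present(void)
{
    return access("/etc/ld.so.preload", F_OK) == 0;
}

/* Compare the definition of `sym` this process resolves to (first match in
 * global search order) with libc's own definition of it.
 * Returns 1 if they differ (an earlier object, e.g. a preloaded library,
 * interposes the symbol), 0 if they are the same, -1 if a lookup failed. */
int symbol_interposed(const char *sym)
{
    void *scope = dlopen(NULL, RTLD_NOW);         /* whole global scope, load order */
    void *libc  = dlopen("libc.so.6", RTLD_NOW);  /* already mapped: just a handle */
    if (scope == NULL || libc == NULL)
        return -1;
    void *used = dlsym(scope, sym);
    void *real = dlsym(libc, sym);
    dlclose(libc);
    dlclose(scope);
    if (used == NULL || real == NULL)
        return -1;
    return used != real;
}

/* Run all checks for a constructed list of commonly hooked functions and
 * report; returns the number of suspicious findings so a caller can act. */
int preload_report(void)
{
    static const char *watched[] = { "strcmp", "rand", "getenv", "access" };
    int findings = 0;

    if (preload_env_present())  { puts("LD_PRELOAD is set");         findings++; }
    if (preload_file_present()) { puts("/etc/ld.so.preload exists"); findings++; }

    for (size_t i = 0; i < sizeof watched / sizeof watched[0]; i++) {
        int r = symbol_interposed(watched[i]);
        if (r == 1)      { printf("%s is interposed\n", watched[i]); findings++; }
        else if (r < 0)  { printf("%s: lookup failed\n", watched[i]); }
    }
    return findings;
}

int main(void)
{
    int n = preload_report();
    printf("%d suspicious finding(s)\n", n);
    return n != 0;
}
```

The caveat a practitioner should keep in mind: a preloaded object can hook getenv(), access() and dlsym() as well and lie to in-process checks like these. The more trustworthy test is made from outside the process, by reading /proc/<pid>/maps and /proc/<pid>/environ with a separate, ideally statically linked, tool. A statically linked binary needs none of this, for the reason the slide gives: ld.so never runs for it.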
Moving onto the advanced part
Adding code to the hijacked function
What we saw in the previous slides is that we can write a custom function to achieve what we want, but most of the time we just want to filter out specific data, or we want something to be done when specific data is encountered.
In the last example we supplied our own code for the function strcmp, but it is usually not feasible to reimplement the whole functionality of the function being hijacked/hooked, so now we will see how to call the original function with the desired arguments.
A better version :p
Compile and test it
Hijacking rand()
About rand():
rand() is a C library function used to generate pseudo-random numbers for various purposes.
Seems a good target
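The two preceding sections, calling the original function from the hijacked one and hijacking rand(), share one mechanism, so here is one added example for both (it is not the talk's demo code): an LD_PRELOAD interposer for strcmp() that forwards every call to libc's real implementation through dlsym(RTLD_NEXT) instead of reimplementing it, and keeps a call count so the hook's activity can be observed. The same pattern hooks rand(): change the name and the function-pointer type. It assumes glibc (link with -ldl on versions older than 2.34); compare_strings() is a hypothetical stand-in for a call site in the hooked program so the file also runs as a plain executable.

```c
/* Added example, not the talk's demo code: strcmp() interposer that forwards
 * to libc's original and counts calls.
 * Build:  gcc -shared -fPIC -o libtrace.so trace.c
 * Use:    LD_PRELOAD=./libtrace.so ./some_dynamically_linked_program
 * Assumes glibc; link with -ldl on glibc older than 2.34. */
#define _GNU_SOURCE            /* exposes RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)   /* glibc's value, if _GNU_SOURCE came too late */
#endif

typedef int (*strcmp_fn)(const char *, const char *);

static strcmp_fn real_strcmp;      /* libc's strcmp, resolved on first use */
static unsigned long hook_calls;   /* number of calls that passed through the hook */

/* Number of strcmp() calls the hook has seen so far. */
unsigned long strcmp_hook_calls(void)
{
    return hook_calls;
}

/* Replacement strcmp(). Because a preloaded object is searched before libc,
 * the dynamic linker binds the hooked program's strcmp references here. */
int strcmp(const char *a, const char *b)
{
    if (real_strcmp == NULL) {
        /* RTLD_NEXT: search the objects after this one in load order, which
         * skips our own definition and lands on libc's. */
        real_strcmp = (strcmp_fn) dlsym(RTLD_NEXT, "strcmp");
    }
    hook_calls++;
    int r = real_strcmp(a, b);     /* the original, with the caller's arguments */
    fprintf(stderr, "[hook] strcmp(\"%s\", \"%s\") = %d\n", a, b, r);
    return r;
}

/* Hypothetical stand-in for a call site inside the hooked program, used when
 * this file is built as an ordinary executable. noinline keeps the compiler
 * from constant-folding the strcmp call away, so the hook really runs. */
__attribute__((noinline)) int compare_strings(const char *a, const char *b)
{
    return strcmp(a, b);
}
```

Seen from the defender's side, the output on stderr is exactly the kind of trace you get when you preload a logging wrapper on purpose; a rootkit built on the same mechanism differs only in being silent and in what it does with the arguments before forwarding them.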
ptrace based rootkits
About ptrace()
man ptrace says, "The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing."
About ptrace based rootkit
Pros: Works on statically compiled binaries too
Cons: Needs to attach to the binary; cannot ptrace anything while it is running. Big FAIL.
Too frustrating to write one :p
Even writing a kernel mode rootkit to achieve the same is easier
Not worth the efforts. Seriously.
Thank you