| |
| |
| Preface | |
| |
| |
| Acknowledgments | |
| |
| |
| About the Authors | |
| |
| |
| About the Cover | |
| |
| |
| |
| Leave No Trace | |
| |
| |
| Understanding Attackers' Motives | |
| |
| |
| The Role of Stealth | |
| |
| |
| When Stealth Doesn't Matter | |
| |
| |
| What Is a Rootkit? | |
| |
| |
| Why Do Rootkits Exist? | |
| |
| |
| Remote Command and Control | |
| |
| |
| Software Eavesdropping | |
| |
| |
| Legitimate Uses of Rootkits | |
| |
| |
| How Long Have Rootkits Been Around? | |
| |
| |
| How Do Rootkits Work? | |
| |
| |
| Patching | |
| |
| |
| Easter Eggs | |
| |
| |
| Spyware Modifications | |
| |
| |
| Source-Code Modification | |
| |
| |
| The Legality of Software Modification | |
| |
| |
| What a Rootkit Is Not | |
| |
| |
| A Rootkit Is Not an Exploit | |
| |
| |
| A Rootkit Is Not a Virus | |
| |
| |
| Rootkits and Software Exploits | |
| |
| |
| Why Exploits Are Still a Problem | |
| |
| |
| Offensive Rootkit Technologies | |
| |
| |
| HIPS | |
| |
| |
| NIDS | |
| |
| |
| Bypassing the IDS/IPS | |
| |
| |
| Bypassing Forensic Tools | |
| |
| |
| Conclusion | |
| |
| |
| |
| Subverting the Kernel | |
| |
| |
| Important Kernel Components | |
| |
| |
| Rootkit Design | |
| |
| |
| Introducing Code into the Kernel | |
| |
| |
| Building the Windows Device Driver | |
| |
| |
| The Device Driver Development Kit | |
| |
| |
| The Build Environments | |
| |
| |
| The Files | |
| |
| |
| Running the Build Utility | |
| |
| |
| The Unload Routine | |
| |
| |
| Loading and Unloading the Driver | |
| |
| |
| Logging the Debug Statements | |
| |
| |
| Fusion Rootkits: Bridging User and Kernel Modes | |
| |
| |
| I/O Request Packets | |
| |
| |
| Creating a File Handle | |
| |
| |
| Adding a Symbolic Link | |
| |
| |
| Loading the Rootkit | |
| |
| |
| The Quick-and-Dirty Way to Load a Driver | |
| |
| |
| The Right Way to Load a Driver | |
| |
| |
| Decompressing the .sys File from a Resource | |
| |
| |
| Surviving Reboot | |
| |
| |
| Conclusion | |
| |
| |
| |
| The Hardware Connection | |
| |
| |
| Ring Zero | |
| |
| |
| Tables, Tables, and More Tables | |
| |
| |
| Memory Pages | |
| |
| |
| Memory Access Check Details | |
| |
| |
| Paging and Address Translation | |
| |
| |
| Page-Table Lookups | |
| |
| |
| The Page-Directory Entry | |
| |
| |
| The Page-Table Entry | |
| |
| |
| Read-Only Access to Some Important Tables | |
| |
| |
| Multiple Processes, Multiple Page Directories | |
| |
| |
| Processes and Threads | |
| |
| |
| The Memory Descriptor Tables | |
| |
| |
| The Global Descriptor Table | |
| |
| |
| The Local Descriptor Table | |
| |
| |
| Code Segments | |
| |
| |
| Call Gates | |
| |
| |
| The Interrupt Descriptor Table | |
| |
| |
| Other Types of Gates | |
| |
| |
| The System Service Dispatch Table | |
| |
| |
| The Control Registers | |
| |
| |
| Control Register Zero (CR0) | |
| |
| |
| Other Control Registers | |
| |
| |
| The EFlags Register | |
| |
| |
| Multiprocessor Systems | |
| |
| |
| Conclusion | |
| |
| |
| |
| The Age-Old Art of Hooking | |
| |
| |
| Userland Hooks | |
| |
| |
| Import Address Table Hooking | |
| |
| |
| Inline Function Hooking | |
| |
| |
| Injecting a DLL into Userland Processes | |
| |
| |
| Kernel Hooks | |
| |
| |
| Hooking the System Service Descriptor Table | |
| |
| |
| Hooking the Interrupt Descriptor Table | |
| |
| |
| Hooking the Major I/O Request Packet Function Table in the Device Driver Object | |
| |
| |
| A Hybrid Hooking Approach | |
| |
| |
| Getting into a Process' Address Space | |
| |
| |
| Memory Space for Hooks | |
| |
| |
| Conclusion | |
| |
| |
| |
| Runtime Patching | |
| |
| |
| Detour Patching | |
| |
| |
| Rerouting the Control Flow Using MigBot | |
| |
| |
| Checking for Function Bytes | |
| |
| |
| Keeping Track of the Overwritten Instructions | |
| |
| |
| Using NonPagedPool Memory | |
| |
| |
| Runtime Address Fixups | |
| |
| |
| Jump Templates | |
| |
| |
| The Interrupt Hook Example | |
| |
| |
| Variations on the Method | |
| |
| |
| Conclusion | |
| |
| |
| |
| Layered Drivers | |
| |
| |
| A Keyboard Sniffer | |
| |
| |
| I/O Request Packet (IRP) and Stack Locations | |
| |
| |
| The KLOG Rootkit: A Walk-through | |
| |
| |
| File Filter Drivers | |
| |
| |
| Conclusion | |
| |
| |
| |
| Direct Kernel Object Manipulation | |
| |
| |
| DKOM Benefits and Drawbacks | |
| |
| |
| Determining the Version of the Operating System | |
| |
| |
| User-Mode Self-Determination | |
| |
| |
| Kernel-Mode Self-Determination | |
| |
| |
| Querying the Operating System Version in the Registry | |
| |
| |
| Communicating with the Device Driver from Userland | |
| |
| |
| Hiding with DKOM | |
| |
| |
| Process Hiding | |
| |
| |
| Device-Driver Hiding | |
| |
| |
| Synchronization Issues | |
| |
| |
| Token Privilege and Group Elevation with DKOM | |
| |
| |
| Modifying a Process Token | |
| |
| |
| Faking out the Windows Event Viewer | |
| |
| |
| Conclusion | |
| |
| |
| |
| Hardware Manipulation | |
| |
| |
| Why Hardware? | |
| |
| |
| Modifying the Firmware | |
| |
| |
| Accessing the Hardware | |
| |
| |
| Hardware Addresses | |
| |
| |
| Accessing Hardware Is Not Like Accessing RAM | |
| |
| |
| Timing Considerations | |
| |
| |
| The I/O Bus | |
| |
| |
| Accessing the BIOS | |
| |
| |
| Accessing PCI and PCMCIA Devices | |
| |
| |
| Example: Accessing the Keyboard Controller | |
| |
| |
| The 8259 Keyboard Controller | |
| |
| |
| Changing the LED Indicators | |
| |
| |
| Hard Reboot | |
| |
| |
| Keystroke Monitor | |
| |
| |
| How Low Can You Go? Microcode Update | |
| |
| |
| Conclusion | |
| |
| |
| |
| Covert Channels | |
| |
| |
| Remote Command, Control, and Exfiltration of Data | |
| |
| |
| Disguised TCP/IP Protocols | |
| |
| |
| Beware of Traffic Patterns | |
| |
| |
| Don't Send Data "in the Clear" | |
| |
| |
| Use Time to Your Advantage | |
| |
| |
| Hide Under DNS Requests | |
| |
| |
| "Stego" on ASCII Payloads | |
| |
| |
| Use Other TCP/IP Channels | |
| |
| |
| Kernel TCP/IP Support for Your Rootkit Using TDI | |
| |
| |
| Build the Address Structure | |
| |
| |
| Create a Local Address Object | |
| |
| |
| Create a TDI Endpoint with Context | |
| |
| |
| Associate an Endpoint with a Local Address | |
| |
| |
| Connect to a Remote Server (Send the TCP Handshake) | |
| |
| |
| Send Data to a Remote Server | |
| |
| |
| Raw Network Manipulation | |
| |
| |
| Implementing Raw Sockets on Windows XP | |
| |
| |
| Binding to an Interface | |
| |
| |
| Sniffing with Raw Sockets | |
| |
| |
| Promiscuous Sniffing with Raw Sockets | |
| |
| |
| Sending Packets with Raw Sockets | |
| |
| |
| Forging the Source | |
| |
| |
| Bouncing Packets | |
| |
| |
| Kernel TCP/IP Support for Your Rootkit Using NDIS | |
| |
| |
| Registering the Protocol | |
| |
| |
| The Protocol Driver Callbacks | |
| |
| |
| Moving Whole Packets | |
| |
| |
| Host Emulation | |
| |
| |
| Creating Your MAC Address | |
| |
| |
| Handling ARP | |
| |
| |
| The IP Gateway | |
| |
| |
| Sending a Packet | |
| |
| |
| Conclusion | |
| |
| |
| |
| Rootkit Detection | |
| |
| |
| Detecting Presence | |
| |
| |
| Guarding the Doors | |
| |
| |
| Scanning the "Rooms" | |
| |
| |
| Looking for Hooks | |
| |
| |
| Detecting Behavior | |
| |
| |
| Detecting Hidden Files and Registry Keys | |
| |
| |
| Detecting Hidden Processes | |
| |
| |
| Conclusion | |
| |
| |
| Index | |