| |
| |
Preface | |
| |
| |
Acknowledgments | |
| |
| |
About the Authors | |
| |
| |
About the Cover | |
| |
| |
| |
Leave No Trace | |
| |
| |
Understanding Attackers' Motives | |
| |
| |
The Role of Stealth | |
| |
| |
When Stealth Doesn't Matter | |
| |
| |
What Is a Rootkit? | |
| |
| |
Why Do Rootkits Exist? | |
| |
| |
Remote Command and Control | |
| |
| |
Software Eavesdropping | |
| |
| |
Legitimate Uses of Rootkits | |
| |
| |
How Long Have Rootkits Been Around? | |
| |
| |
How Do Rootkits Work? | |
| |
| |
Patching | |
| |
| |
Easter Eggs | |
| |
| |
Spyware Modifications | |
| |
| |
Source-Code Modification | |
| |
| |
The Legality of Software Modification | |
| |
| |
What a Rootkit Is Not | |
| |
| |
A Rootkit Is Not an Exploit | |
| |
| |
A Rootkit Is Not a Virus | |
| |
| |
Rootkits and Software Exploits | |
| |
| |
Why Exploits Are Still a Problem | |
| |
| |
Offensive Rootkit Technologies | |
| |
| |
HIPS | |
| |
| |
NIDS | |
| |
| |
Bypassing the IDS/IPS | |
| |
| |
Bypassing Forensic Tools | |
| |
| |
Conclusion | |
| |
| |
| |
Subverting the Kernel | |
| |
| |
Important Kernel Components | |
| |
| |
Rootkit Design | |
| |
| |
Introducing Code into the Kernel | |
| |
| |
Building the Windows Device Driver | |
| |
| |
The Device Driver Development Kit | |
| |
| |
The Build Environments | |
| |
| |
The Files | |
| |
| |
Running the Build Utility | |
| |
| |
The Unload Routine | |
| |
| |
Loading and Unloading the Driver | |
| |
| |
Logging the Debug Statements | |
| |
| |
Fusion Rootkits: Bridging User and Kernel Modes | |
| |
| |
I/O Request Packets | |
| |
| |
Creating a File Handle | |
| |
| |
Adding a Symbolic Link | |
| |
| |
Loading the Rootkit | |
| |
| |
The Quick-and-Dirty Way to Load a Driver | |
| |
| |
The Right Way to Load a Driver | |
| |
| |
Decompressing the .sys File from a Resource | |
| |
| |
Surviving Reboot | |
| |
| |
Conclusion | |
| |
| |
| |
The Hardware Connection | |
| |
| |
Ring Zero | |
| |
| |
Tables, Tables, and More Tables | |
| |
| |
Memory Pages | |
| |
| |
Memory Access Check Details | |
| |
| |
Paging and Address Translation | |
| |
| |
Page-Table Lookups | |
| |
| |
The Page-Directory Entry | |
| |
| |
The Page-Table Entry | |
| |
| |
Read-Only Access to Some Important Tables | |
| |
| |
Multiple Processes, Multiple Page Directories | |
| |
| |
Processes and Threads | |
| |
| |
The Memory Descriptor Tables | |
| |
| |
The Global Descriptor Table | |
| |
| |
The Local Descriptor Table | |
| |
| |
Code Segments | |
| |
| |
Call Gates | |
| |
| |
The Interrupt Descriptor Table | |
| |
| |
Other Types of Gates | |
| |
| |
The System Service Dispatch Table | |
| |
| |
The Control Registers | |
| |
| |
Control Register Zero (CR0) | |
| |
| |
Other Control Registers | |
| |
| |
The EFlags Register | |
| |
| |
Multiprocessor Systems | |
| |
| |
Conclusion | |
| |
| |
| |
The Age-Old Art of Hooking | |
| |
| |
Userland Hooks | |
| |
| |
Import Address Table Hooking | |
| |
| |
Inline Function Hooking | |
| |
| |
Injecting a DLL into Userland Processes | |
| |
| |
Kernel Hooks | |
| |
| |
Hooking the System Service Descriptor Table | |
| |
| |
Hooking the Interrupt Descriptor Table | |
| |
| |
Hooking the Major I/O Request Packet Function Table in the Device Driver Object | |
| |
| |
A Hybrid Hooking Approach | |
| |
| |
Getting into a Process' Address Space | |
| |
| |
Memory Space for Hooks | |
| |
| |
Conclusion | |
| |
| |
| |
Runtime Patching | |
| |
| |
Detour Patching | |
| |
| |
Rerouting the Control Flow Using MigBot | |
| |
| |
Checking for Function Bytes | |
| |
| |
Keeping Track of the Overwritten Instructions | |
| |
| |
Using NonPagedPool Memory | |
| |
| |
Runtime Address Fixups | |
| |
| |
Jump Templates | |
| |
| |
The Interrupt Hook Example | |
| |
| |
Variations on the Method | |
| |
| |
Conclusion | |
| |
| |
| |
Layered Drivers | |
| |
| |
A Keyboard Sniffer | |
| |
| |
I/O Request Packet (IRP) and Stack Locations | |
| |
| |
The KLOG Rootkit: A Walk-through | |
| |
| |
File Filter Drivers | |
| |
| |
Conclusion | |
| |
| |
| |
Direct Kernel Object Manipulation | |
| |
| |
DKOM Benefits and Drawbacks | |
| |
| |
Determining the Version of the Operating System | |
| |
| |
User-Mode Self-Determination | |
| |
| |
Kernel-Mode Self-Determination | |
| |
| |
Querying the Operating System Version in the Registry | |
| |
| |
Communicating with the Device Driver from Userland | |
| |
| |
Hiding with DKOM | |
| |
| |
Process Hiding | |
| |
| |
Device-Driver Hiding | |
| |
| |
Synchronization Issues | |
| |
| |
Token Privilege and Group Elevation with DKOM | |
| |
| |
Modifying a Process Token | |
| |
| |
Faking out the Windows Event Viewer | |
| |
| |
Conclusion | |
| |
| |
| |
Hardware Manipulation | |
| |
| |
Why Hardware? | |
| |
| |
Modifying the Firmware | |
| |
| |
Accessing the Hardware | |
| |
| |
Hardware Addresses | |
| |
| |
Accessing Hardware Is Not Like Accessing RAM | |
| |
| |
Timing Considerations | |
| |
| |
The I/O Bus | |
| |
| |
Accessing the BIOS | |
| |
| |
Accessing PCI and PCMCIA Devices | |
| |
| |
Example: Accessing the Keyboard Controller | |
| |
| |
The 8259 Keyboard Controller | |
| |
| |
Changing the LED Indicators | |
| |
| |
Hard Reboot | |
| |
| |
Keystroke Monitor | |
| |
| |
How Low Can You Go? Microcode Update | |
| |
| |
Conclusion | |
| |
| |
| |
Covert Channels | |
| |
| |
Remote Command, Control, and Exfiltration of Data | |
| |
| |
Disguised TCP/IP Protocols | |
| |
| |
Beware of Traffic Patterns | |
| |
| |
Don't Send Data "in the Clear" | |
| |
| |
Use Time to Your Advantage | |
| |
| |
Hide Under DNS Requests | |
| |
| |
"Stego" on ASCII Payloads | |
| |
| |
Use Other TCP/IP Channels | |
| |
| |
Kernel TCP/IP Support for Your Rootkit Using TDI | |
| |
| |
Build the Address Structure | |
| |
| |
Create a Local Address Object | |
| |
| |
Create a TDI Endpoint with Context | |
| |
| |
Associate an Endpoint with a Local Address | |
| |
| |
Connect to a Remote Server (Send the TCP Handshake) | |
| |
| |
Send Data to a Remote Server | |
| |
| |
Raw Network Manipulation | |
| |
| |
Implementing Raw Sockets on Windows XP | |
| |
| |
Binding to an Interface | |
| |
| |
Sniffing with Raw Sockets | |
| |
| |
Promiscuous Sniffing with Raw Sockets | |
| |
| |
Sending Packets with Raw Sockets | |
| |
| |
Forging the Source | |
| |
| |
Bouncing Packets | |
| |
| |
Kernel TCP/IP Support for Your Rootkit Using NDIS | |
| |
| |
Registering the Protocol | |
| |
| |
The Protocol Driver Callbacks | |
| |
| |
Moving Whole Packets | |
| |
| |
Host Emulation | |
| |
| |
Creating Your MAC Address | |
| |
| |
Handling ARP | |
| |
| |
The IP Gateway | |
| |
| |
Sending a Packet | |
| |
| |
Conclusion | |
| |
| |
| |
Rootkit Detection | |
| |
| |
Detecting Presence | |
| |
| |
Guarding the Doors | |
| |
| |
Scanning the "Rooms" | |
| |
| |
Looking for Hooks | |
| |
| |
Detecting Behavior | |
| |
| |
Detecting Hidden Files and Registry Keys | |
| |
| |
Detecting Hidden Processes | |
| |
| |
Conclusion | |
| |
| |
Index | |