The Rootkit Arsenal
Escape and Evasion in the
Dark Corners of the System
Reverend Bill Blunden
Wordware Publishing, Inc.
Library of Congress Cataloging-in-Publication Data
Blunden, Bill, 1969-
The rootkit arsenal / by Bill Blunden.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-59822-061-2 (pbk. : alk. paper)
1. Computers- Access control. 2. Computer viruses. 3. Computer hackers. I. Title.
QA76.9.A25 B58 2009
005.8--dc22 2009008316
© 2009, Wordware Publishing, Inc.
An imprint of Jones and Bartlett Publishers
All Rights Reserved
1100 Summit Ave., Suite 102
Plano, Texas 75074
No part of this book may be reproduced in any form or by any means
without permission in writing from Wordware Publishing, Inc.
Printed in the United States of America
ISBN-13: 978-1-59822-061-2
ISBN-10: 1-59822-061-6
10 9 8 7 6 5 4 3 2 1
0905
Microsoft, PowerPoint, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. Computrace is a registered trademark of Absolute Software, Corp. EnCase is a
registered trademark of Guidance Software, Inc. Eudora is a registered trademark of Qualcomm Incorporated. File
Scavenger is a registered trademark of QueTek Consulting Corporation. Ghost and PowerQuest are trademarks of
Symantec Corporation. GoToMyPC is a registered trademark of Citrix Online, LLC. KeyCarbon is a registered trademark of
www.keycarbon.com. Metasploit is a registered trademark of Metasploit, LLC. OpenBoot is a trademark of Sun
Microsystems, Inc. PC Tattletale is a trademark of Parental Control Products, LLC. ProDiscover is a registered trademark of
Technology Pathways, LLC. Spector Pro is a registered trademark of SpectorSoft Corporation. Tripwire is a registered
trademark of Tripwire, Inc. VERISIGN is a registered trademark of VeriSign, Inc. VMware is a registered trademark of
VMware, Inc. Wireshark is a registered trademark of Wireshark Foundation. Zango is a registered trademark of Zango, Inc.
Other brand names and product names mentioned in this book are trademarks or service marks of their respective
companies. Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe
on the property of others. The publisher recognizes and respects all marks used by companies, manufacturers, and
developers as a means to distinguish their products.
This book is sold as is, without warranty of any kind, either express or implied, respecting the contents of this book and
any disks or programs that may accompany it, including but not limited to implied warranties for the book's quality,
performance, merchantability, or fitness for any particular purpose. Neither Jones and Bartlett Publishers nor its dealers or
distributors shall be liable to the purchaser or any other person or entity with respect to any liability, loss, or damage caused
or alleged to have been caused directly or indirectly by this book.
All inquiries for volume purchases of this book should be addressed to Wordware Publishing, Inc.,
at the above address. Telephone inquiries may be made by calling:
(972) 423-0090
This book is dedicated to Sun Wukong,
the quintessential mischief-maker.
Contents

Preface: Metadata ..... xix

Part I - Foundations

Chapter 1 Setting the Stage ..... 3
1.1 Forensic Evidence ..... 3
1.2 First Principles ..... 8
  Semantics ..... 9
  Rootkits: The Kim Philby of System Software ..... 11
  Who Is Using Rootkit Technology? ..... 13
    The Feds ..... 13
    The Spooks ..... 13
    The Suits ..... 15
1.3 The Malware Connection ..... 15
  Infectious Agents ..... 16
  Adware and Spyware ..... 17
  Rise of the Botnets ..... 17
  Malware versus Rootkits ..... 19
  Job Security: The Nature of the Software Industry ..... 19
1.4 Closing Thoughts ..... 21

Chapter 2 Into the Catacombs: IA-32 ..... 23
2.1 IA-32 Memory Models ..... 24
  Physical Memory ..... 25
  Flat Memory Model ..... 27
  Segmented Memory Model ..... 27
  Modes of Operation ..... 28
2.2 Real Mode ..... 29
  Case Study: MS-DOS ..... 30
  Isn't This a Waste of Time? Why Study Real Mode? ..... 32
  The Real-Mode Execution Environment ..... 33
  Real-Mode Interrupts ..... 35
  Segmentation and Program Control ..... 38
  Case Study: Dumping the IVT ..... 40
  Case Study: Logging Keystrokes with a TSR ..... 41
  Case Study: Hiding the TSR ..... 45
  Case Study: Patching the tree.com Command ..... 50
  Synopsis ..... 53
2.3 Protected Mode ..... 54
  The Protected-Mode Execution Environment ..... 54
  Protected-Mode Segmentation ..... 57
  Protected-Mode Paging ..... 61
  Protected-Mode Paging: A Closer Look ..... 63
2.4 Implementing Memory Protection ..... 66
  Protection through Segmentation ..... 67
    Limit Checks ..... 67
    Type Checks ..... 68
    Privilege Checks ..... 68
    Restricted-Instruction Checks ..... 69
    Gate Descriptors ..... 70
    Protected-Mode Interrupt Tables ..... 73
  Protection through Paging ..... 74
  Summary ..... 76

Chapter 3 Windows System Architecture ..... 79
3.1 Physical Memory ..... 80
  Physical Address Extension (PAE) ..... 81
  Data Execution Prevention (DEP) ..... 82
  Address Windowing Extensions (AWE) ..... 82
  Pages, Page Frames, and Page Frame Numbers ..... 83
3.2 Memory Protection ..... 83
  Segmentation ..... 84
  Paging ..... 86
  Linear to Physical Address Translation ..... 91
    Longhand Translation ..... 91
    A Quicker Approach ..... 92
    Another Quicker Approach ..... 93
3.3 Virtual Memory ..... 93
  User Space Topography ..... 96
  Kernel Space Dynamic Allocation ..... 97
  Address Space Layout Randomization (ASLR) ..... 98
3.4 User Mode and Kernel Mode ..... 100
  How versus Where ..... 100
  Kernel-Mode Components ..... 101
  User-Mode Components ..... 103
3.5 The Native API ..... 105
  The IVT Grows Up ..... 106
  Hardware and the System Call Mechanism ..... 107
  System Call Data Structures ..... 108
  The SYSENTER Instruction ..... 109
  The System Service Dispatch Tables ..... 110
  Enumerating the Native API ..... 113
  Nt*() versus Zw*() System Calls ..... 114
  The Life Cycle of a System Call ..... 116
  Other Kernel-Mode Routines ..... 119
  Kernel-Mode API Documentation ..... 122
3.6 The Boot Process ..... 124
  Startup for BIOS Firmware ..... 124
  Startup for EFI Firmware ..... 126
  The Windows Boot Manager ..... 126
  The Windows Boot Loader ..... 127
  Initializing the Executive ..... 130
  The Session Manager ..... 132
  Wininit.exe ..... 134
  Winlogon.exe ..... 134
  The Major Players ..... 134
3.7 Design Decisions ..... 136
  How Will Our Rootkit Execute at Run Time? ..... 137
  What Constructs Will Our Rootkit Manipulate? ..... 138

Chapter 4 Rootkit Basics ..... 141
4.1 Rootkit Tools ..... 142
  Development Tools ..... 142
  Diagnostic Tools ..... 143
  Reversing Tools ..... 144
  Disk Imaging Tools ..... 145
  Tool Roundup ..... 147
4.2 Debuggers ..... 148
  Configuring Cdb.exe ..... 150
    Symbol Files ..... 150
    Windows Symbols ..... 151
    Invoking Cdb.exe ..... 153
    Controlling Cdb.exe ..... 154
  Useful Debugger Commands ..... 155
    Examine Symbols Command (x) ..... 155
    List Loaded Modules (lm and !lmi) ..... 157
    Display Type Command (dt) ..... 158
    Unassemble Command (u) ..... 158
    Display Command (d*) ..... 159
    Registers Command (r) ..... 161
  The Kd.exe Kernel Debugger ..... 161
    Different Ways to Use a Kernel Debugger ..... 162
    Configuring Kd.exe ..... 164
    Preparing the Hardware ..... 164
    Preparing the Software ..... 166
    Launching a Kernel Debugging Session ..... 168
    Controlling the Target ..... 169
  Useful Kernel-Mode Debugger Commands ..... 170
    List Loaded Modules Command (lm) ..... 170
    !process ..... 171
    Registers Command (r) ..... 173
  Working with Crash Dumps ..... 173
    Method 1 ..... 174
    Method 2 ..... 175
    Crash Dump Analysis ..... 175
4.3 A Rootkit Skeleton ..... 176
  Kernel-Mode Driver Overview ..... 176
  A Minimal Rootkit ..... 178
  Handling IRPs ..... 181
    DeviceType ..... 185
    Function ..... 186
    Method ..... 186
    Access ..... 186
  Communicating with User-Mode Code ..... 187
  Sending Commands from User Mode ..... 190
  Source Code Organization ..... 193
  Performing a Build ..... 194
    WDK Build Environments ..... 194
    Build.exe ..... 195
4.4 Loading a KMD ..... 198
  The Service Control Manager (SCM) ..... 198
    Using sc.exe at the Command Line ..... 199
    Using the SCM Programmatically ..... 200
    Registry Footprint ..... 202
  ZwSetSystemInformation() ..... 203
  Writing to the \Device\PhysicalMemory Object ..... 208
  Modifying Driver Code Paged to Disk ..... 208
  Leveraging an Exploit in the Kernel ..... 210
4.5 Installing and Launching a Rootkit ..... 210
  Launched by the Operating System ..... 211
  Launched by a User-Mode Application ..... 212
    Use the SCM ..... 212
    Use an Auto-Start Extensibility Point (ASEP) ..... 213
    Install the Launcher as an Add-On to an Existing Application ..... 215
  Defense in Depth ..... 216
  Kamikaze Droppers ..... 216
  Rootkit Uninstall ..... 219
4.6 Self-Healing Rootkits ..... 220
  Auto-Update ..... 224
4.7 Windows Kernel-Mode Security ..... 225
  Kernel-Mode Code Signing (KMCS) ..... 225
  Kernel Patch Protection (KPP) ..... 229
  Restricted Access to \Device\PhysicalMemory ..... 230
4.8 Synchronization ..... 230
  Interrupt Request Levels ..... 230
  Deferred Procedure Calls (DPCs) ..... 234
  Implementation ..... 235
4.9 Commentary ..... 240

Part II - System Modification

Chapter 5 Hooking Call Tables ..... 243
5.1 Hooking in User Space: The IAT ..... 245
  DLL Basics ..... 246
    Accessing Exported Routines ..... 247
    Load-Time Dynamic Linking ..... 248
    Run-Time Dynamic Linking ..... 249
  Injecting a DLL ..... 250
    The AppInit_DLLs Registry Value ..... 250
    The SetWindowsHookEx() API Call ..... 251
    Using Remote Threads ..... 252
  PE File Format ..... 255
    The DOS HEADER ..... 255
    RVAs ..... 256
    The PE Header ..... 257
    Walking through a PE on Disk ..... 260
  Hooking the IAT ..... 265
5.2 Hooking in Kernel Space ..... 269
  Hooking the IDT ..... 270
    Handling Multiple Processors - Solution 1 ..... 271
    Naked Routines ..... 276
    Issues with Hooking the IDT ..... 278
  Hooking Processor MSRs ..... 279
    Handling Multiple Processors - Solution 2 ..... 282
  Hooking the SSDT ..... 286
    Disabling the WP Bit - Technique 1 ..... 288
    Disabling the WP Bit - Technique 2 ..... 289
    Hooking SSDT Entries ..... 291
    SSDT Example: Tracing System Calls ..... 293
    SSDT Example: Hiding a Process ..... 296