Windows Rootkits Userland API Hooking - PowerPoint PPT Presentation

1
Windows Rootkits Userland API Hooking
  • Robert Vinson, IT Security Analyst, University
    of Iowa
  • 09/06/06

2
Presentation structure

  #include <presentation.h>
  #define GOOD 1

  typedef struct hook_slide {
      slide_ptr IAT;
      slide_ptr Inline;
      slide_ptr Injection;
      slide_ptr Detection;
  } hSlides_t;

  struct RootkitPresentation {
      slide_ptr Definition;
      slide_ptr Evolution;
      hSlides_t Userland_API_Hooking;
      slide_ptr Resources;
      slide_ptr References;
  } rootkits;

  if (do_presentation(rootkits) != GOOD)
      exit(QUICKLY);
  exit(0);
3
rootkits.Definition
  • The Hacker Jargon File
  • rootkit: /root'kit/, n.
  • [very common] A kit for maintaining root; an
    automated cracking tool. What script kiddies use.
    After a cracker has first broken in and gained
    root access, he or she will install modified
    binaries (such as a modified version of login with a
    backdoor, or a version of ps that will not report
    the cracker's processes). This is a rootkit.
  • Wikipedia
  • A rootkit is a set of software tools intended to
    conceal running processes, files or system data.

0x00
4
rootkits.Evolution
  • The Roots
  • Rootkits were originally written for *nix systems.
    The goal of these kits was to let an attacker
    maintain root access to a computer; that is where
    the "root" in the compound word comes from.
    These kits typically replaced or modified common
    administrative utilities (ls, ps, netstat, login)
    so that the attacker's backdoor, files and
    processes would not be reported.
  • The Branches
  • Rootkits have since grown into userland API
    hooking, kernel hooking, DKOM (Direct Kernel
    Object Manipulation), and more.

5
rootkits.Userland_API_Hooking
  • IAT Hooking
  • Overwrite Import Address Table entries so that
    calls to an imported function land in the
    rootkit's code instead.
  • To overwrite IAT entries, one must be in the same
    address space as the target process.
  • Inline Hooking
  • Overwrite the first bytes of a function with a
    jump to another function.
  • To overwrite a function's code, one must likewise
    be in the same address space as the target process.

6
rootkits.Userland_API_Hooking.IAT
  • Definition - IAT
  • The Import Address Table is a per-module array of
    function pointers, one per imported function.
  • The IAT entries are filled in by the Windows
    loader when it maps the program, resolving each
    import against the exporting DLL's export table.
  • Each entry holds the address of a function in a
    .dll loaded into the address space of the process.
    Calls to imported functions go through these
    entries (call [IAT slot]), so replacing one entry
    redirects every call the module makes to that
    function, without touching the DLL itself.

7
rootkits.Userland_API_Hooking.Inline
  • Definition - Inline Hooking
  • Inline Hooking consists of modifying a function's
    code in memory in order to change the flow of
    execution.
  • The first handful of bytes of the function are
    replaced with an instruction (typically a jmp)
    that sends the instruction pointer (EIP) to code
    somewhere else in memory. Unlike an IAT hook, this
    catches every caller of the function, including
    callers that found it via GetProcAddress.
  • The overwritten bytes must be saved and re-executed
    (a trampoline) if the hook wants to call the
    original function afterwards.

8
rootkits.Userland_API_Hooking.Injection0
  • Each process has its own view of memory.
  • Virtual Memory
  • Process A's memory is protected from modification
    by process B.
  • How does one perform IAT or Inline hooking if A's
    memory is completely inaccessible?
  • Wait for it... It's not! The rootkit injects its
    own code (usually a DLL) into A, and from inside A
    it can patch anything in A's address space.

9
rootkits.Userland_API_Hooking.Injection1
  • Ways to Inject
  • Modify the DLL imports of an executable image on
    disk so the loader pulls in the rootkit DLL (LordPE
    and similar PE editors).
  • Use the registry value HKLM\Software\Microsoft\Windows
    NT\CurrentVersion\Windows\AppInit_DLLs. User32.dll
    loads every DLL listed there into each process that
    loads User32.dll.
  • Use SetWindowsHookEx(): a hook procedure in a DLL is
    mapped into every process that receives the hooked
    window messages.
  • Use CreateRemoteThread() (after OpenProcess,
    VirtualAllocEx and WriteProcessMemory) to start a
    thread in the target process, typically at
    LoadLibrary with the path of the rootkit DLL as its
    argument.

10
rootkits.Userland_API_Hooking.Detection
  • IAT Hooking
  • Look in the IAT for entries whose address falls
    outside the module that is supposed to export the
    function (compare against the DLL's load range, or
    better, against the address the DLL's export table
    gives for that name).
  • Inline Hooking
  • Check the first few bytes of each exported function
    for a jump (jmp rel32, jmp [addr], push/ret) to
    foreign code, or compare them with the function's
    bytes in the on-disk image.
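The IAT slide and the IAT check on the Detection slide both come down to walking the import directory of a PE image. The following C is an added example, not code from the presentation: it builds a small constructed PE32 image in a buffer (the kernel32.dll load range K32_BASE/K32_SIZE, the resolved IAT values and the detour address HOOK_VA are all sample values), locates the IAT slot for kernel32!CreateFileW, overwrites it the way a rootkit would, and then runs the out-of-range scan a detector would run. Field offsets (e_lfanew at 0x3C, the import directory at offset 96 + 8 of a PE32 optional header, the 20-byte IMAGE_IMPORT_DESCRIPTOR with OriginalFirstThunk/Name/FirstThunk at 0/12/16) are from the PE/COFF specification.

```c
/* Import Address Table walk over an in-memory PE32 image: find a slot,
 * overwrite it (the hook), then scan for slots whose target lies outside the
 * module that should export the function (the check). Field offsets follow the
 * PE/COFF spec; the "image" is a constructed byte buffer, so nothing here
 * touches a live process or needs VirtualProtect. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE   0x400
#define DIR_IMPORT 1             /* IMAGE_DIRECTORY_ENTRY_IMPORT */
#define K32_BASE   0x7C800000u   /* sample load range for kernel32.dll (constructed) */
#define K32_SIZE   0x000F6000u
#define HOOK_VA    0x10001000u   /* sample address of the detour inside the rootkit's injected DLL */

static uint32_t rd32(const uint8_t *p, uint32_t o) { uint32_t v; memcpy(&v, p + o, 4); return v; }
static void wr32(uint8_t *p, uint32_t o, uint32_t v) { memcpy(p + o, &v, 4); }

/* DLL names in the import table are matched case-insensitively ("KERNEL32.dll"). */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* RVA of the first IMAGE_IMPORT_DESCRIPTOR, or 0 if this is not a PE32 image. */
static uint32_t import_dir_rva(const uint8_t *img) {
    if (memcmp(img, "MZ", 2) != 0) return 0;
    uint32_t nt = rd32(img, 0x3C);                        /* IMAGE_DOS_HEADER.e_lfanew */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    uint32_t opt = nt + 4 + 20;                           /* Signature + IMAGE_FILE_HEADER */
    if ((rd32(img, opt) & 0xFFFF) != 0x10B) return 0;     /* PE32 only; PE32+ (0x20B) has 64-bit thunks */
    return rd32(img, opt + 96 + 8 * DIR_IMPORT);          /* DataDirectory[1].VirtualAddress */
}

/* Descriptor for a given DLL; the array ends with an all-zero entry (Name == 0). */
static uint32_t find_descriptor(const uint8_t *img, const char *dll) {
    for (uint32_t d = import_dir_rva(img); d && rd32(img, d + 12) != 0; d += 20)
        if (name_eq((const char *)img + rd32(img, d + 12), dll)) return d;
    return 0;
}

/* RVA of the IAT slot for dll!func, or 0 if it is not imported by name.
 * OriginalFirstThunk (offset 0) lists hint/name RVAs; FirstThunk (offset 16) is
 * the parallel array of pointers the loader fills in: the IAT itself. */
uint32_t find_iat_slot(const uint8_t *img, const char *dll, const char *func) {
    uint32_t d = find_descriptor(img, dll), e;
    if (!d) return 0;
    for (uint32_t i = 0; (e = rd32(img, rd32(img, d) + 4 * i)) != 0; i++)
        if (!(e & 0x80000000u) && strcmp((const char *)img + e + 2, func) == 0)  /* +2 skips the Hint */
            return rd32(img, d + 16) + 4 * i;
    return 0;
}

/* The hook: redirect the slot, keeping the original so the detour can call through.
 * In a live process the IAT page is read-only and must be VirtualProtect()ed first. */
int hook_iat(uint8_t *img, const char *dll, const char *func, uint32_t hook_va, uint32_t *orig) {
    uint32_t slot = find_iat_slot(img, dll, func);
    if (!slot) return 0;
    *orig = rd32(img, slot);
    wr32(img, slot, hook_va);
    return 1;
}

/* The check: count IAT entries for dll whose target lies outside [base, base + size),
 * i.e. outside the module that is supposed to export them. */
int scan_iat(const uint8_t *img, const char *dll, uint32_t base, uint32_t size) {
    uint32_t d = find_descriptor(img, dll), e;
    int bad = 0;
    if (!d) return 0;
    for (uint32_t i = 0; (e = rd32(img, rd32(img, d) + 4 * i)) != 0; i++) {
        uint32_t target = rd32(img, rd32(img, d + 16) + 4 * i);
        if (target >= base && target < base + size) continue;
        printf("IAT[%u] %s -> 0x%08x lies outside %s\n", i,
               (e & 0x80000000u) ? "(ordinal)" : (const char *)img + e + 2, target, dll);
        bad++;
    }
    return bad;
}

/* Constructed PE32 stub: one descriptor (kernel32.dll) importing CreateFileW and
 * ReadFile by name. The IAT values stand in for addresses the loader would resolve. */
void build_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    memcpy(img, "MZ", 2);             wr32(img, 0x3C, 0x80);          /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);  wr32(img, 0x98, 0x10B);         /* OptionalHeader.Magic (PE32) */
    wr32(img, 0x98 + 96 + 8 * DIR_IMPORT, 0x200);                     /* import directory RVA */
    wr32(img, 0x200, 0x300); wr32(img, 0x20C, 0x280); wr32(img, 0x210, 0x320); /* OFT, Name, FT */
    strcpy((char *)img + 0x280, "kernel32.dll");
    strcpy((char *)img + 0x2A2, "CreateFileW"); strcpy((char *)img + 0x2C2, "ReadFile"); /* after 2-byte Hint */
    wr32(img, 0x300, 0x2A0); wr32(img, 0x304, 0x2C0);                 /* INT: hint/name RVAs */
    wr32(img, 0x320, K32_BASE + 0x1A24); wr32(img, 0x324, K32_BASE + 0x10E8); /* IAT: resolved pointers */
}

int main(void) {
    static uint8_t img[IMG_SIZE];
    uint32_t orig = 0;
    build_image(img);
    printf("clean image: %d suspicious entries\n", scan_iat(img, "kernel32.dll", K32_BASE, K32_SIZE));
    hook_iat(img, "kernel32.dll", "CreateFileW", HOOK_VA, &orig);
    printf("after hook:  %d suspicious entries (original target 0x%08x)\n",
           scan_iat(img, "kernel32.dll", K32_BASE, K32_SIZE), orig);
    return 0;
}
```

The range check is the cheap heuristic from the slide. Forwarded exports and bound imports can legitimately point outside the named DLL, so a detector that wants fewer false positives resolves the name through the DLL's export table and compares the exact address, and a detector running on a live process reads the headers of the mapped module rather than a buffer like this one.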

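The Inline slide and the inline check on the Detection slide are shown together below in an added C example that is not part of the presentation. It writes a 32-bit x86 "jmp rel32" detour over a constructed copy of a hot-patchable Windows prologue (mov edi,edi; push ebp; mov ebp,esp; ...), then runs the two checks a detector uses: does the function start with a control transfer, and do its in-memory bytes still match the on-disk copy. CLEAN, FN_VA and HOOK_VA are sample bytes and addresses, not real kernel32 contents.

```c
/* x86 (32-bit) inline hook over a byte buffer, plus the two checks a detector
 * runs on function prologues. Portable C over constructed bytes: a live hook
 * would additionally need VirtualProtect() on the code page and a trampoline
 * that re-executes the displaced instructions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_LEN 5   /* E9 rel32 */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* The hook: overwrite the first 5 bytes of fn (which the caller says is mapped at
 * fn_va) with "jmp hook_va". The displaced bytes go to saved[] so a trampoline can
 * replay them before continuing at fn_va + 5. */
void write_jmp_hook(uint8_t *fn, uint32_t fn_va, uint32_t hook_va, uint8_t saved[HOOK_LEN]) {
    memcpy(saved, fn, HOOK_LEN);
    fn[0] = 0xE9;                                   /* jmp rel32 */
    wr32(fn + 1, hook_va - (fn_va + HOOK_LEN));     /* rel32 is relative to the next instruction */
}

/* Check 1: does the function begin with an unconditional transfer? Returns a
 * label for the pattern or NULL, and the destination in *target. fn must hold
 * at least 6 bytes. Thunks and hot-patched functions start with jumps too, so
 * a hit needs confirmation (is the target inside a known module?). */
const char *detect_inline_hook(const uint8_t *fn, uint32_t fn_va, uint32_t *target) {
    if (fn[0] == 0xE9) { *target = fn_va + 5 + rd32(fn + 1); return "jmp rel32"; }
    if (fn[0] == 0xEB) { *target = fn_va + 2 + (int8_t)fn[1]; return "jmp rel8"; }
    if (fn[0] == 0xFF && fn[1] == 0x25) { *target = rd32(fn + 2); return "jmp [abs32] (pointer slot)"; }
    if (fn[0] == 0x68 && fn[5] == 0xC3) { *target = rd32(fn + 1); return "push imm32; ret"; }
    return NULL;
}

/* Check 2: compare the in-memory prologue with the pristine copy taken from the
 * module on disk (relocations applied). Returns the offset of the first differing
 * byte, or -1 if the first n bytes match. */
int compare_prologue(const uint8_t *in_memory, const uint8_t *on_disk, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (in_memory[i] != on_disk[i]) return (int)i;
    return -1;
}

/* Constructed sample: the hot-patchable prologue "mov edi,edi; push ebp; mov ebp,esp;
 * sub esp,1Ch; push ebx; push esi; push edi; mov edi,[ebp+8]" followed by nops.
 * FN_VA and HOOK_VA are sample addresses (kernel32 export, injected DLL). */
static const uint8_t CLEAN[16] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x1C,
                                  0x53,0x56,0x57,0x8B,0x7D,0x08,0x90,0x90};
#define FN_VA   0x7C801A24u
#define HOOK_VA 0x10001000u

int main(void) {
    uint8_t mem[16], saved[HOOK_LEN];
    uint32_t target = 0;
    memcpy(mem, CLEAN, sizeof mem);
    printf("clean:  %s\n", detect_inline_hook(mem, FN_VA, &target) ? "flagged" : "no jump at entry");
    write_jmp_hook(mem, FN_VA, HOOK_VA, saved);
    printf("hooked: %s -> 0x%08x, differs from disk copy at offset %d, displaced bytes %02X %02X %02X %02X %02X\n",
           detect_inline_hook(mem, FN_VA, &target), target, compare_prologue(mem, CLEAN, sizeof mem),
           saved[0], saved[1], saved[2], saved[3], saved[4]);
    return 0;
}
```

The 5-byte rel32 jump only reaches 2 GB either way, which is why 64-bit detours use "jmp [rip+0]" with an 8-byte pointer or "mov rax, imm64; jmp rax" instead; the first-byte check needs those patterns added on x64. The comparison against the on-disk image is the more robust of the two checks, which is the approach the tools on the Resources slide take.
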
11
rootkits.Resources
  • Hacker Defender rootkit defeating common rootkit
    detectors
  • http://hxdef.org/download/brilliant.php
  • Rootkit technology development
  • http://www.rootkit.com
  • Rootkit detection
  • Strider - http://research.microsoft.com/rootkit
  • BlackLight - http://www.f-secure.com/blacklight
  • RootkitRevealer - http://www.sysinternals.com/Utilities/RootkitRevealer.html
  • Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

12
rootkits.References
  • Hoglund, Greg, and James Butler. Rootkits:
    Subverting the Windows Kernel. Stoughton, MA:
    Addison-Wesley, 2006.
  • Portable Executable format -
    http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
