http://blog.csdn.net/StudyFromEveryOne/archive/2008/07/07/2623129.aspx by vxk
My Root Kit Note

0. What Does "Root Kit" Really Mean?
A root kit is a kind of tool that hides itself, or other files or processes, from a normal user's eyes, or that takes privileges for whoever controls it.

1. Living With Hooks: Hook and Anti-Hook
To hide files or processes, or even to build a root kit's own network stack, hooking may be used.

1.1 API Hook
This kind of hooking, working on the IAT or EAT or sometimes inline, has existed for a long time. But it is very easy to defeat: read and map the file the right way, do the relocations correctly, and you get the real API address or the real code at the API's entry point.
1.2 SSDT Hook
Sometimes, when an API hook (based on the PE file structure) fails to survive the hook check, or the API wanted is not exported, I turn to hooking the SSDT. This too became common a very long time ago, and it is also easy to find and fix: one only has to read the ntos kernel file and remap the SSDT from it to check or remove this kind of hook.
1.3 IRP Hook
1.4 Interrupt Hook
For example, a key logger root kit hooks the keyboard interrupt. Many powerful root kits use interrupt hooks to make themselves more useful. It is hard to find an interrupt hook outside the range of KiTrapXX (910920 gave a way to read the KiTrapXX addresses from the file...), and also hard to recover from one. But where there is a will there is a way... (I do not know how to get the real address of an ISR that is not set by the ntos kernel. But the keyboard driver can tell me the real keyboard interrupt; it is hardcoded searching... not a good way.)
1.5 NDIS Open Block Hook
A powerful root kit must support networking in kernel mode. For this it may use TDI or NDIS, but TDI is easy to find or to defeat with anti-spy tools, so NDIS may be the better choice. Some root kits use IpFltDrv to reuse the socket and run their own network, but that is not nice: many anti-spy tools can find the change to IpFltDrv, and only one filter can be registered with IpFltDrv, so it may already be taken by someone else. As far as I can see, the root kit [EMAIL PROTECTED] uses protocol open block hooks to own the network. But actually it crashes when running alongside some anti-spy tools. So there is another way, on the miniport layer: hook the NDISWAN miniport open block. The problem is how to get the list of NDIS miniports. Look at how an NDIS IM driver registers: NdisIMRegisterLayeredMiniport returns a handle that is in fact a pointer into that list. So we can just register a fake IM driver to get the list pointer, and then hook the entries just like protocol open blocks. To find this kind of hook one must use hardcoded searching for some VAs in ndis.sys, tcpip.sys and ndiswan.sys.
1.6 Non-Exported Inline Hook
Anti-spy tools may use inline hooks on some important non-exported kernel-mode routines, making it difficult for a root kit to do its work. A root kit can also use inline hooks to bypass some checks. To find or recover an inline hook one must remap the file, redo the relocations, and then compare the mapping against memory, just as SVV does. Recovering an inline hook may end in a BSOD.
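The "map the file, apply the relocations, compare against memory" check that 1.1, 1.2 and 1.6 all rely on, as an added example that is not code from the original note or from SVV. It works on a constructed, hypothetical 32-bit image (a short function plus a four-entry pointer table standing in for an SSDT or IAT, with IMAGE_REL_BASED_HIGHLOW fix-ups) rather than a real ntoskrnl, and the addresses 0x00400000, 0x00410000, 0xDEADBEEF and the hook bytes are all invented for the demonstration. The live copy carries a 5-byte jmp inline hook on the function entry and one redirected table entry; the relocated disk copy reveals exactly those two spots, while the same diff without relocation flags every fix-up site as well, which is why the relocation step matters.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified 32-bit image: a tiny code/data section laid out at
 * its RVAs, the preferred ImageBase, and the RVAs of the HIGHLOW fix-ups the
 * loader patches on x86. Hypothetical data, not a real kernel file. */
#define IMG_SIZE   0x40
#define MAX_RELOCS 8
#define MAX_RANGES 16

struct image {
    uint8_t  bytes[IMG_SIZE];
    uint32_t image_base;
    uint32_t reloc_rva[MAX_RELOCS];
    size_t   reloc_count;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* On-disk view: a function prologue, "mov eax, <absolute address>" whose
 * imm32 needs a fix-up, then a 4-entry table of absolute pointers (think
 * SSDT or IAT), every entry of which needs a fix-up. */
void build_disk_image(struct image *img) {
    static const uint8_t code[] = {
        0x8B, 0xFF, 0x55, 0x8B, 0xEC,   /* mov edi,edi; push ebp; mov ebp,esp */
        0xB8, 0x30, 0x00, 0x40, 0x00,   /* mov eax, 0x00400030                */
        0xC3                            /* ret                                 */
    };
    static const uint32_t relocs[] = { 0x06, 0x20, 0x24, 0x28, 0x2C };
    memset(img, 0, sizeof *img);
    memcpy(img->bytes, code, sizeof code);
    img->image_base = 0x00400000;
    for (uint32_t i = 0; i < 4; i++)
        wr32(img->bytes + 0x20 + 4 * i, 0x00400000 + 0x10 * i);
    memcpy(img->reloc_rva, relocs, sizeof relocs);
    img->reloc_count = 5;
}

/* Apply the loader's delta to the file mapping so it matches what the kernel
 * executes. Skipping this turns every fix-up site into a false "hook". */
void relocate_image(struct image *img, uint32_t loaded_base) {
    uint32_t delta = loaded_base - img->image_base;
    for (size_t i = 0; i < img->reloc_count; i++) {
        uint8_t *p = img->bytes + img->reloc_rva[i];
        wr32(p, rd32(p) + delta);
    }
    img->image_base = loaded_base;
}

/* Live view: the image as mapped at 0x00410000, then tampered with twice:
 * a 5-byte "jmp rel32" inline hook over the prologue (invented target), and
 * table entry 1 redirected to a foreign address (an SSDT/IAT-style hook). */
void build_live_image(uint8_t out[IMG_SIZE]) {
    static const uint8_t jmp_hook[] = { 0xE9, 0x78, 0x56, 0x34, 0x12 };
    struct image live;
    build_disk_image(&live);
    relocate_image(&live, 0x00410000);
    memcpy(live.bytes, jmp_hook, sizeof jmp_hook);
    wr32(live.bytes + 0x24, 0xDEADBEEF);
    memcpy(out, live.bytes, IMG_SIZE);
}

/* Byte-compare and collect each run of differing bytes as (rva, length). */
size_t find_patched_ranges(const uint8_t *disk, const uint8_t *mem, size_t len,
                           uint32_t *rva, uint32_t *length, size_t max) {
    size_t n = 0, i = 0;
    while (i < len) {
        size_t j;
        if (disk[i] == mem[i]) { i++; continue; }
        for (j = i; j < len && disk[j] != mem[j]; j++) ;
        if (n < max) { rva[n] = (uint32_t)i; length[n] = (uint32_t)(j - i); n++; }
        i = j;
    }
    return n;
}

static uint32_t g_rva[MAX_RANGES], g_len[MAX_RANGES];

/* The whole check: map file, relocate (or not), diff against memory.
 * Returns the number of patched ranges; details are kept in g_rva/g_len. */
size_t scan_for_hooks(int do_relocate) {
    struct image disk;
    uint8_t live[IMG_SIZE];
    build_disk_image(&disk);
    build_live_image(live);
    if (do_relocate)
        relocate_image(&disk, 0x00410000);
    return find_patched_ranges(disk.bytes, live, IMG_SIZE, g_rva, g_len, MAX_RANGES);
}
uint32_t hook_rva(size_t i) { return g_rva[i]; }
uint32_t hook_len(size_t i) { return g_len[i]; }

int main(void) {
    size_t n = scan_for_hooks(1);
    for (size_t i = 0; i < n; i++)
        printf("patched: rva 0x%02X, %u bytes (%s)\n", (unsigned)g_rva[i], (unsigned)g_len[i],
               g_rva[i] == 0 ? "inline hook at function entry" : "pointer table entry");
    printf("without relocation the diff reports %u ranges\n", (unsigned)scan_for_hooks(0));
    return 0;
}
```

A real checker parses the PE headers to find the section RVAs and the .reloc directory instead of the hard-wired layout used here, and compares only executable sections and pointer tables, since writable data legitimately differs from disk.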
2. Kernel Network: TDI and NDIS, Blue or Goal
Every useful root kit must support networking with a kernel socket.

2.1 TDI
Most free root kits use the TDI client technique to build a kernel socket. But as time goes on, it is not useful today.
2.2 NDIS
[EMAIL PROTECTED]/2k used NDIS protocol registration for its networking; [EMAIL PROTECTED] used NDIS protocol open block hooks to do the same thing. [EMAIL PROTECTED] (no public version) used NDIS miniport open block hooks, and iceberg wrote a full TCP socket based on
3. KDOM: Fast to Die or
[EMAIL PROTECTED] brings a new way to hide processes, gain privileges and do other things only by modifying some structures in system memory. Every coin has two faces: KDOM (that is, DKOM, direct kernel object manipulation) can do nearly everything, but the right positions of the structures to be modified are hard to get, and hardcoding the offset or address may crash the system. Finding a KDOM modification is easy: just walk another linked list or another database head...
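The cross-view check the paragraph above describes, as an added example that is not code from the original note or from any of the root kits it names. It models the kernel's intrusive doubly linked lists with hypothetical structures (the real EPROCESS layout is version-specific, which is exactly the "hard to get the right positions" problem), hides one of four constructed processes the way a DKOM root kit does, and then finds it by walking a second chain every process is also linked on and asking which entries are missing from the active process list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for LIST_ENTRY and a cut-down EPROCESS: a process
 * sits on the active process chain and on at least one other chain. */
struct list_entry { struct list_entry *flink, *blink; };

struct eprocess {
    uint32_t          pid;
    struct list_entry active_links;   /* the chain task-list tools walk */
    struct list_entry second_links;   /* any other chain the process is on */
};

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

static void list_init(struct list_entry *h) { h->flink = h->blink = h; }

static void list_insert_tail(struct list_entry *h, struct list_entry *e) {
    e->flink = h; e->blink = h->blink;
    h->blink->flink = e; h->blink = e;
}

/* What the DKOM root kit does: unlink from the chain the task list reads,
 * then point the orphaned entry at itself so that later unlinks or walks
 * through this process never touch a stale neighbour (the crash the note
 * warns about when structures are patched carelessly). */
void dkom_hide_process(struct eprocess *p) {
    struct list_entry *e = &p->active_links;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = e;
}

static int on_list(const struct list_entry *head, const struct list_entry *target) {
    for (const struct list_entry *e = head->flink; e != head; e = e->flink)
        if (e == target) return 1;
    return 0;
}

static size_t list_count(const struct list_entry *head) {
    size_t n = 0;
    for (const struct list_entry *e = head->flink; e != head; e = e->flink) n++;
    return n;
}

/* Cross-view detection: anything reachable through the second chain but not
 * through the active chain has been unlinked. PIDs go to `hidden`. */
size_t find_hidden_processes(const struct list_entry *active_head,
                             const struct list_entry *second_head,
                             uint32_t *hidden, size_t max) {
    size_t n = 0;
    for (const struct list_entry *e = second_head->flink; e != second_head; e = e->flink) {
        const struct eprocess *p = CONTAINING_RECORD(e, struct eprocess, second_links);
        if (!on_list(active_head, &p->active_links)) {
            if (n < max) hidden[n] = p->pid;
            n++;
        }
    }
    return n;
}

/* Constructed scenario: four processes, pid 200 hidden by DKOM. */
static struct eprocess procs[4];
static struct list_entry active_head, second_head;
static uint32_t g_hidden[4];

size_t demo_hidden(void) {
    static const uint32_t pids[4] = { 4, 100, 200, 300 };
    list_init(&active_head); list_init(&second_head);
    for (int i = 0; i < 4; i++) {
        procs[i].pid = pids[i];
        list_insert_tail(&active_head, &procs[i].active_links);
        list_insert_tail(&second_head, &procs[i].second_links);
    }
    dkom_hide_process(&procs[2]);
    return find_hidden_processes(&active_head, &second_head, g_hidden, 4);
}
uint32_t hidden_pid(size_t i) { return g_hidden[i]; }
size_t active_count(void) { return list_count(&active_head); }

int main(void) {
    size_t n = demo_hidden();
    printf("task list shows %u processes, cross-view found %u hidden\n",
           (unsigned)active_count(), (unsigned)n);
    for (size_t i = 0; i < n; i++)
        printf("hidden pid %u\n", (unsigned)hidden_pid(i));
    return 0;
}
```

The second chain can be any structure the kernel keeps per process that the root kit did not also patch, which is why a root kit that unlinks from only one list is found as soon as a checker compares two of them.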
4. Final
I am Chinese, and my English is very poor. Contact me:
