Page 1

Windows Rootkits – Userland API Hooking

Robert Vinson – IT Security Analyst – University of Iowa
09/06/06

Page 2

Presentation “structure”

#include <presentation.h>
#define GOOD 1

typedef struct hook_slide {
    slide_ptr IAT;
    slide_ptr Inline;
    slide_ptr Injection;
    slide_ptr Detection;
} hSlides_t;

struct RootkitPresentation {
    slide_ptr Definition;
    slide_ptr Evolution;
    hSlides_t Userland_API_Hooking;
    slide_ptr Resources;
    slide_ptr References;
} rootkits;

if (do_presentation(rootkits) != GOOD)
    exit(QUICKLY);

exit(0);

Page 3

rootkits.Definition

The Hacker Jargon File:
• rootkit: /root´kit/, n.
• [very common] A kit for maintaining root; an automated cracking tool. What script kiddies use. After a cracker has first broken in and gained root access, he or she will install modified binaries such as a modified version of login with a backdoor, or a version of ps that will not report the cracker's processes. This is a rootkit.

Wikipedia:
• “A rootkit is a set of software tools intended to conceal running processes, files or system data …”


Page 4

rootkits.Evolution

The Roots:
• Rootkits were originally for *nix systems. The goal of these kits was to allow an attacker to maintain root access to a computer. This is where the “root” comes from in the compound word. These kits typically replaced or modified common administrative utilities to hide backdoor utilities.

The Branches:
• Rootkits have grown into API hooking, kernel hooking, DKOM (Direct Kernel Object Manipulation), and more…


Page 5

rootkits.API_Hooking

IAT Hooking:
• Overwrite Import Address Table entries.
• To overwrite IAT entries, one must be in the same address space as the process.

Inline Hooking:
• Overwrite the first part of a function to jump to another function.
• To overwrite a function's code, one must likewise be in the same address space as the process.


Page 6

rootkits.API_Hooking.IAT

Definition – IAT:
• The Import Address Table is a list of function pointers.
• IAT function pointers are set when the Windows loader loads a program.
• A function pointer points to the address of a function contained in a .dll loaded into the address space of the process.


Page 7

rootkits.Userland_API_Hooking.Inline

Definition – Inline Hooking:
• Inline hooking consists of modifying a function in memory in order to change the flow of execution.
• The first handful of bytes of a function are replaced with a statement which tells the IP (instruction pointer) to execute code somewhere else in memory.


Page 8

rootkits.Userland_API_Hooking.Injection[0]

• Each process has its own view of memory (virtual memory).
• Process A’s memory is protected from modification by process B.
• How does one perform IAT or inline hooking if A’s memory is completely inaccessible?
• … wait for it… It’s not!

Page 9

rootkits.Userland_API_Hooking.Injection[1]

Ways to Inject:
• Modify the DLL imports of an executable image (LordPE and similar).
• Use the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (User32.dll loads the DLLs listed in this key).
• Using SetWindowsHookEx()
• Using CreateRemoteThread()


Page 10

rootkits.Userland_API_Hooking.Detection

IAT Hooking:
• Look in the IAT for function addresses that fall outside the address range of the DLL they are imported from.

Inline Hooking:
• Check the first few bytes of a function for a jump.


Page 11

rootkits.Resources

• Hacker Defender rootkit defeating common rootkit detectors – http://hxdef.org/download/brilliant.php
• Rootkit technology development – http://www.rootkit.com
• Rootkit detection:
  • Strider – http://research.microsoft.com/rootkit
  • BlackLight – http://www.f-secure.com/blacklight
  • RootkitRevealer – http://www.sysinternals.com/Utilities/RootkitRevealer.html
  • Sophos Anti-Rootkit – http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html


Page 12

rootkits.References

• Hoglund, Greg and James Butler. Rootkits: Subverting the Windows Kernel. Stoughton, MA: Addison-Wesley, 2006.
• Portable Executable format – http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
