티스토리 뷰
Defeating Kernel Native API Hookers by Direct Service Dispatch Table Restoration (by SIG^2)
NineKY 2008. 4. 12. 14:03따라가려면 한 몇달은 더 공부해야겠다.
Introduction
Win32 Kernel Rootkits modify the behaviour of the system by Kernel Native API hooking. This technique is typically implemented by modifying the ServiceTable entries in the Service Descriptor Table (SDT). Such modification ensures that a replacement (hook) function installed by a rootkit is called prior to the original native API. The replacement function usually calls the original native API and modifies the output before returning the results to the user-space program. This technique allows kernel rootkits to hide files, processes, and to prevent process termination.
This proof-of-concept tool demonstrates the possibility of defeating such rootkits by removing Kernel Native APIs hooks and restoring the ServiceTable entries back to their original state.
Kernel Native API Hooking by System Service Dispatch Table Modification
In Windows, user-space applications request for system services by calling the APIs exported by the various DLLs. For example, to write data to an open file, pipe or device, the WriteFile API that is exported by kernel32.dll is usually used. Within kernel32.dll, the implementation of WriteFile API in turn calls the ZwWriteFile native API that is exported by ntdll.dll. The work done by ZwWriteFile is actually performed in kernel-space. Hence, the implementation of ZwWriteFile in ntdll.dll contains only minimal code to transit into kernel-space using interrupt 0x2E. The disassembly of ZwWriteFile is shown below.
1- MOV EAX, 0ED 2- LEA EDX, DWORD PTR SS:[ESP+4] 3- INT 2E 4- RETN 24The magic number 0ED in line 1 is the Service Number for ZwWriteFile. It will be used to offset into the ServiceTable (System Service Dispatch Table) in kernel-space to locate the address of the function that implements the writefile service. The address of the ServiceTable can be found within the Service Descriptor Table (SDT). The Service Descriptor Table can be referenced using the exported KeServiceDescriptorTable symbol. This is a structure with the following definition.
typedef struct ServiceDescriptorTable { SDE ServiceDescriptor[4]; } SDT; typedef struct ServiceDescriptorEntry { PDWORD ServiceTable; PDWORD CounterTableBase; DWORD ServiceLimit; PBYTE ArgumentTable; } SDE;
The first member of the structure, SDT.ServiceDescriptor[0].ServiceTable, is an array of function pointers to the service functions. The DWORD value at ServiceTable[0xED] is a function pointer to NtWriteFile, which contains the actual code to write to files, pipes or devices. Hence, to modify the behaviour of the user-space WriteFile API, one simply needs to write a replacement function, load it into kernel space as a driver, and modify ServiceTable[0xED] to point to the replacement function. The replacement function needs to keep the original function pointer (original value of ServiceTable[0xED]) so that it can be called to perform the original defined function.
Example One - Process Hiding by Hooking ZwQuerySystemInformation
User-space programs can use the ToolHelp APIs to obtain a list of all running processes. The ToolHelp APIs in turn calls the ZwQuerySystemInformation native API exported by ntdll.dll to obtain the list. To hide processes, a kernel-space rootkit, which is loaded as a driver, can modify the function pointer at ServiceTable[0x97] (ZwQuerySystemInformation) to redirect the call to a replacement function. The replacement function first calls the original ZwQuerySystemInformation API to obtain an array containing information of all running process. The returned array is then modified to remove the entry containing the process to be hidden. Finally, the modified result is returned to the user-space program. This effectively prevents the user-space program from "seeing" the hidden process.
Example Two - Driver/Module Hiding by Hooking ZwQuerySystemInformation
User-space programs can obtain a list of all loaded drivers using the ZwQuerySystemInformation native API, specifying SystemModuleInformation as its first parameter. As mentioned earlier, ZwQuerySystemInformation is exported by ntdll.dll and can be called directly by user-space programs. In kernel-space, the ZwQuerySystemInformation native API obtains the list of loaded drivers by traversing the PsLoadedModuleList. A kernel-space rootkit can manipulate the results returned by ZwQuerySystemInformation by modifying ServiceTable[0x97] (ZwQuerySystemInformation) to point to a replacement fnuction. The replacement function will first call the original ZwQuerySystemInformation to get an array of all loaded drivers. The driver to be hidden (i.e. the rootkit) is then removed from the array. This manipulated array is returned to the user-space program.
SDT Restoring Technique Used by POC Code
This POC code restores the values of the ServiceTable entries by writing directly to \device\physicalmemory. Hence, it works entirely in user-space and do not need to load a driver. The following steps describe how the code works.
- Use NtOpenSection to get a handle to \device\physicalmemory with SECTION_MAP_READ | SECTION_MAP_WRITE access. If this fails, modify the DACL of \device\physicalmemory by adding SECTION_MAP_WRITE access permission to the current user. Try to open \device\physicalmemory again.
- Load ntoskrnl.exe into memory with proper alignment and locate the address of KeServiceDescriptorTable from the export table of ntoskrnl.exe
- Use NtMapViewOfSection to map in the physical memory page at the address of KeServiceDescriptorTable.
- Get the address of KeServiceDescriptorTable.ServiceDescriptor[0].ServiceTable from the page.
- Use NtMapViewOfSection to map in the physical memory page containing the running kernel's SerivceTable. This address is available at KeServiceDescriptorTable.ServiceDescriptor[0].ServiceTable.
- Use the address of KeServiceDescriptorTable.ServiceDescriptor[0].ServiceTable to offset into the loaded ntoskrnl.exe
- Loop through all entries in KeServiceDescriptorTable.ServiceDescriptor[0].ServiceTable, comparing the copy in the kernel memory with the copy in the loaded ntoskrnl.exe. Restore to kernel memory (i.e. into the mapped page) any discrepancies that are detected. This code works based on the fact that a complete original copy of the ServiceTable exists in ntoskrnl.exe.
Screen Dump
C:\>sdtrestore
SDTrestore Version 0.1 Proof-of-Concept by SIG^2 G-TEC (www.security.org.sg)
KeServiceDescriptorTable 8046DFA0
KeServiceDecriptorTable.ServiceTable 804742B8
KeServiceDescriptorTable.ServiceLimit 248
ZwAllocateVirtualMemory 10 --[hooked by unknown at F754CE74]--
ZwCreateFile 20 --[hooked by unknown at F754CA85]--
ZwCreateKey 23 --[hooked by unknown at F754CC5E]--
ZwCreateProcess 29 --[hooked by unknown at F754CDB7]--
ZwDeleteFile 34 --[hooked by unknown at F754C80C]--
ZwGetTickCount 4C --[hooked by unknown at F754CE27]--
ZwLoadDriver 55 --[hooked by unknown at F754CBF2]--
ZwQueryDirectoryFile 7D --[hooked by unknown at F754C6E8]--
ZwQuerySystemInformation 97 --[hooked by unknown at F754C623]--
ZwSetInformationFile C2 --[hooked by unknown at F754C8A8]--
Number of Service Table entries hooked = 10
WARNING: THIS IS EXPERIMENTAL CODE. FIXING THE SDT MAY HAVE GRAVE
CONSEQUENCES, SUCH AS SYSTEM CRASH, DATA LOSS OR SYSTEM CORRUPTION.
PROCEED AT YOUR OWN RISK. YOU HAVE BEEN WARNED.
Fix SDT Entries (Y/N)? : y
[+] Patched SDT entry 10 to 804A257F
[+] Patched SDT entry 20 to 80497EF9
[+] Patched SDT entry 23 to 804B2483
[+] Patched SDT entry 29 to 804A9212
[+] Patched SDT entry 34 to 804D0584
[+] Patched SDT entry 4C to 80463FF2
[+] Patched SDT entry 55 to 8052DC72
[+] Patched SDT entry 7D to 80498541
[+] Patched SDT entry 97 to 80493B5B
[+] Patched SDT entry C2 to 80498C08
Limitations
This version is tested only on English Win2K SP2 and SP4, WinXP SP0 and SP1.
THIS IS EXPERIMENTAL CODE. FIXING THE SDT MAY HAVE GRAVE CONSEQUENCES, SUCH AS SYSTEM CRASH, DATA LOSS OR SYSTEM CORRUPTION. IT IS RECOMMENDED THAT YOU USE THIS CODE ONLY ON A TEST SYSTEM. PROCEED AT YOUR OWN RISK.
Credits
- hoglund - original and first public NT ROOTKIT
- fuzen_op - FU Rootkit
- hf - Hacker Defender
- joanna - klister
- 90210//HI-TECH - phide
- 90210 - Thanks for the more stable way of finding the address of KiServiceTable.
Contacts
For further enquries or to submit malicious code for our analysis, email them to the following.
Overall-in-charge: Tan Chew Keong
'보안 > 분석' 카테고리의 다른 글
[Note] KeyBoard 메시지 전달 순서 (1) | 2008.05.29 |
---|---|
SSDT Recover에 대한 SIG^2 G-TEC Lab 코드 (0) | 2008.04.13 |
SDT Hooking 무력화에 대한 연구 (By Dual5651, dualpage.muz.ro) (0) | 2008.04.11 |
Using Files In A Driver [펌 MSDN] (0) | 2008.04.08 |
HOOK the ZwDeleteFile is Not Work -> How to?? [펌 www.rohitab.com] (1) | 2008.04.08 |
- Total
- Today
- Yesterday
- 지루박멸연구센타
- 열정의 힘을 믿는다
- Le4rN TO Cr4cK
- 디버깅에관한모든것(DebugLab)
- sysinternals
- FoundStone
- hashtab
- 보안-coderant
- 디바이스드라이버 개발자 포럼
- dualpage.muz.ro
- osronline.com - 드라이버 관련 정보 사이트
- NtInternals - NativeAPI Refere…
- pcthreat - spyware 정보 제공
- rootkit.com - 루트킷 관련 정보
- www.ntinternals.net
- WINE CrossRef. - source.winehq…
- tuts4you
- hex-rays
- idapalace
- idefense
- immunityinc
- threatexpert
- hdp.null2root.org
- www.crackstore.com
- crackmes.de
- www.who.is
- www.cracklab.ru
- community.reverse-engineering.…
- video.reverse-engineering.net
- SnD
- 클레이 키위
- reversengineering.wordpress.co…
- www.openrce.org
- www.woodmann.com
- PEID.Plusins.BobSoft
- roxik.com/pictaps/
- regexlib.com
- spyware-browser.com
- www.usboffice.kr
- regulator
- www.txt2re.com
- ietab.mozdev.org
- zesrever.xstone.org
- www.heaventools.com/PE-file-he…
- www.heaventools.com
- www.innomp3.com
- 울지않는벌새
- exetools.com-forum
- exetools.com
- utf8 conv
- robtex - IP trace
- onsamehost - same IP sites
- JpopSuki
- jsunpack.jeek.org
- wepawet.iseclab.org
- www.jswiff.com
- www.hackeroo.com
- winesearcher.co.kr
- khpga.org
- malwareurl.com
- anubis.iseclab.org
- www.crummy.com-eautifulSoup
- malwarebytes.org/forums
- bbs.janmeng.com
- blackip.ustc.edu.cn
- eureka.cyber-ta.org
- exploit-db.com
- 전세매매지수
- 다올저축은행
- ElasticSearch
- 주택구매력지수
- O365
- 시스템트래이딩
- 공공인프라
- ChatGPT
- PIR
- hai
- 실시간트래이딩
- logrotate
- 미국주식
- 군함도
- 맥쿼리인프라
- 레고랜드
- 신한저축은행
- 주식
- 사회간접자본
- 자동트래이딩
- 주식트래이딩
- CriticalSection
- Pivot
- ubuntu
- 매매가격지수
- 피봇
- INVOICE
- SBI저축은행
- ROA
- systemd
일 | 월 | 화 | 수 | 목 | 금 | 토 |
---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | |||
5 | 6 | 7 | 8 | 9 | 10 | 11 |
12 | 13 | 14 | 15 | 16 | 17 | 18 |
19 | 20 | 21 | 22 | 23 | 24 | 25 |
26 | 27 | 28 | 29 | 30 | 31 |