The Rootkit Primer - Below Gotham Labs

Recommendations

Info

General Modification Tactics Ultimately, memory is populated by either code or data Modify Data Call Tables Kernel Objects Modify Existing Code In-Place Patching Detour Patching Introduce New Code Filter Drivers Hypervisors DLL & Thread Injection COM & BHO Objects © Below Gotham Labs, 2009 .reloc (relocation records) .idata (import section) .rsrc (module resources) .data (global/static data) .text (default code) Rootkits often employ a combination of tactics (e.g. bootkits) 12
Call Tables Call Table ~ array of function pointers Address_00 Address_01 Address_02 Address_03 Address_04 Address_05 Address_06 Address_07 © Below Gotham Labs, 2009 “Hooking” Algorithm* For each processor on the system Disable memory write protection Lock access to the call table Save the old function pointer Swap in the new function pointer Release the access lock Enable memory write protection *This algorithm is for Kernel-Mode call tables Hooking in User-Mode is less involved 13
Page 1 and 2: The Rootkit Primer Fear and Loathin
Page 3 and 4: What is a Rootkit? Here’s how the
Page 5 and 6: Design Goal != Implementation Don
Page 7 and 8: Exploit-Based Deployment Method #1
Page 9 and 10: How Do Rootkits Execute? The IA-32
Page 11: Kernel-Mode Modification User-Mode
Page 15 and 16: Kernel Objects The Windows OS is
Page 17 and 18: BOOL flag; if(flag) { //do somethin
Page 19 and 20: Filter Drivers Filter drivers are i
Page 21 and 22: Hypervisors Rootkit (i.e. hyperviso
Page 23 and 24: COM Objects Component Object Model
Page 25 and 26: Technique Countermeasures As in Gon
Page 27 and 28: Do We Need to Hide? Traditional roo
Page 29 and 30: Forensic Analysis © Below Gotham L
Page 31 and 32: Storage Media Analysis Forensic Dup
Page 33 and 34: Anti-Forensics Traditional rootkits
Page 35 and 36: Surviving Reboot To persist or not
Page 37 and 38: The Four Evil Masters Media Analysi
Page 39 and 40: Persist by Infection 0-Day Exploit
Page 41 and 42: Who’s Building & Using Rootkits?
Page 43 and 44: Crooks The Crooks Notable Features
Page 45 and 46: Suits The Suits Notable Features Ha
Page 47 and 48: Case Study : Vodafone Greece* Where
Page 49 and 50: See How Bad It Is? Moral of the Sto
Page 51 and 52: Remember This? © Below Gotham Labs
Page 53 and 54: For More Information 850 pages, Wor

The Rootkit Primer - Below Gotham Labs

Create successful ePaper yourself

Delete template?

Save as template?