The Rootkit Primer - Below Gotham Labs

Recommendations

Info

Kernel Objects Object → Abstraction of a System Resource Operations are performed by the Object Manager subsystem Objects are implemented as C structures (blobs of related data) Examples: nt!_EPROCESS, nt!_DRIVER_OBJECT, nt!_TOKEN Can examine via a kernel debugger (cue the Star Wars music…) © Below Gotham Labs, 2009 16
BOOL flag; if(flag) { //do something } In-Place Patching © Below Gotham Labs, 2009 cmp DWORD PTR _flag, 0 je SHORT $LN2@routine ;do something $LN2@routine: Can alter code without diverting path of execution Replace je SHORT $LN2@routine (i.e. 0x74 0x24) With nop nop (i.e. 0x90 0x90) Code within the brackets is always executed! 17
Page 1 and 2: The Rootkit Primer Fear and Loathin
Page 3 and 4: What is a Rootkit? Here’s how the
Page 5 and 6: Design Goal != Implementation Don
Page 7 and 8: Exploit-Based Deployment Method #1
Page 9 and 10: How Do Rootkits Execute? The IA-32
Page 11 and 12: Kernel-Mode Modification User-Mode
Page 13 and 14: Call Tables Call Table ~ array of f
Page 15: Kernel Objects The Windows OS is
Page 19 and 20: Filter Drivers Filter drivers are i
Page 21 and 22: Hypervisors Rootkit (i.e. hyperviso
Page 23 and 24: COM Objects Component Object Model
Page 25 and 26: Technique Countermeasures As in Gon
Page 27 and 28: Do We Need to Hide? Traditional roo
Page 29 and 30: Forensic Analysis © Below Gotham L
Page 31 and 32: Storage Media Analysis Forensic Dup
Page 33 and 34: Anti-Forensics Traditional rootkits
Page 35 and 36: Surviving Reboot To persist or not
Page 37 and 38: The Four Evil Masters Media Analysi
Page 39 and 40: Persist by Infection 0-Day Exploit
Page 41 and 42: Who’s Building & Using Rootkits?
Page 43 and 44: Crooks The Crooks Notable Features
Page 45 and 46: Suits The Suits Notable Features Ha
Page 47 and 48: Case Study : Vodafone Greece* Where
Page 49 and 50: See How Bad It Is? Moral of the Sto
Page 51 and 52: Remember This? © Below Gotham Labs
Page 53 and 54: For More Information 850 pages, Wor

The Rootkit Primer - Below Gotham Labs

Create successful ePaper yourself

Delete template?

Save as template?