The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition

by Bill Blunden
Released March 2012
Publisher(s): Jones & Bartlett Learning
ISBN: 9781449626372

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description


While forensic analysis has proven to be a valuable investigative tool in the field of computer security, utilizing anti-forensic technology makes it possible to maintain a covert operational foothold for extended periods, even in a high-security environment. Adopting an approach that favors full disclosure, the updated Second Edition of The Rootkit Arsenal presents the most accessible, timely, and complete coverage of forensic countermeasures. This book covers more topics, in greater depth, than any other currently available. In doing so the author forges through the murky back alleys of the Internet, shedding light on material that has traditionally been poorly documented, partially documented, or intentionally undocumented.

The range of topics presented includes how to:
-Evade post-mortem analysis
-Frustrate attempts to reverse engineer your command & control modules
-Defeat live incident response
-Undermine the process of memory analysis
-Modify subsystem internals to feed misinformation to the outside
-Entrench your code in fortified regions of execution
-Design and implement covert channels
-Unearth new avenues of attack

Table of contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Preface
  6. Part I: Foundations
    1. Chapter 1 Empty Cup Mind
      1. 1.1 An Uninvited Guest
      2. 1.2 Distilling a More Precise Definition
        1. The Attack Cycle
        2. The Role of Rootkits in the Attack Cycle
        3. Single-Stage Versus Multistage Droppers
        4. Other Means of Deployment
        5. A Truly Pedantic Definition
        6. Don’t Confuse Design Goals with Implementation
        7. Rootkit Technology as a Force Multiplier
        8. The Kim Philby Metaphor: Subversion Versus Destruction
        9. Why Use Stealth Technology? Aren’t Rootkits Detectable?
      3. 1.3 Rootkits != Malware
        1. Infectious Agents
        2. Adware and Spyware
        3. Rise of the Botnets
        4. Enter: Conficker
        5. Malware Versus Rootkits
      4. 1.4 Who Is Building and Using Rootkits?
        1. Marketing
        2. Digital Rights Management
        3. It’s Not a Rootkit, It’s a Feature
        4. Law Enforcement
        5. Industrial Espionage
        6. Political Espionage
        7. Cybercrime
        8. Who Builds State-of-the-Art Rootkits?
        9. The Moral Nature of a Rootkit
      5. 1.5 Tales from the Crypt: Battlefield Triage
      6. 1.6 Conclusions
    2. Chapter 2 Overview of Anti-Forensics
      1. Everyone Has a Budget: Buy Time
      2. 2.1 Incident Response
        1. Intrusion Detection System (and Intrusion Prevention System)
        2. Odd Behavior
        3. Something Breaks
      3. 2.2 Computer Forensics
        1. Aren’t Rootkits Supposed to Be Stealthy? Why AF?
        2. Assuming the Worst-Case Scenario
        3. Classifying Forensic Techniques: First Method
        4. Classifying Forensic Techniques: Second Method
        5. Live Response
        6. When Powering Down Isn’t an Option
        7. The Debate over Pulling the Plug
        8. To Crash Dump or Not to Crash Dump
        9. Postmortem Analysis
        10. Non-Local Data
      4. 2.3 AF Strategies
        1. Data Destruction
        2. Data Concealment
        3. Data Transformation
        4. Data Fabrication
        5. Data Source Elimination
      5. 2.4 General Advice for AF Techniques
        1. Use Custom Tools
        2. Low and Slow Versus Scorched Earth
        3. Shun Instance-Specific Attacks
        4. Use a Layered Defense
      6. 2.5 John Doe Has the Upper Hand
        1. Attackers Can Focus on Attacking
        2. Defenders Face Institutional Challenges
        3. Security Is a Process (and a Boring One at That)
        4. Ever-Increasing Complexity
      7. 2.6 Conclusions
    3. Chapter 3 Hardware Briefing
      1. 3.1 Physical Memory
      2. 3.2 IA-32 Memory Models
        1. Flat Memory Model
        2. Segmented Memory Model
        3. Modes of Operation
      3. 3.3 Real Mode
        1. Case Study: MS-DOS
        2. Isn’t This a Waste of Time? Why Study Real Mode?
        3. The Real-Mode Execution Environment
        4. Real-Mode Interrupts
        5. Segmentation and Program Control
        6. Case Study: Dumping the IVT
        7. Case Study: Logging Keystrokes with a TSR
        8. Case Study: Hiding the TSR
        9. Case Study: Patching the TREE.COM Command
        10. Synopsis
      4. 3.4 Protected Mode
        1. The Protected-Mode Execution Environment
        2. Protected-Mode Segmentation
        3. Protected-Mode Paging
        4. Paging with Address Extension
        5. A Closer Look at the Tables
        6. A Closer Look at the Control Registers
      5. 3.5 Implementing Memory Protection
        1. Protection Through Segmentation
        2. Limit Checks
        3. Type Checks
        4. Privilege Checks
        5. Restricted Instruction Checks
        6. Gate Descriptors
        7. The Protected-Mode Interrupt Table
        8. Protection Through Paging
        9. Summary
    4. Chapter 4 System Briefing
      1. 4.1 Physical Memory under Windows
        1. Land of the Lost (Memory)
        2. How Windows Uses Physical Address Extension
        3. Pages, Page Frames, and Page Frame Numbers
      2. 4.2 Segmentation and Paging under Windows
        1. Segmentation
        2. Paging
        3. Linear to Physical Address Translation
        4. A Quicker Approach
        5. Comments on EPROCESS and KPROCESS
      3. 4.3 User Space and Kernel Space
        1. 4-Gigabyte Tuning (4GT)
        2. To Each His Own
        3. Jumping the Fence
        4. User-Space Topography
        5. Kernel-Space Dynamic Allocation
        6. Address Windowing Extension
        7. PAE Versus 4GT Versus AWE
      4. 4.4 User Mode and Kernel Mode
        1. How Versus Where
        2. Kernel-Mode Components
        3. User-Mode Components
      5. 4.5 Other Memory Protection Features
        1. Data Execution Prevention
        2. Address Space Layout Randomization
        3. /GS Compiler Option
        4. /SAFESEH Linker Option
      6. 4.6 The Native API
        1. The IVT Grows Up
        2. A Closer Look at the IDT
        3. System Calls via Interrupt
        4. The SYSENTER Instruction
        5. The System Service Dispatch Tables
        6. Enumerating the Native API
        7. Nt*() Versus Zw*() System Calls
        8. The Life Cycle of a System Call
        9. Other Kernel-Mode Routines
        10. Kernel-Mode API Documentation
      7. 4.7 The BOOT Process
        1. Startup for BIOS Firmware
        2. Startup for EFI Firmware
        3. The Windows Boot Manager
        4. The Windows Boot Loader
        5. Initializing the Executive
        6. The Session Manager
        7. Wininit.exe
        8. Winlogon.exe
        9. Boot Process Recap
      8. 4.8 Design Decisions
        1. Hiding in a Crowd: Type 0
        2. Active Concealment: Type I and Type II
        3. Jumping Out of Bounds: Type III
        4. The Road Ahead
    5. Chapter 5 Tools of the Trade
      1. 5.1 Development Tools
        1. Diagnostic Tools
        2. Disk-Imaging Tools
        3. For Faster Relief: Virtual Machines
        4. Tool Roundup
      2. 5.2 Debuggers
        1. Configuring CDB.exe
        2. Symbol Files
        3. Windows Symbols
        4. Invoking CDB.exe
        5. Controlling CDB.exe
        6. Useful Debugger Commands
        7. Examine Symbols Command (x)
        8. List Loaded Modules (lm and !lmi)
        9. Display Type Command (dt)
        10. Unassemble Command (u)
        11. Display Commands (d*)
        12. Registers Command (r)
      3. 5.3 The KD.exe Kernel Debugger
        1. Different Ways to Use a Kernel Debugger
        2. Physical Host–Target Configuration
        3. Preparing the Hardware
        4. Preparing the Software
        5. Launching a Kernel–Debugging Session
        6. Controlling the Target
        7. Virtual Host-Target Configuration
        8. Useful Kernel-Mode Debugger Commands
        9. List Loaded Modules Command (lm)
        10. !process
        11. Registers Command (r)
        12. Working with Crash Dumps
        13. Method No. 1: PS/2 Keyboard Trick
        14. Method No. 2: KD.exe Command
        15. Method No. 3: NotMyFault.exe
        16. Crash Dump Analysis
    6. Chapter 6 Life in Kernel Space
      1. 6.1 A KMD Template
        1. Kernel-Mode Drivers: The Big Picture
        2. WDK Frameworks
        3. A Truly Minimal KMD
        4. Handling IRPs
        5. Communicating with User-Mode Code
        6. Sending Commands from User Mode
      2. 6.2 Loading a KMD
      3. 6.3 The Service Control Manager
        1. Using sc.exe at the Command Line
        2. Using the SCM Programmatically
        3. Registry Footprint
      4. 6.4 Using an Export Driver
      5. 6.5 Leveraging an Exploit in the Kernel
      6. 6.6 Windows Kernel-Mode Security
        1. Kernel-Mode Code Signing (KMCS)
        2. KMCS Countermeasures
        3. Kernel Patch Protection (KPP)
        4. KPP Countermeasures
      7. 6.7 Synchronization
        1. Interrupt Request Levels
        2. Deferred Procedure Calls
        3. Implementation
      8. 6.8 Conclusions
  7. Part II: Postmortem
    1. Chapter 7 Defeating Disk Analysis
      1. 7.1 Postmortem Investigation: An Overview
      2. 7.2 Forensic Duplication
        1. Countermeasures: Reserved Disk Regions
      3. 7.3 Volume Analysis
        1. Storage Volumes under Windows
        2. Manual Volume Analysis
        3. Countermeasures: Partition Table Destruction
        4. Raw Disk Access under Windows
        5. Raw Disk Access: Exceptions to the Rule
      4. 7.4 File System Analysis
        1. Recovering Deleted Files
        2. Recovering Deleted Files: Countermeasures
        3. Enumerating ADSs
        4. Enumerating ADSs: Countermeasures
        5. Recovering File System Objects
        6. Recovering File System Objects: Countermeasures
        7. Out-of-Band Concealment
        8. In-Band Concealment
        9. Enter: FragFS
        10. Application-Level Concealment
        11. Acquiring Metadata
        12. Acquiring Metadata: Countermeasures
        13. Altering Time Stamps
        14. Altering Checksums
        15. Identifying Known Files
        16. Cross-Time Versus Cross-View Diffs
        17. Identifying Known Files: Countermeasures
      5. 7.5 File Signature Analysis
        1. File Signature Analysis: Countermeasures
      6. 7.6 Conclusions
    2. Chapter 8 Defeating Executable Analysis
      1. 8.1 Static Analysis
        1. Scan for Related Artifacts
        2. Verify Digital Signatures
        3. Dump String Data
        4. Inspect File Headers
        5. Disassembly and Decompilation
      2. 8.2 Subverting Static Analysis
        1. Data Transformation: Armoring
        2. Armoring: Cryptors
        3. Key Management
        4. Armoring: Packers
        5. Armoring: Metamorphic Code
        6. The Need for Custom Tools
        7. The Argument Against Armoring
        8. Data Fabrication
        9. False-Flag Attacks
        10. Data Source Elimination: Multistage Loaders
        11. Defense In-depth
      3. 8.3 Runtime Analysis
        1. The Working Environment
        2. Manual Versus Automated Runtime Analysis
        3. Manual Analysis: Basic Outline
        4. Manual Analysis: Tracing
        5. Manual Analysis: Memory Dumping
        6. Manual Analysis: Capturing Network Activity
        7. Automated Analysis
        8. Composition Analysis at Runtime
      4. 8.4 Subverting Runtime Analysis
        1. Tracing Countermeasures
        2. API Tracing: Evading Detour Patches
        3. API Tracing: Multistage Loaders
        4. Instruction-Level Tracing: Attacking the Debugger
        5. Break Points
        6. Detecting a User-Mode Debugger
        7. Detecting a Kernel-Mode Debugger
        8. Detecting a User-Mode or a Kernel-Mode Debugger
        9. Detecting Debuggers via Code Checksums
        10. The Argument Against Anti-Debugger Techniques
        11. Instruction-Level Tracing: Obfuscation
        12. Obfuscating Application Data
        13. Obfuscating Application Code
        14. Hindering Automation
        15. Countering Runtime Composition Analysis
      5. 8.5 Conclusions
  8. Part III: Live Response
    1. Chapter 9 Defeating Live Response
      1. Autonomy: The Coin of the Realm
      2. Learning the Hard Way: DDefy
      3. The Vendors Wise Up: Memoryze
      4. 9.1 Live Incident Response: The Basic Process
      5. 9.2 User-Mode Loaders (UMLs)
        1. UMLs That Subvert the Existing APIs
        2. The Argument Against Loader API Mods
        3. The Windows PE File Format at 10,000 Feet
        4. Relative Virtual Addresses
        5. PE File Headers
        6. The Import Data Section (.idata)
        7. The Base Relocation Section (.reloc)
        8. Implementing a Stand-Alone UML
      6. 9.3 Minimizing Loader Footprint
        1. Data Contraception: Ode to The Grugq
        2. The Next Step: Loading via Exploit
      7. 9.4 The Argument Against Stand-Alone PE Loaders
    2. Chapter 10 Building Shellcode in C
      1. Why Shellcode Rootkits?
      2. Does Size Matter?
      3. 10.1 User-Mode Shellcode
        1. Visual Studio Project Settings
        2. Using Relative Addresses
        3. Finding Kernel32.dll: Journey into the TEB and PEB
        4. Augmenting the Address Table
        5. Parsing the kernel32.dll Export Table
        6. Extracting the Shellcode
        7. The Danger Room
        8. Build Automation
      4. 10.2 Kernel-Mode Shellcode
        1. Project Settings: $(NTMAKEENV)\makefile.new
        2. Project Settings: SOURCES
        3. Address Resolution
        4. Loading Kernel-Mode Shellcode
      5. 10.3 Special Weapons and Tactics
      6. 10.4 Looking Ahead
    3. Chapter 11 Modifying Call Tables
      1. 11.1 Hooking in User Space: The IAT
        1. DLL Basics
        2. Accessing Exported Routines
        3. Injecting a DLL
        4. Walking an IAT from a PE File on Disk
        5. Hooking the IAT
      2. 11.2 Call Tables in Kernel Space
      3. 11.3 Hooking the IDT
        1. Handling Multiple Processors: Solution #1
        2. Naked Routines
        3. Issues with Hooking the IDT
      4. 11.4 Hooking Processor MSRs
        1. Handling Multiple Processors: Solution #2
      5. 11.5 Hooking the SSDT
        1. Disabling the WP Bit: Technique #1
        2. Disabling the WP Bit: Technique #2
        3. Hooking SSDT Entries
        4. SSDT Example: Tracing System Calls
        5. SSDT Example: Hiding a Process
        6. SSDT Example: Hiding a Network Connection
      6. 11.6 Hooking IRP Handlers
      7. 11.7 Hooking the GDT: Installing a Call Gate
        1. Ode to Dreg
      8. 11.8 Hooking Countermeasures
        1. Checking for Kernel-Mode Hooks
        2. Checking IA32_SYSENTER_EIP
        3. Checking INT 0x2E
        4. Checking the SSDT
        5. Checking IRP Handlers
        6. Checking for User-Mode Hooks
        7. Parsing the PEB: Part I
        8. Parsing the PEB: Part II
      9. 11.9 Counter-Countermeasures
        1. Assuming the Worst Case
        2. Worst-Case Countermeasure #1
        3. Worst-Case Countermeasure #2
    4. Chapter 12 Modifying Code
      1. Types of Patching
      2. In-Place Patching
      3. Detour Patching
      4. Prologue and Epilogue Detours
      5. Detour Jumps
      6. 12.1 Tracing Calls
        1. Detour Implementation
        2. Acquire the Address of the NtSetValueKey()
        3. Initialize the Patch Metadata Structure
        4. Verify the Original Machine Code Against a Known Signature
        5. Save the Original Prologue and Epilogue Code
        6. Update the Patch Metadata Structure
        7. Lock Access and Disable Write-Protection
        8. Inject the Detours
        9. The Prologue Detour
        10. The Epilogue Detour
        11. Postgame Wrap-Up
      7. 12.2 Subverting Group Policy
        1. Detour Implementation
        2. Initializing the Patch Metadata Structure
        3. The Epilogue Detour
        4. Mapping Registry Values to Group Policies
      8. 12.3 Bypassing Kernel-Mode API Loggers
        1. Fail-Safe Evasion
        2. Kicking It Up a Notch
      9. 12.4 Instruction Patching Countermeasures
    5. Chapter 13 Modifying Kernel Objects
      1. 13.1 The Cost of Invisibility
        1. Issue #1: The Steep Learning Curve
        2. Issue #2: Concurrency
        3. Issue #3: Portability and Pointer Arithmetic
        4. Branding the Technique: DKOM
        5. Objects?
      2. 13.2 Revisiting the EPROCESS Object
        1. Acquiring an EPROCESS Pointer
        2. Relevant Fields in EPROCESS
        3. UniqueProcessId
        4. ActiveProcessLinks
        5. Token
        6. ImageFileName
      3. 13.3 The DRIVER_SECTION Object
      4. 13.4 The Token Object
        1. Authorization on Windows
        2. Locating the Token Object
        3. Relevant Fields in the Token Object
      5. 13.5 Hiding a Process
      6. 13.6 Hiding a Driver
      7. 13.7 Manipulating the Access Token
      8. 13.8 Using No-FU
      9. 13.9 Kernel-Mode Callbacks
      10. 13.10 Countermeasures
        1. Cross-View Detection
        2. High-Level Enumeration: CreateToolhelp32Snapshot()
        3. High-Level Enumeration: PID Bruteforce
        4. Low-Level Enumeration: Processes
        5. Low-Level Enumeration: Threads
        6. Related Software
        7. Field Checksums
      11. 13.11 Counter-Countermeasures
        1. The Best Defense: Starve the Opposition
        2. Commentary: Transcending the Two-Ring Model
        3. The Last Line of Defense
    6. Chapter 14 Covert Channels
      1. 14.1 Common Malware Channels
        1. Internet Relay Chat
        2. Peer-to-Peer Communication
        3. HTTP
      2. 14.2 Worst-Case Scenario: Full Content Data Capture
        1. Protocol Tunneling
        2. DNS
        3. ICMP
        4. Peripheral Issues
      3. 14.3 The Windows TCP/IP Stack
        1. Windows Sockets 2
        2. Raw Sockets
        3. Winsock Kernel API
        4. NDIS
        5. Different Tools for Different Jobs
      4. 14.4 DNS Tunneling
        1. DNS Query
        2. DNS Response
      5. 14.5 DNS Tunneling: User Mode
      6. 14.6 DNS Tunneling: WSK Implementation
        1. Initialize the Application’s Context
        2. Create a Kernel-Mode Socket
        3. Determine a Local Transport Address
        4. Bind the Socket to the Transport Address
        5. Set the Remote Address (the C2 Client)
        6. Send the DNS Query
        7. Receive the DNS Response
      7. 14.7 NDIS Protocol Drivers
        1. Building and Running the NDISProt 6.0 Example
        2. An Outline of the Client Code
        3. An Outline of the Driver Code
        4. The Protocol*() Routines
        5. Missing Features
      8. 14.8 Passive Covert Channels
    7. Chapter 15 Going Out-of-Band
      1. Ways to Jump Out-of-Band
      2. 15.1 Additional Processor Modes
        1. System Management Mode
        2. Rogue Hypervisors
        3. White Hat Countermeasures
        4. Rogue Hypervisors Versus SMM Rootkits
      3. 15.2 Firmware
        1. Mobo BIOS
        2. ACPI Components
        3. Expansion ROM
        4. UEFI Firmware
      4. 15.3 Lights-Out Management Facilities
      5. 15.4 Less Obvious Alternatives
        1. Onboard Flash Storage
        2. Circuit-Level Tomfoolery
      6. 15.5 Conclusions
  9. Part IV: Summation
    1. Chapter 16 The Tao of Rootkits
      1. The Dancing Wu Li Masters
      2. When a Postmortem Isn’t Enough
      3. The Battlefield Shifts Again
      4. 16.1 Core Stratagems
        1. Respect Your Opponent
        2. Five Point Palm Exploding Heart Technique
        3. Resist the Urge to Smash and Grab
        4. Study Your Target
      5. 16.2 Identifying Hidden Doors
        1. On Dealing with Proprietary Systems
        2. Staking Out the Kernel
        3. Kingpin: Hardware Is the New Software
        4. Leverage Existing Research
      6. 16.3 Architectural Precepts
        1. Load First, Load Deep
        2. Strive for Autonomy
        3. Butler Lampson: Separate Mechanism from Policy
      7. 16.4 Engineering a Rootkit
        1. Stealth Versus Development Effort
        2. Use Custom Tools
        3. Stability Counts: Invest in Best Practices
        4. Gradual Enhancement
        5. Failover: The Self-Healing Rootkit
      8. 16.5 Dealing with an Infestation
  10. Index
  11. Photo Credits

Product information

  • Title: The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition
  • Author(s): Bill Blunden
  • Release date: March 2012
  • Publisher(s): Jones & Bartlett Learning
  • ISBN: 9781449626372