Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts

Driver Based Global Hooks (aka Rookits)

Started by tibbar , Feb 15 2005 03:12 PM

Next

Please log in to reply

15 replies to this topic

#1 tibbar

First Sergeant

Members
1,423 posts

Posted 15 February 2005 - 03:12 PM

A lot of people here are interested in rootkits, but very little is ever said of kernel based rootkits.

One of the best sources of rootkit information is rootkit.com, and I have taken their basic class written by hogland et al, and extended it slightly to form a simple starting point for GSO members.

Most people are unfamilar with kernel mode programming, there is little accessable information about it, and most sources will say read the DDK help file.

In the end, driver development is about learning how to use the kernel api and understanding how kernel and userland fit together. Many of the usual userland niceties are gone, e.g. the c runtime library cannot be used, and no userland api calls work. If you make a mistake in the kernel, you see a BSOD...

For development in the kernel, the best way to experiment is by using a VMware virtual machine, and debugging it via a virtual com port, using windbg ("windbag").

See this link: hxxp://silverstr.ufies.org/lotr0/windbg-vmware.html for details on setting this up.

You will need a copy of the DDK ("Driver development kit"). Get the latest version (windows server 2003) and install all the samples that come with it. Generally driver work is done without an IDE (i.e. notepad...), but it is possible to get visual studio working with DDK via custom build events. Personally, i prefer notepad.

Also get a copy of windbg from microsoft.com (free) and a copy of dbgview from www.ntinternals.com (this should be run whilst rootkit is being installed to monitor dbgprint commands).

Now for the interesting stuff...

Whenever you call a userland api (e.g. CreateProcessW), it will eventually call a kernel mode api (in this case CreateProcessW from kernel32.dll calls NtCreateProcess from ntdll.dll, which calls the kernel api ZwCreateProcess).

If you look at the disassembly of ntdll functions, you will see most a just a stub that calls a kernel function...let's look at NtCreateProcess for a second.

.text:7C90D754                 public NtCreateProcess
.text:7C90D754 NtCreateProcess proc near              ; CODE XREF: RtlCreateUserProcess+C1p
.text:7C90D754                 mov     eax, 2Fh       ; NtCreateProcess
.text:7C90D759                 mov     edx, 7FFE0300h
.text:7C90D75E                 call    dword ptr [edx]
.text:7C90D760                 retn    20h
.text:7C90D760 NtCreateProcess endp

All it has done is to load the value 0x2F into EAX and then it calls a function living at address 0x7FFE0300. If you look at this address you find it is a either an interrupt 2eh or a sysenter command (among some other commands to load function parameters into registers).

What this does, is to pass execution to a kernel function referenced by the position 0x2F in a kernel structure known as KeServiceDescriptorTable.

The KeServiceDescriptorTable is basically a big table of function pointers. So what this means is the true kernel function ZwCreateProcess lives at the address held in KeServiceDescriptorTable at position 0x2F.

This leads to the obvious idea that if we want to modify the behaviour of certain usermode api, we can modify the api that they rely on in the kernel, by putting a pointer to our own function in this table (aka kernel hooking).

The attached project shows this method in action. There are some slight complications. These function positions in KeServiceDescriptorTable change between versions of Windows. One solution to this, is to hard code the function position for the functions you wish to hook.

I found this to be a poor approach, since the rootkit would not survive a service pack upgrade.

Instead, I have written a function GetDllFunctionAddress which will extract the required function position from system dll's like ntdll.

This is not necessary for all function you wish to hook though. Some functions are exported by Ntoskrnl.exe, and you can get the position directly from this. However, my approach will work for all kernel api, so it probably is simpler to do it this way.

The key functions to study are DriverEntry and OnUnload. These expose the hooking methodology.

The main idea is shown in the following code:

RtlInitUnicodeString(&dllName, L"\\SystemRoot\\system32\\ntdll.dll");
	functionAddress = GetDllFunctionAddress(functionName, &dllName);
	position = *((WORD*)(functionAddress+1));

	g_OriginalZwCreateProcessEx = (ZWCREATEPROCESSEX)(KeServiceDescriptorTable.ServiceTableBase[position]);

	_asm
	{
  CLI   	 //dissable interrupt
  MOV	EAX, CR0  //move CR0 register into EAX
  AND EAX, NOT 10000H //disable WP bit 
  MOV	CR0, EAX  //write register back
	}

	(ZWCREATEPROCESSEX)(KeServiceDescriptorTable.ServiceTableBase[position]) = MyZwCreateProcessEx;
	_asm 
	{
  MOV	EAX, CR0  //move CR0 register into EAX
  OR	EAX, 10000H  //enable WP bit  
  MOV	CR0, EAX  //write register back  
  STI   	 //enable interrupt
	}

In the function MyZwCreateProcessEx you will provide the addtional functionality that is required - i.e. you perform additional operations (e.g. not allow the process to be created if it is called iexplorer.exe) and the call the original function if required (g_OriginalZwCreateProcessEx).

I also attach a Visual Studio 7 project which will install the rootkit driver via the service manager. Usage is simple, type rootkit.exe load to install it, and rootkit.exe unload to uninstall.

I hope that this will provide members with a starting point to explore the world of kernel development.

Attached Files

global_kernel_hooks__rootkit_.zip 8.39K 181 downloads
Rootkit_Installer.zip 10.54K 165 downloads

If you want to read more about my security research, visit Tibbar.org

Back to top

#2 ch0pper

Private First Class

Members
65 posts

Posted 16 February 2005 - 01:56 AM

look very good m8

give me a email sumtime

you may want to check out
AttoCode project
http://hxdef.czweb.org/

sum new hook modules
there that we are working on
for the new hacker defender

ch0pper

hacker defender team

Back to top

#3 DumpZ

Staff Sergeant

Members
356 posts

Posted 30 March 2005 - 02:40 AM

look intressting lets have a look thanks

Back to top

#4 Guest_DiabloPatch_*

Guests

Posted 07 January 2006 - 02:17 PM

hmm thank a lot for this.

will probably get some confusions out of my way.

Back to top

#5 Guest_DiabloPatch_*

Guests

Posted 07 January 2006 - 06:23 PM

and the lil fix for tibbar his mention about the unmapping

just put this line: ZwUnmapViewOfSection(NtCurrentProcess(),&BaseAddress);

in front of both his ZwClose(&hSection);

code snippet:

if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
		{
			ZwUnmapViewOfSection(NtCurrentProcess(),&BaseAddress); //lil bug fix
			ZwClose(hSection);
			return functionAddress;
		}
	}

	ZwUnmapViewOfSection(NtCurrentProcess(),&BaseAddress); //lil bug fix
	ZwClose(hSection);
	return 0;

Back to top

#6 matiano

Private First Class

Members
59 posts

Posted 07 January 2006 - 06:37 PM

Good introduction tibbar !
You have me motivated to begin with kernel stuff coding

Back to top

#7 Guest_DiabloPatch_*

Guests

Posted 07 January 2006 - 07:05 PM

bleh stupid mistake

it's ZwUnmapViewOfSection(NtCurrentProcess(),&BaseAddress);

note the &

Just made this reply so in case any peep already started to wonder why he suddenly gets BSOD

Back to top

#8 MrWicked

Private

Members
1 posts

Posted 26 October 2007 - 10:07 AM

Hmmm interesting id like to download this and experiment but it isent allowing me to downlad :huh:

Back to top

#9 Ryan M

First Sergeant

Second Lieutenant
1,740 posts

Posted 26 October 2007 - 11:43 AM

Trial members can not download, read the rules.

There is no security on this earth. Only opportunity.
-Douglas MacArthur
GSO Compiled Exploit Database
----------------------------------------
[b]Mod at GovernmentSecurity

Back to top

#10 Jeremy

Commander in Chief

GSO Management
2,459 posts

Posted 26 October 2007 - 12:18 PM

Hmmm interesting id like to download this and experiment but it isent allowing me to downlad

Thanks for bumping an old topic for no reason!

Back to top

#11 buzzons

Retired GSO Second Lieutenant

Sergeant Major
1,818 posts

Posted 26 October 2007 - 03:06 PM

more bumps are good!

Back to top

#12 Guest_DiabloHorn_*

Guests

Posted 26 October 2007 - 03:16 PM

according to the rules, bumping up a old thread is not forbidden.

that a thread is old for you doesn't mean it's old for everyone.

Back to top

#13 Jeremy

Commander in Chief

GSO Management
2,459 posts

Posted 26 October 2007 - 03:22 PM

5. Searching before you post as to prevent duplicate threads.

I say his "bump" was a post that he could have easily searched the forum for an answer to. And bumping isnt itself against the rules, but useless posts are, and useless posts on old topics is double the annoyance.