Slide 1: The Attack and Defense of Computers (電腦攻擊與防禦)
Dr. 許富皓

Slide 2: Rootkit

Slide 3: ... for Windows
by Bryce Cogswell et al.

Slide 4: Categories of Rootkits (Windows)
- User-mode rootkits
- Kernel-mode rootkits

Slide 5: User-mode Rootkits

Slide 6: Windows API (Wikipedia)
The Windows API, informally WinAPI, is the name given by Microsoft to the core set of application programming interfaces available in the Microsoft Windows operating systems. It is designed for use by C/C++ programs and is the most direct way for software applications to interact with a Windows system.

Slide 7: Windows API (developerfusion)
Windows can do lots of things: manage hardware, run programs, display icons. Many of these functions are carried out by DLL files. DLLs (Dynamic Linked Libraries) store functions so that other programs can access them. The advantage of using DLLs is that the same file can be accessed at the same time by different programs. The functions stored in the Windows DLLs are called the Windows API.

Slide 8: Native API (Wikipedia)
The Native API (with a capitalized N) is the publicly incompletely documented application programming interface used internally by the Windows NT family of operating systems. Most Native API calls are implemented in ntoskrnl.exe and are exposed to user mode by ntdll.dll. Some Native API calls are implemented in user mode directly within ntdll.dll. While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem, are implemented using the Native API, as they are started early enough in the Windows NT startup process that the Windows API is not available yet.

Slide 9: Windows Library Files - user32.dll
user32.dll is a file that contains Windows API functions related to the Windows user interface, such as window handling, basic UI functions, and so forth. It is a core file for several versions of the Microsoft Windows operating system. If this file is damaged or deleted, the operating system will not work.

Slide 10: Native Applications (answer)
Applications that are linked directly against a Native API library are known as Native Applications; the primary reason for their existence is to perform low-level tasks, such as direct disk I/O, that cannot be achieved through the documented Windows API. Ordinary Windows applications are not linked directly against a Native API library, but to one or more of the WinAPI libraries with well-documented APIs. This is to retain portability across Windows platforms, among other reasons.

Slide 11: User-mode Rootkits Utilizing Windows APIs
A user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs. These two APIs are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results containing entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove those entries.

Slide 12: API Hooking (craigheffner)
In Windows, all applications must communicate with the kernel through API functions; as such, these functions are critical to even the simplest Windows application. Thus, the ability to intercept, monitor, and modify a program's API calls, commonly called API hooking, effectively gives one full control over that process.

Slide 13: Usage of API Hooking (craigheffner)
API hooking can be useful for a multitude of reasons, including debugging, reverse engineering, and hacking.

Slide 14: Intercept API Calls
While there are several methods which can be used to intercept, monitor, and modify a program's API calls, one of them is DLL redirection.

Slide 15: DLL Redirection (craigheffner)
Since an executable imports API functions from DLL files, DLL redirection allows us to tell a program that the DLLs it needs are located in a different directory than the originals. In this way we can create a DLL with the same name as the original, which exports the same function names as the original, but each function may contain whatever code we like.

Slide 16: User-mode Rootkits Utilizing Windows Native APIs
More sophisticated user-mode rootkits intercept the file system, registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a Native API enumeration.

Slide 17: Registry (Microsoft)
A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 to store information necessary to configure the system for one or more users, applications, and hardware devices. Registry data is stored in binary files.

Slide 18: Information Contained in the Registry (Microsoft)
The Registry contains information that Windows continually references during operation, such as:
- profiles for each user
- the applications installed on the computer
- the types of documents that each application can create
- property sheet settings for folders and application icons
- what hardware exists on the system
- the ports that are being used

Slide 19: Description of the Registry (Microsoft)
The Registry replaces most of the text-based .ini files used in Windows 3.x and the MS-DOS configuration files, such as Autoexec.bat and Config.sys. Although the Registry is common to several Windows operating systems, there are some differences among them.

Slide 20: What Does the Registry Look Like? (Tim Smith)
The Registry is stored on your hard disk in several files, but the only way to look at it and make changes is to use the regedit program. To access this, click on the Start button and then on the Run option. Type regedit into the box that appears and press Enter. This will launch regedit and you will now have your first sight of the Registry.

Slide 21: Organization of the Registry (Tim Smith)
The Registry is organized much like the files on a disk and will look familiar if you have ever used the Folders view in Windows Explorer. In the Registry, however, these folders are called keys. To open a key, simply click on the small plus (+) symbol next to it. You will then see that each key contains either more keys, called subkeys, or values.

Slide 22: Key Overview (Tim Smith)
The keys are organized logically, but there are thousands of them, which can be daunting the first time you sneak a peek at the Registry. To simplify things, be aware that there are five root keys, and these are the basic building blocks of the Registry.

Slide 23: Predefined Keys (Microsoft)
What follows are the predefined keys that are used by the system:
- HKEY_CURRENT_USER (abbr. HKCU)
- HKEY_USERS (abbr. HKU)
- HKEY_LOCAL_MACHINE (abbr. HKLM)
- HKEY_CLASSES_ROOT (abbr. HKCR)
- HKEY_CURRENT_CONFIG (abbr. HKCC)
The maximum size of a key name is 255 characters.

Slide 24: Key Value (Wikipedia)
Each of the predefined keys is divided into subkeys, which may contain further subkeys, and so on. Any key may contain values. These values can be:
- String Value
- Binary Value (0s and 1s)
- DWORD Value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295, i.e. 2^32 - 1)
- Multi-String Value
- Expandable String Value

Slide 25: Key Hierarchy (Wikipedia)
Each key has a default value, which is in effect a value with the same name as the key. Registry keys and values are specified with a syntax similar to Windows filenames, using backslashes to indicate levels of hierarchy. E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE key.

Slide 26: Example (1)
HKCU has subkeys and values. By pressing the + before HKCU you can see its subkeys. Each value has a name and a datum.

Slide 27: Example (2)

Slide 28: Key Specifying Applications to Run When a User Logs In (Wikipedia)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and the HKCU equivalent) specifies applications to run whenever a user logs in. These can include desirable programs, such as printer monitoring programs or frequently used tools. But a lot of malware uses this registry key to ensure it is automatically run. This key is a good place to start looking for evidence of malware if you think your computer has been infected.

Slide 29: Example

Slide 30: Spyware and the Registry (Tim Smith)
Spyware often installs values in the Registry to make sure that it is launched to monitor your computer when Windows starts up. When looking for advice on how to remove these programs you may be told to edit the Registry. Always make sure that the advice is coming from a trustworthy source, such as Registry Guide for Windows or S. Sometimes the spyware also installs a small program to monitor the Registry and replace keys that you delete, so you should use software such as Spybot Search and Destroy to clean your computer entirely.

Slide 31: Kernel-mode Rootkits

Slide 32: Why Are Kernel-mode Rootkits More Powerful?
Kernel-mode rootkits can be even more powerful since not only can they intercept the Native API in kernel mode, but they can also directly manipulate kernel-mode data structures.

Slide 33: Example of Kernel-mode Rootkits
A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of that list, the malware process will not display in process management tools like Task Manager or Process Explorer.

Slide 34: Rootkit Techniques (by Ivo Ivanov)

Slide 35: Techniques Involved
- Step 1: Injecting techniques
- Step 2: Interception mechanisms

Slide 36: Injecting Techniques (Ivo Ivanov)

Slide 37: Injecting Techniques
- Method 1: Registry
- Method 2: Global Windows hooks
- Other methods (omitted in this lecture):
  - injecting a DLL by using the CreateRemoteThread() API function
  - implanting through BHO add-ins
  - MS Office add-ins

Slide 38: Injecting Techniques - by Registry

Slide 39: Inject a DLL into Processes
In order to inject a DLL into processes that link with USER32.DLL, you can simply add the DLL name to the value of the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Its value contains a single DLL name or a group of DLLs separated either by commas or by spaces. According to the MSDN documentation, all DLLs specified by the value of that key are loaded by each Windows-based application running within the current logon session.

Slide 40: Invoke Registry Editor

Slide 41: Select the Appropriate Key

Slide 42: Edit the Selected Key

Slide 43: Load USER32-Related DLLs
It is interesting that the actual loading of these DLLs occurs as a part of USER32's initialization. USER32 reads the value of the mentioned registry key and calls LoadLibrary() for these DLLs in its DllMain code.
Restrictions: However, this trick applies only to applications that use USER32.DLL. Another restriction is that this built-in mechanism is supported only by the NT and 2K operating systems.

Slide 44: Shortcomings (1)
In order to activate/deactivate the injection process you have to reboot Windows. The DLL you want to inject will be mapped only into those processes that use USER32.DLL, thus you cannot expect to get your hook injected into console applications, since they usually don't import functions from USER32.DLL.

Slide 45: Shortcomings (2)
On the other hand, you don't have any control over the injection process. It means that the DLL is implanted into every single GUI application, regardless of whether you want it or not. It is a redundant overhead, especially if you intend to hook a few applications only.

Slide 46: Injecting Techniques by Hooks (Chris Cummings, MSDN)

Slide 47: What Are Hooks?
Put shortly, a hook is a function you can create as part of a DLL or your application to monitor the goings-on inside the Windows operating system.

Slide 48: Objectives of Hooks (1)
The idea is to write a function that is called every time a certain event in Windows occurs, for example when a user presses a key on the keyboard or moves the mouse. Hooks were provided by Microsoft primarily to help program writers with the debugging of their applications. But they can be put to use in many different ways, for example, writing a hidden key-logging program to find out other users' passwords to the Internet!

Slide 49: Objectives of Hooks (2)
The system supports many different types of hooks. Each hook type provides access to a different aspect of its message-handling mechanism. For example, an application can use the WH_MOUSE hook to monitor the message traffic for mouse messages.

Slide 50: Categories of Hooks
There are 2 categories of hooks: global or local.

Slide 51: Global Hook
A global hook monitors the entire system (all threads), or monitors messages for all threads in the same desktop as the calling thread.

Slide 52: Local Hook (Thread-specific Hook)
A local hook (thread-specific hook) is one that monitors things happening only for a specific program (or thread), or monitors messages for only an individual thread.

Slide 53: Hook Setup (1)
Both types of hooks are set up in the same way. The main difference is that for a local hook, the function to be called can be within the program it is monitoring, but with a global hook the function must be stored in and loaded from a separate DLL.

Slide 54: Hook Setup (2)
If an application installs a hook procedure for one of its own threads, the hook procedure can be either in the same module as the rest of the application's code or in a DLL. If the application installs a hook procedure for a thread of a different application, the procedure must be in a DLL.

Slide 55: Hook Chain (MSDN)
The system maintains a separate hook chain for each type of hook. A hook chain is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the system passes the message to each hook procedure referenced in the hook chain, one after the other.

Slide 56: Action Taken by a Hook Procedure
The action a hook procedure can take depends on the type of hook involved. The hook procedures for some types of hooks can only monitor messages. Others can modify messages. Still others can stop a message's progress through the chain, preventing it from reaching the next hook procedure or the destination window.

Slide 57: Hook Procedures (Hook Functions) (MSDN) (1)
To take advantage of a particular type of hook, the developer provides a hook procedure and uses the SetWindowsHookEx function to install it into the chain associated with the hook.

Slide 58: Hook Procedures (Hook Functions) (MSDN) (2)
A hook procedure is the procedure to be called by Windows when the event we specify happens. A hook for any event always takes the same form, but the values passed to it by Windows can mean different things. For example, if the hook is of type WH_KEYBOARD, Windows will pass it information relating to which key was pressed.

Slide 59: Hook Procedure Syntax
A hook procedure must have the following syntax:
LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam);
HookProc is a placeholder for an application-defined name.

Slide 60: Arguments of a Hook Procedure
Your hook procedure should accept the following arguments:
- nCode: a hook code that the hook procedure uses to determine the action to perform. The value of the hook code depends on the type of the hook; each type has its own characteristic set of hook codes.
- wParam and lParam: their values depend on the hook code, but they typically contain information about a message that was sent or posted.
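The cross-view idea of slide 16 applied to the hidden-process technique of slide 33, as an added example that is not part of the lecture: it compares the process list the kernel reports with a brute-force probe of every PID, since an unlinked process still owns its PID entry. The P/Invoke wrapper names (CrossView.Native) and the PID ceiling are this example's own choices; it assumes Windows PowerShell 5.1 or later and needs no elevation.

```powershell
# Added example (not from the lecture): user-mode cross-view check for processes
# unlinked from the kernel's active-process list (slide 33).
# View 1: the process list the kernel reports (what Task Manager shows).
# View 2: a brute-force OpenProcess probe of every possible PID. An unlinked
# process still owns its PID, so the probe succeeds (or fails with ACCESS_DENIED)
# even though view 1 never mentions it.
Add-Type -Namespace CrossView -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # least access that still "sees" a process
$ERROR_ACCESS_DENIED = 5

# $true if the PID belongs to a live process, whether or not we are allowed to open it.
function Test-ProcessIdExists {
    param([uint32]$ProcessId)
    $h = [CrossView.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -ne [IntPtr]::Zero) { [void][CrossView.Native]::CloseHandle($h); return $true }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    return ($err -eq $ERROR_ACCESS_DENIED)   # exists, just protected from us
}

function Find-UnlistedProcessIds {
    param([uint32]$MaxProcessId = 65535)
    $listed = @{}
    Get-Process | ForEach-Object { $listed[[uint32]$_.Id] = $true }   # view 1
    $suspects = @()
    for ($id = 4; $id -le $MaxProcessId; $id += 4) {                   # PIDs are multiples of 4
        if ((-not $listed.ContainsKey([uint32]$id)) -and (Test-ProcessIdExists $id)) { $suspects += $id }
    }
    # Re-read view 1: a process that started during the scan is new, not hidden.
    $now = @{}
    Get-Process | ForEach-Object { $now[[uint32]$_.Id] = $true }
    return @($suspects | Where-Object { -not $now.ContainsKey([uint32]$_) })
}

# Caveat: a PID whose process has exited but still has open handles is also reachable,
# so confirm a hit with a second tool before treating it as a rootkit.
$hidden = @(Find-UnlistedProcessIds)
if ($hidden.Count -eq 0) { 'Every reachable PID appears in the process list.' }
else { "PIDs reachable but not listed (investigate): $($hidden -join ', ')" }
```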
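An audit of the two registry locations the lecture singles out, the Run keys of slide 28 and the AppInit_DLLs value of slides 39 to 45, as an added example that is not part of the lecture: it lists each entry and flags binaries that are missing or not validly signed. The helper names are this example's own; it assumes Windows PowerShell 5.1 or later, and the LoadAppInit_DLLs and RequireSignedAppInit_DLLs flags it prints exist on Windows 7 and later only.

```powershell
# Added example (not from the lecture): audit Run keys (slide 28) and AppInit_DLLs
# (slides 39-45) and flag entries that point at missing or unsigned binaries.

# Extract the executable path from a Run value's command line (handles "quoted paths").
function Get-CommandPath {
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

# One-line verdict on a file: missing, unsigned/invalid, or signed by whom.
function Get-FileVerdict {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "signed: $($sig.SignerCertificate.Subject)" }
    return "UNSIGNED/INVALID ($($sig.Status))"
}

$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run keys: every value here is a program launched at logon.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }        # provider metadata, not registry values
        $exe = Get-CommandPath ([string]$p.Value)
        '{0}\{1} = {2} -> {3}' -f $key, $p.Name, $exe, (Get-FileVerdict $exe)
    }
}

# 2. AppInit_DLLs: each DLL listed is loaded into every process that loads user32.dll,
#    so any entry at all needs a justification.
$win = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
"LoadAppInit_DLLs=$($win.LoadAppInit_DLLs) RequireSignedAppInit_DLLs=$($win.RequireSignedAppInit_DLLs)"
$dlls = @((([string]$win.AppInit_DLLs) -split '[ ,]+') | Where-Object { $_ })   # comma- or space-separated
if ($dlls.Count -eq 0) { 'AppInit_DLLs is empty (the expected state on a clean system)' }
foreach ($d in $dlls) {
    # A bare file name is resolved by the loader's search order; assume System32 for the check.
    $path = if ([IO.Path]::IsPathRooted($d)) { $d } else { Join-Path $env:SystemRoot "System32\$d" }
    'AppInit_DLLs entry {0} -> {1}' -f $d, (Get-FileVerdict $path)
}
```

Run it elevated so HKLM and the signature checks on protected paths succeed; an unelevated run still audits HKCU.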
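A module census that detects the footprint both injection methods leave, an AppInit_DLLs entry (slides 39 and 43) or a global hook DLL that must live in a separate DLL (slides 51 to 54), as an added example that is not part of the lecture: such a DLL appears in nearly every process that has user32.dll loaded, so the script reports modules with that reach that are unsigned or outside the Windows directory. The function name and the 90% threshold are this example's own; it assumes an elevated 64-bit Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the lecture): census of which DLLs sit in how many
# user32-based processes. Processes that cannot be opened (protected, other
# bitness, already exited) are skipped rather than counted.
$winDir = ($env:SystemRoot.TrimEnd('\') + '\').ToLowerInvariant()
$census = @{}       # lower-cased module path -> array of PIDs that have it loaded
$guiCount = 0

foreach ($proc in Get-Process) {
    $mods = @(Get-Process -Id $proc.Id -Module -ErrorAction SilentlyContinue |
              Where-Object { $_.FileName })
    if ($mods.Count -eq 0) { continue }
    $paths = @($mods | ForEach-Object { $_.FileName.ToLowerInvariant() } | Sort-Object -Unique)
    if (-not ($paths -like '*\user32.dll')) { continue }   # console-only process: out of scope
    $guiCount++
    foreach ($path in $paths) {
        if (-not $census.ContainsKey($path)) { $census[$path] = @() }
        $census[$path] += $proc.Id
    }
}

# Modules present in at least $Threshold of GUI processes that are not validly signed
# files under the Windows directory (catalog-signed system files count as signed).
function Get-WidelyLoadedOutsiders {
    param([double]$Threshold = 0.9)
    if ($guiCount -eq 0) { return }
    foreach ($entry in $census.GetEnumerator()) {
        $share = $entry.Value.Count / [double]$guiCount
        if ($share -lt $Threshold) { continue }
        $inWindows = $entry.Key.StartsWith($winDir)
        $status = (Get-AuthenticodeSignature -FilePath $entry.Key).Status
        if ($inWindows -and ($status -eq 'Valid')) { continue }   # the normal case
        [pscustomobject]@{ Module = $entry.Key; Processes = $entry.Value.Count
                           Share = [math]::Round($share, 2); Signature = $status }
    }
}

"Examined $guiCount GUI processes (user32.dll loaded)."
Get-WidelyLoadedOutsiders | Sort-Object Processes -Descending | Format-Table -AutoSize
```

Legitimate third-party software (input methods, accessibility tools, some security products) also uses global hooks, so a hit is a lead to verify, not a verdict.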