{"id":243,"date":"2014-10-15T07:28:15","date_gmt":"2014-10-15T07:28:15","guid":{"rendered":"http:\/\/www.adlice.com\/?p=243"},"modified":"2022-12-21T10:39:30","modified_gmt":"2022-12-21T10:39:30","slug":"userland-rootkits-part-1-iat-hooks","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/de\/userland-rootkits-part-1-iat-hooks\/","title":{"rendered":"Userland Rootkits: Part 1, IAT hooks"},"content":{"rendered":"\n

This is the first part of this series about Userland rootkits<\/strong>, I wanted to write on it and demonstrate how some rootkits do to hide files<\/strong> by using IAT hooks.<\/p>\n\n\n\n

This post is about a classic trick<\/strong>, known for decades. Malware specialists may know this already, so this is mostly an introduction for whom willing to learn the theory of rootkits, and have a demonstration. Call that beginners if you want \ud83d\ude42<\/p>\n\n\n\n


Import Address Table (IAT)<\/h4>\n\n\n\n

The IAT table<\/strong> is a pointer table that holds the address in memory (within the DLL that hosts it) for every function<\/strong> needed by a program.<\/p>\n\n\n\n

Example:<\/strong> Let’s say you write a program able to enumerate files in a folder. You’ll probably need FindFirstFile<\/a>\/FindNextFile<\/a>, so when you compile it, the compiler will look for address of those functions in kernel32.dll, and add the corresponding entries into your program’s import address table => kernel32.dll (FindFirstFile::0xAAAAAAAA, FindNextFile:0xBBBBBBBB).<\/p>\n\n\n\n

So when your program will call the functions, it will look into the table and directly jump at the address given by the table. If one is able to rewrite that address in the table (dynamically), it will be able to redirect the execution flow to a function (with same prototype) that will filters the results<\/strong>, and possibly modify them before returning to the caller.<\/p>\n\n\n\n

IAT patching can be used by malware or legit software to do many things, keylogging, protection, theft of credit cards,… Many (in)famous malware are using it, like Zeus trojan, Stuxnet, …<\/strong>
 
\"iattable\"<\/a><\/p>\n\n\n\n


Practical case: File hider<\/h4>\n\n\n\n

We’ll study how to detour IAT table of a proces to hide a file. Disclaimer: This is not a tutorial to make a rootkit, but a practical case for educational purpose only.<\/strong> Anyway, this is covered for decades on other websites…<\/p>\n\n\n\n

This rootkit is made in 2 steps:<\/p>\n\n\n\n