A forum for reverse engineering, OS internals and malware analysis 

 #17091  by Microwave89
 Sun Dec 09, 2012 8:21 pm
Hi.

Since I was unable to acquire a user mode RK for x64, I decided to give kernel land RKs a try.
In my house I then found a book, "Rootkits: Subverting the Windows Kernel", from 2006, written by James Butler and Greg Hoglund.
However, I have recently read some facts about the new kernel patch guard in x64 OSs, and now I doubt the functionality of some of the rootkit techniques described in that book. These are:
- Kernel hooks on GDT, LDT, SSDT, IDT tables (IS gonna lead for sure to a bug check, -> http://msdn.microsoft.com/en-us/windows ... 87350.aspx)
- Runtime patching (does this also count as kernel patching?)
- DKOM (I would say that DKOM IS of course a kind of kernel patching, isn't it?)
But that guy thinks differently about it:
tzuk wrote:(Read about DKOM rootkits to see that rootkits do not need to patch the kernel to hide their processes. PatchGuard does not protect system data areas and a rootkit can simply "delete" the information associated with its processes. It will still execute, just won't show up in Task Manager.)

So which techniques am I still allowed to use for hiding files, drivers or processes without getting a CRITICAL_STRUCTURE_CORRUPTION bug check? (It's obvious that, for example, DKOM cannot be used for hiding files..)

And if you, EP_0XFF, read this, I dunno why you blasted my previous post, in which I put a lot of effort, into the trashcan like I would have been asking "eh guys tell me how to build an undetectable super VIRII!!!!". And I don't wanna comment on that. But please, PLEASE, don't blast this one away, or at least don't blast it away without giving me any constructive criticism about what I've done wrong. Thank you.

Maybe someone knows a good book regarding rootkits which is up to date and takes Microsoft's PatchGuard into account?
Or a website that's worth reading?


Best regards

Microwave
 #17095  by EP_X0FF
 Mon Dec 10, 2012 3:35 am
Hello,
Microwave89 wrote:Since I was unable to acquire a user mode RK for x64, I decided to give kernel land RKs a try.
You got a direct tip how to create them in your previous thread.
Microwave89 wrote:In my house I then found a book, "Rootkits: Subverting the Windows Kernel", from 2006, written by James Butler and Greg Hoglund.
PatchGuard, or KPP, was introduced in 2005 with x64 Windows 2003 SP1 / x64 XP. This book is obviously out of date and its examples do not cover x64.
Microwave89 wrote:However, I have recently read some facts about the new kernel patch guard in x64 OSs, and now I doubt the functionality of some of the rootkit techniques described in that book. These are:
- Kernel hooks on GDT, LDT, SSDT, IDT tables (IS gonna lead for sure to a bug check, -> http://msdn.microsoft.com/en-us/windows ... 87350.aspx)
Yes.
- Runtime patching (does this also count as kernel patching?)
- DKOM (I would say that DKOM IS of course a kind of kernel patching, isn't it?)
But that guy thinks differently about it:
tzuk wrote:(Read about DKOM rootkits to see that rootkits do not need to patch the kernel to hide their processes. PatchGuard does not protect system data areas and a rootkit can simply "delete" the information associated with its processes. It will still execute, just won't show up in Task Manager.)
It is partially true. Runtime patching means code modification of one of the listed kernel modules: ntoskrnl, ci.dll, hal.dll, kdcom.dll, pshed.dll, ndis.sys, tcpip.sys, clfs.sys (the number depends on the Windows version). KPP calculates hashes for several image sections (for example .pdata, .edata, .idata for ntoskrnl) and system structures (both service tables, IDT, GDT) at startup, and then they are periodically checked for inconsistencies; found something wrong? - BSOD. DKOM is direct kernel object manipulation. Under the term "object" there can be anything: device objects, driver objects. KPP behaviour depends on the version. This is not documented anywhere, for obvious reasons. But again, obviously it can't control all kernel data. DKOH will be triggered as well -> http://www.kernelmode.info/forum/viewto ... f=14&t=717
So which techniques am I still allowed to use for hiding files, drivers or processes without getting a CRITICAL_STRUCTURE_CORRUPTION bug check? (It's obvious that, for example, DKOM cannot be used for hiding files..)
Write your driver relying on documented methods. Your previous topic includes a link to a hooking engine (enough to build a user mode x64 rootkit), but you seem not to want to do anything yourself.

1. For file hiding it is enough to do a simple FSD filter. http://www.kernelmode.info/forum/viewto ... =16&t=1543
2. Process hiding by EPROCESS list modification (like in Hoglund/Butler's book) will be triggered by KPP (not immediately, but after a few minutes a BSOD will be delivered; again, behaviour can depend on the Windows version -> http://www.kernelmode.info/forum/viewto ... 1&start=20). Modern rootkits do not need "processes". They use user mode code (usually a dll) mapped into a FW-trusted process for the network communication part, because no one wants to fcuk with NDIS at low level. So KM->UM injection knowledge (and overall injection methods knowledge) is required.

But again, I guess you need a toy to play with. Good luck with the search.
Microwave89 wrote:And if you, EP_0XFF, read this, I dunno why you blasted my previous post, in which I put a lot of effort, into the trashcan like I would have been asking "eh guys tell me how to build an undetectable super VIRII!!!!". And I don't wanna comment on that. But please, PLEASE, don't blast this one away, or at least don't blast it away without giving me any constructive criticism about what I've done wrong. Thank you.
Public discussion of the administration's will lead to your permanent ban. Take it as the first and last warning.
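An added illustration, not from the thread or any of its posters, of the two points made above about EPROCESS-list DKOM: a process spliced out of the doubly linked active-process list is still reachable through the PID table (which is why it keeps executing), and a defender finds it by comparing the two views. This is a constructed Python model with made-up names and PIDs; the list, the PID table and the cross-view check are simplified stand-ins for the real kernel structures.

```python
"""Cross-view detection of a list-unlinked (DKOM-style) process, toy model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Process:
    pid: int
    name: str
    flink: Optional["Process"] = field(default=None, repr=False)  # next entry
    blink: Optional["Process"] = field(default=None, repr=False)  # previous entry


class Kernel:
    """Constructed model: a circular doubly linked process list (stand-in for
    ActiveProcessLinks) plus a PID table (stand-in for the CID/handle table)."""

    def __init__(self) -> None:
        self.head = Process(0, "System")          # list head, PID 0
        self.head.flink = self.head.blink = self.head
        self.cid_table: Dict[int, Process] = {0: self.head}

    def create(self, pid: int, name: str) -> Process:
        p = Process(pid, name)
        tail = self.head.blink
        tail.flink, p.blink, p.flink, self.head.blink = p, tail, self.head, p
        self.cid_table[pid] = p
        return p

    def unlink(self, pid: int) -> None:
        """Splice one entry out of the list only; the PID-table entry stays, so the
        process is still addressable (and in the real kernel still scheduled)."""
        p = self.cid_table[pid]
        p.blink.flink, p.flink.blink = p.flink, p.blink
        p.flink = p.blink = p                      # entry now points at itself

    def walk_list(self) -> List[int]:
        """View 1: what a list walker (Task Manager style enumeration) sees."""
        pids, cur = [], self.head.flink
        while cur is not self.head:
            pids.append(cur.pid)
            cur = cur.flink
        return pids

    def pid_scan(self, max_pid: int = 4096) -> List[int]:
        """View 2: probe every possible PID (Windows PIDs are multiples of 4)."""
        return [pid for pid in range(4, max_pid, 4) if pid in self.cid_table]


def find_hidden(k: Kernel) -> List[int]:
    """Cross-view check: PIDs reachable by probing but absent from the list walk."""
    return sorted(set(k.pid_scan()) - set(k.walk_list()))
```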