API Hooking & Rootkits
The ultimate backdoor! Virtually undetectable access to the systems they exploit...
20 files
-
Thread Injection
By Teddy Rogers
Code-caving is the practice of injecting machine code into a remote process and making it execute. In this tutorial, I will cover a method of code-caving which I like to call thread injection. Thread injection is a seven step process.
373 downloads
0 comments
Updated
-
Stoned Bootkit
By Teddy Rogers
Stoned Bootkit is a research and scientific bootkit. It is loaded before Windows starts and is memory resident. Thus Stoned is executed beside the Windows kernel and has full access to the entire system. It gives the user back the control to the system, which was taken off by Windows Vista with the signed driver policy.
Stoned allows to load unsigned drivers, which is useful for hardware engineers and testers. You can also use it to create your own boot application, for example diagnostic tools or other solutions like backup, system restoration, etc.
The new thing about Stoned is that there is now a bootkit attacking all Windows versions from XP up to 7 and bypassing TrueCrypt's full volume encryption. Previous bootkits like the BootRoot which was presented at Black Hat USA 2005 or vbootkit from Black Hat Europe 2007 were only dedicated operating system attacks; however, my bootkit is now attacking multiple systems. I want to point out that my bootkit is not based on any other; however, there is great research work from other researchers and Black Hat speakers available.
Finally it is Stoned's one and single target to be the most sophisticated bootkit. It can also be used for malware developers to get full access to the system. It should be the most used bootkit in the wild for 2010. If you have any questions or concerns, please do not hesitate to contact me.
221 downloads
0 comments
Updated
-
Powerful x86/x64 Mini Hook-Engine
By Teddy Rogers
I wrote this little hook-engine for a much bigger article. Sometimes it seems such a waste to write valuable code for large articles whose topic isn't directly related to the code. This often leads to the problem that the code won't be found by the people who are looking for it.
Personally, I would've used Microsoft's Detour hook engine, but the free license only applies to x86 applications, and that seemed a little bit too restrictive to me. So, I decided to write my own engine in order to support x64 as well. I've never downloaded Detour nor have I ever seen its APIs, but from the general overview given by Microsoft it's easy to guess how it works.
As I said, this is only a part of something bigger. It's not perfect, but it can easily become such. Since this is not a beginner's guide about hooking, I assume that the reader already possesses the necessary knowledge to understand the material. If you never heard about this subject, you'd better start with another article. There's plenty of guides out there, no need to repeat the same things here.
As everybody knows there's only one easy and secure way to hook a Win32 API: to put an inconditional jump at the beginning of the code to redirect it to the hooked function. And by secure I just mean that our hook can't be bypassed. Of course, there are some other ways, but they're either complicated or insane or both. A proxy dll, for instance, might work in some cases, but it's rather insane for system dlls. Overwriting the IAT is unsecure for two reasons:
a) The program might use GetProcAddress to retrieve the address of an API (and in that case we should handle this API as well).
b) It's not always possible, there are many cases as for packed programs where the IAT gets built by the protection code and not by the Windows loader.
Ok, I guess you're convinced. Let's just say that there's a reason why Microsoft uses the method presented in this article.
263 downloads
0 comments
Updated
-
Peacomm.C - Cracking the Nutshell
By Teddy Rogers
On 22th August 2007 I received an email informing me about "New Member Confirmation", including Confirmation Number, Login-ID and Login-Password. To stay secure I should immediately change my Login info on a provided website link. So I've started investigating what surprises are awaiting people clicking on such kind of links. Next to a friendly message telling me that my download should start in some seconds, I also got a browser exploit for free, to ensure the "software package" gets really shipped. "Hey that's cool", I thought by myself. "It's like Kinder Surprise® - three in one!" Unfortunately, at this time I hadn't enough incentive for a deep analysis and so I just stored the malicious file called applet.exe in my archive for later fun with it. Last week I had enough free time to throw it into IDA and my debuggers. After approximately one hour of investigation it was clear for me that the time had come for a new research paper, as this malware disclosed several interesting techniques, especially in the rootkit area. The opponent for this paper is called "Peacomm.C" and outlines the currently latest variant of this infamous P2P malware. The security industry gave it also several other names like "Storm Worm", "Nuwar" or "Zhelatin". The first variant "Peacomm.A" was detected in the mid of January 2007 and since then it has grown to one of the most successful botnets ever seen in the wild. It uses an adjusted Overnet protocol for spreading and communication. Its main intense is spamming and DDoS attacking. Also the fast-flux service network which is being used by the criminals behind the attacks is really amazing and frightening at the same time. As its botnet activities are not the focus of this essay, I've included interesting other papers covering these topics.
138 downloads
0 comments
Updated
-
PE Injection Explained
By Teddy Rogers
This is not another article on DLL injection or shellcode injection (already a lot of is available online). The method described here allows to inject the complete image of the running process module in the memory of another process, basically this means having two different codes running in the same process (or having one PE hidden inside another).
This technique is more powerful than classic code injection technique because it does not require any shellcoding knowledge, the program code can be written in regular C++ and relies on well documented Windows System and Runtime API. Compared to DLL injection the main asset of PE injection is that you don't need several files, the main exe self inject inside another process and calls itself in there. I don' know who invented this method (official researchers or underground?). The thing is, the technique is not very widespread on the Internet and generally the source code lacks some explanation. Here I provide complete explanation of the technique and implementation source code at the end of article.
273 downloads
0 comments
Updated
-
Inline Patching Protected Applications Through Hooking API Functions
By Teddy Rogers
Nice tutorial covering a method of inline patching protected applications through hooking API functions.
486 downloads
0 comments
Updated
-
Injecting a DLL Into a Running Process
By Teddy Rogers
In this tutorial I will show you how to inject a .DLL file into a running process using the CRT method. I am sure all of you have heard about it .
It is the easiest method I have ever done and I'm sure it will be easy to understand and follow along to.
It is vital that you have at least some C++ knowledge or you might not quite understand what is going on.
349 downloads
0 comments
Updated
-
Import Address Table Hooking
By Teddy Rogers
Hooking is the practice of re-directing the flow of a program causing it to execute a code-cave or function in an injected module in place of another piece of code. In this tutorial, I will cover a method of hooking known as IAT (Import Address Table) Hooking. IAT Hooking is a 4 step process (I assume you are able to manage to inject the attacking DLL on your own).
217 downloads
0 comments
Updated
-
IAT Patching (API Hooking)
By Teddy Rogers
IAT Patching is an API-Hooking mechanism in which the IAT (Import Address Table) is overwritten w/ user defined functions. It's fairly easy, nothing as effective as Madshi, y0da, or ELiCZ API Hooking method however it's ideal for quick instances where effectivness doesn't really "matter". If you would like to know more about how the operation or how I do the IAT patching then see doc/how.txt. The file /doc/api.txt contains the function prototypes and is similiar to MSDN documentation so check that out if your gonnause it.
241 downloads
0 comments
Updated
-
HookScout: Proactive Binary-Centric Hook Detection
By Teddy Rogers
In order to obtain and maintain control, kernel malware usually makes persistent control flow modifications (i.e., installing hooks). To avoid detection, malware developers have started to target function pointers in kernel data structures, especially those dynamically allocated from heaps and memory pools. Function pointer modification is stealthy and the attack surface is large; thus, this type of attacks is appealing to malware developers. In this paper, we first conduct a systematic study of this problem, and show that the attack surface is vast, with over 18,000 function pointers (most of them long-lived) existing within the Windows kernel. Moreover, to demonstrate this threat is realistic for closed-source operating systems, we implement two new attacks for Windows by exploiting two function pointers individually. Then, we propose a new proactive hook detection technique, and develop a prototype, called HookScout. Our approach is binary-centric, and thus can generate hook detection policy without access to the OS kernel source code. Our approach is also context-sensitive, and thus can deal with polymorphic data structures. We evaluated HookScout with a set of rootkits which use advanced hooking techniques and show that it detects all of the stealth techniques utilized (including our new attacks). Additionally, we show that our approach is easily deployable, has wide coverage and minimal performance overhead.
136 downloads
0 comments
Updated
-
Hooking DLL's Using PEB
By Teddy Rogers
When each dll is loaded new entry is created in PEB_LDR_DATA to describe state of .dll and also newly inserted data will be used later on to access .dll via GetModuleHandle and LoadLibrary.
This is advantage for us because we can load our .dll with faked export table and all calls to APIs will go trough our .dll and end up in real .dll.
198 downloads
0 comments
Updated
-
Function Hooking and Windows DLL Injection
By Teddy Rogers
In this tutorial I'll show you how to modify at runtime the behaviour of Windows programs.
228 downloads
0 comments
Updated
-
Enterprise Java Rootkits
By Teddy Rogers
In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. In "Byte Wars: The Impact of September 11 on Information Technology," Ed Yourdon cautions us to "remember that hardly anyone watches the programmers".
How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? In many ways malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. What's really scary is that a trojaned Struts or Log4j library could effect most of the financial industry all at once.
In this paper, we examine the techniques that malicious programmers can use to insert and hide these attacks in an enterprise Java application. We examine techniques for bootstrapping external attacks, avoid code review, avoiding statis analysis, trojaning libraries, and trojaning an enterprise build server. The point here is not to show how complex these attacks are, but rather how many opportunities there are and how simple and obvious they are to most developers.
131 downloads
0 comments
Updated
-
DLL Injection Method
By Teddy Rogers
In this tutorial i'll try to cover all of the known methods(or at least, those that I know =p) of injecting dll's into a process. Dll injection is incredibly useful for TONS of stuff(game hacking, function hooking, code patching, keygenning, unpacking, etc..). Though there are scattered tutorials on these techniques available throughout the web, I have yet to see any complete tutorials detailing all of them(there may even be more out there than I have here, of course), and comparing their respective strength's and weakness's. This is precisely what i'll attempt to do for you in this paper. You are free to reproduce or copy this paper, so long as proper credit is given and you don't modify it without speaking to me first.
242 downloads
0 comments
Updated
-
Defeating Kernal Native API Hookers
By Teddy Rogers
Win32 Kernal Rootkits modify the behaviour of the system by Kernal Native API hooking. This technique is typically implemented by modifiying the entries within the kernals System Service Dispatch Table.
166 downloads
0 comments
Updated
-
Anti-Forensics the Rootkit Connection
By Teddy Rogers
Conventional rootkits tend to focus on defeating forensic live incident response and network monitoring using a variety of concealment strategies (e.g. hooking, detour patching, covert channels, peer-to-peer communication, etc.). However, the technology required to survive a post-mortem analysis of secondary storage, which is just as vital in the grand scheme of things, recently doesn't seem to have garnered the same degree of coverage. In this paper, we'l examine different approaches to persisting a rootkit and the associated anti-forensic tactics that can be employed to thwart an investigator who's performing an autopsy of a disk image.
132 downloads
0 comments
Updated
-
Advanced MacOS X Rootkits
By Teddy Rogers
The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This paper covers a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.
130 downloads
0 comments
Updated
-
A Journey to the Center of the Rustock.B Rootkit
By Teddy Rogers
On 27 December 2006 I found a sample of the Rustock.B Rootkit at www.offensivecomputing.net, which was only sparsely analyzed at this time. I was keen to study its behaviour, as I've heard a lot of stories about this infamous Rootkit. Rustock included several techniques to obfuscate the driver which could be stumbling blocks for the researcher. Analyzing the binary was quite fun. Recalling the work I've done over the last few days, it is clear that Rustock is quite different from most other Rootkits I've seen in the past. It is not much because Rustock uses new techniques, but rather because it combines dozens of known tricks from other malware which makes it very effective.
144 downloads
0 comments
Updated
-
9x/NT API Hooking via Import Tables
By Teddy Rogers
What we gonna do? Im gonna explain how to code an api hook for a little exe ive created which detects softice through CreateFileA.
140 downloads
0 comments
Updated
-
.NET Framework Rootkits (Revised 2009)
By Teddy Rogers
This paper introduces a new method that enables an attacker to change the .NET language.
The paper covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.
This paper also introduces ".Net-Sploit" - a new tool for building MSIL rootkits that will enable the user to inject preloaded/custom payload to the Framework core DLL.
196 downloads
0 comments
Updated
-
Download Statistics