demystifying modern windows rootkits
play

Demystifying Modern Windows Rootkits Bill Demirkapi Independent - PowerPoint PPT Presentation

Nov 05, 2022 •116 likes •847 views

Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher Demystifying Modern Windows Rootkits Black Hat USA 2020 1 Who Am I? 18 years old Sophomore at the Rochester Institute of Technology Windows

  1. Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher Demystifying Modern Windows Rootkits – Black Hat USA 2020 1

  2. Who Am I?  18 years old  Sophomore at the Rochester Institute of Technology  Windows Internals  Mostly self-taught (with guidance)  Strong “Game Hacking” background Demystifying Modern Windows Rootkits – Black Hat USA 2020 2

  3. What Is This Talk About? In this talk, we’ll go over…  Loading a rootkit.  Communicating with a rootkit.  Abusing legitimate network communications.  An example rootkit I wrote and the design choices behind it.  Executing commands from kernel.  Tricks to cover up the filesystem trace of your rootkit. Demystifying Modern Windows Rootkits – Black Hat USA 2020 3

  4. Introduction to Windows Rootkits Demystifying Modern Windows Rootkits – Black Hat USA 2020 4

  5. Windows Rootkits: An Overview Why would you want to use a rootkit?  Kernel drivers have significant access to the machine.  Same privilege level as a typical kernel anti-virus.  Less mitigations and security solutions targeting kernel malware.  Anti-Virus often have less visibility into operations performed by kernel drivers.  Kernel drivers are often ignored by anti-virus. Demystifying Modern Windows Rootkits – Black Hat USA 2020 5

  6. Example: Treatment by Anti-Virus Anti-virus tends to treat kernel drivers with significant trust compared to user-mode applications. Excerpt from Malwarebytes’ Process/Thread Handle callbacks Excerpt from Carbon Black’s Process/Thread Handle callbacks Demystifying Modern Windows Rootkits – Black Hat USA 2020 6

  7. Loading a Rootkit Demystifying Modern Windows Rootkits – Black Hat USA 2020 7

  8. Abuse Legitimate Drivers There are a lot of “vulnerable” drivers. With some reversing knowledge, finding a “0-day” in a driver can be trivial. Examples include…  Capcom’s Anti-Cheat driver  Intel’s NAL Driver  Microsoft themselves! Demystifying Modern Windows Rootkits – Black Hat USA 2020 8

  9. Abuse Legitimate Drivers Using legitimate drivers has quite a few benefits too:  You only need a few primitives to escalate privilege.  Finding a “vulnerable” driver is relatively trivial (OEM Drivers  ).  Difficult to detect due to compatibility reasons. Demystifying Modern Windows Rootkits – Black Hat USA 2020 9

  10. Abuse Legitimate Drivers Abusing legitimate drivers comes with some strong drawbacks too…  Major issue of compatibility across operating system versions depending on the primitives you have.  Much more likely to run into stability issues.  The last thing you want is your malware to BSOD a victim. Demystifying Modern Windows Rootkits – Black Hat USA 2020 10

  11. Just Buy a Certificate! For some red teamers, buying a legitimate code signing certificate might be a good option.  Useful for targeted attacks.  No stability concerns. But…  Potentially reveals your identity.  Can be blacklisted. Demystifying Modern Windows Rootkits – Black Hat USA 2020 11

  12. Abuse Leaked Certificates Instead of buying a certificate yourself, why not just use one from someone else?  There are quite a few public leaked certificates available to download.  Almost has all the benefits of buying one without deanonymization. But…  The leaked certificate you use can be detected in the future.  If the certificate was issued after July 29 th , 2015, it won’t work on secure boot machines running certain versions of Windows 10. Demystifying Modern Windows Rootkits – Black Hat USA 2020 12

  13. Abuse Leaked Certificates In most cases, Windows doesn’t care if your driver has a certificate that has expired or was revoked. Demystifying Modern Windows Rootkits – Black Hat USA 2020 13

  14. Abuse Leaked Certificates Several leaked certificates are already publicly posted, but it’s not impossible to find your own. Demystifying Modern Windows Rootkits – Black Hat USA 2020 14

  15. Abuse Leaked Certificates Oh and the best part…. most of them are undetected by the bulk of AV: Demystifying Modern Windows Rootkits – Black Hat USA 2020 15

  16. Communicating with a Rootkit Demystifying Modern Windows Rootkits – Black Hat USA 2020 16

  17. Beacon Out to a C2 A tried and true method that comes with some downsides is to “call home”.  Firewalls can block or flag outgoing requests to unknown/suspicious IP Addresses or ports.  Advanced Network Inspection can catch some exfiltration techniques that try to “blend in with the noise”. Demystifying Modern Windows Rootkits – Black Hat USA 2020 17

  18. Open a Port Some malware takes the route that the C2 connects to the victim directly to control it.  Relatively simple to setup. But…  Could be blocked off by a firewall.  Difficult to “blend in with the noise”. Demystifying Modern Windows Rootkits – Black Hat USA 2020 18

  19. Application Specific Hooking More advanced malware may opt to hook a specific application’s communication as a channel of communication.  Difficult to detect, especially if using legitimate protocol. But…  It’s not very flexible.  A machine might not have that service exposed. Demystifying Modern Windows Rootkits – Black Hat USA 2020 19

  20. Choosing a Communication Method What I want… 1. Limited detection vectors. 2. Flexibility for various environments. My assumptions… 1. Victims machines will have some services exposed. 2. Inbound and outbound access may be monitored. Demystifying Modern Windows Rootkits – Black Hat USA 2020 20

  21. Choosing a Communication Method Application Specific Hooking was perfect for my needs, except for the flexibility. Is there anyway we could change Application Specific Hooking to where it isn’t dependent on any single application? Demystifying Modern Windows Rootkits – Black Hat USA 2020 21

  22. Abusing Legitimate Communication What if instead of hooking an application directly, we…  Hook network communication, similar to tools like Wireshark.  Place a special indicator in “malicious” packets, a “magic” constant.  Send these “malicious” packets to legitimate ports on the victim machine.  Search packets for this “magic” constant to pass on data to our malware. Demystifying Modern Windows Rootkits – Black Hat USA 2020 22

  23. Hooking the User-Mode Network Stack Demystifying Modern Windows Rootkits – Black Hat USA 2020 23

  24. Hooking the Windows Winsock Driver  A significant amount of services on Windows can be found in user- mode, how can we globally intercept this traffic?  Networking relating to WinSock is handled by Afd.sys , otherwise known as the “Ancillary Function Driver for WinSock”.  Reversing a few functions in mswsock.dll revealed that a bulk of the communication was done through IOCTLs. If we could intercept these requests, we could snoop in on the data being received. Demystifying Modern Windows Rootkits – Black Hat USA 2020 24

  25. How Do Irps Know Where to Go? When you call NtDeviceIoControlFile on a file handle to a device, how does the kernel determine what function to call? Demystifying Modern Windows Rootkits – Black Hat USA 2020 25

  26. Standard Methods of Intercepting Irps There are a few ways we can intercept Irps, but let’s look at two common methods. 1. Replace the Major Function you’d like to hook in the driver’s object. 2. Perform a code hook directly on the dispatch handler. Demystifying Modern Windows Rootkits – Black Hat USA 2020 26

  27. Picking a method To pick the best method of hooking, here are a few common questions you should ask.  How many detection vectors are you potentially exposed to?  How "usable" is the method?  How expensive would it be to detect the method? Demystifying Modern Windows Rootkits – Black Hat USA 2020 27

  28. Hook a Driver Object  How many detection vectors are you potentially exposed to?  Memory artifacts.  How “usable” is the method?  For stability, by replacing a single function with an interlocked exchange, this method should be stable.  For compatibility, driver objects are well-documented and easy to find.  How expensive would it be to detect the method?  Inexpensive, all anti-virus would need to do is enumerate loaded drivers and check that the major functions are within the bounds of the driver. Demystifying Modern Windows Rootkits – Black Hat USA 2020 28

  29. Hook a Driver’s Dispatch Function  How many detection vectors are you potentially exposed to?  Memory artifacts.  How “usable” is the method?  Unless the function is exported, you will need to find the function yourself.  Not all drivers are compatible with this method due to PatchGuard.  HVCI incompatible.  How expensive would it be to detect the method?  Potentially inexpensive and several methods to detect hooking. Demystifying Modern Windows Rootkits – Black Hat USA 2020 29

  30. Hooking File Objects I wanted a method that was…  Undocumented.  Stable.  Relatively expensive to detect. What if instead of hooking the original driver object, we hooked the file object instead? Demystifying Modern Windows Rootkits – Black Hat USA 2020 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Demystifying DNA Demystifying DNA What is it? How do I get it? What is it? How do I

Demystifying DNA Demystifying DNA What is it? How do I get it? What is it? How do I

Demystifying DNA Demystifying DNA What is it? How do I get it? What is it? How do I get it? How do I get rid of it? How do I get rid of it? Alissa Bjerkhoel Litigation Coordinator, California Innocence Project Panel Attorney,

1.61k views • 124 slides
Demystifying SEO for Government Agencies Demystifying SEO for Government Agencies Why should you

Demystifying SEO for Government Agencies Demystifying SEO for Government Agencies Why should you

Drupal GovCon 2018 Demystifying SEO for Government Agencies Demystifying SEO for Government Agencies Why should you listen me? Jason Hamrick Senior Strategist Phase2 jhamrick@phase2technology.com Demystifying SEO for Government Agencies 2

418 views • 26 slides
Modern GUI Systems Beyond X Windows 1 CS 349 - Implementing GUIs Modern GUI (present) Desktop

Modern GUI Systems Beyond X Windows 1 CS 349 - Implementing GUIs Modern GUI (present) Desktop

Modern GUI Systems Beyond X Windows 1 CS 349 - Implementing GUIs Modern GUI (present) Desktop (WIMP) T ablet (T ouch/Pen) Hybrids Smartphones (WIMP+T ouch (T ouch) +Pen) CS 349 - Implementing GUIs 3 Is X Windows still applicable?

674 views • 34 slides
Modern SQL: Evolution of a dinosaur Markus Winand Krakw, 9-11 May 2018 Still using Windows

Modern SQL: Evolution of a dinosaur Markus Winand Krakw, 9-11 May 2018 Still using Windows

Modern SQL: Evolution of a dinosaur Markus Winand Krakw, 9-11 May 2018 Still using Windows 3.1? So why stick with SQL-92? @ModernSQL - https://modern-sql.com/ @MarkusWinand SQL:1999 WITH (Common Table Expressions) WITH (non-recursive)

1.33k views • 120 slides
Mastering Windows Presentation Foundation: Master the art of building modern desktop applications

Mastering Windows Presentation Foundation: Master the art of building modern desktop applications

Mastering Windows Presentation Foundation: Master the art of building modern desktop applications on Windows by Sheridan Yuen book Ebook Mastering Windows Presentation Foundation: Master the art of building modern desktop applications on Windows

680 views • 3 slides
Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN

Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN

Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN Computer Security Team EGI Technical Forum 2011, Lyon, France Outline Rootkits: Introduction Linux rootkits History Detection and monitoring

423 views • 26 slides
Windows 3.1? So why stick with SQL-92? @ModernSQL - https://modern-sql.com/ @MarkusWinand

Windows 3.1? So why stick with SQL-92? @ModernSQL - https://modern-sql.com/ @MarkusWinand

Still using Windows 3.1? So why stick with SQL-92? @ModernSQL - https://modern-sql.com/ @MarkusWinand SQL:1999 WITH (Common Table Expressions) WITH (non-recursive) The Problem Nested queries are hard to read: SELECT FROM (SELECT

1.93k views • 167 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Windows Presentation Foundation: What, Why and When A. WHY WPF : WPF is framework to build

Windows Presentation Foundation: What, Why and When A. WHY WPF : WPF is framework to build

Windows Presentation Foundation: What, Why and When A. WHY WPF : WPF is framework to build application for windows. It is designed for .NET influenced by modern display technologies like HTML and Flash and hardware acceleration. D ont take WPF

292 views • 7 slides
Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Dealing with Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com Utrecht, 19 March 2016 Agenda Today 1. How do they get in 2. Why? 3. Malware types 4. In-depth: rootkits 5. Defenses 2

546 views • 35 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Demystifying Benchmarks How to Use Them to Better Evaluate Databases Peter Friedenbach,

Demystifying Benchmarks How to Use Them to Better Evaluate Databases Peter Friedenbach,

Flexible transactional scale for the connected world. Demystifying Benchmarks How to Use Them to Better Evaluate Databases Peter Friedenbach, Performance Architect | Clustrix Demystifying Benchmarks Outline A Brief History of Database

591 views • 20 slides
-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too seriously, I fuzz the Human brain! The capitalist "pig" degrees: Economics & MBA. Worked for the evil banking system! Security

833 views • 80 slides
-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics & MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides
Reverse Engineering Windows AFD.sys Steven Vittitoe @bool101 bool@google.com Outline Why

Reverse Engineering Windows AFD.sys Steven Vittitoe @bool101 bool@google.com Outline Why

Reverse Engineering Windows AFD.sys Steven Vittitoe @bool101 bool@google.com Outline Why AFD.sys Winsock overview Interesting findings Input to AFD.sys Analysis Fuzzing Future What is AFD.sys? Default

568 views • 19 slides
Predictors of AfD party success in the 2017 Predictors of AfD party success in the 2017 elections

Predictors of AfD party success in the 2017 Predictors of AfD party success in the 2017 elections

18.3.2019 Predictors of AfD party success in the 2017 elections Predictors of AfD party success in the 2017 Predictors of AfD party success in the 2017 elections elections A Bayesian modeling approach A Bayesian modeling approach Sebastian

589 views • 30 slides
Earnings Conference Call February 23th, 2018 Forward-Looking Statement The information herein

Earnings Conference Call February 23th, 2018 Forward-Looking Statement The information herein

Fourth Quarter and Full 2017 Earnings Conference Call February 23th, 2018 Forward-Looking Statement The information herein contained (Information) has been prepared by Grupo Herdez, S.A.B. de C.V., its associates, subsidiaries and/or

256 views • 10 slides
Ja Janm nm tam am Celebrating 5246 th birthday of Lor ord d K a 24th August

Ja Janm nm tam am Celebrating 5246 th birthday of Lor ord d K a 24th August

Ja Janm nm tam am Celebrating 5246 th birthday of Lor ord d K a 24th August 2019 Janmtam Celebrating 5246th Birth Anniversary of r Ka 24 24 th th August t 2019 19 Ka Vande Jagad-gurum

582 views • 25 slides
Data science for business Sebastian Sauer

Data science for business Sebastian Sauer

10.5.2019 Data science for business Data science for business Sebastian Sauer file:///Users/sebastiansaueruser/Documents/Publikationen/blog_ses/data_se/public/slides/data-science-business/intro-data-science-talk-2019-05-14.html#31 1/27

302 views • 27 slides
Classifying conges.on in Ark measurements Steven Bauer MIT

Classifying conges.on in Ark measurements Steven Bauer MIT

Classifying conges.on in Ark measurements Steven Bauer MIT March 31, 2015 How Ark (and the Ark community) could further my research We should

331 views • 19 slides
Mission Operations HONR 269i To the Moon and Back: The Apollo Program The Vital Link The

Mission Operations HONR 269i To the Moon and Back: The Apollo Program The Vital Link The

Mission Operations HONR 269i To the Moon and Back: The Apollo Program The Vital Link The Trench Booster (3) RETRO FIDO GUIDO Surgeon CAPCOM EECOM CNC TELMU Control INCO Procedures AFD Flight FAO Network Flight Mission

727 views • 27 slides
MDBs in the Green Finance Ecosystem: how development finance institutions and the public and

MDBs in the Green Finance Ecosystem: how development finance institutions and the public and

MDBs in the Green Finance Ecosystem: how development finance institutions and the public and private sectors work together to meet green finance goals Sixth Annual Green Bank Congress Rethinking development finance for climate 2018 Green Bank

748 views • 30 slides

More recommend