BLACK HAT WINDOWS 2000 SECURITY
Structure of NT System Module
A driver can register multiple 'Device Objects'
Filtering data using device-chains
Many techniques require no device objects at all
Hooking System-Calls in the Syscall Table
Placing the System Call Hook
Hiding Files and Directories
Hiding Processes, Threads, and Drivers via 'snip'
Hooking Software Interrupts
Registering a Network Sniffer
Making it so that the driver cannot be unloaded
What needs to be done to support dynamic unloading
A bit better driver query
Watch for memory reads that would reveal the rootkit (e.g. reads through \Device\PhysicalMemory, etc.)
Hide or redirect file-access to the SYS file
Runtime Kernel Patching
Search Memory for Process Structures and Alter the Security Descriptor
Altering code: hot-patching code addresses
Make a function-call do nothing, simple RET patch
Loading a Module via kmem
Write code into leftover space around a page boundary, or into an unused section within the PE file
Kernel Buffer-Overflows
Exception handling: graceful shutdown or disabling of the driver
Harder for drivers that have outstanding callbacks (IRP completion routines, other drivers, etc.)
Integrity Check Modules
Load Protection with a Password
Intercept LoadModule and log the names (audit)
Kernel-space 'Virus'-scanning
Watch the SYSCALL tables
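The two syllabus items "Make a function-call do nothing, simple RET patch" and "Watch the SYSCALL tables" are two sides of the same technique: overwrite the first bytes at a code address, and detect that someone did. The following is an added example written for this page, not course material: a user-mode Linux analog in C (the course's own material is Windows 2000 kernel code). The function `audit_event`, the helper names `write_code` / `watch_init` / `watch_tampered`, and the flag variable are assumptions made for the demo. It assumes x86-64 or AArch64, where a bare `ret` is `0xC3` or `0xD65F03C0` respectively, and that `mprotect` may grant RWX on the text segment.

```c
/* Added example, not from the Black Hat course: user-mode analog of a RET
 * hot-patch and of an integrity watcher over code addresses.
 * Assumes Linux on x86-64 or AArch64. All names below are demo assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The function we patch. It sets a flag so we can observe whether its body ran.
 * volatile forces the compiler to actually re-read the flag after each call. */
static volatile int g_audit_flag = 0;

__attribute__((noinline)) static void audit_event(void)
{
    g_audit_flag = 1;
}

/* Encoding of a bare "ret" on the supported architectures (little-endian bytes). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_BYTES[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_BYTES[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "unsupported architecture for this demo"
#endif

/* Overwrite code bytes at addr: make the page(s) writable, copy, restore RX.
 * PROT_EXEC is kept during the write because this function may share a page
 * with the target. Returns 0 on success, -1 on failure. */
static int write_code(void *addr, const void *bytes, size_t len)
{
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end   = ((uintptr_t)addr + len + page - 1) & ~(page - 1);

    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(addr, bytes, len);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_EXEC) != 0)
        return -1;
    __builtin___clear_cache((char *)addr, (char *)addr + len);  /* needed on AArch64 */
    return 0;
}

/* Integrity watcher: snapshot the first PROLOGUE_LEN bytes at a code address
 * and later compare. The kernel-side version does the same over the syscall
 * table entries and the prologues they point to. */
#define PROLOGUE_LEN 8
typedef struct { void *addr; unsigned char snap[PROLOGUE_LEN]; } watch_t;

static void watch_init(watch_t *w, void *addr)
{
    w->addr = addr;
    memcpy(w->snap, addr, PROLOGUE_LEN);
}

static int watch_tampered(const watch_t *w)
{
    return memcmp(w->snap, w->addr, PROLOGUE_LEN) != 0;
}

/* Runs the whole demo. Returns 1 if the RET patch silenced the call AND the
 * watcher caught it, 0 if either observation failed, -1 if mprotect failed. */
static int run_demo(void)
{
    void *target = (void *)(uintptr_t)audit_event;
    watch_t w;
    watch_init(&w, target);

    g_audit_flag = 0;
    audit_event();
    int before = g_audit_flag;          /* 1: body executed normally */
    int clean  = !watch_tampered(&w);   /* 1: prologue still matches snapshot */

    if (write_code(target, RET_BYTES, sizeof RET_BYTES) != 0)
        return -1;

    g_audit_flag = 0;
    audit_event();                      /* now returns on its first instruction */
    int after  = g_audit_flag;          /* 0: body never ran */
    int caught = watch_tampered(&w);    /* 1: first bytes changed */

    printf("before=%d after=%d clean=%d caught=%d\n", before, after, clean, caught);
    return (before == 1 && after == 0 && clean && caught) ? 1 : 0;
}

int main(void)
{
    return run_demo() == 1 ? 0 : 1;
}
```

Compile with `gcc -O2 patch.c -o patch && ./patch`; it prints `before=1 after=0 clean=1 caught=1`. The watcher only stores the first 8 bytes, which is enough for a RET patch or an inline JMP hook but not for a hook that swaps the table entry to point elsewhere; a real "watch the SYSCALL tables" module snapshots both the table contents and the prologues of every target.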
Taught by
Black Hat