YouTube

Kernel Mode Rootkits

Black Hat via YouTube

Overview

Explore kernel mode rootkits in Windows 2000 through this Black Hat conference talk. Delve into advanced techniques for manipulating the Windows kernel, including hooking system calls, hiding files and processes, and runtime kernel patching. Learn about driver structure, device objects, and filtering data using device chains. Discover methods for registering network sniffers, altering security descriptors, and implementing load protection. Gain insights into kernel buffer overflows, exception handling, and kernel-space virus scanning. Understand the challenges of dynamic unloading and strategies for maintaining rootkit persistence.

Syllabus

Intro
BLACK HAT WINDOWS 2000 SECURITY
Structure of NT System Module
A Driver can register multiple 'Device Objects'
Filtering data using device-chains
Many techniques: No Devices Required
Hooking System-Calls in the Syscall Table
Placing the System Call Hook
Hiding Files and Directories
Hiding Processes, Threads, and Drivers via 'snip'
Hooking Software Interrupts
Registering a Network Sniffer
Making it so that the driver cannot be unloaded
What needs to be done to support dynamic unloading
A bit-better driver query
Watch for memory reads that would reveal the rootkit dev/physmem, etc.
Hide or redirect file-access to the SYS file
Runtime Kernel Patching
Search Memory for Process Structures and Alter the Security Descriptor
Altering CODE Hot-Patching Code Addresses
Make a function-call do nothing, simple RET patch
Loading a Module via kmem
Write code into leftover space around page boundary or in unused section within PE file
Kernel Buffer-Overflows
Exception Handling or graceful shutdown or disabling of driver
Difficulty for drivers that have Callbacks to IRP completion routines, other drivers, etc.
Integrity Check Modules
Load Protection with a Password
Intercept LoadModule and log the names (audit)
Kernel-space 'Virus'-scanning
Watch the SYSCALL tables

Taught by

Black Hat
