[2007 CodeEngn Conference 01] dual5651 - Windows Kernel-Level Hooking


Published on

2007 CodeEngn Conference 01

Under the theme "Hook the Planet", an overall explanation of hooking at the Windows kernel level.

http://codeengn.com/conference/01

Published in: Technology
Transcript of "[2007 CodeEngn Conference 01] dual5651 - Windows Kernel-Level Hooking"

  1. Hook the Planet. Sammuel koo (dual5651@hotmail.com), Null @ Root. July 21, 2007, www.CodeEngn.com
  2. 1) What is a kernel hook used for?
     2) Get into Ring0!
     3) Review
     4) Hook the planet!
     5) Hook me, if you can!
     6) ?
  3. 1) Kernel hooks are global (relatively speaking).
     2) Rootkit, protection and detection software all live in Ring Zero.
     3) By using kernel hooks, we can study the behavior of the system.
     4) By using kernel hooks, we can get performance data for specific tasks and generate statistics.
  4. How to make code run in Ring0?
     - Call gate: CPL changes from 3 to 0
     - Software interrupt: API call, exception, ...
     - Device driver: this means a kernel-mode driver, not a user-mode driver, because kernel-mode drivers run at level 0, while user-mode drivers run at level 3.
  5. □ The code of an exe file is located in paged memory; in contrast, the code of a sys file is located in non-paged memory.
     □ Both exe files and sys files have the PE (Portable Executable) file format.
     □ The DPL of CS in a sys file is 0, while the DPL of CS in an exe file is 3. This means the CS of a sys file can access all instructions and memory, whereas the CS of an exe file has limited access rights.
     Header of 1stDriver.sys: / Header of cmd.exe: (screenshots)
  6. 1. Compile C code with the DDK   2. Assemble asm code with KmdKit
  7. You can link the DDK to Visual Studio. If you use Visual Studio .NET as the IDE, you can do it this way:
     1. Download ddkbuild.bat from http://www.hollistech.com/Resources/ddkbuild/ddkbuild.htm
     2. Copy it to c:\progra~\microsoft visu~\vc7\bin
     3. Edit ddkbuild.bat: set WNETBASE=C:\WinDDK (the directory where the DDK is installed)
     4. Making the project:
        1. Select a makefile project.
        2. Build command line: ddkbuild -WNET checked .
        3. Output / clean command: skip
        4. Build command line: ddkbuild -WNET checked . -cZ
  8. If you use Visual Studio 6.0 as the IDE, you can do it this way:
     1) Download easysys from this URL: http://sourceforge.net/projects/easysys/
     2) Easysys: it's so easy!!
  9. Simple device driver: (source listing)
  10. 1. Using the SCM API
         1) When a driver is loaded using the SCM, it is non-pageable. This means your callback functions, IRP-handling functions, and other important code will not vanish from memory.
         2) You can select the start mode of the driver:
            SERVICE_BOOT_START (0x0): the driver is loaded by the system loader.
            SERVICE_SYSTEM_START (0x1): the driver is loaded when IoInitSystem is called.
            SERVICE_AUTO_START (0x2): loaded by the SCM.
            SERVICE_DEMAND_START (0x3): loaded by calling the StartService() API.
            SERVICE_DISABLED (0x4): the driver cannot be loaded.
      2. Using an undocumented API
         Pro: by using this way, you can load a driver into the kernel without having to create a registry key.
         Con: 1) The problem with this approach is that the driver will be pageable. Sometimes, when memory is paged out, it cannot be accessed; this causes a BSOD (Blue Screen Of Death) and a system crash. 2) Once it is loaded, it cannot be unloaded until reboot.
  11. I/O Request Packets (IRP)
      □ Communicate by IRP
      □ Communicate by IRP & UserMDL
      □ Communicate by IRP & Event
      (Diagram: the UserMDL path sends a "create UserMDL" request (IRP), returns the address of the UserMDL and then communicates through it; the event path creates a named event and registers it, the driver signals the event and the application resets it.)
  12. (image-only slide)
  13. 1) KPCR (Kernel's Processor Control Region)
      2) EPROCESS (Executable Process)
      3) TEB (Thread Environment Block)
      4) ETHREAD (Executable Thread)
  14. (Diagram of the KERNEL ADDRESS SPACE 2G (0x80000000 ~ 0xFFFFFFFF): KPCR and KPRCB; an EPROCESS with its KPROCESS (PCB), ThreadListHead linking the ETHREAD/KTHREAD pairs, ActiveProcessLinks to the EPROCESS of another process, the handle table (ObjectTable), VadRoot with its VADs, and the SDT ServiceTable.)
  15. In kernel level, FS:0 = KPCR = 0xFFDFF000. KPCR (Kernel's Processor Control Region) (structure dump)
  16. (image-only slide)
  17. □ In the Windows kernel, each process is represented as an EPROCESS in kernel memory.
      □ The list of active processes is obtained by traversing a doubly linked list referenced in the EPROCESS structure of each process.
      □ We can reach the EPROCESS through CurrentThread of the KPRCB structure.
      □ The Windows scheduling algorithm does not operate at the process level.
  18. ETHREAD: / KTHREAD: (structure dumps)
  19. (Diagram of the USER ADDRESS SPACE 2G (0x00000000 ~ 0x7FFFFFFF): the TEB (0x7FFDE000) with its TIB, PEB_LDR_DATA with an LDR_MODULE entry per loaded DLL, the process image, stack and heap; ranges 0x00000000 ~ 0x3FFFFFFF and 0x40000000 ~ 0x7FFFFFFF.)
  20. TEB (Thread Environment Block). In user level, FS:0 = TEB = 0x7ffde000 (1st process).
      □ User-mode applications can access this structure directly.
      □ The GetCurrentProcessId() function uses this structure to get the PID.
      □ We can get the PEB address from this structure.
  21. PEB (Process Environment Block)
      □ User-mode applications can access this structure directly.
      □ This structure holds the loaded module list.
      □ This structure holds the ProcessParameters information.
      □ The IsDebuggerPresent() function uses this structure.
  22. (image-only slide)
  23. 1) Win32 user-level API global hooking
      2) SSDT (System Service Dispatch Table) hooking
      3) IDT (Interrupt Descriptor Table) hooking
      4) One-byte hooking
      5) Blind hooking by using DRx
  24. Win32 user-level API global hooking
      Motivation
      □ Is there no way to do DLL injection without reading/writing process memory and the CreateRemoteThread() API?
      □ Is there no way to hook Win32 APIs globally?
  25. Concept
      □ In Windows, DLL memory and mapped memory are shared.
      □ If we can modify the memory of a DLL without a page fault (copy-on-write), the change is applied to all processes.
      □ If we get a chance to have our code executed by the victim process itself, we don't need CreateRemoteThread() anymore.
      □ In Windows, there is a region that gets mapped into every process address space; the name of this area is KUSER_SHARED_DATA.
  26. Process
      1. Get the EPROCESS of explorer.exe
      2. Attach to explorer.exe
      3. Get the PEB from the EPROCESS
      4. Find the kernel32.dll address from Ldr in the PEB.
      5. Find the IsDebuggerPresent() address from the IMAGE_EXPORT_DIRECTORY of kernel32.dll
      6. Modify the IsDebuggerPresent() code to jmp KUSER_SHARED_DATA+0x8 with the CR0 trick.
      7. Now just wait for a victim process to call IsDebuggerPresent()
  27. Original IsDebuggerPresent() code:
          MOV EAX,DWORD PTR FS:[18]
          MOV EAX,DWORD PTR DS:[EAX+30]
          MOVZX EAX,BYTE PTR DS:[EAX+2]
      Modified IsDebuggerPresent() code:
          MOV EAX,KUSER_SHARED_DATA+0x8
          JMP EAX
  28. PAYLOAD: DLL loading code:
          pushad
          pushfd
          push KSD + 0x8 + sizeof(DLL load code)
          call [KUSER_SHARED_DATA]
          popfd
          popad
          jmp [KUSER_SHARED_DATA+0x4]
  29. Demonstration
  30. SSDT (System Service Dispatch Table) hooking
      Motivation
      □ Is there no way to hook Native APIs as easily as an IAT hook?
      □ Is there no way to hook Native APIs globally?
  31. Concept
      □ The addresses of the native system services are listed in the SSDT.
      □ KeServiceDescriptorTable is exported by ntoskrnl.exe.
      □ Windows XP and later versions of the OS make the SSDT read-only, but we can bypass this protection with the CR0 trick or an MDL.
      □ We can get the index number of the Native API that we want to hook from ntdll.dll.
  32. Process
      1. Build a function that has the same prototype as the Native API to hook.
      2. Get the index number of the Native API.
      3. Get the address of the SSDT by referencing KeServiceDescriptorTable.
      4. Make the SSDT memory area writable.
      5. KeServiceDescriptorTable->ServiceTableBase[index] = HookFunction;
  33. □ KeServiceDescriptorTable is a table exported by the kernel; it contains the core system services implemented in ntoskrnl.exe.
      □ There is another table in the Windows kernel, called KeServiceDescriptorTableShadow, that contains the addresses of the USER & GDI services implemented in win32k.sys. This table is not exported.
      □ The ServiceTable pointer of ETHREAD does not always have the same value as KSDT.
  34. (image-only slide)
  35. □ A system service dispatch is triggered when an INT 2E or SYSENTER instruction is executed.
      □ Versions up to Windows 2000 use INT 2E for service dispatch; Windows XP and later use SYSENTER.
      □ Normally, a system call from user level goes through ntdll.dll, but a direct system call is possible.
      □ In Windows XP, we can use the INT 2E instruction.
      □ The system call number is contained in the EAX register.
  36. What is the CR0 trick?
      □ The WP bit controls whether the processor will allow writes to memory pages marked as read-only.
      □ Setting WP (Write Protection) to zero disables memory protection.
  37. What is the MDL?
      MDL (Memory Descriptor List):
      1) Create the memory in our domain: MmCreateMdl()
      2) Build the MDL for the non-paged pool: MmBuildMdlForNonPagedPool()
      3) Change the flags of the MDL: MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA
      4) Lock that page: MmMapLockedPages()
  38. How to get the index number?
      ZwWriteFile in ntdll.dll: / InvalidateRect in user32.dll: (disassembly)
  39. Demonstration
  40. IDT (Interrupt Descriptor Table) hooking
      Motivation
      □ The IDT is used to handle interrupts, so there are many tasty things there.
      □ IDT hooking is more powerful than SDT hooking.
  41. Concept
      □ We can use the sidt and lidt instructions to get and save IDT information.
  42. □ Handler Address = MAKELONG(LowOffset, HiOffset);
      □ If the DPL value of the gate is 3, it can be called from both user and kernel level.
      □ There are 3 types of gate:
         - Interrupt Gate (X 1 1 0)
         - Trap Gate (X 1 1 1)
         - Task Gate (0 1 0 1)
  43. □ The SIDT instruction is used to find the IDT in memory; it returns the address of the IDTINFO structure. The LIDT instruction is used to write information back into the IDT register.
      □ The IDT specifies how to process interrupts such as those fired when a key is pressed or when a page fault occurs.
      □ The total number of IDT gates is 256.
  44. Selector:
          #define KGDT_NULL 0
          #define KGDT_R0_CODE 8
          #define KGDT_R0_DATA 16
          #define KGDT_R3_CODE 24
          #define KGDT_R3_DATA 32
          #define KGDT_TSS 40
          #define KGDT_R0_PCR 48
          #define KGDT_R3_TEB 56
          #define KGDT_VDM_TILE 64
          #define KGDT_LDT 72
          #define KGDT_DF_TSS 80
          #define KGDT_NMI_TSS 88
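Decoding a gate the way slides 42 to 44 describe, as an added example that is not part of the deck: the 8-byte descriptor is unpacked into MAKELONG(LowOffset, HiOffset), selector, DPL and gate type, and a check flags a present gate whose handler lies outside the ntoskrnl image or whose selector is not KGDT_R0_CODE, which is the footprint an IDT hook leaves behind. The two descriptors and the ntoskrnl base and size are constructed values, not taken from a real machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One 32-bit IDT gate descriptor as stored in the table (8 bytes, little-endian). */
typedef struct {
    uint16_t LowOffset;   /* handler bits 0..15 */
    uint16_t Selector;    /* code segment selector; KGDT_R0_CODE (8) for kernel handlers */
    uint8_t  Unused;
    uint8_t  Access;      /* bit 7: Present, bits 5-6: DPL, bits 0-3: gate type */
    uint16_t HiOffset;    /* handler bits 16..31 */
} IdtGate;

#define MAKELONG(lo, hi) ((uint32_t)(uint16_t)(lo) | ((uint32_t)(uint16_t)(hi) << 16))
#define KGDT_R0_CODE 8

typedef struct {
    uint32_t handler;
    uint16_t selector;
    unsigned present, dpl, type;
    const char *type_name;
} GateInfo;

/* Decode one gate from its raw 8 bytes. */
GateInfo decode_gate(const uint8_t raw[8]) {
    IdtGate g;
    GateInfo info;
    memcpy(&g, raw, sizeof g);
    info.handler  = MAKELONG(g.LowOffset, g.HiOffset);
    info.selector = g.Selector;
    info.present  = (g.Access >> 7) & 1;
    info.dpl      = (g.Access >> 5) & 3;
    info.type     = g.Access & 0x0F;
    switch (info.type) {            /* low nibble; bit 3 set means a 32-bit gate */
    case 0xE: info.type_name = "Interrupt Gate"; break;   /* slide: X 1 1 0 */
    case 0xF: info.type_name = "Trap Gate";      break;   /* slide: X 1 1 1 */
    case 0x5: info.type_name = "Task Gate";      break;   /* slide: 0 1 0 1 */
    default:  info.type_name = "Other";          break;
    }
    return info;
}

/* Detection check: a present interrupt/trap gate whose handler is outside the
 * ntoskrnl image, or that uses a selector other than KGDT_R0_CODE, is what an
 * IDT hook installed by a third-party driver looks like. */
int gate_is_suspicious(GateInfo g, uint32_t ntos_base, uint32_t ntos_size) {
    if (!g.present || g.type == 0x5) return 0;   /* task gates carry a TSS selector, no offset */
    if (g.selector != KGDT_R0_CODE) return 1;
    return (g.handler < ntos_base || g.handler - ntos_base >= ntos_size) ? 1 : 0;
}

/* Constructed samples: a clean INT 0x2E style gate (DPL 3, handler inside a
 * pretend ntoskrnl at 0x804D7000..0x806CEFFF) and the same gate redirected to
 * a pretend driver address. */
static const uint32_t NTOS_BASE = 0x804D7000u, NTOS_SIZE = 0x001F8000u;
static const uint8_t CLEAN_GATE[8]  = {0xA0, 0xB4, 0x08, 0x00, 0x00, 0xEE, 0x53, 0x80};
static const uint8_t HOOKED_GATE[8] = {0x00, 0xB0, 0x08, 0x00, 0x00, 0xEE, 0xA1, 0xF8};

int main(void) {
    const uint8_t *gates[2] = { CLEAN_GATE, HOOKED_GATE };
    for (int i = 0; i < 2; i++) {
        GateInfo g = decode_gate(gates[i]);
        printf("handler=%08lX selector=%u DPL=%u %s%s\n", (unsigned long)g.handler,
               g.selector, g.dpl, g.type_name,
               gate_is_suspicious(g, NTOS_BASE, NTOS_SIZE) ? "  <-- outside ntoskrnl" : "");
    }
    return 0;
}
```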
  45. There are so many interrupts: (table of interrupt vectors)
  46. Demonstration
  47. One-byte hooking
      Motivation
      □ I'm too lazy a person to restore the original code of a hooked function :)
      □ Inline hooking is so static.
  48. Concept
      □ Some functions in Windows XP and later versions of the OS begin with a MOV EDI,EDI instruction.
      □ MOV EDI,EDI has no effect on the code flow.
      □ MOV EDI,EDI (=0x8B,0xFF) -> INT 0xFF (=0xCD,0xFF)
      □ We can set a handler at INT 0xFF manually.
  49. Process
      1. Get the address of the function.
      2. Hook the IDT (INT 0xFF) for all processors.
      3. Make the memory region of the function to hook writable.
      4. Overwrite MOV EDI,EDI with 0xCD, the int opcode, making it INT 0xFF.
  50. Demonstration
  51. Blind hooking by using DRx
      Motivation
      □ I want to hook a function without memory or table patching.
      □ Is there no way to hook dynamically?
  52. Concept
      □ We can use DR0 ~ DR3 to set the addresses to hook.
      □ We can set a handler at INT 0x01 (Debug Exception).
  53. Process
      1. Get the address of the function.
      2. Hook the IDT (INT 0x01) for all processors.
      3. Set the addresses in DR0 ~ DR3.
      4. Set the hook type (E/W/RW) in DR7.
  54. typedef struct tagDebugReg7 {
          unsigned L0 :1;
          unsigned G0 :1;
          unsigned L1 :1;
          unsigned G1 :1;
          unsigned L2 :1;
          unsigned G2 :1;
          unsigned L3 :1;
          unsigned G3 :1;
          unsigned GL :1;
          unsigned GE :1;
          unsigned undefined1 :3; // 001
          unsigned GD :1;
          unsigned undefined2 :2; // 00
          unsigned RW0 :2;
          unsigned LEN0 :2;
          unsigned RW1 :2;
          unsigned LEN1 :2;
          unsigned RW2 :2;
          unsigned LEN2 :2;
          unsigned RW3 :2;
          unsigned LEN3 :2;
      } DebugReg7;
      DR0: address 1, DR1: address 2, DR2: address 3, DR3: address 4
  55. Lx? Gx? GD?
      RWx? 00 (execute), 01 (write), 11 (read & write).
      LENx? 00 (byte), 01 (word), 11 (dword).
  56. typedef struct DebugReg6 {
          unsigned B0 :1;
          unsigned B1 :1;
          unsigned B2 :1;
          unsigned B3 :1;
          unsigned undefined1 :9;
          unsigned BD :1;
          unsigned BS :1;
          unsigned BT :1;
          unsigned undefined2 :16;
      } DebugReg6;
      B0 ~ B3: set when interrupt 1 occurred because of DR0 ~ DR3.
      BD: set when interrupt 1 occurred because of the GD bit.
      BS: set when interrupt 1 occurred because of the TF bit.
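Reading DR7 and DR6 with the layouts from slides 54 to 56, as an added example (not the speaker's code): it unpacks each slot's enable, RW and LEN fields, counts enabled slots that target kernel addresses, which is the only trace a DRx "blind hook" leaves since neither code nor a table is patched, and maps a DR6 value to the cause of the INT 0x01. The register values are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (the DebugReg7 bitfield from the slide, expressed as shifts):
 *   bit 2*i   = L<i>  local enable for slot i (i = 0..3)
 *   bit 2*i+1 = G<i>  global enable for slot i
 *   bit 13    = GD    general detect: trap any MOV to/from DR0..DR7
 *   bits 16+4*i..17+4*i = RW<i>, bits 18+4*i..19+4*i = LEN<i>
 * RW: 00 execute, 01 write, 11 read & write; LEN: 00 byte, 01 word, 11 dword. */
typedef struct {
    int      enabled;   /* L<i> or G<i> set */
    unsigned rw, len;   /* raw 2-bit fields */
    uint32_t address;   /* DR<i> */
} DrSlot;

DrSlot dr7_slot(uint32_t dr7, const uint32_t dr[4], unsigned i) {
    DrSlot s;
    s.enabled = ((dr7 >> (2 * i)) & 3) != 0;
    s.rw      = (dr7 >> (16 + 4 * i)) & 3;
    s.len     = (dr7 >> (18 + 4 * i)) & 3;
    s.address = dr[i];
    return s;
}

const char *rw_name(unsigned rw) {
    return rw == 0 ? "execute" : rw == 1 ? "write" : rw == 3 ? "read & write" : "I/O";
}
/* LEN 10 means 8 bytes and is only defined on 64-bit processors. */
unsigned len_bytes(unsigned len) { return len == 0 ? 1 : len == 1 ? 2 : len == 3 ? 4 : 8; }

/* Detection view of "blind hooking": with no kernel debugger attached, an
 * enabled slot whose address is in the kernel half (>= 0x80000000 with the
 * default 2G/2G split) is a hardware hook that patched neither code nor table. */
int count_kernel_breakpoints(uint32_t dr7, const uint32_t dr[4]) {
    int n = 0;
    for (unsigned i = 0; i < 4; i++) {
        DrSlot s = dr7_slot(dr7, dr, i);
        if (s.enabled && s.address >= 0x80000000u) n++;
    }
    return n;
}

/* DR6 (DebugReg6 on the slide): B0..B3 = bits 0..3, BD = bit 13, BS = bit 14.
 * Returns the slot 0..3 that fired, -1 for BD (GD bit), -2 for BS (TF bit),
 * -3 if no recognised cause is set. */
int dr6_cause(uint32_t dr6) {
    for (int i = 0; i < 4; i++)
        if (dr6 & (1u << i)) return i;
    if (dr6 & (1u << 13)) return -1;
    if (dr6 & (1u << 14)) return -2;
    return -3;
}

/* Constructed sample: slot 0 = execute breakpoint on a pretend kernel function,
 * slot 2 = dword write watch on the first TEB; bit 10 of DR7 is reserved-as-1. */
static const uint32_t SAMPLE_DR7 = 0x0D000411u;
static const uint32_t SAMPLE_DR[4] = { 0x805E3A20u, 0, 0x7FFDE000u, 0 };

int main(void) {
    for (unsigned i = 0; i < 4; i++) {
        DrSlot s = dr7_slot(SAMPLE_DR7, SAMPLE_DR, i);
        if (s.enabled)
            printf("DR%u: %08lX %s, %u byte(s)\n", i, (unsigned long)s.address,
                   rw_name(s.rw), len_bytes(s.len));
    }
    printf("kernel-space hardware breakpoints: %d\n",
           count_kernel_breakpoints(SAMPLE_DR7, SAMPLE_DR));
    printf("DR6=0x4000 cause: %d (BS, single-step)\n", dr6_cause(0x4000u));
    return 0;
}
```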
  57. Demonstration
  58. (image-only slide)
  59. 1) SDT restore
      2) SDT relocation
      3) KiFastCallEntry imitation
      4) Bypassing the sysenter hook
  60. SDT restore
      Motivation
      □ I want to be free from SDT hooking!
      □ Is there no way to restore the SDT?
  61. Concept
      □ We can write to kernel memory from user space by writing directly to \Device\PhysicalMemory.
      □ We can get an original copy of the ServiceTable by loading ntoskrnl.exe into memory.
  62. Process
      1. Use NtOpenSection to get a handle to \Device\PhysicalMemory with SECTION_MAP_READ | SECTION_MAP_WRITE access.
      2. Load ntoskrnl.exe into memory.
      3. Use NtMapViewOfSection to map in the physical memory page.
      4. Get the address of the ServiceTable from the page.
      5. Use the address of the ServiceTable to offset into the loaded ntoskrnl.exe.
      6. Compare the copy in kernel memory with the copy in the loaded ntoskrnl.exe.
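The comparison in step 6, together with the restore that the SSDT hook of slide 32 makes necessary, as an added example that is not the deck's code: the table recovered from the loaded ntoskrnl.exe is shifted by the difference between the kernel's load address and the checker's load address, then diffed entry by entry against the live table, and an entry that differs or points outside the kernel image is reported as hooked. Here the "live" table is an ordinary array standing in for the view of \Device\PhysicalMemory; all addresses and table contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t index, current, original; } SsdtMismatch;

/* Compare the live ServiceTable against the copy from ntoskrnl.exe, which was
 * relocated for wherever the checker loaded it (loaded_base). Returns the
 * number of entries that differ or point outside the kernel image. */
int ssdt_compare(const uint32_t *live, const uint32_t *from_file, uint32_t count,
                 uint32_t kernel_base, uint32_t loaded_base, uint32_t image_size,
                 SsdtMismatch *out, int out_max) {
    uint32_t delta = kernel_base - loaded_base;   /* wraparound is intended */
    int n = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t expected = from_file[i] + delta;
        int outside = live[i] < kernel_base || live[i] - kernel_base >= image_size;
        if (live[i] != expected || outside) {
            if (n < out_max) {
                out[n].index = i; out[n].current = live[i]; out[n].original = expected;
            }
            n++;
        }
    }
    return n;
}

/* Restore: write the expected entries back; returns how many were changed. */
int ssdt_restore(uint32_t *live, const uint32_t *from_file, uint32_t count,
                 uint32_t kernel_base, uint32_t loaded_base) {
    uint32_t delta = kernel_base - loaded_base;
    int changed = 0;
    for (uint32_t i = 0; i < count; i++)
        if (live[i] != from_file[i] + delta) { live[i] = from_file[i] + delta; changed++; }
    return changed;
}

/* Constructed sample (not real tables): three entries, index 1 redirected to a
 * pretend driver at 0xF8A1B3C0. The pretend ntoskrnl sits at 0x804D7000 in the
 * kernel and was loaded at 0x10000000 by the checker. */
enum { N_ENTRIES = 3 };
static const uint32_t KERNEL_BASE = 0x804D7000u, LOADED_BASE = 0x10000000u, IMAGE_SIZE = 0x001F8000u;
static const uint32_t FROM_FILE[N_ENTRIES]   = { 0x1005E3A0u, 0x100A1B20u, 0x1012C400u };
static const uint32_t LIVE_HOOKED[N_ENTRIES] = { 0x805353A0u, 0xF8A1B3C0u, 0x80603400u };

int demo_hooked_count(void) {
    SsdtMismatch m[N_ENTRIES];
    return ssdt_compare(LIVE_HOOKED, FROM_FILE, N_ENTRIES, KERNEL_BASE, LOADED_BASE, IMAGE_SIZE, m, N_ENTRIES);
}
uint32_t demo_hooked_index(void) {
    SsdtMismatch m[N_ENTRIES];
    ssdt_compare(LIVE_HOOKED, FROM_FILE, N_ENTRIES, KERNEL_BASE, LOADED_BASE, IMAGE_SIZE, m, N_ENTRIES);
    return m[0].index;
}
int demo_after_restore(void) {
    uint32_t live[N_ENTRIES];
    SsdtMismatch m[N_ENTRIES];
    memcpy(live, LIVE_HOOKED, sizeof live);
    ssdt_restore(live, FROM_FILE, N_ENTRIES, KERNEL_BASE, LOADED_BASE);
    return ssdt_compare(live, FROM_FILE, N_ENTRIES, KERNEL_BASE, LOADED_BASE, IMAGE_SIZE, m, N_ENTRIES);
}

int main(void) {
    SsdtMismatch m[N_ENTRIES];
    int n = ssdt_compare(LIVE_HOOKED, FROM_FILE, N_ENTRIES, KERNEL_BASE, LOADED_BASE, IMAGE_SIZE, m, N_ENTRIES);
    for (int i = 0; i < n; i++)
        printf("service %lu: %08lX should be %08lX\n", (unsigned long)m[i].index,
               (unsigned long)m[i].current, (unsigned long)m[i].original);
    printf("entries hooked: %d, after restore: %d\n", n, demo_after_restore());
    return 0;
}
```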
  63. Demonstration
  64. SDT relocation
      Motivation
      □ How about changing the SDT to a new one?
      □ Is there no way to make an SDT hook local?
  65. Concept
      □ Windows doesn't use KeServiceDescriptorTable to get the address of the ServiceTable. Actually, Windows uses ETHREAD->ServiceTable to get the address of the ServiceTable.
      □ When a new thread is created, we can find out by using PsSetCreateThreadNotifyRoutine().
  66. Process
      1. Copy the ServiceTable from ntoskrnl.exe
      2. Trace the threads of the selected process, and make a NewSDT for each thread.
      3. Register PsSetCreateThreadNotifyRoutine()
  67. (Diagram: every thread of Process A and Process B points at KeServiceDescriptorTable in ntoskrnl.exe and KeServiceDescriptorTableShadow in win32k.sys.)
  68. (Diagram: as before, but the threads of Process A now point at New SDT copies provided by MyDriver.sys.)
  69. □ When a user thread is created, ETHREAD->ServiceTable of that user thread does not have KeServiceDescriptorTableShadow. What is the problem? Where does the problem come from?
      □ This problem is caused by PsConvertToGuiThread(), which is called by KiFastCallEntry().
  70. PsConvertToGuiThread(): (disassembly)
  71. Demonstration
  72. KiFastCallEntry imitation
      Motivation
      □ Is there no way to bypass SDT hooking by hooking?
      □ Is there no way to handle syscalls by myself?
  73. Concept
      □ The SYSENTER instruction passes control to the address specified in one of the Model-Specific Registers (MSRs). The name of this register is IA32_SYSENTER_EIP. We can read and write this register using the RDMSR and WRMSR instructions.
  74. Process
      1. Copy KeServiceDescriptorTable from ntoskrnl.exe, and copy KeServiceDescriptorTableShadow from win32k.sys
      2. Change IA32_SYSENTER_EIP for all processors.
      3. Handle the system calls :)
  75. How can we do it?
  76. What is the thing that I did?
  77. Demonstration
  78. Bypassing the sysenter hook
      Motivation
      □ Is there no way to bypass a sysenter hook?
      □ Is there another way to bypass an SDT hook?
  79. Concept
      □ In Windows XP, by default, Windows uses sysenter to handle system calls, but using int 0x2e is possible.
      □ We can modify the code of KiFastSystemCall() in ntdll.dll by using the Win32 user-level API global hook.
  80. Process
      1. Hook the IDT (INT 0x2E) for all processors.
      2. Modify the code of KiFastSystemCall()
      3. Handle the system calls :)
  81. Before: / After: (disassembly)
  82. How can we do it?
  83. (image-only slide)
  84. What is the thing that I did?
  85. ? http://dualpage.muz.ro