Speaker note (Boot Configuration Data slide): the BCD stores the boot loader parameters; it was introduced in Windows Vista as a replacement for the boot.ini file, to conform with the UEFI specification, and it has the same physical layout as a registry hive.
Conducting forensic examination and analysis of rootkit programs, using Win32/Olmarik (TDL4) as an example
Aleksandr Matrosov
Eugene Rodionov

Who we are?
- malware researchers at ESET
- rootkit analysis
- developing cleaning tools
- tracking new rootkit techniques
- researching cybercrime groups
http://www.joineset.com/

Master-class plan
- Evolution of modern rootkits
- Installation stages on x86/x64
- Bootkit and bypassing the signature check
- Debugging the bootkit in the Bochs emulator
- Kernel-mode hooks
- Debugging with WinDbg
- TDL4 file system
- TdlFsReader as a forensic tool

Evolution of rootkits

Evolution of rootkit functionality (diagram: dropper in user mode and rootkit in kernel mode, on x86 and x64; labels: bypass HIPS and AV, self-defense, privilege escalation, surviving reboot, bypass signature check, install rootkit driver, injecting payload, bypass MS PatchGuard)
64-bit OS rootkit
- Kernel-Mode Code Signing Policy: it is difficult to load an unsigned kernel-mode driver
- Kernel-Mode Patch Protection (PatchGuard) protects:
  - SSDT (System Service Dispatch Table)
  - IDT (Interrupt Descriptor Table)
  - GDT (Global Descriptor Table)
  - MSRs (Model Specific Registers)

Evolution of TDL rootkits (diagram)

Installation x86/x64

Installation stages: exploit -> payload -> dropper -> rootkit

Dropper layouts (diagram)

Dropped modules (diagram)

Installation x86 (diagram)

Installation x64 (diagram)
Bootkit and bypassing the driver signature check

Types of integrity checks
- PnP Device Installation Signing Requirements
- Kernel-Mode Code Signing Policy (KMCSP): enforced on 64-bit versions of Windows Vista and later

Kernel-Mode Code Signing Policy enforcement (diagram)

Boot process of Windows OS (diagram)

Code integrity check (diagram)

Boot Configuration Data (BCD)

BCD example (diagram)

BCD elements controlling KMCSP (before KB2506014)

Subverting KMCSP
- Abusing a vulnerable, signed, legitimate kernel-mode driver
- Switching off kernel-mode code signing checks by altering BCD data:
  - abusing WinPE mode
  - disabling the signing check
- Patching bootmgr and the OS loader

Abusing WinPE mode: TDL4 modules
- int 13h: the BIOS disk I/O service through which the boot code reads the hard drive (IDE HDD controller); the bootkit hooks it to intercept what bootmgr reads

Abusing WinPE mode: workflow (diagram)
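The BCD elements on the slides above are the settings an investigator should look at first. As an added example (not the authors' tooling and not part of the original deck), the following Python parses the text printed by `bcdedit /enum` and flags the elements that relax KMCS enforcement on a Windows Boot Loader object: winpe (the element TDL4 abused before KB2506014), nointegritychecks, testsigning, and a DISABLE_INTEGRITY_CHECKS or TESTSIGNING load option. The bcdedit output embedded in the block is constructed for the example.

```python
"""Flag BCD settings that weaken Kernel-Mode Code Signing (KMCS) in `bcdedit /enum` output."""
import re

# bcdedit option names whose "Yes" value relaxes code-signing enforcement for the OS loader.
WEAK_BOOLEANS = {
    "winpe": "WinPE mode: loaders before KB2506014 did not enforce KMCS in this mode",
    "nointegritychecks": "integrity checks disabled outright",
    "testsigning": "test-signed (self-signed) kernel-mode drivers accepted",
}
# Load-option strings with the same effect (DISABLE_INTEGRITY_CHECKS is pre-Vista-SP1 era, still worth flagging).
WEAK_LOADOPTIONS = ("DISABLE_INTEGRITY_CHECKS", "TESTSIGNING")

# Constructed sample, shaped like `bcdedit /enum` output on a tampered system.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
winpe                   Yes
loadoptions             DISABLE_INTEGRITY_CHECKS
"""


def parse_bcd_objects(text):
    """Split bcdedit output into objects: one dict of element-name -> value per block."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[1].startswith("---"):
            continue  # not a "Title / ---- / elements" block
        elements = {"_type": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)  # element name, then the rest of the line as its value
            if len(parts) == 2:
                elements[parts[0].lower()] = parts[1].strip()
        objects.append(elements)
    return objects


def find_kmcs_weakening(text):
    """Return (identifier, element, reason) for every loader setting that relaxes KMCS."""
    findings = []
    for obj in parse_bcd_objects(text):
        if obj["_type"] != "Windows Boot Loader":
            continue
        ident = obj.get("identifier", "?")
        for name, reason in WEAK_BOOLEANS.items():
            if obj.get(name, "No").lower() == "yes":
                findings.append((ident, name, reason))
        opts = obj.get("loadoptions", "").upper()
        for flag in WEAK_LOADOPTIONS:
            if flag in opts:
                findings.append((ident, "loadoptions", flag))
    return findings


if __name__ == "__main__":
    for ident, elem, why in find_kmcs_weakening(SAMPLE_BCDEDIT_OUTPUT):
        print(f"{ident}: {elem} -> {why}")
```

Feed it the output of `bcdedit /enum all` captured from the machine, or from a BCD hive mounted out of an offline image. One caveat that follows from the workflow above: TDL4 applied its WinPE-mode change through the int 13h hook while bootmgr was reading the BCD at boot, so the store on disk, and with it a live `bcdedit` listing, can look clean; this check catches the persistent variants (testsigning, nointegritychecks, load options), not the in-memory one.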
MS patch (KB2506014)
- BcdOsLoaderBoolean_WinPEMode no longer influences kernel-mode code signing checks
- The size of the export directory of kdcom.dll has been changed

Bypassing KMCSP: another attempt
- Patch bootmgr and the OS loader (winload.exe) to disable KMCSP

Bypassing KMCSP: result
- bootmgr fails to verify the OS loader's integrity
- MS10-015: killed TDL3
Debugging the bootkit with Bochs
- Bochs support starting from IDA 5.5

DEMO

Kernel-mode hooks

Stealing the miniport driver object (diagram: before infection / after infection)

Stealing the miniport device object (diagram)

Filtering disk read/write requests
- Filtered requests:
  - IOCTL_ATA_PASS_THROUGH_DIRECT
  - IOCTL_ATA_PASS_THROUGH
  - IRP_MJ_INTERNAL_DEVICE_CONTROL
- To protect:
  - the infected MBR
  - the hidden file system, from being read or overwritten

Debugging the bootkit with WinDbg

WinDbg and kdcom.dll (diagram of the kernel-debugger transport between NTOSKRNL, KDCOM.DLL and WinDbg, through the kdcom.dll exports KdDebuggerInitialize (RETURN_STATUS), KdSendPacket (data packet out, RETURN_CONTROL) and KdReceivePacket (data packet in, KD_RECV_CODE_OK))

TDL4 and kdcom.dll (diagram: original call vs. fake call)

TDL4 and kdcom.dll (diagram: original export table vs. fake export table)

DEMO
WinDbg output from an infected x86 system: the lower device object under DR0 and the driver object it points to are not recognized by WinDbg as valid objects, which is the stolen miniport driver/device object from the slides above.

kd> !object \Device\Harddisk0
Object: e1022d10  Type: (8a5e54f0) Directory
    ObjectHeader: e1022cf8 (old version)
    HandleCount: 1  PointerCount: 8
    Directory Object: e10116f0  Name: Harddisk0

    Hash Address  Type          Name
    ---- -------  ----          ----
     21  8a5c9ab8 Device        DR0
     24  8a5c8c68 Device        DP(1)0x7e00-0xffea9600+1
     33  e101abe8 SymbolicLink  Partition0
         8a5c88a0 Device        DP(2)0x1748a3fc00-0x1bf0797a00+2
     34  e1011258 SymbolicLink  Partition1
     35  e101a078 SymbolicLink  Partition2

kd> !devobj \Device\Harddisk0\DR0
Device object (8a5c9ab8) is for:
 DR0 \Driver\Disk DriverObject 8a5cd730
Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050
Vpb 8a5dafa8 Dacl e101723c DevExt 8a5c9b70 DevObjExt 8a5c9fd0 Dope 8a59ff98
ExtensionFlags (0000000000)
AttachedDevice (Upper) 8a5c9890 \Driver\PartMgr
AttachedTo (Lower) 89fd9028 89fd9028: is not a device object

kd> !devstack 8a5c9ab8
  !DevObj   !DrvObj            !DevExt   ObjectName
  8a5c9890  \Driver\PartMgr    8a5c9948
> 8a5c9ab8  \Driver\Disk       8a5c9b70  DR0
Invalid type for DeviceObject 0x89fd9028

kd> dt _DEVICE_OBJECT 0x89fd9028
ntdll!_DEVICE_OBJECT
   +0x000 Type             : 0n0
   +0x002 Size             : 0xfb8
   +0x004 ReferenceCount   : 0n0
   +0x008 DriverObject     : 0x899574f0 _DRIVER_OBJECT
   +0x00c NextDevice       : 0x8a5ca028 _DEVICE_OBJECT
   +0x010 AttachedDevice   : 0x8a5c9ab8 _DEVICE_OBJECT
   +0x014 CurrentIrp       : (null)
   +0x018 Timer            : (null)
   +0x01c Flags            : 0x5050
   +0x020 Characteristics  : 0x100
   +0x024 Vpb              : (null)
   +0x028 DeviceExtension  : 0x89fd90e0 Void
   +0x02c DeviceType       : 7

kd> !drvobj 0x899574f0
Driver object (899574f0) is for:
899574f0: is not a driver object
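To make the checks WinDbg performed above repeatable over a memory snapshot, here is an added example (neither TDL4 code nor ESET's tool) that applies the same sanity tests: every `_DEVICE_OBJECT` in the stack must have Type 3 (IO_TYPE_DEVICE), and its DriverObject must point at a Type 4 (IO_TYPE_DRIVER) structure with a readable DriverName. Field offsets follow the x86 `dt _DEVICE_OBJECT` output above, plus the assumption that `_DRIVER_OBJECT.DriverName` (a UNICODE_STRING) sits at +0x1c on x86. The addresses mirror the dump; the bytes placed at them are constructed for the example.

```python
"""Check a disk device stack from a 32-bit memory snapshot the way !devstack / !drvobj do."""
import struct

IO_TYPE_DEVICE = 3          # _DEVICE_OBJECT.Type on a genuine device object
IO_TYPE_DRIVER = 4          # _DRIVER_OBJECT.Type on a genuine driver object
DEVICE_OBJECT_SIZE = 0xb8   # sizeof(_DEVICE_OBJECT) on x86


class Snapshot:
    """Minimal address-space model: base -> bytes regions, read by virtual address."""

    def __init__(self):
        self.regions = {}

    def add(self, base, data):
        self.regions[base] = bytes(data)

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#x}")


def device_object(snap, addr):
    """The first fields of _DEVICE_OBJECT at the x86 offsets `dt` printed above."""
    typ, size, _refs, drv, nxt, attached = struct.unpack_from("<hHiIII", snap.read(addr, 0x14))
    return {"addr": addr, "Type": typ, "Size": size, "DriverObject": drv,
            "NextDevice": nxt, "AttachedDevice": attached}


def driver_name(snap, drv_addr):
    """DriverName from _DRIVER_OBJECT (UNICODE_STRING at +0x1c, assumed x86 layout), else None."""
    if struct.unpack_from("<h", snap.read(drv_addr, 2))[0] != IO_TYPE_DRIVER:
        return None
    length, _maxlen, buf = struct.unpack_from("<HHI", snap.read(drv_addr + 0x1c, 8))
    return snap.read(buf, length).decode("utf-16-le")


def walk_stack(snap, lowest_addr, known_drivers=frozenset()):
    """Follow AttachedDevice upward from the lowest object; collect what !devobj would reject."""
    findings, addr, seen = [], lowest_addr, set()
    while addr and addr not in seen:
        seen.add(addr)
        dev = device_object(snap, addr)
        try:
            name = driver_name(snap, dev["DriverObject"])
        except ValueError:          # DriverObject points at unmapped memory
            name = None
        problems = []
        if dev["Type"] != IO_TYPE_DEVICE:
            problems.append(f"Type={dev['Type']} (expected {IO_TYPE_DEVICE})")
        if name is None:
            problems.append(f"DriverObject {dev['DriverObject']:#x} is not a driver object")
        elif known_drivers and name not in known_drivers:
            problems.append(f"unexpected driver {name}")
        findings.append((addr, name, problems))
        addr = dev["AttachedDevice"]
    return findings


def build_device(typ, driver, attached, size=DEVICE_OBJECT_SIZE):
    """Constructed _DEVICE_OBJECT bytes; only the fields the walker reads are filled in."""
    return struct.pack("<hHiIII", typ, size, 0, driver, 0, attached).ljust(DEVICE_OBJECT_SIZE, b"\0")


def build_driver(name_addr, name):
    """Constructed _DRIVER_OBJECT (Type 4, DriverName -> name_addr) and the name buffer."""
    enc = name.encode("utf-16-le")
    head = struct.pack("<hH", IO_TYPE_DRIVER, 0xa8).ljust(0x1c, b"\0")
    return head + struct.pack("<HHI", len(enc), len(enc), name_addr), enc


def constructed_snapshot():
    """Addresses mirror the WinDbg dump above; the byte contents are made up for this example."""
    snap = Snapshot()
    disk_drv, disk_name = build_driver(0x8a5cd900, "\\Driver\\Disk")
    pm_drv, pm_name = build_driver(0x8a5cd980, "\\Driver\\PartMgr")
    snap.add(0x8a5cd730, disk_drv)
    snap.add(0x8a5cd900, disk_name)
    snap.add(0x8a5cd800, pm_drv)
    snap.add(0x8a5cd980, pm_name)
    snap.add(0x8a5c9890, build_device(IO_TYPE_DEVICE, 0x8a5cd800, 0))           # \Driver\PartMgr, top
    snap.add(0x8a5c9ab8, build_device(IO_TYPE_DEVICE, 0x8a5cd730, 0x8a5c9890))  # DR0, \Driver\Disk
    snap.add(0x89fd9028, build_device(0, 0x899574f0, 0x8a5c9ab8, size=0xfb8))   # rootkit's lower object
    snap.add(0x899574f0, b"\0" * 0x40)                                           # "is not a driver object"
    return snap


if __name__ == "__main__":
    for addr, name, problems in walk_stack(constructed_snapshot(), 0x89fd9028):
        print(f"{addr:#010x} {name or '<none>':18} {'; '.join(problems) or 'ok'}")
```

On a real snapshot the Snapshot class is the only part to swap out (for a crash dump or a Volatility address space); the walk itself is the same. Note that the rootkit's object is caught on two independent grounds, the wrong Type and a DriverObject that is not a driver object, so a variant that forges one of the two fields is still flagged by the other.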
TDL hidden file system

TDL's hidden storage
- Reserved space at the end of the hard drive (not visible in file-system level analysis)
- Encrypted contents (stream cipher: RC4, XOR-ing)
- Implemented as a hidden volume in the system
- Can be accessed through the standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)

TDL3/TDL3+ rootkit device stack (diagram)

TDL4 device stack (diagram)

TDL4 file system layout (diagram)
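An added example of the forensic approach behind the LowLevelHddReader / TdlDecryptor / FsStructureParser split, not TdlFsReader's own code: parse the MBR of a disk image, treat the sectors past the last partition as the candidate reserved area, RC4-decrypt each of them and look for a volume-header signature. The 8-byte magic, the header fields and the key are assumptions made up for this example; TDL4's actual layout and key handling are described in the referenced ESET whitepapers, not here. The 2 MiB disk image is constructed inside the block.

```python
"""Locate and decrypt a hidden volume parked past the last MBR partition of a disk image."""
import struct

SECTOR = 512
HIDDEN_MAGIC = b"HIDNFS00"   # assumed header signature for this example's volume, not TDL4's real one


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the slides name RC4/XOR stream encryption for the hidden contents."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)


def mbr_partitions(image):
    """The four primary partition entries at 0x1be as (type, start_lba, sector_count)."""
    if image[0x1fe:0x200] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for n in range(4):
        entry = image[0x1be + 16 * n:0x1be + 16 * (n + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts


def unallocated_tail(image):
    """(first LBA past the last partition, number of sectors from there to the end of the disk)."""
    end = max(start + count for _, start, count in mbr_partitions(image))
    total = len(image) // SECTOR
    return end, total - end


def find_hidden_volume(image, key):
    """Decrypt every sector of the unallocated tail, last sector first; return (lba, header) on a hit."""
    first, count = unallocated_tail(image)
    for lba in range(first + count - 1, first - 1, -1):
        sector = rc4(key, image[lba * SECTOR:(lba + 1) * SECTOR])
        if sector.startswith(HIDDEN_MAGIC):
            return lba, sector
    return None


def constructed_image(key):
    """Constructed 2 MiB disk: one partition of type 0x07, then 96 reserved sectors holding the volume."""
    image = bytearray(4096 * SECTOR)
    # partition entry: bootable, CHS fields zeroed, type 0x07, LBA 63, 3937 sectors (ends at LBA 4000)
    struct.pack_into("<BBBBBBBBII", image, 0x1be, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 3937)
    image[0x1fe:0x200] = b"\x55\xaa"
    # volume header (made-up fields: version, entry count, first file name), RC4-encrypted with key
    header = HIDDEN_MAGIC + struct.pack("<II", 1, 1) + b"example.bin\0"
    image[4000 * SECTOR:4001 * SECTOR] = rc4(key, header.ljust(SECTOR, b"\0"))
    return bytes(image)


if __name__ == "__main__":
    img = constructed_image(b"example-key")
    print("partitions:", mbr_partitions(img), "tail:", unallocated_tail(img))
    hit = find_hidden_volume(img, b"example-key")
    print("hidden volume at LBA", hit[0], "header:", hit[1][:28])
```

Reading the same sectors on a live infected machine through the normal disk stack would pass through the rootkit's request filter (the slide on filtering disk read/write requests), which is why TdlFsReader disables the hooks from kernel mode before reading; against an offline image, as here, no unhooking is needed.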
TdlFsReader as a forensic tool (diagram)

TdlFsReader architecture
- User mode: TdlFileReader, TdlFsRecognizer, TdlFsDecryptor
- Kernel mode: TdlSelfDefenceDisabler, LowLevelHddReader
- Internal components (detailed diagram): FsCheckVersion, TdlCheckVersion, FsStructureParser, TdlDecryptor, TdlUnHooker, HddBlockReader

DEMO
References
- "The Evolution of TDL: Conquering x64", http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf
- "Rooting about in TDSS", http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf
- "TDL3: The Rootkit of All Evil?", http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
- ESET Threat Blog, http://blog.eset.com

Questions

Thank you for your attention ;)
Aleksandr Matrosov, matrosov@eset.sk, @matrosov
Eugene Rodionov, rodionov@eset.sk, @vxradius

The "Best Reverser" contest has already started!
- Register at the contest booth
- Download the crackme: phd.esetnod32.ru
- Send the keys and a short description of the solving process to phd@esetnod32.ru
- Get prizes: Amazon Kindle DX, Amazon Kindle 3 Wi-Fi, ESET Smart Security (3 years)
