Forensic examination and analysis of rootkits: the TDL4 case
Presentation Transcript

  • Forensic examination and analysis of rootkits: the Win32/Olmarik (TDL4) case
    Aleksandr Matrosov
    Eugene Rodionov
  • Who are we?
    • malware researchers at ESET
    - rootkit analysis
    - developing cleaning tools
    - tracking new rootkit techniques
    - researching cybercrime groups
    http://www.joineset.com/
  • Workshop outline
    • Evolution of modern rootkits
    • Installation stages on x86/x64
    • The bootkit and bypassing the signature check
    • Debugging the bootkit in the Bochs emulator
    • Kernel-mode hooks
    • Debugging with WinDbg
    • The TDL4 file system
    • TdlFsReader as a forensic tool
  • Evolution of rootkits
  • Evolution of rootkit functionality (diagram, x86 and x64; reconstructed from the slide text)
    Dropper (user mode):
    - bypass HIPS and AV
    - privilege escalation
    - bypass signature check (x64)
    - install rootkit driver
    Rootkit (kernel mode):
    - self-defense
    - surviving reboot
    - injecting payload
    - bypass MS PatchGuard (x64)
  • 64-bit OS rootkit
    • Kernel-Mode Code Signing Policy
    - loading an unsigned kernel-mode driver is difficult
    • Kernel-Mode Patch Protection (PatchGuard) protects:
    - SSDT (System Service Dispatch Table)
    - IDT (Interrupt Descriptor Table)
    - GDT (Global Descriptor Table)
    - MSRs (Model Specific Registers)
  • Evolution of TDL rootkits
  • Installation x86/x64
  • Installation stages
    exploit
    payload
    dropper
    rootkit
  • Dropper layouts
  • Dropped modules
  • Installation x86
  • Installation x64
  • Bootkit and bypassing driver signature check
  • Types of integrity checks
    • PnP Device Installation Signing Requirements
    • Kernel-Mode Code Signing Policy
    - enforced on 64-bit versions of Windows Vista and later
  • Kernel-mode Code Signing Policy Enforcement
  • Boot process of Windows OS
  • Code integrity check
  • Boot Configuration Data (BCD)
    • Stores boot loader parameters
    • Introduced in Windows Vista as a replacement for boot.ini, to conform with the UEFI specification
    • Has the same physical layout as a registry hive
  • BCD Example
  • BCD elements controlling KMCSP (before KB2506014)
  • Subverting KMCSP
    • Abusing a vulnerable signed legitimate kernel-mode driver
    • Switching off kernel-mode code signing checks by altering BCD data:
    - abuse WinPE mode
    - disable signing check
    • Patching Bootmgr and the OS loader
  • Abusing Win PE mode: TDL4 modules
    int 13h: the BIOS disk service (access to the hard drive before the OS disk stack exists)
  • Abusing Win PE mode: workflow
  • MS patch (KB2506014)
    • BcdOsLoaderBoolean_WinPEMode no longer influences kernel-mode code signing checks
    • The size of the export directory of kdcom.dll has been changed
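As an added example (not from the talk and not one of ESET's tools), here is a small Python audit that parses `bcdedit /enum all` text and flags the three boolean elements the preceding slides name. The sample bcdedit output is constructed; the numeric element IDs come from the public BCD element documentation and are an assumption about what the "BCD elements controlling KMCSP" slide listed, not something the transcript states.

```python
"""Audit `bcdedit /enum all` output for BCD elements that weaken kernel-mode
code signing (KMCSP). Added example, not ESET's tool."""
import re

# BCD element IDs (public BCD element documentation; assumed to match the
# slide's table). In the BCD hive they appear under
# Objects\{GUID}\Elements\<hex id>\Element.
KMCSP_ELEMENTS = {
    0x16000048: ("nointegritychecks", "BcdLibraryBoolean_DisableIntegrityChecks"),
    0x16000049: ("testsigning", "BcdLibraryBoolean_AllowPrereleaseSignatures"),
    0x26000022: ("winpe", "BcdOSLoaderBoolean_WinPEMode"),
}

def describe_element(hex_id):
    """Map a hive element key such as '26000022' to its symbolic name (or None)."""
    return KMCSP_ELEMENTS.get(int(hex_id, 16), (None, None))[1]

def parse_bcdedit(text):
    """Split bcdedit text into one dict per boot object ({name: value})."""
    objects, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or set(line) == {"-"}:
            continue
        m = re.match(r"^([A-Za-z]+)\s{2,}(\S.*)$", line)
        if m is None:                      # section header, e.g. "Windows Boot Loader"
            current = {"_type": line.strip()}
            objects.append(current)
        elif current is not None:
            current[m.group(1)] = m.group(2)
    return objects

def audit(objects, kb2506014_installed=False):
    """Return (identifier, element, severity) for every risky element set to Yes.
    winpe is downgraded once KB2506014 is present, because that update stopped
    WinPEMode from influencing the kernel-mode signing check."""
    findings = []
    for obj in objects:
        for name in ("nointegritychecks", "testsigning", "winpe"):
            if obj.get(name, "No").lower() == "yes":
                severity = "info" if name == "winpe" and kb2506014_installed else "high"
                findings.append((obj.get("identifier", "?"), name, severity))
    return findings

# Constructed sample output (not captured from a real machine).
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
nointegritychecks       Yes
testsigning             Yes
winpe                   Yes
"""

if __name__ == "__main__":
    for ident, name, severity in audit(parse_bcdedit(SAMPLE)):
        print(f"{severity:4} {ident} {name}=Yes")
```

On a live suspect system save the input with `bcdedit /enum all`; for an offline system partition use `bcdedit /store <path to the BCD hive> /enum all`. The script only reads the elements that bcdedit prints by name; an attacker who patches bootmgr or winload.exe directly, as the next slides describe, leaves the BCD clean and is not caught here.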
  • Bypassing KMCSP: another attempt
    Patch bootmgr and the OS loader (winload.exe) to disable KMCSP
  • Bypassing KMCSP: result
    Bootmgr fails to verify the OS loader's integrity
    (compare MS10-015, which killed TDL3)
  • Debugging bootkit with Bochs
  • Bochs support starting from IDA 5.5
  • DEMO
  • Kernel-mode hooks
  • Stealing Miniport Driver Object (diagram: before infection / after infection)
  • Filtering disk read/write requests
    • Filtered requests:
    - IOCTL_ATA_PASS_THROUGH_DIRECT
    - IOCTL_ATA_PASS_THROUGH
    - IRP_MJ_INTERNAL_DEVICE_CONTROL
    • To protect:
    - the infected MBR
    - the hidden file system from being read or overwritten
  • Debugging bootkit with WinDbg
  • WinDbg and kdcom.dll (diagram, reconstructed from the slide text)
    WinDbg <-> KDCOM.DLL <-> NTOSKRNL; the kernel drives the transport through three kdcom.dll exports:
    - KdDebuggerInitialize (RETURN_STATUS)
    - KdSendPacket: data packet (RETURN_CONTROL)
    - KdReceivePacket: data packet (KD_RECV_CODE_OK)
  • TDL4 and kdcom.dll (diagrams: original call vs. fake call; original export table vs. fake export table)
  • DEMO
  • kd> !object \Device\Harddisk0
    Object: e1022d10 Type: (8a5e54f0) Directory
    ObjectHeader: e1022cf8 (old version)
    HandleCount: 1 PointerCount: 8
    Directory Object: e10116f0 Name: Harddisk0
    Hash Address Type Name
    ---- ------- ---- ----
    21 8a5c9ab8 Device DR0
    24 8a5c8c68 Device DP(1)0x7e00-0xffea9600+1
    33 e101abe8 SymbolicLink Partition0
    8a5c88a0 Device DP(2)0x1748a3fc00-0x1bf0797a00+2
    34 e1011258 SymbolicLink Partition1
    35 e101a078 SymbolicLink Partition2
  • kd> !devobj \Device\Harddisk0\DR0
    Device object (8a5c9ab8) is for:
    DR0 \Driver\Disk DriverObject 8a5cd730
    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050
    Vpb 8a5dafa8 Dacl e101723c DevExt 8a5c9b70 DevObjExt 8a5c9fd0 Dope 8a59ff98
    ExtensionFlags (0000000000)
    AttachedDevice (Upper) 8a5c9890 \Driver\PartMgr
    AttachedTo (Lower) 89fd9028 89fd9028: is not a device object
  • kd> !devstack 8a5c9ab8
    !DevObj !DrvObj !DevExt ObjectName
    8a5c9890 \Driver\PartMgr 8a5c9948
    > 8a5c9ab8 \Driver\Disk 8a5c9b70 DR0
    Invalid type for DeviceObject 0x89fd9028
  • kd> dt _DEVICE_OBJECT 0x89fd9028
    ntdll!_DEVICE_OBJECT
    +0x000 Type : 0n0
    +0x002 Size : 0xfb8
    +0x004 ReferenceCount : 0n0
    +0x008 DriverObject : 0x899574f0 _DRIVER_OBJECT
    +0x00c NextDevice : 0x8a5ca028 _DEVICE_OBJECT
    +0x010 AttachedDevice : 0x8a5c9ab8 _DEVICE_OBJECT
    +0x014 CurrentIrp : (null)
    +0x018 Timer : (null)
    +0x01c Flags : 0x5050
    +0x020 Characteristics : 0x100
    +0x024 Vpb : (null)
    +0x028 DeviceExtension : 0x89fd90e0 Void
    +0x02c DeviceType : 7
  • kd> !drvobj 0x899574f0
    Driver object (899574f0) is for:
    899574f0: is not a driver object
    Reading the three outputs together: the object attached below \Driver\Disk DR0 has Type 0 instead of IO_TYPE_DEVICE (3), and the driver object it references fails !drvobj. These are the forged miniport device and driver objects TDL4 substitutes for the originals (see "Stealing Miniport Driver Object" and "Stealing Miniport Device Object" above).
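The checks WinDbg performed by hand above can be automated over saved kd output. The following Python script is an added example (not from the talk): it parses `dt _DEVICE_OBJECT` and `!devstack` text and flags any object whose Type is not IO_TYPE_DEVICE (3), which is the condition that made `!devstack` print "Invalid type for DeviceObject". The inputs are the slide outputs retyped (abridged) plus a constructed clean device object for comparison; the field layout matches 32-bit Windows XP as shown on the slides.

```python
"""Sanity-check device objects from saved kd output: a genuine _DEVICE_OBJECT
has Type == IO_TYPE_DEVICE (3); TDL4's substituted objects do not.
Added example, not from the talk."""
import re

IO_TYPE_DEVICE = 3   # _DEVICE_OBJECT.Type of a real device object
IO_TYPE_DRIVER = 4   # _DRIVER_OBJECT.Type of a real driver object

def parse_int(value):
    """Convert kd value spellings: '0n0' (decimal), '0x5050', '7', '(null)'."""
    tokens = value.split()
    token = tokens[0] if tokens else "0"
    if token == "(null)":
        return 0
    if token.startswith("0n"):
        return int(token[2:], 10)
    return int(token, 16) if token.startswith("0x") else int(token, 10)

def parse_dt(text):
    """Parse `dt _DEVICE_OBJECT <addr>` rows into {field: raw value string}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*\+0x[0-9a-fA-F]+\s+(\w+)\s+:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def check_device_object(fields):
    """Return a list of anomalies for one parsed device object."""
    issues = []
    typ = parse_int(fields.get("Type", "0"))
    if typ != IO_TYPE_DEVICE:
        issues.append(f"Type={typ}, expected IO_TYPE_DEVICE={IO_TYPE_DEVICE}")
    if parse_int(fields.get("DriverObject", "0")) == 0:
        issues.append("DriverObject is NULL")
    return issues

def parse_devstack(text):
    """Rows of `!devstack` as (devobj, driver, devext, name), plus the addresses
    the extension itself refused with 'Invalid type for DeviceObject'."""
    rows, rejected = [], []
    for line in text.splitlines():
        s = line.strip().lstrip("> ").strip()
        m = re.match(r"^([0-9a-f]{8})\s+(\S+)\s+([0-9a-f]{8})(?:\s+(\S.*))?$", s)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), m.group(4) or ""))
            continue
        m = re.match(r"^Invalid type for DeviceObject 0x([0-9a-f]{8})", s)
        if m:
            rejected.append(m.group(1))
    return rows, rejected

def driver_object_valid(drvobj_text):
    """`!drvobj` prints '<addr>: is not a driver object' for a forged object."""
    return "is not a driver object" not in drvobj_text

# Constructed inputs: the kd output quoted on the slides, retyped and abridged.
KD_DT = """
   +0x000 Type             : 0n0
   +0x002 Size             : 0xfb8
   +0x004 ReferenceCount   : 0n0
   +0x008 DriverObject     : 0x899574f0 _DRIVER_OBJECT
   +0x010 AttachedDevice   : 0x8a5c9ab8 _DEVICE_OBJECT
   +0x01c Flags            : 0x5050
   +0x02c DeviceType       : 7
"""
# Constructed clean object for comparison (DriverObject is \Driver\Disk's).
CLEAN_DT = """
   +0x000 Type             : 0n3
   +0x002 Size             : 0xfb8
   +0x008 DriverObject     : 0x8a5cd730 _DRIVER_OBJECT
   +0x02c DeviceType       : 7
"""
KD_DEVSTACK = r"""
  !DevObj   !DrvObj          !DevExt   ObjectName
  8a5c9890  \Driver\PartMgr  8a5c9948
> 8a5c9ab8  \Driver\Disk     8a5c9b70  DR0
Invalid type for DeviceObject 0x89fd9028
"""
KD_DRVOBJ = "Driver object (899574f0) is for:\n899574f0: is not a driver object\n"

if __name__ == "__main__":
    print("infected:", check_device_object(parse_dt(KD_DT)))
    print("clean:   ", check_device_object(parse_dt(CLEAN_DT)))
    print("rejected by !devstack:", parse_devstack(KD_DEVSTACK)[1])
    print("driver object valid:", driver_object_valid(KD_DRVOBJ))
```

The script deliberately trusts only structure fields, not names: TDL4 copies the legitimate miniport's device extension and driver name, so a name-based comparison would see nothing wrong.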
  • TDL hidden file system
  • TDL's hidden storage
    • Reserves space at the end of the hard drive (not visible to file-system-level analysis)
    • Encrypted contents (stream cipher: RC4, XOR-ing)
    • Implemented as a hidden volume in the system
    • Can be accessed with the standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
  • TDL3/TDL3+ Rootkit Device Stack
  • TDL4 Device Stack
  • TDL4 File System Layout
  • TdlFsReader as a forensic tool
  • TdlFsReader architecture (component diagram, reconstructed from the slide text)
    User mode:
    - TdlFileReader
    - TdlFsRecognizer: FsCheckVersion, TdlCheckVersion
    - TdlFsDecryptor: FsStructureParser, TdlDecryptor
    Kernel mode:
    - TdlSelfDefenceDisabler: TdlUnHooker
    - LowLevelHddReader: HddBlockReader
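The "TDL's hidden storage" slide and the TdlFsReader architecture above describe the same pipeline: read raw sectors, find the reserved region after the last partition, decide whether it holds encrypted data, decrypt it. The following Python script is an added example of that pipeline over a disk image and is not TdlFsReader's code. The disk image, the RC4 key and the hidden content are all constructed here; TDL4's real key derivation and on-disk layout are not given in the talk, so the decryption step only shows where a decryptor plugs in, and the entropy test is a generic heuristic for "this slack is not empty".

```python
"""Locate and probe the region a TDL-style rootkit uses for hidden storage:
the sectors after the last MBR partition. Added example, not TdlFsReader;
image, key and payload are constructed (TDL4's real key/layout not shown)."""
import math
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Return (type, lba_start, sector_count) for every used primary entry."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((ptype, lba, count))
    return parts

def trailing_region(parts, disk_sectors):
    """(first LBA, length in sectors) of the space after the last partition:
    invisible to file-system-level tools, which is why TDL reserves it."""
    end = max((lba + n for _, lba, n in parts), default=1)
    return end, disk_sectors - end

def entropy(data):
    """Shannon entropy in bits per byte; RC4 output sits near 8, zeroed slack at 0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def rc4(key, data):
    """Plain RC4 (the stream cipher the talk names); encrypts and decrypts alike."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

HIDDEN_SECTORS = 8
KEY = b"constructed-key"                       # assumption: not TDL4's real key
PLAIN = (b"constructed hidden-storage content\n" * 200)[:HIDDEN_SECTORS * SECTOR]

def build_image(disk_sectors, hidden_plain=None, key=KEY):
    """Constructed disk: one type-0x07 partition from LBA 63, HIDDEN_SECTORS
    left free at the end, optionally filled with RC4-encrypted data."""
    img = bytearray(disk_sectors * SECTOR)
    struct.pack_into("<B", img, 446 + 4, 0x07)
    struct.pack_into("<II", img, 446 + 8, 63, disk_sectors - 63 - HIDDEN_SECTORS)
    img[510:512] = b"\x55\xaa"
    if hidden_plain is not None:
        start = (disk_sectors - HIDDEN_SECTORS) * SECTOR
        enc = rc4(key, hidden_plain)
        img[start:start + len(enc)] = enc
    return bytes(img)

def scan(img, key=None):
    """Forensic pass: where is the trailing region, does it look encrypted,
    and (given a key) what does its first block decrypt to."""
    parts = parse_mbr(img[:SECTOR])
    first, n = trailing_region(parts, len(img) // SECTOR)
    slack = img[first * SECTOR:(first + n) * SECTOR]
    ent = entropy(slack)
    report = {"partitions": parts, "trailing_lba": first, "trailing_sectors": n,
              "entropy": round(ent, 2), "suspicious": n > 0 and ent > 7.0}
    if key is not None:
        report["decrypted_head"] = rc4(key, slack[:64])
    return report

if __name__ == "__main__":
    print(scan(build_image(2048, PLAIN), KEY))
```

On a live infected machine the slack sectors must be read below the hooked miniport (the talk's LowLevelHddReader and TdlSelfDefenceDisabler), because the filter described under "Filtering disk read/write requests" hides them from any reader that goes through the normal disk stack; on an offline image taken with a separate imager no such hook is in the way.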
  • DEMO
  • References
    • “The Evolution of TDL: Conquering x64”
    http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf
    • “Rooting about in TDSS”
    http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf
    • “TDL3: The Rootkit of All Evil?”
    http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
    • Follow ESET Threat Blog
    http://blog.eset.com
  • Questions
  • Thank you for your attention ;)
    Aleksandr Matrosov
    matrosov@eset.sk
    @matrosov
    Eugene Rodionov
    rodionov@eset.sk
    @vxradius
  • The "Best Reverser" contest has already started!
    • Register at the contest booth
    • Download: crackmephd.esetnod32.ru
    • Send the keys and a short description of how you solved it to phd@esetnod32.ru
    • Win prizes:
    Amazon Kindle DX
    Amazon Kindle 3 Wi-Fi
    ESET Smart Security (3 years)