Positive Hack Days. Matrosov. Master class: Forensic examination and analysis of rootkit programs using TDL4 as an example

The master class covers the following topics:
injection and operating methods of the TDL4 rootkit;
tools and methods for collecting data to perform a forensic examination of an infected machine;
debugging the bootkit component at the early stage of system boot using the Bochs emulator;
analysing the infected machine with WinDbg;
removing the rootkit from the system after all necessary data has been collected.

Published in Technology
  • Slide note (BCD): Stores boot loader parameters. Was introduced for the first time in Windows Vista as a replacement for the boot.ini file, to conform with the UEFI specification. Has the same physical layout as a registry hive.

Transcript

  • Forensic examination and analysis of rootkit programs using Win32/Olmarik (TDL4) as an example
    Aleksandr Matrosov
    Eugene Rodionov
  • Who we are?
    • malware researchers at ESET
    - rootkit analysis
    - developing cleaning tools
    - tracking new rootkit techniques
    - researching cybercrime groups
    http://www.joineset.com/
  • Master class plan
    • Evolution of modern rootkits
    • Installation stages on x86/x64
    • Bootkit and bypassing the signature check
    • Debugging the bootkit on the Bochs emulator
    • Kernel-mode hooks
    • Debugging with WinDbg
    • TDL4 file system
    • TdlFsReader as a forensic tool
  • Evolution of rootkits
  • Evolution of rootkits functionality (diagram): two columns, x86 and x64, each going from dropper to rootkit; the labelled stages are bypass HIPS and AV, self-defense, privilege escalation, surviving reboot, bypass signature check, install rootkit driver, injecting payload and bypass MS PatchGuard, split between user mode and kernel mode
  • 64-bit OS rootkit
    • Kernel-Mode Code Signing Policy
    - It is difficult to load an unsigned kernel-mode driver
    • Kernel-Mode Patch Protection (PatchGuard):
    - SSDT (System Service Dispatch Table)
    - IDT (Interrupt Descriptor Table)
    - GDT (Global Descriptor Table)
    - MSRs (Model Specific Registers)
  • Evolution of TDL rootkits
  • Installation x86/x64
  • Installation stages
    exploit
    payload
    dropper
    rootkit
  • Dropper layouts
  • Dropped modules
  • Installation x86
  • Installation x64
  • Bootkit and bypassing driver signature check
  • Types of integrity checks
    • PnP Device Installation Signing Requirements
    • Kernel-Mode Code Signing Policy
    - Enforced on 64-bit versions of Windows Vista and later
  • Kernel-mode Code Signing Policy Enforcement
  • Boot process of Windows OS
  • Code integrity check
  • Boot Configuration Data (BCD)
  • BCD Example
  • BCD Elements controlling KMCSP (before KB2506014)
  • Subverting KMCSP
    • Abusing a vulnerable signed legitimate kernel-mode driver
    • Switching off kernel-mode code signing checks by altering BCD data:
    - abuse WinPE mode
    - disable signing check
    - patch Bootmgr and OS loader
  • Abusing Win PE mode: TDL4 modules
    int 13h – service provided by BIOS to communicate with the IDE HDD controller
  • Abusing Win PE mode: workflow
  • MS Patch (KB2506014)
    • BcdOsLoaderBoolean_WinPEMode no longer influences kernel-mode
    • Size of the export directory of kdcom.dll has been changed
  • Bypassing KMCSP: another attempt
    Patch bootmgr and OS loader (winload.exe) to disable KMCSP
  • Bypassing KMCSP: Result
    Bootmgr fails to verify OS loader’s integrity
    MS10-015
    kill TDL3
  • Debugging bootkit with Bochs
  • Bochs support starting from IDA 5.5
  • DEMO
  • Kernel-mode hooks
  • Stealing Miniport Driver Object (diagram: before infection / after infection)
  • Stealing Miniport Device Object
  • Filtering Disk Read/Write Requests
    • Filtered requests:
    - IOCTL_ATA_PASS_THROUGH_DIRECT
    - IOCTL_ATA_PASS_THROUGH
    - IRP_MJ_INTERNAL_DEVICE_CONTROL
    • To protect:
    - Infected MBR
    - Hidden file system from being read or overwritten
  • Debugging bootkit with WinDbg
  • WinDbg and kdcom.dll (diagram): WinDbg, KDCOM.DLL and NTOSKRNL, with the labels KdDebuggerInitialize / RETURN_STATUS, data packet / KdSendPacket / RETURN_CONTROL, data packet / KdReceivePacket / KD_RECV_CODE_OK
  • TDL4 and kdcom.dll (diagram: original call vs. fake call)
  • TDL4 and kdcom.dll (diagram: original export table vs. fake export table)
  • DEMO
  • kd> !object \Device\Harddisk0
    Object: e1022d10  Type: (8a5e54f0) Directory
    ObjectHeader: e1022cf8 (old version)
    HandleCount: 1  PointerCount: 8
    Directory Object: e10116f0  Name: Harddisk0
    Hash Address   Type          Name
    ---- -------   ----          ----
     21  8a5c9ab8  Device        DR0
     24  8a5c8c68  Device        DP(1)0x7e00-0xffea9600+1
     33  e101abe8  SymbolicLink  Partition0
         8a5c88a0  Device        DP(2)0x1748a3fc00-0x1bf0797a00+2
     34  e1011258  SymbolicLink  Partition1
     35  e101a078  SymbolicLink  Partition2
  • kd> !devobj \Device\Harddisk0\DR0
    Device object (8a5c9ab8) is for:
     DR0 \Driver\Disk DriverObject 8a5cd730
    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050
    Vpb 8a5dafa8 Dacl e101723c DevExt 8a5c9b70 DevObjExt 8a5c9fd0 Dope 8a59ff98
    ExtensionFlags (0000000000)
    AttachedDevice (Upper) 8a5c9890 \Driver\PartMgr
    AttachedTo (Lower) 89fd9028 89fd9028: is not a device object
  • kd> !devstack 8a5c9ab8
      !DevObj   !DrvObj          !DevExt   ObjectName
      8a5c9890  \Driver\PartMgr  8a5c9948
    > 8a5c9ab8  \Driver\Disk     8a5c9b70  DR0
    Invalid type for DeviceObject 0x89fd9028
  • kd> dt _DEVICE_OBJECT 0x89fd9028
    ntdll!_DEVICE_OBJECT
    +0x000 Type            : 0n0
    +0x002 Size            : 0xfb8
    +0x004 ReferenceCount  : 0n0
    +0x008 DriverObject    : 0x899574f0 _DRIVER_OBJECT
    +0x00c NextDevice      : 0x8a5ca028 _DEVICE_OBJECT
    +0x010 AttachedDevice  : 0x8a5c9ab8 _DEVICE_OBJECT
    +0x014 CurrentIrp      : (null)
    +0x018 Timer           : (null)
    +0x01c Flags           : 0x5050
    +0x020 Characteristics : 0x100
    +0x024 Vpb             : (null)
    +0x028 DeviceExtension : 0x89fd90e0 Void
    +0x02c DeviceType      : 7
  • kd> !drvobj 0x899574f0
    Driver object (899574f0) is for:
    899574f0: is not a driver object
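As an added example, not part of the presentation: a small Python check that parses `!devobj` and `dt _DEVICE_OBJECT` text like the listings above and reports the two signs of a stolen miniport device object seen there, a lower attached object the debugger cannot resolve and a Type field that is not IO_TYPE_DEVICE (3). The sample text is constructed to mirror the slides and the function names are mine.

```python
import re

# Type field of a genuine DEVICE_OBJECT header (IO_TYPE_DEVICE in ntddk.h).
IO_TYPE_DEVICE = 3

# Constructed sample output mirroring the slides (backslashes escaped for Python).
INFECTED_DEVOBJ = """\
Device object (8a5c9ab8) is for:
 DR0 \\Driver\\Disk DriverObject 8a5cd730
AttachedDevice (Upper) 8a5c9890 \\Driver\\PartMgr
AttachedTo (Lower) 89fd9028 89fd9028: is not a device object
"""
INFECTED_DT = """\
   +0x000 Type             : 0n0
   +0x002 Size             : 0xfb8
   +0x008 DriverObject     : 0x899574f0 _DRIVER_OBJECT
"""
# Constructed sample of a clean stack: the lower object resolves to a port driver.
CLEAN_DEVOBJ = "AttachedTo (Lower) 8a5c8c68 \\Driver\\atapi\n"
CLEAN_DT = "   +0x000 Type             : 0n3\n   +0x002 Size             : 0xb8\n"


def lower_device(devobj_text):
    """Return (address, resolved) from the 'AttachedTo (Lower)' line of !devobj."""
    m = re.search(r"AttachedTo \(Lower\)\s+([0-9a-f]+)(.*)", devobj_text)
    if not m:
        return None, True
    return m.group(1), "is not a device object" not in m.group(2)


def dt_field(dt_text, name):
    """Read one field of `dt _DEVICE_OBJECT` output; handles 0n (decimal) and 0x."""
    m = re.search(r"\+0x[0-9a-f]+ %s\s*: (0n\d+|0x[0-9a-f]+)" % name, dt_text)
    if not m:
        raise ValueError("field %s not found" % name)
    val = m.group(1)
    return int(val[2:]) if val.startswith("0n") else int(val, 16)


def findings(devobj_text, dt_text):
    """List of reasons the disk device stack looks tampered with (empty if clean)."""
    out = []
    addr, resolved = lower_device(devobj_text)
    if addr and not resolved:
        out.append("lower device %s is not a recognised device object" % addr)
    if dt_field(dt_text, "Type") != IO_TYPE_DEVICE:
        out.append("DEVICE_OBJECT.Type is not IO_TYPE_DEVICE")
    return out


if __name__ == "__main__":
    for line in findings(INFECTED_DEVOBJ, INFECTED_DT):
        print("suspicious:", line)
```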
  • TDL hidden file system
  • TDL’s hidden storage
    • Reserves space at the end of the hard drive (not visible at file-system-level analysis)
    • Encrypted contents (stream cipher: RC4, XOR-ing)
    • Implemented as a hidden volume in the system
    • Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
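As an added example, not from the presentation or from TdlFsReader: a Python check for the first point above, measuring the sectors beyond the last MBR partition that no partition claims, which is where TDL's reserved storage is placed. The MBR here is constructed; on a real case feed it the first 512 bytes of the disk image and the disk's sector count, and treat a large trailing gap as a region to carve and inspect rather than as proof on its own.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts after 446 bytes of boot code
ENTRY_SIZE = 16


def parse_partitions(mbr):
    """Return [(type, start_lba, sector_count)] for the non-empty MBR entries."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            parts.append((ptype, start, count))
    return parts


def trailing_sectors(mbr, disk_sectors):
    """Sectors after the end of the last partition; negative if a partition
    claims to extend past the disk, which is itself worth a closer look."""
    last_end = max((s + c for _, s, c in parse_partitions(mbr)), default=0)
    return disk_sectors - last_end


def build_mbr(entries):
    """Constructed MBR with zeroed boot code and the given (type, start, count)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # Constructed 2,000,000-sector disk with one NTFS partition (type 0x07).
    sample = build_mbr([(0x07, 2048, 1_990_000)])
    gap = trailing_sectors(sample, 2_000_000)
    print("unallocated sectors at end of disk:", gap, "(%d KiB)" % (gap * SECTOR // 1024))
```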
  • TDL3/TDL3+ Rootkit Device Stack
  • TDL4 Device Stack
  • TDL4 File System Layout
  • TdlFsReader as a forensic tool
  • TdlFsReader architecture (diagram, labels top to bottom): TdlFileReader, TdlFsRecognizer, TdlFsDecryptor, User mode, Kernel mode, TdlSelfDefenceDisabler, LowLevelHddReader
  • TdlFsReader architecture (diagram, components): TdlFsRecognizer, TdlFsDecryptor, FsCheckVersion, TdlCheckVersion, FsStructureParser, TdlDecryptor, TdlSelfDefenceDisabler, TdlUnHooker, HddBlockReader
  • DEMO
  • References
    • “The Evolution of TDL: Conquering x64”
    http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf
    • “Rooting about in TDSS”
    http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf
    • “TDL3: The Rootkit of All Evil?”
    http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
    • Follow ESET Threat Blog
    http://blog.eset.com
  • Questions
  • Thank you for your attention ;)
    Aleksandr Matrosov
    matrosov@eset.sk
    @matrosov
    Eugene Rodionov
    rodionov@eset.sk
    @vxradius
  • The “Best Reverser” contest has already started!
    • Register at the contest booth
    • Download crackmephd.esetnod32.ru
    • Send the keys and a brief description of the solving process by email: phd@esetnod32.ru
    • Win prizes:
    Amazon Kindle DX
    Amazon Kindle 3 Wi-Fi
    ESET Smart Security (3 years)