Defeating x64: The Evolution of the TDL Rootkit

Alex Matrosov
Alex MatrosovPrincipal REsearch Scientist at Cylance Inc.
Defeating x64: The Evolution of the TDL Rootkit Aleksandr Matrosov Eugene Rodionov
Who we are?  Malware researchers at ESET - rootkits analysis - developing cleaning tools - tracking new rootkit techniques - research cybercrime groups http://www.joineset.com/
Agenda  Evolution of TDL rootkits  Installation on x86 vs. x64  TDL bootkit or how to bypass driver signature check  How to debug bootkit with Bochs emulator  Kernel-mode hooks  TDL hidden file system layout  Payload injection  TdlFsReader as a forensic tool
Evolution of rootkits
Evolution of rootkits features x86 Dropper Rootkit bypassing HIPS/AV self-defense privilege escalation surviving reboot installing rootkit driver Kernel mode injecting payload User mode
Evolution of rootkits features x86 x64 Dropper Rootkit Rootkit bypassing HIPS/AV self-defense self-defense privilege escalation surviving reboot surviving reboot installing rootkit bypassing signature driver injecting payload check Rootkit bypassing MS PatchGuard Kernel mode User mode injecting payload
Obstacles for 64-bit rootkits o Kernel-Mode Code Signing Policy  It is “difficult” to load unsigned kernel-mode driver o Kernel-Mode Patch Protection (Patch Guard):  SSDT (System Service Dispatch Table)  IDT (Interrupt Descriptor Table)  GDT ( Global Descriptor Table)  MSRs (Model Specific Registers)
Evolution of TDL rootkits TDL3/TDL3+ TDL4 Kernel-mode code Base independent piece of PE image in the hidden representation code in hidden file system file system Surviving after reboot Infecting disk Infecting MBR of the disk miniport/random kernel-mode driver Self-defense Kernel-mode hooks, registry Kernel-mode hooks, MBR monitoring monitoring Injecting payload into tdlcmd.dll cmd.dll/cmd64.dll processes in the system x64 support   Complexity  
Evolution of TDL rootkits TDL3/TDL3+ TDL4 Bypassing HIPS AddPrintProcessor AddPrintProvidor, AddPrintProvidor ZwConnectPort Privilege Escalation  MS10-092 Installation mechanism by loading kernel-mode driver by loading kernel-mode driver overwriting MBR of the disk Number of installed 4 10 modules
Installation on x86 vs. x64
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Installation stages exploit payload dropper rootkit
Dropped modules Dropped modules Description mbr original contents of the infected hard drive boot sector ldr16 16-bit real-mode loader code ldr32 fake kdcom.dll for x86 systems ldr64 fake kdcom.dll for x64 systems drv32 the main bootkit driver for x86 systems drv64 the main bootkit driver for x64 systems cmd.dll payload to inject into 32-bit processes cmd64.dll payload to inject into 64-bit processes cfg.ini configuration information bckfg.tmp encrypted list of C&C URLs
Installation on x86 Adjust fail SeLoadDriver success privilege Copy itself into Check OS WinXP Vista/Win7 PrintProcessor version director Set IMAGE_FILE_DLL Exploitation success flag in the PE header Fail fail install MS10-092 Copy itself into Call %TMP% directory AddPrintProvidorW API Create Call manifest requesting DeletePrintProvidorW admin privilege API Call ShellExecute
Installation on x64 Prepare hidden FS image Write FS image, fail patch MBR and Adjust success SE_SHUTDOWN_PRIVILEGE Exploitation success MS10-092 fail Call ZwRaiseHardError to create BSOD Copy itself into %TMP% directory Restart Dropper Create manifest requesting admin privilege Call success ShellExecute Report to C&C fail
TDL bootkit or how to bypass driver signature check
Types of integrity checks o PnP Device Installation Signing Requirements o Kernel-Mode Code Signing Policy Enforced on 64-bit version of Windows Vista and later versions 64-bit Windows Vista and 32-bit Windows Vista later and later Boot-start driver   Non boot-start PnP driver   Non boot-start, non-PnP driver   (except stream protected media drivers)
Subverting KMCSP o Abusing vulnerable signed legitimate kernel-mode driver o Switching off kernel-mode code signing checks by altering BCD data: abusing WinPe Mode disabling signing check patching Bootmgr and OS loader
Boot process of Windows OS real mode real mode Load MBR Load MBR real mode real mode Load VBR Load VBR real mode/ real mode/ protected mode protected mode Load Load ntldr bootmgr real mode/ Load kernel Load protected mode and boot winload.exe or start drivers winresume.exe Load kernel Boot Process of pre Boot Process of post and boot Windows Vista OS Windows Vista OS start drivers MBR – Master Boot Record VBR – Volume Boot Record
Code integrity check Non boot-start OS kernel kernel-mode drivers OS kernel Bootmgr OS loader dependencies Boot-start drivers
Boot Configuration Data (BCD) BCD BCD BCD Object1 Object2 BCD BCD BCD Element1 Element2 Element3 Windows boot Inheritable manager Windows boot BCD Object Application loader Device Ntldr
BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
Abusing Win PE mode: TDL4 modules Module name Description mbr (infected) infected MBR loads ldr16 module and restores original MBR in memory ldr16 hooks 13h interrupt to disable KMCSP and substitute kdcom.dll with ldr32 or ldr64 ldr32 reads TDL4’s kernel-mode driver from hidden file system and maps it into kernel-mode address space ldr64 implementation of ldr32 module functionality for 64-bit OS int 13h – service provided by BIOS to communicate to IDE HDD controller
Abusing Win PE mode: workflow Load infected MBR Continue kernel Infected mbr is initialization loaded and executed Load ”drv32” Call or “drv64" Load “ldr16” from KdDebuggerInitialize1 hidden file system “ldr16” is from loaded kdcom.dll loaded and executed substitute Hook BIOS int 13h kdcom.dll Load ntoskrnl.exe, with”ldr32” handler and hal.dll,kdcom.dll,b or “ldr64" restore original Original mbr is ootvid.dll ant etc MBR loaded and executed distrort /MININT option Load VBR Load winload.exe VBR is loaded and executed Substitute EmsEnabled option with WinPe Load bootmgr read bcd Bootmgr is loaded and executed
MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
Bypassing KMCSP: another attempt Patch Bootmgr and OS loader (winload.exe) to disable KMCSP:
Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity
Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity
Debugging the bootkit with Bochs
Bochs support starting from IDA 5.5
•DEMO
Kernel-mode hooks
Storage Device Stack Disk PDO Disk PDO (Partition 1) (Partition 2) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO driver object (Partition 0) Hard drive Disk Lower Lower Filter Filter driver object Hard drive port/miniport Disk PDO driver object
Stealing Miniport Driver Object Disk PDO Disk PDO (Partition 1) (Partition 1) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO Before Infection driver object (Partition 0) After Infection Hard drive Disk Lower Lower Filter Filter driver object Hard drive Fake port/miniport Disk PDO driver object TDL4 “Real” driver object Disk PDO Stolen Objects
Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
Filtering Disk Read/Write Requests o Filtered requests:  IOCTL_ATA_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH;  IRP_MJ_INTERNAL_DEVICE_CONTROL o To protect:  Infected MBR;  Hidden file system from being read or overwritten SCSI request block Bootkit driver hooks Infected MBR or hidden file Otherwise system is read/written Bootkit driver: Bootkit driver: Counterfeit data and call corresponding complete request miniport’s handler
TDL hidden file system
TDL’s hidden storage o Reserve space in the end of the hard drive (not visible at file system level analysis) o Encrypted contents (stream cipher: RC4, XOR-ing) o Implemented as a hidden volume in the system o Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
TDL3/TDL3+ Rootkit Device Stack TDL3 Driver object DeviceXXXXXXXX TDL3 Physical device object DriverObject ... XXXXXXXX – random 8-character ASCII string ?globalrootdeviceXXXXXXXXYYYYYYYYfile_name - for user-mode components deviceXXXXXXXXYYYYYYYYfile_name – for kernel-mode components
TDL4 Device Stack DriverPnpManager TDL4 Driver object Driver object DeviceXXXXXXXX Unnamed TDL4 Volume TDL4 Physical device object device object DriverObject DriverObject ... Vpb ... ... Volume parameter block DeviceObject RealDevice XXXXXXXX – random 32-bit hexadecimal integer
TDL4 File System Layout One One Variable length Not more than 8 Mb sector sector Infected MBR Disk partitions TDL4 Hidden FS Growth direction
Payload injection
Injecting payload into target process Process1 Process2 Process3 ProcessN Payload1 Payload2 Payload3 PayloadN user-mode kernel-mode TDL4 driver TDL4 hidden storage Payload1 Payload2 Payload3 PayloadN
Injecting workflow Set Exit from work item ImageLoadNotifyRoutine On loading kernel32.dll Go back in the context of System process Queue special kernel-mode Detach from target process APC Initialize IAT and call payload’s entry point In the context of the target process Queue user-mode APC Queue work item Allocate user-mode buffer with code In the context of System process and path to the payload Attach to target process Map image of the payload In the context of the target process
TDL4 cleaning approach
How to remove TDL o Defeat self defense:  Disable WORK_ITEM checking infected MBR and kernel-mode hooks  Remove hooks of storage miniport device object o Restore original MBR
Debugging bootkit with WinDbg
WinDbg and kdcom.dll KdDebuggerInitialize1 RETURN_STATUS Data packet KdSendPacket RETURN_CONTROL Data Packet KdReceivePacket KD_RECV_CODE_OK
TDL4 and kdcom.dll
TDL4 and kdcom.dll
How to debug TDL4 with WinDbg o Patch ldr16 to disable kdcom.dll substitution o Reboot the system and attach to it with WinDbg oManually load drv32/drv64 “TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf
TdlFsReader as a forensic tool
TdlFsReader as a forensic tool
TdlFsReader architecture TdlFileReader TdlFsRecognizer TdlFsDecryptor User mode Kernel mode TdlSelfDefenceDisabler LowLevelHddReader
TdlFsReader architecture TdlFsRecognizer TdlFsDecryptor FsCheckVersion TdlCheckVersion FsStructureParser TdlDecryptor TdlSelfDefenceDisabler TdlUnHooker HddBlockReader
•DEMO
Conclusion o Win64/Olmarik (TDL4) is the first widely spread rootkit targeting Win x64 o Return to old-school techniques of infecting MBR o The only possible way of debugging bootkit is to use emulators (Bochs, QEMU) o TDL4 is highly resistant to forensic analysis o TdlFsReader will be shared amongst malware researchers
References  “The Evolution of TDL: Conquering x64” http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf  “Rooting about in TDSS” http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf  “TDL3: The Rootkit of All Evil?” http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf  Follow ESET Threat Blog http://blog.eset.com
Questions
Thank you for your attention ;) Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius
1 of 65

Defeating x64: The Evolution of the TDL Rootkit

Download to read offline
Technology

n this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik) which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system, in which to store its malicious components. Between its first appearance on the malware scene and the present its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; tne recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.

Alex Matrosov
Alex MatrosovPrincipal REsearch Scientist at Cylance Inc.

Recommended

Defeating x64: Modern Trends of Kernel-Mode Rootkits by
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
4.3K views59 slides
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy by
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
2.7K views38 slides
Smartcard vulnerabilities in modern banking malware by
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
1.7K views63 slides
Bootkits: past, present & future by
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
2.2K views44 slides
Win32/Duqu: involution of Stuxnet by
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
1.9K views15 slides
Проведение криминалистической экспертизы и анализа руткит-программ на примере... by
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
1.1K views60 slides

More Related Content

What's hot

Genode Architecture by
Genode ArchitectureGenode Architecture
Genode ArchitectureVasily Sartakov
1K views58 slides
Genode Compositions by
Genode CompositionsGenode Compositions
Genode CompositionsVasily Sartakov
1.1K views63 slides
Genode Components by
Genode ComponentsGenode Components
Genode ComponentsVasily Sartakov
926 views55 slides
101 1.2 boot the system by
101 1.2 boot the system101 1.2 boot the system
101 1.2 boot the systemAcácio Oliveira
239 views18 slides
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012) by
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)Matthias Brugger
10.9K views31 slides
Android Custom Kernel/ROM design by
Android Custom Kernel/ROM designAndroid Custom Kernel/ROM design
Android Custom Kernel/ROM designMuhammad Najmi Ahmad Zabidi
5.5K views45 slides

What's hot(20)

Genode Architecture by Vasily Sartakov
Genode ArchitectureGenode Architecture
Genode Architecture
Vasily Sartakov1K views
Genode Compositions by Vasily Sartakov
Genode CompositionsGenode Compositions
Genode Compositions
Vasily Sartakov1.1K views
Genode Components by Vasily Sartakov
Genode ComponentsGenode Components
Genode Components
Vasily Sartakov926 views
101 1.2 boot the system by Acácio Oliveira
101 1.2 boot the system101 1.2 boot the system
101 1.2 boot the system
Acácio Oliveira239 views
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012) by Matthias Brugger
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
Matthias Brugger10.9K views
Android Custom Kernel/ROM design by Muhammad Najmi Ahmad Zabidi
Android Custom Kernel/ROM designAndroid Custom Kernel/ROM design
Android Custom Kernel/ROM design
Muhammad Najmi Ahmad Zabidi5.5K views
Upgrade Ubuntu 18.04 Security with Secureboot by Jonathan MICHEL-VILLAZ
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with Secureboot
Jonathan MICHEL-VILLAZ130 views
Init of Android by Tetsuyuki Kobayashi
Init of AndroidInit of Android
Init of Android
Tetsuyuki Kobayashi2.3K views
Android crash debugging by Ashish Agrawal
Android crash debuggingAndroid crash debugging
Android crash debugging
Ashish Agrawal49.3K views
Workshop su Android Kernel Hacking by Develer S.r.l.
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
Develer S.r.l.2.5K views
Android Boot Time Optimization by Kan-Ru Chen
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
Kan-Ru Chen13.1K views
Hunting malware with volatility v2.0 by Frank Boldewin
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
Frank Boldewin1.7K views
LCA13: Android Kernel Upstreaming: Overview & Status by Linaro
LCA13: Android Kernel Upstreaming: Overview & StatusLCA13: Android Kernel Upstreaming: Overview & Status
LCA13: Android Kernel Upstreaming: Overview & Status
Linaro1.4K views
Hunting rootkits with windbg by Frank Boldewin
Hunting rootkits with windbgHunting rootkits with windbg
Hunting rootkits with windbg
Frank Boldewin1.9K views
Kernel_Crash_Dump_Analysis by Buland Singh
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
Buland Singh1.9K views
[ArabBSD] Unix Basics by Mohammed Farrag
[ArabBSD] Unix Basics[ArabBSD] Unix Basics
[ArabBSD] Unix Basics
Mohammed Farrag1K views
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu... by Nicolas Collery
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Nicolas Collery52 views
Changes by Yhorledy Cardenas
ChangesChanges
Changes
Yhorledy Cardenas311 views
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections by NoSuchCon
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NoSuchCon624 views
Lecture2 process structure and programming by Mohammed Farrag
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programming
Mohammed Farrag898 views

Viewers also liked

HexRaysCodeXplorer: make object-oriented RE easier by
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
2.6K views27 slides
Modern malware techniques for attacking RBS systems in Russia by
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
2.9K views54 slides
Festi botnet analysis and investigation by
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
1.4K views53 slides
Reconstructing Gapz: Position-Independent Code Analysis Problem by
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
4.6K views89 slides
Advanced Evasion Techniques by Win32/Gapz by
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
4.4K views65 slides
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon by
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
2.1K views81 slides

Viewers also liked(14)

HexRaysCodeXplorer: make object-oriented RE easier by Alex Matrosov
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov2.6K views
Modern malware techniques for attacking RBS systems in Russia by Alex Matrosov
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov2.9K views
Festi botnet analysis and investigation by Alex Matrosov
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov1.4K views
Reconstructing Gapz: Position-Independent Code Analysis Problem by Alex Matrosov
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov4.6K views
Advanced Evasion Techniques by Win32/Gapz by Alex Matrosov
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov4.4K views
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon by Alex Matrosov
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov2.1K views
BERserk: New RSA Signature Forgery Attack by Alex Matrosov
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov2.6K views
Object Oriented Code RE with HexraysCodeXplorer by Alex Matrosov
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov2.8K views
42054960 by andres castillo
4205496042054960
42054960
andres castillo147 views
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky by CODE BLUE
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE36.1K views
Win32/Flamer: Reverse Engineering and Framework Reconstruction by Alex Matrosov
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov2.4K views
HexRaysCodeXplorer: object oriented RE for fun and profit by Alex Matrosov
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
Alex Matrosov2.8K views
Моделирование угроз для BIOS и UEFI by Aleksey Lukatskiy
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
Aleksey Lukatskiy8.2K views
Secret of Intel Management Engine by Igor Skochinsky by CODE BLUE
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
CODE BLUE177.4K views

Similar to Defeating x64: The Evolution of the TDL Rootkit

Kernel Mode Threats and Practical Defenses by
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesPriyanka Aash
653 views52 slides
Joanna Rutkowska Subverting Vista Kernel by
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernelguestf1a032
1.2K views53 slides
淺談探索 Linux 系統設計之道 by
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 National Cheng Kung University
11.2K views91 slides
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs... by
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...DefconRussia
1.3K views54 slides
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ... by
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld
4.7K views60 slides
Security Challenges of Antivirus Engines, Products and Systems by
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
1.1K views41 slides

Similar to Defeating x64: The Evolution of the TDL Rootkit(20)

Kernel Mode Threats and Practical Defenses by Priyanka Aash
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
Priyanka Aash653 views
Joanna Rutkowska Subverting Vista Kernel by guestf1a032
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
guestf1a0321.2K views
淺談探索 Linux 系統設計之道 by National Cheng Kung University
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
National Cheng Kung University11.2K views
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs... by DefconRussia
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
DefconRussia1.3K views
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ... by VMworld
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld4.7K views
Security Challenges of Antivirus Engines, Products and Systems by Antiy Labs
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
Antiy Labs1.1K views
Docker at the gate by Tony Deng
Docker at the gateDocker at the gate
Docker at the gate
Tony Deng214 views
Smartcard Vulnerabilities In Modern Banking Malwaremalware by Positive Hack Days
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Positive Hack Days909 views
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht by Felipe Prado
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
Felipe Prado126 views
Bootkits: Past, Present & Future - Virus Bulletin by ESET
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
ESET16.4K views
Building by Satpal Parmar
BuildingBuilding
Building
Satpal Parmar1.5K views
4 implementation by hanmya
4 implementation4 implementation
4 implementation
hanmya404 views
Malware Analysis and Defeating using Virtual Machines by intertelinvestigations
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
intertelinvestigations1.4K views
The Container Security Checklist by LibbySchulze
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
LibbySchulze193 views
[HackInTheBox] Breaking virtualization by any means by Moabi.com
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
Moabi.com2.1K views
Windows 2008 R2 Virtualization by Eduardo Castro
Windows 2008 R2 VirtualizationWindows 2008 R2 Virtualization
Windows 2008 R2 Virtualization
Eduardo Castro1.4K views
Security best practices for hyper v and server virtualisation [svr307] by Louis Göhl
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]
Louis Göhl1.8K views
Hadoop: Code Injection, Distributed Fault Injection by Cloudera, Inc.
Hadoop: Code Injection, Distributed Fault InjectionHadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault Injection
Cloudera, Inc.2.8K views
Security on a Container Platform by All Things Open
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
All Things Open726 views
Linux device driver by chatsiri
Linux device driverLinux device driver
Linux device driver
chatsiri1.1K views

Recently uploaded

SUPPLIER SOURCING.pptx by
SUPPLIER SOURCING.pptxSUPPLIER SOURCING.pptx
SUPPLIER SOURCING.pptxangelicacueva6
16 views1 slide
Mini-Track: Challenges to Network Automation Adoption by
Mini-Track: Challenges to Network Automation AdoptionMini-Track: Challenges to Network Automation Adoption
Mini-Track: Challenges to Network Automation AdoptionNetwork Automation Forum
13 views27 slides
PRODUCT LISTING.pptx by
PRODUCT LISTING.pptxPRODUCT LISTING.pptx
PRODUCT LISTING.pptxangelicacueva6
14 views1 slide
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveNetwork Automation Forum
34 views35 slides
Democratising digital commerce in India-Report by
Democratising digital commerce in India-ReportDemocratising digital commerce in India-Report
Democratising digital commerce in India-ReportKapil Khandelwal (KK)
18 views161 slides
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
11 views29 slides

Recently uploaded(20)

SUPPLIER SOURCING.pptx by angelicacueva6
SUPPLIER SOURCING.pptxSUPPLIER SOURCING.pptx
SUPPLIER SOURCING.pptx
angelicacueva616 views
Mini-Track: Challenges to Network Automation Adoption by Network Automation Forum
Mini-Track: Challenges to Network Automation AdoptionMini-Track: Challenges to Network Automation Adoption
Mini-Track: Challenges to Network Automation Adoption
Network Automation Forum13 views
PRODUCT LISTING.pptx by angelicacueva6
PRODUCT LISTING.pptxPRODUCT LISTING.pptx
PRODUCT LISTING.pptx
angelicacueva614 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum34 views
Democratising digital commerce in India-Report by Kapil Khandelwal (KK)
Democratising digital commerce in India-ReportDemocratising digital commerce in India-Report
Democratising digital commerce in India-Report
Kapil Khandelwal (KK)18 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc11 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
IttrainingIttraining58 views
Serverless computing with Google Cloud (2023-24) by wesley chun
Serverless computing with Google Cloud (2023-24)Serverless computing with Google Cloud (2023-24)
Serverless computing with Google Cloud (2023-24)
wesley chun11 views
Zero to Automated in Under a Year by Network Automation Forum
Zero to Automated in Under a YearZero to Automated in Under a Year
Zero to Automated in Under a Year
Network Automation Forum15 views
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
Jasper Oosterveld19 views
NET Conf 2023 Recap by Lee Richardson
NET Conf 2023 RecapNET Conf 2023 Recap
NET Conf 2023 Recap
Lee Richardson10 views
Scaling Knowledge Graph Architectures with AI by Enterprise Knowledge
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AI
Enterprise Knowledge38 views
virtual reality.pptx by G036GaikwadSnehal
virtual reality.pptxvirtual reality.pptx
virtual reality.pptx
G036GaikwadSnehal14 views
Ransomware is Knocking your Door_Final.pdf by Security Bootcamp
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
Security Bootcamp59 views
Network Source of Truth and Infrastructure as Code revisited by Network Automation Forum
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisited
Network Automation Forum27 views
Info Session November 2023.pdf by AleksandraKoprivica4
Info Session November 2023.pdfInfo Session November 2023.pdf
Info Session November 2023.pdf
AleksandraKoprivica413 views
Business Analyst Series 2023 - Week 3 Session 5 by DianaGray10
Business Analyst Series 2023 - Week 3 Session 5Business Analyst Series 2023 - Week 3 Session 5
Business Analyst Series 2023 - Week 3 Session 5
DianaGray10300 views
Vertical User Stories by Moisés Armani Ramírez
Vertical User StoriesVertical User Stories
Vertical User Stories
Moisés Armani Ramírez14 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson92 views
6g - REPORT.pdf by Liveplex
6g - REPORT.pdf6g - REPORT.pdf
6g - REPORT.pdf
Liveplex10 views

Defeating x64: The Evolution of the TDL Rootkit

  • 1. Defeating x64: The Evolution of the TDL Rootkit Aleksandr Matrosov Eugene Rodionov
  • 2. Who we are?  Malware researchers at ESET - rootkits analysis - developing cleaning tools - tracking new rootkit techniques - research cybercrime groups http://www.joineset.com/
  • 3. Agenda  Evolution of TDL rootkits  Installation on x86 vs. x64  TDL bootkit or how to bypass driver signature check  How to debug bootkit with Bochs emulator  Kernel-mode hooks  TDL hidden file system layout  Payload injection  TdlFsReader as a forensic tool
  • 5. Evolution of rootkits features x86 Dropper Rootkit bypassing HIPS/AV self-defense privilege escalation surviving reboot installing rootkit driver Kernel mode injecting payload User mode
  • 6. Evolution of rootkits features x86 x64 Dropper Rootkit Rootkit bypassing HIPS/AV self-defense self-defense privilege escalation surviving reboot surviving reboot installing rootkit bypassing signature driver injecting payload check Rootkit bypassing MS PatchGuard Kernel mode User mode injecting payload
  • 7. Obstacles for 64-bit rootkits o Kernel-Mode Code Signing Policy  It is “difficult” to load unsigned kernel-mode driver o Kernel-Mode Patch Protection (Patch Guard):  SSDT (System Service Dispatch Table)  IDT (Interrupt Descriptor Table)  GDT ( Global Descriptor Table)  MSRs (Model Specific Registers)
  • 8. Evolution of TDL rootkits TDL3/TDL3+ TDL4 Kernel-mode code Base independent piece of PE image in the hidden representation code in hidden file system file system Surviving after reboot Infecting disk Infecting MBR of the disk miniport/random kernel-mode driver Self-defense Kernel-mode hooks, registry Kernel-mode hooks, MBR monitoring monitoring Injecting payload into tdlcmd.dll cmd.dll/cmd64.dll processes in the system x64 support   Complexity  
  • 9. Evolution of TDL rootkits TDL3/TDL3+ TDL4 Bypassing HIPS AddPrintProcessor AddPrintProvidor, AddPrintProvidor ZwConnectPort Privilege Escalation  MS10-092 Installation mechanism by loading kernel-mode driver by loading kernel-mode driver overwriting MBR of the disk Number of installed 4 10 modules
  • 13. Installation stages exploit payload dropper rootkit
  • 14. Dropped modules Dropped modules Description mbr original contents of the infected hard drive boot sector ldr16 16-bit real-mode loader code ldr32 fake kdcom.dll for x86 systems ldr64 fake kdcom.dll for x64 systems drv32 the main bootkit driver for x86 systems drv64 the main bootkit driver for x64 systems cmd.dll payload to inject into 32-bit processes cmd64.dll payload to inject into 64-bit processes cfg.ini configuration information bckfg.tmp encrypted list of C&C URLs
  • 15. Installation on x86 Adjust fail SeLoadDriver success privilege Copy itself into Check OS WinXP Vista/Win7 PrintProcessor version director Set IMAGE_FILE_DLL Exploitation success flag in the PE header Fail fail install MS10-092 Copy itself into Call %TMP% directory AddPrintProvidorW API Create Call manifest requesting DeletePrintProvidorW admin privilege API Call ShellExecute
  • 16. Installation on x64 Prepare hidden FS image Write FS image, fail patch MBR and Adjust success SE_SHUTDOWN_PRIVILEGE Exploitation success MS10-092 fail Call ZwRaiseHardError to create BSOD Copy itself into %TMP% directory Restart Dropper Create manifest requesting admin privilege Call success ShellExecute Report to C&C fail
  • 17. TDL bootkit or how to bypass driver signature check
  • 18. Types of integrity checks o PnP Device Installation Signing Requirements o Kernel-Mode Code Signing Policy Enforced on 64-bit version of Windows Vista and later versions 64-bit Windows Vista and 32-bit Windows Vista later and later Boot-start driver   Non boot-start PnP driver   Non boot-start, non-PnP driver   (except stream protected media drivers)
  • 19. Subverting KMCSP o Abusing vulnerable signed legitimate kernel-mode driver o Switching off kernel-mode code signing checks by altering BCD data: abusing WinPe Mode disabling signing check patching Bootmgr and OS loader
  • 20. Boot process of Windows OS real mode real mode Load MBR Load MBR real mode real mode Load VBR Load VBR real mode/ real mode/ protected mode protected mode Load Load ntldr bootmgr real mode/ Load kernel Load protected mode and boot winload.exe or start drivers winresume.exe Load kernel Boot Process of pre Boot Process of post and boot Windows Vista OS Windows Vista OS start drivers MBR – Master Boot Record VBR – Volume Boot Record
  • 21. Code integrity check Non boot-start OS kernel kernel-mode drivers OS kernel Bootmgr OS loader dependencies Boot-start drivers
  • 22. Boot Configuration Data (BCD) BCD BCD BCD Object1 Object2 BCD BCD BCD Element1 Element2 Element3 Windows boot Inheritable manager Windows boot BCD Object Application loader Device Ntldr
  • 23. BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
  • 24. BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
  • 25. Abusing Win PE mode: TDL4 modules Module name Description mbr (infected) infected MBR loads ldr16 module and restores original MBR in memory ldr16 hooks 13h interrupt to disable KMCSP and substitute kdcom.dll with ldr32 or ldr64 ldr32 reads TDL4’s kernel-mode driver from hidden file system and maps it into kernel-mode address space ldr64 implementation of ldr32 module functionality for 64-bit OS int 13h – service provided by BIOS to communicate to IDE HDD controller
  • 26. Abusing Win PE mode: workflow Load infected MBR Continue kernel Infected mbr is initialization loaded and executed Load ”drv32” Call or “drv64" Load “ldr16” from KdDebuggerInitialize1 hidden file system “ldr16” is from loaded kdcom.dll loaded and executed substitute Hook BIOS int 13h kdcom.dll Load ntoskrnl.exe, with”ldr32” handler and hal.dll,kdcom.dll,b or “ldr64" restore original Original mbr is ootvid.dll ant etc MBR loaded and executed distrort /MININT option Load VBR Load winload.exe VBR is loaded and executed Substitute EmsEnabled option with WinPe Load bootmgr read bcd Bootmgr is loaded and executed
  • 27. MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
  • 28. MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
  • 29. MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
  • 30. Bypassing KMCSP: another attempt Patch Bootmgr and OS loader (winload.exe) to disable KMCSP:
  • 31. Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity
  • 32. Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity
  • 33. Debugging the bootkit with Bochs
  • 34. Bochs support starting from IDA 5.5
  • 37. Storage Device Stack Disk PDO Disk PDO (Partition 1) (Partition 2) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO driver object (Partition 0) Hard drive Disk Lower Lower Filter Filter driver object Hard drive port/miniport Disk PDO driver object
  • 38. Stealing Miniport Driver Object Disk PDO Disk PDO (Partition 1) (Partition 1) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO Before Infection driver object (Partition 0) After Infection Hard drive Disk Lower Lower Filter Filter driver object Hard drive Fake port/miniport Disk PDO driver object TDL4 “Real” driver object Disk PDO Stolen Objects
  • 39. Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
  • 40. Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
  • 41. Filtering Disk Read/Write Requests o Filtered requests:  IOCTL_ATA_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH;  IRP_MJ_INTERNAL_DEVICE_CONTROL o To protect:  Infected MBR;  Hidden file system from being read or overwritten SCSI request block Bootkit driver hooks Infected MBR or hidden file Otherwise system is read/written Bootkit driver: Bootkit driver: Counterfeit data and call corresponding complete request miniport’s handler
  • 42. TDL hidden file system
  • 43. TDL’s hidden storage o Reserve space in the end of the hard drive (not visible at file system level analysis) o Encrypted contents (stream cipher: RC4, XOR-ing) o Implemented as a hidden volume in the system o Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
  • 44. TDL3/TDL3+ Rootkit Device Stack TDL3 Driver object DeviceXXXXXXXX TDL3 Physical device object DriverObject ... XXXXXXXX – random 8-character ASCII string ?globalrootdeviceXXXXXXXXYYYYYYYYfile_name - for user-mode components deviceXXXXXXXXYYYYYYYYfile_name – for kernel-mode components
  • 45. TDL4 Device Stack DriverPnpManager TDL4 Driver object Driver object DeviceXXXXXXXX Unnamed TDL4 Volume TDL4 Physical device object device object DriverObject DriverObject ... Vpb ... ... Volume parameter block DeviceObject RealDevice XXXXXXXX – random 32-bit hexadecimal integer
  • 46. TDL4 File System Layout One One Variable length Not more than 8 Mb sector sector Infected MBR Disk partitions TDL4 Hidden FS Growth direction
  • 48. Injecting payload into target process Process1 Process2 Process3 ProcessN Payload1 Payload2 Payload3 PayloadN user-mode kernel-mode TDL4 driver TDL4 hidden storage Payload1 Payload2 Payload3 PayloadN
  • 49. Injecting workflow Set Exit from work item ImageLoadNotifyRoutine On loading kernel32.dll Go back in the context of System process Queue special kernel-mode Detach from target process APC Initialize IAT and call payload’s entry point In the context of the target process Queue user-mode APC Queue work item Allocate user-mode buffer with code In the context of System process and path to the payload Attach to target process Map image of the payload In the context of the target process
  • 51. How to remove TDL o Defeat self defense:  Disable WORK_ITEM checking infected MBR and kernel-mode hooks  Remove hooks of storage miniport device object o Restore original MBR
  • 53. WinDbg and kdcom.dll KdDebuggerInitialize1 RETURN_STATUS Data packet KdSendPacket RETURN_CONTROL Data Packet KdReceivePacket KD_RECV_CODE_OK
  • 56. How to debug TDL4 with WinDbg o Patch ldr16 to disable kdcom.dll substitution o Reboot the system and attach to it with WinDbg oManually load drv32/drv64 “TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf
  • 57. TdlFsReader as a forensic tool
  • 58. TdlFsReader as a forensic tool
  • 59. TdlFsReader architecture TdlFileReader TdlFsRecognizer TdlFsDecryptor User mode Kernel mode TdlSelfDefenceDisabler LowLevelHddReader
  • 60. TdlFsReader architecture TdlFsRecognizer TdlFsDecryptor FsCheckVersion TdlCheckVersion FsStructureParser TdlDecryptor TdlSelfDefenceDisabler TdlUnHooker HddBlockReader
  • 62. Conclusion o Win64/Olmarik (TDL4) is the first widely spread rootkit targeting Win x64 o Return to old-school techniques of infecting MBR o The only possible way of debugging bootkit is to use emulators (Bochs, QEMU) o TDL4 is highly resistant to forensic analysis o TdlFsReader will be shared amongst malware researchers
  • 63. References  “The Evolution of TDL: Conquering x64” http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf  “Rooting about in TDSS” http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf  “TDL3: The Rootkit of All Evil?” http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf  Follow ESET Threat Blog http://blog.eset.com
  • 65. Thank you for your attention ;) Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius