Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Проведение криминалистической экспертизы и анализа руткит-программ на примере Win32/Olmarik(TDL4)<br />Александр Матросов<...
Who we are?<br /><ul><li>malware researchers at ESET</li></ul>- rootkits analysis<br />- developing cleaning tools<br />- ...
План мастер-класса<br /><ul><li>Эволюция современных руткит-программ
Этапы установки на x86/x64
Буткити обход проверки подписи
Отладка буткита наэмуляторе Bochs
Хуки в режиме ядра
 Отладка с использованием WinDbg
Файловая система TDL4
TdlFsReader, как инструмент криминалистической экспертизы</li></li></ul><li> Evolution of rootkits<br />
 Evolution of rootkits functionality<br />x86<br />x64<br />Dropper<br />Rootkit<br />Rootkit<br />Rootkit<br />bypass HIP...
64-bit OS rootkit<br /><ul><li>Kernel-Mode Code Signing Policy
It is difficult to load unsigned kernel-mode driver
Kernel-Mode Patch Protection (Patch Guard):
 SSDT (System Service Dispatch Table)
 IDT (Interrupt Descriptor Table)
 GDT ( Global Descriptor Table)
MSRs (Model Specific Registers)</li></li></ul><li> Evolution of TDL rootkits<br />
 Evolution of TDL rootkits<br />
 Installation x86/x64<br />
Installation stages<br />exploit<br />payload<br />dropper<br />rootkit<br />
Dropper layouts<br />
Dropped modules<br />
Installation x86<br />
Installation x64<br />
Bootkit and bypassing driver signature check<br />
Types of integrity checks<br /><ul><li>PnP Device Installation Signing Requirements
 Kernel-Mode Code Signing Policy
 Enforced on 64-bit version of Windows Vista and later versions</li></li></ul><li>Kernel-mode Code Signing Policy Enforcem...
Boot process of Windows OS<br />
Code integrity check<br />
Boot Configuration Data (BCD)<br />
BCD Example<br />
BCD Elements controlling KMCSP <br />(before KB2506014)<br />
Subverting KMCSP<br /><ul><li> Abusing vulnerable signed legitimate kernel-mode driver
 Switch off kernel-mode code signing checks by altering BCD data:
 abuse WinPeMode
 disable signing check
 patch Bootmgr and OS loader</li></li></ul><li>Abusing Win PE mode: TDL4 modules<br />int 13h – service provided by BIOS t...
Abusing Win PE mode: workflow<br />
MS Patch (KB2506014)<br /><ul><li>BcdOsLoaderBoolean_WinPEMode no longer influence kernel-mode
 Size of the export directory of kdcom.dllhas been changed</li></li></ul><li>Bypassing KMCSP: another attempt<br />Patch b...
Bypassing KMCSP: Result<br />Bootmgr fails to verify OS loader’s integrity<br />MS10-015<br />kill TDL3 <br />
Debugging bootkit with Bochs<br />
Bochs support starting from IDA 5.5<br />
DEMO<br />
Kernel-mode hooks<br />
Stealing Miniport Driver Object<br />Before Infection<br />After Infection<br />
Stealing Miniport Device Object<br />
Filtering Disk Read/Write Requests<br /><ul><li> Filtered requests:
IOCTL_ATA_PASS_THROUGH_DIRECT
IOCTL_ATA_PASS_THROUGH;
IRP_MJ_INTERNAL_DEVICE_CONTROL
 To protect:
Infected MBR;
Hidden file system from being read or overwritten</li></li></ul><li>Debugging bootkit with WinDbg<br />
WinDbg and kdcom.dll<br />WinDbg<br />KDCOM.DLL<br />NTOSKRNL<br />KdDebuggerInitialize<br />RETURN_STATUS<br />Data packe...
TDL4 and kdcom.dll<br />original call<br />fake call<br />
TDL4 and kdcom.dll<br />original export table<br />fake export table<br />
Upcoming SlideShare
Loading in …5
×

Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4

6,068 views

Published on

В рамках мастер-класса будет рассмотрены следующие вопросы:
методы внедрения и работы руткита TDL4;
инструментарий и методы сбора данных для проведения криминалистической экспертизы зараженной машины;
отладка буткит-составляющей на ранней стадии загрузки системы с использованием эмулятора Bochs;
анализ зараженной машины при помощи WinDbg;
удаление руткита из системы после сбора всех необходимых данных.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4

  1. 1. Проведение криминалистической экспертизы и анализа руткит-программ на примере Win32/Olmarik(TDL4)<br />Александр Матросов<br />Евгений Родионов<br />
  2. 2. Who we are?<br /><ul><li>malware researchers at ESET</li></ul>- rootkits analysis<br />- developing cleaning tools<br />- tracking new rootkit techniques<br />- research cybercrime groups <br />http://www.joineset.com/<br />
  3. 3. План мастер-класса<br /><ul><li>Эволюция современных руткит-программ
  4. 4. Этапы установки на x86/x64
  5. 5. Буткити обход проверки подписи
  6. 6. Отладка буткита наэмуляторе Bochs
  7. 7. Хуки в режиме ядра
  8. 8. Отладка с использованием WinDbg
  9. 9. Файловая система TDL4
  10. 10. TdlFsReader, как инструмент криминалистической экспертизы</li></li></ul><li> Evolution of rootkits<br />
  11. 11. Evolution of rootkits functionality<br />x86<br />x64<br />Dropper<br />Rootkit<br />Rootkit<br />Rootkit<br />bypass HIPS and AV <br />self-defense<br />self-defense<br />privilege escalation <br />Surviving reboot<br />surviving reboot<br />bypass signature check <br />install rootkit driver <br />injecting payload<br />bypass MS PatchGuard<br />injecting payload<br />Kernel mode<br />User mode<br />
  12. 12. 64-bit OS rootkit<br /><ul><li>Kernel-Mode Code Signing Policy
  13. 13. It is difficult to load unsigned kernel-mode driver
  14. 14. Kernel-Mode Patch Protection (Patch Guard):
  15. 15. SSDT (System Service Dispatch Table)
  16. 16. IDT (Interrupt Descriptor Table)
  17. 17. GDT ( Global Descriptor Table)
  18. 18. MSRs (Model Specific Registers)</li></li></ul><li> Evolution of TDL rootkits<br />
  19. 19. Evolution of TDL rootkits<br />
  20. 20. Installation x86/x64<br />
  21. 21.
  22. 22. Installation stages<br />exploit<br />payload<br />dropper<br />rootkit<br />
  23. 23. Dropper layouts<br />
  24. 24. Dropped modules<br />
  25. 25. Installation x86<br />
  26. 26. Installation x64<br />
  27. 27. Bootkit and bypassing driver signature check<br />
  28. 28. Types of integrity checks<br /><ul><li>PnP Device Installation Signing Requirements
  29. 29. Kernel-Mode Code Signing Policy
  30. 30. Enforced on 64-bit version of Windows Vista and later versions</li></li></ul><li>Kernel-mode Code Signing Policy Enforcement<br />
  31. 31. Boot process of Windows OS<br />
  32. 32. Code integrity check<br />
  33. 33. Boot Configuration Data (BCD)<br />
  34. 34. BCD Example<br />
  35. 35. BCD Elements controlling KMCSP <br />(before KB2506014)<br />
  36. 36. Subverting KMCSP<br /><ul><li> Abusing vulnerable signed legitimate kernel-mode driver
  37. 37. Switch off kernel-mode code signing checks by altering BCD data:
  38. 38. abuse WinPeMode
  39. 39. disable signing check
  40. 40. patch Bootmgr and OS loader</li></li></ul><li>Abusing Win PE mode: TDL4 modules<br />int 13h – service provided by BIOS to communicate to IDE HDD controller<br />
  41. 41. Abusing Win PE mode: workflow<br />
  42. 42. MS Patch (KB2506014)<br /><ul><li>BcdOsLoaderBoolean_WinPEMode no longer influence kernel-mode
  43. 43. Size of the export directory of kdcom.dllhas been changed</li></li></ul><li>Bypassing KMCSP: another attempt<br />Patch bootmgr and OS loader (winload.exe) to disable KMCSP<br />
  44. 44. Bypassing KMCSP: Result<br />Bootmgr fails to verify OS loader’s integrity<br />MS10-015<br />kill TDL3 <br />
  45. 45. Debugging bootkit with Bochs<br />
  46. 46. Bochs support starting from IDA 5.5<br />
  47. 47. DEMO<br />
  48. 48. Kernel-mode hooks<br />
  49. 49. Stealing Miniport Driver Object<br />Before Infection<br />After Infection<br />
  50. 50. Stealing Miniport Device Object<br />
  51. 51. Filtering Disk Read/Write Requests<br /><ul><li> Filtered requests:
  52. 52. IOCTL_ATA_PASS_THROUGH_DIRECT
  53. 53. IOCTL_ATA_PASS_THROUGH;
  54. 54. IRP_MJ_INTERNAL_DEVICE_CONTROL
  55. 55. To protect:
  56. 56. Infected MBR;
  57. 57. Hidden file system from being read or overwritten</li></li></ul><li>Debugging bootkit with WinDbg<br />
  58. 58. WinDbg and kdcom.dll<br />WinDbg<br />KDCOM.DLL<br />NTOSKRNL<br />KdDebuggerInitialize<br />RETURN_STATUS<br />Data packet<br />KdSendPacket<br />RETURN_CONTROL<br />Data Packet<br />KdReceivePacket<br />KD_RECV_CODE_OK<br />
  59. 59. TDL4 and kdcom.dll<br />original call<br />fake call<br />
  60. 60. TDL4 and kdcom.dll<br />original export table<br />fake export table<br />
  61. 61. DEMO<br />
  62. 62. kd> !object DeviceHarddisk0 <br />Object: e1022d10 Type: (8a5e54f0) Directory <br />ObjectHeader: e1022cf8 (old version) <br />HandleCount: 1 PointerCount: 8 <br />Directory Object: e10116f0 Name: Harddisk0 <br />Hash Address Type Name <br />---- ------- ---- ---- <br />21 8a5c9ab8 Device DR0 <br />24 8a5c8c68 Device DP(1)0x7e00-0xffea9600+1 <br />33 e101abe8 SymbolicLink Partition0 <br />8a5c88a0 Device DP(2)0x1748a3fc00-0x1bf0797a00+2 <br />34 e1011258 SymbolicLink Partition1 <br />35 e101a078 SymbolicLink Partition2 <br />
  63. 63. kd> !devobj DeviceHarddisk0DR0 <br />Device object (8a5c9ab8) is for: <br />DR0 DriverDisk DriverObject 8a5cd730 <br />Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050 <br />Vpb 8a5dafa8 Dacl e101723c DevExt 8a5c9b70 DevObjExt 8a5c9fd0 Dope 8a59ff98 <br />ExtensionFlags (0000000000) <br />AttachedDevice (Upper) 8a5c9890 DriverPartMgr<br />AttachedTo (Lower) 89fd902889fd9028: is not a device object <br />
  64. 64. kd> !devstack8a5c9ab8 <br />!DevObj !DrvObj !DevExtObjectName<br />8a5c9890 DriverPartMgr 8a5c9948 <br />> 8a5c9ab8 DriverDisk 8a5c9b70 DR0 <br />Invalid type for DeviceObject 0x89fd9028 <br />
  65. 65. kd> dt _DEVICE_OBJECT 0x89fd9028 <br />ntdll!_DEVICE_OBJECT <br />+0x000 Type : 0n0 <br />+0x002 Size : 0xfb8 <br />+0x004 ReferenceCount : 0n0 <br />+0x008 DriverObject : 0x899574f0_DRIVER_OBJECT <br />+0x00c NextDevice : 0x8a5ca028 _DEVICE_OBJECT <br />+0x010 AttachedDevice : 0x8a5c9ab8 _DEVICE_OBJECT <br />+0x014 CurrentIrp : (null) <br />+0x018 Timer : (null) <br />+0x01c Flags : 0x5050 <br />+0x020 Characteristics : 0x100 <br />+0x024 Vpb : (null) <br />+0x028 DeviceExtension : 0x89fd90e0 Void <br />+0x02c DeviceType : 7 <br />
  66. 66. kd> !drvobj0x899574f0 <br />Driver object (899574f0) is for: <br />899574f0: is not a driver object <br />
  67. 67. TDL hidden file system<br />
  68. 68. TDL’s hidden storage<br /><ul><li> Reserve space in the end of the hard drive (not visible at file system level analysis)
  69. 69. Encrypted contents (stream cipher: RC4, XOR-ing)
  70. 70. Implemented as a hidden volume in the system
  71. 71. Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)</li></li></ul><li>TDL3/TDL3+ Rootkit Device Stack<br />
  72. 72. TDL4 Device Stack<br />
  73. 73. TDL4 File System Layout<br />
  74. 74. TdlFsReader, how forensic tool<br />
  75. 75. TdlFsReader, how forensic tool<br />
  76. 76. TdlFsReader architecture<br />TdlFileReader<br />TdlFsRecognizer<br />TdlFsDecryptor<br />User mode<br />Kernel mode<br />TdlSelfDefenceDisabler<br />LowLevelHddReader<br />
  77. 77. TdlFsReader architecture<br />TdlFsRecognizer<br />TdlFsDecryptor<br />FsCheckVersion<br />TdlCheckVersion<br />FsStructureParser<br />TdlDecryptor<br />TdlSelfDefenceDisabler<br />TdlUnHooker<br />HddBlockReader<br />
  78. 78. DEMO<br />
  79. 79. References<br /><ul><li> “The Evolution of TDL: Conquering x64”</li></ul>http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf<br /><ul><li> “Rooting about in TDSS”</li></ul>http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf<br /><ul><li> “TDL3: The Rootkit of All Evil?”</li></ul>http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf<br /><ul><li> Follow ESET Threat Blog</li></ul>http://blog.eset.com<br />
  80. 80. Questions<br />
  81. 81. Thank you for your attention ;)<br />AleksandrMatrosov<br />matrosov@eset.sk<br />@matrosov<br />Eugene Rodionov<br />rodionov@eset.sk<br />@vxradius<br />
  82. 82. Конкурс «Лучший реверсер» уже начался !<br /><ul><li>Нужно зарегистрироваться на стенде конкурса
  83. 83. Скачать crackmephd.esetnod32.ru
  84. 84. Прислать ключи и краткое описание процесса прохождения на email:phd@esetnod32.ru
  85. 85. Получить призы:</li></ul>Amazon Kindle DX<br />Amazon Kindle 3 Wi-Fi <br />ESET Smart Security (3 года)<br />

×