This document describes how NCC Group developed techniques to detect and enumerate port knocking hooks on Windows Server 2003 hosts that were being used by the Shell Crew malware. They reverse engineered the Windows TCPIP.SYS driver to understand how firewall hook drivers work and identified how to retrieve the list of hooked functions from memory. This allowed them to create a kernel driver and Volatility plugin to detect the hooks on live systems and memory dumps. They also implemented the port knocking protocol to develop a network scanner. Their work helped with an incident response and provided tools to analyze compromised systems.
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
1. From Problem to Solution
A Story… Leatherhead Tech Team Meeting: January 8, 2015
NCC Group Cyber Defence Operations
NCC Group Technical Security Consulting
2. Backstory….
We were dealing with the compromise of REDACTED who had been owned by Shell Crew
http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
This crew uses the Derusbi trojan family to maintain access, which supports a form of port-knocking:
3. Backstory Part II….
We wanted a way to detect their port knocking hooks on Windows Server 2003 hosts
There were no tools to enumerate these hooks
There was no documentation on how to enumerate these hooks
4. Understanding: How the hooks are done
Rarely used feature of Windows 2000, XP / Server 2003 called Firewall-Hook Drivers
http://msdn.microsoft.com/en-us/library/windows/hardware/ff546499%28v=vs.85%29.aspx
Windows Kernel driver
Sits low in the IP stack (TCPIP.SYS) on Microsoft Windows
Set by specific IOCTL - IOCTL_IP_SET_FIREWALL_HOOK
5. Understanding: How it works
Code Project Example
http://www.codeproject.com/Articles/8675/An-Adventure-How-to-implement-a-Firewall-Hook-Driv
Blog Posts
https://briolidz.wordpress.com/2011/12/20/network-traffic-filtering-technologies-for-windows/
http://kosh.la/?p=28
Windows CE 1.0 header file (ntddip.h) – it defines the IOCTL but no enumeration function
http://en.verysource.com/code/3388445_1/ntddip.h.html
6. Approach: How to enumerate
Reverse engineered TCPIP.SYS (Zsolt) to understand the hooking function
Identified where the list of hooks is set when the IOCTL is sent
Identified that the list of hooks is held in a global variable
Identified that the list is a set of function pointers to hooks in other drivers
9. Approach: How to enumerate
We now know:
The global variable is a list of function pointers into other kernel drivers
Hint: UpdateFirewallQ() walks through the Hook List (FQBlock) to see if a hook is already registered.
The Hook List location is relative to the code section of TCPIP.SYS in memory
10. Approach: How to enumerate
The Hook List location is relative to the code section of TCPIP.SYS in memory
Public Microsoft debug symbols (PDB) were a huge help in finding that offset
11. Approach: How to enumerate
So…
Find TCPIP.SYS in memory
Find its code section
Calculate memory address of Hook List
Walk list to get address of hooking functions
Work out which kernel drivers these addresses are in
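The five steps above, as an added illustration that is not NCC Group's plugin: it runs the hook-list walk and the address-to-driver mapping over a constructed 32-bit memory image. The hook-list offset from the code section, the NULL-terminated pointer-array layout and every address are assumptions for the demo; the real offset comes from the PDB and the real FQBlock layout is not described on these slides.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

class Module(NamedTuple):
    name: str
    base: int
    size: int

# Hypothetical offset of the hook list from the start of TCPIP.SYS's code
# section; on a real system this offset comes from Microsoft's public PDB.
HOOK_LIST_OFFSET_FROM_TEXT = 0x1C40

def walk_hook_list(mem: bytes, mem_base: int, list_va: int,
                   max_entries: int = 64) -> List[int]:
    """Assumed simplified layout: a NULL-terminated array of 32-bit function
    pointers (x86 Server 2003); the real FQBlock layout is not on the slides."""
    ptrs, off = [], list_va - mem_base
    for i in range(max_entries):
        entry = mem[off + 4 * i: off + 4 * i + 4]
        if len(entry) < 4:          # ran off the end of the image
            break
        (p,) = struct.unpack("<I", entry)
        if p == 0:                  # list terminator
            break
        ptrs.append(p)
    return ptrs

def owning_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Map a kernel address to the loaded driver whose image range contains it."""
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def enumerate_hooks(mem: bytes, mem_base: int, text_va: int,
                    modules: List[Module]) -> List[Tuple[int, str]]:
    """Slide steps: code section -> hook list -> function pointers -> drivers."""
    results = []
    for p in walk_hook_list(mem, mem_base, text_va + HOOK_LIST_OFFSET_FROM_TEXT):
        m = owning_module(p, modules)
        results.append((p, m.name if m else "UNKNOWN"))  # UNKNOWN: no loaded driver
    return results

def demo() -> List[Tuple[int, str]]:
    # Constructed memory image and module list; all addresses are made up.
    mem_base, text_va = 0xF0000000, 0xF0001000
    modules = [Module("tcpip.sys", 0xF0000000, 0x40000),
               Module("evil.sys", 0xF0100000, 0x8000)]
    mem = bytearray(0x3000)
    off = text_va + HOOK_LIST_OFFSET_FROM_TEXT - mem_base
    # one hook inside evil.sys, one at an address no listed driver owns, terminator
    mem[off:off + 12] = struct.pack("<III", 0xF0101234, 0xF0200000, 0)
    return enumerate_hooks(bytes(mem), mem_base, text_va, modules)
```

A pointer that resolves to no loaded driver (the "UNKNOWN" case) is the result a responder should look at first, since it points at code that is not in the module list.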
14. Implementation – RAM Dumps
Walk through the code
https://github.com/nccgroup/WindowsFirewallHookDriverEnumeration/blob/master/Volatility/fwhooks.py
15. Team Effort…
David C + Cyber Defence Operations: REDACTED incident response, malware analysis and reversing
Pete B from Exploit Development Group: malware analysis
Zsolt from Technical Security Consulting: on-host hooking enumeration technique research
16. Summary
We can enumerate what is hooking:
on live machines
on acquired RAM dumps
We released the Volatility plugin as open source
https://github.com/nccgroup/WindowsFirewallHookDriverEnumeration
But there is more….
Cyber Defence Operations (David C) & Exploit Development Group (Pete B) implemented the knocking protocol
… so we have a network scanner too!
Thanks! Questions?
Ollie Whitehouse
ollie.whitehouse@nccgroup.com