This document discusses using WinDbg for kernel debugging and analyzing rootkits. It explains that WinDbg can debug in both user-mode and kernel-mode, unlike OllyDbg which is only for user-mode. Device drivers run code in the Windows kernel and are difficult to analyze. The DriverEntry routine is called when a driver is loaded and it registers callback functions. Malware often imports functions from Ntoskrnl.exe and Hal.dll to manipulate the kernel. WinDbg commands like bp, lm, and dt are demonstrated for setting breakpoints, listing modules, and viewing structures. Symbol files from Microsoft provide function and structure names to make debugging easier.
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F18.shtml
CNIT 126 4: A Crash Course in x86 DisassemblySam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F18.shtml
CNIT 126 4: A Crash Course in x86 DisassemblySam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F18.shtml
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Beginner level presentation on Malware Identification as part of the Malware Reverse Engineering course. Learn what malware is, how it functions, how it can be detected, identified and isolated for reverse engineering. For more information about malware detection and removal visit https://www.intertel.co.za
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
I'm Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F18.shtml
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Beginner level presentation on Malware Identification as part of the Malware Reverse Engineering course. Learn what malware is, how it functions, how it can be detected, identified and isolated for reverse engineering. For more information about malware detection and removal visit https://www.intertel.co.za
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
I'm Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Haydn Shaughnessy, Co-Founder, The Disruption House. Presented at Crowdsourcing Week Europe 2015. For more information or to join the next event: http://crowdsourcingweek.com/
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
This presentation briefs about the Linux Kernel Module and Character Device Driver. This also contains sample code snippets. Also briefs about character driver registration and access.
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Mistakes to avoid when designing DLLs and thoughts about other platforms to deliever with your DLL.
Some compilers provide mechanisms to automatically export all functions and variables in a library that have external linkage. Avoid using any such mechanisms. Export exactly the interface that you need to export, and no more.
Course 102: Lecture 25: Devices and Device Drivers Ahmed El-Arabawy
This lecture discusses the concept of Linux device Drivers and Kernel Loadable Modules in general. It shows how to handle them such as loading/unloading ,and querying for their info. It also discusses the role of device files and how it binds to device drivers in the Linux Kernel
Video for this lecture on youtube:
http://www.youtube.com/watch?v=5qhgMyPyvVE
Check the other Lectures and courses in
http://Linux4EnbeddedSystems.com
or Follow our Facebook Group at
- Facebook: @LinuxforEmbeddedSystems
Lecturer Profile:
Ahmed ElArabawy
- https://www.linkedin.com/in/ahmedelarabawy
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
2. WinDbg v. OllyDbg
• OllyDbg is the most popular user-mode
debugger for malware analysts
• WinDbg can be used in either user-mode
or kernel-mode
• This chapter explores ways to use WinDbg
for kernel debugging and rootkit analysis
4. Device Drivers
• Windows device drivers allow third-party
developers to run code in the Windows kernel
• Drivers are difficult to analyze
– They load into memory, stay resident, and
respond to requests from applications
• Applications don't directly access kernel
drivers
– They access device objects which send requests
to particular devices
5. Devices
• Devices are not physical hardware
components
• They are software representations of
those components
• A driver creates and destroys devices,
which can be accessed from user space
6. Example: USB Flash Drive
• User plugs in flash drive
• Windows creates the "F: drive" device object
• Applications can now make requests to the
F: drive
– They will be sent to the driver for that USB flash
drive
• User plugs in a second flash drive
– It may use the same driver, but applications
access it through the G: device object
7. Loading Drivers
• Drivers must be loaded into the kernel
– Just as DLLs are loaded into processes
• When a driver is first loaded, its
DriverEntry procedure is called
– Just like DLLMain for DLLs
8. DriverEntry
• DLLs expose functionality through the export
table; drivers don't
• Drivers must register the address for callback
functions
– They will be called when a user-space software
component requests a service
– DriverEntry routine performs this registration
– Windows creates a driver object structure, passes it
to DriverEntry which fills it with callback functions
– DriverEntry then creates a device that can be
accessed from user-land
9. Example: Normal Read
• Normal read request
– User-mode application obtains a file handle
to device
– Calls ReadFile on that handle
– Kernel processes ReadFile request
– Invokes the driver's callback function handling
I/O
10. Malicious Request
• Most common request from malware is
DeviceIoControl
– A generic request from a user-space module
to a device managed by a driver
– User-space program passes in an arbitrary-
length buffer of input data
– Received an arbitrary-length buffer of data as
output
13. Ntoskrnl.exe & Hal.dll
• Malicious drivers rarely control hardware
• They interact with Ntoskrnl.exe & Hal.dll
– Ntoskrnl.exe has code for core OS functions
– Hal.dll has code for interacting with main
hardware components
• Malware will import functions from one or
both of these files so it can manipulate
the kernel
20. VMware
• In the virtual machine, enable kernel
debugging
• Configure a virtual serial port between VM
and host
• Configure WinDbg on the host machine
21. Boot.ini
• The book activates kernel debugging by
editing Boot.ini
• But Microsoft abandoned that system
after Windows XP
• The new system uses bcdedit
27. Reading from Memory
• dx addressToRead
• x can be
– da Displays as ASCII text
– du Displays as Unicode text
– dd Displays as 32-bit double words
• da 0x401020
– Shows the ASCII text starting at 0x401020
29. Editing Memory
• ex addressToWrite dataToWrite
• x can be
– ea Writes as ASCII text
– eu Writes as Unicode text
– ed Writes as 32-bit double words
30. Using Arithmetic Operators
• Usual arithmetic operators + - / *
• dwo reveals the value at a 32-bit location
pointer
• du dwo (esp+4)
– Shows the first argument for a function, as a
wide character string
31. Setting Breakpoints
• bp sets breakpoints
• You can specify an action to be performed
when the breakpoint is hit
• g tells it to resume running after the
action
• bp GetProcAddress "da dwo(esp+8); g"
– Breaks when GetProcAddress is called, prints
out the second argument, and then continues
– The second argument is the function name
32. No Breakpoints with LiveKD
• LiveKD works from a memory dump
• It's read-only
• So you can't use breakpoints
33. Listing Modules
• lm
– Lists all modules loaded into a process
• Including EXEs and DLLs in user space
• And the kernel drivers in kernel mode
– As close as WinDbg gets to a memory map
34. Reading from Memory
• dd nt
• Shows the start of module "nt"
• dd nt L10
• Shows the first 0x10 words of "nt"
35.
36. Online Help
• .hh dd
– Shows help
about "dd"
command
– But there
are no
examples
43. Symbols are Labels
• Including symbols lets you use
– MmCreateProcessAddressSpace
• instead of
– 0x8050f1a2
44. Searching for Symbols
• moduleName!symbolName
– Can be used anywhere an address is expected
• moduleName
– The EXE, DLL, or SYS filename (without
extension)
• symbolName
– Name associated with the address
• ntoskrnl.exe is an exception, and is named nt
– Ex: u nt!NtCreateProcess
• Unassembles that function (disassembly)
45. Demo
• Try these
– u nt!ntCreateProcess
– u nt!ntCreateProcess L10
– u nt!ntCreateProcess L20
46. Deferred Breakpoints
• bu newModule!exportedFunction
– Will set a breakpoint on exportedFunction as
soon as a module named newModule is loaded
• $iment
– Function that finds the entry point of a
module
• bu $iment(driverName)
– Breaks on the entry point of the driver before
any of the driver's code runs
47. Searching with x
• You can search for functions or symbols
using wildcards
• x nt!*CreateProcess*
– Displays exported functions & internal
functions
48. Listing Closest Symbol with ln
• Helps in figuring out where a call goes
• ln address
– First lines show two closest matches
– Last line shows exact match
49. Viewing Structure Information with dt
• Microsoft symbols include type
information for many structures
– Including undocumented internal types
– They are often used by malware
• dt moduleName!symbolName
• dt moduleName!symbolName address
– Shows structure with data from address
52. Initialization Function
• The DriverInit function is called first
when a driver is loaded
• See labelled line in previous slide
• Malware will sometimes place its entire
malicious payload in this function
53. Configuring Windows Symbols
• If your debugging machine is connected to
an always-on broadband link, you can
configure WinDbg to automatically
download symbols from Microsoft as
needed
• They are cached locally
• File, Symbol File Path
– SRC*c:websymbols*http://
msdl.microsoft.com/download/symbols
56. Which command sets a
breakpoint?
A. u nt
B. u nt!NtCreateProcess
C. bu $iment(Fastfat)
D. u $iment(Fastfat)
E. x nt!*
57. Which command shows the
assembly code at the entry point
of a driver?
A. u nt
B. u nt!NtCreateProcess
C. bu $iment(Fastfat)
D. u $iment(Fastfat)
E. x nt!*
58. Which command shows the type
information for a structure?
A. u nt
B. u nt!NtCreateProcess
C. x nt!*
D. ln 805717aa
E. dt nt!_DRIVER_OBJECT
59. Which command lists all the
functions in Ntoskrnl.exe?
A. u nt
B. u nt!NtCreateProcess
C. x nt!*
D. ln 805717aa
E. dt nt!_DRIVER_OBJECT
61. Kernel Mode and User Mode Functions
• We'll examine a program that writes to
files from kernel space
• An unusual thing to do
• Fools some security products
– Kernel mode programs cannot call user-mode
functions like CreateFile and WriteFile
– Must use NtCreateFile and NtWriteFile
62. User-Space Code
Creates a service with the CreateService
function
dwServiceType is 0x01 (Kernel driver)
65. Kernel-Mode Code
• Set WinDbg to Verbose mode (View,
Verbose Output)
• Doesn't work with LiveKD
• You'll see every kernel module that loads
• Kernel modules are not loaded or
unloaded often
– Any loads are suspicious
– Except Kmixer.sys in VMware machines
69. Kernel-Mode Filenames
• Tracing this function, it eventually creates
this file
– DosDevicesC:secretfile.txt
• This is a fully qualified object name
– Identifies the root device, usually DosDevices
70. Finding Driver Objects
• Applications work with devices, not drivers
• Look at user-space application to identify
the interesting device object
• Use device object in User Mode to find driver
object in Kernel Mode
• Use !devobj to find out more about the
device object
• Use !devhandles to find application that use
the driver
72. Rootkit Basics
• Rootkits modify the internal functionality of
the OS to conceal themselves
– Hide processes, network connections, and other
resources from running programs
– Difficult for antivirus, administrators, and security
analysts to discover their malicious activity
• Most rootkits modify the kernel
• Most popular method:
– System Service Descriptor Table (SSDT) hooking
73. System Service Descriptor Table (SSDT)
• Used internally by Microsoft
– To look up function calls into the kernel
– Not normally used by third-party applications or
drivers
• Only three ways for user space to access
kernel code
– SYSCALL
– SYSENTER
– INT 0x2E
74. SYSENTER
• Used by modern versions of Windows
• Function code stored in EAX register
• More info about the three ways to call
kernel code is in links Ch 10j and 10k
76. SSDT Table Entries
• Rootkit changes the values in the SSDT so rootkit
code is called instead of the intended function
• 0x25 would be changed to a malicious driver's
function
77. Hooking NtCreateFile
• Rootkit calls the original NtCreateFile, then
removes files it wants to hide
• This prevents applications from getting a
handle to the file
• Hooking NtCreateFile alone won't hide a file
from DIR, however
78. Rootkit Analysis in Practice
• Simplest way to detect SSDT hooking
– Just look at the SSDT
– Look for values that are unreasonable
– In this case, ntoskrnl.exe starts at address
804d7000 and ends at 806cd580
– ntoskrnl.exe is the Kernel!
• lm m nt
– Lists modules matching "nt" (Kernel modules)
– Shows the SSDT table
79. Win 2008
• lm m nt failed on my Win 2008 VM
• This command shows the SSDT
• dps nt!KiServiceTable L poi nt!
KiServiceLimit
• Link Ch 10l
80. SSDT Table
• Marked entry is hooked
• To identify it, examine a clean system's SSDT
81. Finding the Malicious Driver
• lm
– Lists open modules
– In the kernel, they are all drivers
82.
83. Interrupts
• Interrupts allow hardware to trigger
software events
• Driver calls IoConnectInterrupt to
register a handler for an interrupt code
• Specifies an Interrupt Service Routine (ISR)
– Will be called when the interrupt code is
generated
• Interrupt Descriptor Table (IDT)
– Stores the ISR information
– !idt command shows the IDT
84.
85. Loading Drivers
• If you want to
load a driver to
test it, you can
download the
OSR Driver
Loader tool
86. Kernel Issues for Windows Vista,
Windows 7, and x64 Versions
• Uses BCDedit instead of boot.ini
• x64 versions starting with XP have PatchGuard
– Prevents third-party code from modifying the
kernel
– Including kernel code itself, SSDT, IDT, etc.
– Can interfere with debugging, because debugger
patches code when inserting breakpoints
• There are 64-bit kernel debugging tools
– Link Ch 10c
87. Driver Signing
• Enforced in all 64-bit versions of Windows
starting with Vista
• Only digitally signed drivers will load
• Effective protection!
• Kernel malware for x64 systems is
practically nonexistent
– You can disable driver signing enforcement by
specifying nointegritychecks in BCDEdit