DOCSLIB.ORG

Tricks of the Hackers: API Hooking and DLL Injection

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

24.09.2009 API Hooking Tricks of the Hackers: 2 API Hooking and DLL Injection Intercepting API calls is a mechanism for testing Dr. Wolfgang Koch monitoring Friedrich Schiller University Jena and reverse engineering Department of Mathematics and as well as for altering the behavior of the Computer Science operating system Jena, Germany or of 3rd party products, [email protected] without having their source code available. API Hooking Literature Books 3 4 Intercepting API calls is a mechanism for “The Windows-API Book” : Jeffrey Richter, altering the behavior of programs or of the Christophe Nasarre operating system WINDOWS via C/C++ 5th edition widely used by hackers and other “bad guys” Redmond, Wash : Microsoft Press, 2008 ISBN-13: 978-0-7356-2424-5 820 p. + Companion content Web page 1 24.09.2009 Literature Books Literature 5 6 Ivo Ivanov: API hooking revealed, 2002 The WDM Bible : http://www.codeproject.com/KB/system/hooksys.aspx Walter Oney Robert Kuster: Three Ways to Inject Your Code Programming the Microsoft Windows Driver Model into Another Process, 2003 2nd edition http://www.codeproject.com/KB/threads/winspy.aspx Redmond, Wash : Microsoft Press, 2003 Seung-Woo Kim - Intel® Software Network: Intercepting ISBN: 0-7356-1803-8 System API Calls, 2004 http://software.intel.com/en-us/articles/ intercepting-system-api-calls/ 846 p. + CD-ROM Literature Literature Executable File Format 7 8 Anton Bassov: Microsoft MSDN man pages and “ white papers ”: Process-wide API spying - an ultimate hack, 2004 http://msdn.microsoft.com/library http://www.codeproject.com/KB/system/api_spying_hack.aspx An In-Depth Look into the Win32 Portable Executable Kernel-mode API spying - an ultimate hack, 2005 File Format, Matt Pietrek, MSDN Magazine, Feb. 2002 http://www.codeproject.com/KB/system/kernelspying.aspx http://msdn.microsoft.com/en-us/magazine/cc301805.aspx Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode Microsoft Portable Executable and Common Object microsoft.public.development.device.drivers File Format Specification, Revision 8.0 - May 2006 http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx 2 24.09.2009 API Hooking API Hooking 9 10 API Routine Call: API - Application Programming Interface Wikipedia: ... push Parameter_2 push Parameter_1 API - is an interface that defines the ways by which an call <Addr_of_API_Routine> application program may request services from mov eax, Result libraries and/or operating systems . ... An API determines the vocabulary and calling // API Routine (in DLL) conventions the programmer should employ to use push ebp mov esp, ebp the services. It may include specifications for routines , ... // service data structures , object classes and protocols … ret API Hooking API Hooking 11 12 API Routine Call - hooked: API Routine Call – hooked (2): // proxy function //proxy function push ebp push ebp ... ... // other stuff ... ... // pre proc. push Parameter_2 ret push Parameter_2 call original API push Parameter_1 push Parameter_1 ... // post proc. ret callcall <Addr_of_API_Routine><Addr_of_new_Routine > call <Addr_of_API_Routine><Addr_of_new_Routine > mov eax, Result mov eax, Result ... ... //API Routine (in DLL) //API Routine (in DLL) push ebp push ebp mov esp, ebp mov esp, ebp We would have to overwrite every ... // service • Parameters of the API routine ... // service call to the API routine in the code ret • Win32 API : _stdcall – ret n ret 3 24.09.2009 API Hooking API Hooking 13 14 API Routine Call – hooked Hooking API Routine Calls different way – overwriting code // proxy function call <Addr_of_API_Routine > (0xE8) push ebp ... ... // other stuff we would have to overwrite every call to the push Parameter_2 ret push Parameter_1 API routine in the code call <Addr_of_API_Routine> mov eax, Result In Windows executables indirect calls are applied: ... call ind(Ptr_To_Addr_of_API_Routine ) //API Routine (in DLL) jmppush< Addr_of_proxy_ebp The Pointer points to the address of the API Routine mov esp,Routine ebp > Difficulties when calling or jumping ... // service in the Import Address Table (IAT), where the addresses to the original API routine. ret of all functions, imported by the module, are stored. API Hooking API Hooking Locating the IAT 15 16 In Windows executables indirect calls are applied: see Portable Executable File Format: call ind(Ptr_To_Addr_of_API_Routine ) IMAGE_DOS_HEADER * dosheader = (IMAGE_DOS_HEADER *) hMod; (0xFF,0x15) IMAGE_OPTIONAL_HEADER * opthdr = (IMAGE_OPTIONAL_HEADER *) Reason: ((BYTE*)hMod + dosheader->e_lfanew + 24); The actual address of the API Routine is not known at compile time. IMAGE_IMPORT_DESCRIPTOR * descriptor = (IMAGE_IMPORT_DESCRIPTOR *) ((BYTE*) hMod + opthdr-> The Import Address Table is filled in, when a Library DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]. (a DLL) is loaded. VirtualAddress ); Now we can change the addresses in the IAT while (descriptor->FirstThunk){ (only one per API routine) to our proxy functions. char * dllname = (char *)((BYTE*)hMod + descriptor->Name); 4 24.09.2009 API Hooking IAT_Entry_Addresses API Hooking IAT_Entry_Addresses 17 18 while (descriptor->FirstThunk){ IATentryaddress = (DWORD*) char * dllname = (char *)((BYTE*)hMod + descriptor->Name); ((BYTE*) hMod + descriptor->FirstThunk) + x; IMAGE_THUNK_DATA * thunk = (IMAGE_THUNK_DATA *) ((BYTE*) hMod + descriptor->OriginalFirstThunk); Now we can overwrite IAT entries of the target module with int x=0; the addresses of our user-defined proxy functions. while (thunk->u1.Function) { Each IAT entry replacement normally requires a separate char * functionname = (char*) ((BYTE*) hMod + (DWORD)thunk->u1.AddressOfData + 2); proxy function - a proxy function must know which particular DWORD * IATentryaddress = (DWORD*) ((BYTE*) hMod + API function it replaces so that it can invoke the original callee. descriptor->FirstThunk) + x; x++; thunk++; } Anton Bassov proposed the following method descriptor++; } API Hooking API Hooking 19 20 Anton Bassov proposed the following method 4 (unique) functions, one structure, 4 (unique) functions, one structure : 22 bytes of allocated (executable) memory per IAT entry: ProxyProlog(), ProxyEpilog() - Assembler Prolog(), Epilog() - normal C code 0xFF15 Addr_RelFkt struct RelocatedFunction 2 4 16 Bytes struct RelocatedFunction{ DWORD proxyptr; 0xFF15 Addr_RelFkt – DWORD functionptr; indirect call: call ind(Addr_RelFkt) char * dllname; i.e. calls RelocatedFunction.proxyptr char * functionname; Trick: The return address of this proxy function – on top of the }; stack – is the address of our struct RelocatedFunction !!! 5 24.09.2009 API Hooking Modifying IAT Entries API Hooking Modifying IAT Entries 21 22 while(thunk->u1.Function) { uchar * mptr = malloc(22); // <allocate memory> char * functionname = ... ; // <fill in memory and store original API address> DWORD * IATentryaddress = ... + x; struct RelocatedFunction * reloc = (struct RelocatedFunction *) (mptr+6); if ( alter(functionname) ){ <allocate memory> reloc->proxyptr = (DWORD) ProxyProlog; <fill in memory and store original API address> reloc->functionptr = *IATentryaddress; // orig. <modify *IATentryaddress > reloc->functionname = functionname; } reloc->dllname = dllname; mptr[0]= 0xFF; mptr[1]= 0x15; // JMP ind x++; thunk++; memmove( &mptr[2], &reloc, 4); } API Hooking Modifying IAT Entries API Hooking Modifying IAT Entries 23 24 uchar * mptr = malloc(22); Usually the IAT is writeable … . if (! WriteProcessMemory( GetCurrentProcess(), // < modify *IATentryaddress > IATentryaddress, &mptr, 4, NULL)) { DWORD byteswritten; DWORD dwOldProt; if ( VirtualProtect (IATentryaddress, 4, WriteProcessMemory ( GetCurrentProcess(), PAGE_READWRITE, &dwOldProt)) { IATentryaddress, WriteProcessMemory( GetCurrentProcess(), &mptr, 4, &byteswritten); IATentryaddress, &mptr, 4, NULL); VirtualProtect(IATentryaddress, 4, dwOldProt, Usually the IAT is writeable (it is filled in, when a Library &dwOldProt); } is loaded), but not the Export Directory. } 6 24.09.2009 API Hooking ProxyProlog API Hooking ProxyProlog 25 26 ProxyProlog() saves registers and flags and calls Prolog(). ProxyProlog() saves registers and flags and calls Prolog(). Then it restores the registers and flags and calls (in fact: returns to) __declspec(naked) void ProxyProlog() the original API routine (Prolog modifies the return address). creates pure function code without a stack frame __declspec(naked) void ProxyProlog() – intended for assembler code. { _asm{ push eax; push ebx; push ecx; push edx } I work with cygwin and gcc, there is no __declspec(naked). _asm{ mov ebx,esp; pushf; add ebx,16 } I just define void ProxyProlog() _asm{ push ebx; call Prolog; pop ebx; popf } and instad of reloc->proxyptr = (uint) ProxyProlog; _asm ( pop edx; pop ecx; pop ebx; pop eax; ret) I have } reloc->proxyptr = (uint)((BYTE*)ProxyProlog +3); API Hooking ProxyProlog API Hooking Prolog 27 28 ProxyProlog() saves registers and flags and calls Prolog(). Prolog () does the preprocessing part to the hooked routines _asm{ mov ebx,esp; pushf; add ebx,16 } – for example monitoring all API calls. _asm{ push ebx; call Prolog ; pop ebx; popf } It has access to the actual parameters of the routine as well as to the DLL name and the function name. Prolog is defined as void Prolog(DWORD * stackptr); – it has one parameter – If necessary Prolog() prepares for the call of the ebx , which holds the address of the top of stack post-processing part – ProxyEpilog() and Epilog() (the contents of esp ) just before saving the registers – Prolog() returns to ProxyProlog(),
Recommended publications
  • Advance Dynamic Malware Analysis Using Api Hooking

    Advance Dynamic Malware Analysis Using Api Hooking

    www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume – 5 Issue -03 March, 2016 Page No. 16038-16040 Advance Dynamic Malware Analysis Using Api Hooking Ajay Kumar , Shubham Goyal Department of computer science Shivaji College, University of Delhi, Delhi, India [email protected] [email protected] Abstract— As in real world, in virtual world also there are type of Analysis is ineffective against many sophisticated people who want to take advantage of you by exploiting you software. Advanced static analysis consists of reverse- whether it would be your money, your status or your personal engineering the malware’s internals by loading the executable information etc. MALWARE helps these people into a disassembler and looking at the program instructions in accomplishing their goals. The security of modern computer order to discover what the program does. Advanced static systems depends on the ability by the users to keep software, analysis tells you exactly what the program does. OS and antivirus products up-to-date. To protect legitimate users from these threats, I made a tool B. Dynamic Malware Analysis (ADVANCE DYNAMIC MALWARE ANAYSIS USING API This is done by watching and monitoring the behavior of the HOOKING) that will inform you about every task that malware while running on the host. Virtual machines and software (malware) is doing over your machine at run-time Sandboxes are extensively used for this type of analysis. The Index Terms— API Hooking, Hooking, DLL injection, Detour malware is debugged while running using a debugger to watch the behavior of the malware step by step while its instructions are being processed by the processor and their live effects on I.
  • Cygwin User's Guide

    Cygwin User's Guide

    Cygwin User’s Guide Cygwin User’s Guide ii Copyright © Cygwin authors Permission is granted to make and distribute verbatim copies of this documentation provided the copyright notice and this per- mission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this documentation under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this documentation into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the Free Software Foundation. Cygwin User’s Guide iii Contents 1 Cygwin Overview 1 1.1 What is it? . .1 1.2 Quick Start Guide for those more experienced with Windows . .1 1.3 Quick Start Guide for those more experienced with UNIX . .1 1.4 Are the Cygwin tools free software? . .2 1.5 A brief history of the Cygwin project . .2 1.6 Highlights of Cygwin Functionality . .3 1.6.1 Introduction . .3 1.6.2 Permissions and Security . .3 1.6.3 File Access . .3 1.6.4 Text Mode vs. Binary Mode . .4 1.6.5 ANSI C Library . .4 1.6.6 Process Creation . .5 1.6.6.1 Problems with process creation . .5 1.6.7 Signals . .6 1.6.8 Sockets . .6 1.6.9 Select . .7 1.7 What’s new and what changed in Cygwin . .7 1.7.1 What’s new and what changed in 3.2 .
  • Userland Hooking in Windows

    Userland Hooking in Windows

    Your texte here …. Userland Hooking in Windows 03 August 2011 Brian MARIANI SeniorORIGINAL Security SWISS ETHICAL Consultant HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch SOME IMPORTANT POINTS Your texte here …. This document is the first of a series of five articles relating to the art of hooking. As a test environment we will use an english Windows Seven SP1 operating system distribution. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch WHAT IS HOOKING? Your texte here …. In the sphere of computer security, the term hooking enclose a range of different techniques. These methods are used to alter the behavior of an operating system by intercepting function calls, messages or events passed between software components. A piece of code that handles intercepted function calls, is called a hook. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch THE WHITE SIDE OF HOOKING TECHNIQUES? YourThe texte control here …. of an Application programming interface (API) call is very useful and enables programmers to track invisible actions that occur during the applications calls. It contributes to comprehensive validation of parameters. Reports issues that frequently remain unnoticed. API hooking has merited a reputation for being one of the most widespread debugging techniques. Hooking is also quite advantageous technique for interpreting poorly documented APIs. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch THE BLACK SIDE OF HOOKING TECHNIQUES? YourHooking texte here can …. alter the normal code execution of Windows APIs by injecting hooks. This technique is often used to change the behavior of well known Windows APIs.
  • Cygwin User's Guide

    Cygwin User's Guide

    Cygwin User’s Guide i Cygwin User’s Guide Cygwin User’s Guide ii Copyright © 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Red Hat, Inc. Permission is granted to make and distribute verbatim copies of this documentation provided the copyright notice and this per- mission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this documentation under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this documentation into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the Free Software Foundation. Cygwin User’s Guide iii Contents 1 Cygwin Overview 1 1.1 What is it? . .1 1.2 Quick Start Guide for those more experienced with Windows . .1 1.3 Quick Start Guide for those more experienced with UNIX . .1 1.4 Are the Cygwin tools free software? . .2 1.5 A brief history of the Cygwin project . .2 1.6 Highlights of Cygwin Functionality . .3 1.6.1 Introduction . .3 1.6.2 Permissions and Security . .3 1.6.3 File Access . .3 1.6.4 Text Mode vs. Binary Mode . .4 1.6.5 ANSI C Library . .5 1.6.6 Process Creation . .5 1.6.6.1 Problems with process creation . .5 1.6.7 Signals . .6 1.6.8 Sockets . .6 1.6.9 Select .
  • An Encrypted Payload Protocol and Target-Side Scripting Engine

    An Encrypted Payload Protocol and Target-Side Scripting Engine

    An Encrypted Payload Protocol and Target-Side Scripting Engine Dino A. Dai Zovi [email protected] Abstract into the remote process and then triggering the vulnera- Modern exploit payloads in commercial and open-source bility (the injection vector) in order to cause the remote penetration testing frameworks have grown much more process to execute the injected code (the payload). Tra- advanced than the traditional shellcode they replaced. ditionally, these payloads have been written in processor- These payloads permit interactive access without launch- specific assembly language, assembled, and extracted by ing a shell, network proxying, and many other rich fea- hand into reusable machine code components. These tures. Available payload frameworks have several lim- payloads were typically small and executed an operating itations, however. They make little use of encryption to system shell, causing them to be commonly referred to secure delivery and communications, especially in earlier as shellcode. Common shellcode variants included func- stage payloads. In addition, their richer features require tionality such as restoring dropped privileges, breaking a constant network connection to the penetration tester, out of chroot environments, and attaching the shell to making them unsuitable against mobile clients, such as an inbound or outbound network connection. This style laptops, PDAs, and smart phones. of payload construction was both labor and skill inten- This work introduces a first-stage exploit payload that sive. is able to securely establish an encrypted channel using With the growth of commercial penetration testing ElGamal key agreement and the RC4 stream cipher. The services and especially commercial penetration test- key agreement implementation requires only modular ing products, exploit payloads have gotten considerably exponentiation and RC4 also lends itself to an implemen- more capable and complex.
  • Contents in This Issue

    Contents in This Issue

    APRIL 2006 The International Publication on Computer Virus Prevention, Recognition and Removal CONTENTS IN THIS ISSUE 2 COMMENT LEAP YEAR Problems for AV vendors: some thoughts Although the hype surrounding OSX/Leap-A far outweighs the number of reported infections, the 3 NEWS virus does present a number of new ideas that we may well see again. Glyn Kennington investigates. More updating woes page 4 Spy couple sentenced ‘Real’ computer virus MR AND MRS ROOTKIT Viewers of the German version of the Mr. and Mrs. Smith movie DVD were surprised to find a little 3 VIRUS PREVALENCE TABLE more than they had bargained for on their DVDs thanks to the presence of a new protection system. VIRUS ANALYSES The protection software was found to be using 4 A small step for Mac OS X rootkit-like techniques to hide itself. Elia Florio discusses the security issues associated with the 6 Not a feeble attempt Settec DRM case. page 10 10 FEATURE LINUX COMPARATIVE Stories from the DRM world: the Settec case The main competition amongst products this month seemed to be to determine 13 COMPARATIVE REVIEW which could have the least useful Red Hat Linux 9 documentation – find out which products redeemed themselves by achieving a VB 100%. page 13 20 END NOTES & NEWS This month: anti-spam news & events and Sorin Mustaca takes an indepth look at PayPal phishing. ISSN 1749-7027 COMMENT ‘I see drowning in • Analysing proactive technologies, including heuristics and behaviour blockers so as to penetrate new malware as systems despite these barriers. one of the main • Interfering with anti-virus solutions, for instance, by issues facing the blocking automatic updates.
  • A Brief Survey on Rootkit Techniques in Malicious Codes

    A Brief Survey on Rootkit Techniques in Malicious Codes

    A Brief Survey on Rootkit Techniques in Malicious Codes Sungkwan Kim, Junyoung Park, Kyungroul Lee Ilsun You Soonchunhyang University Korean Bible University Shinchang-myun, Asan-si, Republic of Korea Seoul, Republic of Korea fcarpedm, wwkim3, [email protected] [email protected] Kangbin Yim∗ Soonchunhyang University Shinchang-myun, Asan-si, Republic of Korea [email protected] Abstract Nowadays, malicious codes are significantly increasing, leading to serious damages to information systems. It is worth to note that these codes generally depend on the rootkit techniques to make it more difficult for themselves to be analyzed and detected. Therefore, it is of paramount importance to research the rootkits to effectively defend against malicious codes. In this paper, we explore and survey the rootkit techniques both in user-level and kernel-level. Several rootkit samples are also utilized for the test and verification purpose. Keywords: rootkit, malicious codes, keyboard security 1 Introduction The superlative invention of the Internet in the 20th century has generated innovative developments in the computer industry. While internet speed is increasing, adverse effects are also increasing. A com- puter virus, which would have taken a long time to propagate in former days, can now spread throughout the world currently in a few seconds or minutes. In the past, the spreading technology was very simple and the path was limited, thus enabling an account technician sufficient time to protect against the virus. However, malicious codes have been intelligently armed with self-deformation and concealment, cre- ating many problems such as Distributed Denial of Services Attacks (DDoS), SPAM, and hijacking of personal information[2].
  • Captain Hook: Pirating AVS to Bypass Exploit Mitigations WHO?

    Captain Hook: Pirating AVS to Bypass Exploit Mitigations WHO?

    Captain Hook: Pirating AVS to Bypass Exploit Mitigations WHO? Udi Yavo . CTO and Co-Founder, enSilo . Former CTO, Rafael Cyber Security Division . Researcher . Author on BreakingMalware Tomer Bitton . VP Research and Co-Founder, enSilo . Low Level Researcher, Rafael Advanced Defense Systems . Malware Researcher . Author on BreakingMalware AGENDA . Hooking In a Nutshell . Scope of Research . Inline Hooking – Under the hood - 32-bit function hooking - 64-bit function hooking . Hooking Engine Injection Techniques . The 6 Security Issues of Hooking . Demo – Bypassing exploit mitigations . 3rd Party Hooking Engines . Affected Products . Research Tools . Summary HOOKING IN A NUTSHELL . Hooking is used to intercept function calls in order to alter or augment their behavior . Used in most endpoint security products: • Anti-Exploitation – EMET, Palo-Alto Traps, … • Anti-Virus – Almost all of them • Personal Firewalls – Comodo, Zone-Alarm,… • … . Also used in non-security products for various purposes: • Application Performance Monitoring (APM) • Application Virtualization (Microsoft App-V) . Used in Malware: • Man-In-The-Browser (MITB) SCOPE OF RESEARCH . Our research encompassed about a dozen security products . Focused on user-mode inline hooks – The most common hooking method in real-life products . Hooks are commonly set by an injected DLL. We’ll refer to this DLL as the “Hooking Engine” . Kernel-To-User DLL injection techniques • Used by most vendors to inject their hooking engine • Complex and leads security issues Inline Hooking INLINE HOOKING – 32-BIT FUNCTION HOOKING Straight forward most of the time: Patch the Disassemble Allocate Copy Prolog Prolog with a Prolog Code Stub Instructions JMP INLINE HOOKING – 32-BIT FUNCTION HOOKING InternetConnectW before the hook is set: InternetConnectW After the hook is set: INLINE HOOKING – 32-BIT FUNCTION HOOKING The hooking function (0x178940) The Copied Instructions Original Function Code INLINE HOOKING – 32-BIT FUNCTION HOOKING .
  • Towards a General Defense Against Kernel Queue Hooking Attacks

    Towards a General Defense Against Kernel Queue Hooking Attacks

    Towards a General Defense against Kernel Queue Hooking Attacks Jinpeng Wei 1 and Calton Pu 2 1Florida International University, 11200 SW 8th Street, Miami, FL, 33199 USA, [email protected] 2Georgia Institute of Technology, 266 Ferst Dr, Atlanta, GA 30332 USA, [email protected] Abstract Kernel queue hooking (KQH) attacks achieve stealthy malicious function execution by embedding malicious hooks in dynamic kernel schedulable queues (K-Queues). Because they keep kernel code and persistent hooks intact, they can evade detection of state-of-the-art kernel integrity monitors. Moreover, they have been used by advanced malware such as the Rustock spam bot to achieve malicious goals. In this paper, we present a systematic defense against such novel attacks. We propose the Precise Lookahead Checking of function Pointers approach that checks the legitimacy of pending K-Queue callback requests by proactively checking function pointers that may be invoked by the callback function. To facilitate the derivation of specifications for any K-Queue, we build a unified static analysis framework and a toolset that can derive from kernel source code properties of legitimate K-Queue requests and turn them into source code for the runtime checker. We implement proof-of-concept runtime checkers for four K-Queues in Linux and perform a comprehensive experimental evaluation of these checkers, which shows that our defense is effective against KQH attacks. Keywords : control flow integrity; kernel queue hooking; rootkits; runtime defense; static analysis 1 Introduction Rootkits have become one of the most dangerous threats to systems security. Because they run at the same privilege level as the operating systems kernel, they can modify the OS behavior 1 in arbitrary ways.
  • Evasive Internet Protocol: End to End Performance

    Evasive Internet Protocol: End to End Performance

    EVASIVE INTERNET PROTOCOL: END TO END PERFORMANCE By Maaz Khan Submitted in partial fulfillment of the requirements for the Degree of Master of Science Thesis Advisor: Prof. Michael Rabinovich Department of Electrical Engineering and Computer Science CASE WESTERN RESERVE UNIVERSITY August 2011 CASE WESTERN RESERVE UNIVERSITY SCHOOL OF GRADUATE STUDIES We hereby approve the thesis/dissertation of Maaz Khan ______________________________________________________ Masters candidate for the ________________________________degree *. Michael Rabinovich (signed)_______________________________________________ (chair of the committee) Mehmet Koyuturk ________________________________________________ Vincenzo Liberatore ________________________________________________ ________________________________________________ ________________________________________________ ________________________________________________ 06/09/2011 (date) _______________________ *We also certify that written approval has been obtained for any proprietary material contained therein. Contents Contents i List of Figures iii Abstract iv Chapter 1 Introduction 1 1.1 Basic Approach . 2 1.2 Security and feasibility . 3 Chapter 2 Architecture 6 2.1 Delegation of Authority . 6 2.2 T-Address . .8 2.3 Datagrams . 9 2.4 Obtaining a Destination T-address. 13 Chapter 3 Packet Modification using Netfilter Framework 15 3.1 The Packet Buffer . 15 3.1.1 SKB basic management functiuons . 18 3.2 The Netfilter API . .20 i 3.2.1 Netfilter Hooks . .21 3.2.2 Registering and Unregistering hook functions . .23 Chapter 4 Implementation 27 4.1 Components . 28 4.2 Changing the MSS . 31 Chapter 5 Performance 33 5.1 Experiment Setup . 33 5.2 TCP v/s EIP Performance . ..35 5.3 UDP v/s EIP Performance . .39 Chapter 6 Conclusion 43 References 44 ii List of Figures 1. T-Address . .. .. .. .. 9 2. Type-1 Datagram . .. .. .. 11 3. Type-2 Datagram . 11 4.
  • Countering Kernel Rootkits with Lightweight Hook Protection

    Countering Kernel Rootkits with Lightweight Hook Protection

    Countering Kernel Rootkits with Lightweight Hook Protection ZhiWang XuxianJiang WeidongCui PengNing NC State University NC State University Microsoft Research NC State University [email protected] [email protected] [email protected] [email protected] ABSTRACT stealing private information, escalating privileges of malicious pro- Kernel rootkits have posed serious security threats due to their stealthy cesses, and disabling defense mechanisms. manner. To hide their presence and activities, many rootkits hi- Given the serious security threats, there has been a long line of jack control flows by modifying control data or hooks in the kernel research on rootkit defense. Specifically, prior research efforts can space. A critical step towards eliminating rootkits is to protect such be roughly classified into three categories. In the first category, hooks from being hijacked. However, it remains a challenge be- systems such as Panorama [33], HookFinder [32], K-Tracer [15], cause there exist a large number of widely-scattered kernel hooks and PoKeR [24] focus on analyzing rootkit behaviors. Systems and many of them could be dynamically allocated from kernel heap in the second category are primarily designed for detecting rootk- and co-located together with other kernel data. In addition, there is its based on certain symptoms exhibited by rootkit infection. Ex- a lack of flexible commodity hardware support, leading to the so- amples are Copilot [20], SBCFI [21], and VMwatcher [13]. In called protection granularity gap – kernel hook protection requires the third category, systems such as SecVisor [26], Patagonix [16], byte-level granularity but commodity hardware only provides page- and NICKLE [23] have been developed to preserve kernel code level protection.
  • The Fileless Attack SURVIVAL GUIDE

    The Fileless Attack SURVIVAL GUIDE

    The Fileless Attack SURVIVAL GUIDE Protect Your Company from Attacks Antivirus Can’t Block THE FILELESS ATTACK SURVIVAL GUIDE 1 Table of Contents 3 Executive Summary 5 Introduction 8 Types of fileless attack techniques 10 How attackers use them to… 11 ......Gain initial access 13 ......Escalate privileges 15 ......Execute payloads 17 ......Gain persistence 19 ......Achieve lateral movement 21 Practical tips for preventing and mitigating fileless attacks 22 Fileless Attack Checklist THE FILELESS ATTACK SURVIVAL GUIDE 2 Executive Summary Attacks are constantly evolving. One of the most damaging trends we’ve seen of late is the increasingly widespread adoption of fileless attack techniques. These techniques are designed to silently infect target systems without ever downloading malicious programs or leaving behind any obvious trace, primarily by using a victim company’s trusted software and system tools against it. To clarify what actually constitutes a fileless attack and explain how it can work, here are three things every business leader should know: 1 Fileless attacks exploit a fundamental gap in traditional endpoint security Traditionally, attacks involving malware have revolved around attackers gaining access to a victim’s computer (typically by either exploiting a software vulnerability or tricking the victim into downloading something he or she shouldn’t), and then installing an executable file (the “payload”) that does the damage. The problem with this approach from an attacker’s perspective is that antivirus solutions are built to scan and block any suspicious files that land on the computer. By not installing malicious files, however, attackers can simply bypass these solutions. All they need to do is hijack otherwise legitimate system tools and processes to do their dirty work for them.