
電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓






Presentation Transcript


  1. 電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓

  2. Rootkit

  3. for Windows by [Bryce Cogswell et al.]

  4. Categories of Rootkits – Windows
     • User-mode Rootkits
     • Kernel-mode Rootkits

  5. User-mode Rootkits

  6. Windows API [wikipedia]
     • The Windows API, informally WinAPI, is the name given by Microsoft to the core set of application programming interfaces available in the Microsoft Windows operating systems.
     • It is designed for use by C/C++ programs and is the most direct way for software applications to interact with a Windows system.

  7. Windows API [developerfusion]
     • As you know, Windows can do lots of things: manage hardware, run programs, display icons. Many of these functions are carried out by DLL files.
     • DLLs (Dynamic Link Libraries) store functions so that other programs can access them.
     • The advantage of using DLLs is that the same file can be accessed at the same time by different programs.
     • The functions stored in the Windows DLLs are called the Windows API.

  8. Native API [wikipedia]
     • Lower-level access to a Windows system, mostly required by device drivers, is provided by the Native API in current versions of Windows.

  9. Windows Library Files -- user32.dll [answers.com]
     • user32.dll is a DLL that implements the Windows User API Client Library.
     • It is a core file for several versions of the Microsoft Windows operating system. If this file is damaged or deleted, the operating system will not work.

  10. Windows Library Files -- ntdll.dll [answers.com]
     • The Native API (with a capital N) is the mostly undocumented application programming interface used internally by the Windows NT family of operating systems produced by Microsoft.
     • Most of these functions are in ntdll.dll and ntoskrnl.exe (and its variants).

  11. User-mode Rootkits – Utilizing Windows APIs
     • A user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories.
     • When an application performs a directory listing that would otherwise return results containing entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove those entries.

  12. API Hooking [craigheffner]
     • In Windows, all applications must communicate with the kernel through API functions; as such, these functions are critical to even the simplest Windows application.
     • Thus, the ability to intercept, monitor, and modify a program's API calls, commonly called API hooking, effectively gives one full control over that process.
     • This can be useful for a multitude of reasons, including debugging, reverse engineering, and hacking.

  13. Intercept API Calls
     • While there are several methods which can be used to intercept, monitor, and modify a program's API calls, one of them is DLL redirection.

  14. DLL Redirection [craigheffner]
     • Since an executable imports API functions from DLL files, DLL redirection allows us to tell a program that the DLLs it needs are located in a different directory than the originals; in this way we can create a DLL with the same name as the original, which exports the same function names as the original, but each function may contain whatever code we like.

  15. User-mode Rootkits – Utilizing Windows Native APIs
     • More sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API.
     • This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a Native API enumeration.

  16. Registry [Microsoft]
     • A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 to store the information necessary to configure
       • the system for one or more users,
       • applications, and
       • hardware devices.
     • Registry data is stored in binary files.

  17. Information Contained in the Registry [Microsoft]
     • The Registry contains information that Windows continually references during operation, such as
       • profiles for each user,
       • the applications installed on the computer,
       • the types of documents that each can create,
       • property sheet settings for folders and application icons, and
       • what hardware exists on the system and the ports that are being used.

  18. Description of the Registry [Microsoft]
     • The Registry replaces most of the text-based .ini files used in Windows 3.x and the MS-DOS configuration files, such as Autoexec.bat and Config.sys.
     • Although the Registry is common to several Windows operating systems, there are some differences among them.

  19. What Does the Registry Look Like? [Tim Smith]
     • The Registry is stored on your hard disk in several files, but the only way to look at it and make changes is to use the regedit program.
     • To access this, click on the Start button and then on the Run option.
     • Type regedit into the box that appears and press Enter.
     • This will launch regedit and you will now have your first sight of the Registry.

  20. Organization of the Registry [Tim Smith]
     • The Registry is organized much like the files on a disk and will look familiar if you have ever used the Folders view in Windows Explorer.
     • In the Registry, however, these folders are called keys.
     • To open a key, simply click on the small plus (+) symbol next to it. You will then see that each key contains either more keys - called subkeys - or values.

  21. Key Overview [Tim Smith]
     • The keys are organized logically, but there are thousands of them, which can be daunting the first time you sneak a peek at the Registry.
     • To simplify things, be aware that there are five root keys, and these are the basic building blocks of the Registry.

  22. Predefined Keys [Microsoft]
     • The following are the predefined keys used by the system:
       • HKEY_CURRENT_USER (abbr. HKCU)
       • HKEY_USERS (abbr. HKU)
       • HKEY_LOCAL_MACHINE (abbr. HKLM)
       • HKEY_CLASSES_ROOT (abbr. HKCR)
       • HKEY_CURRENT_CONFIG (abbr. HKCC)
     • The maximum size of a key name is 255 characters.

  23. Key Value [wikipedia]
     • Each of the predefined keys is divided into subkeys, which may contain further subkeys, and so on.
     • Any key may contain values. These values can be:
       • String Value
       • Binary Value (0s and 1s)
       • DWORD Value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [2^32 – 1])
       • Multi-String Value
       • Expandable String Value

  24. Key Hierarchy [wikipedia]
     • Each key has a default value, which is in effect a value with the same name as the key.
     • Registry keys and values are specified with a syntax similar to Windows filenames, using backslashes to indicate levels of hierarchy.
     • E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE key.

  25. Example (1) HKCU has subkeys and values. By pressing the + before the HKCU you can see its subkeys.

  26. Example (2)

  27. Key Specifying Applications to Run When a User Logs In [wikipedia]
     • HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and the HKCU equivalent) specifies applications to run whenever a user logs in.
     • These can include desirable programs, such as printer monitoring programs or frequently used tools, but a lot of malware uses this registry key to ensure it is automatically run.
     • This key is a good place to start looking for evidence of malware if you think your computer has been infected.

  28. Example

  29. Spyware and the Registry [Tim Smith]
     • Spyware often installs values in the Registry to make sure that it is launched to monitor your computer when Windows starts up.
     • When looking for advice on how to remove these programs you may be told to edit the Registry.
     • Always make sure that the advice is coming from a trustworthy source such as Registry Guide for Windows or Systweak.com.
     • Sometimes the spyware also installs a small program to monitor the Registry and replace keys that you delete, so you should use software such as Spybot Search and Destroy to clean your computer entirely.

  30. Kernel-mode Rootkits

  31. Kernel-mode Rootkits
     • Kernel-mode rootkits can be even more powerful since, not only can they intercept the Native API in kernel mode, but they can also directly manipulate kernel-mode data structures.
     • A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.

  32. Rootkit Techniques by [Ivo Ivanov]

  33. Techniques Involved
     • Step 1: Injecting Techniques
     • Step 2: Interception Mechanisms

  34. Injecting Techniques [Ivo Ivanov]

  35. Injecting Techniques
     • Method 1: Registry
     • Method 2: Global Windows Hooks
     • Other Methods (omitted in this lecture)
       • Injecting a DLL by using the CreateRemoteThread() API function
       • Implanting through BHO add-ins
       • MS Office add-ins

  36. Inject by Registry

  37. Inject a DLL into Processes
     • In order to inject a DLL into processes that link with USER32.DLL, you can simply add the DLL name to the value of the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
     • Its value contains a single DLL name or a group of DLLs separated either by commas or spaces.
     • According to the MSDN documentation, all DLLs specified by the value of that key are loaded by each Windows-based application running within the current logon session.

  38. Invoke Registry Editor

  39. Select the Appropriate Key

  40. Edit the Selected Key

  41. Load USER32-Related DLLs
     • It is interesting that the actual loading of these DLLs occurs as part of USER32's initialization.
     • USER32 reads the value of the registry key mentioned above and calls LoadLibrary() for these DLLs in its DllMain code.
     • Restrictions:
       • This trick applies only to applications that use USER32.DLL.
       • Another restriction is that this built-in mechanism is supported only by the NT and 2K operating systems.
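Slides 27 and 37 name the two registry locations a responder checks first: the Run keys and the AppInit_DLLs value. The following Python is an added example, not part of the lecture or any of the cited sources: it parses a regedit .reg export (the constructed SAMPLE text below stands in for a real one), lists every Run entry, and splits AppInit_DLLs on commas or spaces exactly as slide 37 describes the value. The key paths and the sample values are assumptions made for illustration.

```python
import re

# Autostart locations from the slides: the HKLM Run key, its HKCU equivalent, and
# the key holding AppInit_DLLs. Registry key names are compared case-insensitively.
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data
def _unescape(s):  # .reg exports write \ as \\ and " as \" inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Return {key: {value_name: data}}; REG_SZ data is decoded, other types kept raw."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def split_appinit(value):
    # Slide 37: "a single DLL name or group of DLLs separated either by comma or spaces"
    return [p for p in re.split(r"[,\s]+", value) if p]

def audit(text):
    """List every Run entry and every AppInit_DLLs module found in the export."""
    by_upper = {k.upper(): (k, v) for k, v in parse_reg_export(text).items()}
    result = {"run": [], "appinit_dlls": []}
    for run_key in RUN_KEYS:
        key, values = by_upper.get(run_key.upper(), (run_key, {}))
        result["run"] += [(key, name, cmd) for name, cmd in values.items()]
    for name, data in by_upper.get(APPINIT_KEY.upper(), (None, {}))[1].items():
        if name.upper() == "APPINIT_DLLS":
            result["appinit_dlls"] = split_appinit(data)
    return result

# Constructed sample export (not from a real machine): two Run entries, two AppInit DLLs.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"updater"="C:\\Users\\Public\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Temp\\hook.dll, extra.dll"
'''
```

Feed `audit()` the text of an export taken with `regedit /e` and compare each Run command and AppInit DLL path against what you expect to be installed.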

  42. Shortcomings
     • In order to activate/deactivate the injection process you have to reboot Windows.
     • The DLL you want to inject will be mapped only into those processes that use USER32.DLL, so you cannot expect to get your hook injected into console applications, since they usually don't import functions from USER32.DLL.
     • On the other hand, you don't have any control over the injection process. It means that the DLL is implanted into every single GUI application, regardless of whether you want it or not. This is a redundant overhead, especially if you intend to hook only a few applications.

  43. Inject by Hooks [Chris Cummings]

  44. What Are Hooks?
     • Put briefly, a hook is a function you can create as part of a DLL or your application to monitor the 'goings on' inside the Windows operating system.
     • The idea is to write a function that is called every time a certain event in Windows occurs –
       • for example, when a user presses a key on the keyboard or moves the mouse.
     • Hooks were provided by Microsoft primarily to help program writers with the debugging of their applications, but they can be put to use in many different ways –
       • for example, to write a hidden key-logging program to find out other users' passwords to the internet!

  45. Types of Hooks
     • There are two types of hooks - global or local.
     • A local hook is one that monitors things happening only for a specific program (or thread).
     • A global hook monitors the entire system (all threads).
     • Both types of hooks are set up in the same way, the main difference being that for a local hook the function to be called can be within the program it is monitoring, but with a global hook the function must be stored in and loaded from a separate DLL.

  46. Hook-related Functions

  47. The SetWindowsHookEx Function
     • SetWindowsHookEx is the function provided by Microsoft to install a hook. It accepts the following arguments:
     • SetWindowsHookEx returns a handle (i.e. an identifier) for the current hook, so you can use UnhookWindowsHookEx to remove the hook later on.

  48. SetWindowsHookEx Example [Michel Leunen]

      #include <windows.h>

      // Hook function (callback procedure) declaration
      LRESULT CALLBACK MouseProc(int code, WPARAM wParam, LPARAM lParam);

      // Global variables
      HHOOK HookHandle;
      HINSTANCE DllInstance;   // module handle of the DLL that contains MouseProc (set in DllMain)
      bool IsInRect = false;

      bool InstallMouseHook()
      {
          // Thread id 0 makes this a global WH_MOUSE hook, so MouseProc must live in a DLL
          HookHandle = SetWindowsHookEx(WH_MOUSE,
                           reinterpret_cast<HOOKPROC>(MouseProc), DllInstance, 0);
          return HookHandle != NULL;
      }
      //--------------------------------------------------------------------
      bool RemoveMouseHook()
      {
          return UnhookWindowsHookEx(HookHandle) != 0;
      }
      //--------------------------------------------------------------------
      // Minimal hook procedure: passes every mouse event on to the next hook in the chain
      LRESULT CALLBACK MouseProc(int code, WPARAM wParam, LPARAM lParam)
      {
          return CallNextHookEx(HookHandle, code, wParam, lParam);
      }

  49. Types of Hooks Used in the idHook Parameter of a Hook Function
     • Types of hooks appearing in a hook function.

  50. The Hook Function
     • The hook function is the procedure to be called by Windows when the event we specify happens. A hook for any event always takes the same form, but the values passed to it by Windows can mean different things.
     • For example, if the hook is of type WH_KEYBOARD, Windows will pass it information relating to which key was pressed. Your hook procedure should accept the following arguments:
     • A hook function returns a value of type longword. What you should set it to depends on the type of hook, or you can just set it to the value that CallNextHookEx returns.
