

Genesys 0.1

Last time I made a brief incursion into the rootkit universe by making a small modification to the FU rootkit. This time, instead of modifying a publicly available rootkit, I’ll cover a step that most rootkits with a kernel component share: a kernel mode driver. Building a kernel driver skeleton (like the one we will cover here) doesn’t require any dark-foo-ninja-skill but certainly makes for an interesting experience.


Posted in Rootkits.



Pay no attention to that man behind the curtain…

For the last couple of months I’ve been playing with rootkits, and today I’ll cover one of my recent ramblings. This time around I’ll show you how I updated Jamie Butler’s FU rootkit to make it work under Windows 7. FU was released in 2005 as a PoC (Proof of Concept) to show how, instead of using function detours or API hooking, an attacker might go directly to the lowest layers of the OS and manipulate kernel objects directly. As its description acknowledges:

“The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!) All this without any hooking.”

This technique was branded Direct Kernel Object Manipulation (DKOM). By manipulating structures within the OS kernel, the attacker has full control over how the system behaves and, besides subverting the system from its roots, can compete on even terms with the kernel mode components that most AV systems include these days.


Posted in Rootkits.



Happy Birthday MoreNOPs!

Although with a one day offset, today we celebrate MoreNOPs’s first birthday. Even though this little project began in May 2008 on a modest Blogger platform, it wasn’t until October 21st 2008 that this whole domain came to life. I’ve learned a lot during this year and I hope this tiny project will continue to serve as a small internet footprint of what a security enthusiast can achieve with a little dedication. Veteran readers will notice that alongside blowing out candles, I changed the blog theme to something more comfortable and stylish named ‘Stunning Silence’. All the design credit goes to Brandon Wang and the folks at Wordpress.org.

While I’ve got a couple of ideas already on the way, I notice I haven’t posted in a while. Partly because I’ve been reading Bill Blunden’s masterpiece The Rootkit Arsenal, which made me think of stealth malware as a pretty cool area to take a look at in the future :-). Also, I’m now back at university full time, which means I’m usually quite damn busy. Let’s hope I can sneak some time to keep meandering around properly!

Then, all in all, I’ll personally enjoy a happy (no pun intended) birthday, which I extend to everyone who ever found something I posted here interesting or contributed somehow to the project! See you around fellas! :-]

Posted in Books, Community.



Advanced Windows Buffer Overflows: Take #3

Yet another warm summer day in the Basque Country and yet another refreshing take on VRT’s very own awbo challenges. Today we will unveil a possible solution for the 3rd test, a.k.a. awbo4. The rules here remain the same as in the others: no NOP sleds, no static stack return addresses. If we feed the binary to IDA we will straightforwardly notice that the binary itself doesn’t look too complex. In the main function it just calls one function at 0x00401050, which further analysis will show to be a wrapper that reads user input from stdin. I want to mention at this point that my lack of reversing skills got me so stuck on understanding how file input was read that I lost a couple of reversing sessions just on that, until finally Olly’s handle list enlightened me.


Posted in Community, Exploits, Reversing.
