demonstrating a rootkit attack
15 years 11 months ago #28378
by sose
sose
Network Engineer
analysethis.co/index.php/forum/index
demonstrating a rootkit attack was created by sose
I need to demonstrate a rootkit attack as a CEH instructor. can someone pls give me an attack methodology and where to download a rootkit
thanks
thanks
sose
Network Engineer
analysethis.co/index.php/forum/index
15 years 10 months ago #28824
by sose
sose
Network Engineer
analysethis.co/index.php/forum/index
Replied by sose on topic Re: demonstrating a rootkit attack
need to apply the netstat command to test a rootkit installation
sose
Network Engineer
analysethis.co/index.php/forum/index
15 years 9 months ago #29180
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: demonstrating a rootkit attack
Hi Sose,
You can visit rootkit.com and download Hacker Defender, the AFX rootkit or the Fu rootkit.
All of these will help you demo a rootkit attack. All these rootkits are kernel level rootkits. Fu uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). This makes the process invisible to Windows.
Hacker defender and the others use function hooking. This means that they subvert the functions that Windows uses to query information. Functions that read the disk / registry / process list. They 'hook' these functions and filter their output to remove traces of the rootkit.
Hope that helps,
Cheers,
You can visit rootkit.com and download Hacker Defender, the AFX rootkit or the Fu rootkit.
All of these will help you demo a rootkit attack. All these rootkits are kernel level rootkits. Fu uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). This makes the process invisible to Windows.
Hacker defender and the others use function hooking. This means that they subvert the functions that Windows uses to query information. Functions that read the disk / registry / process list. They 'hook' these functions and filter their output to remove traces of the rootkit.
Hope that helps,
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
15 years 9 months ago #29181
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: demonstrating a rootkit attack
Hi Sose,
You can visit rootkit.com and download Hacker Defender, the AFX rootkit or the Fu rootkit.
All of these will help you demo a rootkit attack. All these rootkits are kernel level rootkits. Fu uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). This makes the process invisible to Windows.
Hacker defender and the others use function hooking. This means that they subvert the functions that Windows uses to query information. Functions that read the disk / registry / process list. They 'hook' these functions and filter their output to remove traces of the rootkit.
Hope that helps,
Cheers,
You can visit rootkit.com and download Hacker Defender, the AFX rootkit or the Fu rootkit.
All of these will help you demo a rootkit attack. All these rootkits are kernel level rootkits. Fu uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). This makes the process invisible to Windows.
Hacker defender and the others use function hooking. This means that they subvert the functions that Windows uses to query information. Functions that read the disk / registry / process list. They 'hook' these functions and filter their output to remove traces of the rootkit.
Hope that helps,
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
15 years 9 months ago #29199
by sose
sose
Network Engineer
analysethis.co/index.php/forum/index
Replied by sose on topic Re: demonstrating a rootkit attack
thank sahir
now I am thinking in semantics and I about fitting the pieces.
I have read about the Fu which uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). which makes the process invisible to Windows.
I tried a debugger to actually see the EPROCEESS block and study literatures about kernel debugging and I found out alot.
let’s look at a program say Microsoft Word which when executed as a process could give birth to other instance of the same process(documents). - document 1(process1),document2(process2) and document 3(process3)
The question now is how comes about process 1, 2 and 3 in Microsoft word, and how does process 1 know what set of resources are been allotted to the program Microsoft Word while executing the program. Actually, it is the Window API functions such as createprocess, ntcreateprocess, createprocessasuser that are responsible for creating process 1, 2 and 3 within the Microsoft Word program. Each Windows process is represented by what we call the Executive Process Block (a.k.a Eprocess). Eprocess block has the ‘attributes’ of the process and other related data structure like Kernel Process Block (KProcess) and Process Environment Block (PEB).
In order to understand all these terms, we need to download a debugging tool for Windows and start windbg.exe in the kernel debugging mode. I used a debugging tool called Livekd .Some of these commands will give you a clear view of the data structure.
dt_Eprocess command gives the Eprocess data structure
dt_Kprocess gives the Kernel Process Block
!process give the address of PEB
When you use a debugging tool to view the kernel process block, you will see fields like:
dispatcher
Resident kernel stack count
Default thread quantum
Thread seed
Attribute field like the image filename and image base address are two field in the Process block that will let process 1, 2 and 3 know the resources used by the Microsoft Word program. Since the createprocess function creates the instances of process 1, 2 and 3 lets now see the stages of the process creation
Stage 1: open EXE and create section object
Stage 2: create Windows Process Object
Stag 3: create Window Thread Object
Stage 4: notify Windows subsystem
Stage 5: start execution of the internal thread
In our example above since Microsoft Word is an executable file in Windows (winword.exe), it is used directly in the createprocess. However if the image is a non windows program createprocess goes through a series of steps to find a Windows support image to run it, then the createprocess calls a second function call ntcreateprocess to create a Windows Process Object which will run the image
sose
have a super week
now I am thinking in semantics and I about fitting the pieces.
I have read about the Fu which uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). which makes the process invisible to Windows.
I tried a debugger to actually see the EPROCEESS block and study literatures about kernel debugging and I found out alot.
let’s look at a program say Microsoft Word which when executed as a process could give birth to other instance of the same process(documents). - document 1(process1),document2(process2) and document 3(process3)
The question now is how comes about process 1, 2 and 3 in Microsoft word, and how does process 1 know what set of resources are been allotted to the program Microsoft Word while executing the program. Actually, it is the Window API functions such as createprocess, ntcreateprocess, createprocessasuser that are responsible for creating process 1, 2 and 3 within the Microsoft Word program. Each Windows process is represented by what we call the Executive Process Block (a.k.a Eprocess). Eprocess block has the ‘attributes’ of the process and other related data structure like Kernel Process Block (KProcess) and Process Environment Block (PEB).
In order to understand all these terms, we need to download a debugging tool for Windows and start windbg.exe in the kernel debugging mode. I used a debugging tool called Livekd .Some of these commands will give you a clear view of the data structure.
dt_Eprocess command gives the Eprocess data structure
dt_Kprocess gives the Kernel Process Block
!process give the address of PEB
When you use a debugging tool to view the kernel process block, you will see fields like:
dispatcher
Resident kernel stack count
Default thread quantum
Thread seed
Attribute field like the image filename and image base address are two field in the Process block that will let process 1, 2 and 3 know the resources used by the Microsoft Word program. Since the createprocess function creates the instances of process 1, 2 and 3 lets now see the stages of the process creation
Stage 1: open EXE and create section object
Stage 2: create Windows Process Object
Stag 3: create Window Thread Object
Stage 4: notify Windows subsystem
Stage 5: start execution of the internal thread
In our example above since Microsoft Word is an executable file in Windows (winword.exe), it is used directly in the createprocess. However if the image is a non windows program createprocess goes through a series of steps to find a Windows support image to run it, then the createprocess calls a second function call ntcreateprocess to create a Windows Process Object which will run the image
sose
have a super week
sose
Network Engineer
analysethis.co/index.php/forum/index
Time to create page: 0.139 seconds