Friday, May 17, 2013

Rootkits Part 2 - Windows kernel overview

Now I know I said I was going to write about how rootkits work for this post, but I figured it would be better to get an understanding of the Windows Kernel and then just get right to it and write a simple rootkit.

Through writing the rootkit you will gain an understanding of how they work, which is better than just reading about it. But first things first: you must have an understanding of the Windows kernel.


I'm sure most of you have an idea of what the kernel is from previous posts, but just to reiterate: the kernel is the core of an OS, whether it be Windows, Linux or Mac OS X, and even mobile OSs.

Windows Architecture:

In the Windows architecture diagram above we can see the split between User Mode and Kernel Mode.

From Microsoft Technet:
A Pentium microprocessor has four privilege levels, also known as rings, that control such things as memory access and access to certain sensitive CPU instructions (such as those related to security). Every thread executes at one of these privilege levels. Ring 0 is the most privileged level, with complete access to all memory and CPU instructions. Ring 3 is the least privileged level.
In order to maintain compatibility with non-Intel systems, the Windows operating systems support only two levels of privilege--Ring 0 and Ring 3. When a thread is running in Ring 0, it is said to be in kernel mode. When a thread is running in Ring 3, it is said to be in user mode. Low-level operating system code executes in kernel mode, whereas, in general, user application code runs in user mode.
Note that an application thread will switch from user mode to kernel mode when making certain API function calls that require a higher privilege level, such as those that involve accessing files or performing graphics-related functions. In fact, some user threads can spend more time in kernel mode than in user mode!
However, when the kernel mode code is completed, the user thread is automatically switched back to user mode. This prevents the programmer from being able to write instructions that run in kernel mode--the programmer can call only system functions that run in kernel mode.
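One way to see the user mode / kernel mode split described in that TechNet excerpt on a live system, as an added example that is not part of the original post: PowerShell's Get-Process exposes each process's accumulated user-mode time (UserProcessorTime) and kernel-mode time (PrivilegedProcessorTime), so the share of CPU time a process has spent in ring 0 can be computed directly. The function name Get-KernelTimeShare is my own choice for this example; processes whose counters cannot be read from a non-elevated session are skipped rather than aborting the run.

```powershell
# Added example (not the original post's code): compute, per process, what share of
# its CPU time so far was spent in kernel mode (ring 0) rather than user mode (ring 3).
# Get-KernelTimeShare is a name chosen for this example.
function Get-KernelTimeShare {
    param(
        [int]$Top = 10   # how many processes to return, highest kernel share first
    )

    Get-Process | ForEach-Object {
        try {
            # Both counters are TimeSpans accumulated since the process started.
            $user   = $_.UserProcessorTime.TotalMilliseconds
            $kernel = $_.PrivilegedProcessorTime.TotalMilliseconds
        } catch {
            # Protected or other-user processes refuse access from a
            # non-elevated session; skip them instead of aborting.
            return
        }
        $total = $user + $kernel
        if ($total -le 0) { return }   # nothing measured yet for this process

        [pscustomobject]@{
            Name        = $_.ProcessName
            Id          = $_.Id
            UserMs      = [math]::Round($user)
            KernelMs    = [math]::Round($kernel)
            KernelShare = [math]::Round($kernel / $total, 2)   # 1.0 = all time in ring 0
        }
    } |
    Sort-Object -Property KernelShare -Descending |
    Select-Object -First $Top
}

Get-KernelTimeShare -Top 15 | Format-Table -AutoSize
```

The System process (PID 4) and processes doing heavy file or network I/O sit at the top of the output, which is the TechNet point in numbers: the thread's own code runs in ring 3, but the file, network and graphics work it requests through the API is executed, and accounted for, in kernel mode.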

Some of the core services provided by the kernel include process management, memory management, the I/O manager, the cache manager, the scheduler, the security reference monitor, Lightweight Procedure Call and others. So what exactly do these services do?

  • Process management, as you might imagine, manages process and thread creation.
  • The memory manager deals with virtual addresses, page faults, physical frames and pagefile management.
  • The I/O manager deals with Plug and Play as well as power management; it also maps user requests into I/O request packets (IRPs), implements services for drivers, and configures and manages I/O devices.
  • The cache manager deals with file-based caching to buffer file system I/O and is built on top of the memory manager.
  • The scheduler schedules thread execution on each processor.
  • The security reference monitor handles token management and access checks.
  • Lightweight Procedure Call deals with user mode system services and native RPC.

Kernel Organization:

The kernel is organized into roughly three main parts:

NTOS (kernel mode services) - these include the runtime library, scheduling, service execution, object management, I/O services, memory and processes. There is more to it than that, but the full list is overwhelming.

Hardware Abstraction Layer (HAL) - insulates NTOS and drivers from hardware dependencies. It also provides device access, timers, interrupt servicing, clocks and spinlocks.

Drivers - these are kernel extensions and are mainly for device access.

OK, that will be it for this post. I hope it gave you a decent understanding of the kernel, a little knowledge of how it is organized and some of its services. We will learn more about the kernel and what we can do with it as we progress and start building rootkits.

If you want to read up on the Windows kernel, just Google search or check out some of the links below.

Rootkits Part 1 - Types of rootkits

Alright this should be a fairly short post to give you a basic understanding of the various types of rootkits.

If you haven't read the first part of the blog series I would suggest you do so. It can be found here.

Let's begin --->

So rootkits come in a few different types and each has its own set of things it can and cannot do.

Types of rootkits:

  • User Mode rootkits
  • Kernel Mode
  • Bootkits
  • Hypervisor
  • Firmware

User Mode:

User mode rootkits live at the application level, so they run with the same permissions as most applications and do not have direct access to the kernel. These rootkits can patch standard APIs to modify and hook other applications, thus changing their behavior.

Kernel Mode:

Kernel Mode rootkits run at the kernel level and are thus able to do basically whatever they want. These live in ring 0 and usually come in the form of device drivers (Windows) or loadable modules (*nix). If the rootkit has a bug of any kind it can crash the system or cause an issue that may lead to the rootkit's discovery. That being said, these are harder to detect, as they run at the same level as the OS and can subvert some of the OS's operations.
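Since a Windows kernel-mode rootkit normally arrives as a driver (and the kernel overview above lists drivers as the kernel's extension mechanism), a first triage step from the defender's side is to look at which drivers are actually running and whether each image carries a signature that verifies. The following PowerShell function is an added example, not code from the original post; the name Get-UnverifiedRunningDriver is my own, and it assumes an elevated session so that every driver image on disk is readable.

```powershell
# Added example (not the original post's code): list running kernel drivers whose image
# is missing, unsigned, or fails signature verification. Run from an elevated session.
# Get-UnverifiedRunningDriver is a name chosen for this example.
function Get-UnverifiedRunningDriver {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver is the Service Control Manager's view of kernel drivers.
    $running = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' }

    foreach ($drv in $running) {
        $path = $drv.PathName
        if (-not $path) {
            [pscustomobject]@{ Name = $drv.Name; Path = $null; Status = 'NoPath'; Signer = $null }
            continue
        }

        # PathName comes in several forms: a plain path, \??\C:\..., \SystemRoot\...,
        # or a path relative to %SystemRoot% such as system32\drivers\foo.sys.
        $path = $path.Trim('"') -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'ImageMissing'; Signer = $null }
            continue
        }

        # Authenticode check: embedded signature, or a catalog signature on recent Windows.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name   = $drv.Name
                Path   = $path
                Status = $sig.Status            # NotSigned, HashMismatch, UnknownError, ...
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
}

Get-UnverifiedRunningDriver | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict. On older Windows releases many inbox drivers are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so compare the list against a known-good host of the same build. The opposite limitation matters more for this series: because a kernel-mode rootkit runs at the same level as the OS, it can subvert the very views this script relies on, so an empty result does not prove the system is clean, which is exactly why the post calls these harder to detect.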


Bootkits:

Bootkits are a different form of kernel mode rootkit. They are usually used to replace the bootloader and attack encryption keys using what is called the "Evil Maid Attack". These are becoming common among cybercriminals and are used to lock a user out of their system and demand a ransom to regain control.


Hypervisor:

These rootkits run at ring -1 and are virtualized, so they have a higher privilege level than even ring 0 rootkits (Kernel Mode). "A hypervisor rootkit does not have to make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be detected by the guest operating system. For example, timing differences may be detectable in CPU instructions." ~ Wikipedia


Firmware:

These rootkits are based in the firmware of chips, or in the hardware. They are extremely hard to detect because firmware code isn't normally inspected for rootkits, and yes, these rootkits have been seen in the wild. They can hide in the NIC, hard drive, system BIOS or wherever else. The new EFI that replaced the BIOS even has a rootkit for it already, called "Dreamboot".

So now you have an idea of the different types of rootkits that are out there, this is just to give you a quick understanding of them.  We will mainly focus on User and Kernel Mode rootkits, maybe venture into hypervisor rootkits who knows.

Next up we will dig a little more into how rootkits work.

Feel free to leave feedback in comments or drop me a line on Twitter.

Thursday, May 16, 2013

Rootkits Part 0 - What, Why and Who

Sure you have heard about rootkits before and recently there have been a few advanced rootkits in the news, but do you know how they are used, why, or how they can be detected? For most people the answer is no, and if you are someone who is interested in writing rootkits or just want to learn more about them I hope you find this series interesting and informative.

Keep in mind this series is for educational purposes only and to promote infosec education through hands on learning, if you use this info in any illegal way I am not responsible for your actions.

Let's dig in and explain WTF a rootkit is, who uses them and some basic usage.

What is a rootkit?

The term "rootkit" has been around for a while (10+ years). You can think of a rootkit as basically a set of programs that allow an attacker to remain undetected in a system and maintain root access.

As our good friend Wikipedia puts it:
"A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."

The thing is, rootkits for the most part are not actually malicious; the intent may be, but the code itself isn't.

Rootkits are used by "Good" and "Bad" guys alike: many companies run rootkit technology on their systems to monitor things, law enforcement uses them sometimes, and "rootkit" technology has many other legitimate uses beyond what you hear in the news or usually think of when you hear the word rootkit.

So now we have an idea, to an extent, of what a rootkit is. Now you may be wondering why someone would use them and what some legitimate uses would be. I'll attempt to answer that now; if anything is unclear, use your good friend Google or drop me a line.

Why rootkits?

Rootkits are mainly used to maintain access to a system and remain undetected. You may be thinking, well, isn't that the point of a trojan and other malware (RATs, backdoors, etc.)? Well, yes and no. Rootkits are made specifically to hide the activity of your malware and to maintain a high level of access, as mentioned earlier; of course they can be tailored to your needs just like malware. Keep in mind that if you just want to get in, steal data and get out without a trace, a rootkit may not be the best option: most of the time you will leave your rootkit behind, and it may eventually be detected and could lead back to you or your operation (unless you are able to wipe it).

Rootkits have, for the most part, two main functions: they can be used for remote command and control and/or for software eavesdropping. There are many things you can do with rootkits, but these are the most common functions as of now.

Remote Control:

Think of this as having the ability to control the remote system, this could be a command shell, sending commands, controlling files, and many other things we will go into later.

Software Eavesdropping:

This is basically as it sounds: you can sniff network traffic, log keystrokes, gather passwords and crypto keys, and just watch what a user is doing. This is very useful for gathering intelligence for further exploitation of other systems on the network and a whole plethora of other things, good or bad.


As we have mentioned, there are legitimate uses for rootkits. Law enforcement agencies may use them to "bug" a suspect's computer system to gather evidence of CP, music and software piracy, computer trespass and other computer related "crimes".

Nation states may use rootkits for military purposes. You can think of Stuxnet as a hybrid malware: it used a rootkit-like component to remain undetected in systems. Most of the major advanced attacks seen most likely used some sort of rootkit-like functionality to remain hidden and undetected in the target systems.

I'm sure you can think of the illegitimate uses of rootkits on your own, but I'll just throw out some examples of how it has been used by nation states, cyber criminals and others.

The following is a list of "legit" and not so legit uses: (these all have some sort of rootkit like component and/or functionality)

  • GhostNet
  • Zeus
  • Magic Lantern (FBI)
  • Aurora (china?)
  • Stuxnet
  • Flame
  • Red October
  • Avatar Rootkit
  • Spyeye (actually had a component to kill Zeus)

The list goes on and on.

As you can see, rootkits are used not just by cyber criminals; as mentioned, nation states use them for cyber espionage and other operations, military and civilian. There are even companies that sell rootkits legitimately used as monitoring software.

So we now have an idea of what a rootkit is, who may be using it and some basic uses for a rootkit.

That's all for this post. I tried to keep it short and simple; we will go into more detail on uses and will eventually write a simple rootkit for our good friend Windows, and maybe *nix, in later posts. Feel free to give me feedback, and if I missed something or got some detail wrong let me know. As always, suggestions are encouraged.

Next post we will discuss the different types of rootkits.


Greetz to u all

I will be writing a short multipart tutorial series about rootkits.

What I hope to cover:

+ What a rootkit is
+ Types of rootkits
+ How they are used by attackers
+ Building a simple rootkit (possibly going more advanced later on)
+ How to identify rootkits on a system
+ Some other stuff I haven't thought of yet

Suggestions are welcome, just drop a comment, email me or find me on Twitter.

Twitter: @Es07er1K

Should have the first post up soon.