Rootkits: Subverting the Windows Kernel

nazarijo (Jose Nazario) writes "A group of people out there, let's call them 'elite hacker d00ds,' are able to skillfully craft Windows rootkits that evade almost any known detection system. Some people want to know how this is done, be they aspiring elite hackers, security professionals who have to try and find these rootkits, or just interested parties. If you're one of them, Grog Hoglund and James Butler's new book, Rootkits: Subverting the Windows Kernel is for you. It's focused like a laser on how to defeat detection at various levels in the Windows OS once you're in." Read on for the rest of Nazario's review.

Rootkits: Subverting the Windows Kernel
author	Grog Hoglund and James Butler
pages	352
publisher	Addison-Wesley Longman
rating	9
reviewer	Jose Nazario
ISBN	0321294319
summary	A highly technical tour of how to develop and detect Windows rootkits

Some may wonder if Hoglund and Butler are being irresponsible by writing a book that shows you how to bypass detection. If you look closely, however, you'll see that all of the methods they outline are detectable by current rootkit revealing mechanisms. And they also show you how to detect many new rootkits in the process. I consider this book to be a responsible contribution to the community, professionals and amateurs alike, in the finest tradition full disclosure.

The book is organized into three major sections, even if it's note explicitly marked as such. The first section serves as an introduction to the topic and some of the high level concepts you'll need to know about Windows, control mechanisms, and where you can introduce your code. The second part is a highly technical tour of the techniques used to hook your rootkit in and hide it, And the third section is really one chapter covering detection of rootkits.

The first few chapters, which serve to introduce the topic, get technical right away. Chapter 2, for example, shows you some basic mechanisms for hooking in your rootkit. If you're getting lost at this point, you'll want to probably augment your reading with a Win32 internals book. The resources listed by the authors, though, are great. By this point you can also see that the writing is clear and the examples contribute perfectly to the topic. Hardware hooking basics are covered in chapter 3, which should give you some indication of the book's pace (quick!).

By the time you get to chapter 4 and discussing how to hook into both userland and the kernel, you're getting at some very valuable material. Although the book focuses on kernel hooking, a brief description of userland hooking is provided. Chapter 5 covers runtime patching, a black art that's not well known. This is almost worth the full price of admission, but the material gets even better.

In chapters 6-9 you get into some serious deep voodoo and dark arts. In these chapters you'll learn the basics of direct kernel object manipulation, layered device drivers (which can save you a lot of work), hardware manipulation, and network handling. All of these are techniques used by rootkit authors to varying degrees and effect, so you should become familiar with them. The code examples are clear and functional, and you'll learn enough to write a basic rootkit in only about 150 pages. Simple keyboard sniffers and covert channels are described in the code examples. Useful stuff.

I can't say I found many errors or nits in the book. There's some problems at times getting the code formatting just right, and what appear to be a few stray characters here and there, but nothing too obvious to me. Then again, I'm not a Windows kernel programmer, so I don't feel qualified to comment on the correctness of the code.

In the finest tradition of using a blog and dynamic website to assist your readers, the authors have set up rootkit.com, which nicely supplements their book. Most of the resources they mention in the book are available here, as well as a great array of contributors and evolving techniques. Without the book the site is still useful, but together they're a great combination. Too many books lose their value once you read them, and some books stay with you because you're having difficulty understanding the authors. Rootkits will stay near you while you develop your skills because it's a lot of material in a small space, and although it's very clearly written, there is a deep amount of material to digest. You'll be working with this one for a while.

My only major wish for this book is for it to have covered detection more significantly. One chapter covers how to detect rootkits, and although you may be able to look for some specific telltale signs of rootkits depending on how they were introduced, a more complete coverage of this approach would have made the book even more worthwhile.

Rootkits is an invaluable contribution in the wider understanding of advanced attack and hacker techniques. Previously, much of this material was known to only a handful of people, and assembling your own knowledge base was difficult. Hoglund and Butler write clearly, use great code examples, and deliver an excellent book on a high technical and specialized topic. If you're interested in learning how to write your own rootkit or detect someone else's rootkit on your system, you should definitely start with this book.

---

You can purchase Rootkits: Subverting the Windows Kernel from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

It is an interesting book

[confusion]

Hopefully the hax0rs are not the only ones reading this. There are some valuable lessons for MS and security providers.

Jerry
http://www.cyvin.org/ [cyvin.org]

My opinion

[Umbral Blot]

I own this book and I thought it was great. I am not a rootkit creator, but I am woking with drivers, and the information this book gives is great for a driver developer. This book is very straight forward and understandable, even for someone with little driver experiance, unlike many resources for driver developers. Also it gives actual source code to illustrate concepts, unlike many books which spend too much time covering concepts and too little getting those concepts to do actual work for you.

Wow

[ryanr]

I don't think I've ever seen Jose be so complimentary about a book before. Nice job, guys. I have the book as well, and I like what I've seen so far, but I haven't read enough yet to comment meaningfully.

I will point out though that the rootkit.com site has been around for a few years now, and obviously predates the book. In fact, I hope the book will explain in greater detail a lot of the technical topics from the site that are often only presented via code.

Re:I wonder...

[ndansmith]

If they are not banned outright, don't be suprised if your FBI file is augmented when you check this book out from the library.

Fat bloated kernels

[drgonzo59]

The lesson in this article should be also that there is something wrong with the Windows kernel if there can be written whole books about how to make rootkits for it. The same can go for the Linux kernel. (Yeah that's right, I bashed _the_ penguin on the head, mod me down!)

Kernels are so big and bloated that there is almost %100 chance of there being some exploitable whole in them. If the "good hackers" discover it, it will be patched, if the "bad hackers" discover it, they will make rookits.

A lot of the code that is not tested and buggy is in the drivers, and I don't understand why do current operating systems still have drivers that are run in the kernel instead of in the user space. The machines are fast enough to switch contexts between the display, mouse, sound, disk and communication with the ports. The kernel should be very small and only implement the security policies and handle communications between devices. If the hacker manages to exploit a hole in the display driver, the driver will not crash the system. These are called secure microkernels or separation kernels. I think the present 4Ghz machines can hangle a %10 slowdown at the expense of say, %80, improved security. In 18 months, the speed will double anyway ;)

Check out this [nist.gov]paper from NIST that talks about this. Also, more general info about it here [acumeninfo.com]

Shameless plug

[republican gourd]

Since its vaguely on topic, and I'd like feedback if I can get it, here is some shameless whoring for a Free rootkit detection program I wrote:

Heres the URL [elifulkerson.com]

This is a multithreaded script that establishes socket connections between the threads and tries to pass a keyphrase between them. The assumption is that even if windows is compromised, a successfull TCP connection will indicate that the port is really not in use, regardless of what netstat says. Unless a rootkit is slick enough to make multiple programs share a port regardless of SO_REUSEADDR, this should catch it. The drawback, unfortunately, is that it can take a significant amount of time to scan 65,000 odd ports in this manner. Anyway, its GPL, so have at it.

The need for ROM kernels

[G4from128k]

The core problem with detecting a rootkit is that the detection software would seem to need to run inside the infected codespace. Unless the detector is 100% self-contained (e.g., involves NO calls to OS API during the detection process) the detector is itself detectable and defeatable by a skilled rootkit. Since invoking any software on a running system means calling APIs of that system (to read the executable, spawn a new process, etc.) and those APIs are not trustworthy on a rooted system, detection seems like a tricky problem.

The solution is either to boot the detector from its own media (inconvenient if you want to scan your system for rootkits on any regular basis) or to create a ROM core to the OS that is totally incorruptible. To be safe, this core needs to be not patchable or modifiable by any software running outside the ROM.

The point is that no computer can trust code fragments stored of writable media. The only way to really secure a system is with hardware (i.e., functionality embedded in a chip) or ROM-based software.

Moving to ROM isn't without its challenges. The writers of the code will actually need to be very good at their jobs because they won't be able to fix the problem later with a simple patch. But maybe the core of an OS should be this way -- based on very well-written code that does not need patching.

Re:Although good for security experts,

[g0bshiTe]

I doubt it would do them much good, I suppose you would have to have more technical knowledge than the average script kiddie to make effective use of this title.

Not to mention know how to read.

Linux is NOT UNIX!

[Anonymous Coward]

Linux isn't the only kernel, *cough* (UNIX Clone) that has or can have rootkits, other UNIX(tm) variants too - including FreeBSD and somewhat possible on OpenBSD; but Linux being the most common for such in-securities by clueless admins running clueless windows-like/wannabe Linux distros. Odd that they call this a 'rootkit' for MS Windows though, doesn't make sense as there is no 'root' user by default in MS Windows.

-Linux, for those who hate MS.

-*BSD, for those who love UNIX.

Re:Rootkit Sleuthing IRL

[Monstard]

Wow, I read up on rootkits. Amazing. And hacker defender reads like a manifesto on hacking PCs.

As I Mac user I keep hearing about how much more secure Macs are than PC's, and sort of believe that. But in reality, what is the true security of a Mac vs. a PC? I mean, I *want* to believe I have the more secure system, but complacency is the surest way to hack a system. So, anybody know the real deal.

If a Mac hacker was as motivated as any PC hacker, could a rootkit like hacker defender be installed just as easily on a Mac?

Re:Fat bloated kernels

[drgonzo59]

The point of the post of was that in 1992 the top of the line might have been 60MHz machines, now you can overclock a pentium to 6Ghz, so we are talking about 100x speedup. The bus+memory didn't speed up as much, but still it many times faster. So in 1992 you couldn't do context switches fast enough, today you can and you might not notice much of a difference.

The problem is that people do want performance, but after their box gets rooted and their hard drive erased, they tend to change their priorities. I sure could have lived with a 10% slowdown and play Quacke at 90 fps instead of 100 fps if that meant that I had a more secure OS and my box did get rooted.

In 1992 for Linus, performance was very important. I don't think he anticipated the popularity of Linux and that one day people would be using it on their desktops and they will be connected to the net, and script kiddies will turn them into zombies.

But it is not 1992 anymore and I think it is time to reconsider. Security is becoming more and more important and slowdown can be compensated by just buying a faster CPU next year.

Re:Fat bloated kernels

[SLi]

(no, 20% efficiency/speed lost is NOT an acceptable loss)

I've been wondering about this. In a huge number of cases I would gladly swap 20% or even 50% of the speed for absolute guaranteed security. And in my opinion in lots of cases it would be the obviously correct choice (if there was such a choice, that is). What makes people value their security so little?

Re:Fat bloated kernels

[grozzie2]

The kernel should be very small and only implement the security policies and handle communications between devices.

This is all fine and dandy in theory, but, out here in the real world, device drivers still have to talk to hardware directly. When a device driver sends commands to hardware that will effectively pre-empt data bus operations at the hardware level (outside of cpu control), you have to sit back and go 'gotta trust the driver code'. Unless the kernel has full knowledge of the consequences of all hardware i/o operations, it's really pointless to run it thru a mapping layer so that the kernel actually does the io on behalf of a higher level program.

I remember once many years ago, somebody showing me a shiny new install of WindowNT, and they were telling me it was a secure, crash proof box. I chuckled, and took a look at some of the installed hardware. I then proceeded to sit down, start 'debug', write a value to one video port, and another value to another video port. Screen went blank, machine sat there for a while, then it reset. It's not hard to set a video card into a state where it's going to assert wait on the memory bus until an event occurs, yet pre-program the device so that the event will never occur. At that point, the main bus is effectively dead, the cpu can no longer access memory, game over. This 'exploit' took advantage of a not so well known flaw in Video Seven graphics controllers.

The hardware attached to the various busses on modern computers has the ability to halt/corrupt the bus. As long as that's the case, there's no point trying to put a kernel layer in between to 'protect' the system, unless the kernel layer has full knowledge of all aspects of the hardware in question, and will prevent such conditions from being set up. This is typically the responsibility of [drum roll] the device driver for the device [/drum roll].

If you are suffering from driver instability problems, then, you are part of the problem. You chose to buy the cheapest crap, and then sit back blaming 'somebody else' because the driver support is crap. You had the opportunity to vote with your wallet, buy stuff that's well supported, and doesn't have stability problems. If the market as a whole actually used this 'vote with the wallet' clout, the state of affairs would be different, because only vendors providing good support would survive in the marketplace. Sadly, that's not the case. The market is driven by 'the cheapest price' and you get what you pay for.

The computer I'm using to write this, doesn't have any driver stability problems. I paid a little extra to get a set of video cards (plural, I have 3 displays on this computer) that would operate cleanly, and not cause problems in a multi-display environment. I paid a little extra for a motherboard that's known to be solid and reliable. I paid a little extra for a disk that doesn't have a history of failures.

I voted with my wallet, because I understand, it's not physically possible for an operating system running on the cpu to recover from problems generated in the hadware. If a given device corrupts a data bus, or asserts reset at the wrong time, there are going to be problems. The key is, buy the devices that dont do that, and choose the ones that have a track record of good software support in the form of drivers.

I have zero sympathy for folks that complain about buggy drivers all the time. It was your choice to buy the crap hardware. You saved a few bucks, and bought a stack of aggrivation. That's your choice, but, there were other choices. You could have chosen to make informed purchases, and buy based in quality rather than price.

As long as the operating system is something that runs ON TOP OF THE HARDWARE, it's going to be subject to the problems of the hardware. The software support for the hardware is part and parcel of the package. Isolating drivers up to user space is NOT going to solve the problem, because that driver is still going to be manipulating dat

Yes, rootkits are now in Malware

[ErikTheRed]

I found an interesting pop-up generating piece of malware several weeks ago that appeared to use rootkit-type techniques to hide itself. It was invisible from the process lists (including the nicer command line ones) and the filesystem. I was able to track it down and delete it (unfortunately, the machine was several hundred miles away and I was working on it remotely, otherwise I would have booted off a CD and made a copy of the little bugger), but it was a royal pain in the ass to do.

For the interested (some of the details might be slightly off because I've consumed a lot of booze between then and now, but the overall gist is correct), I found the malware by using SysInternals RegMon to find the process ID that kept replacing the registry entries that loaded it. That Process ID couldn't be killed by any of the tools I could find (because they check to see if the pid is valid before trying to terminate it, and it had stealthed itself to the point where the ID appeared to be invalid ... grrr). So I used ProcMon to kill any threads associated with the pid - the process was invisible, but you could still find the threads by which libraries they were using and kill them there (use the search command). Once the threads were killed, I could overwrite the loader file (you couldn't read it, copy it, list it, etc., but it would give you an error if you tried to overwrite it while the threads were running).

Re:Why are you reviewing this book?

[slavemowgli]

Oh, I sure do. I once briefly worked in a clinic for neurosurgery once (this was a summer job during school; I wasn't actually involved with the medical side of things in any way) - it was rather scary at times.

We also a considerable amount of accident victims, too, though, and in the case of those, I think that even a 33% chance to improve isn't so bad, because otherwise, they'd have a 100% chance of dying.

Re:Yes, rootkits are now in Malware

[value_added]

Your post reminds me of something I read on the NTBugTraq mailing list. I don't have a link so I'll quote it below.

CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware. CWS is widely discussed on the web, but it's poorly understood and procedures to remove it are often lengthy, cumbersome and ineffective. ... The shield-DLL installs itself to the following registry value in NT4-type systems:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls

Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based application running within the current logon session." IOW, any ad-ware found here runs concurrently with _every_ program launched. It is truly astonishing that such a registry location exists.

Here's what the CWS shield-DLL manages to do:

1. It prevents almost all registry editors from displaying it as an AppInit_Dlls value. This list includes, but is not limited to: Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns, HijackThis, and, my favorite (because I wrote it), the "Silent Runners.vbs" script. The _only_ program known to display it, for unknown reasons, is the freeware Registrar Lite 2.0, available here: http://www.resplendence.com/reglite/ [resplendence.com]

2. It prevents all GUI and command line tools from listing it or deleting it. This list includes, but is not limited to: Windows Explorer, DIR, ATTRIB, CACLS, and DEL.

3. The .DLL file has eccentric security permissions (SYNCHRONIZE and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed from memory, an Admin must reset security to delete the file.

4. It has a unique name on every system it infects.

5. It ensures that a BHO starts up with IE at every boot.

6. If the BHO is deleted, it restores the BHO under a new name at the next boot.

I'm sure you'd agree it's interesting reading. The conclusions one can draw are numerous, but I can't resist the comment that every time the folks at at Systernals decide to write a program, Microsoft should feel embarrassed.

I have a Palladium prediction

[TheNarrator]

I think when the Palladium platform is released, it will eventually be hacked or otherwise subverted by rootkit hackers. The rootkits will use the DRM restrictions of Palladium to prevent any tool from removing the rootkit. People who's computers get infected by these Palladium rootkits will be forced to throw entire computers out.

Re:I have a Palladium prediction

[ryanr]

I've not heard of any proposal for nonvolitile storage for Palladium. So worst case, you'd have to reformat your hard drive and reinstall. Or are you being sarcastic?

To address part of your point though, I DO believe that it will be possible for someone to find a hole inthe Palladium software, and install a rootkit on the "Secure" side. If they do it right, then you might have to reformat to get rid of it.

Re:Fat bloated kernels

[billsoxs]

I'll take this one on. Let's start with minimal microkernel, then build ontop of that an OpenBSD like subsystem. (just because it has the resources that I'm aware of, and will be using.)

Now, all the absolutely vital system components that could be used for the exploitation of the system for a rootkit. Mark those system immutable.

Wouldn't this also stop auto updates and similar? Of course provided that your code is perfect the first time there would be no need - but as a previous post pointed out - we is human and we makes mistakes