Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: demonstrating a rootkit attack

demonstrating a rootkit attack 8 years 4 days ago #28378

  • sose
  • sose's Avatar
  • Offline
  • Honored Member
  • Posts: 813
  • Thank you received: 4
  • Karma: 3
I need to demonstrate a rootkit attack as a CEH instructor. can someone pls give me an attack methodology and where to download a rootkit

thanks
sose
Network Engineer
analysethis.co/index.php/forum/index
The administrator has disabled public write access.

Re: demonstrating a rootkit attack 7 years 10 months ago #28824

  • sose
  • sose's Avatar
  • Offline
  • Honored Member
  • Posts: 813
  • Thank you received: 4
  • Karma: 3
need to apply the netstat command to test a rootkit installation
sose
Network Engineer
analysethis.co/index.php/forum/index
The administrator has disabled public write access.

Re: demonstrating a rootkit attack 7 years 9 months ago #29180

  • sahirh
  • sahirh's Avatar
  • Offline
  • Honored Member
  • Posts: 1700
  • Karma: 0
Hi Sose,

You can visit rootkit.com and download Hacker Defender, the AFX rootkit or the Fu rootkit.

All of these will help you demo a rootkit attack. All these rootkits are kernel level rootkits. Fu uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). This makes the process invisible to Windows.

Hacker defender and the others use function hooking. This means that they subvert the functions that Windows uses to query information. Functions that read the disk / registry / process list. They 'hook' these functions and filter their output to remove traces of the rootkit.

Hope that helps,

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
The administrator has disabled public write access.

Re: demonstrating a rootkit attack 7 years 9 months ago #29181

  • sahirh
  • sahirh's Avatar
  • Offline
  • Honored Member
  • Posts: 1700
  • Karma: 0
Hi Sose,

You can visit rootkit.com and download Hacker Defender, the AFX rootkit or the Fu rootkit.

All of these will help you demo a rootkit attack. All these rootkits are kernel level rootkits. Fu uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). This makes the process invisible to Windows.

Hacker defender and the others use function hooking. This means that they subvert the functions that Windows uses to query information. Functions that read the disk / registry / process list. They 'hook' these functions and filter their output to remove traces of the rootkit.

Hope that helps,

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
The administrator has disabled public write access.

Re: demonstrating a rootkit attack 7 years 9 months ago #29199

  • sose
  • sose's Avatar
  • Offline
  • Honored Member
  • Posts: 813
  • Thank you received: 4
  • Karma: 3
thank sahir

now I am thinking in semantics and I about fitting the pieces.

I have read about the Fu which uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). which makes the process invisible to Windows.

I tried a debugger to actually see the EPROCEESS block and study literatures about kernel debugging and I found out alot.

let’s look at a program say Microsoft Word which when executed as a process could give birth to other instance of the same process(documents). - document 1(process1),document2(process2) and document 3(process3)

The question now is how comes about process 1, 2 and 3 in Microsoft word, and how does process 1 know what set of resources are been allotted to the program Microsoft Word while executing the program. Actually, it is the Window API functions such as createprocess, ntcreateprocess, createprocessasuser that are responsible for creating process 1, 2 and 3 within the Microsoft Word program. Each Windows process is represented by what we call the Executive Process Block (a.k.a Eprocess). Eprocess block has the ‘attributes’ of the process and other related data structure like Kernel Process Block (KProcess) and Process Environment Block (PEB).


In order to understand all these terms, we need to download a debugging tool for Windows and start windbg.exe in the kernel debugging mode. I used a debugging tool called Livekd .Some of these commands will give you a clear view of the data structure.


dt_Eprocess command gives the Eprocess data structure
dt_Kprocess gives the Kernel Process Block
!process give the address of PEB




When you use a debugging tool to view the kernel process block, you will see fields like:

dispatcher

Resident kernel stack count

Default thread quantum

Thread seed


Attribute field like the image filename and image base address are two field in the Process block that will let process 1, 2 and 3 know the resources used by the Microsoft Word program. Since the createprocess function creates the instances of process 1, 2 and 3 lets now see the stages of the process creation





Stage 1: open EXE and create section object


Stage 2: create Windows Process Object


Stag 3: create Window Thread Object


Stage 4: notify Windows subsystem


Stage 5: start execution of the internal thread



In our example above since Microsoft Word is an executable file in Windows (winword.exe), it is used directly in the createprocess. However if the image is a non windows program createprocess goes through a series of steps to find a Windows support image to run it, then the createprocess calls a second function call ntcreateprocess to create a Windows Process Object which will run the image



sose
have a super week
sose
Network Engineer
analysethis.co/index.php/forum/index
The administrator has disabled public write access.
Time to create page: 0.082 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup