This document discusses different types and generations of rootkits. Type I rootkits replace or modify system files without altering operating system code. Type II rootkits modify operating system code through techniques like API and SDT hooking. Type III rootkits use direct kernel object manipulation to modify dynamically allocated data and objects. Next generation rootkits may use virtualization. Detection methods include checking for import address table, inline hook, and system service dispatch table modifications.
3. Classification of ROOTKITs
1st Generation (Type I)
Does not modify OS / process / etc…
-> replaces / modifies system files
-> UNIX login backdoor (binary modification)
2nd Generation (Type II)
Modifies what is designed not to be modified
-> code of processes, modules, OS code, kernel modules, etc…
-> NTRootkit (pioneer of Windows kernel-based ROOTKITs), NTIllusion, etc…
3rd Generation (Type III)
Modifies what is designed to be modified
-> data sections, heap, stack, etc…
-> FU (pioneer of DKOM - Direct Kernel Object Manipulation)
The NEXT Generation
virtualization ?
4. Type II ROOTKITs
NTIllusion
Hacker Defender
NTRootkit
- The first Windows NT kernel-based ROOTKIT
Sony Rootkit
modifies
code sections (e.g. import table, export table)
user mode / Kernel mode APIs
kernel mode undocumented APIs
ISR (Interrupt Service Routine)
MSR (Model Specific Register)
…
2008-05-16
9. Type III ROOTKITs
FU
- The first ROOTKIT to introduce DKOM (Direct Kernel Object Manipulation)
He4Hook
- Raw IRP hooking on the file system driver
PHIDE2
- Layered driver (filter driver)
modifies
data sections
IRP handlers
kernel objects that are allocated and managed dynamically
…
12. Type III ROOTKITs – cont.
DEMO
- FU rootkit
- jeng_2
SDT hook & DKOM example
13. Fighting ROOTKITs
Check IAT (Import Address Table)
Check inline hooks
Check System Service Dispatch Table (ntoskrnl.exe)
Check Shadow table (win32k.sys)
Check drivers' IRP handlers
Check MSR (MSR_SYSENTER)
…
How?
ECD (Explicit Compromise Detection)
Cross-view-based detection
use DKOM techniques to find ROOTKITs
- dump PspCidTable
- trace the OS scheduler database, etc…
Virtual Machine Monitor (http://northsecuritylabs.com/products.aspx)
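One way to implement the "Check inline hooks" step listed above, as an added Python example that is not part of the original slides: it decodes the trampoline forms a hook installer typically writes over a function prologue and flags transfers that leave the owning module. The module range, entry addresses and stub address are constructed sample values, not real memory dumps.

```python
"""Inline-hook check for x86 function entries (detection demo): decode the
first bytes of an exported function and report whether control is redirected
outside the module that owns the function."""
import struct

def decode_entry_transfer(entry_va, code):
    """Return (form, target) if the bytes at entry_va begin with a control
    transfer, else None. Targets are 32-bit virtual addresses."""
    b = code
    if len(b) >= 5 and b[0] == 0xE9:                         # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        return ("jmp rel32", (entry_va + 5 + rel) & 0xFFFFFFFF)
    if len(b) >= 2 and b[0] == 0xEB:                         # jmp rel8 (hot-patch style)
        rel = struct.unpack_from("<b", b, 1)[0]
        return ("jmp rel8", (entry_va + 2 + rel) & 0xFFFFFFFF)
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:        # push imm32 ; ret
        return ("push/ret", struct.unpack_from("<I", b, 1)[0])
    if len(b) >= 7 and b[0] == 0xB8 and b[5:7] == b"\xFF\xE0":  # mov eax,imm32 ; jmp eax
        return ("mov eax/jmp eax", struct.unpack_from("<I", b, 1)[0])
    return None

def classify_entry(entry_va, code, module_range):
    """'clean', 'intra-module' (the transfer stays inside the owning module,
    which linker thunks and hot-patch stubs legitimately produce) or 'hooked'."""
    found = decode_entry_transfer(entry_va, code)
    if found is None:
        return "clean", None
    form, target = found
    lo, hi = module_range
    return ("intra-module" if lo <= target < hi else "hooked"), (form, target)

def jmp_rel32(entry_va, target):
    """Build an E9 trampoline; used only to construct the samples below."""
    return b"\xE9" + struct.pack("<i", target - (entry_va + 5))

# Constructed samples, not real memory dumps: the owning module is assumed to
# map at [0x7C900000, 0x7CA00000) and the hook stub to live at 0x00401000.
MODULE = (0x7C900000, 0x7CA00000)
SAMPLES = {
    "NtOpenProcess": (0x7C90D0AE, b"\x8B\xFF\x55\x8B\xEC"),          # mov edi,edi ; push ebp ; mov ebp,esp
    "NtQuerySystemInformation": (0x7C90D92E, jmp_rel32(0x7C90D92E, 0x00401000)),  # jmp out of module
    "NtEnumerateKey": (0x7C90D5CE, b"\x68\x00\x10\x40\x00\xC3"),     # push 0x00401000 ; ret
    "LdrThunk": (0x7C901000, jmp_rel32(0x7C901000, 0x7C902000)),     # stays in module
}

def scan(samples=SAMPLES, module_range=MODULE):
    """Map each function name to its verdict."""
    return {n: classify_entry(va, code, module_range)[0] for n, (va, code) in samples.items()}
```

On a live system the same check is run over the bytes read from each exported function's entry, with the module range taken from the loaded-module list; an intra-module jump is only a lead, not proof, either way.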
14. Fighting ROOTKITs – cont.
DEMO
- API hook detection and API hook removal
hook_shield
PlgnPETest.dll
- Finding a process hidden by FU using the DKOM technique
dump PspCidTable