Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Anti-forensic Rootkits
This is …
• Data Hiding
– Put the data on disk but put it somewhere the
forensic analyst is unlikely to look
– E.g. Defilers toolkit, runefs,
• Data Misdirection
– Provide the forensic analyst false data that is
indistinguishable from the real thing
– No public examples… until now.
• The Aim
– Gather the “best” evidence available
• Encrypted volumes
C opyright Se curity-Asse ssm e nt.com
2006
Digital Forensics Acquisition
Live imaging is now common practice
• Tools
– Helix (dd/netcat)
– Prodiscover IR
– Encase EEE/FIM
– FTK
– Smart
– …
• DD
– Used by WFT & Helix to collect Memory and Disk
– http://users.erols.com/gmgarner/forensics/
Live Imaging.wmv
Un-trusted
Un-trusted
Trusted?
Un-trusted
Trusted
C opyright Se curity-Asse ssm e nt.com
2006
The Live Imaging Process
Easy Solution…
Add Encryption
Trusted
Trusted • Encase
– SAFE public key
encryption
architecture
Trusted
• DD
Trusted? – Cryptcat
• Prodiscover IR
Un-trusted – Twofish
Encryption
Trusted
C opyright Se curity-Asse ssm e nt.com
2006
What Happens When You Read a File?
1
Application
R eadfile ()
( Win 32 API )
N tR eadfile ()
(Kernel 32 .dll )
1. Readfile() called on File1.txt
offset 0
User Mode
Int 2E
(N tdll .dll ) 2. Transition to Kernel mode
Kernel Mode
2 3. NtReadFile() processed
KiSystemService
( N toskrnl .exe )
4 4. I/O Subsystem called
C all N tR eadFile () 3 Initiate I /O Operation 5. I/O Request Packet (IRP)
( N toskrnl .exe ) ( driver .sys )
generated
File System D river
6
(ntfs .sys , … ) 5
6. Data at File1.txt offset 0
Volume manager disk driver
7 requested from ntfs.sys
( ftdisk .sys , dmio .sys )
• \\.\PhysicalMemory
– Contains what is in physical memory
– Only sees memory it can access safely
– Changes as it is read
• \\.\PhysicalDriveX
– The raw data on the disk
– Ignores software cache
– Could change as it is read
1 2 3
Disk Array
Dll
User Mode KiSystemService
Kernel Mode (Ntoskrnl.exe)
Call NtReadFile()
(Ntoskrnl.exe)
E.g. NtRootkit
( Kernel32.dll )
Int 2E ( Ntdll.dll )
User Mode KiSystemService
Kernel Mode (Call
Ntoskrnl .exe)
NtReadFile()
(Ntoskrnl .exe)
Initiate I /O Operation
( driver .sys )
• Driver replacement
File System Driver
(ntfs.sys , …) E.g. replace ntfs.sys
Volume manager disk driver
with ntfss.sys
(ftdisk. sys, dmio. sys)
1 2 3
Disk Array
Disk Array
Initiate I /O Operation
(driver .sys )
1 2 3
Disk Array
Cluster Area
• \\.\PhysicalMemory
3
View of Memory
• Doesn’t hide
– Memory mapped files
– Memory paged to disk
– Communicate
User Mode (Ntoskrnl .exe )
Call NtReadFile()
Kernel Mode (Ntoskrnl .exe)
Initiate I /O Operation
directly with IRP
(driver .sys ) hook
File System Driver
(ntfs.sys , …)
– Encrypt
communications
Volume manager disk driver
(ftdisk .sys, dmio.sys) – Confirm user land
matches kernel
Ddefy Disk Filter Driver
(ddefy.sys )
I/O Manager land
IRP Hook
Disk Driver (disk .sys)
Disk port driver (atapi, scsiport .sys )
• Challenges
Disk miniport driver
– Stability
1 2 3 – OS Specific
Disk Array
http://www.security-assessment.com
darren.bilby@security-assessment.com