Low Down and Diry - Anti-Forensic Rootkits PDF

Low Down and Dirty:
Anti-forensic Rootkits
Presented by Darren Bilby

Blackhat Japan 2006
C opyright Se curity-Asse ssm e nt.com

2006
Agenda
• Anti-forensics Overview
• Digital Forensics Acquisition
• The Live Imaging Process
• How Live Forensics Tools Work
• DDefy Introduction
• NTFS Basics
• DDefy Disk Forensics Demonstration
• DDefy Challenges
• DDefy Memory Forensics Demonstration
• Better Methods for Live Imaging
2006
This is Not…
• A demonstration of 0day rootkit techniques
This is …
• Showing flaws in current and proposed forensic

techniques
• Showing how evidence could be manipulated and

people wrongly convicted through bad forensic
methodologies

2006
Digital Anti-forensics

2006
Anti-Forensics Methods
• Data Contraception
– Prevent evidence data from existing somewhere that
can be analyzed
– E.g. Memory only malware, memory only exploitation
• Data Hiding
– Put the data on disk but put it somewhere the
forensic analyst is unlikely to look
– E.g. Defilers toolkit, runefs,

2006
Anti-Forensics Overview
• Data Destruction
– Destroy any evidence before someone gets a chance
to find it
– E.g. Disk wiping, wipe, srm, evidence eliminator,
necrofile
• Data Misdirection
– Provide the forensic analyst false data that is
indistinguishable from the real thing
– No public examples… until now.

2006
Digital Forensics Acquisition
• Need to gather an evidential copy of a system
• The Aim
– Gather the “best” evidence available
• Gather volatile information

– memory, process list, network connections, open
files…
• Power off machine and image disk

2006
• What really happens…
• Two Competing Aims

– Gather the “best” evidence available
– Allow the system to continue operation in an
unhindered manner
• Results in “Live Imaging”

– Taking a copy of a system while that system is still
functioning in a live environment

2006
Reasons for “Live Imaging”
• Business critical systems that cannot be shut
down
• Shutting down systems may create legal liability

for examiners through:
– damaging equipment
– unintentional data loss
– hampering operations
• Judge instructs that evidence gathering must be

conducted using the least intrusive methods
available
• Encrypted volumes
2006
Live imaging is now common practice
• Tools
– Helix (dd/netcat)
– Prodiscover IR
– Encase EEE/FIM
– FTK
– Smart
– …

2006
Live Imaging Demonstration
• Helix Open Source Forensics CD
– Contains many forensics tools
– http://www.e-fense.com/helix/
• Windows Forensic Toolchest

– Collect live data including Memory
– http://www.foolmoon.net/security/wft/
• DD
– Used by WFT & Helix to collect Memory and Disk
– http://users.erols.com/gmgarner/forensics/

2006
Live Imaging.wmv

2006
• Files hidden by rootkits can be found in the
forensic disk image
– Sleuthkit / Autopsy / Pyflag
• Processes hidden by rootkits can be found in the

forensic memory image
– Ptfinder

2006
The Live Imaging Process
Trusted
Un-trusted
Un-trusted
Trusted?
Un-trusted
Trusted
2006
The Live Imaging Process
Easy Solution…
Add Encryption
Trusted
Trusted • Encase
– SAFE public key
encryption
architecture
Trusted
• DD
Trusted? – Cryptcat
• Prodiscover IR
Un-trusted – Twofish
Encryption
Trusted
2006
What Happens When You Read a File?
1
Application
R eadfile ()
( Win 32 API )
N tR eadfile ()
(Kernel 32 .dll )
1. Readfile() called on File1.txt
offset 0
User Mode
Int 2E
(N tdll .dll ) 2. Transition to Kernel mode
Kernel Mode
2 3. NtReadFile() processed
KiSystemService
( N toskrnl .exe )
4 4. I/O Subsystem called
C all N tR eadFile () 3 Initiate I /O Operation 5. I/O Request Packet (IRP)
( N toskrnl .exe ) ( driver .sys )
generated
File System D river
6
(ntfs .sys , … ) 5
6. Data at File1.txt offset 0
Volume manager disk driver
7 requested from ntfs.sys
( ftdisk .sys , dmio .sys )
I/O Manager 7. Data at D: offset 2138231

D isk D river ( disk .sys )
8
D isk port driver requested from dmio.sys
D isk miniport driver
8. Data at disk 2 offset 139488571

1 2 3 requested from disk.sys
D isk Array

2006
How do the Live Forensics Tools Work?
Read special device object files
• \\.\PhysicalMemory
– Contains what is in physical memory
– Only sees memory it can access safely
– Changes as it is read
• \\.\PhysicalDriveX
– The raw data on the disk
– Ignores software cache
– Could change as it is read

2006
Readfile()
dd.exe NtReadfile()
(Win32 API)
(Kernel32.dll)
Int 2E (Ntdll.dll)
User Mode KiSystemService
Kernel Mode (Ntoskrnl.exe)
Call NtReadFile()
(Ntoskrnl.exe)
Initiate I/O Operation

(driver.sys)
File System Driver

(ntfs.sys, …)

(ftdisk.sys, dmio.sys)
Disk Driver (disk.sys)

I/O Manager
Disk port driver (atapi, scsiport.sys)
Disk miniport driver
1 2 3
Disk Array

2006
• All tested live forensics tools utilize this method

– DD (GM Garner)
– FTK Imager
– Prodiscover IR
• Example live imaging command
psexec \\target –u Administrator –p password dd.exe

if=\\.\PhysicalDrive0
of=\\mymachine\share$\target.drive0.dd bs=8k conv=noerror

2006
Aim: Get an accurate low level copy of disk and

memory.
Good Things about Live Forensics Tools:
• Bypass standard rootkit techniques so a hacker can’t hide

their files
• Bypass major parts of the Windows driver stack including the
File System Driver and Volume Manager Driver

2006
DDefy Anti-forensic Rootkit

2006
DDefy: The Idea
• Live forensics tools trust a bad kernel to give
them clean data
• Lets create a rootkit that hooks below the forensic

tools
• Provide the forensic tool a valid but “cleansed”

version of the system
• Implement as low as we can get while still being

practical
• Implement instead of claiming theory

2006
DDefy: The Challenge
From Live forensics tool documentation:
Q. Can't a rootkit be written to avoid detection?
A. While it is theoretically possible to create a rootkit to alter

the lower level disk sector read command, it would be
extremely difficult and would require significant
information about the specific machine being rooted.
Any attempt to determine which sectors contain the data the
rootkit is trying to hide would need to keep track of virtually
the complete disk data structure on the system to keep the
normal operation of the system from overwriting the files. If
the cracker tried to mark a section of disk "bad" to prevent
the system from altering the hidden files, it would no longer
be available to read using the rooted disk sector commands.
We believe it is impractical to create this low level
rootkit.
2006
DDefy: Implementation
• The Aim: When someone does live forensics on
my system they should get a valid image, but not
my sensitive data.
• Proof of concept for 2K/XP/2k3

• Kernel mode Rootkit
• Upper Disk Filter Driver

• Intercepts IRP_MJ_READ I/O Request Packets
sent to the disk and modifies the return data

2006
DDefy Disk Forensics Demo
Disk Capture with DDefy.wmv

Disk Analysis with DDefy.wmv

2006
DDefy: Results
• Any data that is stored on the physical disk can be
hidden from a live forensics or detection tool
• There is no way to completely prevent this
• Live forensic imaging is still a useful tool

– but it needs to be used with full knowledge of the
limitations
• Image the disk offline whenever possible

2006
DDefy: Challenges
1. Where do we intercept? (hook)
2. How do we understand the file system without a

file system?
3. How do we ensure we give our investigator a

valid image?
4. How do we avoid detection?

2006
Where do we Intercept?

2006
Public Userland (Ring 3) Rootkits
dd.exe
Readfile()
NtReadfile()
• Binary replacement
eg modified Exe or
(Win32 API)
(Kernel32.dll)
Int 2E (Ntdll.dll)
Dll
Call NtReadFile()
(Ntoskrnl.exe)

(driver.sys)
• Binary modification
File System Driver in memory eg
(ntfs.sys, …)
He4Hook

I/O Manager
• User land hooking eg
Disk miniport driver Hacker Defender
1 2 3
– IAT hooking
Disk Array

2006
Kernel (Ring 0) Rootkits
dd .exe
Readfile ()
NtReadfile ()
• Kernel SDT Hooking
(Win 32 API)
E.g. NtRootkit
( Kernel32.dll )
Int 2E ( Ntdll.dll )
Kernel Mode (Call
Ntoskrnl .exe)
NtReadFile()
(Ntoskrnl .exe)
Initiate I /O Operation
( driver .sys )
• Driver replacement
File System Driver
(ntfs.sys , …) E.g. replace ntfs.sys
with ntfss.sys
(ftdisk. sys, dmio. sys)
• Direct Kernel Object

I/O Manager
Disk port driver ( atapi, scsiport .sys )
Disk miniport driver Manipulation –

1 2 3
DKOM
Disk Array
E.g. Fu, FuTo

2006
dd.exe
Readfile()
NtReadfile()
• IO Request Packet
(IRP) Hooking
(Win32 API)
(Kernel32.dll)
Int 2E (Ntdll.dll)
Call NtReadFile() – IRP Dispatch Table
(Ntoskrnl.exe)
E.g. He4Hook (some

(driver.sys)
File System Driver

(ntfs.sys, …)
versions)

(ftdisk.sys, dmio.sys) • Disk Firmware
Disk Driver (disk.sys) • BIOS?
I/O Manager
1 2 3
Disk Array

2006
dd.exe
Readfile()
NtReadfile()
• Filter Drivers
(Win32 API)
(Kernel32.dll)
Int 2E (Ntdll.dll)
KiSystemService
– The official
User Mode
Call NtReadFile() Microsoft method
(Ntoskrnl.exe)

• Types
– File system filter
(driver.sys)
File System Driver

(ntfs.sys, …) – Volume filter
– Disk Filter
– Bus Filter
I/O Manager

E.g. Clandestine File
System Driver (CFSD)
1 2 3
Disk Array

2006
DDefy: Where Do We Intercept?
• Wherever we want
• The Windows driver model leaves us a lot of scope
• Personally I like disk filter drivers or IRP hooks because

– a) They are simple to implement
– b) They’re not detected by most rootkit detectors

2006
DDefy: Where We Hook
Forensic Acquisition Readfile ()
Application (Win 32 API) NtReadfile ()
(Kernel32.dll)
Int 2E (Ntdll.dll )
Kernel Mode (Ntoskrnl . exe)
Call NtReadFile()
(Ntoskrnl .exe)
(driver .sys )
File System Driver

(ntfs.sys , …)

Request X bytes at disk relative offset Y

Ddefy Disk Filter Driver
I/O Manager
(ddefy.sys )
Return sanitized data

Disk port driver (atapi, scsiport .sys )
1 2 3
Disk Array

2006
How Do We Understand the File System?
• NTFS is my target
• Easy thanks to recent publications (File System
Forensics – B. Carrier)
• Ask the operating system to give us most of the

information anyway
• We could do this ourselves, but I assume ntfs.sys

is a better NTFS interpreter than I am

2006
Boot Sector
Master File Table
1 ROOT Index – File1.txt, File2.txt, File3.mpg

2 File1.txt This is the file1.txt contents
3 File2.txt This is the file2.txt contents
4 File3.mpg Cluster Pointers – 334,336
5 Windows Index – win.ini, win.dat …..
6 Program Files Index – Accessories, Common Files...
Cluster Area
334 File3.mpg contents 1
336 File3.mpg contents 1

2006
• To completely hide a file from \\.\PhysicalDrive0

with DDefy we have to fake:
– Directory Entry (Index)

– Master File Table (MFT) Entry
– MFT Data (for small files)
– Data in Clusters (for larger files)

2006
DDefy: The Process
DeviceIOControl ()
Ddefy Client 1. Determine drive info and NTFS characteristics for partition
(Win32 API)
2. Determine Filename and Directory entry position on disk

User Mode
Kernel Mode
3. Determine clusters containing file data and their position on disk
4. HideData(Disk 0, Offset A , Length B , replace with Nulls )
5. HideData(Disk 0, Offset C , Length D , replace with “fakefile .txt”)
6. Monitor for file changes and update

(ddefy.sys )

2006
Avoiding Detection
• This is all irrelevant if the forensic analyst finds
“hacker.exe” running in memory
• So how does the forensics guy get his process

listing? Network connections etc?
• \\.\PhysicalMemory
• Can we clean this up with some kernel

modifications?

2006
DDefy: Memory Interception
• Standard rootkit SSDT hook on
NtMapViewofSection for all accesses to
\\.\PhysicalMemory
• Modifies process and thread list
• Could be implemented using ShadowWalker

technique (Sparks & Butler)

2006
DDefy: Copying Memory
DD
1 MapViewofFile () 2 MapViewofFile ()
(Win 32 API) ( Kernel32.dll)
Int 2E (Ntdll .dll)
KiSystemService
User Mode
Kernel Mode
Call (Ntoskrnl .exe )
NtMapViewofSection ()
(Ntoskrnl . exe)
3
View of Memory

2006
DDefy: Manipulating Memory
1 MapViewofSection () 2 MapViewofSection ()
DD
(Win 32 API) (Kernel32.dll)
Int 2E (Ntdll .dll)
KiSystemService
User Mode (Ntoskrnl .exe )
Kernel Mode Call DDefyMapSection ()
(Ntoskrnl .exe)
Modified Copy of Memory 4

3
Call NtMapViewofSection ()
View of Memory
(Ntoskrnl .exe)

2006
DDefy Memory Forensics Demo
Mem Capture with DDefy.wmv

Mem Analysis with DDefy.wmv

2006
DDefy Memory Interception
• Detectable
– Ongoing rootkit detection arms race
• Doesn’t hide
– Memory mapped files
– Memory paged to disk

2006
Some solutions…

2006
A Better Way of Acquiring Disk Data
Forensic Acquisition Readfile () NtReadfile ()
• Method
– Install IRP hook
Application (Win 32 API) (Kernel
Int 2E32.dll)
(Ntdll .dll)
KiSystemService
– Communicate
User Mode (Ntoskrnl .exe )
Call NtReadFile()
Kernel Mode (Ntoskrnl .exe)
directly with IRP
(driver .sys ) hook
File System Driver
(ntfs.sys , …)
– Encrypt
communications
(ftdisk .sys, dmio.sys) – Confirm user land
matches kernel
(ddefy.sys )
I/O Manager land
IRP Hook
Disk Driver (disk .sys)
Disk port driver (atapi, scsiport .sys )
• Challenges
– Stability
1 2 3 – OS Specific
Disk Array

2006
What it Means
• Live forensic imaging is a broken concept
• Data gathered via live imaging cannot be trusted
• Manipulation of evidence is both possible and

probable
• However, live imaging is still useful if combined

with the right knowledge

2006
Future Work
• Defeating cross view rootkit detection tools in a
generic way
• Implementation of an open source imaging tool to

defeat these anti-forensic techniques

2006
Questions ?
http://www.security-assessment.com
darren.bilby@security-assessment.com

2006
Resources
• Windows System Internals 4th Edition– D. Solomon, M.
Russinovich
• Rootkits – G. Hoglund, J. Butler
• Shadow Walker – Phrack 63
• Primary Windows Rootkit Resource
http://www.rootkit.com
• Joanna Rutkowska – Stealth Malware Detection
http://www.invisiblethings.org
• Windows Driver Development Resource
http://www.osronline.com

2006

Low Down and Diry - Anti-Forensic Rootkits PDF

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Low Down and Diry - Anti-Forensic Rootkits PDF

Caricato da

Copyright:

Formati disponibili

Low Down and Dirty:

Presented by Darren Bilby

C opyright Se curity-Asse ssm e nt.com

• Showing flaws in current and proposed forensic

• Showing how evidence could be manipulated and

C opyright Se curity-Asse ssm e nt.com

C opyright Se curity-Asse ssm e nt.com

C opyright Se curity-Asse ssm e nt.com

C opyright Se curity-Asse ssm e nt.com

• Gather volatile information

• Power off machine and image disk

C opyright Se curity-Asse ssm e nt.com

• Two Competing Aims

• Results in “Live Imaging”

C opyright Se curity-Asse ssm e nt.com

• Shutting down systems may create legal liability

• Judge instructs that evidence gathering must be

C opyright Se curity-Asse ssm e nt.com

• Windows Forensic Toolchest

C opyright Se curity-Asse ssm e nt.com

C opyright Se curity-Asse ssm e nt.com

• Processes hidden by rootkits can be found in the

C opyright Se curity-Asse ssm e nt.com

I/O Manager 7. Data at D: offset 2138231

8. Data at disk 2 offset 139488571

C opyright Se curity-Asse ssm e nt.com

C opyright Se curity-Asse ssm e nt.com

Initiate I/O Operation

File System Driver

Volume manager disk driver

Disk Driver (disk.sys)

Disk miniport driver

C opyright Se curity-Asse ssm e nt.com

• All tested live forensics tools utilize this method

• Example live imaging command

psexec \\target –u Administrator –p password dd.exe

C opyright Se curity-Asse ssm e nt.com

Aim: Get an accurate low level copy of disk and

Good Things about Live Forensics Tools:

• Bypass standard rootkit techniques so a hacker can’t hide

C opyright Se curity-Asse ssm e nt.com

C opyright Se curity-Asse ssm e nt.com

• Lets create a rootkit that hooks below the forensic

• Provide the forensic tool a valid but “cleansed”

• Implement as low as we can get while still being

• Implement instead of claiming theory

Q. Can't a rootkit be written to avoid detection?

A. While it is theoretically possible to create a rootkit to alter

• Proof of concept for 2K/XP/2k3

• Upper Disk Filter Driver

C opyright Se curity-Asse ssm e nt.com

Disk Capture with DDefy.wmv

C opyright Se curity-Asse ssm e nt.com

• There is no way to completely prevent this

• Live forensic imaging is still a useful tool

• Image the disk offline whenever possible

C opyright Se curity-Asse ssm e nt.com

2. How do we understand the file system without a

3. How do we ensure we give our investigator a

4. How do we avoid detection?

C opyright Se curity-Asse ssm e nt.com

C opyright Se curity-Asse ssm e nt.com

Initiate I/O Operation