ROOTKIT
Saturday July 31st
Hide your SSDT hooks
By: xrayn

1. Purpose

A lot of commercial products and rootkits change function pointers in the kernel's SSDT to take control over the operating system, but currently no techniques exist to hide these hooks. This short article describes two mechanisms to hide SSDT hooks which anti-rootkit scanners currently do not detect.

2. Hide SSDT hooks by modifying the EAT of loaded drivers

The first step is to create a complete copy of the unmodified SSDT. Then an image load callback is registered with PsSetLoadImageNotifyRoutine(). The callback parses the IAT (import address table) of each newly loaded driver; if an import of KeServiceDescriptorTable is found during parsing, its address is changed to the SSDT copy. Now NtReadFile(), NtCreateFile() and NtMapViewOfSection() are hooked by modifying the real SSDT. The hook handlers of these three functions are used to make it difficult to obtain a pointer to the real SSDT. This technique bypasses about ninety percent of all anti-rootkit tools. Some tools detect the image load callback, which is suspicious. Of course, mechanisms to detect the SSDT modification exist: one of them is to remove the image load callback, another is simply to compare the SSDT address with the bounds of the kernel image.

3. Hide SSDT hooks by manipulating the KTHREAD structure

The second technique resembles the one described above. Again copies of kernel structures are made, but now the service table pointer of each thread is changed to one of the copies. If you disassemble KiSystemService you see that function pointers are resolved using the ServiceTable pointer of the current thread's KTHREAD structure. The ServiceTable pointer is set by KeInitThread() and later by PsConvertToGuiThread(). Depending on the thread type, the ServiceTable pointer of the KTHREAD either points to the SSDT or to the SSDT-Shadow. The shadow structure contains pointers to functions used by GUI code, and therefore PsConvertToGuiThread() normally changes the ServiceTable pointer to the SSDT-Shadow. Below you find the relevant field of the KTHREAD structure:

kd> dt nt!_kthread
nt!_KTHREAD
   [...]
   +0x0e0 ServiceTable : Ptr32 Void
   [...]

To hide the SSDT hooks by manipulating the KTHREAD structure, a copy of the SSDT and of the SSDT-Shadow is made. In the next step the SSDT or SSDT-Shadow copy is modified to get control over certain system functions. Then the ServiceTable pointers to the corresponding structures in PsConvertToGuiThread() and KeInitThread() are changed to the copies by modifying the loaded kernel code. Furthermore, all threads are enumerated and again their ServiceTable pointers are exchanged. We have tested the detection of the hidden hooks with anti-rootkit tools like RootkitUnhooker, GMER, SVV and some more tools. None of them detected the kernel code and KTHREAD modification.

4. Results

The demo shows the loading of an example driver which hooks NtOpenProcess() by exchanging the ServiceTable pointer of new and existing threads. After hooking, the latest RootkitUnhooker version is started to check for any detections. You will see that it does not detect the SSDT or SSDT-Shadow modification.
http://rapidshare.com/files/161590863/hidessdthooks.avi.html

5. Conclusion

We have shown that hiding techniques for SSDT hooks exist, although the main kernel structures are known to most security experts and anti-rootkit developers. It is recommended that the latest anti-rootkit tools be updated with KTHREAD checking mechanisms.

6. Developers

xrayn and joe

7. References

http://www.forum.joebox.org/viewtopic.php?id=38
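The KTHREAD check that the conclusion asks anti-rootkit tools to add, as an added example that is not part of xrayn's article: a user-mode C model of what a scanner verifies for each thread, namely that KTHREAD.ServiceTable names one of the two genuine descriptor tables, that the descriptor's function table lies inside the kernel image, and that every entry does too. The kernel image bounds, the descriptor addresses, the function addresses and the sample threads are all constructed values standing in for what a real driver would read from the loaded-module list and the thread list.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not real kernel values: the kernel image bounds, the two
 * genuine descriptor tables and the KTHREAD fields this check reads. */
#define KERNEL_BASE 0x80400000UL
#define KERNEL_SIZE 0x00400000UL
#define N_SERVICES  4
typedef struct {
    uintptr_t addr;            /* address of the descriptor (what KTHREAD.ServiceTable holds) */
    uintptr_t base_addr;       /* address of its ServiceTableBase array */
    const uintptr_t *entries;  /* function addresses in that array */
    size_t count;
} sdt_t;
typedef struct { unsigned tid; const sdt_t *service_table; } kthread_t;

static const uintptr_t ssdt_funcs[N_SERVICES]   = {0x80501000, 0x80501200, 0x80501400, 0x80501600};
static const uintptr_t shadow_funcs[N_SERVICES] = {0x80601000, 0x80601200, 0x80601400, 0x80601600};
static const sdt_t KeServiceDescriptorTable       = {0x8055b220, 0x80504000, ssdt_funcs,   N_SERVICES};
static const sdt_t KeServiceDescriptorTableShadow = {0x8055b1e0, 0x80604000, shadow_funcs, N_SERVICES};

enum { SDT_OK = 0, SDT_UNKNOWN_DESCRIPTOR, SDT_BASE_OUTSIDE_KERNEL, SDT_ENTRY_OUTSIDE_KERNEL };
static int in_kernel(uintptr_t a) { return a >= KERNEL_BASE && a < KERNEL_BASE + KERNEL_SIZE; }

/* Check one thread; returns SDT_OK or the first failing condition. Entries are
 * scanned first so *bad_index names the hooked slot even when the table is a copy. */
int check_kthread(const kthread_t *t, size_t *bad_index) {
    const sdt_t *st = t->service_table;
    *bad_index = (size_t)-1;
    for (size_t i = 0; i < st->count; i++)
        if (!in_kernel(st->entries[i])) { *bad_index = i; break; }
    if (st->addr != KeServiceDescriptorTable.addr && st->addr != KeServiceDescriptorTableShadow.addr)
        return SDT_UNKNOWN_DESCRIPTOR;      /* ServiceTable exchanged for a copy (section 3) */
    if (!in_kernel(st->base_addr))
        return SDT_BASE_OUTSIDE_KERNEL;     /* genuine descriptor, relocated function table */
    if (*bad_index != (size_t)-1)
        return SDT_ENTRY_OUTSIDE_KERNEL;    /* classic in-place SSDT hook */
    return SDT_OK;
}

/* Constructed sample: a copied SSDT in driver memory whose slot 2 (standing in
 * for NtOpenProcess, as in section 4) points into the driver. */
static const uintptr_t copied_funcs[N_SERVICES] = {0x80501000, 0x80501200, 0xf7a12340, 0x80501600};
static const sdt_t copied_ssdt = {0xf7a10000, 0xf7a10040, copied_funcs, N_SERVICES};
static const kthread_t sample_threads[3] = {
    {4, &KeServiceDescriptorTable}, {8, &KeServiceDescriptorTableShadow}, {12, &copied_ssdt}
};
```

Running check_kthread over every thread returned by the kernel's thread enumeration flags the third sample thread as using an unknown descriptor with slot 2 hooked, while the two genuine descriptors pass.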