Work Work Work
Sorry for the lack of updates lately, I've been swamped with paid work (can you guess? Rootkit Detection of course). I seem to have found an API that no commercial rootkit currently in the wild hooks. With it, all the rootkit files can be scanned for and found, although the code to do this is extremely complicated (you basically have to re-implement FindFirst/NextFile on top of it). I'm guessing the fact it's so complex is one of the reasons why no commercial rootkit currently hooks it: they probably don't know how to modify it.

Another nice thing is that once I have the filename, although most rootkits hook CreateFile or OpenFile so that you can't get a handle to the file, they don't hook NtDeleteFile, which lets you delete it by name without a handle. They also don't hook NtSetInformationFile, which is another method to delete the file (and can also be done with MoveFileEx). So it's quite trivial to rename the file, and then CreateFile on it. If you can't rename for some reason, then create a symbolic link. No commercial rootkit I've seen protects against this.

Another thing about commercial rootkits: not only do they cost large amounts of money and make false promises of "Government use", but they are also a danger to system stability. One of the ones I've tried didn't close handles properly, so after a couple of TinyKRNL compilations (DDK Build spawns ~500 compiler processes during the build), the system was out of handles. Other commercial rootkits completely dismiss SEH, so passing NULL to a Native API will now BSOD your system.
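The file scan described at the start of this post produces a second directory listing that can be compared against what the hooked APIs return. The sketch below is an added example, not code from the post: it assumes both listings have already been collected, every function name and sample path is constructed, and the multi-pass filter is an addition that drops files created between two listings.

```python
# Added example: cross-view diff of two directory listings (all paths constructed).
import ntpath

def normalize(path):
    """Reduce Win32 and NT-style spellings of one path to a single comparable key."""
    p = path.replace("/", "\\")
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    # Name lookups are case-insensitive by default, so compare lower-cased keys.
    return ntpath.normpath(p).rstrip("\\").lower()

def hidden_entries(hooked_view, raw_view):
    """Entries the low-level listing reports but the hooked listing omits."""
    return {normalize(p) for p in raw_view} - {normalize(p) for p in hooked_view}

def topmost(paths):
    """Report a hidden directory once instead of once per file beneath it."""
    def has_hidden_ancestor(p):
        parent = ntpath.dirname(p)
        while parent and parent != p:
            if parent in paths:
                return True
            p, parent = parent, ntpath.dirname(parent)
        return False
    return sorted(p for p in paths if not has_hidden_ancestor(p))

def persistent_hidden(passes):
    """Keep entries hidden in every (hooked, raw) pass; a file created between the
    two listings of one pass would otherwise look hidden."""
    return topmost(set.intersection(*(hidden_entries(h, r) for h, r in passes)))

# Constructed sample listings: HOOKED is what the usual APIs return,
# RAW_* is what a lower-level enumeration returns on two separate passes.
HOOKED = ["C:\\Windows\\System32\\notepad.exe",
          "C:\\Windows\\System32\\drivers\\disk.sys"]
RAW_1 = ["\\??\\C:\\Windows\\System32\\notepad.exe",
         "\\??\\C:\\Windows\\System32\\drivers\\DISK.SYS",
         "\\??\\C:\\Windows\\System32\\drivers\\example_hidden.sys",
         "\\??\\C:\\ProgramData\\hidden_dir",
         "\\??\\C:\\ProgramData\\hidden_dir\\module.dll",
         "\\??\\C:\\Windows\\Temp\\build_0412.obj"]   # transient build output
RAW_2 = RAW_1[:-1]                                    # the transient file is gone

if __name__ == "__main__":
    for path in persistent_hidden([(HOOKED, RAW_1), (HOOKED, RAW_2)]):
        print("hidden from hooked view:", path)
```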