Ok, I'm hooked....

I just finished reading this discussion https://www.wilderssecurity.com/showthread.php?p=495427#post495427

I think I am "hooked" on the discussion. So, could one of the experts explain what hooks are? I read so much discussions where this term is thrown around but what exactly does the term mean?

Many represenatives from security companies use this term as part of their marketing but no one has explained to me what exactly "hooking the API" or "global hooks" are.

So I ask the experts, "What exactly are hooks?"



Starrob

 

A hook is simply an interception - a middle-man. In terms of hooking a function in a program it simply means intercepting calls made to that function.

Before:
[Program] -> [Original function] -> [Back to program]

After hooking:
[Program] -> [Hooked function] -> [Original function] -> [Back to program]

The hooked function can analyse the way it is being called, and optionally pass control over to the original function to resume normal functionality.

API monitors are a common example of programs that use hooks...

 

a filter before the actual writing so to speak.

 

and to be complete: you have categories like Kernel Driven Applications..which I believe are practicaly Ring 0 . and Api Hook apps which are ring 2-3 and pollers are of another stadium.

my question is: would a ring2-3 program like a2 or boclean take completely care of ring0 Rootkit?

cause of the difference of rings/levels?

hope I receive an answer cause that would undirectly give answers on a lot of questions...even Regdefend (Thanx Jason )

 

Hi,

In so far as "chained hooks are concerned, this article elaborates:

http://www.macadamian.com/column/windowshooks.html

"If a hook has more than one filter function attached, Windows maintains a chain of filter functions. The most recently installed function is at the beginning of the chain, and the least recently installed function is at the end."

Rich

 

Ring 0 is the first in order

 

sorry I'm not logging in...

but a lot of windows processes are ring0 (off course they are) ... therefore practicaly unheard off to CLEAN virii/malware in Windows SystemRestore.
..

 

I would imagine it would depend a lot on what point the app detects the malware. The trojan would have to enter the system, and execute, in userspace, then escalating it's privileges. If the program can catch it before it escalates it's privileges then it should be able to catch it just fine. If the trojan can do it's dirty work before the scanner has the chance to notice, it may not be effective, no matter what level it works. Not knowing the ins and outs of the programs you mention I can't really give a definite answer, but the makers of BOClean have said that rootkits are not a problem, and they've been handling them since the beginning.

If you want an extra tool for the arsenel, you may want to check out Samurai (a hardening tool). It's been suggested that you could use it's anti-rootkit option to expose the rootkit and eliminate it with your scanner of choice. See post #24 in this thread.

 

First of all .. Thanx Notok for clarifying.

Yes, Stuff can penetrate through usermode to KernelMode through startup..hence they try to hide (rootkits)..

First question is answered: is an ondemand scanner necessary..off course it is.

Second question: when rootkit is present .. will a program that HOOKS into his own process :CLEAN it (from his hooking mode=not kernel mode..) in practically deepest level available ..

This is been discussed before actualy..but it didn't satisfied my needs

 

So I guess this is the best definition:


"In the Microsoft® WindowsÔ operating system, a hook is a mechanism by which a function can intercept events (messages, mouse actions, keystrokes) before they reach an application. The function can act on events and, in some cases, modify or discard them. Functions that receive events are called filter functions and are classified according to the type of event they intercept. For example, a filter function might want to receive all keyboard or mouse events. For Windows to call a filter function, the filter function must be installed, that is attached to a Windows hook (for example, to a keyboard hook). Attaching one or more filter functions to a hook is known as setting a hook. If a hook has more than one filter function attached, Windows maintains a chain of filter functions. The most recently installed function is at the beginning of the chain, and the least recently installed function is at the end."

Does any one know what gives one hook precedence over another? What if you have two hooks that want to do opposite things....which one RuLeZ?


Starrob

 

There can be various Hooks Starrob...just watch PG which kind hooks there are...and sometimes those hooks are 'getting hooked' on other areas.

That's another question eventualy but that was a valid question

Very good question about a lot of undocumented areas"
And to be completely honest: best way to find out would be the links that would dissapear here cause it's against the TOS and we don't want that.

..

But still the best thing to find out is the very hard way and not recommended for everyone...just my two cents.

 

Here is a interesting article:


http://msdn.microsoft.com/msdnmag/issues/02/10/cuttingedge/


Here is one quote from the article:


"A given event can have more than one filter function attached. In this case, Windows maintains a last-in-first-out (LIFO) chain of the filter functions. The most recently installed function is at the beginning of the chain, and the function installed first is at the end. [Editor's Update - 5/12/2004: The text originally stated that the function installed last would be at the end of the chain. This has been fixed.] Each hook function is responsible for passing control to the next one in the chain when finished. If the filter function doesn't call the next hook, the operating system takes control of the flow and considers the event-hooking phase completed."


I guess another way to ask this question would be:


Can the function at the beginning of the chain do things to completely fool hooks at the end of the chain so the hooks at the end of the chain are not getting the proper information to do what they are designed to do?

If that is true then how can any security software claim to have hooks that can deal with Rootkits, if the Rootkit is at the beginning of the chain?

Starrob

 

first of all you will need to have a driver as close to ring0. that's my own opinion and therefore not everybodies opinion...as long as I don't get any proof I don't think it's possible to completely get rid of rootkit with a program that 'just' hooks into your system...

at least I hope someone will enlighten me.

 

A quote from article http://msdn.microsoft.com/library/d...suserinterface/windowing/hooks/usinghooks.asp

"The system maintains a separate hook chain for each type of hook. A hook chain is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the system passes the message to each hook procedure referenced in the hook chain, one after the other. The action a hook procedure can take depends on the type of hook involved. The hook procedures for some types of hooks can only monitor messages; others can modify messages or stop their progress though the chain, preventing them from reaching the next hook procedure or the destination window."


What if you have malware that has a hook that can stop the progress through the chain.....how then can any security software that uses hooks get rid of it if the malware won't even pass the message on to the security software?

Also which type of hook can modify messages or stop their progress through the chain?




Starrob



Starrob

 

Hi Starrob,

This would be my analysis of the situation:

1) A progam (e.g. ProcessGuard) establishes a filter at a given hook.

2) This hook, in PG's case, prevents other programs from executing that are unauthorized.

3) An unauthorized program can never execute and establish its own filter.

4) An authorized program can execute and establish its own hook. If, a rootkit is authorized (by accident) it will be able to establish its own filter. This new filter, if it is on the same hook as the one used by PG, will take precedence. As such, it could, potentially, modify the behavior of PG. This is why it is important to install PG on a clean system (e.g. one with no rootkits).

5) A rootkit may have to get by other lines of defense, e.g. AV, AT, registry monitor, in order to instantiate itself, so it may be possible to stop this event even if it is mistakenly allowed by PG (this is just a possibility that may be discussed further).

Conclusion: A rootkit cannot establish itself, i.e. create a filter, unless it is either on the system prior to installing PG, or is mistakenly allowed to execute. In this case, other means to uninstall rootkits (e.g. rootkitrevealer) may assist - though I know there are no guarantees.

Open to comments.

Rich

 

I must be misunderstanding the question. When you hook any Native API, you intercept it and then you can do anything with it before passing it on.

So if you installed Regdefend, and then allowed to run another program that hooked the same API, the new program could easily arrange to cause changes to registry keys to be invisible to Regdefend.

That is the gist of the original thread I gather. Running tools like KprocCheck
allow you to see which application is the first in the chain to hook ...

 

"This hook?" Which hook in particular are you talking about?

I believe PG's hooks more than just to say zwcreatefile to detect starting processes , that's just the tip of the iceberg.

I doubt there is anything special about the hooks PG makes( please correct me if I'm wrong), as mentioned before it's a matter of the last program gaining priority, so if you run SSM which starts after PG, SSM will take control of Zwterminateprocess and Zwwritevirtualmemory instead of PG.

What is critical to note is that Even without execution protection, PG makes sure it's tough (impossible?) to establish hooks that circumvent PG's control over the APIs it hooks. The key thing to prevent PG's hooks from being circumvented or removed lies in making sure programs don't have the rights to install kernel/driver (not exactly sure about the details of this one but I believe this is where PG's real value lies) and access to physical memory. Any program that is allowed either of these 2 rights, can replace or remove (in the case of access physical memory) PG's hooks.

So run all the programs you want, as long as you don't grant them these 2 rights.

A program that is never run cannot be work. What's your point?

Essentially correct. But please note, running a program is fine, it's authorising them the rights to install drives, or access physical memory that is a big No No.

That's a given. In theory no program can execute on your computer without your permission unless you make a mistake or there is a bug (even without PG!), but this isn't interesting nor is the discussion about this.

A more interesting question I would pose is this. If you run Ewido/Whatever Antivirus/Antitrojan, there might be multiple hooks to the same native windows API (zwcreatefile seems to be popular?).

On first thought it doesn't matter. Because of load order (PG driver's load first), Ewido's guard hooks last and hence has the first shot of intercepting this particular hook. In theory as long as Ewido is not malicious and passes on the info next to PG, all things are fine.

Right? But what if for some reason you think Ewido (no offense to the Ewido guys, I'm just randomly picking names) is not as technically "good" as PG, you want PG to have the first shot . Maybe you are afraid that Ewido will slip up somehow and allow the malware to slip in before PG gets it's chance. Is there any way to guarantee that?

I also did a bit of testing, it's unclear to me, how this LIFO works. What does "installed" in this context mean? Is restrarting a program enough? My tests don't seem to create a consistent answer.

Rootkitrevealer does not uninstall rootkits.

You probably might use tools like Samurai or KprocCheck to flush out SDT entries.

Which brings me to the question what is SDT??

 

No, you did not misunderstand. That is the type of answer that I am looking for. So, I take it virtually all security software can be fooled by a rootkit that gets installed last because it would be the first in the chain.




Starrob

 

SSDT is System Service Dispatch Table, I think. See http://www.sysinternals.com/Information/NativeApi.html

 

you can have programs that hooks (so eg they cannot be terminated eg Boclean-A2) or you can have programs that go deeper (kernel driven, must install driver eg Ewido).

I've been reading those papers over and over again and still no clue. if it's possible for a program that hooks (not necessary kerneldriven) can clean ring0 rootkit (kernel driven so to speak)

/edit: I must be stupid..

 

I am not completely sure if the developers of many security products even know and even if they do know they are not talking. I think maybe the best defense against rootkits are preventing installation in the first place.

To me most talk about rootkit removal after installation is mostly big speculation until someone comes forward and answers these types of questions.



Starrob

 

Thanx Starrob, this is the third time I ask and no one doesn't even make an effort for explaining .. I don't understand.. all those experts here .. with all due respect.

Look I have a day to day job which is very time consuming, I mean it's hard to stay on top and I don't have the time to study this c++ or whatever cause I'm fedup when I get home.
DOES THAT MEAN I have to stay ignorant? I read a lot of things, on whitehat/blackhat sites if you will but man ..

Thanx anyway Starrob, this says more about them then about us!!

 

Good. Now tell me what it is

On a serious note, there's a lot list of Native APIs listed on the webpage. It says there is about "240 Native APIs in Win2K, up from around 200 in NT 3.5.1"!!!

I got 56 of them hooked by various security software. I suppose more is better <grins> .

 

LOL, I guess it is I surely hope so

 

Windows XP is an extremely complex operating system and I doubt anyone on this planet knows how to "secure" it - from rootkits or otherwise. However, one fact is very clear - at least to me - if a program cannot execute on a system, it cannot install itself as a rootkit. Therefore, the primary effort should always be to prevent unauthorized programs (any type of executable) from executing. Of course, once they get started there may be ways to prevent them from fully completing their work - e.g. from installing drivers/services, instantiating themselves in the registry, modifying system files, etc., - but to stop them from initially executing should be the primary objective. A top-grade anti-malware tool (e.g. KAV) and products like ProcessGuard and WormGuard, go a long way toward this objective. They cannot be perfect because Windows XP (and its spaghetti-like architecture which heavily lends itself to malicious attacks) doesn't allow for this.

Of course, staying away from sites that may contain malicious software (as best one can) goes without saying. It is no different than anything else in life. You try to stay out of trouble, but if you accidently get into trouble (my wife was recently hit by a car that was doing a left turn), well that is when your insurance policy comes in handy. There is no way on earth to prevent accidents from happening. That is why they are called accidents. And anyone who suggests to people that they should not have insurance policies on their PC still has a lot to learn about life.

Rich