Ok, I'm hooked....

Discussion in 'other security issues & news' started by Starrob, Jun 27, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Notok,

    From what I can make out from Microsoft's documentation, the first hook in a chain needs to call the subsequent hook in order for the next hook to execute its function. Therefore, it appears, that it is possible for a hook to bypass PG's protection, if it is allowed to instantiate itself as the first event in the chain.

    http://msdn.microsoft.com/library/d...kreference/hookfunctions/setwindowshookex.asp

    The more I read about this, the more I wonder what MS's designers were thinking when they designed this really super-awful operating system. This is a mess that no superman will ever be able to undo and secure. Our only hope is that somehow humans learn to telepathically communicate with each other (as in "Forbidden Planet") and it therefore becomes possible to completely free ourselves from the Internet (and MS). Of course, if this should happen, there is the issue with the id. ;)

    I think I've had enough of hooks to last me a lifetime.

    Rich
     
    Last edited: Jun 29, 2005
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Just from reading around a tiny bit, I think eventually the way most Rootkits will be removed is by using some type of Rootkit detector in combination with a scanner. I think I read somewhere where they are building rootkits that can evade any type of rootkit detector by simply detecting when a rootkit detector is in use and temporarily revealing itself in order that the detector can not find it.....that is where the scanner supposedly comes in and detects the rootkit after it is revealed.

    Am I wrong or right in this type of explanation?

    Starrob
     
  3. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Correct me if I am wrong but if some malware does not call the subsequent hook (in this case PG) then it would be in effect blocking itself from functioning. I finally started to understand this by Notok's "PG is dumb" explanation. PG is only there to pass on or block. It seems to me if the malware does not pass to the next hook then it is effectively blocking itself. If it does try to pass on altered info it will then have to deal with PG Allow/block prompts. Is this correct?

    The main danger it seems is someone finding a way to skip different hooks in the chain or finding a method to jump to an API that is not monitored. Is this correct?

    Maybe the reluctance of developers to name what they hook is due to the fact that someone might find a way to circumvent the things that are hooked but then again malware authors probably know already how to discover what a program hooks.....This situation appears to me sort of like government agencies classifying everything secret. A lot of what is secret is easily obtained by what are called "spies" simply by doing enough reading in what is already public knowledge and putting the pieces together so the "secret" label is not so much for blocking "spies" but to keep the public in the dark.

    I guess it is easier to sell software when the public is kept in the dark just like it was easier to sell the US public on the war in Iraq by keeping them in the dark. Keeping people in the dark is the salesman's best tool I think.

    Me personally, I like salesmen who don't attempt to keep me in the dark about things that are publicly known. If they use the "buzz words" for the sale then they can explain it. I personally only found two vendors that made or make attempts to explain rather than just simply give the company line but then again I only have talked to a very few vendors so maybe there are more willing to explain than I know.

    Starrob
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    This is my understanding. That if some prior hook (e.g. some malware) does not call the next hook in the chain (e.g. PG), then PG effectively does not get its opportunity to perform its function. This is based upon my cursory reading of the documentation in my prior post.

    Yes. The first hook in the chain performs its function (which I guess could be anything allowed within a functional procedure) and then passes control (and optionally some parameters) to PG. PG will then do what it is supposed to do based upon the parameters it is receiving - which I guess could be bogus.

    Yes. This is how I understand it. Which is why:

    1) The system has to be (should be) clean when PG is installed.
    2) New (unauthorized) programs have to be carefully allowed to execute because an error could allow a rootkit to be installed first in the chain. However, I would be extremely surprised that such a rootkit exists at this time - but then again surprises do happen. :)

    I believe that security is a cat-and-mouse game and I can certainly understand why developers would not reveal too much about what they are doing. In time, any secret can be uncovered, but why make it easy? ;)

    This is a very complex subject and I doubt much is "firmly known" and understood. There is the "MS documentation" - and then there is information (or code "eccentricities") that is discovered while actually working with the operating system - stuff that probably the MS developers themselves aren't aware of. So I guess, sometimes it is tough call. What to talk about? How to talk about it? And to whom?

    However, I do strongly believe this - the true source of the problem is MS and the way they designed the operating system. It is like a maze with an impossible number of possible paths for malicious work. Until pressure is put on MS (and it can only come from financial institutions who are losing their shirts because of the Windows security disaster) and they correct this mess (I have no idea how they can), we can only appreciate those who try to clean up the mess for what amounts to peanuts in actual cash. Can you imagine personally trying to plug Windows in the way ProcessGuard does for $29? That's the price of one good meal - and for this, we at least get a chance to stop some pretty nasty software from continually infiltrating our private home. I guess I am more on the grateful end of the equation. ;)

    Certainly, I am grateful to Wilders and all of the moderators and members who have so graciously and unselfishly shared their information. So thanks Starrob for starting this thread and piquing my own interest in this subject. I am sure there is a lot more to come. :)

    Cya,
    Rich
     
  5. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I assume then that a program like PG protects against the following:

    1) System Hooks using SetWindowsHookEx.
    2) CreateRemoteThread
    3) Manipulating thread's context using VirtualAllocEx/WriteProcessMemory
    4) Redirecting the Import Address Table
    5) Inserting an unconditional jump (This is the type of function redirection used by the Microsoft Detours Library [DETOURS])

    Starrob
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I don't think you're wrong. That would be a possibility to get unnoticed.
    rtkt dot com mentions some of those new techniques but it's like learning some mathematical language: you have to learn the basics. but the basics is not known by everyone...certainly not me. so I am doubting I will put in again three years of study just to know what's going on.
    that's a pain in the ass and therefore I understand if you're qualified with this all why it's hard to explain this all in public. But I was hoping someone would break the taboo...but I can live with it.

    to Rich, I can truly follow what you're saying. And certainly why pg needs to be installed in a clean environment.

    as pg will block all hooks, if you don't check block drivers/services/rootkits: you'll still get infected with a rootkit...so I doubt all this hooking takes place with rootkits in the first place. Cause the main issue with rootkits is to install a driver and not a hook.

    This can sound stupid :D so don't shoot ;) but it's having a lot of power I guess...and for that matter, all those guys who refuse to tell what's going on .. are not far behind M$'s own vision... so it comes down to that too (personal opinion).
     
    Last edited: Jun 30, 2005
  7. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Well, I have been reading around and apparently not all rootkits install drivers. I think it is the Kernel level rootkits that install drivers.

    I have been reading about rootkits on one particular website in which I might not be able to post the link here which talks about User mode rootkits. User mode rootkits operate on ring 3 with lower privileges and they target directly the user's applications instead of the system itself. They don't use any administrative privilege to be able to perform their stealth as they reside directly inside processes that are owned by the current user. Apparently the advantage of these types of rootkits is that they are more "portable"....which means it is easier for them to operate on different Windows Operating systems.


    Starrob
     
    Last edited: Jun 30, 2005
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Starrob, I am not talking about usermode rootkits :) that can be handled by practically all players. and you are right, there are user rootkits too. it's a good supplement to discuss.

    I don't think this link is forbidden here, feel free to delete (mods, admins,...) but for anyone having some thoughts on user/kernel rootkits:

    link removed - contains direct links to malware - Blue

    my question would be this about usermode rootkits: if you have a limited account user (with no writing/deleting/...capacities) would a user rootkit still get admin privilege?

    edit: the link is very basic :) and I think you all know it...
     
    Last edited by a moderator: Jun 30, 2005
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I've been reading a Dutch!! website: quote:

    4 different rootkits: memory rootkit, persistent rootkit, usermode and kernel mode rootkit...
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    sorry blue :( really not intended to post malwarelinks.
     
  11. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Yes.....they talk about how it is possible in that link. The User mode rootkit waits around until the user uses the Run as command to use programs as an Administrator (i.e. updating Windows) then it captures the Administrator password.

    Starrob
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    ok, thanx Starrob.

    /edit so usermode rootkits are easily defeated? if I *don't use admin privilege* what does he do then? lol

    nothing I guess...it's from the moment you use admin privilege it can do its stuff.

    :p wtf :)
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Infinity,

    No problem, that's part of why we're here - to provide a second set of eyes on these things. In this case, it was links on that page, not the page itself. Just being on the safe side.

    Blue
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Yeah, you couldn't slip in any hooks "behind" PG if it was installed first, not unless there was some kind of exploit in PG itself that allowed bypass. Like I say, PG is a "dumb" blocker, anything going through that channel would be blocked and alerted to until you set permissions otherwise. I did verify this w/ a security software developer.. without some magical exploit, I don't think there would be any way to slip a hook "behind" the first.

    From what I've gathered, there's different kinds of rootkits for different goals. Some will just hook specific applications, which don't require drivers, and others are system-wide.. those do need drivers. The usermode rootkits, which do not need admin rights to install a driver, can hook applications to do things like snag passwords. The kernel mode (driver) rootkits are going to do a lot more, including things like changing, or adding to, Windows functions.

    Could a usermode rootkit gain admin privs? My guess would be that with the right combination of things anything is possible, but for the most part they don't need to.. either you make a usermode rootkit (which can function under any account) or you make a kernel mode rootkit (admin accounts don't have direct access to kernel functions), depending on what you want to do. Any rootkit is going to enter the system in user-mode (again, unless there's some kind of magical exploit), it's what it does from there that distinguishes the two. Kernel mode is just for the very core components of Windows.. it provides the 'higher' functions of Windows (ie, the Windows executive) that make sure the programs actually can run and the interface with the hardware. A driver would just give your process a way to go around anything else, including hooked APIs, by offering alternatives to what Windows already offers.. hence PG's protection against driver installs.
     
  15. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I am reading at another website which is talking about how advanced Rootkits:

    1) Hook Import Address Table (IAT) in processes
    2) Hook the System Call Table of operating system
    3) Hook the Interrupt Descriptor Table (IDT)


    Now out to find out what all these things mean. I think the next time I go out to work on the ships, I will bring a few books about programming out with me. I'll have 4 months to read. I think I want to start understanding what software is going on my computer because I want to know exactly what I require.
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yes Notok, excellent. I still believe that pg is one of the best things ever.

    But I am about to give up cause the same questions come back every time and I don't want to bother any longer ... but I promise I'll find out more ... yesterday I felt really bad...but today the sun is shining again :D

    Have a great day and let's kill them anyway right? ...
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    IDT = Interrupt Dispatch Table. If I understand correctly, it's a table of contents for your hardware with the associated interrupt routine (which goes about letting the hardware do its thing). When one of your hardware components wants CPU time (interrupting the CPU), Windows refers to the IDT to find out what to do with it, basically.

    I'll see about looking the others up another day..
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    very true Starrob. what I see is if you understand all this: you can create things and that's why everybody is afraid to lose money ... or they can't cause they're bound to friends (which is normal, I would too) and I hope one day I'll see you with a yellow sign :D

    who do you trust, .. ? valid questions .. all of them...
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Notok !

    /edit: I won't leave it all up to you, don't worry... I'll address this here too :D so we learn again and again... :ninja: ;)
     
  20. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I am not sure how far I'll go with it but I know the subject can't be as complex as Differential Equations http://www.sosmath.com/diffeq/diffeq.html or Thermodynamics http://physics.about.com/cs/thermodynamics/ or how about my worst subject Strength of Materials http://www.engineersedge.com/strength_of_materials.htm or if you really want to get down and dirty Electrical Engineering.....my brother dropped out of Electrical Engineering courses to be a Mechanical Engineer. He could not keep up with all the Indians and Chinese that are a wiz at those subjects.

    Yeah....I am an engineer as is my brother. The stuff that I studied in college gave me a headache that lasts until this day....the subjects are just as tough....if not more so than the windows operating system. If I took a different path in life, I could have been a Nuclear Engineer in some power plant somewhere. So, I am not as in awe of programmers as some.....after all programming is not nuclear science....is it?

    If I put my mind to it, I can learn it.....I would only learn it to make my computing more secure though.....I have no interest in going further and writing programs.

    I would like to thank the few programmers and or security gurus that do give me information here and there. Thanks Notok, Infinity, Pollmaster, Richrf for making this thread at least half way interesting too. Too bad more could not or would not participate.

    Starrob
     
  21. Pollmaster

    Pollmaster Guest

    Are you sure about that?

    Kernel--> Hook 1 (SSM) ---->Hook 2 (PG with execution protection)

    When I start a new application, SSM gets the first shot, if I deny it from starting , PG's execution protection is silent.

    So it seems hook 1 can affect what is being sent to hook 2.

    Is it really that impossible for an evil hook 1 to do what SSM does in scenario 1, and yet not actually block the app from starting?

    In that scenario an evil hook 1, would faithfully pass down information to PG for everything EXCEPT for events triggered by something it was trying to hide.

    If we are talking about trustworthy hooks 1 and 2, then I agree, it would take some magical exploit to somehow take advantage of the fact that PG isn't first.

    Yes. Another way I suppose is that you do a comparison between the 2 results when you use a rootkit detector and a normal tripwire application.
    Any differences will flag the rootkit . If you can force the rootkit to 'uncloak' you win.
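A toy model of the hook chain behaviour Rich describes in post 1 and Pollmaster questions just above, added here as an illustration and not taken from any post, from Microsoft's documentation or from ProcessGuard: each hook decides whether to call the next one, so a monitoring hook that sits behind another hook only ever sees what that hook forwards. The hook names, the three event strings and the single swallowed event are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a SetWindowsHookEx-style chain (this example's own code, not
 * ProcessGuard's). The last hook installed becomes the head of the chain and
 * each hook decides whether to pass an event on, as CallNextHookEx does. */

struct hook;
typedef bool (*hook_fn)(const struct hook *self, const char *event);

struct hook {
    const char *name;
    hook_fn fn;
    const struct hook *next;        /* next hook in the chain, NULL at the end */
};

/* Forwards the event to the rest of the chain (the CallNextHookEx step). */
static bool call_next(const struct hook *self, const char *event) {
    return self->next ? self->next->fn(self->next, event) : true;
}

static int seen_count;              /* events the monitoring hook received */

/* Monitoring hook: counts every event it is handed, then forwards it. */
static bool monitor(const struct hook *self, const char *event) {
    seen_count++;
    return call_next(self, event);
}

/* Hook that forwards everything except one constructed event name, which it
 * swallows without calling the next hook; the chain behind it never sees it. */
static bool dropper(const struct hook *self, const char *event) {
    if (strcmp(event, "hidden.exe") == 0) return true;
    return call_next(self, event);
}

/* Installs hooks[0..n) in order; the last installed becomes the head. */
static const struct hook *install(struct hook *hooks, size_t n) {
    const struct hook *head = NULL;
    for (size_t i = 0; i < n; i++) { hooks[i].next = head; head = &hooks[i]; }
    return head;
}

/* Dispatches three constructed events and returns how many the monitor saw.
 * dropper_installed_last: true puts the dropper ahead of the monitor. */
int events_seen_by_monitor(bool dropper_installed_last) {
    struct hook hooks[2] = {{"monitor", monitor, NULL}, {"dropper", dropper, NULL}};
    if (!dropper_installed_last) { struct hook t = hooks[0]; hooks[0] = hooks[1]; hooks[1] = t; }
    const struct hook *head = install(hooks, 2);
    const char *events[] = {"notepad.exe", "hidden.exe", "calc.exe"};
    seen_count = 0;
    for (size_t i = 0; i < 3; i++) head->fn(head, events[i]);
    return seen_count;
}

int main(void) {
    printf("monitor first: %d, monitor behind dropper: %d\n",
           events_seen_by_monitor(false), events_seen_by_monitor(true));
    return 0;
}
```

The monitor at the head of the chain counts all three events; installed before the dropper (and therefore behind it), it counts two, which is why the thread keeps returning to installing PG on a clean system.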
     
  22. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Pollmaster, can you elaborate a little about the tripwire application? do you mean child/parent control?

    /edit: you mean like ssm and pg. no prbs
     
    Last edited: Jun 30, 2005
  23. Pollmaster

    Pollmaster Guest

    No. Basically I mean any system integrity tool that does checksumming.

    I believe that the idea of kernel rootkits was that they could even fool such tools, as long as you didn't run on a clean partition.

    But if it "uncloaked" when scanned by a rootkit detector tool, it would give a different set of results from the original scans, that would give it away.
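The comparison Pollmaster describes here and in post 21, as an added illustration rather than any tool's code: a reference listing of paths and checksums taken from a clean system (or another scan) is diffed against what the running system reports, and an entry that vanished or whose checksum changed is flagged. The paths and checksum values are constructed samples, and the checksum is a stored number standing in for a real hash of the file contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cross-view check: a reference listing taken another way (clean-boot
 * baseline or raw volume read) is compared with what the running system's
 * APIs report. An entry the system no longer shows, or shows with a changed
 * checksum, is flagged. Paths and checksum values are constructed samples. */

struct entry { const char *path; uint32_t checksum; };

/* Constructed baseline recorded by a checksumming tool on a clean system. */
static const struct entry baseline[] = {
    {"C:\\Windows\\System32\\ntoskrnl.exe", 0x1a2b3c4dU},
    {"C:\\Windows\\System32\\kernel32.dll", 0x5e6f7081U},
    {"C:\\Windows\\System32\\drivers\\tcpip.sys", 0x9a0b1c2dU},
};

/* Constructed API view while something is cloaking: one file is missing
 * and one checksums differently. */
static const struct entry api_view[] = {
    {"C:\\Windows\\System32\\ntoskrnl.exe", 0x1a2b3c4dU},
    {"C:\\Windows\\System32\\kernel32.dll", 0xdeadbeefU},
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static const struct entry *find(const struct entry *v, size_t n, const char *path) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(v[i].path, path) == 0) return &v[i];
    return NULL;
}

/* Writes one code per discrepancy into kinds (up to max) and returns the
 * count: 'H' hidden from the view, 'M' modified, 'N' present only in view. */
int cross_view_diff(const struct entry *ref, size_t nref,
                    const struct entry *view, size_t nview,
                    char *kinds, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < nref && n < max; i++) {
        const struct entry *e = find(view, nview, ref[i].path);
        if (!e) kinds[n++] = 'H';
        else if (e->checksum != ref[i].checksum) kinds[n++] = 'M';
    }
    for (size_t i = 0; i < nview && n < max; i++)
        if (!find(ref, nref, view[i].path)) kinds[n++] = 'N';
    return (int)n;
}

/* Kind code of the i-th discrepancy between the sample views, '\0' past end. */
char sample_kind(int i) {
    char kinds[8];
    int n = cross_view_diff(baseline, COUNT(baseline), api_view, COUNT(api_view), kinds, 8);
    return i >= 0 && i < n ? kinds[i] : '\0';
}

int main(void) {
    for (int i = 0; sample_kind(i); i++) printf("discrepancy %d: %c\n", i, sample_kind(i));
    return 0;
}
```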
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    true. drweb has a good one (old kaspersky checksummer was nice too, inspector)

    that would be too easy indeed and therefore not a good rootkit in terms of malware efficiency.

    it can be fooled way too easy imho...what could do it is to have realtime AND kerneldriven revealer :) and I truly believe Regdefend is capable of doing this (this has been discussed here...there is just no way to get rid of it if you're not in Kernelmode...
     
  25. Pollmaster

    Pollmaster Guest

    Infinity, I have no clue what you are saying.
     