Testing for Rootkits

Discussion in 'other anti-malware software' started by Joeythedude, Aug 29, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
  2. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    A search of Wiki can give you many answers :)
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    had a look at that but it doesn't answer my question :)
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
As far as I'm aware, Rootkits require a Driver/SYS file to run, in the Kernel-mode anyway. Here's a couple of User-mode Rootkit examples though that "appear" not to.


Here's what my infamous hxdef100.exe says in its Read Me file

[image: hxd.png]

    -

    These switches are available:

    -:installonly - only install service, but not run
    -:refresh - use to update settings from inifile
    -:noservice - doesn't install services and run normally
-:uninstall - removes hxdef from the memory and kills all running backdoor connections (stopping hxdef service does the same now)

    -

    No mention of .SYS etc in this User-mode AFX Rootkit test

    -


"User-mode rootkits on Windows systems generally operate by overwriting files on the system itself, as well as by using techniques such as DLL injection and API hooking. These rootkits operate in the same fashion and context as a user on the system, hence the moniker 'user-mode.'"

"To develop a better understanding of some of these user-mode rootkits, we'll take a look at how an example rootkit is configured and employed, as well as what effect it has on the "victim" system. This way, we'll know what to look for when we suspect that there may be a rootkit on a system."


"Before we launch our rootkit, we're going to run InControl5 so that we can see what changes this rootkit makes to the system when it is installed."

    Figure 7-11. InControl5 report showing files added by afx_example.exe installation. - http://www.ubookcase.com/book/Addis...ncident.Recovery/0321200985/ch07lev1sec4.html

[image: ctl5.gif]

    -

    There are 8 file types with the "SYS" extension name - http://www.file-extensions.org/sys-file-extension-system-device-driver
     
  5. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Very interesting. Thanks.
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi StevieO,

    Just noticed this and wanted to clarify the -:noservice switch usage. It's an on-demand switch. All files, including hxdefdrv.sys and hackerdefenderdrv100.sys, are written to the system. When activated, it only runs until the system is restarted. When it is activated, the drivers are active...

    8/30/2009 22:16:32 Create new process Permitted
    Process: c:\windows\system32\cmd.exe
    Target: c:\test\hxdef100.exe
    Cmd line: hxdef100.exe -:noservice
    Rule: [App]*

    8/30/2009 22:16:33 Load kernel driver Permitted
    Process: c:\test\hxdef100.exe
    Target: c:\windows\system32\drivers\hackerdefenderdrv100.sys
    Rule: [App]*

    8/30/2009 22:16:38 Create file Permitted
    Process: c:\test\hxdef100.exe
    Target: C:\test\hxdefdrv.sys
    Rule: [File Group]All Executable Files -> [File]*; *.sys

    8/30/2009 22:16:39 Create registry key Permitted
    Process: c:\test\hxdef100.exe
    Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HackerDefenderDrv100
    Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    8/30/2009 22:16:39 Set registry value Permitted
    Process: c:\test\hxdef100.exe
    Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HackerDefenderDrv100\ImagePath
    Data: \??\C:\test\hxdefdrv.sys
    Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*; ImagePath

    8/30/2009 22:16:39 Load kernel driver Permitted
    Process: c:\test\hxdef100.exe
    Target: c:\test\hxdefdrv.sys
    Rule: [App]*


    Playing with Hacker Defender again brings back some good memories. It was an awesome "tool" in its time and triggered serious Windows HIPS development.
     
    Last edited: Aug 31, 2009
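The HIPS excerpt above is the evidence that settles the thread's question: even with -:noservice, the executable writes a .sys, registers it under the Services key with an ImagePath, and loads it. The following is an added example, not code from the thread or from any of the posters, that parses a log in that same format and flags the kernel-mode indicators a defender would look for. The log text is constructed from the posted excerpt; the "normal driver directory" heuristic (%SystemRoot%\system32\drivers) and the finding names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log in the same format as the posted HIPS excerpt
# (timestamps, paths and names are sample values taken from that excerpt).
SAMPLE_LOG = r"""
8/30/2009 22:16:32 Create new process Permitted
Process: c:\windows\system32\cmd.exe
Target: c:\test\hxdef100.exe
Cmd line: hxdef100.exe -:noservice
Rule: [App]*

8/30/2009 22:16:33 Load kernel driver Permitted
Process: c:\test\hxdef100.exe
Target: c:\windows\system32\drivers\hackerdefenderdrv100.sys
Rule: [App]*

8/30/2009 22:16:38 Create file Permitted
Process: c:\test\hxdef100.exe
Target: C:\test\hxdefdrv.sys
Rule: [File Group]All Executable Files -> [File]*; *.sys

8/30/2009 22:16:39 Create registry key Permitted
Process: c:\test\hxdef100.exe
Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HackerDefenderDrv100
Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

8/30/2009 22:16:39 Set registry value Permitted
Process: c:\test\hxdef100.exe
Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HackerDefenderDrv100\ImagePath
Data: \??\C:\test\hxdefdrv.sys
Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*; ImagePath

8/30/2009 22:16:39 Load kernel driver Permitted
Process: c:\test\hxdef100.exe
Target: c:\test\hxdefdrv.sys
Rule: [App]*
"""

HEADER = re.compile(r"^(\d+/\d+/\d{4} \d+:\d+:\d+) (.+?) (Permitted|Blocked)$")

# Assumed heuristics for this example: the usual driver directory, and the
# Services hive where a driver gets its autostart entry.
SYSTEM_DRIVER_DIR = "C:\\WINDOWS\\SYSTEM32\\DRIVERS\\"
SERVICES_KEY = "\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"


@dataclass
class Event:
    time: str
    action: str
    verdict: str
    fields: dict = field(default_factory=dict)


def parse_events(text):
    """Split the log into blank-line-separated blocks; each block is one event
    made of a header line followed by 'Key: value' lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.strip().splitlines()]
        m = HEADER.match(lines[0])
        if not m:
            continue
        ev = Event(*m.groups())
        for line in lines[1:]:
            key, _, value = line.partition(":")   # split on the first colon only
            ev.fields[key.strip().lower()] = value.strip()
        events.append(ev)
    return events


def normalize(path):
    """Upper-case and drop the \\??\\ NT object-manager prefix seen in ImagePath."""
    p = path.upper()
    return p[4:] if p.startswith("\\??\\") else p


def find_driver_indicators(events):
    """Return one finding per event that shows a kernel-mode component being
    written, registered or loaded, in log order."""
    findings = []
    for ev in events:
        target = ev.fields.get("target", "")
        proc = ev.fields.get("process", "")
        kind = None
        if ev.action == "Load kernel driver":
            kind = ("driver_load_system_dir" if normalize(target).startswith(SYSTEM_DRIVER_DIR)
                    else "driver_load_other_dir")
        elif ev.action == "Create file" and normalize(target).endswith(".SYS"):
            kind = "sys_file_written"
        elif ev.action == "Create registry key" and SERVICES_KEY in target.upper():
            kind = "service_key_created"
        elif ev.action == "Set registry value" and target.upper().endswith("\\IMAGEPATH"):
            data = normalize(ev.fields.get("data", ""))
            if data.endswith(".SYS") and not data.startswith(SYSTEM_DRIVER_DIR):
                kind = "service_imagepath_nonstandard"
                target = ev.fields.get("data", "")   # report the path the service points at
        if kind:
            findings.append({"time": ev.time, "kind": kind, "target": target, "process": proc})
    return findings


def processes_loading_drivers(events):
    """The thread's question, answered from the log: which processes loaded a driver?"""
    return {ev.fields.get("process", "") for ev in events if ev.action == "Load kernel driver"}


if __name__ == "__main__":
    for f in find_driver_indicators(parse_events(SAMPLE_LOG)):
        print(f"{f['time']}  {f['kind']:30} {f['target']}  (by {f['process']})")
```

Run over the sample, the parser yields six events and five findings: a driver load from the normal drivers directory, a .sys written to c:\test, a new Services key, an ImagePath pointing at that non-standard .sys, and a second driver load from c:\test. The two "outside the drivers directory" findings are the ones worth an alert on a real host; a load from system32\drivers deserves a signature check rather than an automatic alarm.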
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    nick s

    Hi there.

    Thanx for that.

Yes indeed, Holy Father and his Hacker Defender RKs definitely gave the security world a much needed big kick up the rear, and long overdue too! It's never been the same since, or ever will be either.

    Regards,

    S
     