Testing for Rootkits

Do Rootkits have to include a driver / *sys file ?

https://www.wilderssecurity.com/showpost.php?p=1530311&postcount=34

 

A search of Wiki can give you many answers

 

had a look at that but it doesn't answer my question

 

As far as i'm aware, Rootkits require a Driver/SYS file to run, in the Kernel-mode anyway. Here's a couple of User-mode Rootkit examples though that " appear " not to.


Here's what my infamous hxdef100.exe says in it's Read Me file



-

These switches are available:

-:installonly - only install service, but not run
-:refresh - use to update settings from inifile
-:noservice - doesn't install services and run normally
-:uninstall - removes hxdef from the memory and kills all
running backdoor connections
stopping hxdef service does the same now

-

No mention of .SYS etc in this User-mode AFX Rootkit test

-


" User-mode rootkits on Windows systems generally operate by overwriting files on the system itself, as well as by using techniques such as DLL injection and API hooking. These rootkits operate in the same fashion and context as a user on the system, hence the moniker "user-mode. "

" To develop a better understanding of some of these user-mode rootkits, we'll take a look at how an example rootkit is configured and employed, as well as what effect it has on the "victim" system. This way, we'll know what to look for when we suspect that there may be a rootkit on a system. "


" Before we launch our rootkit, we're going to run InControl5 so that we can see what changes this rootkit makes to the system when it is installed. "

Figure 7-11. InControl5 report showing files added by afx_example.exe installation. - http://www.ubookcase.com/book/Addis...ncident.Recovery/0321200985/ch07lev1sec4.html



-

There are 8 file types with the "SYS" extension name - http://www.file-extensions.org/sys-file-extension-system-device-driver

 

Very interesting. Thanks.

 

Hi StevieO,

Just noticed this and wanted to clarify the -:noservice switch usage. It's an on-demand switch. All files, including hxdefdrv.sys and hackerdefenderdrv100.sys, are written to the system. When activated, it only runs until the system is restarted. When it is activated, the drivers are active...

8/30/2009 22:16:32 Create new process Permitted
Process: c:\windows\system32\cmd.exe
Target: c:\test\hxdef100.exe
Cmd line: hxdef100.exe -:noservice
Rule: [App]*

8/30/2009 22:16:33 Load kernel driver Permitted
Process: c:\test\hxdef100.exe
Target: c:\windows\system32\drivers\hackerdefenderdrv100.sys
Rule: [App]*

8/30/2009 22:16:38 Create file Permitted
Process: c:\test\hxdef100.exe
Target: C:\test\hxdefdrv.sys
Rule: [File Group]All Executable Files -> [File]*; *.sys

8/30/2009 22:16:39 Create registry key Permitted
Process: c:\test\hxdef100.exe
Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HackerDefenderDrv100
Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

8/30/2009 22:16:39 Set registry value Permitted
Process: c:\test\hxdef100.exe
Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HackerDefenderDrv100\ImagePath
Data: \??\C:\test\hxdefdrv.sys
Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*; ImagePath

8/30/2009 22:16:39 Load kernel driver Permitted
Process: c:\test\hxdef100.exe
Target: c:\test\hxdefdrv.sys
Rule: [App]*

Playing with Hacker Defender again brings back some good memories. It was an awesome "tool" in its time and triggered serious Windows HIPS development.

 

nick s

Hi there.

Thanx for that.

Yes indeed, Holy Father and his Hacker Defender RK's definately gave the security world a much needed big kick up the rear, and long over due too ! It's never been the same since, or ever will be either.

Regards,

S