Table of Contents for
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition
Published by
Jones & Bartlett Learning, 2012
- Cover
- Title Page
- Copyright
- The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
- Contents
- Preface
- Part I: Foundations
- Chapter 1 Empty Cup Mind
- Chapter 2 Overview of Anti-Forensics
- Chapter 3 Hardware Briefing
- Chapter 4 System Briefing
- Chapter 5 Tools of the Trade
- Chapter 6 Life in Kernel Space
- Part II: Postmortem
- Chapter 7 Defeating Disk Analysis
- Chapter 8 Defeating Executable Analysis
- Part III: Live Response
- Chapter 9 Defeating Live Response
- Chapter 10 Building Shellcode in C
- Chapter 11 Modifying Call Tables
- Chapter 12 Modifying Code
- Chapter 13 Modifying Kernel Objects
- Chapter 14 Covert Channels
- Chapter 15 Going Out-of-Band
- Part IV: Summation
- Chapter 16 The Tao of Rootkits
- Index
- Photo Credits
Contents
1.2 Distilling a More Precise Definition
The Role of Rootkits in the Attack Cycle
Single-Stage Versus Multistage Droppers
Don’t Confuse Design Goals with Implementation
Rootkit Technology as a Force Multiplier
The Kim Philby Metaphor: Subversion Versus Destruction
Why Use Stealth Technology? Aren’t Rootkits Detectable?
1.4 Who Is Building and Using Rootkits?
It’s Not a Rootkit, It’s a Feature
Who Builds State-of-the-Art Rootkits?
1.5 Tales from the Crypt: Battlefield Triage
Chapter 2 Overview of Anti-Forensics
Everyone Has a Budget: Buy Time
Intrusion Detection System (and Intrusion Prevention System)
Aren’t Rootkits Supposed to Be Stealthy? Why AF?
Assuming the Worst-Case Scenario
Classifying Forensic Techniques: First Method
Classifying Forensic Techniques: Second Method
When Powering Down Isn’t an Option
The Debate over Pulling the Plug
To Crash Dump or Not to Crash Dump
2.4 General Advice for AF Techniques
Low and Slow Versus Scorched Earth
Shun Instance-Specific Attacks
2.5 John Doe Has the Upper Hand
Attackers Can Focus on Attacking
Defenders Face Institutional Challenges
Security Is a Process (and a Boring One at That)
Isn’t This a Waste of Time? Why Study Real Mode?
The Real-Mode Execution Environment
Segmentation and Program Control
Case Study: Logging Keystrokes with a TSR
Case Study: Patching the TREE.COM Command
The Protected-Mode Execution Environment
A Closer Look at the Control Registers
3.5 Implementing Memory Protection
Protection Through Segmentation
The Protected-Mode Interrupt Table
4.1 Physical Memory under Windows
How Windows Uses Physical Address Extension
Pages, Page Frames, and Page Frame Numbers
4.2 Segmentation and Paging under Windows
Linear to Physical Address Translation
Comments on EPROCESS and KPROCESS
4.3 User Space and Kernel Space
Kernel-Space Dynamic Allocation
4.5 Other Memory Protection Features
Address Space Layout Randomization
The System Service Dispatch Tables
Nt*() Versus Zw*() System Calls
The Life Cycle of a System Call
Active Concealment: Type I and Type II
Jumping Out of Bounds: Type III
For Faster Relief: Virtual Machines
List Loaded Modules (lm and !lmi)
5.3 The KD.exe Kernel Debugger
Different Ways to Use a Kernel Debugger
Physical Host–Target Configuration
Launching a Kernel-Debugging Session
Virtual Host–Target Configuration
Useful Kernel-Mode Debugger Commands
List Loaded Modules Command (lm)
Method No. 1: PS/2 Keyboard Trick
Chapter 6 Life in Kernel Space
Kernel-Mode Drivers: The Big Picture
Communicating with User-Mode Code
Sending Commands from User Mode
6.3 The Service Control Manager
Using sc.exe at the Command Line
Using the SCM Programmatically
6.5 Leveraging an Exploit in the Kernel
6.6 Windows Kernel-Mode Security
Kernel-Mode Code Signing (KMCS)
Chapter 7 Defeating Disk Analysis
7.1 Postmortem Investigation: An Overview
Countermeasures: Reserved Disk Regions
Countermeasures: Partition Table Destruction
Raw Disk Access: Exceptions to the Rule
Recovering Deleted Files: Countermeasures
Enumerating ADSs: Countermeasures
Recovering File System Objects
Recovering File System Objects: Countermeasures
Acquiring Metadata: Countermeasures
Cross-Time Versus Cross-View Diffs
Identifying Known Files: Countermeasures
File Signature Analysis: Countermeasures
Chapter 8 Defeating Executable Analysis
8.2 Subverting Static Analysis
Data Source Elimination: Multistage Loaders
Manual Versus Automated Runtime Analysis
Manual Analysis: Basic Outline
Manual Analysis: Memory Dumping
Manual Analysis: Capturing Network Activity
Composition Analysis at Runtime
8.4 Subverting Runtime Analysis
API Tracing: Evading Detour Patches
API Tracing: Multistage Loaders
Instruction-Level Tracing: Attacking the Debugger
Detecting a User-Mode Debugger
Detecting a Kernel-Mode Debugger
Detecting a User-Mode or a Kernel-Mode Debugger
Detecting Debuggers via Code Checksums
The Argument Against Anti-Debugger Techniques
Instruction-Level Tracing: Obfuscation
Countering Runtime Composition Analysis
Chapter 9 Defeating Live Response
Autonomy: The Coin of the Realm
9.1 Live Incident Response: The Basic Process
UMLs That Subvert the Existing APIs
The Argument Against Loader API Mods
The Windows PE File Format at 10,000 Feet
The Import Data Section (.idata)
The Base Relocation Section (.reloc)
Implementing a Stand-Alone UML
9.3 Minimizing Loader Footprint
Data Contraception: Ode to The Grugq
The Next Step: Loading via Exploit
9.4 The Argument Against Stand-Alone PE Loaders
Chapter 10 Building Shellcode in C
Visual Studio Project Settings
Finding Kernel32.dll: Journey into the TEB and PEB
Parsing the kernel32.dll Export Table
Project Settings: $(NTMAKEENV)\makefile.new
10.3 Special Weapons and Tactics
Chapter 11 Modifying Call Tables
11.1 Hooking in User Space: The IAT
Walking an IAT from a PE File on Disk
11.2 Call Tables in Kernel Space
Handling Multiple Processors: Solution #1
Handling Multiple Processors: Solution #2
Disabling the WP Bit: Technique #1
Disabling the WP Bit: Technique #2
SSDT Example: Tracing System Calls
SSDT Example: Hiding a Process
SSDT Example: Hiding a Network Connection
11.7 Hooking the GDT: Installing a Call Gate
Checking for Kernel-Mode Hooks
Acquire the Address of the NtSetValueKey()
Initialize the Patch Metadata Structure
Verify the Original Machine Code Against a Known Signature
Save the Original Prologue and Epilogue Code
Update the Patch Metadata Structure
Lock Access and Disable Write-Protection
Initializing the Patch Metadata Structure
Mapping Registry Values to Group Policies
12.3 Bypassing Kernel-Mode API Loggers
12.4 Instruction Patching Countermeasures
Chapter 13 Modifying Kernel Objects
Issue #1: The Steep Learning Curve
Issue #3: Portability and Pointer Arithmetic
13.2 Revisiting the EPROCESS Object
13.3 The DRIVER_SECTION Object
Relevant Fields in the Token Object
13.7 Manipulating the Access Token
High-Level Enumeration: CreateToolhelp32Snapshot()
High-Level Enumeration: PID Bruteforce
Low-Level Enumeration: Processes
Low-Level Enumeration: Threads
The Best Defense: Starve the Opposition
Commentary: Transcending the Two-Ring Model
14.2 Worst-Case Scenario: Full Content Data Capture
Different Tools for Different Jobs
14.6 DNS Tunneling: WSK Implementation
Initialize the Application’s Context
Determine a Local Transport Address
Bind the Socket to the Transport Address
Set the Remote Address (the C2 Client)
Building and Running the NDISProt 6.0 Example
15.1 Additional Processor Modes
Rogue Hypervisors Versus SMM Rootkits
15.3 Lights-Out Management Facilities
15.4 Less Obvious Alternatives
Chapter 16 The Tao of Rootkits
When a Postmortem Isn’t Enough
Five Point Palm Exploding Heart Technique
Resist the Urge to Smash and Grab
On Dealing with Proprietary Systems
Kingpin: Hardware Is the New Software
Butler Lampson: Separate Mechanism from Policy
Stealth Versus Development Effort
Stability Counts: Invest in Best Practices
Failover: The Self-Healing Rootkit