Xeno Kovah – Jan. 2013 xkovah at gmail
Subject line starting with "UMD:"
1

All materials is licensed under a Creative
Commons “ Share Alike ” license.
• http://creativecommons.org/licenses/by-sa/3.0/
2

• Persistence
• Type 1 – use system features
– Hiding in plain sight
• Hiding with filesystem attributes
• Trojan DLL + forwarded exports
• Type 2 – change things that shouldn't be changed
– Inline hooks
• A userspace OR kernel technique
3

The Persistence of Memory

• Malware executes in memory
• Malware generally wants to stick around across reboots
• So naturally it would like to persist on disk
• But beyond just persisting, it needs to be
invoked across reboots
• Windows includes a number of registry locations where code can register that it would like to be executed at a particular time
5

• This tool examines an (AFAIK) exhaustive list of locations that code can register itself to either be automatically executed on system startup, or executed when some common process like
IE is started.
6

• This tool examines an (AFAIK) exhaustive list of locations that code can register itself to either be automatically executed on system startup, or executed when some common process like
IE is started.
7

• Autoruns is not registry hiding aware.
• That's part of why we're going to do homeworks designed around registry key hiding
8

• SCM is invoked as sc.exe, or it can be invoked programatically with APIs like CreateService()
– In the development environment setup the load.bat
uses sc.exe to register and load the HelloKernel.sys
kernel driver as a service.
• SCM can be used to register a kernel or userspace program to load on system boot or on demand.
• A side-effect of using SCM is that it creates a registry entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
9

Malware can also persist by infecting the binaries which are executed in the earliest stages of bootup. Examining these requires more specialized tools & knowledge
10
From http://www.stoned-vienna.com/downloads/Presentation.pdf

Type 1 Stealth Malware:
Use legitimate system features
Hiding in plain sight

• This means to make your software look like legitimate software, to a cursory examination
– Somewhat related to trojans, though there need not necessarily be any sort of install-time subterfuge. More focused on if someone stumbles upon it later.
• Strategies include naming your files like legitimate MS or 3 rd party software,
12

• The key feature of such malware is that if you know where the malware is, you can see it with normal tools.
– Because of that, we're not going to spend much time on them
• They rely more on AV bypassing to stay on home systems, and lack of application whitelisting or even new application installation awareness to stay on enterprise systems.
13

• Stuxnet named its drives mrxnet.sys and mrxcls.sys. There are legitimate Microsoft files named mrxsmb.sys and mrxdav.sys.
– However, later versions were signed by stolen
RealTek Semiconductor & JMicron Technology certificates, so those two aspects in some way run counter to each other
• Zeus and other crimeware do not hide their files/registry keys (though they do often protect them)
14

• The " attrib +h " command on Windows can set the hidden file flag, which will make the file not visible if the user is running
Explorer.exe with the default folder options.
15

• Use "dir /AH" to see hidden files, and "dir /AS" to see system files. Or edit explorer's folder options as shown below.
(On Windows 7 hit "alt" once to show the tools menu)
Check
Uncheck
Uncheck
16

• NTFS supports "Alternate Data Streams" (ADS)
• An ADS can be created and opened with normal file access APIs, and will just have a name starting with a colon. E.g. if you have a file foo.txt you can just do "notepad foo.txt:bar" and you will be editing a new
"bar" ADS associated with the foo.txt file
17

• No built in way to see ADS on XP. Post-Vista they added a /r flag to dir command, but still no way to see in explorer.exe
• On XP, LADS
(http://www.heysoft.de/en/software/lads.php
) is the way to go, though the good rootkit detectors will allow for viewing ADS too.
18

• Windows will hide the ".exe", ".txt", ".jpg" extensions by default.
19

• Stuxnet used forwarded exports for the
93 of 109 exports in s7otbxdx.dll which it didn't need to intercept.
20
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

21
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

STEALTH MALWARE
(will cut you!)
Malware that hides by changing something that shouldn't legitimately change

(CC BY-NC-SA 2.0) image by thrill kills sunday pills http://www.flickr.com/photos/27086700@N03/2994587384/in/photostream/
23

Inline Hooked Intra-Module Function Call
WickedSweetApp.exe
1
… push 1234 call SomeFunc() add esp, 4
…
…
SomeFunc: mov edi, edi push ebp mov ebp, esp sub esp, 0x20
… ret
2
24

Inline Hooked Intra-Module Function Call
WickedSweetApp.exe
WickedWickedDll.dll
1
… push 1234 call SomeFunc() add esp, 4
…
…
SomeFunc: jmp EvilFunc sub esp, 0x20
… ret
4
3
EvilFunc :
<stuff>
… mov edi, edi push ebp mov ebp, esp jmp SomeFunc+5
25

Inline Hooked Intra-Module Function Call
WickedSweetApp.exe
WickedWickedDll.dll
1
… push 1234 call SomeFunc() add esp, 4
…
…
SomeFunc: jmp EvilFunc sub esp, 0x20
… ret
4
3
EvilFunc :
<stuff>
… mov edi, edi push ebp mov ebp, esp jmp SomeFunc+5
26

• We call the act of redirecting program execution "hooking"
• Because you're hooking into the program to make it come to you
27

• Depends on what they're trying to hide, but the principle always is:
• Well dang, I guess we're going to need to learn how programs view "stuff"
28

Or better yet
29

• FindFirstFile () http://msdn.microsoft.com/enus/library/windows/desktop/aa364418(v=vs.8
5).aspx
• FindNextFile () http://msdn.microsoft.com/enus/library/windows/desktop/aa364428(v=vs.8
5).aspx
• FindClose () - http://msdn.microsoft.com/enus/library/windows/desktop/aa364413(v=vs.8
5).aspx
30

(but that OST Intro x86 didn't tell you)
• Going to be in the updated version, "Intro x86-
64" recorded in Feb
• Argument 1 is in rcx
• Argument 2 is in rdx
• Argument 3 is in r8
• Argument 4 is in r9
• Any further arguments are on the stack
• Return value is still in rax
31

• Windbg uses function name notation like
"module!function"
• I will set breakpoints on things like
– kernel32!FindFirstFileExW, kernel32!FindFirstFileW, kernel32!FindFirstFileA, kernel32!FindNextFileW, kernel32!FindNextFileA
• The W or A at the end means the "Wide" (unicode) or ASCII string version
32

• See http://en.wikipedia.org/wiki/DLL_injection for more ways that this can be achieved on Windows/*nix
• We're going to use the AppInit_DLLs way of doing this for simplicity
• Note: AppInit_DLLs' behavior has changed in releases > XP, it now has to be enabled with Administrator level permissions.
• Must set the DLL in question in the registry key:
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\AppInit_DLLs
– Use comma delimitation if there is an existing entry
• Must also set the following key to 1
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\LoadAppInit_DLLs
• Must also set the following key to 0
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\RequireSignedAppInit_DLLs
33

• http://www.codeproject.com/KB/vista/api-hooks.aspx
– This will hook NtQuerySystemInformation(), which is what taskmgr.exe uses in order to list the currently running processes. It will replace this with
HookedNtQuerySystemInformation(), which will hide calc.exe
– I modified that code to use IAT hooking rather than inline (which is much simpler actually)
• Steps:
– Compile AppInitHookIAT.dll
– Place at C:\tmp\AppInitHookIAT.dll for simplicity
– Use regedit.exe to add C:\tmp\AppInitHookIAT.dll as the value for the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\AppInit_DLLs and set the other values from the previous slide
– Start calc.exe, start taskmgr.exe, confirm that calc.exe doesn't show up in the list of running processes.
– Remove C:\tmp\AppInitHookIAT.dll from AppInit_DLLs and restart taskmgr.exe.
– Confirm calc.exe shows up in the list of running processes.
– (This is a basic "userspace rootkit" technique. Because of this, all entries in this registry key should always be looked upon with suspicion.)
34

• From the Stuxnet Dossier: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepa pers/w32_stuxnet_dossier.pdf
• "~WTR4141.tmp then loads ~WTR4132.tmp, but before doing so, it attempts to hide the files on the removable drive. Hiding the files on the removable drive as early in the infection process as possible is important for the threat since the rootkit functionality is not installed yet, as described in the Windows Rootkit Functionality section.
Thus, ~WTR4141.tmp implements its own less-robust technique in the meantime.
• WTR4141.tmp hooks the following APIs from kernel32.dll and
Ntdll.dll:
• From Kernel32.dll
– FindFirstFileW
– FindNextFileW
– FindFirstFileExW
• From Ntdll.dll
– NtQueryDirectoryFile
– ZwQueryDirectoryFile"
35

• Use AppInit_DLLs DLL injection with inline or IAT hooking to hide any registry key named "UMDRK" from Regedit.exe on Windows 7 64 bit. But in particular make sure you hide
– HKLM\SYSTEM\CurrentControlSet\Services\UMDRK
36

• 1) Convert the module finding inline asm to C code (you're not allowed to use inline asm when it's 64 bit assembly with microsoft compilers). Start from the __readgsqword() intrinsic
• 2) Figure out which Windows APIs are used to list registry entries & create fake versions that behave differently when they are trying to view the specified key
• 3) Set up a MitM situation either through inline assembly manipulation, or through IAT entry changing
• NOTE1: Your solution should cause the specified registry key to be hidden, but should *not* cause any subsequent registry keys to be hidden
• NOTE2: Your solution should be generic, and not build in assumptions based on analyzing regedit (e.g. not just skipping directly to some offset to make some modification.) It must programmatically find the location(s) to change. You should probably test it against some other registry reading tools to make sure it is actually generic enough.
37

• Win 7 x64 (VM recommended)
– to test on
• VisualStudio 2010 Express
– to compile code
• WinDbg x86-64 aka "amd64"
– to look at structure definitions
• PEView & CFF Explorer
– to look at PE headers
• Process Monitor
– helpful for inferring what functions map to what registry actions that are done by regedit to read the key
38

FYI, the one change I made to the template projects, that you wouldn't have seen in the instructions for setting up the dev env, was to change the project to make a DLL, like so:
39

For easy install enter the following into a file named
"install.reg" that you can double click
(you will still need to make C:\tmp and copy your compiled file to C:\tmp before running this)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\tmp\\StudentAppInitHookIAT.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
Windows Registry Editor Version 5.00
OR
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\tmp\\StudentAppInitHookInline.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
40

(you will still need to make C:\tmp and copy your compiled file to C:\tmp before running this)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
Windows Registry Editor Version 5.00
OR
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
41