Wednesday, August 11, 2010

Manual inspection of service dispatch table (SSDT) for hook detection

You will not always have every tool you need for detecting rootkits or similar malicious activity on a customer's system.
A forensic investigator must be ready for every situation; reverse engineers, especially those who analyse malware for a living, already know this material.
As you probably know, rootkits deal with low-level, in fact kernel, components. The SSDT (system service dispatch table) is a well-known table in Windows that holds the address of the kernel routine implementing each system service.
Most rootkits, for stealth, modify this table to set a kernel-level hook (a ring 0 hook) in the Windows kernel, having first installed themselves as a device driver to get there. What they hide varies: processes, files, registry entries or even network connections.
This kind of modification is an old and well-known technique, described by Greg Hoglund in the book "Rootkits: Subverting the Windows Kernel", but as Hoglund noted on OpenRCE, despite the age of SSDT modification most ordinary computer users are unaware of it, and it is still effective in today's malware.

Today, different malware families still implement this technique for stealth.

There are various tools for analysing and inspecting your system at a deep level. These are usually called "anti-rootkits", although other tools that do not carry that name also scan low-level system components for hooks or for modifications of critical system tables (for example the SSDT, the shadow SSDT, IATs, the IDT or the IVT).

I am writing this entry for the situation where you have no ready-to-use tool for scanning and reporting system modifications, but do have a kernel debugger (Microsoft WinDbg).
WinDbg is a kernel-level debugger that can debug and step through both user-mode and kernel-mode code.

Recall that on a 32-bit system the virtual address space is divided into two halves, 2 GB for user space and 2 GB for kernel space (this can be changed, for instance the /3GB boot option moves the boundary up to 0xC0000000). With the default split, user-space addresses run from 0x00000000 to 0x7FFFFFFF and kernel-space addresses from 0x80000000 to 0xFFFFFFFF.

With that short background, let's fire up the debugger and inspect some interesting things with it.

First of all, before we dive into the SSDT internals, I advise you to set up your symbol path as follows:

srv*D:\Kernel Symbols*http://msdl.microsoft.com/download/symbols

where "D:\Kernel Symbols" is the directory on my hard drive for caching the downloaded symbols; change it to whatever path you prefer. Without correct symbols for ntoskrnl.exe nothing in the table will resolve to a name, and the inspection below becomes meaningless.

Ok, let's dive in.

The command needed to see what is in the SSDT is:

dps nt!KiServiceTable l11c

nt!KiServiceTable is the array of service routine pointers itself, and l11c tells dps to dump 0x11c (284) pointers, which is the number of system services on this build. That count differs between Windows versions and service packs, so do not copy it blindly: nt!KeServiceDescriptorTable starts with the table base address, the counter table pointer and then the number of services, and that third value is the one to use.

The output (the screenshot in the original post is reproduced as text below) is a list of well-known Ntxxx functions with their addresses in ntoskrnl.exe. Each line is the address of a table slot, the address stored in that slot, and the symbol WinDbg resolved for it, if any.

Output:

8082c96c 808cc106 nt!NtAcceptConnectPort
8082c970 80918390 nt!NtAccessCheck
8082c974 8091bbc6 nt!NtAccessCheckAndAuditAlarm
8082c978 809183c2 nt!NtAccessCheckByType
8082c97c 8091bc00 nt!NtAccessCheckByTypeAndAuditAlarm
8082c980 809183f8 nt!NtAccessCheckByTypeResultList
8082c984 8091bc44 nt!NtAccessCheckByTypeResultListAndAuditAlarm
8082c988 8091bc88 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
8082c98c 8093cbcc nt!NtAddAtom
8082c990 8093d900 nt!NtSetBootOptions
8082c994 80913740 nt!NtAdjustGroupsToken
8082c998 80913398 nt!NtAdjustPrivilegesToken
8082c99c 808fc3d4 nt!NtAlertResumeThread
8082c9a0 808fc384 nt!NtAlertThread
8082c9a4 8093d1f2 nt!NtAllocateLocallyUniqueId
8082c9a8 808dd9fa nt!NtAllocateUserPhysicalPages
8082c9ac 8093c80e nt!NtAllocateUuids
8082c9b0 808d0590 nt!NtAllocateVirtualMemory
8082c9b4 808d800e nt!NtAreMappedFilesTheSame
8082c9b8 89be5580
8082c9bc 80829dd4 nt!NtCallbackReturn
8082c9c0 8093de3e nt!NtDeleteBootEntry
8082c9c4 8089e96c nt!NtCancelIoFile
8082c9c8 80860e4e nt!NtCancelTimer
8082c9cc 80935e16 nt!NtClearEvent
8082c9d0 b9f8e818 d347bus+0xd818
8082c9d4 8091c100 nt!NtCloseObjectAuditAlarm
8082c9d8 8094ad12 nt!NtCompactKeys
8082c9dc 80920614 nt!NtCompareTokens
8082c9e0 808cc7f4 nt!NtCompleteConnectPort
8082c9e4 8094af66 nt!NtCompressKey
8082c9e8 808cc0a6 nt!NtConnectPort
8082c9ec 8086d104 nt!NtContinue
8082c9f0 809691c6 nt!NtCreateDebugObject
8082c9f4 808e5e28 nt!NtCreateDirectoryObject
8082c9f8 80935e66 nt!NtCreateEvent
8082c9fc 8093e184 nt!NtCreateEventPair
8082ca00 808a0eca nt!NtCreateFile
8082ca04 8089f75c nt!NtCreateIoCompletion
8082ca08 808fce5c nt!NtCreateJobObject
8082ca0c 808fcb94 nt!NtCreateJobSet
8082ca10 b9f8e7d0 d347bus+0xd7d0
8082ca14 808a0fd8 nt!NtCreateMailslotFile
8082ca18 8093e57c nt!NtCreateMutant
8082ca1c 808a0f04 nt!NtCreateNamedPipeFile
8082ca20 b9f82a20 d347bus+0x1a20
8082ca24 808ccbc2 nt!NtCreatePort
8082ca28 808f8ae4 nt!NtCreateProcess
8082ca2c 808f8a2e nt!NtCreateProcessEx
8082ca30 8093e99c nt!NtCreateProfile
8082ca34 808d2e9e nt!NtCreateSection
8082ca38 8093bf2c nt!NtCreateSemaphore
8082ca3c 808ec6a8 nt!NtCreateSymbolicLinkObject
8082ca40 808f88cc nt!NtCreateThread
8082ca44 8093de4c nt!NtCreateTimer
8082ca48 809209bc nt!NtCreateToken
8082ca4c 808ccbe6 nt!NtCreateWaitablePort
8082ca50 89be6100
8082ca54 8096a3f2 nt!NtDebugContinue
8082ca58 8093d850 nt!NtDelayExecution
8082ca5c 8093d082 nt!NtDeleteAtom
8082ca60 8093de3e nt!NtDeleteBootEntry
8082ca64 8089eab2 nt!NtDeleteFile
8082ca68 8094b5de nt!NtDeleteKey
8082ca6c 8091c20c nt!NtDeleteObjectAuditAlarm
8082ca70 8094b7ae nt!NtDeleteValueKey
8082ca74 808a1090 nt!NtDeviceIoControlFile
8082ca78 80939eaa nt!NtDisplayString
8082ca7c 89be5b30
8082ca80 809145de nt!NtDuplicateToken
8082ca84 8093d900 nt!NtSetBootOptions
8082ca88 b9f832a8 d347bus+0x22a8
8082ca8c 8093d8f2 nt!NtEnumerateSystemEnvironmentValuesEx
8082ca90 b9f8e910 d347bus+0xd910
8082ca94 808db71a nt!NtExtendSection
8082ca98 8091478a nt!NtFilterToken
8082ca9c 8093ce36 nt!NtFindAtom
8082caa0 8089eb7e nt!NtFlushBuffersFile
8082caa4 808de28e nt!NtFlushInstructionCache
8082caa8 8094be62 nt!NtFlushKey
8082caac 808d41d8 nt!NtFlushVirtualMemory
8082cab0 808de230 nt!NtFlushWriteBuffer
8082cab4 808ddd9c nt!NtFreeUserPhysicalPages
8082cab8 808da9f6 nt!NtFreeVirtualMemory
8082cabc 808a10c4 nt!NtFsControlFile
8082cac0 808f8dde nt!NtGetContextThread
8082cac4 808effc8 nt!NtGetDevicePowerState
8082cac8 808c0e76 nt!NtGetPlugPlayEvent
8082cacc 80849498 nt!NtGetWriteWatch
8082cad0 80920308 nt!NtImpersonateAnonymousToken
8082cad4 808ccc50 nt!NtImpersonateClientOfPort
8082cad8 808ff058 nt!NtImpersonateThread
8082cadc 80949106 nt!NtInitializeRegistry
8082cae0 808efdae nt!NtInitiatePowerAction
8082cae4 808fca58 nt!NtIsProcessInJob
8082cae8 808effb4 nt!NtIsSystemResumeAutomatic
8082caec 808cce5c nt!NtListenPort
8082caf0 808abea6 nt!NtLoadDriver
8082caf4 8094ce9a nt!NtLoadKey
8082caf8 8094cae4 nt!NtLoadKey2
8082cafc 808a10f8 nt!NtLockFile
8082cb00 8093a49c nt!NtLockProductActivationKeys
8082cb04 8094b012 nt!NtLockRegistryKey
8082cb08 808de396 nt!NtLockVirtualMemory
8082cb0c 808e5c1e nt!NtMakePermanentObject
8082cb10 808e4018 nt!NtMakeTemporaryObject
8082cb14 808dce5a nt!NtMapUserPhysicalPages
8082cb18 808dd3aa nt!NtMapUserPhysicalPagesScatter
8082cb1c 808d9a7e nt!NtMapViewOfSection
8082cb20 8093de3e nt!NtDeleteBootEntry
8082cb24 808a1d10 nt!NtNotifyChangeDirectoryFile
8082cb28 8094ce64 nt!NtNotifyChangeKey
8082cb2c 8094bf64 nt!NtNotifyChangeMultipleKeys
8082cb30 808e5efa nt!NtOpenDirectoryObject
8082cb34 80935f66 nt!NtOpenEvent
8082cb38 8093e25c nt!NtOpenEventPair
8082cb3c 808a1fc8 nt!NtOpenFile
8082cb40 8089f834 nt!NtOpenIoCompletion
8082cb44 808fcfe2 nt!NtOpenJobObject
8082cb48 b9f8e794 d347bus+0xd794
8082cb4c 8093e654 nt!NtOpenMutant
8082cb50 8091bcce nt!NtOpenObjectAuditAlarm
8082cb54 89be4cc0
8082cb58 80914fd6 nt!NtOpenProcessToken
8082cb5c 80914bdc nt!NtOpenProcessTokenEx
8082cb60 808d1ec2 nt!NtOpenSection
8082cb64 8093c026 nt!NtOpenSemaphore
8082cb68 808ec88e nt!NtOpenSymbolicLinkObject
8082cb6c 89be4fc0
8082cb70 80914ff4 nt!NtOpenThreadToken
8082cb74 80914d4c nt!NtOpenThreadTokenEx
8082cb78 8093df6e nt!NtOpenTimer
8082cb7c 8096c494 nt!NtPlugPlayControl
8082cb80 808f0dfc nt!NtPowerInformation
8082cb84 8091f3ba nt!NtPrivilegeCheck
8082cb88 8091afe0 nt!NtPrivilegeObjectAuditAlarm
8082cb8c 8091b1cc nt!NtPrivilegedServiceAuditAlarm
8082cb90 89be59c0
8082cb94 8093601e nt!NtPulseEvent
8082cb98 8089ed5c nt!NtQueryAttributesFile
8082cb9c 8093d900 nt!NtSetBootOptions
8082cba0 8093d900 nt!NtSetBootOptions
8082cba4 80867e36 nt!NtQueryDebugFilterState
8082cba8 80937bf0 nt!NtQueryDefaultLocale
8082cbac 80938850 nt!NtQueryDefaultUILanguage
8082cbb0 808a1caa nt!NtQueryDirectoryFile
8082cbb4 808e5f9a nt!NtQueryDirectoryObject
8082cbb8 808a1ff8 nt!NtQueryEaFile
8082cbbc 809360e6 nt!NtQueryEvent
8082cbc0 8089ee94 nt!NtQueryFullAttributesFile
8082cbc4 8093d0aa nt!NtQueryInformationAtom
8082cbc8 808a2864 nt!NtQueryInformationFile
8082cbcc 808fd4b4 nt!NtQueryInformationJobObject
8082cbd0 808cceba nt!NtQueryInformationPort
8082cbd4 808f4862 nt!NtQueryInformationProcess
8082cbd8 808f3490 nt!NtQueryInformationThread
8082cbdc 809150d4 nt!NtQueryInformationToken
8082cbe0 80937fee nt!NtQueryInstallUILanguage
8082cbe4 8093ee1e nt!NtQueryIntervalProfile
8082cbe8 8089f8dc nt!NtQueryIoCompletion
8082cbec b9f832c8 d347bus+0x22c8
8082cbf0 8094a310 nt!NtQueryMultipleValueKey
8082cbf4 8093e6fc nt!NtQueryMutant
8082cbf8 808ebdc8 nt!NtQueryObject
8082cbfc 8094a976 nt!NtQueryOpenSubKeys
8082cc00 8093eeac nt!NtQueryPerformanceCounter
8082cc04 808a35fc nt!NtQueryQuotaInformationFile
8082cc08 808e0024 nt!NtQuerySection
8082cc0c 808e7a86 nt!NtQuerySecurityObject
8082cc10 8093c0de nt!NtQuerySemaphore
8082cc14 808ec92e nt!NtQuerySymbolicLinkObject
8082cc18 8093d91c nt!NtQuerySystemEnvironmentValue
8082cc1c 8093d8e4 nt!NtQuerySystemEnvironmentValueEx
8082cc20 809388d0 nt!NtQuerySystemInformation
8082cc24 8093a076 nt!NtQuerySystemTime
8082cc28 8093e026 nt!NtQueryTimer
8082cc2c 8093a108 nt!NtQueryTimerResolution
8082cc30 b9f8e866 d347bus+0xd866
8082cc34 808e06b2 nt!NtQueryVirtualMemory
8082cc38 808a3ae6 nt!NtQueryVolumeInformationFile
8082cc3c 808f8b2a nt!NtQueueApcThread
8082cc40 8086d14c nt!NtRaiseException
8082cc44 8093bd50 nt!NtRaiseHardError
8082cc48 808a4286 nt!NtReadFile
8082cc4c 808a47f0 nt!NtReadFileScatter
8082cc50 808cd942 nt!NtReadRequestData
8082cc54 808dbd06 nt!NtReadVirtualMemory
8082cc58 808f9fee nt!NtRegisterThreadTerminatePort
8082cc5c 8093e834 nt!NtReleaseMutant
8082cc60 8093c20e nt!NtReleaseSemaphore
8082cc64 8089fbd4 nt!NtRemoveIoCompletion
8082cc68 8096a372 nt!NtRemoveProcessDebug
8082cc6c 8094ab68 nt!NtRenameKey
8082cc70 8094cd4a nt!NtReplaceKey
8082cc74 808ccfc2 nt!NtReplyPort
8082cc78 808cdf8a nt!NtReplyWaitReceivePort
8082cc7c 808cd992 nt!NtReplyWaitReceivePortEx
8082cc80 808cd2ac nt!NtReplyWaitReplyPort
8082cc84 808eff46 nt!NtRequestDeviceWakeup
8082cc88 808ca520 nt!NtRequestPort
8082cc8c 808ca84c nt!NtRequestWaitReplyPort
8082cc90 808efd54 nt!NtRequestWakeupLatency
8082cc94 809361f8 nt!NtResetEvent
8082cc98 80849980 nt!NtResetWriteWatch
8082cc9c 80949536 nt!NtRestoreKey
8082cca0 808fc32e nt!NtResumeProcess
8082cca4 808fc210 nt!NtResumeThread
8082cca8 809495d8 nt!NtSaveKey
8082ccac 80949668 nt!NtSaveKeyEx
8082ccb0 80949734 nt!NtSaveMergedKeys
8082ccb4 808cb83a nt!NtSecureConnectPort
8082ccb8 8093d900 nt!NtSetBootOptions
8082ccbc 8093d900 nt!NtSetBootOptions
8082ccc0 89be5860
8082ccc4 8096d02a nt!NtSetDebugFilterState
8082ccc8 8093bbfa nt!NtSetDefaultHardErrorPort
8082cccc 80937d40 nt!NtSetDefaultLocale
8082ccd0 809385b2 nt!NtSetDefaultUILanguage
8082ccd4 808a250c nt!NtSetEaFile
8082ccd8 809362b8 nt!NtSetEvent
8082ccdc 80936382 nt!NtSetEventBoostPriority
8082cce0 8093e518 nt!NtSetHighEventPair
8082cce4 8093e448 nt!NtSetHighWaitLowEventPair
8082cce8 80969d3c nt!NtSetInformationDebugObject
8082ccec 808a2e30 nt!NtSetInformationFile
8082ccf0 808fe1c2 nt!NtSetInformationJobObject
8082ccf4 80949edc nt!NtSetInformationKey
8082ccf8 808eb33e nt!NtSetInformationObject
8082ccfc 808f5758 nt!NtSetInformationProcess
8082cd00 89be56e0
8082cd04 80921736 nt!NtSetInformationToken
8082cd08 8093e980 nt!NtSetIntervalProfile
8082cd0c 8089fb72 nt!NtSetIoCompletion
8082cd10 808fb15a nt!NtSetLdtEntries
8082cd14 8093e4b4 nt!NtSetLowEventPair
8082cd18 8093e3dc nt!NtSetLowWaitHighEventPair
8082cd1c 808a35da nt!NtSetQuotaInformationFile
8082cd20 89be2700
8082cd24 8093dba0 nt!NtSetSystemEnvironmentValue
8082cd28 8093d8e4 nt!NtQuerySystemEnvironmentValueEx
8082cd2c 80936c1e nt!NtSetSystemInformation
8082cd30 b9f8e0b0 d347bus+0xd0b0
8082cd34 8093b37e nt!NtSetSystemTime
8082cd38 808efc68 nt!NtSetThreadExecutionState
8082cd3c 80860fde nt!NtSetTimer
8082cd40 8093a850 nt!NtSetTimerResolution
8082cd44 8093c6c4 nt!NtSetUuidSeed
8082cd48 809497ee nt!NtSetValueKey
8082cd4c 808a3ef0 nt!NtSetVolumeInformationFile
8082cd50 80939e6e nt!NtShutdownSystem
8082cd54 8084ea60 nt!NtSignalAndWaitForSingleObject
8082cd58 8093ebca nt!NtStartProfile
8082cd5c 8093ed74 nt!NtStopProfile
8082cd60 89be5420
8082cd64 89be52c0
8082cd68 8093ef98 nt!NtSystemDebugControl
8082cd6c 808fed56 nt!NtTerminateJobObject
8082cd70 89be4e50
8082cd74 89be5150
8082cd78 808fc498 nt!NtTestAlert
8082cd7c 8085d374 nt!NtTraceEvent
8082cd80 8093d90e nt!NtTranslateFilePath
8082cd84 808ac03a nt!NtUnloadDriver
8082cd88 80949ab6 nt!NtUnloadKey
8082cd8c 80949cac nt!NtUnloadKeyEx
8082cd90 808a149c nt!NtUnlockFile
8082cd94 808de924 nt!NtUnlockVirtualMemory
8082cd98 808da88c nt!NtUnmapViewOfSection
8082cd9c 80922aee nt!NtVdmControl
8082cda0 80969aa4 nt!NtWaitForDebugEvent
8082cda4 808e80dc nt!NtWaitForMultipleObjects
8082cda8 808e7ff2 nt!NtWaitForSingleObject
8082cdac 8093e378 nt!NtWaitHighEventPair
8082cdb0 8093e314 nt!NtWaitLowEventPair
8082cdb4 808a4cee nt!NtWriteFile
8082cdb8 808a52d2 nt!NtWriteFileGather
8082cdbc 808cd96a nt!NtWriteRequestData
8082cdc0 89be5f50
8082cdc4 8082cff4 nt!NtYieldExecution
8082cdc8 8093f3f0 nt!NtCreateKeyedEvent
8082cdcc 8093f4da nt!NtOpenKeyedEvent
8082cdd0 8093f58c nt!NtReleaseKeyedEvent
8082cdd4 8093f7e8 nt!NtWaitForKeyedEvent
8082cdd8 808f3210 nt!NtQueryPortInformationProcess

It seems there are some hooks installed in my system's kernel; let me describe them.
Look at the entries that were highlighted in bold red in the original post: those whose target address does not resolve to a function exported from ntoskrnl. They come in two forms. Sometimes you see a name from another module, like this:

8082cd30 b9f8e0b0 d347bus+0xd0b0

and sometimes you see a bare address, like this:

8082cd74 89be5150

Addresses without a proper function name. This is because the malware, or a security product, or anyone else with kernel access, has replaced the function address in that slot with the address of its own routine, which now runs first and decides what that system service does.

In the first form, dps could at least attribute the address to a loaded driver (here d347bus), so you know which driver to look at. In the second form the address lies in no loaded module at all, which is why dps has nothing to name it with; that usually means the hook routine lives in memory the rootkit allocated for itself, for example from non-paged pool, which is exactly what a rootkit that wants to hide its driver would do.

Be careful with the opposite case too. Several distinct slots in the listing above (for example 8082c990, 8082ca84, 8082cb9c, 8082cba0, 8082ccb8 and 8082ccbc) all resolve to nt!NtSetBootOptions at 8093d900, and a few others to nt!NtDeleteBootEntry. Those are not hooks: they are services whose implementations share the same code, so one symbol name is reported for all of them. The address is still inside ntoskrnl, and that is the test that matters.

In most malware cases the rootkit points the slot at a newly allocated address range outside the ntoskrnl image. So the check is not whether an address lies in the 0x80000000 to 0xFFFFFFFF kernel half (every entry above does, including the hooked ones), but whether it lies inside the address range that ntoskrnl.exe occupies, which the command "lm m nt" reports as the module's start and end. Any SSDT entry pointing outside that range, and especially one pointing into no loaded module, means something has placed itself in the system call path, and in most cases it is a rootkit. Disassemble the target with "u" followed by the address to see what it does and where it jumps back into ntoskrnl, and keep in mind that a legitimate security product that hooks the SSDT will look exactly the same here, so identify the owner before drawing conclusions.
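The check described above, automated over the debugger's text output, as an added example (this is not code from the original post). It parses lines in the format dps prints, parses module start/end ranges in the format lm prints, and classifies each service slot: inside ntoskrnl (fine), inside another loaded driver (hooked), inside no loaded module (unresolved, typically rootkit-allocated memory), or below the kernel boundary (user-mode, never legitimate). The six dps lines embedded in it are copied from the listing above; the two module ranges are assumed values, not taken from the post, chosen to be consistent with the addresses in the capture.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of `dps nt!KiServiceTable` output: slot address, target address and an
# optional symbol (absent when WinDbg cannot attribute the target to any module).
DPS_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S.*))?$")
# The start/end/name columns of `lm` output for one loaded module.
LM_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")

# Constructed sample: six lines copied from the dps listing in this post (the full
# table has 0x11c entries; these are enough to show each case the post discusses).
SAMPLE_DPS = """\
8082c96c 808cc106 nt!NtAcceptConnectPort
8082c970 80918390 nt!NtAccessCheck
8082c9b8 89be5580
8082c9d0 b9f8e818 d347bus+0xd818
8082ca00 808a0eca nt!NtCreateFile
8082cd74 89be5150
"""

# ASSUMED module ranges in the shape `lm` prints them. These are not values from the
# post; they are chosen to be consistent with the 0x808xxxxx-0x809xxxxx targets above.
SAMPLE_LM = """\
80800000 80a50000   nt
b9f81000 b9f92000   d347bus
"""


@dataclass
class Entry:
    index: int    # system service number: (slot - KiServiceTable) / 4
    slot: int     # address of the table slot
    target: int   # address stored in the slot
    symbol: str   # whatever dps printed after the target, possibly empty
    module: str   # loaded module containing target, "" if none
    status: str   # "ok", "hooked", "unresolved" or "usermode"


def parse_modules(lm_text: str) -> List[Tuple[int, int, str]]:
    mods = []
    for line in lm_text.splitlines():
        m = LM_LINE.match(line.strip())
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return mods


def find_module(addr: int, modules: List[Tuple[int, int, str]]) -> str:
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return ""


def audit_ssdt(dps_text: str, lm_text: str, kernel_module: str = "nt",
               kernel_start: int = 0x80000000,
               table_base: Optional[int] = None) -> List[Entry]:
    """Classify every slot of a dps dump of KiServiceTable.

    table_base defaults to the first slot address, which is right when the dump
    starts at nt!KiServiceTable; pass it explicitly for a partial dump.
    kernel_start is 0x80000000 for the default 2 GB/2 GB split, 0xC0000000 under /3GB.
    """
    modules = parse_modules(lm_text)
    entries: List[Entry] = []
    for line in dps_text.splitlines():
        m = DPS_LINE.match(line.strip())
        if not m:
            continue
        slot, target = int(m.group(1), 16), int(m.group(2), 16)
        if table_base is None:
            table_base = slot
        module = find_module(target, modules)
        if target < kernel_start:
            status = "usermode"     # a service routine in user space is never legitimate
        elif module == kernel_module:
            status = "ok"           # inside ntoskrnl; a missing symbol here is only a symbol problem
        elif module:
            status = "hooked"       # redirected into another loaded driver
        else:
            status = "unresolved"   # in no loaded module: typically memory a rootkit allocated
        entries.append(Entry((slot - table_base) // 4, slot, target,
                             (m.group(3) or "").strip(), module, status))
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.status != "ok"]


def format_report(entries: List[Entry]) -> str:
    lines = [f"{len(entries)} slots checked, {len(suspicious(entries))} suspicious"]
    for e in suspicious(entries):
        where = e.module or "no loaded module"
        lines.append(f"  service 0x{e.index:03x} at {e.slot:08x} -> {e.target:08x} ({where}): {e.status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_ssdt(SAMPLE_DPS, SAMPLE_LM)))
```

To use it on a real capture, paste the complete dps listing and the output of lm into the two strings (or read them from files). The service numbers it prints are the values the user-mode stubs in ntdll load into eax before the system call, so a flagged index can be cross-referenced against the Nt function that slot is supposed to hold. The check only catches pointer replacement in the table; a hook placed by patching the first bytes of a routine inside ntoskrnl would still show as "ok" here and needs the disassembly step from the text.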




