    學海拾遺

    Life, technology, thought: learning is everywhere
    Effective file hiding : Bypassing Raw File System I/O Rootkit Detector
    @ :: worthy :: Apr 06 2007, 08:51 (UTC+0)
    cardmagic writes:

    0. Something else:

    After reading Hoglund's post, I finally decided to write this article.
    Actually, in China many smart rootkit/antirootkit writers have their own interesting materials, but unfortunately they are unable to publish them because of various reasons (business contracts, the language barrier, or even ties to some secret organization).
    The main idea of this post came to me when I designed DarkSpy, but after I finished coding the bus-level file hider, it was discarded.
    Hopefully it will still be useful for some guys here :)
    Okay, now let's discuss the main topic:

    1. Raw I/O based hidden file detection:

    This kind of file detection is used very commonly in modern detectors, such as DarkSpy and IceSword.
    The main idea of this detection method is to send I/O request packets directly to the file system,
    so that the detector gets the real view of the system's files.
    This is effective against hiding by native routine call hooking and by file system filter drivers.

    In addition, DarkSpy has added two great points to this (the second one makes DarkSpy's file detection better than IceSword's ^_^ ):
    a) Implement IofCallDriver itself, and directly call the original file system dispatch routines;
    this bypasses hiding by file system dispatch routine hooking.
    b) Recover the whole file system image in memory before each I/O; this is against
    hiding by inline code patching of the file system dispatch routines.


    2. The Bypassing theory:

    Here we will only discuss the real hider (not the file stream stuff), and we will describe the bypassing theory with DarkSpy, because DarkSpy is very typical of raw I/O based file detectors. Let's look at the basic flow of DarkSpy file detection first.


    -----------------                          ---------------------
    |    DarkSpy    |  <1> ----> recover ----> | FILE SYSTEM IMAGE |
    -----------------  <2> ----> call -------> |   dispatch code   |
                       <2> <---- return ------ |-------------------|


    From the figure above, we can see it's almost impossible to do something inside the file system, because DarkSpy has recovered the whole image, and it even calls the dispatch code directly without the system routine's help.
    Now let's change our point of view and brainstorm: can we intercept the I/O processing somewhere besides the file system?
    The answer is yes, because the file system will call many system routines.
    But we must pick an appropriate call that has the chance to reach the I/O content. Which one will be the best? IofCallDriver may be the first that comes to mind... but unfortunately DarkSpy has implemented it internally, because IofCallDriver is very easy to implement :)
    So we have to pick another choice which is
    a) hard to implement
    b) called by the file system
    c) able to touch the I/O content
    Which one will be the best?
    Oh yes, you got it, it's IofCompleteRequest. Okay... this is our idea...
    Through IofCompleteRequest code patching, check whether we are called by the file system; if yes, we filter the I/O content. Thus we can be sure to bypass all modern raw I/O based file detectors.
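    The defender's counterpart to sections 1 and 2, added here as an illustration and not part of cardmagic's post, of DarkSpy, or of the hidefile.c linked below: the image-recovery idea DarkSpy applies to the file system driver has to extend to the kernel routines the file system calls back into, IofCompleteRequest among them, or a patch there sits outside the verified image. The block below is plain user-mode C that compares a routine's live bytes against a trusted reference copy and reports where they diverge and whether the entry point has been turned into a detour stub. The byte arrays are constructed samples (a generic 32-bit prologue and two altered versions of it), and scan_routine, looks_like_detour and patch_report are hypothetical names. In a real detector the reference copy would be read from the kernel or driver image on disk with relocations applied, and the window would cover the whole routine rather than 16 bytes; both are assumptions about how such a tool would be built.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of comparing a routine's live bytes with a trusted reference copy. */
struct patch_report {
    bool   modified;        /* at least one byte in the window differs          */
    size_t first_diff;      /* offset of the first differing byte, if modified  */
    size_t diff_count;      /* number of differing bytes in the window          */
    bool   entry_redirect;  /* the entry point was rewritten into a detour stub */
};

/* Heuristic for the stubs an inline patch typically plants at a routine's
 * entry on x86: JMP rel32 (E9 ..), JMP [mem] (FF 25 ..) and the
 * PUSH imm32 / RET pair (68 .. C3). */
static bool looks_like_detour(const uint8_t *p, size_t len)
{
    if (len >= 5 && p[0] == 0xE9) return true;
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25) return true;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) return true;
    return false;
}

/* Compare the first len bytes of a routine as they currently sit in memory
 * (live) against the same bytes taken from the trusted image (clean). */
static struct patch_report scan_routine(const uint8_t *clean, const uint8_t *live, size_t len)
{
    struct patch_report r = { false, 0, 0, false };
    for (size_t i = 0; i < len; i++) {
        if (clean[i] != live[i]) {
            if (!r.modified) {
                r.modified = true;
                r.first_diff = i;
            }
            r.diff_count++;
        }
    }
    /* Only call it a redirect when the entry bytes themselves changed: a routine
     * whose clean copy legitimately begins with a jmp must not be flagged. */
    r.entry_redirect = r.modified && r.first_diff == 0 && looks_like_detour(live, len);
    return r;
}

/* Constructed sample: a generic 32-bit prologue standing in for the first
 * 16 bytes of an exported kernel routine as read from the on-disk image. */
static const uint8_t kClean[16] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
    0x57, 0x8B, 0x7D, 0x08, 0x33, 0xDB, 0x85, 0xFF
};

/* Constructed sample: the same bytes after a 5-byte JMP rel32 was written
 * over the entry point (the displacement value is arbitrary). */
static const uint8_t kDetoured[16] = {
    0xE9, 0x00, 0x10, 0x00, 0x00, 0x10, 0x53, 0x56,
    0x57, 0x8B, 0x7D, 0x08, 0x33, 0xDB, 0x85, 0xFF
};

/* Constructed sample: two NOPs replacing the xor ebx,ebx in the body,
 * which is a modification but not an entry-point redirect. */
static const uint8_t kBodyPatched[16] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
    0x57, 0x8B, 0x7D, 0x08, 0x90, 0x90, 0x85, 0xFF
};

static void print_report(const char *name, struct patch_report r)
{
    if (!r.modified) {
        printf("%-12s clean\n", name);
        return;
    }
    printf("%-12s MODIFIED: %zu byte(s) differ, first at +%zu%s\n",
           name, r.diff_count, r.first_diff,
           r.entry_redirect ? " (entry point redirected)" : "");
}

int main(void)
{
    print_report("reference", scan_routine(kClean, kClean, sizeof kClean));
    print_report("detoured", scan_routine(kClean, kDetoured, sizeof kClean));
    print_report("body-patch", scan_routine(kClean, kBodyPatched, sizeof kClean));
    return 0;
}
```

    A byte comparison of this kind catches what the post describes, an inline patch of the routine the file system returns through, but only for the routines the detector chooses to verify; the practical lesson of section 2 is that the verified set must include every system routine on the I/O path, not just the file system driver's own dispatch code.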

    3. The Main Code:

    Please check --

    http://www.rootkit.com/vault/cardmagic/hidefile.c


    (c) www.rootkit.com / http://www.rootkit.com/

    TraceBack: http://rootkit.com/newsread_print.php?newsid=689

    Note: What a great article! Hehe, I really need to adjust my own perspective: inside a computer, what you see is not necessarily real.



