rootin' out the rootkits


WaxfordSqueers
January 27th, 2008, 03:02
I've been bugging Ricardo over in Our Tools regarding Paimei...trying to get it running. Thought I'd give him a break.

Ricardo suggested I needed a clean install, or a VM, since I seem to be the only one who can't get Paimei running with all apps. He theorized that something might be hooking a module or app I was using, and screwing up Paimei. The exercise was not wasted, however, since I have a concern about rootkits.

Two questions I have here are not Paimei related and it's getting into the malware area, but my interest is in the reversing arena. It is a noob-like question, however, involving the IDT. I need to start learning that stuff, and I was hoping someone could make a suggestion that would lower the learning curve.

Question 1) I ran several rootkit apps including Rootkit Revealer, GMER and raide. Raide showed up a lot of hooks, 95% of which were related to the Sygate personal firewall and Alcohol 120%. The latter uses a rootkit-like driver to hide itself from protection systems. The version I am running is lightweight in that respect, however.

I completely uninstalled Sygate and Alcohol, and made sure none of their drivers were left behind. I ran raide again, and it cut the hooks dramatically, to about 21. The remaining hooks are mainly related to NDIS.sys, which I'm sure is about my wireless router. There are only five problems remaining involving Interrupts 1, 3 and 14, and a hidden app.

The interrupt info is as follows:

Interrupt 1(0x01) has been hooked by an unknown module.
Interrupt 3(0x03) has been hooked by an unknown module.
Interrupt 14(0x0e) has been hooked by an unknown module.

There is a message with them that, "No action can be taken against IDT hooks".

I'm really dumb when it comes to interrupts and I need to read on that. I am hoping someone who reads this can make a suggestion that might point me in the right direction. For example, why would an app want to hook an interrupt like 1 or 3 if it isn't a debugger?

One clue comes from this blurb:

Interrupt 14
The PC interrupt used to reroute messages from the serial port to the network interface card (NIC); used by some terminal-emulation programs.

That could mean it is related to the router as well...but why the serial port?

Question 2) I get two other messages from raide claiming:

Found a hidden process. ∞ogonui.exe:3000 is hidden
using PspCidTable Remove method. This method is commonly used by FUTo.

Found a hidden process. LOGOJUI.EXE:3980 is hidden
using PspCidTable Remove method. This method is commonly used by FUTo.

Sometimes, this file shows up correctly as logonui.exe and other times it shows up with a distorted name, as shown above. I don't know if that's a problem in raide or if it's micro$oft being silly.

I searched Google a fair amount for info on the file and there is a mention relating it to msgina.dll, which seems to be a genuine Microsoft NT logon file. As usual, with the malware crowd, no one seems to know exactly what it is. BTW.. the reference to Futo comes from the rootkit supplied by the raide site.

From a reverse engineering perspective, how would I go about finding a hidden file? I'm asking here first because the best answers come from here.

Anyway, uninstalling Sygate and Alcohol made no difference to the way Paimei works for me. I got it going on Notepad and Minesweeper, but so far, nothing else. Anyone interested can view the Paimei thread in the Tools section.

deroko
January 27th, 2008, 07:34
Hi, int 0e is the page fault handler.

Basically there are a few reasons why an app would like to hook those handlers:
int 0x1 - disable hwbps and single stepping, or bsod the system if int 1 occurs in the protected app, or for r3->r0 transition :???:
int 0x3 - disable software interrupt 3 (commonly known as software breakpoint), where the hook can determine the course of action when int 3h is generated in the protected process (bsod, emulate opcodes, or r3->r0 and vice versa transition)
int 0xe - well, with a hook of this handler the protected app can allow ring3 code to play with r0 memory if pde->pte are properly modified.

Also hooks of int1/int3/int 0e can be used by some debugger frameworks, as direct access to int1/int3/int 0e can increase loader/unpacker speed + no need to hide the loader/debugger from r3 detection stuff.

When it comes to finding a hidden file, well, I would highly recommend Rootkit Unhooker or IceSword, that should solve the problem with finding hidden files. If there is a hook of NtQueryDirectoryInformation, then the hook for hiding files is located there (basic file hiding).
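To make the "Interrupt 1(0x01) has been hooked by an unknown module" message from the first post and deroko's explanation concrete, here is an added example (not code from the thread, from raide, or from any tool named in it) of what an IDT-hook check actually does: it decodes 32-bit gate descriptors from a copy of the IDT and flags every present gate whose handler address does not fall inside a known module. The IDT image and the module list are constructed inline with made-up addresses (the ntoskrnl.exe/hal.dll ranges and the 0xF8A8xxxx handlers are assumptions, not values from any real system); a real scanner would read the table with SIDT from kernel mode and fill the module list from the loaded-driver list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IDT_VECTORS 32   /* only the CPU exception range is built in this example */
#define GATE_SIZE   8    /* size of a 32-bit IDT gate descriptor */

/* Decoded 32-bit gate descriptor. */
typedef struct {
    uint32_t handler;   /* offset_high:offset_low, the handler's linear address */
    uint16_t selector;  /* code segment the handler runs in (0x08 on NT) */
    uint8_t  type;      /* 0x5 task gate, 0xE interrupt gate, 0xF trap gate */
    int      dpl;       /* 3 means user mode may raise the vector with INT n */
    int      present;
} idt_gate;

/* Address range of a loaded kernel module. */
typedef struct {
    const char *name;
    uint32_t    base;
    uint32_t    size;
} module_range;

/* Constructed module list; base/size values are assumptions for the demo. */
static const module_range sample_modules[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x1F8000u },
    { "hal.dll",      0x806E4000u, 0x020000u },
};
#define SAMPLE_MODULE_COUNT (sizeof sample_modules / sizeof sample_modules[0])

/* Write one gate in the CPU's on-disk layout: off_lo, sel, zero, attr, off_hi. */
static void put_gate(uint8_t *e, uint32_t handler, uint16_t sel, uint8_t type, int dpl, int present)
{
    e[0] = (uint8_t)(handler & 0xFF);
    e[1] = (uint8_t)((handler >> 8) & 0xFF);
    e[2] = (uint8_t)(sel & 0xFF);
    e[3] = (uint8_t)((sel >> 8) & 0xFF);
    e[4] = 0;
    e[5] = (uint8_t)((present ? 0x80 : 0) | ((dpl & 3) << 5) | (type & 0x0F));
    e[6] = (uint8_t)((handler >> 16) & 0xFF);
    e[7] = (uint8_t)((handler >> 24) & 0xFF);
}

/* Decode the 8 raw bytes of a gate. */
void decode_gate(const uint8_t *e, idt_gate *g)
{
    g->handler  = (uint32_t)e[0] | ((uint32_t)e[1] << 8) | ((uint32_t)e[6] << 16) | ((uint32_t)e[7] << 24);
    g->selector = (uint16_t)(e[2] | (e[3] << 8));
    g->type     = (uint8_t)(e[5] & 0x0F);
    g->dpl      = (e[5] >> 5) & 3;
    g->present  = (e[5] >> 7) & 1;
}

/* Index of the module containing addr, or -1 when no known module covers it. */
int find_owner(uint32_t addr, const module_range *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return (int)i;
    return -1;
}

/* Fill suspicious[] with vectors whose handler lies outside every known module. */
size_t scan_idt(const uint8_t *idt, size_t vectors, const module_range *mods, size_t nmods,
                int *suspicious, size_t max_out)
{
    size_t found = 0;
    for (size_t v = 0; v < vectors; v++) {
        idt_gate g;
        decode_gate(idt + v * GATE_SIZE, &g);
        if (!g.present || g.type == 0x5)   /* task gates hold a TSS selector, not a handler address */
            continue;
        if (find_owner(g.handler, mods, nmods) < 0 && found < max_out)
            suspicious[found++] = (int)v;
    }
    return found;
}

/* Build the constructed IDT: everything in ntoskrnl, NMI/#DF as task gates, 1/3/14 redirected. */
void build_sample_idt(uint8_t *idt)
{
    for (uint32_t v = 0; v < IDT_VECTORS; v++)
        put_gate(idt + v * GATE_SIZE, 0x804D7000u + 0x1000u * v, 0x08, 0xE, 0, 1);
    put_gate(idt + 2 * GATE_SIZE, 0, 0x58, 0x5, 0, 1);
    put_gate(idt + 8 * GATE_SIZE, 0, 0x50, 0x5, 0, 1);
    put_gate(idt + 1  * GATE_SIZE, 0xF8A80100u, 0x08, 0xE, 3, 1);   /* made-up handler addresses */
    put_gate(idt + 3  * GATE_SIZE, 0xF8A80200u, 0x08, 0xE, 3, 1);
    put_gate(idt + 14 * GATE_SIZE, 0xF8A80300u, 0x08, 0xE, 0, 1);
}

int main(void)
{
    uint8_t idt[IDT_VECTORS * GATE_SIZE];
    int hooked[IDT_VECTORS];
    build_sample_idt(idt);
    size_t n = scan_idt(idt, IDT_VECTORS, sample_modules, SAMPLE_MODULE_COUNT, hooked, IDT_VECTORS);
    for (size_t i = 0; i < n; i++) {
        idt_gate g;
        decode_gate(idt + hooked[i] * GATE_SIZE, &g);
        printf("Interrupt %d(0x%02x) -> %08x (dpl %d): handler not inside any known module\n",
               hooked[i], hooked[i], (unsigned)g.handler, g.dpl);
    }
    return 0;
}
```

The decoded handler address is the value you would then `u` in SoftICE or look at with livekd to see which driver the hook lands in; a scanner that reports "unknown module" is simply saying that lookup (find_owner above) came back empty, which is exactly what happens when the handler belongs to a debugger that keeps itself off the driver list.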

WaxfordSqueers
January 27th, 2008, 20:53
Quote:
[Originally Posted by deroko;72300]Hi, int 0e is page fault handler. Basically there are a few reasons why app would like to hook those handlers:...snip...
How's it goin' deroko? Thanks for response.

I'd like to see what raide is seeing, but I'm so dumb about this at the moment that I don't even know where to begin reading or looking. Googling this tends to bring hits from programmers who are looking from a different angle. Could I use sice to see the hooks and maybe trace them to their origin?

Quote:
[Originally Posted by deroko;72300]When it comes to finding hiden file, well, I would highly recommend Rootkit Unhooker or IceSword, that should solve problem with finding hiden files. If there is hook of NtQueryDirectoryInformation, then hook for hiding files is located there (basic file hiding).
I'll check those out...thanks. Raide lists the funcs being hooked. I guess the best way is to BP on one of them and see if I'm diverted to the app. Or, would the app detect the BP?

BTW..I forgot to mention that raide asked if I wanted to dump the process address space of the process 'hidden using PspCidTable Remove method'. I got the dump and disassembled it, and in one part I got this code:

Code:

00401440 push eax ; uType
00401441 push offset Caption ; "RAIDE"
00401446 push offset Text ; "Failed to map memory"
0040144B push 0 ; hWnd
0040144D call ds:MessageBoxA ; MessageBoxA:


Unless I'm seriously mistaken, raide detected and dumped itself.

Anyway, while searching for raide (what happened to www.rootkit.com ?), I came across this URL which explains F-Secure's Blacklight and what the PspCidTable Remove method is about:

http://www.uninformed.org/?v=3&a=7&t=txt
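The "hidden using PspCidTable Remove method" message and the Blacklight write-up linked above both come down to cross-view detection: enumerate processes through several independent paths and report anything the paths disagree on. The following is an added example (not raide's code, not Blacklight's, and not from the linked article) of that reconciliation step only. It takes three already-collected views, the EPROCESS list walk, the set of PIDs that can still be looked up through the PID handle table (PspCidTable), and the owning PID of every thread found, and treats the thread view as ground truth, since a process that is running must still have threads to schedule. All PIDs, including the scanner's own self-hidden process that it skips, are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Which view a running process is missing from. */
enum {
    HIDDEN_FROM_LIST = 1u,  /* not in the EPROCESS list walk (DKOM unlink) */
    HIDDEN_FROM_CID  = 2u   /* not resolvable through PspCidTable (PspCidTable Remove, the FUTo method) */
};

typedef struct {
    uint32_t pid;
    unsigned flags;   /* HIDDEN_* bits */
} hidden_report;

static int contains(const uint32_t *a, size_t n, uint32_t v)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] == v)
            return 1;
    return 0;
}

/* Compare the thread-derived PID view against the list and CID views.
 * Returns the number of hidden processes written to out[]; each PID is reported once,
 * in order of first appearance in thread_pids[], and the scanner's own PID is skipped. */
size_t cross_view_scan(const uint32_t *list, size_t nlist,
                       const uint32_t *cid, size_t ncid,
                       const uint32_t *thread_pids, size_t nthreads,
                       uint32_t self_pid,
                       hidden_report *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < nthreads; i++) {
        uint32_t pid = thread_pids[i];
        if (pid == self_pid)
            continue;                       /* the scanner hides itself; don't report it */
        size_t j;
        for (j = 0; j < n; j++)             /* one report per PID */
            if (out[j].pid == pid)
                break;
        if (j < n)
            continue;
        unsigned flags = 0;
        if (!contains(list, nlist, pid)) flags |= HIDDEN_FROM_LIST;
        if (!contains(cid, ncid, pid))   flags |= HIDDEN_FROM_CID;
        if (flags == 0 || n == max_out)
            continue;
        out[n].pid = pid;
        out[n].flags = flags;
        n++;
    }
    return n;
}

const char *describe(unsigned flags)
{
    if (flags == (HIDDEN_FROM_LIST | HIDDEN_FROM_CID)) return "unlinked from EPROCESS list and removed from PspCidTable";
    if (flags == HIDDEN_FROM_LIST) return "unlinked from EPROCESS list (DKOM)";
    if (flags == HIDDEN_FROM_CID)  return "removed from PspCidTable (FUTo-style)";
    return "visible in every view";
}

/* Constructed views; in a real scanner these come from three separate enumerations. */
static const uint32_t sample_list[]    = { 4, 368, 592, 1000, 3980 };
static const uint32_t sample_cid[]     = { 4, 368, 592, 1000, 2244 };
static const uint32_t sample_threads[] = { 4, 4, 368, 592, 592, 1000, 3000, 2244, 3980, 4040, 4040 };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])
#define SCANNER_PID 4040u   /* assumed PID of the scanner's own self-hidden process */

int main(void)
{
    hidden_report reports[16];
    size_t n = cross_view_scan(sample_list, COUNT(sample_list),
                               sample_cid, COUNT(sample_cid),
                               sample_threads, COUNT(sample_threads),
                               SCANNER_PID, reports, COUNT(reports));
    for (size_t i = 0; i < n; i++)
        printf("Found a hidden process. pid %u is hidden: %s\n",
               (unsigned)reports[i].pid, describe(reports[i].flags));
    return 0;
}
```

The reason the thread view is the anchor is the one deroko gives for raide listing itself: a process that is "still a process in the system" keeps its threads, so a rootkit can remove it from the list and from PspCidTable but not from the scheduler without also stopping it from running. The self_pid exclusion is the same idea raide implements by checking its own PE.TimeDateStamp, here reduced to a PID comparison.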

deroko
January 27th, 2008, 21:53
Quote:
[Originally Posted by WaxfordSqueers;72313]How's it goin' deroko?


not bad, watching movies all day long

Quote:

I'd like to see what raide is seeing, but I'm so dumb about this at the moment that I don't even know where to begin reading or looking.


Ah, I completely forgot that you are a sice user: int1/int3/int 0e are probably SoftICE hooks. Actually, I'm 100% sure that those are sice hooks. You may use wARK by ntoskrnl, view the IDT, and simply type in sice (you won't see those hooks by typing idt in sice as it doesn't show its own hooks):

Code:

u address


I didn't use raide, but I'm sure it will display the address to which the hook is pointing. You can view this address either from sice or by using livekd (very useful for live memory exploring when a debugger can't be used).

Quote:

I'll check those out...thanks. Raide lists the funcs being hooked. I guess the best way is to BP on one of them and see if I'm diverted to the app. Or, would the app detect the BP?


I doubt that it will detect a BP, but you can always use hardware breaks to break there.


Quote:

Unless I'm seriously mistaken, raide detected and dumped itself.


It hides itself so malware can't detect it, but it can detect itself, and lists itself as a hidden process as it is still a process in the system.

Quote:

what happened to www.rootkit.com ?


Was asking myself the same question today, as I wanted to check something on rootkit.com.

Kayaker
January 27th, 2008, 23:39
Since raide was mentioned.. if anyone is interested, here's an IDA idb file (freeware 4.9 format) of the raide.sys driver I made some time ago. Most of the functionality is defined, though it's not 100% definitive down to the last nop or anything. For general interest only if the movies get boring

As deroko mentions, there's also a (randomly named) process created, which raide ignores (via PE.TimeDateStamp) in the hidden process listing.

It's attached as a RAR file, which is really a rar, not a faked zip file. I changed the attachment options so you can now upload rar files to the board (don't know why we didn't do that before).

JMI
January 28th, 2008, 00:10
Good idea with adding .rar files to the upload form permissions, Kayaker. I'm not sure why we didn't do it already either.



Regards,

Maximus
January 28th, 2008, 09:20
!!! Impressive analysis, Kayaker.

deroko
January 28th, 2008, 09:20
tnx Kayaker

Kayaker
January 29th, 2008, 22:48
Thanks. It was fun to analyze not only because it used some innovative techniques but also because the code wasn't further obfuscated from reversing in any particular way. Nice and logical layout, as POC code should be.

Be warned though that Raide doesn't work properly on Win2K, the hardcoded EPROCESS / ETHREAD offsets are wrong. You can confirm that by following that part of the code where the offsets are initialized and which returns Win2K: (MajorVersion = 5) (MinorVersion = 0) and comparing with a correct definition from WinDbg or say http://computer.forensikblog.de/en/.

If someone really wanted it to work on Win2K they could fix the binary to use the proper offsets, as I had done once to confirm the problem.

Unfortunately, Raide never went past the beta POC (proof of concept) stage, though I'm sure some of the techniques were applied to other rootkit unhookers later.

WaxfordSqueers
January 30th, 2008, 16:13
Quote:
[Originally Posted by Kayaker;72359]If someone really wanted it to work on Win2K they could fix the binary to use the proper offsets, as I had done once to confirm the problem.
I appreciate your response to my original problem, Kayaker, that led off to Raide. I found myself so overwhelmed with new stuff, with Paimei, Python and IPC all leading in different directions, that I decided to pull back and focus on IPC for the time. I hope to study your Raide IDC later.

I am reprogramming myself to live another 60 years, so I'll have enough time to learn all this stuff. First, I'll need to hook the DNA code that terminates humans at 80 or 90, if they're lucky, and insert my own code that will make me younger, better looking and smarter. After the 60 years, I'll re-evaluate, if I don't get hit by a bus in the interim, or get hooked up with Britney Spears.

Kayaker
January 30th, 2008, 16:39
Quote:
[Originally Posted by WaxfordSqueers;72373]or get hooked up with Britney Spears.


..that'll kill you sooner

(and sorry about hijacking the thread, but that's what we do best)

JMI
January 30th, 2008, 20:00
Which is exactly what I was going to warn him about. But, if you must, for God's sake, don't let her drive!

Regards,

WaxfordSqueers
January 30th, 2008, 20:17
Quote:
[Originally Posted by Kayaker;72376](and sorry about hijacking the thread, but that's what we do best)
don't ever worry about that...your comments are always appreciated.

WaxfordSqueers
January 30th, 2008, 20:21
Quote:
[Originally Posted by JMI;72377]Which is exactly what I was going to warn him about.
I was actually comparing Britney to getting hit by a bus. I'm not sure which would be worse.