Rookits

Rookit overview:

IAT

API	Allocated memory
VirtualAlloc	0x72120010
OpenProcess	0x72122200
ListProcesses	0x721211000 malicious process overwrites and injects own i.e 0x6660000 which directs back to evil.dll

Hook

SSDT / IDT

Similar to IAT - but sits within the kernel space - therefore uses system drivers instead

eliminate legitimate entries pointing within ntoskrnl.exe and win32k.sys using: | egrep –v ‘(ntoskrnl.exe | win32k.sys)’

API	Allocated memory
VirtualAlloc	0x72120010
OpenProcess	0x72122200
ListProcesses	0x721211000 malicious process overwrites and injects own i.e 0x6660000 which directs back to evil.sys

DKOM

DKOM is an advanced process hiding technique -

unlinking an EPROCESS from doubly linked list - Unlinks it's own exe process and sits within the unlinked memory mapping which is then used to listen to the calls bypassing

DKOM is still active in Linux and container attacks

Inline Hooking

Inject evil.dll -> jump to ntdll.dll -> MitM attack again

ntdll.dll can communicate with kernel space :)

Userland

TDL

Identifying rootkits with Volatility:

Vol2 module	Vol3 module	Description of use
apihooks	N/a	find userland IAT, inline and trampoline hooks
idt	N/a	display interrupt descriptor table entries
ssdt	windows.ssdt	display system service descriptor table entries
driverirp	windows.driverirp	identify I/O Request Packets (IRP) hooks
pscview	N/a	Find hidden processes via cross-view techniques
modules	windows.modules	View list of loaded kernel drivers
modscan	windows.modscan	Find drivers via pool tag scanning