Rootkits
Rootkit overview: IAT hook (userland)
Function         IAT entry
VirtualAlloc     0x72120010
OpenProcess      0x72122200
ListProcesses    0x721211000 -> malicious process overwrites the entry and injects its own address, i.e. 0x6660000, which points back into evil.dll
Hook (kernel space)
Similar to the IAT hook, but it sits in kernel space, so it goes through system drivers instead.
Eliminate the legitimate entries that point into ntoskrnl.exe and win32k.sys using:
| egrep -v '(ntoskrnl.exe|win32k.sys)'
Function         Entry
VirtualAlloc     0x72120010
OpenProcess      0x72122200
ListProcesses    0x721211000 -> malicious driver overwrites the entry and injects its own address, i.e. 0x6660000, which points back into evil.sys
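The two checks above (an IAT entry that no longer resolves into the exporting module, and a kernel table entry owned by something other than ntoskrnl.exe/win32k.sys) as an added Python example; this is not code from the page or from Volatility. Module ranges, the IAT snapshot, the ssdt-style lines and the evil.sys driver are all constructed; the function names come from the page's tables, and the ssdt line format only approximates Volatility 2's output.

```python
import re

# Constructed module map: name -> (base, size). Addresses are made up for this
# example; on a real image they would come from Volatility's dlllist / modules output.
MODULES = {
    "kernel32.dll": (0x72120000, 0x10000),          # VirtualAlloc / OpenProcess are exported from here
    "ntoskrnl.exe": (0xFFFFF80000000000, 0x800000),
    "win32k.sys":   (0xFFFFF96000000000, 0x400000),
    "evil.sys":     (0xFFFFF88006600000, 0x10000),  # hypothetical rootkit driver
}

def owner_of(addr):
    """Return the module whose [base, base+size) range contains addr, else None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def find_iat_hooks(iat, expected_module):
    """Userland IAT check: every import should resolve into the module that exports it.
    An entry pointing anywhere else (the page's 0x6660000 -> evil.dll) is a hook."""
    return {fn: (addr, owner_of(addr)) for fn, addr in iat.items()
            if owner_of(addr) != expected_module}

# Lines in the style of Volatility 2's `ssdt` plugin output (constructed).
SSDT_LINE = re.compile(r"Entry 0x([0-9a-fA-F]+): 0x([0-9a-fA-F]+) \((\w+)\) owned by (\S+)")
LEGIT_OWNERS = {"ntoskrnl.exe", "win32k.sys"}   # what the page's egrep -v filters away

def find_ssdt_hooks(ssdt_text):
    """Kernel table check, same idea as `| egrep -v '(ntoskrnl.exe|win32k.sys)'`:
    any entry not owned by the two legitimate modules is suspicious."""
    return [(name, int(addr, 16), owner)
            for _, addr, name, owner in SSDT_LINE.findall(ssdt_text)
            if owner not in LEGIT_OWNERS]

SAMPLE_IAT = {"VirtualAlloc": 0x72120010, "OpenProcess": 0x72122200,
              "ListProcesses": 0x6660000}           # last entry overwritten by the rootkit
SAMPLE_SSDT = """\
Entry 0x0042: 0xfffff80000123450 (NtCreateFile) owned by ntoskrnl.exe
Entry 0x0044: 0xfffff88006600100 (NtQuerySystemInformation) owned by evil.sys
Entry 0x1003: 0xfffff96000012340 (NtUserGetMessage) owned by win32k.sys
"""

if __name__ == "__main__":
    print("IAT hooks :", find_iat_hooks(SAMPLE_IAT, "kernel32.dll"))
    print("SSDT hooks:", find_ssdt_hooks(SAMPLE_SSDT))
```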

DKOM (Direct Kernel Object Manipulation) is an advanced process-hiding technique:
the rootkit unlinks its own EPROCESS from the kernel's doubly linked process list; the process keeps running in the now-unlinked memory mapping, which is then used to listen to the calls bypassing
DKOM is still active in Linux and container attacks.

Inject evil.dll -> jump to ntdll.dll -> MitM attack on the call path again
ntdll.dll is the userland module that talks to kernel space :)


Identifying rootkits with Volatility:
Volatility 2    Volatility 3          Purpose
apihooks        N/a                   find userland IAT, inline and trampoline hooks
idt             N/a                   display interrupt descriptor table entries
ssdt            windows.ssdt          display system service descriptor table entries
driverirp       windows.driverirp     identify I/O Request Packet (IRP) hooks
psxview         N/a                   find hidden processes via cross-view techniques
modules         windows.modules       view list of loaded kernel drivers
modscan         windows.modscan       find drivers via pool tag scanning