Effective file hiding : Bypassing Raw File System I/O Rootkit Detector
来源:互联网 发布:剑灵雪域公主数据 编辑:程序博客网 时间:2024/04/30 13:04
By: cardmagic
After reading Hoglund's post, I finally decide to write this article.
Actually in China, many smart rootkit/antirootkit writers have their own interesting materials,but unfortunately they are unable to publiish them becuase of various reasons(business contract,language barrier or even related to some secret organization).
The main idea of this post comes to me when I designed DarkSpy, but after I finishing coding of the bus level file hider, it was discarded.
Hopefully it will still be useful for some guys here:)
Okay, now lets discuss the main topic :
1. Raw I/O based hidden file detection:
This kind of file detection is used very commonly in modern detetors. such as DarkSpy/Icesword.
The main idea for this detection method is to directly send I/O request packet to file system ,
so that detector will get the real view of system files.
this is effective for hiding by native routine call hooking and file system filter driver.
In addition, DarkSpy has added two great points into this(The second one makes DarkSpy's file detecion better than Icesword ^_^ )
a) Implement IofCallDriver itself,and directly call the original file system dispach routines,
this will bypass hiding by the file system dispath routing hooking.
b) Recover the whole file system file image in the memory before each I/O, this is against the
hiding by inline code patching of file system dispatch routines.
2. The Bypassing theory:
Here we will only discuss the real hider ( not file stream stuff),and we will describe the the bypassing theory with DarkSpy, because DarkSpy is very typical in raw I/O based file detectors.Let's look at basic flow of DarkSpy file detection first.
From the figure above, we can see it's almost impossible to do something in file system, because DarkSpy has recoverred the whole image, even directly call the dispatch code without system routine's help.
Now start changing our point of view and brainstorm, can we intercept the I/O processing besides file system?
The answer is true, because file system will call many system routines.
But we must pick an appropriate call that has the chance to reach the I/O content,which one will be the best? IofCallDriver maybe first come to your mind...but unfortunately DarkSpy has implemented it inside,because IofCallDriver is very easy to implement :)
So we have to pick another choice which is
a) hard to implement
b) will be called by file system
c) able to touch the I/O content
which one will be the best ?
Oh,yes, you got it, it's IofCompleteRequest. Okay... this is our idea...
Through IofCompleteRequest code patching , check if we are called by file system,if yes, we will filter the I/O content. Thus,we will be sure to bypass all modern raw I/O based file detector.
3. The Main Code:
Please check --
http://www.rootkit.com/vault/cardmagic/hidefile.c
0. Something else :
After reading Hoglund's post, I finally decide to write this article.
Actually in China, many smart rootkit/antirootkit writers have their own interesting materials,but unfortunately they are unable to publiish them becuase of various reasons(business contract,language barrier or even related to some secret organization).
The main idea of this post comes to me when I designed DarkSpy, but after I finishing coding of the bus level file hider, it was discarded.
Hopefully it will still be useful for some guys here:)
Okay, now lets discuss the main topic :
1. Raw I/O based hidden file detection:
This kind of file detection is used very commonly in modern detetors. such as DarkSpy/Icesword.
The main idea for this detection method is to directly send I/O request packet to file system ,
so that detector will get the real view of system files.
this is effective for hiding by native routine call hooking and file system filter driver.
In addition, DarkSpy has added two great points into this(The second one makes DarkSpy's file detecion better than Icesword ^_^ )
a) Implement IofCallDriver itself,and directly call the original file system dispach routines,
this will bypass hiding by the file system dispath routing hooking.
b) Recover the whole file system file image in the memory before each I/O, this is against the
hiding by inline code patching of file system dispatch routines.
2. The Bypassing theory:
Here we will only discuss the real hider ( not file stream stuff),and we will describe the the bypassing theory with DarkSpy, because DarkSpy is very typical in raw I/O based file detectors.Let's look at basic flow of DarkSpy file detection first.
----------------- ---------------------
| DarkSpy | <1> ---->recover | FILE SYSTEM IMAGE |
----------------- <2>----->call--->| dispatch code |
<2><-----return--|-------------------|
From the figure above, we can see it's almost impossible to do something in file system, because DarkSpy has recoverred the whole image, even directly call the dispatch code without system routine's help.
Now start changing our point of view and brainstorm, can we intercept the I/O processing besides file system?
The answer is true, because file system will call many system routines.
But we must pick an appropriate call that has the chance to reach the I/O content,which one will be the best? IofCallDriver maybe first come to your mind...but unfortunately DarkSpy has implemented it inside,because IofCallDriver is very easy to implement :)
So we have to pick another choice which is
a) hard to implement
b) will be called by file system
c) able to touch the I/O content
which one will be the best ?
Oh,yes, you got it, it's IofCompleteRequest. Okay... this is our idea...
Through IofCompleteRequest code patching , check if we are called by file system,if yes, we will filter the I/O content. Thus,we will be sure to bypass all modern raw I/O based file detector.
3. The Main Code:
Please check --
http://www.rootkit.com/vault/cardmagic/hidefile.c
- Effective file hiding : Bypassing Raw File System I/O Rootkit Detector
- Effective file hiding : Bypassing Raw File System I/O Rootkit Detector
- Bypassing Raw File System I/O Rootkit Detector
- RawFS (Raw File System)
- linux file I/O
- Linux file I/O
- C++ File I/O
- FILE I/O
- Multithreaded File I/O
- FILE I/O
- Python File I/O
- I/O 1.0 File
- File I/O
- C++ File I/O
- I/O----File类
- Python File I/O
- Perl - File I/O
- 3-File I\O
- 华山之巅,摆平.NET――ASP.NET调试库损坏导致程序运行异常
- 数据库
- 随机生成自定义数量的无重复的随机数
- 统计代码行数源码
- 不要用过去决定未来
- Effective file hiding : Bypassing Raw File System I/O Rootkit Detector
- java
- 工程中处理symbian版本号的示例代码
- hibernate annotation对jpa主键one-to-one映射关系支持的有问题
- JavaScript的方法和技巧(转)
- 破解无线网络
- 在MonthCalendar控件中选中日期
- 我的资料
- Hibernate入门 - 基础配置
