SlideShare une entreprise Scribd logo

Defeating x64: The Evolution of the TDL Rootkit

Alex Matrosov
Alex Matrosov

n this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik) which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system, in which to store its malicious components. Between its first appearance on the malware scene and the present its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; tne recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.

Technologie
1  sur  65
Télécharger pour lire hors ligne
Defeating x64: The Evolution of the TDL Rootkit Aleksandr Matrosov Eugene Rodionov
Who we are?  Malware researchers at ESET - rootkits analysis - developing cleaning tools - tracking new rootkit techniques - research cybercrime groups http://www.joineset.com/
Agenda  Evolution of TDL rootkits  Installation on x86 vs. x64  TDL bootkit or how to bypass driver signature check  How to debug bootkit with Bochs emulator  Kernel-mode hooks  TDL hidden file system layout  Payload injection  TdlFsReader as a forensic tool
Evolution of rootkits
Evolution of rootkits features x86 Dropper Rootkit bypassing HIPS/AV self-defense privilege escalation surviving reboot installing rootkit driver Kernel mode injecting payload User mode
Evolution of rootkits features x86 x64 Dropper Rootkit Rootkit bypassing HIPS/AV self-defense self-defense privilege escalation surviving reboot surviving reboot installing rootkit bypassing signature driver injecting payload check Rootkit bypassing MS PatchGuard Kernel mode User mode injecting payload
Obstacles for 64-bit rootkits o Kernel-Mode Code Signing Policy  It is “difficult” to load unsigned kernel-mode driver o Kernel-Mode Patch Protection (Patch Guard):  SSDT (System Service Dispatch Table)  IDT (Interrupt Descriptor Table)  GDT ( Global Descriptor Table)  MSRs (Model Specific Registers)
Evolution of TDL rootkits TDL3/TDL3+ TDL4 Kernel-mode code Base independent piece of PE image in the hidden representation code in hidden file system file system Surviving after reboot Infecting disk Infecting MBR of the disk miniport/random kernel-mode driver Self-defense Kernel-mode hooks, registry Kernel-mode hooks, MBR monitoring monitoring Injecting payload into tdlcmd.dll cmd.dll/cmd64.dll processes in the system x64 support   Complexity  
Evolution of TDL rootkits TDL3/TDL3+ TDL4 Bypassing HIPS AddPrintProcessor AddPrintProvidor, AddPrintProvidor ZwConnectPort Privilege Escalation  MS10-092 Installation mechanism by loading kernel-mode driver by loading kernel-mode driver overwriting MBR of the disk Number of installed 4 10 modules
Installation on x86 vs. x64
Installation stages exploit payload dropper rootkit
Dropped modules Dropped modules Description mbr original contents of the infected hard drive boot sector ldr16 16-bit real-mode loader code ldr32 fake kdcom.dll for x86 systems ldr64 fake kdcom.dll for x64 systems drv32 the main bootkit driver for x86 systems drv64 the main bootkit driver for x64 systems cmd.dll payload to inject into 32-bit processes cmd64.dll payload to inject into 64-bit processes cfg.ini configuration information bckfg.tmp encrypted list of C&C URLs
Installation on x86 Adjust fail SeLoadDriver success privilege Copy itself into Check OS WinXP Vista/Win7 PrintProcessor version director Set IMAGE_FILE_DLL Exploitation success flag in the PE header Fail fail install MS10-092 Copy itself into Call %TMP% directory AddPrintProvidorW API Create Call manifest requesting DeletePrintProvidorW admin privilege API Call ShellExecute
Installation on x64 Prepare hidden FS image Write FS image, fail patch MBR and Adjust success SE_SHUTDOWN_PRIVILEGE Exploitation success MS10-092 fail Call ZwRaiseHardError to create BSOD Copy itself into %TMP% directory Restart Dropper Create manifest requesting admin privilege Call success ShellExecute Report to C&C fail
TDL bootkit or how to bypass driver signature check
Types of integrity checks o PnP Device Installation Signing Requirements o Kernel-Mode Code Signing Policy Enforced on 64-bit version of Windows Vista and later versions 64-bit Windows Vista and 32-bit Windows Vista later and later Boot-start driver   Non boot-start PnP driver   Non boot-start, non-PnP driver   (except stream protected media drivers)
Subverting KMCSP o Abusing vulnerable signed legitimate kernel-mode driver o Switching off kernel-mode code signing checks by altering BCD data: abusing WinPe Mode disabling signing check patching Bootmgr and OS loader
Boot process of Windows OS real mode real mode Load MBR Load MBR real mode real mode Load VBR Load VBR real mode/ real mode/ protected mode protected mode Load Load ntldr bootmgr real mode/ Load kernel Load protected mode and boot winload.exe or start drivers winresume.exe Load kernel Boot Process of pre Boot Process of post and boot Windows Vista OS Windows Vista OS start drivers MBR – Master Boot Record VBR – Volume Boot Record
Code integrity check Non boot-start OS kernel kernel-mode drivers OS kernel Bootmgr OS loader dependencies Boot-start drivers
Boot Configuration Data (BCD) BCD BCD BCD Object1 Object2 BCD BCD BCD Element1 Element2 Element3 Windows boot Inheritable manager Windows boot BCD Object Application loader Device Ntldr
BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
Abusing Win PE mode: TDL4 modules Module name Description mbr (infected) infected MBR loads ldr16 module and restores original MBR in memory ldr16 hooks 13h interrupt to disable KMCSP and substitute kdcom.dll with ldr32 or ldr64 ldr32 reads TDL4’s kernel-mode driver from hidden file system and maps it into kernel-mode address space ldr64 implementation of ldr32 module functionality for 64-bit OS int 13h – service provided by BIOS to communicate to IDE HDD controller
Abusing Win PE mode: workflow Load infected MBR Continue kernel Infected mbr is initialization loaded and executed Load ”drv32” Call or “drv64" Load “ldr16” from KdDebuggerInitialize1 hidden file system “ldr16” is from loaded kdcom.dll loaded and executed substitute Hook BIOS int 13h kdcom.dll Load ntoskrnl.exe, with”ldr32” handler and hal.dll,kdcom.dll,b or “ldr64" restore original Original mbr is ootvid.dll ant etc MBR loaded and executed distrort /MININT option Load VBR Load winload.exe VBR is loaded and executed Substitute EmsEnabled option with WinPe Load bootmgr read bcd Bootmgr is loaded and executed
MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
Bypassing KMCSP: another attempt Patch Bootmgr and OS loader (winload.exe) to disable KMCSP:
Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity
Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity
Debugging the bootkit with Bochs
Bochs support starting from IDA 5.5
•DEMO
Kernel-mode hooks
Storage Device Stack Disk PDO Disk PDO (Partition 1) (Partition 2) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO driver object (Partition 0) Hard drive Disk Lower Lower Filter Filter driver object Hard drive port/miniport Disk PDO driver object
Stealing Miniport Driver Object Disk PDO Disk PDO (Partition 1) (Partition 1) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO Before Infection driver object (Partition 0) After Infection Hard drive Disk Lower Lower Filter Filter driver object Hard drive Fake port/miniport Disk PDO driver object TDL4 “Real” driver object Disk PDO Stolen Objects
Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
Filtering Disk Read/Write Requests o Filtered requests:  IOCTL_ATA_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH;  IRP_MJ_INTERNAL_DEVICE_CONTROL o To protect:  Infected MBR;  Hidden file system from being read or overwritten SCSI request block Bootkit driver hooks Infected MBR or hidden file Otherwise system is read/written Bootkit driver: Bootkit driver: Counterfeit data and call corresponding complete request miniport’s handler
TDL hidden file system
TDL’s hidden storage o Reserve space in the end of the hard drive (not visible at file system level analysis) o Encrypted contents (stream cipher: RC4, XOR-ing) o Implemented as a hidden volume in the system o Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
TDL3/TDL3+ Rootkit Device Stack TDL3 Driver object DeviceXXXXXXXX TDL3 Physical device object DriverObject ... XXXXXXXX – random 8-character ASCII string ?globalrootdeviceXXXXXXXXYYYYYYYYfile_name - for user-mode components deviceXXXXXXXXYYYYYYYYfile_name – for kernel-mode components
TDL4 Device Stack DriverPnpManager TDL4 Driver object Driver object DeviceXXXXXXXX Unnamed TDL4 Volume TDL4 Physical device object device object DriverObject DriverObject ... Vpb ... ... Volume parameter block DeviceObject RealDevice XXXXXXXX – random 32-bit hexadecimal integer
TDL4 File System Layout One One Variable length Not more than 8 Mb sector sector Infected MBR Disk partitions TDL4 Hidden FS Growth direction
Payload injection
Injecting payload into target process Process1 Process2 Process3 ProcessN Payload1 Payload2 Payload3 PayloadN user-mode kernel-mode TDL4 driver TDL4 hidden storage Payload1 Payload2 Payload3 PayloadN
Injecting workflow Set Exit from work item ImageLoadNotifyRoutine On loading kernel32.dll Go back in the context of System process Queue special kernel-mode Detach from target process APC Initialize IAT and call payload’s entry point In the context of the target process Queue user-mode APC Queue work item Allocate user-mode buffer with code In the context of System process and path to the payload Attach to target process Map image of the payload In the context of the target process
TDL4 cleaning approach
How to remove TDL o Defeat self defense:  Disable WORK_ITEM checking infected MBR and kernel-mode hooks  Remove hooks of storage miniport device object o Restore original MBR
Debugging bootkit with WinDbg
WinDbg and kdcom.dll KdDebuggerInitialize1 RETURN_STATUS Data packet KdSendPacket RETURN_CONTROL Data Packet KdReceivePacket KD_RECV_CODE_OK
TDL4 and kdcom.dll
TDL4 and kdcom.dll
How to debug TDL4 with WinDbg o Patch ldr16 to disable kdcom.dll substitution o Reboot the system and attach to it with WinDbg oManually load drv32/drv64 “TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf
TdlFsReader as a forensic tool
TdlFsReader as a forensic tool
TdlFsReader architecture TdlFileReader TdlFsRecognizer TdlFsDecryptor User mode Kernel mode TdlSelfDefenceDisabler LowLevelHddReader
TdlFsReader architecture TdlFsRecognizer TdlFsDecryptor FsCheckVersion TdlCheckVersion FsStructureParser TdlDecryptor TdlSelfDefenceDisabler TdlUnHooker HddBlockReader
•DEMO
Conclusion o Win64/Olmarik (TDL4) is the first widely spread rootkit targeting Win x64 o Return to old-school techniques of infecting MBR o The only possible way of debugging bootkit is to use emulators (Bochs, QEMU) o TDL4 is highly resistant to forensic analysis o TdlFsReader will be shared amongst malware researchers
References  “The Evolution of TDL: Conquering x64” http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf  “Rooting about in TDSS” http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf  “TDL3: The Rootkit of All Evil?” http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf  Follow ESET Threat Blog http://blog.eset.com
Questions
Thank you for your attention ;) Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius

Recommandé

TDL3 Rootkit Background
TDL3 Rootkit BackgroundTDL3 Rootkit Background
TDL3 Rootkit BackgroundDavid Sweigert
 
Linux device driver
Linux device driverLinux device driver
Linux device driverchatsiri
 
Windows kernel basic exploit
Windows kernel basic exploitWindows kernel basic exploit
Windows kernel basic exploitKyoungseok Yang
 
Hunting rootkits with windbg
Hunting rootkits with windbgHunting rootkits with windbg
Hunting rootkits with windbgFrank Boldewin
 
Unix ppt
Unix pptUnix ppt
Unix pptsudhir saurav
 
Common linux ubuntu commands overview
Common linux ubuntu commands overviewCommon linux ubuntu commands overview
Common linux ubuntu commands overviewAmeer Sameer
 
Embedded Operating System - Linux
Embedded Operating System - LinuxEmbedded Operating System - Linux
Embedded Operating System - LinuxEmertxe Information Technologies Pvt Ltd
 
Linux Internals - Kernel/Core
Linux Internals - Kernel/CoreLinux Internals - Kernel/Core
Linux Internals - Kernel/CoreShay Cohen
 

Recommandé

TDL3 Rootkit Background
TDL3 Rootkit BackgroundTDL3 Rootkit Background
TDL3 Rootkit BackgroundDavid Sweigert
 
Linux device driver
Linux device driverLinux device driver
Linux device driverchatsiri
 
Windows kernel basic exploit
Windows kernel basic exploitWindows kernel basic exploit
Windows kernel basic exploitKyoungseok Yang
 
Hunting rootkits with windbg
Hunting rootkits with windbgHunting rootkits with windbg
Hunting rootkits with windbgFrank Boldewin
 
Unix ppt
Unix pptUnix ppt
Unix pptsudhir saurav
 
Common linux ubuntu commands overview
Common linux ubuntu commands overviewCommon linux ubuntu commands overview
Common linux ubuntu commands overviewAmeer Sameer
 
Embedded Operating System - Linux
Embedded Operating System - LinuxEmbedded Operating System - Linux
Embedded Operating System - LinuxEmertxe Information Technologies Pvt Ltd
 
Linux Internals - Kernel/Core
Linux Internals - Kernel/CoreLinux Internals - Kernel/Core
Linux Internals - Kernel/CoreShay Cohen
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modulesDheryta Jaisinghani
 
Embedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmbedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmertxe Information Technologies Pvt Ltd
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Les 12 fl_db
Les 12 fl_dbLes 12 fl_db
Les 12 fl_dbFemi Adeyemi
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O SchedulersRajKumar Rampelli
 
Understanding binder in android
Understanding binder in androidUnderstanding binder in android
Understanding binder in androidHaifeng Li
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader Emertxe Information Technologies Pvt Ltd
 
Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Adrian Huang
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdfAdrian Huang
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelSUSE Labs Taipei
 
Linux kernel
Linux kernelLinux kernel
Linux kernelMahmoud Shiri Varamini
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMSherif Mousa
 
“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”GlobalLogic Ukraine
 
Plan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXPlan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXNational Cheng Kung University
 
U boot porting guide for SoC
U boot porting guide for SoCU boot porting guide for SoC
U boot porting guide for SoCMacpaul Lin
 
Introduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformIntroduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformSZ Lin
 
Linux Kernel Live Patching
Linux Kernel Live PatchingLinux Kernel Live Patching
Linux Kernel Live PatchingGlobalLogic Ukraine
 
PostgreSQL on EXT4, XFS, BTRFS and ZFS
PostgreSQL on EXT4, XFS, BTRFS and ZFSPostgreSQL on EXT4, XFS, BTRFS and ZFS
PostgreSQL on EXT4, XFS, BTRFS and ZFSTomas Vondra
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesCharles Nutter
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 

Contenu connexe

Tendances

Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Understanding binder in android
Understanding binder in androidUnderstanding binder in android
Understanding binder in androidHaifeng Li
 
Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Adrian Huang
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdfAdrian Huang
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelSUSE Labs Taipei
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMSherif Mousa
 
“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”GlobalLogic Ukraine
 
U boot porting guide for SoC
U boot porting guide for SoCU boot porting guide for SoC
U boot porting guide for SoCMacpaul Lin
 
Introduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformIntroduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformSZ Lin
 
PostgreSQL on EXT4, XFS, BTRFS and ZFS
PostgreSQL on EXT4, XFS, BTRFS and ZFSPostgreSQL on EXT4, XFS, BTRFS and ZFS
PostgreSQL on EXT4, XFS, BTRFS and ZFSTomas Vondra
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesCharles Nutter
 

Tendances (20)

Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modules
 
Embedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmbedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernel
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
Les 12 fl_db
Les 12 fl_dbLes 12 fl_db
Les 12 fl_db
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O Schedulers
 
Understanding binder in android
Understanding binder in androidUnderstanding binder in android
Understanding binder in android
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader
 
Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdf
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux Kernel
 
Linux kernel
Linux kernelLinux kernel
Linux kernel
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARM
 
“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”
 
Plan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXPlan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIX
 
U boot porting guide for SoC
U boot porting guide for SoCU boot porting guide for SoC
U boot porting guide for SoC
 
Introduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformIntroduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure Platform
 
Linux Kernel Live Patching
Linux Kernel Live PatchingLinux Kernel Live Patching
Linux Kernel Live Patching
 
PostgreSQL on EXT4, XFS, BTRFS and ZFS
PostgreSQL on EXT4, XFS, BTRFS and ZFSPostgreSQL on EXT4, XFS, BTRFS and ZFS
PostgreSQL on EXT4, XFS, BTRFS and ZFS
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for Dummies
 

En vedette

Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyCODE BLUE
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIAleksey Lukatskiy
 

En vedette (20)

Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
42054960
4205496042054960
42054960
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 

Similaire à Defeating x64: The Evolution of the TDL Rootkit

Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesPriyanka Aash
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernelguestf1a032
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...DefconRussia
 
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
 
Docker at the gate
Docker at the gateDocker at the gate
Docker at the gateTony Deng
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwarePositive Hack Days
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtFelipe Prado
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinESET
 
4 implementation
4 implementation4 implementation
4 implementationhanmya
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machinesintertelinvestigations
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist LibbySchulze
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 
Windows 2008 R2 Virtualization
Windows 2008 R2 VirtualizationWindows 2008 R2 Virtualization
Windows 2008 R2 VirtualizationEduardo Castro
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Louis Göhl
 

Similaire à Defeating x64: The Evolution of the TDL Rootkit (20)

Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
 
101 1.2 boot the system
101 1.2 boot the system101 1.2 boot the system
101 1.2 boot the system
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
 
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
 
Docker at the gate
Docker at the gateDocker at the gate
Docker at the gate
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
 
Building
BuildingBuilding
Building
 
4 implementation
4 implementation4 implementation
4 implementation
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
Windows 2008 R2 Virtualization
Windows 2008 R2 VirtualizationWindows 2008 R2 Virtualization
Windows 2008 R2 Virtualization
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]
 

Dernier

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Defeating x64: The Evolution of the TDL Rootkit

  • 1. Defeating x64: The Evolution of the TDL Rootkit Aleksandr Matrosov Eugene Rodionov
  • 2. Who we are?  Malware researchers at ESET - rootkits analysis - developing cleaning tools - tracking new rootkit techniques - research cybercrime groups http://www.joineset.com/
  • 3. Agenda  Evolution of TDL rootkits  Installation on x86 vs. x64  TDL bootkit or how to bypass driver signature check  How to debug bootkit with Bochs emulator  Kernel-mode hooks  TDL hidden file system layout  Payload injection  TdlFsReader as a forensic tool
  • 5. Evolution of rootkits features x86 Dropper Rootkit bypassing HIPS/AV self-defense privilege escalation surviving reboot installing rootkit driver Kernel mode injecting payload User mode
  • 6. Evolution of rootkits features x86 x64 Dropper Rootkit Rootkit bypassing HIPS/AV self-defense self-defense privilege escalation surviving reboot surviving reboot installing rootkit bypassing signature driver injecting payload check Rootkit bypassing MS PatchGuard Kernel mode User mode injecting payload
  • 7. Obstacles for 64-bit rootkits o Kernel-Mode Code Signing Policy  It is “difficult” to load unsigned kernel-mode driver o Kernel-Mode Patch Protection (Patch Guard):  SSDT (System Service Dispatch Table)  IDT (Interrupt Descriptor Table)  GDT ( Global Descriptor Table)  MSRs (Model Specific Registers)
  • 8. Evolution of TDL rootkits TDL3/TDL3+ TDL4 Kernel-mode code Base independent piece of PE image in the hidden representation code in hidden file system file system Surviving after reboot Infecting disk Infecting MBR of the disk miniport/random kernel-mode driver Self-defense Kernel-mode hooks, registry Kernel-mode hooks, MBR monitoring monitoring Injecting payload into tdlcmd.dll cmd.dll/cmd64.dll processes in the system x64 support   Complexity  
  • 9. Evolution of TDL rootkits TDL3/TDL3+ TDL4 Bypassing HIPS AddPrintProcessor AddPrintProvidor, AddPrintProvidor ZwConnectPort Privilege Escalation  MS10-092 Installation mechanism by loading kernel-mode driver by loading kernel-mode driver overwriting MBR of the disk Number of installed 4 10 modules
  • 11.
  • 12.
  • 13. Installation stages exploit payload dropper rootkit
  • 14. Dropped modules Dropped modules Description mbr original contents of the infected hard drive boot sector ldr16 16-bit real-mode loader code ldr32 fake kdcom.dll for x86 systems ldr64 fake kdcom.dll for x64 systems drv32 the main bootkit driver for x86 systems drv64 the main bootkit driver for x64 systems cmd.dll payload to inject into 32-bit processes cmd64.dll payload to inject into 64-bit processes cfg.ini configuration information bckfg.tmp encrypted list of C&C URLs
  • 15. Installation on x86 Adjust fail SeLoadDriver success privilege Copy itself into Check OS WinXP Vista/Win7 PrintProcessor version director Set IMAGE_FILE_DLL Exploitation success flag in the PE header Fail fail install MS10-092 Copy itself into Call %TMP% directory AddPrintProvidorW API Create Call manifest requesting DeletePrintProvidorW admin privilege API Call ShellExecute
  • 16. Installation on x64 Prepare hidden FS image Write FS image, fail patch MBR and Adjust success SE_SHUTDOWN_PRIVILEGE Exploitation success MS10-092 fail Call ZwRaiseHardError to create BSOD Copy itself into %TMP% directory Restart Dropper Create manifest requesting admin privilege Call success ShellExecute Report to C&C fail
  • 17. TDL bootkit or how to bypass driver signature check
  • 18. Types of integrity checks o PnP Device Installation Signing Requirements o Kernel-Mode Code Signing Policy Enforced on 64-bit version of Windows Vista and later versions 64-bit Windows Vista and 32-bit Windows Vista later and later Boot-start driver   Non boot-start PnP driver   Non boot-start, non-PnP driver   (except stream protected media drivers)
  • 19. Subverting KMCSP o Abusing vulnerable signed legitimate kernel-mode driver o Switching off kernel-mode code signing checks by altering BCD data: abusing WinPe Mode disabling signing check patching Bootmgr and OS loader
  • 20. Boot process of Windows OS real mode real mode Load MBR Load MBR real mode real mode Load VBR Load VBR real mode/ real mode/ protected mode protected mode Load Load ntldr bootmgr real mode/ Load kernel Load protected mode and boot winload.exe or start drivers winresume.exe Load kernel Boot Process of pre Boot Process of post and boot Windows Vista OS Windows Vista OS start drivers MBR – Master Boot Record VBR – Volume Boot Record
  • 21. Code integrity check Non boot-start OS kernel kernel-mode drivers OS kernel Bootmgr OS loader dependencies Boot-start drivers
  • 22. Boot Configuration Data (BCD) BCD BCD BCD Object1 Object2 BCD BCD BCD Element1 Element2 Element3 Windows boot Inheritable manager Windows boot BCD Object Application loader Device Ntldr
  • 23. BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
  • 24. BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
  • 25. Abusing Win PE mode: TDL4 modules Module name Description mbr (infected) infected MBR loads ldr16 module and restores original MBR in memory ldr16 hooks 13h interrupt to disable KMCSP and substitute kdcom.dll with ldr32 or ldr64 ldr32 reads TDL4’s kernel-mode driver from hidden file system and maps it into kernel-mode address space ldr64 implementation of ldr32 module functionality for 64-bit OS int 13h – service provided by BIOS to communicate to IDE HDD controller
  • 26. Abusing Win PE mode: workflow Load infected MBR Continue kernel Infected mbr is initialization loaded and executed Load ”drv32” Call or “drv64" Load “ldr16” from KdDebuggerInitialize1 hidden file system “ldr16” is from loaded kdcom.dll loaded and executed substitute Hook BIOS int 13h kdcom.dll Load ntoskrnl.exe, with”ldr32” handler and hal.dll,kdcom.dll,b or “ldr64" restore original Original mbr is ootvid.dll ant etc MBR loaded and executed distrort /MININT option Load VBR Load winload.exe VBR is loaded and executed Substitute EmsEnabled option with WinPe Load bootmgr read bcd Bootmgr is loaded and executed
  • 27. MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
  • 28. MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
  • 29. MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
  • 30. Bypassing KMCSP: another attempt Patch Bootmgr and OS loader (winload.exe) to disable KMCSP:
  • 31. Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity
  • 32. Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity
  • 33. Debugging the bootkit with Bochs
  • 34. Bochs support starting from IDA 5.5
  • 37. Storage Device Stack Disk PDO Disk PDO (Partition 1) (Partition 2) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO driver object (Partition 0) Hard drive Disk Lower Lower Filter Filter driver object Hard drive port/miniport Disk PDO driver object
  • 38. Stealing Miniport Driver Object Disk PDO Disk PDO (Partition 1) (Partition 1) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO Before Infection driver object (Partition 0) After Infection Hard drive Disk Lower Lower Filter Filter driver object Hard drive Fake port/miniport Disk PDO driver object TDL4 “Real” driver object Disk PDO Stolen Objects
  • 39. Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
  • 40. Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
  • 41. Filtering Disk Read/Write Requests o Filtered requests:  IOCTL_ATA_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH;  IRP_MJ_INTERNAL_DEVICE_CONTROL o To protect:  Infected MBR;  Hidden file system from being read or overwritten SCSI request block Bootkit driver hooks Infected MBR or hidden file Otherwise system is read/written Bootkit driver: Bootkit driver: Counterfeit data and call corresponding complete request miniport’s handler
  • 42. TDL hidden file system
  • 43. TDL’s hidden storage o Reserve space in the end of the hard drive (not visible at file system level analysis) o Encrypted contents (stream cipher: RC4, XOR-ing) o Implemented as a hidden volume in the system o Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
  • 44. TDL3/TDL3+ Rootkit Device Stack TDL3 Driver object DeviceXXXXXXXX TDL3 Physical device object DriverObject ... XXXXXXXX – random 8-character ASCII string ?globalrootdeviceXXXXXXXXYYYYYYYYfile_name - for user-mode components deviceXXXXXXXXYYYYYYYYfile_name – for kernel-mode components
  • 45. TDL4 Device Stack DriverPnpManager TDL4 Driver object Driver object DeviceXXXXXXXX Unnamed TDL4 Volume TDL4 Physical device object device object DriverObject DriverObject ... Vpb ... ... Volume parameter block DeviceObject RealDevice XXXXXXXX – random 32-bit hexadecimal integer
  • 46. TDL4 File System Layout One One Variable length Not more than 8 Mb sector sector Infected MBR Disk partitions TDL4 Hidden FS Growth direction
  • 48. Injecting payload into target process Process1 Process2 Process3 ProcessN Payload1 Payload2 Payload3 PayloadN user-mode kernel-mode TDL4 driver TDL4 hidden storage Payload1 Payload2 Payload3 PayloadN
  • 49. Injecting workflow Set Exit from work item ImageLoadNotifyRoutine On loading kernel32.dll Go back in the context of System process Queue special kernel-mode Detach from target process APC Initialize IAT and call payload’s entry point In the context of the target process Queue user-mode APC Queue work item Allocate user-mode buffer with code In the context of System process and path to the payload Attach to target process Map image of the payload In the context of the target process
  • 51. How to remove TDL o Defeat self defense:  Disable WORK_ITEM checking infected MBR and kernel-mode hooks  Remove hooks of storage miniport device object o Restore original MBR
  • 53. WinDbg and kdcom.dll KdDebuggerInitialize1 RETURN_STATUS Data packet KdSendPacket RETURN_CONTROL Data Packet KdReceivePacket KD_RECV_CODE_OK
  • 56. How to debug TDL4 with WinDbg o Patch ldr16 to disable kdcom.dll substitution o Reboot the system and attach to it with WinDbg oManually load drv32/drv64 “TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf
  • 57. TdlFsReader as a forensic tool
  • 58. TdlFsReader as a forensic tool
  • 59. TdlFsReader architecture TdlFileReader TdlFsRecognizer TdlFsDecryptor User mode Kernel mode TdlSelfDefenceDisabler LowLevelHddReader
  • 60. TdlFsReader architecture TdlFsRecognizer TdlFsDecryptor FsCheckVersion TdlCheckVersion FsStructureParser TdlDecryptor TdlSelfDefenceDisabler TdlUnHooker HddBlockReader
  • 62. Conclusion o Win64/Olmarik (TDL4) is the first widely spread rootkit targeting Win x64 o Return to old-school techniques of infecting MBR o The only possible way of debugging bootkit is to use emulators (Bochs, QEMU) o TDL4 is highly resistant to forensic analysis o TdlFsReader will be shared amongst malware researchers
  • 63. References  “The Evolution of TDL: Conquering x64” http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf  “Rooting about in TDSS” http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf  “TDL3: The Rootkit of All Evil?” http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf  Follow ESET Threat Blog http://blog.eset.com
  • 65. Thank you for your attention ;) Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius