For the purpose of this test, we use two demonstrations which illustrate some rootkit methods, technologies or behaviours.
a. The first demonstration illustrates a hidden-process method via EPROCESS (physical memory access, ntoskrnl mapping, etc.). We use a file which lets us hide objects:
We launch the file (and the related libraries):
Once executed, it renames explorer.exe and hides itself (test.exe):
Test.exe is detected as hidden by most rootkit detectors, as shown by these examples:
b. The second tool (BadRKDemo) was designed by the DarkSpy team in order to demonstrate that some rootkit detectors (like IceSword, RootkitRevealer, F-Secure BlackLight, Gmer, BitDefender Anti-Rootkit, ProcessMaster, etc.) are unable to detect a service/driver hidden from the Service Control Manager.
The service/driver is not shown by service/driver tools (not even by DeviceTree), nor by the "net start" or "sc query" commands.
- with DriverView and ServiWin (NirSoft tools):
- with the service and driver manager:
Here is the driver listed by DarkSpy:
But F-Secure BlackLight, RootkitRevealer and other detectors are unable to detect the hidden service and its kernel driver:
- IceSword, for instance, is unable to detect the service (and the driver as well):
If we check the system with Sysinternals tools:
- with LoadOrder, the driver is displayed:
- with WinObj, the driver was detected once, and not detected during another test (the demo seems unstable):
- with Autoruns, the service is not detected:
- with AccessChk, the service is not detected:
But the registry keys are displayed:
- with AccessEnum, we can't reach the service's registry key:
Likewise with RegEdit:
The same problem with IceSword:
But the rootkit is alive! HELP! HELP! HELP!
And RootkitRevealer gives us no indication of a hidden service:
With DarkSpy, the key can be reached and deleted if necessary:
But without DarkSpy and programmer's tools, how could we know that a rootkit and its hidden service are running if most useful rootkit detectors are unable to alert us?
We need to get help from OSR, but also from Asia, with OSRLoader:
This service tool is very useful for starting, stopping, registering and unregistering services, and for much more information.
We just need to click on the "active service" button in order to see the running services (the real driver is located in System32 and is named BadRKDemo.sys):
Now if we click on the stop button we get an error:
Translation: the specified service does not exist as an installed service.
Since we didn't add the " # " to the typed driver and service name, we get error popup messages. If we type the correct name, we get a success, and then we can stop and unregister the service with OSRLoader:
Or via the command line:
Here are some BadRKDemo actions:
The API functions used for the service control manager subversion:
And here is the creation of the registry key (service) and the accessed/modified/created files:
IE Dlls:
DLL Path    Company Name    File Description
--------------------------------------------------
No changes Found

Loaded Drivers:
Driver File    Company Name    Description
--------------------------------------------------

Monitored RegKeys
Registry Key    Value
--------------------------------------------------
Hklm\SYSTEM\CurrentControlSet\Services\#BadRKDemo#
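Without DarkSpy or OSRLoader, the same discrepancy can be scripted: the service entry still exists under HKLM\SYSTEM\CurrentControlSet\Services even though the Service Control Manager no longer reports it. The following is an added example (not code from the original post nor from the DarkSpy/BadRKDemo tools) that lists every registry service entry the SCM does not know about, and treats a key that refuses to open (the RegEdit/AccessEnum symptom above) as a finding in its own right; it assumes an elevated PowerShell 3.0+ session.

```powershell
# Added example, not part of the original post or of the DarkSpy/BadRKDemo tools.
# Cross-checks the Services registry hive against what the Service Control Manager
# reports. Assumes an elevated PowerShell 3.0+ session (Get-CimInstance).
function Find-ServicesHiddenFromScm {
    # SCM view: Win32 services plus kernel/file-system drivers, keyed by lower-case name
    $scmNames = @{}
    Get-CimInstance -ClassName Win32_Service      | ForEach-Object { $scmNames[$_.Name.ToLower()] = $true }
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object { $scmNames[$_.Name.ToLower()] = $true }

    # Registry view: enumerate subkey names through the raw .NET API rather than the HKLM:
    # provider, so a key that refuses to open is still listed by name.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
    foreach ($name in $root.GetSubKeyNames()) {
        $inScm = $scmNames.ContainsKey($name.ToLower())
        try {
            $sub = $root.OpenSubKey($name)
        } catch {
            # Access denied on a service key (the RegEdit/AccessEnum symptom above) is itself a finding
            [pscustomobject]@{ Name = $name; Type = 'unreadable'; ImagePath = $null; InScm = $inScm }
            continue
        }
        if ($null -eq $sub) { continue }
        $type  = $sub.GetValue('Type')
        $image = $sub.GetValue('ImagePath')
        $sub.Close()
        # No Type value: a parameter container, not a service entry.
        # Bit 0x40 (SERVICE_USER_SERVICE): a per-user service template, which the SCM never lists itself.
        if ($null -eq $type -or ($type -band 0x40)) { continue }
        if (-not $inScm) {
            [pscustomobject]@{
                Name      = $name
                Type      = ('0x{0:X}' -f [int]$type)   # 1/2 = driver, 0x10/0x20 = Win32 service
                ImagePath = $image
                InScm     = $false
            }
        }
    }
    $root.Close()
}

# Anything that has a service entry in the registry but is invisible to the SCM is a candidate
# for a closer look; the BadRKDemo case above would appear here under its registry name.
Find-ServicesHiddenFromScm | Format-Table -AutoSize
```

The output is a hunt list, not a verdict: confirm each hit against the driver file on disk (here System32\BadRKDemo.sys) before stopping or unregistering anything.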
NB: the easiest way to mitigate the risk of rootkit infection is to run under a limited account.
Under an administrator account, locking the service database can help block any newly created service from running, but does not prevent the service from being created:
More reliable and effective is the integration of a HIPS into the line of defense: most of them restrict administrator rights and privileges (physical memory access, installing services/drivers, etc.).