Introduction to NT kernel: HIPS and modern Trojans

Security software was not as complex as it was many years ago.
At that time, the sky was blue, the water was clear, the trojan was running on R3, and the soft killer relied on signatures. At that time, I opened the task manager to check whether there were any Trojans.
However, with the popularity of the NT kernel (2000/XP...), a new trojan named Rootkit was born. (The meaning of Rootkit does not refer to Trojans. Its meaning is extended compared with its original meaning, but many Trojans use Rootkit Technology)
At that time, Hacker Defender (hxdef100) was the most representative. In China, it was the famous gray pigeon.
The common feature of such Trojans is that they can well hide themselves, escape regular analysis methods and kill soft detection, including hiding key locations in the Registry and hiding files, at one time, these Trojans left the kill software helpless, and users were confused, because they could no longer be found by conventional detection methods.
Therefore, a tool named ARK was invented, including ARK-Anti-Rookit and the Anti-Rootkit tool. At that time, it represented Icesword and DarkSpy in China, and RootkitDetector in foreign countries. These ARK tools also use Rootkit Technology, so they can discover traces of Rootkit Trojans. To curb Rootkit Trojans, some kill software also applies the Rootkit Technology in its own kill software. At the same time, the increasingly complex file shelling technology has stretched the traditional signature Anti-Virus engine. Many anti-virus software have greatly improved the heuristic engine and integrated the prototype of the original HIPS, that is, simple registry control and other functions. At the same time, some early HIPS tools began to gradually apply Rootkit Technology, such as WinPatrol and SSM.
Today, Rootkit technology has been widely used in Trojans, security software, and rogue software. Almost all modern Trojans are Rootkit Trojans, and almost all security software uses Rootkit Technology. The Notorious "XX surfing the Internet" also applies Rootkit Technology in a large number.
The following "Trojan" means Rootkit Trojan.
----------------------------------------------------------------------
Body

How can a modern Trojan hide itself? How does HIPS monitor system actions?
To solve this problem, we will first introduce an interface.
A brief introduction is as follows:
Take household appliances as an example. When we want to use a DVD player to watch TV, we only need to insert the interface of the DVD player into the TV. We do not need to know how the interface gets laid after it is connected to the TV, therefore, anyone will use a DVD player.
If there is no interface, the player must know the circuit board to which the cable of the player is inserted. Do you want to filter the cable or perform other processing, there are only a few people who will use the DVD player.

In another example, a class teacher leads a class. He wants to know who has not handed in his homework and does not need to translate it one by one. He only needs to find the "interface" of the Study Committee member to tell him: "I want to check homework ". Then, the Study Committee Members do not have to translate their own books. They only need to tell the course representatives of different subjects these "interfaces" and tell them: "You should count the assignments of different subjects .", Representatives of different subjects will go to the next interface-the group leaders: "check your group's homework .", After checking assignments, the team lead will report the situation to the class representatives, the class representatives to the Study Committee members, and the Study Committee members to the class teachers.
In this way, the class teacher does not have to pay enough effort to complete the homework. In the whole process, everyone is only responsible for explaining the commands at the previous layer to the next layer until the bottom layer executes the commands.




Now we will introduce the NT kernel:
Refer to our commonly used download tool Xunlei. if there is no interface, when thunder stores files, it is necessary to first convert the file into a binary system, and then calculate the number of cylinders in which the available space begins on the disk... details such as the slice number, and then check what the partition file system is. After the check, different recording methods are used for the corresponding file system, and even the hard disk brand needs to be checked, then, the corresponding control current is used to make the hard disk magnetization the small magnetic block in the specified area into "1" or "0"

Now let's look at a Windows NT kernel:
(The details are not shown in detail. This figure shows the basic flowchart of some operations performed by applications in the Windows NT kernel operating system ).




When an interface is available, Thunder only needs to call the corresponding Win32 API to inform the System of the location and content of the file. Then, the Win32 API will be interpreted as a Native API by the Windows system, the kernel calls the KiSystemService processing program, finds the NtWriteFile Function Location in SSDT, and then continues to call it. It is further interpreted as a driver command and passed to the file system driver (FSD ), before that, if a filter driver exists, the filter driver is used to explain the filter driver to the next layer, and the FSD layer is reached, until it is interpreted as controlling the read/write current of the hard disk. all you need to do for each interface is to explain the previous command to the next interface. In the end, it is difficult to directly use the current control, which can be implemented by calling a simple and easy-to-remember interface. therefore, it is so easy to write software.

Next, we will introduce the concept of running level (ring ). on x86 processors (mainly IntelAMD's mainstream processors), there can be four run-level ring0-3, Windows NT series systems (XP/2003 ......) two of them are used: ring3 and ring0. The user runs at ring3 level, while ring3 programs are not allowed to directly access the hardware, this is also to prevent system crashes or hardware faults caused by incorrect program operations. correspondingly, the system kernel runs at the ring0 level and has the access privilege to all the memory areas. It can also directly access the hardware.
Now we have added the concept of running level, and then let's look at the figure again:



It may be a bit messy. (replace the following "functions" with "functions" for ease of understanding .)
1. first, the application generates a request. For example, if you want to modify the registry, the application calls the registry operation related functions in the Win32 API. (RegOpenKey, etc.) is actually calling the corresponding functions in advapi32.dll.
(Win32 API functions are mainly located in libraries such as kernel32.dll advapi32.dll user32.dll gdi32.dll)

2. The functions in advapi32.dll are called, so he continues to explain and calls the functions in ntdll. dll (Native API interface ).
(All Native API functions are encapsulated in ntdll. dll, but ntdll. dll is not the real performer. His task is to upload the call to the kernel .)

3. ntdll. the functions in the dll are called (NtCreateKey and so on), So he saves the corresponding function number to the eax register, and then uses the SYSENTER command, resulting in "self-trapping" (early use of the method that triggers Int 2e interruption, but their results are the same.) The KiSystemService handler will run.
(This is like you get money in the bank. You put the deposit in the chute below the glass and ask the clerk to take the deposit and then give you money, it seems that you have taken out the money, but it is actually the money offered by the bank. ntdll. dll is the money collector. He puts the function code (deposit form) in the eax register (the grouve below the glass), and then triggers self-traps to trigger KiSystemService (called the clerk ), the clerk will actually process the transaction (execute the corresponding function ).)

4. kiSystemService extracts the function code from the eax register and searches for the corresponding Native identifier in a structure called SDT). It records the location of key system functions, including file operations and registry operations, process operations. there is also a Shadow SSDT in win32k. sys records functions related to the user's graphic interface. Although they are not very critical, they also include setting system hooks and other "special" functions, the other two SDT locations are reserved, that is, there is a possibility of manually creating SDT. (but this is basically meaningless)

5. after finding the location, call this function, that is, the actual operations on this function in the kernel are executed. Of course, the next step is an interface layer after layer, but usually, this is the last interface that is easy to control. (some advanced Trojans use Object hooks, that is, some lower-level interfaces may be controlled.) for registry operations, they are interpreted as Cm *** series of functions, of course, it is still necessary to convert it into a file.

6. finally, we will explain a special type of call, that is, calling the driver object. Many functions will eventually involve hardware operations, such as writing files. when writing a file, the system will call the file system driver (FSD). If there is a file system filter driver (FSD FilterDriver), the file system will first filter the driver, after their explanations, FSD is finally passed to the underlying file system driver (FSD). FSD is the lowest interface that is easy to control file operations. in the previous example, the Registry Modification Operation was finally interpreted as a file write operation (because the essence of modifying the registry is to modify the Hive file), which should also be further explained through FSD, continue to pass to the next interface.

In this way, we can understand that blocking any link during the transfer of these calls may cause failure. these functions can be controlled through "hooks.
There are many ways to hook, but there is only one purpose, that is, to get a notification earlier than the original function, and then decide whether to continue to pass it on, or you can decide whether to pass back the results that contain unfavorable information.
(This is equivalent to impersonating a Study Committee member. The class teacher asks you to check your homework. You ask the real Study Committee member to check your homework. The real Study Committee member reports you to a list containing you, you remove your name and submit it to the class teacher. in this way, you can bypass the check .)

For example, if a modern Trojan hides itself, they can modify the location of the File operation function in SSDT (Nt *** File series) and point it to themselves, then they call the real file operation function. When returning information, they only need to erase the information they contain ., when such a call result is returned to the application, it does not contain itself (the gray pigeon), and the application naturally does not know the existence of the gray pigeon.


[

You can select Win32 API hooks and ntdll hooks. dll functions, but this is not safe, because they are all at the ring3 level (remember our figure ?), That is to say, the hook you set can be easily bypassed or eliminated by a common program.
Therefore, most people choose to hook SSDT/Shadow SSDT, or install a file filter driver. These actions are protected by ring0, which cannot be found or modified by common programs. (Object Hook is also more advanced)
Similarly, HIPS software uses the same means as modern Trojans to monitor key actions.

Figure: S