The tail end of the arms race: Rootkit technology

Source: Internet
Author: User
Tags: ssdt

1. The "assistant" that cannot be evicted
Network administrator Xiao Zhang is digging through his manual anti-virus toolkit. While installing a network management tool he let his attention drift, clicked "Next", and only afterwards noticed that an inconspicuous corner of the installer window carried the line "Install CNNIC Network Real Name", with a small check mark already ticked in front of it. And so the famous "right-hand assistant of Chinese netizens" moved into his machine as if it owned the place.
Xiao Zhang, who had already been scolded by the vendor eighteen times, finally brought out his proudest tools, IceSword and Super Patrol, when he went to repair the machine. Both showed red alarms in the process list and the SSDT list. He smiled: he had dealt with these malicious programs that ordinary users cannot uninstall many times before. The CNNIC process was terminated, the SSDT was restored to its initial state, and he went on to delete the registry startup item. A sudden error message stopped him. He looked again and his smile froze: "An error occurred while deleting the item". Surely not? He hurried to delete the CNNIC directory and got stuck there completely: the system reported an error and told him plainly that "the file cannot be deleted; the file may be in use". What was going on? Xiao Zhang had no clue at all......
Darwin's theory of evolution tells us that nature selects and only the fittest survive; the online world of security and intrusion makes the same kind of selection......

2. An Internet entangled by "AIDS"
What is a rootkit? If you were a reader of this magazine a few years ago, you must have read the article about rootkits written by XiaoJin. At that time it was a technological product that deserved to be called the "HIV/AIDS" of the information world; yet in this cruel game of survival of the fittest, the rootkit is the one that remains. Today's rootkit is more like the common cold virus of the year: it is so widespread that wherever users go online, the attackers are always following close behind.

TIPS: What is a rootkit?
A rootkit is itself a type of Trojan backdoor or malicious program, but a special one. Why? Because you cannot find it.
Nature follows a rule: the most widespread virus does the least harm to its host, the common cold for example, while the rarest virus is the most desperate. Rootkit Trojans are the AIDS of the information world. Once a system is infected they are hard to eliminate by ordinary means, because they do in the computer what AIDS does in the body: they undermine the integrity of the system's own detection. Put the terminology aside and picture how AIDS damages the human immune system, leaving the white blood cells powerless while the body slowly breaks down. A computer has no immune system, but it does provide detection functions for its own environment, such as process enumeration, file listing and ring-level permission protection. Most anti-virus software and process tools depend on these system-provided detection functions to operate, and those are exactly what a rootkit Trojan sets out to destroy.

To understand the principles of rootkit Trojans, we must start with the principles of the system. An operating system consists of a kernel and a shell. The kernel is responsible for all of the practical work, including CPU task scheduling, memory allocation and management, device management and file operations. The shell is an interface built on the interaction functions provided by the kernel; it is responsible for passing on and interpreting instructions. Because the kernel and the shell do different jobs and work in different environments, the processor provides several distinct execution environments called rings (running levels). Each successive ring allows program instructions to reach fewer computer resources, which protects the computer from accidental damage. The kernel runs at Ring 0 and has the most complete, lowest-level management functions; the shell only gets Ring 3, where very little is allowed. Almost every instruction has to be handed to the kernel, which decides whether to execute it. As soon as an instruction that could damage the system is found (for example a memory read or write beyond the allowed range), the kernel returns an "unauthorized" flag and the program that issued it may be terminated. This is the source of most of the familiar "illegal operation" errors, and it exists to protect the computer: if the shell ran at the same level as the kernel, one careless click could wreck the entire system.

Because of the rings, apart from programs loaded by the system kernel itself, ordinary programs started from the shell can only run at Ring 3, which means every operation they issue depends on the kernel's authorization. General process viewers and anti-virus software are no exception. Under this mechanism, the processes we "see" are in fact seen by the kernel and fed back to the application through the relevant interfaces (remember the API?), so there is inevitably a data channel in between. That channel is hard to tamper with in general, but "hard" does not rule out the unexpected, and a rootkit is precisely a program built to be that unexpected case. Simply put, a rootkit is essentially an application that goes "beyond its authorization": it tries to run at the same level as the kernel, or even to enter kernel space, so that it has the same access permissions as the kernel and can modify the kernel's instructions. The most common trick is to modify the kernel API that enumerates processes so that the data it returns always "misses" the rootkit's own process; an ordinary process tool then naturally cannot see the rootkit. More advanced rootkits tamper with more APIs, so that the user cannot see the process (process API blocked) or the files (file read/write API blocked), the opened port is invisible (the socket API of the network component is blocked), and the related network packets are not intercepted (the NDIS API of the network component is blocked). Fortunately the activity indicator of the network device is not controlled by the kernel, otherwise I fear the rootkit would take that away too! The system we use runs on the kernel's functions. If the kernel can no longer be trusted, can the programs that depend on it be trusted?

That explanation was written three years ago. In today's online world, more and more Trojans and backdoors are being wiped out under the suppression of anti-virus products, as if five poisonous creatures had been sealed in a box and left to kill each other: whatever the outcome, one tenacious survivor remains, and the surviving creature is the strongest and most terrible. Anti-virus products do not always survive, but the malicious programs that do survive are bound to be rootkits.
The technology used by the lone surviving creature quickly became the focus of everyone's research and study, so within a few years the rootkit stepped down from its mysterious stage and became more and more "common"; the network finally became a new "AIDS village". In this "civilian" atmosphere the rootkit finally got its civilian name, the driver Trojan, also abbreviated "rk", a term that circulates among the experts. Ordinary Internet users are completely unaware that such a thing exists, or have at most a vague notion of it......

Since everyone has to take control of the native API layer, do these techniques have something in common? The answer is yes. Windows, as a standard system, needs a standard interface between the native API and the user-layer API for passing data, one that restricts users from reaching the kernel through other, unknown paths. That interface is the dynamic link library ntdll.dll. All user-layer API processing ends up calling the relevant API entries in this DLL, but ntdll.dll is only an interface that provides the jump from the user layer to the kernel layer; it is not the body that finally executes the request. Once an API call has been converted into an API function in ntdll, the system reaches a structure called the SSDT (System Service Descriptor Table), and this is the process known as a system service call. For example, when a shell program needs to run a new process it calls the CreateProcess API exported by kernel32.dll. The code in kernel32.dll in fact only wraps the request once more, reshapes it into its own parameters and calls the NtCreateProcess function exported by ntdll.dll; ntdll.dll then enters kernel mode through the interrupt request int 2Eh (Sysenter), handing our original "new process" request to the kernel world as a "service number". Under normal conditions an API call is first resolved through a table that describes function addresses. The SSDT is that table: it records a large index of addresses, namely the locations of the hundreds of native APIs exported in the kernel, plus some other useful information. In this example the system uses the correspondence between the service number recorded in the SSDT and the function to determine which function we want and where it lives in the kernel, and finally makes the call.
After the function executes, the result is passed back through the ntdll interface layer by layer until the requesting program receives a status code indicating the outcome, and the system service call is over.

Given the above principle, both malicious programs and anti-virus products make tampering with the SSDT their first choice for achieving their effect. Simply put: if a malicious program changes the native API address in the SSDT for the service number that obtains process identities so that it points at a driver entry at Ring 0, then every time the system executes that function, the misdirected SSDT routes every request and its parameters through the third-party module, which logs or tampers with them, and all sorts of strange phenomena follow. Take the rootkit technique that hides its own process as an example. The principle is that the SSDT entry for the native API that enumerates processes is redirected to the rootkit's own module. That module then forwards the call to the real system service (if it skips this step, or does it incorrectly, the corresponding system service is voided or the system may even crash) and post-processes the data the real service returns: for example it removes the record carrying its own process name, so the data finally returned naturally makes the process "invisible".

By manipulating the SSDT, rootkits using this technique ran rampant for a while, whether as Trojans, rogue plug-ins or malware, and the authors earning money behind the scenes enjoyed a solid year of success. It did not last long. The concept of anti-rootkit (ARK) was proposed and ARK tools were born, such as the domestic IceSword and Super Patrol. IceSword could show which service numbers no longer pointed where they should; Super Patrol and later ARKs went further and offered a "one-click recovery" function. With a few mouse clicks, the hooks that all third-party programs had mounted on the SSDT were "unhooked", and in a short time the obstacles rk had laid were removed. Within a period of time the momentum of rk was quickly overwhelmed. The world was peaceful, for a short while.

For SSDT hooks, all current anti-rootkit tools, such as IceSword, RKU and Super Patrol, can easily find and remove the hooks ("unhook"). Run IceSword and first click "Process" to check whether any process is marked in red. If there is one, an SSDT hook exists in your system: the red process is a file hidden by the underlying driver. Note its location and terminate it. Then click "SSDT" and you will find some rows marked in red; note the "module where the current service function is located", which is the underlying driver file that implements the SSDT hook. Next, switch Super Patrol to advanced mode and restore the SSDT to its initial state; all of the rootkit's defences are now gone. Finally, go directly to the file you noted down and delete it.

Going further: Shadow SSDT hook
The rk authors were not willing to leave it there, whether out of technical pride or lost income. Since ARK had cost them face or their wallets, "one day the dragon will find its water, and we'll see the Yangtze flow backwards!" Some people began trying to crack the anti-rootkit tools and vowed to fight them; others began a new exploration. In the end both sides got results. First, pjf's masterpiece IceSword was successfully decompiled. The result was assembly rather than the original C source, but for those who study rootkits, assembly reads as easily as an online novel. Soon someone could see the author's detection logic and bypass IceSword and the other rootkit tools that used similar detection methods. Some rk even began to monitor the ARK in turn: as soon as the corresponding ARK driver was loaded, the system immediately burned everything down into a classic blue screen and crashed, and after seeing the blue screen a few times most users simply gave up. Another kind of blue screen comes from a deeper problem, which will be mentioned below.

Researchers working in another direction also reported that in Windows, apart from the SSDT (KeServiceDescriptorTable) that everyone was playing with, another hidden data segment with a structure similar to the SSDT works at the same time. It is called the "Shadow SSDT" (KeServiceDescriptorTableShadow); it is not exported from the system kernel, but it is visible through an external system-level debugger. The Shadow SSDT resembles the SSDT itself, but it mainly provides the system service functions behind the graphical user interface (GUI) and keeps a service list of the same shape as the SSDT, provided, of course, for GUI-based programs to call. The Shadow SSDT lives in win32k.sys and is rarely mentioned in the literature, so it was almost a forgotten corner. The rootkit authors soon discovered that controlling it achieves a similar effect, because the Shadow SSDT offers everything the SSDT does and only takes a few more steps to use, and so rk had a new game. This time it was ARK's turn to be dumb: at that time ARK had not reached the Shadow SSDT at all, so a rootkit that only hooked the Shadow SSDT could survive outside the law, and however users recovered the SSDT to uncover malicious programs, this type of rootkit was never affected!

This state of affairs did not last once ARK tools with Shadow SSDT detection appeared, for example the well-known RootKit Unhooker (RKU), whose powerful SSDT and Shadow SSDT detection and unhooking functions helped many people dig out these new moles, so the rootkit authors had to look for new ways to survive. Because this kind of hook appeared late, many popular ARKs did not cover it, so we can only handle it with tools such as RKU. Run RKU (Rootkit Unhooker). It is English-language software, but the operation is very simple: click "Shadow SSDT". If there is a Shadow SSDT hook in the system, you will find that "Services/Hooked" in the status bar at the bottom of the window no longer reads "xxx/0", and in the row of the hooked function the "Hooked" column says "Yes". Write down the location and address of the file, click "UnHooked ALL", and then delete the file.
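The call path described above (user API, ntdll.dll, service number, SSDT, kernel function) and the check that IceSword, Super Patrol and RKU perform on the SSDT and the Shadow SSDT can be modelled in a short script. The following Python is an added example written for this page; it is not code from the article or from any of those tools. Every module name, load address and table entry is constructed, and `rkdemo.sys` is a hypothetical rootkit driver. The audit flags each entry whose address lies outside the module that owns the table (ntoskrnl.exe for the SSDT, win32k.sys for the Shadow SSDT) or differs from a clean copy, reports which module the entry now points into (the "module where the current service function is located" column), and then performs the "restore all" step.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """One loaded kernel module: name plus its address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module list; every address here is invented.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("win32k.sys", 0xBF800000, 0x1B0000),
    Module("rkdemo.sys", 0xF8A10000, 0x4000),  # hypothetical rootkit driver
]

# Module that legitimately owns every entry of each table.
TABLE_OWNER = {"SSDT": "ntoskrnl.exe", "ShadowSSDT": "win32k.sys"}

# Constructed tables: service number -> handler address.
# CLEAN is what an ARK rebuilds from the kernel files on disk; LIVE is the
# in-memory copy, in which two entries have been redirected into rkdemo.sys.
CLEAN = {
    "SSDT": {0x0035: 0x80579F10, 0x00AD: 0x805C7B20, 0x00BA: 0x805B9C40},
    "ShadowSSDT": {0x0011: 0xBF80A1D0, 0x0068: 0xBF8C3320},
}
LIVE = {
    "SSDT": {0x0035: 0x80579F10, 0x00AD: 0xF8A11230, 0x00BA: 0x805B9C40},
    "ShadowSSDT": {0x0011: 0xBF80A1D0, 0x0068: 0xF8A11580},
}


def owner_of(addr: int):
    """Name of the module whose image contains addr, or None."""
    for m in MODULES:
        if m.contains(addr):
            return m.name
    return None


def dispatch(table_name: str, service_number: int, tables=LIVE) -> int:
    """Model of the kernel side of a system service call: after int 2Eh /
    sysenter the service number is used as an index into the table, and the
    address found there is what actually runs."""
    return tables[table_name][service_number]


def audit(live=LIVE, clean=CLEAN):
    """One finding per entry that points outside the owning module or differs
    from the clean copy; 'module' is where the entry currently points."""
    findings = []
    for table_name, entries in live.items():
        expected = TABLE_OWNER[table_name]
        for svc, addr in sorted(entries.items()):
            owner = owner_of(addr)
            if owner != expected or addr != clean[table_name][svc]:
                findings.append({"table": table_name, "service": svc,
                                 "address": addr, "module": owner or "<unknown>"})
    return findings


def restore(live=LIVE, clean=CLEAN):
    """The 'restore all hooks' step: write the clean addresses back.
    Returns the restored tables and how many entries were changed."""
    restored = {t: dict(e) for t, e in live.items()}
    changed = 0
    for t, entries in restored.items():
        for svc in entries:
            if entries[svc] != clean[t][svc]:
                entries[svc] = clean[t][svc]
                changed += 1
    return restored, changed


if __name__ == "__main__":
    for f in audit():
        print(f"{f['table']:10} service {f['service']:#06x} -> "
              f"{f['address']:#010x} ({f['module']})")
    fixed, n = restore()
    print(f"restored {n} entries; findings after restore: {len(audit(fixed))}")
```

Run as-is the script reports two findings (SSDT service 0xAD and Shadow SSDT service 0x68, both inside rkdemo.sys), restores both and reports zero findings afterwards. The comparison against a clean copy matters as much as the range check: a hook that lands inside the kernel image, as the inline hooks discussed later do, passes the range check alone.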


Approaching the peak: Inline Hook. What is the most ridiculous thing in the world? A road sign deliberately twisted so that it points the wrong way, and you following it without noticing a thing. Or the men's and women's restroom signs swapped by a friend's prank. If you visit a temple one day and find a Taoist chanting inside, you will be astonished: this is ridiculous! In the fanatical rootkit field, the same ridiculous element is spreading, and it is the advanced form of hook, the inline hook.

In the original scheme, every function operation that has a hook installed is eventually handled by the original function module. After all, third-party program writers are not the writers of the Windows system. To keep the system running normally, the most sensible approach is to let the intercepted function request pass through the layer-by-layer checks of the self-written module and, once it is found harmless, immediately send the request on to the place that actually does the work, so that the system can complete the whole workflow. So everyone who plays with the SSDT and similar places is sticking a foot out on the same road, trying to trip the passers-by they do not like. But now there are security guards on the road who chop off feet. What to do? Meeting that challenge is exactly what every researcher finds interesting, and so an absurd idea gave rise to a terrible technology: the inline hook.

In fact the inline hook has existed for a long time as an advanced hooking technique. Some special programs at the user layer, such as game plug-ins, no longer use the misdirected-signpost method to obtain the most complete and reliable data, because a handler installed by the program's writer against exactly this trick will very likely defeat them in the end. So how can that handler be kept from meeting its trigger condition? By not hooking the program at all. But if the program is not hooked, how is the relevant data obtained? Out of this line of thinking a new hook technique was born: it still plays with hooks, but the target is not the program; instead the corresponding API functions in the system are patched. Because the author of any ordinary program trusts the system API absolutely, when the program calls the API and passes its parameters, the module providing that API has already been hooked, and its "prophet", the hooker, gets the data first. What happens next depends on the hook author's programming skill, because he cannot rewrite the system function himself: he must send the data back to the original function's execution module, and if that step is even slightly wrong, the program that called the API crashes and exits.

For this reason the inline hook is a more complex technique than ordinary hooks. Unless the author has deep programming skill and a deep understanding of the system, using it on a large scale is prone to problems: not only do the victims suffer, the attackers fail to obtain the data they need. If an inline hook at the user layer (Ring 3) demands this much care, is anyone in the rootkit world willing to be the first to eat the crab? The answer is yes. When both the SSDT and the Shadow SSDT had been blocked, rootkit technology finally took its step towards the inline hook. Imagine that while every detection tool is eyeing the SSDT, a rootkit has already replaced sensitive functions in the system kernel with its own. A user-layer function request finds the executing body of the corresponding kernel-mode function through the perfectly normal SSDT, without knowing that this executing body has been replaced by the rootkit's impersonation. What happens then? Every detection tool reports that all is well, yet the rootkit is already installed in the machine. If the rootkit has preset destructive behaviour for a certain moment, the user only finds out when the system goes wrong, and even then does not know what happened!

An inline hook at Ring 0 is extremely concealed. Unless the investigator has a deep understanding of the system, he can rack his brains without finding the cause, and for common users even the idea of killing a process is confusing. However, using the inline hook has a price. Because of the complexity of the kernel, and especially because the functions at this layer are called frequently by every program, a hook that has not been thought through completely can be entered directly at an unexpected moment, with serious consequences. Whether a rootkit using inline hooks works normally and stably is therefore closely tied to the author's skill. An immature user-layer inline hook program merely takes the monitored program down with it, producing memory errors and "illegal operation" exits. Down here there is no error-detection module to stop your program before it causes a kernel crash: this is already the bottom layer, and one wrong memory read or write leads directly to a kernel-level crash, commonly known as the BSOD (blue screen of death). The cost of an immature inline hook rootkit is therefore an unstable system. From the user's point of view the computer simply blue-screens inexplicably and easily; this is the consequence of the immature rootkit, but the cost is borne by the affected users.
However, the currently popular inline hook rootkits have basically appeared only after countless blue-screen tests on the developer's machine, so users are not blue-screening frequently because of them, and the inline hook has become the mainstream technique of today's rootkits.

To deal with an inline hook you can use SnipeSword, RKU or Wsyscheck. Take SnipeSword as an example. Click "Extended functions" on the program's main interface and then "SSDT check"; you will be dazzled at first, so right-click and choose "Filter suspicious items" to display only the exceptions (note that snipesword.sys is SnipeSword's own driver; do not mistake it for a hook). If the system has an exception, descriptions such as "hook" and "inline-hook" are listed under "Hook type". First right-click and choose "Restore all hooks", then refresh once. If exception items are still listed, right-click the corresponding row and choose "Restore selected inline-hook".
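The "inline-hook" verdict that SnipeSword, RKU and Wsyscheck print comes from comparing the first bytes of a kernel function in memory with the same bytes in the kernel image on disk, and, when the patch is a jump, decoding where it leads. The following Python script is an added example for this page, not code from the article or from any of those tools. The function bytes, addresses and module ranges are constructed (`rkdemo.sys` is a hypothetical driver, and the reference prologue is the ordinary hot-patchable x86 entry sequence `mov edi,edi / push ebp / mov ebp,esp`); a real ARK reads the live bytes from kernel memory and the reference bytes from ntoskrnl.exe, relocated to its load address.

```python
import struct

# Constructed module map (hypothetical load addresses and sizes).
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x1F8000),
    "rkdemo.sys": (0xF8A10000, 0x4000),   # hypothetical rootkit driver
}


def module_of(addr: int):
    """Name of the module whose image contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


# Reference bytes as read from the kernel image on disk: the usual hot-patchable
# x86 entry sequence  mov edi,edi / push ebp / mov ebp,esp / sub esp,1Ch.
DISK_BYTES = bytes.fromhex("8BFF558BEC83EC1C")
FUNC_ADDR = 0x805C7B20            # hypothetical address of the function in memory

# Two constructed in-memory copies of the same function.
MEM_CLEAN = DISK_BYTES
HOOK_TARGET = 0xF8A11230          # where the patched prologue jumps (inside rkdemo.sys)
MEM_HOOKED = (b"\xE9" + struct.pack("<i", HOOK_TARGET - (FUNC_ADDR + 5))
              + DISK_BYTES[5:])   # first five bytes replaced by  jmp rel32


def decode_jmp_target(func_addr: int, mem: bytes):
    """Absolute target if the function begins with E9 rel32 (jmp), else None.
    rel32 is relative to the address of the instruction that follows the jmp."""
    if len(mem) < 5 or mem[0] != 0xE9:
        return None
    rel = struct.unpack("<i", mem[1:5])[0]
    return (func_addr + 5 + rel) & 0xFFFFFFFF


def check_prologue(func_addr: int, mem: bytes, disk: bytes):
    """Compare the live prologue with the on-disk bytes. Returns None when they
    match, otherwise a finding with the first patched offset and, if the patch
    is a jmp, where it leads and which module that address belongs to."""
    n = min(len(mem), len(disk))
    if mem[:n] == disk[:n]:
        return None
    finding = {
        "address": func_addr,
        "type": "inline-hook",
        "patched_offset": next(i for i in range(n) if mem[i] != disk[i]),
    }
    target = decode_jmp_target(func_addr, mem)
    if target is not None:
        finding["jump_to"] = target
        finding["module"] = module_of(target) or "<unknown>"
    return finding


def restore_prologue(mem: bytes, disk: bytes) -> bytes:
    """The 'restore selected inline-hook' step: put the on-disk bytes back."""
    n = min(len(mem), len(disk))
    return disk[:n] + mem[n:]


if __name__ == "__main__":
    for label, mem in (("clean", MEM_CLEAN), ("hooked", MEM_HOOKED)):
        print(label, check_prologue(FUNC_ADDR, mem, DISK_BYTES))
```

Note that the SSDT entry for this function is untouched throughout, which is exactly why an SSDT-only check reports "normal" while the function's first instruction transfers control into the rootkit's driver. Comparing against the on-disk image also catches patches that are not a plain `jmp`, since any byte difference is reported.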


A tightly wound parasitic vine: FSD hook. As the struggle between rk and ARK progressed, the SSDT hook road (Shadow hook included) was cleared and the inline hook was pulled out too, but some users were surprised to find that they still could not delete the files now lying exposed under their eyes. Why? Before answering, let us look at a few concepts. The operating system does a great deal of work behind the scenes so that users can reach the computer world by tapping the keyboard, clicking the mouse and plugging in a USB flash drive; these functions are aggregated at the lower layers until a usable operating platform is established. The part responsible for managing disk data and reading and writing files is called the file system (FS). Windows operating systems use IOS (input/output supervisor) technology to manage the file system; it takes over all storage devices, such as hard disks, removable disks and optical drives.

IOS is a layered management scheme. The read and write operations of applications appear at the user layer; the next layer down is the interface layer called the Installable File System (IFS). This layer is the final point of convergence for the layers below it, that is, what we see on screen as hard disk drive letters, USB flash drive letters, mapped network drive letters and similar icons, which we can operate on. Below IFS is the layer where the various file system drivers live, the FSD (File System Driver). This layer connects directly to IOS and is responsible for accepting and handling the data of the assigned task; below FSD comes IOS again, and below IOS the path heads towards the hardware. The goal of this kind of rootkit is the last layer before IOS: the FSD.

FSD is the deepest area that Windows opens to programmers (the drivers are provided by the operating system and the hardware vendors), and the permissions at this layer are very high. With control at this level, a developer has the most comprehensive command over file read and write operations. So when every other road had been blocked by the anti-rootkit tools, the rootkit authors began to fight back by blocking the tools from directly killing the rootkits they had found.

FSD was never off limits. Long before, anti-virus vendors and disk encryption vendors had been working at this layer. Some wrote their own FSDs; many more wrote an FSD filter driver (file system filter driver) to analyse the data they were interested in and carry out other work. One key point of a filter driver is hooking the FSD, the "FSD hook". Once you master the FSD, you control other people's file read and write requests by manipulating its data. A rootkit can mark some sensitive files, such as its own driver file and its user-layer components, as unreadable and unwritable by any program other than itself, which shows up directly as files that cannot be edited, renamed or deleted. With this technique the rootkit authors could smile again, because even if the user found the rootkit by various means and terminated its process, the protected files could not be touched. But a hook is still a hook, and someone will always unhook it. After ARK tools that restrain the FSD hook appeared, some people gave up on the FSD, which is hard to operate and easily makes the system unstable. Some, however, continue.

How can this type of rootkit be cleared? Take the simplest tool, Wsyscheck, as an example. Run Wsyscheck first (you will notice an interesting phenomenon: IceSword cannot detect Wsyscheck's hooks, because Wsyscheck uses inline and FSD hooks). Click "Kernel check", select "FSD check", and see whether any item shows "Yes" under "Code exception". If so, right-click the item and select "Restore all functions". The Wsyscheck process list does not use IceSword's logic, so do not be too nervous if you see red rows: red only means the program is an application without a system signature and of a special type (such as a service or one that loads a driver); it is not a "bad guy" verdict as it is in IceSword.
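The "FSD check" described above, and the layered IOS/IFS/FSD picture that precedes it, can be modelled as a walk down a volume's device stack followed by an audit of the file system driver's dispatch table. The Python below is an added example for this page; it is not code from the article or from Wsyscheck. Driver names, load addresses, the device stack and the dispatch addresses are constructed, `rkdemo.sys` is a hypothetical rootkit driver, and `sr.sys` stands in for a legitimate filter; a real ARK reads the `MajorFunction` table from each `DRIVER_OBJECT` and the chain of attached `DEVICE_OBJECT`s from kernel memory. Delete and rename requests travel as `IRP_MJ_SET_INFORMATION`, which is why a hooked entry for that code produces the "file cannot be deleted" symptom from the opening story.

```python
from dataclasses import dataclass, field

IRP_MJ_MAXIMUM_FUNCTION = 0x1B        # dispatch table holds codes 0x00..0x1B
IRP_MJ_CREATE = 0x00
IRP_MJ_SET_INFORMATION = 0x06        # delete and rename travel in this request
IRP_MJ_DIRECTORY_CONTROL = 0x0C      # directory listing


@dataclass
class Driver:
    """Model of a DRIVER_OBJECT: image range plus the MajorFunction table."""
    name: str
    base: int
    size: int
    major_function: list = field(default_factory=list)

    def owns(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Device:
    """Model of a DEVICE_OBJECT: owned by a driver, optionally attached on top
    of a lower device (that is, a filter)."""
    name: str
    driver: Driver
    attached_to: object = None


# Constructed drivers; rkdemo.sys is hypothetical and all addresses are invented.
NTFS = Driver("ntfs.sys", 0xF7A00000, 0x8C000)
SR = Driver("sr.sys", 0xF79E0000, 0x12000)
RKDEMO = Driver("rkdemo.sys", 0xF8A10000, 0x4000)

# Clean NTFS dispatch table: one handler per code, all inside ntfs.sys.
NTFS.major_function = [0xF7A0C000 + 0x40 * i for i in range(IRP_MJ_MAXIMUM_FUNCTION + 1)]

# The same table as an audit might find it in memory: the handlers for
# delete/rename and directory listing now point into rkdemo.sys.
HOOKED_TABLE = list(NTFS.major_function)
HOOKED_TABLE[IRP_MJ_SET_INFORMATION] = 0xF8A11880
HOOKED_TABLE[IRP_MJ_DIRECTORY_CONTROL] = 0xF8A119A0

# Constructed device stack for one volume: rootkit filter on top of a
# legitimate filter on top of the NTFS volume device.
NTFS_DEV = Device("ntfs-volume", NTFS)
SR_DEV = Device("sr-filter", SR, attached_to=NTFS_DEV)
TOP = Device("rk-filter", RKDEMO, attached_to=SR_DEV)

# Constructed allow-list of drivers expected in the stack.
KNOWN_DRIVERS = {"ntfs.sys", "sr.sys"}


def device_stack(top: Device):
    """Walk from the topmost filter down to the base file system device."""
    chain, dev = [], top
    while dev is not None:
        chain.append(dev)
        dev = dev.attached_to
    return chain


def audit_dispatch(driver: Driver, table=None):
    """(code, address) for every entry that leaves the driver's own image:
    the 'code exception' column of an FSD check."""
    table = driver.major_function if table is None else table
    return [(code, addr) for code, addr in enumerate(table) if not driver.owns(addr)]


def audit_stack(top: Device, fsd_table=None):
    """Findings for unknown filters in the stack and for hooked entries in the
    base file system driver's dispatch table."""
    findings = []
    stack = device_stack(top)
    for dev in stack:
        if dev.driver.name not in KNOWN_DRIVERS:
            findings.append({"kind": "unknown-filter", "device": dev.name,
                             "driver": dev.driver.name})
    base = stack[-1].driver
    for code, addr in audit_dispatch(base, fsd_table):
        findings.append({"kind": "fsd-hook", "driver": base.name,
                         "irp_mj": code, "address": addr})
    return findings


def restore_dispatch(table, clean):
    """The 'restore all functions' step. Returns (restored table, entries changed)."""
    restored = list(table)
    changed = 0
    for i, good in enumerate(clean):
        if restored[i] != good:
            restored[i] = good
            changed += 1
    return restored, changed


if __name__ == "__main__":
    for f in audit_stack(TOP, HOOKED_TABLE):
        print(f)
    fixed, n = restore_dispatch(HOOKED_TABLE, NTFS.major_function)
    print("restored", n, "entries; remaining:", audit_dispatch(NTFS, fixed))
```

The two checks are complementary: an unknown filter device sits in the stack even when every dispatch pointer is clean (a filter driver does not need to patch the FSD to see requests), while a patched `MajorFunction` entry is visible even if the rootkit attaches no device at all. Restoring the table is what lets the delete request reach ntfs.sys again; the filter device still has to be accounted for separately.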


To eliminate CNNIC and the rootkits that use the FSD and inline hook techniques, the first choice should be 360 Security Guard. If 360 Security Guard has not yet added the rootkit to its recognised list, however, you have to use the "". The solution is similar to the one above: you only need to "unhook" it. The key point is that you must also check whether the rootkit's user-layer program uses hooks of its own, such as thread injection.

There are more and more rk, and more and more ARKs. Is this a good thing or a bad thing? Naturally the latter. Both rk and ARK must perform the same action, entering the system kernel level to achieve their goal, so incompatibility often arises between ARKs. For example, with another ARK already running, Wsyscheck often reports an error and exits, and if a user runs IceSword while Wsyscheck is open, he is very likely to be greeted by the blue screen.

3. Conclusion
Although the "harmonious network" is promoted everywhere, does "healthy Internet access" only mean keeping out gambling and drugs? In the face of profit, the developers' sense of justice grows ever smaller. Our online world is shadowed closely by the attackers, and the technical battle grows ever fiercer, yet users' computer knowledge does not fill itself in with the development of the times. In the end the mass of Internet users become the victims of all these technical contests. When will this absurd direction of development come to an end?
