Re: [Dailydave] HITB trip report

From: Joanna Rutkowska (joannainvisiblethings.org)
Date: Mon Oct 03 2005 - 15:16:02 CDT


Dave Aitel wrote:
> Joanna Rutkowska's talk on Windows kernel rootkit finding was good - her
> basic hypothesis (which I agree with) is that if you enumerate all the
> places in the kernel people can hook, you can write a reliable rootkit
> detector. My stance is that there's just not enough entropy in the
> kernel to truly hide in.

Basically, Dave claims that it is possible to write custom backdoors
which would hijack code pointers (which are located in the data section, so
we cannot check their integrity with a tool like SVV) in *specific*
applications (like a web server process or so) and would act as a
sniffer, because the code pointer would point to a function processing
the packets received from the network... I agree with his point of view,
with the following restrictions, however:

1) it may be extremely difficult to do it in an application written in C
(we need to be quite lucky so that the application we're exploiting actually
calls the packet processing function via a code pointer)

2) in the case of an application written in C++ it should be easy to write a
program for checking the integrity of VPTR tables (check if all pointers
point to code located in a valid code section).

3) this is definitely a good way of writing a network/application
sniffer, but is probably not enough to implement, for example, a
keystroke logger... And it is definitely not enough to implement classic
rootkit functionality like file, registry or process hiding... On the
other hand, sometimes it may not be necessary for the malware to survive
the reboot, and then we don't need to worry about file/registry hiding...

Anyway, it would be interesting to see if anybody actually makes use of
this idea in the wild (or just in a working proof-of-concept) so I could
add appropriate checks into the OMCD document ;)

>
> Overall - professionally organized, well put-together conference. Hotel
> was 5 star...and it showed. Conference is largely under-priced, even
> including plane ticket price.

Yes, the conference was really great :)

regards,
joanna.
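An added example, not part of this message or of anything Joanna or Dave wrote, of the VPTR-table integrity check sketched in point 2: every entry of a table of code pointers must land inside memory that is mapped executable. It assumes Linux, reading executable mappings from /proc/self/maps, as a stand-in for the Windows PE code-section check the thread has in mind; the table contents and the hijacked entry are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* A C++ vtable is, at bottom, an array of code pointers; this is the
   C-side stand-in used by the check below. */
typedef void (*handler_fn)(void);

/* Returns 1 if addr lies inside a mapping with execute permission,
   0 if it does not, -1 if /proc/self/maps is unavailable (Linux only). */
int addr_in_exec_mapping(uintptr_t addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], perms[5];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        /* Each line starts "lo-hi perms ..."; perms[2] is the 'x' bit. */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (perms[2] == 'x' && addr >= lo && addr < hi) { found = 1; break; }
    }
    fclose(f);
    return found;
}

/* Walks n table entries and counts those that do not point into
   executable memory, i.e. entries redirected to heap or stack data.
   An unreadable maps file is counted as bad rather than silently passed. */
int count_bad_entries(const handler_fn *table, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (addr_in_exec_mapping((uintptr_t)table[i]) != 1) bad++;
    return bad;
}

static void on_packet(void) {}
static void on_close(void) {}

/* Constructed scenario: a clean table next to one whose second entry has
   been redirected into a heap buffer. Returns 1 if the check distinguishes
   them (0 bad entries vs. exactly 1), 0 otherwise. */
int demo(void)
{
    handler_fn clean[2] = { on_packet, on_close };
    unsigned char *heap = malloc(64);
    handler_fn hijacked[2] = { on_packet, (handler_fn)(uintptr_t)heap };
    int ok = count_bad_entries(clean, 2) == 0 && count_bad_entries(hijacked, 2) == 1;
    free(heap);
    return ok;
}
```

On Windows the same walk would compare each entry against the executable sections listed in the loaded modules' PE headers rather than against /proc/self/maps.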