Direct kernel object manipulation

Direct kernel object manipulation (DKOM) is a common rootkit technique for Microsoft Windows to hide potentially damaging third-party processes, drivers, files, and intermediate connections from the task manager and event scheduler.

Overview

At its core, a rootkit that employs DKOM hides itself from the Object Manager or Task Manager. By modifying the linked list that holds all active threads and processes, this type of rootkit can hide essentially all traces of itself from the Object Manager by redirecting the list pointers around the rootkit's own entries. This is possible because kernel modules and loadable drivers run with privileged access and can therefore read and write kernel memory directly. When the kernel enumerates the processes running on the system, it relies on the EPROCESS list to find them. However, because the Windows kernel schedules threads rather than processes, these pointers can be modified without any unintended effects. [1] By modifying the linked-list pointers to route around the rootkit process itself, the rootkit becomes invisible to the Windows Event Viewer and to any system integrity applications that rely on this list. This gives DKOM rootkits free rein over the targeted system.

DKOM Uses [2]

Hiding from the Object Manager

Each process is represented as an object, and these objects are interconnected with one another inside the operating system. Within each process there is a pre-allocated set of space that contains the addresses of the current, next, and mutex-locked thread. This vital information is listed in the EPROCESS block in memory; the corresponding section of the Object Manager contains a doubly linked list of all known running processes, which is also referred to as the EPROCESS list. DKOM rootkits take advantage of this structure by modifying the forward link (FLINK) to point to the node before the process that is to be hidden, and by pointing the backward link (BLINK) of the hidden process to the previous structure. [3] By modifying this subsection of the EPROCESS block, the list of currently active processes points around the hidden process. This removes any paper trail of the given process or injector from the scrutiny of the scheduler, because the process is hidden; yet it keeps running indefinitely, because the thread it belongs to remains active under the round-robin scheduling policy. [2]

The main issue with this type of rootkit is that hidden processes are still able to run despite the various context switches. [3] The Windows scheduler dispatches threads, not processes, to perform work; rather, a thread calls into multiple processes during a given time frame. This is governed by the round-robin nature of the scheduler, in which threads are put on idle to allow other threads to run. Even though a process becomes invisible to the Task Manager, it still runs concurrently with the rest of the system because its threads remain active. [4] This makes detecting hidden processes created by the rootkit extremely difficult.

Detection

Rootkit detection is separated into many complex layers, including integrity checking and behavioral detection. By checking CPU usage, incoming and outgoing network traffic, or the signatures of drivers, simple anti-virus tools can detect common rootkits. However, this is not the case with a kernel-mode rootkit. Because these rootkits can hide from the system table and the Event Viewer, detecting them requires looking for hooked functions. Not only is this very difficult to implement, it also requires iterating through each and every node in the EPROCESS list. Yet even though a malicious process is not present in the process list itself, calls are still made to it in the background: processes point to threads, network connections point to processes, and drivers point to threads. For a DKOM rootkit to be viable, it has to hide its presence from every single reference in the EPROCESS. [5] This means the rootkit has to routinely update every link to point away from itself. By iterating through each and every entity known to the scheduler (threads, object headers, etc.), detecting a DKOM rootkit is possible. Certain memory patterns or behaviors may appear in the scheduler, and if one is found, the rootkit itself can eventually be found as well. [5]
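The list surgery described under "Hiding from the Object Manager" and the cross-reference detection described in this section can both be shown in a small user-mode simulation. The following C program is an added example written for this article; it is not code from any of the cited sources or from Windows itself. The `fake_eprocess_t`, `fake_ethread_t`, `active_process_head`, `scan` and `run_scenario` names are constructed stand-ins, and the sample processes and threads are made up. It builds a circular doubly linked list in the shape of ActiveProcessLinks, unlinks one entry the way the text describes, and then detects the hidden entry by walking the thread table and checking that each thread's owning process still appears in the list walk (a cross-view check).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a circular doubly linked list entry. It mirrors the
 * Flink/Blink shape of LIST_ENTRY but is not the Windows definition. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} list_entry_t;

/* Toy stand-in for an EPROCESS block: only the fields this example needs. */
typedef struct fake_eprocess {
    unsigned long pid;
    char name[16];
    list_entry_t ActiveProcessLinks;  /* hooks the block into the global process list */
} fake_eprocess_t;

/* Toy stand-in for a thread object that points back at its owning process. */
typedef struct fake_ethread {
    unsigned long tid;
    fake_eprocess_t *owner;
} fake_ethread_t;

typedef struct scan_result {
    int listed;                      /* processes reachable by walking the list */
    int hidden;                      /* processes referenced by threads but not listed */
    unsigned long first_hidden_pid;  /* pid of the first hidden process, 0 if none */
} scan_result_t;

#define NPROCS 4
#define NTHREADS 6

static fake_eprocess_t procs[NPROCS];
static fake_ethread_t threads[NTHREADS];
static list_entry_t active_process_head;  /* constructed stand-in for the list head */

/* Recover the enclosing process block from its embedded link. */
#define EPROCESS_FROM_LINK(e) \
    ((fake_eprocess_t *)((char *)(e) - offsetof(fake_eprocess_t, ActiveProcessLinks)))

static void list_insert_tail(list_entry_t *head, list_entry_t *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Make the neighbours point around one entry. The block itself stays in
 * memory and its threads keep running; only the list walk no longer sees it. */
static void list_unlink(list_entry_t *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;  /* self-link so a later walk from this block cannot fault */
}

/* Constructed sample state: four processes, six threads, all linked. */
void setup_sample(void) {
    static const char *names[NPROCS] = {"System", "smss.exe", "explorer.exe", "hidden.exe"};
    static const int owners[NTHREADS] = {0, 1, 2, 2, 3, 3};
    active_process_head.Flink = active_process_head.Blink = &active_process_head;
    for (int i = 0; i < NPROCS; i++) {
        procs[i].pid = 4UL * (i + 1);
        strncpy(procs[i].name, names[i], sizeof procs[i].name - 1);
        procs[i].name[sizeof procs[i].name - 1] = '\0';
        list_insert_tail(&active_process_head, &procs[i].ActiveProcessLinks);
    }
    for (int i = 0; i < NTHREADS; i++) {
        threads[i].tid = 100UL + i;
        threads[i].owner = &procs[owners[i]];
    }
}

/* Simulated DKOM: drop process `idx` out of the list without freeing it. */
void hide_process(int idx) { list_unlink(&procs[idx].ActiveProcessLinks); }

/* List-walk view: what a tool that only follows the process list sees. */
static int is_listed(const fake_eprocess_t *p) {
    for (list_entry_t *e = active_process_head.Flink; e != &active_process_head; e = e->Flink)
        if (EPROCESS_FROM_LINK(e) == p) return 1;
    return 0;
}

/* Cross-view scan: the list walk versus the set of processes that threads
 * point back to. Anything owned by a thread but missing from the list is
 * exactly the state a DKOM hide leaves behind. */
scan_result_t scan(void) {
    scan_result_t r = {0, 0, 0};
    const fake_eprocess_t *seen[NTHREADS];
    int nseen = 0;
    for (list_entry_t *e = active_process_head.Flink; e != &active_process_head; e = e->Flink)
        r.listed++;
    for (int i = 0; i < NTHREADS; i++) {
        const fake_eprocess_t *p = threads[i].owner;
        int dup = 0;
        for (int j = 0; j < nseen; j++) if (seen[j] == p) dup = 1;
        if (dup) continue;
        seen[nseen++] = p;
        if (!is_listed(p)) {
            if (r.hidden == 0) r.first_hidden_pid = p->pid;
            r.hidden++;
        }
    }
    return r;
}

/* Convenience: fresh sample, optionally hide one process, then scan. */
scan_result_t run_scenario(int hide_idx) {
    setup_sample();
    if (hide_idx >= 0 && hide_idx < NPROCS) hide_process(hide_idx);
    return scan();
}

int main(void) {
    scan_result_t before = run_scenario(-1);
    scan_result_t after = run_scenario(3);
    printf("clean system : %d listed, %d hidden\n", before.listed, before.hidden);
    printf("after DKOM   : %d listed, %d hidden (first hidden pid %lu)\n",
           after.listed, after.hidden, after.first_hidden_pid);
    return 0;
}
```

Run as a plain C program it prints the list-walk count before and after the unlink, and the cross-view scan reports the process that disappeared from the list while its threads still reference it. A memory-forensics tool applies the same idea to a memory image, comparing the list walk against process objects discovered independently (thread objects, handle tables, pool allocations), since an unlinked EPROCESS block is still in memory and still referenced by everything that has not also been edited.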

References

  1. Butler, Jamie. "DKOM". HBGary. https://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf. Retrieved 14 May 2014.
  2. Miller, Harry. "BSOD Tutorials: Rootkits". BSODTutorials, 27 January 2014. http://bsodtutorials.blogspot.com/2014/01/rootkits-direct-kernel-object.html. Retrieved 1 May 2014.
  3. FlUxIuS. "Ring Of Fire: Rootkits". WordPress, 2 January 2011. http://fluxius.handgrep.se/2011/01/02/ring-0f-fire-rootkits-and-dkom/. Retrieved 5 May 2014.
  4. Florio, Elia. "When Malware Meets Rootkits". Symantec, December 2005. https://www.symantec.com/avcenter/reference/when.malware.meets.rootkits.pdf. Retrieved 9 May 2014.
  5. Kornblum, Jesse. "Windows Memory Forensics". Kyrus Technology, 2006. http://jessekornblum.com/presentations/dodcc11-2.pdf. Retrieved 14 May 2014.