Besides the old SkypeTrojan rootkit I’ve found other documents and tidbits from that time (around 2005/2006). For example, Kodmaker wrote an article about rootkits in the Windows user space for Phrack magazine: how to inject code into a running process, how to take over applications, how to extract account data from network traffic, etc. At that time my understanding of rootkits was rather small. I knew what they do, but building one myself, working in kernel space, provoking bluescreen after bluescreen and programming Windows kernel modules was too intimidating. But user space rootkits in a language I spoke, having more or less the same effect as Ring 0 rootkits with less pain, sounded like fun.
Even now, four or five years later, this document is still valid. I can’t tell you whether it still works as a rootkit or is still as effective as it was then, but code injection should still be feasible. So if you ever wanted to learn how to sniff user account data from a network stream or take over processes, I heavily recommend that you read this article. It explains the basics, it’s less painful because you work in user space, and there is instant gratification if you copy/paste it right.
This paper describes how to build a Windows user land rootkit. The first
part deals with the basics and describes a few methods to show how code
injection and code interception are possible, while the rest of the paper
covers the strategy that makes stealth possible in user land. A bigger
version of the paper is also available at [1] so that novice people can
refer to a preliminary article about injection and interception basics.

Table of contents
1. Introduction
2. Code Injection and interception
2.1. System Hooks
2.2. CreateRemoteThread
2.3. Manipulating thread’s context
2.4. Redirecting the Import Address Table
2.5. Inserting an unconditional jump (jmp)
3. User land take over
3.1. User land vs Kernel land rootkits
3.2. Restrictions…
3.3. …and constraints
3.4. Setting a global hook to take over userland
3.5. Local application take over
4. Replacement functions
4.1. Process hiding
4.2. File hiding
4.3. Registry
4.4. Netstat-like tools
4.4.1. The case of Windows 2000
4.4.1.1. Hooking GetTcpTable
4.4.1.2. Defeating netstat
4.4.1.3. Defeating Fport
4.4.2. The case of Windows XP
4.5. Global TCP backdoor / password grabber
4.6. Privilege escalation
4.7. Module stealth
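As an added illustration of the code-interception technique the paper lists under 2.5 (inserting an unconditional jump), here is a minimal inline jmp hook. It is example code written for this post, not code from the Phrack article or from Kodmaker, and it targets Linux on x86/x86-64 so it can be compiled and run anywhere: mprotect plays the role VirtualProtect plays on Windows, and the 5-byte `E9 rel32` patch is the same on both. The functions original_checksum, hooked_checksum, install_jmp_hook and demo_hook_result, and the marker value 0xDEAD, are all made up for the demo.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "This demo patches x86 machine code (E9 rel32) and only runs on x86/x86-64 Linux."
#endif

typedef int (*hash_fn)(const char *);

/* Victim function (a djb2 hash, masked positive). The loop keeps it well over
 * the 5 bytes the patch overwrites, at every optimisation level. */
__attribute__((noinline)) int original_checksum(const char *s)
{
    unsigned int h = 5381;
    while (*s)
        h = h * 33 + (unsigned char)*s++;
    return (int)(h & 0x7fffffffu);
}

/* Replacement the rootkit wants executed instead. A real hook would call the
 * original through a trampoline and tamper with its result; this demo just
 * returns a made-up marker value (0xDEAD = 57005) so the redirection is visible. */
__attribute__((noinline)) int hooked_checksum(const char *s)
{
    (void)s;
    return 0xDEAD;
}

/* Overwrite the first five bytes of `target` with `jmp rel32` to `replacement`.
 * Returns 0 on success, -1 if the page cannot be made writable or the
 * displacement does not fit in 32 bits. The overwritten bytes are not saved,
 * so after this call the original code can no longer be reached. */
int install_jmp_hook(void *target, void *replacement)
{
    const size_t patch_len = 5;
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)target & ~(page - 1);
    size_t len = ((uintptr_t)target + patch_len) - start; /* may span two pages */

    /* jmp rel32 is relative to the end of the 5-byte instruction. */
    intptr_t rel = (intptr_t)replacement - ((intptr_t)target + (intptr_t)patch_len);
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;

    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;

    unsigned char patch[5];
    int32_t rel32 = (int32_t)rel;
    patch[0] = 0xE9;                              /* JMP rel32 */
    memcpy(patch + 1, &rel32, sizeof rel32);
    memcpy(target, patch, patch_len);

    mprotect((void *)start, len, PROT_READ | PROT_EXEC);
    __builtin___clear_cache((char *)target, (char *)target + patch_len);
    return 0;
}

/* Install the hook and return what a caller of original_checksum() now sees.
 * The call goes through a volatile pointer so the compiler cannot inline or
 * fold it; -1 signals that installation failed. */
int demo_hook_result(void)
{
    volatile hash_fn fn = original_checksum;
    int before = fn("phrack");
    if (install_jmp_hook((void *)original_checksum, (void *)hooked_checksum) != 0)
        return -1;
    int after = fn("phrack");
    printf("before hook: %d, after hook: %d\n", before, after);
    return after;
}

int main(void)
{
    return demo_hook_result() == 0xDEAD ? 0 : 1;
}
```

Two things the demo leaves out on purpose: a usable hook saves the bytes it overwrites and builds a trampoline so the replacement can still call the original, and it has to cope with other threads executing the function while the patch is being written. The same mechanism is what detection keys on: comparing the first bytes of exported functions in memory against the on-disk image exposes this kind of patch immediately.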
You can find the complete article here.