Kernel Mode Ircbot

by tibbar @ 2006-04-06 - 20:00:27

The world of malware and rootkits has evolved a lot over the last two years; the most significant developments have been in the sophistication of rootkits.

In case the term "rootkit" doesn't mean much, a rootkit is basically a program that subverts the operating system and allows the attacker to hide certain files and programs from the user. It usually also provides a hidden backdoor into the system, and hides network connections made through the backdoor from the user.

Windows rootkits have generally fallen into two classes: "usermode" rootkits, which run as a normal application (or possibly as an injected DLL), and "kernelmode" rootkits, which are actually device drivers running at the highest privilege level (ring 0).

Generally, the kernel mode rootkits will hide files, hide network connections and, in the most sophisticated cases, provide a kernel mode backdoor. This means all the functionality is held within a single driver (.sys file), and it is extremely difficult to detect whether one is installed on a machine.

However, the attacker will rarely be able to provide all the functionality they need purely in a driver, and still needs to rely on usermode applications for things like FTP servers, IRC bots etc.

So I thought it would be interesting to see how hard it is to actually provide this part of the attacker's toolkit directly within the kernel mode driver.

One of the developers from rootkit.com, called Valerino, released a kernel mode socket library that allows you to create sockets from a kernel mode driver with reasonable ease. His post is here:
http://www.rootkit.com/newsread.php?newsid=416

I have used this library to create what I believe is the world's first kernel mode IRC bot. It's extremely basic in its current form and will just join a channel and respond to its name. But it is a framework that can be built upon, and you could in theory write an extremely complex IRC bot in this fashion.

Here's a screenshot of the Sysinternals app "DebugView", which allows you to see kernel debug messages. I have set the IRC bot to output text received on IRC into the debug messages:

As I have very limited time for development, I thought I would share this one with the world. The source lives at:

http://tibbar.gso.googlepages.com/KIrcBot.rar

and I have set this up in Visual Studio 2003. There are two build modes: usermode and kernelmode.

I essentially wrapped up the kernel socket functions Valerino wrote to conform with Berkeley sockets to some extent, which means that the IRC bot can be compiled either as a driver or as a usermode executable. The reason for doing this is that it is notoriously hard to develop kernel mode applications and the test process is very slow; by allowing usermode builds, the code can be perfected in usermode before beginning the kernel mode tests.

If you want to compile using the DDK, the batch file should be used.

Finally, if you want to support my releases, then I would be grateful if you could take some time to visit any sponsors on this page that are of interest to you.

Tibbar.

Comments, Trackbacks:

Trackback from:Lavasoft Weblog [Visitor]

Kernel mode IRC bot …
Today again, Jan, one of my colleagues here at Lavasoft pointed me to an article. This article is based on this blog entry. Seemingly someone took the time to write a kernel-mode module that communicates via IRC. Nothing really sophisticated, given th...

SpannerITWks [Visitor]

07/04/06 @ 13:44

Hi,

Well this should quieten down those peeps who say RK's are not a real threat and we can all just ignore them.

Here's more evidence -

Malware Evolution: 2005, part two by Yury Mashevsky Virus Analyst, Kaspersky Lab

" An average of 6 rootkits per month were detected in 2000, but by the end of 2005, Kaspersky Lab analysts were detecting 32 such programs a month. This almost quadruple increase is shown in the graph below: "

" Throughout last year, kernel-mode rootkits gradually gained in popularity over user-mode rootkits "

http://www.viruslist.com/en/analysis?pubid=182974451

Spanner

Evolution in the world of Windows rootkits
Until now, Windows kernel rootkits suffered from a significant limitation: to communicate with the outside world, they had to go through a user-mode application. It was not possible for them to send, receive or listen...

Panic [Visitor]
http://www.egocrew.de
07/04/06 @ 22:23

Nice article, I will now check your source. Well, this is the next generation, I guess....

Steo [Visitor]
http://www.antirootkit.com
13/04/06 @ 18:26

Tibbar,
nice article. Will have a good look at it. Thanks,

regards
Steo.

DefconHaya [Visitor]
http://footmenfrenzy.blogspot.com/
14/04/06 @ 13:48

Very interesting!
Let's just hope that kernel-mode RK's don't become so popular.

Good Luck !

Trackback from:c64allstars [Visitor]

Kernel Mode IRCBot
A little bit older, but still very interesting is the blog entry of Tibbar concerning a Kernel Mode IRCBot:
One of the developers from rootkit.com called Valerino released a kernel mode socket library, that allows you to create sockets from a kernel mo...

flykoo [Visitor]
http://www.flykoo.com
02/11/06 @ 18:14

Wow, thanks. Interesting article, good work!

Regards
flykoo

mugg [Visitor]

09/03/07 @ 23:05

What's up with the 'build -D KERNELMODE' line in the batch file? DDK no likey:

C:\VX\Rootkits\KernelIRCbot>build -nmake "-D KERNELMODE"
BUILD: Adding /Y to COPYCMD so xcopy ops won't hang.
BUILD: Object root set to: ==> objfre_wxp_x86
BUILD: Compile and Link for i386
BUILD: Computing Include file dependencies:
BUILD: Examining c:\kbot\kernelircbot directory for files to compile.
c:\kbot\kernelircbot - 4 source files (1,733 lines)
BUILD: Saving c:\winddk\3790\build.dat...
BUILD: Compiling c:\vx\rootkits\kernelircbot directory
NMAKE : U1073: don't know how to make 'KERNELMODE'
BUILD: nmake.exe failed - rc = 2
BUILD: Compile errors: not linking c:\kbot\kernelircbot directory
BUILD: Done

F0rg3 [Visitor]

13/10/07 @ 20:38

Stinky Spammers..they have no respect for privacy and content..shame shame..

Nice info..but i would like you to re-upload the source as it is no more available where you put it..please kindly use rapidshare or megaupload and if you need an account ..pm me.ok? Cheers
