Manuel Jirado High Voltage Power Supply

Splicer Kit

Simple Antirootkit

1. SST: references
2. Algorithm
3. Memory mapped files
4. Implementation
5. Demonstration
6. How to build

Written by:
Victor Milokum, Development Leader of Network Security Team.

http://www.apriorit.com

1. SST: references

This article is a logical continuation to the article "Driver to Hide Processes and Files" http://www.codeproject.com/KB/system/hide-driver.aspx by Ivan Romananko. You can find all necessary information about System Service Table (SST) and its hooking in it.

In this article I would like to present how to write your own unhooker that will restore original SST hooked by drivers like Ivan's one.

2. Algorithm

My goal is to write a simple driver for SST hooking detection and removing purposes.

This means that our driver should not use various Zw-functions and SST table because I suppose that SST table is corrupted by unknown rootkits.

I do not care about filter drivers and function code splicers for now, but maybe I will come back to them in future.

The simplest way to detect and remove hooks is to compare SST that is placed in memory with the initial SST from ntoskernel.exe file.

So the goal is:

1. to find ntoskernel module in memory;
2. to find the section of ntoskernel where SST is placed and to calculate relative offset of SST in the section;
3. to find this section in the ntoskernel.exe file;
4. to calculate real address of SST in the file;
5. to read values from the file and to compare them with SST.

But before the implementation I would like to present some additional information.

3. Memory mapped files in kernel mode

"A memory-mapped file is a segment of virtual memory which has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource". (c) Wiki

Yeah, we want to parse the PE file and memory mapped files are very useful for this task.

And it is easy enough to use mapped files API from the kernel mode, because it is very similar to Win32 API. Instead of CreateFileMapping and MapViewOfSection functions in kernel mode driver should access

NTSTATUS ZwCreateSection( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL );

and

NTSTATUS ZwMapViewOfSection( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG_PTR ZeroBits, IN SIZE_T CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PSIZE_T ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Win32Protect );

functions.

But if we use these functions we will break our own rule not to use SST. Also, it is good for antirootkit to use extremely low level functions in the hope of being invisible to the possible rootkits.

With regard to this we can use undocumented functions of Memory Manager (Mm), of course at our own risk:

NTSTATUS
MmCreateSection ( OUT PVOID *SectionObject, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL, IN PFILE_OBJECT File OPTIONAL ); NTSTATUS
MmMapViewOfSection( IN PVOID SectionToMap, IN PEPROCESS Process, IN OUT PVOID *CapturedBase, IN ULONG_PTR ZeroBits, IN SIZE_T CommitSize, IN OUT PLARGE_INTEGER SectionOffset, IN OUT PSIZE_T CapturedViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect ); NTSTATUS
MmUnmapViewOfSection( IN PEPROCESS Process, IN PVOID BaseAddress ); NTSTATUS drv_MapAllFileEx(HANDLE hFile OPTIONAL, drv_MappedFile * pMappedFile, LARGE_INTEGER * pFileSize, ULONG Protect)
{ NTSTATUS status = STATUS_SUCCESS; PVOID section = 0; PCHAR pData=0; LARGE_INTEGER offset; offset.QuadPart = 0; // check zero results if (!pFileSize->QuadPart) goto calc_exit; status = MmCreateSection (&section, SECTION_MAP_READ, 0, // OBJECT ATTRIBUTES pFileSize, // MAXIMUM SIZE Protect, 0x8000000, hFile, 0 ); if (status!= STATUS_SUCCESS) goto calc_exit; status = MmMapViewOfSection(section, PsGetCurrentProcess(), (PVOID*)&pData, 0, 0, &offset, &pFileSize->LowPart, ViewUnmap, 0, Protect); if (status!= STATUS_SUCCESS) goto calc_exit; calc_exit: if (NT_SUCCESS(status)) { pMappedFile->fileSize.QuadPart = pFileSize->QuadPart; pMappedFile->pData = pData; pMappedFile->section = section; } else { if (pData) MmUnmapViewOfSection(PsGetCurrentProcess(), pData); if (section) { ObMakeTemporaryObject(section); ObDereferenceObject(section); } } return status;
}

This example demonstrates an alternative approach to the usage of mapped files through MmCreateSection/MmMapViewOfSection functions.

The presented approach is pretty good because it doesn't utilize Zw* functions and even handles at all, but it has one restriction. If you start this sample from DriverEntry it will work fine, but if you start it from the IRP_MJ_DEVICE_CONTROL handler you will see that MmCreateSection function fails with STATUS_ACCESS_DENIED. Why?

The answer is: Zw* functions do one good thing - they set previous mode to KernelMode and this allows to utilize kernel mode pointers and handles as parameters for them (for more information see Nt vs. Zw - Clearing Confusion On The Native API article - http://www.osronline.com/article.cfm?id=257)

So, the presented above function can be called only from DriverEntry or from the system thread.

4. Algorithm implementation

I designed the following structure to save all ntoskernel parsing results:

#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _Drv_VirginityContext
{ drv_MappedFile m_mapped; HANDLE m_hFile; UCHAR m_SectionName[IMAGE_SIZEOF_SHORT_NAME+1]; ULONG m_sstOffsetInSection; char * m_mappedSST; ULONG m_imageBase; char * m_pSectionStart; char * m_pMappedSectionStart; char * m_pLoadedNtAddress;
}Drv_VirginityContext;

And I implemented the chosen algorithm as follows:

static NTSTATUS ResolveSST(Drv_VirginityContext * pContext, SYSTEM_MODULE * pNtOsInfo)
{ PIMAGE_SECTION_HEADER pSection = 0; PIMAGE_SECTION_HEADER pMappedSection = 0; NTSTATUS status = 0; PNTPROC pStartSST = KeServiceDescriptorTable->ntoskrnl.ServiceTable; char * pSectionStart = 0; char * pMappedSectionStart = 0; // Drv_ResolveSectionAddress function detects // to which section pStartSST belongs // pSection will contain the section of ntoskernel.exe that contains SST pContext->m_pLoadedNtAddress = (char*)pNtOsInfo->pAddress; status = Drv_ResolveSectionAddress(pNtOsInfo->pAddress, pStartSST, &pSection); if (!NT_SUCCESS(status)) goto clean; // save section name to context memcpy(pContext->m_SectionName, pSection->Name, IMAGE_SIZEOF_SHORT_NAME); // calculate m_sstOffsetInSection - offset of SST in section pSectionStart = (char *)pNtOsInfo->pAddress + pSection->VirtualAddress; pContext->m_sstOffsetInSection = (char*)pStartSST - pSectionStart; // find section in mapped file - on disk! status = Drv_FindSection(pContext->m_mapped.pData, pSection->Name, &pMappedSection); if (!NT_SUCCESS(status)) goto clean; pMappedSectionStart = (char *)pContext->m_mapped.pData + pMappedSection->PointerToRawData; pContext->m_mappedSST = pMappedSectionStart + pContext->m_sstOffsetInSection; { // don´t forget to save ImageBase PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)pContext->m_mapped.pData; PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((char*)dosHeader + dosHeader->e_lfanew); pContext->m_imageBase = pNTHeader->OptionalHeader.ImageBase; } pContext->m_pSectionStart = pSectionStart; pContext->m_pMappedSectionStart = pMappedSectionStart;
clean: return status;
}

And here is the function that returns real value of SST:

void Drv_GetRealSSTValue(Drv_VirginityContext * pContext, long index, void ** ppValue)
{ char * pSST = pContext->m_mappedSST; ULONG * pValue = ((ULONG *) pSST) + index; // now pValue points to the mapped SST entry // but entry contains offset from the beginning of ntoskernel file, // so correct it *ppValue = (void*)(*pValue + (ULONG)pContext->m_pLoadedNtAddress – pContext->m_imageBase);
}

After that it is quite simple to implement main functionality:

virtual NTSTATUS ExecuteReal()
{ CAutoVirginity initer; NT_CHECK(initer.Init(&m_virginityContext)); // now we are ready to scan   for(int i = 0, sstSize = Drv_GetSizeOfNtosSST(); i < sstSize; ++i) { void ** pCurrentHandler = Drv_GetNtosSSTEntry(i); void * pRealHandler = 0; Drv_GetRealSSTValue(&m_virginityContext, i, &pRealHandler); if (pRealHandler != *pCurrentHandler) { // oops, we found the difference! // unhook this entry Drv_HookSST(pCurrentHandler, pRealHandler); } } return NT_OK;
}

This tiny cycle completely removes all SST hooks and brings SST to its initial state.

6. Demonstration

For testing purposes I developed simple console utility named unhooker.exe. This utility can be started without parameters; in this case it shows information about its abilities:

1. "stat" command shows statistics about SST hooking;
2. "unhook" command cleans SST;

This sample demonstrates how to use utility to detect and erase hooks:

Have fun!

6. How to build

Build steps are the same as in the "Hide Driver" article. They are:

1. Install Windows Driver Developer Kit 2003 - http://www.microsoft.com/whdc/devtools/ddk/default.mspx
2. Set global environment variable "BASEDIR" to path of installed DDK. Go here: Computer -> Properties -> Advanced -> Environment variables ->System Variables -> New

And set it like this: BASEDIR -> c:winddk3790
(You have to restart your computer after this.)

If you choose Visual Studio 2003, then you can simply open UnhookerMain.sln and build all.

Downloads (solution and sources)

About the Author

Apriorit is worldwide provider of professional consulting and software development services.

Company operates in the advanced IT fields like Virtualization, Corporate Security, Driver Development.

www.apriorit.com

Klein Tools 94051 Cable Splicer Kit. 1 Kit $40.64 Manufacturer: Klein Tools. 1 Kit. Includes = Scissors, Splicer's Knife, Pouch Customers also search for: Discount 94051 Cable Splicer Kit, Buy 94051 Cable Splicer Kit, Wholesale 94051 Cable Splicer Kit, 092644940514, 46037, Scissors Shears and Trimmers

Klein Tools 40946037 94051 Cable Splicer Kit $58.6 Includes: Scissors Splicer s Knife Pouch. Many designs available match your personal style. Satisfaction ensured.

Gardner Bender NO.6NO.0000 AWG Aluminum Splicer Reducer GSPA40 $29.31 Splicer or reducer

Turning Point Cruiser and Shears Cable Splicer Kit $81.06 This professional cable-stripping set includes an innovative knife that electricians and telecom engineers can use to remove the plastic jacket from cable up to 50 mm OD. The tools have high-carbon stainless steel blades.Set includes one (1) cable-stripping knife and one (1) pair of shearsErgonomic modern handles and finger holders allow for both right- and left-handed usersVersatile blade guardKnife strips wires of varying size, from gauge AWG 10 to 20Vacuum-hardened and precision-ground blade for long-lasting edgeOne-hand operationModel: OSNU993CE Blade materials: High-carbon stainless steelHandle materials: Nylon, fiberglassCruiser dimensions: 6.8 inches deepShears dimensions: 3 inches wide x 5.5 inches deepCase dimensions: 1.5 inches high x 7.2 inches wide x 4.3 inches deep

Campbell Hausfeld MP3314 3/8-in Hose Repair Kit $4.99 3/8-in Hose Repair Kit - MP3314. (1) Hose Splicer. (1) Hose End. (3) Hose Clamps

Plews lubrimatic Plews lubrimatic Hose Splicer 21-467 $1.34 Hose splicer Barb-type 1 per card 3/8? i.d. hose Brand #: Plews/Lubrimatic 21-467 UPC: 028893214670 Keywords: air hose repair fitting splicer

Western Enterprises 31235 Splicer Spiral $19.01 Connection Type: Barb/Barb. Hose I.D.: 3/16 [Min] 3/16 [Max]. Pressure: 200.00 PSIG [Max]. Material: Brass. Shape: Straight. Style: Spiral Hex. Type: Splicer.

Western Enterprises 31248 Splicer Barb $22.04 Connection Type: Barb/Barb. Hose I.D: 1/2 [Min] 1/2 [Max]. Pressure: 200.00 PSIG [Max]. Material: Brass. Shape: Straight. Style: Barb Round. Type: Splicer.

Western Enterprises Splicer Spiral. Each $2.75 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 3/16 in [Min], 3/16 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Spiral Hex Packing Type = Splicer Customers also search for: Discoun

Western Enterprises Barb Splicer. Each $1.22 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 1/4 in [Min], 1/4 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Barb Round Packing Type = Splicer Customers also search for: Discount

Western Enterprises Splicer Barb. Each $1.18 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 3/8 in [Min], 3/8 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Barb Round Packing Type = Splicer Customers also search for: Discount

Klein Tools Splicer Pouch. Each $10.14 Manufacturer: Klein Tools. Each. Riveted and stitched for extra durability Specially designed to hold a pair of electrician?s scissors (Klein No. 2100-5 or 2100-7), and Cat. No. 44200 cable-splicer?s knife Height = 7 1/4 in Width = 2 in No. of Compartmen

Thomas & Betts Thomas & Betts Cable Splicer reducer ASR2506 $13.44 Cable splicer/reducer Splicer/reducer with solid barrier wire stop, all aluminum body, tin plated for low contact resistance For copper and aluminum conductors UL listed 250 kcmil to 6 Str AWG Brand #: Thomas & Betts ASR2506 UPC: 783786133239 Keywords: reducer splicer cable wire stop

Plews lubrimatic Plews lubrimatic 1 4 inid Hose Splicer 21-423 $1.04 1/4?id hose splicer Barb-type 1 per card 1/4? i.d. hose Brand #: Plews/Lubrimatic 21-423 UPC: 028893214236 Keywords: air hose repair fitting splicer

Powerfields Double Post Rope Splicer 1/4 in $5.49 An effective double post splicer for 1/4" electric rope. Features: Durable and reliable 6mm splice provides strong union on hefty wire ropes Size: 4 Count

Powerfields Single Post Rope Splicer 1/4in $6.49 Powerfields Single Post Rope Splicer 1/4" Stainless steel splice buckle for splicing tolls of Hot Rope or Hot Braid. Also used to terminate at end of run. Provides a strong connection with maximum conductivity. 4 pack.

Western Enterprises 312D38 We D38 Splicer $45.07 Connection Type: Barb/Barb. Hose I.D.: 3/4 [Min] 3/4 [Max]. Pressure: 200.00 PSIG [Max]. Material: Brass. Shape: Straight. Style: Barb Hex. Type: Splicer.

Western Enterprises 312238 We 238 Splicer $19.38 Connection Type: Barb/Barb. Hose I.D.: 3/8 [Min] 3/8 [Max]. Pressure: 200.00 PSIG [Max]. Material: Brass. Shape: Straight. Style: Spiral Hex. Type: Splicer.

Western Enterprises 31234 We 34 Splicer $18.85 Material: Brass. Connection Type: Barb/Barb. Shape: Straight. Style: Spiral Hex. Type: Splicer. Hose I.D.: 1/4 in. [Min] 1/4 in. [Max]. Pressure: 200.00 PSIG [Max].

Western Enterprises 31238 We 38 Splicer $18.01 Connection Type: Barb/Barb. Hose I.D.: 3/16 [Min] 3/16 [Max]. Pressure: 200.00 PSIG [Max]. Material: Brass. Shape: Straight. Style: Barb Hex. Type: Splicer.

Western Enterprises 312139 We 139 Splicer $17.88 Connection Type: Barb/Barb. Hose I.D.: 5/16 in [Min] 5/16 in [Max]. Pressure: 200.00 PSIG [Max]. Material: Brass. Shape: Straight. Style: Barb Hex. Type: Splicer.

Western Enterprises 31253 We 53 Splicer $18.68 Material: Brass. Connection Type: Barb/Barb. Pressure: 200.00 PSIG [Max]. Shape: Straight. Style: Barb No Stop. Type: Splicer. Hose I.D.: 1/8 in. [Min] 1/8 in. [Max].

5 mm x 5 mm Coupler/Splicer by PowerTank for Jeep $4.99 Allows joining of 5 mm lines 5 mm x 5 mm Coupler/Splicer by PowerTank for Jeep

Bioshock 2: Series 2 Lady Smith Splicer Action Figure $15.99 The second assortment from the #1 selling video game includes the Ladysmith Splicer with removable mask, tommygun, and rolling pin accessories.

Gardner Bender 1410 AWG Aluminum Splicer Reducer GSPA0 $24.96 Dual rated aluminum splicer/reducer made from high strength aluminum alloy

Western Enterprises We C-38 Splicer. Each $5.34 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 1/2 in [Min], 1/2 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Barb Hex Packing Type = Splicer Customers also search for: Discount We

Western Enterprises We D-38 Splicer. Each $28.74 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 3/4 in [Min], 3/4 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Barb Hex Packing Type = Splicer Customers also search for: Discount We

Western Enterprises We 53 Splicer. Each $2.49 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 1/8 in [Min], 1/8 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Barb No Stop Packing Type = Splicer Customers also search for: Discoun

Western Enterprises We 34 Splicer. Each $2.6 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 1/4 in [Min], 1/4 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Spiral Hex Packing Type = Splicer Customers also search for: Discount

Western Enterprises We 37 Splicer. Each $1.06 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 1/4 in [Min], 1/4 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Barb Hex Packing Type = Splicer Customers also search for: Discount We

Western Enterprises We 38 Splicer. Each $1.76 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 3/16 in [Min], 3/16 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Barb Hex Packing Type = Splicer Customers also search for: Discount

Western Enterprises We 39 Splicer. Each $4.28 Manufacturer: Western Enterprises. Each. Connection Type = Barb/Barb Hose I.D. = 3/16 in [Min], 1/4 in [Max] Pressure = 200.00 PSIG [Max] Material = Brass Case Shape = Straight Style = Barb Hex Packing Type = Splicer Customers also search for: Discount W