Thread: [c] kBox ring0 rootkit (DKOM,x86)

  #1 MindfreaK (Back from Abyss)

    [c] kBox ring0 rootkit (DKOM,x86)

    The title says pretty much everything. At this time it only hides processes by manipulating the opaque EPROCESS structure. Maybe if I get good feedback I will continue developing it.

    It also works with the latest version of Windows 8 (from XP to 8). There is a CompatibilityCheck included in the driver that should check all struct field offsets, so there should never be a BSoD. And last but not least I want to mention that this driver does not use any second thread. This means it uses a callback to get newly created processes (they are then hidden before they are even displayed for a millisecond).

    Have fun & guess who is back =)
    ~MindfreaK
  #2 A1sS4wa (Junior Member)
    Very good code. It is always effective to manipulate the list of EPROCESS structures to hide your process. The callback via PsSetCreateProcessNotifyRoutine is also effective for seeing new processes. However, your attack could be detected relatively easily (if we know what we are looking for, particularly in the EPROCESS list ;-). But since few people do it, it is still ok.)
  #3 MindfreaK (Back from Abyss)
    But u forgot that there is no list: those eprocess structs r linked with each other, so to detect an unlinked struct u would need to scan blind in memory.
  #4 A1sS4wa (Junior Member)
    Ok MindfreaK, I see what you mean. But, about what you said, I'm not sure I understand you.
    You said that the EPROCESS is not part of a linked list... Well, you're right, EPROCESS is part of a double-linked list! You should check the "Rootkits: Subverting the Windows Kernel" book to get more information (reading page 180 would be enough) [If you don't have it, go to Google Books; this page is freely available]. It's clearly written that it's a double-linked list. In addition, in your own code, and I especially mean the hide function in process.c, to hide a process you just disconnect the node of the wanted process from the double-linked list... And, to do so, you just add the size of the offset that separates two nodes... Well, as the size used is always the same, there is nothing to search blindly! You just need to check whether or not there is a gap ;-). But, as I said, very few antivirus programs are looking for such structures... And your code is good enough to bypass most of them.
  #5 MindfreaK (Back from Abyss)
    I have no need for a book.. So I meant there is no list coz it looks more like a circle, and if I unlink a struct u don't know where the struct is, so u will need to scan memory for it.. It's nothing new that DKOM and all those other common methods are easy to detect, but what did u expect for public. It's cool to talk to u coz most ppl don't even know what DKOM is lol
    Last edited by MindfreaK; 31-01-2013 at 21:57.
  #6 I know a lot more than you think
    Nice and clean code. Haven't done much DKOM myself, but you could think about zeroing the struct of the process and rebuilding the linked list so there is no gap. If you would just walk the EPROCESS list and find out which is the lowest end and which the highest end, wouldn't you be able to put the latest entry in the gap you made and just update the first and last entry? Don't get me wrong though, the code is good; just some ideas.
  #7 A1sS4wa (Junior Member)
    I understand better what you meant, MindfreaK. I do not think EPROCESS is a circular list. The proof of that is in the code you use to hide a process, or the one for scrolling through elements (it is the same principle). You don't move by successive dereferencings. There is nothing in the style of: (*tempory_node) = tempory_node->next in a while loop... You just add, node after node, the same offset. So you're sure never to come back to your starting point (which would be different if you did a dereferencing).

    The technique you use, as you said, is not new but still works; that's it, that's fine. Antiviruses don't work when it starts to be painful for their developers... It is also very pleasant to talk with you; it's good to see people able to accept "good reviews" on their code.

    About your idea SqUeEzEr, I like it! I think it's good enough to really bypass protections and what I said. But I'm not sure I understand all of what you said. For me, what I think is that, from the node to hide, we raise all nodes below ours, from that node to the last. But we don't shift the nodes by changing their links as kBox does (nothing wrong with that, just an idea to improve it); instead we rewrite each node. The rewriting is done by copying the following node onto its previous one. Like that, we smoothly simulate the shift to hide our process. Is it good for you?

    MindfreaK, what do you think about it?
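The disagreement in the posts above (is ActiveProcessLinks a ring, does unlinking leave a visible "gap", and what does a detector actually have to do) can be settled with a small model. The following is an added example written for this page, not code from kBox or from any poster: a Python simulation of a circular doubly-linked list with a sentinel head (the shape of a LIST_ENTRY ring), one node unlinked the way the thread describes, and two detector views. Process names and PIDs are constructed, and the `pool` list stands in for an allocator's view of every record that exists, which is what a memory-scanning detector reconstructs. It shows that walking the list after a clean unlink finds no gap at all, and that the hidden record is only revealed by a cross-view check that compares the walk against the scan.

```python
"""Toy model of EPROCESS-style process hiding and its detection.

Constructed example for illustration; it is not kBox code and does not
touch any real kernel structure. The ring of ProcRecord objects plays the
role of the ActiveProcessLinks list, and ProcessRing.pool plays the role
of the pool allocator's view of every record that was ever allocated.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcRecord:
    """Stand-in for one process record with its forward/back list links."""
    pid: int
    name: str
    flink: Optional["ProcRecord"] = None
    blink: Optional["ProcRecord"] = None


class ProcessRing:
    """Circular doubly-linked list with a sentinel head (LIST_ENTRY shape)."""

    def __init__(self) -> None:
        self.head = ProcRecord(pid=-1, name="<head>")
        self.head.flink = self.head.blink = self.head
        # Every record ever allocated, whether or not it is still linked.
        self.pool: List[ProcRecord] = []

    def append(self, pid: int, name: str) -> ProcRecord:
        node = ProcRecord(pid, name)
        last = self.head.blink
        node.blink, node.flink = last, self.head
        last.flink = node
        self.head.blink = node
        self.pool.append(node)
        return node

    def walk(self) -> List[int]:
        """What a list-walking enumerator sees: PIDs reachable from the head."""
        out, cur = [], self.head.flink
        while cur is not self.head:
            out.append(cur.pid)
            cur = cur.flink
        return out


def unlink(node: ProcRecord) -> None:
    """The DKOM step the thread describes: the neighbours bypass the node.
    The node keeps its own flink/blink, so nothing reachable is dangling."""
    node.blink.flink = node.flink
    node.flink.blink = node.blink


def ring_is_consistent(ring: ProcessRing) -> bool:
    """Walk-only integrity check: each reachable node's neighbours point back.
    After a clean unlink this still passes, i.e. the walk shows no 'gap'."""
    cur = ring.head
    while True:
        if cur.flink.blink is not cur or cur.blink.flink is not cur:
            return False
        cur = cur.flink
        if cur is ring.head:
            return True


def cross_view_orphans(ring: ProcessRing) -> List[Tuple[int, str, bool]]:
    """Cross-view check: records present in the pool but absent from the walk.
    The third field reports whether the record's own links are no longer
    reciprocated, which is the signature of an unlinked record."""
    reachable = set(ring.walk())
    orphans = []
    for rec in ring.pool:
        if rec.pid not in reachable:
            detached = rec.flink.blink is not rec or rec.blink.flink is not rec
            orphans.append((rec.pid, rec.name, detached))
    return orphans


def demo() -> dict:
    """Build a ring, hide one record, and report both detector views."""
    ring = ProcessRing()
    for pid, name in [(4, "System"), (612, "csrss.exe"),
                      (1337, "hidden.exe"), (2048, "explorer.exe")]:
        ring.append(pid, name)
    before = ring.walk()
    target = next(r for r in ring.pool if r.pid == 1337)
    unlink(target)
    return {
        "before": before,
        "after": ring.walk(),
        "ring_consistent_after_unlink": ring_is_consistent(ring),
        "orphans": cross_view_orphans(ring),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The walk before and after the unlink differs only by the missing PID, and `ring_is_consistent` still returns true afterwards, which is MindfreaK's point: a detector that only follows links sees a perfectly healthy ring and cannot tell where anything was removed. `cross_view_orphans` is the other side of the argument: once a second source of truth exists (here the pool, in practice a scan for records by their signature, or another enumeration path such as handle tables or scheduler structures), the hidden record stands out because its neighbours no longer point back at it.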
  #8 MindfreaK (Back from Abyss)
    The problem with this idea is that the EPROCESS structs are only for enumerating and information about processes. This means if I would ZeroMemory the struct of the process that's hidden, it will (maybe) BSoD at the termination of the process because the flink and blink in the ActiveProcessList don't point to a valid pointer. I'm not sure but it could be possible****. Rebuilding the struct would be pretty funny as ARKs won't notice it that easily. While the Process field in the KTHREAD struct is pointing to an EPROCESS struct of the original link, there will be a copy in the linked list of the struct of each process, so ARKs can't look for the delta difference between those structs. By utilizing this I guess you need to rebuild the list for any process because of the memory allocation, which makes it difficult, and you would need to unlink every EPROCESS from the original => Problem: How do we input our rebuilt link?
    Solution: A new rebuilt list for every unlinked process in the original link, but this makes me think about stability as this is a huge amount of memory and this can be confusing at implementation lol.
    Next problem: delta difference from the original struct to the first/last of the rebuilt list :/

    //Edit: squeezer I'm happy about every improvement idea =)


    **** I forgot about the Token field in the struct that's necessary for access rights. This means if I zero the struct it will definitely BSoD because Windows can't look up the access right token ... That's the complicated part in DKOM hehe, getting it invisible for ARKs lol
    Last edited by MindfreaK; 01-02-2013 at 18:34.
  #9 A1sS4wa (Junior Member)
    Well, what you said is very interesting. I like it. Indeed your intuition that zeroing the list may result in a BDOS made me think about it. It would be too bad to create a BDOS. If you do that, you are directly found! The problem in the linked list is not specifically about breaking the list. The executability is ensured by the threads. The problem is, as you said, if you zero the structure, even temporarily, the system could hang on it. However, we don't have many solutions... To keep the idea from last time, at the beginning we can allocate a first copy of the list of the current processes in the system (without the process we want to hide). Once this is done, we dump (by rewriting) the allocated list directly onto the real list instead of zeroing all the nodes, and we just zero the last node, whatever the last node is (normally, if we only hide one process, only one disappears, so we have to zero just one node). However, there is still the problem of temporary instability induced when we rewrite the list. We can try to have a higher priority with an APC which would be supposed to "block" other threads while we access our modified list. It's not guaranteed that it works. Can the kernel use such a list at a higher level? But it may already be a good start if we've got a BDOS on the system with dumping. Nevertheless, you still have got a problem with the KTHREAD structure. But you already have this problem with DKOM. Modifying it directly in the kernel will be difficult. There should be protections for it, and the probability of a BDOS when we do that is high. Too high? But before an antivirus looks at this list... The EPROCESS list is not watched yet, so...

    * I thought about it at the end of the message... When we break the list, we create instability, less than rewriting it, but we create some... If the code is well written and fast enough, I think it can pass. It may be better at first than trying to take control of all processors and verify their actions, etc...
  #10 MindfreaK (Back from Abyss)
    As I already said, it has to BSoD (!= BDos lol) because in the KTHREAD struct there is a field named Process that points to an EPROCESS struct; if we rebuild the list there might be an invalid pointer around that points to the zeroed struct at the end => BSoD
