Trojan Executable Redirection

Once an attacker has gained root access to a system, all active monitoring and integrity assess systems are also compromised. Even if audit data and cryptographic checksums are stored in a hardware-secure location, the ability to monitor the target is completely compromised. The only

in a separate, compartmented hardware subsystem. This, of course, is almost never the case

Exploiting(especiallySoftwarewith standardHow to BreakissueCodePCs). The closest most systems will be to compartmented may h

when the administrator pulls a hard drive and runs an integrity assessment on a separate close

ByGreg Hoglund,Gary McGraw

system. In fact, this is the only way to use a program like Tripwire securely (a popular, but

fundamentally flawed, integrity assessment package).

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

Redirection and the Problem with Tripwire

Pages: 512

Call hooks of the sort we show in this chapter can be used to hide facts about a system. What h when you want to replace one file with another or to execute a Trojan program in place of the o Call hooks can alter the logic of the call and provide additional functions, backdoors, and even r

the target of a request.

How does software break? How do attackers make software break on purpose? Why are

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? Consider Tripwire, a popular security program that monitors systems for rootkits and Trojans. T

What tools can be used to break software? This book provides the answers.

Tripwire program reads the contents of every file on a system and makes a cryptographic hash

file data. The idea is that any alteration to the file contents will result in a new hash being gene Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

This means the next time the security administrator audits the file with Tripwire, the new hash techniques used by bad guys to break software. If you want to protect your software from

detected and the file will be flagged as altered. This is a good idea in principle, but it doesn't wo attack, you must first learn how real attacks are really carried out.

all in practice (at least against attackers in the know).

This must-have book may shock you—and it will certainly educate you.Getting beyond the

Let's explore what happens when a hacker installs a kernel rootkit on the target system. This ex script kiddie treatment found in many hacking books, you will learn about

will illustrate a hacker replacing a target executable program with a Trojan version. The hacker

defeat Tripwire so that the security administrator doesn't detect the backdoor. The target OS is

Windows 2000.

Why software exploit will continue to be a serious problem

For the sake of brevity, assume the attacker has found a command execution vulnerability in a When network security mechanisms do not work

script on a Windows 2000 Web server. The first task in attacking the system will be the constru

an executableAttack patternsusing this vulnerability. The attacker compiles a device driver for Windows 2000

includes code that will hook the following system calls:

Reverse engineering

Classic attacks against server software

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

ZwOpenFile

Rootkits

ZwCreateSection

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

The driver is set up to hook these two calls and, on startup, opens a handle to the Trojan execu

For our example, let's assume the attacker wants to replace the command shell cmd.exe with a

version called evil_cmd.exe. When a program or the administrator attempts to launch cmd.ex

will get the Trojan instead. Unfortunately, the use of Tripwire will not detect the Trojan behavio

phFile,

DesiredAccess,

ObjectAttributes,

pIoStatusBlock,

•Table of Contents

•Index

ShareMode,

Exploiting Software How to Break Code

Publisher: Addison Wesley

Pub Date: February 17, 2004

if(*phFile)

ISBN: 0-201-78695-8

Pages: 512

{

DbgPrint("rootkit: file handle is 0x%X\n", *phFile);

/* ___________________________________________________

How does software break? How do attackers make software break on purpose? Why are

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

. TESTING ONLY

What tools can be used to break software? This book provides the answers.

. If name starts w/ cmd.exe lets redirect to a Trojan

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

techniques used by bad guys to break software. If you want to protect your software from

. ___________________________________________________ */ attack, you must first learn how real attacks are really carried out.

if( !wcsncmp(

This must-have book may shock you—and it will certainly educate you.Getting beyond the

script kiddie treatment found in many hacking books, you will learn about

ObjectAttributes->ObjectName->Buffer,

L"\\??\\C:\\WINNT\\SYSTEM32\\cmd.exe",

Why software exploit will continue to be a serious problem

29))

When network security mechanisms do not work

Attack patterns{

Reverse engineeringWatchProcessHandle(*phFile);

Classic attacks against server software

}

Surprising attacks against client software

}

Techniques for crafting malicious input

DbgPrint("rootkit: ZwOpenFile : rc = %x\n", rc);

The technical details of buffer overflows return rc;

Rootkits

}

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.

Our hook of ZwOpenFile checks the name of the file being opened to determine whether it's the we are interested in. If so, the file handle is saved for later use. The call hook simply calls the o

ZwOpenFile and allows execution to continue.

If an attempt is made to create a process using this file handle, our code will redirect to a Troja Before a process can be created, a memory section must first be set up. A memory section is lik

DbgPrint("AllocationAttributes & SEC_RESERVE\n");

if(AllocationAttributes & SEC_COMMIT)

DbgPrint("AllocationAttributes & SEC_COMMIT\n");

if(AllocationAttributes & SEC_NOCACHE)

•Table of Contents

• Index DbgPrint("AllocationAttributes & SEC_NOCACHE\n");

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

DbgPrint("ZwCreateSection hFile == 0x%X\n", hFile);

Publisher: Addison Wesley

#ifPub1 Date: February 17, 2004

ISBN: 0-201-78695-8

if(hFile)

Pages: 512

{

HANDLE newFileH = CheckForRedirectedFile( hFile );

How does software break? How do attackers make software break on purpose? Why are if(newFileH){

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. hFile = newFileH;

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

}

techniques used by bad guys to break software. If you want to protect your software from

attack, you must first learn how real attacks are really carried out.

}

This must-have book may shock you—and it will certainly educate you.Getting beyond the

#endif

script kiddie treatment found in many hacking books, you will learn about

rc=((ZWCREATESECTION)(OldZwCreateSection)) (

Why software exploit will continue to be a serious problem

phSection,

When network security mechanisms do not work

DesiredAccess,

Attack patterns

ObjectAttributes,

Reverse engineering

MaximumSize,

Classic attacks against server software

SectionPageProtection,

Surprising attacks against client software

AllocationAttributes,

Techniques for crafting malicious input

hFile);

The technical details of buffer overflows

Rootkits if(phSection)

Exploiting Softwareis {filled with the tools, concepts, and knowledge necessary to break

software.

DbgPrint("section handle 0x%X\n", *phSection);

}

DbgPrint("rootkit: ZwCreateSection : rc = %x\n", rc);

return rc;

HANDLE CheckForRedirectedFile( HANDLE hFile )

{

if(hFile == gFileHandle)

{

•Table of Contents

DbgPrint("rootkit: Found redirected filehandle - from %x to %x\n",

•Index

Exploiting Software How to Break Code

gRedirectFileHandle);

ByGreg Hoglund,Gary McGraw

return gRedirectFileHandle;

Publisher: Addison Wesley

}

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

return NULL;

Pages: 512

}

void SetTrojanRedirectFile( HANDLE hFile )

How does software break? How do attackers make software break on purpose? Why are

{

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. gRedirectFileHandle = hFile;

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

}

techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.