cardmagic writes:
0. Something else:
After reading Hoglund's post, I finally decided to write this article.
Actually in China, many smart rootkit/antirootkit writers have their own interesting materials, but unfortunately they are unable to publish them because of various reasons (business contracts, the language barrier, or even ties to some secret organization).
The main idea of this post came to me when I designed DarkSpy, but after I finished coding the bus-level file hider, it was discarded.
Hopefully it will still be useful for some guys here :)
Okay, now let's discuss the main topic:
1. Raw I/O based hidden file detection:
This kind of file detection is used very commonly in modern detectors, such as DarkSpy and Icesword.
The main idea of this detection method is to send I/O request packets directly to the file system,
so that the detector gets the real view of the files on the system.
This is effective against hiding by native routine call hooking and by file system filter drivers.
In addition, DarkSpy has added two great points to this (the second one makes DarkSpy's file detection better than Icesword ^_^):
a) Implement IofCallDriver itself and directly call the original file system dispatch routines;
this bypasses hiding by file system dispatch routine hooking.
b) Recover the whole file system image in memory before each I/O; this is against
hiding by inline code patching of the file system dispatch routines.
2. The bypassing theory:
Here we will only discuss the real hider (not file stream stuff), and we will describe the bypassing theory with DarkSpy, because DarkSpy is very typical of raw I/O based file detectors. Let's look at the basic flow of DarkSpy file detection first.
-----------------                          ---------------------
|    DarkSpy    |  <1> ----recover-------> | FILE SYSTEM IMAGE |
-----------------  <2> ----call----------> |   dispatch code   |
                   <2> <---return--------- ---------------------
From the figure above, we can see it's almost impossible to do something in the file system, because DarkSpy has recovered the whole image and even calls the dispatch code directly without the system routine's help.
Now let's change our point of view and brainstorm: can we intercept the I/O processing outside the file system?
The answer is yes, because the file system calls many system routines.
But we must pick an appropriate call that has a chance to reach the I/O content. Which one will be the best? IofCallDriver may be the first to come to your mind... but unfortunately DarkSpy has implemented it internally, because IofCallDriver is very easy to implement :)
So we have to pick another choice, one which is
a) hard to implement,
b) called by the file system, and
c) able to touch the I/O content.
Which one will be the best?
Oh yes, you got it, it's IofCompleteRequest. Okay... this is our idea...
Through IofCompleteRequest code patching, check if we are called by the file system; if yes, we filter the I/O content. Thus we will be sure to bypass all modern raw I/O based file detectors.
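The detector-side step that sections 1 and 2 turn on is the "recover the whole image before each I/O" check: DarkSpy compares (and rewrites) the file system's dispatch code against a trusted copy, and the bypass works only because IofCompleteRequest lies outside the set of routines that check covers. The following is an added example of that integrity check, written for this page and not taken from DarkSpy, Icesword or hidefile.c. It is a user-mode simulation over constructed byte strings: the "live" and "reference" regions are arrays declared in the block, the prologue bytes are a typical 32-bit x86 hot-patchable prologue and not a dump of any real routine, and the rel32 decoding assumes x86 little-endian. A real detector would obtain the reference bytes from the on-disk kernel image after applying relocations, which this example does not do.

```c
/* Detecting and undoing an inline code patch on a routine by comparing the
 * live bytes against a trusted reference copy. User-mode simulation with
 * constructed byte strings (see the lead-in for what is assumed). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int patched;           /* 1 if any byte of the live region differs from the reference */
    size_t first_diff;     /* offset of the first differing byte (valid when patched == 1) */
    int entry_redirected;  /* 1 if the entry bytes were replaced by a control-flow transfer */
    int32_t jump_delta;    /* rel32 displacement when the transfer is JMP/CALL rel32 (E9/E8) */
} patch_report;

/* Compare a live code region with its reference copy and classify the damage. */
patch_report check_code_region(const uint8_t *live, const uint8_t *reference, size_t len)
{
    patch_report r = {0, 0, 0, 0};
    for (size_t i = 0; i < len; i++) {
        if (live[i] != reference[i]) {
            r.patched = 1;
            r.first_diff = i;
            break;
        }
    }
    if (!r.patched || r.first_diff != 0)
        return r;   /* untouched, or modified somewhere after the entry point */

    /* The entry point itself was rewritten: recognise the two common trampolines. */
    if (len >= 5 && (live[0] == 0xE9 || live[0] == 0xE8)) {
        /* JMP rel32 / CALL rel32: displacement is the next four bytes, little-endian on x86 */
        memcpy(&r.jump_delta, live + 1, sizeof r.jump_delta);
        r.entry_redirected = 1;
    } else if (len >= 6 && live[0] == 0x68 && live[5] == 0xC3) {
        /* PUSH imm32; RET */
        r.entry_redirected = 1;
    }
    return r;
}

/* Write the reference bytes back over the live region; returns how many bytes changed.
 * This is the "recover the image before each I/O" step described in section 1 b). */
size_t restore_code_region(uint8_t *live, const uint8_t *reference, size_t len)
{
    size_t changed = 0;
    for (size_t i = 0; i < len; i++) {
        if (live[i] != reference[i]) {
            live[i] = reference[i];
            changed++;
        }
    }
    return changed;
}

/* Constructed sample: first 8 bytes of a typical 32-bit x86 hot-patchable prologue
 * (mov edi,edi; push ebp; mov ebp,esp; sub esp,0Ch). Not taken from any real binary. */
static const uint8_t REFERENCE_PROLOGUE[8] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x0C};

/* Constructed sample of the same prologue after a 5-byte JMP rel32 (+0x1000) was written over it. */
static const uint8_t HOOKED_PROLOGUE[8] = {0xE9, 0x00, 0x10, 0x00, 0x00, 0x83, 0xEC, 0x0C};

patch_report demo_hooked(void)
{
    return check_code_region(HOOKED_PROLOGUE, REFERENCE_PROLOGUE, sizeof REFERENCE_PROLOGUE);
}

patch_report demo_clean(void)
{
    return check_code_region(REFERENCE_PROLOGUE, REFERENCE_PROLOGUE, sizeof REFERENCE_PROLOGUE);
}

/* Restore the hooked sample in a scratch buffer; returns the number of bytes put back,
 * or (size_t)-1 if the buffer does not match the reference afterwards. */
size_t demo_restore(void)
{
    uint8_t scratch[8];
    memcpy(scratch, HOOKED_PROLOGUE, sizeof scratch);
    size_t n = restore_code_region(scratch, REFERENCE_PROLOGUE, sizeof scratch);
    return memcmp(scratch, REFERENCE_PROLOGUE, sizeof scratch) == 0 ? n : (size_t)-1;
}

int main(void)
{
    patch_report r = demo_hooked();
    printf("hooked sample: patched=%d first_diff=%zu redirected=%d delta=%+d\n",
           r.patched, r.first_diff, r.entry_redirected, (int)r.jump_delta);
    printf("clean sample: patched=%d\n", demo_clean().patched);
    printf("bytes restored: %zu\n", demo_restore());
    return 0;
}
```

The useful design point is which regions go into the checked set: the post's bypass patches a routine the file system calls on the completion path rather than the file system's own dispatch code, so a detector that restores only the file system image still reads filtered data. Applying the same compare-and-restore to the kernel routines on the I/O path closes that gap; the practical difficulty is that the reference must be taken from the relocated on-disk image, since a static snapshot of kernel memory would include any patch already present.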
3. The Main Code:
Please check --
http://www.rootkit.com/vault/cardmagic/hidefile.c
This article discusses the raw I/O based hidden file detection method commonly used in modern file detectors, using DarkSpy and Icesword as examples. By sending I/O request packets directly to the file system to obtain the real view of system files, this method can effectively counter hiding by native call hooking and by file system filter drivers. The article also proposes a bypass theory: filtering the I/O content by code-patching IofCompleteRequest, in order to bypass modern raw I/O based file detectors.