本文探讨了基于 Raw I/O 的文件隐藏技术,并介绍了一种绕过现代检测器的方法。通过分析 DarkSpy 的工作原理,讨论了如何通过 IofCompleteRequest 代码修补来拦截 I/O 处理过程,实现对 Raw I/O 基础文件检测器的规避。
By: cardmagic
After reading Hoglund's post, I finally decide to write this article.
Actually in China, many smart rootkit/antirootkit writers have their own interesting materials,but unfortunately they are unable to publiish them becuase of various reasons(business contract,language barrier or even related to some secret organization).
The main idea of this post comes to me when I designed DarkSpy, but after I finishing coding of the bus level file hider, it was discarded.
Hopefully it will still be useful for some guys here:)
Okay, now lets discuss the main topic :
1. Raw I/O based hidden file detection:
This kind of file detection is used very commonly in modern detetors. such as DarkSpy/Icesword.
The main idea for this detection method is to directly send I/O request packet to file system ,
so that detector will get the real view of system files.
this is effective for hiding by native routine call hooking and file system filter driver.
In addition, DarkSpy has added two great points into this(The second one makes DarkSpy's file detecion better than Icesword ^_^ )
a) Implement IofCallDriver itself,and directly call the original file system dispach routines,
this will bypass hiding by the file system dispath routing hooking.
b) Recover the whole file system file image in the memory before each I/O, this is against the
hiding by inline code patching of file system dispatch routines.
2. The Bypassing theory:
Here we will only discuss the real hider ( not file stream stuff),and we will describe the the bypassing theory with DarkSpy, because DarkSpy is very typical in raw I/O based file detectors.Let's look at basic flow of DarkSpy file detection first.
From the figure above, we can see it's almost impossible to do something in file system, because DarkSpy has recoverred the whole image, even directly call the dispatch code without system routine's help.
Now start changing our point of view and brainstorm, can we intercept the I/O processing besides file system?
The answer is true, because file system will call many system routines.
But we must pick an appropriate call that has the chance to reach the I/O content,which one will be the best? IofCallDriver maybe first come to your mind...but unfortunately DarkSpy has implemented it inside,because IofCallDriver is very easy to implement :)
So we have to pick another choice which is
a) hard to implement
b) will be called by file system
c) able to touch the I/O content
which one will be the best ?
Oh,yes, you got it, it's IofCompleteRequest. Okay... this is our idea...
Through IofCompleteRequest code patching , check if we are called by file system,if yes, we will filter the I/O content. Thus,we will be sure to bypass all modern raw I/O based file detector.
3. The Main Code:
Please check --
http://www.rootkit.com/vault/cardmagic/hidefile.c
0. Something else :
After reading Hoglund's post, I finally decide to write this article.
Actually in China, many smart rootkit/antirootkit writers have their own interesting materials,but unfortunately they are unable to publiish them becuase of various reasons(business contract,language barrier or even related to some secret organization).
The main idea of this post comes to me when I designed DarkSpy, but after I finishing coding of the bus level file hider, it was discarded.
Hopefully it will still be useful for some guys here:)
Okay, now lets discuss the main topic :
1. Raw I/O based hidden file detection:
This kind of file detection is used very commonly in modern detetors. such as DarkSpy/Icesword.
The main idea for this detection method is to directly send I/O request packet to file system ,
so that detector will get the real view of system files.
this is effective for hiding by native routine call hooking and file system filter driver.
In addition, DarkSpy has added two great points into this(The second one makes DarkSpy's file detecion better than Icesword ^_^ )
a) Implement IofCallDriver itself,and directly call the original file system dispach routines,
this will bypass hiding by the file system dispath routing hooking.
b) Recover the whole file system file image in the memory before each I/O, this is against the
hiding by inline code patching of file system dispatch routines.
2. The Bypassing theory:
Here we will only discuss the real hider ( not file stream stuff),and we will describe the the bypassing theory with DarkSpy, because DarkSpy is very typical in raw I/O based file detectors.Let's look at basic flow of DarkSpy file detection first.
----------------- ---------------------
| DarkSpy | <1> ---->recover | FILE SYSTEM IMAGE |
----------------- <2>----->call--->| dispatch code |
<2><-----return--|-------------------|
From the figure above, we can see it's almost impossible to do something in file system, because DarkSpy has recoverred the whole image, even directly call the dispatch code without system routine's help.
Now start changing our point of view and brainstorm, can we intercept the I/O processing besides file system?
The answer is true, because file system will call many system routines.
But we must pick an appropriate call that has the chance to reach the I/O content,which one will be the best? IofCallDriver maybe first come to your mind...but unfortunately DarkSpy has implemented it inside,because IofCallDriver is very easy to implement :)
So we have to pick another choice which is
a) hard to implement
b) will be called by file system
c) able to touch the I/O content
which one will be the best ?
Oh,yes, you got it, it's IofCompleteRequest. Okay... this is our idea...
Through IofCompleteRequest code patching , check if we are called by file system,if yes, we will filter the I/O content. Thus,we will be sure to bypass all modern raw I/O based file detector.
3. The Main Code:
Please check --
http://www.rootkit.com/vault/cardmagic/hidefile.c
扫一扫
1062
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
