Kernel Mode Rootkits: Stealth and Subversion of Trust presented at BlackHatWindows 2001

by Greg Hoglund,

Summary : This talk will draw upon the work of www.rootkit.com, a group of individuals that have maintained and distributed a kernel-mode rootkit for Windows NT/2000. The talk will cover the following details:
0. What is a rootkit?
1. How kernel-mode affects host-security
2. How to subvert file-access and fool file-integrity analysis. a. trojan file handles
3. How to talk directly to the network without a TCP/IP stack. a. NIDS layer communications
4. How to modify trusted system-calls. a. hook software interrupts. b. hook NTDLL
5. How to inject code into the kernel. a. ZwLoadDriver. b. The Registry. c. infection of device drivers. d. SystemLoadAndCallImage
6. How to deploy rootkit-code like a virus. a. software interrupts as a covert channel. b. viral infection of system drivers
7. How to subvert the Windows NT/2000 EventLog. a. stealing file handles b. patching eventlog functions
8. Subverting Access-Control. a. SeAccessCheck. b. Backdoors.
9. Spawning win32 processes.
10. Stealth. a. Hiding threads from a debugger. b. Hiding processes under NT/2000. c. Hiding drivers under NT/2000.
11. How to detect a rootkit
12. Sample rootkit code available
Greg Hoglund is an accomplished software engineer and researcher. He has written and been involved in many commercial security products. Hoglund
currently works for Click To Secure, Inc. where his work is focused on automated software-security analysis and the product known as 'Hailstorm'. Hoglund recently contributed to 'Hack Proofing Your Network/Internet Tradecraft' published by Syngress. His other work includes research and speaking about software vulnerabilities, buffer overflows, and issues related to NT security.
Their Presentation! Complete mirror of Rootkit.com with source code (Zip 1,554k)
Panel Discussion
The Black Hat Time Machine: What happens next year?
The panel of experts will discuss what new tools and projects they are working on, what other tools may be released from the "underground" and how this will all impact our jobs. Plenty of time for Q&A.