Old Rootkit Detection

Posted: December 7, 2008 in kd-team archive, tools

Well, in my quest to move my old kd-team.com tools and papers to my new blog, here is another one from the old website. Two ways to detect rootkits: one of them doesn't work anymore (assuming all rootkits now hook the function used back then), the other one I don't know about, I haven't tested it lately. Here are the readmes and the source codes.

Brute-forcing process IDs and using OpenProcess() to detect possible rootkits.
The readme

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+This is a little disclaimer for if you haven't read the one on our site. +
+The tools and tutorials KD-Team develops and publishes are only meant for +
+educational purposes. WE DO NOT encourage the use of these tools and +
+tutorials for malicious purposes. We learned a lot during the development of them +
+so we hope you also learn and don't just use them without any brains. +
+We take completely NO responsibility for any damage caused by them nor +
+are we or our ISP responsible for what you do with them. +
+Greetz: KD-Team +
+http://www.kd-team.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Detect Hidden Processes

This is a little program to detect if a rootkit is hiding a process.
It will only work if the rootkit does NOT hook NtOpenProcess().
Bit of theory:

Normally a rootkit works with the concept of "what they can't see, they can't touch".
With this in mind we only need to find a way to access what we can't see. In other
words, just guess what could exist.

Mapped to the technical side, this means that when a rootkit hides the
process it's intended to hide, it hides everything that could possibly give feedback
to the user about that process. So we could assume the rootkit would not be concerned
about functions like OpenProcess() or NtOpenProcess(), since to use those the user must
already know which PID they want. This leads to the thought that if we just guess, aka brute-force,
the possible PIDs, we could find out whether any of them are hidden.

So the basic concept is:

– do an OpenProcess() on all possible PIDs and display the PIDs where it succeeds.
– compare the output to the PIDs in your Task Manager

If something appears in the list from this app that is NOT in the list of your Task Manager,
it COULD mean you have a rootkit.
We say COULD because there are some system PIDs that are not shown by default.
Get something like Process Explorer from http://www.sysinternals.com to be sure.

Just as with our detectcon, since this is a POC for this technique, the comparison
you'll have to do manually. Maybe in the future we'll automate it.

On a side note: this technique will not work for very long, since most rootkits are updated
constantly. So as soon as this is known, most major rootkits will probably hook OpenProcess().
Greetz,

KD-Team

P.S. There is a minor bug: sometimes a process appears to have 4 PIDs.
We are not sure how this comes about since we haven't researched it yet.

The Source

/*
Hidden Process Detector
Made By: DiabloHorn (Proud Member Of KD-TEAM)
Thanks to all those great sites and offcourse google that helped me out.
Special thx to:
- Swiv
- wingcom
- n0limit
- Forge
- MSDN for the nice info they have there.
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
#include <tlhelp32.h>
#include "psapi.h"

#pragma comment(lib,"psapi")

void PrintProcessNameAndID(DWORD);
void ListP();
void ExtraInf();
void showBadAssProc();
DWORD determineHighestPID();
void Usage(char *);



int main(int argc, char *argv[])
{
	if(argc==1)
	{
		Usage(argv[0]);
	}
	//ListP();
	for(int i=1;i<argc;i++)
	{
		if (argv[i][0] == '-')
		{
			switch (argv[i][1])
			{
				case '?':
							Usage(argv[0]);
							break;
				case 'L':
				case 'l':
							ListP();
							break;
				case 'S':
				case 's':
							ExtraInf();
							break;
				case 'B':
				case 'b':
							showBadAssProc();
							break;
				default:
							Usage(argv[0]);
							break;
			}
		}
		else
		{
			Usage(argv[0]);
		}
	}
	return 0;
}

void Usage(char *imageName)
{
	printf("\tHidden Process Detector\n");
	printf("\tMade By: DiabloHorn (Proud Member of: KD-Team)\n");
	printf("\t\tUse as: %s -<options>\n",imageName);
	printf("\t\tOptions:\n");
	printf("\t\t\t-? = Show this help\n");
	printf("\t\t\t-l = List all running processes\n");
	printf("\t\t\t-s = show info on Process like Path\n");
	printf("\t\t\t-b = List the bad ass processes\n");
}

// The "normal" view: whatever the enumeration API (and so Task Manager) reports.
void ListP()
{
	DWORD aProcesses[1024];
	DWORD cbNeeded;
	DWORD cProcesses;
	unsigned int i;
	unsigned int totalProcs = 0;

	if (!EnumProcesses(aProcesses,sizeof(aProcesses),&cbNeeded))
		return;

	cProcesses = cbNeeded / sizeof(DWORD);

	for ( i = 0; i < cProcesses; i++ )
	{
		PrintProcessNameAndID(aProcesses[i]);
		totalProcs += 1;
	}

	printf("Total Processes: %i\n",totalProcs);
}

void PrintProcessNameAndID( DWORD processID )
{
	TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");

	HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE, processID );

	if (NULL != hProcess)
	{
		HMODULE hMod;
		DWORD cbNeeded;

		if ( EnumProcessModules(hProcess, &hMod, sizeof(hMod),
			 &cbNeeded) )
		{
			GetModuleBaseName( hProcess, hMod, szProcessName,
							   sizeof(szProcessName)/sizeof(TCHAR) );
		}
	}
	_tprintf( TEXT("%s\t(PID: %u)\tHex: %xh\n"), szProcessName, processID,processID );

	// Only close a handle we actually got (OpenProcess() returns NULL on failure).
	if (NULL != hProcess)
	{
		CloseHandle( hProcess );
	}
}

void ExtraInf()
{
	HANDLE hSnapshot;
	MODULEENTRY32 me;
	DWORD pId=0;

	printf("Enter Process Id: ");
	if(scanf("%u",&pId) != 1)
	{
		printf("Invalid Process Id\n");
		return;
	}

	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pId);
	// Toolhelp returns INVALID_HANDLE_VALUE on failure, not NULL.
	if(hSnapshot == INVALID_HANDLE_VALUE)
	{
		printf("Module Snapshot Failed (error %u)\n", GetLastError());
		return;
	}
	printf("Module Snapshot succeeded\n");

	// dwSize must be filled in before the first Module32First() call.
	me.dwSize = sizeof(MODULEENTRY32);
	if (!Module32First(hSnapshot, &me))
	{
		printf("Gathering Module information failed\n");
		CloseHandle(hSnapshot);
		return;
	}

	printf("Module ID: %u\n", me.th32ModuleID);
	printf("Global usage count: %u\n", me.GlblcntUsage);
	printf("Module usage count: %u\n", me.ProccntUsage);
	printf("Base address: 0x%p\n", me.modBaseAddr);
	printf("Base size: %u\n", me.modBaseSize);
	printf("Full path: %s\n", me.szExePath);

	CloseHandle(hSnapshot);
}

// The "hidden" view: brute-force every id up to twice the highest PID the
// enumeration API reports and show where OpenProcess() succeeds.
void showBadAssProc()
{
	DWORD testPIDS = determineHighestPID() * 2;
	DWORD i;
	HANDLE hReadp;
	char hidProcName[MAX_PATH];

	for(i = 0;i<testPIDS;i++)
	{
		hReadp = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE, i);

		if(hReadp == NULL)
		{
			//decomment if you want to see failures which is of no use.
			//printf("OpenProcess() Failed on %i\n",i);
			continue;
		}

		// Note: Windows PIDs are multiples of 4 and OpenProcess() ignores the two
		// low bits of the id, so the same process also answers on i+1, i+2 and i+3
		// (the "4 pids" quirk mentioned in the readme).
		printf("OpenProcess() succeeded on %u ",i);

		ZeroMemory(hidProcName,sizeof(hidProcName));
		if(GetModuleFileNameEx(hReadp,NULL,hidProcName,sizeof(hidProcName)) != 0)
		{
			printf("%s",hidProcName);
		}
		printf("\n");

		CloseHandle(hReadp);
	}
}

DWORD determineHighestPID()
{
	DWORD aProcesses[1024];
	DWORD cbNeeded;
	DWORD cProcesses;
	unsigned int i;
	DWORD highestPID = 0;

	if (!EnumProcesses(aProcesses,sizeof(aProcesses),&cbNeeded))
		return 0;

	cProcesses = cbNeeded / sizeof(DWORD);

	for ( i = 0; i < cProcesses; i++ )
	{
		if(aProcesses[i] > highestPID)
		{
			highestPID = aProcesses[i];
		}
	}

	return highestPID;
}

//bool matchPID(int pidN)
//{

//}

This one uses bind() to detect possible rootkits.
The readme


Detect Hidden Connections

This is a little program to detect if a rootkit is hiding a port.
It will only work when the rootkit uses a port-based, listening backdoor;
if the backdoor works on triggers with ICMP or ACK packets we don't guarantee this tool will work.
Bit of theory:

Normally a rootkit intercepts the functions that show which ports are in listening state, so when calling those
functions it won't show the ones hidden by the rootkit. But as far as we know the bind() function doesn't get
intercepted by any rootkit at the moment. So when trying to bind to a port where a rootkit has hidden a backdoor,
the bind fails. Meaning that if on that port the bind fails and in netstat the port doesn't show up, well, you can assume
you've found yourself a hidden port.
This program will not work if the bind of the backdoor uses setsockopt(SO_REUSEADDR).
Since this is a POC it will only work on TCP; you are all free to mod it and add nice things to it :)

Greetz,

KD-Team

The source

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>

#pragma comment(lib,"ws2_32")

void BindPort();

int main(int argc,char *argv[])
{
	if(argc > 1)
	{
		printf("\t\tDetect Hidden Connections\n");
		printf("\tWritten By: Kd-Team\n");
		printf("\tThis is just a POC to show\n");
		printf("\tHowto detect hidden tcp ports\n");
		printf("\tUsually rootkits hide them\n");
		printf("\tThis DOES NOT WORK WHEN:\n");
		printf("\t\"setsockopt(SO_REUSEADDR)\" is set\n");
		printf("\tRead readme.txt for more info\n");
		printf("\tUsage: %s\n",argv[0]);
		printf("\tWhen this output's ports that netstat doesn't\n");
		printf("\tthat would theoretically be a indication\n");
		printf("\tthat the port is hidden\n");
	}
	else
	{
		BindPort();
	}
	return 0;
}

// Try to bind() every TCP port; a failed bind means something already owns the
// port, and if netstat does not list it the owner may be hidden by a rootkit.
void BindPort()
{
	WSADATA wsa;
	SOCKET hLstnSock;
	struct sockaddr_in ServAddr;
	int i;

	if(WSAStartup(MAKEWORD(2,0),&wsa) != 0)
	{
		printf("WSAStartup() failed\n");
		return;
	}

	memset(&ServAddr,0,sizeof(ServAddr));
	ServAddr.sin_family = AF_INET;
	ServAddr.sin_addr.s_addr = htonl(INADDR_ANY);

	for(i=0;i<65536;i++)
	{
		ServAddr.sin_port = htons((u_short)i);
		hLstnSock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP,0,0,0);
		// WSASocket() signals failure with INVALID_SOCKET, not SOCKET_ERROR.
		if(hLstnSock == INVALID_SOCKET)
		{
			printf("socket() %d failed\n",WSAGetLastError());
			WSACleanup();
			return;
		}

		if(bind(hLstnSock,(struct sockaddr *)&ServAddr,sizeof(ServAddr)) == SOCKET_ERROR)
		{
			printf("port: %i bind() %d failed\n",i,WSAGetLastError());
		}
		else
		{
			//printf("port %i succeeded\n",i); just uncomment this if you wanna know on what ports the bind succeeded.
		}
		closesocket(hLstnSock);
	}

	WSACleanup();
}
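Both readmes leave the comparison step to the user; the following is an added example, not part of the original KD-Team tools, that parses the output lines the two programs print (the "-b" listing of the process detector and the bind() failure lines of the port scanner) and diffs them against the PIDs and local ports the normal views report. It goes a little beyond the readmes in two ways: it collapses the "4 pids" quirk by masking the low two bits of each id, and it counts only bind() failures with error 10048 (WSAEADDRINUSE) as evidence of a socket. The function names, the sample output lines and the ENUMERATED_PIDS/NETSTAT_PORTS sets are constructed for the example.

```python
import re
# Constructed sample of the process detector's "-b" output: one line per id
# OpenProcess() accepted, followed by the image path when it could be read.
BRUTEFORCE_OUTPUT = """\
OpenProcess() succeeded on 4
OpenProcess() succeeded on 5
OpenProcess() succeeded on 1304 C:\\WINDOWS\\system32\\svchost.exe
OpenProcess() succeeded on 1305 C:\\WINDOWS\\system32\\svchost.exe
OpenProcess() succeeded on 2240 C:\\WINDOWS\\system32\\svchost.exe
"""
# Constructed PIDs as reported by the "-l" listing / Task Manager.
ENUMERATED_PIDS = {0, 4, 1304}

# Constructed sample of the bind() scanner's output (it prints failures only).
BIND_OUTPUT = """\
port: 135 bind() 10048 failed
port: 445 bind() 10048 failed
port: 3128 bind() 10048 failed
port: 4444 bind() 10048 failed
port: 80 bind() 10013 failed
"""
# Constructed local ports netstat shows, listening and established alike
# (bind() fails on any port in use, not only on listening ones).
NETSTAT_PORTS = {135, 445, 3128}
WSAEADDRINUSE = 10048  # the error a live socket on the port produces

def hidden_pids(output, enumerated):
    """Return PIDs OpenProcess() accepted that the enumeration view lacks."""
    # Windows PIDs are multiples of 4 and OpenProcess() ignores the two low
    # bits, so 1304..1307 all open one process (the readme's "4 pids" quirk);
    # masking with ~3 collapses them before the two views are compared.
    seen = set()
    for m in re.finditer(r"OpenProcess\(\) succeeded on (\d+)", output):
        seen.add(int(m.group(1)) & ~3)
    return sorted(seen - {p & ~3 for p in enumerated})

def hidden_ports(output, netstat_ports):
    """Return ports bind() reported in use that netstat does not list."""
    # Only WSAEADDRINUSE is evidence of a socket; other codes such as
    # 10013 (WSAEACCES, reserved or excluded port ranges) are skipped.
    in_use = set()
    for m in re.finditer(r"port: (\d+) bind\(\) (\d+) failed", output):
        if int(m.group(2)) == WSAEADDRINUSE:
            in_use.add(int(m.group(1)))
    return sorted(in_use - set(netstat_ports))

if __name__ == "__main__":
    print("hidden PIDs :", hidden_pids(BRUTEFORCE_OUTPUT, ENUMERATED_PIDS))
    print("hidden ports:", hidden_ports(BIND_OUTPUT, NETSTAT_PORTS))
```

Feed it the real tool output and a PID list from Process Explorer (or netstat -ano for ports) and anything it returns is a candidate to investigate, not yet a confirmed rootkit.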

Comments
  1. Anwar says:

    Thanks Buddy,

    Wonderful article. It displays the hidden process name as unknown. I'm trying to find out how I can get the process name which is hidden.

    Regards
    Anwar Munshi

  2. F4r4Zm0In says:

    Hey Bro,

    I saw your website's link at http://www.milw0rm.com/links/,

    nowadays I am promoting my forum and getting good traffic from many sources,

    I will be happy to affiliate with you; if you want to check my forum, point your

    browser @ http://www.h4ck3rs-c0mmun1ty.co.cc/

    Please go through the forum and tell me your response about a link exchange.

    In case of a positive response, please use this 88*31 image link;

    once added, please inform me so that I can add your link too.

    Waiting for a positive response from your side.

    Thanks & Regards
