|Managed Code Rootkits|
Author: Erez Metula
It is something of a shame when good technical information has to be bundled up into something the looks like a hot topic. Rootkits are a relatively new phenomena. The idea is that you write some code that exploits a weakness in an operating system and so take it over by placing the code higher up the hierarchy.
Managed code is supposed to be "safe" in the sense that it can't crash or interfere other processes running on the machine. It is also supposed to be more secure than native code but a moments thought should indicate to you that this can't really be true. Manged coded is compiled to byte code which is inherently easier to recompile, especially so in the case of .NET, and anything you can decompile and understand is a target for modification - and this is the subject of this book. The idea is that with the help of a Managed Code Rootkit or MCR you can take over a machine and make it do exactly what you want - dangerous and exciting stuff.
However before we can get to any exciting stuff we have to work thought the basics in Chapter 1. This explains what managed code is all about using .NET, Java and the Dalvik system as examples. Although the book is supposed to be general it does tend to focus on the .NET system and the other two are mentioned as further examples. There is some waffle in this chapter but it also explains the architecture of a VM-based system. Chapter 2 is some more waffle on how attackers might use an MCR. You probably don't need to read this chapter if you have an imagination but it might help you see the bigger picture.
Part II of the book starts off with some basics on how to work with a managed system. It explains how to disassemble and use an assembler. With these two tools, plus some utilities that let you explore byte code, you can do mostly what you want/ The first part of the chapter is actually a very nice description of how the .NET system works and its a shame that it can't be presented in a more general context in a book called say "Advanced .NET". From this point the book demonstrates how to modify the runtime. This goes much as you would expect - disassemble the runtime, modify the code from the disassembly, compile the new code and replace the runtime by the modified DLL. This is quite straightforward and most readers could have invented it for themselves. The surprise was how easy it is to replace a core DLL by a modified version. Until I read this book I'd believed that code signing made this impossible - apparently not. Not doubt at some point Microsoft will notice this vulnerability and patch it and then the book with have to be re-written. The same cycle of runtime modification is also explained for Java and the Dalvik VM.
Once you have the mechanism to change the runtime modules you can more or less do anything you like and the book then goes on to explain ways of doing things in a more systematic way. Chapter 5 is a lot more waffly than Chapter 4, which had a lot of exact technical things to explain. In this chapter the why and how of changing the runtime is expanded. Chapter 6 formalizes things into a "Malware API" and Chapter 7 describes a tool that can be used to automate much of the whole process of code modification. Chapter 8 takes us into advanced techniques - thread injection, state manipulation and hiding you modifications as native code. Again there are a lot of things discussed here that really should be in an advanced programmer's course. It is a shame that it has to be wrapped up in terms of how to attack a system rather than this is how it all works.
Part III of the book attempts to undo the general tone of being one of the bad guys - it's on countermeasures. This is a very short section comprising two chapters - one on detection/prevention and one on other things you could use these techniques for. The detection/prevention chapter is fairly simple in that all it says is that you can detect changes to the runtime and restore the originals. If it really is this simple why doesn't the system do this for us?
Overall this is a good book. There are parts that are basically filler material that go over ideas in such generality that the discussion is far from technical. This is needed partly to make the book look a little more "high brow" and partly to lift it from being just a hackers' handbook. However, the most valuable parts of the book are where the author gets onto specifics.
I have to admit that while a lot of the ideas in the book are the simple application of techniques that you should already know, e.g. how to disassemble IL, I learned a lot from reading it. I repeat that it is a shame that so much high quality technical information has to be wrapped up in the activity of creating malware, but this seems to be the current ethos. The comparison between the .NET and Java systems are particularly interesting.
If you read this book carefully you will learn a lot of things that go on under the cover and you will discover that making an MCR is so easy that any programmer can do it.
Not a perfect book by any means, but a useful one if you want to see how things work inside.
|Last Updated ( Sunday, 28 August 2011 )|