This document discusses malware analysis and rootkits. It covers various types of malware threats, tools used to analyze malware, and methodologies for analyzing malware and rootkit internals. Specific rootkits discussed include boot sector viruses, rootkit concealment techniques like SSDT and IDT hooking, and ways to fight rootkits like using rootkit detection tools.

1. By- Mr. Omkar Pardeshi
Malware Analyst & Developer
omkar.r.pardeshi@gmail.com

2.  Types of threats
 Tools to Analyze threats
 Methodology of analysis of Malwares.
 Rootkit internals.
 Fighting with Rootkit.

3. Basic
 Worm-Replicate
 Trojan-Stand alone
 File infector-Infect
Adware, Spyware, Backdoor , Boot Sector Virus
, Browser Hijacker, Macro Virus, Polymorphic
Virus, Scripting Virus, Logic
Bombs,Metamorphic .

4.  Sysinternal suit
 Procmon Process explorer.
 Regmon ,Regshot
 Pe view
 Systracer

5.  1982 Siberian pipeline sabotage
 2001 Magic Lantern
 2005 Sony BMG copy protection rootkit
scandal digital rights management software
called Extended Copy Protection.
 Mark Russinovich
 2004–2005 Greek wiretapping case
 Rootkit.Duqu.A

6.  is just a technology
 Subverting standard operating system.
 the design goals of a rootkit are to provide
three services:
1>remote access.
2> monitoring.
3>concealment.

7.  Real mode :-ring 3
-MS-DOS kernel .
- Interrupt Service Routines (ISRs). & Interrupt
vector table(IVT) .
 protected mode:- ring 0
-system os loads in protected mode called ring
0 or os kernel mode
-unprivileged area called ring 3 or user mode.

8. User mode
Kernel mode

10. Os level

11. NTDLL
NTDLL Deliver
NtqueryInfo Modified
Ntoskernel. result
Taskmgr exe
AppInitHook
result
Taskmgr After inject

12. 0x2000
0x2100 `
0x6500 NtQuerySystemInformation
NTDLL
0x6000
0x6500 NtQuerySystemInformation Call to ntdll
Ret 0x2100
AppInitHook

13.  AppInit_DLLs -
HKEY_LOCAL_MACHINESOFTWAREMicrosoft
Windows NT CurrentVersionWindows
 Other ways
 SetWindowsHook.
 WriteProcessMemory+CreateRemoteThread
 Change in import table.

14.  Code Injection
-inject dll
-Create Remote thread.
-write physical memory
-Hooking

15.  AppInit_DLLs
 DllMain
 Hook NtQuerySystemInformation
 HookedNtQuerySystemInformation
NtQuerySystemInformation(
__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__inout PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength )

16.  HookedNtQuerySystemInformation(
__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__inout PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength )
Call to original NtQuerySystemInformation
PMY_SYSTEM_PROCESS_INFORMATION pNext =
(PMY_SYSTEM_PROCESS_INFORMATION)SystemInformation;
if (!wcsncmp(pNext->ImageName.Buffer, L"calc.exe", pNext-
>ImageName.Length))
Return result

20.  Get Address of SSDT
 Get offset address of functions from SSDT
 Save Address
 Write Address of our function into SSDT
 If query call is for our file deny access
 If not call original function from saved
address.

21.  Ways root kit to system
-SSDT hook
-Shadow SSDT hook w32k.sys
-FS callback
-Registry Callback
-Interrupt Descriptor Table (IDT)
-Register Notify Routines
-Windows hook
-Driver hook
-Dispach hook
-keyboard hook
-System thread
-list goes on

22.  Gmer
 Rootkkit unhooker
 Sysrevaler
 Various rootkit scanners.
 To stay secure use updated AV & install all
the security patches.

23.  Questions…….?