User Mode Rootkits - Process Hiding

If a user mode rootkit with no kernel component wants to hide itself from programs such as Task Manager or Process Explorer, it is possible to do so. Programs such as Task Manager will use the NtQuerySystemInformation API to retrieve a list of current processes.

Return Oriented Programming

NX bit

Modern operating systems make use of the NX bit to mark memory pages as non-executable. The CPU will not run instructions on those pages. What this means is that if we write a payload into memory and it lands in such a non-executable region (such as the stack), the program will crash.

Import Address Table Hooking

Import Address Table hooking is a method to redirect execution of a function. I’ve previously covered inline hooking, so be sure to read that as well.

PE format

Portable Executable is the file format used on Windows for executables, libraries, and certainly more things I can’t remember right now.

Structured Exception Handling Exploits

SEH

SEH (Structured Exception Handling) is the mechanism Windows uses for exceptions. Handlers are implemented as a linked list, and each node contains a pointer to an exception handler. The last node is the default handler, which crashes the application.

Thread Environment Block

The TEB is a data structure containing information about the current thread, and that includes the current SEH frame.

Modifying Firmware On Embedded Devices

Lately I have been analyzing some embedded devices such as routers, and want to share how to emulate, extract, and modify firmware. We may want to do this for several reasons, such as enabling SSH/telnet to debug a service remotely, adding new features, and looking for security vulnerabilities.