?
Solved

How do Windows rootkits use DLL injection to hide the processes ?

Posted on 2006-04-10
3
Medium Priority
?
591 Views
Last Modified: 2006-11-18
I want to get more info on

1. What's DLL injection?
2. How does it work in context of rootkits?
3. Does it work on user level or kernel rootkits?
4. How does it hide the processes  / listening ports information ?
0
Comment
Question by:Bestkid
3 Comments
 
LVL 7

Expert Comment

by:sachinwadhwa
ID: 16416834
0
 
LVL 1

Expert Comment

by:SPH
ID: 16418230
There is a very good article on this at Security Focus: http://www.securityfocus.com/infocus/1850
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 750 total points
ID: 16422442
Most rootkit's for windows require admin rights to install (see Sony's CD rootkits: http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html and http://xinn.org/Sony-DRM.html)
A dll injection and or hook is faily simple: http://www.codeproject.com/dll/DLL_Injection_tutorial.asp (see also PwDump and it's ilk http://www.bindview.com/Services/razor/Utilities/Windows/pwdump2_readme.cfm )
http://en.wikipedia.org/wiki/Rootkit
http://www.sysinternals.com/Utilities/RootkitRevealer.html
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7ECMTYDataSvcParams%5E%7Earg+Name=%22ID%22+Value=%221032274950%22/%5E%7Earg+Name=%22ProviderID%22+Value=%22A6B43178-497C-4225-BA42-DF595171F04C%22/%5E%7Earg+Name=%22lang%22+Value=%22en%22/%5E%7Earg+Name=%22cr%22+Value=%22US%22/%5E%7EsParams%5E%7E/sParams%5E%7E/CMTYDataSvcParams%5E
http://research.microsoft.com/rootkit/

basically rootkits work because they are taking advantage of the debugging abilities of your processors interaction between bios and memory. Your able to intercept, modify, and then transmit data because the processor "trusts" the root kit. There are very legitimate uses for debuggers such as soft ice, they do help you to track down bug's and issues in your code as it executes, your able to stop, pause, read, modify anything you want. http://en.wikipedia.org/wiki/Debugger  http://en.wikipedia.org/wiki/Softice
The articles linked above can explain better than I. Most DLL injection requires you to have admin rights, especially with XP and 2003's DEP security enhancments, however there is always a way... http://www.foofus.net/fizzgig/pwdump/#about
-rich
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question