Ghost in the Shell: A Counter-intelligence Method for Spying while Hiding in (or from) the Kernel with APCs
Advanced malicious software threats have become commonplace in cyberspace, with large-scale cyber threats exploiting consumer, corporate and government systems on a constant basis. Regardless of the target, upon successful infiltration into a target system an attacker will commonly deploy a backdoor to maintain persistent access, as well as a rootkit to evade detection on the infected machine. If the attacked system has access to classified or sensitive material, virus eradication may not be the best response. Instead, a counter-intelligence operation may be initiated to track the infiltration back to its source. It is important that the counter-intelligence operations are not detectable by the infiltrator. Rootkits can not only hide malware; they can also hide the detection and analysis operations of the defenders from malware. This thesis presents a rootkit based on Asynchronous Procedure Calls (APCs). This allows the counter-intelligence software to exist inside the kernel and avoid detection. Two techniques are presented to defeat current detection methods: Trident, using a kernel-mode driver to inject payloads into the user-mode address space of processes, and Sidewinder, moving rapidly between user-mode threads without intervention from any kernel-mode controller. Finally, an implementation of the explored techniques is discussed. The Dark Knight framework is outlined, explaining the loading process that employs Master Boot Record (MBR) modifications and the primary driver that enables table hooking, kernel object manipulation, virtual memory subversion, payload injection, and subterfuge. A brief overview of Host-based Intrusion Detection Systems (HIDS) is also presented to outline how the Dark Knight system can be used in conjunction with them for immediate reactive investigations.