How to get address of NtEnumerateKey?

Hi All,

I am enumerating the keys in my kernel module, but I am failing because another driver already hooks NtEnumerateKey in the SSDT.

In order to enumerate keys I want to restore the address of NtEnumerateKey in the SSDT. So please tell me how I can get the original address of NtEnumerateKey in NtOsKrnl.Exe, as the function is not exported.

I found that this address differs from one OS to another, and I don’t want to hardcode the addresses. Is there any way to find the address programmatically?

Thanks & Regards,
Amit.

Do you know which other driver is hooking it? If so, set your load order
before theirs, hook and store the address…?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: 02 May 2007 11:06
To: Windows System Software Devs Interest List
Subject: [ntdev] How to get address of NtEnumerateKey?

Hi All,

I am enumerating the keys in my kernel module, but I am failing because
other driver already hooks NtEnumerateKey in SSDT.

In order to enumerate keys I want to restore the address of
NtEnumerateKey in SSDT. So please tell me how I can get the original
address of NtEnumerateKey in NtOsKrnl.Exe as the function is not
exported?

I found that this address is different for different OS. And I don’t
want to hardcode the addresses. Is their any way to find address
programmatically?

Thanks & Regards,
Amit.


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

But, It’s a rootkit.

Then why don’t you remove it? It is not safe to do software development on
an infected machine.

/Daniel

wrote in message news:xxxxx@ntdev…
> But, It’s a rootkit.
>

So, what’s your point?

Once you have a rootkit installed, you’ve lost the game. It’s too late
at this point to provide security to your user.

Why bother fighting a lost battle?

xxxxx@yahoo.com wrote:

But, It’s a rootkit.



If you are doing it for the sake of doing it, or for learning purposes,

then, as already stated, find the load order, load your driver before
the rootkit is able
to do anything, and then protect your fort.

There is a neat MSKB that shows how to find the load order of boot-
loading drivers,

and there are articles that enumerate how to modify/edit the registry to
make your driver load, let’s say, as

For finding the original address, I think someone already quoted SSDT
Restore from SIG.

It is open source; find out how they are doing it and emulate/plagiarise that code.

Otherwise this is a lost game; simply fdisk, format, reinstall.

raj


MM wrote:

So, what’s your point?

Once you have a rootkit installed, you’ve lost the game. It’s too late
at this point to provide security too your user.

Why bother fight a lost battle?

Is it really so hard to guess that he’s trying to write a rootkit
detector/remover?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Assuming you’re working from user mode, just use the symbols via DbgHelp
or DIA. If you’re talking about doing this from the kernel, this is a
much more complicated problem (with non-deterministic dynamics) than can
probably be addressed via e-mail.

mm


> Once you have a rootkit installed, you’ve lost the game. It’s too late
> at this point to provide security to your user.
>
> Why bother fighting a lost battle?

Actually, the battle only starts at this point …

Basically, there are 3 types of security problems - prevention, detection and cleaning. You seem to be aware only of prevention, but the OP, apparently, is trying to solve the detection/removal problem.

Detection in itself is not so complex a task, but identification and cleaning may prove to be much more challenging…

Anton Bassov

I am writing a rootkit detector, so I want to enumerate keys hidden by the rootkit. I want to detect it, not remove or clean it.

>Basically, there are 3 types of security problems - prevention, detection and cleaning. You seem to be aware only of prevention, but the OP, apparently, tries to solve detection/removal problem.

With regard to user mode I agree completely with your three
points of security. However, regarding kernel-mode rootkits, prevention
is key. After the system has been compromised at this level,
detection/removal on a live system is a fool’s errand. During an audit,
the file system and registry need to be inspected off-line; there is no
secure alternative.

> Detection in itself is not so complex a task, but identification and cleaning may prove to be much more challenging…

This is very true on a live system, especially cleaning. Regarding what the OP is wanting to do…
Trying to dynamically locate the original address of a function that isn’t exported and remove a hook
that was placed by some random malware is, to say the least, a crash-prone approach, if even possible.

Once a system has a rootkit in it, no system calls can be trusted.

Usually, I’m one of the people who beat the drum about “compromised system = game over”. Unfortunately, there really is no reliable way to do this, and lots of people have pointed out why. But that’s not terribly helpful, if you’ve already decided to go down this path.

The best approach (to an awful problem) is probably to carry a table of known addresses of NtEnumerateKey in your component. You can probably search the PE/COFF headers of the in-memory image of NTOSKRNL.EXE and find the timestamp field, and use that as a key in your table. You’ll need to update your code every time a new version of the kernel is released, but frankly that is easier than all of the other approaches. It isn’t general, but it’s easy and reliable. In fact, you’ll probably need a table that maps (kernel-timestamp, system-service-index) -> address. You could even sample the first 32 bytes or so of each function’s implementation, store that in your table, and verify that the bytes match in the running kernel, to reduce the chance of getting it wrong. The PE/COFF module timestamps are the key though – declared version numbers are unreliable, but these timestamps are reliable.

You’ll have to be very careful about making sure that you’re using the timestamp field correctly, that you pulled it from the right location, and that the kernel was loaded at the same virtual address range that you expected. This is all horrible stuff for a driver or other system component, but since you’re *already* starting with a tainted kernel, hey, you can only go up, right?

Disclaimer: I do NOT endorse this approach, or make any promises about its safety, blah blah blah, and my employer certainly does not, either. I’m just pointing out what may be a viable approach. If you use this, you use it at your own risk.


> This is very true on a live system, especially cleaning. Regarding what the OP is wanting to do…

The main issue here is not what you want to do but how “well” the rootkit is written, i.e. how advanced its self-hiding scheme is and what it does in order to avoid identification…

Anton Bassov

See if WinDbg is able to detect it with !chkimg -d:

lkd> !chkimg -d nt
80502604-80502607 4 bytes - nt!KiServiceTable+7c
[8c 41 57 80:c0 7f de 81]
4 errors : nt (80502604-80502607)
lkd> u poi(nt!KiServiceTable+7c)
81de7fc0 8b542420 mov edx,dword ptr [esp+20h]
81de7fc4 52 push edx
81de7fc5 8b542420 mov edx,dword ptr [esp+20h]
81de7fc9 a12cefe281 mov eax,dword ptr ds:[81E2EF2Ch]
81de7fce 52 push edx
81de7fcf 8b542420 mov edx,dword ptr [esp+20h]
81de7fd3 8b08 mov ecx,dword ptr [eax]
81de7fd5 52 push edx
lkd> u

This is a hook by Norton on nt!NtConnectPort.

You can check this thread, especially Chris Carr’s last reply:
http://www.osronline.com/showThread.cfm?link=95441

And then the journey is only just starting.

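As an added example (not code from the thread or from any of its authors), here are the two checks discussed above in working form: Arlie’s table keyed by the kernel’s PE TimeDateStamp, with a byte-compare of each routine’s first bytes, and the sanity check implicit in raj’s !chkimg output, where the hooked slot points to 81de7fc0, well outside the nt image. The program parses the PE header of an in-memory image for TimeDateStamp and SizeOfImage, looks the build up in a (timestamp, service index) -> RVA table, and classifies an SSDT slot as clean, outside the kernel image, pointing at the wrong place inside it, or pointing at the right place whose first bytes were altered (an inline patch that an address table alone would miss). Everything in it is constructed sample data built in memory: the timestamp, the load address, the service index, the image bytes and the table; the only value taken from the thread is 81de7fc0. Nothing reads a live kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 8  /* Arlie suggests ~32 bytes; 8 keeps the sample short */

/* One table row: (kernel TimeDateStamp, service index) -> RVA, plus the routine's first bytes. */
typedef struct {
    uint32_t timestamp;
    uint32_t index;
    uint32_t rva;
    uint8_t  prologue[PROLOGUE_LEN];
} KnownService;

/* OK; not a PE / build not in table; entry outside image; entry inside image but wrong; code bytes altered */
typedef enum { SSDT_OK, SSDT_UNKNOWN_KERNEL, SSDT_OUTSIDE_IMAGE, SSDT_ADDR_MISMATCH, SSDT_BYTES_MISMATCH } SsdtVerdict;

/* Read TimeDateStamp and SizeOfImage from a PE image mapped in memory; 0 on success, -1 if not a PE image. */
static int read_pe_info(const uint8_t *img, size_t len, uint32_t *timestamp, uint32_t *size_of_image)
{
    uint32_t e_lfanew;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    memcpy(&e_lfanew, img + 0x3c, 4);
    /* need "PE\0\0" (4) + IMAGE_FILE_HEADER (20) + optional header through SizeOfImage (0x3c) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 0x3c) return -1;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;
    memcpy(timestamp, img + e_lfanew + 4 + 4, 4);             /* IMAGE_FILE_HEADER.TimeDateStamp */
    memcpy(size_of_image, img + e_lfanew + 4 + 20 + 0x38, 4); /* IMAGE_OPTIONAL_HEADER.SizeOfImage, PE32 and PE32+ */
    return 0;
}

/* Judge one SSDT slot: `entry` is its current value, `base` is where the kernel image is mapped. */
static SsdtVerdict check_ssdt_entry(const uint8_t *img, size_t len, uintptr_t base, uint32_t index,
                                    uintptr_t entry, const KnownService *table, size_t table_len)
{
    uint32_t ts, size;
    if (read_pe_info(img, len, &ts, &size) != 0) return SSDT_UNKNOWN_KERNEL;
    /* Cheapest check, and independent of the table: a service routine that lives outside the kernel image. */
    if (entry < base || entry >= base + size) return SSDT_OUTSIDE_IMAGE;
    for (size_t i = 0; i < table_len; i++) {
        if (table[i].timestamp != ts || table[i].index != index) continue;
        if (entry != base + table[i].rva) return SSDT_ADDR_MISMATCH;
        if ((size_t)table[i].rva + PROLOGUE_LEN > len) return SSDT_UNKNOWN_KERNEL; /* routine not in our copy */
        if (memcmp(img + table[i].rva, table[i].prologue, PROLOGUE_LEN) != 0) return SSDT_BYTES_MISMATCH;
        return SSDT_OK;
    }
    return SSDT_UNKNOWN_KERNEL;
}

/* ---- constructed sample data: not a real kernel build, load address or service index ---- */
#define SAMPLE_TS       0x46388AE7u
#define SAMPLE_BASE     0x80400000u
#define SAMPLE_RVA      0x200u
#define SAMPLE_IDX      0x47u
#define SAMPLE_E_LFANEW 0x80u
static const KnownService known_services[] = {
    { SAMPLE_TS, SAMPLE_IDX, SAMPLE_RVA, { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x10 } },
};
#define KNOWN_COUNT (sizeof known_services / sizeof known_services[0])
static uint8_t sample_image[0x400];

/* Build a minimal PE image: MZ stub, PE signature, file header, optional header, routine at SAMPLE_RVA. */
static void build_sample_image(void)
{
    uint32_t e_lfanew = SAMPLE_E_LFANEW, ts = SAMPLE_TS, size_of_image = 0x1000;
    memset(sample_image, 0, sizeof sample_image);
    sample_image[0] = 'M'; sample_image[1] = 'Z';
    memcpy(sample_image + 0x3c, &e_lfanew, 4);
    memcpy(sample_image + SAMPLE_E_LFANEW, "PE\0\0", 4);
    memcpy(sample_image + SAMPLE_E_LFANEW + 8, &ts, 4);
    memcpy(sample_image + SAMPLE_E_LFANEW + 4 + 20 + 0x38, &size_of_image, 4);
    memcpy(sample_image + SAMPLE_RVA, known_services[0].prologue, PROLOGUE_LEN);
}

typedef enum { SAMPLE_CLEAN, SAMPLE_INLINE_PATCH, SAMPLE_UNKNOWN_BUILD } SampleTamper;

/* Build the sample kernel, optionally tamper with it, then judge one SSDT value against it. */
static SsdtVerdict check_sample(SampleTamper tamper, uintptr_t entry)
{
    uint32_t other_ts = SAMPLE_TS + 1;
    build_sample_image();
    if (tamper == SAMPLE_INLINE_PATCH) sample_image[SAMPLE_RVA] = 0xe9;  /* jmp written over the prologue */
    if (tamper == SAMPLE_UNKNOWN_BUILD) memcpy(sample_image + SAMPLE_E_LFANEW + 8, &other_ts, 4);
    return check_ssdt_entry(sample_image, sizeof sample_image, SAMPLE_BASE, SAMPLE_IDX, entry,
                            known_services, KNOWN_COUNT);
}

int main(void)
{
    static const char *names[] = { "ok", "unknown kernel build", "outside kernel image",
                                   "address mismatch", "routine bytes altered" };
    printf("clean slot:           %s\n", names[check_sample(SAMPLE_CLEAN, SAMPLE_BASE + SAMPLE_RVA)]);
    printf("slot -> 81de7fc0:     %s\n", names[check_sample(SAMPLE_CLEAN, 0x81de7fc0u)]);
    printf("slot moved inside nt: %s\n", names[check_sample(SAMPLE_CLEAN, SAMPLE_BASE + 0x300)]);
    printf("inline patch:         %s\n", names[check_sample(SAMPLE_INLINE_PATCH, SAMPLE_BASE + SAMPLE_RVA)]);
    printf("unknown build:        %s\n", names[check_sample(SAMPLE_UNKNOWN_BUILD, SAMPLE_BASE + SAMPLE_RVA)]);
    return 0;
}
```

The “unknown kernel build” outcome is deliberate: when the timestamp is not in the table the code says so instead of guessing, which is exactly the failure Arlie warns about each time a new kernel ships. The range check runs before the table lookup so that a slot pointing outside the image is flagged even on a build the table has never seen.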

Hmm, I would also say “game over”, but there are always some ways which can work until rootkit authors implement countermeasures.

What about the MS symbol server? It’d need a user-mode component. It shouldn’t be so hard to download the correct PDB for the kernel image (using the timestamp Arlie mentioned) and find all necessary symbols, including unexported ones. If the network or symbol server isn’t available, the hardcoded table Arlie recommended can be used as a backup solution. However, to be successful with the hardcoded approach, the code would have to be updated rather often: always when there is a new kernel hotfix available at Windows Update.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Arlie Davis[SMTP:xxxxx@microsoft.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, May 03, 2007 3:55 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to get address of NtEnumerateKey?

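Michal’s suggestion depends on the symbol server handing back the right PDB for the running kernel. As an added example (not code from the thread, from Michal or from Microsoft), here is how that lookup key is derived: the kernel’s debug directory carries a CodeView “RSDS” record, and its GUID and Age, printed as uppercase hex, form the key under which a symbol store files the PDB, at the path <pdb name>/<key>/<pdb name>. One caveat worth keeping straight: the PE TimeDateStamp (together with SizeOfImage) is the key a symbol store uses for the executable itself; the PDB is keyed by this GUID and Age. The record below is constructed sample data; a real tool would read it through the image’s IMAGE_DIRECTORY_ENTRY_DEBUG entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CodeView record layout: "RSDS" (4), GUID (16), Age (4), then a NUL-terminated PDB path. */
#define RSDS_HDR_LEN 24
#define SYMKEY_LEN   41   /* 32 hex digits of GUID + up to 8 hex digits of Age + NUL */

/* Write the symbol-server key (GUID as 32 uppercase hex digits, then Age in hex, no padding) to `out`.
   Returns a pointer to the PDB file name inside `rec`, or NULL if the record is malformed. */
static const char *rsds_symbol_key(const uint8_t *rec, size_t len, char *out, size_t outlen)
{
    uint32_t data1, age;
    uint16_t data2, data3;
    const char *pdb, *slash;
    int n;
    if (len < RSDS_HDR_LEN + 1 || outlen < SYMKEY_LEN || memcmp(rec, "RSDS", 4) != 0) return NULL;
    pdb = (const char *)rec + RSDS_HDR_LEN;
    if (memchr(pdb, '\0', len - RSDS_HDR_LEN) == NULL) return NULL;  /* path must end inside the record */
    /* GUID fields are little-endian in the record but printed in the usual {Data1-Data2-Data3-Data4} order */
    memcpy(&data1, rec + 4, 4);
    memcpy(&data2, rec + 8, 2);
    memcpy(&data3, rec + 10, 2);
    memcpy(&age, rec + 20, 4);
    n = snprintf(out, outlen, "%08X%04X%04X", (unsigned)data1, (unsigned)data2, (unsigned)data3);
    for (int i = 0; i < 8; i++) n += snprintf(out + n, outlen - n, "%02X", rec[12 + i]);
    snprintf(out + n, outlen - n, "%X", (unsigned)age);
    /* Symbol stores are keyed by file name; drop any directory part the linker recorded */
    slash = strrchr(pdb, '\\');
    return slash ? slash + 1 : pdb;
}

/* Compose the store-relative path "<pdb>/<key>/<pdb>"; 0 on success, -1 on a bad record or small buffer. */
static int rsds_symsrv_path(const uint8_t *rec, size_t len, char *out, size_t outlen)
{
    char key[SYMKEY_LEN];
    const char *pdb = rsds_symbol_key(rec, len, key, sizeof key);
    if (pdb == NULL) return -1;
    return snprintf(out, outlen, "%s/%s/%s", pdb, key, pdb) < (int)outlen ? 0 : -1;
}

/* Constructed RSDS record (GUID, Age and name are sample values, not a real kernel build). */
static const uint8_t sample_rsds[] = {
    'R', 'S', 'D', 'S',
    0x78, 0x56, 0x34, 0x12, 0xbc, 0x9a, 0xf0, 0xde, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
    0x02, 0x00, 0x00, 0x00,
    'n', 't', 'k', 'r', 'n', 'l', 'm', 'p', '.', 'p', 'd', 'b', '\0'
};

/* Helpers used by main() and by the tests. */
static const char *sample_symsrv_path(void)
{
    static char path[160];
    return rsds_symsrv_path(sample_rsds, sizeof sample_rsds, path, sizeof path) == 0 ? path : NULL;
}

static int sample_truncated_is_rejected(void)
{
    char path[160];
    /* Cut the record before the path's NUL terminator: it must be refused, not read past the end. */
    return rsds_symsrv_path(sample_rsds, sizeof sample_rsds - 1, path, sizeof path) == -1;
}

int main(void)
{
    printf("symbol store path: %s\n", sample_symsrv_path());
    printf("truncated record rejected: %s\n", sample_truncated_is_rejected() ? "yes" : "no");
    return 0;
}
```

The length checks matter more here than the formatting: on a machine you already suspect, the debug directory is just more attacker-reachable data, so a record whose PDB path is not terminated inside it is refused rather than scanned past its end.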

> Hmm, I would also say “game over” but there are always some ways which can work until rootkit authors implement countermeasures.

Indeed, there are some workarounds possible…

Unfortunately, I am unable to say that much on the topic due to the NDA that I have signed, but still I will
drop a hint about the possible direction of work - the INT 1 exception may be used for purposes other than debugging…

Anton Bassov

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@hotmail.com[SMTP:xxxxx@hotmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, May 04, 2007 1:58 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to get address of NtEnumerateKey?

> Unfortunately, I am unable to say that much on the topic due to the NDA that I have signed, but still I will
> drop a hint about the possible direction of work - the INT 1 exception may be used for purposes other than debugging…

Yes, to make customer OS a battlefield between rootkits and antirootkits :wink:

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

>Yes, to make customer OS a battlefield between rootkits and antirootkits :wink:

I believe the technical term for this is a “Norton Loop”. (at least in
usermode)

From the above discussion I have concluded that there are the following ways for me…

1> Create a table of function addresses according to OS version and use them while enumerating keys.

2> Get the address by searching for the function signature, i.e. the bit pattern in the function, and use that address.

3> Read the PE structures and resolve the addresses of the function.

Which do you think is better?