User Tools

Site Tools


windowsscope

Detecting the HackerDefender rootkit using WindowsSCOPE

10/04/2012

HackerDefender is a user-mode rootkit capable of hiding files, processes, system services, system drivers, registry keys and open ports. The HackerDefender rootkit also installs a hidden backdoor that can be used to access the infected computer. This rootkit involves system hooking of various APIs at the user or application space.

In this post, we perform a detailed forensic investigation of the HackerDefender rootkit in order to reverse engineer its functionality. Based on the research we have already done on this rootkit, we know that it is only visible while active in a system’s live memory (versus detection through disk-based investigation). For this reason, we use the WindowsSCOPE Pro 1.0 forensic and cyber analysis tool suite to view the system’s user-level and kernel-level volatile state. We expect both of them to be affected by HackerDefender. The tool’s comparison feature will also be useful in comparing changes in system state caused by the rootkit over time.

We use a virtual machine running Windows XP SP3. Two virtual memory snapshots are taken before and after installing the rootkit. Fig. 1 shows all the running processes on the infected machine.

Fig. 1. Running process on the infected machine

No suspicious process can be detected. However, a suspicious driver called “hxdefdrv.sys” is present in the driver list. This is the driver loaded by the HackerDefender rootkit as shown in Fig. 2.

Fig. 2. Suspicious driver

Note that HackerDefender configuration file offers the attacker the possibility to change the name of this driver to make it harder to detect. Here we kept the default driver name. Many rootkits proceed by hooking kernel APIs. Relevant DLLs to look at in order to find the HackerDefender hooks are kernel32.dll, ntdll.dll and advapi32.dll. We first compare the code of the kernel32 DLL dumped while analysing the winlogon.exe process after and before installing the rootkit. This is done using the compare feature of WindowsSCOPE. The comparison shows that the instructions at address 0x7C801810 are different. This is shown in Fig. 3. We disassemble the code of kernel32.dll on the infected computer and look around memory address 0x7C801810.

Fig. 3. Comparison of kernel32.dll on the sane and infected machines

The instruction at address 0x7C801812 is a JMP to the address 0x7FF93924, which is outside the kernel32.dll memory space (see Fig. 4). This is clearly a sign of a hook. In fact the instruction at this address should be a PUSH according to the original snapshot.

Fig. 4. Hook in the kernel32.dll

A look at the export table of kernel32.dll (Fig. 5) shows that 0x7C801812 is the export address of the ReadFile API. Hence we can conclude that the ReadFile API is hooked by the HackerDefender rootkit.

Fig. 5. Export table of kernel32.dll

Similar analysis in ntdll.dll and advapi32.dll show that the following APIs are hooked by HackerDefender:

  • Advapi32.EnumServiceStatusA
  • Advapi32.EnumServiceGroupW
  • Advapi32.EnumServiceStatusExA
  • Ntdll.NtQuerySystemInformation
  • Ntdll.NtQueryDirectoryFile
  • Ntdll.NtVdmControl
  • Ntdll.NtResumeThread
  • Ntdll.NtEnumerateKey
  • Ntdll.NtEnumerateValueKey
  • Ntdll.NtReadVirtualMemory
  • Ntdll.NtQueryVolumeInformationFile
  • Ntdll.NtDeviceIoControlFile
  • Ntdll.NtOpenProcess
  • Ntdll.NtCreateFile

The different JMP instruction used to hook the ntdll.dll APIs are shown in Fig. 6.

Fig. 6. Export table of kernel32.dll

The HackerDefender rootkit is one of the most popular Windows rootkits. Its kernel hooking capabilities make it hard to detect without dedicated tools. With its live memory acqusition and analysis, WindowsSCOPE enabled the detection and investigation of the behaviour of such a rootkit.

windowsscope.txt · Last modified: 2012/05/02 13:48 by al1108