Description:

This is Part 2 of the rootkits primer created by Corey from WatchGuard . Begin by watching Part 1 , if you have not done so already. In this video Corey dives deeper into how rookits work under the hood. There are many techniques a rootkits use in the wild to cover their presence. These include - Import address table (IAT) hooks, system service descriptor table (SSDT) hooking, writing layered filter drivers, direct kernel object manipulation and inline function hooking.The Hacker Defender rootkit uses inline function hooking to hide itself and its activites from the user. Inline function hooking is more advanced than IAT or SSDT hooking. Instead of replacing pointers in a table, which we will show in a later article is easy to detect, an inline function hook replaces several bytes in the original function. Usually the rootkit adds an unconditional jump from the original function to the rootkit code. Many Windows API functions begin with a standard preamble. For an inline function hook, the rootkit saves the original bytes in the function it is overwriting in order to preserve the same functional behavior. Then, it overwrites a portion of the original with a jump to the rootkit code. Notice that the rootkit can safely overwrite the first five bytes of the function because that is the same amount of space required for many types of jumps or for a call instruction, and it is on an even instruction boundary. Now the rootkit can jump to the original code plus some offset and modify what the original operating system function returned. Inline function hooking has many legitimate uses as do most rootkit techniques. Microsoft Research first documented inline function hooking at a conference. Today, Microsoft has expanded its usage far beyond just research. They have titled it "hot patching," which allows a system to be patched without rebooting.This video described the inline function hooking process in the context of the Hacker Defender Rootkit in detail. Thanks to SecuMania.org for posting these videos. Enjoy!