ProcL - Detect Hidden Processes
One of the inherent and malicious acts of any rootkit is to hide either itself or the victim process. One consequence of hiding processes is that even legitimate copies of system utilities fail to list information about the processes executing on the system. The inherent danger of a hidden process is that a prevention system which operates under the assumption that the underlying system behaves according to its specification will never see the intrusive processes, and will give the system owner a false sense of confidence that the system is normal and hence secure.
Hiding a process is particularly threatening because it represents malicious code running on your system that you are completely unaware of. Process hiding has a significant effect: many trojan, virus, spyware and rootkit writers use similar techniques to hide themselves and stay undetected as long as possible on target machines. Finding all the ways a rootkit might hide a process is just the first step in defending against rootkits. Detecting hidden objects is a promising new area in rootkit detection. Protection against hidden processes is necessary if you want to stay secure. Many antivirus and antispyware companies are falling behind, as they have not been able to come up with solutions for hidden processes. There are only a few tools that can detect hidden processes, but are you willing to pay a considerable amount of money for them?
We believe that the trend in attack tools is the continued advancement of means to hide the presence of intrusive processes.
In ProcL we use several different approaches to detect hidden processes. Essentially, we have designed and implemented a mechanism to combine all these approaches in one tool. Our methods of detecting hidden processes require the examination of each kind of kernel object: EPROCESS, ETHREAD, HANDLE and JOB.
Detection Methodology
-----------------------
ProcL uses several different approaches at two different levels (ring 3 and ring 0) of the operating system:
1. User-mode approaches:
- ToolHelp API
- EnumProcesses API
- Performance Data Helper (PDH)
- ZwQuerySystemInformation with the SystemProcessesAndThreadsInformation class
- Open handle scanning
- Process ID brute-forcing
- Scanning handles open in other processes
2. Kernel-mode approaches:
- EPROCESS list scanning
- PspCidTable scanning
- HandleTableList scanning
- Scheduler thread list scanning
- SwapContext hooking
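The cross-view idea behind the lists above, as an added example that is not part of ProcL or its code: collect the set of PIDs reported by several user-mode enumeration methods (ToolHelp, EnumProcesses and an OpenProcess brute-force over the PID range) and flag any PID that one view reports but another omits. The collectors call the Win32 APIs through ctypes and only run on Windows; `cross_view()` itself is platform-independent and would accept a kernel-mode view (for example PIDs read from the PspCidTable by a driver) as just another set. Constant values are taken from the Win32 SDK; the PID upper bound, the view names and the function names are my assumptions.

```python
"""Cross-view hidden-process detection (added example, not ProcL's own code)."""
import ctypes
import sys
from typing import Dict, Set

# Win32 SDK constants.
TH32CS_SNAPPROCESS = 0x00000002
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_ACCESS_DENIED = 5
MAX_PID_TO_PROBE = 0x10000  # assumed upper bound for the brute-force view


def cross_view(views: Dict[str, Set[int]]) -> Dict[int, Dict[str, bool]]:
    """Compare PID sets from several enumeration methods.

    Returns {pid: {view_name: seen}} for every PID that at least one view
    reports and at least one other view omits. A PID visible only to a
    low-level view (or to the brute force) is a candidate hidden process.
    """
    union: Set[int] = set().union(*views.values())
    discrepancies: Dict[int, Dict[str, bool]] = {}
    for pid in sorted(union):
        seen = {name: pid in pids for name, pids in views.items()}
        if not all(seen.values()):
            discrepancies[pid] = seen
    return discrepancies


def toolhelp_pids() -> Set[int]:
    """ToolHelp snapshot view (CreateToolhelp32Snapshot / Process32First/Next)."""
    from ctypes import wintypes

    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD),
                    ("th32DefaultHeapID", ctypes.c_size_t),  # ULONG_PTR
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD),
                    ("pcPriClassBase", wintypes.LONG), ("dwFlags", wintypes.DWORD),
                    ("szExeFile", ctypes.c_char * 260)]  # MAX_PATH

    k32 = ctypes.WinDLL("kernel32")
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    for fn in (k32.Process32First, k32.Process32Next):
        fn.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
        fn.restype = wintypes.BOOL
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
    pids: Set[int] = set()
    ok = k32.Process32First(snap, ctypes.byref(entry))
    while ok:
        pids.add(entry.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return pids


def enumprocesses_pids() -> Set[int]:
    """PSAPI view (EnumProcesses)."""
    from ctypes import wintypes
    arr = (wintypes.DWORD * 4096)()
    needed = wintypes.DWORD(0)
    ctypes.WinDLL("psapi").EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed))
    return {arr[i] for i in range(needed.value // ctypes.sizeof(wintypes.DWORD))}


def bruteforce_pids() -> Set[int]:
    """PID brute-force view: OpenProcess on every candidate PID.

    Either a handle or ERROR_ACCESS_DENIED means the PID exists, even if an
    enumeration API was hooked to omit it.
    """
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    pids: Set[int] = set()
    for pid in range(4, MAX_PID_TO_PROBE, 4):  # Windows PIDs are multiples of 4
        h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if h:
            pids.add(pid)
            k32.CloseHandle(h)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            pids.add(pid)
    return pids


def run_windows() -> Dict[int, Dict[str, bool]]:
    """Collect the three user-mode views and report disagreements (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("the user-mode collectors need Windows")
    views = {"toolhelp": toolhelp_pids(), "enumprocesses": enumprocesses_pids(),
             "bruteforce": bruteforce_pids()}
    # PID 0 (System Idle) can never be opened, so keep it out of the comparison.
    return cross_view({name: pids - {0} for name, pids in views.items()})


if __name__ == "__main__":
    for pid, seen in run_windows().items():
        print(pid, {name: ("seen" if ok else "MISSING") for name, ok in seen.items()})
```

A PID that only the brute-force view reports is the interesting case: the process exists in the kernel's eyes but both enumeration APIs omit it. The reverse (a PID listed by ToolHelp but not openable) is usually a race with a process that exited between the two collections, so run the views close together and repeat before drawing conclusions.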
What ProcL is NOT
---------------------
1. It may not work on Windows Vista (not tested).
2. ProcL cannot detect hidden modules, threads, drivers, files, folders or registry keys.
3. ProcL does not restore any hooks.
4. ProcL is not going to keep you rootkit free!
Future work
------------
1. Vista support
2. Process killing
3. XML output
| Attachment | Size |
|---|---|
| ProcL.zip | 157.52 KB |