It's Microsoft's fault

August 26, 2008

So the WIN32 platform, as you know, is based on modern code libraries.  This is how large coding projects have evolved over the years: through the development of reusable code called libraries.  The idea is that you can create a chunk of code to do something, say draw a picture, and then every application developer can use that code if it's part of the base operating system.

This has grown and grown and grown over the years of Windows versions in the form of the WIN32 API and its associated .DLLs that come with every OS.  Sounds great, right?  Sure!  Programming exploded, and you can google the stats for the impact of the software industry and the billions of Windows programs that enabled our modern capitalist economy.  Well, that's awesome; the only problem was that when Windows was developed, security was not a driving issue, code functionality was.  The same problem exists for *nix brands/distributions through the use of shared libraries.

This leads to the modern-day problem of malware being able to do basically whatever the hell it wants to do and successfully hide from modern security software protections.  If you can run executable code on a machine you can hook / filter / patch / delete / modify any of these important DLLs and code at the user level, the kernel level, or both.  Even in firmware code, but that's a different story.  Some call this cracking, some call this necessary.  Case in point: tons of debuggers, disassemblers, security software, anti-virus, anti-everything, et al. require the ability to extend and hook into critical system libraries to do stuff, for example to extend functionality, monitor things, modify operations, or fix a problem.

When a program is developed and compiled it is linked to DLLs that are loaded into the process space when it is executed.  These DLLs implement functions, but unfortunately Microsoft has six ways to Sunday to do DLL injection or code injection into process spaces and modify function addresses, which malware then uses to add hostile functionality such as bypassing host-based intrusion detection, firewalls, and proxies.  Typical processes that get injected are the web browser, the winlogon process, explorer.exe and any other .exe that can get executed, especially at run time via registry startup hooks.  Oh yeah, there are about a thousand of those, so good luck checking all that.

The REAL problem though is: do you REALLY want to be able to do this on production systems?  This stuff should be done in secure development environments.  Microsoft has tons of code called , and (think hotpatching), VERY POWERFUL, that can modify your system at will, not to mention hostile code which can do the same.  SO step back a minute.  So you're telling me that no matter what I do, my systems can basically be told what to do without my knowing if someone can run code on them, and you want me to entrust my business model or personal information (COKE formula, cancer cure, invention) to that kind of a RISK model??

There really should be some way to have a production configuration of the OS build not be extensible and hookable in this manner.  I believe VISTA has attempted to harden the OS against these types of attacks with signed drivers/code/libraries and all, but there are definitely ways around that, and many times, like exploit prevention mechanisms, they are easy to circumvent and voluntary, such as the optional compiler protection bits.
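As an added defensive check that is not part of the original post: a PowerShell script that lists the DLLs loaded into the commonly injected processes named above and flags any that are unsigned or loaded from outside the Windows and Program Files directories. The process names in `$targets` are assumptions; edit them for your environment.

```powershell
# Added example, not code from the original post. Lists DLLs loaded into a few
# processes that injectors commonly target and flags modules that are unsigned
# or loaded from outside the Windows / Program Files trees. Run elevated, from
# a PowerShell of the same bitness as the processes you inspect.
$targets = @('explorer', 'winlogon', 'iexplore', 'firefox', 'chrome')   # assumption: edit for your environment
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # drop ProgramFiles(x86) on 32-bit hosts where it is unset

# True when the module path sits under one of the trusted directory roots.
function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process -Name $targets -ErrorAction SilentlyContinue) {
    try {
        $modules = $proc.Modules
    } catch {
        # Typical causes: access denied, or 32-bit PowerShell looking at a 64-bit process.
        Write-Warning "Cannot enumerate modules of $($proc.Name) (PID $($proc.Id)): $_"
        continue
    }
    foreach ($m in $modules) {
        $sig     = Get-AuthenticodeSignature -FilePath $m.FileName
        $trusted = Test-TrustedPath -Path $m.FileName
        $signer  = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Report anything that is not validly signed or lives in an unexpected directory.
        if ($sig.Status -ne 'Valid' -or -not $trusted) {
            [pscustomobject]@{
                Process     = $proc.Name
                PID         = $proc.Id
                Module      = $m.FileName
                Signature   = $sig.Status
                Signer      = $signer
                TrustedPath = $trusted
            }
        }
    }
}

$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

On older Windows versions, catalog-signed system DLLs can report NotSigned, so treat the Signature column as a triage hint and confirm the on-disk file before acting on it.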

So you see my point.  ROOTKITS are a special set of software malcode that can basically hide everything from everything and do even more than that.  Rootkits are usually dropped and installed by malware to protect it from being discovered (think how much of an attack window is needed to walk off with the crown jewels given our highly connected, large-bandwidth pipes and the capacity of our modern storage devices).

There is tons of ANTI-ROOTKIT scanner software out there, most of it templated me-too crap that you can find at .  You can find rootkit software at and there are a couple of great books on it as well for the developer-minded.  Keep in mind that to be a powerful anti-rootkit you actually need to insert your own monitoring hooks sometimes, as some of this software does, but the good ones unhook things after they are done being used.

My two personal recommendations are and , both developed by Russians.  These two products do a TON of stuff, including the ability to remove and fix hooks, do secure deletes, force processes to kill themselves by erasing their process space memory, and enumerate every conceivable area that a product can hook into the system.  Some rootkits specifically attack these software packages if they are present on the systems, so they have methods to protect themselves from modification using code signing techniques.  Most people seem to LOVE RootkitRevealer by SysInternals/Microsoft, which is an outdated, not very functional piece of crap that you can't even run from the command line.  That is important functionality for corporate-wide scanning.  In fact, Microsoft actually hired the developer that wrote Rootkit Unhooker.  Not sure if he is still with them though.

Rootkit Unhooker
