SecurityXploded.com
Hidden Rootkit Services Detection - www.SecurityXploded.com
 
 
Hidden Rootkit Services Detection
 
 
 
See Also
 
 
 
Contents
 
 
Introduction to Windows Services
Windows Service is a program executing in the background which is started automatically when Windows boots and runs as long as System is up and running. Service is designed to perform a specific function and generally does not interact with user.Compared to normal processes, Services normally run with 'System' privilege which allow them to perform higher privilege operations. Windows Service Manager (Services.exe) is responsible for managing all aspects of Services. Services can be managed using the built in 'Service Management Console' which can be launched through 'Administrative Tools' in Control Panel.

As services runs with highest privilege, most Rootkits implement services to keep control over the entire system.Though services operate in the background they can be seen through the 'Task Manager' or 'Service Management Console'. So it is important for the Rootkits to hide their services to prevent its detection.
 
 
 
How Rootkits Hide Services
Many Rootkits such as Hacker Defender, Vanquish use the Services not only to manage its operations but to remain under the cover. As services are visible to normal user, Rootkits use multiple techniques to hide their services.

One of the common way to list windows services is using EnumServicesStatus API function. So Rootkits generally hook this function and return the results by filtering out its services. As a result any Anti-Rootkit application which uses this method will fail to discover such Rootkit services.

Another way to list all services is by enumerating 'Services' registry key. Windows keeps the database of all installed services in the registry at following location .
 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
 
So application can manually enumerate through all the entries within this registry key to discover all the services. To hide from this technique, Rootkits hook the registry enumeration API functions and return the modified values thus deceiving the detection tools.

Detailed information about hiding registry entries and their detection is mentioned in the article [1]"Hidden Registry Detection".
 
 
 
Hidden Rootkit Services Detection Methods
As mentioned above, Rootkits use advanced techniques to hide their services from being detected by various Applications. Here are some of the methods which can be effectively used to detect most of such Rootkit services.
  •  Hidden Service Detection using 'Hook Bypass Method through Memory Mapping DLL'
  •  Hidden Service Detection by 'Enumerating Child Processes of Services.exe'
  •  Hidden Service Detection by 'Enumerating Processes with NtControlPipe'
  •  Hidden Service Detection by 'Enumerating Services Registry Key'
 
 
Hidden Services Detection using Hook Bypass Method through Memory Mapping DLL
This method rely on the fact that API hooking can be bypassed by directly mapping the DLL as an image rather than loading it through LoadLibrary function. This way any attempt by Rootkits to hook EnumServiceStatus function can be prevented by directly mapping the Advapi32.dll through CreateFileMapping API function. Then the EnumServiceStatus function within the mapped image is located and called directly thus bypassing the hooks leading to discovery of hidden Rootkit services.

However this is not the new method and it was initially used by IceSword (Anti-Rootkit tool). Later it was exposed by EiNSTeiN_ in his [2]'Hidden Service Detection' article.

Here is the complete code example which illustrates this technique.
 
typedef BOOL (WINAPI *LPFUN_ENUMSERVICESSTATUSEX) (
		  SC_HANDLE hSCManager,
		  SC_ENUM_TYPE InfoLevel,
		  DWORD dwServiceType,
		  DWORD dwServiceState,
		  LPBYTE lpServices,
		  DWORD cbBufSize,
		  LPDWORD pcbBytesNeeded,
		  LPDWORD lpServicesReturned,
		  LPDWORD lpResumeHandle,
		  LPCTSTR pszGroupName
		);
						
						
 BOOL DetectHiddenServicesUsingHookBypassMethod
                               (SC_HANDLE scManager)
 {
 char WinSysDir[MAX_PATH];
 char advapiPath[MAX_PATH*2];

   GetSystemDirectory(WinSysDir, MAX_PATH);
   sprintf_s(advapiPath, MAX_PATH*2, 
			 "%s\\advapi32.dll", WinSysDir);
   
   HANDLE hFile = CreateFile(advapiPath, 
   			     GENERIC_READ | GENERIC_EXECUTE , 
   			     FILE_SHARE_READ, 
   			     0, 
   			     OPEN_EXISTING, 
   			     0,
   			     0);
   
   if( hFile == INVALID_HANDLE_VALUE )
   {
   	printf("%s : Failed to open %s, Error=0x%.8x", 
	              __FUNCTION__, advapiPath, GetLastError());
   	return FALSE;
   }
   	
   HANDLE hMappedFile = CreateFileMapping(hFile, NULL, 
                  PAGE_EXECUTE_READ |SEC_IMAGE, 0, 0, NULL);
   
   if( hMappedFile == NULL )
   {
   	printf("%s : Failed to create file 
	             mapping for advapi32.dll", __FUNCTION__); 
   	CloseHandle(hFile);
   	return FALSE;
   }
   
   CloseHandle(hFile);
   
   LPVOID addrMappedDll = MapViewOfFile(hMappedFile, 
              FILE_MAP_READ | FILE_MAP_EXECUTE , 0, 0, 0);
   
   if( addrMappedDll == NULL )
   {
   	printf("%s : Failed to map view 
	             of flle advapi32.dll", __FUNCTION__);
   	CloseHandle(hMappedFile);
   	return FALSE;
   }
   
   CloseHandle(hMappedFile);

   LPFUN_ENUMSERVICESSTATUSEX MappedEnumServicesStatusEx = NULL;

   LPVOID addrDllBase = GetModuleHandle("advapi32.dll");
   MappedEnumServicesStatusEx = ( (DWORD)addrMappedDll + 
          ((DWORD)&EnumServicesStatusEx - (DWORD)addrDllBase) );
   
   printf("Org Advapi32 base address is  %p", addrDllBase);
   printf("Org EnumServiceStatus address is  %p", 
                                       &EnumServicesStatusEx);
   printf("Mapped Advapi32 address is %p", addrMappedDll);
   printf("Mapped enumservicesstatusEx address is %p", 
                                  MappedEnumServicesStatusEx);
   
   // Now enumerate services using 
   // mapped EnumServicesStatusEx function
  
   DWORD bytesNeeded ;
   DWORD countServices ;
   DWORD resumeHandle = 0;
   DWORD lastErrorCode;
   int totalCount=0;
   int curIndex=-1;
   BOOL retvalue;
   DWORD buffSize = sizeof(ENUM_SERVICE_STATUS_PROCESS) * 500;
   ENUM_SERVICE_STATUS_PROCESS *enumServices = NULL;
   
   while( 1 )
   {
       enumServices = 
	   ( ENUM_SERVICE_STATUS_PROCESS *) malloc( buffSize );
       
       if( enumServices == NULL )
       {
       	   printf("\n %s : 
		       Failed to allocated buffer", __FUNCTION__);
           break ;
       }
       
       retvalue = MappedEnumServicesStatusEx( scManager ,          
       				      SC_ENUM_PROCESS_INFO ,
       				      SERVICE_WIN32 ,     
       				      SERVICE_STATE_ALL , 
       				      enumServices ,     
       				      buffSize ,          
       				      &bytesNeeded ,      
       				      &countServices,     
       				      &resumeHandle,        
       				      NULL
       				      );
       
       
       // Error has occured ...
	   // not related to more data...so return

       lastErrorCode = GetLastError();
       if( retvalue == FALSE && lastErrorCode != ERROR_MORE_DATA )
       {
       	   free( enumServices );
       	   break;
       }
       
       for(int i = 0; i < countServices; i++ )
       {	
        // Check if this is hidden service 
		// by comparing with earlier results

        if( IsHiddenService(enumServices[i].lpServiceName) )
        {
       	 //We have found hidden service
       	 printf("\n Found hidden service %s ",
		                  enumServices[i].lpServiceName); 
        }
       }
       
       free( enumServices );
       
       // check if there are more services to be retrieved ...?
       if( (retvalue == FALSE) && 
	                   (lastErrorCode == ERROR_MORE_DATA) )
       	  buffSize = bytesNeeded ;
       else
          break; 
   }
   
   UnmapViewOfFile(addrMappedDll);
   
   return TRUE;
 } 
 
This method can effectively detect the Rootkits such as HackerDefender which hooks EnumServiceStatus function to hide its services. Though there is no currently known Rootkits which hide against this method, it is possible to bypass this detection mechanism by hooking file mapping functions and then extending API hooks to any mapped DLL image also.
 
 
 
Hidden Services Detection by Enumerating Child Processes of Services.exe
All Windows service processes are created by 'Service Manager Process' i.e. Services.exe. This fact can be used to list all the child processes created by Services.exe, thus possibly detecting all running services. Since the normal process enumeration function can be hooked by Rootkits, the best way to implement this technique is to directly use NtQuerySystemInformation function to enumerate all processes and then separating out the child processes created by Services.exe. Then this list can be compared with the normal list to find all hidden services.

Below is the sample code which uses this technique to uncover all running services.
 
BOOL IsChildProcess(int pidParent, int pidChild, HANDLE hprocess)
 {
   NTSTATUS status = STATUS_SUCCESS;
   PROCESS_BASIC_INFORMATION procInfo;
   
   status = NtQueryInformationProcess(hprocess,
   				   ProcessBasicInformation,
   				   &procInfo,
   				   sizeof(procInfo),
   				   NULL
   				   );
   
   if( status == STATUS_SUCCESS )
   {
       if( procInfo.ParentProcessId == pidParent )
   	return TRUE;
   }
   
   return FALSE;
 }


 void DetectHiddenServices(int pidService)
 {
    NTSTATUS status = STATUS_SUCCESS;
    DWORD dwSize = 800000;
    void *bufHandleTable = malloc(dwSize);;
    
    status = NtQuerySystemInformation
	   (SystemHandleInformation, bufferHandleTable, dwSize, 0);

    if( status != STATUS_SUCCESS )
    {
	//failed 
	return;
    }

   HANDLE hprocess; 
   SYSTEM_HANDLE_INFORMATION *HandleInfo = 
                   (SYSTEM_HANDLE_INFORMATION *) bufHandleTable;

   for(int i=0; i< HandleInfo->NumberOfHandles; i++)
   {
   	int pid = HandleInfo->Handles[i].UniqueProcessId;
   	
	//If this process is services.exe then ignore
	if( pidService == pid )
            continue;

	hprocess = 
	OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 
                               false,
                               pid);
		
	if( hprocess == NULL )
	    continue;

	if( IsChildProcess(pidServices, pid, hprocess) )
	{
	   printf("Found service process %d", pid);
	}

	CloseHandle(hprocess);
   }


 }
 
Although this technique can be easily thwarted by hooking the NtQuerySystemInformation in the Kernel, it presents simple way to detect services hidden by userland Rootkits.
 
 
 
Hidden Services Detection by Enumerating Processes with 'NtControlPipe' Handle
This method relies on the fact that every Windows service interacts with 'Service Manager Process' (services.exe) through named pipe. This named pipe has the name 'NtControlPipe**' where ** indicates the start order of that service. So by enumerating all the processes having handle 'NtControlPipe**' one can list all running services. Then this list can be compared with normal services discovered through EnumServiceStatus function to uncover the hidden service processes.

Here is the sample code below which uses this technique.
 
NTSTATUS status = STATUS_SUCCESS;
 DWORD dwSize = 800000;
 void *bufHandleTable = malloc(dwSize);;

 status = NtQuerySystemInformation(SystemHandleInformation, 
			bufferHandleTable, dwSize, 0);

 if( status != STATUS_SUCCESS )
 {
 //failed 
 return;
 }

 HANDLE hprocess,hCopy; 
 IO_STATUS_BLOCK iostatus;
 int pid;
 BOOL bResult;


 SYSTEM_HANDLE_INFORMATION *HandleInfo = 
		(SYSTEM_HANDLE_INFORMATION *) bufHandleTable;

 PFILE_NAME_INFORMATION pNameInfo = 
	(PFILE_NAME_INFORMATION)malloc( MAX_PATH * 2 * 2); 

 int dwInfoSize = MAX_PATH * 2 * 2;


 for(int i=0; i< HandleInfo->NumberOfHandles; i++)
 {
 int pid = HandleInfo->Handles[i].UniqueProcessId;
 //If this process is services.exe then ignore
 if( pidService == pid )
		continue;

 //Check for only file handles
 //For XP HANDLE_TYPE_FILE is 28
 if( HandleInfo->Handles[i].ObjectTypeIndex ==  HANDLE_TYPE_FILE)
 {
	hprocess = 
	OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION, 
					   false, 
					   pid
					   );

	if( hprocess == NULL )
	   continue;

	bResult = DuplicateHandle(hprocess, 
			(HANDLE)HandleInfo->Handles[i].Handle, 
			GetCurrentProcess(), 
			&hCopy, 
			MAXIMUM_ALLOWED, 
			FALSE, 
			0);
				   
   if( bResult == FALSE )
	  continue;

   status = NtQueryInformationFile(hCopy, 
			&iostatus, 
			pNameInfo, 
			dwInfoSize, 
			FileNameInformation);

   if( status == STATUS_SUCCESS )
   {
	// check if this handle is named 
	// pipe with name 'ntcontrolpipe'

	wcslwr(pNameInfo->FileName); 
	if( wcsstr( pNameInfo->FileName, L"ntcontrolpipe") )
	{
	 //Found the service, now check if its hidden service 
	 if( IsHiddenService(pid) )
	 {
		printf("Found hidden service %d", pid);
	 }
		
	}
   }
	
   CloseHandle(hCopy);
   CloseHandle(hprocess);
  }
       
} //End of for loop
 
But this code hangs when NtQueryInformationFile tries to get the name of named pipe. However it works greatly when executed inside the kernel. Even the [3] Process Explorer from Sysinternals uses the driver to enumerate process handles. It may be possible to successfully implement this method in the user land itself through some innovative way.
 
 
 
Hidden Services Detection by Enumerating Services Registry Key
As mentioned earlier, Windows stores all installed services under the following registry key,
 
 HEKY_LOCAL_MACHINE\System\CurrentControlSet\Services'
 
Normally Rootkits hides their service entries under this key by using variety of registry hiding technique. As a result any attempt to discover these hidden services using standard registry functions will fail. However these hidden keys can be successfully uncovered as explained in the article [1]'Hidden Registry Detection'.

Though many Rootkits uses combination of methods to hide their services, there are some (for example Vanquish Rootkit) which uses only this technique to hide its services. As a result such services are shown even in normal query through EnumServiceStatus function. So in order to effectively mark it as Rootkit, one has to use this method of detection as well.
 
 
 
Conclusion
This article described variety of techniques to detect the hidden Rootkit services. Even though most of the times one method is enough to uncover the hidden services, its good idea to combine multiple techniques to make the detection process more robust and successful.

Though the 'Hidden Rootkit Services' detection techniques presented here are effective ones, often they are not enough considering the evolving trend of emerging Rootkits. In that context this article only serves as basic footsteps towards more sophisticated detection methods.
 
 
 
References
1. Hidden Registry Detection to Uncover the Rootkits
2. Hidden Service Detector
3. Process Explorer from Sysinternals
 
 
 
See Also