GSoC Project #3 - Qebek: QEMU Based Sebek

NtDeviceIoControlFile

chengyu.song — Thu, 30 Jul 2009 12:01:41 -0400

As the console spy is almost finished, the next stage is mainly for network activities. Sebek Win32 version uses TDI hook to get this done. However, since getting driver object in virtualization layer is hard and TDI is TDI is on the path to deprecation, I need to find another way. The best solution seems to be hooking NtDeviceIoControlFile, the API Windows uses to do network related stuff and has been widely mentioned in malware behavior analysis papers. After some days of searching, I encounter a very useful resources today, a master thesis from TTAnalyze team:

Chinese Chapter

stack crash?

chengyu.song — Fri, 26 Jun 2009 14:06:18 -0400

This phenomenon is first observed when I tried the NtReadFile test last week, sometimes when the postNtReadFile is called, the handle value, buffer address and buffer size got from the stack is quite different from values got in preNtReadFile. I didn't pay much attention to this problem that time, but, when I tried to debug the NtSecureConnectPort API with WinDBG today, this phenomenon appeared again. So I did a further study on it.

First, I set a break point at nt!NtSecureConnectPort:

GSoC Project #3 - Qebek: QEMU Based Sebek

QEMU dyngen

chengyu.song — Sun, 21 Jun 2009 10:08:22 -0400

This is supposed to be the first Qebek blog, but unfortunately, it cannot pass the check of mod_security (even today), so I posted here.

GSoC Project #3 - Qebek: QEMU Based Sebek

Precall and Postcall

chengyu.song — Sun, 14 Jun 2009 12:43:13 -0400

When using hooking technology to intercept system calls, there are two different places to collect information: before the original function is called (precall) and after the original function returns (postcall). For example, in Sebek Win32 client, when callback function OnZwReadFile is called, it first calls the original function s_fnZwReadFile, after the original function returns, it checks whether the original call succeeds, if does, it then calls the data collection function LogIfStdHandle:

GSoC Project #3 - Qebek: QEMU Based Sebek

Is Handle Std

chengyu.song — Thu, 11 Jun 2009 11:32:37 -0400

Sebek Windows client has two keystroke sources, one is read or write std stream, the other is csrss port. In the callback function of NtReadFile and NtWriteFile, Sebek will check if the given file handle match one of the three standard stream handles. if matches, it then logs the given data of keystrokes:

GSoC Project #3 - Qebek: QEMU Based Sebek

Get system call address from SSDT

chengyu.song — Sun, 7 Jun 2009 06:24:44 -0400

One difference in Qebek from other existing virtualization based honeypot monitoring tool is that I want to 'hook' the function of system service instead of the dispatcher, more precisely, the 'sysenter' or 'int 2e' instruction. This is similar to the difference between SSDT (System Service Descriptor Table) hook and kernel inline hook. However, doing it this way must face a problem: how to get the function address? One way is get it directly from SSDT.