Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
PIQUE PoC Delivery
Direct Kernel Object Manipulation (DKOM)
Raytheon Blackbird Technologies, Inc.
29 December 2014
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Executive Summary
(U) Direct Kernel Object Manipulation (DKOM) is a rootkit technique for hiding processes,
drivers, and files from system tools such as the task manager. Process hiding via DKOM
is accomplished by modifying the doubly linked list of active processes so that the
forward and backward pointers (FLINK and BLINK) of the entries adjacent to the target
process "point around" it. The task manager and other enumeration tools identify running
processes by walking the FLINKs and BLINKs of the EPROCESS list, so once those pointers
are modified the process becomes "hidden" from them, as depicted in Figure 2. The hidden
process itself keeps running, because the scheduler works from thread objects rather than
from this list.
(U) As discussed at recent TEMs, we decided to produce a DKOM Proof-of-Concept (PoC) for
Windows 8.1 64-bit. The reason for writing a DKOM PoC for Windows 8.1 is to provide a PoC
that has a longer 'shelf-life' going forward than one written against Windows Vista or
Windows 7. We had originally investigated using user-mode API calls to ZwSystemDebugControl()
to implement the PoC, but determined through research that it is not practical for Windows 8.1.
We have therefore focused our attention on writing a device driver and a user application to
call the driver, as briefed at recent TEMs.
(U) It was our hope and intention to have this PoC ready for delivery on December 23rd and
indications as late as Monday December 22nd were that we would be able to meet that deadline,
but we ran into some issues during testing. The issues we encountered during testing are
described later. All other PoCs and Analysis Reports were delivered as scheduled on December
23rd. We anticipate this PoC to be completed shortly after the holidays.
(U) We have the device driver and user application designed and coded. Both are compiling and
the device driver is installing properly on the target Windows 8.1 64-bit machine. However,
when the user application is executed, the target BSODs. It appears the issue is related to kernel
memory and we are in the process of investigating. We suspect the device driver is accessing the
wrong memory address in kernel space. We are very close to having the PoC functioning
properly and will have this difficult and complex PoC working in January.
2.0 (U) Description of the PoC Technique
(U) To implement this PoC we first need to locate the process's 'ActiveProcessList' entry (the
LIST_ENTRY that the kernel symbols name ActiveProcessLinks), which lives in the EPROCESS
structure and contains the FLINK and BLINK we need to adjust in order to hide the process of
our choosing. In Windows 8.1 64-bit this entry is at offset 0x2e8 in EPROCESS, as seen in
Figure 1. We have hardcoded the offset into our driver code for the purposes of this PoC, but
in a production capability we would check for the target Operating System build and plug the
correct offset into the code at runtime, since the offset changes between Windows versions.
(U) Once we have access to the FLINK and BLINK we modify them to point "around" the process
we want to hide, thereby making it "invisible" to the system task manager and to system
management tools that rely on the information provided by the process's FLINK and BLINK.
This high-level description of the PoC technique is depicted in Figure 2.
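The unlink described in this section and in the Executive Summary, as an added example that is not code from the Raytheon report: a user-mode C model of the ActiveProcessLinks unlink, followed by the cross-view check a defender would run against it. LIST_ENTRY, CONTAINING_RECORD, InsertTailList and RemoveEntryList follow the WDK definitions; FAKE_EPROCESS and its layout, the process names and PIDs, the pool array standing in for the kernel's second view of process objects, and the functions setup_processes, find_by_pid, count_linked, dkom_hide_process, process_exit and find_hidden are constructed for the demonstration and are not the PoC driver's own code or API.

```c
/* Added example, not from the Raytheon report.  Everything here is a
 * user-mode model of the kernel structures DKOM touches; no real kernel
 * memory is involved.  Builds with any C99 compiler. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Stand-in for EPROCESS (assumed layout).  The real object is far larger;
 * on Windows 8.1 x64 ActiveProcessLinks sits at offset 0x2e8, which is the
 * value the report hardcodes.  In a driver the offset would be selected per
 * OS build rather than taken from offsetof(). */
typedef struct _FAKE_EPROCESS {
    uint64_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* links the object into the active list */
    char       ImageFileName[16];
} FAKE_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define MAX_PROCS 8
static FAKE_EPROCESS g_pool[MAX_PROCS];     /* stand-in for the object pool: the second view */
static size_t        g_pool_used;
static LIST_ENTRY    g_PsActiveProcessHead; /* stand-in for nt!PsActiveProcessHead */
static uint64_t      g_hidden[MAX_PROCS];   /* PIDs reported by find_hidden() */

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Standard unlink, as the kernel performs on process teardown. */
static void RemoveEntryList(LIST_ENTRY *e)
{
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* Build a constructed process list (names and PIDs are made up). */
void setup_processes(void)
{
    static const char *names[] = { "System", "csrss.exe", "explorer.exe", "payload.exe", "notepad.exe" };
    g_PsActiveProcessHead.Flink = g_PsActiveProcessHead.Blink = &g_PsActiveProcessHead;
    memset(g_pool, 0, sizeof g_pool);
    g_pool_used = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        FAKE_EPROCESS *p = &g_pool[g_pool_used++];
        p->UniqueProcessId = 4 * (i + 1);                        /* 4, 8, 12, 16, 20 */
        strncpy(p->ImageFileName, names[i], sizeof p->ImageFileName - 1);
        InsertTailList(&g_PsActiveProcessHead, &p->ActiveProcessLinks);
    }
}

/* Walk the list from the head: this is the view task-manager-style enumeration sees. */
FAKE_EPROCESS *find_by_pid(uint64_t pid)
{
    for (LIST_ENTRY *e = g_PsActiveProcessHead.Flink; e != &g_PsActiveProcessHead; e = e->Flink) {
        FAKE_EPROCESS *p = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid)
            return p;
    }
    return NULL;
}

size_t count_linked(void)
{
    size_t n = 0;
    for (LIST_ENTRY *e = g_PsActiveProcessHead.Flink; e != &g_PsActiveProcessHead; e = e->Flink)
        n++;
    return n;
}

/* The DKOM step: the neighbours' FLINK/BLINK are made to point around the
 * target.  The target's own links are then pointed at itself so that the
 * kernel's RemoveEntryList at process exit rewrites only the hidden entry,
 * not two neighbours that may have changed or been freed since the unlink. */
int dkom_hide_process(uint64_t pid)
{
    FAKE_EPROCESS *p = find_by_pid(pid);
    if (p == NULL)
        return 0;
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    RemoveEntryList(e);
    e->Flink = e->Blink = e;
    return 1;
}

/* Simulate the kernel tearing the process down: unlink, then free the slot. */
void process_exit(uint64_t pid)
{
    for (size_t i = 0; i < g_pool_used; i++)
        if (g_pool[i].UniqueProcessId == pid) {
            RemoveEntryList(&g_pool[i].ActiveProcessLinks);
            g_pool[i].UniqueProcessId = 0;
            return;
        }
}

/* Cross-view detection: every live object in the pool must be reachable by
 * walking the list; anything live but unreachable has been unlinked. */
size_t find_hidden(void)
{
    size_t n = 0;
    for (size_t i = 0; i < g_pool_used; i++) {
        uint64_t pid = g_pool[i].UniqueProcessId;
        if (pid != 0 && find_by_pid(pid) == NULL)
            g_hidden[n++] = pid;
    }
    return n;
}

int main(void)
{
    setup_processes();
    printf("before: %zu linked\n", count_linked());
    dkom_hide_process(16);                                    /* hide payload.exe */
    printf("after DKOM: %zu linked, pid 16 %s\n", count_linked(), find_by_pid(16) ? "found" : "not found");
    size_t n = find_hidden();
    for (size_t i = 0; i < n; i++)
        printf("cross-view: pid %llu live in pool but missing from list\n", (unsigned long long)g_hidden[i]);
    process_exit(16);                                         /* harmless thanks to the self-links */
    printf("after exit: %zu linked\n", count_linked());
    return 0;
}
```

Two points worth keeping in mind beyond the report's summary: the hidden process keeps running, because scheduling works from thread objects rather than from this list, and the hidden entry's own FLINK and BLINK must be pointed at itself, since otherwise the kernel's unlink at process exit writes through stale pointers into neighbours that may since have been freed. The find_hidden check is the same cross-view idea memory-forensics tools use when they compare a list walk against a scan for process objects (Volatility's pslist versus psscan): an object that exists but is not on the list is the signature of exactly this technique.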