Hidden Dynamic-Link Library Detection Test
Attention:

Regarding the discussions and speculation about this test and the tested software, I'd like to answer a few questions.

- Why am I testing software which isn't anti-rootkit software? Because I'd like to show whether this non-anti-rootkit software may be useful (or not) for hidden DLL detection.
- Why am I testing software which doesn't implement DLL detection? Once again, I'd like to show whether the tested software is useful for DLL detection or not.

Introduction:

Today's malware doesn't need to hide things like processes or device drivers any more. Instead of hiding a whole process, it can inject code into the target process(es). Malware also doesn't need to use a DLL (Dynamic-Link Library) to inject this code. It's obvious why malware uses DLLs instead of stealthier shellcode: both writing a DLL and injecting it into the target process are easier than writing portable shellcode. A considerable part of malware injects DLLs using the common methods; a smaller part injects DLLs using its own loaders. No matter how malware injects its DLL into the target process, without additional modifications the DLL will be visible to everyone.

To prevent detection of the injected DLL, malware can unlink it from the loader's doubly-linked module lists. This avoids detection by the simplest software. Some software instead queries virtual memory using the NtQueryVirtualMemory service to obtain information about all images mapped into the process address space; using this method, security software can show unlinked DLLs. The easiest way to avoid this kind of detection is to intercept NtQueryVirtualMemory. Currently I don't know of any malware which uses the most effective DLL hiding method, based on VAD (Virtual Address Descriptor) modifications (if someone has a sample, please let me know). Almost all processes (the System process aside) have their own VAD tree, which contains descriptors of the allocated virtual memory. Each valid descriptor corresponds to a control area structure, which contains pointers to the file object and segment structures. I saw a Chinese solution for avoiding DLL detection by erasing the file name inside the file object, but it wasn't the best solution. To avoid helping malware, I will not provide detailed information about the last two methods used in this test. I can only say that Invisible Dynamic-Link Library 1.0 doesn't use any hooks. I decided to use a device driver instead of direct kernel memory modification to manipulate the process object and its VAD tree.

Details:

Invisible Dynamic-Link Library 1.0 hides its DLL using the following methods:

- InLoadOrderModuleList - DKOM
- InMemoryOrderModuleList - DKOM
- InInitializationOrderModuleList - DKOM
- HashLinks - DKOM
- ProcessObject - MANIPULATION
- Vad - ERASING
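As an added example (not the page's code nor that of any tested tool), here is a Python/ctypes sketch of the detection method the Introduction describes: walk the process address space with VirtualQuery (NtQueryVirtualMemory underneath) and report every MEM_IMAGE allocation that the PEB loader lists do not mention. The cross-check itself is a pure function that runs on constructed data; the two enumeration helpers are Windows-only and assume the current process as the target. The structure layout and constant are the documented Win32 ones, the function and variable names are my own.

```python
"""Hidden-DLL cross-check: PEB loader lists vs. virtual-memory image mappings (added example)."""
import ctypes

MEM_IMAGE = 0x1000000  # MEMORY_BASIC_INFORMATION.Type for a region backed by a PE image

class MemoryBasicInformation(ctypes.Structure):
    # MEMORY_BASIC_INFORMATION; ctypes inserts the x64 padding after AllocationProtect by itself
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]

def find_unlinked_images(loader_bases, image_regions):
    """Return (base, path) for each MEM_IMAGE allocation that the loader lists do not report.
    loader_bases: module bases from the PEB loader lists; image_regions: (allocation_base,
    mapped_file_name) pairs from an address-space walk. Pure, so it runs on constructed data."""
    seen, hidden = set(), []
    for base, path in image_regions:
        if base not in loader_bases and base not in seen:
            seen.add(base)
            hidden.append((base, path))
    return hidden

def _win32():
    """Windows only: resolve kernel32/psapi and declare the signatures this example relies on."""
    k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.VirtualQuery.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
    psapi.EnumProcessModules.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p]
    psapi.GetMappedFileNameW.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong]
    return k32, psapi

def loader_module_bases():
    """Windows only: module bases as the PEB loader lists report them (EnumProcessModules walks those lists)."""
    k32, psapi = _win32()
    mods, needed = (ctypes.c_void_p * 2048)(), ctypes.c_ulong()
    psapi.EnumProcessModules(k32.GetCurrentProcess(), mods, ctypes.sizeof(mods), ctypes.byref(needed))
    return set(mods[: needed.value // ctypes.sizeof(ctypes.c_void_p)])

def image_regions_of_current_process():
    """Windows only: walk the address space with VirtualQuery, one entry per MEM_IMAGE allocation."""
    k32, psapi = _win32()
    mbi, addr, regions = MemoryBasicInformation(), 0, {}
    while k32.VirtualQuery(addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):  # 0 return = end of user space
        if mbi.Type == MEM_IMAGE and mbi.AllocationBase not in regions:
            name = ctypes.create_unicode_buffer(1024)
            psapi.GetMappedFileNameW(k32.GetCurrentProcess(), mbi.BaseAddress, name, 1024)
            regions[mbi.AllocationBase] = name.value  # device-style path of the backing file
        addr = (mbi.BaseAddress or 0) + mbi.RegionSize
    return list(regions.items())
```

On Windows, `find_unlinked_images(loader_module_bases(), image_regions_of_current_process())` lists the images the loader lists omit; as the text notes, a hooked NtQueryVirtualMemory or an erased VAD blinds this check as well.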
Test Table (+ = the software still shows the DLL when it is hidden with that method, - = it does not):

| Software | InLoadOrder | InMemoryOrder | InInitializationOrder | HashLinks | ProcessObject | Vad |
|---|---|---|---|---|---|---|
| ArcaVir Process Manager 2010.0.0.6 | - | - | - | - | - | - |
| ATool 1.0021 | + | - | - | - | - | - |
| Dr.Web DwShark 1.0.0.11140 | + | + | + | + | + | - |
| Find_Hidden_Dll 0.1.1.1 | + | + | + | + | + | + |
| GMER 1.0.15.15281 | - | - | - | - | - | - |
| HookExplorer 1.0 | - | - | - | - | - | - |
| HookShark BETA 0.6 | + | + | + | + | - | - |
| IceSword 1.22 | + | + | + | + | - | - |
| KernelDetective 1.3.1 | + | + | + | + | + | - |
| kX-Ray 1.0.0.100 XP32 beta | + | + | + | + | + | - |
| MalwareDefender 2.5.0 | - | - | - | - | - | - |
| NhsScan 0.9.5 | - | - | - | - | - | - |
| ProcessWalker Express 5.4.1000.10 | + | - | - | - | - | - |
| RkU 3.8.382.584 | + | + | + | + | + | - |
| RootRepeal 1.3.5 | + | + | + | + | + | - |
| SEEM 4.5 | - | - | - | - | - | - |
| SpyDllRemover 2.5 | - | - | - | - | - | - |
| Spyware Process Detector 3.20 | + | - | - | - | - | - |
| SysInspector 1.2.021.0 | - | - | - | - | - | - |
| SysReveal 1.0.0.9 | + | + | + | + | + | - |
| VMMap 2.4 | + | + | + | + | - | - |
| XueTr 0.32 | + | + | + | + | + | + |
Summary:

I've tested twenty-one programs which show information about loaded DLLs. Some of them don't implement any kind of DLL detection method. Most of them have really lousy DLL detection mechanisms based on analysis of the doubly-linked lists. Only HookShark, IceSword and VMMap use the method based on querying virtual memory. Currently the most advanced DLL detection mechanism is implemented in XueTr 0.32. If any software isn't included in this comparison and you think it should be, please let me know; I will test it and add it to the comparison. Also, if you don't agree with the results of this comparison (some software should detect the hidden DLL at a given level), please let me know; I will test it again and correct the results. If you have any questions or suggestions regarding this test, please feel free to contact me. But please keep in mind that Invisible Dynamic-Link Library 1.0 is private software, which was made for test purposes only!

Updates:

- 22.11.2009 - retested - RkU 3.8.382.584
- 07.12.2009 - retested - KernelDetective 1.3.1 & XueTr 0.30
- 30.12.2009 - retested - SysReveal 1.0.0.9
- 14.01.2010 - retested - MalwareDefender 2.5.0 & kX-Ray v1.0.0.98*/kX-Ray v1.0.0.100 & XueTr 0.32
- 15.01.2010 - retested - GMER 1.0.15.15281
- 22.02.2010 - added - Find_Hidden_Dll (by Eric_71) 0.1.1.1

\* I made a mistake while testing kX-Ray v1.0.0.98 and earlier versions, which undoubtedly can detect Invisible Dynamic-Link Library 1.0 when it is hidden by the combination of Process Object manipulation and the earlier DLL hiding methods.

Please let me know if you would like me to retest any of this software. In the future I will not retest newly published software without a notification about its Dynamic-Link Library detection improvements.
Tested software:

- ArcaVir Process Manager 2010.0.0.6
- ATool 1.0021
- Dr.Web DwShark 1.0.0.11140
- Find_Hidden_Dll (by Eric_71) 0.1.1.1
- GMER 1.0.15.15281
- HookExplorer 1.0
- HookShark BETA 0.6
- IceSword 1.22
- KernelDetective 1.3.1
- kX-Ray 1.0.0.100 XP32 beta
- MalwareDefender 2.5.0
- NhsScan 0.9.5
- ProcessWalker Express 5.4.1000.10
- RkU 3.8.382.584
- RootRepeal 1.3.5
- SEEM 4.5
- SpyDLLRemover 2.5
- Spyware Process Detector 3.20
- SysInspector 1.2.021.0
- SysReveal 1.0.0.9
- VMMap 2.4
- XueTr 0.32