NT Internals


Hidden Dynamic-Link Library Detection Test

Hidden Dynamic-Link Library Detection Test is the first part of the Hidden Data Detection Software test series. If you would like to see the other tests, please visit these pages:

- Hidden Process Detection Test
- Hidden Driver Detection Test

Attention:

Regarding the discussions and speculation about this test and the tested software, I'd like to answer a few questions.

- Why am I testing software which isn't anti-rootkit software?
- Because I'd like to show whether this non-anti-rootkit software is useful (or not) for hidden DLL detection.

- Why am I testing software which doesn't implement DLL detection?
- Once again, I'd like to show whether the tested software is useful for DLL detection or not.

Introduction:

Today's malware no longer needs to hide things like processes or device drivers. Instead of hiding a whole process, it can inject code into the target process(es). Malware also doesn't need to use a DLL (Dynamic-Link Library) to inject this code. It's obvious why malware uses DLLs instead of stealthier shellcode: both writing a DLL and injecting it into the target process are easier than writing portable shellcode. A considerable part of malware injects DLLs in the common ways; a smaller part injects DLLs using its own loaders. No matter how malware injects its DLL into the target process, without additional modifications the DLL will be visible to everyone. To prevent detection of the injected DLL, malware can unlink it from the loader's doubly-linked lists. This defeats detection by the simplest tools. Some software queries virtual memory with the NtQueryVirtualMemory service to obtain information about all images mapped into the current process address space; using this method, security software can show unlinked DLLs. The easiest way to avoid this kind of detection is to intercept NtQueryVirtualMemory. Currently I don't know of any malware which uses the most effective DLL hiding method, based on VAD (Virtual Address Descriptor) modifications (if someone has a sample, please let me know). Almost all processes (system process) have their own VAD tree, which contains descriptors of the allocated virtual memory. Each valid descriptor corresponds to a control area structure, which contains pointers to the file object and segment structures. I saw a Chinese solution for avoiding DLL detection by erasing the file name inside the file object, but it wasn't the best solution. Because malware could make use of them, I will not provide detailed information about the last two methods used in this test. I can only say that Invisible Dynamic-Link Library 1.0 doesn't use any hooks.
I decided to use a device driver instead of direct kernel memory modification to manipulate the process object and its VAD tree.
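The cross-view check described above (the loader's doubly-linked lists versus the virtual-memory view that NtQueryVirtualMemory provides), written out as an added example. This is not the page's test tool or any of the tested programs; it uses the documented psapi/kernel32 wrappers (EnumProcessModulesEx, VirtualQueryEx, GetMappedFileNameW) rather than calling NtQueryVirtualMemory directly, and the process id handling, module names and addresses in demo() are constructed for illustration.

```python
"""Cross-view check for DLLs unlinked from the PEB loader lists (added example).

list view   - module bases from EnumProcessModulesEx, which psapi reads out of the
              target's PEB loader lists (the lists the unlinking methods remove from).
memory view - every committed MEM_IMAGE allocation found with VirtualQueryEx and
              named with GetMappedFileNameW (a psapi wrapper over NtQueryVirtualMemory).
An image in the memory view but not in the list view has been unlinked.  A module
whose VAD entry was erased is absent from both views, so this check cannot see it.
Only list_view()/memory_view() need Windows; find_unlinked() and demo() run anywhere.
"""
import ctypes
import sys
from ctypes import POINTER, Structure, byref, c_int, c_size_t, c_uint32, c_void_p, c_wchar_p, sizeof

MEM_COMMIT = 0x1000
MEM_IMAGE = 0x1000000
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
LIST_MODULES_ALL = 0x03
MAX_CHARS = 1024


class MEMORY_BASIC_INFORMATION(Structure):
    # The x64-only PartitionId WORD is omitted; natural alignment pads RegionSize identically.
    _fields_ = [("BaseAddress", c_void_p), ("AllocationBase", c_void_p),
                ("AllocationProtect", c_uint32), ("RegionSize", c_size_t),
                ("State", c_uint32), ("Protect", c_uint32), ("Type", c_uint32)]


def _win32():
    """Bind the Win32 calls with explicit prototypes so 64-bit handles and pointers survive."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.restype = c_void_p
    k32.OpenProcess.argtypes = [c_uint32, c_int, c_uint32]
    k32.CloseHandle.argtypes = [c_void_p]
    k32.VirtualQueryEx.restype = c_size_t
    k32.VirtualQueryEx.argtypes = [c_void_p, c_void_p, POINTER(MEMORY_BASIC_INFORMATION), c_size_t]
    psapi.EnumProcessModulesEx.argtypes = [c_void_p, POINTER(c_void_p), c_uint32, POINTER(c_uint32), c_uint32]
    psapi.GetModuleFileNameExW.argtypes = [c_void_p, c_void_p, c_wchar_p, c_uint32]
    psapi.GetMappedFileNameW.argtypes = [c_void_p, c_void_p, c_wchar_p, c_uint32]
    return k32, psapi


def _open(k32, pid):
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    return handle


def list_view(pid):
    """{base address: Win32 path} for the modules the loader lists report (Windows only)."""
    k32, psapi = _win32()
    handle = _open(k32, pid)
    try:
        needed = c_uint32(0)
        psapi.EnumProcessModulesEx(handle, None, 0, byref(needed), LIST_MODULES_ALL)
        mods = (c_void_p * (needed.value // sizeof(c_void_p)))()
        if not psapi.EnumProcessModulesEx(handle, mods, sizeof(mods), byref(needed), LIST_MODULES_ALL):
            raise ctypes.WinError(ctypes.get_last_error())
        name = ctypes.create_unicode_buffer(MAX_CHARS)
        modules = {}
        for base in mods[:needed.value // sizeof(c_void_p)]:  # an HMODULE is the image base
            psapi.GetModuleFileNameExW(handle, base, name, MAX_CHARS)
            modules[base] = name.value
        return modules
    finally:
        k32.CloseHandle(handle)


def memory_view(pid):
    """{base address: device path} for every image-backed allocation in the target (Windows only)."""
    k32, psapi = _win32()
    handle = _open(k32, pid)
    try:
        mbi = MEMORY_BASIC_INFORMATION()
        name = ctypes.create_unicode_buffer(MAX_CHARS)
        images, addr = {}, 0
        # VirtualQueryEx returns 0 once addr passes the top of the user-mode range.
        while k32.VirtualQueryEx(handle, addr, byref(mbi), sizeof(mbi)):
            base = mbi.AllocationBase or 0
            if mbi.State == MEM_COMMIT and mbi.Type == MEM_IMAGE and base not in images:
                got = psapi.GetMappedFileNameW(handle, base, name, MAX_CHARS)
                images[base] = name.value if got else "<unnamed image>"
            addr = (mbi.BaseAddress or 0) + mbi.RegionSize
        return images
    finally:
        k32.CloseHandle(handle)


def find_unlinked(listed, mapped):
    """Images the memory view sees but the loader lists do not, keyed by base address
    (the two views return paths in different forms, so bases are what gets compared)."""
    return {base: path for base, path in mapped.items() if base not in listed}


def demo():
    """Constructed sample, not a real measurement: three listed modules plus one
    image mapping that no loader-list entry accounts for."""
    listed = {0x7FF65A000000: r"C:\app\victim.exe",
              0x7FFB10000000: r"C:\Windows\System32\ntdll.dll",
              0x7FFB0F200000: r"C:\Windows\System32\kernel32.dll"}
    mapped = dict(listed)
    mapped[0x7FFB00800000] = r"\Device\HarddiskVolume2\Temp\injected.dll"
    return find_unlinked(listed, mapped)


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) == 2:
        pid = int(sys.argv[1])
        hits = find_unlinked(list_view(pid), memory_view(pid))
    else:
        hits = demo()
    for base, path in hits.items():
        print(f"unlinked image at {base:#x}: {path}")
```

Because the scanner issues VirtualQueryEx from its own process, an NtQueryVirtualMemory hook installed inside the target does not change what the memory view returns; a kernel-level interception or a modification of the target's VADs is what it takes to hide from this check, which is why the Vad column of the test tables is the one almost every tool fails.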

Details:

Invisible DLL 1.0/1.1 hides its DLL using the following methods:

- InLoadOrderModuleList - UNLINKING
- InMemoryOrderModuleList - UNLINKING
- InInitializationOrderModuleList - UNLINKING
- HashLinks - UNLINKING (fixed in Invisible DLL 1.1)
- ProcessObject - MANIPULATION (removed in Invisible DLL 1.1)
- LdrpHeap - ERASING (added in Invisible DLL 1.1)
- Vad - ERASING


GUI interface of Invisible DLL 1.1


In both tables, + means the program still reveals the hidden DLL when that hiding method (combined with the ones to its left) is applied, and - means it does not.

Test Table [Invisible DLL 1.0]

Software                            | InLoadOrder | InMemoryOrder | InInitializationOrder | HashLinks | ProcessObject | Vad
------------------------------------+-------------+---------------+-----------------------+-----------+---------------+----
ArcaVir Process Manager 2010.0.0.6  | -           | -             | -                     | -         | -             | -
ATool 1.0021                        | +           | -             | -                     | -         | -             | -
Dr.Web DwShark 1.0.0.11140          | +           | +             | +                     | +         | +             | -
Find_Hidden_Dll 0.1.1.1             | +           | +             | +                     | +         | +             | +
GMER 1.0.15.15281                   | -           | -             | -                     | -         | -             | -
HookExplorer 1.0                    | -           | -             | -                     | -         | -             | -
HookShark BETA 0.6                  | +           | +             | +                     | +         | -             | -
IceSword 1.22                       | +           | +             | +                     | +         | -             | -
KernelDetective 1.3.1               | +           | +             | +                     | +         | +             | -
kX-Ray 1.0.0.100 XP32 beta          | +           | +             | +                     | +         | +             | -
MalwareDefender 2.5.0               | -           | -             | -                     | -         | -             | -
NhsScan 0.9.5                       | -           | -             | -                     | -         | -             | -
ProcessWalker Express 5.4.1000.10   | +           | -             | -                     | -         | -             | -
RkU 3.8.382.584                     | +           | +             | +                     | +         | +             | -
RootRepeal 1.3.5                    | +           | +             | +                     | +         | +             | -
SEEM 4.5                            | -           | -             | -                     | -         | -             | -
SpyDllRemover 2.5                   | -           | -             | -                     | -         | -             | -
Spyware Process Detector 3.20       | +           | -             | -                     | -         | -             | -
SysInspector 1.2.021.0              | -           | -             | -                     | -         | -             | -
SysReveal 1.0.0.9                   | +           | +             | +                     | +         | +             | -
VMMap 2.4                           | +           | +             | +                     | +         | -             | -
XueTr 0.32                          | +           | +             | +                     | +         | +             | +

Test Table [Invisible DLL 1.1]

Software                            | InLoadOrder | InMemoryOrder | InInitializationOrder | HashLinks | LdrpHeap | Vad
------------------------------------+-------------+---------------+-----------------------+-----------+----------+----
ArcaVir Process Manager 2010.0.0.6  | -           | -             | -                     | -         | -        | -
ATool 1.0021                        | +           | -             | -                     | -         | -        | -
Dr.Web DwShark 1.0.0.11140          | +           | +             | +                     | +         | +        | -
Find_Hidden_Dll 2.0.0.0             | +           | +             | +                     | +         | +        | -
GMER 1.0.15.15281                   | -           | -             | -                     | -         | -        | -
HookExplorer 1.0                    | -           | -             | -                     | -         | -        | -
HookShark BETA 0.6                  | +           | +             | +                     | +         | +        | -
IceSword 1.22                       | +           | +             | +                     | +         | +        | -
KernelDetective 1.3.1               | +           | +             | +                     | +         | +        | -
kX-Ray 1.0.0.102 XP32 beta          | +           | +             | +                     | +         | +        | -
MalwareDefender 2.6.0               | -           | -             | -                     | -         | -        | -
NhsScan 0.9.5                       | -           | -             | -                     | -         | -        | -
ProcessWalker Express 5.4.1000.10   | +           | -             | -                     | -         | -        | -
RkU 3.8.382.584                     | +           | +             | +                     | +         | +        | -
RootRepeal 1.3.5                    | +           | +             | +                     | +         | +        | -
SEEM 4.5                            | -           | -             | -                     | -         | -        | -
SpyDllRemover 3.2                   | -           | -             | -                     | -         | -        | -
Spyware Process Detector 3.20       | +           | -             | -                     | -         | -        | -
SysInspector 1.2.021.0              | -           | -             | -                     | -         | -        | -
SysReveal 1.0.0.27                  | +           | +             | +                     | +         | +        | -
VMMap 2.61                          | +           | +             | +                     | +         | +        | -
XueTr 0.33                          | +           | +             | +                     | +         | +        | +

Summary:

I've tested twenty-two programs that show information about loaded DLLs. Some of them don't implement any kind of DLL detection at all. A few of them have really lousy DLL detection mechanisms based only on analysis of the doubly-linked lists. You may wonder why I chose to hide a DLL loaded in the typical way instead of using my own DLL loader as some malware does. There is more fun in hiding user-mode modules loaded in the typical way, because there are a lot of ways to detect their presence. The latest hiding method manipulates only the VAD leaf and leaves the section object, control area, segment and file object related to the hidden module unmodified. So it is possible to connect all these things to obtain complete information about the hidden module.

If some software isn't included in this comparison and you think it should be, please let me know; I will test it and add it to the comparison. Also, if you don't agree with the results of this comparison (some software should detect the hidden DLL at a particular level), please let me know; I will test it again and correct the results.

If you have any questions or suggestions regarding this test, please feel free to contact me. But please keep in mind that Invisible Dynamic-Link Library 1.0 is private software, made for test purposes only!

Updates:

- 22.11.2009 - retested - RkU 3.8.382.584
- 07.12.2009 - retested - KernelDetective 1.3.1 & XueTr 0.30
- 30.12.2009 - retested - SysReveal 1.0.0.9
- 14.01.2010 - retested - MalwareDefender 2.5.0 & kX-Ray v1.0.0.98*/kX-Ray v1.0.0.100 & XueTr 0.32
- 15.01.2010 - retested - GMER 1.0.15.15281
- 22.02.2010 - added - Find_Hidden_Dll (by Eric_71) 0.1.1.1
- 15.03.2010 - retested - ALL**
- 20.03.2010 - retested - Find_Hidden_Dll 2.0.0.0
- 03.04.2010 - retested - XueTr 0.33

* - I made a mistake while testing kX-Ray v1.0.0.98 and earlier versions, which undoubtedly can detect Invisible Dynamic-Link Library 1.0 hidden by the combination of process object manipulation and the earlier DLL hiding methods.

** - The mistake I made in Invisible DLL 1.0 was in the function whose task was unlinking the hidden DLL from LdrpHashTable. I'd like to thank Eric_71, who helped me find and correct this mistake. After retesting all the software, once again none of the software is capable of detecting Invisible DLL 1.1.

Please let me know if you would like me to retest one of these programs. In the future I will not retest newly published software without notification about its Dynamic-Link Library detection improvements.

Tested software:

ArcaVir Process Manager 2010.0.0.6
ATool 1.0021
Dr.Web DwShark 1.0.0.11140
Find_Hidden_Dll 2.0.0.0
GMER 1.0.15.15281
HookExplorer 1.0
HookShark BETA 0.6
IceSword 1.22
KernelDetective 1.3.1
kX-Ray 1.0.0.102 XP32 beta
MalwareDefender 2.6.0
NhsScan 0.9.5
ProcessWalker Express 5.4.1000.10
RkU 3.8.382.584
RootRepeal 1.3.5
SEEM 4.5
SpyDLLRemover 3.2
Spyware Process Detector 3.20
SysInspector 1.2.021.0
SysReveal 1.0.0.27
VMMap 2.61
XueTr 0.33

Copyright © 2oo8-2o1o NT Internals. All rights reserved.