-
Defence & analysis of malware
[email protected]
-
RootkitRootkitUNIXUNIXRootkitRootkitUNIXWindows
Rootkit
-
Unix RootKitWindows Rootkit
-
RootkitRootkit
-
UNIXRootkit
UNIXRootKit:LRKURK
-
WindowsRootkitUNIX
RootKit
-
WindowsRootKitWindows RootKitWindowsWFPWindowsWindows
-
Windows RootKitWindowsFakeGINACtrl+Alt+Del
winlogon.exefakegina.dllmsgina.dll
WindowsWFP,SFC(System File Checker)
DLLAPI
-
DLLAPIhook
-
Windows RootKitWin2K Pro Gold TemplateCIS: Scoring
toolFcheckTripwireRootkit
-
RootKitRootKit
RootKit
-
Rootkit
-
Rootkit/IAT,SSDT,in-line hookingkernelDirect Kernel object
manipulation,DKOM
-
RootkitkeywordsVICE/Patchfinder(inject code)Cross view based
detection:RootKit revealer/Klister/Blacklight/GhostBusterSystem
virginity Verifier/Tripware.
-
WindowsIPSIntrusion Prevention
SystemsRootKitIceSwordRootkitRevealer.zip
(show)
-
Question?
-
WindowsWindows(System Call) Windows 2000KeServiceDescriptorTable
ntoskrnl.exe kernel32.dll/
advapi32.dllKeServiceDescriptorTableShadow USERGDI
User32.dll/Gdi32.dllWin32APIKernel32.dll/advapi32.dllNTDLL.dllint
0x2eNtoskrnl.exeWin32 USER/GDI
APIUser32.dll/Gdi32.dllWin32k.sys
-
SeDebugPrivilege CreateRemoteThread WaitForSingleObject
-
DLL
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
Windows SetWindowsHookEx
DWORD HMODULE
DLL
-
CreateProcess
-
IAT +-------------------------------+ - offset 0 | MS DOSDOS |
+-------------------------------+ | PE ("PE") |
+-------------------------------+ | .text | -
+-------------------------------+ | .data | - ()
+-------------------------------+ | .idata | -
+-------------------------------+ Import Address Table | .edata | -
+-------------------------------+ | |
+-------------------------------+
-
PAGE_EXECUTE_READWRITE5jmp
-
NTDLL.DLLWin32 API Unicode NTDLL NTDLLIDEAXEDXINT
2ENTOSKRNL(SSDT)EAXIDHook:
-
MajorFunction IRP_MJ_XXX KeServiceDescriptorTablefilemon
-
Example-- ZwOpenKey ZwQueryKey ZwQueryValueKey
ZwEnumerateValueKey ZwEnumerateKey ZwClose ZwDeleteKey
ZwSetValueKey ZwCreateKey ZwDeleteValueKeyNTSTATUS (*OldZwOpenKey)(
OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES );
NTSTATUS MyZwOpenKey(OUT PHANDLE hKey, IN ACCESS_MASK Access,IN
POBJECT_ATTRIBUTES OA ){ntstatus = OldZwOpenKey(hKey, Access, OA);
...return ntstatus;}
