Defence & analysis of malware
RootkitRootkitUNIXUNIXRootkitRootkitUNIXWindows
Rootkit
Unix RootKitWindows Rootkit
RootkitRootkit
UNIXRootkit
UNIX RootKit: LRK, URK
WindowsRootkitUNIX
RootKit
WindowsRootKitWindows RootKitWindowsWFPWindowsWindows
Windows RootKit, Windows FakeGINA: Ctrl+Alt+Del, winlogon.exe, fakegina.dll, msgina.dll
Windows WFP, SFC (System File Checker)
DLL, API
DLL, API hook
Windows RootKit: Win2K Pro Gold Template, CIS: Scoring tool, Fcheck, Tripwire, Rootkit
RootKitRootKit
RootKit
Rootkit
Rootkit / IAT, SSDT, in-line hooking, kernel: Direct Kernel Object Manipulation (DKOM)
Rootkit keywords: VICE / Patchfinder (inject code); Cross view based detection: RootKit Revealer / Klister / Blacklight / GhostBuster; System Virginity Verifier / Tripwire.
Windows IPS (Intrusion Prevention Systems), RootKit: IceSword, RootkitRevealer.zip
Question?
Windows system calls (Windows 2000): KeServiceDescriptorTable in ntoskrnl.exe (kernel32.dll / advapi32.dll); KeServiceDescriptorTableShadow for USER/GDI (User32.dll / Gdi32.dll). Win32 API: Kernel32.dll / advapi32.dll -> NTDLL.dll -> int 0x2e -> Ntoskrnl.exe. Win32 USER/GDI API: User32.dll / Gdi32.dll -> Win32k.sys
SeDebugPrivilege, CreateRemoteThread, WaitForSingleObject
DLL: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Windows: SetWindowsHookEx
DWORD HMODULE
DLL
CreateProcess
IAT

    +-------------------------------+  <- offset 0
    | MS DOS header / DOS stub      |
    +-------------------------------+
    | PE header ("PE")              |
    +-------------------------------+
    | .text                         |
    +-------------------------------+
    | .data                         |
    +-------------------------------+
    | .idata                        |  <- Import Address Table
    +-------------------------------+
    | .edata                        |
    +-------------------------------+
    |                               |
    +-------------------------------+

PAGE_EXECUTE_READWRITE, 5-byte jmp
NTDLL.DLL: Win32 API (Unicode) -> NTDLL; NTDLL stub: service ID in EAX, EDX, INT 2E -> NTOSKRNL (SSDT) indexed by the EAX ID. Hook:
MajorFunction (IRP_MJ_XXX), KeServiceDescriptorTable; filemon
Example -- registry services: ZwOpenKey ZwQueryKey ZwQueryValueKey ZwEnumerateValueKey ZwEnumerateKey ZwClose ZwDeleteKey ZwSetValueKey ZwCreateKey ZwDeleteValueKey

    /* Saved pointer to the original ZwOpenKey service (filled in when the hook is installed) */
    NTSTATUS (*OldZwOpenKey)(OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES);

    /* Replacement routine: forwards to the original, then may inspect or filter the result */
    NTSTATUS MyZwOpenKey(OUT PHANDLE hKey, IN ACCESS_MASK Access, IN POBJECT_ATTRIBUTES OA)
    {
        NTSTATUS ntstatus = OldZwOpenKey(hKey, Access, OA);
        ...
        return ntstatus;
    }
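The slides name two hooking techniques (a 5-byte jmp written over a function prologue after the page is made PAGE_EXECUTE_READWRITE, and an SSDT or IAT slot repointed at a replacement such as MyZwOpenKey) and the detection tools that look for them. The following is an added example, not code from the slides or from any of the tools they list: it implements the integrity checks behind those tools offline. It assumes 32-bit x86 encoding; the kernel address range, the function address, the driver address and the prologue bytes are constructed sample data.

```python
"""Offline hook-integrity checks (added example; not from the slides or the
tools they name).  Check 1: a 5-byte E9 rel32 jmp written over a function
prologue that leaves the owning module.  Check 2: an SSDT/IAT slot that
points outside the module expected to implement it.  32-bit x86 assumed.
All addresses, ranges and prologue bytes are constructed sample data."""
import struct
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # [start, end) virtual address range of a module


def decode_rel_jmp(prologue: bytes, func_va: int) -> Optional[int]:
    """If `prologue` starts with an E9 rel32 jmp, return its absolute target.

    The displacement is relative to the end of the 5-byte instruction, so
    target = func_va + 5 + rel32, wrapped to 32 bits.  Returns None when the
    bytes do not begin with a rel32 jmp.
    """
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", prologue, 1)[0]
    return (func_va + 5 + rel32) & 0xFFFFFFFF


def inline_hook_suspect(prologue: bytes, func_va: int, owner: Range) -> bool:
    """True when the function opens with a jmp that leaves its own module.

    A jmp whose target stays inside the owning module (for example a
    compiler hot-patch thunk) is not reported, which limits false positives.
    """
    target = decode_rel_jmp(prologue, func_va)
    if target is None:
        return False
    lo, hi = owner
    return not (lo <= target < hi)


def table_hook_suspects(table: List[int], owner: Range) -> List[int]:
    """Indices of table slots (SSDT or IAT entries) that point outside the
    module expected to implement them."""
    lo, hi = owner
    return [i for i, va in enumerate(table) if not (lo <= va < hi)]


def sample_jmp_prologue(func_va: int, target_va: int) -> bytes:
    """Constructed test vector: the 5 bytes left at func_va by a jmp rel32
    to target_va.  Used only to build sample input for the checks above."""
    rel32 = (target_va - (func_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel32)


# ---- constructed sample data (assumed values, not real memory) -----------
NTOSKRNL: Range = (0x80400000, 0x80600000)   # assumed kernel image range
FUNC_VA = 0x80412340                         # assumed VA of a system service
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"      # mov edi,edi / push ebp / mov ebp,esp
DETOUR_VA = 0xF9A01000                       # assumed VA inside a third-party driver
HOOKED_PROLOGUE = sample_jmp_prologue(FUNC_VA, DETOUR_VA)
LOCAL_JMP_PROLOGUE = sample_jmp_prologue(FUNC_VA, 0x80412400)  # stays in ntoskrnl
SAMPLE_SSDT = [0x80412340, 0x80433210, DETOUR_VA, 0x8045ABCD]  # slot 2 repointed


def scan_samples() -> dict:
    """Run both checks over the constructed data and return the findings."""
    return {
        "clean_prologue_hooked": inline_hook_suspect(CLEAN_PROLOGUE, FUNC_VA, NTOSKRNL),
        "detour_prologue_hooked": inline_hook_suspect(HOOKED_PROLOGUE, FUNC_VA, NTOSKRNL),
        "local_jmp_hooked": inline_hook_suspect(LOCAL_JMP_PROLOGUE, FUNC_VA, NTOSKRNL),
        "detour_target": decode_rel_jmp(HOOKED_PROLOGUE, FUNC_VA),
        "ssdt_suspect_slots": table_hook_suspects(SAMPLE_SSDT, NTOSKRNL),
    }


if __name__ == "__main__":
    for name, value in scan_samples().items():
        print(f"{name}: {value}")
```

On a live system the inputs would come from reading the first bytes of each exported function and each SSDT or IAT slot, and the owner range from the loaded module list; the in-module exemption matters because a jmp at a prologue is not by itself a hook, only one that transfers control to memory no legitimate module owns.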
Recommended