If you can't read please download the document
恶意软件(病毒)的分析与 防范 Defence & analysis of malware
Embed Size (px)
DESCRIPTION
恶意软件(病毒)的分析与 防范 Defence & analysis of malware. 计算机学院 傅建明 [email protected]. Rootkit. Rootkit 源于 UNIX 系统中的超级用户帐号, UNIX 系统是 Rootkit 工具最初的攻击目标。现在, Rootkit 可用于多种操作系统,包括 UNIX 和 Windows。 Rootkit 是 特洛伊木马后门工具 ,通过 修改现有的操作系统软件 ,使攻击者 获得访问权 并 隐藏 在计算机中。 关键: 隐藏攻击者在系统中的存在,其包括多种掩饰攻击者在系统中存在的功能。 - PowerPoint PPT Presentation
Citation preview
-
Defence & analysis of malware
[email protected]
-
RootkitRootkitUNIXUNIXRootkitRootkitUNIXWindows
Rootkit
-
Unix RootKitWindows Rootkit
-
RootkitRootkit
-
UNIXRootkit
UNIXRootKit:LRKURK
-
WindowsRootkitUNIX
RootKit
-
WindowsRootKitWindows RootKitWindowsWFPWindowsWindows
-
Windows RootKitWindowsFakeGINACtrl+Alt+Del
winlogon.exefakegina.dllmsgina.dll
WindowsWFP,SFC(System File Checker)
DLLAPI
-
DLLAPIhook
-
Windows RootKitWin2K Pro Gold TemplateCIS: Scoring
toolFcheckTripwireRootkit
-
RootKitRootKit
RootKit
-
Rootkit
-
Rootkit/IAT,SSDT,in-line hookingkernelDirect Kernel object
manipulation,DKOM
-
RootkitkeywordsVICE/Patchfinder(inject code)Cross view based
detection:RootKit revealer/Klister/Blacklight/GhostBusterSystem
virginity Verifier/Tripware.
-
WindowsIPSIntrusion Prevention
SystemsRootKitIceSwordRootkitRevealer.zip
(show)
-
Question?
-
WindowsWindows(System Call) Windows 2000KeServiceDescriptorTable
ntoskrnl.exe kernel32.dll/
advapi32.dllKeServiceDescriptorTableShadow USERGDI
User32.dll/Gdi32.dllWin32APIKernel32.dll/advapi32.dllNTDLL.dllint
0x2eNtoskrnl.exeWin32 USER/GDI
APIUser32.dll/Gdi32.dllWin32k.sys
-
SeDebugPrivilege CreateRemoteThread WaitForSingleObject
-
DLL
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
Windows SetWindowsHookEx
DWORD HMODULE
DLL
-
CreateProcess
-
IAT +-------------------------------+ - offset 0 | MS DOSDOS |
+-------------------------------+ | PE ("PE") |
+-------------------------------+ | .text | -
+-------------------------------+ | .data | - ()
+-------------------------------+ | .idata | -
+-------------------------------+ Import Address Table | .edata | -
+-------------------------------+ | |
+-------------------------------+
-
PAGE_EXECUTE_READWRITE5jmp
-
NTDLL.DLLWin32 API Unicode NTDLL NTDLLIDEAXEDXINT
2ENTOSKRNL(SSDT)EAXIDHook:
-
MajorFunction IRP_MJ_XXX KeServiceDescriptorTablefilemon
-
Example-- ZwOpenKey ZwQueryKey ZwQueryValueKey
ZwEnumerateValueKey ZwEnumerateKey ZwClose ZwDeleteKey
ZwSetValueKey ZwCreateKey ZwDeleteValueKeyNTSTATUS (*OldZwOpenKey)(
OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES );
NTSTATUS MyZwOpenKey(OUT PHANDLE hKey, IN ACCESS_MASK Access,IN
POBJECT_ATTRIBUTES OA ){ntstatus = OldZwOpenKey(hKey, Access, OA);
...return ntstatus;}
