Analysis and defence of malicious software (viruses) / Defence & analysis of malware. School of Computer Science, 傅建明 (Fu Jianming), [email protected]. Rootkit. The name Rootkit comes from the superuser account on UNIX systems, and UNIX systems were the original targets of Rootkit tools. Today Rootkits exist for many operating systems, including UNIX and Windows. A Rootkit is a Trojan-horse backdoor tool: by modifying existing operating system software it lets the attacker gain access and stay hidden on the computer. Key point: hiding the attacker's presence on the system; a Rootkit bundles many functions for concealing that presence.
Defence & analysis of malware
RootkitRootkitUNIXUNIXRootkitRootkitUNIXWindows
Rootkit
Unix RootKitWindows Rootkit
RootkitRootkit
UNIXRootkit
UNIX RootKit: LRK, URK
WindowsRootkitUNIX
RootKit
WindowsRootKitWindows RootKitWindowsWFPWindowsWindows
Windows RootKit: FakeGINA (Ctrl+Alt+Del, winlogon.exe, fakegina.dll, msgina.dll)
Windows WFP, SFC (System File Checker)
DLLAPI
DLLAPIhook
Windows RootKit: Win2K Pro Gold Template, CIS Scoring tool, Fcheck, Tripwire, Rootkit
RootKitRootKit
RootKit
Rootkit
Rootkit / IAT, SSDT, in-line hooking, kernel, Direct Kernel Object Manipulation (DKOM)
Rootkit keywords: VICE / Patchfinder (inject code); cross-view based detection: RootkitRevealer / Klister / Blacklight / GhostBuster; System Virginity Verifier / Tripwire.
Windows IPS (Intrusion Prevention Systems); RootKit: IceSword, RootkitRevealer.zip
(show)
Question?
Windows system calls (System Call): Windows 2000, KeServiceDescriptorTable in ntoskrnl.exe (reached from kernel32.dll / advapi32.dll); KeServiceDescriptorTableShadow for USER/GDI (User32.dll / Gdi32.dll). Win32 API: Kernel32.dll / advapi32.dll -> NTDLL.dll -> int 0x2e -> Ntoskrnl.exe. Win32 USER/GDI API: User32.dll / Gdi32.dll -> Win32k.sys
SeDebugPrivilege, CreateRemoteThread, WaitForSingleObject
DLL HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
Windows SetWindowsHookEx
DWORD HMODULE
DLL
CreateProcess
IAT

+-------------------------------+
| MS DOS (DOS)                  |  - offset 0
+-------------------------------+
| PE ("PE")                     |
+-------------------------------+
| .text                         |
+-------------------------------+
| .data                         |
+-------------------------------+
| .idata                        |  - Import Address Table
+-------------------------------+
| .edata                        |
+-------------------------------+
|                               |
+-------------------------------+
PAGE_EXECUTE_READWRITE5jmp
NTDLL.DLL: Win32 API (Unicode) -> NTDLL. NTDLL stub: service ID -> EAX, EDX, INT 2E -> NTOSKRNL (SSDT), indexed by the ID in EAX. Hook:
MajorFunction IRP_MJ_XXX; KeServiceDescriptorTable; filemon
Example -- hooked registry services: ZwOpenKey, ZwQueryKey, ZwQueryValueKey, ZwEnumerateValueKey, ZwEnumerateKey, ZwClose, ZwDeleteKey, ZwSetValueKey, ZwCreateKey, ZwDeleteValueKey

    /* Pointer to the original ZwOpenKey, saved before its SSDT entry is replaced. */
    NTSTATUS (*OldZwOpenKey)(OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES);

    /* Replacement routine: forwards to the original and may filter what it returns. */
    NTSTATUS MyZwOpenKey(OUT PHANDLE hKey, IN ACCESS_MASK Access, IN POBJECT_ATTRIBUTES OA)
    {
        NTSTATUS ntstatus = OldZwOpenKey(hKey, Access, OA);
        ...
        return ntstatus;
    }