
The Rootkit Arsenal.pdf

Page 1 of 937
The Rootkit Arsenal
Table of Contents
Preface
Part I - Foundations
  Chapter 1 Setting the Stage
    Forensic Evidence
    First Principles
    The Malware Connection
    Closing Thoughts
  Chapter 2 Into the Catacombs: IA-32
    IA-32 Memory Models
    Real Mode
    Protected Mode
  Chapter 3 Windows System Architecture
    Physical Memory
    Memory Protection
    Virtual Memory
    User Mode and Kernel Mode
    The Native API
    The Boot Process
    Design Decisions
  Chapter 4 Rootkit Basics
    Rootkit Tools
    Debuggers
    A Rootkit Skeleton
    Loading a KMD
    Installing and Launching a Rootkit
    Self-Healing Rootkits
    Windows Kernel-Mode Security
    Synchronization
    Commentary
Part II - System Modification
  Chapter 5 Hooking Call Tables
    Hooking in User Space: The IAT
    Hooking in Kernel Space
    Hooking Countermeasures
    Counter-Countermeasures
  Chapter 6 Patching System Routines
    Run-time Patching
    Binary Patching
    Instruction Patching Countermeasures
  Chapter 7 Altering Kernel Objects
    The Cost of Invisibility
    Revisiting the EPROCESS Object
    The DRIVER_SECTION Object
    The TOKEN Object
    Hiding a Process
    Hiding a Driver
    Manipulating the Access Token
    Using No-FU
    Countermeasures
    Commentary: Limits of the Two-Ring Model
    The Last Lines of Defense
  Chapter 8 Deploying Filter Drivers
    Filter Driver Theory
    An Example: Logging Keystrokes
    Adding Functionality: Dealing with IRQLs
    Key Logging: Alternative Techniques
    Other Ways to Use Filter Drivers
Part III - Anti-Forensics
  Chapter 9 Defeating Live Response
    The Live Incident Response Process
    RAM Acquisition
  Chapter 10 Defeating File System Analysis
    File System Analysis
    Countermeasures: Overview
    Countermeasures: Forensic Duplication
    Countermeasures: Deleted File Recovery
    Countermeasures: Acquiring Metadata
    Countermeasures: Removing Known Files
    Countermeasures: File Signature Analysis
    Countermeasures: Executable Analysis
    Borrowing Other Malware Tactics
  Chapter 11 Defeating Network Analysis
    Worst-Case Scenario: Full Content Data Capture
    Tunneling: An Overview
    The Windows TCP/IP Stack
    DNS Tunneling
    DNS Tunneling: User Mode
    DNS Tunneling: WSK Implementation
    NDIS Protocol Drivers
  Chapter 12 Countermeasure Summary
    Live Incident Response
    File System Analysis
    Network Traffic Analysis
    Why Anti-Forensics?
Part IV - End Material
  Chapter 13 The Tao of Rootkits
    Closing Thoughts
  Appendix (Code)
    Chapter 2
    Chapter 3
    Chapter 4
    Chapter 5
    Chapter 6
    Chapter 7
    Chapter 8
    Chapter 10
    Chapter 11
  Index
The Rootkit Arsenal
Escape and Evasion in the Dark Corners of the System
Reverend Bill Blunden
Wordware Publishing, Inc.
Library of Congress Cataloging-in-Publication Data
Blunden, Bill, 1969-
The rootkit arsenal / by Bill Blunden.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-59822-061-2 (pbk. : alk. paper)
1. Computers--Access control. 2. Computer viruses. 3. Computer hackers. I. Title.
QA76.9.A25 B585 2009
005.8--dc22
2009008316

© 2009, Wordware Publishing, Inc.
An imprint of Jones and Bartlett Publishers
All Rights Reserved
1100 Summit Ave., Suite 102
Plano, Texas 75074

No part of this book may be reproduced in any form or by any means without permission in writing from Wordware Publishing, Inc.

Printed in the United States of America

ISBN-13: 978-1-59822-061-2
ISBN-10: 1-59822-061-6
10 9 8 7 6 5 4 3 2 1
0905

Microsoft, PowerPoint, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Computrace is a registered trademark of Absolute Software, Corp. EnCase is a registered trademark of Guidance Software, Inc. Eudora is a registered trademark of Qualcomm Incorporated. File Scavenger is a registered trademark of QueTek Consulting Corporation. Ghost and PowerQuest are trademarks of Symantec Corporation. GoToMyPC is a registered trademark of Citrix Online, LLC. KeyCarbon is a registered trademark of www.keycarbon.com. Metasploit is a registered trademark of Metasploit, LLC. OpenBoot is a trademark of Sun Microsystems, Inc. PC Tattletale is a trademark of Parental Control Products, LLC. ProDiscover is a registered trademark of Technology Pathways, LLC. Spector Pro is a registered trademark of SpectorSoft Corporation. Tripwire is a registered trademark of Tripwire, Inc. VERISIGN is a registered trademark of VeriSign, Inc. VMware is a registered trademark of VMware, Inc. Wireshark is a registered trademark of Wireshark Foundation. Zango is a registered trademark of Zango, Inc.

Other brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe on the property of others. The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products.

This book is sold as is, without warranty of any kind, either express or implied, respecting the contents of this book and any disks or programs that may accompany it, including but not limited to implied warranties for the book's quality, performance, merchantability, or fitness for any particular purpose. Neither Jones and Bartlett Publishers nor its dealers or distributors shall be liable to the purchaser or any other person or entity with respect to any liability, loss, or damage caused or alleged to have been caused directly or indirectly by this book.

All inquiries for volume purchases of this book should be addressed to Wordware Publishing, Inc., at the above address. Telephone inquiries may be made by calling: (972) 423-0090
This book is dedicated to Sun Wukong, the quintessential mischief-maker.
Contents

Preface: Metadata

Part I - Foundations

Chapter 1 Setting the Stage
  1.1 Forensic Evidence
  1.2 First Principles
    Semantics
    Rootkits: The Kim Philby of System Software
    Who Is Using Rootkit Technology?
    The Feds
    The Spooks
    The Suits
  1.3 The Malware Connection
    Infectious Agents
    Adware and Spyware
    Rise of the Botnets
    Malware versus Rootkits
    Job Security: The Nature of the Software Industry
  1.4 Closing Thoughts

Chapter 2 Into the Catacombs: IA-32
  2.1 IA-32 Memory Models
    Physical Memory
    Flat Memory Model
    Segmented Memory Model
    Modes of Operation
  2.2 Real Mode
    Case Study: MS-DOS
    Isn't This a Waste of Time? Why Study Real Mode?
    The Real-Mode Execution Environment
    Real-Mode Interrupts
    Segmentation and Program Control
    Case Study: Dumping the IVT
    Case Study: Logging Keystrokes with a TSR
    Case Study: Hiding the TSR
    Case Study: Patching the tree.com Command
    Synopsis
  2.3 Protected Mode
    The Protected-Mode Execution Environment
    Protected-Mode Segmentation
    Protected-Mode Paging
    Protected-Mode Paging: A Closer Look
  2.4 Implementing Memory Protection
    Protection through Segmentation
    Limit Checks
    Type Checks
    Privilege Checks
    Restricted-Instruction Checks
    Gate Descriptors
    Protected-Mode Interrupt Tables
    Protection through Paging
    Summary

Chapter 3 Windows System Architecture
  3.1 Physical Memory
    Physical Address Extension (PAE)
    Data Execution Prevention (DEP)
    Address Windowing Extensions (AWE)
    Pages, Page Frames, and Page Frame Numbers
  3.2 Memory Protection
    Segmentation
    Paging
    Linear to Physical Address Translation
    Longhand Translation
    A Quicker Approach
    Another Quicker Approach
  3.3 Virtual Memory
    User Space Topography
    Kernel Space Dynamic Allocation
    Address Space Layout Randomization (ASLR)
  3.4 User Mode and Kernel Mode
    How versus Where
    Kernel-Mode Components
    User-Mode Components
  3.5 The Native API
    The IVT Grows Up
    Hardware and the System Call Mechanism
    System Call Data Structures
    The SYSENTER Instruction
    The System Service Dispatch Tables
    Enumerating the Native API
    Nt*() versus Zw*() System Calls
    The Life Cycle of a System Call
    Other Kernel-Mode Routines
    Kernel-Mode API Documentation
  3.6 The Boot Process
    Startup for BIOS Firmware
    Startup for EFI Firmware
    The Windows Boot Manager
    The Windows Boot Loader
    Initializing the Executive
    The Session Manager
    Wininit.exe
    Winlogon.exe
    The Major Players
  3.7 Design Decisions
    How Will Our Rootkit Execute at Run Time?
    What Constructs Will Our Rootkit Manipulate?

Chapter 4 Rootkit Basics
  4.1 Rootkit Tools
    Development Tools
    Diagnostic Tools
    Reversing Tools
    Disk Imaging Tools
    Tool Roundup
  4.2 Debuggers
    Configuring Cdb.exe
    Symbol Files
    Windows Symbols
    Invoking Cdb.exe
    Controlling Cdb.exe
    Useful Debugger Commands
    Examine Symbols Command (x)
    List Loaded Modules (lm and !lmi)
    Display Type Command (dt)
    Unassemble Command (u)
    Display Command (d*)
    Registers Command (r)
    The Kd.exe Kernel Debugger
    Different Ways to Use a Kernel Debugger
    Configuring Kd.exe
    Preparing the Hardware