2005-11-04
In 2005 the bar has been raised in the arena of malicious software. Nowhere is this more evident than in the recent deployment of Windows rootkit technology within some of the latest viruses, worms, spyware and adware. It has become increasingly important to understand what this threat is and how its malicious use can be detected.
Definition of a rootkit
Privilege modes
Execution path hooks
Import address table hooks
System Service Descriptor Table hooking
Original function entry point. The three instructions form a five-byte prologue:

Code Bytes      | Assembly
8bff            | mov edi, edi
55              | push ebp
8bec            | mov ebp, esp

The same entry point after an inline hook. The five prologue bytes have been overwritten with a five-byte near jmp into the hook's code:

Code Bytes      | Assembly
e9 xx xx xx xx  | jmp xxxxxxxx
…
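As an added example (not code from the article or its authors), the following C program implements the check a host-integrity tool performs for this kind of inline hook: compare the bytes at a function's entry point against the five-byte prologue in the table above and, if they have been replaced by an E9 jmp, resolve the rel32 target and decide whether it leaves the module that owns the function. The sample byte strings and the image base, image size and function address are constructed for illustration and are not taken from a real system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The five-byte prologue from the table: mov edi,edi / push ebp / mov ebp,esp. */
static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };

/* Constructed sample bytes (not captured from a real system). */
/* An unmodified entry point: the prologue followed by mov eax,[ebp+8]. */
static const uint8_t SAMPLE_CLEAN[8]       = { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x8b, 0x45, 0x08 };
/* The same entry point after a detour: jmp rel32 (+0x7ffffb) over the prologue. */
static const uint8_t SAMPLE_HOOKED[8]      = { 0xe9, 0xfb, 0xff, 0x7f, 0x00, 0x8b, 0x45, 0x08 };
/* A patch with a negative displacement (-10): the target lies just below the entry. */
static const uint8_t SAMPLE_HOOKED_BACK[8] = { 0xe9, 0xf6, 0xff, 0xff, 0xff, 0x8b, 0x45, 0x08 };

typedef enum { ENTRY_CLEAN = 0, ENTRY_JMP_PATCHED = 1, ENTRY_UNKNOWN = 2 } entry_state;

/* Classify the first bytes at a function's entry point. entry_va is the virtual
 * address those bytes live at; on a jmp patch, *target receives the resolved
 * destination (address of the next instruction plus the signed rel32). */
entry_state classify_entry(const uint8_t *code, size_t len, uint32_t entry_va, uint32_t *target)
{
    if (len < sizeof(HOTPATCH_PROLOGUE))
        return ENTRY_UNKNOWN;
    if (memcmp(code, HOTPATCH_PROLOGUE, sizeof(HOTPATCH_PROLOGUE)) == 0)
        return ENTRY_CLEAN;
    if (code[0] == 0xe9) {
        uint32_t disp = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                        ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
        if (target)
            *target = entry_va + 5u + disp; /* unsigned wrap handles negative rel32 */
        return ENTRY_JMP_PATCHED;
    }
    return ENTRY_UNKNOWN;
}

/* Returns the jmp destination for a patched entry point, or 0 if not patched. */
uint32_t resolve_jmp_target(const uint8_t *code, size_t len, uint32_t entry_va)
{
    uint32_t target = 0;
    if (classify_entry(code, len, entry_va, &target) != ENTRY_JMP_PATCHED)
        return 0;
    return target;
}

/* A jmp that leaves the module owning the function is the classic sign of a
 * detour into rootkit code; one that stays inside the image may be a
 * legitimate hot patch or thunk and needs a closer look rather than an alarm. */
int jmp_leaves_module(uint32_t target, uint32_t image_base, uint32_t image_size)
{
    return target < image_base || target >= image_base + image_size;
}

/* 1 if the entry point has been redirected outside its own module, else 0. */
int entry_is_detoured(const uint8_t *code, size_t len, uint32_t entry_va,
                      uint32_t image_base, uint32_t image_size)
{
    uint32_t target = 0;
    if (classify_entry(code, len, entry_va, &target) != ENTRY_JMP_PATCHED)
        return 0;
    return jmp_leaves_module(target, image_base, image_size);
}

int main(void)
{
    /* Hypothetical layout: a DLL mapped at 0x7c800000, 0x9b000 bytes long,
     * with the inspected export at 0x7c801000. */
    const uint32_t base = 0x7c800000u, size = 0x9b000u, fn = 0x7c801000u;
    printf("clean        : detoured=%d\n", entry_is_detoured(SAMPLE_CLEAN, 8, fn, base, size));
    printf("hooked       : detoured=%d target=%08x\n",
           entry_is_detoured(SAMPLE_HOOKED, 8, fn, base, size),
           resolve_jmp_target(SAMPLE_HOOKED, 8, fn));
    printf("backward jmp : detoured=%d target=%08x\n",
           entry_is_detoured(SAMPLE_HOOKED_BACK, 8, fn, base, size),
           resolve_jmp_target(SAMPLE_HOOKED_BACK, 8, fn));
    return 0;
}
```

Nothing here touches a live process; on a real system the bytes would be read from the loaded image (or from the kernel for ntoskrnl exports), and the clean reference would normally be the function's bytes in the file on disk rather than a fixed prologue, since not every function begins with mov edi, edi. A jmp that stays inside the image may be a legitimate hot patch, which is why the block reports it separately instead of flagging it as a detour.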
Layered filter drivers
Direct Kernel Object Manipulation
Rootkits in the wild
Concluding part one
About the authors
James Butler is the CTO of Komoku, which specializes in high assurance, host integrity monitoring and management. Before that, Mr. Butler was the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the newly released bestseller "Rootkits: Subverting the Windows Kernel."