Monday, October 3, 2011

Learn and study Rootkit Specials 1: Content

Author: combojiang
What is a rootkit? Many people don't know. Simply put, a rootkit is a particular kind of malware. Once installed on its target, it hides itself, or specified files, processes, network connections and other information. A rootkit is usually used together with trojans, backdoors and other malware. It hides this information by loading a special driver and modifying the system kernel. Technology is a double-edged sword; we study it in order to use the technology to protect our systems and make them more robust.

The rootkit series mainly covers:
1. Kernel hooks
Regarding hooks: there are many places to hook on the path from ring3 to ring0. Following the sequence of steps taken when an API is called, every step offers an opportunity to hook. It may be an int 2e or sysenter hook, SSDT hook, inline hook, IRP hook, object hook, or IDT hook. Here we will introduce them one by one.
   1) Object hook
   2) SSDT hook
   3) Inline hook
   4) IDT hook
   5) IRP hook
   6) SYSENTER hook
   7) IAT hook
   8) EAT hook

2. Part one, Protected mode: gates from ring3 to ring0
   1) Accessing the kernel through a call gate
   2) Accessing the kernel through an interrupt gate
   3) Accessing the kernel through a task gate
   4) Accessing the kernel through a trap gate


3. Part two, Protected mode: the Windows paging mechanism
   1) The Windows paging mechanism

4. Part three, Protected mode: direct hardware access
   1) Modify IOPL so that ring3 can access hardware directly
   2) Extend the default I/O permission bitmap range of the TSS
   3) Change the I/O permission bitmap pointer of the TSS

5. Detours: modifying the execution path of a function, used to control the function's flow by redirecting its path
   1) Detour patch

6. The art of hiding
   1) Hiding files
   2) Hiding processes
   3) Hiding registry keys and values
   4) Hiding drivers
   5) Hiding a process's DLL modules
   6) Strongly hiding a process's DLL modules, bypassing IceSword detection
   7) Hiding ports

7. Calling ring3 programs from ring0
  1) The APC method
  2) The DeviceIoControl method

8. Monitoring processes and threads
  1) Monitoring process creation
  2) Killing threads
  3) Protecting processes and blocking file execution

9. Other
  1) Several methods of getting the address of the ntoskrnl.exe module
  2) An introduction to driver infection techniques
  3) Shadow SSDT study notes
  4) Advanced: Windows kernel timers, part one
  5) Advanced: Windows kernel timers, part two
  6) Modifying an executable's file path and command line at runtime
  7) Finding hidden drivers
  8) Several methods of loading drivers
  9) A rogue method of injecting a DLL from the kernel
  10) Another method of reading and writing memory
  11) Complete driver infection code
  12) Hooking the Shadow SSDT
  13) Detecting hidden processes from ring0
