Analysis and Defence against Malware (Viruses): Defence & analysis of malware

Defence & analysis of malware. School of Computer Science, Fu Jianming, [email protected]. Rootkit. The name "rootkit" comes from the superuser (root) account on UNIX systems, and UNIX systems were the first targets of rootkit tools. Today rootkits exist for several operating systems, including UNIX and Windows. A rootkit is a Trojan/backdoor toolkit that modifies existing operating system software so that the attacker gains access and stays hidden on the machine. Key point: hiding the attacker's presence in the system; a rootkit bundles several functions that disguise that presence.
-
Defence & analysis of malware
-
Rootkit: the name comes from the superuser (root) account on UNIX systems; UNIX systems were the first targets of rootkit tools; rootkits now exist for UNIX and Windows.
Rootkit
-
Unix RootKit / Windows Rootkit
-
RootkitRootkit
-
UNIX Rootkit
UNIX RootKits: LRK, URK
-
WindowsRootkitUNIX
RootKit
-
WindowsRootKitWindows RootKitWindowsWFPWindowsWindows
-
Windows RootKit (Windows): FakeGINA; Ctrl+Alt+Del -> winlogon.exe -> fakegina.dll -> msgina.dll
Windows WFP, SFC (System File Checker)
DLL / API
-
DLL / API hook
-
Windows RootKit: Win2K Pro Gold Template, CIS Scoring tool, Fcheck, Tripwire, Rootkit
-
RootKitRootKit
RootKit
-
Rootkit
-
Rootkit: user mode / IAT, SSDT, in-line hooking; kernel: Direct Kernel Object Manipulation (DKOM)
-
Rootkit keywords; VICE / Patchfinder (inject code); cross-view based detection: RootkitRevealer / Klister / Blacklight / GhostBuster; System Virginity Verifier / Tripwire.
-
Windows IPS (Intrusion Prevention Systems); RootKit tools: IceSword, RootkitRevealer.zip
(show)
-
Questions?
-
Windows system calls (System Call), Windows 2000: KeServiceDescriptorTable in ntoskrnl.exe (services reached through kernel32.dll / advapi32.dll); KeServiceDescriptorTableShadow for USER/GDI (reached through User32.dll / Gdi32.dll). Win32 API path: Kernel32.dll / advapi32.dll -> NTDLL.dll -> int 0x2e -> Ntoskrnl.exe. Win32 USER/GDI API path: User32.dll / Gdi32.dll -> Win32k.sys
-
SeDebugPrivilege, CreateRemoteThread, WaitForSingleObject
-
DLL loading via HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
Windows hooks: SetWindowsHookEx
DWORD, HMODULE
DLL
-
CreateProcess
-
IAT
```
offset 0  +-------------------------------+
          | MS-DOS header / DOS stub      |
          +-------------------------------+
          | PE header ("PE")              |
          +-------------------------------+
          | .text   - code                |
          +-------------------------------+
          | .data   - (initialized) data  |
          +-------------------------------+
          | .idata  - import data         |  Import Address Table
          +-------------------------------+
          | .edata  - export data         |
          +-------------------------------+
          | ...                           |
          +-------------------------------+
```
-
Inline hook: set the page to PAGE_EXECUTE_READWRITE, overwrite the first 5 bytes of the function with a jmp
-
NTDLL.DLL: Win32 API -> Unicode conversion -> NTDLL; NTDLL stub: service ID in EAX, argument pointer in EDX, INT 2E -> NTOSKRNL looks up the handler in the SSDT by the ID in EAX. Hook:
-
Driver MajorFunction IRP_MJ_XXX dispatch; KeServiceDescriptorTable; filemon
-
Example: hooking the registry services ZwOpenKey, ZwQueryKey, ZwQueryValueKey, ZwEnumerateValueKey, ZwEnumerateKey, ZwClose, ZwDeleteKey, ZwSetValueKey, ZwCreateKey, ZwDeleteValueKey
```c
#include <ntddk.h>

/* Saved pointer to the original SSDT entry for ZwOpenKey. */
NTSTATUS (*OldZwOpenKey)(OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES);

/* Replacement service: calls the original, then (elided on the slide) filters the result. */
NTSTATUS MyZwOpenKey(OUT PHANDLE hKey, IN ACCESS_MASK Access, IN POBJECT_ATTRIBUTES OA)
{
    NTSTATUS ntstatus;
    ntstatus = OldZwOpenKey(hKey, Access, OA);
    ...
    return ntstatus;
}
```
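The slides name three hooking techniques (IAT patching, the 5-byte inline jmp, and replacing SSDT entries such as ZwOpenKey above) and, separately, the detection tools that look for them. The following added example (not code from the slides or from any of the named tools) shows the address-range check those detectors rely on: a healthy IAT slot points into the DLL that exports it, a healthy function does not begin with a jmp out of its own module, and every SSDT entry points into ntoskrnl.exe. All module ranges, IAT entries, prologue bytes and SSDT entries are constructed sample data; a real checker reads them from the live process and kernel.

```python
"""Address-range checks for IAT, inline-jmp and SSDT hooks (added example).

The snapshot below (module ranges, IAT slots, function prologues, SSDT
entries, and the names evil.dll / evil.sys) is constructed for the demo.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_module(addr, modules):
    """Return the module whose range covers addr, or None if no module does."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def check_iat(iat, modules):
    """iat: (dll, func, resolved_addr) triples read from a process's .idata.
    A patched slot points somewhere other than the DLL that should export it."""
    findings = []
    for dll, func, addr in iat:
        owner = owner_module(addr, modules)
        if owner is None:
            findings.append((func, "outside every loaded module"))
        elif owner.name.lower() != dll.lower():
            findings.append((func, "resolves into " + owner.name))
    return findings


def decode_inline_jmp(addr, prologue):
    """If the function starts with E9 rel32 (near jmp) return its target, else None.
    32-bit arithmetic, matching the Windows 2000 era of the slides."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", prologue, 1)[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def check_inline(funcs, modules):
    """funcs: (name, addr, first_bytes). Flags functions whose first instruction
    jumps out of their own module, the footprint of a 5-byte inline patch."""
    findings = []
    for name, addr, code in funcs:
        target = decode_inline_jmp(addr, code)
        if target is None:
            continue
        dest = owner_module(target, modules)
        if dest is None or dest != owner_module(addr, modules):
            findings.append((name, target, dest.name if dest else None))
    return findings


def check_ssdt(ssdt, modules, kernel="ntoskrnl.exe"):
    """ssdt: (index, handler_addr). Every KeServiceDescriptorTable entry should
    lie inside the kernel image; anything else is a replaced service."""
    bad = []
    for idx, addr in ssdt:
        m = owner_module(addr, modules)
        if m is None or m.name != kernel:
            bad.append((idx, addr))
    return bad


# ---- constructed sample snapshot (not real addresses) ----------------------
MODULES = [
    Module("kernel32.dll", 0x7C800000, 0x100000),
    Module("ntdll.dll",    0x7C900000, 0x0B0000),
    Module("evil.dll",     0x10000000, 0x010000),   # hypothetical injected DLL
    Module("ntoskrnl.exe", 0x804D7000, 0x1F0000),
    Module("evil.sys",     0xF8A00000, 0x004000),   # hypothetical rootkit driver
]


def _jmp_to(addr, target):
    """Bytes an inline hook would leave at addr (used only to build the sample)."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5))


IAT = [
    ("kernel32.dll", "CreateFileW",          0x7C810800),
    ("kernel32.dll", "FindNextFileW",        0x10001000),  # redirected into evil.dll
    ("ntdll.dll",    "NtQueryDirectoryFile", 0x7C90D000),
]
FUNCS = [
    ("NtQueryDirectoryFile",     0x7C90D000, b"\xB8\x91\x00\x00\x00"),  # mov eax, id: clean stub
    ("NtQuerySystemInformation", 0x7C90D7F0, _jmp_to(0x7C90D7F0, 0x10002000)),
]
SSDT = [(0x77, 0x805A1234), (0xAD, 0xF8A01000)]


def run_demo():
    """Run all three checks over the sample snapshot."""
    return check_iat(IAT, MODULES), check_inline(FUNCS, MODULES), check_ssdt(SSDT, MODULES)


if __name__ == "__main__":
    for section, findings in zip(("IAT", "inline", "SSDT"), run_demo()):
        print(section, findings)
```

The same owner-module test generalizes to the driver dispatch table mentioned above: an IRP_MJ_XXX entry in a file-system driver's MajorFunction array that points outside that driver's image is the kernel-side analogue of a redirected IAT slot.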