2005 213 <shio@st.rim.or.jp>
Rootkit

...... GPG, EFS (Windows)

Rootkit: trojaned ifconfig, ps, ls, login (caught by Tripwire); lkm-rootkit; NT Rootkit, AFX Rootkit (OS)

HD... NTFS ADS (Alternate Data Stream)... NTFS HD HD...

NTFS ADS? http://www.seifried.org/security/advisories/kssa-003.html

PC Cookie... Evidence Eliminator http://www.evidence-eliminator.com/product.d2w
"In tests, Evidence Eliminator defeats EnCase and other Forensic Analysis equipment as used by investigators, police and government agencies."

Secret?... Stego Suite

SSH, SSL... ICMP / TCP ACK Covert Channel

!?!? PC PC

PC HIDS

Know Your Enemy!!
Windows Rootkits

Windows Rootkit
  User-Mode Rootkit
    exe / dll replacement (WFP), FakeGINA
    DLL Injection & API Hooking
  Kernel-Mode Rootkit
    IDT / SDT / SSDT Hooking
    Direct Kernel Object Manipulation
    Kernel Patching (Memory / File)
Path of a WriteFile() call (the slide's diagram, flattened):
  User Application: call WriteFile()
    -> kernel32.dll: WriteFile()
    -> IAT (Import Address Table) of kernel32.dll
    -> ntdll.dll: ZwWriteFile(), service number 0xED (NtWriteFile on Windows 2000), int 0x2E
  ---- User Mode / Kernel Mode boundary ----
  IDTR (Interrupt Descriptor Table Register) -> IDT (Interrupt Descriptor Table) entry 0x2E -> KiSystemService()
    -> System Service Dispatcher -> SDT (Service Descriptor Table) -> SSDT (System Service Dispatch Table), index 0xED
    -> NtWriteFile()
DLL Injection & API Hooking: hook.dll is injected into the process and the IAT entry through which kernel32.dll reaches ZwWriteFile() is overwritten, so the hook runs before the real call and can filter its result:
  User Application: call WriteFile()
    -> kernel32.dll: WriteFile()
    -> IAT (Import Address Table), now pointing into hook.dll
    -> hook.dll: hooked ZwWriteFile()
    -> ntdll.dll: ZwWriteFile() -> int 0x2E  [User Mode]
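The IAT hook above, and the VICE-style check for it, as an added example in portable C (not code from the slides, from AFX Rootkit or from VICE). Windows structures are simulated: a "module" is a struct with an export table, the IAT is an array of slots that remember which export they were resolved from, and the directory contents are constructed. The hooked function filters out the `_root_` prefix that NT Rootkit uses for hidden objects. All names (`iat_hook_install`, `vice_check`, `enum_dir`) are this example's own. The same pointer-table check applies to the SSDT in the kernel-mode case: an entry that does not point to the address the owning module exports is hooked.

```c
#include <stdio.h>
#include <string.h>

/* The API being hooked: fill `out` with directory entries, return the count.
 * Stands in for FindNextFile / ZwQueryDirectoryFile. */
typedef int (*enum_dir_fn)(const char **out, int max);

/* Constructed directory contents; two names carry the _root_ prefix. */
static const char *g_disk[] = { "cmd.exe", "_root_hook.dll", "notepad.exe", "_root_sys" };

/* The genuine implementation, i.e. what the simulated "ntdll.dll" exports. */
static int real_enum_dir(const char **out, int max) {
    int n = 0;
    for (size_t i = 0; i < sizeof g_disk / sizeof g_disk[0] && n < max; i++)
        out[n++] = g_disk[i];
    return n;
}

/* A module is its name plus an export table (name -> address): the data a
 * detector gets from GetProcAddress or by parsing the export directory. */
struct export_entry { const char *name; enum_dir_fn addr; };
struct module { const char *name; const struct export_entry *exports; int nexports; };

static const struct export_entry ntdll_exports[] = { { "enum_dir", real_enum_dir } };
static const struct module ntdll = { "ntdll.dll", ntdll_exports, 1 };

/* One IAT slot: which module and export it was resolved from, and the
 * pointer the application actually calls through. */
struct iat_entry { const struct module *from; const char *import; enum_dir_fn fn; };
static struct iat_entry g_iat[] = { { &ntdll, "enum_dir", real_enum_dir } };
#define NSLOTS (sizeof g_iat / sizeof g_iat[0])

/* The code "hook.dll" contributes: call the real function, then drop every
 * name carrying the prefix the rootkit wants hidden. */
static enum_dir_fn g_orig_enum_dir;
static int hooked_enum_dir(const char **out, int max) {
    const char *tmp[64];
    int n = g_orig_enum_dir(tmp, 64), kept = 0;
    for (int i = 0; i < n && kept < max; i++)
        if (strncmp(tmp[i], "_root_", 6) != 0)
            out[kept++] = tmp[i];
    return kept;
}

/* Rootkit side: overwrite the IAT slot, keeping the original pointer so the
 * hook can chain to it.  Idempotent, so a second call cannot make the hook
 * chain to itself. */
void iat_hook_install(void) {
    if (g_iat[0].fn == hooked_enum_dir) return;
    g_orig_enum_dir = g_iat[0].fn;
    g_iat[0].fn = hooked_enum_dir;
}

/* Application side: compiled code always calls through the IAT, so it gets
 * whatever the slot currently points to. */
int app_list_dir(const char **out, int max) {
    return g_iat[0].fn(out, max);
}

/* VICE-style check: each IAT slot must hold the address the owning module
 * exports under that name.  Returns the number of slots that do not. */
int vice_check(void) {
    int hooked = 0;
    for (size_t i = 0; i < NSLOTS; i++) {
        const struct module *m = g_iat[i].from;
        for (int j = 0; j < m->nexports; j++) {
            if (strcmp(m->exports[j].name, g_iat[i].import) != 0) continue;
            if (m->exports[j].addr != g_iat[i].fn) {
                printf("IAT[%zu] %s!%s does not point at the module's export: HOOKED\n",
                       i, m->name, g_iat[i].import);
                hooked++;
            }
        }
    }
    return hooked;
}

int main(void) {
    const char *names[64];
    int n = app_list_dir(names, 64);
    printf("before hook: %d entries, %d hooked slots\n", n, vice_check());
    iat_hook_install();
    n = app_list_dir(names, 64);
    printf("after hook:  %d entries, %d hooked slots\n", n, vice_check());
    return 0;
}
```

The application never notices the hook (it still gets a valid list, just a shorter one); only a check that compares the slot against an independent source of truth, here the module's own export table, sees the change. A real hook library on Windows would resolve the expected address with GetProcAddress or by parsing the PE export directory of the module on disk.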
AFX Rootkit 2004: DLL injection & API hooking rootkit
  http://iamaphex.net/downloads/
  files: root.exe, hook.dll
NT Rootkit: kernel API rootkit
  https://www.rootkit.com/vault/hoglund/rk_044.zip
  _root_ prefix / IP 10.0.0.166 / disable
  files: _root_sys, deploy.exe
Hacker defender: API rootkit, configured through an ini file
  http://rootkit.host.sk/
  files: hxdef100.exe, hxdefdrv.sys, bdcli100.exe
Direct Kernel Object Manipulation (DKOM)
  FU Rootkit hides a process by unlinking its EPROCESS from the kernel's doubly linked process list: the FLINK of the previous EPROCESS and the BLINK of the next one are rewritten to point past the hidden entry, so anything that walks the list (task list, process enumeration APIs) no longer sees the process, while its threads keep being scheduled.

FU Rootkit: DKOM rootkit
  https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip
  hides processes and can add SIDs to a process token
  files: fu.exe (user-mode client), msdirectx.sys (driver)
  fu.exe ...
Windows Rootkit HD? HDD, RAID, MAC, Morphine...
VICE http://www.rootkit.com/vault/fuzen_op/vice.zip : rootkit detector, checks the Win32 API for hooks
KProcCheck http://www.security.org.sg/code/kproccheck.html : API vs. KProcCheck

KProcCheck options (as listed on the slide):
  -p ... API
  -s ...
  -d ... FU
  -t ... SSDT
  -g ... ???
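The FLINK/BLINK unlink described under DKOM above, and the kind of cross-view check a tool like KProcCheck relies on to catch it, as one added example in portable C (not FU Rootkit's or KProcCheck's code). The kernel structures are simulated: EPROCESS is reduced to an image name, a PID and the ActiveProcessLinks LIST_ENTRY, PsActiveProcessHead is the list head, and the second view, standing in for a PID-table or handle-table lookup that does not depend on the list, is a plain array. All names (`dkom_hide_process`, `cross_view_check`, the process table) are this example's own and the process list is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* LIST_ENTRY as in the Windows kernel: forward and backward link. */
struct list_entry { struct list_entry *flink, *blink; };

/* Simulated EPROCESS: only the fields the example needs. */
struct eprocess {
    char image_name[16];
    unsigned pid;
    struct list_entry active_process_links;
};

/* Recover the containing structure from a pointer to its list field. */
#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

/* PsActiveProcessHead: what every list walker starts from. */
static struct list_entry ps_active_process_head;

/* Constructed process table: the view that does not depend on the list
 * (PID table / handle table / scheduler in the real kernel). */
static struct eprocess g_procs[] = {
    { "System",       4, { 0, 0 } },
    { "smss.exe",     8, { 0, 0 } },
    { "lsass.exe",  244, { 0, 0 } },
    { "fu.exe",    1532, { 0, 0 } },
    { "explorer",  1600, { 0, 0 } },
};
#define NPROCS (sizeof g_procs / sizeof g_procs[0])

static void insert_tail(struct list_entry *head, struct list_entry *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Build the circular list, as the kernel does at process creation. */
void kernel_init(void) {
    ps_active_process_head.flink = ps_active_process_head.blink = &ps_active_process_head;
    for (size_t i = 0; i < NPROCS; i++)
        insert_tail(&ps_active_process_head, &g_procs[i].active_process_links);
}

/* Lookup by PID that ignores the linked list entirely. */
static struct eprocess *lookup_by_pid(unsigned pid) {
    for (size_t i = 0; i < NPROCS; i++)
        if (g_procs[i].pid == pid) return &g_procs[i];
    return NULL;
}

/* FU-style hide: splice the entry out (neighbours' FLINK/BLINK skip it) and
 * point it at itself so that a later unlink at process exit does not
 * corrupt the neighbours.  Returns 1 if the PID existed. */
int dkom_hide_process(unsigned pid) {
    struct eprocess *p = lookup_by_pid(pid);
    if (!p) return 0;
    struct list_entry *e = &p->active_process_links;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = e;
    return 1;
}

/* What the task list / ZwQuerySystemInformation shows: a walk of the list. */
int list_walk_pids(unsigned *out, int max) {
    int n = 0;
    for (struct list_entry *e = ps_active_process_head.flink;
         e != &ps_active_process_head && n < max; e = e->flink)
        out[n++] = CONTAINING_RECORD(e, struct eprocess, active_process_links)->pid;
    return n;
}

/* Cross-view detection: every process the PID table knows must also appear
 * in the list walk.  Returns the number of hidden processes, printing each. */
int cross_view_check(void) {
    unsigned seen[64];
    int n = list_walk_pids(seen, 64), hidden = 0;
    for (size_t i = 0; i < NPROCS; i++) {
        int found = 0;
        for (int j = 0; j < n; j++)
            if (seen[j] == g_procs[i].pid) found = 1;
        if (!found) {
            printf("hidden process: pid %u (%s)\n", g_procs[i].pid, g_procs[i].image_name);
            hidden++;
        }
    }
    return hidden;
}

int main(void) {
    unsigned pids[64];
    kernel_init();
    printf("visible before: %d\n", list_walk_pids(pids, 64));
    printf("hidden before:  %d\n", cross_view_check());
    dkom_hide_process(1532);
    printf("visible after:  %d\n", list_walk_pids(pids, 64));
    printf("hidden after:   %d\n", cross_view_check());
    return 0;
}
```

The point of the check is that DKOM edits exactly one data structure; any second view the kernel keeps for its own needs (the PID handle table, the scheduler's thread lists, which is what Klister walks) still contains the process, and the difference between the two views is the detection. A rootkit that also hides from the second view forces the detector to find a third one.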
Klister (vs. KProcCheck?) / PatchFinder: Execution Path Analysis (EPA) rootkit detection / sc ...
References
  Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley, ISBN 0321200985
  Exploiting Software: How to Break Code, Greg Hoglund & Gary McGraw, Addison-Wesley, ISBN 0201786958
  Malware: Fighting Malicious Code, Ed Skoudis & Lenny Zeltser, Prentice Hall PTR, ISBN 0131014056
  VICE - Catch the hookers! (Jamie Butler, Black Hat USA 2004) http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf
  Advanced Windows 2000 Rootkit Detection (Execution Path Analysis) (Joanna Rutkowska, Black Hat USA 2003) http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski-paper.pdf
  FU Rootkit (GCIH Practical Assignment by Mariusz Burdach) http://www.giac.org/practical/gcih/mariusz_burdach_gcih.pdf